From 27c652ef8cc5e928911003e76ac2c9905f9bfce3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?M=C3=A1t=C3=A9=20Barab=C3=A1s?=
Date: Mon, 27 May 2024 16:44:12 -0700
Subject: [PATCH] CARML - AVM module transition complete (#4541)

* readme updates
* readme update
* new template for MOVED-TO-AVM.md
* remove old notice from README files
* updated notice
* update informational notice in the MOVED-TO-AVM.md files
* update moved-to-avm notice
* moved-to-avm, readme and retired files updated
* readme update
* deleting modules' source code
* delete README files
* rename RETIRED.md and MOVED-TO-AVM.md to README.md
* readme update
* readme updates
---
 README.md | 350 +- modules/aad/domain-service/README.md | 847 +-- modules/aad/domain-service/main.bicep | 304 -- modules/aad/domain-service/main.json | 564 -- .../tests/e2e/max/dependencies.bicep | 104 - .../tests/e2e/max/main.test.bicep | 109 - .../tests/e2e/waf-aligned/dependencies.bicep | 104 - .../tests/e2e/waf-aligned/main.test.bicep | 109 - modules/aad/domain-service/version.json | 7 - .../analysis-services/server/MOVED-TO-AVM.md | 1 - modules/analysis-services/server/README.md | 730 +-- modules/analysis-services/server/main.bicep | 209 - modules/analysis-services/server/main.json | 419 -- .../server/tests/e2e/defaults/main.test.bicep | 49 - .../server/tests/e2e/max/dependencies.bicep | 13 - .../server/tests/e2e/max/main.test.bicep | 131 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 114 - modules/analysis-services/server/version.json | 7 - .../api-management/service/MOVED-TO-AVM.md | 1 - modules/api-management/service/README.md | 1468 +----- .../service/api-version-set/README.md | 76 - .../service/api-version-set/main.bicep | 46 - .../service/api-version-set/main.json | 88 - .../service/api-version-set/version.json | 7 - modules/api-management/service/api/README.md | 297 -- modules/api-management/service/api/main.bicep | 168 - modules/api-management/service/api/main.json | 419 -- .../service/api/policy/README.md | 106 -
.../service/api/policy/main.bicep | 65 - .../service/api/policy/main.json | 109 - .../service/api/policy/version.json | 7 - .../api-management/service/api/version.json | 7 - .../service/authorization-server/README.md | 217 - .../service/authorization-server/main.bicep | 119 - .../service/authorization-server/main.json | 210 - .../service/authorization-server/version.json | 7 - .../api-management/service/backend/README.md | 236 - .../api-management/service/backend/main.bicep | 85 - .../api-management/service/backend/main.json | 157 - .../service/backend/version.json | 7 - .../api-management/service/cache/README.md | 105 - .../api-management/service/cache/main.bicep | 60 - .../api-management/service/cache/main.json | 111 - .../api-management/service/cache/version.json | 7 - .../service/identity-provider/README.md | 181 - .../service/identity-provider/main.bicep | 99 - .../service/identity-provider/main.json | 180 - .../service/identity-provider/version.json | 7 - modules/api-management/service/main.bicep | 538 -- modules/api-management/service/main.json | 3098 ----------- .../service/named-value/README.md | 148 - .../service/named-value/main.bicep | 67 - .../service/named-value/main.json | 133 - .../service/named-value/version.json | 7 - .../api-management/service/policy/README.md | 98 - .../api-management/service/policy/main.bicep | 58 - .../api-management/service/policy/main.json | 103 - .../service/policy/version.json | 7 - .../service/portalsetting/README.md | 88 - .../service/portalsetting/main.bicep | 51 - .../service/portalsetting/main.json | 93 - .../service/portalsetting/version.json | 7 - .../api-management/service/product/README.md | 147 - .../service/product/api/README.md | 79 - .../service/product/api/main.bicep | 49 - .../service/product/api/main.json | 85 - .../service/product/api/version.json | 7 - .../service/product/group/README.md | 79 - .../service/product/group/main.bicep | 49 - .../service/product/group/main.json | 85 - 
.../service/product/group/version.json | 7 - .../api-management/service/product/main.bicep | 103 - .../api-management/service/product/main.json | 395 -- .../service/product/version.json | 7 - .../service/subscription/README.md | 125 - .../service/subscription/main.bicep | 69 - .../service/subscription/main.json | 130 - .../service/subscription/version.json | 7 - .../tests/e2e/defaults/main.test.bicep | 51 - .../service/tests/e2e/max/dependencies.bicep | 16 - .../service/tests/e2e/max/main.test.bicep | 230 - .../tests/e2e/waf-aligned/dependencies.bicep | 16 - .../tests/e2e/waf-aligned/main.test.bicep | 213 - modules/api-management/service/version.json | 7 - .../configuration-store/MOVED-TO-AVM.md | 1 - .../configuration-store/README.md | 1406 +---- .../configuration-store/key-value/README.md | 96 - .../configuration-store/key-value/main.bicep | 55 - .../configuration-store/key-value/main.json | 114 - .../key-value/version.json | 7 - .../configuration-store/main.bicep | 402 -- .../configuration-store/main.json | 1520 ------ .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/encr/dependencies.bicep | 61 - .../tests/e2e/encr/main.test.bicep | 110 - .../tests/e2e/max/dependencies.bicep | 16 - .../tests/e2e/max/main.test.bicep | 135 - .../tests/e2e/pe/dependencies.bicep | 49 - .../tests/e2e/pe/main.test.bicep | 78 - .../tests/e2e/waf-aligned/dependencies.bicep | 16 - .../tests/e2e/waf-aligned/main.test.bicep | 118 - .../configuration-store/version.json | 7 - modules/app/container-app/MOVED-TO-AVM.md | 1 - modules/app/container-app/README.md | 903 +--- modules/app/container-app/main.bicep | 267 - modules/app/container-app/main.json | 510 -- .../tests/e2e/defaults/dependencies.bicep | 17 - .../tests/e2e/defaults/main.test.bicep | 75 - .../tests/e2e/max/dependencies.bicep | 28 - .../tests/e2e/max/main.test.bicep | 110 - .../tests/e2e/waf-aligned/dependencies.bicep | 28 - .../tests/e2e/waf-aligned/main.test.bicep | 110 - modules/app/container-app/version.json | 7 - 
modules/app/job/README.md | 855 +--- modules/app/job/main.bicep | 205 - modules/app/job/main.json | 400 -- .../job/tests/e2e/defaults/dependencies.bicep | 21 - .../job/tests/e2e/defaults/main.test.bicep | 79 - .../app/job/tests/e2e/max/dependencies.bicep | 40 - modules/app/job/tests/e2e/max/main.test.bicep | 124 - .../tests/e2e/waf-aligned/dependencies.bicep | 40 - .../job/tests/e2e/waf-aligned/main.test.bicep | 117 - modules/app/job/version.json | 7 - .../app/managed-environment/MOVED-TO-AVM.md | 1 - modules/app/managed-environment/README.md | 619 +-- modules/app/managed-environment/main.bicep | 200 - modules/app/managed-environment/main.json | 395 -- .../tests/e2e/defaults/dependencies.bicep | 22 - .../tests/e2e/defaults/main.test.bicep | 57 - .../tests/e2e/max/dependencies.bicep | 59 - .../tests/e2e/max/main.test.bicep | 87 - .../tests/e2e/waf-aligned/dependencies.bicep | 59 - .../tests/e2e/waf-aligned/main.test.bicep | 86 - modules/app/managed-environment/version.json | 7 - modules/authorization/lock/README.md | 227 +- modules/authorization/lock/main.bicep | 75 - modules/authorization/lock/main.json | 364 -- .../lock/resource-group/README.md | 84 - .../lock/resource-group/main.bicep | 54 - .../lock/resource-group/main.json | 102 - .../lock/resource-group/version.json | 7 - .../authorization/lock/subscription/README.md | 84 - .../lock/subscription/main.bicep | 54 - .../authorization/lock/subscription/main.json | 102 - .../lock/subscription/version.json | 7 - .../lock/tests/e2e/max/main.test.bicep | 49 - .../tests/e2e/waf-aligned/main.test.bicep | 49 - modules/authorization/lock/version.json | 7 - .../authorization/policy-assignment/README.md | 1164 +---- .../policy-assignment/main.bicep | 171 - .../authorization/policy-assignment/main.json | 1060 ---- .../management-group/README.md | 209 - .../management-group/main.bicep | 128 - .../management-group/main.json | 231 - .../management-group/version.json | 7 - .../resource-group/README.md | 219 - 
.../resource-group/main.bicep | 133 - .../resource-group/main.json | 244 - .../resource-group/version.json | 7 - .../policy-assignment/subscription/README.md | 209 - .../policy-assignment/subscription/main.bicep | 128 - .../policy-assignment/subscription/main.json | 231 - .../subscription/version.json | 7 - .../tests/e2e/mg.common/main.test.bicep | 94 - .../tests/e2e/mg.min/main.test.bicep | 30 - .../tests/e2e/rg.common/dependencies.bicep | 33 - .../tests/e2e/rg.common/main.test.bicep | 121 - .../tests/e2e/rg.min/main.test.bicep | 50 - .../tests/e2e/sub.common/dependencies.bicep | 13 - .../tests/e2e/sub.common/main.test.bicep | 118 - .../tests/e2e/sub.min/main.test.bicep | 33 - .../policy-assignment/version.json | 7 - .../authorization/policy-definition/README.md | 742 +-- .../policy-definition/main.bicep | 104 - .../authorization/policy-definition/main.json | 496 -- .../management-group/README.md | 131 - .../management-group/main.bicep | 77 - .../management-group/main.json | 141 - .../management-group/version.json | 7 - .../policy-definition/subscription/README.md | 131 - .../policy-definition/subscription/main.bicep | 77 - .../policy-definition/subscription/main.json | 141 - .../subscription/version.json | 7 - .../tests/e2e/mg.common/main.test.bicep | 76 - .../tests/e2e/mg.min/main.test.bicep | 48 - .../tests/e2e/sub.common/main.test.bicep | 76 - .../tests/e2e/sub.min/main.test.bicep | 48 - .../policy-definition/version.json | 7 - .../authorization/policy-exemption/README.md | 840 +-- .../authorization/policy-exemption/main.bicep | 137 - .../authorization/policy-exemption/main.json | 808 --- .../management-group/README.md | 162 - .../management-group/main.bicep | 89 - .../management-group/main.json | 165 - .../management-group/version.json | 7 - .../policy-exemption/resource-group/README.md | 154 - .../resource-group/main.bicep | 88 - .../policy-exemption/resource-group/main.json | 164 - .../resource-group/version.json | 7 - 
.../policy-exemption/subscription/README.md | 162 - .../policy-exemption/subscription/main.bicep | 89 - .../policy-exemption/subscription/main.json | 165 - .../subscription/version.json | 7 - .../tests/e2e/mg.common/main.test.bicep | 115 - .../tests/e2e/mg.min/main.test.bicep | 45 - .../tests/e2e/rg.common/main.test.bicep | 124 - .../tests/e2e/rg.min/main.test.bicep | 55 - .../tests/e2e/sub.common/main.test.bicep | 114 - .../tests/e2e/sub.min/main.test.bicep | 45 - .../policy-exemption/version.json | 7 - .../policy-set-definition/README.md | 664 +-- .../policy-set-definition/main.bicep | 93 - .../policy-set-definition/main.json | 447 -- .../management-group/README.md | 119 - .../management-group/main.bicep | 66 - .../management-group/main.json | 126 - .../management-group/version.json | 7 - .../subscription/README.md | 119 - .../subscription/main.bicep | 66 - .../subscription/main.json | 126 - .../subscription/version.json | 7 - .../tests/e2e/mg.common/main.test.bicep | 71 - .../tests/e2e/mg.min/main.test.bicep | 38 - .../tests/e2e/sub.common/main.test.bicep | 71 - .../tests/e2e/sub.min/main.test.bicep | 38 - .../policy-set-definition/version.json | 7 - .../authorization/role-assignment/README.md | 656 +-- .../authorization/role-assignment/main.bicep | 127 - .../authorization/role-assignment/main.json | 750 --- .../management-group/README.md | 146 - .../management-group/main.bicep | 92 - .../management-group/main.json | 160 - .../management-group/version.json | 7 - .../role-assignment/resource-group/README.md | 147 - .../role-assignment/resource-group/main.bicep | 93 - .../role-assignment/resource-group/main.json | 165 - .../resource-group/version.json | 7 - .../role-assignment/subscription/README.md | 146 - .../role-assignment/subscription/main.bicep | 90 - .../role-assignment/subscription/main.json | 159 - .../role-assignment/subscription/version.json | 7 - .../tests/e2e/mg.common/dependencies.bicep | 13 - .../e2e/mg.common/interim.dependencies.bicep | 27 - 
.../tests/e2e/mg.common/main.test.bicep | 53 - .../tests/e2e/mg.min/dependencies.bicep | 13 - .../e2e/mg.min/interim.dependencies.bicep | 27 - .../tests/e2e/mg.min/main.test.bicep | 51 - .../tests/e2e/rg.common/dependencies.bicep | 13 - .../tests/e2e/rg.common/main.test.bicep | 58 - .../tests/e2e/rg.min/dependencies.bicep | 13 - .../tests/e2e/rg.min/main.test.bicep | 57 - .../tests/e2e/sub.common/dependencies.bicep | 13 - .../tests/e2e/sub.common/main.test.bicep | 56 - .../tests/e2e/sub.min/dependencies.bicep | 13 - .../tests/e2e/sub.min/main.test.bicep | 55 - .../role-assignment/version.json | 7 - .../authorization/role-definition/README.md | 720 +-- .../authorization/role-definition/main.bicep | 114 - .../authorization/role-definition/main.json | 664 --- .../management-group/README.md | 112 - .../management-group/main.bicep | 67 - .../management-group/main.json | 128 - .../management-group/version.json | 7 - .../role-definition/resource-group/README.md | 131 - .../role-definition/resource-group/main.bicep | 77 - .../role-definition/resource-group/main.json | 150 - .../resource-group/version.json | 7 - .../role-definition/subscription/README.md | 130 - .../role-definition/subscription/main.bicep | 75 - .../role-definition/subscription/main.json | 144 - .../role-definition/subscription/version.json | 7 - .../tests/e2e/mg.common/main.test.bicep | 39 - .../tests/e2e/mg.min/main.test.bicep | 30 - .../tests/e2e/rg.common/main.test.bicep | 64 - .../tests/e2e/rg.min/main.test.bicep | 49 - .../tests/e2e/sub.common/main.test.bicep | 45 - .../tests/e2e/sub.min/main.test.bicep | 31 - .../role-definition/version.json | 7 - .../automation-account/MOVED-TO-AVM.md | 1 - .../automation/automation-account/README.md | 1808 +------ .../automation-account/job-schedule/README.md | 111 - .../job-schedule/main.bicep | 66 - .../automation-account/job-schedule/main.json | 116 - .../job-schedule/version.json | 7 - .../automation/automation-account/main.bicep | 551 -- 
.../automation/automation-account/main.json | 3078 ----------- .../automation-account/module/README.md | 106 - .../automation-account/module/main.bicep | 65 - .../automation-account/module/main.json | 131 - .../automation-account/module/version.json | 7 - .../automation-account/runbook/README.md | 165 - .../automation-account/runbook/main.bicep | 104 - .../automation-account/runbook/main.json | 191 - .../automation-account/runbook/version.json | 7 - .../automation-account/schedule/README.md | 159 - .../automation-account/schedule/main.bicep | 88 - .../automation-account/schedule/main.json | 155 - .../automation-account/schedule/version.json | 7 - .../software-update-configuration/README.md | 557 -- .../software-update-configuration/main.bicep | 277 - .../software-update-configuration/main.json | 426 -- .../version.json | 7 - .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/encr/dependencies.bicep | 58 - .../tests/e2e/encr/main.test.bicep | 69 - .../tests/e2e/max/dependencies.bicep | 90 - .../tests/e2e/max/main.test.bicep | 272 - .../tests/e2e/waf-aligned/dependencies.bicep | 90 - .../tests/e2e/waf-aligned/main.test.bicep | 255 - .../automation-account/variable/README.md | 152 - .../automation-account/variable/main.bicep | 57 - .../automation-account/variable/main.json | 104 - .../automation-account/variable/version.json | 7 - .../automation-account/version.json | 7 - modules/batch/batch-account/MOVED-TO-AVM.md | 1 - modules/batch/batch-account/README.md | 1289 +---- modules/batch/batch-account/main.bicep | 407 -- modules/batch/batch-account/main.json | 1373 ----- .../tests/e2e/defaults/dependencies.bicep | 17 - .../tests/e2e/defaults/main.test.bicep | 58 - .../tests/e2e/encr/dependencies.bicep | 123 - .../tests/e2e/encr/main.test.bicep | 91 - .../tests/e2e/max/dependencies.bicep | 78 - .../tests/e2e/max/main.test.bicep | 130 - .../tests/e2e/waf-aligned/dependencies.bicep | 78 - .../tests/e2e/waf-aligned/main.test.bicep | 130 - 
modules/batch/batch-account/version.json | 7 - modules/cache/redis-enterprise/README.md | 1189 +---- .../cache/redis-enterprise/database/README.md | 255 - .../redis-enterprise/database/main.bicep | 115 - .../cache/redis-enterprise/database/main.json | 193 - .../redis-enterprise/database/version.json | 7 - modules/cache/redis-enterprise/main.bicep | 328 -- modules/cache/redis-enterprise/main.json | 1451 ------ .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/geo/dependencies.bicep | 59 - .../tests/e2e/geo/main.test.bicep | 91 - .../tests/e2e/max/dependencies.bicep | 60 - .../tests/e2e/max/main.test.bicep | 146 - .../tests/e2e/waf-aligned/dependencies.bicep | 60 - .../tests/e2e/waf-aligned/main.test.bicep | 129 - modules/cache/redis-enterprise/version.json | 7 - modules/cache/redis/MOVED-TO-AVM.md | 1 - modules/cache/redis/README.md | 1229 +---- modules/cache/redis/main.bicep | 410 -- modules/cache/redis/main.json | 1397 ----- .../redis/tests/e2e/defaults/main.test.bicep | 48 - .../redis/tests/e2e/max/dependencies.bicep | 60 - .../cache/redis/tests/e2e/max/main.test.bicep | 121 - .../tests/e2e/waf-aligned/dependencies.bicep | 60 - .../tests/e2e/waf-aligned/main.test.bicep | 121 - modules/cache/redis/version.json | 7 - modules/cdn/profile/MOVED-TO-AVM.md | 1 - modules/cdn/profile/README.md | 873 +--- modules/cdn/profile/afdEndpoint/README.md | 133 - modules/cdn/profile/afdEndpoint/main.bicep | 98 - modules/cdn/profile/afdEndpoint/main.json | 399 -- .../cdn/profile/afdEndpoint/route/README.md | 208 - .../cdn/profile/afdEndpoint/route/main.bicep | 131 - .../cdn/profile/afdEndpoint/route/main.json | 205 - .../profile/afdEndpoint/route/version.json | 7 - modules/cdn/profile/afdEndpoint/version.json | 7 - modules/cdn/profile/customdomain/README.md | 146 - modules/cdn/profile/customdomain/main.bicep | 92 - modules/cdn/profile/customdomain/main.json | 145 - modules/cdn/profile/customdomain/version.json | 7 - modules/cdn/profile/endpoint/README.md | 99 - 
modules/cdn/profile/endpoint/main.bicep | 82 - modules/cdn/profile/endpoint/main.json | 335 -- modules/cdn/profile/endpoint/origin/README.md | 166 - .../cdn/profile/endpoint/origin/main.bicep | 99 - modules/cdn/profile/endpoint/origin/main.json | 159 - .../cdn/profile/endpoint/origin/version.json | 7 - modules/cdn/profile/endpoint/version.json | 7 - modules/cdn/profile/main.bicep | 261 - modules/cdn/profile/main.json | 2151 -------- modules/cdn/profile/origingroup/README.md | 119 - modules/cdn/profile/origingroup/main.bicep | 91 - modules/cdn/profile/origingroup/main.json | 338 -- .../cdn/profile/origingroup/origin/README.md | 161 - .../cdn/profile/origingroup/origin/main.bicep | 91 - .../cdn/profile/origingroup/origin/main.json | 162 - .../profile/origingroup/origin/version.json | 7 - modules/cdn/profile/origingroup/version.json | 7 - modules/cdn/profile/ruleset/README.md | 81 - modules/cdn/profile/ruleset/main.bicep | 60 - modules/cdn/profile/ruleset/main.json | 247 - modules/cdn/profile/ruleset/rule/README.md | 115 - modules/cdn/profile/ruleset/rule/main.bicep | 71 - modules/cdn/profile/ruleset/rule/main.json | 121 - modules/cdn/profile/ruleset/rule/version.json | 7 - modules/cdn/profile/ruleset/version.json | 7 - modules/cdn/profile/secret/README.md | 125 - modules/cdn/profile/secret/main.bicep | 75 - modules/cdn/profile/secret/main.json | 123 - modules/cdn/profile/secret/version.json | 7 - .../profile/tests/e2e/afd/dependencies.bicep | 38 - .../cdn/profile/tests/e2e/afd/main.test.bicep | 142 - .../profile/tests/e2e/max/dependencies.bicep | 38 - .../cdn/profile/tests/e2e/max/main.test.bicep | 112 - .../tests/e2e/waf-aligned/dependencies.bicep | 38 - .../tests/e2e/waf-aligned/main.test.bicep | 95 - modules/cdn/profile/version.json | 7 - .../account/MOVED-TO-AVM.md | 1 - modules/cognitive-services/account/README.md | 1472 +----- modules/cognitive-services/account/main.bicep | 473 -- modules/cognitive-services/account/main.json | 1468 ------ 
.../tests/e2e/defaults/main.test.bicep | 50 - .../account/tests/e2e/encr/dependencies.bicep | 89 - .../account/tests/e2e/encr/main.test.bicep | 72 - .../account/tests/e2e/max/dependencies.bicep | 68 - .../account/tests/e2e/max/main.test.bicep | 138 - .../tests/e2e/speech/dependencies.bicep | 60 - .../account/tests/e2e/speech/main.test.bicep | 82 - .../tests/e2e/waf-aligned/dependencies.bicep | 68 - .../tests/e2e/waf-aligned/main.test.bicep | 138 - .../cognitive-services/account/version.json | 7 - .../compute/availability-set/MOVED-TO-AVM.md | 1 - modules/compute/availability-set/README.md | 490 +- modules/compute/availability-set/main.bicep | 140 - modules/compute/availability-set/main.json | 283 -- .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/max/dependencies.bicep | 24 - .../tests/e2e/max/main.test.bicep | 85 - .../tests/e2e/waf-aligned/dependencies.bicep | 24 - .../tests/e2e/waf-aligned/main.test.bicep | 68 - modules/compute/availability-set/version.json | 7 - .../disk-encryption-set/MOVED-TO-AVM.md | 1 - modules/compute/disk-encryption-set/README.md | 656 +-- .../compute/disk-encryption-set/main.bicep | 210 - modules/compute/disk-encryption-set/main.json | 671 --- .../modules/nested_keyVaultPermissions.bicep | 68 - .../nested_managedIdentityReference.bicep | 12 - .../e2e/accessPolicies/dependencies.bicep | 51 - .../tests/e2e/accessPolicies/main.test.bicep | 89 - .../tests/e2e/max/dependencies.bicep | 51 - .../tests/e2e/max/main.test.bicep | 95 - .../tests/e2e/waf-aligned/dependencies.bicep | 51 - .../tests/e2e/waf-aligned/main.test.bicep | 78 - .../compute/disk-encryption-set/version.json | 7 - modules/compute/disk/MOVED-TO-AVM.md | 1 - modules/compute/disk/README.md | 993 +--- modules/compute/disk/main.bicep | 264 - modules/compute/disk/main.json | 476 -- .../disk/tests/e2e/defaults/main.test.bicep | 50 - .../disk/tests/e2e/image/dependencies.bicep | 13 - .../disk/tests/e2e/image/main.test.bicep | 78 - 
.../disk/tests/e2e/import/dependencies.bicep | 152 - .../tests/e2e/import/dependencies_rbac.bicep | 16 - .../disk/tests/e2e/import/main.test.bicep | 83 - .../disk/tests/e2e/max/dependencies.bicep | 13 - .../disk/tests/e2e/max/main.test.bicep | 89 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 72 - modules/compute/disk/version.json | 7 - modules/compute/gallery/MOVED-TO-AVM.md | 1 - modules/compute/gallery/README.md | 951 +--- modules/compute/gallery/application/README.md | 352 -- .../compute/gallery/application/main.bicep | 140 - modules/compute/gallery/application/main.json | 281 - .../compute/gallery/application/version.json | 7 - modules/compute/gallery/image/README.md | 423 -- modules/compute/gallery/image/main.bicep | 263 - modules/compute/gallery/image/main.json | 442 -- modules/compute/gallery/image/version.json | 7 - modules/compute/gallery/main.bicep | 185 - modules/compute/gallery/main.json | 1091 ---- .../tests/e2e/defaults/main.test.bicep | 49 - .../gallery/tests/e2e/max/dependencies.bicep | 13 - .../gallery/tests/e2e/max/main.test.bicep | 200 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 183 - modules/compute/gallery/version.json | 7 - modules/compute/image/MOVED-TO-AVM.md | 1 - modules/compute/image/README.md | 540 +- modules/compute/image/main.bicep | 170 - modules/compute/image/main.json | 320 -- .../image/tests/e2e/max/dependencies.bicep | 218 - .../tests/e2e/max/dependencies_rbac.bicep | 16 - .../image/tests/e2e/max/main.test.bicep | 97 - .../tests/e2e/waf-aligned/dependencies.bicep | 218 - .../e2e/waf-aligned/dependencies_rbac.bicep | 16 - .../tests/e2e/waf-aligned/main.test.bicep | 80 - modules/compute/image/version.json | 7 - .../proximity-placement-group/MOVED-TO-AVM.md | 1 - .../proximity-placement-group/README.md | 569 +-- .../proximity-placement-group/main.bicep | 139 - .../proximity-placement-group/main.json | 285 -- 
.../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/max/dependencies.bicep | 13 - .../tests/e2e/max/main.test.bicep | 99 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 82 - .../proximity-placement-group/version.json | 7 - .../compute/ssh-public-key/MOVED-TO-AVM.md | 1 - modules/compute/ssh-public-key/README.md | 385 +- modules/compute/ssh-public-key/main.bicep | 125 - modules/compute/ssh-public-key/main.json | 257 - .../tests/e2e/defaults/main.test.bicep | 48 - .../tests/e2e/max/dependencies.bicep | 61 - .../tests/e2e/max/main.test.bicep | 61 - .../tests/e2e/waf-aligned/dependencies.bicep | 61 - .../tests/e2e/waf-aligned/main.test.bicep | 61 - modules/compute/ssh-public-key/version.json | 7 - .../virtual-machine-scale-set/README.md | 2778 +--------- .../extension/README.md | 147 - .../extension/main.bicep | 81 - .../extension/main.json | 148 - .../extension/version.json | 7 - .../virtual-machine-scale-set/main.bicep | 726 --- .../virtual-machine-scale-set/main.json | 2522 --------- .../tests/e2e/linux.min/dependencies.bicep | 86 - .../tests/e2e/linux.min/main.test.bicep | 95 - .../tests/e2e/linux.ssecmk/dependencies.bicep | 148 - .../tests/e2e/linux.ssecmk/main.test.bicep | 126 - .../tests/e2e/linux/dependencies.bicep | 193 - .../tests/e2e/linux/main.test.bicep | 210 - .../tests/e2e/windows.min/dependencies.bicep | 30 - .../tests/e2e/windows.min/main.test.bicep | 90 - .../tests/e2e/windows/dependencies.bicep | 166 - .../tests/e2e/windows/main.test.bicep | 206 - .../virtual-machine-scale-set/version.json | 7 - .../compute/virtual-machine/MOVED-TO-AVM.md | 1 - modules/compute/virtual-machine/README.md | 3555 +------------ .../virtual-machine/extension/README.md | 165 - .../virtual-machine/extension/main.bicep | 92 - .../virtual-machine/extension/main.json | 181 - .../virtual-machine/extension/version.json | 7 - modules/compute/virtual-machine/main.bicep | 771 --- modules/compute/virtual-machine/main.json | 
4524 ----------------- .../modules/nested_networkInterface.bicep | 147 - .../tests/e2e/linux.atmg/dependencies.bicep | 86 - .../tests/e2e/linux.atmg/main.test.bicep | 123 - .../tests/e2e/linux.min/dependencies.bicep | 86 - .../tests/e2e/linux.min/main.test.bicep | 102 - .../tests/e2e/linux/dependencies.bicep | 337 -- .../tests/e2e/linux/main.test.bicep | 314 -- .../tests/e2e/windows.atmg/dependencies.bicep | 30 - .../tests/e2e/windows.atmg/main.test.bicep | 92 - .../tests/e2e/windows.min/dependencies.bicep | 30 - .../tests/e2e/windows.min/main.test.bicep | 85 - .../e2e/windows.ssecmk/dependencies.bicep | 92 - .../tests/e2e/windows.ssecmk/main.test.bicep | 110 - .../tests/e2e/windows/dependencies.bicep | 310 -- .../tests/e2e/windows/main.test.bicep | 332 -- modules/compute/virtual-machine/version.json | 7 - modules/consumption/budget/MOVED-TO-AVM.md | 1 - modules/consumption/budget/README.md | 408 +- modules/consumption/budget/main.bicep | 111 - modules/consumption/budget/main.json | 193 - .../budget/tests/e2e/defaults/main.test.bicep | 34 - .../budget/tests/e2e/max/main.test.bicep | 41 - .../tests/e2e/waf-aligned/main.test.bicep | 41 - modules/consumption/budget/version.json | 7 - .../container-group/README.md | 1470 +----- .../container-group/main.bicep | 218 - .../container-group/main.json | 382 -- .../tests/e2e/defaults/main.test.bicep | 75 - .../tests/e2e/encr/dependencies.bicep | 60 - .../tests/e2e/encr/main.test.bicep | 135 - .../tests/e2e/max/dependencies.bicep | 13 - .../tests/e2e/max/main.test.bicep | 128 - .../tests/e2e/private/dependencies.bicep | 49 - .../tests/e2e/private/main.test.bicep | 144 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 128 - .../container-group/version.json | 7 - .../registry/MOVED-TO-AVM.md | 1 - modules/container-registry/registry/README.md | 1657 +----- .../registry/cache-rules/README.md | 93 - .../registry/cache-rules/main.bicep | 56 - .../registry/cache-rules/main.json | 105 - 
.../registry/cache-rules/version.json | 8 - .../container-registry/registry/main.bicep | 543 -- modules/container-registry/registry/main.json | 2058 -------- .../registry/replication/README.md | 114 - .../registry/replication/main.bicep | 67 - .../registry/replication/main.json | 134 - .../registry/replication/version.json | 7 - .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/encr/dependencies.bicep | 87 - .../registry/tests/e2e/encr/main.test.bicep | 77 - .../registry/tests/e2e/max/dependencies.bicep | 99 - .../registry/tests/e2e/max/main.test.bicep | 171 - .../registry/tests/e2e/pe/dependencies.bicep | 49 - .../registry/tests/e2e/pe/main.test.bicep | 73 - .../tests/e2e/waf-aligned/dependencies.bicep | 99 - .../tests/e2e/waf-aligned/main.test.bicep | 154 - .../container-registry/registry/version.json | 7 - .../registry/webhook/README.md | 153 - .../registry/webhook/main.bicep | 96 - .../registry/webhook/main.json | 187 - .../registry/webhook/version.json | 7 - .../managed-cluster/MOVED-TO-AVM.md | 1 - .../managed-cluster/README.md | 2504 +-------- .../managed-cluster/agent-pool/README.md | 435 -- .../managed-cluster/agent-pool/main.bicep | 228 - .../managed-cluster/agent-pool/main.json | 411 -- .../managed-cluster/agent-pool/version.json | 7 - .../managed-cluster/main.bicep | 864 ---- .../managed-cluster/main.json | 2280 --------- .../tests/e2e/azure/dependencies.bicep | 187 - .../tests/e2e/azure/main.test.bicep | 283 -- .../tests/e2e/defaults/main.test.bicep | 55 - .../tests/e2e/kubenet/dependencies.bicep | 27 - .../tests/e2e/kubenet/main.test.bicep | 180 - .../tests/e2e/priv/dependencies.bicep | 91 - .../tests/e2e/priv/main.test.bicep | 171 - .../managed-cluster/version.json | 7 - modules/data-factory/factory/MOVED-TO-AVM.md | 1 - modules/data-factory/factory/README.md | 1384 +---- .../factory/integration-runtime/README.md | 138 - .../factory/integration-runtime/main.bicep | 67 - .../factory/integration-runtime/main.json | 110 - 
.../factory/integration-runtime/version.json | 7 - modules/data-factory/factory/main.bicep | 430 -- modules/data-factory/factory/main.json | 1811 ------- .../factory/managed-virtual-network/README.md | 133 - .../managed-virtual-network/main.bicep | 61 - .../factory/managed-virtual-network/main.json | 236 - .../managed-private-endpoint/README.md | 103 - .../managed-private-endpoint/main.bicep | 63 - .../managed-private-endpoint/main.json | 108 - .../managed-private-endpoint/version.json | 7 - .../managed-virtual-network/version.json | 7 - .../tests/e2e/defaults/main.test.bicep | 49 - .../factory/tests/e2e/max/dependencies.bicep | 135 - .../factory/tests/e2e/max/main.test.bicep | 172 - .../tests/e2e/waf-aligned/dependencies.bicep | 135 - .../tests/e2e/waf-aligned/main.test.bicep | 155 - modules/data-factory/factory/version.json | 7 - .../backup-vault/MOVED-TO-AVM.md | 1 - .../data-protection/backup-vault/README.md | 972 +--- .../backup-vault/backup-policy/README.md | 217 - .../backup-vault/backup-policy/main.bicep | 46 - .../backup-vault/backup-policy/main.json | 88 - .../backup-vault/backup-policy/version.json | 7 - .../data-protection/backup-vault/main.bicep | 195 - .../data-protection/backup-vault/main.json | 470 -- .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/max/dependencies.bicep | 16 - .../tests/e2e/max/main.test.bicep | 149 - .../tests/e2e/waf-aligned/dependencies.bicep | 16 - .../tests/e2e/waf-aligned/main.test.bicep | 132 - .../data-protection/backup-vault/version.json | 7 - .../access-connector/MOVED-TO-AVM.md | 1 - modules/databricks/access-connector/README.md | 512 +- .../databricks/access-connector/main.bicep | 140 - modules/databricks/access-connector/main.json | 287 -- .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/max/dependencies.bicep | 16 - .../tests/e2e/max/main.test.bicep | 90 - .../tests/e2e/waf-aligned/dependencies.bicep | 16 - .../tests/e2e/waf-aligned/main.test.bicep | 73 - 
.../databricks/access-connector/version.json | 7 - modules/databricks/workspace/MOVED-TO-AVM.md | 1 - modules/databricks/workspace/README.md | 1466 +----- modules/databricks/workspace/main.bicep | 487 -- modules/databricks/workspace/main.json | 1439 ------ .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/max/dependencies.bicep | 368 -- .../workspace/tests/e2e/max/main.test.bicep | 167 - .../tests/e2e/waf-aligned/dependencies.bicep | 368 -- .../tests/e2e/waf-aligned/main.test.bicep | 150 - modules/databricks/workspace/version.json | 7 - .../flexible-server/MOVED-TO-AVM.md | 1 - .../db-for-my-sql/flexible-server/README.md | 1289 +---- .../flexible-server/administrator/README.md | 105 - .../flexible-server/administrator/main.bicep | 61 - .../flexible-server/administrator/main.json | 112 - .../administrator/version.json | 7 - .../flexible-server/database/README.md | 98 - .../flexible-server/database/main.bicep | 55 - .../flexible-server/database/main.json | 104 - .../flexible-server/database/version.json | 7 - .../flexible-server/firewall-rule/README.md | 87 - .../flexible-server/firewall-rule/main.bicep | 52 - .../flexible-server/firewall-rule/main.json | 95 - .../firewall-rule/version.json | 7 - .../db-for-my-sql/flexible-server/main.bicep | 459 -- .../db-for-my-sql/flexible-server/main.json | 1177 ----- .../tests/e2e/defaults/main.test.bicep | 57 - .../tests/e2e/private/dependencies.bicep | 74 - .../tests/e2e/private/main.test.bicep | 144 - .../tests/e2e/public/dependencies1.bicep | 46 - .../tests/e2e/public/dependencies2.bicep | 120 - .../tests/e2e/public/main.test.bicep | 179 - .../flexible-server/version.json | 7 - .../flexible-server/MOVED-TO-AVM.md | 1 - .../flexible-server/README.md | 1144 +---- .../flexible-server/administrator/README.md | 114 - .../flexible-server/administrator/main.bicep | 65 - .../flexible-server/administrator/main.json | 116 - .../administrator/version.json | 7 - .../flexible-server/configuration/README.md | 98 - 
.../flexible-server/configuration/main.bicep | 55 - .../flexible-server/configuration/main.json | 104 - .../configuration/version.json | 7 - .../flexible-server/database/README.md | 98 - .../flexible-server/database/main.bicep | 55 - .../flexible-server/database/main.json | 104 - .../flexible-server/database/version.json | 7 - .../flexible-server/firewall-rule/README.md | 87 - .../flexible-server/firewall-rule/main.bicep | 52 - .../flexible-server/firewall-rule/main.json | 95 - .../firewall-rule/version.json | 7 - .../flexible-server/main.bicep | 454 -- .../flexible-server/main.json | 1277 ----- .../tests/e2e/defaults/main.test.bicep | 57 - .../tests/e2e/private/dependencies.bicep | 68 - .../tests/e2e/private/main.test.bicep | 121 - .../tests/e2e/public/dependencies.bicep | 64 - .../tests/e2e/public/main.test.bicep | 152 - .../flexible-server/version.json | 7 - .../application-group/MOVED-TO-AVM.md | 1 - .../application-group/README.md | 746 +-- .../application-group/application/README.md | 149 - .../application-group/application/main.bicep | 81 - .../application-group/application/main.json | 148 - .../application/version.json | 7 - .../application-group/main.bicep | 234 - .../application-group/main.json | 618 --- .../tests/e2e/defaults/dependencies.bicep | 18 - .../tests/e2e/defaults/main.test.bicep | 59 - .../tests/e2e/max/dependencies.bicep | 29 - .../tests/e2e/max/main.test.bicep | 130 - .../tests/e2e/waf-aligned/dependencies.bicep | 29 - .../tests/e2e/waf-aligned/main.test.bicep | 113 - .../application-group/version.json | 7 - .../host-pool/MOVED-TO-AVM.md | 1 - .../host-pool/README.md | 1078 +--- .../host-pool/main.bicep | 343 -- .../host-pool/main.json | 636 --- .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/max/dependencies.bicep | 13 - .../host-pool/tests/e2e/max/main.test.bicep | 146 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 129 - .../host-pool/version.json | 7 - 
.../scaling-plan/MOVED-TO-AVM.md | 1 - .../scaling-plan/README.md | 812 +-- .../scaling-plan/main.bicep | 237 - .../scaling-plan/main.json | 433 -- .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/max/dependencies.bicep | 13 - .../tests/e2e/max/main.test.bicep | 144 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 127 - .../scaling-plan/version.json | 7 - .../workspace/MOVED-TO-AVM.md | 1 - .../workspace/README.md | 638 +-- .../workspace/main.bicep | 199 - .../workspace/main.json | 403 -- .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/max/dependencies.bicep | 41 - .../workspace/tests/e2e/max/main.test.bicep | 114 - .../tests/e2e/waf-aligned/dependencies.bicep | 41 - .../tests/e2e/waf-aligned/main.test.bicep | 97 - .../workspace/version.json | 7 - modules/dev-test-lab/lab/MOVED-TO-AVM.md | 1 - modules/dev-test-lab/lab/README.md | 1633 +----- .../dev-test-lab/lab/artifactsource/README.md | 168 - .../lab/artifactsource/main.bicep | 93 - .../dev-test-lab/lab/artifactsource/main.json | 172 - .../lab/artifactsource/version.json | 7 - modules/dev-test-lab/lab/cost/README.md | 300 -- modules/dev-test-lab/lab/cost/main.bicep | 195 - modules/dev-test-lab/lab/cost/main.json | 304 -- modules/dev-test-lab/lab/cost/version.json | 7 - modules/dev-test-lab/lab/main.bicep | 362 -- modules/dev-test-lab/lab/main.json | 1835 ------- .../lab/notificationchannel/README.md | 133 - .../lab/notificationchannel/main.bicep | 74 - .../lab/notificationchannel/main.json | 143 - .../lab/notificationchannel/version.json | 7 - .../lab/policyset/policy/README.md | 171 - .../lab/policyset/policy/main.bicep | 101 - .../lab/policyset/policy/main.json | 161 - .../lab/policyset/policy/version.json | 7 - modules/dev-test-lab/lab/schedule/README.md | 189 - modules/dev-test-lab/lab/schedule/main.bicep | 104 - modules/dev-test-lab/lab/schedule/main.json | 185 - .../dev-test-lab/lab/schedule/version.json | 7 - 
.../lab/tests/e2e/defaults/main.test.bicep | 49 - .../lab/tests/e2e/max/dependencies.bicep | 134 - .../lab/tests/e2e/max/main.test.bicep | 297 -- .../tests/e2e/waf-aligned/dependencies.bicep | 134 - .../lab/tests/e2e/waf-aligned/main.test.bicep | 280 - modules/dev-test-lab/lab/version.json | 7 - .../dev-test-lab/lab/virtualnetwork/README.md | 116 - .../lab/virtualnetwork/main.bicep | 66 - .../dev-test-lab/lab/virtualnetwork/main.json | 130 - .../lab/virtualnetwork/version.json | 7 - .../digital-twins-instance/README.md | 1078 +--- .../endpoint--event-grid/README.md | 106 - .../endpoint--event-grid/main.bicep | 64 - .../endpoint--event-grid/main.json | 115 - .../endpoint--event-grid/version.json | 7 - .../endpoint--event-hub/README.md | 166 - .../endpoint--event-hub/main.bicep | 101 - .../endpoint--event-hub/main.json | 185 - .../endpoint--event-hub/version.json | 7 - .../endpoint--service-bus/README.md | 166 - .../endpoint--service-bus/main.bicep | 101 - .../endpoint--service-bus/main.json | 185 - .../endpoint--service-bus/version.json | 7 - .../digital-twins-instance/main.bicep | 377 -- .../digital-twins-instance/main.json | 1843 ------- .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/max/dependencies.bicep | 162 - .../tests/e2e/max/main.test.bicep | 140 - .../tests/e2e/waf-aligned/dependencies.bicep | 162 - .../tests/e2e/waf-aligned/main.test.bicep | 139 - .../digital-twins-instance/version.json | 7 - .../database-account/MOVED-TO-AVM.md | 1 - .../document-db/database-account/README.md | 2123 +------- .../gremlin-database/README.md | 166 - .../gremlin-database/graph/README.md | 139 - .../gremlin-database/graph/main.bicep | 68 - .../gremlin-database/graph/main.json | 135 - .../gremlin-database/graph/version.json | 7 - .../gremlin-database/main.bicep | 94 - .../gremlin-database/main.json | 321 -- .../gremlin-database/version.json | 7 - .../document-db/database-account/main.bicep | 503 -- .../document-db/database-account/main.json | 2477 --------- 
.../mongodb-database/README.md | 98 - .../mongodb-database/collection/README.md | 237 - .../mongodb-database/collection/main.bicep | 68 - .../mongodb-database/collection/main.json | 112 - .../mongodb-database/collection/version.json | 7 - .../mongodb-database/main.bicep | 74 - .../mongodb-database/main.json | 270 - .../mongodb-database/version.json | 7 - .../database-account/sql-database/README.md | 107 - .../sql-database/container/README.md | 221 - .../sql-database/container/main.bicep | 110 - .../sql-database/container/main.json | 198 - .../sql-database/container/version.json | 7 - .../database-account/sql-database/main.bicep | 87 - .../database-account/sql-database/main.json | 366 -- .../sql-database/version.json | 7 - .../tests/e2e/gremlindb/dependencies.bicep | 49 - .../tests/e2e/gremlindb/main.test.bicep | 171 - .../tests/e2e/mongodb/dependencies.bicep | 49 - .../tests/e2e/mongodb/main.test.bicep | 304 -- .../tests/e2e/plain/dependencies.bicep | 49 - .../tests/e2e/plain/main.test.bicep | 120 - .../tests/e2e/sqldb/dependencies.bicep | 99 - .../tests/e2e/sqldb/main.test.bicep | 213 - .../document-db/database-account/version.json | 7 - modules/event-grid/domain/MOVED-TO-AVM.md | 1 - modules/event-grid/domain/README.md | 1094 +--- modules/event-grid/domain/main.bicep | 321 -- modules/event-grid/domain/main.json | 1348 ----- .../domain/tests/e2e/defaults/main.test.bicep | 49 - .../domain/tests/e2e/max/dependencies.bicep | 60 - .../domain/tests/e2e/max/main.test.bicep | 125 - .../domain/tests/e2e/pe/dependencies.bicep | 49 - .../domain/tests/e2e/pe/main.test.bicep | 72 - .../tests/e2e/waf-aligned/dependencies.bicep | 60 - .../tests/e2e/waf-aligned/main.test.bicep | 125 - modules/event-grid/domain/topic/README.md | 80 - modules/event-grid/domain/topic/main.bicep | 45 - modules/event-grid/domain/topic/main.json | 86 - modules/event-grid/domain/topic/version.json | 7 - modules/event-grid/domain/version.json | 7 - .../event-grid/system-topic/MOVED-TO-AVM.md | 1 - 
modules/event-grid/system-topic/README.md | 791 +-- .../system-topic/event-subscription/README.md | 165 - .../event-subscription/main.bicep | 94 - .../system-topic/event-subscription/main.json | 172 - .../event-subscription/version.json | 7 - modules/event-grid/system-topic/main.bicep | 243 - modules/event-grid/system-topic/main.json | 659 --- .../tests/e2e/defaults/dependencies.bicep | 17 - .../tests/e2e/defaults/main.test.bicep | 73 - .../tests/e2e/max/dependencies.bicep | 42 - .../tests/e2e/max/main.test.bicep | 130 - .../tests/e2e/waf-aligned/dependencies.bicep | 42 - .../tests/e2e/waf-aligned/main.test.bicep | 130 - modules/event-grid/system-topic/version.json | 7 - modules/event-grid/topic/MOVED-TO-AVM.md | 1 - modules/event-grid/topic/README.md | 1160 +---- .../topic/event-subscription/README.md | 165 - .../topic/event-subscription/main.bicep | 94 - .../topic/event-subscription/main.json | 172 - .../topic/event-subscription/version.json | 7 - modules/event-grid/topic/main.bicep | 323 -- modules/event-grid/topic/main.json | 1425 ------ .../topic/tests/e2e/defaults/main.test.bicep | 49 - .../topic/tests/e2e/max/dependencies.bicep | 89 - .../topic/tests/e2e/max/main.test.bicep | 146 - .../topic/tests/e2e/pe/dependencies.bicep | 49 - .../topic/tests/e2e/pe/main.test.bicep | 72 - .../tests/e2e/waf-aligned/dependencies.bicep | 89 - .../tests/e2e/waf-aligned/main.test.bicep | 146 - modules/event-grid/topic/version.json | 7 - modules/event-hub/namespace/README.md | 1857 +------ .../namespace/authorization-rule/README.md | 88 - .../namespace/authorization-rule/main.bicep | 53 - .../namespace/authorization-rule/main.json | 94 - .../namespace/authorization-rule/version.json | 7 - .../disaster-recovery-config/README.md | 80 - .../disaster-recovery-config/main.bicep | 48 - .../disaster-recovery-config/main.json | 89 - .../disaster-recovery-config/version.json | 7 - .../event-hub/namespace/eventhub/README.md | 403 -- .../eventhub/authorization-rule/README.md | 96 - 
.../eventhub/authorization-rule/main.bicep | 60 - .../eventhub/authorization-rule/main.json | 100 - .../eventhub/authorization-rule/version.json | 7 - .../eventhub/consumergroup/README.md | 88 - .../eventhub/consumergroup/main.bicep | 55 - .../eventhub/consumergroup/main.json | 95 - .../eventhub/consumergroup/version.json | 7 - .../event-hub/namespace/eventhub/main.bicep | 269 - .../event-hub/namespace/eventhub/main.json | 702 --- .../event-hub/namespace/eventhub/version.json | 7 - modules/event-hub/namespace/main.bicep | 509 -- modules/event-hub/namespace/main.json | 2595 ---------- .../namespace/network-rule-set/README.md | 117 - .../namespace/network-rule-set/main.bicep | 76 - .../namespace/network-rule-set/main.json | 135 - .../namespace/network-rule-set/version.json | 7 - .../tests/e2e/defaults/main.test.bicep | 48 - .../tests/e2e/encr/dependencies.bicep | 90 - .../namespace/tests/e2e/encr/main.test.bicep | 78 - .../tests/e2e/max/dependencies.bicep | 83 - .../namespace/tests/e2e/max/main.test.bicep | 239 - .../namespace/tests/e2e/pe/dependencies.bicep | 54 - .../namespace/tests/e2e/pe/main.test.bicep | 74 - .../tests/e2e/waf-aligned/dependencies.bicep | 83 - .../tests/e2e/waf-aligned/main.test.bicep | 221 - modules/event-hub/namespace/version.json | 7 - modules/health-bot/health-bot/MOVED-TO-AVM.md | 1 - modules/health-bot/health-bot/README.md | 519 +- modules/health-bot/health-bot/main.bicep | 145 - modules/health-bot/health-bot/main.json | 286 -- .../tests/e2e/defaults/main.test.bicep | 50 - .../tests/e2e/max/dependencies.bicep | 16 - .../health-bot/tests/e2e/max/main.test.bicep | 89 - .../tests/e2e/waf-aligned/dependencies.bicep | 16 - .../tests/e2e/waf-aligned/main.test.bicep | 72 - modules/health-bot/health-bot/version.json | 7 - .../healthcare-apis/workspace/MOVED-TO-AVM.md | 1 - modules/healthcare-apis/workspace/README.md | 978 +--- .../workspace/dicomservice/README.md | 322 -- .../workspace/dicomservice/main.bicep | 210 - 
.../workspace/dicomservice/main.json | 400 -- .../workspace/dicomservice/version.json | 7 - .../workspace/fhirservice/README.md | 589 --- .../workspace/fhirservice/main.bicep | 347 -- .../workspace/fhirservice/main.json | 650 --- .../workspace/fhirservice/version.json | 7 - .../workspace/iotconnector/README.md | 441 -- .../iotconnector/fhirdestination/README.md | 198 - .../iotconnector/fhirdestination/main.bicep | 86 - .../iotconnector/fhirdestination/main.json | 142 - .../iotconnector/fhirdestination/version.json | 7 - .../workspace/iotconnector/main.bicep | 220 - .../workspace/iotconnector/main.json | 569 --- .../workspace/iotconnector/version.json | 7 - modules/healthcare-apis/workspace/main.bicep | 227 - modules/healthcare-apis/workspace/main.json | 2075 -------- .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/max/dependencies.bicep | 74 - .../workspace/tests/e2e/max/main.test.bicep | 179 - .../tests/e2e/waf-aligned/dependencies.bicep | 74 - .../tests/e2e/waf-aligned/main.test.bicep | 162 - .../healthcare-apis/workspace/version.json | 7 - modules/insights/action-group/MOVED-TO-AVM.md | 1 - modules/insights/action-group/README.md | 601 +-- modules/insights/action-group/main.bicep | 146 - modules/insights/action-group/main.json | 299 -- .../tests/e2e/defaults/main.test.bicep | 50 - .../tests/e2e/max/dependencies.bicep | 13 - .../tests/e2e/max/main.test.bicep | 89 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 89 - modules/insights/action-group/version.json | 7 - .../activity-log-alert/MOVED-TO-AVM.md | 1 - modules/insights/activity-log-alert/README.md | 560 +- .../insights/activity-log-alert/main.bicep | 129 - modules/insights/activity-log-alert/main.json | 259 - .../tests/e2e/max/dependencies.bicep | 28 - .../tests/e2e/max/main.test.bicep | 120 - .../tests/e2e/waf-aligned/dependencies.bicep | 28 - .../tests/e2e/waf-aligned/main.test.bicep | 103 - .../insights/activity-log-alert/version.json | 7 - 
modules/insights/component/MOVED-TO-AVM.md | 1 - modules/insights/component/README.md | 648 +-- modules/insights/component/main.bicep | 223 - modules/insights/component/main.json | 433 -- .../tests/e2e/defaults/dependencies.bicep | 13 - .../tests/e2e/defaults/main.test.bicep | 58 - .../tests/e2e/max/dependencies.bicep | 13 - .../component/tests/e2e/max/main.test.bicep | 98 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 98 - modules/insights/component/version.json | 7 - .../data-collection-endpoint/MOVED-TO-AVM.md | 1 - .../data-collection-endpoint/README.md | 490 +- .../data-collection-endpoint/main.bicep | 149 - .../data-collection-endpoint/main.json | 275 - .../tests/e2e/defaults/main.test.bicep | 48 - .../tests/e2e/max/dependencies.bicep | 13 - .../tests/e2e/max/main.test.bicep | 75 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 75 - .../data-collection-endpoint/version.json | 7 - .../data-collection-rule/MOVED-TO-AVM.md | 1 - .../insights/data-collection-rule/README.md | 1737 +------ .../insights/data-collection-rule/main.bicep | 163 - .../insights/data-collection-rule/main.json | 306 -- .../tests/e2e/customadv/dependencies.bicep | 79 - .../tests/e2e/customadv/main.test.bicep | 145 - .../tests/e2e/custombasic/dependencies.bicep | 63 - .../tests/e2e/custombasic/main.test.bicep | 129 - .../tests/e2e/customiis/dependencies.bicep | 44 - .../tests/e2e/customiis/main.test.bicep | 108 - .../tests/e2e/defaults/main.test.bicep | 87 - .../tests/e2e/linux/dependencies.bicep | 27 - .../tests/e2e/linux/main.test.bicep | 221 - .../tests/e2e/windows/dependencies.bicep | 27 - .../tests/e2e/windows/main.test.bicep | 175 - .../data-collection-rule/version.json | 7 - .../diagnostic-setting/MOVED-TO-AVM.md | 1 - modules/insights/diagnostic-setting/README.md | 330 +- .../insights/diagnostic-setting/main.bicep | 111 - modules/insights/diagnostic-setting/main.json | 201 - 
.../tests/e2e/max/main.test.bicep | 71 - .../tests/e2e/waf-aligned/main.test.bicep | 71 - .../insights/diagnostic-setting/version.json | 7 - modules/insights/metric-alert/MOVED-TO-AVM.md | 1 - modules/insights/metric-alert/README.md | 593 +-- modules/insights/metric-alert/main.bicep | 184 - modules/insights/metric-alert/main.json | 342 -- .../tests/e2e/max/dependencies.bicep | 29 - .../tests/e2e/max/main.test.bicep | 98 - .../tests/e2e/waf-aligned/dependencies.bicep | 29 - .../tests/e2e/waf-aligned/main.test.bicep | 81 - modules/insights/metric-alert/version.json | 7 - .../private-link-scope/MOVED-TO-AVM.md | 1 - modules/insights/private-link-scope/README.md | 896 +--- .../insights/private-link-scope/main.bicep | 268 - modules/insights/private-link-scope/main.json | 1268 ----- .../scoped-resource/README.md | 79 - .../scoped-resource/main.bicep | 50 - .../scoped-resource/main.json | 90 - .../scoped-resource/version.json | 7 - .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/max/dependencies.bicep | 71 - .../tests/e2e/max/main.test.bicep | 111 - .../tests/e2e/waf-aligned/dependencies.bicep | 71 - .../tests/e2e/waf-aligned/main.test.bicep | 94 - .../insights/private-link-scope/version.json | 7 - .../scheduled-query-rule/MOVED-TO-AVM.md | 1 - .../insights/scheduled-query-rule/README.md | 656 +-- .../insights/scheduled-query-rule/main.bicep | 169 - .../insights/scheduled-query-rule/main.json | 329 -- .../tests/e2e/max/dependencies.bicep | 24 - .../tests/e2e/max/main.test.bicep | 116 - .../tests/e2e/waf-aligned/dependencies.bicep | 24 - .../tests/e2e/waf-aligned/main.test.bicep | 99 - .../scheduled-query-rule/version.json | 7 - modules/insights/webtest/MOVED-TO-AVM.md | 1 - modules/insights/webtest/README.md | 623 +-- modules/insights/webtest/main.bicep | 188 - modules/insights/webtest/main.json | 363 -- .../tests/e2e/defaults/dependencies.bicep | 26 - .../tests/e2e/defaults/main.test.bicep | 68 - .../webtest/tests/e2e/max/dependencies.bicep | 26 - 
.../webtest/tests/e2e/max/main.test.bicep | 78 - .../tests/e2e/waf-aligned/dependencies.bicep | 26 - .../tests/e2e/waf-aligned/main.test.bicep | 78 - modules/insights/webtest/version.json | 7 - modules/key-vault/vault/MOVED-TO-AVM.md | 1 - modules/key-vault/vault/README.md | 1755 +------ .../key-vault/vault/access-policy/README.md | 67 - .../key-vault/vault/access-policy/main.bicep | 52 - .../key-vault/vault/access-policy/main.json | 97 - .../vault/access-policy/version.json | 7 - modules/key-vault/vault/key/README.md | 352 -- modules/key-vault/vault/key/main.bicep | 163 - modules/key-vault/vault/key/main.json | 300 -- modules/key-vault/vault/key/version.json | 7 - modules/key-vault/vault/main.bicep | 435 -- modules/key-vault/vault/main.json | 2093 -------- modules/key-vault/vault/secret/README.md | 214 - modules/key-vault/vault/secret/main.bicep | 133 - modules/key-vault/vault/secret/main.json | 254 - modules/key-vault/vault/secret/version.json | 7 - .../e2e/accesspolicies/dependencies.bicep | 46 - .../tests/e2e/accesspolicies/main.test.bicep | 135 - .../vault/tests/e2e/defaults/main.test.bicep | 51 - .../vault/tests/e2e/max/dependencies.bicep | 65 - .../vault/tests/e2e/max/main.test.bicep | 190 - .../vault/tests/e2e/pe/dependencies.bicep | 54 - .../vault/tests/e2e/pe/main.test.bicep | 138 - .../tests/e2e/waf-aligned/dependencies.bicep | 65 - .../tests/e2e/waf-aligned/main.test.bicep | 190 - modules/key-vault/vault/version.json | 7 - .../extension/MOVED-TO-AVM.md | 1 - .../extension/README.md | 500 +- .../extension/main.bicep | 106 - .../extension/main.json | 350 -- .../tests/e2e/defaults/dependencies.bicep | 32 - .../tests/e2e/defaults/main.test.bicep | 62 - .../tests/e2e/max/dependencies.bicep | 32 - .../extension/tests/e2e/max/main.test.bicep | 95 - .../tests/e2e/waf-aligned/dependencies.bicep | 32 - .../tests/e2e/waf-aligned/main.test.bicep | 95 - .../extension/version.json | 7 - .../flux-configuration/MOVED-TO-AVM.md | 1 - .../flux-configuration/README.md | 
513 +- .../flux-configuration/main.bicep | 88 - .../flux-configuration/main.json | 157 - .../tests/e2e/defaults/dependencies.bicep | 49 - .../tests/e2e/defaults/main.test.bicep | 88 - .../tests/e2e/max/dependencies.bicep | 49 - .../tests/e2e/max/main.test.bicep | 82 - .../tests/e2e/waf-aligned/dependencies.bicep | 49 - .../tests/e2e/waf-aligned/main.test.bicep | 82 - .../flux-configuration/version.json | 7 - modules/logic/workflow/MOVED-TO-AVM.md | 1 - modules/logic/workflow/README.md | 979 +--- modules/logic/workflow/main.bicep | 289 -- modules/logic/workflow/main.json | 561 -- .../workflow/tests/e2e/max/dependencies.bicep | 16 - .../workflow/tests/e2e/max/main.test.bicep | 137 - .../tests/e2e/waf-aligned/dependencies.bicep | 16 - .../tests/e2e/waf-aligned/main.test.bicep | 137 - modules/logic/workflow/version.json | 7 - .../workspace/MOVED-TO-AVM.md | 1 - .../workspace/README.md | 1633 +----- .../workspace/compute/README.md | 217 - .../workspace/compute/main.bicep | 158 - .../workspace/compute/main.json | 234 - .../workspace/compute/version.json | 7 - .../workspace/main.bicep | 452 -- .../workspace/main.json | 1687 ------ .../tests/e2e/defaults/dependencies.bicep | 54 - .../tests/e2e/defaults/main.test.bicep | 65 - .../tests/e2e/encr/dependencies.bicep | 144 - .../workspace/tests/e2e/encr/main.test.bicep | 97 - .../tests/e2e/max/dependencies.bicep | 134 - .../workspace/tests/e2e/max/main.test.bicep | 172 - .../tests/e2e/waf-aligned/dependencies.bicep | 134 - .../tests/e2e/waf-aligned/main.test.bicep | 155 - .../workspace/version.json | 7 - .../maintenance-configuration/MOVED-TO-AVM.md | 1 - .../maintenance-configuration/README.md | 651 +-- .../maintenance-configuration/main.bicep | 169 - .../maintenance-configuration/main.json | 311 -- .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/max/dependencies.bicep | 13 - .../tests/e2e/max/main.test.bicep | 112 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 95 
- .../maintenance-configuration/version.json | 7 - .../user-assigned-identity/MOVED-TO-AVM.md | 1 - .../user-assigned-identity/README.md | 482 +- .../federated-identity-credential/README.md | 95 - .../federated-identity-credential/main.bicep | 56 - .../federated-identity-credential/main.json | 102 - .../version.json | 7 - .../user-assigned-identity/main.bicep | 142 - .../user-assigned-identity/main.json | 412 -- .../tests/e2e/defaults/main.test.bicep | 48 - .../tests/e2e/max/dependencies.bicep | 13 - .../tests/e2e/max/main.test.bicep | 93 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 76 - .../user-assigned-identity/version.json | 7 - .../nested_registrationAssignment.bicep | 15 - .../registration-definition/README.md | 441 +- .../registration-definition/main.bicep | 83 - .../registration-definition/main.json | 203 - .../tests/e2e/max/main.test.bicep | 49 - .../tests/e2e/rg/main.test.bicep | 65 - .../tests/e2e/waf-aligned/main.test.bicep | 49 - .../registration-definition/version.json | 7 - .../management-group/MOVED-TO-AVM.md | 1 - modules/management/management-group/README.md | 286 +- .../management/management-group/main.bicep | 61 - modules/management/management-group/main.json | 93 - .../tests/e2e/defaults/main.test.bicep | 30 - .../tests/e2e/max/main.test.bicep | 32 - .../tests/e2e/waf-aligned/main.test.bicep | 32 - .../management/management-group/version.json | 7 - .../net-app/net-app-account/MOVED-TO-AVM.md | 1 - modules/net-app/net-app-account/README.md | 852 +--- .../net-app-account/capacity-pool/README.md | 257 - .../net-app-account/capacity-pool/main.bicep | 164 - .../net-app-account/capacity-pool/main.json | 609 --- .../capacity-pool/version.json | 7 - .../capacity-pool/volume/README.md | 241 - .../capacity-pool/volume/main.bicep | 141 - .../capacity-pool/volume/main.json | 278 - .../capacity-pool/volume/version.json | 7 - modules/net-app/net-app-account/main.bicep | 189 - 
modules/net-app/net-app-account/main.json | 987 ---- .../tests/e2e/defaults/main.test.bicep | 48 - .../tests/e2e/nfs3/dependencies.bicep | 49 - .../tests/e2e/nfs3/main.test.bicep | 146 - .../tests/e2e/nfs41/dependencies.bicep | 52 - .../tests/e2e/nfs41/main.test.bicep | 157 - modules/net-app/net-app-account/version.json | 7 - .../MOVED-TO-AVM.md | 1 - .../README.md | 323 +- .../main.bicep | 59 - .../main.json | 123 - .../tests/e2e/max/main.test.bicep | 73 - .../tests/e2e/waf-aligned/main.test.bicep | 73 - .../version.json | 7 - modules/network/application-gateway/README.md | 2872 +---------- .../network/application-gateway/main.bicep | 528 -- modules/network/application-gateway/main.json | 1528 ------ .../tests/e2e/max/dependencies.bicep | 146 - .../tests/e2e/max/main.test.bicep | 509 -- .../tests/e2e/waf-aligned/dependencies.bicep | 146 - .../tests/e2e/waf-aligned/main.test.bicep | 492 -- .../network/application-gateway/version.json | 7 - .../MOVED-TO-AVM.md | 1 - .../application-security-group/README.md | 397 +- .../application-security-group/main.bicep | 118 - .../application-security-group/main.json | 248 - .../tests/e2e/max/dependencies.bicep | 13 - .../tests/e2e/max/main.test.bicep | 83 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 66 - .../application-security-group/version.json | 7 - modules/network/azure-firewall/README.md | 1513 +----- modules/network/azure-firewall/main.bicep | 381 -- modules/network/azure-firewall/main.json | 1627 ------ .../tests/e2e/addpip/dependencies.bicep | 70 - .../tests/e2e/addpip/main.test.bicep | 79 - .../tests/e2e/custompip/dependencies.bicep | 41 - .../tests/e2e/custompip/main.test.bicep | 103 - .../tests/e2e/defaults/dependencies.bicep | 29 - .../tests/e2e/defaults/main.test.bicep | 58 - .../tests/e2e/hubcommon/dependencies.bicep | 46 - .../tests/e2e/hubcommon/main.test.bicep | 68 - .../tests/e2e/hubmin/dependencies.bicep | 32 - .../tests/e2e/hubmin/main.test.bicep | 61 - 
.../tests/e2e/max/dependencies.bicep | 64 - .../tests/e2e/max/main.test.bicep | 201 - .../tests/e2e/waf-aligned/dependencies.bicep | 64 - .../tests/e2e/waf-aligned/main.test.bicep | 184 - modules/network/azure-firewall/version.json | 7 - modules/network/bastion-host/MOVED-TO-AVM.md | 1 - modules/network/bastion-host/README.md | 876 +--- modules/network/bastion-host/main.bicep | 270 - modules/network/bastion-host/main.json | 988 ---- .../tests/e2e/custompip/dependencies.bicep | 41 - .../tests/e2e/custompip/main.test.bicep | 108 - .../tests/e2e/defaults/dependencies.bicep | 30 - .../tests/e2e/defaults/main.test.bicep | 58 - .../tests/e2e/max/dependencies.bicep | 59 - .../tests/e2e/max/main.test.bicep | 116 - .../tests/e2e/waf-aligned/dependencies.bicep | 59 - .../tests/e2e/waf-aligned/main.test.bicep | 99 - modules/network/bastion-host/version.json | 7 - modules/network/connection/MOVED-TO-AVM.md | 1 - modules/network/connection/README.md | 563 +- modules/network/connection/main.bicep | 178 - modules/network/connection/main.json | 307 -- .../tests/e2e/vnet2vnet/dependencies.bicep | 132 - .../tests/e2e/vnet2vnet/main.test.bicep | 81 - modules/network/connection/version.json | 7 - .../ddos-protection-plan/MOVED-TO-AVM.md | 1 - .../network/ddos-protection-plan/README.md | 446 +- .../network/ddos-protection-plan/main.bicep | 119 - .../network/ddos-protection-plan/main.json | 249 - .../tests/e2e/defaults/main.test.bicep | 48 - .../tests/e2e/max/dependencies.bicep | 13 - .../tests/e2e/max/main.test.bicep | 82 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 65 - .../network/ddos-protection-plan/version.json | 7 - .../dns-forwarding-ruleset/MOVED-TO-AVM.md | 1 - .../network/dns-forwarding-ruleset/README.md | 566 +-- .../forwarding-rule/README.md | 121 - .../forwarding-rule/main.bicep | 68 - .../forwarding-rule/main.json | 123 - .../forwarding-rule/version.json | 7 - .../network/dns-forwarding-ruleset/main.bicep | 155 - 
.../network/dns-forwarding-ruleset/main.json | 563 -- .../tests/e2e/defaults/dependencies.bicep | 69 - .../tests/e2e/defaults/main.test.bicep | 62 - .../tests/e2e/max/dependencies.bicep | 81 - .../tests/e2e/max/main.test.bicep | 95 - .../tests/e2e/waf-aligned/dependencies.bicep | 81 - .../tests/e2e/waf-aligned/main.test.bicep | 95 - .../dns-forwarding-ruleset/version.json | 7 - .../virtual-network-link/README.md | 89 - .../virtual-network-link/main.bicep | 53 - .../virtual-network-link/main.json | 98 - .../virtual-network-link/version.json | 7 - modules/network/dns-resolver/MOVED-TO-AVM.md | 1 - modules/network/dns-resolver/README.md | 433 +- modules/network/dns-resolver/main.bicep | 166 - modules/network/dns-resolver/main.json | 321 -- .../tests/e2e/max/dependencies.bicep | 42 - .../tests/e2e/max/main.test.bicep | 76 - .../tests/e2e/waf-aligned/dependencies.bicep | 42 - .../tests/e2e/waf-aligned/main.test.bicep | 76 - modules/network/dns-resolver/version.json | 7 - modules/network/dns-zone/MOVED-TO-AVM.md | 1 - modules/network/dns-zone/README.md | 1170 +---- modules/network/dns-zone/a/README.md | 198 - modules/network/dns-zone/a/main.bicep | 119 - modules/network/dns-zone/a/main.json | 234 - modules/network/dns-zone/a/version.json | 7 - modules/network/dns-zone/aaaa/README.md | 198 - modules/network/dns-zone/aaaa/main.bicep | 119 - modules/network/dns-zone/aaaa/main.json | 234 - modules/network/dns-zone/aaaa/version.json | 7 - modules/network/dns-zone/caa/README.md | 189 - modules/network/dns-zone/caa/main.bicep | 113 - modules/network/dns-zone/caa/main.json | 226 - modules/network/dns-zone/caa/version.json | 7 - modules/network/dns-zone/cname/README.md | 198 - modules/network/dns-zone/cname/main.bicep | 119 - modules/network/dns-zone/cname/main.json | 234 - modules/network/dns-zone/cname/version.json | 7 - modules/network/dns-zone/main.bicep | 293 -- modules/network/dns-zone/main.json | 2946 ----------- modules/network/dns-zone/mx/README.md | 189 - 
modules/network/dns-zone/mx/main.bicep | 113 - modules/network/dns-zone/mx/main.json | 226 - modules/network/dns-zone/mx/version.json | 7 - modules/network/dns-zone/ns/README.md | 189 - modules/network/dns-zone/ns/main.bicep | 113 - modules/network/dns-zone/ns/main.json | 226 - modules/network/dns-zone/ns/version.json | 7 - modules/network/dns-zone/ptr/README.md | 189 - modules/network/dns-zone/ptr/main.bicep | 113 - modules/network/dns-zone/ptr/main.json | 226 - modules/network/dns-zone/ptr/version.json | 7 - modules/network/dns-zone/soa/README.md | 189 - modules/network/dns-zone/soa/main.bicep | 113 - modules/network/dns-zone/soa/main.json | 226 - modules/network/dns-zone/soa/version.json | 7 - modules/network/dns-zone/srv/README.md | 189 - modules/network/dns-zone/srv/main.bicep | 113 - modules/network/dns-zone/srv/main.json | 226 - modules/network/dns-zone/srv/version.json | 7 - .../tests/e2e/defaults/main.test.bicep | 49 - .../dns-zone/tests/e2e/max/dependencies.bicep | 37 - .../dns-zone/tests/e2e/max/main.test.bicep | 223 - .../tests/e2e/waf-aligned/dependencies.bicep | 37 - .../tests/e2e/waf-aligned/main.test.bicep | 223 - modules/network/dns-zone/txt/README.md | 189 - modules/network/dns-zone/txt/main.bicep | 113 - modules/network/dns-zone/txt/main.json | 226 - modules/network/dns-zone/txt/version.json | 7 - modules/network/dns-zone/version.json | 7 - .../express-route-circuit/MOVED-TO-AVM.MD | 1 - .../network/express-route-circuit/README.md | 823 +-- .../network/express-route-circuit/main.bicep | 282 - .../network/express-route-circuit/main.json | 542 -- .../tests/e2e/defaults/main.test.bicep | 52 - .../tests/e2e/max/dependencies.bicep | 13 - .../tests/e2e/max/main.test.bicep | 117 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 100 - .../express-route-circuit/version.json | 7 - .../express-route-gateway/MOVED-TO-AVM.MD | 1 - .../network/express-route-gateway/README.md | 514 +- 
.../network/express-route-gateway/main.bicep | 146 - .../network/express-route-gateway/main.json | 295 -- .../tests/e2e/defaults/dependencies.bicep | 27 - .../tests/e2e/defaults/main.test.bicep | 59 - .../tests/e2e/max/dependencies.bicep | 38 - .../tests/e2e/max/main.test.bicep | 86 - .../tests/e2e/waf-aligned/dependencies.bicep | 38 - .../tests/e2e/waf-aligned/main.test.bicep | 69 - .../express-route-gateway/version.json | 7 - .../network/firewall-policy/MOVED-TO-AVM.md | 1 - modules/network/firewall-policy/README.md | 665 +-- modules/network/firewall-policy/main.bicep | 209 - modules/network/firewall-policy/main.json | 436 -- .../rule-collection-group/README.md | 88 - .../rule-collection-group/main.bicep | 52 - .../rule-collection-group/main.json | 96 - .../rule-collection-group/version.json | 7 - .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/max/main.test.bicep | 94 - .../tests/e2e/waf-aligned/main.test.bicep | 94 - modules/network/firewall-policy/version.json | 7 - .../MOVED-TO-AVM.md | 1 - .../README.md | 805 +-- .../main.bicep | 180 - .../main.json | 328 -- .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/max/dependencies.bicep | 13 - .../tests/e2e/max/main.test.bicep | 146 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 129 - .../version.json | 7 - modules/network/front-door/MOVED-TO-AVM.md | 1 - modules/network/front-door/README.md | 1166 +---- modules/network/front-door/main.bicep | 225 - modules/network/front-door/main.json | 450 -- .../tests/e2e/defaults/main.test.bicep | 128 - .../tests/e2e/max/dependencies.bicep | 13 - .../front-door/tests/e2e/max/main.test.bicep | 172 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 155 - modules/network/front-door/version.json | 7 - modules/network/ip-group/MOVED-TO-AVM.md | 1 - modules/network/ip-group/README.md | 475 +- modules/network/ip-group/main.bicep | 125 - 
modules/network/ip-group/main.json | 259 - .../tests/e2e/defaults/main.test.bicep | 49 - .../ip-group/tests/e2e/max/dependencies.bicep | 13 - .../ip-group/tests/e2e/max/main.test.bicep | 87 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 70 - modules/network/ip-group/version.json | 7 - modules/network/load-balancer/MOVED-TO-AVM.MD | 1 - modules/network/load-balancer/README.md | 1323 +---- .../backend-address-pool/README.md | 115 - .../backend-address-pool/main.bicep | 65 - .../backend-address-pool/main.json | 118 - .../backend-address-pool/version.json | 7 - .../load-balancer/inbound-nat-rule/README.md | 167 - .../load-balancer/inbound-nat-rule/main.bicep | 101 - .../load-balancer/inbound-nat-rule/main.json | 174 - .../inbound-nat-rule/version.json | 7 - modules/network/load-balancer/main.bicep | 322 -- modules/network/load-balancer/main.json | 881 ---- .../tests/e2e/defaults/dependencies.bicep | 25 - .../tests/e2e/defaults/main.test.bicep | 63 - .../tests/e2e/internal/dependencies.bicep | 41 - .../tests/e2e/internal/main.test.bicep | 149 - .../tests/e2e/max/dependencies.bicep | 36 - .../tests/e2e/max/main.test.bicep | 181 - .../tests/e2e/waf-aligned/dependencies.bicep | 36 - .../tests/e2e/waf-aligned/main.test.bicep | 181 - modules/network/load-balancer/version.json | 7 - .../local-network-gateway/MOVED-TO-AVM.md | 1 - .../network/local-network-gateway/README.md | 550 +- .../network/local-network-gateway/main.bicep | 151 - .../network/local-network-gateway/main.json | 302 -- .../tests/e2e/defaults/main.test.bicep | 53 - .../tests/e2e/max/dependencies.bicep | 13 - .../tests/e2e/max/main.test.bicep | 89 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 72 - .../local-network-gateway/version.json | 7 - modules/network/nat-gateway/MOVED-TO-AVM.md | 1 - modules/network/nat-gateway/README.md | 738 +-- modules/network/nat-gateway/main.bicep | 236 - 
modules/network/nat-gateway/main.json | 1383 ----- .../modules/formatResourceId.bicep | 6 - .../tests/e2e/max/dependencies.bicep | 13 - .../nat-gateway/tests/e2e/max/main.test.bicep | 129 - .../e2e/prefixCombined/dependencies.bicep | 30 - .../tests/e2e/prefixCombined/main.test.bicep | 118 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 112 - modules/network/nat-gateway/version.json | 7 - .../network/network-interface/MOVED-TO-AVM.md | 1 - modules/network/network-interface/README.md | 790 +-- modules/network/network-interface/main.bicep | 240 - modules/network/network-interface/main.json | 457 -- .../tests/e2e/defaults/dependencies.bicep | 30 - .../tests/e2e/defaults/main.test.bicep | 63 - .../tests/e2e/max/dependencies.bicep | 113 - .../tests/e2e/max/main.test.bicep | 128 - .../tests/e2e/waf-aligned/dependencies.bicep | 113 - .../tests/e2e/waf-aligned/main.test.bicep | 128 - .../network/network-interface/version.json | 7 - .../network/network-manager/MOVED-TO-AVM.md | 1 - modules/network/network-manager/README.md | 1248 +---- .../connectivity-configuration/README.md | 146 - .../connectivity-configuration/main.bicep | 83 - .../connectivity-configuration/main.json | 142 - .../connectivity-configuration/version.json | 7 - modules/network/network-manager/main.bicep | 201 - modules/network/network-manager/main.json | 1423 ------ .../network-manager/network-group/README.md | 91 - .../network-manager/network-group/main.bicep | 67 - .../network-manager/network-group/main.json | 230 - .../network-group/static-member/README.md | 88 - .../network-group/static-member/main.bicep | 56 - .../network-group/static-member/main.json | 94 - .../network-group/static-member/version.json | 7 - .../network-group/version.json | 7 - .../scope-connection/README.md | 97 - .../scope-connection/main.bicep | 59 - .../scope-connection/main.json | 105 - .../scope-connection/version.json | 7 - .../security-admin-configuration/README.md | 114 - 
.../security-admin-configuration/main.bicep | 77 - .../security-admin-configuration/main.json | 500 -- .../rule-collection/README.md | 106 - .../rule-collection/main.bicep | 87 - .../rule-collection/main.json | 348 -- .../rule-collection/rule/README.md | 191 - .../rule-collection/rule/main.bicep | 117 - .../rule-collection/rule/main.json | 183 - .../rule-collection/rule/version.json | 7 - .../rule-collection/version.json | 7 - .../security-admin-configuration/version.json | 7 - .../tests/e2e/max/dependencies.bicep | 96 - .../tests/e2e/max/main.test.bicep | 266 - .../tests/e2e/waf-aligned/dependencies.bicep | 96 - .../tests/e2e/waf-aligned/main.test.bicep | 249 - modules/network/network-manager/version.json | 7 - .../network-security-group/MOVED-TO-AVM.md | 1 - .../network/network-security-group/README.md | 850 +--- .../network/network-security-group/main.bicep | 227 - .../network/network-security-group/main.json | 675 --- .../security-rule/README.md | 228 - .../security-rule/main.bicep | 121 - .../security-rule/main.json | 215 - .../security-rule/version.json | 7 - .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/max/dependencies.bicep | 24 - .../tests/e2e/max/main.test.bicep | 171 - .../tests/e2e/waf-aligned/dependencies.bicep | 24 - .../tests/e2e/waf-aligned/main.test.bicep | 154 - .../network-security-group/version.json | 7 - modules/network/network-watcher/README.md | 720 +-- .../connection-monitor/README.md | 121 - .../connection-monitor/main.bicep | 80 - .../connection-monitor/main.json | 150 - .../connection-monitor/version.json | 7 - .../network-watcher/flow-log/README.md | 162 - .../network-watcher/flow-log/main.bicep | 110 - .../network-watcher/flow-log/main.json | 188 - .../network-watcher/flow-log/version.json | 7 - modules/network/network-watcher/main.bicep | 158 - modules/network/network-watcher/main.json | 676 --- .../tests/e2e/defaults/main.test.bicep | 48 - .../tests/e2e/max/dependencies.bicep | 144 - .../tests/e2e/max/main.test.bicep | 
169 - .../tests/e2e/waf-aligned/dependencies.bicep | 144 - .../tests/e2e/waf-aligned/main.test.bicep | 152 - modules/network/network-watcher/version.json | 7 - .../network/private-dns-zone/MOVED-TO-AVM.md | 1 - modules/network/private-dns-zone/README.md | 1172 +---- modules/network/private-dns-zone/a/README.md | 189 - modules/network/private-dns-zone/a/main.bicep | 113 - modules/network/private-dns-zone/a/main.json | 226 - .../network/private-dns-zone/a/version.json | 7 - .../network/private-dns-zone/aaaa/README.md | 189 - .../network/private-dns-zone/aaaa/main.bicep | 113 - .../network/private-dns-zone/aaaa/main.json | 226 - .../private-dns-zone/aaaa/version.json | 7 - .../network/private-dns-zone/cname/README.md | 189 - .../network/private-dns-zone/cname/main.bicep | 113 - .../network/private-dns-zone/cname/main.json | 226 - .../private-dns-zone/cname/version.json | 7 - modules/network/private-dns-zone/main.bicep | 269 - modules/network/private-dns-zone/main.json | 2556 ---------- modules/network/private-dns-zone/mx/README.md | 189 - .../network/private-dns-zone/mx/main.bicep | 113 - modules/network/private-dns-zone/mx/main.json | 226 - .../network/private-dns-zone/mx/version.json | 7 - .../network/private-dns-zone/ptr/README.md | 189 - .../network/private-dns-zone/ptr/main.bicep | 113 - .../network/private-dns-zone/ptr/main.json | 226 - .../network/private-dns-zone/ptr/version.json | 7 - .../network/private-dns-zone/soa/README.md | 189 - .../network/private-dns-zone/soa/main.bicep | 113 - .../network/private-dns-zone/soa/main.json | 226 - .../network/private-dns-zone/soa/version.json | 7 - .../network/private-dns-zone/srv/README.md | 189 - .../network/private-dns-zone/srv/main.bicep | 113 - .../network/private-dns-zone/srv/main.json | 226 - .../network/private-dns-zone/srv/version.json | 7 - .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/max/dependencies.bicep | 41 - .../tests/e2e/max/main.test.bicep | 225 - 
.../tests/e2e/waf-aligned/dependencies.bicep | 41 - .../tests/e2e/waf-aligned/main.test.bicep | 225 - .../network/private-dns-zone/txt/README.md | 189 - .../network/private-dns-zone/txt/main.bicep | 113 - .../network/private-dns-zone/txt/main.json | 226 - .../network/private-dns-zone/txt/version.json | 7 - modules/network/private-dns-zone/version.json | 7 - .../virtual-network-link/README.md | 107 - .../virtual-network-link/main.bicep | 65 - .../virtual-network-link/main.json | 132 - .../virtual-network-link/version.json | 7 - .../network/private-endpoint/MOVED-TO-AVM.md | 1 - modules/network/private-endpoint/README.md | 733 +-- modules/network/private-endpoint/main.bicep | 210 - modules/network/private-endpoint/main.json | 546 -- .../private-dns-zone-group/README.md | 80 - .../private-dns-zone-group/main.bicep | 57 - .../private-dns-zone-group/main.json | 105 - .../private-dns-zone-group/version.json | 7 - .../tests/e2e/defaults/dependencies.bicep | 54 - .../tests/e2e/defaults/main.test.bicep | 63 - .../tests/e2e/max/dependencies.bicep | 95 - .../tests/e2e/max/main.test.bicep | 106 - .../tests/e2e/waf-aligned/dependencies.bicep | 95 - .../tests/e2e/waf-aligned/main.test.bicep | 106 - modules/network/private-endpoint/version.json | 7 - .../private-link-service/MOVED-TO-AVM.md | 1 - .../network/private-link-service/README.md | 849 +--- .../network/private-link-service/main.bicep | 152 - .../network/private-link-service/main.json | 310 -- .../tests/e2e/defaults/dependencies.bicep | 57 - .../tests/e2e/defaults/main.test.bicep | 73 - .../tests/e2e/max/dependencies.bicep | 68 - .../tests/e2e/max/main.test.bicep | 107 - .../tests/e2e/waf-aligned/dependencies.bicep | 68 - .../tests/e2e/waf-aligned/main.test.bicep | 107 - .../network/private-link-service/version.json | 7 - .../network/public-ip-address/MOVED-TO-AVM.md | 1 - modules/network/public-ip-address/README.md | 764 +-- modules/network/public-ip-address/main.bicep | 261 - modules/network/public-ip-address/main.json 
| 496 -- .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/max/dependencies.bicep | 13 - .../tests/e2e/max/main.test.bicep | 108 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 108 - .../network/public-ip-address/version.json | 7 - .../network/public-ip-prefix/MOVED-TO-AVM.md | 1 - modules/network/public-ip-prefix/README.md | 475 +- modules/network/public-ip-prefix/main.bicep | 135 - modules/network/public-ip-prefix/main.json | 272 - .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/max/dependencies.bicep | 13 - .../tests/e2e/max/main.test.bicep | 84 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 67 - modules/network/public-ip-prefix/version.json | 7 - modules/network/route-table/MOVED-TO-AVM.md | 1 - modules/network/route-table/README.md | 504 +- modules/network/route-table/main.bicep | 128 - modules/network/route-table/main.json | 266 - .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/max/dependencies.bicep | 13 - .../route-table/tests/e2e/max/main.test.bicep | 83 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 83 - modules/network/route-table/version.json | 7 - .../network/service-endpoint-policy/README.md | 527 +- .../service-endpoint-policy/main.bicep | 132 - .../network/service-endpoint-policy/main.json | 274 - .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/max/dependencies.bicep | 13 - .../tests/e2e/max/main.test.bicep | 96 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 79 - .../service-endpoint-policy/version.json | 7 - .../trafficmanagerprofile/MOVED-TO-AVM.md | 1 - .../network/trafficmanagerprofile/README.md | 797 +-- .../network/trafficmanagerprofile/main.bicep | 237 - .../network/trafficmanagerprofile/main.json | 458 -- .../tests/e2e/defaults/main.test.bicep | 50 - .../tests/e2e/max/dependencies.bicep | 13 - 
.../tests/e2e/max/main.test.bicep | 112 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 95 - .../trafficmanagerprofile/version.json | 7 - modules/network/virtual-hub/MOVED-TO-AVM.md | 1 - modules/network/virtual-hub/README.md | 616 +-- .../virtual-hub/hub-route-table/README.md | 89 - .../virtual-hub/hub-route-table/main.bicep | 52 - .../virtual-hub/hub-route-table/main.json | 97 - .../virtual-hub/hub-route-table/version.json | 7 - .../hub-virtual-network-connection/README.md | 97 - .../hub-virtual-network-connection/main.bicep | 58 - .../hub-virtual-network-connection/main.json | 106 - .../version.json | 7 - modules/network/virtual-hub/main.bicep | 184 - modules/network/virtual-hub/main.json | 554 -- .../tests/e2e/defaults/dependencies.bicep | 13 - .../tests/e2e/defaults/main.test.bicep | 59 - .../tests/e2e/max/dependencies.bicep | 42 - .../virtual-hub/tests/e2e/max/main.test.bicep | 95 - .../tests/e2e/waf-aligned/dependencies.bicep | 42 - .../tests/e2e/waf-aligned/main.test.bicep | 95 - modules/network/virtual-hub/version.json | 7 - .../virtual-network-gateway/MOVED-TO-AVM.md | 1 - .../network/virtual-network-gateway/README.md | 1271 +---- .../virtual-network-gateway/main.bicep | 477 -- .../network/virtual-network-gateway/main.json | 1353 ----- .../nat-rule/README.md | 132 - .../nat-rule/main.bicep | 74 - .../nat-rule/main.json | 131 - .../nat-rule/version.json | 7 - .../tests/e2e/aadvpn/dependencies.bicep | 41 - .../tests/e2e/aadvpn/main.test.bicep | 134 - .../tests/e2e/expressRoute/dependencies.bicep | 41 - .../tests/e2e/expressRoute/main.test.bicep | 111 - .../tests/e2e/vpn/dependencies.bicep | 60 - .../tests/e2e/vpn/main.test.bicep | 153 - .../virtual-network-gateway/version.json | 7 - .../network/virtual-network/MOVED-TO-AVM.md | 1 - modules/network/virtual-network/README.md | 1046 +--- modules/network/virtual-network/main.bicep | 329 -- modules/network/virtual-network/main.json | 1198 ----- 
.../network/virtual-network/subnet/README.md | 292 -- .../network/virtual-network/subnet/main.bicep | 166 - .../network/virtual-network/subnet/main.json | 316 -- .../virtual-network/subnet/version.json | 7 - .../tests/e2e/defaults/main.test.bicep | 51 - .../tests/e2e/max/dependencies.bicep | 35 - .../tests/e2e/max/main.test.bicep | 166 - .../tests/e2e/vnetPeering/dependencies.bicep | 30 - .../tests/e2e/vnetPeering/main.test.bicep | 80 - .../tests/e2e/waf-aligned/dependencies.bicep | 35 - .../tests/e2e/waf-aligned/main.test.bicep | 149 - modules/network/virtual-network/version.json | 7 - .../virtual-network-peering/README.md | 125 - .../virtual-network-peering/main.bicep | 70 - .../virtual-network-peering/main.json | 131 - .../virtual-network-peering/version.json | 7 - modules/network/virtual-wan/MOVED-TO-AVM.md | 1 - modules/network/virtual-wan/README.md | 521 +- modules/network/virtual-wan/main.bicep | 140 - modules/network/virtual-wan/main.json | 286 -- .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/max/dependencies.bicep | 13 - .../virtual-wan/tests/e2e/max/main.test.bicep | 87 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 70 - modules/network/virtual-wan/version.json | 7 - modules/network/vpn-gateway/MOVED-TO-AVM.md | 1 - modules/network/vpn-gateway/README.md | 627 +-- modules/network/vpn-gateway/main.bicep | 158 - modules/network/vpn-gateway/main.json | 659 --- .../network/vpn-gateway/nat-rule/README.md | 132 - .../network/vpn-gateway/nat-rule/main.bicep | 74 - .../network/vpn-gateway/nat-rule/main.json | 131 - .../network/vpn-gateway/nat-rule/version.json | 7 - .../tests/e2e/defaults/dependencies.bicep | 27 - .../tests/e2e/defaults/main.test.bicep | 59 - .../tests/e2e/max/dependencies.bicep | 49 - .../vpn-gateway/tests/e2e/max/main.test.bicep | 103 - .../tests/e2e/waf-aligned/dependencies.bicep | 49 - .../tests/e2e/waf-aligned/main.test.bicep | 103 - modules/network/vpn-gateway/version.json | 7 
- .../vpn-gateway/vpn-connection/README.md | 264 - .../vpn-gateway/vpn-connection/main.bicep | 107 - .../vpn-gateway/vpn-connection/main.json | 197 - .../vpn-gateway/vpn-connection/version.json | 7 - modules/network/vpn-site/MOVED-TO-AVM.md | 1 - modules/network/vpn-site/README.md | 755 +-- modules/network/vpn-site/main.bicep | 156 - modules/network/vpn-site/main.json | 315 -- .../tests/e2e/defaults/dependencies.bicep | 13 - .../tests/e2e/defaults/main.test.bicep | 62 - .../vpn-site/tests/e2e/max/dependencies.bicep | 24 - .../vpn-site/tests/e2e/max/main.test.bicep | 125 - .../tests/e2e/waf-aligned/dependencies.bicep | 24 - .../tests/e2e/waf-aligned/main.test.bicep | 108 - modules/network/vpn-site/version.json | 7 - .../workspace/MOVED-TO-AVM.md | 1 - .../operational-insights/workspace/README.md | 1952 +------ .../workspace/data-export/README.md | 98 - .../workspace/data-export/main.bicep | 70 - .../workspace/data-export/main.json | 107 - .../workspace/data-export/version.json | 7 - .../workspace/data-source/README.md | 200 - .../workspace/data-source/main.bicep | 106 - .../workspace/data-source/main.json | 205 - .../workspace/data-source/version.json | 7 - .../workspace/linked-service/README.md | 97 - .../workspace/linked-service/main.bicep | 56 - .../workspace/linked-service/main.json | 115 - .../workspace/linked-service/version.json | 7 - .../linked-storage-account/README.md | 88 - .../linked-storage-account/main.bicep | 56 - .../linked-storage-account/main.json | 96 - .../linked-storage-account/version.json | 7 - .../operational-insights/workspace/main.bicep | 416 -- .../operational-insights/workspace/main.json | 1925 ------- .../workspace/saved-search/README.md | 140 - .../workspace/saved-search/main.bicep | 77 - .../workspace/saved-search/main.json | 142 - .../workspace/saved-search/version.json | 7 - .../storage-insight-config/README.md | 106 - .../storage-insight-config/main.bicep | 67 - .../storage-insight-config/main.json | 133 - 
.../storage-insight-config/version.json | 7 - .../workspace/table/README.md | 132 - .../workspace/table/main.bicep | 88 - .../workspace/table/main.json | 137 - .../workspace/table/version.json | 7 - .../tests/e2e/adv/dependencies.bicep | 85 - .../workspace/tests/e2e/adv/main.test.bicep | 310 -- .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/max/dependencies.bicep | 47 - .../workspace/tests/e2e/max/main.test.bicep | 238 - .../tests/e2e/waf-aligned/dependencies.bicep | 47 - .../tests/e2e/waf-aligned/main.test.bicep | 238 - .../workspace/version.json | 7 - .../solution/MOVED-TO-AVM.md | 1 - .../operations-management/solution/README.md | 277 +- .../operations-management/solution/main.bicep | 67 - .../operations-management/solution/main.json | 121 - .../tests/e2e/defaults/dependencies.bicep | 13 - .../tests/e2e/defaults/main.test.bicep | 58 - .../solution/tests/e2e/ms/dependencies.bicep | 13 - .../solution/tests/e2e/ms/main.test.bicep | 57 - .../tests/e2e/nonms/dependencies.bicep | 13 - .../solution/tests/e2e/nonms/main.test.bicep | 57 - .../solution/version.json | 7 - modules/policy-insights/remediation/README.md | 687 +-- .../policy-insights/remediation/main.bicep | 127 - modules/policy-insights/remediation/main.json | 750 --- .../remediation/management-group/README.md | 136 - .../remediation/management-group/main.bicep | 82 - .../remediation/management-group/main.json | 150 - .../remediation/management-group/version.json | 7 - .../remediation/resource-group/README.md | 137 - .../remediation/resource-group/main.bicep | 84 - .../remediation/resource-group/main.json | 156 - .../remediation/resource-group/version.json | 7 - .../remediation/subscription/README.md | 136 - .../remediation/subscription/main.bicep | 82 - .../remediation/subscription/main.json | 150 - .../remediation/subscription/version.json | 7 - .../tests/e2e/mg.common/main.test.bicep | 100 - .../tests/e2e/mg.min/main.test.bicep | 46 - .../tests/e2e/rg.common/main.test.bicep | 110 - 
.../tests/e2e/rg.min/main.test.bicep | 56 - .../tests/e2e/sub.common/main.test.bicep | 100 - .../tests/e2e/sub.min/main.test.bicep | 46 - .../policy-insights/remediation/version.json | 7 - .../capacity/MOVED-TO-AVM.md | 1 - modules/power-bi-dedicated/capacity/README.md | 547 +- .../power-bi-dedicated/capacity/main.bicep | 162 - modules/power-bi-dedicated/capacity/main.json | 310 -- .../tests/e2e/defaults/dependencies.bicep | 13 - .../tests/e2e/defaults/main.test.bicep | 61 - .../capacity/tests/e2e/max/dependencies.bicep | 13 - .../capacity/tests/e2e/max/main.test.bicep | 77 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 77 - .../power-bi-dedicated/capacity/version.json | 7 - modules/purview/account/MOVED-TO-AVM.md | 1 - modules/purview/account/README.md | 1054 +--- modules/purview/account/main.bicep | 374 -- modules/purview/account/main.json | 3496 ------------- .../tests/e2e/defaults/main.test.bicep | 49 - .../account/tests/e2e/max/dependencies.bicep | 73 - .../account/tests/e2e/max/main.test.bicep | 190 - .../tests/e2e/waf-aligned/dependencies.bicep | 73 - .../tests/e2e/waf-aligned/main.test.bicep | 173 - modules/purview/account/version.json | 7 - modules/recovery-services/vault/README.md | 2301 +-------- .../vault/backup-config/README.md | 169 - .../vault/backup-config/main.bicep | 96 - .../vault/backup-config/main.json | 162 - .../vault/backup-config/version.json | 7 - .../protection-container/README.md | 156 - .../protection-container/main.bicep | 104 - .../protection-container/main.json | 326 -- .../protected-item/README.md | 127 - .../protected-item/main.bicep | 70 - .../protected-item/main.json | 128 - .../protected-item/version.json | 7 - .../protection-container/version.json | 7 - .../vault/backup-policy/README.md | 79 - .../vault/backup-policy/main.bicep | 46 - .../vault/backup-policy/main.json | 86 - .../vault/backup-policy/version.json | 7 - .../vault/backup-storage-config/README.md | 94 - 
.../vault/backup-storage-config/main.bicep | 58 - .../vault/backup-storage-config/main.json | 104 - .../vault/backup-storage-config/version.json | 7 - modules/recovery-services/vault/main.bicep | 445 -- modules/recovery-services/vault/main.json | 2865 ----------- .../vault/replication-alert-setting/README.md | 101 - .../replication-alert-setting/main.bicep | 60 - .../vault/replication-alert-setting/main.json | 110 - .../replication-alert-setting/version.json | 7 - .../vault/replication-fabric/README.md | 94 - .../vault/replication-fabric/main.bicep | 67 - .../vault/replication-fabric/main.json | 415 -- .../README.md | 91 - .../main.bicep | 73 - .../main.json | 279 - .../README.md | 130 - .../main.bicep | 71 - .../main.json | 139 - .../version.json | 7 - .../version.json | 7 - .../vault/replication-fabric/version.json | 7 - .../vault/replication-policy/README.md | 116 - .../vault/replication-policy/main.bicep | 63 - .../vault/replication-policy/main.json | 120 - .../vault/replication-policy/version.json | 7 - .../vault/tests/e2e/defaults/main.test.bicep | 49 - .../vault/tests/e2e/dr/main.test.bicep | 106 - .../vault/tests/e2e/max/dependencies.bicep | 63 - .../vault/tests/e2e/max/main.test.bicep | 389 -- .../tests/e2e/waf-aligned/dependencies.bicep | 63 - .../tests/e2e/waf-aligned/main.test.bicep | 372 -- modules/recovery-services/vault/version.json | 7 - modules/relay/namespace/MOVED-TO-AVM.md | 1 - modules/relay/namespace/README.md | 1357 +---- .../namespace/authorization-rule/README.md | 88 - .../namespace/authorization-rule/main.bicep | 55 - .../namespace/authorization-rule/main.json | 96 - .../namespace/authorization-rule/version.json | 7 - .../namespace/hybrid-connection/README.md | 251 - .../authorization-rule/README.md | 96 - .../authorization-rule/main.bicep | 60 - .../authorization-rule/main.json | 100 - .../authorization-rule/version.json | 7 - .../namespace/hybrid-connection/main.bicep | 168 - .../namespace/hybrid-connection/main.json | 425 -- 
.../namespace/hybrid-connection/version.json | 7 - modules/relay/namespace/main.bicep | 406 -- modules/relay/namespace/main.json | 2437 --------- .../namespace/network-rule-set/README.md | 99 - .../namespace/network-rule-set/main.bicep | 63 - .../namespace/network-rule-set/main.json | 109 - .../namespace/network-rule-set/version.json | 7 - .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/max/dependencies.bicep | 60 - .../namespace/tests/e2e/max/main.test.bicep | 192 - .../namespace/tests/e2e/pe/dependencies.bicep | 49 - .../namespace/tests/e2e/pe/main.test.bicep | 73 - .../tests/e2e/waf-aligned/dependencies.bicep | 60 - .../tests/e2e/waf-aligned/main.test.bicep | 175 - modules/relay/namespace/version.json | 7 - modules/relay/namespace/wcf-relay/README.md | 276 - .../wcf-relay/authorization-rule/README.md | 96 - .../wcf-relay/authorization-rule/main.bicep | 60 - .../wcf-relay/authorization-rule/main.json | 100 - .../wcf-relay/authorization-rule/version.json | 7 - modules/relay/namespace/wcf-relay/main.bicep | 180 - modules/relay/namespace/wcf-relay/main.json | 445 -- .../relay/namespace/wcf-relay/version.json | 7 - modules/resource-graph/query/MOVED-TO-AVM.md | 1 - modules/resource-graph/query/README.md | 483 +- modules/resource-graph/query/main.bicep | 127 - modules/resource-graph/query/main.json | 264 - .../query/tests/e2e/defaults/main.test.bicep | 50 - .../query/tests/e2e/max/dependencies.bicep | 13 - .../query/tests/e2e/max/main.test.bicep | 85 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 68 - modules/resource-graph/query/version.json | 7 - .../deployment-script/MOVED-TO-AVM.md | 1 - modules/resources/deployment-script/README.md | 545 +- .../resources/deployment-script/main.bicep | 168 - modules/resources/deployment-script/main.json | 310 -- .../tests/e2e/cli/dependencies.bicep | 28 - .../tests/e2e/cli/main.test.bicep | 85 - .../tests/e2e/ps/dependencies.bicep | 28 - 
.../tests/e2e/ps/main.test.bicep | 77 - .../resources/deployment-script/version.json | 7 - .../resources/resource-group/MOVED-TO-AVM.md | 1 - modules/resources/resource-group/README.md | 454 +- modules/resources/resource-group/main.bicep | 126 - modules/resources/resource-group/main.json | 329 -- .../resource-group/modules/nested_lock.bicep | 25 - .../tests/e2e/defaults/main.test.bicep | 30 - .../tests/e2e/max/dependencies.bicep | 17 - .../tests/e2e/max/main.test.bicep | 82 - .../tests/e2e/waf-aligned/dependencies.bicep | 17 - .../tests/e2e/waf-aligned/main.test.bicep | 65 - modules/resources/resource-group/version.json | 7 - modules/resources/tags/README.md | 254 +- modules/resources/tags/main.bicep | 67 - modules/resources/tags/main.json | 429 -- .../tags/resource-group/.bicep/readTags.bicep | 9 - .../resources/tags/resource-group/README.md | 63 - .../resources/tags/resource-group/main.bicep | 49 - .../resources/tags/resource-group/main.json | 137 - .../tags/resource-group/version.json | 7 - .../tags/subscription/.bicep/readTags.bicep | 11 - modules/resources/tags/subscription/README.md | 71 - .../resources/tags/subscription/main.bicep | 52 - modules/resources/tags/subscription/main.json | 139 - .../resources/tags/subscription/version.json | 7 - .../tags/tests/e2e/defaults/main.test.bicep | 25 - .../tags/tests/e2e/rg/main.test.bicep | 50 - .../tags/tests/e2e/sub/main.test.bicep | 28 - modules/resources/tags/version.json | 7 - modules/search/search-service/MOVED-TO-AVM.md | 1 - modules/search/search-service/README.md | 1271 +---- modules/search/search-service/main.bicep | 404 -- modules/search/search-service/main.json | 1467 ------ .../shared-private-link-resource/README.md | 104 - .../shared-private-link-resource/main.bicep | 68 - .../shared-private-link-resource/main.json | 110 - .../shared-private-link-resource/version.json | 7 - .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/max/dependencies.bicep | 13 - .../tests/e2e/max/main.test.bicep | 130 - 
.../tests/e2e/pe/dependencies.bicep | 114 - .../tests/e2e/pe/main.test.bicep | 92 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 130 - modules/search/search-service/version.json | 7 - .../.bicep/nested_iotSecuritySolutions.bicep | 16 - .../security/azure-security-center/README.md | 468 +- .../security/azure-security-center/main.bicep | 252 - .../security/azure-security-center/main.json | 420 -- .../tests/e2e/max/dependencies.bicep | 13 - .../tests/e2e/max/main.test.bicep | 63 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 63 - .../azure-security-center/version.json | 7 - modules/service-bus/namespace/MOVED-TO-AVM.md | 1 - modules/service-bus/namespace/README.md | 1965 +------ .../namespace/authorization-rule/README.md | 88 - .../namespace/authorization-rule/main.bicep | 55 - .../namespace/authorization-rule/main.json | 96 - .../namespace/authorization-rule/version.json | 7 - .../disaster-recovery-config/README.md | 85 - .../disaster-recovery-config/main.bicep | 54 - .../disaster-recovery-config/main.json | 100 - .../disaster-recovery-config/version.json | 7 - modules/service-bus/namespace/main.bicep | 555 -- modules/service-bus/namespace/main.json | 3116 ------------ .../migration-configuration/README.md | 79 - .../migration-configuration/main.bicep | 51 - .../migration-configuration/main.json | 91 - .../migration-configuration/version.json | 7 - .../namespace/network-rule-set/README.md | 117 - .../namespace/network-rule-set/main.bicep | 78 - .../namespace/network-rule-set/main.json | 137 - .../namespace/network-rule-set/version.json | 7 - modules/service-bus/namespace/queue/README.md | 382 -- .../queue/authorization-rule/README.md | 96 - .../queue/authorization-rule/main.bicep | 60 - .../queue/authorization-rule/main.json | 100 - .../queue/authorization-rule/version.json | 7 - .../service-bus/namespace/queue/main.bicep | 225 - 
modules/service-bus/namespace/queue/main.json | 539 -- .../service-bus/namespace/queue/version.json | 7 - .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/encr/dependencies.bicep | 90 - .../namespace/tests/e2e/encr/main.test.bicep | 131 - .../tests/e2e/max/dependencies.bicep | 63 - .../namespace/tests/e2e/max/main.test.bicep | 227 - .../namespace/tests/e2e/pe/dependencies.bicep | 49 - .../namespace/tests/e2e/pe/main.test.bicep | 74 - .../tests/e2e/waf-aligned/dependencies.bicep | 63 - .../tests/e2e/waf-aligned/main.test.bicep | 227 - modules/service-bus/namespace/topic/README.md | 337 -- .../topic/authorization-rule/README.md | 96 - .../topic/authorization-rule/main.bicep | 60 - .../topic/authorization-rule/main.json | 100 - .../topic/authorization-rule/version.json | 7 - .../service-bus/namespace/topic/main.bicep | 205 - modules/service-bus/namespace/topic/main.json | 499 -- .../service-bus/namespace/topic/version.json | 7 - modules/service-bus/namespace/version.json | 7 - modules/service-fabric/cluster/README.md | 1611 +----- .../cluster/application-type/README.md | 75 - .../cluster/application-type/main.bicep | 46 - .../cluster/application-type/main.json | 98 - .../cluster/application-type/version.json | 7 - modules/service-fabric/cluster/main.bicep | 373 -- modules/service-fabric/cluster/main.json | 696 --- .../cluster/tests/e2e/cert/main.test.bicep | 74 - .../tests/e2e/defaults/main.test.bicep | 69 - .../cluster/tests/e2e/max/dependencies.bicep | 31 - .../cluster/tests/e2e/max/main.test.bicep | 236 - .../tests/e2e/waf-aligned/dependencies.bicep | 31 - .../tests/e2e/waf-aligned/main.test.bicep | 219 - modules/service-fabric/cluster/version.json | 7 - .../signal-r-service/signal-r/MOVED-TO-AVM.md | 1 - modules/signal-r-service/signal-r/README.md | 1092 +--- modules/signal-r-service/signal-r/main.bicep | 338 -- modules/signal-r-service/signal-r/main.json | 1225 ----- .../tests/e2e/defaults/main.test.bicep | 49 - 
.../signal-r/tests/e2e/max/dependencies.bicep | 62 - .../signal-r/tests/e2e/max/main.test.bicep | 118 - .../tests/e2e/waf-aligned/dependencies.bicep | 62 - .../tests/e2e/waf-aligned/main.test.bicep | 118 - .../signal-r-service/signal-r/version.json | 7 - .../web-pub-sub/MOVED-TO-AVM.md | 1 - .../signal-r-service/web-pub-sub/README.md | 1145 +---- .../signal-r-service/web-pub-sub/main.bicep | 318 -- .../signal-r-service/web-pub-sub/main.json | 1219 ----- .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/max/dependencies.bicep | 62 - .../web-pub-sub/tests/e2e/max/main.test.bicep | 120 - .../tests/e2e/pe/dependencies.bicep | 51 - .../web-pub-sub/tests/e2e/pe/main.test.bicep | 73 - .../tests/e2e/waf-aligned/dependencies.bicep | 62 - .../tests/e2e/waf-aligned/main.test.bicep | 120 - .../signal-r-service/web-pub-sub/version.json | 7 - modules/sql/managed-instance/README.md | 1438 +----- .../managed-instance/administrator/README.md | 88 - .../managed-instance/administrator/main.bicep | 54 - .../managed-instance/administrator/main.json | 98 - .../administrator/version.json | 7 - .../sql/managed-instance/database/README.md | 332 -- .../README.md | 115 - .../main.bicep | 67 - .../main.json | 119 - .../version.json | 7 - .../README.md | 88 - .../main.bicep | 55 - .../main.json | 95 - .../version.json | 7 - .../sql/managed-instance/database/main.bicep | 213 - .../sql/managed-instance/database/main.json | 658 --- .../managed-instance/database/version.json | 7 - .../encryption-protector/README.md | 96 - .../encryption-protector/main.bicep | 57 - .../encryption-protector/main.json | 102 - .../encryption-protector/version.json | 7 - modules/sql/managed-instance/key/README.md | 96 - modules/sql/managed-instance/key/main.bicep | 62 - modules/sql/managed-instance/key/main.json | 105 - modules/sql/managed-instance/key/version.json | 7 - modules/sql/managed-instance/main.bicep | 451 -- modules/sql/managed-instance/main.json | 2137 -------- .../security-alert-policy/README.md 
| 96 - .../security-alert-policy/main.bicep | 56 - .../security-alert-policy/main.json | 101 - .../security-alert-policy/version.json | 7 - .../tests/e2e/defaults/dependencies.bicep | 288 -- .../tests/e2e/defaults/main.test.bicep | 67 - .../tests/e2e/max/dependencies.bicep | 350 -- .../tests/e2e/max/main.test.bicep | 192 - .../tests/e2e/vulnAssm/dependencies.bicep | 386 -- .../tests/e2e/vulnAssm/main.test.bicep | 90 - .../tests/e2e/waf-aligned/dependencies.bicep | 350 -- .../tests/e2e/waf-aligned/main.test.bicep | 175 - modules/sql/managed-instance/version.json | 7 - .../vulnerability-assessment/README.md | 125 - .../vulnerability-assessment/main.bicep | 79 - .../vulnerability-assessment/main.json | 182 - .../nested_storageRoleAssignment.bicep | 17 - .../vulnerability-assessment/version.json | 7 - modules/sql/server/MOVED-TO-AVM.md | 1 - modules/sql/server/README.md | 1738 +------ modules/sql/server/database/README.md | 455 -- .../README.md | 102 - .../main.bicep | 65 - .../main.json | 113 - .../version.json | 7 - .../README.md | 84 - .../main.bicep | 57 - .../main.json | 97 - .../version.json | 7 - modules/sql/server/database/main.bicep | 283 -- modules/sql/server/database/main.json | 741 --- modules/sql/server/database/version.json | 7 - modules/sql/server/elastic-pool/README.md | 195 - modules/sql/server/elastic-pool/main.bicep | 107 - modules/sql/server/elastic-pool/main.json | 210 - modules/sql/server/elastic-pool/version.json | 7 - .../sql/server/encryption-protector/README.md | 96 - .../server/encryption-protector/main.bicep | 57 - .../sql/server/encryption-protector/main.json | 102 - .../server/encryption-protector/version.json | 7 - modules/sql/server/firewall-rule/README.md | 89 - modules/sql/server/firewall-rule/main.bicep | 52 - modules/sql/server/firewall-rule/main.json | 97 - modules/sql/server/firewall-rule/version.json | 7 - modules/sql/server/key/README.md | 96 - modules/sql/server/key/main.bicep | 62 - modules/sql/server/key/main.json | 105 - 
modules/sql/server/key/version.json | 7 - modules/sql/server/main.bicep | 464 -- modules/sql/server/main.json | 3200 ------------ .../server/security-alert-policy/README.md | 141 - .../server/security-alert-policy/main.bicep | 77 - .../server/security-alert-policy/main.json | 141 - .../server/security-alert-policy/version.json | 7 - .../server/tests/e2e/admin/dependencies.bicep | 13 - .../server/tests/e2e/admin/main.test.bicep | 61 - .../server/tests/e2e/max/dependencies.bicep | 111 - .../sql/server/tests/e2e/max/main.test.bicep | 208 - .../server/tests/e2e/pe/dependencies.bicep | 50 - .../sql/server/tests/e2e/pe/main.test.bicep | 79 - .../tests/e2e/secondary/dependencies.bicep | 36 - .../tests/e2e/secondary/main.test.bicep | 75 - .../tests/e2e/vulnAssm/dependencies.bicep | 35 - .../server/tests/e2e/vulnAssm/main.test.bicep | 94 - .../tests/e2e/waf-aligned/dependencies.bicep | 111 - .../tests/e2e/waf-aligned/main.test.bicep | 191 - modules/sql/server/version.json | 7 - .../sql/server/virtual-network-rule/README.md | 88 - .../server/virtual-network-rule/main.bicep | 52 - .../sql/server/virtual-network-rule/main.json | 96 - .../server/virtual-network-rule/version.json | 7 - .../server/vulnerability-assessment/README.md | 125 - .../vulnerability-assessment/main.bicep | 79 - .../server/vulnerability-assessment/main.json | 182 - .../nested_storageRoleAssignment.bicep | 17 - .../vulnerability-assessment/version.json | 7 - .../storage/storage-account/MOVED-TO-AVM.md | 1 - modules/storage/storage-account/README.md | 2758 +--------- .../storage-account/blob-service/README.md | 294 -- .../blob-service/container/README.md | 252 - .../container/immutability-policy/README.md | 93 - .../container/immutability-policy/main.bicep | 65 - .../container/immutability-policy/main.json | 106 - .../immutability-policy/version.json | 7 - .../blob-service/container/main.bicep | 172 - .../blob-service/container/main.json | 435 -- .../blob-service/container/version.json | 7 - 
.../storage-account/blob-service/main.bicep | 219 - .../storage-account/blob-service/main.json | 842 --- .../storage-account/blob-service/version.json | 7 - .../storage-account/file-service/README.md | 194 - .../storage-account/file-service/main.bicep | 148 - .../storage-account/file-service/main.json | 740 --- .../file-service/share/README.md | 230 - .../file-service/share/main.bicep | 122 - .../file-service/share/main.json | 443 -- .../modules/nested_inner_roleAssignment.json | 93 - .../share/modules/nested_roleAssignment.bicep | 70 - .../file-service/share/version.json | 7 - .../storage-account/file-service/version.json | 7 - .../storage-account/local-user/README.md | 122 - .../storage-account/local-user/main.bicep | 69 - .../storage-account/local-user/main.json | 127 - .../storage-account/local-user/version.json | 7 - modules/storage/storage-account/main.bicep | 631 --- modules/storage/storage-account/main.json | 4416 ---------------- .../management-policy/README.md | 71 - .../management-policy/main.bicep | 49 - .../management-policy/main.json | 86 - .../management-policy/version.json | 7 - .../storage-account/queue-service/README.md | 162 - .../storage-account/queue-service/main.bicep | 130 - .../storage-account/queue-service/main.json | 495 -- .../queue-service/queue/README.md | 171 - .../queue-service/queue/main.bicep | 121 - .../queue-service/queue/main.json | 231 - .../queue-service/queue/version.json | 7 - .../queue-service/version.json | 7 - .../storage-account/table-service/README.md | 161 - .../storage-account/table-service/main.bicep | 128 - .../storage-account/table-service/main.json | 342 -- .../table-service/table/README.md | 71 - .../table-service/table/main.bicep | 47 - .../table-service/table/main.json | 80 - .../table-service/table/version.json | 7 - .../table-service/version.json | 7 - .../tests/e2e/defaults/main.test.bicep | 50 - .../tests/e2e/encr/dependencies.bicep | 113 - .../tests/e2e/encr/main.test.bicep | 114 - 
.../tests/e2e/max/dependencies.bicep | 68 - .../tests/e2e/max/main.test.bicep | 374 -- .../tests/e2e/nfs/dependencies.bicep | 16 - .../tests/e2e/nfs/main.test.bicep | 126 - .../tests/e2e/v1/main.test.bicep | 53 - .../tests/e2e/waf-aligned/dependencies.bicep | 68 - .../tests/e2e/waf-aligned/main.test.bicep | 327 -- modules/storage/storage-account/version.json | 7 - modules/synapse/private-link-hub/README.md | 775 +-- modules/synapse/private-link-hub/main.bicep | 217 - modules/synapse/private-link-hub/main.json | 1044 ---- .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/max/dependencies.bicep | 74 - .../tests/e2e/max/main.test.bicep | 94 - .../tests/e2e/waf-aligned/dependencies.bicep | 74 - .../tests/e2e/waf-aligned/main.test.bicep | 94 - modules/synapse/private-link-hub/version.json | 7 - modules/synapse/workspace/README.md | 1449 +----- .../workspace/integration-runtime/README.md | 95 - .../workspace/integration-runtime/main.bicep | 62 - .../workspace/integration-runtime/main.json | 97 - .../integration-runtime/version.json | 7 - modules/synapse/workspace/key/README.md | 96 - modules/synapse/workspace/key/main.bicep | 64 - modules/synapse/workspace/key/main.json | 102 - modules/synapse/workspace/key/version.json | 7 - modules/synapse/workspace/main.bicep | 473 -- modules/synapse/workspace/main.json | 1761 ------- .../workspace/modules/nested_cmkRbac.bicep | 40 - .../tests/e2e/defaults/dependencies.bicep | 31 - .../tests/e2e/defaults/main.test.bicep | 60 - .../tests/e2e/encrwsai/dependencies.bicep | 66 - .../tests/e2e/encrwsai/main.test.bicep | 67 - .../tests/e2e/encrwuai/dependencies.bicep | 87 - .../tests/e2e/encrwuai/main.test.bicep | 73 - .../tests/e2e/managedvnet/dependencies.bicep | 31 - .../tests/e2e/managedvnet/main.test.bicep | 67 - .../tests/e2e/max/dependencies.bicep | 92 - .../workspace/tests/e2e/max/main.test.bicep | 137 - .../tests/e2e/waf-aligned/dependencies.bicep | 92 - .../tests/e2e/waf-aligned/main.test.bicep | 120 - 
modules/synapse/workspace/version.json | 7 - .../image-template/MOVED-TO-AVM.md | 1 - .../image-template/README.md | 933 +--- .../image-template/main.bicep | 262 - .../image-template/main.json | 467 -- .../tests/e2e/defaults/dependencies.bicep | 25 - .../tests/e2e/defaults/main.test.bicep | 72 - .../tests/e2e/max/dependencies.bicep | 109 - .../tests/e2e/max/main.test.bicep | 119 - .../tests/e2e/waf-aligned/dependencies.bicep | 106 - .../tests/e2e/waf-aligned/main.test.bicep | 102 - .../image-template/version.json | 7 - modules/web/connection/MOVED-TO-AVM.md | 1 - modules/web/connection/README.md | 483 +- modules/web/connection/main.bicep | 149 - modules/web/connection/main.json | 304 -- .../tests/e2e/max/dependencies.bicep | 13 - .../connection/tests/e2e/max/main.test.bicep | 88 - .../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 71 - modules/web/connection/version.json | 7 - modules/web/hosting-environment/README.md | 924 +--- .../configuration--customdnssuffix/README.md | 87 - .../configuration--customdnssuffix/main.bicep | 53 - .../configuration--customdnssuffix/main.json | 96 - .../version.json | 7 - .../configuration--networking/README.md | 94 - .../configuration--networking/main.bicep | 57 - .../configuration--networking/main.json | 107 - .../configuration--networking/version.json | 7 - modules/web/hosting-environment/main.bicep | 324 -- modules/web/hosting-environment/main.json | 850 ---- .../tests/e2e/asev2/dependencies.bicep | 80 - .../tests/e2e/asev2/main.test.bicep | 122 - .../tests/e2e/asev3/dependencies.bicep | 135 - .../tests/e2e/asev3/main.test.bicep | 130 - modules/web/hosting-environment/version.json | 7 - modules/web/serverfarm/MOVED-TO-AVM.md | 1 - modules/web/serverfarm/README.md | 667 +-- modules/web/serverfarm/main.bicep | 227 - modules/web/serverfarm/main.json | 437 -- .../tests/e2e/max/dependencies.bicep | 13 - .../serverfarm/tests/e2e/max/main.test.bicep | 118 - 
.../tests/e2e/waf-aligned/dependencies.bicep | 13 - .../tests/e2e/waf-aligned/main.test.bicep | 101 - modules/web/serverfarm/version.json | 7 - modules/web/site/MOVED-TO-AVM.md | 1 - modules/web/site/README.md | 1864 +------ .../README.md | 97 - .../main.bicep | 59 - .../main.json | 108 - .../version.json | 7 - .../web/site/config--appsettings/README.md | 166 - .../web/site/config--appsettings/main.bicep | 86 - .../web/site/config--appsettings/main.json | 116 - .../web/site/config--appsettings/version.json | 7 - .../web/site/config--authsettingsv2/README.md | 89 - .../site/config--authsettingsv2/main.bicep | 54 - .../web/site/config--authsettingsv2/main.json | 94 - .../site/config--authsettingsv2/version.json | 7 - .../relay/README.md | 89 - .../relay/main.bicep | 66 - .../relay/main.json | 103 - .../relay/version.json | 7 - modules/web/site/main.bicep | 561 -- modules/web/site/main.json | 4259 ---------------- modules/web/site/slot/README.md | 954 ---- .../README.md | 105 - .../main.bicep | 66 - .../main.json | 114 - .../version.json | 7 - .../site/slot/config--appsettings/README.md | 169 - .../site/slot/config--appsettings/main.bicep | 93 - .../site/slot/config--appsettings/main.json | 122 - .../slot/config--appsettings/version.json | 7 - .../slot/config--authsettingsv2/README.md | 97 - .../slot/config--authsettingsv2/main.bicep | 61 - .../slot/config--authsettingsv2/main.json | 100 - .../slot/config--authsettingsv2/version.json | 7 - .../relay/README.md | 97 - .../relay/main.bicep | 69 - .../relay/main.json | 109 - .../relay/version.json | 7 - modules/web/site/slot/main.bicep | 505 -- modules/web/site/slot/main.json | 2091 -------- modules/web/site/slot/version.json | 7 - .../e2e/functionAppCommon/dependencies.bicep | 148 - .../e2e/functionAppCommon/main.test.bicep | 222 - .../e2e/functionAppMin/dependencies.bicep | 21 - .../tests/e2e/functionAppMin/main.test.bicep | 59 - .../tests/e2e/webAppCommon/dependencies.bicep | 119 - 
.../tests/e2e/webAppCommon/main.test.bicep | 231 - .../tests/e2e/webAppMin/dependencies.bicep | 21 - .../site/tests/e2e/webAppMin/main.test.bicep | 56 - modules/web/site/version.json | 7 - modules/web/static-site/MOVED-TO-AVM.md | 1 - modules/web/static-site/README.md | 1056 +--- modules/web/static-site/config/README.md | 95 - modules/web/static-site/config/main.bicep | 54 - modules/web/static-site/config/main.json | 97 - modules/web/static-site/config/version.json | 7 - .../web/static-site/custom-domain/README.md | 89 - .../web/static-site/custom-domain/main.bicep | 51 - .../web/static-site/custom-domain/main.json | 96 - .../static-site/custom-domain/version.json | 7 - .../web/static-site/linked-backend/README.md | 98 - .../web/static-site/linked-backend/main.bicep | 55 - .../web/static-site/linked-backend/main.json | 104 - .../static-site/linked-backend/version.json | 7 - modules/web/static-site/main.bicep | 355 -- modules/web/static-site/main.json | 1731 ------- .../tests/e2e/defaults/main.test.bicep | 49 - .../tests/e2e/max/dependencies.bicep | 94 - .../static-site/tests/e2e/max/main.test.bicep | 120 - .../tests/e2e/waf-aligned/dependencies.bicep | 94 - .../tests/e2e/waf-aligned/main.test.bicep | 103 - modules/web/static-site/version.json | 7 - 2408 files changed, 717 insertions(+), 487898 deletions(-) delete mode 100644 modules/aad/domain-service/main.bicep delete mode 100644 modules/aad/domain-service/main.json delete mode 100644 modules/aad/domain-service/tests/e2e/max/dependencies.bicep delete mode 100644 modules/aad/domain-service/tests/e2e/max/main.test.bicep delete mode 100644 modules/aad/domain-service/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/aad/domain-service/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/aad/domain-service/version.json delete mode 100644 modules/analysis-services/server/MOVED-TO-AVM.md delete mode 100644 modules/analysis-services/server/main.bicep delete mode 100644 
modules/analysis-services/server/main.json delete mode 100644 modules/analysis-services/server/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/analysis-services/server/tests/e2e/max/dependencies.bicep delete mode 100644 modules/analysis-services/server/tests/e2e/max/main.test.bicep delete mode 100644 modules/analysis-services/server/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/analysis-services/server/version.json delete mode 100644 modules/api-management/service/MOVED-TO-AVM.md delete mode 100644 modules/api-management/service/api-version-set/README.md delete mode 100644 modules/api-management/service/api-version-set/main.bicep delete mode 100644 modules/api-management/service/api-version-set/main.json delete mode 100644 modules/api-management/service/api-version-set/version.json delete mode 100644 modules/api-management/service/api/README.md delete mode 100644 modules/api-management/service/api/main.bicep delete mode 100644 modules/api-management/service/api/main.json delete mode 100644 modules/api-management/service/api/policy/README.md delete mode 100644 modules/api-management/service/api/policy/main.bicep delete mode 100644 modules/api-management/service/api/policy/main.json delete mode 100644 modules/api-management/service/api/policy/version.json delete mode 100644 modules/api-management/service/api/version.json delete mode 100644 modules/api-management/service/authorization-server/README.md delete mode 100644 modules/api-management/service/authorization-server/main.bicep delete mode 100644 modules/api-management/service/authorization-server/main.json delete mode 100644 modules/api-management/service/authorization-server/version.json delete mode 100644 modules/api-management/service/backend/README.md delete mode 100644 modules/api-management/service/backend/main.bicep delete mode 100644 modules/api-management/service/backend/main.json 
delete mode 100644 modules/api-management/service/backend/version.json delete mode 100644 modules/api-management/service/cache/README.md delete mode 100644 modules/api-management/service/cache/main.bicep delete mode 100644 modules/api-management/service/cache/main.json delete mode 100644 modules/api-management/service/cache/version.json delete mode 100644 modules/api-management/service/identity-provider/README.md delete mode 100644 modules/api-management/service/identity-provider/main.bicep delete mode 100644 modules/api-management/service/identity-provider/main.json delete mode 100644 modules/api-management/service/identity-provider/version.json delete mode 100644 modules/api-management/service/main.bicep delete mode 100644 modules/api-management/service/main.json delete mode 100644 modules/api-management/service/named-value/README.md delete mode 100644 modules/api-management/service/named-value/main.bicep delete mode 100644 modules/api-management/service/named-value/main.json delete mode 100644 modules/api-management/service/named-value/version.json delete mode 100644 modules/api-management/service/policy/README.md delete mode 100644 modules/api-management/service/policy/main.bicep delete mode 100644 modules/api-management/service/policy/main.json delete mode 100644 modules/api-management/service/policy/version.json delete mode 100644 modules/api-management/service/portalsetting/README.md delete mode 100644 modules/api-management/service/portalsetting/main.bicep delete mode 100644 modules/api-management/service/portalsetting/main.json delete mode 100644 modules/api-management/service/portalsetting/version.json delete mode 100644 modules/api-management/service/product/README.md delete mode 100644 modules/api-management/service/product/api/README.md delete mode 100644 modules/api-management/service/product/api/main.bicep delete mode 100644 modules/api-management/service/product/api/main.json delete mode 100644 modules/api-management/service/product/api/version.json 
delete mode 100644 modules/api-management/service/product/group/README.md delete mode 100644 modules/api-management/service/product/group/main.bicep delete mode 100644 modules/api-management/service/product/group/main.json delete mode 100644 modules/api-management/service/product/group/version.json delete mode 100644 modules/api-management/service/product/main.bicep delete mode 100644 modules/api-management/service/product/main.json delete mode 100644 modules/api-management/service/product/version.json delete mode 100644 modules/api-management/service/subscription/README.md delete mode 100644 modules/api-management/service/subscription/main.bicep delete mode 100644 modules/api-management/service/subscription/main.json delete mode 100644 modules/api-management/service/subscription/version.json delete mode 100644 modules/api-management/service/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/api-management/service/tests/e2e/max/dependencies.bicep delete mode 100644 modules/api-management/service/tests/e2e/max/main.test.bicep delete mode 100644 modules/api-management/service/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/api-management/service/version.json delete mode 100644 modules/app-configuration/configuration-store/MOVED-TO-AVM.md delete mode 100644 modules/app-configuration/configuration-store/key-value/README.md delete mode 100644 modules/app-configuration/configuration-store/key-value/main.bicep delete mode 100644 modules/app-configuration/configuration-store/key-value/main.json delete mode 100644 modules/app-configuration/configuration-store/key-value/version.json delete mode 100644 modules/app-configuration/configuration-store/main.bicep delete mode 100644 modules/app-configuration/configuration-store/main.json delete mode 100644 modules/app-configuration/configuration-store/tests/e2e/defaults/main.test.bicep delete mode 100644 
modules/app-configuration/configuration-store/tests/e2e/encr/dependencies.bicep delete mode 100644 modules/app-configuration/configuration-store/tests/e2e/encr/main.test.bicep delete mode 100644 modules/app-configuration/configuration-store/tests/e2e/max/dependencies.bicep delete mode 100644 modules/app-configuration/configuration-store/tests/e2e/max/main.test.bicep delete mode 100644 modules/app-configuration/configuration-store/tests/e2e/pe/dependencies.bicep delete mode 100644 modules/app-configuration/configuration-store/tests/e2e/pe/main.test.bicep delete mode 100644 modules/app-configuration/configuration-store/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/app-configuration/configuration-store/version.json delete mode 100644 modules/app/container-app/MOVED-TO-AVM.md delete mode 100644 modules/app/container-app/main.bicep delete mode 100644 modules/app/container-app/main.json delete mode 100644 modules/app/container-app/tests/e2e/defaults/dependencies.bicep delete mode 100644 modules/app/container-app/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/app/container-app/tests/e2e/max/dependencies.bicep delete mode 100644 modules/app/container-app/tests/e2e/max/main.test.bicep delete mode 100644 modules/app/container-app/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/app/container-app/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/app/container-app/version.json delete mode 100644 modules/app/job/main.bicep delete mode 100644 modules/app/job/main.json delete mode 100644 modules/app/job/tests/e2e/defaults/dependencies.bicep delete mode 100644 modules/app/job/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/app/job/tests/e2e/max/dependencies.bicep delete mode 100644 modules/app/job/tests/e2e/max/main.test.bicep delete mode 100644 
modules/app/job/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/app/job/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/app/job/version.json delete mode 100644 modules/app/managed-environment/MOVED-TO-AVM.md delete mode 100644 modules/app/managed-environment/main.bicep delete mode 100644 modules/app/managed-environment/main.json delete mode 100644 modules/app/managed-environment/tests/e2e/defaults/dependencies.bicep delete mode 100644 modules/app/managed-environment/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/app/managed-environment/tests/e2e/max/dependencies.bicep delete mode 100644 modules/app/managed-environment/tests/e2e/max/main.test.bicep delete mode 100644 modules/app/managed-environment/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/app/managed-environment/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/app/managed-environment/version.json delete mode 100644 modules/authorization/lock/main.bicep delete mode 100644 modules/authorization/lock/main.json delete mode 100644 modules/authorization/lock/resource-group/README.md delete mode 100644 modules/authorization/lock/resource-group/main.bicep delete mode 100644 modules/authorization/lock/resource-group/main.json delete mode 100644 modules/authorization/lock/resource-group/version.json delete mode 100644 modules/authorization/lock/subscription/README.md delete mode 100644 modules/authorization/lock/subscription/main.bicep delete mode 100644 modules/authorization/lock/subscription/main.json delete mode 100644 modules/authorization/lock/subscription/version.json delete mode 100644 modules/authorization/lock/tests/e2e/max/main.test.bicep delete mode 100644 modules/authorization/lock/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/authorization/lock/version.json delete mode 100644 modules/authorization/policy-assignment/main.bicep delete mode 100644 modules/authorization/policy-assignment/main.json delete 
mode 100644 modules/authorization/policy-assignment/management-group/README.md delete mode 100644 modules/authorization/policy-assignment/management-group/main.bicep delete mode 100644 modules/authorization/policy-assignment/management-group/main.json delete mode 100644 modules/authorization/policy-assignment/management-group/version.json delete mode 100644 modules/authorization/policy-assignment/resource-group/README.md delete mode 100644 modules/authorization/policy-assignment/resource-group/main.bicep delete mode 100644 modules/authorization/policy-assignment/resource-group/main.json delete mode 100644 modules/authorization/policy-assignment/resource-group/version.json delete mode 100644 modules/authorization/policy-assignment/subscription/README.md delete mode 100644 modules/authorization/policy-assignment/subscription/main.bicep delete mode 100644 modules/authorization/policy-assignment/subscription/main.json delete mode 100644 modules/authorization/policy-assignment/subscription/version.json delete mode 100644 modules/authorization/policy-assignment/tests/e2e/mg.common/main.test.bicep delete mode 100644 modules/authorization/policy-assignment/tests/e2e/mg.min/main.test.bicep delete mode 100644 modules/authorization/policy-assignment/tests/e2e/rg.common/dependencies.bicep delete mode 100644 modules/authorization/policy-assignment/tests/e2e/rg.common/main.test.bicep delete mode 100644 modules/authorization/policy-assignment/tests/e2e/rg.min/main.test.bicep delete mode 100644 modules/authorization/policy-assignment/tests/e2e/sub.common/dependencies.bicep delete mode 100644 modules/authorization/policy-assignment/tests/e2e/sub.common/main.test.bicep delete mode 100644 modules/authorization/policy-assignment/tests/e2e/sub.min/main.test.bicep delete mode 100644 modules/authorization/policy-assignment/version.json delete mode 100644 modules/authorization/policy-definition/main.bicep delete mode 100644 modules/authorization/policy-definition/main.json delete mode 
100644 modules/authorization/policy-definition/management-group/README.md delete mode 100644 modules/authorization/policy-definition/management-group/main.bicep delete mode 100644 modules/authorization/policy-definition/management-group/main.json delete mode 100644 modules/authorization/policy-definition/management-group/version.json delete mode 100644 modules/authorization/policy-definition/subscription/README.md delete mode 100644 modules/authorization/policy-definition/subscription/main.bicep delete mode 100644 modules/authorization/policy-definition/subscription/main.json delete mode 100644 modules/authorization/policy-definition/subscription/version.json delete mode 100644 modules/authorization/policy-definition/tests/e2e/mg.common/main.test.bicep delete mode 100644 modules/authorization/policy-definition/tests/e2e/mg.min/main.test.bicep delete mode 100644 modules/authorization/policy-definition/tests/e2e/sub.common/main.test.bicep delete mode 100644 modules/authorization/policy-definition/tests/e2e/sub.min/main.test.bicep delete mode 100644 modules/authorization/policy-definition/version.json delete mode 100644 modules/authorization/policy-exemption/main.bicep delete mode 100644 modules/authorization/policy-exemption/main.json delete mode 100644 modules/authorization/policy-exemption/management-group/README.md delete mode 100644 modules/authorization/policy-exemption/management-group/main.bicep delete mode 100644 modules/authorization/policy-exemption/management-group/main.json delete mode 100644 modules/authorization/policy-exemption/management-group/version.json delete mode 100644 modules/authorization/policy-exemption/resource-group/README.md delete mode 100644 modules/authorization/policy-exemption/resource-group/main.bicep delete mode 100644 modules/authorization/policy-exemption/resource-group/main.json delete mode 100644 modules/authorization/policy-exemption/resource-group/version.json delete mode 100644 
modules/authorization/policy-exemption/subscription/README.md delete mode 100644 modules/authorization/policy-exemption/subscription/main.bicep delete mode 100644 modules/authorization/policy-exemption/subscription/main.json delete mode 100644 modules/authorization/policy-exemption/subscription/version.json delete mode 100644 modules/authorization/policy-exemption/tests/e2e/mg.common/main.test.bicep delete mode 100644 modules/authorization/policy-exemption/tests/e2e/mg.min/main.test.bicep delete mode 100644 modules/authorization/policy-exemption/tests/e2e/rg.common/main.test.bicep delete mode 100644 modules/authorization/policy-exemption/tests/e2e/rg.min/main.test.bicep delete mode 100644 modules/authorization/policy-exemption/tests/e2e/sub.common/main.test.bicep delete mode 100644 modules/authorization/policy-exemption/tests/e2e/sub.min/main.test.bicep delete mode 100644 modules/authorization/policy-exemption/version.json delete mode 100644 modules/authorization/policy-set-definition/main.bicep delete mode 100644 modules/authorization/policy-set-definition/main.json delete mode 100644 modules/authorization/policy-set-definition/management-group/README.md delete mode 100644 modules/authorization/policy-set-definition/management-group/main.bicep delete mode 100644 modules/authorization/policy-set-definition/management-group/main.json delete mode 100644 modules/authorization/policy-set-definition/management-group/version.json delete mode 100644 modules/authorization/policy-set-definition/subscription/README.md delete mode 100644 modules/authorization/policy-set-definition/subscription/main.bicep delete mode 100644 modules/authorization/policy-set-definition/subscription/main.json delete mode 100644 modules/authorization/policy-set-definition/subscription/version.json delete mode 100644 modules/authorization/policy-set-definition/tests/e2e/mg.common/main.test.bicep delete mode 100644 modules/authorization/policy-set-definition/tests/e2e/mg.min/main.test.bicep delete 
mode 100644 modules/authorization/policy-set-definition/tests/e2e/sub.common/main.test.bicep delete mode 100644 modules/authorization/policy-set-definition/tests/e2e/sub.min/main.test.bicep delete mode 100644 modules/authorization/policy-set-definition/version.json delete mode 100644 modules/authorization/role-assignment/main.bicep delete mode 100644 modules/authorization/role-assignment/main.json delete mode 100644 modules/authorization/role-assignment/management-group/README.md delete mode 100644 modules/authorization/role-assignment/management-group/main.bicep delete mode 100644 modules/authorization/role-assignment/management-group/main.json delete mode 100644 modules/authorization/role-assignment/management-group/version.json delete mode 100644 modules/authorization/role-assignment/resource-group/README.md delete mode 100644 modules/authorization/role-assignment/resource-group/main.bicep delete mode 100644 modules/authorization/role-assignment/resource-group/main.json delete mode 100644 modules/authorization/role-assignment/resource-group/version.json delete mode 100644 modules/authorization/role-assignment/subscription/README.md delete mode 100644 modules/authorization/role-assignment/subscription/main.bicep delete mode 100644 modules/authorization/role-assignment/subscription/main.json delete mode 100644 modules/authorization/role-assignment/subscription/version.json delete mode 100644 modules/authorization/role-assignment/tests/e2e/mg.common/dependencies.bicep delete mode 100644 modules/authorization/role-assignment/tests/e2e/mg.common/interim.dependencies.bicep delete mode 100644 modules/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep delete mode 100644 modules/authorization/role-assignment/tests/e2e/mg.min/dependencies.bicep delete mode 100644 modules/authorization/role-assignment/tests/e2e/mg.min/interim.dependencies.bicep delete mode 100644 modules/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep delete mode 100644 
modules/authorization/role-assignment/tests/e2e/rg.common/dependencies.bicep delete mode 100644 modules/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep delete mode 100644 modules/authorization/role-assignment/tests/e2e/rg.min/dependencies.bicep delete mode 100644 modules/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep delete mode 100644 modules/authorization/role-assignment/tests/e2e/sub.common/dependencies.bicep delete mode 100644 modules/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep delete mode 100644 modules/authorization/role-assignment/tests/e2e/sub.min/dependencies.bicep delete mode 100644 modules/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep delete mode 100644 modules/authorization/role-assignment/version.json delete mode 100644 modules/authorization/role-definition/main.bicep delete mode 100644 modules/authorization/role-definition/main.json delete mode 100644 modules/authorization/role-definition/management-group/README.md delete mode 100644 modules/authorization/role-definition/management-group/main.bicep delete mode 100644 modules/authorization/role-definition/management-group/main.json delete mode 100644 modules/authorization/role-definition/management-group/version.json delete mode 100644 modules/authorization/role-definition/resource-group/README.md delete mode 100644 modules/authorization/role-definition/resource-group/main.bicep delete mode 100644 modules/authorization/role-definition/resource-group/main.json delete mode 100644 modules/authorization/role-definition/resource-group/version.json delete mode 100644 modules/authorization/role-definition/subscription/README.md delete mode 100644 modules/authorization/role-definition/subscription/main.bicep delete mode 100644 modules/authorization/role-definition/subscription/main.json delete mode 100644 modules/authorization/role-definition/subscription/version.json delete mode 100644 
modules/authorization/role-definition/tests/e2e/mg.common/main.test.bicep delete mode 100644 modules/authorization/role-definition/tests/e2e/mg.min/main.test.bicep delete mode 100644 modules/authorization/role-definition/tests/e2e/rg.common/main.test.bicep delete mode 100644 modules/authorization/role-definition/tests/e2e/rg.min/main.test.bicep delete mode 100644 modules/authorization/role-definition/tests/e2e/sub.common/main.test.bicep delete mode 100644 modules/authorization/role-definition/tests/e2e/sub.min/main.test.bicep delete mode 100644 modules/authorization/role-definition/version.json delete mode 100644 modules/automation/automation-account/MOVED-TO-AVM.md delete mode 100644 modules/automation/automation-account/job-schedule/README.md delete mode 100644 modules/automation/automation-account/job-schedule/main.bicep delete mode 100644 modules/automation/automation-account/job-schedule/main.json delete mode 100644 modules/automation/automation-account/job-schedule/version.json delete mode 100644 modules/automation/automation-account/main.bicep delete mode 100644 modules/automation/automation-account/main.json delete mode 100644 modules/automation/automation-account/module/README.md delete mode 100644 modules/automation/automation-account/module/main.bicep delete mode 100644 modules/automation/automation-account/module/main.json delete mode 100644 modules/automation/automation-account/module/version.json delete mode 100644 modules/automation/automation-account/runbook/README.md delete mode 100644 modules/automation/automation-account/runbook/main.bicep delete mode 100644 modules/automation/automation-account/runbook/main.json delete mode 100644 modules/automation/automation-account/runbook/version.json delete mode 100644 modules/automation/automation-account/schedule/README.md delete mode 100644 modules/automation/automation-account/schedule/main.bicep delete mode 100644 modules/automation/automation-account/schedule/main.json delete mode 100644 
modules/automation/automation-account/schedule/version.json delete mode 100644 modules/automation/automation-account/software-update-configuration/README.md delete mode 100644 modules/automation/automation-account/software-update-configuration/main.bicep delete mode 100644 modules/automation/automation-account/software-update-configuration/main.json delete mode 100644 modules/automation/automation-account/software-update-configuration/version.json delete mode 100644 modules/automation/automation-account/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/automation/automation-account/tests/e2e/encr/dependencies.bicep delete mode 100644 modules/automation/automation-account/tests/e2e/encr/main.test.bicep delete mode 100644 modules/automation/automation-account/tests/e2e/max/dependencies.bicep delete mode 100644 modules/automation/automation-account/tests/e2e/max/main.test.bicep delete mode 100644 modules/automation/automation-account/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/automation/automation-account/variable/README.md delete mode 100644 modules/automation/automation-account/variable/main.bicep delete mode 100644 modules/automation/automation-account/variable/main.json delete mode 100644 modules/automation/automation-account/variable/version.json delete mode 100644 modules/automation/automation-account/version.json delete mode 100644 modules/batch/batch-account/MOVED-TO-AVM.md delete mode 100644 modules/batch/batch-account/main.bicep delete mode 100644 modules/batch/batch-account/main.json delete mode 100644 modules/batch/batch-account/tests/e2e/defaults/dependencies.bicep delete mode 100644 modules/batch/batch-account/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/batch/batch-account/tests/e2e/encr/dependencies.bicep delete mode 100644 modules/batch/batch-account/tests/e2e/encr/main.test.bicep delete mode 100644 
modules/batch/batch-account/tests/e2e/max/dependencies.bicep delete mode 100644 modules/batch/batch-account/tests/e2e/max/main.test.bicep delete mode 100644 modules/batch/batch-account/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/batch/batch-account/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/batch/batch-account/version.json delete mode 100644 modules/cache/redis-enterprise/database/README.md delete mode 100644 modules/cache/redis-enterprise/database/main.bicep delete mode 100644 modules/cache/redis-enterprise/database/main.json delete mode 100644 modules/cache/redis-enterprise/database/version.json delete mode 100644 modules/cache/redis-enterprise/main.bicep delete mode 100644 modules/cache/redis-enterprise/main.json delete mode 100644 modules/cache/redis-enterprise/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/cache/redis-enterprise/tests/e2e/geo/dependencies.bicep delete mode 100644 modules/cache/redis-enterprise/tests/e2e/geo/main.test.bicep delete mode 100644 modules/cache/redis-enterprise/tests/e2e/max/dependencies.bicep delete mode 100644 modules/cache/redis-enterprise/tests/e2e/max/main.test.bicep delete mode 100644 modules/cache/redis-enterprise/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/cache/redis-enterprise/version.json delete mode 100644 modules/cache/redis/MOVED-TO-AVM.md delete mode 100644 modules/cache/redis/main.bicep delete mode 100644 modules/cache/redis/main.json delete mode 100644 modules/cache/redis/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/cache/redis/tests/e2e/max/dependencies.bicep delete mode 100644 modules/cache/redis/tests/e2e/max/main.test.bicep delete mode 100644 modules/cache/redis/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/cache/redis/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 
modules/cache/redis/version.json delete mode 100644 modules/cdn/profile/MOVED-TO-AVM.md delete mode 100644 modules/cdn/profile/afdEndpoint/README.md delete mode 100644 modules/cdn/profile/afdEndpoint/main.bicep delete mode 100644 modules/cdn/profile/afdEndpoint/main.json delete mode 100644 modules/cdn/profile/afdEndpoint/route/README.md delete mode 100644 modules/cdn/profile/afdEndpoint/route/main.bicep delete mode 100644 modules/cdn/profile/afdEndpoint/route/main.json delete mode 100644 modules/cdn/profile/afdEndpoint/route/version.json delete mode 100644 modules/cdn/profile/afdEndpoint/version.json delete mode 100644 modules/cdn/profile/customdomain/README.md delete mode 100644 modules/cdn/profile/customdomain/main.bicep delete mode 100644 modules/cdn/profile/customdomain/main.json delete mode 100644 modules/cdn/profile/customdomain/version.json delete mode 100644 modules/cdn/profile/endpoint/README.md delete mode 100644 modules/cdn/profile/endpoint/main.bicep delete mode 100644 modules/cdn/profile/endpoint/main.json delete mode 100644 modules/cdn/profile/endpoint/origin/README.md delete mode 100644 modules/cdn/profile/endpoint/origin/main.bicep delete mode 100644 modules/cdn/profile/endpoint/origin/main.json delete mode 100644 modules/cdn/profile/endpoint/origin/version.json delete mode 100644 modules/cdn/profile/endpoint/version.json delete mode 100644 modules/cdn/profile/main.bicep delete mode 100644 modules/cdn/profile/main.json delete mode 100644 modules/cdn/profile/origingroup/README.md delete mode 100644 modules/cdn/profile/origingroup/main.bicep delete mode 100644 modules/cdn/profile/origingroup/main.json delete mode 100644 modules/cdn/profile/origingroup/origin/README.md delete mode 100644 modules/cdn/profile/origingroup/origin/main.bicep delete mode 100644 modules/cdn/profile/origingroup/origin/main.json delete mode 100644 modules/cdn/profile/origingroup/origin/version.json delete mode 100644 modules/cdn/profile/origingroup/version.json delete mode 
100644 modules/cdn/profile/ruleset/README.md delete mode 100644 modules/cdn/profile/ruleset/main.bicep delete mode 100644 modules/cdn/profile/ruleset/main.json delete mode 100644 modules/cdn/profile/ruleset/rule/README.md delete mode 100644 modules/cdn/profile/ruleset/rule/main.bicep delete mode 100644 modules/cdn/profile/ruleset/rule/main.json delete mode 100644 modules/cdn/profile/ruleset/rule/version.json delete mode 100644 modules/cdn/profile/ruleset/version.json delete mode 100644 modules/cdn/profile/secret/README.md delete mode 100644 modules/cdn/profile/secret/main.bicep delete mode 100644 modules/cdn/profile/secret/main.json delete mode 100644 modules/cdn/profile/secret/version.json delete mode 100644 modules/cdn/profile/tests/e2e/afd/dependencies.bicep delete mode 100644 modules/cdn/profile/tests/e2e/afd/main.test.bicep delete mode 100644 modules/cdn/profile/tests/e2e/max/dependencies.bicep delete mode 100644 modules/cdn/profile/tests/e2e/max/main.test.bicep delete mode 100644 modules/cdn/profile/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/cdn/profile/version.json delete mode 100644 modules/cognitive-services/account/MOVED-TO-AVM.md delete mode 100644 modules/cognitive-services/account/main.bicep delete mode 100644 modules/cognitive-services/account/main.json delete mode 100644 modules/cognitive-services/account/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/cognitive-services/account/tests/e2e/encr/dependencies.bicep delete mode 100644 modules/cognitive-services/account/tests/e2e/encr/main.test.bicep delete mode 100644 modules/cognitive-services/account/tests/e2e/max/dependencies.bicep delete mode 100644 modules/cognitive-services/account/tests/e2e/max/main.test.bicep delete mode 100644 modules/cognitive-services/account/tests/e2e/speech/dependencies.bicep delete mode 100644 modules/cognitive-services/account/tests/e2e/speech/main.test.bicep 
delete mode 100644 modules/cognitive-services/account/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/cognitive-services/account/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/cognitive-services/account/version.json delete mode 100644 modules/compute/availability-set/MOVED-TO-AVM.md delete mode 100644 modules/compute/availability-set/main.bicep delete mode 100644 modules/compute/availability-set/main.json delete mode 100644 modules/compute/availability-set/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/compute/availability-set/tests/e2e/max/dependencies.bicep delete mode 100644 modules/compute/availability-set/tests/e2e/max/main.test.bicep delete mode 100644 modules/compute/availability-set/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/compute/availability-set/version.json delete mode 100644 modules/compute/disk-encryption-set/MOVED-TO-AVM.md delete mode 100644 modules/compute/disk-encryption-set/main.bicep delete mode 100644 modules/compute/disk-encryption-set/main.json delete mode 100644 modules/compute/disk-encryption-set/modules/nested_keyVaultPermissions.bicep delete mode 100644 modules/compute/disk-encryption-set/modules/nested_managedIdentityReference.bicep delete mode 100644 modules/compute/disk-encryption-set/tests/e2e/accessPolicies/dependencies.bicep delete mode 100644 modules/compute/disk-encryption-set/tests/e2e/accessPolicies/main.test.bicep delete mode 100644 modules/compute/disk-encryption-set/tests/e2e/max/dependencies.bicep delete mode 100644 modules/compute/disk-encryption-set/tests/e2e/max/main.test.bicep delete mode 100644 modules/compute/disk-encryption-set/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/compute/disk-encryption-set/version.json delete mode 100644 
modules/compute/disk/MOVED-TO-AVM.md delete mode 100644 modules/compute/disk/main.bicep delete mode 100644 modules/compute/disk/main.json delete mode 100644 modules/compute/disk/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/compute/disk/tests/e2e/image/dependencies.bicep delete mode 100644 modules/compute/disk/tests/e2e/image/main.test.bicep delete mode 100644 modules/compute/disk/tests/e2e/import/dependencies.bicep delete mode 100644 modules/compute/disk/tests/e2e/import/dependencies_rbac.bicep delete mode 100644 modules/compute/disk/tests/e2e/import/main.test.bicep delete mode 100644 modules/compute/disk/tests/e2e/max/dependencies.bicep delete mode 100644 modules/compute/disk/tests/e2e/max/main.test.bicep delete mode 100644 modules/compute/disk/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/compute/disk/version.json delete mode 100644 modules/compute/gallery/MOVED-TO-AVM.md delete mode 100644 modules/compute/gallery/application/README.md delete mode 100644 modules/compute/gallery/application/main.bicep delete mode 100644 modules/compute/gallery/application/main.json delete mode 100644 modules/compute/gallery/application/version.json delete mode 100644 modules/compute/gallery/image/README.md delete mode 100644 modules/compute/gallery/image/main.bicep delete mode 100644 modules/compute/gallery/image/main.json delete mode 100644 modules/compute/gallery/image/version.json delete mode 100644 modules/compute/gallery/main.bicep delete mode 100644 modules/compute/gallery/main.json delete mode 100644 modules/compute/gallery/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/compute/gallery/tests/e2e/max/dependencies.bicep delete mode 100644 modules/compute/gallery/tests/e2e/max/main.test.bicep delete mode 100644 modules/compute/gallery/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 
modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/compute/gallery/version.json delete mode 100644 modules/compute/image/MOVED-TO-AVM.md delete mode 100644 modules/compute/image/main.bicep delete mode 100644 modules/compute/image/main.json delete mode 100644 modules/compute/image/tests/e2e/max/dependencies.bicep delete mode 100644 modules/compute/image/tests/e2e/max/dependencies_rbac.bicep delete mode 100644 modules/compute/image/tests/e2e/max/main.test.bicep delete mode 100644 modules/compute/image/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/compute/image/tests/e2e/waf-aligned/dependencies_rbac.bicep delete mode 100644 modules/compute/image/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/compute/image/version.json delete mode 100644 modules/compute/proximity-placement-group/MOVED-TO-AVM.md delete mode 100644 modules/compute/proximity-placement-group/main.bicep delete mode 100644 modules/compute/proximity-placement-group/main.json delete mode 100644 modules/compute/proximity-placement-group/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/compute/proximity-placement-group/tests/e2e/max/dependencies.bicep delete mode 100644 modules/compute/proximity-placement-group/tests/e2e/max/main.test.bicep delete mode 100644 modules/compute/proximity-placement-group/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/compute/proximity-placement-group/version.json delete mode 100644 modules/compute/ssh-public-key/MOVED-TO-AVM.md delete mode 100644 modules/compute/ssh-public-key/main.bicep delete mode 100644 modules/compute/ssh-public-key/main.json delete mode 100644 modules/compute/ssh-public-key/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/compute/ssh-public-key/tests/e2e/max/dependencies.bicep delete mode 100644 
modules/compute/ssh-public-key/tests/e2e/max/main.test.bicep delete mode 100644 modules/compute/ssh-public-key/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/compute/ssh-public-key/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/compute/ssh-public-key/version.json delete mode 100644 modules/compute/virtual-machine-scale-set/extension/README.md delete mode 100644 modules/compute/virtual-machine-scale-set/extension/main.bicep delete mode 100644 modules/compute/virtual-machine-scale-set/extension/main.json delete mode 100644 modules/compute/virtual-machine-scale-set/extension/version.json delete mode 100644 modules/compute/virtual-machine-scale-set/main.bicep delete mode 100644 modules/compute/virtual-machine-scale-set/main.json delete mode 100644 modules/compute/virtual-machine-scale-set/tests/e2e/linux.min/dependencies.bicep delete mode 100644 modules/compute/virtual-machine-scale-set/tests/e2e/linux.min/main.test.bicep delete mode 100644 modules/compute/virtual-machine-scale-set/tests/e2e/linux.ssecmk/dependencies.bicep delete mode 100644 modules/compute/virtual-machine-scale-set/tests/e2e/linux.ssecmk/main.test.bicep delete mode 100644 modules/compute/virtual-machine-scale-set/tests/e2e/linux/dependencies.bicep delete mode 100644 modules/compute/virtual-machine-scale-set/tests/e2e/linux/main.test.bicep delete mode 100644 modules/compute/virtual-machine-scale-set/tests/e2e/windows.min/dependencies.bicep delete mode 100644 modules/compute/virtual-machine-scale-set/tests/e2e/windows.min/main.test.bicep delete mode 100644 modules/compute/virtual-machine-scale-set/tests/e2e/windows/dependencies.bicep delete mode 100644 modules/compute/virtual-machine-scale-set/tests/e2e/windows/main.test.bicep delete mode 100644 modules/compute/virtual-machine-scale-set/version.json delete mode 100644 modules/compute/virtual-machine/MOVED-TO-AVM.md delete mode 100644 modules/compute/virtual-machine/extension/README.md delete mode 100644 
modules/compute/virtual-machine/extension/main.bicep delete mode 100644 modules/compute/virtual-machine/extension/main.json delete mode 100644 modules/compute/virtual-machine/extension/version.json delete mode 100644 modules/compute/virtual-machine/main.bicep delete mode 100644 modules/compute/virtual-machine/main.json delete mode 100644 modules/compute/virtual-machine/modules/nested_networkInterface.bicep delete mode 100644 modules/compute/virtual-machine/tests/e2e/linux.atmg/dependencies.bicep delete mode 100644 modules/compute/virtual-machine/tests/e2e/linux.atmg/main.test.bicep delete mode 100644 modules/compute/virtual-machine/tests/e2e/linux.min/dependencies.bicep delete mode 100644 modules/compute/virtual-machine/tests/e2e/linux.min/main.test.bicep delete mode 100644 modules/compute/virtual-machine/tests/e2e/linux/dependencies.bicep delete mode 100644 modules/compute/virtual-machine/tests/e2e/linux/main.test.bicep delete mode 100644 modules/compute/virtual-machine/tests/e2e/windows.atmg/dependencies.bicep delete mode 100644 modules/compute/virtual-machine/tests/e2e/windows.atmg/main.test.bicep delete mode 100644 modules/compute/virtual-machine/tests/e2e/windows.min/dependencies.bicep delete mode 100644 modules/compute/virtual-machine/tests/e2e/windows.min/main.test.bicep delete mode 100644 modules/compute/virtual-machine/tests/e2e/windows.ssecmk/dependencies.bicep delete mode 100644 modules/compute/virtual-machine/tests/e2e/windows.ssecmk/main.test.bicep delete mode 100644 modules/compute/virtual-machine/tests/e2e/windows/dependencies.bicep delete mode 100644 modules/compute/virtual-machine/tests/e2e/windows/main.test.bicep delete mode 100644 modules/compute/virtual-machine/version.json delete mode 100644 modules/consumption/budget/MOVED-TO-AVM.md delete mode 100644 modules/consumption/budget/main.bicep delete mode 100644 modules/consumption/budget/main.json delete mode 100644 modules/consumption/budget/tests/e2e/defaults/main.test.bicep delete mode 100644 
modules/consumption/budget/tests/e2e/max/main.test.bicep delete mode 100644 modules/consumption/budget/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/consumption/budget/version.json delete mode 100644 modules/container-instance/container-group/main.bicep delete mode 100644 modules/container-instance/container-group/main.json delete mode 100644 modules/container-instance/container-group/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/container-instance/container-group/tests/e2e/encr/dependencies.bicep delete mode 100644 modules/container-instance/container-group/tests/e2e/encr/main.test.bicep delete mode 100644 modules/container-instance/container-group/tests/e2e/max/dependencies.bicep delete mode 100644 modules/container-instance/container-group/tests/e2e/max/main.test.bicep delete mode 100644 modules/container-instance/container-group/tests/e2e/private/dependencies.bicep delete mode 100644 modules/container-instance/container-group/tests/e2e/private/main.test.bicep delete mode 100644 modules/container-instance/container-group/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/container-instance/container-group/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/container-instance/container-group/version.json delete mode 100644 modules/container-registry/registry/MOVED-TO-AVM.md delete mode 100644 modules/container-registry/registry/cache-rules/README.md delete mode 100644 modules/container-registry/registry/cache-rules/main.bicep delete mode 100644 modules/container-registry/registry/cache-rules/main.json delete mode 100644 modules/container-registry/registry/cache-rules/version.json delete mode 100644 modules/container-registry/registry/main.bicep delete mode 100644 modules/container-registry/registry/main.json delete mode 100644 modules/container-registry/registry/replication/README.md delete mode 100644 modules/container-registry/registry/replication/main.bicep delete mode 100644 
modules/container-registry/registry/replication/main.json delete mode 100644 modules/container-registry/registry/replication/version.json delete mode 100644 modules/container-registry/registry/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/container-registry/registry/tests/e2e/encr/dependencies.bicep delete mode 100644 modules/container-registry/registry/tests/e2e/encr/main.test.bicep delete mode 100644 modules/container-registry/registry/tests/e2e/max/dependencies.bicep delete mode 100644 modules/container-registry/registry/tests/e2e/max/main.test.bicep delete mode 100644 modules/container-registry/registry/tests/e2e/pe/dependencies.bicep delete mode 100644 modules/container-registry/registry/tests/e2e/pe/main.test.bicep delete mode 100644 modules/container-registry/registry/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/container-registry/registry/version.json delete mode 100644 modules/container-registry/registry/webhook/README.md delete mode 100644 modules/container-registry/registry/webhook/main.bicep delete mode 100644 modules/container-registry/registry/webhook/main.json delete mode 100644 modules/container-registry/registry/webhook/version.json delete mode 100644 modules/container-service/managed-cluster/MOVED-TO-AVM.md delete mode 100644 modules/container-service/managed-cluster/agent-pool/README.md delete mode 100644 modules/container-service/managed-cluster/agent-pool/main.bicep delete mode 100644 modules/container-service/managed-cluster/agent-pool/main.json delete mode 100644 modules/container-service/managed-cluster/agent-pool/version.json delete mode 100644 modules/container-service/managed-cluster/main.bicep delete mode 100644 modules/container-service/managed-cluster/main.json delete mode 100644 modules/container-service/managed-cluster/tests/e2e/azure/dependencies.bicep delete mode 100644 
modules/container-service/managed-cluster/tests/e2e/azure/main.test.bicep delete mode 100644 modules/container-service/managed-cluster/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/container-service/managed-cluster/tests/e2e/kubenet/dependencies.bicep delete mode 100644 modules/container-service/managed-cluster/tests/e2e/kubenet/main.test.bicep delete mode 100644 modules/container-service/managed-cluster/tests/e2e/priv/dependencies.bicep delete mode 100644 modules/container-service/managed-cluster/tests/e2e/priv/main.test.bicep delete mode 100644 modules/container-service/managed-cluster/version.json delete mode 100644 modules/data-factory/factory/MOVED-TO-AVM.md delete mode 100644 modules/data-factory/factory/integration-runtime/README.md delete mode 100644 modules/data-factory/factory/integration-runtime/main.bicep delete mode 100644 modules/data-factory/factory/integration-runtime/main.json delete mode 100644 modules/data-factory/factory/integration-runtime/version.json delete mode 100644 modules/data-factory/factory/main.bicep delete mode 100644 modules/data-factory/factory/main.json delete mode 100644 modules/data-factory/factory/managed-virtual-network/README.md delete mode 100644 modules/data-factory/factory/managed-virtual-network/main.bicep delete mode 100644 modules/data-factory/factory/managed-virtual-network/main.json delete mode 100644 modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/README.md delete mode 100644 modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/main.bicep delete mode 100644 modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/main.json delete mode 100644 modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/version.json delete mode 100644 modules/data-factory/factory/managed-virtual-network/version.json delete mode 100644 modules/data-factory/factory/tests/e2e/defaults/main.test.bicep delete mode 100644 
modules/data-factory/factory/tests/e2e/max/dependencies.bicep delete mode 100644 modules/data-factory/factory/tests/e2e/max/main.test.bicep delete mode 100644 modules/data-factory/factory/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/data-factory/factory/version.json delete mode 100644 modules/data-protection/backup-vault/MOVED-TO-AVM.md delete mode 100644 modules/data-protection/backup-vault/backup-policy/README.md delete mode 100644 modules/data-protection/backup-vault/backup-policy/main.bicep delete mode 100644 modules/data-protection/backup-vault/backup-policy/main.json delete mode 100644 modules/data-protection/backup-vault/backup-policy/version.json delete mode 100644 modules/data-protection/backup-vault/main.bicep delete mode 100644 modules/data-protection/backup-vault/main.json delete mode 100644 modules/data-protection/backup-vault/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/data-protection/backup-vault/tests/e2e/max/dependencies.bicep delete mode 100644 modules/data-protection/backup-vault/tests/e2e/max/main.test.bicep delete mode 100644 modules/data-protection/backup-vault/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/data-protection/backup-vault/version.json delete mode 100644 modules/databricks/access-connector/MOVED-TO-AVM.md delete mode 100644 modules/databricks/access-connector/main.bicep delete mode 100644 modules/databricks/access-connector/main.json delete mode 100644 modules/databricks/access-connector/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/databricks/access-connector/tests/e2e/max/dependencies.bicep delete mode 100644 modules/databricks/access-connector/tests/e2e/max/main.test.bicep delete mode 100644 modules/databricks/access-connector/tests/e2e/waf-aligned/dependencies.bicep delete 
mode 100644 modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/databricks/access-connector/version.json delete mode 100644 modules/databricks/workspace/MOVED-TO-AVM.md delete mode 100644 modules/databricks/workspace/main.bicep delete mode 100644 modules/databricks/workspace/main.json delete mode 100644 modules/databricks/workspace/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/databricks/workspace/tests/e2e/max/dependencies.bicep delete mode 100644 modules/databricks/workspace/tests/e2e/max/main.test.bicep delete mode 100644 modules/databricks/workspace/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/databricks/workspace/version.json delete mode 100644 modules/db-for-my-sql/flexible-server/MOVED-TO-AVM.md delete mode 100644 modules/db-for-my-sql/flexible-server/administrator/README.md delete mode 100644 modules/db-for-my-sql/flexible-server/administrator/main.bicep delete mode 100644 modules/db-for-my-sql/flexible-server/administrator/main.json delete mode 100644 modules/db-for-my-sql/flexible-server/administrator/version.json delete mode 100644 modules/db-for-my-sql/flexible-server/database/README.md delete mode 100644 modules/db-for-my-sql/flexible-server/database/main.bicep delete mode 100644 modules/db-for-my-sql/flexible-server/database/main.json delete mode 100644 modules/db-for-my-sql/flexible-server/database/version.json delete mode 100644 modules/db-for-my-sql/flexible-server/firewall-rule/README.md delete mode 100644 modules/db-for-my-sql/flexible-server/firewall-rule/main.bicep delete mode 100644 modules/db-for-my-sql/flexible-server/firewall-rule/main.json delete mode 100644 modules/db-for-my-sql/flexible-server/firewall-rule/version.json delete mode 100644 modules/db-for-my-sql/flexible-server/main.bicep delete mode 100644 modules/db-for-my-sql/flexible-server/main.json delete mode 
100644 modules/db-for-my-sql/flexible-server/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/db-for-my-sql/flexible-server/tests/e2e/private/dependencies.bicep delete mode 100644 modules/db-for-my-sql/flexible-server/tests/e2e/private/main.test.bicep delete mode 100644 modules/db-for-my-sql/flexible-server/tests/e2e/public/dependencies1.bicep delete mode 100644 modules/db-for-my-sql/flexible-server/tests/e2e/public/dependencies2.bicep delete mode 100644 modules/db-for-my-sql/flexible-server/tests/e2e/public/main.test.bicep delete mode 100644 modules/db-for-my-sql/flexible-server/version.json delete mode 100644 modules/db-for-postgre-sql/flexible-server/MOVED-TO-AVM.md delete mode 100644 modules/db-for-postgre-sql/flexible-server/administrator/README.md delete mode 100644 modules/db-for-postgre-sql/flexible-server/administrator/main.bicep delete mode 100644 modules/db-for-postgre-sql/flexible-server/administrator/main.json delete mode 100644 modules/db-for-postgre-sql/flexible-server/administrator/version.json delete mode 100644 modules/db-for-postgre-sql/flexible-server/configuration/README.md delete mode 100644 modules/db-for-postgre-sql/flexible-server/configuration/main.bicep delete mode 100644 modules/db-for-postgre-sql/flexible-server/configuration/main.json delete mode 100644 modules/db-for-postgre-sql/flexible-server/configuration/version.json delete mode 100644 modules/db-for-postgre-sql/flexible-server/database/README.md delete mode 100644 modules/db-for-postgre-sql/flexible-server/database/main.bicep delete mode 100644 modules/db-for-postgre-sql/flexible-server/database/main.json delete mode 100644 modules/db-for-postgre-sql/flexible-server/database/version.json delete mode 100644 modules/db-for-postgre-sql/flexible-server/firewall-rule/README.md delete mode 100644 modules/db-for-postgre-sql/flexible-server/firewall-rule/main.bicep delete mode 100644 modules/db-for-postgre-sql/flexible-server/firewall-rule/main.json delete mode 100644 
modules/db-for-postgre-sql/flexible-server/firewall-rule/version.json delete mode 100644 modules/db-for-postgre-sql/flexible-server/main.bicep delete mode 100644 modules/db-for-postgre-sql/flexible-server/main.json delete mode 100644 modules/db-for-postgre-sql/flexible-server/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/db-for-postgre-sql/flexible-server/tests/e2e/private/dependencies.bicep delete mode 100644 modules/db-for-postgre-sql/flexible-server/tests/e2e/private/main.test.bicep delete mode 100644 modules/db-for-postgre-sql/flexible-server/tests/e2e/public/dependencies.bicep delete mode 100644 modules/db-for-postgre-sql/flexible-server/tests/e2e/public/main.test.bicep delete mode 100644 modules/db-for-postgre-sql/flexible-server/version.json delete mode 100644 modules/desktop-virtualization/application-group/MOVED-TO-AVM.md delete mode 100644 modules/desktop-virtualization/application-group/application/README.md delete mode 100644 modules/desktop-virtualization/application-group/application/main.bicep delete mode 100644 modules/desktop-virtualization/application-group/application/main.json delete mode 100644 modules/desktop-virtualization/application-group/application/version.json delete mode 100644 modules/desktop-virtualization/application-group/main.bicep delete mode 100644 modules/desktop-virtualization/application-group/main.json delete mode 100644 modules/desktop-virtualization/application-group/tests/e2e/defaults/dependencies.bicep delete mode 100644 modules/desktop-virtualization/application-group/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/desktop-virtualization/application-group/tests/e2e/max/dependencies.bicep delete mode 100644 modules/desktop-virtualization/application-group/tests/e2e/max/main.test.bicep delete mode 100644 modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 
modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/desktop-virtualization/application-group/version.json delete mode 100644 modules/desktop-virtualization/host-pool/MOVED-TO-AVM.md delete mode 100644 modules/desktop-virtualization/host-pool/main.bicep delete mode 100644 modules/desktop-virtualization/host-pool/main.json delete mode 100644 modules/desktop-virtualization/host-pool/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/desktop-virtualization/host-pool/tests/e2e/max/dependencies.bicep delete mode 100644 modules/desktop-virtualization/host-pool/tests/e2e/max/main.test.bicep delete mode 100644 modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/desktop-virtualization/host-pool/version.json delete mode 100644 modules/desktop-virtualization/scaling-plan/MOVED-TO-AVM.md delete mode 100644 modules/desktop-virtualization/scaling-plan/main.bicep delete mode 100644 modules/desktop-virtualization/scaling-plan/main.json delete mode 100644 modules/desktop-virtualization/scaling-plan/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/desktop-virtualization/scaling-plan/tests/e2e/max/dependencies.bicep delete mode 100644 modules/desktop-virtualization/scaling-plan/tests/e2e/max/main.test.bicep delete mode 100644 modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/desktop-virtualization/scaling-plan/version.json delete mode 100644 modules/desktop-virtualization/workspace/MOVED-TO-AVM.md delete mode 100644 modules/desktop-virtualization/workspace/main.bicep delete mode 100644 modules/desktop-virtualization/workspace/main.json delete mode 100644 
modules/desktop-virtualization/workspace/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/desktop-virtualization/workspace/tests/e2e/max/dependencies.bicep delete mode 100644 modules/desktop-virtualization/workspace/tests/e2e/max/main.test.bicep delete mode 100644 modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/desktop-virtualization/workspace/version.json delete mode 100644 modules/dev-test-lab/lab/MOVED-TO-AVM.md delete mode 100644 modules/dev-test-lab/lab/artifactsource/README.md delete mode 100644 modules/dev-test-lab/lab/artifactsource/main.bicep delete mode 100644 modules/dev-test-lab/lab/artifactsource/main.json delete mode 100644 modules/dev-test-lab/lab/artifactsource/version.json delete mode 100644 modules/dev-test-lab/lab/cost/README.md delete mode 100644 modules/dev-test-lab/lab/cost/main.bicep delete mode 100644 modules/dev-test-lab/lab/cost/main.json delete mode 100644 modules/dev-test-lab/lab/cost/version.json delete mode 100644 modules/dev-test-lab/lab/main.bicep delete mode 100644 modules/dev-test-lab/lab/main.json delete mode 100644 modules/dev-test-lab/lab/notificationchannel/README.md delete mode 100644 modules/dev-test-lab/lab/notificationchannel/main.bicep delete mode 100644 modules/dev-test-lab/lab/notificationchannel/main.json delete mode 100644 modules/dev-test-lab/lab/notificationchannel/version.json delete mode 100644 modules/dev-test-lab/lab/policyset/policy/README.md delete mode 100644 modules/dev-test-lab/lab/policyset/policy/main.bicep delete mode 100644 modules/dev-test-lab/lab/policyset/policy/main.json delete mode 100644 modules/dev-test-lab/lab/policyset/policy/version.json delete mode 100644 modules/dev-test-lab/lab/schedule/README.md delete mode 100644 modules/dev-test-lab/lab/schedule/main.bicep delete mode 100644 modules/dev-test-lab/lab/schedule/main.json 
delete mode 100644 modules/dev-test-lab/lab/schedule/version.json delete mode 100644 modules/dev-test-lab/lab/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/dev-test-lab/lab/tests/e2e/max/dependencies.bicep delete mode 100644 modules/dev-test-lab/lab/tests/e2e/max/main.test.bicep delete mode 100644 modules/dev-test-lab/lab/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/dev-test-lab/lab/version.json delete mode 100644 modules/dev-test-lab/lab/virtualnetwork/README.md delete mode 100644 modules/dev-test-lab/lab/virtualnetwork/main.bicep delete mode 100644 modules/dev-test-lab/lab/virtualnetwork/main.json delete mode 100644 modules/dev-test-lab/lab/virtualnetwork/version.json delete mode 100644 modules/digital-twins/digital-twins-instance/endpoint--event-grid/README.md delete mode 100644 modules/digital-twins/digital-twins-instance/endpoint--event-grid/main.bicep delete mode 100644 modules/digital-twins/digital-twins-instance/endpoint--event-grid/main.json delete mode 100644 modules/digital-twins/digital-twins-instance/endpoint--event-grid/version.json delete mode 100644 modules/digital-twins/digital-twins-instance/endpoint--event-hub/README.md delete mode 100644 modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.bicep delete mode 100644 modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.json delete mode 100644 modules/digital-twins/digital-twins-instance/endpoint--event-hub/version.json delete mode 100644 modules/digital-twins/digital-twins-instance/endpoint--service-bus/README.md delete mode 100644 modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.bicep delete mode 100644 modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.json delete mode 100644 modules/digital-twins/digital-twins-instance/endpoint--service-bus/version.json delete mode 100644 
modules/digital-twins/digital-twins-instance/main.bicep delete mode 100644 modules/digital-twins/digital-twins-instance/main.json delete mode 100644 modules/digital-twins/digital-twins-instance/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/digital-twins/digital-twins-instance/tests/e2e/max/dependencies.bicep delete mode 100644 modules/digital-twins/digital-twins-instance/tests/e2e/max/main.test.bicep delete mode 100644 modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/digital-twins/digital-twins-instance/version.json delete mode 100644 modules/document-db/database-account/MOVED-TO-AVM.md delete mode 100644 modules/document-db/database-account/gremlin-database/README.md delete mode 100644 modules/document-db/database-account/gremlin-database/graph/README.md delete mode 100644 modules/document-db/database-account/gremlin-database/graph/main.bicep delete mode 100644 modules/document-db/database-account/gremlin-database/graph/main.json delete mode 100644 modules/document-db/database-account/gremlin-database/graph/version.json delete mode 100644 modules/document-db/database-account/gremlin-database/main.bicep delete mode 100644 modules/document-db/database-account/gremlin-database/main.json delete mode 100644 modules/document-db/database-account/gremlin-database/version.json delete mode 100644 modules/document-db/database-account/main.bicep delete mode 100644 modules/document-db/database-account/main.json delete mode 100644 modules/document-db/database-account/mongodb-database/README.md delete mode 100644 modules/document-db/database-account/mongodb-database/collection/README.md delete mode 100644 modules/document-db/database-account/mongodb-database/collection/main.bicep delete mode 100644 modules/document-db/database-account/mongodb-database/collection/main.json delete mode 100644 
modules/document-db/database-account/mongodb-database/collection/version.json delete mode 100644 modules/document-db/database-account/mongodb-database/main.bicep delete mode 100644 modules/document-db/database-account/mongodb-database/main.json delete mode 100644 modules/document-db/database-account/mongodb-database/version.json delete mode 100644 modules/document-db/database-account/sql-database/README.md delete mode 100644 modules/document-db/database-account/sql-database/container/README.md delete mode 100644 modules/document-db/database-account/sql-database/container/main.bicep delete mode 100644 modules/document-db/database-account/sql-database/container/main.json delete mode 100644 modules/document-db/database-account/sql-database/container/version.json delete mode 100644 modules/document-db/database-account/sql-database/main.bicep delete mode 100644 modules/document-db/database-account/sql-database/main.json delete mode 100644 modules/document-db/database-account/sql-database/version.json delete mode 100644 modules/document-db/database-account/tests/e2e/gremlindb/dependencies.bicep delete mode 100644 modules/document-db/database-account/tests/e2e/gremlindb/main.test.bicep delete mode 100644 modules/document-db/database-account/tests/e2e/mongodb/dependencies.bicep delete mode 100644 modules/document-db/database-account/tests/e2e/mongodb/main.test.bicep delete mode 100644 modules/document-db/database-account/tests/e2e/plain/dependencies.bicep delete mode 100644 modules/document-db/database-account/tests/e2e/plain/main.test.bicep delete mode 100644 modules/document-db/database-account/tests/e2e/sqldb/dependencies.bicep delete mode 100644 modules/document-db/database-account/tests/e2e/sqldb/main.test.bicep delete mode 100644 modules/document-db/database-account/version.json delete mode 100644 modules/event-grid/domain/MOVED-TO-AVM.md delete mode 100644 modules/event-grid/domain/main.bicep delete mode 100644 modules/event-grid/domain/main.json delete mode 100644 
modules/event-grid/domain/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/event-grid/domain/tests/e2e/max/dependencies.bicep delete mode 100644 modules/event-grid/domain/tests/e2e/max/main.test.bicep delete mode 100644 modules/event-grid/domain/tests/e2e/pe/dependencies.bicep delete mode 100644 modules/event-grid/domain/tests/e2e/pe/main.test.bicep delete mode 100644 modules/event-grid/domain/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/event-grid/domain/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/event-grid/domain/topic/README.md delete mode 100644 modules/event-grid/domain/topic/main.bicep delete mode 100644 modules/event-grid/domain/topic/main.json delete mode 100644 modules/event-grid/domain/topic/version.json delete mode 100644 modules/event-grid/domain/version.json delete mode 100644 modules/event-grid/system-topic/MOVED-TO-AVM.md delete mode 100644 modules/event-grid/system-topic/event-subscription/README.md delete mode 100644 modules/event-grid/system-topic/event-subscription/main.bicep delete mode 100644 modules/event-grid/system-topic/event-subscription/main.json delete mode 100644 modules/event-grid/system-topic/event-subscription/version.json delete mode 100644 modules/event-grid/system-topic/main.bicep delete mode 100644 modules/event-grid/system-topic/main.json delete mode 100644 modules/event-grid/system-topic/tests/e2e/defaults/dependencies.bicep delete mode 100644 modules/event-grid/system-topic/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/event-grid/system-topic/tests/e2e/max/dependencies.bicep delete mode 100644 modules/event-grid/system-topic/tests/e2e/max/main.test.bicep delete mode 100644 modules/event-grid/system-topic/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/event-grid/system-topic/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/event-grid/system-topic/version.json delete mode 100644 modules/event-grid/topic/MOVED-TO-AVM.md 
delete mode 100644 modules/event-grid/topic/event-subscription/README.md delete mode 100644 modules/event-grid/topic/event-subscription/main.bicep delete mode 100644 modules/event-grid/topic/event-subscription/main.json delete mode 100644 modules/event-grid/topic/event-subscription/version.json delete mode 100644 modules/event-grid/topic/main.bicep delete mode 100644 modules/event-grid/topic/main.json delete mode 100644 modules/event-grid/topic/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/event-grid/topic/tests/e2e/max/dependencies.bicep delete mode 100644 modules/event-grid/topic/tests/e2e/max/main.test.bicep delete mode 100644 modules/event-grid/topic/tests/e2e/pe/dependencies.bicep delete mode 100644 modules/event-grid/topic/tests/e2e/pe/main.test.bicep delete mode 100644 modules/event-grid/topic/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/event-grid/topic/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/event-grid/topic/version.json delete mode 100644 modules/event-hub/namespace/authorization-rule/README.md delete mode 100644 modules/event-hub/namespace/authorization-rule/main.bicep delete mode 100644 modules/event-hub/namespace/authorization-rule/main.json delete mode 100644 modules/event-hub/namespace/authorization-rule/version.json delete mode 100644 modules/event-hub/namespace/disaster-recovery-config/README.md delete mode 100644 modules/event-hub/namespace/disaster-recovery-config/main.bicep delete mode 100644 modules/event-hub/namespace/disaster-recovery-config/main.json delete mode 100644 modules/event-hub/namespace/disaster-recovery-config/version.json delete mode 100644 modules/event-hub/namespace/eventhub/README.md delete mode 100644 modules/event-hub/namespace/eventhub/authorization-rule/README.md delete mode 100644 modules/event-hub/namespace/eventhub/authorization-rule/main.bicep delete mode 100644 modules/event-hub/namespace/eventhub/authorization-rule/main.json delete mode 100644 
modules/event-hub/namespace/eventhub/authorization-rule/version.json delete mode 100644 modules/event-hub/namespace/eventhub/consumergroup/README.md delete mode 100644 modules/event-hub/namespace/eventhub/consumergroup/main.bicep delete mode 100644 modules/event-hub/namespace/eventhub/consumergroup/main.json delete mode 100644 modules/event-hub/namespace/eventhub/consumergroup/version.json delete mode 100644 modules/event-hub/namespace/eventhub/main.bicep delete mode 100644 modules/event-hub/namespace/eventhub/main.json delete mode 100644 modules/event-hub/namespace/eventhub/version.json delete mode 100644 modules/event-hub/namespace/main.bicep delete mode 100644 modules/event-hub/namespace/main.json delete mode 100644 modules/event-hub/namespace/network-rule-set/README.md delete mode 100644 modules/event-hub/namespace/network-rule-set/main.bicep delete mode 100644 modules/event-hub/namespace/network-rule-set/main.json delete mode 100644 modules/event-hub/namespace/network-rule-set/version.json delete mode 100644 modules/event-hub/namespace/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/event-hub/namespace/tests/e2e/encr/dependencies.bicep delete mode 100644 modules/event-hub/namespace/tests/e2e/encr/main.test.bicep delete mode 100644 modules/event-hub/namespace/tests/e2e/max/dependencies.bicep delete mode 100644 modules/event-hub/namespace/tests/e2e/max/main.test.bicep delete mode 100644 modules/event-hub/namespace/tests/e2e/pe/dependencies.bicep delete mode 100644 modules/event-hub/namespace/tests/e2e/pe/main.test.bicep delete mode 100644 modules/event-hub/namespace/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/event-hub/namespace/version.json delete mode 100644 modules/health-bot/health-bot/MOVED-TO-AVM.md delete mode 100644 modules/health-bot/health-bot/main.bicep delete mode 100644 modules/health-bot/health-bot/main.json delete mode 100644 
modules/health-bot/health-bot/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/health-bot/health-bot/tests/e2e/max/dependencies.bicep delete mode 100644 modules/health-bot/health-bot/tests/e2e/max/main.test.bicep delete mode 100644 modules/health-bot/health-bot/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/health-bot/health-bot/version.json delete mode 100644 modules/healthcare-apis/workspace/MOVED-TO-AVM.md delete mode 100644 modules/healthcare-apis/workspace/dicomservice/README.md delete mode 100644 modules/healthcare-apis/workspace/dicomservice/main.bicep delete mode 100644 modules/healthcare-apis/workspace/dicomservice/main.json delete mode 100644 modules/healthcare-apis/workspace/dicomservice/version.json delete mode 100644 modules/healthcare-apis/workspace/fhirservice/README.md delete mode 100644 modules/healthcare-apis/workspace/fhirservice/main.bicep delete mode 100644 modules/healthcare-apis/workspace/fhirservice/main.json delete mode 100644 modules/healthcare-apis/workspace/fhirservice/version.json delete mode 100644 modules/healthcare-apis/workspace/iotconnector/README.md delete mode 100644 modules/healthcare-apis/workspace/iotconnector/fhirdestination/README.md delete mode 100644 modules/healthcare-apis/workspace/iotconnector/fhirdestination/main.bicep delete mode 100644 modules/healthcare-apis/workspace/iotconnector/fhirdestination/main.json delete mode 100644 modules/healthcare-apis/workspace/iotconnector/fhirdestination/version.json delete mode 100644 modules/healthcare-apis/workspace/iotconnector/main.bicep delete mode 100644 modules/healthcare-apis/workspace/iotconnector/main.json delete mode 100644 modules/healthcare-apis/workspace/iotconnector/version.json delete mode 100644 modules/healthcare-apis/workspace/main.bicep delete mode 100644 modules/healthcare-apis/workspace/main.json delete mode 100644 
modules/healthcare-apis/workspace/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/healthcare-apis/workspace/tests/e2e/max/dependencies.bicep delete mode 100644 modules/healthcare-apis/workspace/tests/e2e/max/main.test.bicep delete mode 100644 modules/healthcare-apis/workspace/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/healthcare-apis/workspace/version.json delete mode 100644 modules/insights/action-group/MOVED-TO-AVM.md delete mode 100644 modules/insights/action-group/main.bicep delete mode 100644 modules/insights/action-group/main.json delete mode 100644 modules/insights/action-group/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/insights/action-group/tests/e2e/max/dependencies.bicep delete mode 100644 modules/insights/action-group/tests/e2e/max/main.test.bicep delete mode 100644 modules/insights/action-group/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/insights/action-group/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/insights/action-group/version.json delete mode 100644 modules/insights/activity-log-alert/MOVED-TO-AVM.md delete mode 100644 modules/insights/activity-log-alert/main.bicep delete mode 100644 modules/insights/activity-log-alert/main.json delete mode 100644 modules/insights/activity-log-alert/tests/e2e/max/dependencies.bicep delete mode 100644 modules/insights/activity-log-alert/tests/e2e/max/main.test.bicep delete mode 100644 modules/insights/activity-log-alert/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/insights/activity-log-alert/version.json delete mode 100644 modules/insights/component/MOVED-TO-AVM.md delete mode 100644 modules/insights/component/main.bicep delete mode 100644 modules/insights/component/main.json delete mode 100644 
modules/insights/component/tests/e2e/defaults/dependencies.bicep delete mode 100644 modules/insights/component/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/insights/component/tests/e2e/max/dependencies.bicep delete mode 100644 modules/insights/component/tests/e2e/max/main.test.bicep delete mode 100644 modules/insights/component/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/insights/component/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/insights/component/version.json delete mode 100644 modules/insights/data-collection-endpoint/MOVED-TO-AVM.md delete mode 100644 modules/insights/data-collection-endpoint/main.bicep delete mode 100644 modules/insights/data-collection-endpoint/main.json delete mode 100644 modules/insights/data-collection-endpoint/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/insights/data-collection-endpoint/tests/e2e/max/dependencies.bicep delete mode 100644 modules/insights/data-collection-endpoint/tests/e2e/max/main.test.bicep delete mode 100644 modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/insights/data-collection-endpoint/version.json delete mode 100644 modules/insights/data-collection-rule/MOVED-TO-AVM.md delete mode 100644 modules/insights/data-collection-rule/main.bicep delete mode 100644 modules/insights/data-collection-rule/main.json delete mode 100644 modules/insights/data-collection-rule/tests/e2e/customadv/dependencies.bicep delete mode 100644 modules/insights/data-collection-rule/tests/e2e/customadv/main.test.bicep delete mode 100644 modules/insights/data-collection-rule/tests/e2e/custombasic/dependencies.bicep delete mode 100644 modules/insights/data-collection-rule/tests/e2e/custombasic/main.test.bicep delete mode 100644 modules/insights/data-collection-rule/tests/e2e/customiis/dependencies.bicep delete 
mode 100644 modules/insights/data-collection-rule/tests/e2e/customiis/main.test.bicep delete mode 100644 modules/insights/data-collection-rule/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/insights/data-collection-rule/tests/e2e/linux/dependencies.bicep delete mode 100644 modules/insights/data-collection-rule/tests/e2e/linux/main.test.bicep delete mode 100644 modules/insights/data-collection-rule/tests/e2e/windows/dependencies.bicep delete mode 100644 modules/insights/data-collection-rule/tests/e2e/windows/main.test.bicep delete mode 100644 modules/insights/data-collection-rule/version.json delete mode 100644 modules/insights/diagnostic-setting/MOVED-TO-AVM.md delete mode 100644 modules/insights/diagnostic-setting/main.bicep delete mode 100644 modules/insights/diagnostic-setting/main.json delete mode 100644 modules/insights/diagnostic-setting/tests/e2e/max/main.test.bicep delete mode 100644 modules/insights/diagnostic-setting/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/insights/diagnostic-setting/version.json delete mode 100644 modules/insights/metric-alert/MOVED-TO-AVM.md delete mode 100644 modules/insights/metric-alert/main.bicep delete mode 100644 modules/insights/metric-alert/main.json delete mode 100644 modules/insights/metric-alert/tests/e2e/max/dependencies.bicep delete mode 100644 modules/insights/metric-alert/tests/e2e/max/main.test.bicep delete mode 100644 modules/insights/metric-alert/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/insights/metric-alert/version.json delete mode 100644 modules/insights/private-link-scope/MOVED-TO-AVM.md delete mode 100644 modules/insights/private-link-scope/main.bicep delete mode 100644 modules/insights/private-link-scope/main.json delete mode 100644 modules/insights/private-link-scope/scoped-resource/README.md delete mode 100644 
modules/insights/private-link-scope/scoped-resource/main.bicep delete mode 100644 modules/insights/private-link-scope/scoped-resource/main.json delete mode 100644 modules/insights/private-link-scope/scoped-resource/version.json delete mode 100644 modules/insights/private-link-scope/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/insights/private-link-scope/tests/e2e/max/dependencies.bicep delete mode 100644 modules/insights/private-link-scope/tests/e2e/max/main.test.bicep delete mode 100644 modules/insights/private-link-scope/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/insights/private-link-scope/version.json delete mode 100644 modules/insights/scheduled-query-rule/MOVED-TO-AVM.md delete mode 100644 modules/insights/scheduled-query-rule/main.bicep delete mode 100644 modules/insights/scheduled-query-rule/main.json delete mode 100644 modules/insights/scheduled-query-rule/tests/e2e/max/dependencies.bicep delete mode 100644 modules/insights/scheduled-query-rule/tests/e2e/max/main.test.bicep delete mode 100644 modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/insights/scheduled-query-rule/version.json delete mode 100644 modules/insights/webtest/MOVED-TO-AVM.md delete mode 100644 modules/insights/webtest/main.bicep delete mode 100644 modules/insights/webtest/main.json delete mode 100644 modules/insights/webtest/tests/e2e/defaults/dependencies.bicep delete mode 100644 modules/insights/webtest/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/insights/webtest/tests/e2e/max/dependencies.bicep delete mode 100644 modules/insights/webtest/tests/e2e/max/main.test.bicep delete mode 100644 modules/insights/webtest/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 
modules/insights/webtest/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/insights/webtest/version.json delete mode 100644 modules/key-vault/vault/MOVED-TO-AVM.md delete mode 100644 modules/key-vault/vault/access-policy/README.md delete mode 100644 modules/key-vault/vault/access-policy/main.bicep delete mode 100644 modules/key-vault/vault/access-policy/main.json delete mode 100644 modules/key-vault/vault/access-policy/version.json delete mode 100644 modules/key-vault/vault/key/README.md delete mode 100644 modules/key-vault/vault/key/main.bicep delete mode 100644 modules/key-vault/vault/key/main.json delete mode 100644 modules/key-vault/vault/key/version.json delete mode 100644 modules/key-vault/vault/main.bicep delete mode 100644 modules/key-vault/vault/main.json delete mode 100644 modules/key-vault/vault/secret/README.md delete mode 100644 modules/key-vault/vault/secret/main.bicep delete mode 100644 modules/key-vault/vault/secret/main.json delete mode 100644 modules/key-vault/vault/secret/version.json delete mode 100644 modules/key-vault/vault/tests/e2e/accesspolicies/dependencies.bicep delete mode 100644 modules/key-vault/vault/tests/e2e/accesspolicies/main.test.bicep delete mode 100644 modules/key-vault/vault/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/key-vault/vault/tests/e2e/max/dependencies.bicep delete mode 100644 modules/key-vault/vault/tests/e2e/max/main.test.bicep delete mode 100644 modules/key-vault/vault/tests/e2e/pe/dependencies.bicep delete mode 100644 modules/key-vault/vault/tests/e2e/pe/main.test.bicep delete mode 100644 modules/key-vault/vault/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/key-vault/vault/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/key-vault/vault/version.json delete mode 100644 modules/kubernetes-configuration/extension/MOVED-TO-AVM.md delete mode 100644 modules/kubernetes-configuration/extension/main.bicep delete mode 100644 
modules/kubernetes-configuration/extension/main.json delete mode 100644 modules/kubernetes-configuration/extension/tests/e2e/defaults/dependencies.bicep delete mode 100644 modules/kubernetes-configuration/extension/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/kubernetes-configuration/extension/tests/e2e/max/dependencies.bicep delete mode 100644 modules/kubernetes-configuration/extension/tests/e2e/max/main.test.bicep delete mode 100644 modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/kubernetes-configuration/extension/version.json delete mode 100644 modules/kubernetes-configuration/flux-configuration/MOVED-TO-AVM.md delete mode 100644 modules/kubernetes-configuration/flux-configuration/main.bicep delete mode 100644 modules/kubernetes-configuration/flux-configuration/main.json delete mode 100644 modules/kubernetes-configuration/flux-configuration/tests/e2e/defaults/dependencies.bicep delete mode 100644 modules/kubernetes-configuration/flux-configuration/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/kubernetes-configuration/flux-configuration/tests/e2e/max/dependencies.bicep delete mode 100644 modules/kubernetes-configuration/flux-configuration/tests/e2e/max/main.test.bicep delete mode 100644 modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/kubernetes-configuration/flux-configuration/version.json delete mode 100644 modules/logic/workflow/MOVED-TO-AVM.md delete mode 100644 modules/logic/workflow/main.bicep delete mode 100644 modules/logic/workflow/main.json delete mode 100644 modules/logic/workflow/tests/e2e/max/dependencies.bicep delete mode 100644 modules/logic/workflow/tests/e2e/max/main.test.bicep 
delete mode 100644 modules/logic/workflow/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/logic/workflow/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/logic/workflow/version.json delete mode 100644 modules/machine-learning-services/workspace/MOVED-TO-AVM.md delete mode 100644 modules/machine-learning-services/workspace/compute/README.md delete mode 100644 modules/machine-learning-services/workspace/compute/main.bicep delete mode 100644 modules/machine-learning-services/workspace/compute/main.json delete mode 100644 modules/machine-learning-services/workspace/compute/version.json delete mode 100644 modules/machine-learning-services/workspace/main.bicep delete mode 100644 modules/machine-learning-services/workspace/main.json delete mode 100644 modules/machine-learning-services/workspace/tests/e2e/defaults/dependencies.bicep delete mode 100644 modules/machine-learning-services/workspace/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/machine-learning-services/workspace/tests/e2e/encr/dependencies.bicep delete mode 100644 modules/machine-learning-services/workspace/tests/e2e/encr/main.test.bicep delete mode 100644 modules/machine-learning-services/workspace/tests/e2e/max/dependencies.bicep delete mode 100644 modules/machine-learning-services/workspace/tests/e2e/max/main.test.bicep delete mode 100644 modules/machine-learning-services/workspace/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/machine-learning-services/workspace/version.json delete mode 100644 modules/maintenance/maintenance-configuration/MOVED-TO-AVM.md delete mode 100644 modules/maintenance/maintenance-configuration/main.bicep delete mode 100644 modules/maintenance/maintenance-configuration/main.json delete mode 100644 modules/maintenance/maintenance-configuration/tests/e2e/defaults/main.test.bicep delete mode 100644 
modules/maintenance/maintenance-configuration/tests/e2e/max/dependencies.bicep delete mode 100644 modules/maintenance/maintenance-configuration/tests/e2e/max/main.test.bicep delete mode 100644 modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/maintenance/maintenance-configuration/version.json delete mode 100644 modules/managed-identity/user-assigned-identity/MOVED-TO-AVM.md delete mode 100644 modules/managed-identity/user-assigned-identity/federated-identity-credential/README.md delete mode 100644 modules/managed-identity/user-assigned-identity/federated-identity-credential/main.bicep delete mode 100644 modules/managed-identity/user-assigned-identity/federated-identity-credential/main.json delete mode 100644 modules/managed-identity/user-assigned-identity/federated-identity-credential/version.json delete mode 100644 modules/managed-identity/user-assigned-identity/main.bicep delete mode 100644 modules/managed-identity/user-assigned-identity/main.json delete mode 100644 modules/managed-identity/user-assigned-identity/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/managed-identity/user-assigned-identity/tests/e2e/max/dependencies.bicep delete mode 100644 modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep delete mode 100644 modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/managed-identity/user-assigned-identity/version.json delete mode 100644 modules/managed-services/registration-definition/.bicep/nested_registrationAssignment.bicep delete mode 100644 modules/managed-services/registration-definition/main.bicep delete mode 100644 modules/managed-services/registration-definition/main.json delete 
mode 100644 modules/managed-services/registration-definition/tests/e2e/max/main.test.bicep delete mode 100644 modules/managed-services/registration-definition/tests/e2e/rg/main.test.bicep delete mode 100644 modules/managed-services/registration-definition/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/managed-services/registration-definition/version.json delete mode 100644 modules/management/management-group/MOVED-TO-AVM.md delete mode 100644 modules/management/management-group/main.bicep delete mode 100644 modules/management/management-group/main.json delete mode 100644 modules/management/management-group/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/management/management-group/tests/e2e/max/main.test.bicep delete mode 100644 modules/management/management-group/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/management/management-group/version.json delete mode 100644 modules/net-app/net-app-account/MOVED-TO-AVM.md delete mode 100644 modules/net-app/net-app-account/capacity-pool/README.md delete mode 100644 modules/net-app/net-app-account/capacity-pool/main.bicep delete mode 100644 modules/net-app/net-app-account/capacity-pool/main.json delete mode 100644 modules/net-app/net-app-account/capacity-pool/version.json delete mode 100644 modules/net-app/net-app-account/capacity-pool/volume/README.md delete mode 100644 modules/net-app/net-app-account/capacity-pool/volume/main.bicep delete mode 100644 modules/net-app/net-app-account/capacity-pool/volume/main.json delete mode 100644 modules/net-app/net-app-account/capacity-pool/volume/version.json delete mode 100644 modules/net-app/net-app-account/main.bicep delete mode 100644 modules/net-app/net-app-account/main.json delete mode 100644 modules/net-app/net-app-account/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/net-app/net-app-account/tests/e2e/nfs3/dependencies.bicep delete mode 100644 modules/net-app/net-app-account/tests/e2e/nfs3/main.test.bicep delete 
mode 100644 modules/net-app/net-app-account/tests/e2e/nfs41/dependencies.bicep delete mode 100644 modules/net-app/net-app-account/tests/e2e/nfs41/main.test.bicep delete mode 100644 modules/net-app/net-app-account/version.json delete mode 100644 modules/network/application-gateway-web-application-firewall-policy/MOVED-TO-AVM.md delete mode 100644 modules/network/application-gateway-web-application-firewall-policy/main.bicep delete mode 100644 modules/network/application-gateway-web-application-firewall-policy/main.json delete mode 100644 modules/network/application-gateway-web-application-firewall-policy/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/application-gateway-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/application-gateway-web-application-firewall-policy/version.json delete mode 100644 modules/network/application-gateway/main.bicep delete mode 100644 modules/network/application-gateway/main.json delete mode 100644 modules/network/application-gateway/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/application-gateway/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/application-gateway/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/application-gateway/version.json delete mode 100644 modules/network/application-security-group/MOVED-TO-AVM.md delete mode 100644 modules/network/application-security-group/main.bicep delete mode 100644 modules/network/application-security-group/main.json delete mode 100644 modules/network/application-security-group/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/application-security-group/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/application-security-group/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 
modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/application-security-group/version.json delete mode 100644 modules/network/azure-firewall/main.bicep delete mode 100644 modules/network/azure-firewall/main.json delete mode 100644 modules/network/azure-firewall/tests/e2e/addpip/dependencies.bicep delete mode 100644 modules/network/azure-firewall/tests/e2e/addpip/main.test.bicep delete mode 100644 modules/network/azure-firewall/tests/e2e/custompip/dependencies.bicep delete mode 100644 modules/network/azure-firewall/tests/e2e/custompip/main.test.bicep delete mode 100644 modules/network/azure-firewall/tests/e2e/defaults/dependencies.bicep delete mode 100644 modules/network/azure-firewall/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/network/azure-firewall/tests/e2e/hubcommon/dependencies.bicep delete mode 100644 modules/network/azure-firewall/tests/e2e/hubcommon/main.test.bicep delete mode 100644 modules/network/azure-firewall/tests/e2e/hubmin/dependencies.bicep delete mode 100644 modules/network/azure-firewall/tests/e2e/hubmin/main.test.bicep delete mode 100644 modules/network/azure-firewall/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/azure-firewall/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/azure-firewall/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/azure-firewall/version.json delete mode 100644 modules/network/bastion-host/MOVED-TO-AVM.md delete mode 100644 modules/network/bastion-host/main.bicep delete mode 100644 modules/network/bastion-host/main.json delete mode 100644 modules/network/bastion-host/tests/e2e/custompip/dependencies.bicep delete mode 100644 modules/network/bastion-host/tests/e2e/custompip/main.test.bicep delete mode 100644 modules/network/bastion-host/tests/e2e/defaults/dependencies.bicep delete mode 100644 
modules/network/bastion-host/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/network/bastion-host/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/bastion-host/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/bastion-host/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/bastion-host/version.json delete mode 100644 modules/network/connection/MOVED-TO-AVM.md delete mode 100644 modules/network/connection/main.bicep delete mode 100644 modules/network/connection/main.json delete mode 100644 modules/network/connection/tests/e2e/vnet2vnet/dependencies.bicep delete mode 100644 modules/network/connection/tests/e2e/vnet2vnet/main.test.bicep delete mode 100644 modules/network/connection/version.json delete mode 100644 modules/network/ddos-protection-plan/MOVED-TO-AVM.md delete mode 100644 modules/network/ddos-protection-plan/main.bicep delete mode 100644 modules/network/ddos-protection-plan/main.json delete mode 100644 modules/network/ddos-protection-plan/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/network/ddos-protection-plan/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/ddos-protection-plan/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/ddos-protection-plan/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/network/ddos-protection-plan/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/ddos-protection-plan/version.json delete mode 100644 modules/network/dns-forwarding-ruleset/MOVED-TO-AVM.md delete mode 100644 modules/network/dns-forwarding-ruleset/forwarding-rule/README.md delete mode 100644 modules/network/dns-forwarding-ruleset/forwarding-rule/main.bicep delete mode 100644 modules/network/dns-forwarding-ruleset/forwarding-rule/main.json delete mode 100644 
modules/network/dns-forwarding-ruleset/forwarding-rule/version.json delete mode 100644 modules/network/dns-forwarding-ruleset/main.bicep delete mode 100644 modules/network/dns-forwarding-ruleset/main.json delete mode 100644 modules/network/dns-forwarding-ruleset/tests/e2e/defaults/dependencies.bicep delete mode 100644 modules/network/dns-forwarding-ruleset/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/network/dns-forwarding-ruleset/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/dns-forwarding-ruleset/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/dns-forwarding-ruleset/version.json delete mode 100644 modules/network/dns-forwarding-ruleset/virtual-network-link/README.md delete mode 100644 modules/network/dns-forwarding-ruleset/virtual-network-link/main.bicep delete mode 100644 modules/network/dns-forwarding-ruleset/virtual-network-link/main.json delete mode 100644 modules/network/dns-forwarding-ruleset/virtual-network-link/version.json delete mode 100644 modules/network/dns-resolver/MOVED-TO-AVM.md delete mode 100644 modules/network/dns-resolver/main.bicep delete mode 100644 modules/network/dns-resolver/main.json delete mode 100644 modules/network/dns-resolver/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/dns-resolver/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/dns-resolver/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/network/dns-resolver/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/dns-resolver/version.json delete mode 100644 modules/network/dns-zone/MOVED-TO-AVM.md delete mode 100644 modules/network/dns-zone/a/README.md delete mode 100644 modules/network/dns-zone/a/main.bicep delete mode 100644 
modules/network/dns-zone/a/main.json delete mode 100644 modules/network/dns-zone/a/version.json delete mode 100644 modules/network/dns-zone/aaaa/README.md delete mode 100644 modules/network/dns-zone/aaaa/main.bicep delete mode 100644 modules/network/dns-zone/aaaa/main.json delete mode 100644 modules/network/dns-zone/aaaa/version.json delete mode 100644 modules/network/dns-zone/caa/README.md delete mode 100644 modules/network/dns-zone/caa/main.bicep delete mode 100644 modules/network/dns-zone/caa/main.json delete mode 100644 modules/network/dns-zone/caa/version.json delete mode 100644 modules/network/dns-zone/cname/README.md delete mode 100644 modules/network/dns-zone/cname/main.bicep delete mode 100644 modules/network/dns-zone/cname/main.json delete mode 100644 modules/network/dns-zone/cname/version.json delete mode 100644 modules/network/dns-zone/main.bicep delete mode 100644 modules/network/dns-zone/main.json delete mode 100644 modules/network/dns-zone/mx/README.md delete mode 100644 modules/network/dns-zone/mx/main.bicep delete mode 100644 modules/network/dns-zone/mx/main.json delete mode 100644 modules/network/dns-zone/mx/version.json delete mode 100644 modules/network/dns-zone/ns/README.md delete mode 100644 modules/network/dns-zone/ns/main.bicep delete mode 100644 modules/network/dns-zone/ns/main.json delete mode 100644 modules/network/dns-zone/ns/version.json delete mode 100644 modules/network/dns-zone/ptr/README.md delete mode 100644 modules/network/dns-zone/ptr/main.bicep delete mode 100644 modules/network/dns-zone/ptr/main.json delete mode 100644 modules/network/dns-zone/ptr/version.json delete mode 100644 modules/network/dns-zone/soa/README.md delete mode 100644 modules/network/dns-zone/soa/main.bicep delete mode 100644 modules/network/dns-zone/soa/main.json delete mode 100644 modules/network/dns-zone/soa/version.json delete mode 100644 modules/network/dns-zone/srv/README.md delete mode 100644 modules/network/dns-zone/srv/main.bicep delete mode 100644 
modules/network/dns-zone/srv/main.json delete mode 100644 modules/network/dns-zone/srv/version.json delete mode 100644 modules/network/dns-zone/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/network/dns-zone/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/dns-zone/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/dns-zone/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/network/dns-zone/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/dns-zone/txt/README.md delete mode 100644 modules/network/dns-zone/txt/main.bicep delete mode 100644 modules/network/dns-zone/txt/main.json delete mode 100644 modules/network/dns-zone/txt/version.json delete mode 100644 modules/network/dns-zone/version.json delete mode 100644 modules/network/express-route-circuit/MOVED-TO-AVM.MD delete mode 100644 modules/network/express-route-circuit/main.bicep delete mode 100644 modules/network/express-route-circuit/main.json delete mode 100644 modules/network/express-route-circuit/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/network/express-route-circuit/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/express-route-circuit/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/express-route-circuit/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/express-route-circuit/version.json delete mode 100644 modules/network/express-route-gateway/MOVED-TO-AVM.MD delete mode 100644 modules/network/express-route-gateway/main.bicep delete mode 100644 modules/network/express-route-gateway/main.json delete mode 100644 modules/network/express-route-gateway/tests/e2e/defaults/dependencies.bicep delete mode 100644 modules/network/express-route-gateway/tests/e2e/defaults/main.test.bicep delete mode 100644 
modules/network/express-route-gateway/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/express-route-gateway/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/express-route-gateway/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/express-route-gateway/version.json delete mode 100644 modules/network/firewall-policy/MOVED-TO-AVM.md delete mode 100644 modules/network/firewall-policy/main.bicep delete mode 100644 modules/network/firewall-policy/main.json delete mode 100644 modules/network/firewall-policy/rule-collection-group/README.md delete mode 100644 modules/network/firewall-policy/rule-collection-group/main.bicep delete mode 100644 modules/network/firewall-policy/rule-collection-group/main.json delete mode 100644 modules/network/firewall-policy/rule-collection-group/version.json delete mode 100644 modules/network/firewall-policy/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/network/firewall-policy/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/firewall-policy/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/firewall-policy/version.json delete mode 100644 modules/network/front-door-web-application-firewall-policy/MOVED-TO-AVM.md delete mode 100644 modules/network/front-door-web-application-firewall-policy/main.bicep delete mode 100644 modules/network/front-door-web-application-firewall-policy/main.json delete mode 100644 modules/network/front-door-web-application-firewall-policy/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/network/front-door-web-application-firewall-policy/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/front-door-web-application-firewall-policy/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/dependencies.bicep delete 
mode 100644 modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/front-door-web-application-firewall-policy/version.json delete mode 100644 modules/network/front-door/MOVED-TO-AVM.md delete mode 100644 modules/network/front-door/main.bicep delete mode 100644 modules/network/front-door/main.json delete mode 100644 modules/network/front-door/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/network/front-door/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/front-door/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/front-door/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/front-door/version.json delete mode 100644 modules/network/ip-group/MOVED-TO-AVM.md delete mode 100644 modules/network/ip-group/main.bicep delete mode 100644 modules/network/ip-group/main.json delete mode 100644 modules/network/ip-group/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/network/ip-group/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/ip-group/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/ip-group/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/ip-group/version.json delete mode 100644 modules/network/load-balancer/MOVED-TO-AVM.MD delete mode 100644 modules/network/load-balancer/backend-address-pool/README.md delete mode 100644 modules/network/load-balancer/backend-address-pool/main.bicep delete mode 100644 modules/network/load-balancer/backend-address-pool/main.json delete mode 100644 modules/network/load-balancer/backend-address-pool/version.json delete mode 100644 modules/network/load-balancer/inbound-nat-rule/README.md delete mode 100644 
modules/network/load-balancer/inbound-nat-rule/main.bicep delete mode 100644 modules/network/load-balancer/inbound-nat-rule/main.json delete mode 100644 modules/network/load-balancer/inbound-nat-rule/version.json delete mode 100644 modules/network/load-balancer/main.bicep delete mode 100644 modules/network/load-balancer/main.json delete mode 100644 modules/network/load-balancer/tests/e2e/defaults/dependencies.bicep delete mode 100644 modules/network/load-balancer/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/network/load-balancer/tests/e2e/internal/dependencies.bicep delete mode 100644 modules/network/load-balancer/tests/e2e/internal/main.test.bicep delete mode 100644 modules/network/load-balancer/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/load-balancer/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/load-balancer/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/network/load-balancer/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/load-balancer/version.json delete mode 100644 modules/network/local-network-gateway/MOVED-TO-AVM.md delete mode 100644 modules/network/local-network-gateway/main.bicep delete mode 100644 modules/network/local-network-gateway/main.json delete mode 100644 modules/network/local-network-gateway/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/network/local-network-gateway/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/local-network-gateway/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/local-network-gateway/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/local-network-gateway/version.json delete mode 100644 modules/network/nat-gateway/MOVED-TO-AVM.md delete mode 100644 modules/network/nat-gateway/main.bicep delete mode 100644 modules/network/nat-gateway/main.json delete 
mode 100644 modules/network/nat-gateway/modules/formatResourceId.bicep delete mode 100644 modules/network/nat-gateway/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/nat-gateway/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/nat-gateway/tests/e2e/prefixCombined/dependencies.bicep delete mode 100644 modules/network/nat-gateway/tests/e2e/prefixCombined/main.test.bicep delete mode 100644 modules/network/nat-gateway/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/nat-gateway/version.json delete mode 100644 modules/network/network-interface/MOVED-TO-AVM.md delete mode 100644 modules/network/network-interface/main.bicep delete mode 100644 modules/network/network-interface/main.json delete mode 100644 modules/network/network-interface/tests/e2e/defaults/dependencies.bicep delete mode 100644 modules/network/network-interface/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/network/network-interface/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/network-interface/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/network-interface/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/network/network-interface/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/network-interface/version.json delete mode 100644 modules/network/network-manager/MOVED-TO-AVM.md delete mode 100644 modules/network/network-manager/connectivity-configuration/README.md delete mode 100644 modules/network/network-manager/connectivity-configuration/main.bicep delete mode 100644 modules/network/network-manager/connectivity-configuration/main.json delete mode 100644 modules/network/network-manager/connectivity-configuration/version.json delete mode 100644 modules/network/network-manager/main.bicep delete mode 100644 modules/network/network-manager/main.json delete mode 100644 
modules/network/network-manager/network-group/README.md delete mode 100644 modules/network/network-manager/network-group/main.bicep delete mode 100644 modules/network/network-manager/network-group/main.json delete mode 100644 modules/network/network-manager/network-group/static-member/README.md delete mode 100644 modules/network/network-manager/network-group/static-member/main.bicep delete mode 100644 modules/network/network-manager/network-group/static-member/main.json delete mode 100644 modules/network/network-manager/network-group/static-member/version.json delete mode 100644 modules/network/network-manager/network-group/version.json delete mode 100644 modules/network/network-manager/scope-connection/README.md delete mode 100644 modules/network/network-manager/scope-connection/main.bicep delete mode 100644 modules/network/network-manager/scope-connection/main.json delete mode 100644 modules/network/network-manager/scope-connection/version.json delete mode 100644 modules/network/network-manager/security-admin-configuration/README.md delete mode 100644 modules/network/network-manager/security-admin-configuration/main.bicep delete mode 100644 modules/network/network-manager/security-admin-configuration/main.json delete mode 100644 modules/network/network-manager/security-admin-configuration/rule-collection/README.md delete mode 100644 modules/network/network-manager/security-admin-configuration/rule-collection/main.bicep delete mode 100644 modules/network/network-manager/security-admin-configuration/rule-collection/main.json delete mode 100644 modules/network/network-manager/security-admin-configuration/rule-collection/rule/README.md delete mode 100644 modules/network/network-manager/security-admin-configuration/rule-collection/rule/main.bicep delete mode 100644 modules/network/network-manager/security-admin-configuration/rule-collection/rule/main.json delete mode 100644 modules/network/network-manager/security-admin-configuration/rule-collection/rule/version.json 
delete mode 100644 modules/network/network-manager/security-admin-configuration/rule-collection/version.json delete mode 100644 modules/network/network-manager/security-admin-configuration/version.json delete mode 100644 modules/network/network-manager/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/network-manager/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/network-manager/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/network-manager/version.json delete mode 100644 modules/network/network-security-group/MOVED-TO-AVM.md delete mode 100644 modules/network/network-security-group/main.bicep delete mode 100644 modules/network/network-security-group/main.json delete mode 100644 modules/network/network-security-group/security-rule/README.md delete mode 100644 modules/network/network-security-group/security-rule/main.bicep delete mode 100644 modules/network/network-security-group/security-rule/main.json delete mode 100644 modules/network/network-security-group/security-rule/version.json delete mode 100644 modules/network/network-security-group/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/network/network-security-group/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/network-security-group/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/network-security-group/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/network-security-group/version.json delete mode 100644 modules/network/network-watcher/connection-monitor/README.md delete mode 100644 modules/network/network-watcher/connection-monitor/main.bicep delete mode 100644 modules/network/network-watcher/connection-monitor/main.json delete mode 100644 
modules/network/network-watcher/connection-monitor/version.json delete mode 100644 modules/network/network-watcher/flow-log/README.md delete mode 100644 modules/network/network-watcher/flow-log/main.bicep delete mode 100644 modules/network/network-watcher/flow-log/main.json delete mode 100644 modules/network/network-watcher/flow-log/version.json delete mode 100644 modules/network/network-watcher/main.bicep delete mode 100644 modules/network/network-watcher/main.json delete mode 100644 modules/network/network-watcher/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/network/network-watcher/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/network-watcher/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/network-watcher/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/network-watcher/version.json delete mode 100644 modules/network/private-dns-zone/MOVED-TO-AVM.md delete mode 100644 modules/network/private-dns-zone/a/README.md delete mode 100644 modules/network/private-dns-zone/a/main.bicep delete mode 100644 modules/network/private-dns-zone/a/main.json delete mode 100644 modules/network/private-dns-zone/a/version.json delete mode 100644 modules/network/private-dns-zone/aaaa/README.md delete mode 100644 modules/network/private-dns-zone/aaaa/main.bicep delete mode 100644 modules/network/private-dns-zone/aaaa/main.json delete mode 100644 modules/network/private-dns-zone/aaaa/version.json delete mode 100644 modules/network/private-dns-zone/cname/README.md delete mode 100644 modules/network/private-dns-zone/cname/main.bicep delete mode 100644 modules/network/private-dns-zone/cname/main.json delete mode 100644 modules/network/private-dns-zone/cname/version.json delete mode 100644 modules/network/private-dns-zone/main.bicep delete mode 100644 modules/network/private-dns-zone/main.json delete mode 100644 
modules/network/private-dns-zone/mx/README.md delete mode 100644 modules/network/private-dns-zone/mx/main.bicep delete mode 100644 modules/network/private-dns-zone/mx/main.json delete mode 100644 modules/network/private-dns-zone/mx/version.json delete mode 100644 modules/network/private-dns-zone/ptr/README.md delete mode 100644 modules/network/private-dns-zone/ptr/main.bicep delete mode 100644 modules/network/private-dns-zone/ptr/main.json delete mode 100644 modules/network/private-dns-zone/ptr/version.json delete mode 100644 modules/network/private-dns-zone/soa/README.md delete mode 100644 modules/network/private-dns-zone/soa/main.bicep delete mode 100644 modules/network/private-dns-zone/soa/main.json delete mode 100644 modules/network/private-dns-zone/soa/version.json delete mode 100644 modules/network/private-dns-zone/srv/README.md delete mode 100644 modules/network/private-dns-zone/srv/main.bicep delete mode 100644 modules/network/private-dns-zone/srv/main.json delete mode 100644 modules/network/private-dns-zone/srv/version.json delete mode 100644 modules/network/private-dns-zone/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/network/private-dns-zone/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/private-dns-zone/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/private-dns-zone/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/network/private-dns-zone/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/private-dns-zone/txt/README.md delete mode 100644 modules/network/private-dns-zone/txt/main.bicep delete mode 100644 modules/network/private-dns-zone/txt/main.json delete mode 100644 modules/network/private-dns-zone/txt/version.json delete mode 100644 modules/network/private-dns-zone/version.json delete mode 100644 modules/network/private-dns-zone/virtual-network-link/README.md delete mode 100644 modules/network/private-dns-zone/virtual-network-link/main.bicep delete mode 
100644 modules/network/private-dns-zone/virtual-network-link/main.json delete mode 100644 modules/network/private-dns-zone/virtual-network-link/version.json delete mode 100644 modules/network/private-endpoint/MOVED-TO-AVM.md delete mode 100644 modules/network/private-endpoint/main.bicep delete mode 100644 modules/network/private-endpoint/main.json delete mode 100644 modules/network/private-endpoint/private-dns-zone-group/README.md delete mode 100644 modules/network/private-endpoint/private-dns-zone-group/main.bicep delete mode 100644 modules/network/private-endpoint/private-dns-zone-group/main.json delete mode 100644 modules/network/private-endpoint/private-dns-zone-group/version.json delete mode 100644 modules/network/private-endpoint/tests/e2e/defaults/dependencies.bicep delete mode 100644 modules/network/private-endpoint/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/network/private-endpoint/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/private-endpoint/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/private-endpoint/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/network/private-endpoint/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/private-endpoint/version.json delete mode 100644 modules/network/private-link-service/MOVED-TO-AVM.md delete mode 100644 modules/network/private-link-service/main.bicep delete mode 100644 modules/network/private-link-service/main.json delete mode 100644 modules/network/private-link-service/tests/e2e/defaults/dependencies.bicep delete mode 100644 modules/network/private-link-service/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/network/private-link-service/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/private-link-service/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/private-link-service/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 
modules/network/private-link-service/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/private-link-service/version.json delete mode 100644 modules/network/public-ip-address/MOVED-TO-AVM.md delete mode 100644 modules/network/public-ip-address/main.bicep delete mode 100644 modules/network/public-ip-address/main.json delete mode 100644 modules/network/public-ip-address/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/network/public-ip-address/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/public-ip-address/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/public-ip-address/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/network/public-ip-address/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/public-ip-address/version.json delete mode 100644 modules/network/public-ip-prefix/MOVED-TO-AVM.md delete mode 100644 modules/network/public-ip-prefix/main.bicep delete mode 100644 modules/network/public-ip-prefix/main.json delete mode 100644 modules/network/public-ip-prefix/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/network/public-ip-prefix/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/public-ip-prefix/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/public-ip-prefix/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/public-ip-prefix/version.json delete mode 100644 modules/network/route-table/MOVED-TO-AVM.md delete mode 100644 modules/network/route-table/main.bicep delete mode 100644 modules/network/route-table/main.json delete mode 100644 modules/network/route-table/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/network/route-table/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/route-table/tests/e2e/max/main.test.bicep delete mode 100644 
modules/network/route-table/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/network/route-table/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/route-table/version.json delete mode 100644 modules/network/service-endpoint-policy/main.bicep delete mode 100644 modules/network/service-endpoint-policy/main.json delete mode 100644 modules/network/service-endpoint-policy/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/network/service-endpoint-policy/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/service-endpoint-policy/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/service-endpoint-policy/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/service-endpoint-policy/version.json delete mode 100644 modules/network/trafficmanagerprofile/MOVED-TO-AVM.md delete mode 100644 modules/network/trafficmanagerprofile/main.bicep delete mode 100644 modules/network/trafficmanagerprofile/main.json delete mode 100644 modules/network/trafficmanagerprofile/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/network/trafficmanagerprofile/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/trafficmanagerprofile/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/trafficmanagerprofile/version.json delete mode 100644 modules/network/virtual-hub/MOVED-TO-AVM.md delete mode 100644 modules/network/virtual-hub/hub-route-table/README.md delete mode 100644 modules/network/virtual-hub/hub-route-table/main.bicep delete mode 100644 modules/network/virtual-hub/hub-route-table/main.json delete mode 100644 modules/network/virtual-hub/hub-route-table/version.json 
delete mode 100644 modules/network/virtual-hub/hub-virtual-network-connection/README.md delete mode 100644 modules/network/virtual-hub/hub-virtual-network-connection/main.bicep delete mode 100644 modules/network/virtual-hub/hub-virtual-network-connection/main.json delete mode 100644 modules/network/virtual-hub/hub-virtual-network-connection/version.json delete mode 100644 modules/network/virtual-hub/main.bicep delete mode 100644 modules/network/virtual-hub/main.json delete mode 100644 modules/network/virtual-hub/tests/e2e/defaults/dependencies.bicep delete mode 100644 modules/network/virtual-hub/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/network/virtual-hub/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/virtual-hub/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/virtual-hub/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/network/virtual-hub/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/virtual-hub/version.json delete mode 100644 modules/network/virtual-network-gateway/MOVED-TO-AVM.md delete mode 100644 modules/network/virtual-network-gateway/main.bicep delete mode 100644 modules/network/virtual-network-gateway/main.json delete mode 100644 modules/network/virtual-network-gateway/nat-rule/README.md delete mode 100644 modules/network/virtual-network-gateway/nat-rule/main.bicep delete mode 100644 modules/network/virtual-network-gateway/nat-rule/main.json delete mode 100644 modules/network/virtual-network-gateway/nat-rule/version.json delete mode 100644 modules/network/virtual-network-gateway/tests/e2e/aadvpn/dependencies.bicep delete mode 100644 modules/network/virtual-network-gateway/tests/e2e/aadvpn/main.test.bicep delete mode 100644 modules/network/virtual-network-gateway/tests/e2e/expressRoute/dependencies.bicep delete mode 100644 modules/network/virtual-network-gateway/tests/e2e/expressRoute/main.test.bicep delete mode 100644 
modules/network/virtual-network-gateway/tests/e2e/vpn/dependencies.bicep delete mode 100644 modules/network/virtual-network-gateway/tests/e2e/vpn/main.test.bicep delete mode 100644 modules/network/virtual-network-gateway/version.json delete mode 100644 modules/network/virtual-network/MOVED-TO-AVM.md delete mode 100644 modules/network/virtual-network/main.bicep delete mode 100644 modules/network/virtual-network/main.json delete mode 100644 modules/network/virtual-network/subnet/README.md delete mode 100644 modules/network/virtual-network/subnet/main.bicep delete mode 100644 modules/network/virtual-network/subnet/main.json delete mode 100644 modules/network/virtual-network/subnet/version.json delete mode 100644 modules/network/virtual-network/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/network/virtual-network/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/virtual-network/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/virtual-network/tests/e2e/vnetPeering/dependencies.bicep delete mode 100644 modules/network/virtual-network/tests/e2e/vnetPeering/main.test.bicep delete mode 100644 modules/network/virtual-network/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/network/virtual-network/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/virtual-network/version.json delete mode 100644 modules/network/virtual-network/virtual-network-peering/README.md delete mode 100644 modules/network/virtual-network/virtual-network-peering/main.bicep delete mode 100644 modules/network/virtual-network/virtual-network-peering/main.json delete mode 100644 modules/network/virtual-network/virtual-network-peering/version.json delete mode 100644 modules/network/virtual-wan/MOVED-TO-AVM.md delete mode 100644 modules/network/virtual-wan/main.bicep delete mode 100644 modules/network/virtual-wan/main.json delete mode 100644 modules/network/virtual-wan/tests/e2e/defaults/main.test.bicep delete mode 100644 
modules/network/virtual-wan/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/virtual-wan/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/virtual-wan/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/virtual-wan/version.json delete mode 100644 modules/network/vpn-gateway/MOVED-TO-AVM.md delete mode 100644 modules/network/vpn-gateway/main.bicep delete mode 100644 modules/network/vpn-gateway/main.json delete mode 100644 modules/network/vpn-gateway/nat-rule/README.md delete mode 100644 modules/network/vpn-gateway/nat-rule/main.bicep delete mode 100644 modules/network/vpn-gateway/nat-rule/main.json delete mode 100644 modules/network/vpn-gateway/nat-rule/version.json delete mode 100644 modules/network/vpn-gateway/tests/e2e/defaults/dependencies.bicep delete mode 100644 modules/network/vpn-gateway/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/network/vpn-gateway/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/vpn-gateway/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/vpn-gateway/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/network/vpn-gateway/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/vpn-gateway/version.json delete mode 100644 modules/network/vpn-gateway/vpn-connection/README.md delete mode 100644 modules/network/vpn-gateway/vpn-connection/main.bicep delete mode 100644 modules/network/vpn-gateway/vpn-connection/main.json delete mode 100644 modules/network/vpn-gateway/vpn-connection/version.json delete mode 100644 modules/network/vpn-site/MOVED-TO-AVM.md delete mode 100644 modules/network/vpn-site/main.bicep delete mode 100644 modules/network/vpn-site/main.json delete mode 100644 modules/network/vpn-site/tests/e2e/defaults/dependencies.bicep delete mode 100644 modules/network/vpn-site/tests/e2e/defaults/main.test.bicep 
delete mode 100644 modules/network/vpn-site/tests/e2e/max/dependencies.bicep delete mode 100644 modules/network/vpn-site/tests/e2e/max/main.test.bicep delete mode 100644 modules/network/vpn-site/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/network/vpn-site/version.json delete mode 100644 modules/operational-insights/workspace/MOVED-TO-AVM.md delete mode 100644 modules/operational-insights/workspace/data-export/README.md delete mode 100644 modules/operational-insights/workspace/data-export/main.bicep delete mode 100644 modules/operational-insights/workspace/data-export/main.json delete mode 100644 modules/operational-insights/workspace/data-export/version.json delete mode 100644 modules/operational-insights/workspace/data-source/README.md delete mode 100644 modules/operational-insights/workspace/data-source/main.bicep delete mode 100644 modules/operational-insights/workspace/data-source/main.json delete mode 100644 modules/operational-insights/workspace/data-source/version.json delete mode 100644 modules/operational-insights/workspace/linked-service/README.md delete mode 100644 modules/operational-insights/workspace/linked-service/main.bicep delete mode 100644 modules/operational-insights/workspace/linked-service/main.json delete mode 100644 modules/operational-insights/workspace/linked-service/version.json delete mode 100644 modules/operational-insights/workspace/linked-storage-account/README.md delete mode 100644 modules/operational-insights/workspace/linked-storage-account/main.bicep delete mode 100644 modules/operational-insights/workspace/linked-storage-account/main.json delete mode 100644 modules/operational-insights/workspace/linked-storage-account/version.json delete mode 100644 modules/operational-insights/workspace/main.bicep delete mode 100644 modules/operational-insights/workspace/main.json delete mode 100644 
modules/operational-insights/workspace/saved-search/README.md delete mode 100644 modules/operational-insights/workspace/saved-search/main.bicep delete mode 100644 modules/operational-insights/workspace/saved-search/main.json delete mode 100644 modules/operational-insights/workspace/saved-search/version.json delete mode 100644 modules/operational-insights/workspace/storage-insight-config/README.md delete mode 100644 modules/operational-insights/workspace/storage-insight-config/main.bicep delete mode 100644 modules/operational-insights/workspace/storage-insight-config/main.json delete mode 100644 modules/operational-insights/workspace/storage-insight-config/version.json delete mode 100644 modules/operational-insights/workspace/table/README.md delete mode 100644 modules/operational-insights/workspace/table/main.bicep delete mode 100644 modules/operational-insights/workspace/table/main.json delete mode 100644 modules/operational-insights/workspace/table/version.json delete mode 100644 modules/operational-insights/workspace/tests/e2e/adv/dependencies.bicep delete mode 100644 modules/operational-insights/workspace/tests/e2e/adv/main.test.bicep delete mode 100644 modules/operational-insights/workspace/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/operational-insights/workspace/tests/e2e/max/dependencies.bicep delete mode 100644 modules/operational-insights/workspace/tests/e2e/max/main.test.bicep delete mode 100644 modules/operational-insights/workspace/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/operational-insights/workspace/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/operational-insights/workspace/version.json delete mode 100644 modules/operations-management/solution/MOVED-TO-AVM.md delete mode 100644 modules/operations-management/solution/main.bicep delete mode 100644 modules/operations-management/solution/main.json delete mode 100644 
modules/operations-management/solution/tests/e2e/defaults/dependencies.bicep delete mode 100644 modules/operations-management/solution/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/operations-management/solution/tests/e2e/ms/dependencies.bicep delete mode 100644 modules/operations-management/solution/tests/e2e/ms/main.test.bicep delete mode 100644 modules/operations-management/solution/tests/e2e/nonms/dependencies.bicep delete mode 100644 modules/operations-management/solution/tests/e2e/nonms/main.test.bicep delete mode 100644 modules/operations-management/solution/version.json delete mode 100644 modules/policy-insights/remediation/main.bicep delete mode 100644 modules/policy-insights/remediation/main.json delete mode 100644 modules/policy-insights/remediation/management-group/README.md delete mode 100644 modules/policy-insights/remediation/management-group/main.bicep delete mode 100644 modules/policy-insights/remediation/management-group/main.json delete mode 100644 modules/policy-insights/remediation/management-group/version.json delete mode 100644 modules/policy-insights/remediation/resource-group/README.md delete mode 100644 modules/policy-insights/remediation/resource-group/main.bicep delete mode 100644 modules/policy-insights/remediation/resource-group/main.json delete mode 100644 modules/policy-insights/remediation/resource-group/version.json delete mode 100644 modules/policy-insights/remediation/subscription/README.md delete mode 100644 modules/policy-insights/remediation/subscription/main.bicep delete mode 100644 modules/policy-insights/remediation/subscription/main.json delete mode 100644 modules/policy-insights/remediation/subscription/version.json delete mode 100644 modules/policy-insights/remediation/tests/e2e/mg.common/main.test.bicep delete mode 100644 modules/policy-insights/remediation/tests/e2e/mg.min/main.test.bicep delete mode 100644 modules/policy-insights/remediation/tests/e2e/rg.common/main.test.bicep delete mode 100644 
modules/policy-insights/remediation/tests/e2e/rg.min/main.test.bicep delete mode 100644 modules/policy-insights/remediation/tests/e2e/sub.common/main.test.bicep delete mode 100644 modules/policy-insights/remediation/tests/e2e/sub.min/main.test.bicep delete mode 100644 modules/policy-insights/remediation/version.json delete mode 100644 modules/power-bi-dedicated/capacity/MOVED-TO-AVM.md delete mode 100644 modules/power-bi-dedicated/capacity/main.bicep delete mode 100644 modules/power-bi-dedicated/capacity/main.json delete mode 100644 modules/power-bi-dedicated/capacity/tests/e2e/defaults/dependencies.bicep delete mode 100644 modules/power-bi-dedicated/capacity/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/power-bi-dedicated/capacity/tests/e2e/max/dependencies.bicep delete mode 100644 modules/power-bi-dedicated/capacity/tests/e2e/max/main.test.bicep delete mode 100644 modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/power-bi-dedicated/capacity/version.json delete mode 100644 modules/purview/account/MOVED-TO-AVM.md delete mode 100644 modules/purview/account/main.bicep delete mode 100644 modules/purview/account/main.json delete mode 100644 modules/purview/account/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/purview/account/tests/e2e/max/dependencies.bicep delete mode 100644 modules/purview/account/tests/e2e/max/main.test.bicep delete mode 100644 modules/purview/account/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/purview/account/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/purview/account/version.json delete mode 100644 modules/recovery-services/vault/backup-config/README.md delete mode 100644 modules/recovery-services/vault/backup-config/main.bicep delete mode 100644 modules/recovery-services/vault/backup-config/main.json delete mode 100644 
modules/recovery-services/vault/backup-config/version.json delete mode 100644 modules/recovery-services/vault/backup-fabric/protection-container/README.md delete mode 100644 modules/recovery-services/vault/backup-fabric/protection-container/main.bicep delete mode 100644 modules/recovery-services/vault/backup-fabric/protection-container/main.json delete mode 100644 modules/recovery-services/vault/backup-fabric/protection-container/protected-item/README.md delete mode 100644 modules/recovery-services/vault/backup-fabric/protection-container/protected-item/main.bicep delete mode 100644 modules/recovery-services/vault/backup-fabric/protection-container/protected-item/main.json delete mode 100644 modules/recovery-services/vault/backup-fabric/protection-container/protected-item/version.json delete mode 100644 modules/recovery-services/vault/backup-fabric/protection-container/version.json delete mode 100644 modules/recovery-services/vault/backup-policy/README.md delete mode 100644 modules/recovery-services/vault/backup-policy/main.bicep delete mode 100644 modules/recovery-services/vault/backup-policy/main.json delete mode 100644 modules/recovery-services/vault/backup-policy/version.json delete mode 100644 modules/recovery-services/vault/backup-storage-config/README.md delete mode 100644 modules/recovery-services/vault/backup-storage-config/main.bicep delete mode 100644 modules/recovery-services/vault/backup-storage-config/main.json delete mode 100644 modules/recovery-services/vault/backup-storage-config/version.json delete mode 100644 modules/recovery-services/vault/main.bicep delete mode 100644 modules/recovery-services/vault/main.json delete mode 100644 modules/recovery-services/vault/replication-alert-setting/README.md delete mode 100644 modules/recovery-services/vault/replication-alert-setting/main.bicep delete mode 100644 modules/recovery-services/vault/replication-alert-setting/main.json delete mode 100644 
modules/recovery-services/vault/replication-alert-setting/version.json delete mode 100644 modules/recovery-services/vault/replication-fabric/README.md delete mode 100644 modules/recovery-services/vault/replication-fabric/main.bicep delete mode 100644 modules/recovery-services/vault/replication-fabric/main.json delete mode 100644 modules/recovery-services/vault/replication-fabric/replication-protection-container/README.md delete mode 100644 modules/recovery-services/vault/replication-fabric/replication-protection-container/main.bicep delete mode 100644 modules/recovery-services/vault/replication-fabric/replication-protection-container/main.json delete mode 100644 modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/README.md delete mode 100644 modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/main.bicep delete mode 100644 modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/main.json delete mode 100644 modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/version.json delete mode 100644 modules/recovery-services/vault/replication-fabric/replication-protection-container/version.json delete mode 100644 modules/recovery-services/vault/replication-fabric/version.json delete mode 100644 modules/recovery-services/vault/replication-policy/README.md delete mode 100644 modules/recovery-services/vault/replication-policy/main.bicep delete mode 100644 modules/recovery-services/vault/replication-policy/main.json delete mode 100644 modules/recovery-services/vault/replication-policy/version.json delete mode 100644 modules/recovery-services/vault/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/recovery-services/vault/tests/e2e/dr/main.test.bicep delete mode 100644 
modules/recovery-services/vault/tests/e2e/max/dependencies.bicep delete mode 100644 modules/recovery-services/vault/tests/e2e/max/main.test.bicep delete mode 100644 modules/recovery-services/vault/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/recovery-services/vault/version.json delete mode 100644 modules/relay/namespace/MOVED-TO-AVM.md delete mode 100644 modules/relay/namespace/authorization-rule/README.md delete mode 100644 modules/relay/namespace/authorization-rule/main.bicep delete mode 100644 modules/relay/namespace/authorization-rule/main.json delete mode 100644 modules/relay/namespace/authorization-rule/version.json delete mode 100644 modules/relay/namespace/hybrid-connection/README.md delete mode 100644 modules/relay/namespace/hybrid-connection/authorization-rule/README.md delete mode 100644 modules/relay/namespace/hybrid-connection/authorization-rule/main.bicep delete mode 100644 modules/relay/namespace/hybrid-connection/authorization-rule/main.json delete mode 100644 modules/relay/namespace/hybrid-connection/authorization-rule/version.json delete mode 100644 modules/relay/namespace/hybrid-connection/main.bicep delete mode 100644 modules/relay/namespace/hybrid-connection/main.json delete mode 100644 modules/relay/namespace/hybrid-connection/version.json delete mode 100644 modules/relay/namespace/main.bicep delete mode 100644 modules/relay/namespace/main.json delete mode 100644 modules/relay/namespace/network-rule-set/README.md delete mode 100644 modules/relay/namespace/network-rule-set/main.bicep delete mode 100644 modules/relay/namespace/network-rule-set/main.json delete mode 100644 modules/relay/namespace/network-rule-set/version.json delete mode 100644 modules/relay/namespace/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/relay/namespace/tests/e2e/max/dependencies.bicep delete mode 100644 
modules/relay/namespace/tests/e2e/max/main.test.bicep delete mode 100644 modules/relay/namespace/tests/e2e/pe/dependencies.bicep delete mode 100644 modules/relay/namespace/tests/e2e/pe/main.test.bicep delete mode 100644 modules/relay/namespace/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/relay/namespace/version.json delete mode 100644 modules/relay/namespace/wcf-relay/README.md delete mode 100644 modules/relay/namespace/wcf-relay/authorization-rule/README.md delete mode 100644 modules/relay/namespace/wcf-relay/authorization-rule/main.bicep delete mode 100644 modules/relay/namespace/wcf-relay/authorization-rule/main.json delete mode 100644 modules/relay/namespace/wcf-relay/authorization-rule/version.json delete mode 100644 modules/relay/namespace/wcf-relay/main.bicep delete mode 100644 modules/relay/namespace/wcf-relay/main.json delete mode 100644 modules/relay/namespace/wcf-relay/version.json delete mode 100644 modules/resource-graph/query/MOVED-TO-AVM.md delete mode 100644 modules/resource-graph/query/main.bicep delete mode 100644 modules/resource-graph/query/main.json delete mode 100644 modules/resource-graph/query/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/resource-graph/query/tests/e2e/max/dependencies.bicep delete mode 100644 modules/resource-graph/query/tests/e2e/max/main.test.bicep delete mode 100644 modules/resource-graph/query/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/resource-graph/query/version.json delete mode 100644 modules/resources/deployment-script/MOVED-TO-AVM.md delete mode 100644 modules/resources/deployment-script/main.bicep delete mode 100644 modules/resources/deployment-script/main.json delete mode 100644 modules/resources/deployment-script/tests/e2e/cli/dependencies.bicep delete mode 100644 
modules/resources/deployment-script/tests/e2e/cli/main.test.bicep delete mode 100644 modules/resources/deployment-script/tests/e2e/ps/dependencies.bicep delete mode 100644 modules/resources/deployment-script/tests/e2e/ps/main.test.bicep delete mode 100644 modules/resources/deployment-script/version.json delete mode 100644 modules/resources/resource-group/MOVED-TO-AVM.md delete mode 100644 modules/resources/resource-group/main.bicep delete mode 100644 modules/resources/resource-group/main.json delete mode 100644 modules/resources/resource-group/modules/nested_lock.bicep delete mode 100644 modules/resources/resource-group/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/resources/resource-group/tests/e2e/max/dependencies.bicep delete mode 100644 modules/resources/resource-group/tests/e2e/max/main.test.bicep delete mode 100644 modules/resources/resource-group/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/resources/resource-group/version.json delete mode 100644 modules/resources/tags/main.bicep delete mode 100644 modules/resources/tags/main.json delete mode 100644 modules/resources/tags/resource-group/.bicep/readTags.bicep delete mode 100644 modules/resources/tags/resource-group/README.md delete mode 100644 modules/resources/tags/resource-group/main.bicep delete mode 100644 modules/resources/tags/resource-group/main.json delete mode 100644 modules/resources/tags/resource-group/version.json delete mode 100644 modules/resources/tags/subscription/.bicep/readTags.bicep delete mode 100644 modules/resources/tags/subscription/README.md delete mode 100644 modules/resources/tags/subscription/main.bicep delete mode 100644 modules/resources/tags/subscription/main.json delete mode 100644 modules/resources/tags/subscription/version.json delete mode 100644 modules/resources/tags/tests/e2e/defaults/main.test.bicep delete mode 100644 
modules/resources/tags/tests/e2e/rg/main.test.bicep delete mode 100644 modules/resources/tags/tests/e2e/sub/main.test.bicep delete mode 100644 modules/resources/tags/version.json delete mode 100644 modules/search/search-service/MOVED-TO-AVM.md delete mode 100644 modules/search/search-service/main.bicep delete mode 100644 modules/search/search-service/main.json delete mode 100644 modules/search/search-service/shared-private-link-resource/README.md delete mode 100644 modules/search/search-service/shared-private-link-resource/main.bicep delete mode 100644 modules/search/search-service/shared-private-link-resource/main.json delete mode 100644 modules/search/search-service/shared-private-link-resource/version.json delete mode 100644 modules/search/search-service/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/search/search-service/tests/e2e/max/dependencies.bicep delete mode 100644 modules/search/search-service/tests/e2e/max/main.test.bicep delete mode 100644 modules/search/search-service/tests/e2e/pe/dependencies.bicep delete mode 100644 modules/search/search-service/tests/e2e/pe/main.test.bicep delete mode 100644 modules/search/search-service/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/search/search-service/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/search/search-service/version.json delete mode 100644 modules/security/azure-security-center/.bicep/nested_iotSecuritySolutions.bicep delete mode 100644 modules/security/azure-security-center/main.bicep delete mode 100644 modules/security/azure-security-center/main.json delete mode 100644 modules/security/azure-security-center/tests/e2e/max/dependencies.bicep delete mode 100644 modules/security/azure-security-center/tests/e2e/max/main.test.bicep delete mode 100644 modules/security/azure-security-center/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/security/azure-security-center/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 
modules/security/azure-security-center/version.json delete mode 100644 modules/service-bus/namespace/MOVED-TO-AVM.md delete mode 100644 modules/service-bus/namespace/authorization-rule/README.md delete mode 100644 modules/service-bus/namespace/authorization-rule/main.bicep delete mode 100644 modules/service-bus/namespace/authorization-rule/main.json delete mode 100644 modules/service-bus/namespace/authorization-rule/version.json delete mode 100644 modules/service-bus/namespace/disaster-recovery-config/README.md delete mode 100644 modules/service-bus/namespace/disaster-recovery-config/main.bicep delete mode 100644 modules/service-bus/namespace/disaster-recovery-config/main.json delete mode 100644 modules/service-bus/namespace/disaster-recovery-config/version.json delete mode 100644 modules/service-bus/namespace/main.bicep delete mode 100644 modules/service-bus/namespace/main.json delete mode 100644 modules/service-bus/namespace/migration-configuration/README.md delete mode 100644 modules/service-bus/namespace/migration-configuration/main.bicep delete mode 100644 modules/service-bus/namespace/migration-configuration/main.json delete mode 100644 modules/service-bus/namespace/migration-configuration/version.json delete mode 100644 modules/service-bus/namespace/network-rule-set/README.md delete mode 100644 modules/service-bus/namespace/network-rule-set/main.bicep delete mode 100644 modules/service-bus/namespace/network-rule-set/main.json delete mode 100644 modules/service-bus/namespace/network-rule-set/version.json delete mode 100644 modules/service-bus/namespace/queue/README.md delete mode 100644 modules/service-bus/namespace/queue/authorization-rule/README.md delete mode 100644 modules/service-bus/namespace/queue/authorization-rule/main.bicep delete mode 100644 modules/service-bus/namespace/queue/authorization-rule/main.json delete mode 100644 modules/service-bus/namespace/queue/authorization-rule/version.json delete mode 100644 
modules/service-bus/namespace/queue/main.bicep delete mode 100644 modules/service-bus/namespace/queue/main.json delete mode 100644 modules/service-bus/namespace/queue/version.json delete mode 100644 modules/service-bus/namespace/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/service-bus/namespace/tests/e2e/encr/dependencies.bicep delete mode 100644 modules/service-bus/namespace/tests/e2e/encr/main.test.bicep delete mode 100644 modules/service-bus/namespace/tests/e2e/max/dependencies.bicep delete mode 100644 modules/service-bus/namespace/tests/e2e/max/main.test.bicep delete mode 100644 modules/service-bus/namespace/tests/e2e/pe/dependencies.bicep delete mode 100644 modules/service-bus/namespace/tests/e2e/pe/main.test.bicep delete mode 100644 modules/service-bus/namespace/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/service-bus/namespace/topic/README.md delete mode 100644 modules/service-bus/namespace/topic/authorization-rule/README.md delete mode 100644 modules/service-bus/namespace/topic/authorization-rule/main.bicep delete mode 100644 modules/service-bus/namespace/topic/authorization-rule/main.json delete mode 100644 modules/service-bus/namespace/topic/authorization-rule/version.json delete mode 100644 modules/service-bus/namespace/topic/main.bicep delete mode 100644 modules/service-bus/namespace/topic/main.json delete mode 100644 modules/service-bus/namespace/topic/version.json delete mode 100644 modules/service-bus/namespace/version.json delete mode 100644 modules/service-fabric/cluster/application-type/README.md delete mode 100644 modules/service-fabric/cluster/application-type/main.bicep delete mode 100644 modules/service-fabric/cluster/application-type/main.json delete mode 100644 modules/service-fabric/cluster/application-type/version.json delete mode 100644 modules/service-fabric/cluster/main.bicep delete mode 100644 
modules/service-fabric/cluster/main.json delete mode 100644 modules/service-fabric/cluster/tests/e2e/cert/main.test.bicep delete mode 100644 modules/service-fabric/cluster/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/service-fabric/cluster/tests/e2e/max/dependencies.bicep delete mode 100644 modules/service-fabric/cluster/tests/e2e/max/main.test.bicep delete mode 100644 modules/service-fabric/cluster/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/service-fabric/cluster/version.json delete mode 100644 modules/signal-r-service/signal-r/MOVED-TO-AVM.md delete mode 100644 modules/signal-r-service/signal-r/main.bicep delete mode 100644 modules/signal-r-service/signal-r/main.json delete mode 100644 modules/signal-r-service/signal-r/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/signal-r-service/signal-r/tests/e2e/max/dependencies.bicep delete mode 100644 modules/signal-r-service/signal-r/tests/e2e/max/main.test.bicep delete mode 100644 modules/signal-r-service/signal-r/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/signal-r-service/signal-r/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/signal-r-service/signal-r/version.json delete mode 100644 modules/signal-r-service/web-pub-sub/MOVED-TO-AVM.md delete mode 100644 modules/signal-r-service/web-pub-sub/main.bicep delete mode 100644 modules/signal-r-service/web-pub-sub/main.json delete mode 100644 modules/signal-r-service/web-pub-sub/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/signal-r-service/web-pub-sub/tests/e2e/max/dependencies.bicep delete mode 100644 modules/signal-r-service/web-pub-sub/tests/e2e/max/main.test.bicep delete mode 100644 modules/signal-r-service/web-pub-sub/tests/e2e/pe/dependencies.bicep delete mode 100644 modules/signal-r-service/web-pub-sub/tests/e2e/pe/main.test.bicep delete mode 100644 
modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/signal-r-service/web-pub-sub/version.json delete mode 100644 modules/sql/managed-instance/administrator/README.md delete mode 100644 modules/sql/managed-instance/administrator/main.bicep delete mode 100644 modules/sql/managed-instance/administrator/main.json delete mode 100644 modules/sql/managed-instance/administrator/version.json delete mode 100644 modules/sql/managed-instance/database/README.md delete mode 100644 modules/sql/managed-instance/database/backup-long-term-retention-policy/README.md delete mode 100644 modules/sql/managed-instance/database/backup-long-term-retention-policy/main.bicep delete mode 100644 modules/sql/managed-instance/database/backup-long-term-retention-policy/main.json delete mode 100644 modules/sql/managed-instance/database/backup-long-term-retention-policy/version.json delete mode 100644 modules/sql/managed-instance/database/backup-short-term-retention-policy/README.md delete mode 100644 modules/sql/managed-instance/database/backup-short-term-retention-policy/main.bicep delete mode 100644 modules/sql/managed-instance/database/backup-short-term-retention-policy/main.json delete mode 100644 modules/sql/managed-instance/database/backup-short-term-retention-policy/version.json delete mode 100644 modules/sql/managed-instance/database/main.bicep delete mode 100644 modules/sql/managed-instance/database/main.json delete mode 100644 modules/sql/managed-instance/database/version.json delete mode 100644 modules/sql/managed-instance/encryption-protector/README.md delete mode 100644 modules/sql/managed-instance/encryption-protector/main.bicep delete mode 100644 modules/sql/managed-instance/encryption-protector/main.json delete mode 100644 modules/sql/managed-instance/encryption-protector/version.json delete mode 100644 
modules/sql/managed-instance/key/README.md delete mode 100644 modules/sql/managed-instance/key/main.bicep delete mode 100644 modules/sql/managed-instance/key/main.json delete mode 100644 modules/sql/managed-instance/key/version.json delete mode 100644 modules/sql/managed-instance/main.bicep delete mode 100644 modules/sql/managed-instance/main.json delete mode 100644 modules/sql/managed-instance/security-alert-policy/README.md delete mode 100644 modules/sql/managed-instance/security-alert-policy/main.bicep delete mode 100644 modules/sql/managed-instance/security-alert-policy/main.json delete mode 100644 modules/sql/managed-instance/security-alert-policy/version.json delete mode 100644 modules/sql/managed-instance/tests/e2e/defaults/dependencies.bicep delete mode 100644 modules/sql/managed-instance/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/sql/managed-instance/tests/e2e/max/dependencies.bicep delete mode 100644 modules/sql/managed-instance/tests/e2e/max/main.test.bicep delete mode 100644 modules/sql/managed-instance/tests/e2e/vulnAssm/dependencies.bicep delete mode 100644 modules/sql/managed-instance/tests/e2e/vulnAssm/main.test.bicep delete mode 100644 modules/sql/managed-instance/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/sql/managed-instance/version.json delete mode 100644 modules/sql/managed-instance/vulnerability-assessment/README.md delete mode 100644 modules/sql/managed-instance/vulnerability-assessment/main.bicep delete mode 100644 modules/sql/managed-instance/vulnerability-assessment/main.json delete mode 100644 modules/sql/managed-instance/vulnerability-assessment/modules/nested_storageRoleAssignment.bicep delete mode 100644 modules/sql/managed-instance/vulnerability-assessment/version.json delete mode 100644 modules/sql/server/MOVED-TO-AVM.md delete mode 100644 modules/sql/server/database/README.md delete mode 100644 
modules/sql/server/database/backup-long-term-retention-policy/README.md delete mode 100644 modules/sql/server/database/backup-long-term-retention-policy/main.bicep delete mode 100644 modules/sql/server/database/backup-long-term-retention-policy/main.json delete mode 100644 modules/sql/server/database/backup-long-term-retention-policy/version.json delete mode 100644 modules/sql/server/database/backup-short-term-retention-policy/README.md delete mode 100644 modules/sql/server/database/backup-short-term-retention-policy/main.bicep delete mode 100644 modules/sql/server/database/backup-short-term-retention-policy/main.json delete mode 100644 modules/sql/server/database/backup-short-term-retention-policy/version.json delete mode 100644 modules/sql/server/database/main.bicep delete mode 100644 modules/sql/server/database/main.json delete mode 100644 modules/sql/server/database/version.json delete mode 100644 modules/sql/server/elastic-pool/README.md delete mode 100644 modules/sql/server/elastic-pool/main.bicep delete mode 100644 modules/sql/server/elastic-pool/main.json delete mode 100644 modules/sql/server/elastic-pool/version.json delete mode 100644 modules/sql/server/encryption-protector/README.md delete mode 100644 modules/sql/server/encryption-protector/main.bicep delete mode 100644 modules/sql/server/encryption-protector/main.json delete mode 100644 modules/sql/server/encryption-protector/version.json delete mode 100644 modules/sql/server/firewall-rule/README.md delete mode 100644 modules/sql/server/firewall-rule/main.bicep delete mode 100644 modules/sql/server/firewall-rule/main.json delete mode 100644 modules/sql/server/firewall-rule/version.json delete mode 100644 modules/sql/server/key/README.md delete mode 100644 modules/sql/server/key/main.bicep delete mode 100644 modules/sql/server/key/main.json delete mode 100644 modules/sql/server/key/version.json delete mode 100644 modules/sql/server/main.bicep delete mode 100644 modules/sql/server/main.json delete mode 
100644 modules/sql/server/security-alert-policy/README.md delete mode 100644 modules/sql/server/security-alert-policy/main.bicep delete mode 100644 modules/sql/server/security-alert-policy/main.json delete mode 100644 modules/sql/server/security-alert-policy/version.json delete mode 100644 modules/sql/server/tests/e2e/admin/dependencies.bicep delete mode 100644 modules/sql/server/tests/e2e/admin/main.test.bicep delete mode 100644 modules/sql/server/tests/e2e/max/dependencies.bicep delete mode 100644 modules/sql/server/tests/e2e/max/main.test.bicep delete mode 100644 modules/sql/server/tests/e2e/pe/dependencies.bicep delete mode 100644 modules/sql/server/tests/e2e/pe/main.test.bicep delete mode 100644 modules/sql/server/tests/e2e/secondary/dependencies.bicep delete mode 100644 modules/sql/server/tests/e2e/secondary/main.test.bicep delete mode 100644 modules/sql/server/tests/e2e/vulnAssm/dependencies.bicep delete mode 100644 modules/sql/server/tests/e2e/vulnAssm/main.test.bicep delete mode 100644 modules/sql/server/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/sql/server/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/sql/server/version.json delete mode 100644 modules/sql/server/virtual-network-rule/README.md delete mode 100644 modules/sql/server/virtual-network-rule/main.bicep delete mode 100644 modules/sql/server/virtual-network-rule/main.json delete mode 100644 modules/sql/server/virtual-network-rule/version.json delete mode 100644 modules/sql/server/vulnerability-assessment/README.md delete mode 100644 modules/sql/server/vulnerability-assessment/main.bicep delete mode 100644 modules/sql/server/vulnerability-assessment/main.json delete mode 100644 modules/sql/server/vulnerability-assessment/modules/nested_storageRoleAssignment.bicep delete mode 100644 modules/sql/server/vulnerability-assessment/version.json delete mode 100644 modules/storage/storage-account/MOVED-TO-AVM.md delete mode 100644 
modules/storage/storage-account/blob-service/README.md delete mode 100644 modules/storage/storage-account/blob-service/container/README.md delete mode 100644 modules/storage/storage-account/blob-service/container/immutability-policy/README.md delete mode 100644 modules/storage/storage-account/blob-service/container/immutability-policy/main.bicep delete mode 100644 modules/storage/storage-account/blob-service/container/immutability-policy/main.json delete mode 100644 modules/storage/storage-account/blob-service/container/immutability-policy/version.json delete mode 100644 modules/storage/storage-account/blob-service/container/main.bicep delete mode 100644 modules/storage/storage-account/blob-service/container/main.json delete mode 100644 modules/storage/storage-account/blob-service/container/version.json delete mode 100644 modules/storage/storage-account/blob-service/main.bicep delete mode 100644 modules/storage/storage-account/blob-service/main.json delete mode 100644 modules/storage/storage-account/blob-service/version.json delete mode 100644 modules/storage/storage-account/file-service/README.md delete mode 100644 modules/storage/storage-account/file-service/main.bicep delete mode 100644 modules/storage/storage-account/file-service/main.json delete mode 100644 modules/storage/storage-account/file-service/share/README.md delete mode 100644 modules/storage/storage-account/file-service/share/main.bicep delete mode 100644 modules/storage/storage-account/file-service/share/main.json delete mode 100644 modules/storage/storage-account/file-service/share/modules/nested_inner_roleAssignment.json delete mode 100644 modules/storage/storage-account/file-service/share/modules/nested_roleAssignment.bicep delete mode 100644 modules/storage/storage-account/file-service/share/version.json delete mode 100644 modules/storage/storage-account/file-service/version.json delete mode 100644 modules/storage/storage-account/local-user/README.md delete mode 100644 
modules/storage/storage-account/local-user/main.bicep delete mode 100644 modules/storage/storage-account/local-user/main.json delete mode 100644 modules/storage/storage-account/local-user/version.json delete mode 100644 modules/storage/storage-account/main.bicep delete mode 100644 modules/storage/storage-account/main.json delete mode 100644 modules/storage/storage-account/management-policy/README.md delete mode 100644 modules/storage/storage-account/management-policy/main.bicep delete mode 100644 modules/storage/storage-account/management-policy/main.json delete mode 100644 modules/storage/storage-account/management-policy/version.json delete mode 100644 modules/storage/storage-account/queue-service/README.md delete mode 100644 modules/storage/storage-account/queue-service/main.bicep delete mode 100644 modules/storage/storage-account/queue-service/main.json delete mode 100644 modules/storage/storage-account/queue-service/queue/README.md delete mode 100644 modules/storage/storage-account/queue-service/queue/main.bicep delete mode 100644 modules/storage/storage-account/queue-service/queue/main.json delete mode 100644 modules/storage/storage-account/queue-service/queue/version.json delete mode 100644 modules/storage/storage-account/queue-service/version.json delete mode 100644 modules/storage/storage-account/table-service/README.md delete mode 100644 modules/storage/storage-account/table-service/main.bicep delete mode 100644 modules/storage/storage-account/table-service/main.json delete mode 100644 modules/storage/storage-account/table-service/table/README.md delete mode 100644 modules/storage/storage-account/table-service/table/main.bicep delete mode 100644 modules/storage/storage-account/table-service/table/main.json delete mode 100644 modules/storage/storage-account/table-service/table/version.json delete mode 100644 modules/storage/storage-account/table-service/version.json delete mode 100644 modules/storage/storage-account/tests/e2e/defaults/main.test.bicep 
delete mode 100644 modules/storage/storage-account/tests/e2e/encr/dependencies.bicep delete mode 100644 modules/storage/storage-account/tests/e2e/encr/main.test.bicep delete mode 100644 modules/storage/storage-account/tests/e2e/max/dependencies.bicep delete mode 100644 modules/storage/storage-account/tests/e2e/max/main.test.bicep delete mode 100644 modules/storage/storage-account/tests/e2e/nfs/dependencies.bicep delete mode 100644 modules/storage/storage-account/tests/e2e/nfs/main.test.bicep delete mode 100644 modules/storage/storage-account/tests/e2e/v1/main.test.bicep delete mode 100644 modules/storage/storage-account/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/storage/storage-account/version.json delete mode 100644 modules/synapse/private-link-hub/main.bicep delete mode 100644 modules/synapse/private-link-hub/main.json delete mode 100644 modules/synapse/private-link-hub/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/synapse/private-link-hub/tests/e2e/max/dependencies.bicep delete mode 100644 modules/synapse/private-link-hub/tests/e2e/max/main.test.bicep delete mode 100644 modules/synapse/private-link-hub/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/synapse/private-link-hub/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/synapse/private-link-hub/version.json delete mode 100644 modules/synapse/workspace/integration-runtime/README.md delete mode 100644 modules/synapse/workspace/integration-runtime/main.bicep delete mode 100644 modules/synapse/workspace/integration-runtime/main.json delete mode 100644 modules/synapse/workspace/integration-runtime/version.json delete mode 100644 modules/synapse/workspace/key/README.md delete mode 100644 modules/synapse/workspace/key/main.bicep delete mode 100644 modules/synapse/workspace/key/main.json delete mode 100644 modules/synapse/workspace/key/version.json delete 
mode 100644 modules/synapse/workspace/main.bicep delete mode 100644 modules/synapse/workspace/main.json delete mode 100644 modules/synapse/workspace/modules/nested_cmkRbac.bicep delete mode 100644 modules/synapse/workspace/tests/e2e/defaults/dependencies.bicep delete mode 100644 modules/synapse/workspace/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/synapse/workspace/tests/e2e/encrwsai/dependencies.bicep delete mode 100644 modules/synapse/workspace/tests/e2e/encrwsai/main.test.bicep delete mode 100644 modules/synapse/workspace/tests/e2e/encrwuai/dependencies.bicep delete mode 100644 modules/synapse/workspace/tests/e2e/encrwuai/main.test.bicep delete mode 100644 modules/synapse/workspace/tests/e2e/managedvnet/dependencies.bicep delete mode 100644 modules/synapse/workspace/tests/e2e/managedvnet/main.test.bicep delete mode 100644 modules/synapse/workspace/tests/e2e/max/dependencies.bicep delete mode 100644 modules/synapse/workspace/tests/e2e/max/main.test.bicep delete mode 100644 modules/synapse/workspace/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/synapse/workspace/version.json delete mode 100644 modules/virtual-machine-images/image-template/MOVED-TO-AVM.md delete mode 100644 modules/virtual-machine-images/image-template/main.bicep delete mode 100644 modules/virtual-machine-images/image-template/main.json delete mode 100644 modules/virtual-machine-images/image-template/tests/e2e/defaults/dependencies.bicep delete mode 100644 modules/virtual-machine-images/image-template/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/virtual-machine-images/image-template/tests/e2e/max/dependencies.bicep delete mode 100644 modules/virtual-machine-images/image-template/tests/e2e/max/main.test.bicep delete mode 100644 modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 
modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/virtual-machine-images/image-template/version.json delete mode 100644 modules/web/connection/MOVED-TO-AVM.md delete mode 100644 modules/web/connection/main.bicep delete mode 100644 modules/web/connection/main.json delete mode 100644 modules/web/connection/tests/e2e/max/dependencies.bicep delete mode 100644 modules/web/connection/tests/e2e/max/main.test.bicep delete mode 100644 modules/web/connection/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/web/connection/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/web/connection/version.json delete mode 100644 modules/web/hosting-environment/configuration--customdnssuffix/README.md delete mode 100644 modules/web/hosting-environment/configuration--customdnssuffix/main.bicep delete mode 100644 modules/web/hosting-environment/configuration--customdnssuffix/main.json delete mode 100644 modules/web/hosting-environment/configuration--customdnssuffix/version.json delete mode 100644 modules/web/hosting-environment/configuration--networking/README.md delete mode 100644 modules/web/hosting-environment/configuration--networking/main.bicep delete mode 100644 modules/web/hosting-environment/configuration--networking/main.json delete mode 100644 modules/web/hosting-environment/configuration--networking/version.json delete mode 100644 modules/web/hosting-environment/main.bicep delete mode 100644 modules/web/hosting-environment/main.json delete mode 100644 modules/web/hosting-environment/tests/e2e/asev2/dependencies.bicep delete mode 100644 modules/web/hosting-environment/tests/e2e/asev2/main.test.bicep delete mode 100644 modules/web/hosting-environment/tests/e2e/asev3/dependencies.bicep delete mode 100644 modules/web/hosting-environment/tests/e2e/asev3/main.test.bicep delete mode 100644 modules/web/hosting-environment/version.json delete mode 100644 modules/web/serverfarm/MOVED-TO-AVM.md 
delete mode 100644 modules/web/serverfarm/main.bicep delete mode 100644 modules/web/serverfarm/main.json delete mode 100644 modules/web/serverfarm/tests/e2e/max/dependencies.bicep delete mode 100644 modules/web/serverfarm/tests/e2e/max/main.test.bicep delete mode 100644 modules/web/serverfarm/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/web/serverfarm/version.json delete mode 100644 modules/web/site/MOVED-TO-AVM.md delete mode 100644 modules/web/site/basic-publishing-credentials-policy/README.md delete mode 100644 modules/web/site/basic-publishing-credentials-policy/main.bicep delete mode 100644 modules/web/site/basic-publishing-credentials-policy/main.json delete mode 100644 modules/web/site/basic-publishing-credentials-policy/version.json delete mode 100644 modules/web/site/config--appsettings/README.md delete mode 100644 modules/web/site/config--appsettings/main.bicep delete mode 100644 modules/web/site/config--appsettings/main.json delete mode 100644 modules/web/site/config--appsettings/version.json delete mode 100644 modules/web/site/config--authsettingsv2/README.md delete mode 100644 modules/web/site/config--authsettingsv2/main.bicep delete mode 100644 modules/web/site/config--authsettingsv2/main.json delete mode 100644 modules/web/site/config--authsettingsv2/version.json delete mode 100644 modules/web/site/hybrid-connection-namespace/relay/README.md delete mode 100644 modules/web/site/hybrid-connection-namespace/relay/main.bicep delete mode 100644 modules/web/site/hybrid-connection-namespace/relay/main.json delete mode 100644 modules/web/site/hybrid-connection-namespace/relay/version.json delete mode 100644 modules/web/site/main.bicep delete mode 100644 modules/web/site/main.json delete mode 100644 modules/web/site/slot/README.md delete mode 100644 modules/web/site/slot/basic-publishing-credentials-policy/README.md delete mode 100644 
modules/web/site/slot/basic-publishing-credentials-policy/main.bicep delete mode 100644 modules/web/site/slot/basic-publishing-credentials-policy/main.json delete mode 100644 modules/web/site/slot/basic-publishing-credentials-policy/version.json delete mode 100644 modules/web/site/slot/config--appsettings/README.md delete mode 100644 modules/web/site/slot/config--appsettings/main.bicep delete mode 100644 modules/web/site/slot/config--appsettings/main.json delete mode 100644 modules/web/site/slot/config--appsettings/version.json delete mode 100644 modules/web/site/slot/config--authsettingsv2/README.md delete mode 100644 modules/web/site/slot/config--authsettingsv2/main.bicep delete mode 100644 modules/web/site/slot/config--authsettingsv2/main.json delete mode 100644 modules/web/site/slot/config--authsettingsv2/version.json delete mode 100644 modules/web/site/slot/hybrid-connection-namespace/relay/README.md delete mode 100644 modules/web/site/slot/hybrid-connection-namespace/relay/main.bicep delete mode 100644 modules/web/site/slot/hybrid-connection-namespace/relay/main.json delete mode 100644 modules/web/site/slot/hybrid-connection-namespace/relay/version.json delete mode 100644 modules/web/site/slot/main.bicep delete mode 100644 modules/web/site/slot/main.json delete mode 100644 modules/web/site/slot/version.json delete mode 100644 modules/web/site/tests/e2e/functionAppCommon/dependencies.bicep delete mode 100644 modules/web/site/tests/e2e/functionAppCommon/main.test.bicep delete mode 100644 modules/web/site/tests/e2e/functionAppMin/dependencies.bicep delete mode 100644 modules/web/site/tests/e2e/functionAppMin/main.test.bicep delete mode 100644 modules/web/site/tests/e2e/webAppCommon/dependencies.bicep delete mode 100644 modules/web/site/tests/e2e/webAppCommon/main.test.bicep delete mode 100644 modules/web/site/tests/e2e/webAppMin/dependencies.bicep delete mode 100644 modules/web/site/tests/e2e/webAppMin/main.test.bicep delete mode 100644 
modules/web/site/version.json delete mode 100644 modules/web/static-site/MOVED-TO-AVM.md delete mode 100644 modules/web/static-site/config/README.md delete mode 100644 modules/web/static-site/config/main.bicep delete mode 100644 modules/web/static-site/config/main.json delete mode 100644 modules/web/static-site/config/version.json delete mode 100644 modules/web/static-site/custom-domain/README.md delete mode 100644 modules/web/static-site/custom-domain/main.bicep delete mode 100644 modules/web/static-site/custom-domain/main.json delete mode 100644 modules/web/static-site/custom-domain/version.json delete mode 100644 modules/web/static-site/linked-backend/README.md delete mode 100644 modules/web/static-site/linked-backend/main.bicep delete mode 100644 modules/web/static-site/linked-backend/main.json delete mode 100644 modules/web/static-site/linked-backend/version.json delete mode 100644 modules/web/static-site/main.bicep delete mode 100644 modules/web/static-site/main.json delete mode 100644 modules/web/static-site/tests/e2e/defaults/main.test.bicep delete mode 100644 modules/web/static-site/tests/e2e/max/dependencies.bicep delete mode 100644 modules/web/static-site/tests/e2e/max/main.test.bicep delete mode 100644 modules/web/static-site/tests/e2e/waf-aligned/dependencies.bicep delete mode 100644 modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep delete mode 100644 modules/web/static-site/version.json
diff --git a/README.md b/README.md
index f330519609..7393ae6421 100644
--- a/README.md
+++ b/README.md
@@ -1,21 +1,23 @@
-

⚠️ Upcoming breaking changes ⚠️

+

⚠️ CARML - AVM transition ⚠️

-Following the recent release of [`0.11.0`](https://github.com/Azure/ResourceModules/releases/tag/v0.11.0), the upcoming period will focus on implementing the remaining changes required to align CARML's modules to the specifications of [Azure Verified Modules](https://aka.ms/avm) (currently in development). This will enable us to move & publish the modules of the CARML library to the official [Public Bicep Registry](https://github.com/Azure/bicep-registry-modules). You can read more about CARML's future in AVM [here](https://azure.github.io/Azure-Verified-Modules/faq/#what-is-happening-to-existing-initiatives-like-carml-and-tfvm). +**CARML evolved to and has been rebranded as the Bicep version of Azure Verifiefd Modules ([AVM](https://aka.ms/AVM)).** AVM is a straight-line successor of CARML, the next evolutionary step. A lot of CARML’s principles and architecture decisions have formed the basis for AVM. -> You can find details on the status of the migration in this [issue](https://github.com/Azure/ResourceModules/issues/4020). +While this means some minor changes in things such as parameter names or "standard interfaces" (e.g., diagnostic settings, etc.), **you can still use the same modules you're used to and love, as they have been transitioned to AVM as resource or pattern modules.** -Please note that these changes will affect many interfaces (e.g., the diagnostic settings). We intend to keep this period as short as possible, but are limited by our own available capacity. As we want to avoid one 'big bang' migration, we will incrementally align & move modules, and keep a copy in this repository until the move is concluded. For modules that were already published, we will redirect the proposed changes to the `AVM` folder of the new [repository](https://github.com/Azure/bicep-registry-modules). In its final state, this `AVM` folder will contain all modules you can currently find in the `modules` folder of this repository. 
+- You can find the full list of all AVM modules in the [AVM Module Indexes](https://aka.ms/AVM/ModuleIndex).
+- Each module is published in the Public Bicep Registry and their source code can be found in the underlying repository ([BRM](https://aka.ms/BRM))!
-Possible changes include (but are not limited to):
-- An update of the extension resource interfaces (i.e., diagnostic settings, RBAC, etc.)
-- An update of the `README.md` that comes with each module (including an update of the utility itself) to allow for a more detailed parameter description
-- An update to individual folder names
-- The addition of several user defined types (requiring Bicep version `0.21.1`)
+A notice with additional details has been placed in each module. If for any reason, you still need access to the CARML version of the module, you can find it in the CARML repository by following the links in the module's `README.md` file.
-Modules that are already migrated to AVM will contain a file `MOVED-TO-AVM.md` to indicate that further contributions to the module should be done in the Public Bicep Registry's [repository](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res).
-**Therefore, further contributions to those modules will not be integrated in the CARML repository.**
+**Going forward, only the AVM version of the modules will receive updates and new features.**
-Once the move concluded, the library & CI environment is planned to be maintained. However, several changes to the CARML CI environment will become necessary to ensure a low entry barrier when onboarding both (for example, as per the AVM specs we will need to be less restrictive in our tests).
+- Please do not file issues in CARML or work on improving the module in CARML as further contributions to these modules will not be integrated in the CARML repository!
+- To open an AVM module issue, use the [Module Issue](https://aka.ms/BRM/AVMModuleIssue) template in the BRM repository.
+- If you accidentally raise an issue in the wrong place, we will transfer it to its correct home - the AVM Bicep repository ([BRM](https://aka.ms/BRM)).
+
+> NOTE: A few modules have been retired without being moved to AVM as is. In most of these cases, capabilities originally provided by these modules have been implemented differently in AVM - e.g., as part of all AVM modules.
+
+In the upcoming period, **the AVM team will work on ensuring full compatibility of CARML's inner-sourcing solution (CI environment) with AVM**.
 # ![AzureIcon] Common Azure Resource Modules Library
@@ -27,161 +29,161 @@ The CI environment supports both ARM and Bicep and can be leveraged using GitHub
 ## Get started
-* For introduction guidance visit the [Wiki](https://github.com/Azure/ResourceModules/wiki)
-* For guidance on which version of the code to leverage, see [Disclaimer](https://github.com/azure/resourcemodules#Disclaimer)
-* For information on contributing, see [Contribution]()
-* File an issue via [GitHub Issues](https://github.com/Azure/ResourceModules/issues/new/choose)
-* For reference documentation, visit [Enterprise-Scale](https://github.com/azure/enterprise-scale)
-* For an outline of the module features, visit [Module overview](https://github.com/Azure/ResourceModules/wiki/The%20library%20-%20Module%20overview)
+- For introduction guidance visit the [Wiki](https://github.com/Azure/ResourceModules/wiki)
+- For guidance on which version of the code to leverage, see [Disclaimer](https://github.com/azure/resourcemodules#Disclaimer)
+- For information on contributing, see [Contribution]()
+- File an issue via [GitHub Issues](https://github.com/Azure/ResourceModules/issues/new/choose)
+- For reference documentation, visit [Enterprise-Scale](https://github.com/azure/enterprise-scale)
+- For an outline of the module features, visit [Module overview](https://github.com/Azure/ResourceModules/wiki/The%20library%20-%20Module%20overview)
-> **Note:** To ensure the modules and environment work as expected, please ensure you are using the latest version of the used tools such as PowerShell and Bicep. Especially in case of the later, note, that you need to manually update the Bicep CLI. For further information, see our [troubleshooting guide](./The%20CI%20environment%20-%20Troubleshooting).
+> **Note:** To ensure the modules and environment work as expected, please ensure you are using the latest version of the used tools such as PowerShell and Bicep. Especially in case of the latter, note, that you need to manually update the Bicep CLI. For further information, see our [troubleshooting guide](./The%20CI%20environment%20-%20Troubleshooting).
 ## Available Resource Modules
-| Provider namespace | Resource Type | Name | Deploy |
-| - | - | - | - |
-| `Microsoft.AAD` | [domainServices](https://github.com/Azure/ResourceModules/tree/main/modules/aad/domain-service) | [Azure Active Directory Domain Services](https://github.com/Azure/ResourceModules/tree/main/modules/aad/domain-service) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.AnalysisServices` | [servers](https://github.com/Azure/ResourceModules/tree/main/modules/analysis-services/server) | [Analysis Services Servers](https://github.com/Azure/ResourceModules/tree/main/modules/analysis-services/server) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.ApiManagement` | [service](https://github.com/Azure/ResourceModules/tree/main/modules/api-management/service) | [API Management Services](https://github.com/Azure/ResourceModules/tree/main/modules/api-management/service) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.App` | [containerApps](https://github.com/Azure/ResourceModules/tree/main/modules/app/container-app) | [Container Apps](https://github.com/Azure/ResourceModules/tree/main/modules/app/container-app) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [jobs](https://github.com/Azure/ResourceModules/tree/main/modules/app/job) | [Container App Jobs](https://github.com/Azure/ResourceModules/tree/main/modules/app/job) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [managedEnvironments](https://github.com/Azure/ResourceModules/tree/main/modules/app/managed-environment) | [App ManagedEnvironments](https://github.com/Azure/ResourceModules/tree/main/modules/app/managed-environment) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.AppConfiguration` | [configurationStores](https://github.com/Azure/ResourceModules/tree/main/modules/app-configuration/configuration-store) | [App Configuration Stores](https://github.com/Azure/ResourceModules/tree/main/modules/app-configuration/configuration-store) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.Authorization` | [locks](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/lock) | [Authorization Locks (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/lock) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [policyAssignments](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-assignment) | [Policy Assignments (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-assignment) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [policyDefinitions](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-definition) | [Policy Definitions (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-definition) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [policyExemptions](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-exemption) | [Policy Exemptions (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-exemption) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [policySetDefinitions](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-set-definition) | [Policy Set Definitions (Initiatives) (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-set-definition) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [roleAssignments](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/role-assignment) | [Role Assignments (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/role-assignment) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [roleDefinitions](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/role-definition) | [Role Definitions (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/role-definition) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.Automation` | [automationAccounts](https://github.com/Azure/ResourceModules/tree/main/modules/automation/automation-account) | [Automation Accounts](https://github.com/Azure/ResourceModules/tree/main/modules/automation/automation-account) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.Batch` | [batchAccounts](https://github.com/Azure/ResourceModules/tree/main/modules/batch/batch-account) | [Batch Accounts](https://github.com/Azure/ResourceModules/tree/main/modules/batch/batch-account) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.Cache` | [redis](https://github.com/Azure/ResourceModules/tree/main/modules/cache/redis) | [Redis Cache](https://github.com/Azure/ResourceModules/tree/main/modules/cache/redis) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [redisEnterprise](https://github.com/Azure/ResourceModules/tree/main/modules/cache/redis-enterprise) | [Redis Cache Enterprise](https://github.com/Azure/ResourceModules/tree/main/modules/cache/redis-enterprise) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.Cdn` | [profiles](https://github.com/Azure/ResourceModules/tree/main/modules/cdn/profile) | [CDN Profiles](https://github.com/Azure/ResourceModules/tree/main/modules/cdn/profile) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.CognitiveServices` | [accounts](https://github.com/Azure/ResourceModules/tree/main/modules/cognitive-services/account) | [Cognitive Services](https://github.com/Azure/ResourceModules/tree/main/modules/cognitive-services/account) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.Compute` | [availabilitySets](https://github.com/Azure/ResourceModules/tree/main/modules/compute/availability-set) | [Availability Sets](https://github.com/Azure/ResourceModules/tree/main/modules/compute/availability-set) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [disks](https://github.com/Azure/ResourceModules/tree/main/modules/compute/disk) | [Compute Disks](https://github.com/Azure/ResourceModules/tree/main/modules/compute/disk) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [diskEncryptionSets](https://github.com/Azure/ResourceModules/tree/main/modules/compute/disk-encryption-set) | [Disk Encryption Sets](https://github.com/Azure/ResourceModules/tree/main/modules/compute/disk-encryption-set) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [galleries](https://github.com/Azure/ResourceModules/tree/main/modules/compute/gallery) | [Azure Compute Galleries](https://github.com/Azure/ResourceModules/tree/main/modules/compute/gallery) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [images](https://github.com/Azure/ResourceModules/tree/main/modules/compute/image) | [Images](https://github.com/Azure/ResourceModules/tree/main/modules/compute/image) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [proximityPlacementGroups](https://github.com/Azure/ResourceModules/tree/main/modules/compute/proximity-placement-group) | [Proximity Placement Groups](https://github.com/Azure/ResourceModules/tree/main/modules/compute/proximity-placement-group) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [sshPublicKeys](https://github.com/Azure/ResourceModules/tree/main/modules/compute/ssh-public-key) | [Public SSH Keys](https://github.com/Azure/ResourceModules/tree/main/modules/compute/ssh-public-key) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [virtualMachines](https://github.com/Azure/ResourceModules/tree/main/modules/compute/virtual-machine) | [Virtual Machines](https://github.com/Azure/ResourceModules/tree/main/modules/compute/virtual-machine) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [virtualMachineScaleSets](https://github.com/Azure/ResourceModules/tree/main/modules/compute/virtual-machine-scale-set) | [Virtual Machine Scale Sets](https://github.com/Azure/ResourceModules/tree/main/modules/compute/virtual-machine-scale-set) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.Consumption` | [budgets](https://github.com/Azure/ResourceModules/tree/main/modules/consumption/budget) | [Consumption Budgets](https://github.com/Azure/ResourceModules/tree/main/modules/consumption/budget) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.ContainerInstance` | [containerGroups](https://github.com/Azure/ResourceModules/tree/main/modules/container-instance/container-group) | [Container Instances Container Groups](https://github.com/Azure/ResourceModules/tree/main/modules/container-instance/container-group) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.ContainerRegistry` | [registries](https://github.com/Azure/ResourceModules/tree/main/modules/container-registry/registry) | [Azure Container Registries (ACR)](https://github.com/Azure/ResourceModules/tree/main/modules/container-registry/registry) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.ContainerService` | [managedClusters](https://github.com/Azure/ResourceModules/tree/main/modules/container-service/managed-cluster) | [Azure Kubernetes Service (AKS) Managed Clusters](https://github.com/Azure/ResourceModules/tree/main/modules/container-service/managed-cluster) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.DataFactory` | [factories](https://github.com/Azure/ResourceModules/tree/main/modules/data-factory/factory) | [Data Factories](https://github.com/Azure/ResourceModules/tree/main/modules/data-factory/factory) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.DataProtection` | [backupVaults](https://github.com/Azure/ResourceModules/tree/main/modules/data-protection/backup-vault) | [Data Protection Backup Vaults](https://github.com/Azure/ResourceModules/tree/main/modules/data-protection/backup-vault) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.Databricks` | [accessConnectors](https://github.com/Azure/ResourceModules/tree/main/modules/databricks/access-connector) | [Azure Databricks Access Connectors](https://github.com/Azure/ResourceModules/tree/main/modules/databricks/access-connector) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/databricks/workspace) | [Azure Databricks Workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/databricks/workspace) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.DBforMySQL` | [flexibleServers](https://github.com/Azure/ResourceModules/tree/main/modules/db-for-my-sql/flexible-server) | [DBforMySQL Flexible Servers](https://github.com/Azure/ResourceModules/tree/main/modules/db-for-my-sql/flexible-server) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.DBforPostgreSQL` | [flexibleServers](https://github.com/Azure/ResourceModules/tree/main/modules/db-for-postgre-sql/flexible-server) | [DBforPostgreSQL Flexible Servers](https://github.com/Azure/ResourceModules/tree/main/modules/db-for-postgre-sql/flexible-server) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.DesktopVirtualization` | [applicationGroups](https://github.com/Azure/ResourceModules/tree/main/modules/desktop-virtualization/application-group) | [Azure Virtual Desktop (AVD) Application Groups](https://github.com/Azure/ResourceModules/tree/main/modules/desktop-virtualization/application-group) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [hostPools](https://github.com/Azure/ResourceModules/tree/main/modules/desktop-virtualization/host-pool) | [Azure Virtual Desktop (AVD) Host Pools](https://github.com/Azure/ResourceModules/tree/main/modules/desktop-virtualization/host-pool) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [scalingPlans](https://github.com/Azure/ResourceModules/tree/main/modules/desktop-virtualization/scaling-plan) | [Azure Virtual Desktop (AVD) Scaling Plans](https://github.com/Azure/ResourceModules/tree/main/modules/desktop-virtualization/scaling-plan) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/desktop-virtualization/workspace) | [Azure Virtual Desktop (AVD) Workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/desktop-virtualization/workspace) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.DevTestLab` | [labs](https://github.com/Azure/ResourceModules/tree/main/modules/dev-test-lab/lab) | [DevTest Labs](https://github.com/Azure/ResourceModules/tree/main/modules/dev-test-lab/lab) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.DigitalTwins` | [digitalTwinsInstances](https://github.com/Azure/ResourceModules/tree/main/modules/digital-twins/digital-twins-instance) | [Digital Twins Instances](https://github.com/Azure/ResourceModules/tree/main/modules/digital-twins/digital-twins-instance) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.DocumentDB` | [databaseAccounts](https://github.com/Azure/ResourceModules/tree/main/modules/document-db/database-account) | [DocumentDB Database Accounts](https://github.com/Azure/ResourceModules/tree/main/modules/document-db/database-account) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.EventGrid` | [domains](https://github.com/Azure/ResourceModules/tree/main/modules/event-grid/domain) | [Event Grid Domains](https://github.com/Azure/ResourceModules/tree/main/modules/event-grid/domain) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [systemTopics](https://github.com/Azure/ResourceModules/tree/main/modules/event-grid/system-topic) | [Event Grid System Topics](https://github.com/Azure/ResourceModules/tree/main/modules/event-grid/system-topic) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [topics](https://github.com/Azure/ResourceModules/tree/main/modules/event-grid/topic) | [Event Grid Topics](https://github.com/Azure/ResourceModules/tree/main/modules/event-grid/topic) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.EventHub` | [namespaces](https://github.com/Azure/ResourceModules/tree/main/modules/event-hub/namespace) | [Event Hub Namespaces](https://github.com/Azure/ResourceModules/tree/main/modules/event-hub/namespace) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.HealthBot` | [healthBots](https://github.com/Azure/ResourceModules/tree/main/modules/health-bot/health-bot) | [Azure Health Bots](https://github.com/Azure/ResourceModules/tree/main/modules/health-bot/health-bot) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.HealthcareApis` | [workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/healthcare-apis/workspace) | [Healthcare API Workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/healthcare-apis/workspace) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `microsoft.insights` | [actionGroups](https://github.com/Azure/ResourceModules/tree/main/modules/insights/action-group) | [Action Groups](https://github.com/Azure/ResourceModules/tree/main/modules/insights/action-group) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [activityLogAlerts](https://github.com/Azure/ResourceModules/tree/main/modules/insights/activity-log-alert) | [Activity Log Alerts](https://github.com/Azure/ResourceModules/tree/main/modules/insights/activity-log-alert) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [components](https://github.com/Azure/ResourceModules/tree/main/modules/insights/component) | [Application Insights](https://github.com/Azure/ResourceModules/tree/main/modules/insights/component) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [dataCollectionEndpoints](https://github.com/Azure/ResourceModules/tree/main/modules/insights/data-collection-endpoint) | [Data Collection Endpoints](https://github.com/Azure/ResourceModules/tree/main/modules/insights/data-collection-endpoint) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [dataCollectionRules](https://github.com/Azure/ResourceModules/tree/main/modules/insights/data-collection-rule) | [Data Collection Rules](https://github.com/Azure/ResourceModules/tree/main/modules/insights/data-collection-rule) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [diagnosticSettings](https://github.com/Azure/ResourceModules/tree/main/modules/insights/diagnostic-setting) | [Diagnostic Settings (Activity Logs) for Azure Subscriptions](https://github.com/Azure/ResourceModules/tree/main/modules/insights/diagnostic-setting) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [metricAlerts](https://github.com/Azure/ResourceModules/tree/main/modules/insights/metric-alert) | [Metric Alerts](https://github.com/Azure/ResourceModules/tree/main/modules/insights/metric-alert) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [privateLinkScopes](https://github.com/Azure/ResourceModules/tree/main/modules/insights/private-link-scope) | [Azure Monitor Private Link Scopes](https://github.com/Azure/ResourceModules/tree/main/modules/insights/private-link-scope) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [scheduledQueryRules](https://github.com/Azure/ResourceModules/tree/main/modules/insights/scheduled-query-rule) | [Scheduled Query Rules](https://github.com/Azure/ResourceModules/tree/main/modules/insights/scheduled-query-rule) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [webtests](https://github.com/Azure/ResourceModules/tree/main/modules/insights/webtest) | [Web Tests](https://github.com/Azure/ResourceModules/tree/main/modules/insights/webtest) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.KeyVault` | [vaults](https://github.com/Azure/ResourceModules/tree/main/modules/key-vault/vault) | [Key Vaults](https://github.com/Azure/ResourceModules/tree/main/modules/key-vault/vault) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.KubernetesConfiguration` | [extensions](https://github.com/Azure/ResourceModules/tree/main/modules/kubernetes-configuration/extension) | [Kubernetes Configuration Extensions](https://github.com/Azure/ResourceModules/tree/main/modules/kubernetes-configuration/extension) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [fluxConfigurations](https://github.com/Azure/ResourceModules/tree/main/modules/kubernetes-configuration/flux-configuration) | [Kubernetes Configuration Flux Configurations](https://github.com/Azure/ResourceModules/tree/main/modules/kubernetes-configuration/flux-configuration) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.Logic` | [workflows](https://github.com/Azure/ResourceModules/tree/main/modules/logic/workflow) | [Logic Apps (Workflows)](https://github.com/Azure/ResourceModules/tree/main/modules/logic/workflow) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.MachineLearningServices` | [workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/machine-learning-services/workspace) | [Machine Learning Services Workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/machine-learning-services/workspace) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.Maintenance` | [maintenanceConfigurations](https://github.com/Azure/ResourceModules/tree/main/modules/maintenance/maintenance-configuration) | [Maintenance Configurations](https://github.com/Azure/ResourceModules/tree/main/modules/maintenance/maintenance-configuration) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.ManagedIdentity` | [userAssignedIdentities](https://github.com/Azure/ResourceModules/tree/main/modules/managed-identity/user-assigned-identity) | [User Assigned Identities](https://github.com/Azure/ResourceModules/tree/main/modules/managed-identity/user-assigned-identity) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.ManagedServices` | [registrationDefinitions](https://github.com/Azure/ResourceModules/tree/main/modules/managed-services/registration-definition) | [Registration Definitions](https://github.com/Azure/ResourceModules/tree/main/modules/managed-services/registration-definition) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.Management` | [managementGroups](https://github.com/Azure/ResourceModules/tree/main/modules/management/management-group) | [Management Groups](https://github.com/Azure/ResourceModules/tree/main/modules/management/management-group) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.NetApp` | [netAppAccounts](https://github.com/Azure/ResourceModules/tree/main/modules/net-app/net-app-account) | [Azure NetApp Files](https://github.com/Azure/ResourceModules/tree/main/modules/net-app/net-app-account) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.Network` | [applicationGateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/application-gateway) | [Network Application Gateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/application-gateway) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [ApplicationGatewayWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/tree/main/modules/network/application-gateway-web-application-firewall-policy) | [Application Gateway Web Application Firewall (WAF) Policies](https://github.com/Azure/ResourceModules/tree/main/modules/network/application-gateway-web-application-firewall-policy) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [applicationSecurityGroups](https://github.com/Azure/ResourceModules/tree/main/modules/network/application-security-group) | [Application Security Groups (ASG)](https://github.com/Azure/ResourceModules/tree/main/modules/network/application-security-group) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [azureFirewalls](https://github.com/Azure/ResourceModules/tree/main/modules/network/azure-firewall) | [Azure Firewalls](https://github.com/Azure/ResourceModules/tree/main/modules/network/azure-firewall) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [bastionHosts](https://github.com/Azure/ResourceModules/tree/main/modules/network/bastion-host) | [Bastion Hosts](https://github.com/Azure/ResourceModules/tree/main/modules/network/bastion-host) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [connections](https://github.com/Azure/ResourceModules/tree/main/modules/network/connection) | [Virtual Network Gateway Connections](https://github.com/Azure/ResourceModules/tree/main/modules/network/connection) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [ddosProtectionPlans](https://github.com/Azure/ResourceModules/tree/main/modules/network/ddos-protection-plan) | [DDoS Protection Plans](https://github.com/Azure/ResourceModules/tree/main/modules/network/ddos-protection-plan) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [dnsForwardingRulesets](https://github.com/Azure/ResourceModules/tree/main/modules/network/dns-forwarding-ruleset) | [Dns Forwarding Rulesets](https://github.com/Azure/ResourceModules/tree/main/modules/network/dns-forwarding-ruleset) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [dnsResolvers](https://github.com/Azure/ResourceModules/tree/main/modules/network/dns-resolver) | [DNS Resolvers](https://github.com/Azure/ResourceModules/tree/main/modules/network/dns-resolver) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [dnsZones](https://github.com/Azure/ResourceModules/tree/main/modules/network/dns-zone) | [Public DNS Zones](https://github.com/Azure/ResourceModules/tree/main/modules/network/dns-zone) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [expressRouteCircuits](https://github.com/Azure/ResourceModules/tree/main/modules/network/express-route-circuit) | [ExpressRoute Circuits](https://github.com/Azure/ResourceModules/tree/main/modules/network/express-route-circuit) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [expressRouteGateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/express-route-gateway) | [Express Route Gateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/express-route-gateway) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [firewallPolicies](https://github.com/Azure/ResourceModules/tree/main/modules/network/firewall-policy) | [Firewall Policies](https://github.com/Azure/ResourceModules/tree/main/modules/network/firewall-policy) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [frontDoors](https://github.com/Azure/ResourceModules/tree/main/modules/network/front-door) | [Azure Front Doors](https://github.com/Azure/ResourceModules/tree/main/modules/network/front-door) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [FrontDoorWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/tree/main/modules/network/front-door-web-application-firewall-policy) | [Front Door Web Application Firewall (WAF) Policies](https://github.com/Azure/ResourceModules/tree/main/modules/network/front-door-web-application-firewall-policy) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [ipGroups](https://github.com/Azure/ResourceModules/tree/main/modules/network/ip-group) | [IP Groups](https://github.com/Azure/ResourceModules/tree/main/modules/network/ip-group) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [loadBalancers](https://github.com/Azure/ResourceModules/tree/main/modules/network/load-balancer) | [Load Balancers](https://github.com/Azure/ResourceModules/tree/main/modules/network/load-balancer) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [localNetworkGateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/local-network-gateway) | [Local Network Gateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/local-network-gateway) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [natGateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/nat-gateway) | [NAT Gateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/nat-gateway) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [networkInterfaces](https://github.com/Azure/ResourceModules/tree/main/modules/network/network-interface) | [Network Interface](https://github.com/Azure/ResourceModules/tree/main/modules/network/network-interface) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [networkManagers](https://github.com/Azure/ResourceModules/tree/main/modules/network/network-manager) | [Network Managers](https://github.com/Azure/ResourceModules/tree/main/modules/network/network-manager) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [networkSecurityGroups](https://github.com/Azure/ResourceModules/tree/main/modules/network/network-security-group) | [Network Security Groups](https://github.com/Azure/ResourceModules/tree/main/modules/network/network-security-group) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [networkWatchers](https://github.com/Azure/ResourceModules/tree/main/modules/network/network-watcher) | [Network Watchers](https://github.com/Azure/ResourceModules/tree/main/modules/network/network-watcher) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [privateDnsZones](https://github.com/Azure/ResourceModules/tree/main/modules/network/private-dns-zone) | [Private DNS Zones](https://github.com/Azure/ResourceModules/tree/main/modules/network/private-dns-zone) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [privateEndpoints](https://github.com/Azure/ResourceModules/tree/main/modules/network/private-endpoint) | [Private Endpoints](https://github.com/Azure/ResourceModules/tree/main/modules/network/private-endpoint) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [privateLinkServices](https://github.com/Azure/ResourceModules/tree/main/modules/network/private-link-service) | [Private Link Services](https://github.com/Azure/ResourceModules/tree/main/modules/network/private-link-service) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [publicIPAddresses](https://github.com/Azure/ResourceModules/tree/main/modules/network/public-ip-address) | [Public IP Addresses](https://github.com/Azure/ResourceModules/tree/main/modules/network/public-ip-address) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [publicIPPrefixes](https://github.com/Azure/ResourceModules/tree/main/modules/network/public-ip-prefix) | [Public IP Prefixes](https://github.com/Azure/ResourceModules/tree/main/modules/network/public-ip-prefix) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [routeTables](https://github.com/Azure/ResourceModules/tree/main/modules/network/route-table) | [Route Tables](https://github.com/Azure/ResourceModules/tree/main/modules/network/route-table) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [serviceEndpointPolicies](https://github.com/Azure/ResourceModules/tree/main/modules/network/service-endpoint-policy) | [Service Endpoint Policies](https://github.com/Azure/ResourceModules/tree/main/modules/network/service-endpoint-policy) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [trafficmanagerprofiles](https://github.com/Azure/ResourceModules/tree/main/modules/network/trafficmanagerprofile) | [Traffic Manager Profiles](https://github.com/Azure/ResourceModules/tree/main/modules/network/trafficmanagerprofile) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [virtualHubs](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-hub) | [Virtual Hubs](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-hub) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [virtualNetworks](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-network) | [Virtual Networks](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-network) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [virtualNetworkGateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-network-gateway) | [Virtual Network Gateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-network-gateway) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [virtualWans](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-wan) | [Virtual WANs](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-wan) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [vpnGateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/vpn-gateway) | [VPN Gateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/vpn-gateway) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| | [vpnSites](https://github.com/Azure/ResourceModules/tree/main/modules/network/vpn-site) | [VPN Sites](https://github.com/Azure/ResourceModules/tree/main/modules/network/vpn-site) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.OperationalInsights` | [workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/operational-insights/workspace) | [Log Analytics Workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/operational-insights/workspace) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.OperationsManagement` | [solutions](https://github.com/Azure/ResourceModules/tree/main/modules/operations-management/solution) | [Operations Management Solutions](https://github.com/Azure/ResourceModules/tree/main/modules/operations-management/solution) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.PolicyInsights` | [remediations](https://github.com/Azure/ResourceModules/tree/main/modules/policy-insights/remediation) | [Policy Insights Remediations](https://github.com/Azure/ResourceModules/tree/main/modules/policy-insights/remediation) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.PowerBIDedicated` | [capacities](https://github.com/Azure/ResourceModules/tree/main/modules/power-bi-dedicated/capacity) | [Power BI Dedicated Capacities](https://github.com/Azure/ResourceModules/tree/main/modules/power-bi-dedicated/capacity) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.Purview` | [accounts](https://github.com/Azure/ResourceModules/tree/main/modules/purview/account) | [Purview Accounts](https://github.com/Azure/ResourceModules/tree/main/modules/purview/account) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.RecoveryServices` | [vaults](https://github.com/Azure/ResourceModules/tree/main/modules/recovery-services/vault) | [Recovery Services Vaults](https://github.com/Azure/ResourceModules/tree/main/modules/recovery-services/vault) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| 
`Microsoft.Relay` | [namespaces](https://github.com/Azure/ResourceModules/tree/main/modules/relay/namespace) | [Relay Namespaces](https://github.com/Azure/ResourceModules/tree/main/modules/relay/namespace) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| `Microsoft.ResourceGraph` | [queries](https://github.com/Azure/ResourceModules/tree/main/modules/resource-graph/query) | [Resource Graph Queries](https://github.com/Azure/ResourceModules/tree/main/modules/resource-graph/query) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| `Microsoft.Resources` | [deploymentScripts](https://github.com/Azure/ResourceModules/tree/main/modules/resources/deployment-script) | [Deployment Scripts](https://github.com/Azure/ResourceModules/tree/main/modules/resources/deployment-script) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| | [resourceGroups](https://github.com/Azure/ResourceModules/tree/main/modules/resources/resource-group) | [Resource Groups](https://github.com/Azure/ResourceModules/tree/main/modules/resources/resource-group) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| | [tags](https://github.com/Azure/ResourceModules/tree/main/modules/resources/tags) | [Resources Tags](https://github.com/Azure/ResourceModules/tree/main/modules/resources/tags) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| `Microsoft.Search` | [searchServices](https://github.com/Azure/ResourceModules/tree/main/modules/search/search-service) | [Search Services](https://github.com/Azure/ResourceModules/tree/main/modules/search/search-service) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| `Microsoft.Security` | [azuresecuritycenter](https://github.com/Azure/ResourceModules/tree/main/modules/security/azure-security-center) | [Azure Security Center (Defender for 
Cloud)](https://github.com/Azure/ResourceModules/tree/main/modules/security/azure-security-center) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| `Microsoft.ServiceBus` | [namespaces](https://github.com/Azure/ResourceModules/tree/main/modules/service-bus/namespace) | [Service Bus Namespaces](https://github.com/Azure/ResourceModules/tree/main/modules/service-bus/namespace) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| `Microsoft.ServiceFabric` | [clusters](https://github.com/Azure/ResourceModules/tree/main/modules/service-fabric/cluster) | [Service Fabric Clusters](https://github.com/Azure/ResourceModules/tree/main/modules/service-fabric/cluster) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| `Microsoft.SignalRService` | [signalR](https://github.com/Azure/ResourceModules/tree/main/modules/signal-r-service/signal-r) | [SignalR Service SignalR](https://github.com/Azure/ResourceModules/tree/main/modules/signal-r-service/signal-r) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| | [webPubSub](https://github.com/Azure/ResourceModules/tree/main/modules/signal-r-service/web-pub-sub) | [SignalR Web PubSub Services](https://github.com/Azure/ResourceModules/tree/main/modules/signal-r-service/web-pub-sub) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| `Microsoft.Sql` | [managedInstances](https://github.com/Azure/ResourceModules/tree/main/modules/sql/managed-instance) | [SQL Managed Instances](https://github.com/Azure/ResourceModules/tree/main/modules/sql/managed-instance) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| | [servers](https://github.com/Azure/ResourceModules/tree/main/modules/sql/server) | [Azure SQL Servers](https://github.com/Azure/ResourceModules/tree/main/modules/sql/server) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| `Microsoft.Storage` | 
[storageAccounts](https://github.com/Azure/ResourceModules/tree/main/modules/storage/storage-account) | [Storage Accounts](https://github.com/Azure/ResourceModules/tree/main/modules/storage/storage-account) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| `Microsoft.Synapse` | [privateLinkHubs](https://github.com/Azure/ResourceModules/tree/main/modules/synapse/private-link-hub) | [Azure Synapse Analytics](https://github.com/Azure/ResourceModules/tree/main/modules/synapse/private-link-hub) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| | [workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/synapse/workspace) | [Synapse Workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/synapse/workspace) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| `Microsoft.VirtualMachineImages` | [imageTemplates](https://github.com/Azure/ResourceModules/tree/main/modules/virtual-machine-images/image-template) | [Virtual Machine Image Templates](https://github.com/Azure/ResourceModules/tree/main/modules/virtual-machine-images/image-template) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| `Microsoft.Web` | [connections](https://github.com/Azure/ResourceModules/tree/main/modules/web/connection) | [API Connections](https://github.com/Azure/ResourceModules/tree/main/modules/web/connection) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| | [hostingEnvironments](https://github.com/Azure/ResourceModules/tree/main/modules/web/hosting-environment) | [App Service Environments](https://github.com/Azure/ResourceModules/tree/main/modules/web/hosting-environment) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| | [serverfarms](https://github.com/Azure/ResourceModules/tree/main/modules/web/serverfarm) | [App Service Plans](https://github.com/Azure/ResourceModules/tree/main/modules/web/serverfarm) | [![Deploy to 
Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| | [sites](https://github.com/Azure/ResourceModules/tree/main/modules/web/site) | [Web/Function Apps](https://github.com/Azure/ResourceModules/tree/main/modules/web/site) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| | [staticSites](https://github.com/Azure/ResourceModules/tree/main/modules/web/static-site) | [Static Web Apps](https://github.com/Azure/ResourceModules/tree/main/modules/web/static-site) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | +| Provider namespace | Resource Type | Name | +|-------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `Microsoft.AAD` | [domainServices](https://github.com/Azure/ResourceModules/tree/main/modules/aad/domain-service) | [Azure Active Directory Domain Services](https://github.com/Azure/ResourceModules/tree/main/modules/aad/domain-service) | +| `Microsoft.AnalysisServices` | [servers](https://github.com/Azure/ResourceModules/tree/main/modules/analysis-services/server) | [Analysis Services Servers](https://github.com/Azure/ResourceModules/tree/main/modules/analysis-services/server) | +| `Microsoft.ApiManagement` | [service](https://github.com/Azure/ResourceModules/tree/main/modules/api-management/service) | [API Management Services](https://github.com/Azure/ResourceModules/tree/main/modules/api-management/service) | +| `Microsoft.App` | [containerApps](https://github.com/Azure/ResourceModules/tree/main/modules/app/container-app) | [Container Apps](https://github.com/Azure/ResourceModules/tree/main/modules/app/container-app) | +| | 
[jobs](https://github.com/Azure/ResourceModules/tree/main/modules/app/job) | [Container App Jobs](https://github.com/Azure/ResourceModules/tree/main/modules/app/job) | +| | [managedEnvironments](https://github.com/Azure/ResourceModules/tree/main/modules/app/managed-environment) | [App ManagedEnvironments](https://github.com/Azure/ResourceModules/tree/main/modules/app/managed-environment) | +| `Microsoft.AppConfiguration` | [configurationStores](https://github.com/Azure/ResourceModules/tree/main/modules/app-configuration/configuration-store) | [App Configuration Stores](https://github.com/Azure/ResourceModules/tree/main/modules/app-configuration/configuration-store) | +| `Microsoft.Authorization` | [locks](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/lock) | [Authorization Locks (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/lock) | +| | [policyAssignments](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-assignment) | [Policy Assignments (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-assignment) | +| | [policyDefinitions](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-definition) | [Policy Definitions (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-definition) | +| | [policyExemptions](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-exemption) | [Policy Exemptions (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-exemption) | +| | [policySetDefinitions](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-set-definition) | [Policy Set Definitions (Initiatives) (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-set-definition) | +| | 
[roleAssignments](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/role-assignment) | [Role Assignments (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/role-assignment) | +| | [roleDefinitions](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/role-definition) | [Role Definitions (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/role-definition) | +| `Microsoft.Automation` | [automationAccounts](https://github.com/Azure/ResourceModules/tree/main/modules/automation/automation-account) | [Automation Accounts](https://github.com/Azure/ResourceModules/tree/main/modules/automation/automation-account) | +| `Microsoft.Batch` | [batchAccounts](https://github.com/Azure/ResourceModules/tree/main/modules/batch/batch-account) | [Batch Accounts](https://github.com/Azure/ResourceModules/tree/main/modules/batch/batch-account) | +| `Microsoft.Cache` | [redis](https://github.com/Azure/ResourceModules/tree/main/modules/cache/redis) | [Redis Cache](https://github.com/Azure/ResourceModules/tree/main/modules/cache/redis) | +| | [redisEnterprise](https://github.com/Azure/ResourceModules/tree/main/modules/cache/redis-enterprise) | [Redis Cache Enterprise](https://github.com/Azure/ResourceModules/tree/main/modules/cache/redis-enterprise) | +| `Microsoft.Cdn` | [profiles](https://github.com/Azure/ResourceModules/tree/main/modules/cdn/profile) | [CDN Profiles](https://github.com/Azure/ResourceModules/tree/main/modules/cdn/profile) | +| `Microsoft.CognitiveServices` | [accounts](https://github.com/Azure/ResourceModules/tree/main/modules/cognitive-services/account) | [Cognitive Services](https://github.com/Azure/ResourceModules/tree/main/modules/cognitive-services/account) | +| `Microsoft.Compute` | [availabilitySets](https://github.com/Azure/ResourceModules/tree/main/modules/compute/availability-set) | [Availability 
Sets](https://github.com/Azure/ResourceModules/tree/main/modules/compute/availability-set) | +| | [disks](https://github.com/Azure/ResourceModules/tree/main/modules/compute/disk) | [Compute Disks](https://github.com/Azure/ResourceModules/tree/main/modules/compute/disk) | +| | [diskEncryptionSets](https://github.com/Azure/ResourceModules/tree/main/modules/compute/disk-encryption-set) | [Disk Encryption Sets](https://github.com/Azure/ResourceModules/tree/main/modules/compute/disk-encryption-set) | +| | [galleries](https://github.com/Azure/ResourceModules/tree/main/modules/compute/gallery) | [Azure Compute Galleries](https://github.com/Azure/ResourceModules/tree/main/modules/compute/gallery) | +| | [images](https://github.com/Azure/ResourceModules/tree/main/modules/compute/image) | [Images](https://github.com/Azure/ResourceModules/tree/main/modules/compute/image) | +| | [proximityPlacementGroups](https://github.com/Azure/ResourceModules/tree/main/modules/compute/proximity-placement-group) | [Proximity Placement Groups](https://github.com/Azure/ResourceModules/tree/main/modules/compute/proximity-placement-group) | +| | [sshPublicKeys](https://github.com/Azure/ResourceModules/tree/main/modules/compute/ssh-public-key) | [Public SSH Keys](https://github.com/Azure/ResourceModules/tree/main/modules/compute/ssh-public-key) | +| | [virtualMachines](https://github.com/Azure/ResourceModules/tree/main/modules/compute/virtual-machine) | [Virtual Machines](https://github.com/Azure/ResourceModules/tree/main/modules/compute/virtual-machine) | +| | [virtualMachineScaleSets](https://github.com/Azure/ResourceModules/tree/main/modules/compute/virtual-machine-scale-set) | [Virtual Machine Scale Sets](https://github.com/Azure/ResourceModules/tree/main/modules/compute/virtual-machine-scale-set) | +| `Microsoft.Consumption` | [budgets](https://github.com/Azure/ResourceModules/tree/main/modules/consumption/budget) | [Consumption 
Budgets](https://github.com/Azure/ResourceModules/tree/main/modules/consumption/budget) | +| `Microsoft.ContainerInstance` | [containerGroups](https://github.com/Azure/ResourceModules/tree/main/modules/container-instance/container-group) | [Container Instances Container Groups](https://github.com/Azure/ResourceModules/tree/main/modules/container-instance/container-group) | +| `Microsoft.ContainerRegistry` | [registries](https://github.com/Azure/ResourceModules/tree/main/modules/container-registry/registry) | [Azure Container Registries (ACR)](https://github.com/Azure/ResourceModules/tree/main/modules/container-registry/registry) | +| `Microsoft.ContainerService` | [managedClusters](https://github.com/Azure/ResourceModules/tree/main/modules/container-service/managed-cluster) | [Azure Kubernetes Service (AKS) Managed Clusters](https://github.com/Azure/ResourceModules/tree/main/modules/container-service/managed-cluster) | +| `Microsoft.DataFactory` | [factories](https://github.com/Azure/ResourceModules/tree/main/modules/data-factory/factory) | [Data Factories](https://github.com/Azure/ResourceModules/tree/main/modules/data-factory/factory) | +| `Microsoft.DataProtection` | [backupVaults](https://github.com/Azure/ResourceModules/tree/main/modules/data-protection/backup-vault) | [Data Protection Backup Vaults](https://github.com/Azure/ResourceModules/tree/main/modules/data-protection/backup-vault) | +| `Microsoft.Databricks` | [accessConnectors](https://github.com/Azure/ResourceModules/tree/main/modules/databricks/access-connector) | [Azure Databricks Access Connectors](https://github.com/Azure/ResourceModules/tree/main/modules/databricks/access-connector) | +| | [workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/databricks/workspace) | [Azure Databricks Workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/databricks/workspace) | +| `Microsoft.DBforMySQL` | 
[flexibleServers](https://github.com/Azure/ResourceModules/tree/main/modules/db-for-my-sql/flexible-server) | [DBforMySQL Flexible Servers](https://github.com/Azure/ResourceModules/tree/main/modules/db-for-my-sql/flexible-server) | +| `Microsoft.DBforPostgreSQL` | [flexibleServers](https://github.com/Azure/ResourceModules/tree/main/modules/db-for-postgre-sql/flexible-server) | [DBforPostgreSQL Flexible Servers](https://github.com/Azure/ResourceModules/tree/main/modules/db-for-postgre-sql/flexible-server) | +| `Microsoft.DesktopVirtualization` | [applicationGroups](https://github.com/Azure/ResourceModules/tree/main/modules/desktop-virtualization/application-group) | [Azure Virtual Desktop (AVD) Application Groups](https://github.com/Azure/ResourceModules/tree/main/modules/desktop-virtualization/application-group) | +| | [hostPools](https://github.com/Azure/ResourceModules/tree/main/modules/desktop-virtualization/host-pool) | [Azure Virtual Desktop (AVD) Host Pools](https://github.com/Azure/ResourceModules/tree/main/modules/desktop-virtualization/host-pool) | +| | [scalingPlans](https://github.com/Azure/ResourceModules/tree/main/modules/desktop-virtualization/scaling-plan) | [Azure Virtual Desktop (AVD) Scaling Plans](https://github.com/Azure/ResourceModules/tree/main/modules/desktop-virtualization/scaling-plan) | +| | [workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/desktop-virtualization/workspace) | [Azure Virtual Desktop (AVD) Workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/desktop-virtualization/workspace) | +| `Microsoft.DevTestLab` | [labs](https://github.com/Azure/ResourceModules/tree/main/modules/dev-test-lab/lab) | [DevTest Labs](https://github.com/Azure/ResourceModules/tree/main/modules/dev-test-lab/lab) | +| `Microsoft.DigitalTwins` | [digitalTwinsInstances](https://github.com/Azure/ResourceModules/tree/main/modules/digital-twins/digital-twins-instance) | [Digital Twins 
Instances](https://github.com/Azure/ResourceModules/tree/main/modules/digital-twins/digital-twins-instance) | +| `Microsoft.DocumentDB` | [databaseAccounts](https://github.com/Azure/ResourceModules/tree/main/modules/document-db/database-account) | [DocumentDB Database Accounts](https://github.com/Azure/ResourceModules/tree/main/modules/document-db/database-account) | +| `Microsoft.EventGrid` | [domains](https://github.com/Azure/ResourceModules/tree/main/modules/event-grid/domain) | [Event Grid Domains](https://github.com/Azure/ResourceModules/tree/main/modules/event-grid/domain) | +| | [systemTopics](https://github.com/Azure/ResourceModules/tree/main/modules/event-grid/system-topic) | [Event Grid System Topics](https://github.com/Azure/ResourceModules/tree/main/modules/event-grid/system-topic) | +| | [topics](https://github.com/Azure/ResourceModules/tree/main/modules/event-grid/topic) | [Event Grid Topics](https://github.com/Azure/ResourceModules/tree/main/modules/event-grid/topic) | +| `Microsoft.EventHub` | [namespaces](https://github.com/Azure/ResourceModules/tree/main/modules/event-hub/namespace) | [Event Hub Namespaces](https://github.com/Azure/ResourceModules/tree/main/modules/event-hub/namespace) | +| `Microsoft.HealthBot` | [healthBots](https://github.com/Azure/ResourceModules/tree/main/modules/health-bot/health-bot) | [Azure Health Bots](https://github.com/Azure/ResourceModules/tree/main/modules/health-bot/health-bot) | +| `Microsoft.HealthcareApis` | [workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/healthcare-apis/workspace) | [Healthcare API Workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/healthcare-apis/workspace) | +| `microsoft.insights` | [actionGroups](https://github.com/Azure/ResourceModules/tree/main/modules/insights/action-group) | [Action Groups](https://github.com/Azure/ResourceModules/tree/main/modules/insights/action-group) | +| | 
[activityLogAlerts](https://github.com/Azure/ResourceModules/tree/main/modules/insights/activity-log-alert) | [Activity Log Alerts](https://github.com/Azure/ResourceModules/tree/main/modules/insights/activity-log-alert) | +| | [components](https://github.com/Azure/ResourceModules/tree/main/modules/insights/component) | [Application Insights](https://github.com/Azure/ResourceModules/tree/main/modules/insights/component) | +| | [dataCollectionEndpoints](https://github.com/Azure/ResourceModules/tree/main/modules/insights/data-collection-endpoint) | [Data Collection Endpoints](https://github.com/Azure/ResourceModules/tree/main/modules/insights/data-collection-endpoint) | +| | [dataCollectionRules](https://github.com/Azure/ResourceModules/tree/main/modules/insights/data-collection-rule) | [Data Collection Rules](https://github.com/Azure/ResourceModules/tree/main/modules/insights/data-collection-rule) | +| | [diagnosticSettings](https://github.com/Azure/ResourceModules/tree/main/modules/insights/diagnostic-setting) | [Diagnostic Settings (Activity Logs) for Azure Subscriptions](https://github.com/Azure/ResourceModules/tree/main/modules/insights/diagnostic-setting) | +| | [metricAlerts](https://github.com/Azure/ResourceModules/tree/main/modules/insights/metric-alert) | [Metric Alerts](https://github.com/Azure/ResourceModules/tree/main/modules/insights/metric-alert) | +| | [privateLinkScopes](https://github.com/Azure/ResourceModules/tree/main/modules/insights/private-link-scope) | [Azure Monitor Private Link Scopes](https://github.com/Azure/ResourceModules/tree/main/modules/insights/private-link-scope) | +| | [scheduledQueryRules](https://github.com/Azure/ResourceModules/tree/main/modules/insights/scheduled-query-rule) | [Scheduled Query Rules](https://github.com/Azure/ResourceModules/tree/main/modules/insights/scheduled-query-rule) | +| | [webtests](https://github.com/Azure/ResourceModules/tree/main/modules/insights/webtest) | [Web 
Tests](https://github.com/Azure/ResourceModules/tree/main/modules/insights/webtest) | +| `Microsoft.KeyVault` | [vaults](https://github.com/Azure/ResourceModules/tree/main/modules/key-vault/vault) | [Key Vaults](https://github.com/Azure/ResourceModules/tree/main/modules/key-vault/vault) | +| `Microsoft.KubernetesConfiguration` | [extensions](https://github.com/Azure/ResourceModules/tree/main/modules/kubernetes-configuration/extension) | [Kubernetes Configuration Extensions](https://github.com/Azure/ResourceModules/tree/main/modules/kubernetes-configuration/extension) | +| | [fluxConfigurations](https://github.com/Azure/ResourceModules/tree/main/modules/kubernetes-configuration/flux-configuration) | [Kubernetes Configuration Flux Configurations](https://github.com/Azure/ResourceModules/tree/main/modules/kubernetes-configuration/flux-configuration) | +| `Microsoft.Logic` | [workflows](https://github.com/Azure/ResourceModules/tree/main/modules/logic/workflow) | [Logic Apps (Workflows)](https://github.com/Azure/ResourceModules/tree/main/modules/logic/workflow) | +| `Microsoft.MachineLearningServices` | [workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/machine-learning-services/workspace) | [Machine Learning Services Workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/machine-learning-services/workspace) | +| `Microsoft.Maintenance` | [maintenanceConfigurations](https://github.com/Azure/ResourceModules/tree/main/modules/maintenance/maintenance-configuration) | [Maintenance Configurations](https://github.com/Azure/ResourceModules/tree/main/modules/maintenance/maintenance-configuration) | +| `Microsoft.ManagedIdentity` | [userAssignedIdentities](https://github.com/Azure/ResourceModules/tree/main/modules/managed-identity/user-assigned-identity) | [User Assigned Identities](https://github.com/Azure/ResourceModules/tree/main/modules/managed-identity/user-assigned-identity) | +| `Microsoft.ManagedServices` | 
[registrationDefinitions](https://github.com/Azure/ResourceModules/tree/main/modules/managed-services/registration-definition) | [Registration Definitions](https://github.com/Azure/ResourceModules/tree/main/modules/managed-services/registration-definition) | +| `Microsoft.Management` | [managementGroups](https://github.com/Azure/ResourceModules/tree/main/modules/management/management-group) | [Management Groups](https://github.com/Azure/ResourceModules/tree/main/modules/management/management-group) | +| `Microsoft.NetApp` | [netAppAccounts](https://github.com/Azure/ResourceModules/tree/main/modules/net-app/net-app-account) | [Azure NetApp Files](https://github.com/Azure/ResourceModules/tree/main/modules/net-app/net-app-account) | +| `Microsoft.Network` | [applicationGateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/application-gateway) | [Network Application Gateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/application-gateway) | +| | [ApplicationGatewayWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/tree/main/modules/network/application-gateway-web-application-firewall-policy) | [Application Gateway Web Application Firewall (WAF) Policies](https://github.com/Azure/ResourceModules/tree/main/modules/network/application-gateway-web-application-firewall-policy) | +| | [applicationSecurityGroups](https://github.com/Azure/ResourceModules/tree/main/modules/network/application-security-group) | [Application Security Groups (ASG)](https://github.com/Azure/ResourceModules/tree/main/modules/network/application-security-group) | +| | [azureFirewalls](https://github.com/Azure/ResourceModules/tree/main/modules/network/azure-firewall) | [Azure Firewalls](https://github.com/Azure/ResourceModules/tree/main/modules/network/azure-firewall) | +| | [bastionHosts](https://github.com/Azure/ResourceModules/tree/main/modules/network/bastion-host) | [Bastion 
Hosts](https://github.com/Azure/ResourceModules/tree/main/modules/network/bastion-host) |
+| | [connections](https://github.com/Azure/ResourceModules/tree/main/modules/network/connection) | [Virtual Network Gateway Connections](https://github.com/Azure/ResourceModules/tree/main/modules/network/connection) |
+| | [ddosProtectionPlans](https://github.com/Azure/ResourceModules/tree/main/modules/network/ddos-protection-plan) | [DDoS Protection Plans](https://github.com/Azure/ResourceModules/tree/main/modules/network/ddos-protection-plan) |
+| | [dnsForwardingRulesets](https://github.com/Azure/ResourceModules/tree/main/modules/network/dns-forwarding-ruleset) | [Dns Forwarding Rulesets](https://github.com/Azure/ResourceModules/tree/main/modules/network/dns-forwarding-ruleset) |
+| | [dnsResolvers](https://github.com/Azure/ResourceModules/tree/main/modules/network/dns-resolver) | [DNS Resolvers](https://github.com/Azure/ResourceModules/tree/main/modules/network/dns-resolver) |
+| | [dnsZones](https://github.com/Azure/ResourceModules/tree/main/modules/network/dns-zone) | [Public DNS Zones](https://github.com/Azure/ResourceModules/tree/main/modules/network/dns-zone) |
+| | [expressRouteCircuits](https://github.com/Azure/ResourceModules/tree/main/modules/network/express-route-circuit) | [ExpressRoute Circuits](https://github.com/Azure/ResourceModules/tree/main/modules/network/express-route-circuit) |
+| | [expressRouteGateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/express-route-gateway) | [Express Route Gateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/express-route-gateway) |
+| | [firewallPolicies](https://github.com/Azure/ResourceModules/tree/main/modules/network/firewall-policy) | [Firewall Policies](https://github.com/Azure/ResourceModules/tree/main/modules/network/firewall-policy) |
+| | [frontDoors](https://github.com/Azure/ResourceModules/tree/main/modules/network/front-door) | [Azure Front Doors](https://github.com/Azure/ResourceModules/tree/main/modules/network/front-door) |
+| | [FrontDoorWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/tree/main/modules/network/front-door-web-application-firewall-policy) | [Front Door Web Application Firewall (WAF) Policies](https://github.com/Azure/ResourceModules/tree/main/modules/network/front-door-web-application-firewall-policy) |
+| | [ipGroups](https://github.com/Azure/ResourceModules/tree/main/modules/network/ip-group) | [IP Groups](https://github.com/Azure/ResourceModules/tree/main/modules/network/ip-group) |
+| | [loadBalancers](https://github.com/Azure/ResourceModules/tree/main/modules/network/load-balancer) | [Load Balancers](https://github.com/Azure/ResourceModules/tree/main/modules/network/load-balancer) |
+| | [localNetworkGateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/local-network-gateway) | [Local Network Gateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/local-network-gateway) |
+| | [natGateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/nat-gateway) | [NAT Gateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/nat-gateway) |
+| | [networkInterfaces](https://github.com/Azure/ResourceModules/tree/main/modules/network/network-interface) | [Network Interface](https://github.com/Azure/ResourceModules/tree/main/modules/network/network-interface) |
+| | [networkManagers](https://github.com/Azure/ResourceModules/tree/main/modules/network/network-manager) | [Network Managers](https://github.com/Azure/ResourceModules/tree/main/modules/network/network-manager) |
+| | [networkSecurityGroups](https://github.com/Azure/ResourceModules/tree/main/modules/network/network-security-group) | [Network Security Groups](https://github.com/Azure/ResourceModules/tree/main/modules/network/network-security-group) |
+| | [networkWatchers](https://github.com/Azure/ResourceModules/tree/main/modules/network/network-watcher) | [Network Watchers](https://github.com/Azure/ResourceModules/tree/main/modules/network/network-watcher) |
+| | [privateDnsZones](https://github.com/Azure/ResourceModules/tree/main/modules/network/private-dns-zone) | [Private DNS Zones](https://github.com/Azure/ResourceModules/tree/main/modules/network/private-dns-zone) |
+| | [privateEndpoints](https://github.com/Azure/ResourceModules/tree/main/modules/network/private-endpoint) | [Private Endpoints](https://github.com/Azure/ResourceModules/tree/main/modules/network/private-endpoint) |
+| | [privateLinkServices](https://github.com/Azure/ResourceModules/tree/main/modules/network/private-link-service) | [Private Link Services](https://github.com/Azure/ResourceModules/tree/main/modules/network/private-link-service) |
+| | [publicIPAddresses](https://github.com/Azure/ResourceModules/tree/main/modules/network/public-ip-address) | [Public IP Addresses](https://github.com/Azure/ResourceModules/tree/main/modules/network/public-ip-address) |
+| | [publicIPPrefixes](https://github.com/Azure/ResourceModules/tree/main/modules/network/public-ip-prefix) | [Public IP Prefixes](https://github.com/Azure/ResourceModules/tree/main/modules/network/public-ip-prefix) |
+| | [routeTables](https://github.com/Azure/ResourceModules/tree/main/modules/network/route-table) | [Route Tables](https://github.com/Azure/ResourceModules/tree/main/modules/network/route-table) |
+| | [serviceEndpointPolicies](https://github.com/Azure/ResourceModules/tree/main/modules/network/service-endpoint-policy) | [Service Endpoint Policies](https://github.com/Azure/ResourceModules/tree/main/modules/network/service-endpoint-policy) |
+| | [trafficmanagerprofiles](https://github.com/Azure/ResourceModules/tree/main/modules/network/trafficmanagerprofile) | [Traffic Manager Profiles](https://github.com/Azure/ResourceModules/tree/main/modules/network/trafficmanagerprofile) |
+| | [virtualHubs](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-hub) | [Virtual Hubs](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-hub) |
+| | [virtualNetworks](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-network) | [Virtual Networks](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-network) |
+| | [virtualNetworkGateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-network-gateway) | [Virtual Network Gateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-network-gateway) |
+| | [virtualWans](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-wan) | [Virtual WANs](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-wan) |
+| | [vpnGateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/vpn-gateway) | [VPN Gateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/vpn-gateway) |
+| | [vpnSites](https://github.com/Azure/ResourceModules/tree/main/modules/network/vpn-site) | [VPN Sites](https://github.com/Azure/ResourceModules/tree/main/modules/network/vpn-site) |
+| `Microsoft.OperationalInsights` | [workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/operational-insights/workspace) | [Log Analytics Workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/operational-insights/workspace) |
+| `Microsoft.OperationsManagement` | [solutions](https://github.com/Azure/ResourceModules/tree/main/modules/operations-management/solution) | [Operations Management Solutions](https://github.com/Azure/ResourceModules/tree/main/modules/operations-management/solution) |
+| `Microsoft.PolicyInsights` | [remediations](https://github.com/Azure/ResourceModules/tree/main/modules/policy-insights/remediation) | [Policy Insights Remediations](https://github.com/Azure/ResourceModules/tree/main/modules/policy-insights/remediation) |
+| `Microsoft.PowerBIDedicated` | [capacities](https://github.com/Azure/ResourceModules/tree/main/modules/power-bi-dedicated/capacity) | [Power BI Dedicated Capacities](https://github.com/Azure/ResourceModules/tree/main/modules/power-bi-dedicated/capacity) |
+| `Microsoft.Purview` | [accounts](https://github.com/Azure/ResourceModules/tree/main/modules/purview/account) | [Purview Accounts](https://github.com/Azure/ResourceModules/tree/main/modules/purview/account) |
+| `Microsoft.RecoveryServices` | [vaults](https://github.com/Azure/ResourceModules/tree/main/modules/recovery-services/vault) | [Recovery Services Vaults](https://github.com/Azure/ResourceModules/tree/main/modules/recovery-services/vault) |
+| `Microsoft.Relay` | [namespaces](https://github.com/Azure/ResourceModules/tree/main/modules/relay/namespace) | [Relay Namespaces](https://github.com/Azure/ResourceModules/tree/main/modules/relay/namespace) |
+| `Microsoft.ResourceGraph` | [queries](https://github.com/Azure/ResourceModules/tree/main/modules/resource-graph/query) | [Resource Graph Queries](https://github.com/Azure/ResourceModules/tree/main/modules/resource-graph/query) |
+| `Microsoft.Resources` | [deploymentScripts](https://github.com/Azure/ResourceModules/tree/main/modules/resources/deployment-script) | [Deployment Scripts](https://github.com/Azure/ResourceModules/tree/main/modules/resources/deployment-script) |
+| | [resourceGroups](https://github.com/Azure/ResourceModules/tree/main/modules/resources/resource-group) | [Resource Groups](https://github.com/Azure/ResourceModules/tree/main/modules/resources/resource-group) |
+| | [tags](https://github.com/Azure/ResourceModules/tree/main/modules/resources/tags) | [Resources Tags](https://github.com/Azure/ResourceModules/tree/main/modules/resources/tags) |
+| `Microsoft.Search` | [searchServices](https://github.com/Azure/ResourceModules/tree/main/modules/search/search-service) | [Search Services](https://github.com/Azure/ResourceModules/tree/main/modules/search/search-service) |
+| `Microsoft.Security` | [azuresecuritycenter](https://github.com/Azure/ResourceModules/tree/main/modules/security/azure-security-center) | [Azure Security Center (Defender for Cloud)](https://github.com/Azure/ResourceModules/tree/main/modules/security/azure-security-center) |
+| `Microsoft.ServiceBus` | [namespaces](https://github.com/Azure/ResourceModules/tree/main/modules/service-bus/namespace) | [Service Bus Namespaces](https://github.com/Azure/ResourceModules/tree/main/modules/service-bus/namespace) |
+| `Microsoft.ServiceFabric` | [clusters](https://github.com/Azure/ResourceModules/tree/main/modules/service-fabric/cluster) | [Service Fabric Clusters](https://github.com/Azure/ResourceModules/tree/main/modules/service-fabric/cluster) |
+| `Microsoft.SignalRService` | [signalR](https://github.com/Azure/ResourceModules/tree/main/modules/signal-r-service/signal-r) | [SignalR Service SignalR](https://github.com/Azure/ResourceModules/tree/main/modules/signal-r-service/signal-r) |
+| | [webPubSub](https://github.com/Azure/ResourceModules/tree/main/modules/signal-r-service/web-pub-sub) | [SignalR Web PubSub Services](https://github.com/Azure/ResourceModules/tree/main/modules/signal-r-service/web-pub-sub) |
+| `Microsoft.Sql` | [managedInstances](https://github.com/Azure/ResourceModules/tree/main/modules/sql/managed-instance) | [SQL Managed Instances](https://github.com/Azure/ResourceModules/tree/main/modules/sql/managed-instance) |
+| | [servers](https://github.com/Azure/ResourceModules/tree/main/modules/sql/server) | [Azure SQL Servers](https://github.com/Azure/ResourceModules/tree/main/modules/sql/server) |
+| `Microsoft.Storage` | 
[storageAccounts](https://github.com/Azure/ResourceModules/tree/main/modules/storage/storage-account) | [Storage Accounts](https://github.com/Azure/ResourceModules/tree/main/modules/storage/storage-account) | +| `Microsoft.Synapse` | [privateLinkHubs](https://github.com/Azure/ResourceModules/tree/main/modules/synapse/private-link-hub) | [Azure Synapse Analytics](https://github.com/Azure/ResourceModules/tree/main/modules/synapse/private-link-hub) | +| | [workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/synapse/workspace) | [Synapse Workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/synapse/workspace) | +| `Microsoft.VirtualMachineImages` | [imageTemplates](https://github.com/Azure/ResourceModules/tree/main/modules/virtual-machine-images/image-template) | [Virtual Machine Image Templates](https://github.com/Azure/ResourceModules/tree/main/modules/virtual-machine-images/image-template) | +| `Microsoft.Web` | [connections](https://github.com/Azure/ResourceModules/tree/main/modules/web/connection) | [API Connections](https://github.com/Azure/ResourceModules/tree/main/modules/web/connection) | +| | [hostingEnvironments](https://github.com/Azure/ResourceModules/tree/main/modules/web/hosting-environment) | [App Service Environments](https://github.com/Azure/ResourceModules/tree/main/modules/web/hosting-environment) | +| | [serverfarms](https://github.com/Azure/ResourceModules/tree/main/modules/web/serverfarm) | [App Service Plans](https://github.com/Azure/ResourceModules/tree/main/modules/web/serverfarm) | +| | [sites](https://github.com/Azure/ResourceModules/tree/main/modules/web/site) | [Web/Function Apps](https://github.com/Azure/ResourceModules/tree/main/modules/web/site) | +| | [staticSites](https://github.com/Azure/ResourceModules/tree/main/modules/web/static-site) | [Static Web Apps](https://github.com/Azure/ResourceModules/tree/main/modules/web/static-site) | ## Platform | Name | Status | -| - | - | 
+|--------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Update API Specs file | [![.Platform: Update API Specs file](https://github.com/Azure/ResourceModules/workflows/.Platform:%20Update%20API%20Specs%20file/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/platform.apiSpecs.yml) | | Assign Pull Request to Author | [![.Platform: Assign Pull Request to Author](https://github.com/Azure/ResourceModules/workflows/.Platform:%20Assign%20Pull%20Request%20to%20Author/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/platform.assignPrToAuthor.yml) | | Test - ConvertTo-ARMTemplate.ps1 | [![.Platform: Test - ConvertTo-ARMTemplate.ps1](https://github.com/Azure/ResourceModules/workflows/.Platform:%20Test%20-%20ConvertTo-ARMTemplate.ps1/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/platform.convertToArmTemplate.tests.yml) | 
@@ -196,13 +198,14 @@ The CI environment supports both ARM and Bicep and can be leveraged using GitHub ## Disclaimer -Please note that CARML is constantly evolving and introducing new features. The `main` branch of this repository changes frequently and thus, it always contains the latest available version of the code. Some of the updates may introduce breaking changes as well. +Please note that the `main` branch of this repository always contains the latest available version of the code. Some of the updates may introduce breaking changes as well. + - **Default path**: To avoid disruptions, use distinct versions available through [releases](https://github.com/Azure/ResourceModules/releases). - **Early adopter path**: If the risk of breaking changes is understood and accepted, you can use the code in the `main` branch directly. However, the CARML team recommends against automatically pulling code from `main`. It is always recommended to review changes before you pull them into your own repository. ## Contributing -This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit . +This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit . When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA. 
@@ -220,11 +223,11 @@ Any use of third-party trademarks or logos are subject to those third-party's po ## Learn More -* [PowerShell Documentation][PowerShellDocs] -* [Microsoft Azure Documentation][MicrosoftAzureDocs] -* [GitHubDocs][GitHubDocs] -* [Azure Resource Manager][AzureResourceManager] -* [Bicep][Bicep] +- [PowerShell Documentation][PowerShellDocs] +- [Microsoft Azure Documentation][MicrosoftAzureDocs] +- [GitHubDocs][GitHubDocs] +- [Azure Resource Manager][AzureResourceManager] +- [Bicep][Bicep] ## Telemetry @@ -233,27 +236,12 @@ Modules provided in this library have telemetry enabled by default. To learn mor -[Wiki]: -[ProjectSetup]: [GitHubDocs]: -[AzureDevOpsDocs]: -[GitHubIssues]: -[Contributing]: CONTRIBUTING.md [AzureIcon]: docs/media/MicrosoftAzure-32px.png -[PowershellIcon]: docs/media/MicrosoftPowerShellCore-32px.png [Bicep]: -[Az]: -[AzGallery]: -[PowerShellCore]: -[InstallAzPs]: [AzureResourceManager]: -[TemplateSpecs]: - -[ESLZ]: -[AzureSecurityBenchmark]: -[ESLZWorkloadTemplatesLibrary]: [MicrosoftAzureDocs]: diff --git a/modules/aad/domain-service/README.md b/modules/aad/domain-service/README.md index fa2a33f667..39675955c8 100644 --- a/modules/aad/domain-service/README.md +++ b/modules/aad/domain-service/README.md @@ -1,846 +1,7 @@ -# Azure Active Directory Domain Services `[Microsoft.AAD/domainServices]` +

⚠️ Moved to AVM ⚠️

-This module deploys an Azure Active Directory Domain Services (AADDS). +**This module has been evolved into the following AVM module: [avm/res/aad/domain-service](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/aad/domain-service).** -## Navigation +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/aad/domain-service). -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.AAD/domainServices` | [2021-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.AAD/2021-05-01/domainServices) | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/aad.domain-service:1.0.0`. 
- -- [Using large parameter set](#example-1-using-large-parameter-set) -- [WAF-aligned](#example-2-waf-aligned) - -### Example 1: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -
- -via Bicep module - -```bicep -module domainService 'br:bicep/modules/aad.domain-service:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-aaddsmax' - params: { - // Required parameters - domainName: 'onmicrosoft.com' - // Non-required parameters - additionalRecipients: [ - '@noreply.github.com' - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - name: 'aaddsmax001' - pfxCertificate: '' - pfxCertificatePassword: '' - replicaSets: [ - { - location: 'WestEurope' - subnetId: '' - } - ] - sku: 'Standard' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "domainName": { - "value": "onmicrosoft.com" - }, - // Non-required parameters - "additionalRecipients": { - "value": [ - "@noreply.github.com" - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "name": { - "value": "aaddsmax001" - }, - "pfxCertificate": { - "value": "" - }, - "pfxCertificatePassword": { - "value": "" - }, - "replicaSets": { - "value": [ - { - "location": "WestEurope", - "subnetId": "" - } - ] - }, - "sku": { - "value": "Standard" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 2: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module domainService 'br:bicep/modules/aad.domain-service:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-aaddswaf' - params: { - // Required parameters - domainName: 'onmicrosoft.com' - // Non-required parameters - additionalRecipients: [ - '@noreply.github.com' - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - name: 'aaddswaf001' - pfxCertificate: '' - pfxCertificatePassword: '' - replicaSets: [ - { - location: 'WestEurope' - subnetId: '' - } - ] - sku: 'Standard' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "domainName": { - "value": "onmicrosoft.com" - }, - // Non-required parameters - "additionalRecipients": { - "value": [ - "@noreply.github.com" - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "name": { - "value": "aaddswaf001" - }, - "pfxCertificate": { - "value": "" - }, - "pfxCertificatePassword": { - "value": "" - }, - "replicaSets": { - "value": [ - { - "location": "WestEurope", - "subnetId": "" - } - ] - }, - "sku": { - "value": "Standard" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`domainName`](#parameter-domainname) | string | The domain name specific to the Azure ADDS service. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`pfxCertificate`](#parameter-pfxcertificate) | securestring | The certificate required to configure Secure LDAP. Should be a base64encoded representation of the certificate PFX file. Required if secure LDAP is enabled and must be valid more than 30 days. | -| [`pfxCertificatePassword`](#parameter-pfxcertificatepassword) | securestring | The password to decrypt the provided Secure LDAP certificate PFX file. Required if secure LDAP is enabled. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`additionalRecipients`](#parameter-additionalrecipients) | array | The email recipient value to receive alerts. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`domainConfigurationType`](#parameter-domainconfigurationtype) | string | The value is to provide domain configuration type. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`externalAccess`](#parameter-externalaccess) | string | The value is to enable the Secure LDAP for external services of Azure ADDS Services. | -| [`filteredSync`](#parameter-filteredsync) | string | The value is to synchronize scoped users and groups. | -| [`kerberosArmoring`](#parameter-kerberosarmoring) | string | The value is to enable to provide a protected channel between the Kerberos client and the KDC. | -| [`kerberosRc4Encryption`](#parameter-kerberosrc4encryption) | string | The value is to enable Kerberos requests that use RC4 encryption. 
| -| [`ldaps`](#parameter-ldaps) | string | A flag to determine whether or not Secure LDAP is enabled or disabled. | -| [`location`](#parameter-location) | string | The location to deploy the Azure ADDS Services. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`name`](#parameter-name) | string | The name of the AADDS resource. Defaults to the domain name specific to the Azure ADDS service. | -| [`notifyDcAdmins`](#parameter-notifydcadmins) | string | The value is to notify the DC Admins. | -| [`notifyGlobalAdmins`](#parameter-notifyglobaladmins) | string | The value is to notify the Global Admins. | -| [`ntlmV1`](#parameter-ntlmv1) | string | The value is to enable clients making request using NTLM v1. | -| [`replicaSets`](#parameter-replicasets) | array | Additional replica set for the managed domain. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`sku`](#parameter-sku) | string | The name of the SKU specific to Azure ADDS Services. | -| [`syncNtlmPasswords`](#parameter-syncntlmpasswords) | string | The value is to enable synchronized users to use NTLM authentication. | -| [`syncOnPremPasswords`](#parameter-synconprempasswords) | string | The value is to enable on-premises users to authenticate against managed domain. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`tlsV1`](#parameter-tlsv1) | string | The value is to enable clients making request using TLSv1. | - -### Parameter: `domainName` - -The domain name specific to the Azure ADDS service. - -- Required: Yes -- Type: string - -### Parameter: `pfxCertificate` - -The certificate required to configure Secure LDAP. Should be a base64encoded representation of the certificate PFX file. Required if secure LDAP is enabled and must be valid more than 30 days. 
- -- Required: No -- Type: securestring -- Default: `''` - -### Parameter: `pfxCertificatePassword` - -The password to decrypt the provided Secure LDAP certificate PFX file. Required if secure LDAP is enabled. - -- Required: No -- Type: securestring -- Default: `''` - -### Parameter: `additionalRecipients` - -The email recipient value to receive alerts. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
| -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
- -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `domainConfigurationType` - -The value is to provide domain configuration type. - -- Required: No -- Type: string -- Default: `'FullySynced'` -- Allowed: - ```Bicep - [ - 'FullySynced' - 'ResourceTrusting' - ] - ``` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `externalAccess` - -The value is to enable the Secure LDAP for external services of Azure ADDS Services. - -- Required: No -- Type: string -- Default: `'Enabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `filteredSync` - -The value is to synchronize scoped users and groups. - -- Required: No -- Type: string -- Default: `'Enabled'` - -### Parameter: `kerberosArmoring` - -The value is to enable to provide a protected channel between the Kerberos client and the KDC. 
- -- Required: No -- Type: string -- Default: `'Enabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `kerberosRc4Encryption` - -The value is to enable Kerberos requests that use RC4 encryption. - -- Required: No -- Type: string -- Default: `'Enabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `ldaps` - -A flag to determine whether or not Secure LDAP is enabled or disabled. - -- Required: No -- Type: string -- Default: `'Enabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `location` - -The location to deploy the Azure ADDS Services. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `name` - -The name of the AADDS resource. Defaults to the domain name specific to the Azure ADDS service. - -- Required: No -- Type: string -- Default: `[parameters('domainName')]` - -### Parameter: `notifyDcAdmins` - -The value is to notify the DC Admins. - -- Required: No -- Type: string -- Default: `'Enabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `notifyGlobalAdmins` - -The value is to notify the Global Admins. 
- -- Required: No -- Type: string -- Default: `'Enabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `ntlmV1` - -The value is to enable clients making request using NTLM v1. - -- Required: No -- Type: string -- Default: `'Enabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `replicaSets` - -Additional replica set for the managed domain. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. 
| -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `sku` - -The name of the SKU specific to Azure ADDS Services. - -- Required: No -- Type: string -- Default: `'Standard'` -- Allowed: - ```Bicep - [ - 'Enterprise' - 'Premium' - 'Standard' - ] - ``` - -### Parameter: `syncNtlmPasswords` - -The value is to enable synchronized users to use NTLM authentication. 
- -- Required: No -- Type: string -- Default: `'Enabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `syncOnPremPasswords` - -The value is to enable on-premises users to authenticate against managed domain. - -- Required: No -- Type: string -- Default: `'Enabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `tlsV1` - -The value is to enable clients making request using TLSv1. - -- Required: No -- Type: string -- Default: `'Enabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The domain name of the Azure Active Directory Domain Services(Azure ADDS). | -| `resourceGroupName` | string | The name of the resource group the Azure Active Directory Domain Services(Azure ADDS) was created in. | -| `resourceId` | string | The resource ID of the Azure Active Directory Domain Services(Azure ADDS). 
| - -## Cross-referenced modules - -_None_ - -## Notes - -### Network Security Group (NSG) requirements for AADDS - -- A network security group has to be created and assigned to the designated AADDS subnet before deploying this module - - The following inbound rules should be allowed on the network security group - | Name | Protocol | Source Port Range | Source Address Prefix | Destination Port Range | Destination Address Prefix | - | - | - | - | - | - | - | - | AllowSyncWithAzureAD | TCP | `*` | `AzureActiveDirectoryDomainServices` | `443` | `*` | - | AllowPSRemoting | TCP | `*` | `AzureActiveDirectoryDomainServices` | `5986` | `*` | -- Associating a route table to the AADDS subnet is not recommended -- The network used for AADDS must have its DNS Servers [configured](https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-networking#configure-dns-servers-in-the-peered-virtual-network) (e.g. with IPs `10.0.1.4` & `10.0.1.5`) -- Your Azure Active Directory must have the 'Domain Controller Services' service principal registered. If that's not the case, you can register it by executing the command `New-AzADServicePrincipal -ApplicationId '2565bd9d-da50-47d4-8b85-4c97f669dc36'` with an eligible user. 
- -### Create self-signed certificate for secure LDAP -Follow the below PowerShell commands to get base64 encoded string of a self-signed certificate (with a `pfxCertificatePassword`) - -```PowerShell -$pfxCertificatePassword = ConvertTo-SecureString '[[YourPfxCertificatePassword]]' -AsPlainText -Force -$certInputObject = @{ - Subject = 'CN=*.[[YourDomainName]]' - DnsName = '*.[[YourDomainName]]' - CertStoreLocation = 'cert:\LocalMachine\My' - KeyExportPolicy = 'Exportable' - Provider = 'Microsoft Enhanced RSA and AES Cryptographic Provider' - NotAfter = (Get-Date).AddMonths(3) - HashAlgorithm = 'SHA256' -} -$rawCert = New-SelfSignedCertificate @certInputObject -Export-PfxCertificate -Cert ('Cert:\localmachine\my\' + $rawCert.Thumbprint) -FilePath "$home/aadds.pfx" -Password $pfxCertificatePassword -Force -$rawCertByteStream = Get-Content "$home/aadds.pfx" -AsByteStream -$pfxCertificate = [System.Convert]::ToBase64String($rawCertByteStream) -``` +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/aad/domain-service/main.bicep b/modules/aad/domain-service/main.bicep deleted file mode 100644 index 5fd0a7a9fb..0000000000 --- a/modules/aad/domain-service/main.bicep +++ /dev/null 
@@ -1,304 +0,0 @@
-metadata name = 'Azure Active Directory Domain Services'
-metadata description = 'This module deploys an Azure Active Directory Domain Services (AADDS).'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Optional. The name of the AADDS resource. Defaults to the domain name specific to the Azure ADDS service.')
-param name string = domainName
-
-@description('Required. The domain name specific to the Azure ADDS service.')
-param domainName string
-
-@description('Optional. The name of the SKU specific to Azure ADDS Services.')
-@allowed([
- 'Standard'
- 'Enterprise'
- 'Premium'
-])
-param sku string = 'Standard'
-
-@description('Optional. The location to deploy the Azure ADDS Services.')
-param location string = resourceGroup().location
-
-@description('Optional. Additional replica set for the managed domain.')
-param replicaSets array = []
-
-@description('Conditional. The certificate required to configure Secure LDAP. Should be a base64encoded representation of the certificate PFX file. Required if secure LDAP is enabled and must be valid more than 30 days.')
-@secure()
-param pfxCertificate string = ''
-
-@description('Conditional. The password to decrypt the provided Secure LDAP certificate PFX file. Required if secure LDAP is enabled.')
-@secure()
-param pfxCertificatePassword string = ''
-
-@description('Optional. The email recipient value to receive alerts.')
-param additionalRecipients array = []
-
-@description('Optional. The value is to provide domain configuration type.')
-@allowed([
- 'FullySynced'
- 'ResourceTrusting'
-])
-param domainConfigurationType string = 'FullySynced'
-
-@description('Optional. The value is to synchronize scoped users and groups.')
-param filteredSync string = 'Enabled'
-
-@description('Optional. The value is to enable clients making request using TLSv1.')
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-param tlsV1 string = 'Enabled'
-
-@description('Optional. The value is to enable clients making request using NTLM v1.')
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-param ntlmV1 string = 'Enabled'
-
-@description('Optional. The value is to enable synchronized users to use NTLM authentication.')
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-#disable-next-line secure-secrets-in-params // Not a secret
-param syncNtlmPasswords string = 'Enabled'
-
-@description('Optional. The value is to enable on-premises users to authenticate against managed domain.')
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-#disable-next-line secure-secrets-in-params // Not a secret
-param syncOnPremPasswords string = 'Enabled'
-
-@description('Optional. The value is to enable Kerberos requests that use RC4 encryption.')
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-param kerberosRc4Encryption string = 'Enabled'
-
-@description('Optional. The value is to enable to provide a protected channel between the Kerberos client and the KDC.')
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-param kerberosArmoring string = 'Enabled'
-
-@description('Optional. The value is to notify the DC Admins.')
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-param notifyDcAdmins string = 'Enabled'
-
-@description('Optional. The value is to notify the Global Admins.')
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-param notifyGlobalAdmins string = 'Enabled'
-
-@description('Optional. The value is to enable the Secure LDAP for external services of Azure ADDS Services.')
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-param externalAccess string = 'Enabled'
-
-@description('Optional. A flag to determine whether or not Secure LDAP is enabled or disabled.')
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-param ldaps string = 'Enabled'
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource domainService 'Microsoft.AAD/DomainServices@2021-05-01' = {
- name: name
- location: location
- tags: tags
- properties: {
- domainName: domainName
- domainConfigurationType: domainConfigurationType
- filteredSync: filteredSync
- notificationSettings: {
- additionalRecipients: additionalRecipients
- notifyDcAdmins: notifyDcAdmins
- notifyGlobalAdmins: notifyGlobalAdmins
- }
- ldapsSettings: {
- externalAccess: externalAccess
- ldaps: ldaps
- pfxCertificate: !empty(pfxCertificate) ? pfxCertificate : null
- pfxCertificatePassword: !empty(pfxCertificatePassword) ? pfxCertificatePassword : null
- }
- replicaSets: replicaSets
- domainSecuritySettings: {
- tlsV1: tlsV1
- ntlmV1: ntlmV1
- syncNtlmPasswords: syncNtlmPasswords
- syncOnPremPasswords: syncOnPremPasswords
- kerberosRc4Encryption: kerberosRc4Encryption
- kerberosArmoring: kerberosArmoring
- }
- sku: sku
- }
-}
-
-resource domainService_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: domainService
-}]
-
-resource domainService_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: domainService
-}
-
-resource domainService_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(domainService.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: domainService
-}]
-
-@description('The domain name of the Azure Active Directory Domain Services(Azure ADDS).')
-output name string = domainService.name
-
-@description('The name of the resource group the Azure Active Directory Domain Services(Azure ADDS) was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The resource ID of the Azure Active Directory Domain Services(Azure ADDS).')
-output resourceId string = domainService.id
-
-@description('The location the resource was deployed into.')
-output location string = domainService.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/aad/domain-service/main.json b/modules/aad/domain-service/main.json
deleted file mode 100644
index d0510c3e8a..0000000000
--- a/modules/aad/domain-service/main.json
+++ /dev/null
@@ -1,564 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "1250805842529058137" - }, - "name": "Azure Active Directory Domain Services", - "description": "This module deploys an Azure Active Directory Domain Services (AADDS).", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. 
A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "defaultValue": "[parameters('domainName')]", - "metadata": { - "description": "Optional. The name of the AADDS resource. Defaults to the domain name specific to the Azure ADDS service." 
- } - }, - "domainName": { - "type": "string", - "metadata": { - "description": "Required. The domain name specific to the Azure ADDS service." - } - }, - "sku": { - "type": "string", - "defaultValue": "Standard", - "allowedValues": [ - "Standard", - "Enterprise", - "Premium" - ], - "metadata": { - "description": "Optional. The name of the SKU specific to Azure ADDS Services." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. The location to deploy the Azure ADDS Services." - } - }, - "replicaSets": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Additional replica set for the managed domain." - } - }, - "pfxCertificate": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Conditional. The certificate required to configure Secure LDAP. Should be a base64encoded representation of the certificate PFX file. Required if secure LDAP is enabled and must be valid more than 30 days." - } - }, - "pfxCertificatePassword": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Conditional. The password to decrypt the provided Secure LDAP certificate PFX file. Required if secure LDAP is enabled." - } - }, - "additionalRecipients": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The email recipient value to receive alerts." - } - }, - "domainConfigurationType": { - "type": "string", - "defaultValue": "FullySynced", - "allowedValues": [ - "FullySynced", - "ResourceTrusting" - ], - "metadata": { - "description": "Optional. The value is to provide domain configuration type." - } - }, - "filteredSync": { - "type": "string", - "defaultValue": "Enabled", - "metadata": { - "description": "Optional. The value is to synchronize scoped users and groups." 
- } - }, - "tlsV1": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. The value is to enable clients making request using TLSv1." - } - }, - "ntlmV1": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. The value is to enable clients making request using NTLM v1." - } - }, - "syncNtlmPasswords": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. The value is to enable synchronized users to use NTLM authentication." - } - }, - "syncOnPremPasswords": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. The value is to enable on-premises users to authenticate against managed domain." - } - }, - "kerberosRc4Encryption": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. The value is to enable Kerberos requests that use RC4 encryption." - } - }, - "kerberosArmoring": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. The value is to enable to provide a protected channel between the Kerberos client and the KDC." - } - }, - "notifyDcAdmins": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. The value is to notify the DC Admins." - } - }, - "notifyGlobalAdmins": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. The value is to notify the Global Admins." 
- } - }, - "externalAccess": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. The value is to enable the Secure LDAP for external services of Azure ADDS Services." - } - }, - "ldaps": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. A flag to determine whether or not Secure LDAP is enabled or disabled." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "domainService": { - "type": "Microsoft.AAD/domainServices", - "apiVersion": "2021-05-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "domainName": "[parameters('domainName')]", - "domainConfigurationType": "[parameters('domainConfigurationType')]", - "filteredSync": "[parameters('filteredSync')]", - "notificationSettings": { - "additionalRecipients": "[parameters('additionalRecipients')]", - "notifyDcAdmins": "[parameters('notifyDcAdmins')]", - "notifyGlobalAdmins": "[parameters('notifyGlobalAdmins')]" - }, - "ldapsSettings": { - "externalAccess": "[parameters('externalAccess')]", - "ldaps": "[parameters('ldaps')]", - "pfxCertificate": 
"[if(not(empty(parameters('pfxCertificate'))), parameters('pfxCertificate'), null())]", - "pfxCertificatePassword": "[if(not(empty(parameters('pfxCertificatePassword'))), parameters('pfxCertificatePassword'), null())]" - }, - "replicaSets": "[parameters('replicaSets')]", - "domainSecuritySettings": { - "tlsV1": "[parameters('tlsV1')]", - "ntlmV1": "[parameters('ntlmV1')]", - "syncNtlmPasswords": "[parameters('syncNtlmPasswords')]", - "syncOnPremPasswords": "[parameters('syncOnPremPasswords')]", - "kerberosRc4Encryption": "[parameters('kerberosRc4Encryption')]", - "kerberosArmoring": "[parameters('kerberosArmoring')]" - }, - "sku": "[parameters('sku')]" - } - }, - "domainService_diagnosticSettings": { - "copy": { - "name": "domainService_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.AAD/domainServices/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "domainService" - ] - }, - "domainService_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.AAD/domainServices/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "domainService" - ] - }, - "domainService_roleAssignments": { - "copy": { - "name": "domainService_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.AAD/domainServices/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.AAD/domainServices', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "domainService" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The domain name of the Azure Active Directory Domain Services(Azure ADDS)." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the Azure Active Directory Domain Services(Azure ADDS) was created in." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Azure Active Directory Domain Services(Azure ADDS)." 
- }, - "value": "[resourceId('Microsoft.AAD/domainServices', parameters('name'))]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('domainService', '2021-05-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/aad/domain-service/tests/e2e/max/dependencies.bicep b/modules/aad/domain-service/tests/e2e/max/dependencies.bicep deleted file mode 100644 index 0767cf436a..0000000000 --- a/modules/aad/domain-service/tests/e2e/max/dependencies.bicep +++ /dev/null 
@@ -1,104 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Deployment Script to create for the Certificate generation.')
-param certDeploymentScriptName string
-
-var certPWSecretName = 'pfxCertificatePassword'
-var certSecretName = 'pfxBase64Certificate'
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: null
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${managedIdentity.name}-KeyVault-Admin-RoleAssignment')
- scope: keyVault
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') // Key Vault Administrator
- principalType: 'ServicePrincipal'
- }
-}
-
-resource certDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
- name: certDeploymentScriptName
- location: location
- kind: 'AzurePowerShell'
- identity: {
- type: 'UserAssigned'
- userAssignedIdentities: {
- '${managedIdentity.id}': {}
- }
- }
- properties: {
- azPowerShellVersion: '3.0'
- retentionInterval: 'P1D'
- arguments: ' -KeyVaultName "${keyVault.name}" -ResourceGroupName "${resourceGroup().name}" -CertPWSecretName "${certPWSecretName}" -CertSecretName "${certSecretName}"'
- scriptContent: loadTextContent('../../../../../.shared/.scripts/Set-PfxCertificateInKeyVault.ps1')
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
-
-@description('The name of the certification password secret.')
-output certPWSecretName string = certPWSecretName
-
-@description('The name of the certification secret.')
-output certSecretName string = certSecretName
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/aad/domain-service/tests/e2e/max/main.test.bicep b/modules/aad/domain-service/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 57a8a8aae6..0000000000
--- a/modules/aad/domain-service/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,109 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-aad.domainservices-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'aaddsmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- certDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
- name: last(split(nestedDependencies.outputs.keyVaultResourceId, '/'))
- scope: resourceGroup
-}
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- domainName: '${namePrefix}.onmicrosoft.com'
- additionalRecipients: [
- '${namePrefix}@noreply.github.com'
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- pfxCertificate: keyVault.getSecret(nestedDependencies.outputs.certSecretName)
- pfxCertificatePassword: keyVault.getSecret(nestedDependencies.outputs.certPWSecretName)
- replicaSets: [
- {
- location: 'WestEurope'
- subnetId: nestedDependencies.outputs.subnetResourceId
- }
- ]
- sku: 'Standard'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
diff --git a/modules/aad/domain-service/tests/e2e/waf-aligned/dependencies.bicep b/modules/aad/domain-service/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 0767cf436a..0000000000
--- a/modules/aad/domain-service/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,104 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Deployment Script to create for the Certificate generation.')
-param certDeploymentScriptName string
-
-var certPWSecretName = 'pfxCertificatePassword'
-var certSecretName = 'pfxBase64Certificate'
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: null
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${managedIdentity.name}-KeyVault-Admin-RoleAssignment')
- scope: keyVault
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') // Key Vault Administrator
- principalType: 'ServicePrincipal'
- }
-}
-
-resource certDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
- name: certDeploymentScriptName
- location: location
- kind: 'AzurePowerShell'
- identity: {
- type: 'UserAssigned'
- userAssignedIdentities: {
- '${managedIdentity.id}': {}
- }
- }
- properties: {
- azPowerShellVersion: '3.0'
- retentionInterval: 'P1D'
- arguments: ' -KeyVaultName "${keyVault.name}" -ResourceGroupName "${resourceGroup().name}" -CertPWSecretName "${certPWSecretName}" -CertSecretName "${certSecretName}"'
- scriptContent: loadTextContent('../../../../../.shared/.scripts/Set-PfxCertificateInKeyVault.ps1')
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
-
-@description('The name of the certification password secret.')
-output certPWSecretName string = certPWSecretName
-
-@description('The name of the certification secret.')
-output certSecretName string = certSecretName
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/aad/domain-service/tests/e2e/waf-aligned/main.test.bicep b/modules/aad/domain-service/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 605f339c95..0000000000
--- a/modules/aad/domain-service/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,109 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-aad.domainservices-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'aaddswaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- certDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
- name: last(split(nestedDependencies.outputs.keyVaultResourceId, '/'))
- scope: resourceGroup
-}
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- domainName: '${namePrefix}.onmicrosoft.com'
- additionalRecipients: [
- '${namePrefix}@noreply.github.com'
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- pfxCertificate: keyVault.getSecret(nestedDependencies.outputs.certSecretName)
- pfxCertificatePassword: keyVault.getSecret(nestedDependencies.outputs.certPWSecretName)
- replicaSets: [
- {
- location: 'WestEurope'
- subnetId: nestedDependencies.outputs.subnetResourceId
- }
- ]
- sku: 'Standard'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
diff --git a/modules/aad/domain-service/version.json b/modules/aad/domain-service/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/aad/domain-service/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/analysis-services/server/MOVED-TO-AVM.md b/modules/analysis-services/server/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/analysis-services/server/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/analysis-services/server/README.md b/modules/analysis-services/server/README.md
index 14c36419b1..f7939b65f2 100644
--- a/modules/analysis-services/server/README.md
+++ b/modules/analysis-services/server/README.md
@@ -1,729 +1,7 @@
-# Analysis Services Servers `[Microsoft.AnalysisServices/servers]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/analysis-services/server](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/analysis-services/server).** -This module deploys an Analysis Services Server. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/analysis-services/server). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.AnalysisServices/servers` | [2017-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.AnalysisServices/2017-08-01/servers) | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. 
- ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/analysis-services.server:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module server 'br:bicep/modules/analysis-services.server:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-assmin' - params: { - // Required parameters - name: 'assmin' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "assmin" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module server 'br:bicep/modules/analysis-services.server:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-assmax' - params: { - // Required parameters - name: 'assmax' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - logCategoriesAndGroups: [ - { - category: 'Engine' - } - { - category: 'Service' - } - ] - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - firewallSettings: { - enablePowerBIService: true - firewallRules: [ - { - firewallRuleName: 'AllowFromAll' - rangeEnd: '255.255.255.255' - rangeStart: '0.0.0.0' - } - ] - } - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - skuCapacity: 1 - skuName: 'S0' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "assmax" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "logCategoriesAndGroups": [ - { - "category": "Engine" - }, - { - "category": "Service" - } - ], - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "firewallSettings": { - "value": { - "enablePowerBIService": true, - "firewallRules": [ - { - "firewallRuleName": "AllowFromAll", - "rangeEnd": "255.255.255.255", - "rangeStart": "0.0.0.0" - } - ] - } - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "skuCapacity": { - "value": 1 - }, - "skuName": { - "value": "S0" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module server 'br:bicep/modules/analysis-services.server:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-asswaf' - params: { - // Required parameters - name: 'asswaf' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - logCategoriesAndGroups: [ - { - category: 'Engine' - } - { - category: 'Service' - } - ] - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - firewallSettings: { - enablePowerBIService: true - firewallRules: [ - { - firewallRuleName: 'AllowFromAll' - rangeEnd: '255.255.255.255' - rangeStart: '0.0.0.0' - } - ] - } - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - skuCapacity: 1 - skuName: 'S0' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "asswaf" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "logCategoriesAndGroups": [ - { - "category": "Engine" - }, - { - "category": "Service" - } - ], - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "firewallSettings": { - "value": { - "enablePowerBIService": true, - "firewallRules": [ - { - "firewallRuleName": "AllowFromAll", - "rangeEnd": "255.255.255.255", - "rangeStart": "0.0.0.0" - } - ] - } - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "skuCapacity": { - "value": 1 - }, - "skuName": { - "value": "S0" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the Azure Analysis Services server to create. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`firewallSettings`](#parameter-firewallsettings) | object | The inbound firewall rules to define on the server. If not specified, firewall is disabled. | -| [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`skuCapacity`](#parameter-skucapacity) | int | The total number of query replica scale-out instances. | -| [`skuName`](#parameter-skuname) | string | The SKU name of the Azure Analysis Services server to create. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `name` - -The name of the Azure Analysis Services server to create. - -- Required: Yes -- Type: string - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
| - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `firewallSettings` - -The inbound firewall rules to define on the server. If not specified, firewall is disabled. - -- Required: No -- Type: object -- Default: - ```Bicep - { - enablePowerBIService: true - firewallRules: [ - { - firewallRuleName: 'AllowFromAll' - rangeEnd: '255.255.255.255' - rangeStart: '0.0.0.0' - } - ] - } - ``` - -### Parameter: `location` - -Location for all Resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `skuCapacity` - -The total number of query replica scale-out instances. - -- Required: No -- Type: int -- Default: `1` - -### Parameter: `skuName` - -The SKU name of the Azure Analysis Services server to create. - -- Required: No -- Type: string -- Default: `'S0'` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the analysis service. | -| `resourceGroupName` | string | The resource group the analysis service was deployed into. | -| `resourceId` | string | The resource ID of the analysis service. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/analysis-services/server/main.bicep b/modules/analysis-services/server/main.bicep deleted file mode 100644 index 0d4d966a3b..0000000000 
--- a/modules/analysis-services/server/main.bicep
+++ /dev/null
@@ -1,209 +0,0 @@
-metadata name = 'Analysis Services Servers'
-metadata description = 'This module deploys an Analysis Services Server.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the Azure Analysis Services server to create.')
-param name string
-
-@description('Optional. The SKU name of the Azure Analysis Services server to create.')
-param skuName string = 'S0'
-
-@description('Optional. The total number of query replica scale-out instances.')
-param skuCapacity int = 1
-
-@description('Optional. The inbound firewall rules to define on the server. If not specified, firewall is disabled.')
-param firewallSettings object = {
- firewallRules: [
- {
- firewallRuleName: 'AllowFromAll'
- rangeStart: '0.0.0.0'
- rangeEnd: '255.255.255.255'
- }
- ]
- enablePowerBIService: true
-}
-
-@description('Optional. Location for all Resources.')
-param location string = resourceGroup().location
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource server 'Microsoft.AnalysisServices/servers@2017-08-01' = {
- name: name
- location: location
- tags: tags
- sku: {
- name: skuName
- capacity: skuCapacity
- }
- properties: {
- ipV4FirewallSettings: firewallSettings
- }
-}
-
-resource server_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: server
-}
-
-resource server_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: server
-}]
-
-resource server_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(server.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: server
-}]
-
-@description('The name of the analysis service.')
-output name string = server.name
-
-@description('The resource ID of the analysis service.')
-output resourceId string = server.id
-
-@description('The resource group the analysis service was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = server.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/analysis-services/server/main.json b/modules/analysis-services/server/main.json
deleted file mode 100644
index b3e4158662..0000000000
--- a/modules/analysis-services/server/main.json
+++ /dev/null
@@ -1,419 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "1605417065240868452" - }, - "name": "Analysis Services Servers", - "description": "This module deploys an Analysis Services Server.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. 
Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Azure Analysis Services server to create." - } - }, - "skuName": { - "type": "string", - "defaultValue": "S0", - "metadata": { - "description": "Optional. The SKU name of the Azure Analysis Services server to create." - } - }, - "skuCapacity": { - "type": "int", - "defaultValue": 1, - "metadata": { - "description": "Optional. The total number of query replica scale-out instances." - } - }, - "firewallSettings": { - "type": "object", - "defaultValue": { - "firewallRules": [ - { - "firewallRuleName": "AllowFromAll", - "rangeStart": "0.0.0.0", - "rangeEnd": "255.255.255.255" - } - ], - "enablePowerBIService": true - }, - "metadata": { - "description": "Optional. The inbound firewall rules to define on the server. If not specified, firewall is disabled." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." 
- } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "server": { - "type": "Microsoft.AnalysisServices/servers", - "apiVersion": "2017-08-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "name": "[parameters('skuName')]", - "capacity": "[parameters('skuCapacity')]" - }, - "properties": { - "ipV4FirewallSettings": "[parameters('firewallSettings')]" - } - }, - "server_lock": { - "condition": 
"[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.AnalysisServices/servers/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "server" - ] - }, - "server_diagnosticSettings": { - "copy": { - "name": "server_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.AnalysisServices/servers/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": 
"[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "server" - ] - }, - "server_roleAssignments": { - "copy": { - "name": "server_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.AnalysisServices/servers/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.AnalysisServices/servers', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "server" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the analysis service." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the analysis service." - }, - "value": "[resourceId('Microsoft.AnalysisServices/servers', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the analysis service was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('server', '2017-08-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/analysis-services/server/tests/e2e/defaults/main.test.bicep b/modules/analysis-services/server/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index d068d9795e..0000000000 --- a/modules/analysis-services/server/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-analysisservices.servers-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'assmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}'
- }
-}]
diff --git a/modules/analysis-services/server/tests/e2e/max/dependencies.bicep b/modules/analysis-services/server/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 29b9641692..0000000000
--- a/modules/analysis-services/server/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Required. The name of the managed identity to create.')
-param managedIdentityName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created managed identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/analysis-services/server/tests/e2e/max/main.test.bicep b/modules/analysis-services/server/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 93bfb2efaa..0000000000
--- a/modules/analysis-services/server/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,131 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-analysisservices.servers-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'assmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}azsa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
- }
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- skuName: 'S0'
- skuCapacity: 1
- firewallSettings: {
- firewallRules: [
- {
- firewallRuleName: 'AllowFromAll'
- rangeStart: '0.0.0.0'
- rangeEnd: '255.255.255.255'
- }
- ]
- enablePowerBIService: true
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- logCategoriesAndGroups: [
- {
- category: 'Engine'
- }
- {
- category: 'Service'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/analysis-services/server/tests/e2e/waf-aligned/dependencies.bicep b/modules/analysis-services/server/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 29b9641692..0000000000
--- a/modules/analysis-services/server/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Required. The name of the managed identity to create.')
-param managedIdentityName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created managed identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep b/modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 705eaf124d..0000000000
--- a/modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,114 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-analysisservices.servers-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'asswaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}azsa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- skuName: 'S0'
- skuCapacity: 1
- firewallSettings: {
- firewallRules: [
- {
- firewallRuleName: 'AllowFromAll'
- rangeStart: '0.0.0.0'
- rangeEnd: '255.255.255.255'
- }
- ]
- enablePowerBIService: true
- }
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- logCategoriesAndGroups: [
- {
- category: 'Engine'
- }
- {
- category: 'Service'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/analysis-services/server/version.json b/modules/analysis-services/server/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/analysis-services/server/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/api-management/service/MOVED-TO-AVM.md b/modules/api-management/service/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/api-management/service/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/api-management/service/README.md b/modules/api-management/service/README.md
index 8e1d7f8732..572a98b448 100644
--- a/modules/api-management/service/README.md
+++ b/modules/api-management/service/README.md
@@ -1,1467 +1,7 @@
-# API Management Services `[Microsoft.ApiManagement/service]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/api-management/service](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/api-management/service).** -This module deploys an API Management Service. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/api-management/service). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.ApiManagement/service` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service) | -| `Microsoft.ApiManagement/service/apis` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/apis) | -| `Microsoft.ApiManagement/service/apis/policies` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/apis/policies) | -| `Microsoft.ApiManagement/service/apiVersionSets` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/apiVersionSets) | -| `Microsoft.ApiManagement/service/authorizationServers` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/authorizationServers) | -| `Microsoft.ApiManagement/service/backends` | 
[2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/backends) | -| `Microsoft.ApiManagement/service/caches` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/caches) | -| `Microsoft.ApiManagement/service/identityProviders` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/identityProviders) | -| `Microsoft.ApiManagement/service/namedValues` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/namedValues) | -| `Microsoft.ApiManagement/service/policies` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/policies) | -| `Microsoft.ApiManagement/service/portalsettings` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/service) | -| `Microsoft.ApiManagement/service/products` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/products) | -| `Microsoft.ApiManagement/service/products/apis` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/products/apis) | -| `Microsoft.ApiManagement/service/products/groups` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/products/groups) | -| `Microsoft.ApiManagement/service/subscriptions` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/subscriptions) | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| 
`Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/api-management.service:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module service 'br:bicep/modules/api-management.service:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-apismin' - params: { - // Required parameters - name: 'apismin001' - publisherEmail: 'apimgmt-noreply@mail.windowsazure.com' - publisherName: 'az-amorg-x-001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "apismin001" - }, - "publisherEmail": { - "value": "apimgmt-noreply@mail.windowsazure.com" - }, - "publisherName": { - "value": "az-amorg-x-001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module service 'br:bicep/modules/api-management.service:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-apismax' - params: { - // Required parameters - name: 'apismax001' - publisherEmail: 'apimgmt-noreply@mail.windowsazure.com' - publisherName: 'az-amorg-x-001' - // Non-required parameters - apis: [ - { - apiVersionSet: { - name: 'echo-version-set' - properties: { - description: 'echo-version-set' - displayName: 'echo-version-set' - versioningScheme: 'Segment' - } - } - displayName: 'Echo API' - name: 'echo-api' - path: 'echo' - serviceUrl: 'http://echoapi.cloudapp.net/api' - } - ] - authorizationServers: { - secureList: [ - { - authorizationEndpoint: '' - clientId: 'apimclientid' - clientRegistrationEndpoint: 'http://localhost' - clientSecret: '' - grantTypes: [ - 'authorizationCode' - ] - name: 'AuthServer1' - tokenEndpoint: '' - } - ] - } - backends: [ - { - name: 'backend' - tls: { - validateCertificateChain: false - validateCertificateName: false - } - url: 'http://echoapi.cloudapp.net/api' - } - ] - caches: [ - { - connectionString: 'connectionstringtest' - name: 'westeurope' - useFromLocation: 'westeurope' - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - identityProviders: [ - { - name: 'aadProvider' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - namedValues: [ - { - displayName: 'apimkey' - name: 'apimkey' - secret: true - } - ] - policies: [ - { - format: 'xml' - value: ' ' - } - ] - portalsettings: [ - { - name: 'signin' - properties: { - enabled: false - } - } - { - name: 'signup' - properties: { - enabled: false - termsOfService: { - consentRequired: false - 
enabled: false - } - } - } - ] - products: [ - { - apis: [ - { - name: 'echo-api' - } - ] - approvalRequired: false - groups: [ - { - name: 'developers' - } - ] - name: 'Starter' - subscriptionRequired: false - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - subscriptions: [ - { - name: 'testArmSubscriptionAllApis' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "apismax001" - }, - "publisherEmail": { - "value": "apimgmt-noreply@mail.windowsazure.com" - }, - "publisherName": { - "value": "az-amorg-x-001" - }, - // Non-required parameters - "apis": { - "value": [ - { - "apiVersionSet": { - "name": "echo-version-set", - "properties": { - "description": "echo-version-set", - "displayName": "echo-version-set", - "versioningScheme": "Segment" - } - }, - "displayName": "Echo API", - "name": "echo-api", - "path": "echo", - "serviceUrl": "http://echoapi.cloudapp.net/api" - } - ] - }, - "authorizationServers": { - "value": { - "secureList": [ - { - "authorizationEndpoint": "", - "clientId": "apimclientid", - "clientRegistrationEndpoint": "http://localhost", - "clientSecret": "", - "grantTypes": [ - "authorizationCode" - ], - "name": "AuthServer1", - "tokenEndpoint": "" - } - ] - } - }, - "backends": { - "value": [ - { - "name": "backend", - "tls": { - "validateCertificateChain": false, - "validateCertificateName": false - }, - "url": "http://echoapi.cloudapp.net/api" - } - ] - }, - "caches": { - "value": [ - { - "connectionString": "connectionstringtest", - "name": "westeurope", - "useFromLocation": "westeurope" - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "identityProviders": { - "value": [ - { - "name": "aadProvider" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": 
[ - "" - ] - } - }, - "namedValues": { - "value": [ - { - "displayName": "apimkey", - "name": "apimkey", - "secret": true - } - ] - }, - "policies": { - "value": [ - { - "format": "xml", - "value": " " - } - ] - }, - "portalsettings": { - "value": [ - { - "name": "signin", - "properties": { - "enabled": false - } - }, - { - "name": "signup", - "properties": { - "enabled": false, - "termsOfService": { - "consentRequired": false, - "enabled": false - } - } - } - ] - }, - "products": { - "value": [ - { - "apis": [ - { - "name": "echo-api" - } - ], - "approvalRequired": false, - "groups": [ - { - "name": "developers" - } - ], - "name": "Starter", - "subscriptionRequired": false - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "subscriptions": { - "value": [ - { - "name": "testArmSubscriptionAllApis" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module service 'br:bicep/modules/api-management.service:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-apiswaf' - params: { - // Required parameters - name: 'apiswaf001' - publisherEmail: 'apimgmt-noreply@mail.windowsazure.com' - publisherName: 'az-amorg-x-001' - // Non-required parameters - apis: [ - { - apiVersionSet: { - name: 'echo-version-set' - properties: { - description: 'echo-version-set' - displayName: 'echo-version-set' - versioningScheme: 'Segment' - } - } - displayName: 'Echo API' - name: 'echo-api' - path: 'echo' - serviceUrl: 'http://echoapi.cloudapp.net/api' - } - ] - authorizationServers: { - secureList: [ - { - authorizationEndpoint: '' - clientId: 'apimclientid' - clientRegistrationEndpoint: 'http://localhost' - clientSecret: '' - grantTypes: [ - 'authorizationCode' - ] - name: 'AuthServer1' - tokenEndpoint: '' - } - ] - } - backends: [ - { - name: 'backend' - tls: { - validateCertificateChain: false - validateCertificateName: false - } - url: 'http://echoapi.cloudapp.net/api' - } - ] - caches: [ - { - connectionString: 'connectionstringtest' - name: 'westeurope' - useFromLocation: 'westeurope' - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - identityProviders: [ - { - name: 'aadProvider' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - namedValues: [ - { - displayName: 'apimkey' - name: 'apimkey' - secret: true - } - ] - policies: [ - { - format: 'xml' - value: ' ' - } - ] - portalsettings: [ - { - name: 'signin' - properties: { - enabled: false - } - } - { - name: 'signup' - properties: { - enabled: false - termsOfService: { - consentRequired: false - 
enabled: false - } - } - } - ] - products: [ - { - apis: [ - { - name: 'echo-api' - } - ] - approvalRequired: false - groups: [ - { - name: 'developers' - } - ] - name: 'Starter' - subscriptionRequired: false - } - ] - subscriptions: [ - { - name: 'testArmSubscriptionAllApis' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "apiswaf001" - }, - "publisherEmail": { - "value": "apimgmt-noreply@mail.windowsazure.com" - }, - "publisherName": { - "value": "az-amorg-x-001" - }, - // Non-required parameters - "apis": { - "value": [ - { - "apiVersionSet": { - "name": "echo-version-set", - "properties": { - "description": "echo-version-set", - "displayName": "echo-version-set", - "versioningScheme": "Segment" - } - }, - "displayName": "Echo API", - "name": "echo-api", - "path": "echo", - "serviceUrl": "http://echoapi.cloudapp.net/api" - } - ] - }, - "authorizationServers": { - "value": { - "secureList": [ - { - "authorizationEndpoint": "", - "clientId": "apimclientid", - "clientRegistrationEndpoint": "http://localhost", - "clientSecret": "", - "grantTypes": [ - "authorizationCode" - ], - "name": "AuthServer1", - "tokenEndpoint": "" - } - ] - } - }, - "backends": { - "value": [ - { - "name": "backend", - "tls": { - "validateCertificateChain": false, - "validateCertificateName": false - }, - "url": "http://echoapi.cloudapp.net/api" - } - ] - }, - "caches": { - "value": [ - { - "connectionString": "connectionstringtest", - "name": "westeurope", - "useFromLocation": "westeurope" - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "identityProviders": { - "value": [ - { - "name": "aadProvider" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": 
[ - "" - ] - } - }, - "namedValues": { - "value": [ - { - "displayName": "apimkey", - "name": "apimkey", - "secret": true - } - ] - }, - "policies": { - "value": [ - { - "format": "xml", - "value": " " - } - ] - }, - "portalsettings": { - "value": [ - { - "name": "signin", - "properties": { - "enabled": false - } - }, - { - "name": "signup", - "properties": { - "enabled": false, - "termsOfService": { - "consentRequired": false, - "enabled": false - } - } - } - ] - }, - "products": { - "value": [ - { - "apis": [ - { - "name": "echo-api" - } - ], - "approvalRequired": false, - "groups": [ - { - "name": "developers" - } - ], - "name": "Starter", - "subscriptionRequired": false - } - ] - }, - "subscriptions": { - "value": [ - { - "name": "testArmSubscriptionAllApis" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the API Management service. | -| [`publisherEmail`](#parameter-publisheremail) | string | The email address of the owner of the service. | -| [`publisherName`](#parameter-publishername) | string | The name of the owner of the service. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`additionalLocations`](#parameter-additionallocations) | array | Additional datacenter locations of the API Management service. | -| [`apis`](#parameter-apis) | array | APIs. | -| [`apiVersionSets`](#parameter-apiversionsets) | array | API Version Sets. | -| [`authorizationServers`](#parameter-authorizationservers) | secureObject | Authorization servers. | -| [`backends`](#parameter-backends) | array | Backends. | -| [`caches`](#parameter-caches) | array | Caches. | -| [`certificates`](#parameter-certificates) | array | List of Certificates that need to be installed in the API Management service. Max supported certificates that can be installed is 10. | -| [`customProperties`](#parameter-customproperties) | object | Custom properties of the API Management service. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`disableGateway`](#parameter-disablegateway) | bool | Property only valid for an API Management service deployed in multiple locations. This can be used to disable the gateway in master region. | -| [`enableClientCertificate`](#parameter-enableclientcertificate) | bool | Property only meant to be used for Consumption SKU Service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway. 
| -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`hostnameConfigurations`](#parameter-hostnameconfigurations) | array | Custom hostname configuration of the API Management service. | -| [`identityProviders`](#parameter-identityproviders) | array | Identity providers. | -| [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`minApiVersion`](#parameter-minapiversion) | string | Limit control plane API calls to API Management service with version equal to or newer than this value. | -| [`namedValues`](#parameter-namedvalues) | array | Named values. | -| [`newGuidValue`](#parameter-newguidvalue) | string | Necessary to create a new GUID. | -| [`notificationSenderEmail`](#parameter-notificationsenderemail) | string | The notification sender email address for the service. | -| [`policies`](#parameter-policies) | array | Policies. | -| [`portalsettings`](#parameter-portalsettings) | array | Portal settings. | -| [`products`](#parameter-products) | array | Products. | -| [`restore`](#parameter-restore) | bool | Undelete API Management Service if it was previously soft-deleted. If this flag is specified and set to True all other properties will be ignored. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`sku`](#parameter-sku) | string | The pricing tier of this API Management service. | -| [`skuCount`](#parameter-skucount) | int | The instance size of this API Management service. | -| [`subnetResourceId`](#parameter-subnetresourceid) | string | The full resource ID of a subnet in a virtual network to deploy the API Management service in. | -| [`subscriptions`](#parameter-subscriptions) | array | Subscriptions. 
| -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`virtualNetworkType`](#parameter-virtualnetworktype) | string | The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only. | -| [`zones`](#parameter-zones) | array | A list of availability zones denoting where the resource needs to come from. | - -### Parameter: `name` - -The name of the API Management service. - -- Required: Yes -- Type: string - -### Parameter: `publisherEmail` - -The email address of the owner of the service. - -- Required: Yes -- Type: string - -### Parameter: `publisherName` - -The name of the owner of the service. - -- Required: Yes -- Type: string - -### Parameter: `additionalLocations` - -Additional datacenter locations of the API Management service. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `apis` - -APIs. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `apiVersionSets` - -API Version Sets. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `authorizationServers` - -Authorization servers. - -- Required: No -- Type: secureObject -- Default: `{}` - -### Parameter: `backends` - -Backends. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `caches` - -Caches. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `certificates` - -List of Certificates that need to be installed in the API Management service. Max supported certificates that can be installed is 10. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `customProperties` - -Custom properties of the API Management service. 
- -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. 
| -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
- -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `disableGateway` - -Property only valid for an API Management service deployed in multiple locations. This can be used to disable the gateway in master region. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enableClientCertificate` - -Property only meant to be used for Consumption SKU Service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `hostnameConfigurations` - -Custom hostname configuration of the API Management service. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `identityProviders` - -Identity providers. 
- -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all Resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: No -- Type: array - -### Parameter: `minApiVersion` - -Limit control plane API calls to API Management service with version equal to or newer than this value. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `namedValues` - -Named values. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `newGuidValue` - -Necessary to create a new GUID. 
- -- Required: No -- Type: string -- Default: `[newGuid()]` - -### Parameter: `notificationSenderEmail` - -The notification sender email address for the service. - -- Required: No -- Type: string -- Default: `'apimgmt-noreply@mail.windowsazure.com'` - -### Parameter: `policies` - -Policies. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `portalsettings` - -Portal settings. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `products` - -Products. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `restore` - -Undelete API Management Service if it was previously soft-deleted. If this flag is specified and set to True all other properties will be ignored. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. 
| -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `sku` - -The pricing tier of this API Management service. - -- Required: No -- Type: string -- Default: `'Developer'` -- Allowed: - ```Bicep - [ - 'Basic' - 'Consumption' - 'Developer' - 'Premium' - 'Standard' - ] - ``` - -### Parameter: `skuCount` - -The instance size of this API Management service. - -- Required: No -- Type: int -- Default: `1` -- Allowed: - ```Bicep - [ - 1 - 2 - ] - ``` - -### Parameter: `subnetResourceId` - -The full resource ID of a subnet in a virtual network to deploy the API Management service in. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `subscriptions` - -Subscriptions. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `virtualNetworkType` - -The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only. - -- Required: No -- Type: string -- Default: `'None'` -- Allowed: - ```Bicep - [ - 'External' - 'Internal' - 'None' - ] - ``` - -### Parameter: `zones` - -A list of availability zones denoting where the resource needs to come from. - -- Required: No -- Type: array -- Default: `[]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the API management service. | -| `resourceGroupName` | string | The resource group the API management service was deployed into. 
| -| `resourceId` | string | The resource ID of the API management service. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `apiManagementServicePolicy` - -

- -Parameter JSON format - -```json -"apiManagementServicePolicy": { - "value": { - "value":" ", - "format":"xml" - } -} -``` - -
- -
- -Bicep format - -```bicep -apiManagementServicePolicy: { - value:' ' - format:'xml' -} -``` - -
-

+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/api-management/service/api-version-set/README.md b/modules/api-management/service/api-version-set/README.md
deleted file mode 100644
index 59367616e1..0000000000
--- a/modules/api-management/service/api-version-set/README.md
+++ /dev/null
@@ -1,76 +0,0 @@
-# API Management Service API Version Sets `[Microsoft.ApiManagement/service/apiVersionSets]`
-
-This module deploys an API Management Service API Version Set.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.ApiManagement/service/apiVersionSets` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/apiVersionSets) |
-
-## Parameters
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`apiManagementServiceName`](#parameter-apimanagementservicename) | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`name`](#parameter-name) | string | API Version set name. |
-| [`properties`](#parameter-properties) | object | API Version set properties. |
-
-### Parameter: `apiManagementServiceName`
-
-The name of the parent API Management service. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `name`
-
-API Version set name.
-
-- Required: No
-- Type: string
-- Default: `'default'`
-
-### Parameter: `properties`
-
-API Version set properties.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the API Version set. |
-| `resourceGroupName` | string | The resource group the API Version set was deployed into. |
-| `resourceId` | string | The resource ID of the API Version set. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/api-management/service/api-version-set/main.bicep b/modules/api-management/service/api-version-set/main.bicep
deleted file mode 100644
index 25665f48b7..0000000000
--- a/modules/api-management/service/api-version-set/main.bicep
+++ /dev/null
@@ -1,46 +0,0 @@
-metadata name = 'API Management Service API Version Sets'
-metadata description = 'This module deploys an API Management Service API Version Set.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
-param apiManagementServiceName string
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. API Version set name.')
-param name string = 'default'
-
-@description('Optional. API Version set properties.')
-param properties object = {}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
- name: apiManagementServiceName
-}
-
-resource apiVersionSet 'Microsoft.ApiManagement/service/apiVersionSets@2021-08-01' = {
- name: name
- parent: service
- properties: properties
-}
-
-@description('The resource ID of the API Version set.')
-output resourceId string = apiVersionSet.id
-
-@description('The name of the API Version set.')
-output name string = apiVersionSet.name
-
-@description('The resource group the API Version set was deployed into.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/api-management/service/api-version-set/main.json b/modules/api-management/service/api-version-set/main.json
deleted file mode 100644
index 1dce7d194a..0000000000
--- a/modules/api-management/service/api-version-set/main.json
+++ /dev/null
@@ -1,88 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16962621369738378491" - }, - "name": "API Management Service API Version Sets", - "description": "This module deploys an API Management Service API Version Set.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "apiManagementServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. API Version set name." - } - }, - "properties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. API Version set properties." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ApiManagement/service/apiVersionSets", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', parameters('apiManagementServiceName'), parameters('name'))]", - "properties": "[parameters('properties')]" - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the API Version set." 
- }, - "value": "[resourceId('Microsoft.ApiManagement/service/apiVersionSets', parameters('apiManagementServiceName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the API Version set." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the API Version set was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -}
\ No newline at end of file
diff --git a/modules/api-management/service/api-version-set/version.json b/modules/api-management/service/api-version-set/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/api-management/service/api-version-set/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/api-management/service/api/README.md b/modules/api-management/service/api/README.md
deleted file mode 100644
index 8f7687330e..0000000000
--- a/modules/api-management/service/api/README.md
+++ /dev/null
@@ -1,297 +0,0 @@ -# API Management Service APIs `[Microsoft.ApiManagement/service/apis]` - -This module deploys an API Management Service API. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.ApiManagement/service/apis` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/apis) | -| `Microsoft.ApiManagement/service/apis/policies` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/apis/policies) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`displayName`](#parameter-displayname) | string | API name. Must be 1 to 300 characters long. | -| [`name`](#parameter-name) | string | API revision identifier. Must be unique in the current API Management service instance. Non-current revision has ;rev=n as a suffix where n is the revision number. | -| [`path`](#parameter-path) | string | Relative URL uniquely identifying this API and all of its resource paths within the API Management service instance. It is appended to the API endpoint base URL specified during the service instance creation to form a public URL for this API. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`apiManagementServiceName`](#parameter-apimanagementservicename) | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`apiDescription`](#parameter-apidescription) | string | Description of the API. May include HTML formatting tags. | -| [`apiRevision`](#parameter-apirevision) | string | Describes the Revision of the API. 
If no value is provided, default revision 1 is created. | -| [`apiRevisionDescription`](#parameter-apirevisiondescription) | string | Description of the API Revision. | -| [`apiType`](#parameter-apitype) | string | Type of API to create. * http creates a REST API * soap creates a SOAP pass-through API * websocket creates websocket API * graphql creates GraphQL API. | -| [`apiVersion`](#parameter-apiversion) | string | Indicates the Version identifier of the API if the API is versioned. | -| [`apiVersionDescription`](#parameter-apiversiondescription) | string | Description of the API Version. | -| [`apiVersionSetId`](#parameter-apiversionsetid) | string | Indicates the Version identifier of the API version set. | -| [`authenticationSettings`](#parameter-authenticationsettings) | object | Collection of authentication settings included into this API. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`format`](#parameter-format) | string | Format of the Content in which the API is getting imported. | -| [`isCurrent`](#parameter-iscurrent) | bool | Indicates if API revision is current API revision. | -| [`policies`](#parameter-policies) | array | Array of Policies to apply to the Service API. | -| [`protocols`](#parameter-protocols) | array | Describes on which protocols the operations in this API can be invoked. - HTTP or HTTPS. | -| [`serviceUrl`](#parameter-serviceurl) | string | Absolute URL of the backend service implementing this API. Cannot be more than 2000 characters long. | -| [`sourceApiId`](#parameter-sourceapiid) | string | API identifier of the source API. | -| [`subscriptionKeyParameterNames`](#parameter-subscriptionkeyparameternames) | object | Protocols over which API is made available. | -| [`subscriptionRequired`](#parameter-subscriptionrequired) | bool | Specifies whether an API or Product subscription is required for accessing the API. 
| -| [`type`](#parameter-type) | string | Type of API. | -| [`value`](#parameter-value) | string | Content value when Importing an API. | -| [`wsdlSelector`](#parameter-wsdlselector) | object | Criteria to limit import of WSDL to a subset of the document. | - -### Parameter: `displayName` - -API name. Must be 1 to 300 characters long. - -- Required: Yes -- Type: string - -### Parameter: `name` - -API revision identifier. Must be unique in the current API Management service instance. Non-current revision has ;rev=n as a suffix where n is the revision number. - -- Required: Yes -- Type: string - -### Parameter: `path` - -Relative URL uniquely identifying this API and all of its resource paths within the API Management service instance. It is appended to the API endpoint base URL specified during the service instance creation to form a public URL for this API. - -- Required: Yes -- Type: string - -### Parameter: `apiManagementServiceName` - -The name of the parent API Management service. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `apiDescription` - -Description of the API. May include HTML formatting tags. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `apiRevision` - -Describes the Revision of the API. If no value is provided, default revision 1 is created. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `apiRevisionDescription` - -Description of the API Revision. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `apiType` - -Type of API to create. * http creates a REST API * soap creates a SOAP pass-through API * websocket creates websocket API * graphql creates GraphQL API. - -- Required: No -- Type: string -- Default: `'http'` -- Allowed: - ```Bicep - [ - 'graphql' - 'http' - 'soap' - 'websocket' - ] - ``` - -### Parameter: `apiVersion` - -Indicates the Version identifier of the API if the API is versioned. 
- -- Required: No -- Type: string -- Default: `''` - -### Parameter: `apiVersionDescription` - -Description of the API Version. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `apiVersionSetId` - -Indicates the Version identifier of the API version set. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `authenticationSettings` - -Collection of authentication settings included into this API. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `format` - -Format of the Content in which the API is getting imported. - -- Required: No -- Type: string -- Default: `'openapi'` -- Allowed: - ```Bicep - [ - 'openapi' - 'openapi-link' - 'openapi+json' - 'openapi+json-link' - 'swagger-json' - 'swagger-link-json' - 'wadl-link-json' - 'wadl-xml' - 'wsdl' - 'wsdl-link' - ] - ``` - -### Parameter: `isCurrent` - -Indicates if API revision is current API revision. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `policies` - -Array of Policies to apply to the Service API. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `protocols` - -Describes on which protocols the operations in this API can be invoked. - HTTP or HTTPS. - -- Required: No -- Type: array -- Default: - ```Bicep - [ - 'https' - ] - ``` - -### Parameter: `serviceUrl` - -Absolute URL of the backend service implementing this API. Cannot be more than 2000 characters long. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `sourceApiId` - -API identifier of the source API. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `subscriptionKeyParameterNames` - -Protocols over which API is made available. 
- -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `subscriptionRequired` - -Specifies whether an API or Product subscription is required for accessing the API. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `type` - -Type of API. - -- Required: No -- Type: string -- Default: `'http'` -- Allowed: - ```Bicep - [ - 'graphql' - 'http' - 'soap' - 'websocket' - ] - ``` - -### Parameter: `value` - -Content value when Importing an API. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `wsdlSelector` - -Criteria to limit import of WSDL to a subset of the document. - -- Required: No -- Type: object -- Default: `{}` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the API management service API. | -| `resourceGroupName` | string | The resource group the API management service API was deployed to. | -| `resourceId` | string | The resource ID of the API management service API. | - -## Cross-referenced modules - -_None_ diff --git a/modules/api-management/service/api/main.bicep b/modules/api-management/service/api/main.bicep deleted file mode 100644 index f61e9bf0d5..0000000000 --- a/modules/api-management/service/api/main.bicep +++ /dev/null 
@@ -1,168 +0,0 @@ -metadata name = 'API Management Service APIs' -metadata description = 'This module deploys an API Management Service API.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. API revision identifier. Must be unique in the current API Management service instance. Non-current revision has ;rev=n as a suffix where n is the revision number.') -param name string - -@description('Optional. Array of Policies to apply to the Service API.') -param policies array = [] - -@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.') -param apiManagementServiceName string - -@description('Optional. Describes the Revision of the API. If no value is provided, default revision 1 is created.') -param apiRevision string = '' - -@description('Optional. Description of the API Revision.') -param apiRevisionDescription string = '' - -@description('Optional. Type of API to create. * http creates a REST API * soap creates a SOAP pass-through API * websocket creates websocket API * graphql creates GraphQL API.') -@allowed([ - 'graphql' - 'http' - 'soap' - 'websocket' -]) -param apiType string = 'http' - -@description('Optional. Indicates the Version identifier of the API if the API is versioned.') -param apiVersion string = '' - -@description('Optional. Indicates the Version identifier of the API version set.') -param apiVersionSetId string = '' - -@description('Optional. Description of the API Version.') -param apiVersionDescription string = '' - -@description('Optional. Collection of authentication settings included into this API.') -param authenticationSettings object = {} - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. Description of the API. May include HTML formatting tags.') -param apiDescription string = '' - -@description('Required. API name. 
Must be 1 to 300 characters long.') -@maxLength(300) -param displayName string - -@description('Optional. Format of the Content in which the API is getting imported.') -@allowed([ - 'wadl-xml' - 'wadl-link-json' - 'swagger-json' - 'swagger-link-json' - 'wsdl' - 'wsdl-link' - 'openapi' - 'openapi+json' - 'openapi-link' - 'openapi+json-link' -]) -param format string = 'openapi' - -@description('Optional. Indicates if API revision is current API revision.') -param isCurrent bool = true - -@description('Required. Relative URL uniquely identifying this API and all of its resource paths within the API Management service instance. It is appended to the API endpoint base URL specified during the service instance creation to form a public URL for this API.') -param path string - -@description('Optional. Describes on which protocols the operations in this API can be invoked. - HTTP or HTTPS.') -param protocols array = [ - 'https' -] - -@description('Optional. Absolute URL of the backend service implementing this API. Cannot be more than 2000 characters long.') -@maxLength(2000) -param serviceUrl string = '' - -@description('Optional. API identifier of the source API.') -param sourceApiId string = '' - -@description('Optional. Protocols over which API is made available.') -param subscriptionKeyParameterNames object = {} - -@description('Optional. Specifies whether an API or Product subscription is required for accessing the API.') -param subscriptionRequired bool = false - -@description('Optional. Type of API.') -@allowed([ - 'graphql' - 'http' - 'soap' - 'websocket' -]) -param type string = 'http' - -@description('Optional. Content value when Importing an API.') -param value string = '' - -@description('Optional. 
Criteria to limit import of WSDL to a subset of the document.') -param wsdlSelector object = {} - -var enableReferencedModulesTelemetry = false - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = { - name: apiManagementServiceName -} - -resource api 'Microsoft.ApiManagement/service/apis@2021-08-01' = { - name: name - parent: service - properties: { - apiRevision: !empty(apiRevision) ? apiRevision : null - apiRevisionDescription: !empty(apiRevisionDescription) ? apiRevisionDescription : null - apiType: !empty(apiType) ? apiType : null - apiVersion: !empty(apiVersion) ? apiVersion : null - apiVersionDescription: !empty(apiVersionDescription) ? apiVersionDescription : null - apiVersionSetId: !empty(apiVersionSetId) ? apiVersionSetId : null - authenticationSettings: authenticationSettings - description: apiDescription - displayName: displayName - format: !empty(value) ? format : null - isCurrent: isCurrent - path: path - protocols: protocols - serviceUrl: !empty(serviceUrl) ? serviceUrl : null - sourceApiId: !empty(sourceApiId) ? sourceApiId : null - subscriptionKeyParameterNames: !empty(subscriptionKeyParameterNames) ? subscriptionKeyParameterNames : null - subscriptionRequired: subscriptionRequired - type: type - value: !empty(value) ? value : null - wsdlSelector: wsdlSelector - } -} - -module policy 'policy/main.bicep' = [for (policy, index) in policies: { - name: '${deployment().name}-Policy-${index}' - params: { - apiManagementServiceName: apiManagementServiceName - apiName: api.name - format: contains(policy, 'format') ? 
policy.format : 'xml' - value: policy.value - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -@description('The name of the API management service API.') -output name string = api.name - -@description('The resource ID of the API management service API.') -output resourceId string = api.id - -@description('The resource group the API management service API was deployed to.') -output resourceGroupName string = resourceGroup().name diff --git a/modules/api-management/service/api/main.json b/modules/api-management/service/api/main.json deleted file mode 100644 index 9baad434aa..0000000000 --- a/modules/api-management/service/api/main.json +++ /dev/null 
@@ -1,419 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11512052528068634292" - }, - "name": "API Management Service APIs", - "description": "This module deploys an API Management Service API.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. API revision identifier. Must be unique in the current API Management service instance. Non-current revision has ;rev=n as a suffix where n is the revision number." - } - }, - "policies": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of Policies to apply to the Service API." - } - }, - "apiManagementServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment." - } - }, - "apiRevision": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Describes the Revision of the API. If no value is provided, default revision 1 is created." - } - }, - "apiRevisionDescription": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Description of the API Revision." - } - }, - "apiType": { - "type": "string", - "defaultValue": "http", - "allowedValues": [ - "graphql", - "http", - "soap", - "websocket" - ], - "metadata": { - "description": "Optional. Type of API to create. * http creates a REST API * soap creates a SOAP pass-through API * websocket creates websocket API * graphql creates GraphQL API." - } - }, - "apiVersion": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Indicates the Version identifier of the API if the API is versioned." 
- } - }, - "apiVersionSetId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Indicates the Version identifier of the API version set." - } - }, - "apiVersionDescription": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Description of the API Version." - } - }, - "authenticationSettings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Collection of authentication settings included into this API." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "apiDescription": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Description of the API. May include HTML formatting tags." - } - }, - "displayName": { - "type": "string", - "maxLength": 300, - "metadata": { - "description": "Required. API name. Must be 1 to 300 characters long." - } - }, - "format": { - "type": "string", - "defaultValue": "openapi", - "allowedValues": [ - "wadl-xml", - "wadl-link-json", - "swagger-json", - "swagger-link-json", - "wsdl", - "wsdl-link", - "openapi", - "openapi+json", - "openapi-link", - "openapi+json-link" - ], - "metadata": { - "description": "Optional. Format of the Content in which the API is getting imported." - } - }, - "isCurrent": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Indicates if API revision is current API revision." - } - }, - "path": { - "type": "string", - "metadata": { - "description": "Required. Relative URL uniquely identifying this API and all of its resource paths within the API Management service instance. It is appended to the API endpoint base URL specified during the service instance creation to form a public URL for this API." 
- } - }, - "protocols": { - "type": "array", - "defaultValue": [ - "https" - ], - "metadata": { - "description": "Optional. Describes on which protocols the operations in this API can be invoked. - HTTP or HTTPS." - } - }, - "serviceUrl": { - "type": "string", - "defaultValue": "", - "maxLength": 2000, - "metadata": { - "description": "Optional. Absolute URL of the backend service implementing this API. Cannot be more than 2000 characters long." - } - }, - "sourceApiId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. API identifier of the source API." - } - }, - "subscriptionKeyParameterNames": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Protocols over which API is made available." - } - }, - "subscriptionRequired": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether an API or Product subscription is required for accessing the API." - } - }, - "type": { - "type": "string", - "defaultValue": "http", - "allowedValues": [ - "graphql", - "http", - "soap", - "websocket" - ], - "metadata": { - "description": "Optional. Type of API." - } - }, - "value": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Content value when Importing an API." - } - }, - "wsdlSelector": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Criteria to limit import of WSDL to a subset of the document." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ApiManagement/service/apis", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', parameters('apiManagementServiceName'), parameters('name'))]", - "properties": { - "apiRevision": "[if(not(empty(parameters('apiRevision'))), parameters('apiRevision'), null())]", - "apiRevisionDescription": "[if(not(empty(parameters('apiRevisionDescription'))), parameters('apiRevisionDescription'), null())]", - "apiType": "[if(not(empty(parameters('apiType'))), parameters('apiType'), null())]", - "apiVersion": "[if(not(empty(parameters('apiVersion'))), parameters('apiVersion'), null())]", - "apiVersionDescription": "[if(not(empty(parameters('apiVersionDescription'))), parameters('apiVersionDescription'), null())]", - "apiVersionSetId": "[if(not(empty(parameters('apiVersionSetId'))), parameters('apiVersionSetId'), null())]", - "authenticationSettings": "[parameters('authenticationSettings')]", - "description": "[parameters('apiDescription')]", - "displayName": "[parameters('displayName')]", - "format": "[if(not(empty(parameters('value'))), parameters('format'), null())]", - "isCurrent": "[parameters('isCurrent')]", - "path": "[parameters('path')]", - "protocols": "[parameters('protocols')]", - "serviceUrl": "[if(not(empty(parameters('serviceUrl'))), parameters('serviceUrl'), null())]", - "sourceApiId": "[if(not(empty(parameters('sourceApiId'))), parameters('sourceApiId'), null())]", - 
"subscriptionKeyParameterNames": "[if(not(empty(parameters('subscriptionKeyParameterNames'))), parameters('subscriptionKeyParameterNames'), null())]", - "subscriptionRequired": "[parameters('subscriptionRequired')]", - "type": "[parameters('type')]", - "value": "[if(not(empty(parameters('value'))), parameters('value'), null())]", - "wsdlSelector": "[parameters('wsdlSelector')]" - } - }, - { - "copy": { - "name": "policy", - "count": "[length(parameters('policies'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Policy-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "apiManagementServiceName": { - "value": "[parameters('apiManagementServiceName')]" - }, - "apiName": { - "value": "[parameters('name')]" - }, - "format": "[if(contains(parameters('policies')[copyIndex()], 'format'), createObject('value', parameters('policies')[copyIndex()].format), createObject('value', 'xml'))]", - "value": { - "value": "[parameters('policies')[copyIndex()].value]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17230254380289042348" - }, - "name": "API Management Service APIs Policies", - "description": "This module deploys an API Management Service API Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "apiManagementServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment." - } - }, - "apiName": { - "type": "string", - "metadata": { - "description": "Conditional. 
The name of the parent API. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "policy", - "metadata": { - "description": "Optional. The name of the policy." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "format": { - "type": "string", - "defaultValue": "xml", - "allowedValues": [ - "rawxml", - "rawxml-link", - "xml", - "xml-link" - ], - "metadata": { - "description": "Optional. Format of the policyContent." - } - }, - "value": { - "type": "string", - "metadata": { - "description": "Required. Contents of the Policy as defined by the format." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ApiManagement/service/apis/policies", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}/{2}', parameters('apiManagementServiceName'), parameters('apiName'), parameters('name'))]", - "properties": { - "format": "[parameters('format')]", - "value": "[parameters('value')]" - } - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the API policy." - }, - "value": "[resourceId('Microsoft.ApiManagement/service/apis/policies', parameters('apiManagementServiceName'), parameters('apiName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the API policy." 
- }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the API policy was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "[resourceId('Microsoft.ApiManagement/service/apis', parameters('apiManagementServiceName'), parameters('name'))]" - ] - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the API management service API." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the API management service API." - }, - "value": "[resourceId('Microsoft.ApiManagement/service/apis', parameters('apiManagementServiceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the API management service API was deployed to." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/api-management/service/api/policy/README.md b/modules/api-management/service/api/policy/README.md deleted file mode 100644 index aa6e2a665e..0000000000 --- a/modules/api-management/service/api/policy/README.md +++ /dev/null 
@@ -1,106 +0,0 @@
-# API Management Service APIs Policies `[Microsoft.ApiManagement/service/apis/policies]`
-
-This module deploys an API Management Service API Policy.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.ApiManagement/service/apis/policies` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/apis/policies) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`value`](#parameter-value) | string | Contents of the Policy as defined by the format. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`apiManagementServiceName`](#parameter-apimanagementservicename) | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
-| [`apiName`](#parameter-apiname) | string | The name of the parent API. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`format`](#parameter-format) | string | Format of the policyContent. |
-| [`name`](#parameter-name) | string | The name of the policy. |
-
-### Parameter: `value`
-
-Contents of the Policy as defined by the format.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `apiManagementServiceName`
-
-The name of the parent API Management service. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `apiName`
-
-The name of the parent API. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `format`
-
-Format of the policyContent.
-
-- Required: No
-- Type: string
-- Default: `'xml'`
-- Allowed:
- ```Bicep
- [
- 'rawxml'
- 'rawxml-link'
- 'xml'
- 'xml-link'
- ]
- ```
-
-### Parameter: `name`
-
-The name of the policy.
-
-- Required: No
-- Type: string
-- Default: `'policy'`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the API policy. |
-| `resourceGroupName` | string | The resource group the API policy was deployed into. |
-| `resourceId` | string | The resource ID of the API policy. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/api-management/service/api/policy/main.bicep b/modules/api-management/service/api/policy/main.bicep
deleted file mode 100644
index f6ce3106b9..0000000000
--- a/modules/api-management/service/api/policy/main.bicep
+++ /dev/null
@@ -1,65 +0,0 @@
-metadata name = 'API Management Service APIs Policies'
-metadata description = 'This module deploys an API Management Service API Policy.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
-param apiManagementServiceName string
-
-@description('Conditional. The name of the parent API. Required if the template is used in a standalone deployment.')
-param apiName string
-
-@description('Optional. The name of the policy.')
-param name string = 'policy'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. Format of the policyContent.')
-@allowed([
- 'rawxml'
- 'rawxml-link'
- 'xml'
- 'xml-link'
-])
-param format string = 'xml'
-
-@description('Required. Contents of the Policy as defined by the format.')
-param value string
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
- name: apiManagementServiceName
-
- resource api 'apis@2021-08-01' existing = {
- name: apiName
- }
-}
-
-resource policy 'Microsoft.ApiManagement/service/apis/policies@2021-08-01' = {
- name: name
- parent: service::api
- properties: {
- format: format
- value: value
- }
-}
-
-@description('The resource ID of the API policy.')
-output resourceId string = policy.id
-
-@description('The name of the API policy.')
-output name string = policy.name
-
-@description('The resource group the API policy was deployed into.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/api-management/service/api/policy/main.json b/modules/api-management/service/api/policy/main.json
deleted file mode 100644
index d497a5e4af..0000000000
--- a/modules/api-management/service/api/policy/main.json
+++ /dev/null
@@ -1,109 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17230254380289042348" - }, - "name": "API Management Service APIs Policies", - "description": "This module deploys an API Management Service API Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "apiManagementServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment." - } - }, - "apiName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent API. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "policy", - "metadata": { - "description": "Optional. The name of the policy." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "format": { - "type": "string", - "defaultValue": "xml", - "allowedValues": [ - "rawxml", - "rawxml-link", - "xml", - "xml-link" - ], - "metadata": { - "description": "Optional. Format of the policyContent." - } - }, - "value": { - "type": "string", - "metadata": { - "description": "Required. Contents of the Policy as defined by the format." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ApiManagement/service/apis/policies", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}/{2}', parameters('apiManagementServiceName'), parameters('apiName'), parameters('name'))]", - "properties": { - "format": "[parameters('format')]", - "value": "[parameters('value')]" - } - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the API policy." - }, - "value": "[resourceId('Microsoft.ApiManagement/service/apis/policies', parameters('apiManagementServiceName'), parameters('apiName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the API policy." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the API policy was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/api-management/service/api/policy/version.json b/modules/api-management/service/api/policy/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/api-management/service/api/policy/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/api-management/service/api/version.json b/modules/api-management/service/api/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/api-management/service/api/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/api-management/service/authorization-server/README.md b/modules/api-management/service/authorization-server/README.md
deleted file mode 100644
index 9c72d842e4..0000000000
--- a/modules/api-management/service/authorization-server/README.md
+++ /dev/null
@@ -1,217 +0,0 @@ -# API Management Service Authorization Servers `[Microsoft.ApiManagement/service/authorizationServers]` - -This module deploys an API Management Service Authorization Server. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.ApiManagement/service/authorizationServers` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/authorizationServers) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`authorizationEndpoint`](#parameter-authorizationendpoint) | string | OAuth authorization endpoint. See . | -| [`clientId`](#parameter-clientid) | securestring | Client or app ID registered with this authorization server. | -| [`clientSecret`](#parameter-clientsecret) | securestring | Client or app secret registered with this authorization server. This property will not be filled on 'GET' operations! Use '/listSecrets' POST request to get the value. | -| [`grantTypes`](#parameter-granttypes) | array | Form of an authorization grant, which the client uses to request the access token. - authorizationCode, implicit, resourceOwnerPassword, clientCredentials. | -| [`name`](#parameter-name) | string | Identifier of the authorization server. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`apiManagementServiceName`](#parameter-apimanagementservicename) | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`authorizationMethods`](#parameter-authorizationmethods) | array | HTTP verbs supported by the authorization endpoint. GET must be always present. 
POST is optional. - HEAD, OPTIONS, TRACE, GET, POST, PUT, PATCH, DELETE. | -| [`bearerTokenSendingMethods`](#parameter-bearertokensendingmethods) | array | Specifies the mechanism by which access token is passed to the API. - authorizationHeader or query. | -| [`clientAuthenticationMethod`](#parameter-clientauthenticationmethod) | array | Method of authentication supported by the token endpoint of this authorization server. Possible values are Basic and/or Body. When Body is specified, client credentials and other parameters are passed within the request body in the application/x-www-form-urlencoded format. - Basic or Body. | -| [`clientRegistrationEndpoint`](#parameter-clientregistrationendpoint) | string | Optional reference to a page where client or app registration for this authorization server is performed. Contains absolute URL to entity being referenced. | -| [`defaultScope`](#parameter-defaultscope) | string | Access token scope that is going to be requested by default. Can be overridden at the API level. Should be provided in the form of a string containing space-delimited values. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`resourceOwnerPassword`](#parameter-resourceownerpassword) | string | Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner password. | -| [`resourceOwnerUsername`](#parameter-resourceownerusername) | string | Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner username. | -| [`serverDescription`](#parameter-serverdescription) | string | Description of the authorization server. Can contain HTML formatting tags. | -| [`supportState`](#parameter-supportstate) | bool | If true, authorization server will include state parameter from the authorization request to its response. 
Client may use state parameter to raise protocol security. | -| [`tokenBodyParameters`](#parameter-tokenbodyparameters) | array | Additional parameters required by the token endpoint of this authorization server represented as an array of JSON objects with name and value string properties, i.e. {"name" : "name value", "value": "a value"}. - TokenBodyParameterContract object. | -| [`tokenEndpoint`](#parameter-tokenendpoint) | string | OAuth token endpoint. Contains absolute URI to entity being referenced. | - -### Parameter: `authorizationEndpoint` - -OAuth authorization endpoint. See . - -- Required: Yes -- Type: string - -### Parameter: `clientId` - -Client or app ID registered with this authorization server. - -- Required: Yes -- Type: securestring - -### Parameter: `clientSecret` - -Client or app secret registered with this authorization server. This property will not be filled on 'GET' operations! Use '/listSecrets' POST request to get the value. - -- Required: Yes -- Type: securestring - -### Parameter: `grantTypes` - -Form of an authorization grant, which the client uses to request the access token. - authorizationCode, implicit, resourceOwnerPassword, clientCredentials. - -- Required: Yes -- Type: array - -### Parameter: `name` - -Identifier of the authorization server. - -- Required: Yes -- Type: string - -### Parameter: `apiManagementServiceName` - -The name of the parent API Management service. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `authorizationMethods` - -HTTP verbs supported by the authorization endpoint. GET must be always present. POST is optional. - HEAD, OPTIONS, TRACE, GET, POST, PUT, PATCH, DELETE. - -- Required: No -- Type: array -- Default: - ```Bicep - [ - 'GET' - ] - ``` - -### Parameter: `bearerTokenSendingMethods` - -Specifies the mechanism by which access token is passed to the API. - authorizationHeader or query. 
- -- Required: No -- Type: array -- Default: - ```Bicep - [ - 'authorizationHeader' - ] - ``` - -### Parameter: `clientAuthenticationMethod` - -Method of authentication supported by the token endpoint of this authorization server. Possible values are Basic and/or Body. When Body is specified, client credentials and other parameters are passed within the request body in the application/x-www-form-urlencoded format. - Basic or Body. - -- Required: No -- Type: array -- Default: - ```Bicep - [ - 'Basic' - ] - ``` - -### Parameter: `clientRegistrationEndpoint` - -Optional reference to a page where client or app registration for this authorization server is performed. Contains absolute URL to entity being referenced. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `defaultScope` - -Access token scope that is going to be requested by default. Can be overridden at the API level. Should be provided in the form of a string containing space-delimited values. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `resourceOwnerPassword` - -Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner password. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `resourceOwnerUsername` - -Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner username. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `serverDescription` - -Description of the authorization server. Can contain HTML formatting tags. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `supportState` - -If true, authorization server will include state parameter from the authorization request to its response. 
Client may use state parameter to raise protocol security. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `tokenBodyParameters` - -Additional parameters required by the token endpoint of this authorization server represented as an array of JSON objects with name and value string properties, i.e. {"name" : "name value", "value": "a value"}. - TokenBodyParameterContract object. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `tokenEndpoint` - -OAuth token endpoint. Contains absolute URI to entity being referenced. - -- Required: No -- Type: string -- Default: `''` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the API management service authorization server. | -| `resourceGroupName` | string | The resource group the API management service authorization server was deployed into. | -| `resourceId` | string | The resource ID of the API management service authorization server. | - -## Cross-referenced modules - -_None_ diff --git a/modules/api-management/service/authorization-server/main.bicep b/modules/api-management/service/authorization-server/main.bicep deleted file mode 100644 index ca3c346b87..0000000000 --- a/modules/api-management/service/authorization-server/main.bicep +++ /dev/null 
@@ -1,119 +0,0 @@ -metadata name = 'API Management Service Authorization Servers' -metadata description = 'This module deploys an API Management Service Authorization Server.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. Identifier of the authorization server.') -param name string - -@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.') -param apiManagementServiceName string - -@description('Required. OAuth authorization endpoint. See .') -param authorizationEndpoint string - -@description('Optional. HTTP verbs supported by the authorization endpoint. GET must be always present. POST is optional. - HEAD, OPTIONS, TRACE, GET, POST, PUT, PATCH, DELETE.') -param authorizationMethods array = [ - 'GET' -] - -@description('Optional. Specifies the mechanism by which access token is passed to the API. - authorizationHeader or query.') -param bearerTokenSendingMethods array = [ - 'authorizationHeader' -] - -@description('Optional. Method of authentication supported by the token endpoint of this authorization server. Possible values are Basic and/or Body. When Body is specified, client credentials and other parameters are passed within the request body in the application/x-www-form-urlencoded format. - Basic or Body.') -param clientAuthenticationMethod array = [ - 'Basic' -] - -@description('Required. Client or app ID registered with this authorization server.') -@secure() -param clientId string - -@description('Optional. Optional reference to a page where client or app registration for this authorization server is performed. Contains absolute URL to entity being referenced.') -param clientRegistrationEndpoint string = '' - -@description('Required. Client or app secret registered with this authorization server. This property will not be filled on \'GET\' operations! 
Use \'/listSecrets\' POST request to get the value.') -@secure() -param clientSecret string - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. Access token scope that is going to be requested by default. Can be overridden at the API level. Should be provided in the form of a string containing space-delimited values.') -param defaultScope string = '' - -@description('Optional. Description of the authorization server. Can contain HTML formatting tags.') -param serverDescription string = '' - -@description('Required. Form of an authorization grant, which the client uses to request the access token. - authorizationCode, implicit, resourceOwnerPassword, clientCredentials.') -param grantTypes array - -@description('Optional. Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner password.') -#disable-next-line secure-secrets-in-params // Not a secret -param resourceOwnerPassword string = '' - -@description('Optional. Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner username.') -param resourceOwnerUsername string = '' - -@description('Optional. If true, authorization server will include state parameter from the authorization request to its response. Client may use state parameter to raise protocol security.') -param supportState bool = false - -@description('Optional. Additional parameters required by the token endpoint of this authorization server represented as an array of JSON objects with name and value string properties, i.e. {"name" : "name value", "value": "a value"}. - TokenBodyParameterContract object.') -param tokenBodyParameters array = [] - -@description('Optional. OAuth token endpoint. 
Contains absolute URI to entity being referenced.') -param tokenEndpoint string = '' - -var defaultAuthorizationMethods = [ - 'GET' -] -var setAuthorizationMethods = union(authorizationMethods, defaultAuthorizationMethods) - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = { - name: apiManagementServiceName -} - -resource authorizationServer 'Microsoft.ApiManagement/service/authorizationServers@2021-08-01' = { - name: name - parent: service - properties: { - description: serverDescription - authorizationMethods: setAuthorizationMethods - clientAuthenticationMethod: clientAuthenticationMethod - tokenBodyParameters: tokenBodyParameters - tokenEndpoint: tokenEndpoint - supportState: supportState - defaultScope: defaultScope - bearerTokenSendingMethods: bearerTokenSendingMethods - resourceOwnerUsername: resourceOwnerUsername - resourceOwnerPassword: resourceOwnerPassword - displayName: name - clientRegistrationEndpoint: clientRegistrationEndpoint - authorizationEndpoint: authorizationEndpoint - grantTypes: grantTypes - clientId: clientId - clientSecret: clientSecret - } -} - -@description('The name of the API management service authorization server.') -output name string = authorizationServer.name - -@description('The resource ID of the API management service authorization server.') -output resourceId string = authorizationServer.id - -@description('The resource group the API management service authorization server was deployed into.') -output resourceGroupName string = resourceGroup().name 
diff --git a/modules/api-management/service/authorization-server/main.json b/modules/api-management/service/authorization-server/main.json
deleted file mode 100644
index a88731af50..0000000000
--- a/modules/api-management/service/authorization-server/main.json
+++ /dev/null
@@ -1,210 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4791396269511004286" - }, - "name": "API Management Service Authorization Servers", - "description": "This module deploys an API Management Service Authorization Server.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Identifier of the authorization server." - } - }, - "apiManagementServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment." - } - }, - "authorizationEndpoint": { - "type": "string", - "metadata": { - "description": "Required. OAuth authorization endpoint. See ." - } - }, - "authorizationMethods": { - "type": "array", - "defaultValue": [ - "GET" - ], - "metadata": { - "description": "Optional. HTTP verbs supported by the authorization endpoint. GET must be always present. POST is optional. - HEAD, OPTIONS, TRACE, GET, POST, PUT, PATCH, DELETE." - } - }, - "bearerTokenSendingMethods": { - "type": "array", - "defaultValue": [ - "authorizationHeader" - ], - "metadata": { - "description": "Optional. Specifies the mechanism by which access token is passed to the API. - authorizationHeader or query." - } - }, - "clientAuthenticationMethod": { - "type": "array", - "defaultValue": [ - "Basic" - ], - "metadata": { - "description": "Optional. Method of authentication supported by the token endpoint of this authorization server. Possible values are Basic and/or Body. When Body is specified, client credentials and other parameters are passed within the request body in the application/x-www-form-urlencoded format. - Basic or Body." 
- } - }, - "clientId": { - "type": "securestring", - "metadata": { - "description": "Required. Client or app ID registered with this authorization server." - } - }, - "clientRegistrationEndpoint": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Optional reference to a page where client or app registration for this authorization server is performed. Contains absolute URL to entity being referenced." - } - }, - "clientSecret": { - "type": "securestring", - "metadata": { - "description": "Required. Client or app secret registered with this authorization server. This property will not be filled on 'GET' operations! Use '/listSecrets' POST request to get the value." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "defaultScope": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Access token scope that is going to be requested by default. Can be overridden at the API level. Should be provided in the form of a string containing space-delimited values." - } - }, - "serverDescription": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Description of the authorization server. Can contain HTML formatting tags." - } - }, - "grantTypes": { - "type": "array", - "metadata": { - "description": "Required. Form of an authorization grant, which the client uses to request the access token. - authorizationCode, implicit, resourceOwnerPassword, clientCredentials." - } - }, - "resourceOwnerPassword": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner password." 
- } - }, - "resourceOwnerUsername": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner username." - } - }, - "supportState": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. If true, authorization server will include state parameter from the authorization request to its response. Client may use state parameter to raise protocol security." - } - }, - "tokenBodyParameters": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Additional parameters required by the token endpoint of this authorization server represented as an array of JSON objects with name and value string properties, i.e. {\"name\" : \"name value\", \"value\": \"a value\"}. - TokenBodyParameterContract object." - } - }, - "tokenEndpoint": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. OAuth token endpoint. Contains absolute URI to entity being referenced." 
- } - } - }, - "variables": { - "defaultAuthorizationMethods": [ - "GET" - ], - "setAuthorizationMethods": "[union(parameters('authorizationMethods'), variables('defaultAuthorizationMethods'))]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ApiManagement/service/authorizationServers", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', parameters('apiManagementServiceName'), parameters('name'))]", - "properties": { - "description": "[parameters('serverDescription')]", - "authorizationMethods": "[variables('setAuthorizationMethods')]", - "clientAuthenticationMethod": "[parameters('clientAuthenticationMethod')]", - "tokenBodyParameters": "[parameters('tokenBodyParameters')]", - "tokenEndpoint": "[parameters('tokenEndpoint')]", - "supportState": "[parameters('supportState')]", - "defaultScope": "[parameters('defaultScope')]", - "bearerTokenSendingMethods": "[parameters('bearerTokenSendingMethods')]", - "resourceOwnerUsername": "[parameters('resourceOwnerUsername')]", - "resourceOwnerPassword": "[parameters('resourceOwnerPassword')]", - "displayName": "[parameters('name')]", - "clientRegistrationEndpoint": "[parameters('clientRegistrationEndpoint')]", - "authorizationEndpoint": "[parameters('authorizationEndpoint')]", - "grantTypes": "[parameters('grantTypes')]", - "clientId": "[parameters('clientId')]", - "clientSecret": "[parameters('clientSecret')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the API management service authorization server." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the API management service authorization server." - }, - "value": "[resourceId('Microsoft.ApiManagement/service/authorizationServers', parameters('apiManagementServiceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the API management service authorization server was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/api-management/service/authorization-server/version.json b/modules/api-management/service/authorization-server/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/api-management/service/authorization-server/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/api-management/service/backend/README.md b/modules/api-management/service/backend/README.md deleted file mode 100644 index fd4dd42342..0000000000 --- a/modules/api-management/service/backend/README.md +++ /dev/null 
@@ -1,236 +0,0 @@ -# API Management Service Backends `[Microsoft.ApiManagement/service/backends]` - -This module deploys an API Management Service Backend. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.ApiManagement/service/backends` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/backends) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Backend Name. | -| [`url`](#parameter-url) | string | Runtime URL of the Backend. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`apiManagementServiceName`](#parameter-apimanagementservicename) | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`credentials`](#parameter-credentials) | object | Backend Credentials Contract Properties. | -| [`description`](#parameter-description) | string | Backend Description. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`protocol`](#parameter-protocol) | string | Backend communication protocol. - http or soap. | -| [`proxy`](#parameter-proxy) | object | Backend Proxy Contract Properties. | -| [`resourceId`](#parameter-resourceid) | string | Management Uri of the Resource in External System. This URL can be the Arm Resource ID of Logic Apps, Function Apps or API Apps. | -| [`serviceFabricCluster`](#parameter-servicefabriccluster) | object | Backend Service Fabric Cluster Properties. 
| -| [`title`](#parameter-title) | string | Backend Title. | -| [`tls`](#parameter-tls) | object | Backend TLS Properties. | - -### Parameter: `name` - -Backend Name. - -- Required: Yes -- Type: string - -### Parameter: `url` - -Runtime URL of the Backend. - -- Required: Yes -- Type: string - -### Parameter: `apiManagementServiceName` - -The name of the parent API Management service. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `credentials` - -Backend Credentials Contract Properties. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `description` - -Backend Description. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `protocol` - -Backend communication protocol. - http or soap. - -- Required: No -- Type: string -- Default: `'http'` - -### Parameter: `proxy` - -Backend Proxy Contract Properties. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `resourceId` - -Management Uri of the Resource in External System. This URL can be the Arm Resource ID of Logic Apps, Function Apps or API Apps. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `serviceFabricCluster` - -Backend Service Fabric Cluster Properties. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `title` - -Backend Title. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `tls` - -Backend TLS Properties. - -- Required: No -- Type: object -- Default: - ```Bicep - { - validateCertificateChain: false - validateCertificateName: false - } - ``` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the API management service backend. 
| -| `resourceGroupName` | string | The resource group the API management service backend was deployed into. | -| `resourceId` | string | The resource ID of the API management service backend. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `credentials` - -

- -Parameter JSON format - -```json -"credentials": { - "value":{ - "certificate": [ - "string" - ], - "query": {}, - "header": {}, - "authorization": { - "scheme": "Authentication Scheme name.-string", - "parameter": "Authentication Parameter value. - string" - } - } -} -``` - -
- -
- -Bicep format - -```bicep -credentials: { - certificate: [ - 'string' - ] - query: {} - header: {} - authorization: { - scheme: 'Authentication Scheme name.-string' - parameter: 'Authentication Parameter value. - string' - } -} -``` - -
-

- -### Parameter Usage: `tls` - -

- -Parameter JSON format - -```json -"tls": { - "value":{ - "validateCertificateChain": "Flag indicating whether SSL certificate chain validation should be done when using self-signed certificates for this backend host. - boolean", - "validateCertificateName": "Flag indicating whether SSL certificate name validation should be done when using self-signed certificates for this backend host. - boolean" - } -} -``` - -
- -
- -Bicep format - -```bicep -tls: { - validateCertificateChain: 'Flag indicating whether SSL certificate chain validation should be done when using self-signed certificates for this backend host. - boolean' - validateCertificateName: 'Flag indicating whether SSL certificate name validation should be done when using self-signed certificates for this backend host. - boolean' -} -``` - -
-

diff --git a/modules/api-management/service/backend/main.bicep b/modules/api-management/service/backend/main.bicep
deleted file mode 100644
index 28c5ec6ccd..0000000000
--- a/modules/api-management/service/backend/main.bicep
+++ /dev/null
@@ -1,85 +0,0 @@ -metadata name = 'API Management Service Backends' -metadata description = 'This module deploys an API Management Service Backend.' -metadata owner = 'Azure/module-maintainers' - -@sys.description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.') -param apiManagementServiceName string - -@sys.description('Required. Backend Name.') -param name string - -@sys.description('Optional. Backend Credentials Contract Properties.') -param credentials object = {} - -@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@sys.description('Optional. Backend Description.') -param description string = '' - -@sys.description('Optional. Backend communication protocol. - http or soap.') -param protocol string = 'http' - -@sys.description('Optional. Backend Proxy Contract Properties.') -param proxy object = {} - -@sys.description('Optional. Management Uri of the Resource in External System. This URL can be the Arm Resource ID of Logic Apps, Function Apps or API Apps.') -param resourceId string = '' - -@sys.description('Optional. Backend Service Fabric Cluster Properties.') -param serviceFabricCluster object = {} - -@sys.description('Optional. Backend Title.') -param title string = '' - -@sys.description('Optional. Backend TLS Properties.') -param tls object = { - validateCertificateChain: false - validateCertificateName: false -} - -@sys.description('Required. 
Runtime URL of the Backend.') -param url string - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = { - name: apiManagementServiceName -} - -resource backend 'Microsoft.ApiManagement/service/backends@2021-08-01' = { - name: name - parent: service - properties: { - title: !empty(title) ? title : null - description: !empty(description) ? description : null - resourceId: !empty(resourceId) ? resourceId : null - properties: { - serviceFabricCluster: !empty(serviceFabricCluster) ? serviceFabricCluster : null - } - credentials: !empty(credentials) ? credentials : null - proxy: !empty(proxy) ? proxy : null - tls: !empty(tls) ? tls : null - url: url - protocol: protocol - } -} - -@sys.description('The resource ID of the API management service backend.') -output resourceId string = backend.id - -@sys.description('The name of the API management service backend.') -output name string = backend.name - -@sys.description('The resource group the API management service backend was deployed into.') -output resourceGroupName string = resourceGroup().name diff --git a/modules/api-management/service/backend/main.json b/modules/api-management/service/backend/main.json deleted file mode 100644 index 212f333040..0000000000 --- a/modules/api-management/service/backend/main.json +++ /dev/null 
@@ -1,157 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "14371393063475773678" - }, - "name": "API Management Service Backends", - "description": "This module deploys an API Management Service Backend.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "apiManagementServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Backend Name." - } - }, - "credentials": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Backend Credentials Contract Properties." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Backend Description." - } - }, - "protocol": { - "type": "string", - "defaultValue": "http", - "metadata": { - "description": "Optional. Backend communication protocol. - http or soap." - } - }, - "proxy": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Backend Proxy Contract Properties." - } - }, - "resourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Management Uri of the Resource in External System. This URL can be the Arm Resource ID of Logic Apps, Function Apps or API Apps." - } - }, - "serviceFabricCluster": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Backend Service Fabric Cluster Properties." 
- } - }, - "title": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Backend Title." - } - }, - "tls": { - "type": "object", - "defaultValue": { - "validateCertificateChain": false, - "validateCertificateName": false - }, - "metadata": { - "description": "Optional. Backend TLS Properties." - } - }, - "url": { - "type": "string", - "metadata": { - "description": "Required. Runtime URL of the Backend." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ApiManagement/service/backends", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', parameters('apiManagementServiceName'), parameters('name'))]", - "properties": { - "title": "[if(not(empty(parameters('title'))), parameters('title'), null())]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "resourceId": "[if(not(empty(parameters('resourceId'))), parameters('resourceId'), null())]", - "properties": { - "serviceFabricCluster": "[if(not(empty(parameters('serviceFabricCluster'))), parameters('serviceFabricCluster'), null())]" - }, - "credentials": "[if(not(empty(parameters('credentials'))), parameters('credentials'), null())]", - "proxy": "[if(not(empty(parameters('proxy'))), parameters('proxy'), null())]", - "tls": "[if(not(empty(parameters('tls'))), parameters('tls'), null())]", - "url": "[parameters('url')]", - "protocol": "[parameters('protocol')]" - } - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of 
the API management service backend." - }, - "value": "[resourceId('Microsoft.ApiManagement/service/backends', parameters('apiManagementServiceName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the API management service backend." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the API management service backend was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/api-management/service/backend/version.json b/modules/api-management/service/backend/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/api-management/service/backend/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/api-management/service/cache/README.md b/modules/api-management/service/cache/README.md deleted file mode 100644 index 31c4f02a3c..0000000000 --- a/modules/api-management/service/cache/README.md +++ /dev/null 
@@ -1,105 +0,0 @@
-# API Management Service Caches `[Microsoft.ApiManagement/service/caches]`
-
-This module deploys an API Management Service Cache.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.ApiManagement/service/caches` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/caches) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`connectionString`](#parameter-connectionstring) | string | Runtime connection string to cache. Can be referenced by a named value like so, {{}}. |
-| [`name`](#parameter-name) | string | Identifier of the Cache entity. Cache identifier (should be either 'default' or valid Azure region identifier). |
-| [`useFromLocation`](#parameter-usefromlocation) | string | Location identifier to use cache from (should be either 'default' or valid Azure region identifier). |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`apiManagementServiceName`](#parameter-apimanagementservicename) | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`description`](#parameter-description) | string | Cache description. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`resourceId`](#parameter-resourceid) | string | Original uri of entity in external system cache points to. |
-
-### Parameter: `connectionString`
-
-Runtime connection string to cache. Can be referenced by a named value like so, {{}}.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `name`
-
-Identifier of the Cache entity. Cache identifier (should be either 'default' or valid Azure region identifier).
-
-- Required: Yes
-- Type: string
-
-### Parameter: `useFromLocation`
-
-Location identifier to use cache from (should be either 'default' or valid Azure region identifier).
-
-- Required: Yes
-- Type: string
-
-### Parameter: `apiManagementServiceName`
-
-The name of the parent API Management service. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `description`
-
-Cache description.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `resourceId`
-
-Original uri of entity in external system cache points to.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the API management service cache. |
-| `resourceGroupName` | string | The resource group the API management service cache was deployed into. |
-| `resourceId` | string | The resource ID of the API management service cache. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/api-management/service/cache/main.bicep b/modules/api-management/service/cache/main.bicep
deleted file mode 100644
index 16448035a2..0000000000
--- a/modules/api-management/service/cache/main.bicep
+++ /dev/null
@@ -1,60 +0,0 @@ -metadata name = 'API Management Service Caches' -metadata description = 'This module deploys an API Management Service Cache.' -metadata owner = 'Azure/module-maintainers' - -@sys.description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.') -param apiManagementServiceName string - -@sys.description('Required. Identifier of the Cache entity. Cache identifier (should be either \'default\' or valid Azure region identifier).') -param name string - -@sys.description('Required. Runtime connection string to cache. Can be referenced by a named value like so, {{}}.') -param connectionString string - -@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@sys.description('Optional. Cache description.') -param description string = '' - -@sys.description('Optional. Original uri of entity in external system cache points to.') -param resourceId string = '' - -@sys.description('Required. Location identifier to use cache from (should be either \'default\' or valid Azure region identifier).') -param useFromLocation string - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = { - name: apiManagementServiceName -} - -resource cache 'Microsoft.ApiManagement/service/caches@2021-08-01' = { - name: name - parent: service - properties: { - description: !empty(description) ? description : null - connectionString: connectionString - useFromLocation: useFromLocation - resourceId: !empty(resourceId) ? 
resourceId : null - } -} - -@sys.description('The resource ID of the API management service cache.') -output resourceId string = cache.id - -@sys.description('The name of the API management service cache.') -output name string = cache.name - -@sys.description('The resource group the API management service cache was deployed into.') -output resourceGroupName string = resourceGroup().name diff --git a/modules/api-management/service/cache/main.json b/modules/api-management/service/cache/main.json deleted file mode 100644 index 6e66b25bb1..0000000000 --- a/modules/api-management/service/cache/main.json +++ /dev/null 
@@ -1,111 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10312358305910336044" - }, - "name": "API Management Service Caches", - "description": "This module deploys an API Management Service Cache.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "apiManagementServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Identifier of the Cache entity. Cache identifier (should be either 'default' or valid Azure region identifier)." - } - }, - "connectionString": { - "type": "string", - "metadata": { - "description": "Required. Runtime connection string to cache. Can be referenced by a named value like so, {{}}." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Cache description." - } - }, - "resourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Original uri of entity in external system cache points to." - } - }, - "useFromLocation": { - "type": "string", - "metadata": { - "description": "Required. Location identifier to use cache from (should be either 'default' or valid Azure region identifier)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ApiManagement/service/caches", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', parameters('apiManagementServiceName'), parameters('name'))]", - "properties": { - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "connectionString": "[parameters('connectionString')]", - "useFromLocation": "[parameters('useFromLocation')]", - "resourceId": "[if(not(empty(parameters('resourceId'))), parameters('resourceId'), null())]" - } - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the API management service cache." - }, - "value": "[resourceId('Microsoft.ApiManagement/service/caches', parameters('apiManagementServiceName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the API management service cache." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the API management service cache was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/api-management/service/cache/version.json b/modules/api-management/service/cache/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/api-management/service/cache/version.json +++ /dev/null 
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/api-management/service/identity-provider/README.md b/modules/api-management/service/identity-provider/README.md
deleted file mode 100644
index 3cd1e42cce..0000000000
--- a/modules/api-management/service/identity-provider/README.md
+++ /dev/null
@@ -1,181 +0,0 @@ -# API Management Service Identity Providers `[Microsoft.ApiManagement/service/identityProviders]` - -This module deploys an API Management Service Identity Provider. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.ApiManagement/service/identityProviders` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/identityProviders) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Identity provider name. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`apiManagementServiceName`](#parameter-apimanagementservicename) | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | -| [`clientId`](#parameter-clientid) | string | Client ID of the Application in the external Identity Provider. Required if identity provider is used. | -| [`clientSecret`](#parameter-clientsecret) | securestring | Client secret of the Application in external Identity Provider, used to authenticate login request. Required if identity provider is used. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`allowedTenants`](#parameter-allowedtenants) | array | List of Allowed Tenants when configuring Azure Active Directory login. - string. | -| [`authority`](#parameter-authority) | string | OpenID Connect discovery endpoint hostname for AAD or AAD B2C. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). 
| -| [`enableIdentityProviders`](#parameter-enableidentityproviders) | bool | Used to enable the deployment of the identityProviders child resource. | -| [`passwordResetPolicyName`](#parameter-passwordresetpolicyname) | string | Password Reset Policy Name. Only applies to AAD B2C Identity Provider. | -| [`profileEditingPolicyName`](#parameter-profileeditingpolicyname) | string | Profile Editing Policy Name. Only applies to AAD B2C Identity Provider. | -| [`signInPolicyName`](#parameter-signinpolicyname) | string | Signin Policy Name. Only applies to AAD B2C Identity Provider. | -| [`signInTenant`](#parameter-signintenant) | string | The TenantId to use instead of Common when logging into Active Directory. | -| [`signUpPolicyName`](#parameter-signuppolicyname) | string | Signup Policy Name. Only applies to AAD B2C Identity Provider. | -| [`type`](#parameter-type) | string | Identity Provider Type identifier. | - -### Parameter: `name` - -Identity provider name. - -- Required: Yes -- Type: string - -### Parameter: `apiManagementServiceName` - -The name of the parent API Management service. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `clientId` - -Client ID of the Application in the external Identity Provider. Required if identity provider is used. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `clientSecret` - -Client secret of the Application in external Identity Provider, used to authenticate login request. Required if identity provider is used. - -- Required: No -- Type: securestring -- Default: `''` - -### Parameter: `allowedTenants` - -List of Allowed Tenants when configuring Azure Active Directory login. - string. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `authority` - -OpenID Connect discovery endpoint hostname for AAD or AAD B2C. 
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `enableIdentityProviders`
-
-Used to enable the deployment of the identityProviders child resource.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `passwordResetPolicyName`
-
-Password Reset Policy Name. Only applies to AAD B2C Identity Provider.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `profileEditingPolicyName`
-
-Profile Editing Policy Name. Only applies to AAD B2C Identity Provider.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `signInPolicyName`
-
-Signin Policy Name. Only applies to AAD B2C Identity Provider.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `signInTenant`
-
-The TenantId to use instead of Common when logging into Active Directory.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `signUpPolicyName`
-
-Signup Policy Name. Only applies to AAD B2C Identity Provider.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `type`
-
-Identity Provider Type identifier.
-
-- Required: No
-- Type: string
-- Default: `'aad'`
-- Allowed:
- ```Bicep
- [
- 'aad'
- 'aadB2C'
- 'facebook'
- 'google'
- 'microsoft'
- 'twitter'
- ]
- ```
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the API management service identity provider. |
-| `resourceGroupName` | string | The resource group the API management service identity provider was deployed into. |
-| `resourceId` | string | The resource ID of the API management service identity provider. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/api-management/service/identity-provider/main.bicep b/modules/api-management/service/identity-provider/main.bicep
deleted file mode 100644
index c63d645c68..0000000000
--- a/modules/api-management/service/identity-provider/main.bicep
+++ /dev/null
@@ -1,99 +0,0 @@ -metadata name = 'API Management Service Identity Providers' -metadata description = 'This module deploys an API Management Service Identity Provider.' -metadata owner = 'Azure/module-maintainers' - -@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.') -param apiManagementServiceName string - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. Used to enable the deployment of the identityProviders child resource.') -param enableIdentityProviders bool = false - -@description('Optional. List of Allowed Tenants when configuring Azure Active Directory login. - string.') -param allowedTenants array = [] - -@description('Optional. OpenID Connect discovery endpoint hostname for AAD or AAD B2C.') -param authority string = '' - -@description('Conditional. Client ID of the Application in the external Identity Provider. Required if identity provider is used.') -param clientId string = '' - -@description('Conditional. Client secret of the Application in external Identity Provider, used to authenticate login request. Required if identity provider is used.') -@secure() -param clientSecret string = '' - -@description('Optional. Password Reset Policy Name. Only applies to AAD B2C Identity Provider.') -#disable-next-line secure-secrets-in-params // Not a secret -param passwordResetPolicyName string = '' - -@description('Optional. Profile Editing Policy Name. Only applies to AAD B2C Identity Provider.') -param profileEditingPolicyName string = '' - -@description('Optional. Signin Policy Name. Only applies to AAD B2C Identity Provider.') -param signInPolicyName string = '' - -@description('Optional. The TenantId to use instead of Common when logging into Active Directory.') -param signInTenant string = '' - -@description('Optional. Signup Policy Name. 
Only applies to AAD B2C Identity Provider.') -param signUpPolicyName string = '' - -@description('Optional. Identity Provider Type identifier.') -@allowed([ - 'aad' - 'aadB2C' - 'facebook' - 'google' - 'microsoft' - 'twitter' -]) -param type string = 'aad' - -@description('Required. Identity provider name.') -param name string - -var isAadB2C = (type == 'aadB2C') - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = { - name: apiManagementServiceName -} - -resource identityProvider 'Microsoft.ApiManagement/service/identityProviders@2021-08-01' = if (enableIdentityProviders) { - name: name - parent: service - properties: { - type: type - signinTenant: signInTenant - allowedTenants: allowedTenants - authority: authority - signupPolicyName: isAadB2C ? signUpPolicyName : null - signinPolicyName: isAadB2C ? signInPolicyName : null - profileEditingPolicyName: isAadB2C ? profileEditingPolicyName : null - passwordResetPolicyName: isAadB2C ? passwordResetPolicyName : null - clientId: clientId - clientSecret: clientSecret - } -} - -@description('The resource ID of the API management service identity provider.') -output resourceId string = identityProvider.id - -@description('The name of the API management service identity provider.') -output name string = identityProvider.name - -@description('The resource group the API management service identity provider was deployed into.') -output resourceGroupName string = resourceGroup().name 
diff --git a/modules/api-management/service/identity-provider/main.json b/modules/api-management/service/identity-provider/main.json
deleted file mode 100644
index 23202bb012..0000000000
--- a/modules/api-management/service/identity-provider/main.json
+++ /dev/null
@@ -1,180 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13036858747462562466" - }, - "name": "API Management Service Identity Providers", - "description": "This module deploys an API Management Service Identity Provider.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "apiManagementServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "enableIdentityProviders": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Used to enable the deployment of the identityProviders child resource." - } - }, - "allowedTenants": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of Allowed Tenants when configuring Azure Active Directory login. - string." - } - }, - "authority": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. OpenID Connect discovery endpoint hostname for AAD or AAD B2C." - } - }, - "clientId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. Client ID of the Application in the external Identity Provider. Required if identity provider is used." - } - }, - "clientSecret": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Conditional. Client secret of the Application in external Identity Provider, used to authenticate login request. Required if identity provider is used." 
- } - }, - "passwordResetPolicyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Password Reset Policy Name. Only applies to AAD B2C Identity Provider." - } - }, - "profileEditingPolicyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Profile Editing Policy Name. Only applies to AAD B2C Identity Provider." - } - }, - "signInPolicyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Signin Policy Name. Only applies to AAD B2C Identity Provider." - } - }, - "signInTenant": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The TenantId to use instead of Common when logging into Active Directory." - } - }, - "signUpPolicyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Signup Policy Name. Only applies to AAD B2C Identity Provider." - } - }, - "type": { - "type": "string", - "defaultValue": "aad", - "allowedValues": [ - "aad", - "aadB2C", - "facebook", - "google", - "microsoft", - "twitter" - ], - "metadata": { - "description": "Optional. Identity Provider Type identifier." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Identity provider name." 
- } - } - }, - "variables": { - "isAadB2C": "[equals(parameters('type'), 'aadB2C')]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "condition": "[parameters('enableIdentityProviders')]", - "type": "Microsoft.ApiManagement/service/identityProviders", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', parameters('apiManagementServiceName'), parameters('name'))]", - "properties": { - "type": "[parameters('type')]", - "signinTenant": "[parameters('signInTenant')]", - "allowedTenants": "[parameters('allowedTenants')]", - "authority": "[parameters('authority')]", - "signupPolicyName": "[if(variables('isAadB2C'), parameters('signUpPolicyName'), null())]", - "signinPolicyName": "[if(variables('isAadB2C'), parameters('signInPolicyName'), null())]", - "profileEditingPolicyName": "[if(variables('isAadB2C'), parameters('profileEditingPolicyName'), null())]", - "passwordResetPolicyName": "[if(variables('isAadB2C'), parameters('passwordResetPolicyName'), null())]", - "clientId": "[parameters('clientId')]", - "clientSecret": "[parameters('clientSecret')]" - } - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the API management service identity provider." - }, - "value": "[resourceId('Microsoft.ApiManagement/service/identityProviders', parameters('apiManagementServiceName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the API management service identity provider." 
- }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the API management service identity provider was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/api-management/service/identity-provider/version.json b/modules/api-management/service/identity-provider/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/api-management/service/identity-provider/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/api-management/service/main.bicep b/modules/api-management/service/main.bicep deleted file mode 100644 index 9e8142b83f..0000000000 --- a/modules/api-management/service/main.bicep +++ /dev/null 
@@ -1,538 +0,0 @@
-metadata name = 'API Management Services'
-metadata description = 'This module deploys an API Management Service.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Optional. Additional datacenter locations of the API Management service.')
-param additionalLocations array = []
-
-@description('Required. The name of the API Management service.')
-param name string
-
-@description('Optional. List of Certificates that need to be installed in the API Management service. Max supported certificates that can be installed is 10.')
-@maxLength(10)
-param certificates array = []
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. Custom properties of the API Management service.')
-param customProperties object = {}
-
-@description('Optional. Property only valid for an API Management service deployed in multiple locations. This can be used to disable the gateway in master region.')
-param disableGateway bool = false
-
-@description('Optional. Property only meant to be used for Consumption SKU Service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway.')
-param enableClientCertificate bool = false
-
-@description('Optional. Custom hostname configuration of the API Management service.')
-param hostnameConfigurations array = []
-
-@description('Optional. The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
-
-@description('Optional. Location for all Resources.')
-param location string = resourceGroup().location
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Limit control plane API calls to API Management service with version equal to or newer than this value.')
-param minApiVersion string = ''
-
-@description('Optional. The notification sender email address for the service.')
-param notificationSenderEmail string = 'apimgmt-noreply@mail.windowsazure.com'
-
-@description('Required. The email address of the owner of the service.')
-param publisherEmail string
-
-@description('Required. The name of the owner of the service.')
-param publisherName string
-
-@description('Optional. Undelete API Management Service if it was previously soft-deleted. If this flag is specified and set to True all other properties will be ignored.')
-param restore bool = false
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. The pricing tier of this API Management service.')
-@allowed([
- 'Consumption'
- 'Developer'
- 'Basic'
- 'Standard'
- 'Premium'
-])
-param sku string = 'Developer'
-
-@description('Optional. The instance size of this API Management service.')
-@allowed([
- 1
- 2
-])
-param skuCount int = 1
-
-@description('Optional. The full resource ID of a subnet in a virtual network to deploy the API Management service in.')
-param subnetResourceId string = ''
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only.')
-@allowed([
- 'None'
- 'External'
- 'Internal'
-])
-param virtualNetworkType string = 'None'
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. A list of availability zones denoting where the resource needs to come from.')
-param zones array = []
-
-@description('Optional. Necessary to create a new GUID.')
-param newGuidValue string = newGuid()
-
-@description('Optional. APIs.')
-param apis array = []
-
-@description('Optional. API Version Sets.')
-param apiVersionSets array = []
-
-@description('Optional. Authorization servers.')
-@secure()
-param authorizationServers object = {}
-
-@description('Optional. Backends.')
-param backends array = []
-
-@description('Optional. Caches.')
-param caches array = []
-
-@description('Optional. Identity providers.')
-param identityProviders array = []
-
-@description('Optional. Named values.')
-param namedValues array = []
-
-@description('Optional. Policies.')
-param policies array = []
-
-@description('Optional. Portal settings.')
-param portalsettings array = []
-
-@description('Optional. Products.')
-param products array = []
-
-@description('Optional. Subscriptions.')
-param subscriptions array = []
-
-var enableReferencedModulesTelemetry = false
-
-var authorizationServerList = !empty(authorizationServers) ? authorizationServers.secureList : []
-
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-
-var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
- userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
-} : null
-
-var builtInRoleNames = {
- 'API Management Developer Portal Content Editor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c031e6a8-4391-4de0-8d69-4706a7ed3729')
- 'API Management Service Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c')
- 'API Management Service Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')
- 'API Management Service Reader Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '71522526-b88f-4d52-b57f-d31fc3546d0d')
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource service 'Microsoft.ApiManagement/service@2021-08-01' = {
- name: name
- location: location
- tags: tags
- sku: {
- name: sku
- capacity: skuCount
- }
- zones: zones
- identity: identity
- properties: {
- publisherEmail: publisherEmail
- publisherName: publisherName
- notificationSenderEmail: notificationSenderEmail
- hostnameConfigurations: hostnameConfigurations
- additionalLocations: additionalLocations
- customProperties: customProperties
- certificates: certificates
- enableClientCertificate: enableClientCertificate ? true : null
- disableGateway: disableGateway
- virtualNetworkType: virtualNetworkType
- virtualNetworkConfiguration: !empty(subnetResourceId) ? {
- subnetResourceId: subnetResourceId
- } : null
- apiVersionConstraint: !empty(minApiVersion) ? {
- minApiVersion: minApiVersion
- } : null
- restore: restore
- }
-}
-
-module service_apis 'api/main.bicep' = [for (api, index) in apis: {
- name: '${uniqueString(deployment().name, location)}-Apim-Api-${index}'
- params: {
- apiManagementServiceName: service.name
- displayName: api.displayName
- name: api.name
- path: api.path
- apiDescription: contains(api, 'apiDescription') ? api.apiDescription : ''
- apiRevision: contains(api, 'apiRevision') ? api.apiRevision : ''
- apiRevisionDescription: contains(api, 'apiRevisionDescription') ? api.apiRevisionDescription : ''
- apiType: contains(api, 'apiType') ? api.apiType : 'http'
- apiVersion: contains(api, 'apiVersion') ? api.apiVersion : ''
- apiVersionDescription: contains(api, 'apiVersionDescription') ? api.apiVersionDescription : ''
- apiVersionSetId: contains(api, 'apiVersionSetId') ? api.apiVersionSetId : ''
- authenticationSettings: contains(api, 'authenticationSettings') ? api.authenticationSettings : {}
- format: contains(api, 'format') ? api.format : 'openapi'
- isCurrent: contains(api, 'isCurrent') ? api.isCurrent : true
- protocols: contains(api, 'protocols') ? api.protocols : [
- 'https'
- ]
- policies: contains(api, 'policies') ? api.policies : []
- serviceUrl: contains(api, 'serviceUrl') ? api.serviceUrl : ''
- sourceApiId: contains(api, 'sourceApiId') ? api.sourceApiId : ''
- subscriptionKeyParameterNames: contains(api, 'subscriptionKeyParameterNames') ? api.subscriptionKeyParameterNames : {}
- subscriptionRequired: contains(api, 'subscriptionRequired') ? api.subscriptionRequired : false
- type: contains(api, 'type') ? api.type : 'http'
- value: contains(api, 'value') ? api.value : ''
- wsdlSelector: contains(api, 'wsdlSelector') ? api.wsdlSelector : {}
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
- dependsOn: [
- service_apiVersionSets
- ]
-}]
-
-module service_apiVersionSets 'api-version-set/main.bicep' = [for (apiVersionSet, index) in apiVersionSets: {
- name: '${uniqueString(deployment().name, location)}-Apim-ApiVersionSet-${index}'
- params: {
- apiManagementServiceName: service.name
- name: apiVersionSet.name
- properties: contains(apiVersionSet, 'properties') ? apiVersionSet.properties : {}
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module service_authorizationServers 'authorization-server/main.bicep' = [for (authorizationServer, index) in authorizationServerList: {
- name: '${uniqueString(deployment().name, location)}-Apim-AuthorizationServer-${index}'
- params: {
- apiManagementServiceName: service.name
- name: authorizationServer.name
- authorizationEndpoint: authorizationServer.authorizationEndpoint
- authorizationMethods: contains(authorizationServer, 'authorizationMethods') ? authorizationServer.authorizationMethods : [
- 'GET'
- ]
- bearerTokenSendingMethods: contains(authorizationServer, 'bearerTokenSendingMethods') ? authorizationServer.bearerTokenSendingMethods : [
- 'authorizationHeader'
- ]
- clientAuthenticationMethod: contains(authorizationServer, 'clientAuthenticationMethod') ? authorizationServer.clientAuthenticationMethod : [
- 'Basic'
- ]
- clientId: authorizationServer.clientId
- clientSecret: authorizationServer.clientSecret
- clientRegistrationEndpoint: contains(authorizationServer, 'clientRegistrationEndpoint') ? authorizationServer.clientRegistrationEndpoint : ''
- defaultScope: contains(authorizationServer, 'defaultScope') ? authorizationServer.defaultScope : ''
- grantTypes: authorizationServer.grantTypes
- resourceOwnerPassword: contains(authorizationServer, 'resourceOwnerPassword') ? authorizationServer.resourceOwnerPassword : ''
- resourceOwnerUsername: contains(authorizationServer, 'resourceOwnerUsername') ? authorizationServer.resourceOwnerUsername : ''
- serverDescription: contains(authorizationServer, 'serverDescription') ? authorizationServer.serverDescription : ''
- supportState: contains(authorizationServer, 'supportState') ? authorizationServer.supportState : false
- tokenBodyParameters: contains(authorizationServer, 'tokenBodyParameters') ? authorizationServer.tokenBodyParameters : []
- tokenEndpoint: contains(authorizationServer, 'tokenEndpoint') ? authorizationServer.tokenEndpoint : ''
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module service_backends 'backend/main.bicep' = [for (backend, index) in backends: {
- name: '${uniqueString(deployment().name, location)}-Apim-Backend-${index}'
- params: {
- apiManagementServiceName: service.name
- url: contains(backend, 'url') ? backend.url : ''
- description: contains(backend, 'description') ? backend.description : ''
- credentials: contains(backend, 'credentials') ? backend.credentials : {}
- name: backend.name
- protocol: contains(backend, 'protocol') ? backend.protocol : 'http'
- proxy: contains(backend, 'proxy') ? backend.proxy : {}
- resourceId: contains(backend, 'resourceId') ? backend.resourceId : ''
- serviceFabricCluster: contains(backend, 'serviceFabricCluster') ? backend.serviceFabricCluster : {}
- title: contains(backend, 'title') ? backend.title : ''
- tls: contains(backend, 'tls') ? backend.tls : {
- validateCertificateChain: false
- validateCertificateName: false
- }
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module service_caches 'cache/main.bicep' = [for (cache, index) in caches: {
- name: '${uniqueString(deployment().name, location)}-Apim-Cache-${index}'
- params: {
- apiManagementServiceName: service.name
- description: contains(cache, 'description') ? cache.description : ''
- connectionString: cache.connectionString
- name: cache.name
- resourceId: contains(cache, 'resourceId') ? cache.resourceId : ''
- useFromLocation: cache.useFromLocation
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module service_identityProviders 'identity-provider/main.bicep' = [for (identityProvider, index) in identityProviders: {
- name: '${uniqueString(deployment().name, location)}-Apim-IdentityProvider-${index}'
- params: {
- apiManagementServiceName: service.name
- name: identityProvider.name
- enableIdentityProviders: contains(identityProvider, 'enableIdentityProviders') ? identityProvider.enableIdentityProviders : false
- allowedTenants: contains(identityProvider, 'allowedTenants') ? identityProvider.allowedTenants : []
- authority: contains(identityProvider, 'authority') ? identityProvider.authority : ''
- clientId: contains(identityProvider, 'clientId') ? identityProvider.clientId : ''
- clientSecret: contains(identityProvider, 'clientSecret') ? identityProvider.clientSecret : ''
- passwordResetPolicyName: contains(identityProvider, 'passwordResetPolicyName') ? identityProvider.passwordResetPolicyName : ''
- profileEditingPolicyName: contains(identityProvider, 'profileEditingPolicyName') ? identityProvider.profileEditingPolicyName : ''
- signInPolicyName: contains(identityProvider, 'signInPolicyName') ? identityProvider.signInPolicyName : ''
- signInTenant: contains(identityProvider, 'signInTenant') ? identityProvider.signInTenant : ''
- signUpPolicyName: contains(identityProvider, 'signUpPolicyName') ? identityProvider.signUpPolicyName : ''
- type: contains(identityProvider, 'type') ? identityProvider.type : 'aad'
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module service_namedValues 'named-value/main.bicep' = [for (namedValue, index) in namedValues: {
- name: '${uniqueString(deployment().name, location)}-Apim-NamedValue-${index}'
- params: {
- apiManagementServiceName: service.name
- displayName: namedValue.displayName
- keyVault: contains(namedValue, 'keyVault') ? namedValue.keyVault : {}
- name: namedValue.name
- tags: namedValue.?tags // Note: these are not resource tags
- secret: contains(namedValue, 'secret') ? namedValue.secret : false
- value: contains(namedValue, 'value') ? namedValue.value : newGuidValue
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module service_portalsettings 'portalsetting/main.bicep' = [for (portalsetting, index) in portalsettings: {
- name: '${uniqueString(deployment().name, location)}-Apim-PortalSetting-${index}'
- params: {
- apiManagementServiceName: service.name
- name: portalsetting.name
- properties: contains(portalsetting, 'properties') ? portalsetting.properties : {}
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module service_policies 'policy/main.bicep' = [for (policy, index) in policies: {
- name: '${uniqueString(deployment().name, location)}-Apim-Policy-${index}'
- params: {
- apiManagementServiceName: service.name
- value: policy.value
- format: contains(policy, 'format') ? policy.format : 'xml'
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module service_products 'product/main.bicep' = [for (product, index) in products: {
- name: '${uniqueString(deployment().name, location)}-Apim-Product-${index}'
- params: {
- apiManagementServiceName: service.name
- apis: contains(product, 'apis') ? product.apis : []
- approvalRequired: contains(product, 'approvalRequired') ? product.approvalRequired : false
- groups: contains(product, 'groups') ? product.groups : []
- name: product.name
- description: contains(product, 'description') ? product.description : ''
- state: contains(product, 'state') ? product.state : 'published'
- subscriptionRequired: contains(product, 'subscriptionRequired') ? product.subscriptionRequired : false
- subscriptionsLimit: contains(product, 'subscriptionsLimit') ? product.subscriptionsLimit : 1
- terms: contains(product, 'terms') ? product.terms : ''
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
- dependsOn: [
- service_apis
- ]
-}]
-
-module service_subscriptions 'subscription/main.bicep' = [for (subscription, index) in subscriptions: {
- name: '${uniqueString(deployment().name, location)}-Apim-Subscription-${index}'
- params: {
- apiManagementServiceName: service.name
- name: contains(subscription, 'name') ? subscription.name : ''
- allowTracing: contains(subscription, 'allowTracing') ? subscription.allowTracing : false
- ownerId: contains(subscription, 'ownerId') ? subscription.ownerId : ''
- primaryKey: contains(subscription, 'primaryKey') ? subscription.primaryKey : ''
- scope: contains(subscription, 'scope') ? subscription.scope : '/apis'
- secondaryKey: contains(subscription, 'secondaryKey') ? subscription.secondaryKey : ''
- state: contains(subscription, 'state') ? subscription.state : ''
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-resource service_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: service
-}
-
-resource service_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: service
-}]
-
-resource service_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(service.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: service
-}]
-
-@description('The name of the API management service.')
-output name string = service.name
-
-@description('The resource ID of the API management service.')
-output resourceId string = service.id
-
-@description('The resource group the API management service was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The principal ID of the system assigned identity.')
-output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(service.identity, 'principalId') ? service.identity.principalId : ''
-
-@description('The location the resource was deployed into.')
-output location string = service.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]?
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/api-management/service/main.json b/modules/api-management/service/main.json
deleted file mode 100644
index bb97234fb2..0000000000
--- a/modules/api-management/service/main.json
+++ /dev/null
@@ -1,3098 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "12791748357960289440" - }, - "name": "API Management Services", - "description": "This module deploys an API Management Service.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." 
- } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "additionalLocations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Additional datacenter locations of the API Management service." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the API Management service." - } - }, - "certificates": { - "type": "array", - "defaultValue": [], - "maxLength": 10, - "metadata": { - "description": "Optional. List of Certificates that need to be installed in the API Management service. Max supported certificates that can be installed is 10." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "customProperties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Custom properties of the API Management service." - } - }, - "disableGateway": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Property only valid for an API Management service deployed in multiple locations. 
This can be used to disable the gateway in master region." - } - }, - "enableClientCertificate": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Property only meant to be used for Consumption SKU Service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway." - } - }, - "hostnameConfigurations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Custom hostname configuration of the API Management service." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "minApiVersion": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Limit control plane API calls to API Management service with version equal to or newer than this value." - } - }, - "notificationSenderEmail": { - "type": "string", - "defaultValue": "apimgmt-noreply@mail.windowsazure.com", - "metadata": { - "description": "Optional. The notification sender email address for the service." - } - }, - "publisherEmail": { - "type": "string", - "metadata": { - "description": "Required. The email address of the owner of the service." - } - }, - "publisherName": { - "type": "string", - "metadata": { - "description": "Required. The name of the owner of the service." - } - }, - "restore": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Undelete API Management Service if it was previously soft-deleted. 
If this flag is specified and set to True all other properties will be ignored." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "sku": { - "type": "string", - "defaultValue": "Developer", - "allowedValues": [ - "Consumption", - "Developer", - "Basic", - "Standard", - "Premium" - ], - "metadata": { - "description": "Optional. The pricing tier of this API Management service." - } - }, - "skuCount": { - "type": "int", - "defaultValue": 1, - "allowedValues": [ - 1, - 2 - ], - "metadata": { - "description": "Optional. The instance size of this API Management service." - } - }, - "subnetResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The full resource ID of a subnet in a virtual network to deploy the API Management service in." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "virtualNetworkType": { - "type": "string", - "defaultValue": "None", - "allowedValues": [ - "None", - "External", - "Internal" - ], - "metadata": { - "description": "Optional. The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "zones": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. A list of availability zones denoting where the resource needs to come from." 
- } - }, - "newGuidValue": { - "type": "string", - "defaultValue": "[newGuid()]", - "metadata": { - "description": "Optional. Necessary to create a new GUID." - } - }, - "apis": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. APIs." - } - }, - "apiVersionSets": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. API Version Sets." - } - }, - "authorizationServers": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Authorization servers." - } - }, - "backends": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Backends." - } - }, - "caches": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Caches." - } - }, - "identityProviders": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Identity providers." - } - }, - "namedValues": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Named values." - } - }, - "policies": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Policies." - } - }, - "portalsettings": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Portal settings." - } - }, - "products": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Products." - } - }, - "subscriptions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Subscriptions." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "authorizationServerList": "[if(not(empty(parameters('authorizationServers'))), parameters('authorizationServers').secureList, createArray())]", - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "builtInRoleNames": { - "API Management Developer Portal Content Editor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c031e6a8-4391-4de0-8d69-4706a7ed3729')]", - "API Management Service Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", - "API Management Service Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", - "API Management Service Reader Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "service": { - "type": "Microsoft.ApiManagement/service", - "apiVersion": "2021-08-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "name": "[parameters('sku')]", - "capacity": "[parameters('skuCount')]" - }, - "zones": "[parameters('zones')]", - "identity": "[variables('identity')]", - "properties": { - "publisherEmail": "[parameters('publisherEmail')]", - "publisherName": "[parameters('publisherName')]", - "notificationSenderEmail": "[parameters('notificationSenderEmail')]", - "hostnameConfigurations": "[parameters('hostnameConfigurations')]", - "additionalLocations": "[parameters('additionalLocations')]", - "customProperties": "[parameters('customProperties')]", - "certificates": "[parameters('certificates')]", - "enableClientCertificate": "[if(parameters('enableClientCertificate'), true(), null())]", - "disableGateway": "[parameters('disableGateway')]", - 
"virtualNetworkType": "[parameters('virtualNetworkType')]", - "virtualNetworkConfiguration": "[if(not(empty(parameters('subnetResourceId'))), createObject('subnetResourceId', parameters('subnetResourceId')), null())]", - "apiVersionConstraint": "[if(not(empty(parameters('minApiVersion'))), createObject('minApiVersion', parameters('minApiVersion')), null())]", - "restore": "[parameters('restore')]" - } - }, - "service_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.ApiManagement/service/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "service" - ] - }, - "service_diagnosticSettings": { - "copy": { - "name": "service_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.ApiManagement/service/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "service" - ] - }, - "service_roleAssignments": { - "copy": { - "name": "service_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.ApiManagement/service/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.ApiManagement/service', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, 
'/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "service" - ] - }, - "service_apis": { - "copy": { - "name": "service_apis", - "count": "[length(parameters('apis'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Apim-Api-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "apiManagementServiceName": { - "value": "[parameters('name')]" - }, - "displayName": { - "value": "[parameters('apis')[copyIndex()].displayName]" - }, - "name": { - "value": "[parameters('apis')[copyIndex()].name]" - }, - "path": { - "value": "[parameters('apis')[copyIndex()].path]" - }, - "apiDescription": "[if(contains(parameters('apis')[copyIndex()], 'apiDescription'), 
createObject('value', parameters('apis')[copyIndex()].apiDescription), createObject('value', ''))]", - "apiRevision": "[if(contains(parameters('apis')[copyIndex()], 'apiRevision'), createObject('value', parameters('apis')[copyIndex()].apiRevision), createObject('value', ''))]", - "apiRevisionDescription": "[if(contains(parameters('apis')[copyIndex()], 'apiRevisionDescription'), createObject('value', parameters('apis')[copyIndex()].apiRevisionDescription), createObject('value', ''))]", - "apiType": "[if(contains(parameters('apis')[copyIndex()], 'apiType'), createObject('value', parameters('apis')[copyIndex()].apiType), createObject('value', 'http'))]", - "apiVersion": "[if(contains(parameters('apis')[copyIndex()], 'apiVersion'), createObject('value', parameters('apis')[copyIndex()].apiVersion), createObject('value', ''))]", - "apiVersionDescription": "[if(contains(parameters('apis')[copyIndex()], 'apiVersionDescription'), createObject('value', parameters('apis')[copyIndex()].apiVersionDescription), createObject('value', ''))]", - "apiVersionSetId": "[if(contains(parameters('apis')[copyIndex()], 'apiVersionSetId'), createObject('value', parameters('apis')[copyIndex()].apiVersionSetId), createObject('value', ''))]", - "authenticationSettings": "[if(contains(parameters('apis')[copyIndex()], 'authenticationSettings'), createObject('value', parameters('apis')[copyIndex()].authenticationSettings), createObject('value', createObject()))]", - "format": "[if(contains(parameters('apis')[copyIndex()], 'format'), createObject('value', parameters('apis')[copyIndex()].format), createObject('value', 'openapi'))]", - "isCurrent": "[if(contains(parameters('apis')[copyIndex()], 'isCurrent'), createObject('value', parameters('apis')[copyIndex()].isCurrent), createObject('value', true()))]", - "protocols": "[if(contains(parameters('apis')[copyIndex()], 'protocols'), createObject('value', parameters('apis')[copyIndex()].protocols), createObject('value', createArray('https')))]", - 
"policies": "[if(contains(parameters('apis')[copyIndex()], 'policies'), createObject('value', parameters('apis')[copyIndex()].policies), createObject('value', createArray()))]", - "serviceUrl": "[if(contains(parameters('apis')[copyIndex()], 'serviceUrl'), createObject('value', parameters('apis')[copyIndex()].serviceUrl), createObject('value', ''))]", - "sourceApiId": "[if(contains(parameters('apis')[copyIndex()], 'sourceApiId'), createObject('value', parameters('apis')[copyIndex()].sourceApiId), createObject('value', ''))]", - "subscriptionKeyParameterNames": "[if(contains(parameters('apis')[copyIndex()], 'subscriptionKeyParameterNames'), createObject('value', parameters('apis')[copyIndex()].subscriptionKeyParameterNames), createObject('value', createObject()))]", - "subscriptionRequired": "[if(contains(parameters('apis')[copyIndex()], 'subscriptionRequired'), createObject('value', parameters('apis')[copyIndex()].subscriptionRequired), createObject('value', false()))]", - "type": "[if(contains(parameters('apis')[copyIndex()], 'type'), createObject('value', parameters('apis')[copyIndex()].type), createObject('value', 'http'))]", - "value": "[if(contains(parameters('apis')[copyIndex()], 'value'), createObject('value', parameters('apis')[copyIndex()].value), createObject('value', ''))]", - "wsdlSelector": "[if(contains(parameters('apis')[copyIndex()], 'wsdlSelector'), createObject('value', parameters('apis')[copyIndex()].wsdlSelector), createObject('value', createObject()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11512052528068634292" - }, - "name": "API Management Service APIs", - "description": "This module deploys an API Management Service API.", - "owner": 
"Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. API revision identifier. Must be unique in the current API Management service instance. Non-current revision has ;rev=n as a suffix where n is the revision number." - } - }, - "policies": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of Policies to apply to the Service API." - } - }, - "apiManagementServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment." - } - }, - "apiRevision": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Describes the Revision of the API. If no value is provided, default revision 1 is created." - } - }, - "apiRevisionDescription": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Description of the API Revision." - } - }, - "apiType": { - "type": "string", - "defaultValue": "http", - "allowedValues": [ - "graphql", - "http", - "soap", - "websocket" - ], - "metadata": { - "description": "Optional. Type of API to create. * http creates a REST API * soap creates a SOAP pass-through API * websocket creates websocket API * graphql creates GraphQL API." - } - }, - "apiVersion": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Indicates the Version identifier of the API if the API is versioned." - } - }, - "apiVersionSetId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Indicates the Version identifier of the API version set." - } - }, - "apiVersionDescription": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Description of the API Version." 
- } - }, - "authenticationSettings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Collection of authentication settings included into this API." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "apiDescription": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Description of the API. May include HTML formatting tags." - } - }, - "displayName": { - "type": "string", - "maxLength": 300, - "metadata": { - "description": "Required. API name. Must be 1 to 300 characters long." - } - }, - "format": { - "type": "string", - "defaultValue": "openapi", - "allowedValues": [ - "wadl-xml", - "wadl-link-json", - "swagger-json", - "swagger-link-json", - "wsdl", - "wsdl-link", - "openapi", - "openapi+json", - "openapi-link", - "openapi+json-link" - ], - "metadata": { - "description": "Optional. Format of the Content in which the API is getting imported." - } - }, - "isCurrent": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Indicates if API revision is current API revision." - } - }, - "path": { - "type": "string", - "metadata": { - "description": "Required. Relative URL uniquely identifying this API and all of its resource paths within the API Management service instance. It is appended to the API endpoint base URL specified during the service instance creation to form a public URL for this API." - } - }, - "protocols": { - "type": "array", - "defaultValue": [ - "https" - ], - "metadata": { - "description": "Optional. Describes on which protocols the operations in this API can be invoked. - HTTP or HTTPS." - } - }, - "serviceUrl": { - "type": "string", - "defaultValue": "", - "maxLength": 2000, - "metadata": { - "description": "Optional. Absolute URL of the backend service implementing this API. 
Cannot be more than 2000 characters long." - } - }, - "sourceApiId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. API identifier of the source API." - } - }, - "subscriptionKeyParameterNames": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Protocols over which API is made available." - } - }, - "subscriptionRequired": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether an API or Product subscription is required for accessing the API." - } - }, - "type": { - "type": "string", - "defaultValue": "http", - "allowedValues": [ - "graphql", - "http", - "soap", - "websocket" - ], - "metadata": { - "description": "Optional. Type of API." - } - }, - "value": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Content value when Importing an API." - } - }, - "wsdlSelector": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Criteria to limit import of WSDL to a subset of the document." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ApiManagement/service/apis", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', parameters('apiManagementServiceName'), parameters('name'))]", - "properties": { - "apiRevision": "[if(not(empty(parameters('apiRevision'))), parameters('apiRevision'), null())]", - "apiRevisionDescription": "[if(not(empty(parameters('apiRevisionDescription'))), parameters('apiRevisionDescription'), null())]", - "apiType": "[if(not(empty(parameters('apiType'))), parameters('apiType'), null())]", - "apiVersion": "[if(not(empty(parameters('apiVersion'))), parameters('apiVersion'), null())]", - "apiVersionDescription": "[if(not(empty(parameters('apiVersionDescription'))), parameters('apiVersionDescription'), null())]", - "apiVersionSetId": "[if(not(empty(parameters('apiVersionSetId'))), parameters('apiVersionSetId'), null())]", - "authenticationSettings": "[parameters('authenticationSettings')]", - "description": "[parameters('apiDescription')]", - "displayName": "[parameters('displayName')]", - "format": "[if(not(empty(parameters('value'))), parameters('format'), null())]", - "isCurrent": "[parameters('isCurrent')]", - "path": "[parameters('path')]", - "protocols": "[parameters('protocols')]", - "serviceUrl": "[if(not(empty(parameters('serviceUrl'))), parameters('serviceUrl'), null())]", - "sourceApiId": "[if(not(empty(parameters('sourceApiId'))), parameters('sourceApiId'), null())]", - 
"subscriptionKeyParameterNames": "[if(not(empty(parameters('subscriptionKeyParameterNames'))), parameters('subscriptionKeyParameterNames'), null())]", - "subscriptionRequired": "[parameters('subscriptionRequired')]", - "type": "[parameters('type')]", - "value": "[if(not(empty(parameters('value'))), parameters('value'), null())]", - "wsdlSelector": "[parameters('wsdlSelector')]" - } - }, - { - "copy": { - "name": "policy", - "count": "[length(parameters('policies'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Policy-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "apiManagementServiceName": { - "value": "[parameters('apiManagementServiceName')]" - }, - "apiName": { - "value": "[parameters('name')]" - }, - "format": "[if(contains(parameters('policies')[copyIndex()], 'format'), createObject('value', parameters('policies')[copyIndex()].format), createObject('value', 'xml'))]", - "value": { - "value": "[parameters('policies')[copyIndex()].value]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17230254380289042348" - }, - "name": "API Management Service APIs Policies", - "description": "This module deploys an API Management Service API Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "apiManagementServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment." - } - }, - "apiName": { - "type": "string", - "metadata": { - "description": "Conditional. 
The name of the parent API. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "policy", - "metadata": { - "description": "Optional. The name of the policy." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "format": { - "type": "string", - "defaultValue": "xml", - "allowedValues": [ - "rawxml", - "rawxml-link", - "xml", - "xml-link" - ], - "metadata": { - "description": "Optional. Format of the policyContent." - } - }, - "value": { - "type": "string", - "metadata": { - "description": "Required. Contents of the Policy as defined by the format." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ApiManagement/service/apis/policies", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}/{2}', parameters('apiManagementServiceName'), parameters('apiName'), parameters('name'))]", - "properties": { - "format": "[parameters('format')]", - "value": "[parameters('value')]" - } - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the API policy." - }, - "value": "[resourceId('Microsoft.ApiManagement/service/apis/policies', parameters('apiManagementServiceName'), parameters('apiName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the API policy." 
- }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the API policy was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "[resourceId('Microsoft.ApiManagement/service/apis', parameters('apiManagementServiceName'), parameters('name'))]" - ] - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the API management service API." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the API management service API." - }, - "value": "[resourceId('Microsoft.ApiManagement/service/apis', parameters('apiManagementServiceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the API management service API was deployed to." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "service", - "service_apiVersionSets" - ] - }, - "service_apiVersionSets": { - "copy": { - "name": "service_apiVersionSets", - "count": "[length(parameters('apiVersionSets'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Apim-ApiVersionSet-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "apiManagementServiceName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('apiVersionSets')[copyIndex()].name]" - }, - "properties": "[if(contains(parameters('apiVersionSets')[copyIndex()], 'properties'), createObject('value', parameters('apiVersionSets')[copyIndex()].properties), createObject('value', createObject()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - 
"template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16962621369738378491" - }, - "name": "API Management Service API Version Sets", - "description": "This module deploys an API Management Service API Version Set.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "apiManagementServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. API Version set name." - } - }, - "properties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. API Version set properties." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ApiManagement/service/apiVersionSets", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', parameters('apiManagementServiceName'), parameters('name'))]", - "properties": "[parameters('properties')]" - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the API Version set." 
- }, - "value": "[resourceId('Microsoft.ApiManagement/service/apiVersionSets', parameters('apiManagementServiceName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the API Version set." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the API Version set was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "service" - ] - }, - "service_authorizationServers": { - "copy": { - "name": "service_authorizationServers", - "count": "[length(variables('authorizationServerList'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Apim-AuthorizationServer-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "apiManagementServiceName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[variables('authorizationServerList')[copyIndex()].name]" - }, - "authorizationEndpoint": { - "value": "[variables('authorizationServerList')[copyIndex()].authorizationEndpoint]" - }, - "authorizationMethods": "[if(contains(variables('authorizationServerList')[copyIndex()], 'authorizationMethods'), createObject('value', variables('authorizationServerList')[copyIndex()].authorizationMethods), createObject('value', createArray('GET')))]", - "bearerTokenSendingMethods": "[if(contains(variables('authorizationServerList')[copyIndex()], 'bearerTokenSendingMethods'), createObject('value', variables('authorizationServerList')[copyIndex()].bearerTokenSendingMethods), createObject('value', createArray('authorizationHeader')))]", - "clientAuthenticationMethod": "[if(contains(variables('authorizationServerList')[copyIndex()], 'clientAuthenticationMethod'), createObject('value', 
variables('authorizationServerList')[copyIndex()].clientAuthenticationMethod), createObject('value', createArray('Basic')))]", - "clientId": { - "value": "[variables('authorizationServerList')[copyIndex()].clientId]" - }, - "clientSecret": { - "value": "[variables('authorizationServerList')[copyIndex()].clientSecret]" - }, - "clientRegistrationEndpoint": "[if(contains(variables('authorizationServerList')[copyIndex()], 'clientRegistrationEndpoint'), createObject('value', variables('authorizationServerList')[copyIndex()].clientRegistrationEndpoint), createObject('value', ''))]", - "defaultScope": "[if(contains(variables('authorizationServerList')[copyIndex()], 'defaultScope'), createObject('value', variables('authorizationServerList')[copyIndex()].defaultScope), createObject('value', ''))]", - "grantTypes": { - "value": "[variables('authorizationServerList')[copyIndex()].grantTypes]" - }, - "resourceOwnerPassword": "[if(contains(variables('authorizationServerList')[copyIndex()], 'resourceOwnerPassword'), createObject('value', variables('authorizationServerList')[copyIndex()].resourceOwnerPassword), createObject('value', ''))]", - "resourceOwnerUsername": "[if(contains(variables('authorizationServerList')[copyIndex()], 'resourceOwnerUsername'), createObject('value', variables('authorizationServerList')[copyIndex()].resourceOwnerUsername), createObject('value', ''))]", - "serverDescription": "[if(contains(variables('authorizationServerList')[copyIndex()], 'serverDescription'), createObject('value', variables('authorizationServerList')[copyIndex()].serverDescription), createObject('value', ''))]", - "supportState": "[if(contains(variables('authorizationServerList')[copyIndex()], 'supportState'), createObject('value', variables('authorizationServerList')[copyIndex()].supportState), createObject('value', false()))]", - "tokenBodyParameters": "[if(contains(variables('authorizationServerList')[copyIndex()], 'tokenBodyParameters'), createObject('value', 
variables('authorizationServerList')[copyIndex()].tokenBodyParameters), createObject('value', createArray()))]", - "tokenEndpoint": "[if(contains(variables('authorizationServerList')[copyIndex()], 'tokenEndpoint'), createObject('value', variables('authorizationServerList')[copyIndex()].tokenEndpoint), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4791396269511004286" - }, - "name": "API Management Service Authorization Servers", - "description": "This module deploys an API Management Service Authorization Server.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Identifier of the authorization server." - } - }, - "apiManagementServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment." - } - }, - "authorizationEndpoint": { - "type": "string", - "metadata": { - "description": "Required. OAuth authorization endpoint. See ." - } - }, - "authorizationMethods": { - "type": "array", - "defaultValue": [ - "GET" - ], - "metadata": { - "description": "Optional. HTTP verbs supported by the authorization endpoint. GET must be always present. POST is optional. - HEAD, OPTIONS, TRACE, GET, POST, PUT, PATCH, DELETE." - } - }, - "bearerTokenSendingMethods": { - "type": "array", - "defaultValue": [ - "authorizationHeader" - ], - "metadata": { - "description": "Optional. Specifies the mechanism by which access token is passed to the API. - authorizationHeader or query." 
- } - }, - "clientAuthenticationMethod": { - "type": "array", - "defaultValue": [ - "Basic" - ], - "metadata": { - "description": "Optional. Method of authentication supported by the token endpoint of this authorization server. Possible values are Basic and/or Body. When Body is specified, client credentials and other parameters are passed within the request body in the application/x-www-form-urlencoded format. - Basic or Body." - } - }, - "clientId": { - "type": "securestring", - "metadata": { - "description": "Required. Client or app ID registered with this authorization server." - } - }, - "clientRegistrationEndpoint": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Optional reference to a page where client or app registration for this authorization server is performed. Contains absolute URL to entity being referenced." - } - }, - "clientSecret": { - "type": "securestring", - "metadata": { - "description": "Required. Client or app secret registered with this authorization server. This property will not be filled on 'GET' operations! Use '/listSecrets' POST request to get the value." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "defaultScope": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Access token scope that is going to be requested by default. Can be overridden at the API level. Should be provided in the form of a string containing space-delimited values." - } - }, - "serverDescription": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Description of the authorization server. Can contain HTML formatting tags." - } - }, - "grantTypes": { - "type": "array", - "metadata": { - "description": "Required. Form of an authorization grant, which the client uses to request the access token. 
- authorizationCode, implicit, resourceOwnerPassword, clientCredentials." - } - }, - "resourceOwnerPassword": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner password." - } - }, - "resourceOwnerUsername": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner username." - } - }, - "supportState": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. If true, authorization server will include state parameter from the authorization request to its response. Client may use state parameter to raise protocol security." - } - }, - "tokenBodyParameters": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Additional parameters required by the token endpoint of this authorization server represented as an array of JSON objects with name and value string properties, i.e. {\"name\" : \"name value\", \"value\": \"a value\"}. - TokenBodyParameterContract object." - } - }, - "tokenEndpoint": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. OAuth token endpoint. Contains absolute URI to entity being referenced." 
- } - } - }, - "variables": { - "defaultAuthorizationMethods": [ - "GET" - ], - "setAuthorizationMethods": "[union(parameters('authorizationMethods'), variables('defaultAuthorizationMethods'))]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ApiManagement/service/authorizationServers", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', parameters('apiManagementServiceName'), parameters('name'))]", - "properties": { - "description": "[parameters('serverDescription')]", - "authorizationMethods": "[variables('setAuthorizationMethods')]", - "clientAuthenticationMethod": "[parameters('clientAuthenticationMethod')]", - "tokenBodyParameters": "[parameters('tokenBodyParameters')]", - "tokenEndpoint": "[parameters('tokenEndpoint')]", - "supportState": "[parameters('supportState')]", - "defaultScope": "[parameters('defaultScope')]", - "bearerTokenSendingMethods": "[parameters('bearerTokenSendingMethods')]", - "resourceOwnerUsername": "[parameters('resourceOwnerUsername')]", - "resourceOwnerPassword": "[parameters('resourceOwnerPassword')]", - "displayName": "[parameters('name')]", - "clientRegistrationEndpoint": "[parameters('clientRegistrationEndpoint')]", - "authorizationEndpoint": "[parameters('authorizationEndpoint')]", - "grantTypes": "[parameters('grantTypes')]", - "clientId": "[parameters('clientId')]", - "clientSecret": "[parameters('clientSecret')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the API management service authorization server." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the API management service authorization server." - }, - "value": "[resourceId('Microsoft.ApiManagement/service/authorizationServers', parameters('apiManagementServiceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the API management service authorization server was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "service" - ] - }, - "service_backends": { - "copy": { - "name": "service_backends", - "count": "[length(parameters('backends'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Apim-Backend-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "apiManagementServiceName": { - "value": "[parameters('name')]" - }, - "url": "[if(contains(parameters('backends')[copyIndex()], 'url'), createObject('value', parameters('backends')[copyIndex()].url), createObject('value', ''))]", - "description": "[if(contains(parameters('backends')[copyIndex()], 'description'), createObject('value', parameters('backends')[copyIndex()].description), createObject('value', ''))]", - "credentials": "[if(contains(parameters('backends')[copyIndex()], 'credentials'), createObject('value', parameters('backends')[copyIndex()].credentials), createObject('value', createObject()))]", - "name": { - "value": "[parameters('backends')[copyIndex()].name]" - }, - "protocol": "[if(contains(parameters('backends')[copyIndex()], 'protocol'), createObject('value', parameters('backends')[copyIndex()].protocol), createObject('value', 'http'))]", - "proxy": "[if(contains(parameters('backends')[copyIndex()], 'proxy'), createObject('value', 
parameters('backends')[copyIndex()].proxy), createObject('value', createObject()))]", - "resourceId": "[if(contains(parameters('backends')[copyIndex()], 'resourceId'), createObject('value', parameters('backends')[copyIndex()].resourceId), createObject('value', ''))]", - "serviceFabricCluster": "[if(contains(parameters('backends')[copyIndex()], 'serviceFabricCluster'), createObject('value', parameters('backends')[copyIndex()].serviceFabricCluster), createObject('value', createObject()))]", - "title": "[if(contains(parameters('backends')[copyIndex()], 'title'), createObject('value', parameters('backends')[copyIndex()].title), createObject('value', ''))]", - "tls": "[if(contains(parameters('backends')[copyIndex()], 'tls'), createObject('value', parameters('backends')[copyIndex()].tls), createObject('value', createObject('validateCertificateChain', false(), 'validateCertificateName', false())))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "14371393063475773678" - }, - "name": "API Management Service Backends", - "description": "This module deploys an API Management Service Backend.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "apiManagementServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Backend Name." - } - }, - "credentials": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Backend Credentials Contract Properties." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Backend Description." - } - }, - "protocol": { - "type": "string", - "defaultValue": "http", - "metadata": { - "description": "Optional. Backend communication protocol. - http or soap." - } - }, - "proxy": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Backend Proxy Contract Properties." - } - }, - "resourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Management Uri of the Resource in External System. This URL can be the Arm Resource ID of Logic Apps, Function Apps or API Apps." - } - }, - "serviceFabricCluster": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Backend Service Fabric Cluster Properties." - } - }, - "title": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Backend Title." - } - }, - "tls": { - "type": "object", - "defaultValue": { - "validateCertificateChain": false, - "validateCertificateName": false - }, - "metadata": { - "description": "Optional. Backend TLS Properties." - } - }, - "url": { - "type": "string", - "metadata": { - "description": "Required. Runtime URL of the Backend." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ApiManagement/service/backends", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', parameters('apiManagementServiceName'), parameters('name'))]", - "properties": { - "title": "[if(not(empty(parameters('title'))), parameters('title'), null())]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "resourceId": "[if(not(empty(parameters('resourceId'))), parameters('resourceId'), null())]", - "properties": { - "serviceFabricCluster": "[if(not(empty(parameters('serviceFabricCluster'))), parameters('serviceFabricCluster'), null())]" - }, - "credentials": "[if(not(empty(parameters('credentials'))), parameters('credentials'), null())]", - "proxy": "[if(not(empty(parameters('proxy'))), parameters('proxy'), null())]", - "tls": "[if(not(empty(parameters('tls'))), parameters('tls'), null())]", - "url": "[parameters('url')]", - "protocol": "[parameters('protocol')]" - } - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the API management service backend." - }, - "value": "[resourceId('Microsoft.ApiManagement/service/backends', parameters('apiManagementServiceName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the API management service backend." 
- }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the API management service backend was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "service" - ] - }, - "service_caches": { - "copy": { - "name": "service_caches", - "count": "[length(parameters('caches'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Apim-Cache-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "apiManagementServiceName": { - "value": "[parameters('name')]" - }, - "description": "[if(contains(parameters('caches')[copyIndex()], 'description'), createObject('value', parameters('caches')[copyIndex()].description), createObject('value', ''))]", - "connectionString": { - "value": "[parameters('caches')[copyIndex()].connectionString]" - }, - "name": { - "value": "[parameters('caches')[copyIndex()].name]" - }, - "resourceId": "[if(contains(parameters('caches')[copyIndex()], 'resourceId'), createObject('value', parameters('caches')[copyIndex()].resourceId), createObject('value', ''))]", - "useFromLocation": { - "value": "[parameters('caches')[copyIndex()].useFromLocation]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10312358305910336044" - }, - "name": "API Management Service Caches", - "description": "This module deploys an API Management Service Cache.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "apiManagementServiceName": { - "type": 
"string", - "metadata": { - "description": "Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Identifier of the Cache entity. Cache identifier (should be either 'default' or valid Azure region identifier)." - } - }, - "connectionString": { - "type": "string", - "metadata": { - "description": "Required. Runtime connection string to cache. Can be referenced by a named value like so, {{}}." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Cache description." - } - }, - "resourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Original uri of entity in external system cache points to." - } - }, - "useFromLocation": { - "type": "string", - "metadata": { - "description": "Required. Location identifier to use cache from (should be either 'default' or valid Azure region identifier)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ApiManagement/service/caches", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', parameters('apiManagementServiceName'), parameters('name'))]", - "properties": { - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "connectionString": "[parameters('connectionString')]", - "useFromLocation": "[parameters('useFromLocation')]", - "resourceId": "[if(not(empty(parameters('resourceId'))), parameters('resourceId'), null())]" - } - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the API management service cache." - }, - "value": "[resourceId('Microsoft.ApiManagement/service/caches', parameters('apiManagementServiceName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the API management service cache." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the API management service cache was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "service" - ] - }, - "service_identityProviders": { - "copy": { - "name": "service_identityProviders", - "count": "[length(parameters('identityProviders'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Apim-IdentityProvider-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "apiManagementServiceName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('identityProviders')[copyIndex()].name]" - }, - "enableIdentityProviders": "[if(contains(parameters('identityProviders')[copyIndex()], 'enableIdentityProviders'), createObject('value', parameters('identityProviders')[copyIndex()].enableIdentityProviders), createObject('value', false()))]", - "allowedTenants": "[if(contains(parameters('identityProviders')[copyIndex()], 'allowedTenants'), createObject('value', parameters('identityProviders')[copyIndex()].allowedTenants), createObject('value', createArray()))]", - "authority": "[if(contains(parameters('identityProviders')[copyIndex()], 'authority'), createObject('value', parameters('identityProviders')[copyIndex()].authority), createObject('value', ''))]", - "clientId": "[if(contains(parameters('identityProviders')[copyIndex()], 'clientId'), createObject('value', parameters('identityProviders')[copyIndex()].clientId), createObject('value', ''))]", - "clientSecret": "[if(contains(parameters('identityProviders')[copyIndex()], 'clientSecret'), createObject('value', parameters('identityProviders')[copyIndex()].clientSecret), createObject('value', ''))]", - "passwordResetPolicyName": "[if(contains(parameters('identityProviders')[copyIndex()], 'passwordResetPolicyName'), createObject('value', parameters('identityProviders')[copyIndex()].passwordResetPolicyName), 
createObject('value', ''))]", - "profileEditingPolicyName": "[if(contains(parameters('identityProviders')[copyIndex()], 'profileEditingPolicyName'), createObject('value', parameters('identityProviders')[copyIndex()].profileEditingPolicyName), createObject('value', ''))]", - "signInPolicyName": "[if(contains(parameters('identityProviders')[copyIndex()], 'signInPolicyName'), createObject('value', parameters('identityProviders')[copyIndex()].signInPolicyName), createObject('value', ''))]", - "signInTenant": "[if(contains(parameters('identityProviders')[copyIndex()], 'signInTenant'), createObject('value', parameters('identityProviders')[copyIndex()].signInTenant), createObject('value', ''))]", - "signUpPolicyName": "[if(contains(parameters('identityProviders')[copyIndex()], 'signUpPolicyName'), createObject('value', parameters('identityProviders')[copyIndex()].signUpPolicyName), createObject('value', ''))]", - "type": "[if(contains(parameters('identityProviders')[copyIndex()], 'type'), createObject('value', parameters('identityProviders')[copyIndex()].type), createObject('value', 'aad'))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13036858747462562466" - }, - "name": "API Management Service Identity Providers", - "description": "This module deploys an API Management Service Identity Provider.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "apiManagementServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "enableIdentityProviders": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Used to enable the deployment of the identityProviders child resource." - } - }, - "allowedTenants": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of Allowed Tenants when configuring Azure Active Directory login. - string." - } - }, - "authority": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. OpenID Connect discovery endpoint hostname for AAD or AAD B2C." - } - }, - "clientId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. Client ID of the Application in the external Identity Provider. Required if identity provider is used." - } - }, - "clientSecret": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Conditional. Client secret of the Application in external Identity Provider, used to authenticate login request. Required if identity provider is used." - } - }, - "passwordResetPolicyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Password Reset Policy Name. Only applies to AAD B2C Identity Provider." - } - }, - "profileEditingPolicyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Profile Editing Policy Name. Only applies to AAD B2C Identity Provider." - } - }, - "signInPolicyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Signin Policy Name. Only applies to AAD B2C Identity Provider." - } - }, - "signInTenant": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
The TenantId to use instead of Common when logging into Active Directory." - } - }, - "signUpPolicyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Signup Policy Name. Only applies to AAD B2C Identity Provider." - } - }, - "type": { - "type": "string", - "defaultValue": "aad", - "allowedValues": [ - "aad", - "aadB2C", - "facebook", - "google", - "microsoft", - "twitter" - ], - "metadata": { - "description": "Optional. Identity Provider Type identifier." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Identity provider name." - } - } - }, - "variables": { - "isAadB2C": "[equals(parameters('type'), 'aadB2C')]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "condition": "[parameters('enableIdentityProviders')]", - "type": "Microsoft.ApiManagement/service/identityProviders", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', parameters('apiManagementServiceName'), parameters('name'))]", - "properties": { - "type": "[parameters('type')]", - "signinTenant": "[parameters('signInTenant')]", - "allowedTenants": "[parameters('allowedTenants')]", - "authority": "[parameters('authority')]", - "signupPolicyName": "[if(variables('isAadB2C'), parameters('signUpPolicyName'), null())]", - "signinPolicyName": "[if(variables('isAadB2C'), parameters('signInPolicyName'), null())]", - "profileEditingPolicyName": "[if(variables('isAadB2C'), parameters('profileEditingPolicyName'), null())]", - "passwordResetPolicyName": "[if(variables('isAadB2C'), 
parameters('passwordResetPolicyName'), null())]", - "clientId": "[parameters('clientId')]", - "clientSecret": "[parameters('clientSecret')]" - } - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the API management service identity provider." - }, - "value": "[resourceId('Microsoft.ApiManagement/service/identityProviders', parameters('apiManagementServiceName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the API management service identity provider." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the API management service identity provider was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "service" - ] - }, - "service_namedValues": { - "copy": { - "name": "service_namedValues", - "count": "[length(parameters('namedValues'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Apim-NamedValue-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "apiManagementServiceName": { - "value": "[parameters('name')]" - }, - "displayName": { - "value": "[parameters('namedValues')[copyIndex()].displayName]" - }, - "keyVault": "[if(contains(parameters('namedValues')[copyIndex()], 'keyVault'), createObject('value', parameters('namedValues')[copyIndex()].keyVault), createObject('value', createObject()))]", - "name": { - "value": "[parameters('namedValues')[copyIndex()].name]" - }, - "tags": { - "value": "[tryGet(parameters('namedValues')[copyIndex()], 'tags')]" - }, - "secret": "[if(contains(parameters('namedValues')[copyIndex()], 'secret'), createObject('value', parameters('namedValues')[copyIndex()].secret), 
createObject('value', false()))]", - "value": "[if(contains(parameters('namedValues')[copyIndex()], 'value'), createObject('value', parameters('namedValues')[copyIndex()].value), createObject('value', parameters('newGuidValue')))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "14872932654104188944" - }, - "name": "API Management Service Named Values", - "description": "This module deploys an API Management Service Named Value.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "apiManagementServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "displayName": { - "type": "string", - "metadata": { - "description": "Required. Unique name of NamedValue. It may contain only letters, digits, period, dash, and underscore characters." - } - }, - "keyVault": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. KeyVault location details of the namedValue." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Named value Name." - } - }, - "tags": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Tags that when provided can be used to filter the NamedValue list. - string." - } - }, - "secret": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. 
Determines whether the value is a secret and should be encrypted or not. Default value is false." - } - }, - "value": { - "type": "string", - "defaultValue": "[newGuid()]", - "metadata": { - "description": "Optional. Value of the NamedValue. Can contain policy expressions. It may not be empty or consist only of whitespace. This property will not be filled on 'GET' operations! Use '/listSecrets' POST request to get the value." - } - } - }, - "variables": { - "keyVaultEmpty": "[empty(parameters('keyVault'))]" - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "service": { - "existing": true, - "type": "Microsoft.ApiManagement/service", - "apiVersion": "2021-08-01", - "name": "[parameters('apiManagementServiceName')]" - }, - "namedValue": { - "type": "Microsoft.ApiManagement/service/namedValues", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', parameters('apiManagementServiceName'), parameters('name'))]", - "properties": { - "tags": "[parameters('tags')]", - "secret": "[parameters('secret')]", - "displayName": "[parameters('displayName')]", - "value": "[if(variables('keyVaultEmpty'), parameters('value'), null())]", - "keyVault": "[if(not(variables('keyVaultEmpty')), parameters('keyVault'), null())]" - }, - "dependsOn": [ - "service" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the named value." 
- }, - "value": "[resourceId('Microsoft.ApiManagement/service/namedValues', parameters('apiManagementServiceName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the named value." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the named value was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "service" - ] - }, - "service_portalsettings": { - "copy": { - "name": "service_portalsettings", - "count": "[length(parameters('portalsettings'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Apim-PortalSetting-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "apiManagementServiceName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('portalsettings')[copyIndex()].name]" - }, - "properties": "[if(contains(parameters('portalsettings')[copyIndex()], 'properties'), createObject('value', parameters('portalsettings')[copyIndex()].properties), createObject('value', createObject()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "12676245745541867340" - }, - "name": "API Management Service Portal Settings", - "description": "This module deploys an API Management Service Portal Setting.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "apiManagementServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. 
The name of the parent API Management service. Required if the template is used in a standalone deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "name": { - "type": "string", - "allowedValues": [ - "delegation", - "signin", - "signup" - ], - "metadata": { - "description": "Required. Portal setting name." - } - }, - "properties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Portal setting properties." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "condition": "[not(empty(parameters('properties')))]", - "type": "Microsoft.ApiManagement/service/portalsettings", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', parameters('apiManagementServiceName'), parameters('name'))]", - "properties": "[parameters('properties')]" - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the API management service portal setting." - }, - "value": "[resourceId('Microsoft.ApiManagement/service/portalsettings', parameters('apiManagementServiceName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the API management service portal setting." 
- }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the API management service portal setting was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "service" - ] - }, - "service_policies": { - "copy": { - "name": "service_policies", - "count": "[length(parameters('policies'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Apim-Policy-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "apiManagementServiceName": { - "value": "[parameters('name')]" - }, - "value": { - "value": "[parameters('policies')[copyIndex()].value]" - }, - "format": "[if(contains(parameters('policies')[copyIndex()], 'format'), createObject('value', parameters('policies')[copyIndex()].format), createObject('value', 'xml'))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16586961527396343119" - }, - "name": "API Management Service Policies", - "description": "This module deploys an API Management Service Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "apiManagementServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "policy", - "metadata": { - "description": "Optional. The name of the policy." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "format": { - "type": "string", - "defaultValue": "xml", - "allowedValues": [ - "rawxml", - "rawxml-link", - "xml", - "xml-link" - ], - "metadata": { - "description": "Optional. Format of the policyContent." - } - }, - "value": { - "type": "string", - "metadata": { - "description": "Required. Contents of the Policy as defined by the format." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ApiManagement/service/policies", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', parameters('apiManagementServiceName'), parameters('name'))]", - "properties": { - "format": "[parameters('format')]", - "value": "[parameters('value')]" - } - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the API management service policy." - }, - "value": "[resourceId('Microsoft.ApiManagement/service/policies', parameters('apiManagementServiceName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the API management service policy." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the API management service policy was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "service" - ] - }, - "service_products": { - "copy": { - "name": "service_products", - "count": "[length(parameters('products'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Apim-Product-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "apiManagementServiceName": { - "value": "[parameters('name')]" - }, - "apis": "[if(contains(parameters('products')[copyIndex()], 'apis'), createObject('value', parameters('products')[copyIndex()].apis), createObject('value', createArray()))]", - "approvalRequired": "[if(contains(parameters('products')[copyIndex()], 'approvalRequired'), createObject('value', parameters('products')[copyIndex()].approvalRequired), createObject('value', false()))]", - "groups": "[if(contains(parameters('products')[copyIndex()], 'groups'), createObject('value', parameters('products')[copyIndex()].groups), createObject('value', createArray()))]", - "name": { - "value": "[parameters('products')[copyIndex()].name]" - }, - "description": "[if(contains(parameters('products')[copyIndex()], 'description'), createObject('value', parameters('products')[copyIndex()].description), createObject('value', ''))]", - "state": "[if(contains(parameters('products')[copyIndex()], 'state'), createObject('value', parameters('products')[copyIndex()].state), createObject('value', 'published'))]", - "subscriptionRequired": "[if(contains(parameters('products')[copyIndex()], 'subscriptionRequired'), createObject('value', parameters('products')[copyIndex()].subscriptionRequired), createObject('value', false()))]", - "subscriptionsLimit": "[if(contains(parameters('products')[copyIndex()], 'subscriptionsLimit'), createObject('value', parameters('products')[copyIndex()].subscriptionsLimit), 
createObject('value', 1))]", - "terms": "[if(contains(parameters('products')[copyIndex()], 'terms'), createObject('value', parameters('products')[copyIndex()].terms), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "8527180272588578376" - }, - "name": "API Management Service Products", - "description": "This module deploys an API Management Service Product.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "apiManagementServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment." - } - }, - "approvalRequired": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether subscription approval is required. If false, new subscriptions will be approved automatically enabling developers to call the products APIs immediately after subscribing. If true, administrators must manually approve the subscription before the developer can any of the products APIs. Can be present only if subscriptionRequired property is present and has a value of false." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Product description. May include HTML formatting tags." - } - }, - "apis": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of Product APIs." 
- } - }, - "groups": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of Product Groups." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Product Name." - } - }, - "state": { - "type": "string", - "defaultValue": "published", - "metadata": { - "description": "Optional. whether product is published or not. Published products are discoverable by users of developer portal. Non published products are visible only to administrators. Default state of Product is notPublished. - notPublished or published." - } - }, - "subscriptionRequired": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether a product subscription is required for accessing APIs included in this product. If true, the product is referred to as \"protected\" and a valid subscription key is required for a request to an API included in the product to succeed. If false, the product is referred to as \"open\" and requests to an API included in the product can be made without a subscription key. If property is omitted when creating a new product it's value is assumed to be true." - } - }, - "subscriptionsLimit": { - "type": "int", - "defaultValue": 1, - "metadata": { - "description": "Optional. Whether the number of subscriptions a user can have to this product at the same time. Set to null or omit to allow unlimited per user subscriptions. Can be present only if subscriptionRequired property is present and has a value of false." - } - }, - "terms": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Product terms of use. Developers trying to subscribe to the product will be presented and required to accept these terms before they can complete the subscription process." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ApiManagement/service/products", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', parameters('apiManagementServiceName'), parameters('name'))]", - "properties": { - "description": "[parameters('description')]", - "displayName": "[parameters('name')]", - "terms": "[parameters('terms')]", - "subscriptionRequired": "[parameters('subscriptionRequired')]", - "approvalRequired": "[if(parameters('subscriptionRequired'), parameters('approvalRequired'), null())]", - "subscriptionsLimit": "[if(parameters('subscriptionRequired'), parameters('subscriptionsLimit'), null())]", - "state": "[parameters('state')]" - } - }, - { - "copy": { - "name": "product_apis", - "count": "[length(parameters('apis'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Api-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "apiManagementServiceName": { - "value": "[parameters('apiManagementServiceName')]" - }, - "name": { - "value": "[parameters('apis')[copyIndex()].name]" - }, - "productName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - 
"contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17352324470715058273" - }, - "name": "API Management Service Products APIs", - "description": "This module deploys an API Management Service Product API.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "apiManagementServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment." - } - }, - "productName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Product. Required if the template is used in a standalone deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the product API." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ApiManagement/service/products/apis", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}/{2}', parameters('apiManagementServiceName'), parameters('productName'), parameters('name'))]" - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the product API." 
- }, - "value": "[resourceId('Microsoft.ApiManagement/service/products/apis', parameters('apiManagementServiceName'), parameters('productName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the product API." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the product API was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - } - }, - { - "copy": { - "name": "product_groups", - "count": "[length(parameters('groups'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Group-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "apiManagementServiceName": { - "value": "[parameters('apiManagementServiceName')]" - }, - "name": { - "value": "[parameters('groups')[copyIndex()].name]" - }, - "productName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16541523008963717147" - }, - "name": "API Management Service Products Groups", - "description": "This module deploys an API Management Service Product Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "apiManagementServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment." - } - }, - "productName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Product. 
Required if the template is used in a standalone deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the product group." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ApiManagement/service/products/groups", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}/{2}', parameters('apiManagementServiceName'), parameters('productName'), parameters('name'))]" - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the product group." - }, - "value": "[resourceId('Microsoft.ApiManagement/service/products/groups', parameters('apiManagementServiceName'), parameters('productName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the product group." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the product group was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - } - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the API management service product." 
- }, - "value": "[resourceId('Microsoft.ApiManagement/service/products', parameters('apiManagementServiceName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the API management service product." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the API management service product was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "apiResourceIds": { - "type": "array", - "metadata": { - "description": "The Resources IDs of the API management service product APIs." - }, - "copy": { - "count": "[length(range(0, length(parameters('apis'))))]", - "input": "[reference(resourceId('Microsoft.Resources/deployments', format('{0}-Api-{1}', deployment().name, range(0, length(parameters('apis')))[copyIndex()])), '2022-09-01').outputs.resourceId.value]" - } - }, - "groupResourceIds": { - "type": "array", - "metadata": { - "description": "The Resources IDs of the API management service product groups." 
- }, - "copy": { - "count": "[length(range(0, length(parameters('groups'))))]", - "input": "[reference(resourceId('Microsoft.Resources/deployments', format('{0}-Group-{1}', deployment().name, range(0, length(parameters('groups')))[copyIndex()])), '2022-09-01').outputs.resourceId.value]" - } - } - } - } - }, - "dependsOn": [ - "service", - "service_apis" - ] - }, - "service_subscriptions": { - "copy": { - "name": "service_subscriptions", - "count": "[length(parameters('subscriptions'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Apim-Subscription-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "apiManagementServiceName": { - "value": "[parameters('name')]" - }, - "name": "[if(contains(parameters('subscriptions')[copyIndex()], 'name'), createObject('value', parameters('subscriptions')[copyIndex()].name), createObject('value', ''))]", - "allowTracing": "[if(contains(parameters('subscriptions')[copyIndex()], 'allowTracing'), createObject('value', parameters('subscriptions')[copyIndex()].allowTracing), createObject('value', false()))]", - "ownerId": "[if(contains(parameters('subscriptions')[copyIndex()], 'ownerId'), createObject('value', parameters('subscriptions')[copyIndex()].ownerId), createObject('value', ''))]", - "primaryKey": "[if(contains(parameters('subscriptions')[copyIndex()], 'primaryKey'), createObject('value', parameters('subscriptions')[copyIndex()].primaryKey), createObject('value', ''))]", - "scope": "[if(contains(parameters('subscriptions')[copyIndex()], 'scope'), createObject('value', parameters('subscriptions')[copyIndex()].scope), createObject('value', '/apis'))]", - "secondaryKey": "[if(contains(parameters('subscriptions')[copyIndex()], 'secondaryKey'), createObject('value', parameters('subscriptions')[copyIndex()].secondaryKey), 
createObject('value', ''))]", - "state": "[if(contains(parameters('subscriptions')[copyIndex()], 'state'), createObject('value', parameters('subscriptions')[copyIndex()].state), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15367144313924447449" - }, - "name": "API Management Service Subscriptions", - "description": "This module deploys an API Management Service Subscription.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "allowTracing": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Determines whether tracing can be enabled." - } - }, - "apiManagementServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "ownerId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. User (user ID path) for whom subscription is being created in form /users/{userId}." - } - }, - "primaryKey": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Primary subscription key. If not specified during request key will be generated automatically." - } - }, - "scope": { - "type": "string", - "defaultValue": "/apis", - "metadata": { - "description": "Optional. Scope type to choose between a product, \"allAPIs\" or a specific API. Scope like \"/products/{productId}\" or \"/apis\" or \"/apis/{apiId}\"." 
- } - }, - "secondaryKey": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Secondary subscription key. If not specified during request key will be generated automatically." - } - }, - "state": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Initial subscription state. If no value is specified, subscription is created with Submitted state. Possible states are \"*\" active \"?\" the subscription is active, \"*\" suspended \"?\" the subscription is blocked, and the subscriber cannot call any APIs of the product, * submitted ? the subscription request has been made by the developer, but has not yet been approved or rejected, * rejected ? the subscription request has been denied by an administrator, * cancelled ? the subscription has been cancelled by the developer or administrator, * expired ? the subscription reached its expiration date and was deactivated. - suspended, active, expired, submitted, rejected, cancelled." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Subscription name." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ApiManagement/service/subscriptions", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', parameters('apiManagementServiceName'), parameters('name'))]", - "properties": { - "scope": "[parameters('scope')]", - "displayName": "[parameters('name')]", - "ownerId": "[if(not(empty(parameters('ownerId'))), parameters('ownerId'), null())]", - "primaryKey": "[if(not(empty(parameters('primaryKey'))), parameters('primaryKey'), null())]", - "secondaryKey": "[if(not(empty(parameters('secondaryKey'))), parameters('secondaryKey'), null())]", - "state": "[if(not(empty(parameters('state'))), parameters('state'), null())]", - "allowTracing": "[parameters('allowTracing')]" - } - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the API management service subscription." - }, - "value": "[resourceId('Microsoft.ApiManagement/service/subscriptions', parameters('apiManagementServiceName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the API management service subscription." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the API management service subscription was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "service" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the API management service." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the API management service." - }, - "value": "[resourceId('Microsoft.ApiManagement/service', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the API management service was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('service', '2021-08-01', 'full').identity, 'principalId')), reference('service', '2021-08-01', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('service', '2021-08-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/api-management/service/named-value/README.md b/modules/api-management/service/named-value/README.md deleted file mode 100644 index a34ff1560b..0000000000 --- a/modules/api-management/service/named-value/README.md +++ /dev/null 
@@ -1,148 +0,0 @@ -# API Management Service Named Values `[Microsoft.ApiManagement/service/namedValues]` - -This module deploys an API Management Service Named Value. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.ApiManagement/service/namedValues` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/namedValues) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`displayName`](#parameter-displayname) | string | Unique name of NamedValue. It may contain only letters, digits, period, dash, and underscore characters. | -| [`name`](#parameter-name) | string | Named value Name. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`apiManagementServiceName`](#parameter-apimanagementservicename) | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`keyVault`](#parameter-keyvault) | object | KeyVault location details of the namedValue. | -| [`secret`](#parameter-secret) | bool | Determines whether the value is a secret and should be encrypted or not. Default value is false. | -| [`tags`](#parameter-tags) | array | Tags that when provided can be used to filter the NamedValue list. - string. | -| [`value`](#parameter-value) | string | Value of the NamedValue. Can contain policy expressions. It may not be empty or consist only of whitespace. This property will not be filled on 'GET' operations! 
Use '/listSecrets' POST request to get the value. | - -### Parameter: `displayName` - -Unique name of NamedValue. It may contain only letters, digits, period, dash, and underscore characters. - -- Required: Yes -- Type: string - -### Parameter: `name` - -Named value Name. - -- Required: Yes -- Type: string - -### Parameter: `apiManagementServiceName` - -The name of the parent API Management service. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `keyVault` - -KeyVault location details of the namedValue. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `secret` - -Determines whether the value is a secret and should be encrypted or not. Default value is false. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `tags` - -Tags that when provided can be used to filter the NamedValue list. - string. - -- Required: No -- Type: array - -### Parameter: `value` - -Value of the NamedValue. Can contain policy expressions. It may not be empty or consist only of whitespace. This property will not be filled on 'GET' operations! Use '/listSecrets' POST request to get the value. - -- Required: No -- Type: string -- Default: `[newGuid()]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the named value. | -| `resourceGroupName` | string | The resource group the named value was deployed into. | -| `resourceId` | string | The resource ID of the named value. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `keyVault` - -

- -Parameter JSON format - -```json -"keyVault": { - "value":{ - "secretIdentifier":"Key vault secret identifier for fetching secret.", - "identityClientId":"SystemAssignedIdentity or UserAssignedIdentity Client ID which will be used to access key vault secret." - } -} -``` - -
- -
- -Bicep format - -```bicep -keyVault: { - secretIdentifier:'Key vault secret identifier for fetching secret.' - identityClientId:'SystemAssignedIdentity or UserAssignedIdentity Client ID which will be used to access key vault secret.' -} -``` - -
-

diff --git a/modules/api-management/service/named-value/main.bicep b/modules/api-management/service/named-value/main.bicep
deleted file mode 100644
index 87e4c66e5c..0000000000
--- a/modules/api-management/service/named-value/main.bicep
+++ /dev/null
@@ -1,67 +0,0 @@ -metadata name = 'API Management Service Named Values' -metadata description = 'This module deploys an API Management Service Named Value.' -metadata owner = 'Azure/module-maintainers' - -@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.') -param apiManagementServiceName string - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Required. Unique name of NamedValue. It may contain only letters, digits, period, dash, and underscore characters.') -param displayName string - -@description('Optional. KeyVault location details of the namedValue.') -param keyVault object = {} - -@description('Required. Named value Name.') -param name string - -@description('Optional. Tags that when provided can be used to filter the NamedValue list. - string.') -param tags array? - -@description('Optional. Determines whether the value is a secret and should be encrypted or not. Default value is false.') -#disable-next-line secure-secrets-in-params // Not a secret -param secret bool = false - -@description('Optional. Value of the NamedValue. Can contain policy expressions. It may not be empty or consist only of whitespace. This property will not be filled on \'GET\' operations! 
Use \'/listSecrets\' POST request to get the value.') -param value string = newGuid() - -var keyVaultEmpty = empty(keyVault) - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = { - name: apiManagementServiceName -} - -resource namedValue 'Microsoft.ApiManagement/service/namedValues@2021-08-01' = { - name: name - parent: service - properties: { - tags: tags - secret: secret - displayName: displayName - value: keyVaultEmpty ? value : null - keyVault: !keyVaultEmpty ? keyVault : null - } -} - -@description('The resource ID of the named value.') -output resourceId string = namedValue.id - -@description('The name of the named value.') -output name string = namedValue.name - -@description('The resource group the named value was deployed into.') -output resourceGroupName string = resourceGroup().name diff --git a/modules/api-management/service/named-value/main.json b/modules/api-management/service/named-value/main.json deleted file mode 100644 index ad8627e752..0000000000 --- a/modules/api-management/service/named-value/main.json +++ /dev/null 
@@ -1,133 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "14872932654104188944" - }, - "name": "API Management Service Named Values", - "description": "This module deploys an API Management Service Named Value.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "apiManagementServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "displayName": { - "type": "string", - "metadata": { - "description": "Required. Unique name of NamedValue. It may contain only letters, digits, period, dash, and underscore characters." - } - }, - "keyVault": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. KeyVault location details of the namedValue." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Named value Name." - } - }, - "tags": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Tags that when provided can be used to filter the NamedValue list. - string." - } - }, - "secret": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Determines whether the value is a secret and should be encrypted or not. Default value is false." - } - }, - "value": { - "type": "string", - "defaultValue": "[newGuid()]", - "metadata": { - "description": "Optional. Value of the NamedValue. Can contain policy expressions. It may not be empty or consist only of whitespace. 
This property will not be filled on 'GET' operations! Use '/listSecrets' POST request to get the value." - } - } - }, - "variables": { - "keyVaultEmpty": "[empty(parameters('keyVault'))]" - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "service": { - "existing": true, - "type": "Microsoft.ApiManagement/service", - "apiVersion": "2021-08-01", - "name": "[parameters('apiManagementServiceName')]" - }, - "namedValue": { - "type": "Microsoft.ApiManagement/service/namedValues", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', parameters('apiManagementServiceName'), parameters('name'))]", - "properties": { - "tags": "[parameters('tags')]", - "secret": "[parameters('secret')]", - "displayName": "[parameters('displayName')]", - "value": "[if(variables('keyVaultEmpty'), parameters('value'), null())]", - "keyVault": "[if(not(variables('keyVaultEmpty')), parameters('keyVault'), null())]" - }, - "dependsOn": [ - "service" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the named value." - }, - "value": "[resourceId('Microsoft.ApiManagement/service/namedValues', parameters('apiManagementServiceName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the named value." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the named value was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/api-management/service/named-value/version.json b/modules/api-management/service/named-value/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/api-management/service/named-value/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/api-management/service/policy/README.md b/modules/api-management/service/policy/README.md deleted file mode 100644 index 6b8af635b3..0000000000 --- a/modules/api-management/service/policy/README.md +++ /dev/null 
@@ -1,98 +0,0 @@
-# API Management Service Policies `[Microsoft.ApiManagement/service/policies]`
-
-This module deploys an API Management Service Policy.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.ApiManagement/service/policies` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/policies) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`value`](#parameter-value) | string | Contents of the Policy as defined by the format. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`apiManagementServiceName`](#parameter-apimanagementservicename) | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`format`](#parameter-format) | string | Format of the policyContent. |
-| [`name`](#parameter-name) | string | The name of the policy. |
-
-### Parameter: `value`
-
-Contents of the Policy as defined by the format.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `apiManagementServiceName`
-
-The name of the parent API Management service. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `format`
-
-Format of the policyContent.
-
-- Required: No
-- Type: string
-- Default: `'xml'`
-- Allowed:
- ```Bicep
- [
- 'rawxml'
- 'rawxml-link'
- 'xml'
- 'xml-link'
- ]
- ```
-
-### Parameter: `name`
-
-The name of the policy.
-
-- Required: No
-- Type: string
-- Default: `'policy'`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the API management service policy. |
-| `resourceGroupName` | string | The resource group the API management service policy was deployed into. |
-| `resourceId` | string | The resource ID of the API management service policy. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/api-management/service/policy/main.bicep b/modules/api-management/service/policy/main.bicep
deleted file mode 100644
index a4d6c778c9..0000000000
--- a/modules/api-management/service/policy/main.bicep
+++ /dev/null
@@ -1,58 +0,0 @@
-metadata name = 'API Management Service Policies'
-metadata description = 'This module deploys an API Management Service Policy.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
-param apiManagementServiceName string
-
-@description('Optional. The name of the policy.')
-param name string = 'policy'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. Format of the policyContent.')
-@allowed([
- 'rawxml'
- 'rawxml-link'
- 'xml'
- 'xml-link'
-])
-param format string = 'xml'
-
-@description('Required. Contents of the Policy as defined by the format.')
-param value string
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
- name: apiManagementServiceName
-}
-
-resource policy 'Microsoft.ApiManagement/service/policies@2021-08-01' = {
- name: name
- parent: service
- properties: {
- format: format
- value: value
- }
-}
-
-@description('The resource ID of the API management service policy.')
-output resourceId string = policy.id
-
-@description('The name of the API management service policy.')
-output name string = policy.name
-
-@description('The resource group the API management service policy was deployed into.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/api-management/service/policy/main.json b/modules/api-management/service/policy/main.json
deleted file mode 100644
index bb5cfde55e..0000000000
--- a/modules/api-management/service/policy/main.json
+++ /dev/null
@@ -1,103 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16586961527396343119" - }, - "name": "API Management Service Policies", - "description": "This module deploys an API Management Service Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "apiManagementServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "policy", - "metadata": { - "description": "Optional. The name of the policy." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "format": { - "type": "string", - "defaultValue": "xml", - "allowedValues": [ - "rawxml", - "rawxml-link", - "xml", - "xml-link" - ], - "metadata": { - "description": "Optional. Format of the policyContent." - } - }, - "value": { - "type": "string", - "metadata": { - "description": "Required. Contents of the Policy as defined by the format." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ApiManagement/service/policies", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', parameters('apiManagementServiceName'), parameters('name'))]", - "properties": { - "format": "[parameters('format')]", - "value": "[parameters('value')]" - } - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the API management service policy." - }, - "value": "[resourceId('Microsoft.ApiManagement/service/policies', parameters('apiManagementServiceName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the API management service policy." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the API management service policy was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/api-management/service/policy/version.json b/modules/api-management/service/policy/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/api-management/service/policy/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/api-management/service/portalsetting/README.md b/modules/api-management/service/portalsetting/README.md
deleted file mode 100644
index 05641fe1d1..0000000000
--- a/modules/api-management/service/portalsetting/README.md
+++ /dev/null
@@ -1,88 +0,0 @@ -# API Management Service Portal Settings `[Microsoft.ApiManagement/service/portalsettings]` - -This module deploys an API Management Service Portal Setting. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.ApiManagement/service/portalsettings` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/service) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Portal setting name. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`apiManagementServiceName`](#parameter-apimanagementservicename) | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`properties`](#parameter-properties) | object | Portal setting properties. | - -### Parameter: `name` - -Portal setting name. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'delegation' - 'signin' - 'signup' - ] - ``` - -### Parameter: `apiManagementServiceName` - -The name of the parent API Management service. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `properties` - -Portal setting properties. 
- -- Required: No -- Type: object -- Default: `{}` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the API management service portal setting. | -| `resourceGroupName` | string | The resource group the API management service portal setting was deployed into. | -| `resourceId` | string | The resource ID of the API management service portal setting. | - -## Cross-referenced modules - -_None_ diff --git a/modules/api-management/service/portalsetting/main.bicep b/modules/api-management/service/portalsetting/main.bicep deleted file mode 100644 index 8a2111b2d6..0000000000 --- a/modules/api-management/service/portalsetting/main.bicep +++ /dev/null 
@@ -1,51 +0,0 @@
-metadata name = 'API Management Service Portal Settings'
-metadata description = 'This module deploys an API Management Service Portal Setting.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
-param apiManagementServiceName string
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Required. Portal setting name.')
-@allowed([
- 'delegation'
- 'signin'
- 'signup'
-])
-param name string
-
-@description('Optional. Portal setting properties.')
-param properties object = {}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
- name: apiManagementServiceName
-}
-
-resource portalSetting 'Microsoft.ApiManagement/service/portalsettings@2021-08-01' = if (!empty(properties)) {
- name: any(name)
- parent: service
- properties: properties
-}
-
-@description('The resource ID of the API management service portal setting.')
-output resourceId string = portalSetting.id
-
-@description('The name of the API management service portal setting.')
-output name string = portalSetting.name
-
-@description('The resource group the API management service portal setting was deployed into.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/api-management/service/portalsetting/main.json b/modules/api-management/service/portalsetting/main.json
deleted file mode 100644
index 6320ca39fb..0000000000
--- a/modules/api-management/service/portalsetting/main.json
+++ /dev/null
@@ -1,93 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "12676245745541867340" - }, - "name": "API Management Service Portal Settings", - "description": "This module deploys an API Management Service Portal Setting.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "apiManagementServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "name": { - "type": "string", - "allowedValues": [ - "delegation", - "signin", - "signup" - ], - "metadata": { - "description": "Required. Portal setting name." - } - }, - "properties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Portal setting properties." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "condition": "[not(empty(parameters('properties')))]", - "type": "Microsoft.ApiManagement/service/portalsettings", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', parameters('apiManagementServiceName'), parameters('name'))]", - "properties": "[parameters('properties')]" - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the API management service portal setting." - }, - "value": "[resourceId('Microsoft.ApiManagement/service/portalsettings', parameters('apiManagementServiceName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the API management service portal setting." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the API management service portal setting was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/api-management/service/portalsetting/version.json b/modules/api-management/service/portalsetting/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/api-management/service/portalsetting/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/api-management/service/product/README.md b/modules/api-management/service/product/README.md
deleted file mode 100644
index faea3e798b..0000000000
--- a/modules/api-management/service/product/README.md
+++ /dev/null
@@ -1,147 +0,0 @@ -# API Management Service Products `[Microsoft.ApiManagement/service/products]` - -This module deploys an API Management Service Product. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.ApiManagement/service/products` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/products) | -| `Microsoft.ApiManagement/service/products/apis` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/products/apis) | -| `Microsoft.ApiManagement/service/products/groups` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/products/groups) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Product Name. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`apiManagementServiceName`](#parameter-apimanagementservicename) | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`apis`](#parameter-apis) | array | Array of Product APIs. | -| [`approvalRequired`](#parameter-approvalrequired) | bool | Whether subscription approval is required. If false, new subscriptions will be approved automatically enabling developers to call the products APIs immediately after subscribing. If true, administrators must manually approve the subscription before the developer can any of the products APIs. Can be present only if subscriptionRequired property is present and has a value of false. 
| -| [`description`](#parameter-description) | string | Product description. May include HTML formatting tags. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`groups`](#parameter-groups) | array | Array of Product Groups. | -| [`state`](#parameter-state) | string | whether product is published or not. Published products are discoverable by users of developer portal. Non published products are visible only to administrators. Default state of Product is notPublished. - notPublished or published. | -| [`subscriptionRequired`](#parameter-subscriptionrequired) | bool | Whether a product subscription is required for accessing APIs included in this product. If true, the product is referred to as "protected" and a valid subscription key is required for a request to an API included in the product to succeed. If false, the product is referred to as "open" and requests to an API included in the product can be made without a subscription key. If property is omitted when creating a new product it's value is assumed to be true. | -| [`subscriptionsLimit`](#parameter-subscriptionslimit) | int | Whether the number of subscriptions a user can have to this product at the same time. Set to null or omit to allow unlimited per user subscriptions. Can be present only if subscriptionRequired property is present and has a value of false. | -| [`terms`](#parameter-terms) | string | Product terms of use. Developers trying to subscribe to the product will be presented and required to accept these terms before they can complete the subscription process. | - -### Parameter: `name` - -Product Name. - -- Required: Yes -- Type: string - -### Parameter: `apiManagementServiceName` - -The name of the parent API Management service. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `apis` - -Array of Product APIs. 
- -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `approvalRequired` - -Whether subscription approval is required. If false, new subscriptions will be approved automatically enabling developers to call the products APIs immediately after subscribing. If true, administrators must manually approve the subscription before the developer can any of the products APIs. Can be present only if subscriptionRequired property is present and has a value of false. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `description` - -Product description. May include HTML formatting tags. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `groups` - -Array of Product Groups. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `state` - -whether product is published or not. Published products are discoverable by users of developer portal. Non published products are visible only to administrators. Default state of Product is notPublished. - notPublished or published. - -- Required: No -- Type: string -- Default: `'published'` - -### Parameter: `subscriptionRequired` - -Whether a product subscription is required for accessing APIs included in this product. If true, the product is referred to as "protected" and a valid subscription key is required for a request to an API included in the product to succeed. If false, the product is referred to as "open" and requests to an API included in the product can be made without a subscription key. If property is omitted when creating a new product it's value is assumed to be true. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `subscriptionsLimit` - -Whether the number of subscriptions a user can have to this product at the same time. Set to null or omit to allow unlimited per user subscriptions. 
Can be present only if subscriptionRequired property is present and has a value of false. - -- Required: No -- Type: int -- Default: `1` - -### Parameter: `terms` - -Product terms of use. Developers trying to subscribe to the product will be presented and required to accept these terms before they can complete the subscription process. - -- Required: No -- Type: string -- Default: `''` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `apiResourceIds` | array | The Resources IDs of the API management service product APIs. | -| `groupResourceIds` | array | The Resources IDs of the API management service product groups. | -| `name` | string | The name of the API management service product. | -| `resourceGroupName` | string | The resource group the API management service product was deployed into. | -| `resourceId` | string | The resource ID of the API management service product. | - -## Cross-referenced modules - -_None_ diff --git a/modules/api-management/service/product/api/README.md b/modules/api-management/service/product/api/README.md deleted file mode 100644 index 67e3cbc13c..0000000000 --- a/modules/api-management/service/product/api/README.md +++ /dev/null 
@@ -1,79 +0,0 @@ -# API Management Service Products APIs `[Microsoft.ApiManagement/service/products/apis]` - -This module deploys an API Management Service Product API. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.ApiManagement/service/products/apis` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/products/apis) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the product API. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`apiManagementServiceName`](#parameter-apimanagementservicename) | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | -| [`productName`](#parameter-productname) | string | The name of the parent Product. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | - -### Parameter: `name` - -Name of the product API. - -- Required: Yes -- Type: string - -### Parameter: `apiManagementServiceName` - -The name of the parent API Management service. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `productName` - -The name of the parent Product. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). 
- -- Required: No -- Type: bool -- Default: `True` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the product API. | -| `resourceGroupName` | string | The resource group the product API was deployed into. | -| `resourceId` | string | The resource ID of the product API. | - -## Cross-referenced modules - -_None_ diff --git a/modules/api-management/service/product/api/main.bicep b/modules/api-management/service/product/api/main.bicep deleted file mode 100644 index 0b3e018e5b..0000000000 --- a/modules/api-management/service/product/api/main.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-metadata name = 'API Management Service Products APIs'
-metadata description = 'This module deploys an API Management Service Product API.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
-param apiManagementServiceName string
-
-@description('Conditional. The name of the parent Product. Required if the template is used in a standalone deployment.')
-param productName string
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Required. Name of the product API.')
-param name string
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
- name: apiManagementServiceName
-
- resource product 'products@2021-04-01-preview' existing = {
- name: productName
- }
-}
-
-resource api 'Microsoft.ApiManagement/service/products/apis@2021-08-01' = {
- name: name
- parent: service::product
-}
-
-@description('The resource ID of the product API.')
-output resourceId string = api.id
-
-@description('The name of the product API.')
-output name string = api.name
-
-@description('The resource group the product API was deployed into.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/api-management/service/product/api/main.json b/modules/api-management/service/product/api/main.json
deleted file mode 100644
index f0565ff5ae..0000000000
--- a/modules/api-management/service/product/api/main.json
+++ /dev/null
@@ -1,85 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17352324470715058273" - }, - "name": "API Management Service Products APIs", - "description": "This module deploys an API Management Service Product API.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "apiManagementServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment." - } - }, - "productName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Product. Required if the template is used in a standalone deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the product API." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ApiManagement/service/products/apis", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}/{2}', parameters('apiManagementServiceName'), parameters('productName'), parameters('name'))]" - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the product API." 
- }, - "value": "[resourceId('Microsoft.ApiManagement/service/products/apis', parameters('apiManagementServiceName'), parameters('productName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the product API." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the product API was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/api-management/service/product/api/version.json b/modules/api-management/service/product/api/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/api-management/service/product/api/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/api-management/service/product/group/README.md b/modules/api-management/service/product/group/README.md deleted file mode 100644 index b5d1cf7d8d..0000000000 --- a/modules/api-management/service/product/group/README.md +++ /dev/null 
@@ -1,79 +0,0 @@ -# API Management Service Products Groups `[Microsoft.ApiManagement/service/products/groups]` - -This module deploys an API Management Service Product Group. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.ApiManagement/service/products/groups` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/products/groups) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the product group. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`apiManagementServiceName`](#parameter-apimanagementservicename) | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | -| [`productName`](#parameter-productname) | string | The name of the parent Product. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | - -### Parameter: `name` - -Name of the product group. - -- Required: Yes -- Type: string - -### Parameter: `apiManagementServiceName` - -The name of the parent API Management service. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `productName` - -The name of the parent Product. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). 
- -- Required: No -- Type: bool -- Default: `True` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the product group. | -| `resourceGroupName` | string | The resource group the product group was deployed into. | -| `resourceId` | string | The resource ID of the product group. | - -## Cross-referenced modules - -_None_ diff --git a/modules/api-management/service/product/group/main.bicep b/modules/api-management/service/product/group/main.bicep deleted file mode 100644 index 979884a78d..0000000000 --- a/modules/api-management/service/product/group/main.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-metadata name = 'API Management Service Products Groups'
-metadata description = 'This module deploys an API Management Service Product Group.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
-param apiManagementServiceName string
-
-@description('Conditional. The name of the parent Product. Required if the template is used in a standalone deployment.')
-param productName string
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Required. Name of the product group.')
-param name string
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
- name: apiManagementServiceName
-
- resource product 'products@2021-04-01-preview' existing = {
- name: productName
- }
-}
-
-resource group 'Microsoft.ApiManagement/service/products/groups@2021-08-01' = {
- name: name
- parent: service::product
-}
-
-@description('The resource ID of the product group.')
-output resourceId string = group.id
-
-@description('The name of the product group.')
-output name string = group.name
-
-@description('The resource group the product group was deployed into.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/api-management/service/product/group/main.json b/modules/api-management/service/product/group/main.json
deleted file mode 100644
index cc2f8d7988..0000000000
--- a/modules/api-management/service/product/group/main.json
+++ /dev/null
@@ -1,85 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16541523008963717147" - }, - "name": "API Management Service Products Groups", - "description": "This module deploys an API Management Service Product Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "apiManagementServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment." - } - }, - "productName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Product. Required if the template is used in a standalone deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the product group." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ApiManagement/service/products/groups", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}/{2}', parameters('apiManagementServiceName'), parameters('productName'), parameters('name'))]" - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the product group." - }, - "value": "[resourceId('Microsoft.ApiManagement/service/products/groups', parameters('apiManagementServiceName'), parameters('productName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the product group." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the product group was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/api-management/service/product/group/version.json b/modules/api-management/service/product/group/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/api-management/service/product/group/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/api-management/service/product/main.bicep b/modules/api-management/service/product/main.bicep deleted file mode 100644 index 0a064939bc..0000000000 
--- a/modules/api-management/service/product/main.bicep
+++ /dev/null
@@ -1,103 +0,0 @@ -metadata name = 'API Management Service Products' -metadata description = 'This module deploys an API Management Service Product.' -metadata owner = 'Azure/module-maintainers' - -@sys.description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.') -param apiManagementServiceName string - -@sys.description('Optional. Whether subscription approval is required. If false, new subscriptions will be approved automatically enabling developers to call the products APIs immediately after subscribing. If true, administrators must manually approve the subscription before the developer can any of the products APIs. Can be present only if subscriptionRequired property is present and has a value of false.') -param approvalRequired bool = false - -@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@sys.description('Optional. Product description. May include HTML formatting tags.') -param description string = '' - -@sys.description('Optional. Array of Product APIs.') -param apis array = [] - -@sys.description('Optional. Array of Product Groups.') -param groups array = [] - -@sys.description('Required. Product Name.') -param name string - -@sys.description('Optional. whether product is published or not. Published products are discoverable by users of developer portal. Non published products are visible only to administrators. Default state of Product is notPublished. - notPublished or published.') -param state string = 'published' - -@sys.description('Optional. Whether a product subscription is required for accessing APIs included in this product. If true, the product is referred to as "protected" and a valid subscription key is required for a request to an API included in the product to succeed. 
If false, the product is referred to as "open" and requests to an API included in the product can be made without a subscription key. If property is omitted when creating a new product it\'s value is assumed to be true.') -param subscriptionRequired bool = false - -@sys.description('Optional. Whether the number of subscriptions a user can have to this product at the same time. Set to null or omit to allow unlimited per user subscriptions. Can be present only if subscriptionRequired property is present and has a value of false.') -param subscriptionsLimit int = 1 - -@sys.description('Optional. Product terms of use. Developers trying to subscribe to the product will be presented and required to accept these terms before they can complete the subscription process.') -param terms string = '' - -var enableReferencedModulesTelemetry = false - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = { - name: apiManagementServiceName -} - -resource product 'Microsoft.ApiManagement/service/products@2021-08-01' = { - name: name - parent: service - properties: { - description: description - displayName: name - terms: terms - subscriptionRequired: subscriptionRequired - approvalRequired: subscriptionRequired ? approvalRequired : null - subscriptionsLimit: subscriptionRequired ? 
subscriptionsLimit : null - state: state - } -} - -module product_apis 'api/main.bicep' = [for (api, index) in apis: { - name: '${deployment().name}-Api-${index}' - params: { - apiManagementServiceName: apiManagementServiceName - name: api.name - productName: name - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -module product_groups 'group/main.bicep' = [for (group, index) in groups: { - name: '${deployment().name}-Group-${index}' - params: { - apiManagementServiceName: apiManagementServiceName - name: group.name - productName: name - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -@sys.description('The resource ID of the API management service product.') -output resourceId string = product.id - -@sys.description('The name of the API management service product.') -output name string = product.name - -@sys.description('The resource group the API management service product was deployed into.') -output resourceGroupName string = resourceGroup().name - -@sys.description('The Resources IDs of the API management service product APIs.') -output apiResourceIds array = [for index in range(0, length(apis)): product_apis[index].outputs.resourceId] - -@sys.description('The Resources IDs of the API management service product groups.') -output groupResourceIds array = [for index in range(0, length(groups)): product_groups[index].outputs.resourceId] diff --git a/modules/api-management/service/product/main.json b/modules/api-management/service/product/main.json deleted file mode 100644 index ac581fc5d6..0000000000 --- a/modules/api-management/service/product/main.json +++ /dev/null 
@@ -1,395 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "8527180272588578376" - }, - "name": "API Management Service Products", - "description": "This module deploys an API Management Service Product.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "apiManagementServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment." - } - }, - "approvalRequired": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether subscription approval is required. If false, new subscriptions will be approved automatically enabling developers to call the products APIs immediately after subscribing. If true, administrators must manually approve the subscription before the developer can any of the products APIs. Can be present only if subscriptionRequired property is present and has a value of false." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Product description. May include HTML formatting tags." - } - }, - "apis": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of Product APIs." - } - }, - "groups": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of Product Groups." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Product Name." 
- } - }, - "state": { - "type": "string", - "defaultValue": "published", - "metadata": { - "description": "Optional. whether product is published or not. Published products are discoverable by users of developer portal. Non published products are visible only to administrators. Default state of Product is notPublished. - notPublished or published." - } - }, - "subscriptionRequired": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether a product subscription is required for accessing APIs included in this product. If true, the product is referred to as \"protected\" and a valid subscription key is required for a request to an API included in the product to succeed. If false, the product is referred to as \"open\" and requests to an API included in the product can be made without a subscription key. If property is omitted when creating a new product it's value is assumed to be true." - } - }, - "subscriptionsLimit": { - "type": "int", - "defaultValue": 1, - "metadata": { - "description": "Optional. Whether the number of subscriptions a user can have to this product at the same time. Set to null or omit to allow unlimited per user subscriptions. Can be present only if subscriptionRequired property is present and has a value of false." - } - }, - "terms": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Product terms of use. Developers trying to subscribe to the product will be presented and required to accept these terms before they can complete the subscription process." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ApiManagement/service/products", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', parameters('apiManagementServiceName'), parameters('name'))]", - "properties": { - "description": "[parameters('description')]", - "displayName": "[parameters('name')]", - "terms": "[parameters('terms')]", - "subscriptionRequired": "[parameters('subscriptionRequired')]", - "approvalRequired": "[if(parameters('subscriptionRequired'), parameters('approvalRequired'), null())]", - "subscriptionsLimit": "[if(parameters('subscriptionRequired'), parameters('subscriptionsLimit'), null())]", - "state": "[parameters('state')]" - } - }, - { - "copy": { - "name": "product_apis", - "count": "[length(parameters('apis'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Api-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "apiManagementServiceName": { - "value": "[parameters('apiManagementServiceName')]" - }, - "name": { - "value": "[parameters('apis')[copyIndex()].name]" - }, - "productName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - 
"contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17352324470715058273" - }, - "name": "API Management Service Products APIs", - "description": "This module deploys an API Management Service Product API.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "apiManagementServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment." - } - }, - "productName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Product. Required if the template is used in a standalone deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the product API." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ApiManagement/service/products/apis", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}/{2}', parameters('apiManagementServiceName'), parameters('productName'), parameters('name'))]" - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the product API." 
- }, - "value": "[resourceId('Microsoft.ApiManagement/service/products/apis', parameters('apiManagementServiceName'), parameters('productName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the product API." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the product API was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - } - }, - { - "copy": { - "name": "product_groups", - "count": "[length(parameters('groups'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Group-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "apiManagementServiceName": { - "value": "[parameters('apiManagementServiceName')]" - }, - "name": { - "value": "[parameters('groups')[copyIndex()].name]" - }, - "productName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16541523008963717147" - }, - "name": "API Management Service Products Groups", - "description": "This module deploys an API Management Service Product Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "apiManagementServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment." - } - }, - "productName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Product. 
Required if the template is used in a standalone deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the product group." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ApiManagement/service/products/groups", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}/{2}', parameters('apiManagementServiceName'), parameters('productName'), parameters('name'))]" - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the product group." - }, - "value": "[resourceId('Microsoft.ApiManagement/service/products/groups', parameters('apiManagementServiceName'), parameters('productName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the product group." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the product group was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - } - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the API management service product." 
- }, - "value": "[resourceId('Microsoft.ApiManagement/service/products', parameters('apiManagementServiceName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the API management service product." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the API management service product was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "apiResourceIds": { - "type": "array", - "metadata": { - "description": "The Resources IDs of the API management service product APIs." - }, - "copy": { - "count": "[length(range(0, length(parameters('apis'))))]", - "input": "[reference(resourceId('Microsoft.Resources/deployments', format('{0}-Api-{1}', deployment().name, range(0, length(parameters('apis')))[copyIndex()])), '2022-09-01').outputs.resourceId.value]" - } - }, - "groupResourceIds": { - "type": "array", - "metadata": { - "description": "The Resources IDs of the API management service product groups." - }, - "copy": { - "count": "[length(range(0, length(parameters('groups'))))]", - "input": "[reference(resourceId('Microsoft.Resources/deployments', format('{0}-Group-{1}', deployment().name, range(0, length(parameters('groups')))[copyIndex()])), '2022-09-01').outputs.resourceId.value]" - } - } - } -} \ No newline at end of file diff --git a/modules/api-management/service/product/version.json b/modules/api-management/service/product/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/api-management/service/product/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/api-management/service/subscription/README.md b/modules/api-management/service/subscription/README.md deleted file mode 100644 index a140d3d3a6..0000000000 
--- a/modules/api-management/service/subscription/README.md
+++ /dev/null
@@ -1,125 +0,0 @@ -# API Management Service Subscriptions `[Microsoft.ApiManagement/service/subscriptions]` - -This module deploys an API Management Service Subscription. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.ApiManagement/service/subscriptions` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/subscriptions) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Subscription name. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`apiManagementServiceName`](#parameter-apimanagementservicename) | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`allowTracing`](#parameter-allowtracing) | bool | Determines whether tracing can be enabled. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`ownerId`](#parameter-ownerid) | string | User (user ID path) for whom subscription is being created in form /users/{userId}. | -| [`primaryKey`](#parameter-primarykey) | string | Primary subscription key. If not specified during request key will be generated automatically. | -| [`scope`](#parameter-scope) | string | Scope type to choose between a product, "allAPIs" or a specific API. Scope like "/products/{productId}" or "/apis" or "/apis/{apiId}". | -| [`secondaryKey`](#parameter-secondarykey) | string | Secondary subscription key. If not specified during request key will be generated automatically. 
| -| [`state`](#parameter-state) | string | Initial subscription state. If no value is specified, subscription is created with Submitted state. Possible states are "*" active "?" the subscription is active, "*" suspended "?" the subscription is blocked, and the subscriber cannot call any APIs of the product, * submitted ? the subscription request has been made by the developer, but has not yet been approved or rejected, * rejected ? the subscription request has been denied by an administrator, * cancelled ? the subscription has been cancelled by the developer or administrator, * expired ? the subscription reached its expiration date and was deactivated. - suspended, active, expired, submitted, rejected, cancelled. | - -### Parameter: `name` - -Subscription name. - -- Required: Yes -- Type: string - -### Parameter: `apiManagementServiceName` - -The name of the parent API Management service. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `allowTracing` - -Determines whether tracing can be enabled. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `ownerId` - -User (user ID path) for whom subscription is being created in form /users/{userId}. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `primaryKey` - -Primary subscription key. If not specified during request key will be generated automatically. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `scope` - -Scope type to choose between a product, "allAPIs" or a specific API. Scope like "/products/{productId}" or "/apis" or "/apis/{apiId}". - -- Required: No -- Type: string -- Default: `'/apis'` - -### Parameter: `secondaryKey` - -Secondary subscription key. If not specified during request key will be generated automatically. 
- -- Required: No -- Type: string -- Default: `''` - -### Parameter: `state` - -Initial subscription state. If no value is specified, subscription is created with Submitted state. Possible states are "*" active "?" the subscription is active, "*" suspended "?" the subscription is blocked, and the subscriber cannot call any APIs of the product, * submitted ? the subscription request has been made by the developer, but has not yet been approved or rejected, * rejected ? the subscription request has been denied by an administrator, * cancelled ? the subscription has been cancelled by the developer or administrator, * expired ? the subscription reached its expiration date and was deactivated. - suspended, active, expired, submitted, rejected, cancelled. - -- Required: No -- Type: string -- Default: `''` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the API management service subscription. | -| `resourceGroupName` | string | The resource group the API management service subscription was deployed into. | -| `resourceId` | string | The resource ID of the API management service subscription. | - -## Cross-referenced modules - -_None_ diff --git a/modules/api-management/service/subscription/main.bicep b/modules/api-management/service/subscription/main.bicep deleted file mode 100644 index 93f54c62a0..0000000000 --- a/modules/api-management/service/subscription/main.bicep +++ /dev/null 
@@ -1,69 +0,0 @@ -metadata name = 'API Management Service Subscriptions' -metadata description = 'This module deploys an API Management Service Subscription.' -metadata owner = 'Azure/module-maintainers' - -@description('Optional. Determines whether tracing can be enabled.') -param allowTracing bool = true - -@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.') -param apiManagementServiceName string - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. User (user ID path) for whom subscription is being created in form /users/{userId}.') -param ownerId string = '' - -@description('Optional. Primary subscription key. If not specified during request key will be generated automatically.') -param primaryKey string = '' - -@description('Optional. Scope type to choose between a product, "allAPIs" or a specific API. Scope like "/products/{productId}" or "/apis" or "/apis/{apiId}".') -param scope string = '/apis' - -@description('Optional. Secondary subscription key. If not specified during request key will be generated automatically.') -param secondaryKey string = '' - -@description('Optional. Initial subscription state. If no value is specified, subscription is created with Submitted state. Possible states are "*" active "?" the subscription is active, "*" suspended "?" the subscription is blocked, and the subscriber cannot call any APIs of the product, * submitted ? the subscription request has been made by the developer, but has not yet been approved or rejected, * rejected ? the subscription request has been denied by an administrator, * cancelled ? the subscription has been cancelled by the developer or administrator, * expired ? the subscription reached its expiration date and was deactivated. 
- suspended, active, expired, submitted, rejected, cancelled.') -param state string = '' - -@description('Required. Subscription name.') -param name string - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = { - name: apiManagementServiceName -} - -resource subscription 'Microsoft.ApiManagement/service/subscriptions@2021-08-01' = { - name: name - parent: service - properties: { - scope: scope - displayName: name - ownerId: !empty(ownerId) ? ownerId : null - primaryKey: !empty(primaryKey) ? primaryKey : null - secondaryKey: !empty(secondaryKey) ? secondaryKey : null - state: !empty(state) ? state : null - allowTracing: allowTracing - } -} - -@description('The resource ID of the API management service subscription.') -output resourceId string = subscription.id - -@description('The name of the API management service subscription.') -output name string = subscription.name - -@description('The resource group the API management service subscription was deployed into.') -output resourceGroupName string = resourceGroup().name diff --git a/modules/api-management/service/subscription/main.json b/modules/api-management/service/subscription/main.json deleted file mode 100644 index 174a7585d5..0000000000 --- a/modules/api-management/service/subscription/main.json +++ /dev/null 
@@ -1,130 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15367144313924447449" - }, - "name": "API Management Service Subscriptions", - "description": "This module deploys an API Management Service Subscription.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "allowTracing": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Determines whether tracing can be enabled." - } - }, - "apiManagementServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "ownerId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. User (user ID path) for whom subscription is being created in form /users/{userId}." - } - }, - "primaryKey": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Primary subscription key. If not specified during request key will be generated automatically." - } - }, - "scope": { - "type": "string", - "defaultValue": "/apis", - "metadata": { - "description": "Optional. Scope type to choose between a product, \"allAPIs\" or a specific API. Scope like \"/products/{productId}\" or \"/apis\" or \"/apis/{apiId}\"." - } - }, - "secondaryKey": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Secondary subscription key. If not specified during request key will be generated automatically." - } - }, - "state": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
Initial subscription state. If no value is specified, subscription is created with Submitted state. Possible states are \"*\" active \"?\" the subscription is active, \"*\" suspended \"?\" the subscription is blocked, and the subscriber cannot call any APIs of the product, * submitted ? the subscription request has been made by the developer, but has not yet been approved or rejected, * rejected ? the subscription request has been denied by an administrator, * cancelled ? the subscription has been cancelled by the developer or administrator, * expired ? the subscription reached its expiration date and was deactivated. - suspended, active, expired, submitted, rejected, cancelled." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Subscription name." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ApiManagement/service/subscriptions", - "apiVersion": "2021-08-01", - "name": "[format('{0}/{1}', parameters('apiManagementServiceName'), parameters('name'))]", - "properties": { - "scope": "[parameters('scope')]", - "displayName": "[parameters('name')]", - "ownerId": "[if(not(empty(parameters('ownerId'))), parameters('ownerId'), null())]", - "primaryKey": "[if(not(empty(parameters('primaryKey'))), parameters('primaryKey'), null())]", - "secondaryKey": "[if(not(empty(parameters('secondaryKey'))), parameters('secondaryKey'), null())]", - "state": "[if(not(empty(parameters('state'))), parameters('state'), null())]", - "allowTracing": "[parameters('allowTracing')]" - } - } - ], - 
"outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the API management service subscription." - }, - "value": "[resourceId('Microsoft.ApiManagement/service/subscriptions', parameters('apiManagementServiceName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the API management service subscription." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the API management service subscription was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/api-management/service/subscription/version.json b/modules/api-management/service/subscription/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/api-management/service/subscription/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/api-management/service/tests/e2e/defaults/main.test.bicep b/modules/api-management/service/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 693a2e0673..0000000000 --- a/modules/api-management/service/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,51 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-apimanagement.service-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'apismin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- publisherEmail: 'apimgmt-noreply@mail.windowsazure.com'
- publisherName: '${namePrefix}-az-amorg-x-001'
- }
-}]
diff --git a/modules/api-management/service/tests/e2e/max/dependencies.bicep b/modules/api-management/service/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index bd63a95634..0000000000
--- a/modules/api-management/service/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,16 +0,0 @@
-@description('Required. The name of the managed identity to create.')
-param managedIdentityName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created managed identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
diff --git a/modules/api-management/service/tests/e2e/max/main.test.bicep b/modules/api-management/service/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 5a03a93afb..0000000000
--- a/modules/api-management/service/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,230 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-apimanagement.service-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'apismax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -@description('Optional. 
The secret to leverage for authorization server authentication.') -@secure() -param customSecret string = newGuid() - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}azsa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - publisherEmail: 'apimgmt-noreply@mail.windowsazure.com' - publisherName: '${namePrefix}-az-amorg-x-001' - apis: [ - { - apiVersionSet: { - name: 'echo-version-set' - properties: { - description: 'echo-version-set' - displayName: 'echo-version-set' - versioningScheme: 'Segment' - } - } - displayName: 'Echo API' - name: 'echo-api' - path: 'echo' - serviceUrl: 'http://echoapi.cloudapp.net/api' - } - ] - authorizationServers: { - secureList: [ - { - authorizationEndpoint: 
'${environment().authentication.loginEndpoint}651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/authorize' - clientId: 'apimclientid' - clientSecret: customSecret - clientRegistrationEndpoint: 'http://localhost' - grantTypes: [ - 'authorizationCode' - ] - name: 'AuthServer1' - tokenEndpoint: '${environment().authentication.loginEndpoint}651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/token' - } - ] - } - backends: [ - { - name: 'backend' - tls: { - validateCertificateChain: false - validateCertificateName: false - } - url: 'http://echoapi.cloudapp.net/api' - } - ] - caches: [ - { - connectionString: 'connectionstringtest' - name: 'westeurope' - useFromLocation: 'westeurope' - } - ] - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - identityProviders: [ - { - name: 'aadProvider' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - namedValues: [ - { - displayName: 'apimkey' - name: 'apimkey' - secret: true - } - ] - policies: [ - { - format: 'xml' - value: ' ' - } - ] - portalsettings: [ - { - name: 'signin' - properties: { - enabled: false - } - } - { - name: 'signup' - properties: { - enabled: false - termsOfService: { - consentRequired: false - enabled: false - } - } - } - ] - products: [ - { - apis: [ - { - name: 'echo-api' - } - ] - approvalRequired: false - groups: [ - { - name: 'developers' - } - ] - name: 'Starter' - subscriptionRequired: false - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - 
roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - subscriptions: [ - { - name: 'testArmSubscriptionAllApis' - scope: '/apis' - } - ] - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/api-management/service/tests/e2e/waf-aligned/dependencies.bicep b/modules/api-management/service/tests/e2e/waf-aligned/dependencies.bicep deleted file mode 100644 index bd63a95634..0000000000 --- a/modules/api-management/service/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null @@ -1,16 +0,0 @@ -@description('Required. The name of the managed identity to create.') -param managedIdentityName string - -@description('Optional. The location to deploy resources to.') -param location string = resourceGroup().location - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -@description('The principal ID of the created managed identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId - -@description('The resource ID of the created Managed Identity.') -output managedIdentityResourceId string = managedIdentity.id diff --git a/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep b/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep deleted file mode 100644 index 497fa84bc5..0000000000 
--- a/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep +++ /dev/null 
@@ -1,213 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-apimanagement.service-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'apiswaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -@description('Optional. 
The secret to leverage for authorization server authentication.') -@secure() -param customSecret string = newGuid() - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}azsa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - publisherEmail: 'apimgmt-noreply@mail.windowsazure.com' - publisherName: '${namePrefix}-az-amorg-x-001' - apis: [ - { - apiVersionSet: { - name: 'echo-version-set' - properties: { - description: 'echo-version-set' - displayName: 'echo-version-set' - versioningScheme: 'Segment' - } - } - displayName: 'Echo API' - name: 'echo-api' - path: 'echo' - serviceUrl: 'http://echoapi.cloudapp.net/api' - } - ] - authorizationServers: { - secureList: [ - { - authorizationEndpoint: 
'${environment().authentication.loginEndpoint}651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/authorize' - clientId: 'apimclientid' - clientSecret: customSecret - clientRegistrationEndpoint: 'http://localhost' - grantTypes: [ - 'authorizationCode' - ] - name: 'AuthServer1' - tokenEndpoint: '${environment().authentication.loginEndpoint}651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/token' - } - ] - } - backends: [ - { - name: 'backend' - tls: { - validateCertificateChain: false - validateCertificateName: false - } - url: 'http://echoapi.cloudapp.net/api' - } - ] - caches: [ - { - connectionString: 'connectionstringtest' - name: 'westeurope' - useFromLocation: 'westeurope' - } - ] - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - identityProviders: [ - { - name: 'aadProvider' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - namedValues: [ - { - displayName: 'apimkey' - name: 'apimkey' - secret: true - } - ] - policies: [ - { - format: 'xml' - value: ' ' - } - ] - portalsettings: [ - { - name: 'signin' - properties: { - enabled: false - } - } - { - name: 'signup' - properties: { - enabled: false - termsOfService: { - consentRequired: false - enabled: false - } - } - } - ] - products: [ - { - apis: [ - { - name: 'echo-api' - } - ] - approvalRequired: false - groups: [ - { - name: 'developers' - } - ] - name: 'Starter' - subscriptionRequired: false - } - ] - subscriptions: [ - { - name: 'testArmSubscriptionAllApis' - scope: '/apis' - } - ] - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - 
nestedDependencies.outputs.managedIdentityResourceId - ] - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/api-management/service/version.json b/modules/api-management/service/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/api-management/service/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/app-configuration/configuration-store/MOVED-TO-AVM.md b/modules/app-configuration/configuration-store/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/app-configuration/configuration-store/MOVED-TO-AVM.md +++ /dev/null @@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/app-configuration/configuration-store/README.md b/modules/app-configuration/configuration-store/README.md index 0240ff324c..851d20f22d 100644 --- a/modules/app-configuration/configuration-store/README.md +++ b/modules/app-configuration/configuration-store/README.md @@ -1,1405 +1,7 @@ -# App Configuration Stores `[Microsoft.AppConfiguration/configurationStores]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/app-configuration/configuration-store](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/app-configuration/configuration-store).** -This module deploys an App Configuration Store. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/app-configuration/configuration-store). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.AppConfiguration/configurationStores` | [2023-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.AppConfiguration/2023-03-01/configurationStores) | -| `Microsoft.AppConfiguration/configurationStores/keyValues` | [2023-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.AppConfiguration/2023-03-01/configurationStores/keyValues) | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| 
`Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/app-configuration.configuration-store:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Encr](#example-2-encr) -- [Using large parameter set](#example-3-using-large-parameter-set) -- [Pe](#example-4-pe) -- [WAF-aligned](#example-5-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module configurationStore 'br:bicep/modules/app-configuration.configuration-store:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-accmin' - params: { - // Required parameters - name: 'accmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "accmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Encr_ - -

- -via Bicep module - -```bicep -module configurationStore 'br:bicep/modules/app-configuration.configuration-store:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-accencr' - params: { - // Required parameters - name: 'accencr001' - // Non-required parameters - createMode: 'Default' - customerManagedKey: { - keyName: '' - keyVaultResourceId: '' - userAssignedIdentityResourceId: '' - } - disableLocalAuth: false - enableDefaultTelemetry: '' - enablePurgeProtection: false - keyValues: [ - { - contentType: 'contentType' - name: 'keyName' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - value: 'valueName' - } - ] - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - softDeleteRetentionInDays: 1 - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "accencr001" - }, - // Non-required parameters - "createMode": { - "value": "Default" - }, - "customerManagedKey": { - "value": { - "keyName": "", - "keyVaultResourceId": "", - "userAssignedIdentityResourceId": "" - } - }, - "disableLocalAuth": { - "value": false - }, - "enableDefaultTelemetry": { - "value": "" - }, - "enablePurgeProtection": { - "value": false - }, - "keyValues": { - "value": [ - { - "contentType": "contentType", - "name": "keyName", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "value": "valueName" - } - ] - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "softDeleteRetentionInDays": { - "value": 1 - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module configurationStore 'br:bicep/modules/app-configuration.configuration-store:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-accmax' - params: { - // Required parameters - name: 'accmax001' - // Non-required parameters - createMode: 'Default' - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - disableLocalAuth: false - enableDefaultTelemetry: '' - enablePurgeProtection: false - keyValues: [ - { - contentType: 'contentType' - name: 'keyName' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - value: 'valueName' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - softDeleteRetentionInDays: 1 - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "accmax001" - }, - // Non-required parameters - "createMode": { - "value": "Default" - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "disableLocalAuth": { - "value": false - }, - "enableDefaultTelemetry": { - "value": "" - }, - "enablePurgeProtection": { - "value": false - }, - "keyValues": { - "value": [ - { - "contentType": "contentType", - "name": "keyName", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "value": "valueName" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "softDeleteRetentionInDays": { - "value": 1 - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 4: _Pe_ - -

- -via Bicep module - -```bicep -module configurationStore 'br:bicep/modules/app-configuration.configuration-store:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-accpe' - params: { - // Required parameters - name: 'accpe001' - // Non-required parameters - createMode: 'Default' - disableLocalAuth: false - enableDefaultTelemetry: '' - enablePurgeProtection: false - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - softDeleteRetentionInDays: 1 - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "accpe001" - }, - // Non-required parameters - "createMode": { - "value": "Default" - }, - "disableLocalAuth": { - "value": false - }, - "enableDefaultTelemetry": { - "value": "" - }, - "enablePurgeProtection": { - "value": false - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "softDeleteRetentionInDays": { - "value": 1 - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 5: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module configurationStore 'br:bicep/modules/app-configuration.configuration-store:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-accwaf' - params: { - // Required parameters - name: 'accwaf001' - // Non-required parameters - createMode: 'Default' - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - disableLocalAuth: false - enableDefaultTelemetry: '' - enablePurgeProtection: false - keyValues: [ - { - contentType: 'contentType' - name: 'keyName' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - value: 'valueName' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - softDeleteRetentionInDays: 1 - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "accwaf001" - }, - // Non-required parameters - "createMode": { - "value": "Default" - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "disableLocalAuth": { - "value": false - }, - "enableDefaultTelemetry": { - "value": "" - }, - "enablePurgeProtection": { - "value": false - }, - "keyValues": { - "value": [ - { - "contentType": "contentType", - "name": "keyName", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "value": "valueName" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "softDeleteRetentionInDays": { - "value": 1 - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Azure App Configuration. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`createMode`](#parameter-createmode) | string | Indicates whether the configuration store need to be recovered. | -| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`disableLocalAuth`](#parameter-disablelocalauth) | bool | Disables all authentication methods other than AAD authentication. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`enablePurgeProtection`](#parameter-enablepurgeprotection) | bool | Property specifying whether protection against purge is enabled for this configuration store. | -| [`keyValues`](#parameter-keyvalues) | array | All Key / Values to create. Requires local authentication to be enabled. | -| [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. 
| -| [`sku`](#parameter-sku) | string | Pricing tier of App Configuration. | -| [`softDeleteRetentionInDays`](#parameter-softdeleteretentionindays) | int | The amount of time in days that the configuration store will be retained when it is soft deleted. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `name` - -Name of the Azure App Configuration. - -- Required: Yes -- Type: string - -### Parameter: `createMode` - -Indicates whether the configuration store need to be recovered. - -- Required: No -- Type: string -- Default: `'Default'` -- Allowed: - ```Bicep - [ - 'Default' - 'Recover' - ] - ``` - -### Parameter: `customerManagedKey` - -The customer managed key definition. - -- Required: No -- Type: object - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. | -| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | -| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | - -### Parameter: `customerManagedKey.keyName` - -The name of the customer managed key to use for encryption. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKey.keyVaultResourceId` - -The resource ID of a key vault to reference a customer managed key for encryption from. 
- -- Required: Yes -- Type: string - -### Parameter: `customerManagedKey.keyVersion` - -The version of the customer managed key to reference for encryption. If not provided, using 'latest'. - -- Required: No -- Type: string - -### Parameter: `customerManagedKey.userAssignedIdentityResourceId` - -User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
| -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `disableLocalAuth` - -Disables all authentication methods other than AAD authentication. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enablePurgeProtection` - -Property specifying whether protection against purge is enabled for this configuration store. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `keyValues` - -All Key / Values to create. Requires local authentication to be enabled. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all Resources. 
- -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints` - -Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. 
| - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. 
For example "vault" or "blob". | -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.subnetResourceId` - -Resource ID of the subnet where the endpoint needs to be created. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Application security groups in which the private endpoint IP configuration is included. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customDnsConfigs` - -Custom DNS configurations. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customNetworkInterfaceName` - -The custom name of the network interface attached to the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.enableTelemetry` - -Enable/Disable usage telemetry for module. - -- Required: No -- Type: bool - -### Parameter: `privateEndpoints.ipConfigurations` - -A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.location` - -The location to deploy the private endpoint to. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.lock` - -Specify the type of lock. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | -| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | - -### Parameter: `privateEndpoints.lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `privateEndpoints.lock.name` - -Specify the name of lock. 
- -- Required: No -- Type: string - -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` - -Manual PrivateLink Service Connections. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.name` - -The name of the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneGroupName` - -The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` - -The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. 
| -| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `privateEndpoints.roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.principalType` - -The principal type of the assigned principal ID. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `privateEndpoints.service` - -The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.tags` - -Tags to be applied on all resources/resource groups in this deployment. - -- Required: No -- Type: object - -### Parameter: `publicNetworkAccess` - -Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. 
| -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `sku` - -Pricing tier of App Configuration. 
- -- Required: No -- Type: string -- Default: `'Standard'` -- Allowed: - ```Bicep - [ - 'Free' - 'Standard' - ] - ``` - -### Parameter: `softDeleteRetentionInDays` - -The amount of time in days that the configuration store will be retained when it is soft deleted. - -- Required: No -- Type: int -- Default: `1` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the app configuration. | -| `resourceGroupName` | string | The resource group the app configuration store was deployed into. | -| `resourceId` | string | The resource ID of the app configuration. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `modules/network/private-endpoint` | Local reference | +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/app-configuration/configuration-store/key-value/README.md b/modules/app-configuration/configuration-store/key-value/README.md deleted file mode 100644 index 6f6a67e760..0000000000 --- a/modules/app-configuration/configuration-store/key-value/README.md +++ /dev/null 
@@ -1,96 +0,0 @@
-# App Configuration Stores Key Values `[Microsoft.AppConfiguration/configurationStores/keyValues]`
-
-This module deploys an App Configuration Store Key Value.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.AppConfiguration/configurationStores/keyValues` | [2023-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.AppConfiguration/2023-03-01/configurationStores/keyValues) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | Name of the key. |
-| [`value`](#parameter-value) | string | Name of the value. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`appConfigurationName`](#parameter-appconfigurationname) | string | The name of the parent app configuration store. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`contentType`](#parameter-contenttype) | string | The content type of the key-values value. Providing a proper content-type can enable transformations of values when they are retrieved by applications. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`tags`](#parameter-tags) | object | Tags of the resource. |
-
-### Parameter: `name`
-
-Name of the key.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `value`
-
-Name of the value.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `appConfigurationName`
-
-The name of the parent app configuration store. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `contentType`
-
-The content type of the key-values value. Providing a proper content-type can enable transformations of values when they are retrieved by applications.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `tags`
-
-Tags of the resource.
-
-- Required: No
-- Type: object
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the key values. |
-| `resourceGroupName` | string | The resource group the batch account was deployed into. |
-| `resourceId` | string | The resource ID of the key values. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/app-configuration/configuration-store/key-value/main.bicep b/modules/app-configuration/configuration-store/key-value/main.bicep
deleted file mode 100644
index acc8bbc774..0000000000
--- a/modules/app-configuration/configuration-store/key-value/main.bicep
+++ /dev/null
@@ -1,55 +0,0 @@
-metadata name = 'App Configuration Stores Key Values'
-metadata description = 'This module deploys an App Configuration Store Key Value.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the key.')
-param name string
-
-@description('Required. Name of the value.')
-param value string
-
-@description('Conditional. The name of the parent app configuration store. Required if the template is used in a standalone deployment.')
-param appConfigurationName string
-
-@description('Optional. The content type of the key-values value. Providing a proper content-type can enable transformations of values when they are retrieved by applications.')
-param contentType string = ''
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') // update all the descriptions
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource appConfiguration 'Microsoft.AppConfiguration/configurationStores@2023-03-01' existing = {
- name: appConfigurationName
-}
-
-resource keyValues 'Microsoft.AppConfiguration/configurationStores/keyValues@2023-03-01' = {
- name: name
- parent: appConfiguration
- properties: {
- contentType: contentType
- tags: tags
- value: value
- }
-}
-@description('The name of the key values.')
-output name string = keyValues.name
-
-@description('The resource ID of the key values.')
-output resourceId string = keyValues.id
-
-@description('The resource group the batch account was deployed into.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/app-configuration/configuration-store/key-value/main.json b/modules/app-configuration/configuration-store/key-value/main.json
deleted file mode 100644
index 560a51de67..0000000000
--- a/modules/app-configuration/configuration-store/key-value/main.json
+++ /dev/null
@@ -1,114 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11370563001494590361" - }, - "name": "App Configuration Stores Key Values", - "description": "This module deploys an App Configuration Store Key Value.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the key." - } - }, - "value": { - "type": "string", - "metadata": { - "description": "Required. Name of the value." - } - }, - "appConfigurationName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent app configuration store. Required if the template is used in a standalone deployment." - } - }, - "contentType": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The content type of the key-values value. Providing a proper content-type can enable transformations of values when they are retrieved by applications." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "appConfiguration": { - "existing": true, - "type": "Microsoft.AppConfiguration/configurationStores", - "apiVersion": "2023-03-01", - "name": "[parameters('appConfigurationName')]" - }, - "keyValues": { - "type": "Microsoft.AppConfiguration/configurationStores/keyValues", - "apiVersion": "2023-03-01", - "name": "[format('{0}/{1}', parameters('appConfigurationName'), parameters('name'))]", - "properties": { - "contentType": "[parameters('contentType')]", - "tags": "[parameters('tags')]", - "value": "[parameters('value')]" - }, - "dependsOn": [ - "appConfiguration" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the key values." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the key values." - }, - "value": "[resourceId('Microsoft.AppConfiguration/configurationStores/keyValues', parameters('appConfigurationName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the batch account was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/app-configuration/configuration-store/key-value/version.json b/modules/app-configuration/configuration-store/key-value/version.json deleted file mode 100644 index 96236a61ba..0000000000 
--- a/modules/app-configuration/configuration-store/key-value/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/app-configuration/configuration-store/main.bicep b/modules/app-configuration/configuration-store/main.bicep
deleted file mode 100644
index f4bc48c14c..0000000000
--- a/modules/app-configuration/configuration-store/main.bicep
+++ /dev/null
@@ -1,402 +0,0 @@
-metadata name = 'App Configuration Stores'
-metadata description = 'This module deploys an App Configuration Store.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the Azure App Configuration.')
-param name string
-
-@description('Optional. Location for all Resources.')
-param location string = resourceGroup().location
-
-@description('Optional. The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
-
-@allowed([
- 'Free'
- 'Standard'
-])
-@description('Optional. Pricing tier of App Configuration.')
-param sku string = 'Standard'
-
-@allowed([
- 'Default'
- 'Recover'
-])
-@description('Optional. Indicates whether the configuration store need to be recovered.')
-param createMode string = 'Default'
-
-@description('Optional. Disables all authentication methods other than AAD authentication.')
-param disableLocalAuth bool = false
-
-@description('Optional. Property specifying whether protection against purge is enabled for this configuration store.')
-param enablePurgeProtection bool = false
-
-@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.')
-@allowed([
- ''
- 'Enabled'
- 'Disabled'
-])
-param publicNetworkAccess string = ''
-
-@description('Optional. The amount of time in days that the configuration store will be retained when it is soft deleted.')
-@minValue(1)
-@maxValue(7)
-param softDeleteRetentionInDays int = 1
-
-@description('Optional. The customer managed key definition.')
-param customerManagedKey customerManagedKeyType
-
-@description('Optional. All Key / Values to create. Requires local authentication to be enabled.')
-param keyValues array = []
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints privateEndpointType
-
-var enableReferencedModulesTelemetry = false
-
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-
-var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
- userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
-} : null
-
-var builtInRoleNames = {
- 'App Compliance Automation Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')
- 'App Compliance Automation Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ffc6bbe0-e443-4c3b-bf54-26581bb2f78e')
- 'App Configuration Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')
- 'App Configuration Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '516239f1-63e1-4d78-a4de-a74fb236a071')
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) {
- name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/'))
- scope: resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4])
-
- resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) {
- name: customerManagedKey.?keyName ?? 'dummyKey'
- }
-}
-
-resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) {
- name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 'dummyMsi', '/'))
- scope: resourceGroup(split((customerManagedKey.?userAssignedIdentityResourceId ?? '//'), '/')[2], split((customerManagedKey.?userAssignedIdentityResourceId ?? '////'), '/')[4])
-}
-
-resource configurationStore 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = {
- name: name
- location: location
- tags: tags
- sku: {
- name: sku
- }
- identity: identity
- properties: {
- createMode: createMode
- disableLocalAuth: disableLocalAuth
- enablePurgeProtection: sku == 'Free' ? false : enablePurgeProtection
- encryption: !empty(customerManagedKey) ? {
- keyVaultProperties: {
- keyIdentifier: !empty(customerManagedKey.?keyVersion ?? '') ? '${cMKKeyVault::cMKKey.properties.keyUri}/${customerManagedKey!.keyVersion}' : cMKKeyVault::cMKKey.properties.keyUriWithVersion
- identityClientId: !empty(customerManagedKey.?userAssignedIdentityResourceId ?? '') ? cMKUserAssignedIdentity.properties.clientId : null
- }
- } : null
- publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : null
- softDeleteRetentionInDays: sku == 'Free' ? 0 : softDeleteRetentionInDays
- }
-}
-
-module configurationStore_keyValues 'key-value/main.bicep' = [for (keyValue, index) in keyValues: {
- name: '${uniqueString(deployment().name, location)}-AppConfig-KeyValues-${index}'
- params: {
- appConfigurationName: configurationStore.name
- name: keyValue.name
- value: keyValue.value
- contentType: contains(keyValue, 'contentType') ? keyValue.contentType : ''
- tags: keyValue.?tags ?? tags
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-resource configurationStore_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: configurationStore
-}
-
-resource configurationStore_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: configurationStore
-}]
-
-resource configurationStore_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(configurationStore.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: configurationStore
-}]
-
-module configurationStore_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
- name: '${uniqueString(deployment().name, location)}-configurationStore-PrivateEndpoint-${index}'
- params: {
- groupIds: [
- privateEndpoint.?service ?? 'configurationStores'
- ]
- name: privateEndpoint.?name ?? 'pep-${last(split(configurationStore.id, '/'))}-${privateEndpoint.?service ?? 'configurationStores'}-${index}'
- serviceResourceId: configurationStore.id
- subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
- location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
- privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
- roleAssignments: privateEndpoint.?roleAssignments
- tags: privateEndpoint.?tags ?? tags
- manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
- customDnsConfigs: privateEndpoint.?customDnsConfigs
- ipConfigurations: privateEndpoint.?ipConfigurations
- applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
- customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
- }
-}]
-
-@description('The name of the app configuration.')
-output name string = configurationStore.name
-
-@description('The resource ID of the app configuration.')
-output resourceId string = configurationStore.id
-
-@description('The resource group the app configuration store was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The principal ID of the system assigned identity.')
-output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(configurationStore.identity, 'principalId') ? configurationStore.identity.principalId : ''
-
-@description('The location the resource was deployed into.')
-output location string = configurationStore.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]?
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type privateEndpointType = {
- @description('Optional. The name of the private endpoint.')
- name: string?
-
- @description('Optional. The location to deploy the private endpoint to.')
- location: string?
-
- @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
- service: string?
-
- @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
- subnetResourceId: string
-
- @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
- privateDnsZoneGroupName: string?
-
- @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
- privateDnsZoneResourceIds: string[]?
-
- @description('Optional. Custom DNS configurations.')
- customDnsConfigs: {
- @description('Required. Fqdn that resolves to private endpoint ip address.')
- fqdn: string?
-
- @description('Required. A list of private ip addresses of the private endpoint.')
- ipAddresses: string[]
- }[]?
-
- @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
- ipConfigurations: {
- @description('Required. The name of the resource that is unique within a resource group.')
- name: string
-
- @description('Required. Properties of private endpoint IP configurations.')
- properties: {
- @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
- groupId: string
-
- @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
- memberName: string
-
- @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
- privateIPAddress: string
- }
- }[]?
-
- @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
- applicationSecurityGroupResourceIds: string[]?
-
- @description('Optional. The custom name of the network interface attached to the private endpoint.')
- customNetworkInterfaceName: string?
-
- @description('Optional. Specify the type of lock.')
- lock: lockType
-
- @description('Optional. Array of role assignments to create.')
- roleAssignments: roleAssignmentType
-
- @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
- tags: object?
-
- @description('Optional. Manual PrivateLink Service Connections.')
- manualPrivateLinkServiceConnections: array?
-
- @description('Optional. Enable/Disable usage telemetry for module.')
- enableTelemetry: bool?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
-
-type customerManagedKeyType = {
- @description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.')
- keyVaultResourceId: string
-
- @description('Required. The name of the customer managed key to use for encryption.')
- keyName: string
-
- @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.')
- keyVersion: string?
-
- @description('Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use.')
- userAssignedIdentityResourceId: string?
-}?
diff --git a/modules/app-configuration/configuration-store/main.json b/modules/app-configuration/configuration-store/main.json
deleted file mode 100644
index 8356549175..0000000000
--- a/modules/app-configuration/configuration-store/main.json
+++ /dev/null
@@ -1,1520 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "1035721071234192840" - }, - "name": "App Configuration Stores", - "description": "This module deploys an App Configuration Store.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." 
- } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. 
Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - }, - "customerManagedKeyType": { - "type": "object", - "properties": { - "keyVaultResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." - } - }, - "keyName": { - "type": "string", - "metadata": { - "description": "Required. The name of the customer managed key to use for encryption." - } - }, - "keyVersion": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." - } - }, - "userAssignedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use." 
- } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Azure App Configuration." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "sku": { - "type": "string", - "defaultValue": "Standard", - "allowedValues": [ - "Free", - "Standard" - ], - "metadata": { - "description": "Optional. Pricing tier of App Configuration." - } - }, - "createMode": { - "type": "string", - "defaultValue": "Default", - "allowedValues": [ - "Default", - "Recover" - ], - "metadata": { - "description": "Optional. Indicates whether the configuration store need to be recovered." - } - }, - "disableLocalAuth": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Disables all authentication methods other than AAD authentication." - } - }, - "enablePurgeProtection": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Property specifying whether protection against purge is enabled for this configuration store." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set." - } - }, - "softDeleteRetentionInDays": { - "type": "int", - "defaultValue": 1, - "minValue": 1, - "maxValue": 7, - "metadata": { - "description": "Optional. The amount of time in days that the configuration store will be retained when it is soft deleted." 
- } - }, - "customerManagedKey": { - "$ref": "#/definitions/customerManagedKeyType", - "metadata": { - "description": "Optional. The customer managed key definition." - } - }, - "keyValues": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. All Key / Values to create. Requires local authentication to be enabled." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "builtInRoleNames": { - "App Compliance Automation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]", - "App Compliance Automation Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ffc6bbe0-e443-4c3b-bf54-26581bb2f78e')]", - "App Configuration Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", - "App Configuration Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '516239f1-63e1-4d78-a4de-a74fb236a071')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "cMKKeyVault::cMKKey": { - "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults/keys", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", - "dependsOn": [ - "cMKKeyVault" - ] - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "cMKKeyVault": { - "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2023-02-01", - "subscriptionId": 
"[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" - }, - "cMKUserAssignedIdentity": { - "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')))]", - "existing": true, - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2023-01-31", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" - }, - "configurationStore": { - "type": "Microsoft.AppConfiguration/configurationStores", - "apiVersion": "2023-03-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "name": "[parameters('sku')]" - }, - "identity": "[variables('identity')]", - "properties": { - "createMode": "[parameters('createMode')]", - "disableLocalAuth": "[parameters('disableLocalAuth')]", - "enablePurgeProtection": "[if(equals(parameters('sku'), 'Free'), false(), parameters('enablePurgeProtection'))]", - "encryption": "[if(not(empty(parameters('customerManagedKey'))), createObject('keyVaultProperties', createObject('keyIdentifier', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), format('{0}/{1}', reference('cMKKeyVault::cMKKey').keyUri, parameters('customerManagedKey').keyVersion), reference('cMKKeyVault::cMKKey').keyUriWithVersion), 'identityClientId', 
if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), ''))), reference('cMKUserAssignedIdentity').clientId, null()))), null())]", - "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), null())]", - "softDeleteRetentionInDays": "[if(equals(parameters('sku'), 'Free'), 0, parameters('softDeleteRetentionInDays'))]" - }, - "dependsOn": [ - "cMKKeyVault", - "cMKUserAssignedIdentity" - ] - }, - "configurationStore_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.AppConfiguration/configurationStores/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "configurationStore" - ] - }, - "configurationStore_diagnosticSettings": { - "copy": { - "name": "configurationStore_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.AppConfiguration/configurationStores/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "configurationStore" - ] - }, - "configurationStore_roleAssignments": { - "copy": { - "name": "configurationStore_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.AppConfiguration/configurationStores/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), 
variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "configurationStore" - ] - }, - "configurationStore_keyValues": { - "copy": { - "name": "configurationStore_keyValues", - "count": "[length(parameters('keyValues'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AppConfig-KeyValues-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "appConfigurationName": { - "value": "[parameters('name')]" - }, - "name": { - "value": 
"[parameters('keyValues')[copyIndex()].name]" - }, - "value": { - "value": "[parameters('keyValues')[copyIndex()].value]" - }, - "contentType": "[if(contains(parameters('keyValues')[copyIndex()], 'contentType'), createObject('value', parameters('keyValues')[copyIndex()].contentType), createObject('value', ''))]", - "tags": { - "value": "[coalesce(tryGet(parameters('keyValues')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11370563001494590361" - }, - "name": "App Configuration Stores Key Values", - "description": "This module deploys an App Configuration Store Key Value.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the key." - } - }, - "value": { - "type": "string", - "metadata": { - "description": "Required. Name of the value." - } - }, - "appConfigurationName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent app configuration store. Required if the template is used in a standalone deployment." - } - }, - "contentType": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The content type of the key-values value. Providing a proper content-type can enable transformations of values when they are retrieved by applications." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. 
Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "appConfiguration": { - "existing": true, - "type": "Microsoft.AppConfiguration/configurationStores", - "apiVersion": "2023-03-01", - "name": "[parameters('appConfigurationName')]" - }, - "keyValues": { - "type": "Microsoft.AppConfiguration/configurationStores/keyValues", - "apiVersion": "2023-03-01", - "name": "[format('{0}/{1}', parameters('appConfigurationName'), parameters('name'))]", - "properties": { - "contentType": "[parameters('contentType')]", - "tags": "[parameters('tags')]", - "value": "[parameters('value')]" - }, - "dependsOn": [ - "appConfiguration" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the key values." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the key values." - }, - "value": "[resourceId('Microsoft.AppConfiguration/configurationStores/keyValues', parameters('appConfigurationName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the batch account was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "configurationStore" - ] - }, - "configurationStore_privateEndpoints": { - "copy": { - "name": "configurationStore_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-configurationStore-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'configurationStores')]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'configurationStores'), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name'))]" - }, - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": 
"[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - 
"roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. 
Specify the type of lock." - } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." 
- } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private 
DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - 
"groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": 
"Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": 
"string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "configurationStore" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the app configuration." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the app configuration." 
- }, - "value": "[resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the app configuration store was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('configurationStore', '2023-03-01', 'full').identity, 'principalId')), reference('configurationStore', '2023-03-01', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('configurationStore', '2023-03-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/app-configuration/configuration-store/tests/e2e/defaults/main.test.bicep b/modules/app-configuration/configuration-store/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 895734bd01..0000000000 --- a/modules/app-configuration/configuration-store/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-appconfiguration.configurationstores-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'accmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/app-configuration/configuration-store/tests/e2e/encr/dependencies.bicep b/modules/app-configuration/configuration-store/tests/e2e/encr/dependencies.bicep
deleted file mode 100644
index bebad9a289..0000000000
--- a/modules/app-configuration/configuration-store/tests/e2e/encr/dependencies.bicep
+++ /dev/null
@@ -1,61 +0,0 @@
-@description('Required. The name of the managed identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: true
- softDeleteRetentionInDays: 90
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-
- resource key 'keys@2023-02-01' = {
- name: 'keyEncryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-}
-
-resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment')
- scope: keyVault::key
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User
- principalType: 'ServicePrincipal'
- }
-}
-
-@description('The principal ID of the created managed identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
-
-@description('The name of the created encryption key.')
-output keyName string = keyVault::key.name
diff --git a/modules/app-configuration/configuration-store/tests/e2e/encr/main.test.bicep b/modules/app-configuration/configuration-store/tests/e2e/encr/main.test.bicep deleted file mode 100644 index 8c676e3be7..0000000000 --- a/modules/app-configuration/configuration-store/tests/e2e/encr/main.test.bicep +++ /dev/null 
@@ -1,110 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-appconfiguration.configurationstores-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'accencr' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Generated. Used as a basis for unique resource names.') -param baseTime string = utcNow('u') - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - 
enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - createMode: 'Default' - disableLocalAuth: false - enablePurgeProtection: false - keyValues: [ - { - contentType: 'contentType' - name: 'keyName' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - - principalType: 'ServicePrincipal' - } - ] - value: 'valueName' - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - softDeleteRetentionInDays: 1 - managedIdentities: { - userAssignedResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - customerManagedKey: { - keyName: nestedDependencies.outputs.keyName - keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - userAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId - } - } -}] diff --git a/modules/app-configuration/configuration-store/tests/e2e/max/dependencies.bicep b/modules/app-configuration/configuration-store/tests/e2e/max/dependencies.bicep deleted file mode 100644 index bd63a95634..0000000000 --- a/modules/app-configuration/configuration-store/tests/e2e/max/dependencies.bicep +++ /dev/null 
@@ -1,16 +0,0 @@
-@description('Required. The name of the managed identity to create.')
-param managedIdentityName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created managed identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
diff --git a/modules/app-configuration/configuration-store/tests/e2e/max/main.test.bicep b/modules/app-configuration/configuration-store/tests/e2e/max/main.test.bicep
deleted file mode 100644
index a3bba846cd..0000000000
--- a/modules/app-configuration/configuration-store/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,135 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-appconfiguration.configurationstores-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'accmax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' 
- location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - createMode: 'Default' - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - disableLocalAuth: false - enablePurgeProtection: false - keyValues: [ - { - contentType: 'contentType' - name: 'keyName' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - value: 'valueName' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - softDeleteRetentionInDays: 1 - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - 
nestedDependencies.outputs.managedIdentityResourceId - ] - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/app-configuration/configuration-store/tests/e2e/pe/dependencies.bicep b/modules/app-configuration/configuration-store/tests/e2e/pe/dependencies.bicep deleted file mode 100644 index ee93b3e1e3..0000000000 --- a/modules/app-configuration/configuration-store/tests/e2e/pe/dependencies.bicep +++ /dev/null @@ -1,49 +0,0 @@ -@description('Required. The name of the Virtual Network to create.') -param virtualNetworkName string - -@description('Optional. The location to deploy resources to.') -param location string = resourceGroup().location - -var addressPrefix = '10.0.0.0/16' - -resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { - name: virtualNetworkName - location: location - properties: { - addressSpace: { - addressPrefixes: [ - addressPrefix - ] - } - subnets: [ - { - name: 'defaultSubnet' - properties: { - addressPrefix: cidrSubnet(addressPrefix, 16, 0) - } - } - ] - } -} - -resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { - name: 'privatelink.azconfig.io' - location: 'global' - - resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { - name: '${virtualNetworkName}-vnetlink' - location: 'global' - properties: { - virtualNetwork: { - id: virtualNetwork.id - } - registrationEnabled: false - } - } -} - -@description('The resource ID of the created Virtual Network Subnet.') -output subnetResourceId string = virtualNetwork.properties.subnets[0].id - -@description('The resource ID of the created Private DNS Zone.') -output privateDNSZoneResourceId string = privateDNSZone.id diff --git a/modules/app-configuration/configuration-store/tests/e2e/pe/main.test.bicep b/modules/app-configuration/configuration-store/tests/e2e/pe/main.test.bicep deleted file mode 100644 index 59ca3034ed..0000000000 
--- a/modules/app-configuration/configuration-store/tests/e2e/pe/main.test.bicep +++ /dev/null 
@@ -1,78 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-appconfiguration.configurationstores-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'accpe' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - createMode: 'Default' - disableLocalAuth: false - enablePurgeProtection: false - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - - nestedDependencies.outputs.privateDNSZoneResourceId - - ] - subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - 
'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - softDeleteRetentionInDays: 1 - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/dependencies.bicep b/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/dependencies.bicep deleted file mode 100644 index bd63a95634..0000000000 --- a/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null @@ -1,16 +0,0 @@ -@description('Required. The name of the managed identity to create.') -param managedIdentityName string - -@description('Optional. The location to deploy resources to.') -param location string = resourceGroup().location - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -@description('The principal ID of the created managed identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId - -@description('The resource ID of the created Managed Identity.') -output managedIdentityResourceId string = managedIdentity.id diff --git a/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep b/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep deleted file mode 100644 index 11ffe42dcc..0000000000 --- a/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep +++ /dev/null 
@@ -1,118 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-appconfiguration.configurationstores-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'accwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 
'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - createMode: 'Default' - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - disableLocalAuth: false - enablePurgeProtection: false - keyValues: [ - { - contentType: 'contentType' - name: 'keyName' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - value: 'valueName' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - softDeleteRetentionInDays: 1 - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/app-configuration/configuration-store/version.json b/modules/app-configuration/configuration-store/version.json deleted file mode 100644 index b3d560b1ad..0000000000 --- a/modules/app-configuration/configuration-store/version.json +++ /dev/null 
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.3",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/app/container-app/MOVED-TO-AVM.md b/modules/app/container-app/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/app/container-app/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/app/container-app/README.md b/modules/app/container-app/README.md
index 12d9e8cbb4..6f95c5024a 100644
--- a/modules/app/container-app/README.md
+++ b/modules/app/container-app/README.md
@@ -1,902 +1,7 @@
-# Container Apps `[Microsoft.App/containerApps]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/app/container-app](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/app/container-app).** -This module deploys a Container App. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/app/container-app). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.App/containerApps` | [2022-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.App/2022-10-01/containerApps) | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/app.container-app:1.0.0`. 
- -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-mcappmin' - params: { - // Required parameters - containers: [ - { - image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' - name: 'simple-hello-world-container' - resources: { - cpu: '' - memory: '0.5Gi' - } - } - ] - environmentId: '' - name: 'mcappmin001' - // Non-required parameters - enableDefaultTelemetry: '' - location: '' - tags: { - Env: 'test' - 'hidden-title': 'This is visible in the resource name' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "containers": { - "value": [ - { - "image": "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest", - "name": "simple-hello-world-container", - "resources": { - "cpu": "", - "memory": "0.5Gi" - } - } - ] - }, - "environmentId": { - "value": "" - }, - "name": { - "value": "mcappmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "location": { - "value": "" - }, - "tags": { - "value": { - "Env": "test", - "hidden-title": "This is visible in the resource name" - } - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-mcappmax' - params: { - // Required parameters - containers: [ - { - image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' - name: 'simple-hello-world-container' - probes: [ - { - httpGet: { - httpHeaders: [ - { - name: 'Custom-Header' - value: 'Awesome' - } - ] - path: '/health' - port: 8080 - } - initialDelaySeconds: 3 - periodSeconds: 3 - type: 'Liveness' - } - ] - resources: { - cpu: '' - memory: '0.5Gi' - } - } - ] - environmentId: '' - name: 'mcappmax001' - // Non-required parameters - enableDefaultTelemetry: '' - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - secrets: { - secureList: [ - { - name: 'customtest' - value: '' - } - ] - } - tags: { - Env: 'test' - 'hidden-title': 'This is visible in the resource name' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "containers": { - "value": [ - { - "image": "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest", - "name": "simple-hello-world-container", - "probes": [ - { - "httpGet": { - "httpHeaders": [ - { - "name": "Custom-Header", - "value": "Awesome" - } - ], - "path": "/health", - "port": 8080 - }, - "initialDelaySeconds": 3, - "periodSeconds": 3, - "type": "Liveness" - } - ], - "resources": { - "cpu": "", - "memory": "0.5Gi" - } - } - ] - }, - "environmentId": { - "value": "" - }, - "name": { - "value": "mcappmax001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "secrets": { - "value": { - "secureList": [ - { - "name": "customtest", - "value": "" - } - ] - } - }, - "tags": { - "value": { - "Env": "test", - "hidden-title": "This is visible in the resource name" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-mcappwaf' - params: { - // Required parameters - containers: [ - { - image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' - name: 'simple-hello-world-container' - probes: [ - { - httpGet: { - httpHeaders: [ - { - name: 'Custom-Header' - value: 'Awesome' - } - ] - path: '/health' - port: 8080 - } - initialDelaySeconds: 3 - periodSeconds: 3 - type: 'Liveness' - } - ] - resources: { - cpu: '' - memory: '0.5Gi' - } - } - ] - environmentId: '' - name: 'mcappwaf001' - // Non-required parameters - enableDefaultTelemetry: '' - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - secrets: { - secureList: [ - { - name: 'customtest' - value: '' - } - ] - } - tags: { - Env: 'test' - 'hidden-title': 'This is visible in the resource name' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "containers": { - "value": [ - { - "image": "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest", - "name": "simple-hello-world-container", - "probes": [ - { - "httpGet": { - "httpHeaders": [ - { - "name": "Custom-Header", - "value": "Awesome" - } - ], - "path": "/health", - "port": 8080 - }, - "initialDelaySeconds": 3, - "periodSeconds": 3, - "type": "Liveness" - } - ], - "resources": { - "cpu": "", - "memory": "0.5Gi" - } - } - ] - }, - "environmentId": { - "value": "" - }, - "name": { - "value": "mcappwaf001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "secrets": { - "value": { - "secureList": [ - { - "name": "customtest", - "value": "" - } - ] - } - }, - "tags": { - "value": { - "Env": "test", - "hidden-title": "This is visible in the resource name" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`containers`](#parameter-containers) | array | List of container definitions for the Container App. | -| [`environmentId`](#parameter-environmentid) | string | Resource ID of environment. | -| [`name`](#parameter-name) | string | Name of the Container App. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`activeRevisionsMode`](#parameter-activerevisionsmode) | string | ActiveRevisionsMode controls how active revisions are handled for the Container app. | -| [`customDomains`](#parameter-customdomains) | array | Custom domain bindings for Container App hostnames. | -| [`dapr`](#parameter-dapr) | object | Dapr configuration for the Container App. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`exposedPort`](#parameter-exposedport) | int | Exposed Port in containers for TCP traffic from ingress. | -| [`ingressAllowInsecure`](#parameter-ingressallowinsecure) | bool | Bool indicating if HTTP connections to is allowed. If set to false HTTP connections are automatically redirected to HTTPS connections. | -| [`ingressExternal`](#parameter-ingressexternal) | bool | Bool indicating if app exposes an external http endpoint. | -| [`ingressTargetPort`](#parameter-ingresstargetport) | int | Target Port in containers for traffic from ingress. | -| [`ingressTransport`](#parameter-ingresstransport) | string | Ingress transport protocol. | -| [`initContainersTemplate`](#parameter-initcontainerstemplate) | array | List of specialized containers that run before app containers. | -| [`ipSecurityRestrictions`](#parameter-ipsecurityrestrictions) | array | Rules to restrict incoming IP address. | -| [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. 
| -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`maxInactiveRevisions`](#parameter-maxinactiverevisions) | int | Max inactive revisions a Container App can have. | -| [`registries`](#parameter-registries) | array | Collection of private container registry credentials for containers used by the Container app. | -| [`revisionSuffix`](#parameter-revisionsuffix) | string | User friendly suffix that is appended to the revision name. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute. | -| [`scaleMaxReplicas`](#parameter-scalemaxreplicas) | int | Maximum number of container replicas. Defaults to 10 if not set. | -| [`scaleMinReplicas`](#parameter-scaleminreplicas) | int | Minimum number of container replicas. | -| [`scaleRules`](#parameter-scalerules) | array | Scaling rules. | -| [`secrets`](#parameter-secrets) | secureObject | The secrets of the Container App. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`trafficLabel`](#parameter-trafficlabel) | string | Associates a traffic label with a revision. Label name should be consist of lower case alphanumeric characters or dashes. | -| [`trafficLatestRevision`](#parameter-trafficlatestrevision) | bool | Indicates that the traffic weight belongs to a latest stable revision. | -| [`trafficRevisionName`](#parameter-trafficrevisionname) | string | Name of a revision. | -| [`trafficWeight`](#parameter-trafficweight) | int | Traffic weight assigned to a revision. | -| [`volumes`](#parameter-volumes) | array | List of volume definitions for the Container App. | -| [`workloadProfileType`](#parameter-workloadprofiletype) | string | Workload profile type to pin for container app execution. 
| - -### Parameter: `containers` - -List of container definitions for the Container App. - -- Required: Yes -- Type: array - -### Parameter: `environmentId` - -Resource ID of environment. - -- Required: Yes -- Type: string - -### Parameter: `name` - -Name of the Container App. - -- Required: Yes -- Type: string - -### Parameter: `activeRevisionsMode` - -ActiveRevisionsMode controls how active revisions are handled for the Container app. - -- Required: No -- Type: string -- Default: `'Single'` -- Allowed: - ```Bicep - [ - 'Multiple' - 'Single' - ] - ``` - -### Parameter: `customDomains` - -Custom domain bindings for Container App hostnames. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `dapr` - -Dapr configuration for the Container App. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `exposedPort` - -Exposed Port in containers for TCP traffic from ingress. - -- Required: No -- Type: int -- Default: `0` - -### Parameter: `ingressAllowInsecure` - -Bool indicating if HTTP connections to is allowed. If set to false HTTP connections are automatically redirected to HTTPS connections. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `ingressExternal` - -Bool indicating if app exposes an external http endpoint. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `ingressTargetPort` - -Target Port in containers for traffic from ingress. - -- Required: No -- Type: int -- Default: `80` - -### Parameter: `ingressTransport` - -Ingress transport protocol. - -- Required: No -- Type: string -- Default: `'auto'` -- Allowed: - ```Bicep - [ - 'auto' - 'http' - 'http2' - 'tcp' - ] - ``` - -### Parameter: `initContainersTemplate` - -List of specialized containers that run before app containers. 
- -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `ipSecurityRestrictions` - -Rules to restrict incoming IP address. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all Resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: No -- Type: array - -### Parameter: `maxInactiveRevisions` - -Max inactive revisions a Container App can have. - -- Required: No -- Type: int -- Default: `0` - -### Parameter: `registries` - -Collection of private container registry credentials for containers used by the Container app. 
- -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `revisionSuffix` - -User friendly suffix that is appended to the revision name. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. 
| - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `scaleMaxReplicas` - -Maximum number of container replicas. Defaults to 10 if not set. - -- Required: No -- Type: int -- Default: `1` - -### Parameter: `scaleMinReplicas` - -Minimum number of container replicas. - -- Required: No -- Type: int -- Default: `0` - -### Parameter: `scaleRules` - -Scaling rules. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `secrets` - -The secrets of the Container App. 
- -- Required: No -- Type: secureObject -- Default: `{}` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `trafficLabel` - -Associates a traffic label with a revision. Label name should be consist of lower case alphanumeric characters or dashes. - -- Required: No -- Type: string -- Default: `'label-1'` - -### Parameter: `trafficLatestRevision` - -Indicates that the traffic weight belongs to a latest stable revision. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `trafficRevisionName` - -Name of a revision. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `trafficWeight` - -Traffic weight assigned to a revision. - -- Required: No -- Type: int -- Default: `100` - -### Parameter: `volumes` - -List of volume definitions for the Container App. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `workloadProfileType` - -Workload profile type to pin for container app execution. - -- Required: No -- Type: string -- Default: `''` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the Container App. | -| `resourceGroupName` | string | The name of the resource group the Container App was deployed into. | -| `resourceId` | string | The resource ID of the Container App. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/app/container-app/main.bicep b/modules/app/container-app/main.bicep deleted file mode 100644 index 939f2bed5c..0000000000 --- a/modules/app/container-app/main.bicep +++ /dev/null 
@@ -1,267 +0,0 @@
-metadata name = 'Container Apps'
-metadata description = 'This module deploys a Container App.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the Container App.')
-param name string
-
-@description('Optional. Location for all Resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Bool indicating if app exposes an external http endpoint.')
-param ingressExternal bool = true
-
-@allowed([
- 'auto'
- 'http'
- 'http2'
- 'tcp'
-])
-@description('Optional. Ingress transport protocol.')
-param ingressTransport string = 'auto'
-
-@description('Optional. Bool indicating if HTTP connections to is allowed. If set to false HTTP connections are automatically redirected to HTTPS connections.')
-param ingressAllowInsecure bool = true
-
-@description('Optional. Target Port in containers for traffic from ingress.')
-param ingressTargetPort int = 80
-
-@description('Optional. Maximum number of container replicas. Defaults to 10 if not set.')
-param scaleMaxReplicas int = 1
-
-@description('Optional. Minimum number of container replicas.')
-param scaleMinReplicas int = 0
-
-@description('Optional. Scaling rules.')
-param scaleRules array = []
-
-@allowed([
- 'Multiple'
- 'Single'
-])
-@description('Optional. ActiveRevisionsMode controls how active revisions are handled for the Container app.')
-param activeRevisionsMode string = 'Single'
-
-@description('Required. Resource ID of environment.')
-param environmentId string
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Collection of private container registry credentials for containers used by the Container app.')
-param registries array = []
-
-@description('Optional. The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. Custom domain bindings for Container App hostnames.')
-param customDomains array = []
-
-@description('Optional. Exposed Port in containers for TCP traffic from ingress.')
-param exposedPort int = 0
-
-@description('Optional. Rules to restrict incoming IP address.')
-param ipSecurityRestrictions array = []
-
-@description('Optional. Associates a traffic label with a revision. Label name should be consist of lower case alphanumeric characters or dashes.')
-param trafficLabel string = 'label-1'
-
-@description('Optional. Indicates that the traffic weight belongs to a latest stable revision.')
-param trafficLatestRevision bool = true
-
-@description('Optional. Name of a revision.')
-param trafficRevisionName string = ''
-
-@description('Optional. Traffic weight assigned to a revision.')
-param trafficWeight int = 100
-
-@description('Optional. Dapr configuration for the Container App.')
-param dapr object = {}
-
-@description('Optional. Max inactive revisions a Container App can have.')
-param maxInactiveRevisions int = 0
-
-@description('Required. List of container definitions for the Container App.')
-param containers array
-
-@description('Optional. List of specialized containers that run before app containers.')
-param initContainersTemplate array = []
-
-@description('Optional. The secrets of the Container App.')
-@secure()
-param secrets object = {}
-
-@description('Optional. User friendly suffix that is appended to the revision name.')
-param revisionSuffix string = ''
-
-@description('Optional. List of volume definitions for the Container App.')
-param volumes array = []
-
-@description('Optional. Workload profile type to pin for container app execution.')
-param workloadProfileType string = ''
-
-var secretList = !empty(secrets) ? secrets.secureList : []
-
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-
-var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
- userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
-} : null
-
-var builtInRoleNames = {
- 'ContainerApp Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b')
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource containerApp 'Microsoft.App/containerApps@2022-10-01' = {
- name: name
- tags: tags
- location: location
- identity: identity
- properties: {
- environmentId: environmentId
- configuration: {
- activeRevisionsMode: activeRevisionsMode
- dapr: !empty(dapr) ? dapr : null
- ingress: {
- allowInsecure: ingressAllowInsecure
- customDomains: !empty(customDomains) ? customDomains : null
- exposedPort: exposedPort
- external: ingressExternal
- ipSecurityRestrictions: !empty(ipSecurityRestrictions) ? ipSecurityRestrictions : null
- targetPort: ingressTargetPort
- traffic: [
- {
- label: trafficLabel
- latestRevision: trafficLatestRevision
- revisionName: trafficRevisionName
- weight: trafficWeight
- }
- ]
- transport: ingressTransport
- }
- maxInactiveRevisions: maxInactiveRevisions
- registries: !empty(registries) ? registries : null
- secrets: secretList
- }
- template: {
- containers: containers
- initContainers: !empty(initContainersTemplate) ? initContainersTemplate : null
- revisionSuffix: revisionSuffix
- scale: {
- maxReplicas: scaleMaxReplicas
- minReplicas: scaleMinReplicas
- rules: !empty(scaleRules) ? scaleRules : null
- }
- volumes: !empty(volumes) ? volumes : null
- }
- workloadProfileType: workloadProfileType
- }
-}
-
-resource containerApp_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: containerApp
-}
-
-resource containerApp_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(containerApp.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: containerApp
-}]
-
-@description('The resource ID of the Container App.')
-output resourceId string = containerApp.id
-
-@description('The name of the resource group the Container App was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the Container App.')
-output name string = containerApp.name
-
-@description('The principal ID of the system assigned identity.')
-output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(containerApp.identity, 'principalId') ? containerApp.identity.principalId : ''
-
-@description('The location the resource was deployed into.')
-output location string = containerApp.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]?
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/app/container-app/main.json b/modules/app/container-app/main.json
deleted file mode 100644
index 151294bb80..0000000000
--- a/modules/app/container-app/main.json
+++ /dev/null
@@ -1,510 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "3664175856787955387" - }, - "name": "Container Apps", - "description": "This module deploys a Container App.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Container App." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "ingressExternal": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Bool indicating if app exposes an external http endpoint." - } - }, - "ingressTransport": { - "type": "string", - "defaultValue": "auto", - "allowedValues": [ - "auto", - "http", - "http2", - "tcp" - ], - "metadata": { - "description": "Optional. Ingress transport protocol." - } - }, - "ingressAllowInsecure": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. 
Bool indicating if HTTP connections to is allowed. If set to false HTTP connections are automatically redirected to HTTPS connections." - } - }, - "ingressTargetPort": { - "type": "int", - "defaultValue": 80, - "metadata": { - "description": "Optional. Target Port in containers for traffic from ingress." - } - }, - "scaleMaxReplicas": { - "type": "int", - "defaultValue": 1, - "metadata": { - "description": "Optional. Maximum number of container replicas. Defaults to 10 if not set." - } - }, - "scaleMinReplicas": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. Minimum number of container replicas." - } - }, - "scaleRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Scaling rules." - } - }, - "activeRevisionsMode": { - "type": "string", - "defaultValue": "Single", - "allowedValues": [ - "Multiple", - "Single" - ], - "metadata": { - "description": "Optional. ActiveRevisionsMode controls how active revisions are handled for the Container app." - } - }, - "environmentId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of environment." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "registries": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Collection of private container registry credentials for containers used by the Container app." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. 
Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "customDomains": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Custom domain bindings for Container App hostnames." - } - }, - "exposedPort": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. Exposed Port in containers for TCP traffic from ingress." - } - }, - "ipSecurityRestrictions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Rules to restrict incoming IP address." - } - }, - "trafficLabel": { - "type": "string", - "defaultValue": "label-1", - "metadata": { - "description": "Optional. Associates a traffic label with a revision. Label name should be consist of lower case alphanumeric characters or dashes." - } - }, - "trafficLatestRevision": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Indicates that the traffic weight belongs to a latest stable revision." - } - }, - "trafficRevisionName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of a revision." - } - }, - "trafficWeight": { - "type": "int", - "defaultValue": 100, - "metadata": { - "description": "Optional. Traffic weight assigned to a revision." - } - }, - "dapr": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Dapr configuration for the Container App." - } - }, - "maxInactiveRevisions": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. Max inactive revisions a Container App can have." 
- } - }, - "containers": { - "type": "array", - "metadata": { - "description": "Required. List of container definitions for the Container App." - } - }, - "initContainersTemplate": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of specialized containers that run before app containers." - } - }, - "secrets": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. The secrets of the Container App." - } - }, - "revisionSuffix": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. User friendly suffix that is appended to the revision name." - } - }, - "volumes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of volume definitions for the Container App." - } - }, - "workloadProfileType": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Workload profile type to pin for container app execution." - } - } - }, - "variables": { - "secretList": "[if(not(empty(parameters('secrets'))), parameters('secrets').secureList, createArray())]", - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', 
if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "builtInRoleNames": { - "ContainerApp Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "containerApp": { - "type": "Microsoft.App/containerApps", - "apiVersion": "2022-10-01", - "name": "[parameters('name')]", - "tags": "[parameters('tags')]", - "location": "[parameters('location')]", - "identity": "[variables('identity')]", - "properties": { - "environmentId": "[parameters('environmentId')]", - "configuration": { - "activeRevisionsMode": "[parameters('activeRevisionsMode')]", - "dapr": "[if(not(empty(parameters('dapr'))), parameters('dapr'), null())]", - "ingress": { - 
"allowInsecure": "[parameters('ingressAllowInsecure')]", - "customDomains": "[if(not(empty(parameters('customDomains'))), parameters('customDomains'), null())]", - "exposedPort": "[parameters('exposedPort')]", - "external": "[parameters('ingressExternal')]", - "ipSecurityRestrictions": "[if(not(empty(parameters('ipSecurityRestrictions'))), parameters('ipSecurityRestrictions'), null())]", - "targetPort": "[parameters('ingressTargetPort')]", - "traffic": [ - { - "label": "[parameters('trafficLabel')]", - "latestRevision": "[parameters('trafficLatestRevision')]", - "revisionName": "[parameters('trafficRevisionName')]", - "weight": "[parameters('trafficWeight')]" - } - ], - "transport": "[parameters('ingressTransport')]" - }, - "maxInactiveRevisions": "[parameters('maxInactiveRevisions')]", - "registries": "[if(not(empty(parameters('registries'))), parameters('registries'), null())]", - "secrets": "[variables('secretList')]" - }, - "template": { - "containers": "[parameters('containers')]", - "initContainers": "[if(not(empty(parameters('initContainersTemplate'))), parameters('initContainersTemplate'), null())]", - "revisionSuffix": "[parameters('revisionSuffix')]", - "scale": { - "maxReplicas": "[parameters('scaleMaxReplicas')]", - "minReplicas": "[parameters('scaleMinReplicas')]", - "rules": "[if(not(empty(parameters('scaleRules'))), parameters('scaleRules'), null())]" - }, - "volumes": "[if(not(empty(parameters('volumes'))), parameters('volumes'), null())]" - }, - "workloadProfileType": "[parameters('workloadProfileType')]" - } - }, - "containerApp_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.App/containerApps/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - 
"level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "containerApp" - ] - }, - "containerApp_roleAssignments": { - "copy": { - "name": "containerApp_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.App/containerApps/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.App/containerApps', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "containerApp" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Container App." - }, - "value": "[resourceId('Microsoft.App/containerApps', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the Container App was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the Container App." - }, - "value": "[parameters('name')]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('containerApp', '2022-10-01', 'full').identity, 'principalId')), reference('containerApp', '2022-10-01', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('containerApp', '2022-10-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/app/container-app/tests/e2e/defaults/dependencies.bicep b/modules/app/container-app/tests/e2e/defaults/dependencies.bicep deleted file mode 100644 index edf4adee4b..0000000000 --- a/modules/app/container-app/tests/e2e/defaults/dependencies.bicep +++ /dev/null 
@@ -1,17 +0,0 @@
-@description('Required. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Environment to create.')
-param managedEnvironmentName string
-
-resource managedEnvironment 'Microsoft.App/managedEnvironments@2022-10-01' = {
- name: managedEnvironmentName
- location: location
- sku: {
- name: 'Consumption'
- }
- properties: {}
-}
-
-@description('The resource ID of the created Managed Environment.')
-output managedEnvironmentResourceId string = managedEnvironment.id
diff --git a/modules/app/container-app/tests/e2e/defaults/main.test.bicep b/modules/app/container-app/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index b00bf36743..0000000000
--- a/modules/app/container-app/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,75 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using only defaults' -metadata description = 'This instance deploys the module with the minimum set of required parameters.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-app.containerApps-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'mcappmin' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// =========== // -// Deployments // -// =========== // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-paramNested' - params: { - location: location - managedEnvironmentName: 'dep-${namePrefix}-menv-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - name: '${namePrefix}${serviceShort}001' - tags: { - 'hidden-title': 'This is visible in the resource name' - Env: 'test' - } - enableDefaultTelemetry: enableDefaultTelemetry - environmentId: 
nestedDependencies.outputs.managedEnvironmentResourceId - location: location - containers: [ - { - name: 'simple-hello-world-container' - image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' - resources: { - // workaround as 'float' values are not supported in Bicep, yet the resource providers expects them. Related issue: https://github.com/Azure/bicep/issues/1386 - cpu: json('0.25') - memory: '0.5Gi' - } - } - ] - } -}] diff --git a/modules/app/container-app/tests/e2e/max/dependencies.bicep b/modules/app/container-app/tests/e2e/max/dependencies.bicep deleted file mode 100644 index a6700c9d60..0000000000 --- a/modules/app/container-app/tests/e2e/max/dependencies.bicep +++ /dev/null @@ -1,28 +0,0 @@ -@description('Required. The location to deploy resources to.') -param location string = resourceGroup().location - -@description('Required. The name of the Managed Environment for Container Apps to create.') -param managedEnvironmentName string - -@description('Required. The name of the managed identity to create.') -param managedIdentityName string - -resource managedEnvironment 'Microsoft.App/managedEnvironments@2022-10-01' = { - name: managedEnvironmentName - location: location - sku: { - name: 'Consumption' - } - properties: {} -} - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2022-01-31-preview' = { - name: managedIdentityName - location: location -} - -@description('The resource ID of the created Managed Identity.') -output managedIdentityResourceId string = managedIdentity.id - -@description('The resource ID of the created Managed Environment.') -output managedEnvironmentResourceId string = managedEnvironment.id diff --git a/modules/app/container-app/tests/e2e/max/main.test.bicep b/modules/app/container-app/tests/e2e/max/main.test.bicep deleted file mode 100644 index a9397c8777..0000000000 --- a/modules/app/container-app/tests/e2e/max/main.test.bicep +++ /dev/null 
@@ -1,110 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-app.containerApps-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'mcappmax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// =========== // -// Deployments // -// =========== // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-paramNested' - params: { - location: location - managedEnvironmentName: 'dep-${namePrefix}-menv-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - name: '${namePrefix}${serviceShort}001' - tags: { - 'hidden-title': 'This is visible in the resource name' - Env: 'test' - } - enableDefaultTelemetry: 
enableDefaultTelemetry - environmentId: nestedDependencies.outputs.managedEnvironmentResourceId - location: location - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - userAssignedResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - } - secrets: { - secureList: [ - { - name: 'customtest' - value: guid(deployment().name) - } - ] - } - containers: [ - { - name: 'simple-hello-world-container' - image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' - resources: { - // workaround as 'float' values are not supported in Bicep, yet the resource providers expects them. Related issue: https://github.com/Azure/bicep/issues/1386 - cpu: json('0.25') - memory: '0.5Gi' - } - probes: [ - { - type: 'Liveness' - httpGet: { - path: '/health' - port: 8080 - httpHeaders: [ - { - name: 'Custom-Header' - value: 'Awesome' - } - ] - } - initialDelaySeconds: 3 - periodSeconds: 3 - } - ] - } - ] - } -}] diff --git a/modules/app/container-app/tests/e2e/waf-aligned/dependencies.bicep b/modules/app/container-app/tests/e2e/waf-aligned/dependencies.bicep deleted file mode 100644 index a6700c9d60..0000000000 --- a/modules/app/container-app/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null 
@@ -1,28 +0,0 @@
-@description('Required. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Environment for Container Apps to create.')
-param managedEnvironmentName string
-
-@description('Required. The name of the managed identity to create.')
-param managedIdentityName string
-
-resource managedEnvironment 'Microsoft.App/managedEnvironments@2022-10-01' = {
- name: managedEnvironmentName
- location: location
- sku: {
- name: 'Consumption'
- }
- properties: {}
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2022-01-31-preview' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Managed Environment.')
-output managedEnvironmentResourceId string = managedEnvironment.id
diff --git a/modules/app/container-app/tests/e2e/waf-aligned/main.test.bicep b/modules/app/container-app/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index f7be7ad1bc..0000000000
--- a/modules/app/container-app/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,110 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-app.containerApps-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'mcappwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// =========== // -// Deployments // -// =========== // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-paramNested' - params: { - location: location - managedEnvironmentName: 'dep-${namePrefix}-menv-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - name: '${namePrefix}${serviceShort}001' - tags: { - 'hidden-title': 'This is visible in the resource name' - Env: 'test' - } - 
enableDefaultTelemetry: enableDefaultTelemetry - environmentId: nestedDependencies.outputs.managedEnvironmentResourceId - location: location - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - userAssignedResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - } - secrets: { - secureList: [ - { - name: 'customtest' - value: guid(deployment().name) - } - ] - } - containers: [ - { - name: 'simple-hello-world-container' - image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' - resources: { - // workaround as 'float' values are not supported in Bicep, yet the resource providers expects them. Related issue: https://github.com/Azure/bicep/issues/1386 - cpu: json('0.25') - memory: '0.5Gi' - } - probes: [ - { - type: 'Liveness' - httpGet: { - path: '/health' - port: 8080 - httpHeaders: [ - { - name: 'Custom-Header' - value: 'Awesome' - } - ] - } - initialDelaySeconds: 3 - periodSeconds: 3 - } - ] - } - ] - } -}] diff --git a/modules/app/container-app/version.json b/modules/app/container-app/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/app/container-app/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/app/job/README.md b/modules/app/job/README.md index c041013706..d30892db91 100644 --- a/modules/app/job/README.md +++ b/modules/app/job/README.md @@ -1,854 +1,7 @@ -# Container App Jobs `[Microsoft.App/jobs]` +

⚠️ Moved to AVM ⚠️

-This module deploys a Container App Job. +**This module has been evolved into the following AVM module: [avm/res/app/job](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/app/job).** -## Navigation +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/app/job). -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.App/jobs` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.App/2023-05-01/jobs) | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/app.job:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module job 'br:bicep/modules/app.job:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ajmin' - params: { - // Required parameters - containers: [ - { - image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' - name: 'simple-hello-world-container' - resources: { - cpu: '' - memory: '0.5Gi' - } - } - ] - environmentId: '' - name: 'ajmin001' - triggerType: 'Manual' - // Non-required parameters - enableDefaultTelemetry: '' - location: '' - manualTriggerConfig: { - parallelism: 1 - replicaCompletionCount: 1 - } - tags: { - Env: 'test' - 'hidden-title': 'This is visible in the resource name' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "containers": { - "value": [ - { - "image": "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest", - "name": "simple-hello-world-container", - "resources": { - "cpu": "", - "memory": "0.5Gi" - } - } - ] - }, - "environmentId": { - "value": "" - }, - "name": { - "value": "ajmin001" - }, - "triggerType": { - "value": "Manual" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "location": { - "value": "" - }, - "manualTriggerConfig": { - "value": { - "parallelism": 1, - "replicaCompletionCount": 1 - } - }, - "tags": { - "value": { - "Env": "test", - "hidden-title": "This is visible in the resource name" - } - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module job 'br:bicep/modules/app.job:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ajmax' - params: { - // Required parameters - containers: [ - { - image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' - name: 'simple-hello-world-container' - probes: [ - { - httpGet: { - httpHeaders: [ - { - name: 'Custom-Header' - value: 'Awesome' - } - ] - path: '/health' - port: 8080 - } - initialDelaySeconds: 3 - periodSeconds: 3 - type: 'Liveness' - } - ] - resources: { - cpu: '' - memory: '0.5Gi' - } - } - ] - environmentId: '' - name: 'ajmax001' - triggerType: 'Manual' - // Non-required parameters - enableDefaultTelemetry: '' - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - manualTriggerConfig: { - parallelism: 1 - replicaCompletionCount: 1 - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'ContainerApp Reader' - } - ] - secrets: { - secureList: [ - { - name: 'customtest' - value: '' - } - ] - } - tags: { - Env: 'test' - 'hidden-title': 'This is visible in the resource name' - } - workloadProfileName: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "containers": { - "value": [ - { - "image": "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest", - "name": "simple-hello-world-container", - "probes": [ - { - "httpGet": { - "httpHeaders": [ - { - "name": "Custom-Header", - "value": "Awesome" - } - ], - "path": "/health", - "port": 8080 - }, - "initialDelaySeconds": 3, - "periodSeconds": 3, - "type": "Liveness" - } - ], - "resources": { - "cpu": "", - "memory": "0.5Gi" - } - } - ] - }, - "environmentId": { - "value": "" - }, - "name": { - "value": "ajmax001" - }, - "triggerType": { - "value": "Manual" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "manualTriggerConfig": { - "value": { - "parallelism": 1, - "replicaCompletionCount": 1 - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "ContainerApp Reader" - } - ] - }, - "secrets": { - "value": { - "secureList": [ - { - "name": "customtest", - "value": "" - } - ] - } - }, - "tags": { - "value": { - "Env": "test", - "hidden-title": "This is visible in the resource name" - } - }, - "workloadProfileName": { - "value": "" - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module job 'br:bicep/modules/app.job:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ajwaf' - params: { - // Required parameters - containers: [ - { - image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' - name: 'simple-hello-world-container' - probes: [ - { - httpGet: { - httpHeaders: [ - { - name: 'Custom-Header' - value: 'Awesome' - } - ] - path: '/health' - port: 8080 - } - initialDelaySeconds: 3 - periodSeconds: 3 - type: 'Liveness' - } - ] - resources: { - cpu: '' - memory: '0.5Gi' - } - } - ] - environmentId: '' - name: 'ajwaf001' - triggerType: 'Manual' - // Non-required parameters - enableDefaultTelemetry: '' - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - manualTriggerConfig: { - parallelism: 1 - replicaCompletionCount: 1 - } - secrets: { - secureList: [ - { - name: 'customtest' - value: '' - } - ] - } - tags: { - Env: 'test' - 'hidden-title': 'This is visible in the resource name' - } - workloadProfileName: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "containers": { - "value": [ - { - "image": "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest", - "name": "simple-hello-world-container", - "probes": [ - { - "httpGet": { - "httpHeaders": [ - { - "name": "Custom-Header", - "value": "Awesome" - } - ], - "path": "/health", - "port": 8080 - }, - "initialDelaySeconds": 3, - "periodSeconds": 3, - "type": "Liveness" - } - ], - "resources": { - "cpu": "", - "memory": "0.5Gi" - } - } - ] - }, - "environmentId": { - "value": "" - }, - "name": { - "value": "ajwaf001" - }, - "triggerType": { - "value": "Manual" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "manualTriggerConfig": { - "value": { - "parallelism": 1, - "replicaCompletionCount": 1 - } - }, - "secrets": { - "value": { - "secureList": [ - { - "name": "customtest", - "value": "" - } - ] - } - }, - "tags": { - "value": { - "Env": "test", - "hidden-title": "This is visible in the resource name" - } - }, - "workloadProfileName": { - "value": "" - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`containers`](#parameter-containers) | array | List of container definitions for the Container App. | -| [`environmentId`](#parameter-environmentid) | string | Resource ID of environment. | -| [`name`](#parameter-name) | string | Name of the Container App. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`eventTriggerConfig`](#parameter-eventtriggerconfig) | object | Required if TriggerType is Event. Configuration of an event driven job. | -| [`initContainersTemplate`](#parameter-initcontainerstemplate) | array | List of specialized containers that run before app containers. | -| [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`manualTriggerConfig`](#parameter-manualtriggerconfig) | object | Required if TriggerType is Manual. Configuration of a manual job. | -| [`registries`](#parameter-registries) | array | Collection of private container registry credentials for containers used by the Container app. | -| [`replicaRetryLimit`](#parameter-replicaretrylimit) | int | The maximum number of times a replica can be retried. | -| [`replicaTimeout`](#parameter-replicatimeout) | int | Maximum number of seconds a replica is allowed to run. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute. 
| -| [`scheduleTriggerConfig`](#parameter-scheduletriggerconfig) | object | Required if TriggerType is Schedule. Configuration of a schedule based job. | -| [`secrets`](#parameter-secrets) | secureObject | The secrets of the Container App. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`triggerType`](#parameter-triggertype) | string | Trigger type of the job. | -| [`volumes`](#parameter-volumes) | array | List of volume definitions for the Container App. | -| [`workloadProfileName`](#parameter-workloadprofilename) | string | The name of the workload profile to use. | - -### Parameter: `containers` - -List of container definitions for the Container App. - -- Required: Yes -- Type: array - -### Parameter: `environmentId` - -Resource ID of environment. - -- Required: Yes -- Type: string - -### Parameter: `name` - -Name of the Container App. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `eventTriggerConfig` - -Required if TriggerType is Event. Configuration of an event driven job. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `initContainersTemplate` - -List of specialized containers that run before app containers. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all Resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. - -- Required: No -- Type: array - -### Parameter: `manualTriggerConfig` - -Required if TriggerType is Manual. Configuration of a manual job. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `registries` - -Collection of private container registry credentials for containers used by the Container app. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `replicaRetryLimit` - -The maximum number of times a replica can be retried. - -- Required: No -- Type: int -- Default: `0` - -### Parameter: `replicaTimeout` - -Maximum number of seconds a replica is allowed to run. - -- Required: No -- Type: int -- Default: `1800` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute. 
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource ID of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
- -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource ID of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `scheduleTriggerConfig` - -Required if TriggerType is Schedule. Configuration of a schedule based job. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `secrets` - -The secrets of the Container App. - -- Required: No -- Type: secureObject -- Default: `{}` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `triggerType` - -Trigger type of the job. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Event' - 'Manual' - 'Schedule' - ] - ``` - -### Parameter: `volumes` - -List of volume definitions for the Container App. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `workloadProfileName` - -The name of the workload profile to use. 
- -- Required: No -- Type: string -- Default: `'Consumption'` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the Container App Job. | -| `resourceGroupName` | string | The name of the resource group the Container App Job was deployed into. | -| `resourceId` | string | The resource ID of the Container App Job. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/app/job/main.bicep b/modules/app/job/main.bicep deleted file mode 100644 index 15d8106352..0000000000 --- a/modules/app/job/main.bicep +++ /dev/null 
@@ -1,205 +0,0 @@
-metadata name = 'Container App Jobs'
-metadata description = 'This module deploys a Container App Job.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the Container App.')
-param name string
-
-@description('Optional. Location for all Resources.')
-param location string = resourceGroup().location
-
-@description('Required. Resource ID of environment.')
-param environmentId string
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Tags of the resource.')
-param tags object = {}
-
-@description('Optional. Collection of private container registry credentials for containers used by the Container app.')
-param registries array = []
-
-@description('Optional. The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Required. List of container definitions for the Container App.')
-param containers array
-
-@description('Optional. List of specialized containers that run before app containers.')
-param initContainersTemplate array = []
-
-@description('Optional. Required if TriggerType is Event. Configuration of an event driven job.')
-param eventTriggerConfig object = {}
-
-@description('Optional. Required if TriggerType is Schedule. Configuration of a schedule based job.')
-param scheduleTriggerConfig object = {}
-
-@description('Optional. Required if TriggerType is Manual. Configuration of a manual job.')
-param manualTriggerConfig object = {}
-
-@description('Optional. The maximum number of times a replica can be retried.')
-param replicaRetryLimit int = 0
-
-@description('Optional. The name of the workload profile to use.')
-param workloadProfileName string = 'Consumption'
-
-@description('Optional. The secrets of the Container App.')
-@secure()
-param secrets object = {}
-
-@description('Optional. List of volume definitions for the Container App.')
-param volumes array = []
-
-@description('Optional. Maximum number of seconds a replica is allowed to run.')
-param replicaTimeout int = 1800
-
-@allowed([
- 'Event'
- 'Manual'
- 'Schedule'
-])
-@description('Optional. Trigger type of the job.')
-param triggerType string
-
-var secretList = !empty(secrets) ? secrets.secureList : []
-
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
- userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
-} : null
-
-var builtInRoleNames = {
- 'ContainerApp Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b')
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource containerAppJob 'Microsoft.App/jobs@2023-05-01' = {
- name: name
- tags: tags
- location: location
- identity: identity
- properties: {
- environmentId: environmentId
- configuration: {
- eventTriggerConfig: triggerType == 'Event' ? eventTriggerConfig : null
- manualTriggerConfig: triggerType == 'Manual' ? manualTriggerConfig : null
- scheduleTriggerConfig: triggerType == 'Schedule' ? scheduleTriggerConfig : null
- replicaRetryLimit: replicaRetryLimit
- replicaTimeout: replicaTimeout
- registries: !empty(registries) ? registries : null
- secrets: secretList
- triggerType: triggerType
- }
- template: {
- containers: containers
- initContainers: !empty(initContainersTemplate) ? initContainersTemplate : null
- volumes: !empty(volumes) ? volumes : null
- }
- workloadProfileName: workloadProfileName
- }
-}
-
-resource containerAppJob_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: containerAppJob
-}
-
-resource containerAppJob_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(containerAppJob.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: containerAppJob
-}]
-
-@description('The resource ID of the Container App Job.')
-output resourceId string = containerAppJob.id
-
-@description('The name of the resource group the Container App Job was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the Container App Job.')
-output name string = containerAppJob.name
-
-@description('The location the resource was deployed into.')
-output location string = containerAppJob.location
-
-@description('The principal ID of the system assigned identity.')
-output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(containerAppJob.identity, 'principalId') ? containerAppJob.identity.principalId : ''
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource ID of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type managedIdentitiesType = {
- @description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @description('Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption.')
- userAssignedResourceIds: string[]?
-}?
diff --git a/modules/app/job/main.json b/modules/app/job/main.json
deleted file mode 100644
index 2913e527df..0000000000
--- a/modules/app/job/main.json
+++ /dev/null
@@ -1,400 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5076851392653441401" - }, - "name": "Container App Jobs", - "description": "This module deploys a Container App Job.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource ID of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption." - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Container App." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "environmentId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of environment." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "tags": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Tags of the resource." 
- } - }, - "registries": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Collection of private container registry credentials for containers used by the Container app." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "containers": { - "type": "array", - "metadata": { - "description": "Required. List of container definitions for the Container App." - } - }, - "initContainersTemplate": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of specialized containers that run before app containers." - } - }, - "eventTriggerConfig": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Required if TriggerType is Event. Configuration of an event driven job." - } - }, - "scheduleTriggerConfig": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Required if TriggerType is Schedule. Configuration of a schedule based job." - } - }, - "manualTriggerConfig": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Required if TriggerType is Manual. Configuration of a manual job." - } - }, - "replicaRetryLimit": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. The maximum number of times a replica can be retried." 
- } - }, - "workloadProfileName": { - "type": "string", - "defaultValue": "Consumption", - "metadata": { - "description": "Optional. The name of the workload profile to use." - } - }, - "secrets": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. The secrets of the Container App." - } - }, - "volumes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of volume definitions for the Container App." - } - }, - "replicaTimeout": { - "type": "int", - "defaultValue": 1800, - "metadata": { - "description": "Optional. Maximum number of seconds a replica is allowed to run." - } - }, - "triggerType": { - "type": "string", - "allowedValues": [ - "Event", - "Manual", - "Schedule" - ], - "metadata": { - "description": "Optional. Trigger type of the job." - } - } - }, - "variables": { - "secretList": "[if(not(empty(parameters('secrets'))), parameters('secrets').secureList, createArray())]", - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "builtInRoleNames": { - "ContainerApp Reader": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "containerAppJob": { - "type": "Microsoft.App/jobs", - "apiVersion": "2023-05-01", - "name": "[parameters('name')]", - "tags": "[parameters('tags')]", - "location": "[parameters('location')]", - "identity": "[variables('identity')]", - "properties": { - "environmentId": "[parameters('environmentId')]", - "configuration": { - "eventTriggerConfig": "[if(equals(parameters('triggerType'), 'Event'), parameters('eventTriggerConfig'), null())]", - "manualTriggerConfig": "[if(equals(parameters('triggerType'), 'Manual'), parameters('manualTriggerConfig'), null())]", - "scheduleTriggerConfig": "[if(equals(parameters('triggerType'), 'Schedule'), parameters('scheduleTriggerConfig'), 
null())]", - "replicaRetryLimit": "[parameters('replicaRetryLimit')]", - "replicaTimeout": "[parameters('replicaTimeout')]", - "registries": "[if(not(empty(parameters('registries'))), parameters('registries'), null())]", - "secrets": "[variables('secretList')]", - "triggerType": "[parameters('triggerType')]" - }, - "template": { - "containers": "[parameters('containers')]", - "initContainers": "[if(not(empty(parameters('initContainersTemplate'))), parameters('initContainersTemplate'), null())]", - "volumes": "[if(not(empty(parameters('volumes'))), parameters('volumes'), null())]" - }, - "workloadProfileName": "[parameters('workloadProfileName')]" - } - }, - "containerAppJob_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.App/jobs/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "containerAppJob" - ] - }, - "containerAppJob_roleAssignments": { - "copy": { - "name": "containerAppJob_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.App/jobs/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.App/jobs', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - 
"roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "containerAppJob" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Container App Job." - }, - "value": "[resourceId('Microsoft.App/jobs', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the Container App Job was deployed into." 
- }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the Container App Job." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('containerAppJob', '2023-05-01', 'full').location]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('containerAppJob', '2023-05-01', 'full').identity, 'principalId')), reference('containerAppJob', '2023-05-01', 'full').identity.principalId, '')]" - } - } -} \ No newline at end of file diff --git a/modules/app/job/tests/e2e/defaults/dependencies.bicep b/modules/app/job/tests/e2e/defaults/dependencies.bicep deleted file mode 100644 index bb2af3d0f8..0000000000 --- a/modules/app/job/tests/e2e/defaults/dependencies.bicep +++ /dev/null @@ -1,21 +0,0 @@ -@description('Required. The location to deploy resources to.') -param location string = resourceGroup().location - -@description('Required. The name of the Managed Environment to create.') -param managedEnvironmentName string - -resource managedEnvironment 'Microsoft.App/managedEnvironments@2023-05-01' = { - name: managedEnvironmentName - location: location - properties: { - workloadProfiles: [ - { - workloadProfileType: 'Consumption' - name: 'Consumption' - } - ] - } -} - -@description('The resource ID of the created Managed Environment.') -output managedEnvironmentResourceId string = managedEnvironment.id diff --git a/modules/app/job/tests/e2e/defaults/main.test.bicep b/modules/app/job/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index d09eaa87c6..0000000000 --- a/modules/app/job/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,79 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-app.job-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ajmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// =========== //
-// Deployments //
-// =========== //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-paramNested'
- params: {
- location: location
- managedEnvironmentName: 'dep-${namePrefix}-menv-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- name: '${namePrefix}${serviceShort}001'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Env: 'test'
- }
- enableDefaultTelemetry: enableDefaultTelemetry
- environmentId: nestedDependencies.outputs.managedEnvironmentResourceId
- location: location
- triggerType: 'Manual'
- manualTriggerConfig: {
- replicaCompletionCount: 1
- parallelism: 1
- }
- containers: [
- {
- name: 'simple-hello-world-container'
- image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest'
- resources: {
- // workaround as 'float' values are not supported in Bicep, yet the resource providers expects them. Related issue: https://github.com/Azure/bicep/issues/1386
- cpu: json('0.25')
- memory: '0.5Gi'
- }
- }
- ]
- }
-}
diff --git a/modules/app/job/tests/e2e/max/dependencies.bicep b/modules/app/job/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index b03d4aca93..0000000000
--- a/modules/app/job/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,40 +0,0 @@
-@description('Required. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Environment for Container Apps to create.')
-param managedEnvironmentName string
-
-@description('Required. The name of the managed identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the workload profile to create.')
-param workloadProfileName string
-
-resource managedEnvironment 'Microsoft.App/managedEnvironments@2023-05-01' = {
- name: managedEnvironmentName
- location: location
- properties: {
- workloadProfiles: [
- {
- name: workloadProfileName
- workloadProfileType: 'D4'
- maximumCount: 1
- minimumCount: 1
- }
- ]
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2022-01-31-preview' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Managed Environment.')
-output managedEnvironmentResourceId string = managedEnvironment.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/app/job/tests/e2e/max/main.test.bicep b/modules/app/job/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 10751e7801..0000000000
--- a/modules/app/job/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,124 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-app.job-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ajmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// =========== //
-// Deployments //
-// =========== //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-paramNested'
- params: {
- location: location
- managedEnvironmentName: 'dep-${namePrefix}-menv-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- workloadProfileName: serviceShort
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- name: '${namePrefix}${serviceShort}001'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Env: 'test'
- }
- enableDefaultTelemetry: enableDefaultTelemetry
- environmentId: nestedDependencies.outputs.managedEnvironmentResourceId
- workloadProfileName: serviceShort
- location: location
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- secrets: {
- secureList: [
- {
- name: 'customtest'
- value: guid(deployment().name)
- }
- ]
- }
- triggerType: 'Manual'
- manualTriggerConfig: {
- replicaCompletionCount: 1
- parallelism: 1
- }
- containers: [
- {
- name: 'simple-hello-world-container'
- image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest'
- resources: {
- // workaround as 'float' values are not supported in Bicep, yet the resource providers expects them. Related issue: https://github.com/Azure/bicep/issues/1386
- cpu: json('0.25')
- memory: '0.5Gi'
- }
- probes: [
- {
- type: 'Liveness'
- httpGet: {
- path: '/health'
- port: 8080
- httpHeaders: [
- {
- name: 'Custom-Header'
- value: 'Awesome'
- }
- ]
- }
- initialDelaySeconds: 3
- periodSeconds: 3
- }
- ]
- }
- ]
- roleAssignments: [
- {
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- roleDefinitionIdOrName: 'ContainerApp Reader'
- principalType: 'ServicePrincipal'
- }
- ]
- }
-}
diff --git a/modules/app/job/tests/e2e/waf-aligned/dependencies.bicep b/modules/app/job/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index b03d4aca93..0000000000
--- a/modules/app/job/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,40 +0,0 @@
-@description('Required. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Environment for Container Apps to create.')
-param managedEnvironmentName string
-
-@description('Required. The name of the managed identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the workload profile to create.')
-param workloadProfileName string
-
-resource managedEnvironment 'Microsoft.App/managedEnvironments@2023-05-01' = {
- name: managedEnvironmentName
- location: location
- properties: {
- workloadProfiles: [
- {
- name: workloadProfileName
- workloadProfileType: 'D4'
- maximumCount: 1
- minimumCount: 1
- }
- ]
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2022-01-31-preview' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Managed Environment.')
-output managedEnvironmentResourceId string = managedEnvironment.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/app/job/tests/e2e/waf-aligned/main.test.bicep b/modules/app/job/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 5de0b2f354..0000000000
--- a/modules/app/job/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,117 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-app.job-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ajwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// =========== //
-// Deployments //
-// =========== //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-paramNested'
- params: {
- location: location
- managedEnvironmentName: 'dep-${namePrefix}-menv-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- workloadProfileName: serviceShort
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- name: '${namePrefix}${serviceShort}001'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Env: 'test'
- }
- enableDefaultTelemetry: enableDefaultTelemetry
- environmentId: nestedDependencies.outputs.managedEnvironmentResourceId
- workloadProfileName: serviceShort
- location: location
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- secrets: {
- secureList: [
- {
- name: 'customtest'
- value: guid(deployment().name)
- }
- ]
- }
- triggerType: 'Manual'
- manualTriggerConfig: {
- replicaCompletionCount: 1
- parallelism: 1
- }
- containers: [
- {
- name: 'simple-hello-world-container'
- image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest'
- resources: {
- // workaround as 'float' values are not supported in Bicep, yet the resource providers expects them. Related issue: https://github.com/Azure/bicep/issues/1386
- cpu: json('0.25')
- memory: '0.5Gi'
- }
- probes: [
- {
- type: 'Liveness'
- httpGet: {
- path: '/health'
- port: 8080
- httpHeaders: [
- {
- name: 'Custom-Header'
- value: 'Awesome'
- }
- ]
- }
- initialDelaySeconds: 3
- periodSeconds: 3
- }
- ]
- }
- ]
- }
-}
diff --git a/modules/app/job/version.json b/modules/app/job/version.json
deleted file mode 100644
index 7fa401bdf7..0000000000
--- a/modules/app/job/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.1",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/app/managed-environment/MOVED-TO-AVM.md b/modules/app/managed-environment/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/app/managed-environment/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/app/managed-environment/README.md b/modules/app/managed-environment/README.md index 2c75e23c35..6b61c5513c 100644 --- a/modules/app/managed-environment/README.md +++ b/modules/app/managed-environment/README.md @@ -1,618 +1,7 @@ -# App ManagedEnvironments `[Microsoft.App/managedEnvironments]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/app/managed-environment](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/app/managed-environment).** -This module deploys an App Managed Environment (also known as a Container App Environment). +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/app/managed-environment). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.App/managedEnvironments` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.App/2023-05-01/managedEnvironments) | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
- ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/app.managed-environment:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-amemin' - params: { - // Required parameters - enableDefaultTelemetry: '' - logAnalyticsWorkspaceResourceId: '' - name: 'amemin001' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "logAnalyticsWorkspaceResourceId": { - "value": "" - }, - "name": { - "value": "amemin001" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-amemax' - params: { - // Required parameters - enableDefaultTelemetry: '' - logAnalyticsWorkspaceResourceId: '' - name: 'amemax001' - // Non-required parameters - dockerBridgeCidr: '172.16.0.1/28' - infrastructureResourceGroupName: '' - infrastructureSubnetId: '' - internal: true - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - platformReservedCidr: '172.17.17.0/24' - platformReservedDnsIP: '172.17.17.17' - tags: { - Env: 'test' - 'hidden-title': 'This is visible in the resource name' - } - workloadProfiles: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "logAnalyticsWorkspaceResourceId": { - "value": "" - }, - "name": { - "value": "amemax001" - }, - // Non-required parameters - "dockerBridgeCidr": { - "value": "172.16.0.1/28" - }, - "infrastructureResourceGroupName": { - "value": "" - }, - "infrastructureSubnetId": { - "value": "" - }, - "internal": { - "value": true - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "platformReservedCidr": { - "value": "172.17.17.0/24" - }, - "platformReservedDnsIP": { - "value": "172.17.17.17" - }, - "tags": { - "value": { - "Env": "test", - "hidden-title": "This is visible in the resource name" - } - }, - "workloadProfiles": { - "value": "" - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-amewaf' - params: { - // Required parameters - enableDefaultTelemetry: '' - logAnalyticsWorkspaceResourceId: '' - name: 'amewaf001' - // Non-required parameters - dockerBridgeCidr: '172.16.0.1/28' - infrastructureResourceGroupName: '' - infrastructureSubnetId: '' - internal: true - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - platformReservedCidr: '172.17.17.0/24' - platformReservedDnsIP: '172.17.17.17' - tags: { - Env: 'test' - 'hidden-title': 'This is visible in the resource name' - } - workloadProfiles: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "logAnalyticsWorkspaceResourceId": { - "value": "" - }, - "name": { - "value": "amewaf001" - }, - // Non-required parameters - "dockerBridgeCidr": { - "value": "172.16.0.1/28" - }, - "infrastructureResourceGroupName": { - "value": "" - }, - "infrastructureSubnetId": { - "value": "" - }, - "internal": { - "value": true - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "platformReservedCidr": { - "value": "172.17.17.0/24" - }, - "platformReservedDnsIP": { - "value": "172.17.17.17" - }, - "tags": { - "value": { - "Env": "test", - "hidden-title": "This is visible in the resource name" - } - }, - "workloadProfiles": { - "value": "" - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`logAnalyticsWorkspaceResourceId`](#parameter-loganalyticsworkspaceresourceid) | string | Existing Log Analytics Workspace resource ID. Note: This value is not required as per the resource type. However, not providing it currently causes an issue that is tracked [here](https://github.com/Azure/bicep/issues/9990). | -| [`name`](#parameter-name) | string | Name of the Container Apps Managed Environment. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`infrastructureSubnetId`](#parameter-infrastructuresubnetid) | string | Resource ID of a subnet for infrastructure components. This is used to deploy the environment into a virtual network. Must not overlap with any other provided IP ranges. Required if "internal" is set to true. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`certificatePassword`](#parameter-certificatepassword) | securestring | Password of the certificate used by the custom domain. | -| [`certificateValue`](#parameter-certificatevalue) | securestring | Certificate to use for the custom domain. PFX or PEM. | -| [`daprAIConnectionString`](#parameter-dapraiconnectionstring) | securestring | Application Insights connection string used by Dapr to export Service to Service communication telemetry. | -| [`daprAIInstrumentationKey`](#parameter-dapraiinstrumentationkey) | securestring | Azure Monitor instrumentation key used by Dapr to export Service to Service communication telemetry. | -| [`dnsSuffix`](#parameter-dnssuffix) | string | DNS suffix for the environment domain. | -| [`dockerBridgeCidr`](#parameter-dockerbridgecidr) | string | CIDR notation IP range assigned to the Docker bridge, network. It must not overlap with any other provided IP ranges and can only be used when the environment is deployed into a virtual network. 
If not provided, it will be set with a default value by the platform. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`infrastructureResourceGroupName`](#parameter-infrastructureresourcegroupname) | string | Name of the infrastructure resource group. If not provided, it will be set with a default value. | -| [`internal`](#parameter-internal) | bool | Boolean indicating the environment only has an internal load balancer. These environments do not have a public static IP resource. If set to true, then "infrastructureSubnetId" must be provided. | -| [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`logsDestination`](#parameter-logsdestination) | string | Logs destination. | -| [`platformReservedCidr`](#parameter-platformreservedcidr) | string | IP range in CIDR notation that can be reserved for environment infrastructure IP addresses. It must not overlap with any other provided IP ranges and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform. | -| [`platformReservedDnsIP`](#parameter-platformreserveddnsip) | string | An IP address from the IP range defined by "platformReservedCidr" that will be reserved for the internal DNS server. It must not be the first address in the range and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`workloadProfiles`](#parameter-workloadprofiles) | array | Workload profiles configured for the Managed Environment. 
| -| [`zoneRedundant`](#parameter-zoneredundant) | bool | Whether or not this Managed Environment is zone-redundant. | - -### Parameter: `logAnalyticsWorkspaceResourceId` - -Existing Log Analytics Workspace resource ID. Note: This value is not required as per the resource type. However, not providing it currently causes an issue that is tracked [here](https://github.com/Azure/bicep/issues/9990). - -- Required: Yes -- Type: string - -### Parameter: `name` - -Name of the Container Apps Managed Environment. - -- Required: Yes -- Type: string - -### Parameter: `infrastructureSubnetId` - -Resource ID of a subnet for infrastructure components. This is used to deploy the environment into a virtual network. Must not overlap with any other provided IP ranges. Required if "internal" is set to true. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `certificatePassword` - -Password of the certificate used by the custom domain. - -- Required: No -- Type: securestring -- Default: `''` - -### Parameter: `certificateValue` - -Certificate to use for the custom domain. PFX or PEM. - -- Required: No -- Type: securestring -- Default: `''` - -### Parameter: `daprAIConnectionString` - -Application Insights connection string used by Dapr to export Service to Service communication telemetry. - -- Required: No -- Type: securestring -- Default: `''` - -### Parameter: `daprAIInstrumentationKey` - -Azure Monitor instrumentation key used by Dapr to export Service to Service communication telemetry. - -- Required: No -- Type: securestring -- Default: `''` - -### Parameter: `dnsSuffix` - -DNS suffix for the environment domain. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `dockerBridgeCidr` - -CIDR notation IP range assigned to the Docker bridge, network. It must not overlap with any other provided IP ranges and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform. 
- -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: Yes -- Type: bool - -### Parameter: `infrastructureResourceGroupName` - -Name of the infrastructure resource group. If not provided, it will be set with a default value. - -- Required: No -- Type: string -- Default: `[take(format('ME_{0}', parameters('name')), 63)]` - -### Parameter: `internal` - -Boolean indicating the environment only has an internal load balancer. These environments do not have a public static IP resource. If set to true, then "infrastructureSubnetId" must be provided. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `location` - -Location for all Resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `logsDestination` - -Logs destination. - -- Required: No -- Type: string -- Default: `'log-analytics'` - -### Parameter: `platformReservedCidr` - -IP range in CIDR notation that can be reserved for environment infrastructure IP addresses. It must not overlap with any other provided IP ranges and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform. 
- -- Required: No -- Type: string -- Default: `''` - -### Parameter: `platformReservedDnsIP` - -An IP address from the IP range defined by "platformReservedCidr" that will be reserved for the internal DNS server. It must not be the first address in the range and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. 
| -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `workloadProfiles` - -Workload profiles configured for the Managed Environment. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `zoneRedundant` - -Whether or not this Managed Environment is zone-redundant. 
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `defaultDomain` | string | The Default domain of the Managed Environment. |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the Managed Environment. |
-| `resourceGroupName` | string | The name of the resource group the Managed Environment was deployed into. |
-| `resourceId` | string | The resource ID of the Managed Environment. |
-
-## Cross-referenced modules
-
-_None_
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/app/managed-environment/main.bicep b/modules/app/managed-environment/main.bicep
deleted file mode 100644
index 93e9920902..0000000000
--- a/modules/app/managed-environment/main.bicep
+++ /dev/null
@@ -1,200 +0,0 @@
-metadata name = 'App ManagedEnvironments'
-metadata description = 'This module deploys an App Managed Environment (also known as a Container App Environment).'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the Container Apps Managed Environment.')
-param name string
-
-@description('Required. Existing Log Analytics Workspace resource ID. Note: This value is not required as per the resource type. However, not providing it currently causes an issue that is tracked [here](https://github.com/Azure/bicep/issues/9990).')
-param logAnalyticsWorkspaceResourceId string
-
-@description('Optional. Location for all Resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Logs destination.')
-param logsDestination string = 'log-analytics'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool
-
-@description('Optional. Application Insights connection string used by Dapr to export Service to Service communication telemetry.')
-@secure()
-param daprAIConnectionString string = ''
-
-@description('Optional. Azure Monitor instrumentation key used by Dapr to export Service to Service communication telemetry.')
-@secure()
-param daprAIInstrumentationKey string = ''
-
-@description('Optional. CIDR notation IP range assigned to the Docker bridge, network. It must not overlap with any other provided IP ranges and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform.')
-param dockerBridgeCidr string = ''
-
-@description('Conditional. Resource ID of a subnet for infrastructure components. This is used to deploy the environment into a virtual network.
Must not overlap with any other provided IP ranges. Required if "internal" is set to true.')
-param infrastructureSubnetId string = ''
-
-@description('Optional. Boolean indicating the environment only has an internal load balancer. These environments do not have a public static IP resource. If set to true, then "infrastructureSubnetId" must be provided.')
-param internal bool = false
-
-@description('Optional. IP range in CIDR notation that can be reserved for environment infrastructure IP addresses. It must not overlap with any other provided IP ranges and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform.')
-param platformReservedCidr string = ''
-
-@description('Optional. An IP address from the IP range defined by "platformReservedCidr" that will be reserved for the internal DNS server. It must not be the first address in the range and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform.')
-param platformReservedDnsIP string = ''
-
-@description('Optional. Whether or not this Managed Environment is zone-redundant.')
-param zoneRedundant bool = false
-
-@description('Optional. Password of the certificate used by the custom domain.')
-@secure()
-param certificatePassword string = ''
-
-@description('Optional. Certificate to use for the custom domain. PFX or PEM.')
-@secure()
-param certificateValue string = ''
-
-@description('Optional. DNS suffix for the environment domain.')
-param dnsSuffix string = ''
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Workload profiles configured for the Managed Environment.')
-param workloadProfiles array = []
-
-@description('Optional. Name of the infrastructure resource group.
If not provided, it will be set with a default value.')
-param infrastructureResourceGroupName string = take('ME_${name}', 63)
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' existing = if (!empty(logAnalyticsWorkspaceResourceId)) {
- name: last(split(logAnalyticsWorkspaceResourceId, '/'))!
- scope: resourceGroup(split(logAnalyticsWorkspaceResourceId, '/')[2], split(logAnalyticsWorkspaceResourceId, '/')[4])
-}
-
-resource managedEnvironment 'Microsoft.App/managedEnvironments@2023-05-01' = {
- name: name
- location: location
- tags: tags
- properties: {
- appLogsConfiguration: {
- destination: logsDestination
- logAnalyticsConfiguration: {
- customerId: logAnalyticsWorkspace.properties.customerId
- sharedKey: logAnalyticsWorkspace.listKeys().primarySharedKey
- }
- }
- daprAIConnectionString: daprAIConnectionString
- daprAIInstrumentationKey: daprAIInstrumentationKey
- customDomainConfiguration: {
- certificatePassword: certificatePassword
- certificateValue: !empty(certificateValue) ? certificateValue : null
- dnsSuffix: dnsSuffix
- }
- vnetConfiguration: {
- internal: internal
- infrastructureSubnetId: !empty(infrastructureSubnetId) ? infrastructureSubnetId : null
- dockerBridgeCidr: !empty(infrastructureSubnetId) ? dockerBridgeCidr : null
- platformReservedCidr: empty(workloadProfiles) && !empty(infrastructureSubnetId) ? platformReservedCidr : null
- platformReservedDnsIP: empty(workloadProfiles) && !empty(infrastructureSubnetId) ? platformReservedDnsIP : null
- }
- workloadProfiles: !empty(workloadProfiles) ? workloadProfiles : null
- zoneRedundant: zoneRedundant
- infrastructureResourceGroup: infrastructureResourceGroupName
- }
-}
-
-resource managedEnvironment_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(managedEnvironment.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ?
roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: managedEnvironment
-}]
-
-resource managedEnvironment_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: managedEnvironment
-}
-
-@description('The name of the resource group the Managed Environment was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = managedEnvironment.location
-
-@description('The name of the Managed Environment.')
-output name string = managedEnvironment.name
-
-@description('The resource ID of the Managed Environment.')
-output resourceId string = managedEnvironment.id
-
-@description('The Default domain of the Managed Environment.')
-output defaultDomain string = managedEnvironment.properties.defaultDomain
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign.
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/app/managed-environment/main.json b/modules/app/managed-environment/main.json
deleted file mode 100644
index d3860b25fa..0000000000
--- a/modules/app/managed-environment/main.json
+++ /dev/null
@@ -1,395 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6452494198386670014" - }, - "name": "App ManagedEnvironments", - "description": "This module deploys an App Managed Environment (also known as a Container App Environment).", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Container Apps Managed Environment." - } - }, - "logAnalyticsWorkspaceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Existing Log Analytics Workspace resource ID. Note: This value is not required as per the resource type. However, not providing it currently causes an issue that is tracked [here](https://github.com/Azure/bicep/issues/9990)." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "logsDestination": { - "type": "string", - "defaultValue": "log-analytics", - "metadata": { - "description": "Optional. Logs destination." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "metadata": { - "description": "Optional. 
Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "daprAIConnectionString": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. Application Insights connection string used by Dapr to export Service to Service communication telemetry." - } - }, - "daprAIInstrumentationKey": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. Azure Monitor instrumentation key used by Dapr to export Service to Service communication telemetry." - } - }, - "dockerBridgeCidr": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. CIDR notation IP range assigned to the Docker bridge, network. It must not overlap with any other provided IP ranges and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform." - } - }, - "infrastructureSubnetId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. Resource ID of a subnet for infrastructure components. This is used to deploy the environment into a virtual network. Must not overlap with any other provided IP ranges. Required if \"internal\" is set to true." - } - }, - "internal": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Boolean indicating the environment only has an internal load balancer. These environments do not have a public static IP resource. If set to true, then \"infrastructureSubnetId\" must be provided." - } - }, - "platformReservedCidr": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. IP range in CIDR notation that can be reserved for environment infrastructure IP addresses. It must not overlap with any other provided IP ranges and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform." 
- } - }, - "platformReservedDnsIP": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. An IP address from the IP range defined by \"platformReservedCidr\" that will be reserved for the internal DNS server. It must not be the first address in the range and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform." - } - }, - "zoneRedundant": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether or not this Managed Environment is zone-redundant." - } - }, - "certificatePassword": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. Password of the certificate used by the custom domain." - } - }, - "certificateValue": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. Certificate to use for the custom domain. PFX or PEM." - } - }, - "dnsSuffix": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. DNS suffix for the environment domain." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "workloadProfiles": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Workload profiles configured for the Managed Environment." - } - }, - "infrastructureResourceGroupName": { - "type": "string", - "defaultValue": "[take(format('ME_{0}', parameters('name')), 63)]", - "metadata": { - "description": "Optional. Name of the infrastructure resource group. If not provided, it will be set with a default value." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "logAnalyticsWorkspace": { - "condition": "[not(empty(parameters('logAnalyticsWorkspaceResourceId')))]", - "existing": true, - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2021-06-01", - "subscriptionId": "[split(parameters('logAnalyticsWorkspaceResourceId'), '/')[2]]", - "resourceGroup": "[split(parameters('logAnalyticsWorkspaceResourceId'), '/')[4]]", - "name": "[last(split(parameters('logAnalyticsWorkspaceResourceId'), '/'))]" - }, - "managedEnvironment": { - "type": "Microsoft.App/managedEnvironments", - "apiVersion": "2023-05-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "appLogsConfiguration": { - 
"destination": "[parameters('logsDestination')]", - "logAnalyticsConfiguration": { - "customerId": "[reference('logAnalyticsWorkspace').customerId]", - "sharedKey": "[listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('logAnalyticsWorkspaceResourceId'), '/')[2], split(parameters('logAnalyticsWorkspaceResourceId'), '/')[4]), 'Microsoft.OperationalInsights/workspaces', last(split(parameters('logAnalyticsWorkspaceResourceId'), '/'))), '2021-06-01').primarySharedKey]" - } - }, - "daprAIConnectionString": "[parameters('daprAIConnectionString')]", - "daprAIInstrumentationKey": "[parameters('daprAIInstrumentationKey')]", - "customDomainConfiguration": { - "certificatePassword": "[parameters('certificatePassword')]", - "certificateValue": "[if(not(empty(parameters('certificateValue'))), parameters('certificateValue'), null())]", - "dnsSuffix": "[parameters('dnsSuffix')]" - }, - "vnetConfiguration": { - "internal": "[parameters('internal')]", - "infrastructureSubnetId": "[if(not(empty(parameters('infrastructureSubnetId'))), parameters('infrastructureSubnetId'), null())]", - "dockerBridgeCidr": "[if(not(empty(parameters('infrastructureSubnetId'))), parameters('dockerBridgeCidr'), null())]", - "platformReservedCidr": "[if(and(empty(parameters('workloadProfiles')), not(empty(parameters('infrastructureSubnetId')))), parameters('platformReservedCidr'), null())]", - "platformReservedDnsIP": "[if(and(empty(parameters('workloadProfiles')), not(empty(parameters('infrastructureSubnetId')))), parameters('platformReservedDnsIP'), null())]" - }, - "workloadProfiles": "[if(not(empty(parameters('workloadProfiles'))), parameters('workloadProfiles'), null())]", - "zoneRedundant": "[parameters('zoneRedundant')]", - "infrastructureResourceGroup": "[parameters('infrastructureResourceGroupName')]" - }, - "dependsOn": [ - "logAnalyticsWorkspace" - ] - }, - "managedEnvironment_roleAssignments": { - "copy": { - "name": 
"managedEnvironment_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.App/managedEnvironments/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.App/managedEnvironments', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - 
"delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "managedEnvironment" - ] - }, - "managedEnvironment_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.App/managedEnvironments/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "managedEnvironment" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the Managed Environment was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('managedEnvironment', '2023-05-01', 'full').location]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the Managed Environment." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Managed Environment." - }, - "value": "[resourceId('Microsoft.App/managedEnvironments', parameters('name'))]" - }, - "defaultDomain": { - "type": "string", - "metadata": { - "description": "The Default domain of the Managed Environment." - }, - "value": "[reference('managedEnvironment').defaultDomain]" - } - } -} \ No newline at end of file 
diff --git a/modules/app/managed-environment/tests/e2e/defaults/dependencies.bicep b/modules/app/managed-environment/tests/e2e/defaults/dependencies.bicep
deleted file mode 100644
index 737827c1fd..0000000000
--- a/modules/app/managed-environment/tests/e2e/defaults/dependencies.bicep
+++ /dev/null
@@ -1,22 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Log Analytics Workspace to create.')
-param logAnalyticsWorkspaceName string
-
-resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
- name: logAnalyticsWorkspaceName
- location: location
- properties: any({
- retentionInDays: 30
- features: {
- searchVersion: 1
- }
- sku: {
- name: 'PerGB2018'
- }
- })
-}
-
-@description('The resource ID of the created Log Analytics Workspace.')
-output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.id
diff --git a/modules/app/managed-environment/tests/e2e/defaults/main.test.bicep b/modules/app/managed-environment/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index 40a1ae5178..0000000000
--- a/modules/app/managed-environment/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,57 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-app.managedenvironments-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'amemin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// =========== //
-// Deployments //
-// =========== //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-paramNested'
- params: {
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- logAnalyticsWorkspaceResourceId: nestedDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
-}]
diff --git a/modules/app/managed-environment/tests/e2e/max/dependencies.bicep b/modules/app/managed-environment/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 8d908b1603..0000000000
--- a/modules/app/managed-environment/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,59 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Log Analytics Workspace to create.')
-param logAnalyticsWorkspaceName string
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
- name: logAnalyticsWorkspaceName
- location: location
- properties: any({
- retentionInDays: 30
- features: {
- searchVersion: 1
- }
- sku: {
- name: 'PerGB2018'
- }
- })
-}
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- delegations: [
- {
- name: 'Microsoft.App.environments'
- properties: {
- serviceName: 'Microsoft.App/environments'
- }
- }
- ]
- }
- }
- ]
- }
-
-}
-
-@description('The resource ID of the created Log Analytics Workspace.')
-output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.id
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
diff --git a/modules/app/managed-environment/tests/e2e/max/main.test.bicep b/modules/app/managed-environment/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 1646791a1b..0000000000
--- a/modules/app/managed-environment/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,87 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-app.managedenvironments-${serviceShort}-rg'
-
-@description('Optional. The name of the infrastructre resource group to deploy for testing purposes.')
-param infrastructureResourceGroupName string = 'me-dep-${namePrefix}-app.managedenvironments-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'amemax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-@description('Optional. WorkloadProfile')
-param workloadProfiles array = [
- {
- workloadProfileType: 'D4'
- name: 'CAW01'
- minimumCount: 0
- maximumCount: 3
- }
-]
-
-// =========== //
-// Deployments //
-// =========== //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-paramNested'
- params: {
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- logAnalyticsWorkspaceResourceId: nestedDependencies.outputs.logAnalyticsWorkspaceResourceId
- location: location
- workloadProfiles: workloadProfiles
- internal: true
- dockerBridgeCidr: '172.16.0.1/28'
- platformReservedCidr: '172.17.17.0/24'
- platformReservedDnsIP: '172.17.17.17'
- infrastructureSubnetId: nestedDependencies.outputs.subnetResourceId
- infrastructureResourceGroupName: infrastructureResourceGroupName
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Env: 'test'
- }
- }
-}]
diff --git a/modules/app/managed-environment/tests/e2e/waf-aligned/dependencies.bicep b/modules/app/managed-environment/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 8d908b1603..0000000000
--- a/modules/app/managed-environment/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,59 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Log Analytics Workspace to create.')
-param logAnalyticsWorkspaceName string
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
- name: logAnalyticsWorkspaceName
- location: location
- properties: any({
- retentionInDays: 30
- features: {
- searchVersion: 1
- }
- sku: {
- name: 'PerGB2018'
- }
- })
-}
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- delegations: [
- {
- name: 'Microsoft.App.environments'
- properties: {
- serviceName: 'Microsoft.App/environments'
- }
- }
- ]
- }
- }
- ]
- }
-
-}
-
-@description('The resource ID of the created Log Analytics Workspace.')
-output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.id
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
diff --git a/modules/app/managed-environment/tests/e2e/waf-aligned/main.test.bicep b/modules/app/managed-environment/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 11807a0ea4..0000000000
--- a/modules/app/managed-environment/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,86 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-app.managedenvironments-${serviceShort}-rg'
-
-@description('Optional. The name of the infrastructre resource group to deploy for testing purposes.')
-param infrastructureResourceGroupName string = 'me-dep-${namePrefix}-app.managedenvironments-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'amewaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-@description('Optional. WorkloadProfile')
-param workloadProfiles array = [
- {
- workloadProfileType: 'D4'
- name: 'CAW01'
- minimumCount: 0
- maximumCount: 3
- }
-]
-// =========== //
-// Deployments //
-// =========== //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-paramNested'
- params: {
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- logAnalyticsWorkspaceResourceId: nestedDependencies.outputs.logAnalyticsWorkspaceResourceId
- location: location
- workloadProfiles: workloadProfiles
- internal: true
- dockerBridgeCidr: '172.16.0.1/28'
- platformReservedCidr: '172.17.17.0/24'
- platformReservedDnsIP: '172.17.17.17'
- infrastructureSubnetId: nestedDependencies.outputs.subnetResourceId
- infrastructureResourceGroupName: infrastructureResourceGroupName
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Env: 'test'
- }
- }
-}]
diff --git a/modules/app/managed-environment/version.json b/modules/app/managed-environment/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/app/managed-environment/version.json
+++ /dev/null
@@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/authorization/lock/README.md b/modules/authorization/lock/README.md index 20a037b24f..d35fa91a1a 100644 --- a/modules/authorization/lock/README.md +++ b/modules/authorization/lock/README.md @@ -1,226 +1,7 @@ -# Authorization Locks (All scopes) `[Microsoft.Authorization/locks]` +

⚠️ Retired ⚠️

-This module deploys an Authorization Lock at a Subscription or Resource Group scope. +This module has been retired without a replacement in Azure Verified Modules ([AVM](https://aka.ms/AVM)). -## Navigation +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/authorization/lock). -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/authorization.lock:1.0.0`. - -- [Using large parameter set](#example-1-using-large-parameter-set) -- [WAF-aligned](#example-2-waf-aligned) - -### Example 1: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -
- -via Bicep module - -```bicep -module lock 'br:bicep/modules/authorization.lock:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-almax' - params: { - // Required parameters - level: 'CanNotDelete' - // Non-required parameters - enableDefaultTelemetry: '' - resourceGroupName: '' - subscriptionId: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "level": { - "value": "CanNotDelete" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "resourceGroupName": { - "value": "" - }, - "subscriptionId": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module lock 'br:bicep/modules/authorization.lock:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-alwaf' - params: { - // Required parameters - level: 'CanNotDelete' - // Non-required parameters - enableDefaultTelemetry: '' - resourceGroupName: '' - subscriptionId: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "level": { - "value": "CanNotDelete" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "resourceGroupName": { - "value": "" - }, - "subscriptionId": { - "value": "" - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`level`](#parameter-level) | string | Set lock level. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`notes`](#parameter-notes) | string | The decription attached to the lock. | -| [`resourceGroupName`](#parameter-resourcegroupname) | string | Name of the Resource Group to assign the lock to. If Resource Group name is provided, and Subscription ID is provided, the module deploys at resource group level, therefore assigns the provided lock to the resource group. | -| [`subscriptionId`](#parameter-subscriptionid) | string | Subscription ID of the subscription to assign the lock to. If not provided, will use the current scope for deployment. If no resource group name is provided, the module deploys at subscription level, therefore assigns the provided locks to the subscription. | - -### Parameter: `level` - -Set lock level. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'ReadOnly' - ] - ``` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[deployment().location]` - -### Parameter: `notes` - -The decription attached to the lock. - -- Required: No -- Type: string -- Default: `[if(equals(parameters('level'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]` - -### Parameter: `resourceGroupName` - -Name of the Resource Group to assign the lock to. 
If Resource Group name is provided, and Subscription ID is provided, the module deploys at resource group level, therefore assigns the provided lock to the resource group. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `subscriptionId` - -Subscription ID of the subscription to assign the lock to. If not provided, will use the current scope for deployment. If no resource group name is provided, the module deploys at subscription level, therefore assigns the provided locks to the subscription. - -- Required: No -- Type: string -- Default: `[subscription().id]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the lock. | -| `resourceId` | string | The resource ID of the lock. | -| `scope` | string | The scope this lock applies to. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/authorization/lock/main.bicep b/modules/authorization/lock/main.bicep deleted file mode 100644 index 47261c8205..0000000000 --- a/modules/authorization/lock/main.bicep +++ /dev/null 
@@ -1,75 +0,0 @@
-metadata name = 'Authorization Locks (All scopes)'
-metadata description = 'This module deploys an Authorization Lock at a Subscription or Resource Group scope.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'subscription'
-
-@allowed([
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Required. Set lock level.')
-param level string
-
-@description('Optional. The decription attached to the lock.')
-param notes string = level == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. Name of the Resource Group to assign the lock to. If Resource Group name is provided, and Subscription ID is provided, the module deploys at resource group level, therefore assigns the provided lock to the resource group.')
-param resourceGroupName string = ''
-
-@description('Optional. Subscription ID of the subscription to assign the lock to. If not provided, will use the current scope for deployment. If no resource group name is provided, the module deploys at subscription level, therefore assigns the provided locks to the subscription.')
-param subscriptionId string = subscription().id
-
-@description('Optional. Location for all resources.')
-param location string = deployment().location
-
-var enableReferencedModulesTelemetry = false
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- location: location
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-module lock_sub 'subscription/main.bicep' = if (!empty(subscriptionId) && empty(resourceGroupName)) {
- name: '${uniqueString(deployment().name, location)}-Lock-Sub-Module'
- scope: subscription(subscriptionId)
- params: {
- name: '${subscription().displayName}-${level}-lock'
- level: level
- notes: notes
- // owners: owners // Not intended to be applied by users (ref https://github.com/Azure/azure-cli/issues/22528)
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module lock_rg 'resource-group/main.bicep' = if (!empty(subscriptionId) && !empty(resourceGroupName)) {
- name: '${uniqueString(deployment().name, location)}-Lock-RG-Module'
- scope: resourceGroup(subscriptionId, resourceGroupName)
- params: {
- name: '${resourceGroupName}-${level}-lock'
- level: level
- notes: notes
- // owners: owners // Not intended to be applied by users (ref https://github.com/Azure/azure-cli/issues/22528)
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-@description('The name of the lock.')
-output name string = empty(resourceGroupName) ? lock_sub.outputs.name : lock_rg.outputs.name
-
-@description('The resource ID of the lock.')
-output resourceId string = empty(resourceGroupName) ? lock_sub.outputs.resourceId : lock_rg.outputs.resourceId
-
-@sys.description('The scope this lock applies to.')
-output scope string = empty(resourceGroupName) ? lock_sub.outputs.scope : lock_rg.outputs.scope
diff --git a/modules/authorization/lock/main.json b/modules/authorization/lock/main.json
deleted file mode 100644
index 5aaf036ee8..0000000000
--- a/modules/authorization/lock/main.json
+++ /dev/null
@@ -1,364 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16738109321180473178" - }, - "name": "Authorization Locks (All scopes)", - "description": "This module deploys an Authorization Lock at a Subscription or Resource Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "level": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "ReadOnly" - ], - "metadata": { - "description": "Required. Set lock level." - } - }, - "notes": { - "type": "string", - "defaultValue": "[if(equals(parameters('level'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]", - "metadata": { - "description": "Optional. The decription attached to the lock." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "resourceGroupName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the Resource Group to assign the lock to. If Resource Group name is provided, and Subscription ID is provided, the module deploys at resource group level, therefore assigns the provided lock to the resource group." - } - }, - "subscriptionId": { - "type": "string", - "defaultValue": "[subscription().id]", - "metadata": { - "description": "Optional. Subscription ID of the subscription to assign the lock to. If not provided, will use the current scope for deployment. If no resource group name is provided, the module deploys at subscription level, therefore assigns the provided locks to the subscription." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. 
Location for all resources." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "condition": "[and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Lock-Sub-Module', uniqueString(deployment().name, parameters('location')))]", - "subscriptionId": "[parameters('subscriptionId')]", - "location": "[deployment().location]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[format('{0}-{1}-lock', subscription().displayName, parameters('level'))]" - }, - "level": { - "value": "[parameters('level')]" - }, - "notes": { - "value": "[parameters('notes')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15541007349238410358" - }, - "name": "Authorization Locks (Subscription scope)", - "description": "This module deploys an Authorization Lock at a Subscription scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "defaultValue": 
"[format('{0}-lock', parameters('level'))]", - "metadata": { - "description": "Optional. The name of the lock." - } - }, - "level": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "ReadOnly" - ], - "metadata": { - "description": "Required. Set lock level." - } - }, - "notes": { - "type": "string", - "defaultValue": "[if(equals(parameters('level'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]", - "metadata": { - "description": "Optional. The decription attached to the lock." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "name": "[parameters('name')]", - "properties": { - "level": "[parameters('level')]", - "notes": "[parameters('notes')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the lock." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the lock." - }, - "value": "[subscriptionResourceId('Microsoft.Authorization/locks', parameters('name'))]" - }, - "subscriptionName": { - "type": "string", - "metadata": { - "description": "The subscription name the lock was deployed into." 
- }, - "value": "[subscription().displayName]" - }, - "scope": { - "type": "string", - "metadata": { - "description": "The scope this lock applies to." - }, - "value": "[subscription().id]" - } - } - } - } - }, - { - "condition": "[and(not(empty(parameters('subscriptionId'))), not(empty(parameters('resourceGroupName'))))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Lock-RG-Module', uniqueString(deployment().name, parameters('location')))]", - "subscriptionId": "[parameters('subscriptionId')]", - "resourceGroup": "[parameters('resourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[format('{0}-{1}-lock', parameters('resourceGroupName'), parameters('level'))]" - }, - "level": { - "value": "[parameters('level')]" - }, - "notes": { - "value": "[parameters('notes')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11141983424917801407" - }, - "name": "Authorization Locks (Resource Group scope)", - "description": "This module deploys an Authorization Lock at a Resource Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "defaultValue": "[format('{0}-lock', parameters('level'))]", - "metadata": { - "description": "Optional. The name of the lock." - } - }, - "level": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "ReadOnly" - ], - "metadata": { - "description": "Required. Set lock level." 
- } - }, - "notes": { - "type": "string", - "defaultValue": "[if(equals(parameters('level'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]", - "metadata": { - "description": "Optional. The decription attached to the lock." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "name": "[parameters('name')]", - "properties": { - "level": "[parameters('level')]", - "notes": "[parameters('notes')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the lock." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the lock." - }, - "value": "[resourceId('Microsoft.Authorization/locks', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group name the lock was applied to." - }, - "value": "[resourceGroup().name]" - }, - "scope": { - "type": "string", - "metadata": { - "description": "The scope this lock applies to." - }, - "value": "[resourceGroup().id]" - } - } - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the lock." 
- }, - "value": "[if(empty(parameters('resourceGroupName')), reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-Lock-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('subscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-Lock-RG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value)]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the lock." - }, - "value": "[if(empty(parameters('resourceGroupName')), reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-Lock-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('subscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-Lock-RG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value)]" - }, - "scope": { - "type": "string", - "metadata": { - "description": "The scope this lock applies to." 
- }, - "value": "[if(empty(parameters('resourceGroupName')), reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-Lock-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.scope.value, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('subscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-Lock-RG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.scope.value)]" - } - } -} \ No newline at end of file diff --git a/modules/authorization/lock/resource-group/README.md b/modules/authorization/lock/resource-group/README.md deleted file mode 100644 index a74295ef1a..0000000000 --- a/modules/authorization/lock/resource-group/README.md +++ /dev/null 
@@ -1,84 +0,0 @@ -# Authorization Locks (Resource Group scope) `[Microsoft.Authorization/locks]` - -This module deploys an Authorization Lock at a Resource Group scope. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`level`](#parameter-level) | string | Set lock level. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`name`](#parameter-name) | string | The name of the lock. | -| [`notes`](#parameter-notes) | string | The decription attached to the lock. | - -### Parameter: `level` - -Set lock level. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'ReadOnly' - ] - ``` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `name` - -The name of the lock. - -- Required: No -- Type: string -- Default: `[format('{0}-lock', parameters('level'))]` - -### Parameter: `notes` - -The decription attached to the lock. - -- Required: No -- Type: string -- Default: `[if(equals(parameters('level'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the lock. | -| `resourceGroupName` | string | The name of the resource group name the lock was applied to. 
| -| `resourceId` | string | The resource ID of the lock. | -| `scope` | string | The scope this lock applies to. | - -## Cross-referenced modules - -_None_ diff --git a/modules/authorization/lock/resource-group/main.bicep b/modules/authorization/lock/resource-group/main.bicep deleted file mode 100644 index 72013c33e2..0000000000 --- a/modules/authorization/lock/resource-group/main.bicep +++ /dev/null 
@@ -1,54 +0,0 @@
-metadata name = 'Authorization Locks (Resource Group scope)'
-metadata description = 'This module deploys an Authorization Lock at a Resource Group scope.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'resourceGroup'
-
-@description('Optional. The name of the lock.')
-param name string = '${level}-lock'
-
-@allowed([
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Required. Set lock level.')
-param level string
-
-@description('Optional. The decription attached to the lock.')
-param notes string = level == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource lock 'Microsoft.Authorization/locks@2020-05-01' = {
- name: name
- properties: {
- level: level
- notes: notes
- // owners: owners // Not intended to be applied by users (ref https://github.com/Azure/azure-cli/issues/22528)
- }
-}
-
-@description('The name of the lock.')
-output name string = lock.name
-
-@description('The resource ID of the lock.')
-output resourceId string = lock.id
-
-@description('The name of the resource group name the lock was applied to.')
-output resourceGroupName string = resourceGroup().name
-
-@sys.description('The scope this lock applies to.')
-output scope string = resourceGroup().id
diff --git a/modules/authorization/lock/resource-group/main.json b/modules/authorization/lock/resource-group/main.json
deleted file mode 100644
index c49325ae7e..0000000000
--- a/modules/authorization/lock/resource-group/main.json
+++ /dev/null
@@ -1,102 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11141983424917801407" - }, - "name": "Authorization Locks (Resource Group scope)", - "description": "This module deploys an Authorization Lock at a Resource Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "defaultValue": "[format('{0}-lock', parameters('level'))]", - "metadata": { - "description": "Optional. The name of the lock." - } - }, - "level": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "ReadOnly" - ], - "metadata": { - "description": "Required. Set lock level." - } - }, - "notes": { - "type": "string", - "defaultValue": "[if(equals(parameters('level'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]", - "metadata": { - "description": "Optional. The decription attached to the lock." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "name": "[parameters('name')]", - "properties": { - "level": "[parameters('level')]", - "notes": "[parameters('notes')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the lock." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the lock." - }, - "value": "[resourceId('Microsoft.Authorization/locks', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group name the lock was applied to." - }, - "value": "[resourceGroup().name]" - }, - "scope": { - "type": "string", - "metadata": { - "description": "The scope this lock applies to." - }, - "value": "[resourceGroup().id]" - } - } -} \ No newline at end of file diff --git a/modules/authorization/lock/resource-group/version.json b/modules/authorization/lock/resource-group/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/authorization/lock/resource-group/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/authorization/lock/subscription/README.md b/modules/authorization/lock/subscription/README.md deleted file mode 100644 index 2458071e3c..0000000000 
--- a/modules/authorization/lock/subscription/README.md
+++ /dev/null
@@ -1,84 +0,0 @@ -# Authorization Locks (Subscription scope) `[Microsoft.Authorization/locks]` - -This module deploys an Authorization Lock at a Subscription scope. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`level`](#parameter-level) | string | Set lock level. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`name`](#parameter-name) | string | The name of the lock. | -| [`notes`](#parameter-notes) | string | The decription attached to the lock. | - -### Parameter: `level` - -Set lock level. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'ReadOnly' - ] - ``` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `name` - -The name of the lock. - -- Required: No -- Type: string -- Default: `[format('{0}-lock', parameters('level'))]` - -### Parameter: `notes` - -The decription attached to the lock. - -- Required: No -- Type: string -- Default: `[if(equals(parameters('level'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the lock. | -| `resourceId` | string | The resource ID of the lock. 
| -| `scope` | string | The scope this lock applies to. | -| `subscriptionName` | string | The subscription name the lock was deployed into. | - -## Cross-referenced modules - -_None_ diff --git a/modules/authorization/lock/subscription/main.bicep b/modules/authorization/lock/subscription/main.bicep deleted file mode 100644 index 8736ff5997..0000000000 --- a/modules/authorization/lock/subscription/main.bicep +++ /dev/null 
@@ -1,54 +0,0 @@
-metadata name = 'Authorization Locks (Subscription scope)'
-metadata description = 'This module deploys an Authorization Lock at a Subscription scope.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'subscription'
-
-@description('Optional. The name of the lock.')
-param name string = '${level}-lock'
-
-@allowed([
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Required. Set lock level.')
-param level string
-
-@description('Optional. The decription attached to the lock.')
-param notes string = level == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource lock 'Microsoft.Authorization/locks@2020-05-01' = {
- name: name
- properties: {
- level: level
- notes: notes
- // owners: owners // Not intended to be applied by users (ref https://github.com/Azure/azure-cli/issues/22528)
- }
-}
-
-@description('The name of the lock.')
-output name string = lock.name
-
-@description('The resource ID of the lock.')
-output resourceId string = lock.id
-
-@description('The subscription name the lock was deployed into.')
-output subscriptionName string = subscription().displayName
-
-@sys.description('The scope this lock applies to.')
-output scope string = subscription().id
diff --git a/modules/authorization/lock/subscription/main.json b/modules/authorization/lock/subscription/main.json
deleted file mode 100644
index 178b86e853..0000000000
--- a/modules/authorization/lock/subscription/main.json
+++ /dev/null
@@ -1,102 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15541007349238410358" - }, - "name": "Authorization Locks (Subscription scope)", - "description": "This module deploys an Authorization Lock at a Subscription scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "defaultValue": "[format('{0}-lock', parameters('level'))]", - "metadata": { - "description": "Optional. The name of the lock." - } - }, - "level": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "ReadOnly" - ], - "metadata": { - "description": "Required. Set lock level." - } - }, - "notes": { - "type": "string", - "defaultValue": "[if(equals(parameters('level'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]", - "metadata": { - "description": "Optional. The decription attached to the lock." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "name": "[parameters('name')]", - "properties": { - "level": "[parameters('level')]", - "notes": "[parameters('notes')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the lock." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the lock." - }, - "value": "[subscriptionResourceId('Microsoft.Authorization/locks', parameters('name'))]" - }, - "subscriptionName": { - "type": "string", - "metadata": { - "description": "The subscription name the lock was deployed into." - }, - "value": "[subscription().displayName]" - }, - "scope": { - "type": "string", - "metadata": { - "description": "The scope this lock applies to." - }, - "value": "[subscription().id]" - } - } -} \ No newline at end of file diff --git a/modules/authorization/lock/subscription/version.json b/modules/authorization/lock/subscription/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/authorization/lock/subscription/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/authorization/lock/tests/e2e/max/main.test.bicep b/modules/authorization/lock/tests/e2e/max/main.test.bicep deleted file mode 100644 index b0a46425c0..0000000000 
--- a/modules/authorization/lock/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-authorization.locks-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'almax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- level: 'CanNotDelete'
- resourceGroupName: resourceGroup.name
- subscriptionId: subscription().subscriptionId
- }
-}
diff --git a/modules/authorization/lock/tests/e2e/waf-aligned/main.test.bicep b/modules/authorization/lock/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 0ed75a7621..0000000000
--- a/modules/authorization/lock/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-authorization.locks-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'alwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- level: 'CanNotDelete'
- resourceGroupName: resourceGroup.name
- subscriptionId: subscription().subscriptionId
- }
-}
diff --git a/modules/authorization/lock/version.json b/modules/authorization/lock/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/authorization/lock/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/authorization/policy-assignment/README.md b/modules/authorization/policy-assignment/README.md
index fcbd860880..276421f4fe 100644
--- a/modules/authorization/policy-assignment/README.md
+++ b/modules/authorization/policy-assignment/README.md
@@ -1,1163 +1,7 @@
-# Policy Assignments (All scopes) `[Microsoft.Authorization/policyAssignments]`
+

⚠️ Moved to AVM ⚠️

-This module deploys a Policy Assignment at a Management Group, Subscription or Resource Group scope. +**This module has been evolved into the following AVM module: [avm/ptn/authorization/policy-assignment](https://github.com/Azure/bicep-registry-modules/tree/main/avm/ptn/authorization/policy-assignment).** -## Navigation +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/authorization/policy-assignment). -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/policyAssignments` | [2022-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-06-01/policyAssignments) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/authorization.policy-assignment:1.0.0`. - -- [Mg.Common](#example-1-mgcommon) -- [Mg.Min](#example-2-mgmin) -- [Rg.Common](#example-3-rgcommon) -- [Rg.Min](#example-4-rgmin) -- [Sub.Common](#example-5-subcommon) -- [Sub.Min](#example-6-submin) - -### Example 1: _Mg.Common_ - -
- -via Bicep module - -```bicep -module policyAssignment 'br:bicep/modules/authorization.policy-assignment:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-apamgcom' - params: { - // Required parameters - name: 'apamgcom001' - policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/39a366e6-fdde-4f41-bbf8-3757f46d1611' - // Non-required parameters - description: '[Description] Policy Assignment at the management group scope' - displayName: '[Display Name] Policy Assignment at the management group scope' - enableDefaultTelemetry: '' - enforcementMode: 'DoNotEnforce' - identity: 'SystemAssigned' - location: '' - managementGroupId: '' - metadata: { - assignedBy: 'Bicep' - category: 'Security' - version: '1.0' - } - nonComplianceMessages: [ - { - message: 'Violated Policy Assignment - This is a Non Compliance Message' - } - ] - notScopes: [ - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg' - ] - overrides: [ - { - kind: 'policyEffect' - selectors: [ - { - in: [ - 'ASC_DeployAzureDefenderForSqlAdvancedThreatProtectionWindowsAgent' - 'ASC_DeployAzureDefenderForSqlVulnerabilityAssessmentWindowsAgent' - ] - kind: 'policyDefinitionReferenceId' - } - ] - value: 'Disabled' - } - ] - parameters: { - effect: { - value: 'Disabled' - } - enableCollectionOfSqlQueriesForSecurityResearch: { - value: false - } - } - resourceSelectors: [ - { - name: 'resourceSelector-test' - selectors: [ - { - in: [ - 'Microsoft.Compute/virtualMachines' - ] - kind: 'resourceType' - } - { - in: [ - 'westeurope' - ] - kind: 'resourceLocation' - } - ] - } - ] - roleDefinitionIds: [ - '/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "apamgcom001" - }, - "policyDefinitionId": { - "value": "/providers/Microsoft.Authorization/policySetDefinitions/39a366e6-fdde-4f41-bbf8-3757f46d1611" - }, - // Non-required parameters - "description": { - "value": "[Description] Policy Assignment at the management group scope" - }, - "displayName": { - "value": "[Display Name] Policy Assignment at the management group scope" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "enforcementMode": { - "value": "DoNotEnforce" - }, - "identity": { - "value": "SystemAssigned" - }, - "location": { - "value": "" - }, - "managementGroupId": { - "value": "" - }, - "metadata": { - "value": { - "assignedBy": "Bicep", - "category": "Security", - "version": "1.0" - } - }, - "nonComplianceMessages": { - "value": [ - { - "message": "Violated Policy Assignment - This is a Non Compliance Message" - } - ] - }, - "notScopes": { - "value": [ - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg" - ] - }, - "overrides": { - "value": [ - { - "kind": "policyEffect", - "selectors": [ - { - "in": [ - "ASC_DeployAzureDefenderForSqlAdvancedThreatProtectionWindowsAgent", - "ASC_DeployAzureDefenderForSqlVulnerabilityAssessmentWindowsAgent" - ], - "kind": "policyDefinitionReferenceId" - } - ], - "value": "Disabled" - } - ] - }, - "parameters": { - "value": { - "effect": { - "value": "Disabled" - }, - "enableCollectionOfSqlQueriesForSecurityResearch": { - "value": false - } - } - }, - "resourceSelectors": { - "value": [ - { - "name": "resourceSelector-test", - "selectors": [ - { - "in": [ - "Microsoft.Compute/virtualMachines" - ], - "kind": "resourceType" - }, - { - "in": [ - "westeurope" - ], - "kind": "resourceLocation" - } - ] - } - ] - }, - "roleDefinitionIds": { - "value": [ - 
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" - ] - } - } -} -``` - -
-

- -### Example 2: _Mg.Min_ - -

- -via Bicep module - -```bicep -module policyAssignment 'br:bicep/modules/authorization.policy-assignment:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-apamgmin' - params: { - // Required parameters - name: 'apamgmin001' - policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d' - // Non-required parameters - enableDefaultTelemetry: '' - metadata: { - assignedBy: 'Bicep' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "apamgmin001" - }, - "policyDefinitionId": { - "value": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "metadata": { - "value": { - "assignedBy": "Bicep" - } - } - } -} -``` - -
-

- -### Example 3: _Rg.Common_ - -

- -via Bicep module - -```bicep -module policyAssignment 'br:bicep/modules/authorization.policy-assignment:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-apargcom' - params: { - // Required parameters - name: 'apargcom001' - policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/39a366e6-fdde-4f41-bbf8-3757f46d1611' - // Non-required parameters - description: '[Description] Policy Assignment at the resource group scope' - displayName: '[Display Name] Policy Assignment at the resource group scope' - enableDefaultTelemetry: '' - enforcementMode: 'DoNotEnforce' - identity: 'UserAssigned' - location: '' - metadata: { - assignedBy: 'Bicep' - category: 'Security' - version: '1.0' - } - nonComplianceMessages: [ - { - message: 'Violated Policy Assignment - This is a Non Compliance Message' - } - ] - notScopes: [ - '' - ] - overrides: [ - { - kind: 'policyEffect' - selectors: [ - { - in: [ - 'ASC_DeployAzureDefenderForSqlAdvancedThreatProtectionWindowsAgent' - 'ASC_DeployAzureDefenderForSqlVulnerabilityAssessmentWindowsAgent' - ] - kind: 'policyDefinitionReferenceId' - } - ] - value: 'Disabled' - } - ] - parameters: { - effect: { - value: 'Disabled' - } - enableCollectionOfSqlQueriesForSecurityResearch: { - value: false - } - } - resourceGroupName: '' - resourceSelectors: [ - { - name: 'resourceSelector-test' - selectors: [ - { - in: [ - 'Microsoft.Compute/virtualMachines' - ] - kind: 'resourceType' - } - { - in: [ - 'westeurope' - ] - kind: 'resourceLocation' - } - ] - } - ] - roleDefinitionIds: [ - '/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' - ] - subscriptionId: '' - userAssignedIdentityId: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "apargcom001" - }, - "policyDefinitionId": { - "value": "/providers/Microsoft.Authorization/policySetDefinitions/39a366e6-fdde-4f41-bbf8-3757f46d1611" - }, - // Non-required parameters - "description": { - "value": "[Description] Policy Assignment at the resource group scope" - }, - "displayName": { - "value": "[Display Name] Policy Assignment at the resource group scope" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "enforcementMode": { - "value": "DoNotEnforce" - }, - "identity": { - "value": "UserAssigned" - }, - "location": { - "value": "" - }, - "metadata": { - "value": { - "assignedBy": "Bicep", - "category": "Security", - "version": "1.0" - } - }, - "nonComplianceMessages": { - "value": [ - { - "message": "Violated Policy Assignment - This is a Non Compliance Message" - } - ] - }, - "notScopes": { - "value": [ - "" - ] - }, - "overrides": { - "value": [ - { - "kind": "policyEffect", - "selectors": [ - { - "in": [ - "ASC_DeployAzureDefenderForSqlAdvancedThreatProtectionWindowsAgent", - "ASC_DeployAzureDefenderForSqlVulnerabilityAssessmentWindowsAgent" - ], - "kind": "policyDefinitionReferenceId" - } - ], - "value": "Disabled" - } - ] - }, - "parameters": { - "value": { - "effect": { - "value": "Disabled" - }, - "enableCollectionOfSqlQueriesForSecurityResearch": { - "value": false - } - } - }, - "resourceGroupName": { - "value": "" - }, - "resourceSelectors": { - "value": [ - { - "name": "resourceSelector-test", - "selectors": [ - { - "in": [ - "Microsoft.Compute/virtualMachines" - ], - "kind": "resourceType" - }, - { - "in": [ - "westeurope" - ], - "kind": "resourceLocation" - } - ] - } - ] - }, - "roleDefinitionIds": { - "value": [ - 
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" - ] - }, - "subscriptionId": { - "value": "" - }, - "userAssignedIdentityId": { - "value": "" - } - } -} -``` - -
-

- -### Example 4: _Rg.Min_ - -

- -via Bicep module - -```bicep -module policyAssignment 'br:bicep/modules/authorization.policy-assignment:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-apargmin' - params: { - // Required parameters - name: 'apargmin001' - policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d' - // Non-required parameters - enableDefaultTelemetry: '' - metadata: { - assignedBy: 'Bicep' - } - subscriptionId: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "apargmin001" - }, - "policyDefinitionId": { - "value": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "metadata": { - "value": { - "assignedBy": "Bicep" - } - }, - "subscriptionId": { - "value": "" - } - } -} -``` - -
-

- -### Example 5: _Sub.Common_ - -

- -via Bicep module - -```bicep -module policyAssignment 'br:bicep/modules/authorization.policy-assignment:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-apasubcom' - params: { - // Required parameters - name: 'apasubcom001' - policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/39a366e6-fdde-4f41-bbf8-3757f46d1611' - // Non-required parameters - description: '[Description] Policy Assignment at the subscription scope' - displayName: '[Display Name] Policy Assignment at the subscription scope' - enableDefaultTelemetry: '' - enforcementMode: 'DoNotEnforce' - identity: 'UserAssigned' - location: '' - metadata: { - assignedBy: 'Bicep' - category: 'Security' - version: '1.0' - } - nonComplianceMessages: [ - { - message: 'Violated Policy Assignment - This is a Non Compliance Message' - } - ] - notScopes: [ - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg' - ] - overrides: [ - { - kind: 'policyEffect' - selectors: [ - { - in: [ - 'ASC_DeployAzureDefenderForSqlAdvancedThreatProtectionWindowsAgent' - 'ASC_DeployAzureDefenderForSqlVulnerabilityAssessmentWindowsAgent' - ] - kind: 'policyDefinitionReferenceId' - } - ] - value: 'Disabled' - } - ] - parameters: { - effect: { - value: 'Disabled' - } - enableCollectionOfSqlQueriesForSecurityResearch: { - value: false - } - } - resourceSelectors: [ - { - name: 'resourceSelector-test' - selectors: [ - { - in: [ - 'Microsoft.Compute/virtualMachines' - ] - kind: 'resourceType' - } - { - in: [ - 'westeurope' - ] - kind: 'resourceLocation' - } - ] - } - ] - roleDefinitionIds: [ - '/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' - ] - subscriptionId: '' - userAssignedIdentityId: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "apasubcom001" - }, - "policyDefinitionId": { - "value": "/providers/Microsoft.Authorization/policySetDefinitions/39a366e6-fdde-4f41-bbf8-3757f46d1611" - }, - // Non-required parameters - "description": { - "value": "[Description] Policy Assignment at the subscription scope" - }, - "displayName": { - "value": "[Display Name] Policy Assignment at the subscription scope" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "enforcementMode": { - "value": "DoNotEnforce" - }, - "identity": { - "value": "UserAssigned" - }, - "location": { - "value": "" - }, - "metadata": { - "value": { - "assignedBy": "Bicep", - "category": "Security", - "version": "1.0" - } - }, - "nonComplianceMessages": { - "value": [ - { - "message": "Violated Policy Assignment - This is a Non Compliance Message" - } - ] - }, - "notScopes": { - "value": [ - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg" - ] - }, - "overrides": { - "value": [ - { - "kind": "policyEffect", - "selectors": [ - { - "in": [ - "ASC_DeployAzureDefenderForSqlAdvancedThreatProtectionWindowsAgent", - "ASC_DeployAzureDefenderForSqlVulnerabilityAssessmentWindowsAgent" - ], - "kind": "policyDefinitionReferenceId" - } - ], - "value": "Disabled" - } - ] - }, - "parameters": { - "value": { - "effect": { - "value": "Disabled" - }, - "enableCollectionOfSqlQueriesForSecurityResearch": { - "value": false - } - } - }, - "resourceSelectors": { - "value": [ - { - "name": "resourceSelector-test", - "selectors": [ - { - "in": [ - "Microsoft.Compute/virtualMachines" - ], - "kind": "resourceType" - }, - { - "in": [ - "westeurope" - ], - "kind": "resourceLocation" - } - ] - } - ] - }, - "roleDefinitionIds": { - "value": [ - 
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" - ] - }, - "subscriptionId": { - "value": "" - }, - "userAssignedIdentityId": { - "value": "" - } - } -} -``` - -
-

- -### Example 6: _Sub.Min_ - -

- -via Bicep module - -```bicep -module policyAssignment 'br:bicep/modules/authorization.policy-assignment:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-apasubmin' - params: { - // Required parameters - name: 'apasubmin001' - policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d' - // Non-required parameters - enableDefaultTelemetry: '' - metadata: { - assignedBy: 'Bicep' - category: 'Security' - version: '1.0' - } - subscriptionId: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "apasubmin001" - }, - "policyDefinitionId": { - "value": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "metadata": { - "value": { - "assignedBy": "Bicep", - "category": "Security", - "version": "1.0" - } - }, - "subscriptionId": { - "value": "" - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope, 64 characters for subscription and resource group scopes. | -| [`policyDefinitionId`](#parameter-policydefinitionid) | string | Specifies the ID of the policy definition or policy set definition being assigned. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`description`](#parameter-description) | string | This message will be part of response in case of policy violation. | -| [`displayName`](#parameter-displayname) | string | The display name of the policy assignment. Maximum length is 128 characters. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`enforcementMode`](#parameter-enforcementmode) | string | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. | -| [`identity`](#parameter-identity) | string | The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`managementGroupId`](#parameter-managementgroupid) | string | The Target Scope for the Policy. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment. | -| [`metadata`](#parameter-metadata) | object | The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | -| [`nonComplianceMessages`](#parameter-noncompliancemessages) | array | The messages that describe why a resource is non-compliant with the policy. 
| -| [`notScopes`](#parameter-notscopes) | array | The policy excluded scopes. | -| [`overrides`](#parameter-overrides) | array | The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition. | -| [`parameters`](#parameter-parameters) | object | Parameters for the policy assignment if needed. | -| [`resourceGroupName`](#parameter-resourcegroupname) | string | The Target Scope for the Policy. The name of the resource group for the policy assignment. | -| [`resourceSelectors`](#parameter-resourceselectors) | array | The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location. | -| [`roleDefinitionIds`](#parameter-roledefinitionids) | array | The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. | -| [`subscriptionId`](#parameter-subscriptionid) | string | The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. | -| [`userAssignedIdentityId`](#parameter-userassignedidentityid) | string | The Resource ID for the user assigned identity to assign to the policy assignment. | - -### Parameter: `name` - -Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope, 64 characters for subscription and resource group scopes. 
- -- Required: Yes -- Type: string - -### Parameter: `policyDefinitionId` - -Specifies the ID of the policy definition or policy set definition being assigned. - -- Required: Yes -- Type: string - -### Parameter: `description` - -This message will be part of response in case of policy violation. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `displayName` - -The display name of the policy assignment. Maximum length is 128 characters. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enforcementMode` - -The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. - -- Required: No -- Type: string -- Default: `'Default'` -- Allowed: - ```Bicep - [ - 'Default' - 'DoNotEnforce' - ] - ``` - -### Parameter: `identity` - -The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. - -- Required: No -- Type: string -- Default: `'SystemAssigned'` -- Allowed: - ```Bicep - [ - 'None' - 'SystemAssigned' - 'UserAssigned' - ] - ``` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[deployment().location]` - -### Parameter: `managementGroupId` - -The Target Scope for the Policy. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment. - -- Required: No -- Type: string -- Default: `[managementGroup().name]` - -### Parameter: `metadata` - -The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `nonComplianceMessages` - -The messages that describe why a resource is non-compliant with the policy. 
- -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `notScopes` - -The policy excluded scopes. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `overrides` - -The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `parameters` - -Parameters for the policy assignment if needed. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `resourceGroupName` - -The Target Scope for the Policy. The name of the resource group for the policy assignment. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `resourceSelectors` - -The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `roleDefinitionIds` - -The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `subscriptionId` - -The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `userAssignedIdentityId` - -The Resource ID for the user assigned identity to assign to the policy assignment. 
- -- Required: No -- Type: string -- Default: `''` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | Policy Assignment Name. | -| `principalId` | string | Policy Assignment principal ID. | -| `resourceId` | string | Policy Assignment resource ID. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Module Usage Guidance - -In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `main.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](main.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/main.bicep'](./subscription/main.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module. - -The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If you do not set the scope to management group, this would be the error that you can expect to face: - -```bicep -Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup" -``` - -The solution is to have the option of directly targeting the sub-module that achieves the required scope. 
For example, if you have your own Bicep file wanting to create resources at the subscription level, and also use some of the modules from the `Microsoft.Authorization` namespace, then you can directly use the sub-module ['/subscription/main.bicep'](./subscription/main.bicep) as a path within your repository, or reference that same published module from the bicep registry. CARML also published the sub-modules so you would be able to reference it like the following: - -**Bicep Registry Reference** -```bicep -module policyassignment 'br:bicepregistry.azurecr.io/bicep/modules/authorization.policy-assignment.subscription:version' = {} -``` -**Local Path Reference** -```bicep -module policyassignment 'yourpath/module/authorization/policy-assignment/subscription/main.bicep' = {} -``` - -### Parameter Usage: `managementGroupId` - -To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module. - -

- -Parameter JSON format - -```json -"managementGroupId": { - "value": "contoso-group" -} -``` - -
- - -
- -Bicep format - -```bicep -managementGroupId: 'contoso-group' -``` - -
-

- -> `managementGroupId` is an optional parameter. If not provided, the deployment will use the management group defined in the current deployment scope (i.e. `managementGroup().name`). - -### Parameter Usage: `subscriptionId` - -To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. **Example**: - -

- -Parameter JSON format - -```json -"subscriptionId": { - "value": "12345678-b049-471c-95af-123456789012" -} -``` - -
- -
- -Bicep format - -```bicep -subscriptionId: '12345678-b049-471c-95af-123456789012' -``` - -
-

- -### Parameter Usage: `resourceGroupName` - -To deploy resource to a Resource Group, provide the `subscriptionId` and `resourceGroupName` as an input parameter to the module. **Example**: - -

- -Parameter JSON format - -```json -"subscriptionId": { - "value": "12345678-b049-471c-95af-123456789012" -}, -"resourceGroupName": { - "value": "target-resourceGroup" -} -``` - -
- - -
- -Bicep format - -```bicep -subscriptionId: '12345678-b049-471c-95af-123456789012' -resourceGroupName: 'target-resourceGroup' -``` - -
-

-
-> The `subscriptionId` is used to enable deployment to a Resource Group Scope, allowing the use of the `resourceGroup()` function from a Management Group Scope. [Additional Details](https://github.com/Azure/bicep/pull/1420).
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/authorization/policy-assignment/main.bicep b/modules/authorization/policy-assignment/main.bicep
deleted file mode 100644
index f937dcdbc8..0000000000
--- a/modules/authorization/policy-assignment/main.bicep
+++ /dev/null
@@ -1,171 +0,0 @@
-metadata name = 'Policy Assignments (All scopes)'
-metadata description = 'This module deploys a Policy Assignment at a Management Group, Subscription or Resource Group scope.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'managementGroup'
-
-@sys.description('Required. Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope, 64 characters for subscription and resource group scopes.')
-param name string
-
-@sys.description('Optional. This message will be part of response in case of policy violation.')
-param description string = ''
-
-@sys.description('Optional. The display name of the policy assignment. Maximum length is 128 characters.')
-@maxLength(128)
-param displayName string = ''
-
-@sys.description('Required. Specifies the ID of the policy definition or policy set definition being assigned.')
-param policyDefinitionId string
-
-@sys.description('Optional. Parameters for the policy assignment if needed.')
-param parameters object = {}
-
-@sys.description('Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning \'Modify\' policy definitions.')
-@allowed([
- 'SystemAssigned'
- 'UserAssigned'
- 'None'
-])
-param identity string = 'SystemAssigned'
-
-@sys.description('Optional. The Resource ID for the user assigned identity to assign to the policy assignment.')
-param userAssignedIdentityId string = ''
-
-@sys.description('Optional. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles.
They must match on what is on the policy definition.')
-param roleDefinitionIds array = []
-
-@sys.description('Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
-param metadata object = {}
-
-@sys.description('Optional. The messages that describe why a resource is non-compliant with the policy.')
-param nonComplianceMessages array = []
-
-@sys.description('Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce.')
-@allowed([
- 'Default'
- 'DoNotEnforce'
-])
-param enforcementMode string = 'Default'
-
-@sys.description('Optional. The Target Scope for the Policy. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment.')
-param managementGroupId string = managementGroup().name
-
-@sys.description('Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment.')
-param subscriptionId string = ''
-
-@sys.description('Optional. The Target Scope for the Policy. The name of the resource group for the policy assignment.')
-param resourceGroupName string = ''
-
-@sys.description('Optional. The policy excluded scopes.')
-param notScopes array = []
-
-@sys.description('Optional. Location for all resources.')
-param location string = deployment().location
-
-@sys.description('Optional. The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition.')
-param overrides array = []
-
-@sys.description('Optional. The resource selector list to filter policies by resource properties.
Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location.')
-param resourceSelectors array = []
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- location: location
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-module policyAssignment_mg 'management-group/main.bicep' = if (empty(subscriptionId) && empty(resourceGroupName)) {
- name: '${uniqueString(deployment().name, location)}-PolicyAssignment-MG-Module'
- scope: managementGroup(managementGroupId)
- params: {
- name: name
- policyDefinitionId: policyDefinitionId
- displayName: !empty(displayName) ? displayName : ''
- description: !empty(description) ? description : ''
- parameters: !empty(parameters) ? parameters : {}
- identity: identity
- userAssignedIdentityId: userAssignedIdentityId
- roleDefinitionIds: !empty(roleDefinitionIds) ? roleDefinitionIds : []
- metadata: !empty(metadata) ? metadata : {}
- nonComplianceMessages: !empty(nonComplianceMessages) ? nonComplianceMessages : []
- enforcementMode: enforcementMode
- notScopes: !empty(notScopes) ? notScopes : []
- managementGroupId: managementGroupId
- location: location
- overrides: !empty(overrides) ? overrides : []
- resourceSelectors: !empty(resourceSelectors) ?
resourceSelectors : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module policyAssignment_sub 'subscription/main.bicep' = if (!empty(subscriptionId) && empty(resourceGroupName)) {
- name: '${uniqueString(deployment().name, location)}-PolicyAssignment-Sub-Module'
- scope: subscription(subscriptionId)
- params: {
- name: name
- policyDefinitionId: policyDefinitionId
- displayName: !empty(displayName) ? displayName : ''
- description: !empty(description) ? description : ''
- parameters: !empty(parameters) ? parameters : {}
- identity: identity
- userAssignedIdentityId: userAssignedIdentityId
- roleDefinitionIds: !empty(roleDefinitionIds) ? roleDefinitionIds : []
- metadata: !empty(metadata) ? metadata : {}
- nonComplianceMessages: !empty(nonComplianceMessages) ? nonComplianceMessages : []
- enforcementMode: enforcementMode
- notScopes: !empty(notScopes) ? notScopes : []
- subscriptionId: subscriptionId
- location: location
- overrides: !empty(overrides) ? overrides : []
- resourceSelectors: !empty(resourceSelectors) ? resourceSelectors : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module policyAssignment_rg 'resource-group/main.bicep' = if (!empty(resourceGroupName) && !empty(subscriptionId)) {
- name: '${uniqueString(deployment().name, location)}-PolicyAssignment-RG-Module'
- scope: resourceGroup(subscriptionId, resourceGroupName)
- params: {
- name: name
- policyDefinitionId: policyDefinitionId
- displayName: !empty(displayName) ? displayName : ''
- description: !empty(description) ? description : ''
- parameters: !empty(parameters) ? parameters : {}
- identity: identity
- userAssignedIdentityId: userAssignedIdentityId
- roleDefinitionIds: !empty(roleDefinitionIds) ? roleDefinitionIds : []
- metadata: !empty(metadata) ? metadata : {}
- nonComplianceMessages: !empty(nonComplianceMessages) ? nonComplianceMessages : []
- enforcementMode: enforcementMode
- notScopes: !empty(notScopes) ?
notScopes : []
- subscriptionId: subscriptionId
- location: location
- overrides: !empty(overrides) ? overrides : []
- resourceSelectors: !empty(resourceSelectors) ? resourceSelectors : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-@sys.description('Policy Assignment Name.')
-output name string = empty(subscriptionId) && empty(resourceGroupName) ? policyAssignment_mg.outputs.name : (!empty(subscriptionId) && empty(resourceGroupName) ? policyAssignment_sub.outputs.name : policyAssignment_rg.outputs.name)
-
-@sys.description('Policy Assignment principal ID.')
-output principalId string = empty(subscriptionId) && empty(resourceGroupName) ? policyAssignment_mg.outputs.principalId : (!empty(subscriptionId) && empty(resourceGroupName) ? policyAssignment_sub.outputs.principalId : policyAssignment_rg.outputs.principalId)
-
-@sys.description('Policy Assignment resource ID.')
-output resourceId string = empty(subscriptionId) && empty(resourceGroupName) ? policyAssignment_mg.outputs.resourceId : (!empty(subscriptionId) && empty(resourceGroupName) ? policyAssignment_sub.outputs.resourceId : policyAssignment_rg.outputs.resourceId)
-
-@sys.description('The location the resource was deployed into.')
-output location string = empty(subscriptionId) && empty(resourceGroupName) ? policyAssignment_mg.outputs.location : (!empty(subscriptionId) && empty(resourceGroupName) ? policyAssignment_sub.outputs.location : policyAssignment_rg.outputs.location)
diff --git a/modules/authorization/policy-assignment/main.json b/modules/authorization/policy-assignment/main.json
deleted file mode 100644
index 7b8b74787d..0000000000
--- a/modules/authorization/policy-assignment/main.json
+++ /dev/null
@@ -1,1060 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16217430690270754728" - }, - "name": "Policy Assignments (All scopes)", - "description": "This module deploys a Policy Assignment at a Management Group, Subscription or Resource Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope, 64 characters for subscription and resource group scopes." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. This message will be part of response in case of policy violation." - } - }, - "displayName": { - "type": "string", - "defaultValue": "", - "maxLength": 128, - "metadata": { - "description": "Optional. The display name of the policy assignment. Maximum length is 128 characters." - } - }, - "policyDefinitionId": { - "type": "string", - "metadata": { - "description": "Required. Specifies the ID of the policy definition or policy set definition being assigned." - } - }, - "parameters": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Parameters for the policy assignment if needed." - } - }, - "identity": { - "type": "string", - "defaultValue": "SystemAssigned", - "allowedValues": [ - "SystemAssigned", - "UserAssigned", - "None" - ], - "metadata": { - "description": "Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions." - } - }, - "userAssignedIdentityId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
The Resource ID for the user assigned identity to assign to the policy assignment." - } - }, - "roleDefinitionIds": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs." - } - }, - "nonComplianceMessages": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The messages that describe why a resource is non-compliant with the policy." - } - }, - "enforcementMode": { - "type": "string", - "defaultValue": "Default", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "metadata": { - "description": "Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce." - } - }, - "managementGroupId": { - "type": "string", - "defaultValue": "[managementGroup().name]", - "metadata": { - "description": "Optional. The Target Scope for the Policy. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment." - } - }, - "subscriptionId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment." - } - }, - "resourceGroupName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
The Target Scope for the Policy. The name of the resource group for the policy assignment." - } - }, - "notScopes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The policy excluded scopes." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "overrides": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition." - } - }, - "resourceSelectors": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "condition": "[and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PolicyAssignment-MG-Module', uniqueString(deployment().name, parameters('location')))]", - "scope": "[format('Microsoft.Management/managementGroups/{0}', parameters('managementGroupId'))]", - "location": "[deployment().location]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('name')]" - }, - "policyDefinitionId": { - "value": "[parameters('policyDefinitionId')]" - }, - "displayName": "[if(not(empty(parameters('displayName'))), createObject('value', parameters('displayName')), createObject('value', ''))]", - "description": "[if(not(empty(parameters('description'))), createObject('value', parameters('description')), createObject('value', ''))]", - "parameters": "[if(not(empty(parameters('parameters'))), createObject('value', parameters('parameters')), createObject('value', createObject()))]", - "identity": { - "value": "[parameters('identity')]" - }, - "userAssignedIdentityId": { - "value": "[parameters('userAssignedIdentityId')]" - }, - "roleDefinitionIds": "[if(not(empty(parameters('roleDefinitionIds'))), createObject('value', 
parameters('roleDefinitionIds')), createObject('value', createArray()))]", - "metadata": "[if(not(empty(parameters('metadata'))), createObject('value', parameters('metadata')), createObject('value', createObject()))]", - "nonComplianceMessages": "[if(not(empty(parameters('nonComplianceMessages'))), createObject('value', parameters('nonComplianceMessages')), createObject('value', createArray()))]", - "enforcementMode": { - "value": "[parameters('enforcementMode')]" - }, - "notScopes": "[if(not(empty(parameters('notScopes'))), createObject('value', parameters('notScopes')), createObject('value', createArray()))]", - "managementGroupId": { - "value": "[parameters('managementGroupId')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "overrides": "[if(not(empty(parameters('overrides'))), createObject('value', parameters('overrides')), createObject('value', createArray()))]", - "resourceSelectors": "[if(not(empty(parameters('resourceSelectors'))), createObject('value', parameters('resourceSelectors')), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "7850011262143738057" - }, - "name": "Policy Assignments (Management Group scope)", - "description": "This module deploys a Policy Assignment at a Management Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Required. Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
This message will be part of response in case of policy violation." - } - }, - "displayName": { - "type": "string", - "defaultValue": "", - "maxLength": 128, - "metadata": { - "description": "Optional. The display name of the policy assignment. Maximum length is 128 characters." - } - }, - "policyDefinitionId": { - "type": "string", - "metadata": { - "description": "Required. Specifies the ID of the policy definition or policy set definition being assigned." - } - }, - "parameters": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Parameters for the policy assignment if needed." - } - }, - "identity": { - "type": "string", - "defaultValue": "SystemAssigned", - "allowedValues": [ - "SystemAssigned", - "UserAssigned", - "None" - ], - "metadata": { - "description": "Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions." - } - }, - "userAssignedIdentityId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The Resource ID for the user assigned identity to assign to the policy assignment." - } - }, - "roleDefinitionIds": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs." 
- } - }, - "nonComplianceMessages": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The messages that describe why a resource is non-compliant with the policy." - } - }, - "enforcementMode": { - "type": "string", - "defaultValue": "Default", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "metadata": { - "description": "Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce." - } - }, - "managementGroupId": { - "type": "string", - "defaultValue": "[managementGroup().name]", - "metadata": { - "description": "Optional. The Target Scope for the Policy. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment." - } - }, - "notScopes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The policy excluded scopes." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "overrides": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition." - } - }, - "resourceSelectors": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "identityVar": "[if(equals(parameters('identity'), 'SystemAssigned'), createObject('type', parameters('identity')), if(equals(parameters('identity'), 'UserAssigned'), createObject('type', parameters('identity'), 'userAssignedIdentities', createObject(format('{0}', parameters('userAssignedIdentityId')), createObject())), null()))]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "properties": { - "displayName": "[if(not(empty(parameters('displayName'))), parameters('displayName'), null())]", - "metadata": "[if(not(empty(parameters('metadata'))), parameters('metadata'), null())]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "policyDefinitionId": "[parameters('policyDefinitionId')]", - "parameters": "[parameters('parameters')]", - "nonComplianceMessages": "[if(not(empty(parameters('nonComplianceMessages'))), parameters('nonComplianceMessages'), createArray())]", - "enforcementMode": "[parameters('enforcementMode')]", - "notScopes": "[if(not(empty(parameters('notScopes'))), parameters('notScopes'), createArray())]", - "overrides": "[if(not(empty(parameters('overrides'))), parameters('overrides'), createArray())]", - "resourceSelectors": "[if(not(empty(parameters('resourceSelectors'))), parameters('resourceSelectors'), 
createArray())]" - }, - "identity": "[variables('identityVar')]" - }, - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('roleDefinitionIds'))]" - }, - "condition": "[and(not(empty(parameters('roleDefinitionIds'))), equals(parameters('identity'), 'SystemAssigned'))]", - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(parameters('managementGroupId'), parameters('roleDefinitionIds')[copyIndex()], parameters('location'), parameters('name'))]", - "properties": { - "roleDefinitionId": "[parameters('roleDefinitionIds')[copyIndex()]]", - "principalId": "[reference(extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyAssignments', parameters('name')), '2022-06-01', 'full').identity.principalId]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyAssignments', parameters('name'))]" - ] - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "Policy Assignment Name." - }, - "value": "[parameters('name')]" - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Policy Assignment principal ID." - }, - "value": "[if(equals(parameters('identity'), 'SystemAssigned'), reference(extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyAssignments', parameters('name')), '2022-06-01', 'full').identity.principalId, '')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Policy Assignment resource ID." - }, - "value": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyAssignments', parameters('name'))]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." 
- }, - "value": "[reference(extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyAssignments', parameters('name')), '2022-06-01', 'full').location]" - } - } - } - } - }, - { - "condition": "[and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PolicyAssignment-Sub-Module', uniqueString(deployment().name, parameters('location')))]", - "subscriptionId": "[parameters('subscriptionId')]", - "location": "[deployment().location]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('name')]" - }, - "policyDefinitionId": { - "value": "[parameters('policyDefinitionId')]" - }, - "displayName": "[if(not(empty(parameters('displayName'))), createObject('value', parameters('displayName')), createObject('value', ''))]", - "description": "[if(not(empty(parameters('description'))), createObject('value', parameters('description')), createObject('value', ''))]", - "parameters": "[if(not(empty(parameters('parameters'))), createObject('value', parameters('parameters')), createObject('value', createObject()))]", - "identity": { - "value": "[parameters('identity')]" - }, - "userAssignedIdentityId": { - "value": "[parameters('userAssignedIdentityId')]" - }, - "roleDefinitionIds": "[if(not(empty(parameters('roleDefinitionIds'))), createObject('value', parameters('roleDefinitionIds')), createObject('value', createArray()))]", - "metadata": "[if(not(empty(parameters('metadata'))), createObject('value', parameters('metadata')), createObject('value', createObject()))]", - "nonComplianceMessages": "[if(not(empty(parameters('nonComplianceMessages'))), createObject('value', parameters('nonComplianceMessages')), createObject('value', createArray()))]", - "enforcementMode": { - "value": "[parameters('enforcementMode')]" - }, - "notScopes": 
"[if(not(empty(parameters('notScopes'))), createObject('value', parameters('notScopes')), createObject('value', createArray()))]", - "subscriptionId": { - "value": "[parameters('subscriptionId')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "overrides": "[if(not(empty(parameters('overrides'))), createObject('value', parameters('overrides')), createObject('value', createArray()))]", - "resourceSelectors": "[if(not(empty(parameters('resourceSelectors'))), createObject('value', parameters('resourceSelectors')), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6792324469101659711" - }, - "name": "Policy Assignments (Subscription scope)", - "description": "This module deploys a Policy Assignment at a Subscription scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. Specifies the name of the policy assignment. Maximum length is 64 characters for subscription scope." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. This message will be part of response in case of policy violation." - } - }, - "displayName": { - "type": "string", - "defaultValue": "", - "maxLength": 128, - "metadata": { - "description": "Optional. The display name of the policy assignment. Maximum length is 128 characters." - } - }, - "policyDefinitionId": { - "type": "string", - "metadata": { - "description": "Required. Specifies the ID of the policy definition or policy set definition being assigned." 
- } - }, - "parameters": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Parameters for the policy assignment if needed." - } - }, - "identity": { - "type": "string", - "defaultValue": "SystemAssigned", - "allowedValues": [ - "SystemAssigned", - "UserAssigned", - "None" - ], - "metadata": { - "description": "Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions." - } - }, - "userAssignedIdentityId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The Resource ID for the user assigned identity to assign to the policy assignment." - } - }, - "roleDefinitionIds": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs." - } - }, - "nonComplianceMessages": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The messages that describe why a resource is non-compliant with the policy." - } - }, - "enforcementMode": { - "type": "string", - "defaultValue": "Default", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "metadata": { - "description": "Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. 
- Default or DoNotEnforce." - } - }, - "notScopes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The policy excluded scopes." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "overrides": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition." - } - }, - "resourceSelectors": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location." - } - }, - "subscriptionId": { - "type": "string", - "defaultValue": "[subscription().subscriptionId]", - "metadata": { - "description": "Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. If not provided, will use the current scope for deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "identityVar": "[if(equals(parameters('identity'), 'SystemAssigned'), createObject('type', parameters('identity')), if(equals(parameters('identity'), 'UserAssigned'), createObject('type', parameters('identity'), 'userAssignedIdentities', createObject(format('{0}', parameters('userAssignedIdentityId')), createObject())), null()))]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "properties": { - "displayName": "[if(not(empty(parameters('displayName'))), parameters('displayName'), null())]", - "metadata": "[if(not(empty(parameters('metadata'))), parameters('metadata'), null())]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "policyDefinitionId": "[parameters('policyDefinitionId')]", - "parameters": "[parameters('parameters')]", - "nonComplianceMessages": "[if(not(empty(parameters('nonComplianceMessages'))), parameters('nonComplianceMessages'), createArray())]", - "enforcementMode": "[parameters('enforcementMode')]", - "notScopes": "[if(not(empty(parameters('notScopes'))), parameters('notScopes'), createArray())]", - "overrides": "[if(not(empty(parameters('overrides'))), parameters('overrides'), createArray())]", - "resourceSelectors": "[if(not(empty(parameters('resourceSelectors'))), parameters('resourceSelectors'), 
createArray())]" - }, - "identity": "[variables('identityVar')]" - }, - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('roleDefinitionIds'))]" - }, - "condition": "[and(not(empty(parameters('roleDefinitionIds'))), equals(parameters('identity'), 'SystemAssigned'))]", - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(parameters('subscriptionId'), parameters('roleDefinitionIds')[copyIndex()], parameters('location'), parameters('name'))]", - "properties": { - "roleDefinitionId": "[parameters('roleDefinitionIds')[copyIndex()]]", - "principalId": "[reference(subscriptionResourceId('Microsoft.Authorization/policyAssignments', parameters('name')), '2022-06-01', 'full').identity.principalId]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "[subscriptionResourceId('Microsoft.Authorization/policyAssignments', parameters('name'))]" - ] - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "Policy Assignment Name." - }, - "value": "[parameters('name')]" - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Policy Assignment principal ID." - }, - "value": "[if(equals(parameters('identity'), 'SystemAssigned'), reference(subscriptionResourceId('Microsoft.Authorization/policyAssignments', parameters('name')), '2022-06-01', 'full').identity.principalId, '')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Policy Assignment resource ID." - }, - "value": "[subscriptionResourceId('Microsoft.Authorization/policyAssignments', parameters('name'))]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." 
- }, - "value": "[reference(subscriptionResourceId('Microsoft.Authorization/policyAssignments', parameters('name')), '2022-06-01', 'full').location]" - } - } - } - } - }, - { - "condition": "[and(not(empty(parameters('resourceGroupName'))), not(empty(parameters('subscriptionId'))))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PolicyAssignment-RG-Module', uniqueString(deployment().name, parameters('location')))]", - "subscriptionId": "[parameters('subscriptionId')]", - "resourceGroup": "[parameters('resourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('name')]" - }, - "policyDefinitionId": { - "value": "[parameters('policyDefinitionId')]" - }, - "displayName": "[if(not(empty(parameters('displayName'))), createObject('value', parameters('displayName')), createObject('value', ''))]", - "description": "[if(not(empty(parameters('description'))), createObject('value', parameters('description')), createObject('value', ''))]", - "parameters": "[if(not(empty(parameters('parameters'))), createObject('value', parameters('parameters')), createObject('value', createObject()))]", - "identity": { - "value": "[parameters('identity')]" - }, - "userAssignedIdentityId": { - "value": "[parameters('userAssignedIdentityId')]" - }, - "roleDefinitionIds": "[if(not(empty(parameters('roleDefinitionIds'))), createObject('value', parameters('roleDefinitionIds')), createObject('value', createArray()))]", - "metadata": "[if(not(empty(parameters('metadata'))), createObject('value', parameters('metadata')), createObject('value', createObject()))]", - "nonComplianceMessages": "[if(not(empty(parameters('nonComplianceMessages'))), createObject('value', parameters('nonComplianceMessages')), createObject('value', createArray()))]", - "enforcementMode": { - "value": "[parameters('enforcementMode')]" - }, - "notScopes": 
"[if(not(empty(parameters('notScopes'))), createObject('value', parameters('notScopes')), createObject('value', createArray()))]", - "subscriptionId": { - "value": "[parameters('subscriptionId')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "overrides": "[if(not(empty(parameters('overrides'))), createObject('value', parameters('overrides')), createObject('value', createArray()))]", - "resourceSelectors": "[if(not(empty(parameters('resourceSelectors'))), createObject('value', parameters('resourceSelectors')), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16072203882278482118" - }, - "name": "Policy Assignments (Resource Group scope)", - "description": "This module deploys a Policy Assignment at a Resource Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. Specifies the name of the policy assignment. Maximum length is 64 characters for resource group scope." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. This message will be part of response in case of policy violation." - } - }, - "displayName": { - "type": "string", - "defaultValue": "", - "maxLength": 128, - "metadata": { - "description": "Optional. The display name of the policy assignment. Maximum length is 128 characters." - } - }, - "policyDefinitionId": { - "type": "string", - "metadata": { - "description": "Required. Specifies the ID of the policy definition or policy set definition being assigned." 
- } - }, - "parameters": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Parameters for the policy assignment if needed." - } - }, - "identity": { - "type": "string", - "defaultValue": "SystemAssigned", - "allowedValues": [ - "SystemAssigned", - "UserAssigned", - "None" - ], - "metadata": { - "description": "Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions." - } - }, - "userAssignedIdentityId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The Resource ID for the user assigned identity to assign to the policy assignment." - } - }, - "roleDefinitionIds": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs." - } - }, - "nonComplianceMessages": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The messages that describe why a resource is non-compliant with the policy." - } - }, - "enforcementMode": { - "type": "string", - "defaultValue": "Default", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "metadata": { - "description": "Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. 
- Default or DoNotEnforce." - } - }, - "notScopes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The policy excluded scopes." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "overrides": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition." - } - }, - "resourceSelectors": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location." - } - }, - "subscriptionId": { - "type": "string", - "defaultValue": "[subscription().subscriptionId]", - "metadata": { - "description": "Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. If not provided, will use the current scope for deployment." - } - }, - "resourceGroupName": { - "type": "string", - "defaultValue": "[resourceGroup().name]", - "metadata": { - "description": "Optional. The Target Scope for the Policy. The name of the resource group for the policy assignment. If not provided, will use the current scope for deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "identityVar": "[if(equals(parameters('identity'), 'SystemAssigned'), createObject('type', parameters('identity')), if(equals(parameters('identity'), 'UserAssigned'), createObject('type', parameters('identity'), 'userAssignedIdentities', createObject(format('{0}', parameters('userAssignedIdentityId')), createObject())), null()))]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "properties": { - "displayName": "[if(not(empty(parameters('displayName'))), parameters('displayName'), null())]", - "metadata": "[if(not(empty(parameters('metadata'))), parameters('metadata'), null())]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "policyDefinitionId": "[parameters('policyDefinitionId')]", - "parameters": "[parameters('parameters')]", - "nonComplianceMessages": "[if(not(empty(parameters('nonComplianceMessages'))), parameters('nonComplianceMessages'), createArray())]", - "enforcementMode": "[parameters('enforcementMode')]", - "notScopes": "[if(not(empty(parameters('notScopes'))), parameters('notScopes'), createArray())]", - "overrides": "[if(not(empty(parameters('overrides'))), parameters('overrides'), createArray())]", - "resourceSelectors": "[if(not(empty(parameters('resourceSelectors'))), parameters('resourceSelectors'), createArray())]" - }, - "identity": 
"[variables('identityVar')]" - }, - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('roleDefinitionIds'))]" - }, - "condition": "[and(not(empty(parameters('roleDefinitionIds'))), equals(parameters('identity'), 'SystemAssigned'))]", - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(parameters('subscriptionId'), parameters('resourceGroupName'), parameters('roleDefinitionIds')[copyIndex()], parameters('location'), parameters('name'))]", - "properties": { - "roleDefinitionId": "[parameters('roleDefinitionIds')[copyIndex()]]", - "principalId": "[reference(resourceId('Microsoft.Authorization/policyAssignments', parameters('name')), '2022-06-01', 'full').identity.principalId]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', parameters('name'))]" - ] - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "Policy Assignment Name." - }, - "value": "[parameters('name')]" - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Policy Assignment principal ID." - }, - "value": "[if(equals(parameters('identity'), 'SystemAssigned'), reference(resourceId('Microsoft.Authorization/policyAssignments', parameters('name')), '2022-06-01', 'full').identity.principalId, '')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Policy Assignment resource ID." - }, - "value": "[resourceId('Microsoft.Authorization/policyAssignments', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the policy was assigned to." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." 
- }, - "value": "[reference(resourceId('Microsoft.Authorization/policyAssignments', parameters('name')), '2022-06-01', 'full').location]" - } - } - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "Policy Assignment Name." - }, - "value": "[if(and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName'))), reference(extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', parameters('managementGroupId')), 'Microsoft.Resources/deployments', format('{0}-PolicyAssignment-MG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value, if(and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName'))), reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-PolicyAssignment-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('subscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-PolicyAssignment-RG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value))]" - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Policy Assignment principal ID." 
- }, - "value": "[if(and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName'))), reference(extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', parameters('managementGroupId')), 'Microsoft.Resources/deployments', format('{0}-PolicyAssignment-MG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.principalId.value, if(and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName'))), reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-PolicyAssignment-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.principalId.value, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('subscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-PolicyAssignment-RG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.principalId.value))]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Policy Assignment resource ID." 
- }, - "value": "[if(and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName'))), reference(extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', parameters('managementGroupId')), 'Microsoft.Resources/deployments', format('{0}-PolicyAssignment-MG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value, if(and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName'))), reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-PolicyAssignment-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('subscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-PolicyAssignment-RG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value))]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." 
- }, - "value": "[if(and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName'))), reference(extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', parameters('managementGroupId')), 'Microsoft.Resources/deployments', format('{0}-PolicyAssignment-MG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.location.value, if(and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName'))), reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-PolicyAssignment-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.location.value, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('subscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-PolicyAssignment-RG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.location.value))]" - } - } -} \ No newline at end of file diff --git a/modules/authorization/policy-assignment/management-group/README.md b/modules/authorization/policy-assignment/management-group/README.md deleted file mode 100644 index c49026c652..0000000000 --- a/modules/authorization/policy-assignment/management-group/README.md +++ /dev/null 
@@ -1,209 +0,0 @@ -# Policy Assignments (Management Group scope) `[Microsoft.Authorization/policyAssignments]` - -This module deploys a Policy Assignment at a Management Group scope. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/policyAssignments` | [2022-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-06-01/policyAssignments) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope. | -| [`policyDefinitionId`](#parameter-policydefinitionid) | string | Specifies the ID of the policy definition or policy set definition being assigned. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`description`](#parameter-description) | string | This message will be part of response in case of policy violation. | -| [`displayName`](#parameter-displayname) | string | The display name of the policy assignment. Maximum length is 128 characters. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`enforcementMode`](#parameter-enforcementmode) | string | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. | -| [`identity`](#parameter-identity) | string | The managed identity associated with the policy assignment. 
Policy assignments must include a resource identity when assigning 'Modify' policy definitions. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`managementGroupId`](#parameter-managementgroupid) | string | The Target Scope for the Policy. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment. | -| [`metadata`](#parameter-metadata) | object | The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | -| [`nonComplianceMessages`](#parameter-noncompliancemessages) | array | The messages that describe why a resource is non-compliant with the policy. | -| [`notScopes`](#parameter-notscopes) | array | The policy excluded scopes. | -| [`overrides`](#parameter-overrides) | array | The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition. | -| [`parameters`](#parameter-parameters) | object | Parameters for the policy assignment if needed. | -| [`resourceSelectors`](#parameter-resourceselectors) | array | The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location. | -| [`roleDefinitionIds`](#parameter-roledefinitionids) | array | The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. 
| -| [`userAssignedIdentityId`](#parameter-userassignedidentityid) | string | The Resource ID for the user assigned identity to assign to the policy assignment. | - -### Parameter: `name` - -Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope. - -- Required: Yes -- Type: string - -### Parameter: `policyDefinitionId` - -Specifies the ID of the policy definition or policy set definition being assigned. - -- Required: Yes -- Type: string - -### Parameter: `description` - -This message will be part of response in case of policy violation. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `displayName` - -The display name of the policy assignment. Maximum length is 128 characters. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enforcementMode` - -The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. - -- Required: No -- Type: string -- Default: `'Default'` -- Allowed: - ```Bicep - [ - 'Default' - 'DoNotEnforce' - ] - ``` - -### Parameter: `identity` - -The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. - -- Required: No -- Type: string -- Default: `'SystemAssigned'` -- Allowed: - ```Bicep - [ - 'None' - 'SystemAssigned' - 'UserAssigned' - ] - ``` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[deployment().location]` - -### Parameter: `managementGroupId` - -The Target Scope for the Policy. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment. 
- -- Required: No -- Type: string -- Default: `[managementGroup().name]` - -### Parameter: `metadata` - -The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `nonComplianceMessages` - -The messages that describe why a resource is non-compliant with the policy. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `notScopes` - -The policy excluded scopes. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `overrides` - -The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `parameters` - -Parameters for the policy assignment if needed. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `resourceSelectors` - -The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `roleDefinitionIds` - -The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `userAssignedIdentityId` - -The Resource ID for the user assigned identity to assign to the policy assignment. 
-
-- Required: No
-- Type: string
-- Default: `''`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | Policy Assignment Name. |
-| `principalId` | string | Policy Assignment principal ID. |
-| `resourceId` | string | Policy Assignment resource ID. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/authorization/policy-assignment/management-group/main.bicep b/modules/authorization/policy-assignment/management-group/main.bicep
deleted file mode 100644
index 7a7e8005f3..0000000000
--- a/modules/authorization/policy-assignment/management-group/main.bicep
+++ /dev/null
@@ -1,128 +0,0 @@
-metadata name = 'Policy Assignments (Management Group scope)'
-metadata description = 'This module deploys a Policy Assignment at a Management Group scope.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'managementGroup'
-
-@sys.description('Required. Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope.')
-@maxLength(24)
-param name string
-
-@sys.description('Optional. This message will be part of response in case of policy violation.')
-param description string = ''
-
-@sys.description('Optional. The display name of the policy assignment. Maximum length is 128 characters.')
-@maxLength(128)
-param displayName string = ''
-
-@sys.description('Required. Specifies the ID of the policy definition or policy set definition being assigned.')
-param policyDefinitionId string
-
-@sys.description('Optional. Parameters for the policy assignment if needed.')
-param parameters object = {}
-
-@sys.description('Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning \'Modify\' policy definitions.')
-@allowed([
- 'SystemAssigned'
- 'UserAssigned'
- 'None'
-])
-param identity string = 'SystemAssigned'
-
-@sys.description('Optional. The Resource ID for the user assigned identity to assign to the policy assignment.')
-param userAssignedIdentityId string = ''
-
-@sys.description('Optional. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition.')
-param roleDefinitionIds array = []
-
-@sys.description('Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
-param metadata object = {}
-
-@sys.description('Optional. The messages that describe why a resource is non-compliant with the policy.')
-param nonComplianceMessages array = []
-
-@sys.description('Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce.')
-@allowed([
- 'Default'
- 'DoNotEnforce'
-])
-param enforcementMode string = 'Default'
-
-@sys.description('Optional. The Target Scope for the Policy. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment.')
-param managementGroupId string = managementGroup().name
-
-@sys.description('Optional. The policy excluded scopes.')
-param notScopes array = []
-
-@sys.description('Optional. Location for all resources.')
-param location string = deployment().location
-
-@sys.description('Optional. The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition.')
-param overrides array = []
-
-@sys.description('Optional. The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location.')
-param resourceSelectors array = []
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var identityVar = identity == 'SystemAssigned' ? {
- type: identity
-} : identity == 'UserAssigned' ? {
- type: identity
- userAssignedIdentities: {
- '${userAssignedIdentityId}': {}
- }
-} : null
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- location: location
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource policyAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
- name: name
- location: location
- properties: {
- displayName: !empty(displayName) ? displayName : null
- metadata: !empty(metadata) ? metadata : null
- description: !empty(description) ? description : null
- policyDefinitionId: policyDefinitionId
- parameters: parameters
- nonComplianceMessages: !empty(nonComplianceMessages) ? nonComplianceMessages : []
- enforcementMode: enforcementMode
- notScopes: !empty(notScopes) ? notScopes : []
- overrides: !empty(overrides) ? overrides : []
- resourceSelectors: !empty(resourceSelectors) ? resourceSelectors : []
- }
- identity: identityVar
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for roleDefinitionId in roleDefinitionIds: if (!empty(roleDefinitionIds) && identity == 'SystemAssigned') {
- name: guid(managementGroupId, roleDefinitionId, location, name)
- properties: {
- roleDefinitionId: roleDefinitionId
- principalId: policyAssignment.identity.principalId
- principalType: 'ServicePrincipal'
- }
-}]
-
-@sys.description('Policy Assignment Name.')
-output name string = policyAssignment.name
-
-@sys.description('Policy Assignment principal ID.')
-output principalId string = identity == 'SystemAssigned' ? policyAssignment.identity.principalId : ''
-
-@sys.description('Policy Assignment resource ID.')
-output resourceId string = policyAssignment.id
-
-@sys.description('The location the resource was deployed into.')
-output location string = policyAssignment.location
diff --git a/modules/authorization/policy-assignment/management-group/main.json b/modules/authorization/policy-assignment/management-group/main.json
deleted file mode 100644
index 4d9bb31953..0000000000
--- a/modules/authorization/policy-assignment/management-group/main.json
+++ /dev/null
@@ -1,231 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "7850011262143738057" - }, - "name": "Policy Assignments (Management Group scope)", - "description": "This module deploys a Policy Assignment at a Management Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Required. Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. This message will be part of response in case of policy violation." - } - }, - "displayName": { - "type": "string", - "defaultValue": "", - "maxLength": 128, - "metadata": { - "description": "Optional. The display name of the policy assignment. Maximum length is 128 characters." - } - }, - "policyDefinitionId": { - "type": "string", - "metadata": { - "description": "Required. Specifies the ID of the policy definition or policy set definition being assigned." - } - }, - "parameters": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Parameters for the policy assignment if needed." - } - }, - "identity": { - "type": "string", - "defaultValue": "SystemAssigned", - "allowedValues": [ - "SystemAssigned", - "UserAssigned", - "None" - ], - "metadata": { - "description": "Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions." - } - }, - "userAssignedIdentityId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
The Resource ID for the user assigned identity to assign to the policy assignment." - } - }, - "roleDefinitionIds": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs." - } - }, - "nonComplianceMessages": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The messages that describe why a resource is non-compliant with the policy." - } - }, - "enforcementMode": { - "type": "string", - "defaultValue": "Default", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "metadata": { - "description": "Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce." - } - }, - "managementGroupId": { - "type": "string", - "defaultValue": "[managementGroup().name]", - "metadata": { - "description": "Optional. The Target Scope for the Policy. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment." - } - }, - "notScopes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The policy excluded scopes." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location for all resources." 
- } - }, - "overrides": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition." - } - }, - "resourceSelectors": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "identityVar": "[if(equals(parameters('identity'), 'SystemAssigned'), createObject('type', parameters('identity')), if(equals(parameters('identity'), 'UserAssigned'), createObject('type', parameters('identity'), 'userAssignedIdentities', createObject(format('{0}', parameters('userAssignedIdentityId')), createObject())), null()))]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "properties": { - "displayName": 
"[if(not(empty(parameters('displayName'))), parameters('displayName'), null())]", - "metadata": "[if(not(empty(parameters('metadata'))), parameters('metadata'), null())]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "policyDefinitionId": "[parameters('policyDefinitionId')]", - "parameters": "[parameters('parameters')]", - "nonComplianceMessages": "[if(not(empty(parameters('nonComplianceMessages'))), parameters('nonComplianceMessages'), createArray())]", - "enforcementMode": "[parameters('enforcementMode')]", - "notScopes": "[if(not(empty(parameters('notScopes'))), parameters('notScopes'), createArray())]", - "overrides": "[if(not(empty(parameters('overrides'))), parameters('overrides'), createArray())]", - "resourceSelectors": "[if(not(empty(parameters('resourceSelectors'))), parameters('resourceSelectors'), createArray())]" - }, - "identity": "[variables('identityVar')]" - }, - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('roleDefinitionIds'))]" - }, - "condition": "[and(not(empty(parameters('roleDefinitionIds'))), equals(parameters('identity'), 'SystemAssigned'))]", - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(parameters('managementGroupId'), parameters('roleDefinitionIds')[copyIndex()], parameters('location'), parameters('name'))]", - "properties": { - "roleDefinitionId": "[parameters('roleDefinitionIds')[copyIndex()]]", - "principalId": "[reference(extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyAssignments', parameters('name')), '2022-06-01', 'full').identity.principalId]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyAssignments', parameters('name'))]" - ] - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "Policy Assignment Name." 
- }, - "value": "[parameters('name')]" - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Policy Assignment principal ID." - }, - "value": "[if(equals(parameters('identity'), 'SystemAssigned'), reference(extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyAssignments', parameters('name')), '2022-06-01', 'full').identity.principalId, '')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Policy Assignment resource ID." - }, - "value": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyAssignments', parameters('name'))]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference(extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyAssignments', parameters('name')), '2022-06-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/authorization/policy-assignment/management-group/version.json b/modules/authorization/policy-assignment/management-group/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/authorization/policy-assignment/management-group/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/authorization/policy-assignment/resource-group/README.md b/modules/authorization/policy-assignment/resource-group/README.md deleted file mode 100644 index da543f77c1..0000000000 --- a/modules/authorization/policy-assignment/resource-group/README.md +++ /dev/null 
@@ -1,219 +0,0 @@ -# Policy Assignments (Resource Group scope) `[Microsoft.Authorization/policyAssignments]` - -This module deploys a Policy Assignment at a Resource Group scope. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/policyAssignments` | [2022-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-06-01/policyAssignments) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Specifies the name of the policy assignment. Maximum length is 64 characters for resource group scope. | -| [`policyDefinitionId`](#parameter-policydefinitionid) | string | Specifies the ID of the policy definition or policy set definition being assigned. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`description`](#parameter-description) | string | This message will be part of response in case of policy violation. | -| [`displayName`](#parameter-displayname) | string | The display name of the policy assignment. Maximum length is 128 characters. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`enforcementMode`](#parameter-enforcementmode) | string | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. | -| [`identity`](#parameter-identity) | string | The managed identity associated with the policy assignment. 
Policy assignments must include a resource identity when assigning 'Modify' policy definitions. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`metadata`](#parameter-metadata) | object | The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | -| [`nonComplianceMessages`](#parameter-noncompliancemessages) | array | The messages that describe why a resource is non-compliant with the policy. | -| [`notScopes`](#parameter-notscopes) | array | The policy excluded scopes. | -| [`overrides`](#parameter-overrides) | array | The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition. | -| [`parameters`](#parameter-parameters) | object | Parameters for the policy assignment if needed. | -| [`resourceGroupName`](#parameter-resourcegroupname) | string | The Target Scope for the Policy. The name of the resource group for the policy assignment. If not provided, will use the current scope for deployment. | -| [`resourceSelectors`](#parameter-resourceselectors) | array | The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location. | -| [`roleDefinitionIds`](#parameter-roledefinitionids) | array | The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. 
| -| [`subscriptionId`](#parameter-subscriptionid) | string | The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. If not provided, will use the current scope for deployment. | -| [`userAssignedIdentityId`](#parameter-userassignedidentityid) | string | The Resource ID for the user assigned identity to assign to the policy assignment. | - -### Parameter: `name` - -Specifies the name of the policy assignment. Maximum length is 64 characters for resource group scope. - -- Required: Yes -- Type: string - -### Parameter: `policyDefinitionId` - -Specifies the ID of the policy definition or policy set definition being assigned. - -- Required: Yes -- Type: string - -### Parameter: `description` - -This message will be part of response in case of policy violation. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `displayName` - -The display name of the policy assignment. Maximum length is 128 characters. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enforcementMode` - -The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. - -- Required: No -- Type: string -- Default: `'Default'` -- Allowed: - ```Bicep - [ - 'Default' - 'DoNotEnforce' - ] - ``` - -### Parameter: `identity` - -The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. - -- Required: No -- Type: string -- Default: `'SystemAssigned'` -- Allowed: - ```Bicep - [ - 'None' - 'SystemAssigned' - 'UserAssigned' - ] - ``` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `metadata` - -The policy assignment metadata. 
Metadata is an open ended object and is typically a collection of key-value pairs. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `nonComplianceMessages` - -The messages that describe why a resource is non-compliant with the policy. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `notScopes` - -The policy excluded scopes. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `overrides` - -The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `parameters` - -Parameters for the policy assignment if needed. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `resourceGroupName` - -The Target Scope for the Policy. The name of the resource group for the policy assignment. If not provided, will use the current scope for deployment. - -- Required: No -- Type: string -- Default: `[resourceGroup().name]` - -### Parameter: `resourceSelectors` - -The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `roleDefinitionIds` - -The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. 
- -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `subscriptionId` - -The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. If not provided, will use the current scope for deployment. - -- Required: No -- Type: string -- Default: `[subscription().subscriptionId]` - -### Parameter: `userAssignedIdentityId` - -The Resource ID for the user assigned identity to assign to the policy assignment. - -- Required: No -- Type: string -- Default: `''` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | Policy Assignment Name. | -| `principalId` | string | Policy Assignment principal ID. | -| `resourceGroupName` | string | The name of the resource group the policy was assigned to. | -| `resourceId` | string | Policy Assignment resource ID. | - -## Cross-referenced modules - -_None_ diff --git a/modules/authorization/policy-assignment/resource-group/main.bicep b/modules/authorization/policy-assignment/resource-group/main.bicep deleted file mode 100644 index 049e8babe2..0000000000 --- a/modules/authorization/policy-assignment/resource-group/main.bicep +++ /dev/null 
@@ -1,133 +0,0 @@
-metadata name = 'Policy Assignments (Resource Group scope)'
-metadata description = 'This module deploys a Policy Assignment at a Resource Group scope.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'resourceGroup'
-
-@sys.description('Required. Specifies the name of the policy assignment. Maximum length is 64 characters for resource group scope.')
-@maxLength(64)
-param name string
-
-@sys.description('Optional. This message will be part of response in case of policy violation.')
-param description string = ''
-
-@sys.description('Optional. The display name of the policy assignment. Maximum length is 128 characters.')
-@maxLength(128)
-param displayName string = ''
-
-@sys.description('Required. Specifies the ID of the policy definition or policy set definition being assigned.')
-param policyDefinitionId string
-
-@sys.description('Optional. Parameters for the policy assignment if needed.')
-param parameters object = {}
-
-@sys.description('Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning \'Modify\' policy definitions.')
-@allowed([
- 'SystemAssigned'
- 'UserAssigned'
- 'None'
-])
-param identity string = 'SystemAssigned'
-
-@sys.description('Optional. The Resource ID for the user assigned identity to assign to the policy assignment.')
-param userAssignedIdentityId string = ''
-
-@sys.description('Optional. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition.')
-param roleDefinitionIds array = []
-
-@sys.description('Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
-param metadata object = {}
-
-@sys.description('Optional. The messages that describe why a resource is non-compliant with the policy.')
-param nonComplianceMessages array = []
-
-@sys.description('Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce.')
-@allowed([
- 'Default'
- 'DoNotEnforce'
-])
-param enforcementMode string = 'Default'
-
-@sys.description('Optional. The policy excluded scopes.')
-param notScopes array = []
-
-@sys.description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@sys.description('Optional. The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition.')
-param overrides array = []
-
-@sys.description('Optional. The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location.')
-param resourceSelectors array = []
-
-@sys.description('Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. If not provided, will use the current scope for deployment.')
-param subscriptionId string = subscription().subscriptionId
-
-@sys.description('Optional. The Target Scope for the Policy. The name of the resource group for the policy assignment. If not provided, will use the current scope for deployment.')
-param resourceGroupName string = resourceGroup().name
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-var identityVar = identity == 'SystemAssigned' ? {
- type: identity
-} : identity == 'UserAssigned' ? {
- type: identity
- userAssignedIdentities: {
- '${userAssignedIdentityId}': {}
- }
-} : null
-
-resource policyAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
- name: name
- location: location
- properties: {
- displayName: !empty(displayName) ? displayName : null
- metadata: !empty(metadata) ? metadata : null
- description: !empty(description) ? description : null
- policyDefinitionId: policyDefinitionId
- parameters: parameters
- nonComplianceMessages: !empty(nonComplianceMessages) ? nonComplianceMessages : []
- enforcementMode: enforcementMode
- notScopes: !empty(notScopes) ? notScopes : []
- overrides: !empty(overrides) ? overrides : []
- resourceSelectors: !empty(resourceSelectors) ? resourceSelectors : []
- }
- identity: identityVar
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for roleDefinitionId in roleDefinitionIds: if (!empty(roleDefinitionIds) && identity == 'SystemAssigned') {
- name: guid(subscriptionId, resourceGroupName, roleDefinitionId, location, name)
- properties: {
- roleDefinitionId: roleDefinitionId
- principalId: policyAssignment.identity.principalId
- principalType: 'ServicePrincipal'
- }
-}]
-
-@sys.description('Policy Assignment Name.')
-output name string = policyAssignment.name
-
-@sys.description('Policy Assignment principal ID.')
-output principalId string = identity == 'SystemAssigned' ? policyAssignment.identity.principalId : ''
-
-@sys.description('Policy Assignment resource ID.')
-output resourceId string = policyAssignment.id
-
-@sys.description('The name of the resource group the policy was assigned to.')
-output resourceGroupName string = resourceGroup().name
-
-@sys.description('The location the resource was deployed into.')
-output location string = policyAssignment.location
diff --git a/modules/authorization/policy-assignment/resource-group/main.json b/modules/authorization/policy-assignment/resource-group/main.json
deleted file mode 100644
index d29fb42006..0000000000
--- a/modules/authorization/policy-assignment/resource-group/main.json
+++ /dev/null
@@ -1,244 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16072203882278482118" - }, - "name": "Policy Assignments (Resource Group scope)", - "description": "This module deploys a Policy Assignment at a Resource Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. Specifies the name of the policy assignment. Maximum length is 64 characters for resource group scope." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. This message will be part of response in case of policy violation." - } - }, - "displayName": { - "type": "string", - "defaultValue": "", - "maxLength": 128, - "metadata": { - "description": "Optional. The display name of the policy assignment. Maximum length is 128 characters." - } - }, - "policyDefinitionId": { - "type": "string", - "metadata": { - "description": "Required. Specifies the ID of the policy definition or policy set definition being assigned." - } - }, - "parameters": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Parameters for the policy assignment if needed." - } - }, - "identity": { - "type": "string", - "defaultValue": "SystemAssigned", - "allowedValues": [ - "SystemAssigned", - "UserAssigned", - "None" - ], - "metadata": { - "description": "Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions." - } - }, - "userAssignedIdentityId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The Resource ID for the user assigned identity to assign to the policy assignment." 
- } - }, - "roleDefinitionIds": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs." - } - }, - "nonComplianceMessages": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The messages that describe why a resource is non-compliant with the policy." - } - }, - "enforcementMode": { - "type": "string", - "defaultValue": "Default", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "metadata": { - "description": "Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce." - } - }, - "notScopes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The policy excluded scopes." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "overrides": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition." 
- } - }, - "resourceSelectors": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location." - } - }, - "subscriptionId": { - "type": "string", - "defaultValue": "[subscription().subscriptionId]", - "metadata": { - "description": "Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. If not provided, will use the current scope for deployment." - } - }, - "resourceGroupName": { - "type": "string", - "defaultValue": "[resourceGroup().name]", - "metadata": { - "description": "Optional. The Target Scope for the Policy. The name of the resource group for the policy assignment. If not provided, will use the current scope for deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "identityVar": "[if(equals(parameters('identity'), 'SystemAssigned'), createObject('type', parameters('identity')), if(equals(parameters('identity'), 'UserAssigned'), createObject('type', parameters('identity'), 'userAssignedIdentities', createObject(format('{0}', parameters('userAssignedIdentityId')), createObject())), null()))]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "properties": { - "displayName": "[if(not(empty(parameters('displayName'))), parameters('displayName'), null())]", - "metadata": "[if(not(empty(parameters('metadata'))), parameters('metadata'), null())]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "policyDefinitionId": "[parameters('policyDefinitionId')]", - "parameters": "[parameters('parameters')]", - "nonComplianceMessages": "[if(not(empty(parameters('nonComplianceMessages'))), parameters('nonComplianceMessages'), createArray())]", - "enforcementMode": "[parameters('enforcementMode')]", - "notScopes": "[if(not(empty(parameters('notScopes'))), parameters('notScopes'), createArray())]", - "overrides": "[if(not(empty(parameters('overrides'))), parameters('overrides'), createArray())]", - "resourceSelectors": "[if(not(empty(parameters('resourceSelectors'))), parameters('resourceSelectors'), createArray())]" - }, - "identity": 
"[variables('identityVar')]" - }, - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('roleDefinitionIds'))]" - }, - "condition": "[and(not(empty(parameters('roleDefinitionIds'))), equals(parameters('identity'), 'SystemAssigned'))]", - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(parameters('subscriptionId'), parameters('resourceGroupName'), parameters('roleDefinitionIds')[copyIndex()], parameters('location'), parameters('name'))]", - "properties": { - "roleDefinitionId": "[parameters('roleDefinitionIds')[copyIndex()]]", - "principalId": "[reference(resourceId('Microsoft.Authorization/policyAssignments', parameters('name')), '2022-06-01', 'full').identity.principalId]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', parameters('name'))]" - ] - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "Policy Assignment Name." - }, - "value": "[parameters('name')]" - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Policy Assignment principal ID." - }, - "value": "[if(equals(parameters('identity'), 'SystemAssigned'), reference(resourceId('Microsoft.Authorization/policyAssignments', parameters('name')), '2022-06-01', 'full').identity.principalId, '')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Policy Assignment resource ID." - }, - "value": "[resourceId('Microsoft.Authorization/policyAssignments', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the policy was assigned to." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." 
- }, - "value": "[reference(resourceId('Microsoft.Authorization/policyAssignments', parameters('name')), '2022-06-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/authorization/policy-assignment/resource-group/version.json b/modules/authorization/policy-assignment/resource-group/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/authorization/policy-assignment/resource-group/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/authorization/policy-assignment/subscription/README.md b/modules/authorization/policy-assignment/subscription/README.md deleted file mode 100644 index 3cdd823dd4..0000000000 --- a/modules/authorization/policy-assignment/subscription/README.md +++ /dev/null 
@@ -1,209 +0,0 @@ -# Policy Assignments (Subscription scope) `[Microsoft.Authorization/policyAssignments]` - -This module deploys a Policy Assignment at a Subscription scope. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/policyAssignments` | [2022-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-06-01/policyAssignments) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Specifies the name of the policy assignment. Maximum length is 64 characters for subscription scope. | -| [`policyDefinitionId`](#parameter-policydefinitionid) | string | Specifies the ID of the policy definition or policy set definition being assigned. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`description`](#parameter-description) | string | This message will be part of response in case of policy violation. | -| [`displayName`](#parameter-displayname) | string | The display name of the policy assignment. Maximum length is 128 characters. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`enforcementMode`](#parameter-enforcementmode) | string | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. | -| [`identity`](#parameter-identity) | string | The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. 
| -| [`location`](#parameter-location) | string | Location for all resources. | -| [`metadata`](#parameter-metadata) | object | The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | -| [`nonComplianceMessages`](#parameter-noncompliancemessages) | array | The messages that describe why a resource is non-compliant with the policy. | -| [`notScopes`](#parameter-notscopes) | array | The policy excluded scopes. | -| [`overrides`](#parameter-overrides) | array | The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition. | -| [`parameters`](#parameter-parameters) | object | Parameters for the policy assignment if needed. | -| [`resourceSelectors`](#parameter-resourceselectors) | array | The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location. | -| [`roleDefinitionIds`](#parameter-roledefinitionids) | array | The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. | -| [`subscriptionId`](#parameter-subscriptionid) | string | The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. If not provided, will use the current scope for deployment. 
| -| [`userAssignedIdentityId`](#parameter-userassignedidentityid) | string | The Resource ID for the user assigned identity to assign to the policy assignment. | - -### Parameter: `name` - -Specifies the name of the policy assignment. Maximum length is 64 characters for subscription scope. - -- Required: Yes -- Type: string - -### Parameter: `policyDefinitionId` - -Specifies the ID of the policy definition or policy set definition being assigned. - -- Required: Yes -- Type: string - -### Parameter: `description` - -This message will be part of response in case of policy violation. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `displayName` - -The display name of the policy assignment. Maximum length is 128 characters. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enforcementMode` - -The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. - -- Required: No -- Type: string -- Default: `'Default'` -- Allowed: - ```Bicep - [ - 'Default' - 'DoNotEnforce' - ] - ``` - -### Parameter: `identity` - -The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. - -- Required: No -- Type: string -- Default: `'SystemAssigned'` -- Allowed: - ```Bicep - [ - 'None' - 'SystemAssigned' - 'UserAssigned' - ] - ``` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[deployment().location]` - -### Parameter: `metadata` - -The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. 
- -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `nonComplianceMessages` - -The messages that describe why a resource is non-compliant with the policy. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `notScopes` - -The policy excluded scopes. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `overrides` - -The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `parameters` - -Parameters for the policy assignment if needed. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `resourceSelectors` - -The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `roleDefinitionIds` - -The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `subscriptionId` - -The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. If not provided, will use the current scope for deployment. 
- -- Required: No -- Type: string -- Default: `[subscription().subscriptionId]` - -### Parameter: `userAssignedIdentityId` - -The Resource ID for the user assigned identity to assign to the policy assignment. - -- Required: No -- Type: string -- Default: `''` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | Policy Assignment Name. | -| `principalId` | string | Policy Assignment principal ID. | -| `resourceId` | string | Policy Assignment resource ID. | - -## Cross-referenced modules - -_None_ diff --git a/modules/authorization/policy-assignment/subscription/main.bicep b/modules/authorization/policy-assignment/subscription/main.bicep deleted file mode 100644 index fd7cad4047..0000000000 --- a/modules/authorization/policy-assignment/subscription/main.bicep +++ /dev/null 
@@ -1,128 +0,0 @@
-metadata name = 'Policy Assignments (Subscription scope)'
-metadata description = 'This module deploys a Policy Assignment at a Subscription scope.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'subscription'
-
-@sys.description('Required. Specifies the name of the policy assignment. Maximum length is 64 characters for subscription scope.')
-@maxLength(64)
-param name string
-
-@sys.description('Optional. This message will be part of response in case of policy violation.')
-param description string = ''
-
-@sys.description('Optional. The display name of the policy assignment. Maximum length is 128 characters.')
-@maxLength(128)
-param displayName string = ''
-
-@sys.description('Required. Specifies the ID of the policy definition or policy set definition being assigned.')
-param policyDefinitionId string
-
-@sys.description('Optional. Parameters for the policy assignment if needed.')
-param parameters object = {}
-
-@sys.description('Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning \'Modify\' policy definitions.')
-@allowed([
- 'SystemAssigned'
- 'UserAssigned'
- 'None'
-])
-param identity string = 'SystemAssigned'
-
-@sys.description('Optional. The Resource ID for the user assigned identity to assign to the policy assignment.')
-param userAssignedIdentityId string = ''
-
-@sys.description('Optional. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition.')
-param roleDefinitionIds array = []
-
-@sys.description('Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
-param metadata object = {}
-
-@sys.description('Optional. The messages that describe why a resource is non-compliant with the policy.')
-param nonComplianceMessages array = []
-
-@sys.description('Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce.')
-@allowed([
- 'Default'
- 'DoNotEnforce'
-])
-param enforcementMode string = 'Default'
-
-@sys.description('Optional. The policy excluded scopes.')
-param notScopes array = []
-
-@sys.description('Optional. Location for all resources.')
-param location string = deployment().location
-
-@sys.description('Optional. The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition.')
-param overrides array = []
-
-@sys.description('Optional. The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location.')
-param resourceSelectors array = []
-
-@sys.description('Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. If not provided, will use the current scope for deployment.')
-param subscriptionId string = subscription().subscriptionId
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var identityVar = identity == 'SystemAssigned' ? {
- type: identity
-} : identity == 'UserAssigned' ? {
- type: identity
- userAssignedIdentities: {
- '${userAssignedIdentityId}': {}
- }
-} : null
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- location: location
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource policyAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
- name: name
- location: location
- properties: {
- displayName: !empty(displayName) ? displayName : null
- metadata: !empty(metadata) ? metadata : null
- description: !empty(description) ? description : null
- policyDefinitionId: policyDefinitionId
- parameters: parameters
- nonComplianceMessages: !empty(nonComplianceMessages) ? nonComplianceMessages : []
- enforcementMode: enforcementMode
- notScopes: !empty(notScopes) ? notScopes : []
- overrides: !empty(overrides) ? overrides : []
- resourceSelectors: !empty(resourceSelectors) ? resourceSelectors : []
- }
- identity: identityVar
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for roleDefinitionId in roleDefinitionIds: if (!empty(roleDefinitionIds) && identity == 'SystemAssigned') {
- name: guid(subscriptionId, roleDefinitionId, location, name)
- properties: {
- roleDefinitionId: roleDefinitionId
- principalId: policyAssignment.identity.principalId
- principalType: 'ServicePrincipal'
- }
-}]
-
-@sys.description('Policy Assignment Name.')
-output name string = policyAssignment.name
-
-@sys.description('Policy Assignment principal ID.')
-output principalId string = identity == 'SystemAssigned' ? policyAssignment.identity.principalId : ''
-
-@sys.description('Policy Assignment resource ID.')
-output resourceId string = policyAssignment.id
-
-@sys.description('The location the resource was deployed into.')
-output location string = policyAssignment.location
diff --git a/modules/authorization/policy-assignment/subscription/main.json b/modules/authorization/policy-assignment/subscription/main.json
deleted file mode 100644
index 2c40c5d10a..0000000000
--- a/modules/authorization/policy-assignment/subscription/main.json
+++ /dev/null
@@ -1,231 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6792324469101659711" - }, - "name": "Policy Assignments (Subscription scope)", - "description": "This module deploys a Policy Assignment at a Subscription scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. Specifies the name of the policy assignment. Maximum length is 64 characters for subscription scope." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. This message will be part of response in case of policy violation." - } - }, - "displayName": { - "type": "string", - "defaultValue": "", - "maxLength": 128, - "metadata": { - "description": "Optional. The display name of the policy assignment. Maximum length is 128 characters." - } - }, - "policyDefinitionId": { - "type": "string", - "metadata": { - "description": "Required. Specifies the ID of the policy definition or policy set definition being assigned." - } - }, - "parameters": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Parameters for the policy assignment if needed." - } - }, - "identity": { - "type": "string", - "defaultValue": "SystemAssigned", - "allowedValues": [ - "SystemAssigned", - "UserAssigned", - "None" - ], - "metadata": { - "description": "Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions." - } - }, - "userAssignedIdentityId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The Resource ID for the user assigned identity to assign to the policy assignment." 
- } - }, - "roleDefinitionIds": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs." - } - }, - "nonComplianceMessages": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The messages that describe why a resource is non-compliant with the policy." - } - }, - "enforcementMode": { - "type": "string", - "defaultValue": "Default", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "metadata": { - "description": "Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce." - } - }, - "notScopes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The policy excluded scopes." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "overrides": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition." 
- } - }, - "resourceSelectors": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location." - } - }, - "subscriptionId": { - "type": "string", - "defaultValue": "[subscription().subscriptionId]", - "metadata": { - "description": "Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. If not provided, will use the current scope for deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "identityVar": "[if(equals(parameters('identity'), 'SystemAssigned'), createObject('type', parameters('identity')), if(equals(parameters('identity'), 'UserAssigned'), createObject('type', parameters('identity'), 'userAssignedIdentities', createObject(format('{0}', parameters('userAssignedIdentityId')), createObject())), null()))]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "properties": { - "displayName": 
"[if(not(empty(parameters('displayName'))), parameters('displayName'), null())]", - "metadata": "[if(not(empty(parameters('metadata'))), parameters('metadata'), null())]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "policyDefinitionId": "[parameters('policyDefinitionId')]", - "parameters": "[parameters('parameters')]", - "nonComplianceMessages": "[if(not(empty(parameters('nonComplianceMessages'))), parameters('nonComplianceMessages'), createArray())]", - "enforcementMode": "[parameters('enforcementMode')]", - "notScopes": "[if(not(empty(parameters('notScopes'))), parameters('notScopes'), createArray())]", - "overrides": "[if(not(empty(parameters('overrides'))), parameters('overrides'), createArray())]", - "resourceSelectors": "[if(not(empty(parameters('resourceSelectors'))), parameters('resourceSelectors'), createArray())]" - }, - "identity": "[variables('identityVar')]" - }, - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('roleDefinitionIds'))]" - }, - "condition": "[and(not(empty(parameters('roleDefinitionIds'))), equals(parameters('identity'), 'SystemAssigned'))]", - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(parameters('subscriptionId'), parameters('roleDefinitionIds')[copyIndex()], parameters('location'), parameters('name'))]", - "properties": { - "roleDefinitionId": "[parameters('roleDefinitionIds')[copyIndex()]]", - "principalId": "[reference(subscriptionResourceId('Microsoft.Authorization/policyAssignments', parameters('name')), '2022-06-01', 'full').identity.principalId]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "[subscriptionResourceId('Microsoft.Authorization/policyAssignments', parameters('name'))]" - ] - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "Policy Assignment Name." 
- }, - "value": "[parameters('name')]" - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Policy Assignment principal ID." - }, - "value": "[if(equals(parameters('identity'), 'SystemAssigned'), reference(subscriptionResourceId('Microsoft.Authorization/policyAssignments', parameters('name')), '2022-06-01', 'full').identity.principalId, '')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Policy Assignment resource ID." - }, - "value": "[subscriptionResourceId('Microsoft.Authorization/policyAssignments', parameters('name'))]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference(subscriptionResourceId('Microsoft.Authorization/policyAssignments', parameters('name')), '2022-06-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/authorization/policy-assignment/subscription/version.json b/modules/authorization/policy-assignment/subscription/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/authorization/policy-assignment/subscription/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/authorization/policy-assignment/tests/e2e/mg.common/main.test.bicep b/modules/authorization/policy-assignment/tests/e2e/mg.common/main.test.bicep deleted file mode 100644 index 95285f90ac..0000000000 --- a/modules/authorization/policy-assignment/tests/e2e/mg.common/main.test.bicep +++ /dev/null 
@@ -1,94 +0,0 @@
-targetScope = 'managementGroup'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'apamgcom'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/39a366e6-fdde-4f41-bbf8-3757f46d1611'
- description: '[Description] Policy Assignment at the management group scope'
- displayName: '[Display Name] Policy Assignment at the management group scope'
- enforcementMode: 'DoNotEnforce'
- identity: 'SystemAssigned'
- location: location
- managementGroupId: last(split(managementGroup().id, '/'))
- metadata: {
- category: 'Security'
- version: '1.0'
- assignedBy: 'Bicep'
- }
- nonComplianceMessages: [
- {
- message: 'Violated Policy Assignment - This is a Non Compliance Message'
- }
- ]
- notScopes: [
- '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg'
- ]
- parameters: {
- enableCollectionOfSqlQueriesForSecurityResearch: {
- value: false
- }
- effect: {
- value: 'Disabled'
- }
- }
- roleDefinitionIds: [
- '/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
- ]
- overrides: [
- {
- kind: 'policyEffect'
- value: 'Disabled'
- selectors: [
- {
- kind:
'policyDefinitionReferenceId'
- in: [
- 'ASC_DeployAzureDefenderForSqlAdvancedThreatProtectionWindowsAgent'
- 'ASC_DeployAzureDefenderForSqlVulnerabilityAssessmentWindowsAgent'
- ]
- }
- ]
- }
- ]
- resourceSelectors: [
- {
- name: 'resourceSelector-test'
- selectors: [
- {
- kind: 'resourceType'
- in: [
- 'Microsoft.Compute/virtualMachines'
- ]
- }
- {
- kind: 'resourceLocation'
- in: [
- 'westeurope'
- ]
- }
- ]
- }
- ]
- }
-}
diff --git a/modules/authorization/policy-assignment/tests/e2e/mg.min/main.test.bicep b/modules/authorization/policy-assignment/tests/e2e/mg.min/main.test.bicep
deleted file mode 100644
index d0d00c55f3..0000000000
--- a/modules/authorization/policy-assignment/tests/e2e/mg.min/main.test.bicep
+++ /dev/null
@@ -1,30 +0,0 @@
-targetScope = 'managementGroup'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'apamgmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'
- metadata: {
- assignedBy: 'Bicep'
- }
- }
-}
diff --git a/modules/authorization/policy-assignment/tests/e2e/rg.common/dependencies.bicep b/modules/authorization/policy-assignment/tests/e2e/rg.common/dependencies.bicep
deleted file mode 100644
index f4151d61c7..0000000000
--- a/modules/authorization/policy-assignment/tests/e2e/rg.common/dependencies.bicep
+++ /dev/null
@@ -1,33 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: null
- accessPolicies: []
- }
-}
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
diff --git a/modules/authorization/policy-assignment/tests/e2e/rg.common/main.test.bicep b/modules/authorization/policy-assignment/tests/e2e/rg.common/main.test.bicep
deleted file mode 100644
index 3c64f5e2c1..0000000000
--- a/modules/authorization/policy-assignment/tests/e2e/rg.common/main.test.bicep
+++ /dev/null
@@ -1,121 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-authorization.policyassignments-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'apargcom'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../resource-group/main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/39a366e6-fdde-4f41-bbf8-3757f46d1611'
- description: '[Description] Policy Assignment at the resource group scope'
- displayName: '[Display Name] Policy Assignment at the resource group scope'
-
enforcementMode: 'DoNotEnforce'
- identity: 'UserAssigned'
- location: location
- metadata: {
- category: 'Security'
- version: '1.0'
- assignedBy: 'Bicep'
- }
- nonComplianceMessages: [
- {
- message: 'Violated Policy Assignment - This is a Non Compliance Message'
- }
- ]
- notScopes: [
- nestedDependencies.outputs.keyVaultResourceId
- ]
- parameters: {
- enableCollectionOfSqlQueriesForSecurityResearch: {
- value: false
- }
- effect: {
- value: 'Disabled'
- }
- }
- resourceGroupName: resourceGroup.name
- roleDefinitionIds: [
- '/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
- ]
- overrides: [
- {
- kind: 'policyEffect'
- value: 'Disabled'
- selectors: [
- {
- kind: 'policyDefinitionReferenceId'
- in: [
- 'ASC_DeployAzureDefenderForSqlAdvancedThreatProtectionWindowsAgent'
- 'ASC_DeployAzureDefenderForSqlVulnerabilityAssessmentWindowsAgent'
- ]
- }
- ]
- }
- ]
- resourceSelectors: [
- {
- name: 'resourceSelector-test'
- selectors: [
- {
- kind: 'resourceType'
- in: [
- 'Microsoft.Compute/virtualMachines'
- ]
- }
- {
- kind: 'resourceLocation'
- in: [
- 'westeurope'
- ]
- }
- ]
- }
- ]
- subscriptionId: subscription().subscriptionId
- userAssignedIdentityId: nestedDependencies.outputs.managedIdentityResourceId
- }
-}
diff --git a/modules/authorization/policy-assignment/tests/e2e/rg.min/main.test.bicep b/modules/authorization/policy-assignment/tests/e2e/rg.min/main.test.bicep
deleted file mode 100644
index 2953f4aace..0000000000
--- a/modules/authorization/policy-assignment/tests/e2e/rg.min/main.test.bicep
+++ /dev/null
@@ -1,50 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-authorization.policyassignments-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'apargmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../resource-group/main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'
- subscriptionId: subscription().subscriptionId
- metadata: {
- assignedBy: 'Bicep'
- }
- }
-}
diff --git a/modules/authorization/policy-assignment/tests/e2e/sub.common/dependencies.bicep b/modules/authorization/policy-assignment/tests/e2e/sub.common/dependencies.bicep
deleted file mode 100644
index f17c563bb2..0000000000
--- a/modules/authorization/policy-assignment/tests/e2e/sub.common/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
diff --git a/modules/authorization/policy-assignment/tests/e2e/sub.common/main.test.bicep b/modules/authorization/policy-assignment/tests/e2e/sub.common/main.test.bicep
deleted file mode 100644
index cb3c088c6c..0000000000
--- a/modules/authorization/policy-assignment/tests/e2e/sub.common/main.test.bicep
+++ /dev/null
@@ -1,118 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-authorization.policyassignments-${serviceShort}-rg'
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'apasubcom'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../subscription/main.bicep' = {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/39a366e6-fdde-4f41-bbf8-3757f46d1611'
- description: '[Description] Policy Assignment at the subscription scope'
- displayName: '[Display Name] Policy Assignment at the subscription scope'
- enforcementMode: 'DoNotEnforce'
- identity: 'UserAssigned'
- location: location
- metadata:
{
- category: 'Security'
- version: '1.0'
- assignedBy: 'Bicep'
- }
- nonComplianceMessages: [
- {
- message: 'Violated Policy Assignment - This is a Non Compliance Message'
- }
- ]
- notScopes: [
- '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg'
- ]
- parameters: {
- enableCollectionOfSqlQueriesForSecurityResearch: {
- value: false
- }
- effect: {
- value: 'Disabled'
- }
- }
- roleDefinitionIds: [
- '/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
- ]
- overrides: [
- {
- kind: 'policyEffect'
- value: 'Disabled'
- selectors: [
- {
- kind: 'policyDefinitionReferenceId'
- in: [
- 'ASC_DeployAzureDefenderForSqlAdvancedThreatProtectionWindowsAgent'
- 'ASC_DeployAzureDefenderForSqlVulnerabilityAssessmentWindowsAgent'
- ]
- }
- ]
- }
- ]
- resourceSelectors: [
- {
- name: 'resourceSelector-test'
- selectors: [
- {
- kind: 'resourceType'
- in: [
- 'Microsoft.Compute/virtualMachines'
- ]
- }
- {
- kind: 'resourceLocation'
- in: [
- 'westeurope'
- ]
- }
- ]
- }
- ]
- subscriptionId: subscription().subscriptionId
- userAssignedIdentityId: nestedDependencies.outputs.managedIdentityResourceId
- }
-}
diff --git a/modules/authorization/policy-assignment/tests/e2e/sub.min/main.test.bicep b/modules/authorization/policy-assignment/tests/e2e/sub.min/main.test.bicep
deleted file mode 100644
index d9039eca58..0000000000
--- a/modules/authorization/policy-assignment/tests/e2e/sub.min/main.test.bicep
+++ /dev/null
@@ -1,33 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'apasubmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../subscription/main.bicep' = {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'
- subscriptionId: subscription().subscriptionId
- metadata: {
- category: 'Security'
- version: '1.0'
- assignedBy: 'Bicep'
- }
- }
-}
diff --git a/modules/authorization/policy-assignment/version.json b/modules/authorization/policy-assignment/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/authorization/policy-assignment/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/authorization/policy-definition/README.md b/modules/authorization/policy-definition/README.md
index 94191d66bd..e416312377 100644
--- a/modules/authorization/policy-definition/README.md
+++ b/modules/authorization/policy-definition/README.md
@@ -1,741 +1,7 @@
-# Policy Definitions (All scopes) `[Microsoft.Authorization/policyDefinitions]`
+

⚠️ Retired ⚠️

-This module deploys a Policy Definition at a Management Group or Subscription scope. +This module has been retired without a replacement in Azure Verified Modules ([AVM](https://aka.ms/AVM)). -## Navigation +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/authorization/policy-definition). -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/policyDefinitions` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-06-01/policyDefinitions) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/authorization.policy-definition:1.0.0`. - -- [Mg.Common](#example-1-mgcommon) -- [Mg.Min](#example-2-mgmin) -- [Sub.Common](#example-3-subcommon) -- [Sub.Min](#example-4-submin) - -### Example 1: _Mg.Common_ - -
- -via Bicep module - -```bicep -module policyDefinition 'br:bicep/modules/authorization.policy-definition:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-apdmgcom' - params: { - // Required parameters - name: 'apdmgcom001' - policyRule: { - if: { - allOf: [ - { - equals: 'Microsoft.Resources/subscriptions' - field: 'type' - } - { - exists: 'false' - field: '[concat(\'tags[\', parameters(\'tagName\'), \']\')]' - } - ] - } - then: { - details: { - operations: [ - { - field: '[concat(\'tags[\', parameters(\'tagName\'), \']\')]' - operation: 'add' - value: '[parameters(\'tagValue\')]' - } - ] - roleDefinitionIds: [ - '/providers/microsoft.authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f' - ] - } - effect: 'modify' - } - } - // Non-required parameters - description: '[Description] This policy definition is deployed at the management group scope' - displayName: '[DisplayName] This policy definition is deployed at the management group scope' - enableDefaultTelemetry: '' - metadata: { - category: 'Security' - } - parameters: { - tagName: { - metadata: { - description: 'Name of the tag such as \'environment\'' - displayName: 'Tag Name' - } - type: 'String' - } - tagValue: { - metadata: { - description: 'Value of the tag such as \'environment\'' - displayName: 'Tag Value' - } - type: 'String' - } - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "apdmgcom001" - }, - "policyRule": { - "value": { - "if": { - "allOf": [ - { - "equals": "Microsoft.Resources/subscriptions", - "field": "type" - }, - { - "exists": "false", - "field": "[concat(\"tags[\", parameters(\"tagName\"), \"]\")]" - } - ] - }, - "then": { - "details": { - "operations": [ - { - "field": "[concat(\"tags[\", parameters(\"tagName\"), \"]\")]", - "operation": "add", - "value": "[parameters(\"tagValue\")]" - } - ], - "roleDefinitionIds": [ - "/providers/microsoft.authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f" - ] - }, - "effect": "modify" - } - } - }, - // Non-required parameters - "description": { - "value": "[Description] This policy definition is deployed at the management group scope" - }, - "displayName": { - "value": "[DisplayName] This policy definition is deployed at the management group scope" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "metadata": { - "value": { - "category": "Security" - } - }, - "parameters": { - "value": { - "tagName": { - "metadata": { - "description": "Name of the tag such as \"environment\"", - "displayName": "Tag Name" - }, - "type": "String" - }, - "tagValue": { - "metadata": { - "description": "Value of the tag such as \"environment\"", - "displayName": "Tag Value" - }, - "type": "String" - } - } - } - } -} -``` - -
-

- -### Example 2: _Mg.Min_ - -

- -via Bicep module - -```bicep -module policyDefinition 'br:bicep/modules/authorization.policy-definition:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-apdmgmin' - params: { - // Required parameters - name: 'apdmgmin001' - policyRule: { - if: { - allOf: [ - { - equals: 'Microsoft.KeyVault/vaults' - field: 'type' - } - ] - } - then: { - effect: '[parameters(\'effect\')]' - } - } - // Non-required parameters - enableDefaultTelemetry: '' - parameters: { - effect: { - allowedValues: [ - 'Audit' - ] - defaultValue: 'Audit' - type: 'String' - } - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "apdmgmin001" - }, - "policyRule": { - "value": { - "if": { - "allOf": [ - { - "equals": "Microsoft.KeyVault/vaults", - "field": "type" - } - ] - }, - "then": { - "effect": "[parameters(\"effect\")]" - } - } - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "parameters": { - "value": { - "effect": { - "allowedValues": [ - "Audit" - ], - "defaultValue": "Audit", - "type": "String" - } - } - } - } -} -``` - -
-

- -### Example 3: _Sub.Common_ - -

- -via Bicep module - -```bicep -module policyDefinition 'br:bicep/modules/authorization.policy-definition:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-apdsubcom' - params: { - // Required parameters - name: 'apdsubcom001' - policyRule: { - if: { - allOf: [ - { - equals: 'Microsoft.Resources/subscriptions' - field: 'type' - } - { - exists: 'false' - field: '[concat(\'tags[\', parameters(\'tagName\'), \']\')]' - } - ] - } - then: { - details: { - operations: [ - { - field: '[concat(\'tags[\', parameters(\'tagName\'), \']\')]' - operation: 'add' - value: '[parameters(\'tagValue\')]' - } - ] - roleDefinitionIds: [ - '/providers/microsoft.authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f' - ] - } - effect: 'modify' - } - } - // Non-required parameters - description: '[Description] This policy definition is deployed at subscription scope' - displayName: '[DisplayName] This policy definition is deployed at subscription scope' - enableDefaultTelemetry: '' - metadata: { - category: 'Security' - } - parameters: { - tagName: { - metadata: { - description: 'Name of the tag such as \'environment\'' - displayName: 'Tag Name' - } - type: 'String' - } - tagValue: { - metadata: { - description: 'Value of the tag such as \'production\'' - displayName: 'Tag Value' - } - type: 'String' - } - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "apdsubcom001" - }, - "policyRule": { - "value": { - "if": { - "allOf": [ - { - "equals": "Microsoft.Resources/subscriptions", - "field": "type" - }, - { - "exists": "false", - "field": "[concat(\"tags[\", parameters(\"tagName\"), \"]\")]" - } - ] - }, - "then": { - "details": { - "operations": [ - { - "field": "[concat(\"tags[\", parameters(\"tagName\"), \"]\")]", - "operation": "add", - "value": "[parameters(\"tagValue\")]" - } - ], - "roleDefinitionIds": [ - "/providers/microsoft.authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f" - ] - }, - "effect": "modify" - } - } - }, - // Non-required parameters - "description": { - "value": "[Description] This policy definition is deployed at subscription scope" - }, - "displayName": { - "value": "[DisplayName] This policy definition is deployed at subscription scope" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "metadata": { - "value": { - "category": "Security" - } - }, - "parameters": { - "value": { - "tagName": { - "metadata": { - "description": "Name of the tag such as \"environment\"", - "displayName": "Tag Name" - }, - "type": "String" - }, - "tagValue": { - "metadata": { - "description": "Value of the tag such as \"production\"", - "displayName": "Tag Value" - }, - "type": "String" - } - } - } - } -} -``` - -
-

- -### Example 4: _Sub.Min_ - -

- -via Bicep module - -```bicep -module policyDefinition 'br:bicep/modules/authorization.policy-definition:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-apdsubmin' - params: { - // Required parameters - name: 'apdsubmin001' - policyRule: { - if: { - allOf: [ - { - equals: 'Microsoft.KeyVault/vaults' - field: 'type' - } - ] - } - then: { - effect: '[parameters(\'effect\')]' - } - } - // Non-required parameters - enableDefaultTelemetry: '' - parameters: { - effect: { - allowedValues: [ - 'Audit' - ] - defaultValue: 'Audit' - type: 'String' - } - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "apdsubmin001" - }, - "policyRule": { - "value": { - "if": { - "allOf": [ - { - "equals": "Microsoft.KeyVault/vaults", - "field": "type" - } - ] - }, - "then": { - "effect": "[parameters(\"effect\")]" - } - } - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "parameters": { - "value": { - "effect": { - "allowedValues": [ - "Audit" - ], - "defaultValue": "Audit", - "type": "String" - } - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Specifies the name of the policy definition. Maximum length is 64 characters for management group scope and subscription scope. | -| [`policyRule`](#parameter-policyrule) | object | The Policy Rule details for the Policy Definition. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`description`](#parameter-description) | string | The policy definition description. | -| [`displayName`](#parameter-displayname) | string | The display name of the policy definition. Maximum length is 128 characters. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location deployment metadata. | -| [`managementGroupId`](#parameter-managementgroupid) | string | The group ID of the Management Group (Scope). If not provided, will use the current scope for deployment. | -| [`metadata`](#parameter-metadata) | object | The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | -| [`mode`](#parameter-mode) | string | The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. | -| [`parameters`](#parameter-parameters) | object | The policy definition parameters that can be used in policy definition references. | -| [`subscriptionId`](#parameter-subscriptionid) | string | The subscription ID of the subscription (Scope). Cannot be used with managementGroupId. | - -### Parameter: `name` - -Specifies the name of the policy definition. Maximum length is 64 characters for management group scope and subscription scope. - -- Required: Yes -- Type: string - -### Parameter: `policyRule` - -The Policy Rule details for the Policy Definition. 
- -- Required: Yes -- Type: object - -### Parameter: `description` - -The policy definition description. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `displayName` - -The display name of the policy definition. Maximum length is 128 characters. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location deployment metadata. - -- Required: No -- Type: string -- Default: `[deployment().location]` - -### Parameter: `managementGroupId` - -The group ID of the Management Group (Scope). If not provided, will use the current scope for deployment. - -- Required: No -- Type: string -- Default: `[managementGroup().name]` - -### Parameter: `metadata` - -The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `mode` - -The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. - -- Required: No -- Type: string -- Default: `'All'` -- Allowed: - ```Bicep - [ - 'All' - 'Indexed' - 'Microsoft.ContainerService.Data' - 'Microsoft.KeyVault.Data' - 'Microsoft.Kubernetes.Data' - 'Microsoft.Network.Data' - ] - ``` - -### Parameter: `parameters` - -The policy definition parameters that can be used in policy definition references. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `subscriptionId` - -The subscription ID of the subscription (Scope). Cannot be used with managementGroupId. - -- Required: No -- Type: string -- Default: `''` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Policy Definition Name. | -| `resourceId` | string | Policy Definition resource ID. | -| `roleDefinitionIds` | array | Policy Definition Role Definition IDs. 
| - -## Cross-referenced modules - -_None_ - -## Notes - -### Module Usage Guidance - -In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `main.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](main.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/main.bicep'](./subscription/main.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module. - -The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If you do not set the scope to management group, this would be the error that you can expect to face: - -```bicep -Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup" -``` - -The solution is to have the option of directly targeting the sub-module that achieves the required scope. For example, if you have your own Bicep file wanting to create resources at the subscription level, and also use some of the modules from the `Microsoft.Authorization` namespace, then you can directly use the sub-module ['/subscription/main.bicep'](./subscription/main.bicep) as a path within your repository, or reference that same published module from the bicep registry. 
CARML also published the sub-modules so you would be able to reference it like the following: - -**Bicep Registry Reference** -```bicep -module policydefinition 'br:bicepregistry.azurecr.io/bicep/modules/authorization.policy-definition.subscription:version' = {} -``` -**Local Path Reference** -```bicep -module policydefinition 'yourpath/module/authorization/policy-definition/subscription/main.bicep' = {} -``` - -### Parameter Usage: `managementGroupId` - -To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module. - -

- -Parameter JSON format - -```json -"managementGroupId": { - "value": "contoso-group" -} -``` - -
- - -
- -Bicep format - -```bicep -managementGroupId: 'contoso-group' -``` - -
-

- -> `managementGroupId` is an optional parameter. If not provided, the deployment will use the management group defined in the current deployment scope (i.e. `managementGroup().name`). - -### Parameter Usage: `subscriptionId` - -To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. **Example**: - -

- -Parameter JSON format - -```json -"subscriptionId": { - "value": "12345678-b049-471c-95af-123456789012" -} -``` - -
- -
- -Bicep format - -```bicep -subscriptionId: '12345678-b049-471c-95af-123456789012' -``` - -
-

+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/authorization/policy-definition/main.bicep b/modules/authorization/policy-definition/main.bicep
deleted file mode 100644
index 8649c39875..0000000000
--- a/modules/authorization/policy-definition/main.bicep
+++ /dev/null
@@ -1,104 +0,0 @@
-metadata name = 'Policy Definitions (All scopes)'
-metadata description = 'This module deploys a Policy Definition at a Management Group or Subscription scope.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'managementGroup'
-
-@sys.description('Required. Specifies the name of the policy definition. Maximum length is 64 characters for management group scope and subscription scope.')
-@maxLength(64)
-param name string
-
-@sys.description('Optional. The display name of the policy definition. Maximum length is 128 characters.')
-@maxLength(128)
-param displayName string = ''
-
-@sys.description('Optional. The policy definition description.')
-param description string = ''
-
-@sys.description('Optional. The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data.')
-@allowed([
- 'All'
- 'Indexed'
- 'Microsoft.KeyVault.Data'
- 'Microsoft.ContainerService.Data'
- 'Microsoft.Kubernetes.Data'
- 'Microsoft.Network.Data'
-])
-param mode string = 'All'
-
-@sys.description('Optional. The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
-param metadata object = {}
-
-@sys.description('Optional. The policy definition parameters that can be used in policy definition references.')
-param parameters object = {}
-
-@sys.description('Required. The Policy Rule details for the Policy Definition.')
-param policyRule object
-
-@sys.description('Optional. The group ID of the Management Group (Scope). If not provided, will use the current scope for deployment.')
-param managementGroupId string = managementGroup().name
-
-@sys.description('Optional. The subscription ID of the subscription (Scope). Cannot be used with managementGroupId.')
-param subscriptionId string = ''
-
-@sys.description('Optional. Location deployment metadata.')
-param location string = deployment().location
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- location: location
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-module policyDefinition_mg 'management-group/main.bicep' = if (empty(subscriptionId)) {
- name: '${uniqueString(deployment().name, location)}-PolicyDefinition-MG-Module'
- scope: managementGroup(managementGroupId)
- params: {
- name: name
- mode: mode
- displayName: !empty(displayName) ? displayName : ''
- description: !empty(description) ? description : ''
- metadata: !empty(metadata) ? metadata : {}
- parameters: !empty(parameters) ? parameters : {}
- policyRule: policyRule
- location: location
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module policyDefinition_sub 'subscription/main.bicep' = if (!empty(subscriptionId)) {
- name: '${uniqueString(deployment().name, location)}-PolicyDefinition-Sub-Module'
- scope: subscription(subscriptionId)
- params: {
- name: name
- mode: mode
- displayName: !empty(displayName) ? displayName : ''
- description: !empty(description) ? description : ''
- metadata: !empty(metadata) ? metadata : {}
- parameters: !empty(parameters) ? parameters : {}
- policyRule: policyRule
- location: location
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-@sys.description('Policy Definition Name.')
-output name string = empty(subscriptionId) ? policyDefinition_mg.outputs.name : policyDefinition_sub.outputs.name
-
-@sys.description('Policy Definition resource ID.')
-output resourceId string = empty(subscriptionId) ? policyDefinition_mg.outputs.resourceId : policyDefinition_sub.outputs.resourceId
-
-@sys.description('Policy Definition Role Definition IDs.')
-output roleDefinitionIds array = empty(subscriptionId) ? policyDefinition_mg.outputs.roleDefinitionIds : policyDefinition_sub.outputs.roleDefinitionIds
diff --git a/modules/authorization/policy-definition/main.json b/modules/authorization/policy-definition/main.json
deleted file mode 100644
index a299944baf..0000000000
--- a/modules/authorization/policy-definition/main.json
+++ /dev/null
@@ -1,496 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "1518485483876836980" - }, - "name": "Policy Definitions (All scopes)", - "description": "This module deploys a Policy Definition at a Management Group or Subscription scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. Specifies the name of the policy definition. Maximum length is 64 characters for management group scope and subscription scope." - } - }, - "displayName": { - "type": "string", - "defaultValue": "", - "maxLength": 128, - "metadata": { - "description": "Optional. The display name of the policy definition. Maximum length is 128 characters." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The policy definition description." - } - }, - "mode": { - "type": "string", - "defaultValue": "All", - "allowedValues": [ - "All", - "Indexed", - "Microsoft.KeyVault.Data", - "Microsoft.ContainerService.Data", - "Microsoft.Kubernetes.Data", - "Microsoft.Network.Data" - ], - "metadata": { - "description": "Optional. The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs." - } - }, - "parameters": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The policy definition parameters that can be used in policy definition references." - } - }, - "policyRule": { - "type": "object", - "metadata": { - "description": "Required. 
The Policy Rule details for the Policy Definition." - } - }, - "managementGroupId": { - "type": "string", - "defaultValue": "[managementGroup().name]", - "metadata": { - "description": "Optional. The group ID of the Management Group (Scope). If not provided, will use the current scope for deployment." - } - }, - "subscriptionId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The subscription ID of the subscription (Scope). Cannot be used with managementGroupId." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "condition": "[empty(parameters('subscriptionId'))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PolicyDefinition-MG-Module', uniqueString(deployment().name, parameters('location')))]", - "scope": "[format('Microsoft.Management/managementGroups/{0}', parameters('managementGroupId'))]", - "location": "[deployment().location]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - 
"value": "[parameters('name')]" - }, - "mode": { - "value": "[parameters('mode')]" - }, - "displayName": "[if(not(empty(parameters('displayName'))), createObject('value', parameters('displayName')), createObject('value', ''))]", - "description": "[if(not(empty(parameters('description'))), createObject('value', parameters('description')), createObject('value', ''))]", - "metadata": "[if(not(empty(parameters('metadata'))), createObject('value', parameters('metadata')), createObject('value', createObject()))]", - "parameters": "[if(not(empty(parameters('parameters'))), createObject('value', parameters('parameters')), createObject('value', createObject()))]", - "policyRule": { - "value": "[parameters('policyRule')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2259464056966333575" - }, - "name": "Policy Definitions (Management Group scope)", - "description": "This module deploys a Policy Definition at a Management Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. Specifies the name of the policy definition. Maximum length is 64 characters." - } - }, - "displayName": { - "type": "string", - "defaultValue": "", - "maxLength": 128, - "metadata": { - "description": "Optional. The display name of the policy definition. Maximum length is 128 characters." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The policy definition description." 
- } - }, - "mode": { - "type": "string", - "defaultValue": "All", - "allowedValues": [ - "All", - "Indexed", - "Microsoft.KeyVault.Data", - "Microsoft.ContainerService.Data", - "Microsoft.Kubernetes.Data", - "Microsoft.Network.Data" - ], - "metadata": { - "description": "Optional. The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs." - } - }, - "parameters": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The policy definition parameters that can be used in policy definition references." - } - }, - "policyRule": { - "type": "object", - "metadata": { - "description": "Required. The Policy Rule details for the Policy Definition." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2021-06-01", - "name": "[parameters('name')]", - "properties": { - "policyType": "Custom", - "mode": "[parameters('mode')]", - "displayName": "[if(not(empty(parameters('displayName'))), parameters('displayName'), null())]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "metadata": "[if(not(empty(parameters('metadata'))), parameters('metadata'), null())]", - "parameters": "[if(not(empty(parameters('parameters'))), parameters('parameters'), null())]", - "policyRule": "[parameters('policyRule')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "Policy Definition Name." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Policy Definition resource ID." - }, - "value": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', parameters('name'))]" - }, - "roleDefinitionIds": { - "type": "array", - "metadata": { - "description": "Policy Definition Role Definition IDs." 
- }, - "value": "[if(contains(reference(extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', parameters('name')), '2021-06-01').policyRule.then, 'details'), if(contains(reference(extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', parameters('name')), '2021-06-01').policyRule.then.details, 'roleDefinitionIds'), reference(extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', parameters('name')), '2021-06-01').policyRule.then.details.roleDefinitionIds, createArray()), createArray())]" - } - } - } - } - }, - { - "condition": "[not(empty(parameters('subscriptionId')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PolicyDefinition-Sub-Module', uniqueString(deployment().name, parameters('location')))]", - "subscriptionId": "[parameters('subscriptionId')]", - "location": "[deployment().location]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('name')]" - }, - "mode": { - "value": "[parameters('mode')]" - }, - "displayName": "[if(not(empty(parameters('displayName'))), createObject('value', parameters('displayName')), createObject('value', ''))]", - "description": "[if(not(empty(parameters('description'))), createObject('value', parameters('description')), createObject('value', ''))]", - "metadata": "[if(not(empty(parameters('metadata'))), createObject('value', parameters('metadata')), createObject('value', createObject()))]", - "parameters": "[if(not(empty(parameters('parameters'))), createObject('value', parameters('parameters')), createObject('value', createObject()))]", - "policyRule": { - "value": "[parameters('policyRule')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - 
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "12007737347705921951" - }, - "name": "Policy Definitions (Subscription scope)", - "description": "This module deploys a Policy Definition at a Subscription scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. Specifies the name of the policy definition. Maximum length is 64 characters." - } - }, - "displayName": { - "type": "string", - "defaultValue": "", - "maxLength": 128, - "metadata": { - "description": "Optional. The display name of the policy definition. Maximum length is 128 characters." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The policy definition description." - } - }, - "mode": { - "type": "string", - "defaultValue": "All", - "allowedValues": [ - "All", - "Indexed", - "Microsoft.KeyVault.Data", - "Microsoft.ContainerService.Data", - "Microsoft.Kubernetes.Data", - "Microsoft.Network.Data" - ], - "metadata": { - "description": "Optional. The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs." - } - }, - "parameters": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The policy definition parameters that can be used in policy definition references." - } - }, - "policyRule": { - "type": "object", - "metadata": { - "description": "Required. The Policy Rule details for the Policy Definition." 
- } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2021-06-01", - "name": "[parameters('name')]", - "properties": { - "policyType": "Custom", - "mode": "[parameters('mode')]", - "displayName": "[if(not(empty(parameters('displayName'))), parameters('displayName'), null())]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "metadata": "[if(not(empty(parameters('metadata'))), parameters('metadata'), null())]", - "parameters": "[if(not(empty(parameters('parameters'))), parameters('parameters'), null())]", - "policyRule": "[parameters('policyRule')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "Policy Definition Name." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Policy Definition resource ID." 
- }, - "value": "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions', parameters('name'))]" - }, - "roleDefinitionIds": { - "type": "array", - "metadata": { - "description": "Policy Definition Role Definition IDs." - }, - "value": "[if(contains(reference(subscriptionResourceId('Microsoft.Authorization/policyDefinitions', parameters('name')), '2021-06-01').policyRule.then, 'details'), if(contains(reference(subscriptionResourceId('Microsoft.Authorization/policyDefinitions', parameters('name')), '2021-06-01').policyRule.then.details, 'roleDefinitionIds'), reference(subscriptionResourceId('Microsoft.Authorization/policyDefinitions', parameters('name')), '2021-06-01').policyRule.then.details.roleDefinitionIds, createArray()), createArray())]" - } - } - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "Policy Definition Name." - }, - "value": "[if(empty(parameters('subscriptionId')), reference(extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', parameters('managementGroupId')), 'Microsoft.Resources/deployments', format('{0}-PolicyDefinition-MG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value, reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-PolicyDefinition-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value)]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Policy Definition resource ID." 
- }, - "value": "[if(empty(parameters('subscriptionId')), reference(extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', parameters('managementGroupId')), 'Microsoft.Resources/deployments', format('{0}-PolicyDefinition-MG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value, reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-PolicyDefinition-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value)]" - }, - "roleDefinitionIds": { - "type": "array", - "metadata": { - "description": "Policy Definition Role Definition IDs." - }, - "value": "[if(empty(parameters('subscriptionId')), reference(extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', parameters('managementGroupId')), 'Microsoft.Resources/deployments', format('{0}-PolicyDefinition-MG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.roleDefinitionIds.value, reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-PolicyDefinition-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.roleDefinitionIds.value)]" - } - } -} \ No newline at end of file diff --git a/modules/authorization/policy-definition/management-group/README.md b/modules/authorization/policy-definition/management-group/README.md deleted file mode 100644 index 610d78baf7..0000000000 --- a/modules/authorization/policy-definition/management-group/README.md +++ /dev/null 
@@ -1,131 +0,0 @@
-# Policy Definitions (Management Group scope) `[Microsoft.Authorization/policyDefinitions]`
-
-This module deploys a Policy Definition at a Management Group scope.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Authorization/policyDefinitions` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-06-01/policyDefinitions) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | Specifies the name of the policy definition. Maximum length is 64 characters. |
-| [`policyRule`](#parameter-policyrule) | object | The Policy Rule details for the Policy Definition. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`description`](#parameter-description) | string | The policy definition description. |
-| [`displayName`](#parameter-displayname) | string | The display name of the policy definition. Maximum length is 128 characters. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`location`](#parameter-location) | string | Location deployment metadata. |
-| [`metadata`](#parameter-metadata) | object | The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
-| [`mode`](#parameter-mode) | string | The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. |
-| [`parameters`](#parameter-parameters) | object | The policy definition parameters that can be used in policy definition references. |
-
-### Parameter: `name`
-
-Specifies the name of the policy definition. Maximum length is 64 characters.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `policyRule`
-
-The Policy Rule details for the Policy Definition.
-
-- Required: Yes
-- Type: object
-
-### Parameter: `description`
-
-The policy definition description.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `displayName`
-
-The display name of the policy definition. Maximum length is 128 characters.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `location`
-
-Location deployment metadata.
-
-- Required: No
-- Type: string
-- Default: `[deployment().location]`
-
-### Parameter: `metadata`
-
-The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `mode`
-
-The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data.
-
-- Required: No
-- Type: string
-- Default: `'All'`
-- Allowed:
- ```Bicep
- [
- 'All'
- 'Indexed'
- 'Microsoft.ContainerService.Data'
- 'Microsoft.KeyVault.Data'
- 'Microsoft.Kubernetes.Data'
- 'Microsoft.Network.Data'
- ]
- ```
-
-### Parameter: `parameters`
-
-The policy definition parameters that can be used in policy definition references.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | Policy Definition Name. |
-| `resourceId` | string | Policy Definition resource ID. |
-| `roleDefinitionIds` | array | Policy Definition Role Definition IDs. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/authorization/policy-definition/management-group/main.bicep b/modules/authorization/policy-definition/management-group/main.bicep
deleted file mode 100644
index 3d14724f81..0000000000
--- a/modules/authorization/policy-definition/management-group/main.bicep
+++ /dev/null
@@ -1,77 +0,0 @@
-metadata name = 'Policy Definitions (Management Group scope)'
-metadata description = 'This module deploys a Policy Definition at a Management Group scope.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'managementGroup'
-
-@sys.description('Required. Specifies the name of the policy definition. Maximum length is 64 characters.')
-@maxLength(64)
-param name string
-
-@sys.description('Optional. The display name of the policy definition. Maximum length is 128 characters.')
-@maxLength(128)
-param displayName string = ''
-
-@sys.description('Optional. The policy definition description.')
-param description string = ''
-
-@sys.description('Optional. The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data.')
-@allowed([
- 'All'
- 'Indexed'
- 'Microsoft.KeyVault.Data'
- 'Microsoft.ContainerService.Data'
- 'Microsoft.Kubernetes.Data'
- 'Microsoft.Network.Data'
-])
-param mode string = 'All'
-
-@sys.description('Optional. The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
-param metadata object = {}
-
-@sys.description('Optional. The policy definition parameters that can be used in policy definition references.')
-param parameters object = {}
-
-@sys.description('Required. The Policy Rule details for the Policy Definition.')
-param policyRule object
-
-@sys.description('Optional. Location deployment metadata.')
-param location string = deployment().location
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- location: location
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
- name: name
- properties: {
- policyType: 'Custom'
- mode: mode
- displayName: !empty(displayName) ? displayName : null
- description: !empty(description) ? description : null
- metadata: !empty(metadata) ? metadata : null
- parameters: !empty(parameters) ? parameters : null
- policyRule: policyRule
- }
-}
-
-@sys.description('Policy Definition Name.')
-output name string = policyDefinition.name
-
-@sys.description('Policy Definition resource ID.')
-output resourceId string = policyDefinition.id
-
-@sys.description('Policy Definition Role Definition IDs.')
-output roleDefinitionIds array = (contains(policyDefinition.properties.policyRule.then, 'details') ? ((contains(policyDefinition.properties.policyRule.then.details, 'roleDefinitionIds') ? policyDefinition.properties.policyRule.then.details.roleDefinitionIds : [])) : [])
diff --git a/modules/authorization/policy-definition/management-group/main.json b/modules/authorization/policy-definition/management-group/main.json
deleted file mode 100644
index 41f0e262e6..0000000000
--- a/modules/authorization/policy-definition/management-group/main.json
+++ /dev/null
@@ -1,141 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2259464056966333575" - }, - "name": "Policy Definitions (Management Group scope)", - "description": "This module deploys a Policy Definition at a Management Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. Specifies the name of the policy definition. Maximum length is 64 characters." - } - }, - "displayName": { - "type": "string", - "defaultValue": "", - "maxLength": 128, - "metadata": { - "description": "Optional. The display name of the policy definition. Maximum length is 128 characters." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The policy definition description." - } - }, - "mode": { - "type": "string", - "defaultValue": "All", - "allowedValues": [ - "All", - "Indexed", - "Microsoft.KeyVault.Data", - "Microsoft.ContainerService.Data", - "Microsoft.Kubernetes.Data", - "Microsoft.Network.Data" - ], - "metadata": { - "description": "Optional. The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs." - } - }, - "parameters": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The policy definition parameters that can be used in policy definition references." - } - }, - "policyRule": { - "type": "object", - "metadata": { - "description": "Required. The Policy Rule details for the Policy Definition." 
- } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2021-06-01", - "name": "[parameters('name')]", - "properties": { - "policyType": "Custom", - "mode": "[parameters('mode')]", - "displayName": "[if(not(empty(parameters('displayName'))), parameters('displayName'), null())]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "metadata": "[if(not(empty(parameters('metadata'))), parameters('metadata'), null())]", - "parameters": "[if(not(empty(parameters('parameters'))), parameters('parameters'), null())]", - "policyRule": "[parameters('policyRule')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "Policy Definition Name." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Policy Definition resource ID." 
- }, - "value": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', parameters('name'))]" - }, - "roleDefinitionIds": { - "type": "array", - "metadata": { - "description": "Policy Definition Role Definition IDs." - }, - "value": "[if(contains(reference(extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', parameters('name')), '2021-06-01').policyRule.then, 'details'), if(contains(reference(extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', parameters('name')), '2021-06-01').policyRule.then.details, 'roleDefinitionIds'), reference(extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', parameters('name')), '2021-06-01').policyRule.then.details.roleDefinitionIds, createArray()), createArray())]" - } - } -} \ No newline at end of file diff --git a/modules/authorization/policy-definition/management-group/version.json b/modules/authorization/policy-definition/management-group/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/authorization/policy-definition/management-group/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/authorization/policy-definition/subscription/README.md b/modules/authorization/policy-definition/subscription/README.md deleted file mode 100644 index 6de136d33a..0000000000 --- a/modules/authorization/policy-definition/subscription/README.md +++ /dev/null 
@@ -1,131 +0,0 @@
-# Policy Definitions (Subscription scope) `[Microsoft.Authorization/policyDefinitions]`
-
-This module deploys a Policy Definition at a Subscription scope.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Authorization/policyDefinitions` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-06-01/policyDefinitions) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | Specifies the name of the policy definition. Maximum length is 64 characters. |
-| [`policyRule`](#parameter-policyrule) | object | The Policy Rule details for the Policy Definition. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`description`](#parameter-description) | string | The policy definition description. |
-| [`displayName`](#parameter-displayname) | string | The display name of the policy definition. Maximum length is 128 characters. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`location`](#parameter-location) | string | Location deployment metadata. |
-| [`metadata`](#parameter-metadata) | object | The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
-| [`mode`](#parameter-mode) | string | The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. |
-| [`parameters`](#parameter-parameters) | object | The policy definition parameters that can be used in policy definition references. |
-
-### Parameter: `name`
-
-Specifies the name of the policy definition. Maximum length is 64 characters.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `policyRule`
-
-The Policy Rule details for the Policy Definition.
-
-- Required: Yes
-- Type: object
-
-### Parameter: `description`
-
-The policy definition description.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `displayName`
-
-The display name of the policy definition. Maximum length is 128 characters.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `location`
-
-Location deployment metadata.
-
-- Required: No
-- Type: string
-- Default: `[deployment().location]`
-
-### Parameter: `metadata`
-
-The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `mode`
-
-The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data.
-
-- Required: No
-- Type: string
-- Default: `'All'`
-- Allowed:
- ```Bicep
- [
- 'All'
- 'Indexed'
- 'Microsoft.ContainerService.Data'
- 'Microsoft.KeyVault.Data'
- 'Microsoft.Kubernetes.Data'
- 'Microsoft.Network.Data'
- ]
- ```
-
-### Parameter: `parameters`
-
-The policy definition parameters that can be used in policy definition references.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | Policy Definition Name. |
-| `resourceId` | string | Policy Definition resource ID. |
-| `roleDefinitionIds` | array | Policy Definition Role Definition IDs. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/authorization/policy-definition/subscription/main.bicep b/modules/authorization/policy-definition/subscription/main.bicep
deleted file mode 100644
index 8bdb6898d5..0000000000
--- a/modules/authorization/policy-definition/subscription/main.bicep
+++ /dev/null
@@ -1,77 +0,0 @@
-metadata name = 'Policy Definitions (Subscription scope)'
-metadata description = 'This module deploys a Policy Definition at a Subscription scope.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'subscription'
-
-@sys.description('Required. Specifies the name of the policy definition. Maximum length is 64 characters.')
-@maxLength(64)
-param name string
-
-@sys.description('Optional. The display name of the policy definition. Maximum length is 128 characters.')
-@maxLength(128)
-param displayName string = ''
-
-@sys.description('Optional. The policy definition description.')
-param description string = ''
-
-@sys.description('Optional. The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data.')
-@allowed([
- 'All'
- 'Indexed'
- 'Microsoft.KeyVault.Data'
- 'Microsoft.ContainerService.Data'
- 'Microsoft.Kubernetes.Data'
- 'Microsoft.Network.Data'
-])
-param mode string = 'All'
-
-@sys.description('Optional. The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
-param metadata object = {}
-
-@sys.description('Optional. The policy definition parameters that can be used in policy definition references.')
-param parameters object = {}
-
-@sys.description('Required. The Policy Rule details for the Policy Definition.')
-param policyRule object
-
-@sys.description('Optional. Location deployment metadata.')
-param location string = deployment().location
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- location: location
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
- name: name
- properties: {
- policyType: 'Custom'
- mode: mode
- displayName: !empty(displayName) ? displayName : null
- description: !empty(description) ? description : null
- metadata: !empty(metadata) ? metadata : null
- parameters: !empty(parameters) ? parameters : null
- policyRule: policyRule
- }
-}
-
-@sys.description('Policy Definition Name.')
-output name string = policyDefinition.name
-
-@sys.description('Policy Definition resource ID.')
-output resourceId string = policyDefinition.id
-
-@sys.description('Policy Definition Role Definition IDs.')
-output roleDefinitionIds array = (contains(policyDefinition.properties.policyRule.then, 'details') ? ((contains(policyDefinition.properties.policyRule.then.details, 'roleDefinitionIds') ? policyDefinition.properties.policyRule.then.details.roleDefinitionIds : [])) : [])
diff --git a/modules/authorization/policy-definition/subscription/main.json b/modules/authorization/policy-definition/subscription/main.json
deleted file mode 100644
index c7c9979db4..0000000000
--- a/modules/authorization/policy-definition/subscription/main.json
+++ /dev/null
@@ -1,141 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "12007737347705921951" - }, - "name": "Policy Definitions (Subscription scope)", - "description": "This module deploys a Policy Definition at a Subscription scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. Specifies the name of the policy definition. Maximum length is 64 characters." - } - }, - "displayName": { - "type": "string", - "defaultValue": "", - "maxLength": 128, - "metadata": { - "description": "Optional. The display name of the policy definition. Maximum length is 128 characters." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The policy definition description." - } - }, - "mode": { - "type": "string", - "defaultValue": "All", - "allowedValues": [ - "All", - "Indexed", - "Microsoft.KeyVault.Data", - "Microsoft.ContainerService.Data", - "Microsoft.Kubernetes.Data", - "Microsoft.Network.Data" - ], - "metadata": { - "description": "Optional. The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs." - } - }, - "parameters": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The policy definition parameters that can be used in policy definition references." - } - }, - "policyRule": { - "type": "object", - "metadata": { - "description": "Required. The Policy Rule details for the Policy Definition." 
- } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2021-06-01", - "name": "[parameters('name')]", - "properties": { - "policyType": "Custom", - "mode": "[parameters('mode')]", - "displayName": "[if(not(empty(parameters('displayName'))), parameters('displayName'), null())]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "metadata": "[if(not(empty(parameters('metadata'))), parameters('metadata'), null())]", - "parameters": "[if(not(empty(parameters('parameters'))), parameters('parameters'), null())]", - "policyRule": "[parameters('policyRule')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "Policy Definition Name." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Policy Definition resource ID." 
- }, - "value": "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions', parameters('name'))]" - }, - "roleDefinitionIds": { - "type": "array", - "metadata": { - "description": "Policy Definition Role Definition IDs." - }, - "value": "[if(contains(reference(subscriptionResourceId('Microsoft.Authorization/policyDefinitions', parameters('name')), '2021-06-01').policyRule.then, 'details'), if(contains(reference(subscriptionResourceId('Microsoft.Authorization/policyDefinitions', parameters('name')), '2021-06-01').policyRule.then.details, 'roleDefinitionIds'), reference(subscriptionResourceId('Microsoft.Authorization/policyDefinitions', parameters('name')), '2021-06-01').policyRule.then.details.roleDefinitionIds, createArray()), createArray())]" - } - } -} \ No newline at end of file diff --git a/modules/authorization/policy-definition/subscription/version.json b/modules/authorization/policy-definition/subscription/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/authorization/policy-definition/subscription/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/authorization/policy-definition/tests/e2e/mg.common/main.test.bicep b/modules/authorization/policy-definition/tests/e2e/mg.common/main.test.bicep deleted file mode 100644 index df669b50c3..0000000000 --- a/modules/authorization/policy-definition/tests/e2e/mg.common/main.test.bicep +++ /dev/null 
@@ -1,76 +0,0 @@
-targetScope = 'managementGroup'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'apdmgcom'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../management-group/main.bicep' = {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- policyRule: {
- if: {
- allOf: [
- {
- equals: 'Microsoft.Resources/subscriptions'
- field: 'type'
- }
- {
- exists: 'false'
- field: '[concat(\'tags[\', parameters(\'tagName\'), \']\')]'
- }
- ]
- }
- then: {
- details: {
- operations: [
- {
- field: '[concat(\'tags[\', parameters(\'tagName\'), \']\')]'
- operation: 'add'
- value: '[parameters(\'tagValue\')]'
- }
- ]
- roleDefinitionIds: [
- '/providers/microsoft.authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f'
- ]
- }
- effect: 'modify'
- }
- }
- description: '[Description] This policy definition is deployed at the management group scope'
- displayName: '[DisplayName] This policy definition is deployed at the management group scope'
- metadata: {
- category: 'Security'
- }
- parameters: {
- tagName: {
- metadata: {
- description: 'Name of the tag such as \'environment\''
- displayName: 'Tag Name'
- }
- type: 'String'
- }
- tagValue: {
- metadata: {
- description: 'Value of the tag such as \'environment\''
- displayName: 'Tag Value'
- }
- type: 'String'
- }
- }
- }
-}
diff --git a/modules/authorization/policy-definition/tests/e2e/mg.min/main.test.bicep b/modules/authorization/policy-definition/tests/e2e/mg.min/main.test.bicep
deleted file mode 100644
index 26408738b1..0000000000
--- a/modules/authorization/policy-definition/tests/e2e/mg.min/main.test.bicep
+++ /dev/null
@@ -1,48 +0,0 @@
-targetScope = 'managementGroup'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'apdmgmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../management-group/main.bicep' = {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- policyRule: {
- if: {
- allOf: [
- {
- equals: 'Microsoft.KeyVault/vaults'
- field: 'type'
- }
- ]
- }
- then: {
- effect: '[parameters(\'effect\')]'
- }
- }
- parameters: {
- effect: {
- allowedValues: [
- 'Audit'
- ]
- defaultValue: 'Audit'
- type: 'String'
- }
- }
- }
-}
diff --git a/modules/authorization/policy-definition/tests/e2e/sub.common/main.test.bicep b/modules/authorization/policy-definition/tests/e2e/sub.common/main.test.bicep
deleted file mode 100644
index 735058877b..0000000000
--- a/modules/authorization/policy-definition/tests/e2e/sub.common/main.test.bicep
+++ /dev/null
@@ -1,76 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'apdsubcom'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../subscription/main.bicep' = {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- policyRule: {
- if: {
- allOf: [
- {
- equals: 'Microsoft.Resources/subscriptions'
- field: 'type'
- }
- {
- exists: 'false'
- field: '[concat(\'tags[\', parameters(\'tagName\'), \']\')]'
- }
- ]
- }
- then: {
- details: {
- operations: [
- {
- field: '[concat(\'tags[\', parameters(\'tagName\'), \']\')]'
- operation: 'add'
- value: '[parameters(\'tagValue\')]'
- }
- ]
- roleDefinitionIds: [
- '/providers/microsoft.authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f'
- ]
- }
- effect: 'modify'
- }
- }
- description: '[Description] This policy definition is deployed at subscription scope'
- displayName: '[DisplayName] This policy definition is deployed at subscription scope'
- metadata: {
- category: 'Security'
- }
- parameters: {
- tagName: {
- metadata: {
- description: 'Name of the tag such as \'environment\''
- displayName: 'Tag Name'
- }
- type: 'String'
- }
- tagValue: {
- metadata: {
- description: 'Value of the tag such as \'production\''
- displayName: 'Tag Value'
- }
- type: 'String'
- }
- }
- }
-}
diff --git a/modules/authorization/policy-definition/tests/e2e/sub.min/main.test.bicep b/modules/authorization/policy-definition/tests/e2e/sub.min/main.test.bicep
deleted file mode 100644
index 8e0f2c8c48..0000000000
--- a/modules/authorization/policy-definition/tests/e2e/sub.min/main.test.bicep
+++ /dev/null
@@ -1,48 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'apdsubmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../subscription/main.bicep' = {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- policyRule: {
- if: {
- allOf: [
- {
- equals: 'Microsoft.KeyVault/vaults'
- field: 'type'
- }
- ]
- }
- then: {
- effect: '[parameters(\'effect\')]'
- }
- }
- parameters: {
- effect: {
- allowedValues: [
- 'Audit'
- ]
- defaultValue: 'Audit'
- type: 'String'
- }
- }
- }
-}
diff --git a/modules/authorization/policy-definition/version.json b/modules/authorization/policy-definition/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/authorization/policy-definition/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/authorization/policy-exemption/README.md b/modules/authorization/policy-exemption/README.md
index 365732cdd7..0430f274c7 100644
--- a/modules/authorization/policy-exemption/README.md +++ b/modules/authorization/policy-exemption/README.md @@ -1,839 +1,7 @@ -# Policy Exemptions (All scopes) `[Microsoft.Authorization/policyExemptions]` +

⚠️ Retired ⚠️

-This module deploys a Policy Exemption at a Management Group, Subscription or Resource Group scope. +This module has been retired without a replacement in Azure Verified Modules ([AVM](https://aka.ms/AVM)). -## Navigation +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/authorization/policy-exemption). -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/policyExemptions` | [2022-07-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-07-01-preview/policyExemptions) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/authorization.policy-exemption:1.0.0`. - -- [Mg.Common](#example-1-mgcommon) -- [Mg.Min](#example-2-mgmin) -- [Rg.Common](#example-3-rgcommon) -- [Rg.Min](#example-4-rgmin) -- [Sub.Common](#example-5-subcommon) -- [Sub.Min](#example-6-submin) - -### Example 1: _Mg.Common_ - -
- -via Bicep module - -```bicep -module policyExemption 'br:bicep/modules/authorization.policy-exemption:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-apemgcom' - params: { - // Required parameters - name: 'apemgcom001' - policyAssignmentId: '' - // Non-required parameters - assignmentScopeValidation: 'Default' - description: 'My description' - displayName: '[Display Name] policy exempt (management group scope)' - enableDefaultTelemetry: '' - exemptionCategory: 'Waiver' - expiresOn: '2025-10-02T03:57:00Z' - metadata: { - category: 'Security' - } - policyDefinitionReferenceIds: [ - '' - ] - resourceSelectors: [ - { - name: 'TemporaryMitigation' - selectors: [ - { - in: [ - 'westcentralus' - ] - kind: 'resourceLocation' - } - ] - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "apemgcom001" - }, - "policyAssignmentId": { - "value": "" - }, - // Non-required parameters - "assignmentScopeValidation": { - "value": "Default" - }, - "description": { - "value": "My description" - }, - "displayName": { - "value": "[Display Name] policy exempt (management group scope)" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "exemptionCategory": { - "value": "Waiver" - }, - "expiresOn": { - "value": "2025-10-02T03:57:00Z" - }, - "metadata": { - "value": { - "category": "Security" - } - }, - "policyDefinitionReferenceIds": { - "value": [ - "" - ] - }, - "resourceSelectors": { - "value": [ - { - "name": "TemporaryMitigation", - "selectors": [ - { - "in": [ - "westcentralus" - ], - "kind": "resourceLocation" - } - ] - } - ] - } - } -} -``` - -
-

- -### Example 2: _Mg.Min_ - -

- -via Bicep module - -```bicep -module policyExemption 'br:bicep/modules/authorization.policy-exemption:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-apemgmin' - params: { - // Required parameters - name: 'apemgmin001' - policyAssignmentId: '' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "apemgmin001" - }, - "policyAssignmentId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 3: _Rg.Common_ - -

- -via Bicep module - -```bicep -module policyExemption 'br:bicep/modules/authorization.policy-exemption:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-apergcom' - params: { - // Required parameters - name: 'apergcom001' - policyAssignmentId: '' - // Non-required parameters - assignmentScopeValidation: 'Default' - description: 'My description' - displayName: '[Display Name] policy exempt (resource group scope)' - enableDefaultTelemetry: '' - exemptionCategory: 'Waiver' - expiresOn: '2025-10-02T03:57:00Z' - metadata: { - category: 'Security' - } - policyDefinitionReferenceIds: [ - '' - ] - resourceSelectors: [ - { - name: 'TemporaryMitigation' - selectors: [ - { - in: [ - 'westcentralus' - ] - kind: 'resourceLocation' - } - ] - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "apergcom001" - }, - "policyAssignmentId": { - "value": "" - }, - // Non-required parameters - "assignmentScopeValidation": { - "value": "Default" - }, - "description": { - "value": "My description" - }, - "displayName": { - "value": "[Display Name] policy exempt (resource group scope)" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "exemptionCategory": { - "value": "Waiver" - }, - "expiresOn": { - "value": "2025-10-02T03:57:00Z" - }, - "metadata": { - "value": { - "category": "Security" - } - }, - "policyDefinitionReferenceIds": { - "value": [ - "" - ] - }, - "resourceSelectors": { - "value": [ - { - "name": "TemporaryMitigation", - "selectors": [ - { - "in": [ - "westcentralus" - ], - "kind": "resourceLocation" - } - ] - } - ] - } - } -} -``` - -
-

- -### Example 4: _Rg.Min_ - -

- -via Bicep module - -```bicep -module policyExemption 'br:bicep/modules/authorization.policy-exemption:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-apergmin' - params: { - // Required parameters - name: 'apergmin001' - policyAssignmentId: '' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "apergmin001" - }, - "policyAssignmentId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 5: _Sub.Common_ - -

- -via Bicep module - -```bicep -module policyExemption 'br:bicep/modules/authorization.policy-exemption:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-apesubcom' - params: { - // Required parameters - name: 'apesubcom001' - policyAssignmentId: '' - // Non-required parameters - assignmentScopeValidation: 'Default' - description: 'My description' - displayName: '[Display Name] policy exempt (subscription scope)' - enableDefaultTelemetry: '' - exemptionCategory: 'Waiver' - expiresOn: '2025-10-02T03:57:00Z' - metadata: { - category: 'Security' - } - policyDefinitionReferenceIds: [ - '' - ] - resourceSelectors: [ - { - name: 'TemporaryMitigation' - selectors: [ - { - in: [ - 'westcentralus' - ] - kind: 'resourceLocation' - } - ] - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "apesubcom001" - }, - "policyAssignmentId": { - "value": "" - }, - // Non-required parameters - "assignmentScopeValidation": { - "value": "Default" - }, - "description": { - "value": "My description" - }, - "displayName": { - "value": "[Display Name] policy exempt (subscription scope)" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "exemptionCategory": { - "value": "Waiver" - }, - "expiresOn": { - "value": "2025-10-02T03:57:00Z" - }, - "metadata": { - "value": { - "category": "Security" - } - }, - "policyDefinitionReferenceIds": { - "value": [ - "" - ] - }, - "resourceSelectors": { - "value": [ - { - "name": "TemporaryMitigation", - "selectors": [ - { - "in": [ - "westcentralus" - ], - "kind": "resourceLocation" - } - ] - } - ] - } - } -} -``` - -
-

- -### Example 6: _Sub.Min_ - -

- -via Bicep module - -```bicep -module policyExemption 'br:bicep/modules/authorization.policy-exemption:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-apesubmin' - params: { - // Required parameters - name: 'apesubmin001' - policyAssignmentId: '' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "apesubmin001" - }, - "policyAssignmentId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Specifies the name of the policy exemption. Maximum length is 64 characters for management group, subscription and resource group scopes. | -| [`policyAssignmentId`](#parameter-policyassignmentid) | string | The resource ID of the policy assignment that is being exempted. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`assignmentScopeValidation`](#parameter-assignmentscopevalidation) | string | The option whether validate the exemption is at or under the assignment scope. | -| [`description`](#parameter-description) | string | The description of the policy exemption. | -| [`displayName`](#parameter-displayname) | string | The display name of the policy exemption. Maximum length is 128 characters. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`exemptionCategory`](#parameter-exemptioncategory) | string | The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated. | -| [`expiresOn`](#parameter-expireson) | string | The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z. | -| [`location`](#parameter-location) | string | Location deployment metadata. | -| [`managementGroupId`](#parameter-managementgroupid) | string | The group ID of the management group to be exempted from the policy assignment. If not provided, will use the current scope for deployment. | -| [`metadata`](#parameter-metadata) | object | The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. 
| -| [`policyDefinitionReferenceIds`](#parameter-policydefinitionreferenceids) | array | The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. | -| [`resourceGroupName`](#parameter-resourcegroupname) | string | The name of the resource group to be exempted from the policy assignment. Must also use the subscription ID parameter. | -| [`resourceSelectors`](#parameter-resourceselectors) | array | The resource selector list to filter policies by resource properties. | -| [`subscriptionId`](#parameter-subscriptionid) | string | The subscription ID of the subscription to be exempted from the policy assignment. Cannot use with management group ID parameter. | - -### Parameter: `name` - -Specifies the name of the policy exemption. Maximum length is 64 characters for management group, subscription and resource group scopes. - -- Required: Yes -- Type: string - -### Parameter: `policyAssignmentId` - -The resource ID of the policy assignment that is being exempted. - -- Required: Yes -- Type: string - -### Parameter: `assignmentScopeValidation` - -The option whether validate the exemption is at or under the assignment scope. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Default' - 'DoNotValidate' - ] - ``` - -### Parameter: `description` - -The description of the policy exemption. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `displayName` - -The display name of the policy exemption. Maximum length is 128 characters. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `exemptionCategory` - -The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated. 
- -- Required: No -- Type: string -- Default: `'Mitigated'` -- Allowed: - ```Bicep - [ - 'Mitigated' - 'Waiver' - ] - ``` - -### Parameter: `expiresOn` - -The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `location` - -Location deployment metadata. - -- Required: No -- Type: string -- Default: `[deployment().location]` - -### Parameter: `managementGroupId` - -The group ID of the management group to be exempted from the policy assignment. If not provided, will use the current scope for deployment. - -- Required: No -- Type: string -- Default: `[managementGroup().name]` - -### Parameter: `metadata` - -The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `policyDefinitionReferenceIds` - -The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `resourceGroupName` - -The name of the resource group to be exempted from the policy assignment. Must also use the subscription ID parameter. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `resourceSelectors` - -The resource selector list to filter policies by resource properties. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `subscriptionId` - -The subscription ID of the subscription to be exempted from the policy assignment. Cannot use with management group ID parameter. - -- Required: No -- Type: string -- Default: `''` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Policy Exemption Name. | -| `resourceId` | string | Policy Exemption resource ID. | -| `scope` | string | Policy Exemption Scope. 
| - -## Cross-referenced modules - -_None_ - -## Notes - -### Module Usage Guidance - -In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `main.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](main.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/main.bicep'](./subscription/main.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module. - -The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If you do not set the scope to management group, this would be the error that you can expect to face: - -```bicep -Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup" -``` - -The solution is to have the option of directly targeting the sub-module that achieves the required scope. For example, if you have your own Bicep file wanting to create resources at the subscription level, and also use some of the modules from the `Microsoft.Authorization` namespace, then you can directly use the sub-module ['/subscription/main.bicep'](./subscription/main.bicep) as a path within your repository, or reference that same published module from the bicep registry. 
CARML also published the sub-modules so you would be able to reference it like the following: - -**Bicep Registry Reference** -```bicep -module policyexemption 'br:bicepregistry.azurecr.io/bicep/modules/authorization.policy-exemption.subscription:version' = {} -``` -**Local Path Reference** -```bicep -module policyexemption 'yourpath/module/authorization/policy-exemption/subscription/main.bicep' = {} -``` - -### Parameter Usage: `managementGroupId` - -To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module. - - -

- -Parameter JSON format - -```json -"managementGroupId": { - "value": "contoso-group" -} -``` - -
- - -
- -Bicep format - -```bicep -managementGroupId: 'contoso-group' -``` - -
-

- -> `managementGroupId` is an optional parameter. If not provided, the deployment will use the management group defined in the current deployment scope (i.e. `managementGroup().name`). - -### Parameter Usage: `subscriptionId` - -To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. **Example**: - -

- -Parameter JSON format - -```json -"subscriptionId": { - "value": "12345678-b049-471c-95af-123456789012" -} -``` - -
- -
- -Bicep format - -```bicep -subscriptionId: '12345678-b049-471c-95af-123456789012' -``` - -
-

- -### Parameter Usage: `resourceGroupName` - -To deploy resource to a Resource Group, provide the `subscriptionId` and `resourceGroupName` as an input parameter to the module. **Example**: - -```json -"subscriptionId": { - "value": "12345678-b049-471c-95af-123456789012" -}, -"resourceGroupName": { - "value": "target-resourceGroup" -} -``` - -> The `subscriptionId` is used to enable deployment to a Resource Group Scope, allowing the use of the `resourceGroup()` function from a Management Group Scope. [Additional Details](https://github.com/Azure/bicep/pull/1420). - -### Parameter Usage: `resourceSelectors` - -To deploy Resource Selectors, you can apply the following syntax - - -

- -Parameter JSON format - -```json -"resourceSelectors": [ - { - "name": "TemporaryMitigation", - "selectors": [ - { - "kind": "resourceLocation", - "in": [ - "westcentralus" - ] - } - ] - } -] -``` - -
- -
- -Bicep format - -```bicep -resourceSelectors: [ - { - name: 'TemporaryMitigation' - selectors: [ - { - kind: 'resourceLocation' - in: [ - 'westcentralus' - ] - } - ] - } -] -``` - -
-

+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/authorization/policy-exemption/main.bicep b/modules/authorization/policy-exemption/main.bicep
deleted file mode 100644
index cbb2469f61..0000000000
--- a/modules/authorization/policy-exemption/main.bicep
+++ /dev/null
@@ -1,137 +0,0 @@
-metadata name = 'Policy Exemptions (All scopes)'
-metadata description = 'This module deploys a Policy Exemption at a Management Group, Subscription or Resource Group scope.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'managementGroup'
-
-@sys.description('Required. Specifies the name of the policy exemption. Maximum length is 64 characters for management group, subscription and resource group scopes.')
-@maxLength(64)
-param name string
-
-@sys.description('Optional. The display name of the policy exemption. Maximum length is 128 characters.')
-@maxLength(128)
-param displayName string = ''
-
-@sys.description('Optional. The description of the policy exemption.')
-param description string = ''
-
-@sys.description('Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
-param metadata object = {}
-
-@sys.description('Optional. The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated.')
-@allowed([
- 'Mitigated'
- 'Waiver'
-])
-param exemptionCategory string = 'Mitigated'
-
-@sys.description('Required. The resource ID of the policy assignment that is being exempted.')
-param policyAssignmentId string
-
-@sys.description('Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition.')
-param policyDefinitionReferenceIds array = []
-
-@sys.description('Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z.')
-param expiresOn string = ''
-
-@sys.description('Optional. The group ID of the management group to be exempted from the policy assignment. If not provided, will use the current scope for deployment.')
-param managementGroupId string = managementGroup().name
-
-@sys.description('Optional. The subscription ID of the subscription to be exempted from the policy assignment. Cannot use with management group ID parameter.')
-param subscriptionId string = ''
-
-@sys.description('Optional. The name of the resource group to be exempted from the policy assignment. Must also use the subscription ID parameter.')
-param resourceGroupName string = ''
-
-@sys.description('Optional. Location deployment metadata.')
-param location string = deployment().location
-
-@sys.description('Optional. The option whether validate the exemption is at or under the assignment scope.')
-@allowed([
- ''
- 'Default'
- 'DoNotValidate'
-])
-param assignmentScopeValidation string = ''
-
-@sys.description('Optional. The resource selector list to filter policies by resource properties.')
-param resourceSelectors array = []
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- location: location
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-module policyExemption_mg 'management-group/main.bicep' = if (empty(subscriptionId) && empty(resourceGroupName)) {
- name: '${uniqueString(deployment().name, location)}-PolicyExemption-MG-Module'
- scope: managementGroup(managementGroupId)
- params: {
- name: name
- displayName: displayName
- description: description
- metadata: metadata
- exemptionCategory: exemptionCategory
- policyAssignmentId: policyAssignmentId
- policyDefinitionReferenceIds: policyDefinitionReferenceIds
- expiresOn: expiresOn
- location: location
- assignmentScopeValidation: assignmentScopeValidation
- resourceSelectors: resourceSelectors
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module policyExemption_sub 'subscription/main.bicep' = if (!empty(subscriptionId) && empty(resourceGroupName)) {
- name: '${uniqueString(deployment().name, location)}-PolicyExemption-Sub-Module'
- scope: subscription(subscriptionId)
- params: {
- name: name
- displayName: displayName
- description: description
- metadata: metadata
- exemptionCategory: exemptionCategory
- policyAssignmentId: policyAssignmentId
- policyDefinitionReferenceIds: policyDefinitionReferenceIds
- expiresOn: expiresOn
- location: location
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module policyExemption_rg 'resource-group/main.bicep' = if (!empty(resourceGroupName) && !empty(subscriptionId)) {
- name: '${uniqueString(deployment().name, location)}-PolicyExemption-RG-Module'
- scope: resourceGroup(subscriptionId, resourceGroupName)
- params: {
- name: name
- displayName: displayName
- description: description
- metadata: metadata
- exemptionCategory: exemptionCategory
- policyAssignmentId: policyAssignmentId
- policyDefinitionReferenceIds: policyDefinitionReferenceIds
- expiresOn: expiresOn
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-@sys.description('Policy Exemption Name.')
-output name string = empty(subscriptionId) && empty(resourceGroupName) ? policyExemption_mg.outputs.name : (!empty(subscriptionId) && empty(resourceGroupName) ? policyExemption_sub.outputs.name : policyExemption_rg.outputs.name)
-
-@sys.description('Policy Exemption resource ID.')
-output resourceId string = empty(subscriptionId) && empty(resourceGroupName) ? policyExemption_mg.outputs.resourceId : (!empty(subscriptionId) && empty(resourceGroupName) ? policyExemption_sub.outputs.resourceId : policyExemption_rg.outputs.resourceId)
-
-@sys.description('Policy Exemption Scope.')
-output scope string = empty(subscriptionId) && empty(resourceGroupName) ? policyExemption_mg.outputs.scope : (!empty(subscriptionId) && empty(resourceGroupName) ? policyExemption_sub.outputs.scope : policyExemption_rg.outputs.scope)
diff --git a/modules/authorization/policy-exemption/main.json b/modules/authorization/policy-exemption/main.json
deleted file mode 100644
index 8603600205..0000000000
--- a/modules/authorization/policy-exemption/main.json
+++ /dev/null
@@ -1,808 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17158026498364887660" - }, - "name": "Policy Exemptions (All scopes)", - "description": "This module deploys a Policy Exemption at a Management Group, Subscription or Resource Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. Specifies the name of the policy exemption. Maximum length is 64 characters for management group, subscription and resource group scopes." - } - }, - "displayName": { - "type": "string", - "defaultValue": "", - "maxLength": 128, - "metadata": { - "description": "Optional. The display name of the policy exemption. Maximum length is 128 characters." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the policy exemption." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs." - } - }, - "exemptionCategory": { - "type": "string", - "defaultValue": "Mitigated", - "allowedValues": [ - "Mitigated", - "Waiver" - ], - "metadata": { - "description": "Optional. The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated." - } - }, - "policyAssignmentId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the policy assignment that is being exempted." - } - }, - "policyDefinitionReferenceIds": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. 
The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition." - } - }, - "expiresOn": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z." - } - }, - "managementGroupId": { - "type": "string", - "defaultValue": "[managementGroup().name]", - "metadata": { - "description": "Optional. The group ID of the management group to be exempted from the policy assignment. If not provided, will use the current scope for deployment." - } - }, - "subscriptionId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The subscription ID of the subscription to be exempted from the policy assignment. Cannot use with management group ID parameter." - } - }, - "resourceGroupName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the resource group to be exempted from the policy assignment. Must also use the subscription ID parameter." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "assignmentScopeValidation": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Default", - "DoNotValidate" - ], - "metadata": { - "description": "Optional. The option whether validate the exemption is at or under the assignment scope." - } - }, - "resourceSelectors": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The resource selector list to filter policies by resource properties." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "condition": "[and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PolicyExemption-MG-Module', uniqueString(deployment().name, parameters('location')))]", - "scope": "[format('Microsoft.Management/managementGroups/{0}', parameters('managementGroupId'))]", - "location": "[deployment().location]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('name')]" - }, - "displayName": { - "value": "[parameters('displayName')]" - }, - "description": { - "value": "[parameters('description')]" - }, - "metadata": { - "value": "[parameters('metadata')]" - }, - "exemptionCategory": { - "value": "[parameters('exemptionCategory')]" - }, - "policyAssignmentId": { - "value": "[parameters('policyAssignmentId')]" - }, - "policyDefinitionReferenceIds": { - "value": "[parameters('policyDefinitionReferenceIds')]" - }, - "expiresOn": { - "value": "[parameters('expiresOn')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "assignmentScopeValidation": { - "value": "[parameters('assignmentScopeValidation')]" - }, - "resourceSelectors": { - "value": "[parameters('resourceSelectors')]" - }, - "enableDefaultTelemetry": { - "value": 
"[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9567732291130716323" - }, - "name": "Policy Exemptions (Management Group scope)", - "description": "This module deploys a Policy Exemption at a Management Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. Specifies the name of the policy exemption. Maximum length is 64 characters for management group scope." - } - }, - "displayName": { - "type": "string", - "defaultValue": "", - "maxLength": 128, - "metadata": { - "description": "Optional. The display name of the policy assignment. Maximum length is 128 characters." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the policy exemption." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs." - } - }, - "exemptionCategory": { - "type": "string", - "defaultValue": "Mitigated", - "allowedValues": [ - "Mitigated", - "Waiver" - ], - "metadata": { - "description": "Optional. The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated." - } - }, - "policyAssignmentId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the policy assignment that is being exempted." - } - }, - "policyDefinitionReferenceIds": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. 
The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition." - } - }, - "expiresOn": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "assignmentScopeValidation": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Default", - "DoNotValidate" - ], - "metadata": { - "description": "Optional. The option whether validate the exemption is at or under the assignment scope." - } - }, - "resourceSelectors": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The resource selector list to filter policies by resource properties." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/policyExemptions", - "apiVersion": "2022-07-01-preview", - "name": "[parameters('name')]", - "properties": { - "displayName": "[if(not(empty(parameters('displayName'))), parameters('displayName'), null())]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "metadata": "[if(not(empty(parameters('metadata'))), parameters('metadata'), null())]", - "exemptionCategory": "[parameters('exemptionCategory')]", - "policyAssignmentId": "[parameters('policyAssignmentId')]", - "policyDefinitionReferenceIds": "[if(not(empty(parameters('policyDefinitionReferenceIds'))), parameters('policyDefinitionReferenceIds'), createArray())]", - "expiresOn": "[if(not(empty(parameters('expiresOn'))), parameters('expiresOn'), null())]", - "assignmentScopeValidation": "[if(not(empty(parameters('assignmentScopeValidation'))), parameters('assignmentScopeValidation'), null())]", - "resourceSelectors": "[parameters('resourceSelectors')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "Policy Exemption Name." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Policy Exemption resource ID." 
- }, - "value": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyExemptions', parameters('name'))]" - }, - "scope": { - "type": "string", - "metadata": { - "description": "Policy Exemption Scope." - }, - "value": "[managementGroup().id]" - } - } - } - } - }, - { - "condition": "[and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PolicyExemption-Sub-Module', uniqueString(deployment().name, parameters('location')))]", - "subscriptionId": "[parameters('subscriptionId')]", - "location": "[deployment().location]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('name')]" - }, - "displayName": { - "value": "[parameters('displayName')]" - }, - "description": { - "value": "[parameters('description')]" - }, - "metadata": { - "value": "[parameters('metadata')]" - }, - "exemptionCategory": { - "value": "[parameters('exemptionCategory')]" - }, - "policyAssignmentId": { - "value": "[parameters('policyAssignmentId')]" - }, - "policyDefinitionReferenceIds": { - "value": "[parameters('policyDefinitionReferenceIds')]" - }, - "expiresOn": { - "value": "[parameters('expiresOn')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15478604165722569737" - }, - "name": "Policy Exemptions (Subscription scope)", - "description": "This module deploys a Policy Exemption at a Subscription scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - 
"name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. Specifies the name of the policy exemption. Maximum length is 64 characters for subscription scope." - } - }, - "displayName": { - "type": "string", - "defaultValue": "", - "maxLength": 128, - "metadata": { - "description": "Optional. The display name of the policy exemption. Maximum length is 128 characters." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the policy exemption." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs." - } - }, - "exemptionCategory": { - "type": "string", - "defaultValue": "Mitigated", - "allowedValues": [ - "Mitigated", - "Waiver" - ], - "metadata": { - "description": "Optional. The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated." - } - }, - "policyAssignmentId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the policy assignment that is being exempted." - } - }, - "policyDefinitionReferenceIds": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition." - } - }, - "expiresOn": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." 
- } - }, - "assignmentScopeValidation": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Default", - "DoNotValidate" - ], - "metadata": { - "description": "Optional. The option whether validate the exemption is at or under the assignment scope." - } - }, - "resourceSelectors": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The resource selector list to filter policies by resource properties." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/policyExemptions", - "apiVersion": "2022-07-01-preview", - "name": "[parameters('name')]", - "properties": { - "displayName": "[if(not(empty(parameters('displayName'))), parameters('displayName'), null())]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "metadata": "[if(not(empty(parameters('metadata'))), parameters('metadata'), null())]", - "exemptionCategory": "[parameters('exemptionCategory')]", - "policyAssignmentId": "[parameters('policyAssignmentId')]", - "policyDefinitionReferenceIds": "[if(not(empty(parameters('policyDefinitionReferenceIds'))), parameters('policyDefinitionReferenceIds'), createArray())]", - "expiresOn": "[if(not(empty(parameters('expiresOn'))), parameters('expiresOn'), 
null())]", - "assignmentScopeValidation": "[if(not(empty(parameters('assignmentScopeValidation'))), parameters('assignmentScopeValidation'), null())]", - "resourceSelectors": "[parameters('resourceSelectors')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "Policy Exemption Name." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Policy Exemption resource ID." - }, - "value": "[subscriptionResourceId('Microsoft.Authorization/policyExemptions', parameters('name'))]" - }, - "scope": { - "type": "string", - "metadata": { - "description": "Policy Exemption Scope." - }, - "value": "[subscription().id]" - } - } - } - } - }, - { - "condition": "[and(not(empty(parameters('resourceGroupName'))), not(empty(parameters('subscriptionId'))))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PolicyExemption-RG-Module', uniqueString(deployment().name, parameters('location')))]", - "subscriptionId": "[parameters('subscriptionId')]", - "resourceGroup": "[parameters('resourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('name')]" - }, - "displayName": { - "value": "[parameters('displayName')]" - }, - "description": { - "value": "[parameters('description')]" - }, - "metadata": { - "value": "[parameters('metadata')]" - }, - "exemptionCategory": { - "value": "[parameters('exemptionCategory')]" - }, - "policyAssignmentId": { - "value": "[parameters('policyAssignmentId')]" - }, - "policyDefinitionReferenceIds": { - "value": "[parameters('policyDefinitionReferenceIds')]" - }, - "expiresOn": { - "value": "[parameters('expiresOn')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16772443718148714979" - }, - "name": "Policy Exemptions (Resource Group scope)", - "description": "This module deploys a Policy Exemption at a Resource Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. Specifies the name of the policy exemption. Maximum length is 64 characters for resource group scope." - } - }, - "displayName": { - "type": "string", - "defaultValue": "", - "maxLength": 128, - "metadata": { - "description": "Optional. The display name of the policy exemption. Maximum length is 128 characters." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the policy exemption." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs." - } - }, - "exemptionCategory": { - "type": "string", - "defaultValue": "Mitigated", - "allowedValues": [ - "Mitigated", - "Waiver" - ], - "metadata": { - "description": "Optional. The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated." - } - }, - "policyAssignmentId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the policy assignment that is being exempted." - } - }, - "policyDefinitionReferenceIds": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition." 
- } - }, - "expiresOn": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z." - } - }, - "assignmentScopeValidation": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Default", - "DoNotValidate" - ], - "metadata": { - "description": "Optional. The option whether validate the exemption is at or under the assignment scope." - } - }, - "resourceSelectors": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The resource selector list to filter policies by resource properties." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/policyExemptions", - "apiVersion": "2022-07-01-preview", - "name": "[parameters('name')]", - "properties": { - "displayName": "[if(not(empty(parameters('displayName'))), parameters('displayName'), null())]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "metadata": "[if(not(empty(parameters('metadata'))), parameters('metadata'), null())]", - "exemptionCategory": "[parameters('exemptionCategory')]", - "policyAssignmentId": "[parameters('policyAssignmentId')]", - "policyDefinitionReferenceIds": 
"[if(not(empty(parameters('policyDefinitionReferenceIds'))), parameters('policyDefinitionReferenceIds'), createArray())]", - "expiresOn": "[if(not(empty(parameters('expiresOn'))), parameters('expiresOn'), null())]", - "assignmentScopeValidation": "[if(not(empty(parameters('assignmentScopeValidation'))), parameters('assignmentScopeValidation'), null())]", - "resourceSelectors": "[parameters('resourceSelectors')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "Policy Exemption Name." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Policy Exemption resource ID." - }, - "value": "[resourceId('Microsoft.Authorization/policyExemptions', parameters('name'))]" - }, - "scope": { - "type": "string", - "metadata": { - "description": "Policy Exemption Scope." - }, - "value": "[resourceGroup().id]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the policy exemption was applied at." - }, - "value": "[resourceGroup().name]" - } - } - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "Policy Exemption Name." 
- }, - "value": "[if(and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName'))), reference(extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', parameters('managementGroupId')), 'Microsoft.Resources/deployments', format('{0}-PolicyExemption-MG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value, if(and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName'))), reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-PolicyExemption-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('subscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-PolicyExemption-RG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value))]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Policy Exemption resource ID." 
- }, - "value": "[if(and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName'))), reference(extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', parameters('managementGroupId')), 'Microsoft.Resources/deployments', format('{0}-PolicyExemption-MG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value, if(and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName'))), reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-PolicyExemption-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('subscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-PolicyExemption-RG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value))]" - }, - "scope": { - "type": "string", - "metadata": { - "description": "Policy Exemption Scope." 
- }, - "value": "[if(and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName'))), reference(extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', parameters('managementGroupId')), 'Microsoft.Resources/deployments', format('{0}-PolicyExemption-MG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.scope.value, if(and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName'))), reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-PolicyExemption-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.scope.value, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('subscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-PolicyExemption-RG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.scope.value))]" - } - } -} \ No newline at end of file diff --git a/modules/authorization/policy-exemption/management-group/README.md b/modules/authorization/policy-exemption/management-group/README.md deleted file mode 100644 index 303d90d848..0000000000 --- a/modules/authorization/policy-exemption/management-group/README.md +++ /dev/null 
@@ -1,162 +0,0 @@
-# Policy Exemptions (Management Group scope) `[Microsoft.Authorization/policyExemptions]`
-
-This module deploys a Policy Exemption at a Management Group scope.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Authorization/policyExemptions` | [2022-07-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-07-01-preview/policyExemptions) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | Specifies the name of the policy exemption. Maximum length is 64 characters for management group scope. |
-| [`policyAssignmentId`](#parameter-policyassignmentid) | string | The resource ID of the policy assignment that is being exempted. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`assignmentScopeValidation`](#parameter-assignmentscopevalidation) | string | The option whether validate the exemption is at or under the assignment scope. |
-| [`description`](#parameter-description) | string | The description of the policy exemption. |
-| [`displayName`](#parameter-displayname) | string | The display name of the policy assignment. Maximum length is 128 characters. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`exemptionCategory`](#parameter-exemptioncategory) | string | The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated. |
-| [`expiresOn`](#parameter-expireson) | string | The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z. |
-| [`location`](#parameter-location) | string | Location deployment metadata. |
-| [`metadata`](#parameter-metadata) | object | The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
-| [`policyDefinitionReferenceIds`](#parameter-policydefinitionreferenceids) | array | The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. |
-| [`resourceSelectors`](#parameter-resourceselectors) | array | The resource selector list to filter policies by resource properties. |
-
-### Parameter: `name`
-
-Specifies the name of the policy exemption. Maximum length is 64 characters for management group scope.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `policyAssignmentId`
-
-The resource ID of the policy assignment that is being exempted.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `assignmentScopeValidation`
-
-The option whether validate the exemption is at or under the assignment scope.
-
-- Required: No
-- Type: string
-- Default: `''`
-- Allowed:
- ```Bicep
- [
- ''
- 'Default'
- 'DoNotValidate'
- ]
- ```
-
-### Parameter: `description`
-
-The description of the policy exemption.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `displayName`
-
-The display name of the policy assignment. Maximum length is 128 characters.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `exemptionCategory`
-
-The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated.
-
-- Required: No
-- Type: string
-- Default: `'Mitigated'`
-- Allowed:
- ```Bicep
- [
- 'Mitigated'
- 'Waiver'
- ]
- ```
-
-### Parameter: `expiresOn`
-
-The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `location`
-
-Location deployment metadata.
-
-- Required: No
-- Type: string
-- Default: `[deployment().location]`
-
-### Parameter: `metadata`
-
-The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `policyDefinitionReferenceIds`
-
-The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `resourceSelectors`
-
-The resource selector list to filter policies by resource properties.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | Policy Exemption Name. |
-| `resourceId` | string | Policy Exemption resource ID. |
-| `scope` | string | Policy Exemption Scope. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/authorization/policy-exemption/management-group/main.bicep b/modules/authorization/policy-exemption/management-group/main.bicep
deleted file mode 100644
index add07a7130..0000000000
--- a/modules/authorization/policy-exemption/management-group/main.bicep
+++ /dev/null
@@ -1,89 +0,0 @@
-metadata name = 'Policy Exemptions (Management Group scope)'
-metadata description = 'This module deploys a Policy Exemption at a Management Group scope.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'managementGroup'
-
-@sys.description('Required. Specifies the name of the policy exemption. Maximum length is 64 characters for management group scope.')
-@maxLength(64)
-param name string
-
-@sys.description('Optional. The display name of the policy assignment. Maximum length is 128 characters.')
-@maxLength(128)
-param displayName string = ''
-
-@sys.description('Optional. The description of the policy exemption.')
-param description string = ''
-
-@sys.description('Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
-param metadata object = {}
-
-@sys.description('Optional. The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated.')
-@allowed([
- 'Mitigated'
- 'Waiver'
-])
-param exemptionCategory string = 'Mitigated'
-
-@sys.description('Required. The resource ID of the policy assignment that is being exempted.')
-param policyAssignmentId string
-
-@sys.description('Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition.')
-param policyDefinitionReferenceIds array = []
-
-@sys.description('Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z.')
-param expiresOn string = ''
-
-@sys.description('Optional. Location deployment metadata.')
-param location string = deployment().location
-
-@sys.description('Optional. The option whether validate the exemption is at or under the assignment scope.')
-@allowed([
- ''
- 'Default'
- 'DoNotValidate'
-])
-param assignmentScopeValidation string = ''
-
-@sys.description('Optional. The resource selector list to filter policies by resource properties.')
-param resourceSelectors array = []
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- location: location
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource policyExemption 'Microsoft.Authorization/policyExemptions@2022-07-01-preview' = {
- name: name
- properties: {
- displayName: !empty(displayName) ? displayName : null
- description: !empty(description) ? description : null
- metadata: !empty(metadata) ? metadata : null
- exemptionCategory: exemptionCategory
- policyAssignmentId: policyAssignmentId
- policyDefinitionReferenceIds: !empty(policyDefinitionReferenceIds) ? policyDefinitionReferenceIds : []
- expiresOn: !empty(expiresOn) ? expiresOn : null
- assignmentScopeValidation: !empty(assignmentScopeValidation) ? assignmentScopeValidation : null
- resourceSelectors: resourceSelectors
- }
-}
-
-@sys.description('Policy Exemption Name.')
-output name string = policyExemption.name
-
-@sys.description('Policy Exemption resource ID.')
-output resourceId string = policyExemption.id
-
-@sys.description('Policy Exemption Scope.')
-output scope string = managementGroup().id
diff --git a/modules/authorization/policy-exemption/management-group/main.json b/modules/authorization/policy-exemption/management-group/main.json
deleted file mode 100644
index da990d6e2c..0000000000
--- a/modules/authorization/policy-exemption/management-group/main.json
+++ /dev/null
@@ -1,165 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9567732291130716323" - }, - "name": "Policy Exemptions (Management Group scope)", - "description": "This module deploys a Policy Exemption at a Management Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. Specifies the name of the policy exemption. Maximum length is 64 characters for management group scope." - } - }, - "displayName": { - "type": "string", - "defaultValue": "", - "maxLength": 128, - "metadata": { - "description": "Optional. The display name of the policy assignment. Maximum length is 128 characters." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the policy exemption." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs." - } - }, - "exemptionCategory": { - "type": "string", - "defaultValue": "Mitigated", - "allowedValues": [ - "Mitigated", - "Waiver" - ], - "metadata": { - "description": "Optional. The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated." - } - }, - "policyAssignmentId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the policy assignment that is being exempted." - } - }, - "policyDefinitionReferenceIds": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition." 
- } - }, - "expiresOn": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "assignmentScopeValidation": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Default", - "DoNotValidate" - ], - "metadata": { - "description": "Optional. The option whether validate the exemption is at or under the assignment scope." - } - }, - "resourceSelectors": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The resource selector list to filter policies by resource properties." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/policyExemptions", - "apiVersion": "2022-07-01-preview", - "name": "[parameters('name')]", - "properties": { - "displayName": "[if(not(empty(parameters('displayName'))), parameters('displayName'), null())]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "metadata": "[if(not(empty(parameters('metadata'))), parameters('metadata'), null())]", - "exemptionCategory": "[parameters('exemptionCategory')]", - "policyAssignmentId": "[parameters('policyAssignmentId')]", - "policyDefinitionReferenceIds": "[if(not(empty(parameters('policyDefinitionReferenceIds'))), parameters('policyDefinitionReferenceIds'), createArray())]", - "expiresOn": "[if(not(empty(parameters('expiresOn'))), parameters('expiresOn'), null())]", - "assignmentScopeValidation": "[if(not(empty(parameters('assignmentScopeValidation'))), parameters('assignmentScopeValidation'), null())]", - "resourceSelectors": "[parameters('resourceSelectors')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "Policy Exemption Name." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Policy Exemption resource ID." 
- }, - "value": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyExemptions', parameters('name'))]" - }, - "scope": { - "type": "string", - "metadata": { - "description": "Policy Exemption Scope." - }, - "value": "[managementGroup().id]" - } - } -} \ No newline at end of file diff --git a/modules/authorization/policy-exemption/management-group/version.json b/modules/authorization/policy-exemption/management-group/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/authorization/policy-exemption/management-group/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/authorization/policy-exemption/resource-group/README.md b/modules/authorization/policy-exemption/resource-group/README.md deleted file mode 100644 index 0db23d6178..0000000000 --- a/modules/authorization/policy-exemption/resource-group/README.md +++ /dev/null 
@@ -1,154 +0,0 @@
-# Policy Exemptions (Resource Group scope) `[Microsoft.Authorization/policyExemptions]`
-
-This module deploys a Policy Exemption at a Resource Group scope.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Authorization/policyExemptions` | [2022-07-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-07-01-preview/policyExemptions) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | Specifies the name of the policy exemption. Maximum length is 64 characters for resource group scope. |
-| [`policyAssignmentId`](#parameter-policyassignmentid) | string | The resource ID of the policy assignment that is being exempted. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`assignmentScopeValidation`](#parameter-assignmentscopevalidation) | string | The option whether validate the exemption is at or under the assignment scope. |
-| [`description`](#parameter-description) | string | The description of the policy exemption. |
-| [`displayName`](#parameter-displayname) | string | The display name of the policy exemption. Maximum length is 128 characters. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`exemptionCategory`](#parameter-exemptioncategory) | string | The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated. |
-| [`expiresOn`](#parameter-expireson) | string | The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z. |
-| [`metadata`](#parameter-metadata) | object | The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
-| [`policyDefinitionReferenceIds`](#parameter-policydefinitionreferenceids) | array | The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. |
-| [`resourceSelectors`](#parameter-resourceselectors) | array | The resource selector list to filter policies by resource properties. |
-
-### Parameter: `name`
-
-Specifies the name of the policy exemption. Maximum length is 64 characters for resource group scope.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `policyAssignmentId`
-
-The resource ID of the policy assignment that is being exempted.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `assignmentScopeValidation`
-
-The option whether validate the exemption is at or under the assignment scope.
-
-- Required: No
-- Type: string
-- Default: `''`
-- Allowed:
- ```Bicep
- [
- ''
- 'Default'
- 'DoNotValidate'
- ]
- ```
-
-### Parameter: `description`
-
-The description of the policy exemption.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `displayName`
-
-The display name of the policy exemption. Maximum length is 128 characters.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `exemptionCategory`
-
-The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated.
-
-- Required: No
-- Type: string
-- Default: `'Mitigated'`
-- Allowed:
- ```Bicep
- [
- 'Mitigated'
- 'Waiver'
- ]
- ```
-
-### Parameter: `expiresOn`
-
-The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `metadata`
-
-The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `policyDefinitionReferenceIds`
-
-The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `resourceSelectors`
-
-The resource selector list to filter policies by resource properties.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | Policy Exemption Name. |
-| `resourceGroupName` | string | The name of the resource group the policy exemption was applied at. |
-| `resourceId` | string | Policy Exemption resource ID. |
-| `scope` | string | Policy Exemption Scope. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/authorization/policy-exemption/resource-group/main.bicep b/modules/authorization/policy-exemption/resource-group/main.bicep
deleted file mode 100644
index ed9737da0e..0000000000
--- a/modules/authorization/policy-exemption/resource-group/main.bicep
+++ /dev/null
@@ -1,88 +0,0 @@
-metadata name = 'Policy Exemptions (Resource Group scope)'
-metadata description = 'This module deploys a Policy Exemption at a Resource Group scope.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'resourceGroup'
-
-@sys.description('Required. Specifies the name of the policy exemption. Maximum length is 64 characters for resource group scope.')
-@maxLength(64)
-param name string
-
-@sys.description('Optional. The display name of the policy exemption. Maximum length is 128 characters.')
-@maxLength(128)
-param displayName string = ''
-
-@sys.description('Optional. The description of the policy exemption.')
-param description string = ''
-
-@sys.description('Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
-param metadata object = {}
-
-@sys.description('Optional. The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated.')
-@allowed([
- 'Mitigated'
- 'Waiver'
-])
-param exemptionCategory string = 'Mitigated'
-
-@sys.description('Required. The resource ID of the policy assignment that is being exempted.')
-param policyAssignmentId string
-
-@sys.description('Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition.')
-param policyDefinitionReferenceIds array = []
-
-@sys.description('Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z.')
-param expiresOn string = ''
-
-@sys.description('Optional. The option whether validate the exemption is at or under the assignment scope.')
-@allowed([
- ''
- 'Default'
- 'DoNotValidate'
-])
-param assignmentScopeValidation string = ''
-
-@sys.description('Optional. The resource selector list to filter policies by resource properties.')
-param resourceSelectors array = []
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource policyExemption 'Microsoft.Authorization/policyExemptions@2022-07-01-preview' = {
- name: name
- properties: {
- displayName: !empty(displayName) ? displayName : null
- description: !empty(description) ? description : null
- metadata: !empty(metadata) ? metadata : null
- exemptionCategory: exemptionCategory
- policyAssignmentId: policyAssignmentId
- policyDefinitionReferenceIds: !empty(policyDefinitionReferenceIds) ? policyDefinitionReferenceIds : []
- expiresOn: !empty(expiresOn) ? expiresOn : null
- assignmentScopeValidation: !empty(assignmentScopeValidation) ? assignmentScopeValidation : null
- resourceSelectors: resourceSelectors
- }
-}
-
-@sys.description('Policy Exemption Name.')
-output name string = policyExemption.name
-
-@sys.description('Policy Exemption resource ID.')
-output resourceId string = policyExemption.id
-
-@sys.description('Policy Exemption Scope.')
-output scope string = resourceGroup().id
-
-@sys.description('The name of the resource group the policy exemption was applied at.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/authorization/policy-exemption/resource-group/main.json b/modules/authorization/policy-exemption/resource-group/main.json
deleted file mode 100644
index ef2c732777..0000000000
--- a/modules/authorization/policy-exemption/resource-group/main.json
+++ /dev/null
@@ -1,164 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16772443718148714979" - }, - "name": "Policy Exemptions (Resource Group scope)", - "description": "This module deploys a Policy Exemption at a Resource Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. Specifies the name of the policy exemption. Maximum length is 64 characters for resource group scope." - } - }, - "displayName": { - "type": "string", - "defaultValue": "", - "maxLength": 128, - "metadata": { - "description": "Optional. The display name of the policy exemption. Maximum length is 128 characters." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the policy exemption." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs." - } - }, - "exemptionCategory": { - "type": "string", - "defaultValue": "Mitigated", - "allowedValues": [ - "Mitigated", - "Waiver" - ], - "metadata": { - "description": "Optional. The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated." - } - }, - "policyAssignmentId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the policy assignment that is being exempted." - } - }, - "policyDefinitionReferenceIds": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition." 
- } - }, - "expiresOn": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z." - } - }, - "assignmentScopeValidation": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Default", - "DoNotValidate" - ], - "metadata": { - "description": "Optional. The option whether validate the exemption is at or under the assignment scope." - } - }, - "resourceSelectors": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The resource selector list to filter policies by resource properties." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/policyExemptions", - "apiVersion": "2022-07-01-preview", - "name": "[parameters('name')]", - "properties": { - "displayName": "[if(not(empty(parameters('displayName'))), parameters('displayName'), null())]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "metadata": "[if(not(empty(parameters('metadata'))), parameters('metadata'), null())]", - "exemptionCategory": "[parameters('exemptionCategory')]", - "policyAssignmentId": "[parameters('policyAssignmentId')]", - "policyDefinitionReferenceIds": 
"[if(not(empty(parameters('policyDefinitionReferenceIds'))), parameters('policyDefinitionReferenceIds'), createArray())]", - "expiresOn": "[if(not(empty(parameters('expiresOn'))), parameters('expiresOn'), null())]", - "assignmentScopeValidation": "[if(not(empty(parameters('assignmentScopeValidation'))), parameters('assignmentScopeValidation'), null())]", - "resourceSelectors": "[parameters('resourceSelectors')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "Policy Exemption Name." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Policy Exemption resource ID." - }, - "value": "[resourceId('Microsoft.Authorization/policyExemptions', parameters('name'))]" - }, - "scope": { - "type": "string", - "metadata": { - "description": "Policy Exemption Scope." - }, - "value": "[resourceGroup().id]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the policy exemption was applied at." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/authorization/policy-exemption/resource-group/version.json b/modules/authorization/policy-exemption/resource-group/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/authorization/policy-exemption/resource-group/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/authorization/policy-exemption/subscription/README.md b/modules/authorization/policy-exemption/subscription/README.md deleted file mode 100644 index 3240cff663..0000000000 --- a/modules/authorization/policy-exemption/subscription/README.md +++ /dev/null 
@@ -1,162 +0,0 @@
-# Policy Exemptions (Subscription scope) `[Microsoft.Authorization/policyExemptions]`
-
-This module deploys a Policy Exemption at a Subscription scope.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Authorization/policyExemptions` | [2022-07-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-07-01-preview/policyExemptions) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | Specifies the name of the policy exemption. Maximum length is 64 characters for subscription scope. |
-| [`policyAssignmentId`](#parameter-policyassignmentid) | string | The resource ID of the policy assignment that is being exempted. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`assignmentScopeValidation`](#parameter-assignmentscopevalidation) | string | The option whether validate the exemption is at or under the assignment scope. |
-| [`description`](#parameter-description) | string | The description of the policy exemption. |
-| [`displayName`](#parameter-displayname) | string | The display name of the policy exemption. Maximum length is 128 characters. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`exemptionCategory`](#parameter-exemptioncategory) | string | The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated. |
-| [`expiresOn`](#parameter-expireson) | string | The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z. |
-| [`location`](#parameter-location) | string | Location deployment metadata. |
-| [`metadata`](#parameter-metadata) | object | The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
-| [`policyDefinitionReferenceIds`](#parameter-policydefinitionreferenceids) | array | The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. |
-| [`resourceSelectors`](#parameter-resourceselectors) | array | The resource selector list to filter policies by resource properties. |
-
-### Parameter: `name`
-
-Specifies the name of the policy exemption. Maximum length is 64 characters for subscription scope.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `policyAssignmentId`
-
-The resource ID of the policy assignment that is being exempted.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `assignmentScopeValidation`
-
-The option whether validate the exemption is at or under the assignment scope.
-
-- Required: No
-- Type: string
-- Default: `''`
-- Allowed:
- ```Bicep
- [
- ''
- 'Default'
- 'DoNotValidate'
- ]
- ```
-
-### Parameter: `description`
-
-The description of the policy exemption.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `displayName`
-
-The display name of the policy exemption. Maximum length is 128 characters.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `exemptionCategory`
-
-The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated.
-
-- Required: No
-- Type: string
-- Default: `'Mitigated'`
-- Allowed:
- ```Bicep
- [
- 'Mitigated'
- 'Waiver'
- ]
- ```
-
-### Parameter: `expiresOn`
-
-The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `location`
-
-Location deployment metadata.
-
-- Required: No
-- Type: string
-- Default: `[deployment().location]`
-
-### Parameter: `metadata`
-
-The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `policyDefinitionReferenceIds`
-
-The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `resourceSelectors`
-
-The resource selector list to filter policies by resource properties.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | Policy Exemption Name. |
-| `resourceId` | string | Policy Exemption resource ID. |
-| `scope` | string | Policy Exemption Scope. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/authorization/policy-exemption/subscription/main.bicep b/modules/authorization/policy-exemption/subscription/main.bicep
deleted file mode 100644
index 2b96396e4b..0000000000
--- a/modules/authorization/policy-exemption/subscription/main.bicep
+++ /dev/null
@@ -1,89 +0,0 @@
-metadata name = 'Policy Exemptions (Subscription scope)'
-metadata description = 'This module deploys a Policy Exemption at a Subscription scope.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'subscription'
-
-@sys.description('Required. Specifies the name of the policy exemption. Maximum length is 64 characters for subscription scope.')
-@maxLength(64)
-param name string
-
-@sys.description('Optional. The display name of the policy exemption. Maximum length is 128 characters.')
-@maxLength(128)
-param displayName string = ''
-
-@sys.description('Optional. The description of the policy exemption.')
-param description string = ''
-
-@sys.description('Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
-param metadata object = {}
-
-@sys.description('Optional. The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated.')
-@allowed([
- 'Mitigated'
- 'Waiver'
-])
-param exemptionCategory string = 'Mitigated'
-
-@sys.description('Required. The resource ID of the policy assignment that is being exempted.')
-param policyAssignmentId string
-
-@sys.description('Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition.')
-param policyDefinitionReferenceIds array = []
-
-@sys.description('Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z.')
-param expiresOn string = ''
-
-@sys.description('Optional. Location deployment metadata.')
-param location string = deployment().location
-
-@sys.description('Optional. The option whether validate the exemption is at or under the assignment scope.')
-@allowed([
- ''
- 'Default'
- 'DoNotValidate'
-])
-param assignmentScopeValidation string = ''
-
-@sys.description('Optional. The resource selector list to filter policies by resource properties.')
-param resourceSelectors array = []
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- location: location
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource policyExemption 'Microsoft.Authorization/policyExemptions@2022-07-01-preview' = {
- name: name
- properties: {
- displayName: !empty(displayName) ? displayName : null
- description: !empty(description) ? description : null
- metadata: !empty(metadata) ? metadata : null
- exemptionCategory: exemptionCategory
- policyAssignmentId: policyAssignmentId
- policyDefinitionReferenceIds: !empty(policyDefinitionReferenceIds) ? policyDefinitionReferenceIds : []
- expiresOn: !empty(expiresOn) ? expiresOn : null
- assignmentScopeValidation: !empty(assignmentScopeValidation) ? assignmentScopeValidation : null
- resourceSelectors: resourceSelectors
- }
-}
-
-@sys.description('Policy Exemption Name.')
-output name string = policyExemption.name
-
-@sys.description('Policy Exemption resource ID.')
-output resourceId string = policyExemption.id
-
-@sys.description('Policy Exemption Scope.')
-output scope string = subscription().id
diff --git a/modules/authorization/policy-exemption/subscription/main.json b/modules/authorization/policy-exemption/subscription/main.json
deleted file mode 100644
index b199d7110c..0000000000
--- a/modules/authorization/policy-exemption/subscription/main.json
+++ /dev/null
@@ -1,165 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15478604165722569737" - }, - "name": "Policy Exemptions (Subscription scope)", - "description": "This module deploys a Policy Exemption at a Subscription scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. Specifies the name of the policy exemption. Maximum length is 64 characters for subscription scope." - } - }, - "displayName": { - "type": "string", - "defaultValue": "", - "maxLength": 128, - "metadata": { - "description": "Optional. The display name of the policy exemption. Maximum length is 128 characters." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the policy exemption." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs." - } - }, - "exemptionCategory": { - "type": "string", - "defaultValue": "Mitigated", - "allowedValues": [ - "Mitigated", - "Waiver" - ], - "metadata": { - "description": "Optional. The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated." - } - }, - "policyAssignmentId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the policy assignment that is being exempted." - } - }, - "policyDefinitionReferenceIds": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition." 
- } - }, - "expiresOn": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "assignmentScopeValidation": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Default", - "DoNotValidate" - ], - "metadata": { - "description": "Optional. The option whether validate the exemption is at or under the assignment scope." - } - }, - "resourceSelectors": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The resource selector list to filter policies by resource properties." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/policyExemptions", - "apiVersion": "2022-07-01-preview", - "name": "[parameters('name')]", - "properties": { - "displayName": "[if(not(empty(parameters('displayName'))), parameters('displayName'), null())]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "metadata": "[if(not(empty(parameters('metadata'))), parameters('metadata'), null())]", - "exemptionCategory": "[parameters('exemptionCategory')]", - "policyAssignmentId": "[parameters('policyAssignmentId')]", - "policyDefinitionReferenceIds": "[if(not(empty(parameters('policyDefinitionReferenceIds'))), parameters('policyDefinitionReferenceIds'), createArray())]", - "expiresOn": "[if(not(empty(parameters('expiresOn'))), parameters('expiresOn'), null())]", - "assignmentScopeValidation": "[if(not(empty(parameters('assignmentScopeValidation'))), parameters('assignmentScopeValidation'), null())]", - "resourceSelectors": "[parameters('resourceSelectors')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "Policy Exemption Name." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Policy Exemption resource ID." 
- }, - "value": "[subscriptionResourceId('Microsoft.Authorization/policyExemptions', parameters('name'))]" - }, - "scope": { - "type": "string", - "metadata": { - "description": "Policy Exemption Scope." - }, - "value": "[subscription().id]" - } - } -} \ No newline at end of file diff --git a/modules/authorization/policy-exemption/subscription/version.json b/modules/authorization/policy-exemption/subscription/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/authorization/policy-exemption/subscription/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/authorization/policy-exemption/tests/e2e/mg.common/main.test.bicep b/modules/authorization/policy-exemption/tests/e2e/mg.common/main.test.bicep deleted file mode 100644 index 4832fa018c..0000000000 --- a/modules/authorization/policy-exemption/tests/e2e/mg.common/main.test.bicep +++ /dev/null 
@@ -1,115 +0,0 @@
-targetScope = 'managementGroup'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'apemgcom'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-
-resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
- name: 'dep-${namePrefix}-polDef-AuditKvlt-${serviceShort}'
- properties: {
- policyRule: {
- if: {
- allOf: [
- {
- equals: 'Microsoft.KeyVault/vaults'
- field: 'type'
- }
- ]
- }
- then: {
- effect: '[parameters(\'effect\')]'
- }
- }
- parameters: {
- effect: {
- allowedValues: [
- 'Audit'
- ]
- defaultValue: 'Audit'
- type: 'String'
- }
- }
- }
-}
-
-resource policySet 'Microsoft.Authorization/policySetDefinitions@2021-06-01' = {
- name: 'dep-${namePrefix}-polSet-${serviceShort}'
- properties: {
- policyDefinitions: [
- {
- parameters: {
- effect: {
- value: 'Audit'
- }
- }
- policyDefinitionId: policyDefinition.id
- policyDefinitionReferenceId: policyDefinition.name
- }
- ]
- }
-}
-
-resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
- name: 'dep-${namePrefix}-psa-${serviceShort}'
- location: location
- properties: {
- displayName: 'Test case assignment'
- policyDefinitionId: policySet.id
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../management-group/main.bicep' = {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- policyAssignmentId: policySetAssignment.id
- displayName: '[Display Name] policy exempt (management group scope)'
- exemptionCategory: 'Waiver'
- expiresOn: '2025-10-02T03:57:00Z'
- metadata: {
- category: 'Security'
- }
- assignmentScopeValidation: 'Default'
- description: 'My description'
- resourceSelectors: [
- {
- name: 'TemporaryMitigation'
- selectors: [
- {
- kind: 'resourceLocation'
- in: [
- 'westcentralus'
- ]
- }
- ]
- }
- ]
- policyDefinitionReferenceIds: [
- policySet.properties.policyDefinitions[0].policyDefinitionReferenceId
- ]
- }
-}
diff --git a/modules/authorization/policy-exemption/tests/e2e/mg.min/main.test.bicep b/modules/authorization/policy-exemption/tests/e2e/mg.min/main.test.bicep
deleted file mode 100644
index d34ab40cdb..0000000000
--- a/modules/authorization/policy-exemption/tests/e2e/mg.min/main.test.bicep
+++ /dev/null
@@ -1,45 +0,0 @@
-targetScope = 'managementGroup'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'apemgmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
- name: 'dep-${namePrefix}-${serviceShort}-rgloc'
- location: location
- properties: {
- displayName: '[Depedency] Audit resource location matches resource group location (management group scope)'
- policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../management-group/main.bicep' = {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- policyAssignmentId: policyAssignment.id
- }
-}
diff --git a/modules/authorization/policy-exemption/tests/e2e/rg.common/main.test.bicep b/modules/authorization/policy-exemption/tests/e2e/rg.common/main.test.bicep
deleted file mode 100644
index 650cefa0b3..0000000000
--- a/modules/authorization/policy-exemption/tests/e2e/rg.common/main.test.bicep
+++ /dev/null
@@ -1,124 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-authorization.policyexemptions-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'apergcom'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
- name: 'dep-${namePrefix}-polDef-AuditKvlt-${serviceShort}'
- properties: {
- policyRule: {
- if: {
- allOf: [
- {
- equals: 'Microsoft.KeyVault/vaults'
- field: 'type'
- }
- ]
- }
- then: {
- effect: '[parameters(\'effect\')]'
- }
- }
- parameters: {
- effect: {
- allowedValues: [
- 'Audit'
- ]
- defaultValue: 'Audit'
- type: 'String'
- }
- }
- }
-}
-
-resource policySet 'Microsoft.Authorization/policySetDefinitions@2021-06-01' = {
- name: 'dep-${namePrefix}-polSet-${serviceShort}'
- properties: {
- policyDefinitions: [
- {
- parameters: {
- effect: {
- value: 'Audit'
- }
- }
- policyDefinitionId: policyDefinition.id
- policyDefinitionReferenceId: policyDefinition.name
- }
- ]
- }
-}
-
-resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
- name: 'dep-${namePrefix}-psa-${serviceShort}'
- location: location
- properties: {
- displayName: 'Test case assignment'
- policyDefinitionId: policySet.id
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../resource-group/main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- policyAssignmentId: policySetAssignment.id
- displayName: '[Display Name] policy exempt (resource group scope)'
- exemptionCategory: 'Waiver'
- expiresOn: '2025-10-02T03:57:00Z'
- metadata: {
- category: 'Security'
- }
- assignmentScopeValidation: 'Default'
- description: 'My description'
- resourceSelectors: [
- {
- name: 'TemporaryMitigation'
- selectors: [
- {
- kind: 'resourceLocation'
- in: [
- 'westcentralus'
- ]
- }
- ]
- }
- ]
- policyDefinitionReferenceIds: [
- policySet.properties.policyDefinitions[0].policyDefinitionReferenceId
- ]
- }
-}
diff --git a/modules/authorization/policy-exemption/tests/e2e/rg.min/main.test.bicep b/modules/authorization/policy-exemption/tests/e2e/rg.min/main.test.bicep
deleted file mode 100644
index 49828f611d..0000000000
--- a/modules/authorization/policy-exemption/tests/e2e/rg.min/main.test.bicep
+++ /dev/null
@@ -1,55 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-authorization.policyexemptions-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'apergmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
- name: 'dep-${namePrefix}-${serviceShort}-rgloc'
- location: location
- properties: {
- displayName: '[Depedency] Audit resource location matches resource group location (management group scope)'
- policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../resource-group/main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- policyAssignmentId: policyAssignment.id
- }
-}
diff --git a/modules/authorization/policy-exemption/tests/e2e/sub.common/main.test.bicep b/modules/authorization/policy-exemption/tests/e2e/sub.common/main.test.bicep
deleted file mode 100644
index ac0f4d16eb..0000000000
--- a/modules/authorization/policy-exemption/tests/e2e/sub.common/main.test.bicep
+++ /dev/null
@@ -1,114 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'apesubcom'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
- name: 'dep-${namePrefix}-polDef-AuditKvlt-${serviceShort}'
- properties: {
- policyRule: {
- if: {
- allOf: [
- {
- equals: 'Microsoft.KeyVault/vaults'
- field: 'type'
- }
- ]
- }
- then: {
- effect: '[parameters(\'effect\')]'
- }
- }
- parameters: {
- effect: {
- allowedValues: [
- 'Audit'
- ]
- defaultValue: 'Audit'
- type: 'String'
- }
- }
- }
-}
-
-resource policySet 'Microsoft.Authorization/policySetDefinitions@2021-06-01' = {
- name: 'dep-${namePrefix}-polSet-${serviceShort}'
- properties: {
- policyDefinitions: [
- {
- parameters: {
- effect: {
- value: 'Audit'
- }
- }
- policyDefinitionId: policyDefinition.id
- policyDefinitionReferenceId: policyDefinition.name
- }
- ]
- }
-}
-
-resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
- name: 'dep-${namePrefix}-psa-${serviceShort}'
- location: location
- properties: {
- displayName: 'Test case assignment'
- policyDefinitionId: policySet.id
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../subscription/main.bicep' = {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- policyAssignmentId: policySetAssignment.id
- displayName: '[Display Name] policy exempt (subscription scope)'
- exemptionCategory: 'Waiver'
- expiresOn: '2025-10-02T03:57:00Z'
- metadata: {
- category: 'Security'
- }
- assignmentScopeValidation: 'Default'
- description: 'My description'
- resourceSelectors: [
- {
- name: 'TemporaryMitigation'
- selectors: [
- {
- kind: 'resourceLocation'
- in: [
- 'westcentralus'
- ]
- }
- ]
- }
- ]
- policyDefinitionReferenceIds: [
- policySet.properties.policyDefinitions[0].policyDefinitionReferenceId
- ]
- }
-}
diff --git a/modules/authorization/policy-exemption/tests/e2e/sub.min/main.test.bicep b/modules/authorization/policy-exemption/tests/e2e/sub.min/main.test.bicep
deleted file mode 100644
index c3a5b57b44..0000000000
--- a/modules/authorization/policy-exemption/tests/e2e/sub.min/main.test.bicep
+++ /dev/null
@@ -1,45 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'apesubmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
- name: 'dep-${namePrefix}-${serviceShort}-rgloc'
- location: location
- properties: {
- displayName: '[Depedency] Audit resource location matches resource group location (management group scope)'
- policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../subscription/main.bicep' = {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- policyAssignmentId: policyAssignment.id
- }
-}
diff --git a/modules/authorization/policy-exemption/version.json b/modules/authorization/policy-exemption/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/authorization/policy-exemption/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/authorization/policy-set-definition/README.md b/modules/authorization/policy-set-definition/README.md index 7cca9b5479..7d85c3e0b9 100644 --- a/modules/authorization/policy-set-definition/README.md +++ b/modules/authorization/policy-set-definition/README.md @@ -1,663 +1,7 @@ -# Policy Set Definitions (Initiatives) (All scopes) `[Microsoft.Authorization/policySetDefinitions]` +

⚠️ Retired ⚠️

-This module deploys a Policy Set Definition (Initiative) at a Management Group or Subscription scope. +This module has been retired without a replacement in Azure Verified Modules ([AVM](https://aka.ms/AVM)). -## Navigation +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/authorization/policy-set-definition). -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/policySetDefinitions` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-06-01/policySetDefinitions) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/authorization.policy-set-definition:1.0.0`. - -- [Mg.Common](#example-1-mgcommon) -- [Mg.Min](#example-2-mgmin) -- [Sub.Common](#example-3-subcommon) -- [Sub.Min](#example-4-submin) - -### Example 1: _Mg.Common_ - -
- -via Bicep module - -```bicep -module policySetDefinition 'br:bicep/modules/authorization.policy-set-definition:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-apsdmgcom' - params: { - // Required parameters - name: 'apsdmgcom001' - policyDefinitions: [ - { - groupNames: [ - 'ARM' - ] - parameters: { - listOfAllowedLocations: { - value: [ - 'australiaeast' - ] - } - } - policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c' - policyDefinitionReferenceId: 'Allowed locations_1' - } - { - groupNames: [ - 'ARM' - ] - parameters: { - listOfAllowedLocations: { - value: [ - 'australiaeast' - ] - } - } - policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988' - policyDefinitionReferenceId: 'Allowed locations for resource groups_1' - } - ] - // Non-required parameters - description: '[Description] This policy set definition is deployed at management group scope' - displayName: '[DisplayName] This policy set definition is deployed at management group scope' - enableDefaultTelemetry: '' - metadata: { - category: 'Security' - version: '1' - } - policyDefinitionGroups: [ - { - name: 'Network' - } - { - name: 'ARM' - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "apsdmgcom001" - }, - "policyDefinitions": { - "value": [ - { - "groupNames": [ - "ARM" - ], - "parameters": { - "listOfAllowedLocations": { - "value": [ - "australiaeast" - ] - } - }, - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c", - "policyDefinitionReferenceId": "Allowed locations_1" - }, - { - "groupNames": [ - "ARM" - ], - "parameters": { - "listOfAllowedLocations": { - "value": [ - "australiaeast" - ] - } - }, - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988", - "policyDefinitionReferenceId": "Allowed locations for resource groups_1" - } - ] - }, - // Non-required parameters - "description": { - "value": "[Description] This policy set definition is deployed at management group scope" - }, - "displayName": { - "value": "[DisplayName] This policy set definition is deployed at management group scope" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "metadata": { - "value": { - "category": "Security", - "version": "1" - } - }, - "policyDefinitionGroups": { - "value": [ - { - "name": "Network" - }, - { - "name": "ARM" - } - ] - } - } -} -``` - -
-

- -### Example 2: _Mg.Min_ - -

- -via Bicep module - -```bicep -module policySetDefinition 'br:bicep/modules/authorization.policy-set-definition:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-apsdmgmin' - params: { - // Required parameters - name: 'apsdmgmin001' - policyDefinitions: [ - { - parameters: { - listOfAllowedLocations: { - value: [ - 'australiaeast' - ] - } - } - policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c' - } - ] - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "apsdmgmin001" - }, - "policyDefinitions": { - "value": [ - { - "parameters": { - "listOfAllowedLocations": { - "value": [ - "australiaeast" - ] - } - }, - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c" - } - ] - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 3: _Sub.Common_ - -

- -via Bicep module - -```bicep -module policySetDefinition 'br:bicep/modules/authorization.policy-set-definition:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-apsdsubcom' - params: { - // Required parameters - name: 'apsdsubcom001' - policyDefinitions: [ - { - groupNames: [ - 'ARM' - ] - parameters: { - listOfAllowedLocations: { - value: [ - 'australiaeast' - ] - } - } - policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c' - policyDefinitionReferenceId: 'Allowed locations_1' - } - { - groupNames: [ - 'ARM' - ] - parameters: { - listOfAllowedLocations: { - value: [ - 'australiaeast' - ] - } - } - policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988' - policyDefinitionReferenceId: 'Allowed locations for resource groups_1' - } - ] - // Non-required parameters - description: '[Description] This policy set definition is deployed at subscription scope' - displayName: '[DisplayName] This policy set definition is deployed at subscription scope' - enableDefaultTelemetry: '' - metadata: { - category: 'Security' - version: '1' - } - policyDefinitionGroups: [ - { - name: 'Network' - } - { - name: 'ARM' - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "apsdsubcom001" - }, - "policyDefinitions": { - "value": [ - { - "groupNames": [ - "ARM" - ], - "parameters": { - "listOfAllowedLocations": { - "value": [ - "australiaeast" - ] - } - }, - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c", - "policyDefinitionReferenceId": "Allowed locations_1" - }, - { - "groupNames": [ - "ARM" - ], - "parameters": { - "listOfAllowedLocations": { - "value": [ - "australiaeast" - ] - } - }, - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988", - "policyDefinitionReferenceId": "Allowed locations for resource groups_1" - } - ] - }, - // Non-required parameters - "description": { - "value": "[Description] This policy set definition is deployed at subscription scope" - }, - "displayName": { - "value": "[DisplayName] This policy set definition is deployed at subscription scope" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "metadata": { - "value": { - "category": "Security", - "version": "1" - } - }, - "policyDefinitionGroups": { - "value": [ - { - "name": "Network" - }, - { - "name": "ARM" - } - ] - } - } -} -``` - -
-

- -### Example 4: _Sub.Min_ - -

- -via Bicep module - -```bicep -module policySetDefinition 'br:bicep/modules/authorization.policy-set-definition:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-apsdsubmin' - params: { - // Required parameters - name: 'apsdsubmin001' - policyDefinitions: [ - { - parameters: { - listOfAllowedLocations: { - value: [ - 'australiaeast' - ] - } - } - policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c' - } - ] - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "apsdsubmin001" - }, - "policyDefinitions": { - "value": [ - { - "parameters": { - "listOfAllowedLocations": { - "value": [ - "australiaeast" - ] - } - }, - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c" - } - ] - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Specifies the name of the policy Set Definition (Initiative). | -| [`policyDefinitions`](#parameter-policydefinitions) | array | The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`description`](#parameter-description) | string | The description name of the Set Definition (Initiative). | -| [`displayName`](#parameter-displayname) | string | The display name of the Set Definition (Initiative). Maximum length is 128 characters. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location deployment metadata. | -| [`managementGroupId`](#parameter-managementgroupid) | string | The group ID of the Management Group (Scope). If not provided, will use the current scope for deployment. | -| [`metadata`](#parameter-metadata) | object | The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | -| [`parameters`](#parameter-parameters) | object | The Set Definition (Initiative) parameters that can be used in policy definition references. | -| [`policyDefinitionGroups`](#parameter-policydefinitiongroups) | array | The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). | -| [`subscriptionId`](#parameter-subscriptionid) | string | The subscription ID of the subscription (Scope). Cannot be used with managementGroupId. | - -### Parameter: `name` - -Specifies the name of the policy Set Definition (Initiative). 
- -- Required: Yes -- Type: string - -### Parameter: `policyDefinitions` - -The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters. - -- Required: Yes -- Type: array - -### Parameter: `description` - -The description name of the Set Definition (Initiative). - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `displayName` - -The display name of the Set Definition (Initiative). Maximum length is 128 characters. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location deployment metadata. - -- Required: No -- Type: string -- Default: `[deployment().location]` - -### Parameter: `managementGroupId` - -The group ID of the Management Group (Scope). If not provided, will use the current scope for deployment. - -- Required: No -- Type: string -- Default: `[managementGroup().name]` - -### Parameter: `metadata` - -The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `parameters` - -The Set Definition (Initiative) parameters that can be used in policy definition references. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `policyDefinitionGroups` - -The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `subscriptionId` - -The subscription ID of the subscription (Scope). Cannot be used with managementGroupId. - -- Required: No -- Type: string -- Default: `''` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Policy Set Definition Name. 
| -| `resourceId` | string | Policy Set Definition resource ID. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Module Usage Guidance - -In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `main.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](main.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/main.bicep'](./subscription/main.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module. - -The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If you do not set the scope to management group, this would be the error that you can expect to face: - -```bicep -Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup" -``` - -The solution is to have the option of directly targeting the sub-module that achieves the required scope. For example, if you have your own Bicep file wanting to create resources at the subscription level, and also use some of the modules from the `Microsoft.Authorization` namespace, then you can directly use the sub-module ['/subscription/main.bicep'](./subscription/main.bicep) as a path within your repository, or reference that same published module from the bicep registry. 
CARML also published the sub-modules so you would be able to reference it like the following: - -**Bicep Registry Reference** -```bicep -module policysetdefinition 'br:bicepregistry.azurecr.io/bicep/modules/authorization.policy-set-definition.subscription:version' = {} -``` -**Local Path Reference** -```bicep -module policysetdefinition 'yourpath/module/authorization/policy-set-definition/subscription/main.bicep' = {} -``` - -### Parameter Usage: `managementGroupId` - -To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module. - - -

- -Parameter JSON format - -```json -"managementGroupId": { - "value": "contoso-group" -} -``` - -
- - -
- -Bicep format - -```bicep -managementGroupId: 'contoso-group' -``` - -
-

- -> `managementGroupId` is an optional parameter. If not provided, the deployment will use the management group defined in the current deployment scope (i.e. `managementGroup().name`). - -### Parameter Usage: `subscriptionId` - -To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. **Example**: - -

- -Parameter JSON format - -```json -"subscriptionId": { - "value": "12345678-b049-471c-95af-123456789012" -} -``` - -
- - -
- -Bicep format - -```bicep -subscriptionId: '12345678-b049-471c-95af-123456789012' -``` - -
-

+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/authorization/policy-set-definition/main.bicep b/modules/authorization/policy-set-definition/main.bicep
deleted file mode 100644
index c011271cdc..0000000000
--- a/modules/authorization/policy-set-definition/main.bicep
+++ /dev/null
@@ -1,93 +0,0 @@
-metadata name = 'Policy Set Definitions (Initiatives) (All scopes)'
-metadata description = 'This module deploys a Policy Set Definition (Initiative) at a Management Group or Subscription scope.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'managementGroup'
-
-@sys.description('Required. Specifies the name of the policy Set Definition (Initiative).')
-@maxLength(64)
-param name string
-
-@sys.description('Optional. The display name of the Set Definition (Initiative). Maximum length is 128 characters.')
-@maxLength(128)
-param displayName string = ''
-
-@sys.description('Optional. The description name of the Set Definition (Initiative).')
-param description string = ''
-
-@sys.description('Optional. The group ID of the Management Group (Scope). If not provided, will use the current scope for deployment.')
-param managementGroupId string = managementGroup().name
-
-@sys.description('Optional. The subscription ID of the subscription (Scope). Cannot be used with managementGroupId.')
-param subscriptionId string = ''
-
-@sys.description('Optional. The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
-param metadata object = {}
-
-@sys.description('Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters.')
-param policyDefinitions array
-
-@sys.description('Optional. The metadata describing groups of policy definition references within the Policy Set Definition (Initiative).')
-param policyDefinitionGroups array = []
-
-@sys.description('Optional. The Set Definition (Initiative) parameters that can be used in policy definition references.')
-param parameters object = {}
-
-@sys.description('Optional. Location deployment metadata.')
-param location string = deployment().location
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- location: location
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-module policySetDefinition_mg 'management-group/main.bicep' = if (empty(subscriptionId)) {
- name: '${uniqueString(deployment().name, location)}-PolicySetDefinition-MG-Module'
- scope: managementGroup(managementGroupId)
- params: {
- name: name
- displayName: !empty(displayName) ? displayName : ''
- description: !empty(description) ? description : ''
- metadata: !empty(metadata) ? metadata : {}
- parameters: !empty(parameters) ? parameters : {}
- policyDefinitions: policyDefinitions
- policyDefinitionGroups: !empty(policyDefinitionGroups) ? policyDefinitionGroups : []
- location: location
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module policySetDefinition_sub 'subscription/main.bicep' = if (!empty(subscriptionId)) {
- name: '${uniqueString(deployment().name, location)}-PolicySetDefinition-Sub-Module'
- scope: subscription(subscriptionId)
- params: {
- name: name
- displayName: !empty(displayName) ? displayName : ''
- description: !empty(description) ? description : ''
- metadata: !empty(metadata) ? metadata : {}
- parameters: !empty(parameters) ? parameters : {}
- policyDefinitions: policyDefinitions
- policyDefinitionGroups: !empty(policyDefinitionGroups) ? policyDefinitionGroups : []
- location: location
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-@sys.description('Policy Set Definition Name.')
-output name string = empty(subscriptionId) ? policySetDefinition_mg.outputs.name : policySetDefinition_sub.outputs.name
-
-@sys.description('Policy Set Definition resource ID.')
-output resourceId string = empty(subscriptionId) ? policySetDefinition_mg.outputs.resourceId : policySetDefinition_sub.outputs.resourceId
diff --git a/modules/authorization/policy-set-definition/main.json b/modules/authorization/policy-set-definition/main.json
deleted file mode 100644
index 36759a1b88..0000000000
--- a/modules/authorization/policy-set-definition/main.json
+++ /dev/null
@@ -1,447 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13920267319234015315" - }, - "name": "Policy Set Definitions (Initiatives) (All scopes)", - "description": "This module deploys a Policy Set Definition (Initiative) at a Management Group or Subscription scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. Specifies the name of the policy Set Definition (Initiative)." - } - }, - "displayName": { - "type": "string", - "defaultValue": "", - "maxLength": 128, - "metadata": { - "description": "Optional. The display name of the Set Definition (Initiative). Maximum length is 128 characters." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description name of the Set Definition (Initiative)." - } - }, - "managementGroupId": { - "type": "string", - "defaultValue": "[managementGroup().name]", - "metadata": { - "description": "Optional. The group ID of the Management Group (Scope). If not provided, will use the current scope for deployment." - } - }, - "subscriptionId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The subscription ID of the subscription (Scope). Cannot be used with managementGroupId." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs." - } - }, - "policyDefinitions": { - "type": "array", - "metadata": { - "description": "Required. The array of Policy definitions object to include for this policy set. 
Each object must include the Policy definition ID, and optionally other properties like parameters." - } - }, - "policyDefinitionGroups": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The metadata describing groups of policy definition references within the Policy Set Definition (Initiative)." - } - }, - "parameters": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The Set Definition (Initiative) parameters that can be used in policy definition references." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "condition": "[empty(parameters('subscriptionId'))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PolicySetDefinition-MG-Module', uniqueString(deployment().name, parameters('location')))]", - "scope": "[format('Microsoft.Management/managementGroups/{0}', parameters('managementGroupId'))]", - "location": "[deployment().location]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": 
"Incremental", - "parameters": { - "name": { - "value": "[parameters('name')]" - }, - "displayName": "[if(not(empty(parameters('displayName'))), createObject('value', parameters('displayName')), createObject('value', ''))]", - "description": "[if(not(empty(parameters('description'))), createObject('value', parameters('description')), createObject('value', ''))]", - "metadata": "[if(not(empty(parameters('metadata'))), createObject('value', parameters('metadata')), createObject('value', createObject()))]", - "parameters": "[if(not(empty(parameters('parameters'))), createObject('value', parameters('parameters')), createObject('value', createObject()))]", - "policyDefinitions": { - "value": "[parameters('policyDefinitions')]" - }, - "policyDefinitionGroups": "[if(not(empty(parameters('policyDefinitionGroups'))), createObject('value', parameters('policyDefinitionGroups')), createObject('value', createArray()))]", - "location": { - "value": "[parameters('location')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11109083846476796782" - }, - "name": "Policy Set Definitions (Initiatives) (Management Group scope)", - "description": "This module deploys a Policy Set Definition (Initiative) at a Management Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. Specifies the name of the policy Set Definition (Initiative)." - } - }, - "displayName": { - "type": "string", - "defaultValue": "", - "maxLength": 128, - "metadata": { - "description": "Optional. The display name of the Set Definition (Initiative). Maximum length is 128 characters." 
- } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description name of the Set Definition (Initiative)." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs." - } - }, - "policyDefinitions": { - "type": "array", - "metadata": { - "description": "Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters." - } - }, - "policyDefinitionGroups": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The metadata describing groups of policy definition references within the Policy Set Definition (Initiative)." - } - }, - "parameters": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The Set Definition (Initiative) parameters that can be used in policy definition references." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", - "name": "[parameters('name')]", - "properties": { - "policyType": "Custom", - "displayName": "[if(not(empty(parameters('displayName'))), parameters('displayName'), null())]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "metadata": "[if(not(empty(parameters('metadata'))), parameters('metadata'), null())]", - "parameters": "[if(not(empty(parameters('parameters'))), parameters('parameters'), null())]", - "policyDefinitions": "[parameters('policyDefinitions')]", - "policyDefinitionGroups": "[if(not(empty(parameters('policyDefinitionGroups'))), parameters('policyDefinitionGroups'), createArray())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "Policy Set Definition Name." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Policy Set Definition resource ID." 
- }, - "value": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policySetDefinitions', parameters('name'))]" - } - } - } - } - }, - { - "condition": "[not(empty(parameters('subscriptionId')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PolicySetDefinition-Sub-Module', uniqueString(deployment().name, parameters('location')))]", - "subscriptionId": "[parameters('subscriptionId')]", - "location": "[deployment().location]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('name')]" - }, - "displayName": "[if(not(empty(parameters('displayName'))), createObject('value', parameters('displayName')), createObject('value', ''))]", - "description": "[if(not(empty(parameters('description'))), createObject('value', parameters('description')), createObject('value', ''))]", - "metadata": "[if(not(empty(parameters('metadata'))), createObject('value', parameters('metadata')), createObject('value', createObject()))]", - "parameters": "[if(not(empty(parameters('parameters'))), createObject('value', parameters('parameters')), createObject('value', createObject()))]", - "policyDefinitions": { - "value": "[parameters('policyDefinitions')]" - }, - "policyDefinitionGroups": "[if(not(empty(parameters('policyDefinitionGroups'))), createObject('value', parameters('policyDefinitionGroups')), createObject('value', createArray()))]", - "location": { - "value": "[parameters('location')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "14930393896542927337" - }, - "name": "Policy Set Definitions 
(Initiatives) (Subscription scope)", - "description": "This module deploys a Policy Set Definition (Initiative) at a Subscription scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. Specifies the name of the policy Set Definition (Initiative). Maximum length is 64 characters for subscription scope." - } - }, - "displayName": { - "type": "string", - "defaultValue": "", - "maxLength": 128, - "metadata": { - "description": "Optional. The display name of the Set Definition (Initiative). Maximum length is 128 characters." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description name of the Set Definition (Initiative)." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs." - } - }, - "policyDefinitions": { - "type": "array", - "metadata": { - "description": "Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters." - } - }, - "policyDefinitionGroups": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The metadata describing groups of policy definition references within the Policy Set Definition (Initiative)." - } - }, - "parameters": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The Set Definition (Initiative) parameters that can be used in policy definition references." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", - "name": "[parameters('name')]", - "properties": { - "policyType": "Custom", - "displayName": "[if(not(empty(parameters('displayName'))), parameters('displayName'), null())]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "metadata": "[if(not(empty(parameters('metadata'))), parameters('metadata'), null())]", - "parameters": "[if(not(empty(parameters('parameters'))), parameters('parameters'), null())]", - "policyDefinitions": "[parameters('policyDefinitions')]", - "policyDefinitionGroups": "[if(not(empty(parameters('policyDefinitionGroups'))), parameters('policyDefinitionGroups'), createArray())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "Policy Set Definition Name." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Policy Set Definition resource ID." 
- }, - "value": "[subscriptionResourceId('Microsoft.Authorization/policySetDefinitions', parameters('name'))]" - } - } - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "Policy Set Definition Name." - }, - "value": "[if(empty(parameters('subscriptionId')), reference(extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', parameters('managementGroupId')), 'Microsoft.Resources/deployments', format('{0}-PolicySetDefinition-MG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value, reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-PolicySetDefinition-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value)]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Policy Set Definition resource ID." - }, - "value": "[if(empty(parameters('subscriptionId')), reference(extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', parameters('managementGroupId')), 'Microsoft.Resources/deployments', format('{0}-PolicySetDefinition-MG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value, reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-PolicySetDefinition-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value)]" - } - } -} \ No newline at end of file diff --git a/modules/authorization/policy-set-definition/management-group/README.md b/modules/authorization/policy-set-definition/management-group/README.md deleted file mode 100644 index b34845fcab..0000000000 --- a/modules/authorization/policy-set-definition/management-group/README.md +++ /dev/null 
@@ -1,119 +0,0 @@ -# Policy Set Definitions (Initiatives) (Management Group scope) `[Microsoft.Authorization/policySetDefinitions]` - -This module deploys a Policy Set Definition (Initiative) at a Management Group scope. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/policySetDefinitions` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-06-01/policySetDefinitions) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Specifies the name of the policy Set Definition (Initiative). | -| [`policyDefinitions`](#parameter-policydefinitions) | array | The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`description`](#parameter-description) | string | The description name of the Set Definition (Initiative). | -| [`displayName`](#parameter-displayname) | string | The display name of the Set Definition (Initiative). Maximum length is 128 characters. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location deployment metadata. | -| [`metadata`](#parameter-metadata) | object | The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | -| [`parameters`](#parameter-parameters) | object | The Set Definition (Initiative) parameters that can be used in policy definition references. 
| -| [`policyDefinitionGroups`](#parameter-policydefinitiongroups) | array | The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). | - -### Parameter: `name` - -Specifies the name of the policy Set Definition (Initiative). - -- Required: Yes -- Type: string - -### Parameter: `policyDefinitions` - -The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters. - -- Required: Yes -- Type: array - -### Parameter: `description` - -The description name of the Set Definition (Initiative). - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `displayName` - -The display name of the Set Definition (Initiative). Maximum length is 128 characters. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location deployment metadata. - -- Required: No -- Type: string -- Default: `[deployment().location]` - -### Parameter: `metadata` - -The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `parameters` - -The Set Definition (Initiative) parameters that can be used in policy definition references. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `policyDefinitionGroups` - -The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). - -- Required: No -- Type: array -- Default: `[]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Policy Set Definition Name. | -| `resourceId` | string | Policy Set Definition resource ID. | - -## Cross-referenced modules - -_None_ 
diff --git a/modules/authorization/policy-set-definition/management-group/main.bicep b/modules/authorization/policy-set-definition/management-group/main.bicep
deleted file mode 100644
index 29f7971392..0000000000
--- a/modules/authorization/policy-set-definition/management-group/main.bicep
+++ /dev/null
@@ -1,66 +0,0 @@
-metadata name = 'Policy Set Definitions (Initiatives) (Management Group scope)'
-metadata description = 'This module deploys a Policy Set Definition (Initiative) at a Management Group scope.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'managementGroup'
-
-@sys.description('Required. Specifies the name of the policy Set Definition (Initiative).')
-@maxLength(64)
-param name string
-
-@sys.description('Optional. The display name of the Set Definition (Initiative). Maximum length is 128 characters.')
-@maxLength(128)
-param displayName string = ''
-
-@sys.description('Optional. The description name of the Set Definition (Initiative).')
-param description string = ''
-
-@sys.description('Optional. The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
-param metadata object = {}
-
-@sys.description('Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters.')
-param policyDefinitions array
-
-@sys.description('Optional. The metadata describing groups of policy definition references within the Policy Set Definition (Initiative).')
-param policyDefinitionGroups array = []
-
-@sys.description('Optional. The Set Definition (Initiative) parameters that can be used in policy definition references.')
-param parameters object = {}
-
-@sys.description('Optional. Location deployment metadata.')
-param location string = deployment().location
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- location: location
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource policySetDefinition 'Microsoft.Authorization/policySetDefinitions@2021-06-01' = {
- name: name
- properties: {
- policyType: 'Custom'
- displayName: !empty(displayName) ? displayName : null
- description: !empty(description) ? description : null
- metadata: !empty(metadata) ? metadata : null
- parameters: !empty(parameters) ? parameters : null
- policyDefinitions: policyDefinitions
- policyDefinitionGroups: !empty(policyDefinitionGroups) ? policyDefinitionGroups : []
- }
-}
-
-@sys.description('Policy Set Definition Name.')
-output name string = policySetDefinition.name
-
-@sys.description('Policy Set Definition resource ID.')
-output resourceId string = policySetDefinition.id
diff --git a/modules/authorization/policy-set-definition/management-group/main.json b/modules/authorization/policy-set-definition/management-group/main.json
deleted file mode 100644
index c83e9df9dd..0000000000
--- a/modules/authorization/policy-set-definition/management-group/main.json
+++ /dev/null
@@ -1,126 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11109083846476796782" - }, - "name": "Policy Set Definitions (Initiatives) (Management Group scope)", - "description": "This module deploys a Policy Set Definition (Initiative) at a Management Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. Specifies the name of the policy Set Definition (Initiative)." - } - }, - "displayName": { - "type": "string", - "defaultValue": "", - "maxLength": 128, - "metadata": { - "description": "Optional. The display name of the Set Definition (Initiative). Maximum length is 128 characters." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description name of the Set Definition (Initiative)." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs." - } - }, - "policyDefinitions": { - "type": "array", - "metadata": { - "description": "Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters." - } - }, - "policyDefinitionGroups": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The metadata describing groups of policy definition references within the Policy Set Definition (Initiative)." - } - }, - "parameters": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. 
The Set Definition (Initiative) parameters that can be used in policy definition references." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", - "name": "[parameters('name')]", - "properties": { - "policyType": "Custom", - "displayName": "[if(not(empty(parameters('displayName'))), parameters('displayName'), null())]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "metadata": "[if(not(empty(parameters('metadata'))), parameters('metadata'), null())]", - "parameters": "[if(not(empty(parameters('parameters'))), parameters('parameters'), null())]", - "policyDefinitions": "[parameters('policyDefinitions')]", - "policyDefinitionGroups": "[if(not(empty(parameters('policyDefinitionGroups'))), parameters('policyDefinitionGroups'), createArray())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "Policy Set Definition Name." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Policy Set Definition resource ID." - }, - "value": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policySetDefinitions', parameters('name'))]" - } - } -} \ No newline at end of file diff --git a/modules/authorization/policy-set-definition/management-group/version.json b/modules/authorization/policy-set-definition/management-group/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/authorization/policy-set-definition/management-group/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/authorization/policy-set-definition/subscription/README.md b/modules/authorization/policy-set-definition/subscription/README.md deleted file mode 100644 index 1b567eeea5..0000000000 --- a/modules/authorization/policy-set-definition/subscription/README.md +++ /dev/null 
@@ -1,119 +0,0 @@ -# Policy Set Definitions (Initiatives) (Subscription scope) `[Microsoft.Authorization/policySetDefinitions]` - -This module deploys a Policy Set Definition (Initiative) at a Subscription scope. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/policySetDefinitions` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-06-01/policySetDefinitions) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Specifies the name of the policy Set Definition (Initiative). Maximum length is 64 characters for subscription scope. | -| [`policyDefinitions`](#parameter-policydefinitions) | array | The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`description`](#parameter-description) | string | The description name of the Set Definition (Initiative). | -| [`displayName`](#parameter-displayname) | string | The display name of the Set Definition (Initiative). Maximum length is 128 characters. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location deployment metadata. | -| [`metadata`](#parameter-metadata) | object | The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | -| [`parameters`](#parameter-parameters) | object | The Set Definition (Initiative) parameters that can be used in policy definition references. 
| -| [`policyDefinitionGroups`](#parameter-policydefinitiongroups) | array | The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). | - -### Parameter: `name` - -Specifies the name of the policy Set Definition (Initiative). Maximum length is 64 characters for subscription scope. - -- Required: Yes -- Type: string - -### Parameter: `policyDefinitions` - -The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters. - -- Required: Yes -- Type: array - -### Parameter: `description` - -The description name of the Set Definition (Initiative). - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `displayName` - -The display name of the Set Definition (Initiative). Maximum length is 128 characters. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location deployment metadata. - -- Required: No -- Type: string -- Default: `[deployment().location]` - -### Parameter: `metadata` - -The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `parameters` - -The Set Definition (Initiative) parameters that can be used in policy definition references. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `policyDefinitionGroups` - -The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). - -- Required: No -- Type: array -- Default: `[]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Policy Set Definition Name. | -| `resourceId` | string | Policy Set Definition resource ID. 
| - -## Cross-referenced modules - -_None_ diff --git a/modules/authorization/policy-set-definition/subscription/main.bicep b/modules/authorization/policy-set-definition/subscription/main.bicep deleted file mode 100644 index 0442dc4946..0000000000 --- a/modules/authorization/policy-set-definition/subscription/main.bicep +++ /dev/null 
@@ -1,66 +0,0 @@
-metadata name = 'Policy Set Definitions (Initiatives) (Subscription scope)'
-metadata description = 'This module deploys a Policy Set Definition (Initiative) at a Subscription scope.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'subscription'
-
-@sys.description('Required. Specifies the name of the policy Set Definition (Initiative). Maximum length is 64 characters for subscription scope.')
-@maxLength(64)
-param name string
-
-@sys.description('Optional. The display name of the Set Definition (Initiative). Maximum length is 128 characters.')
-@maxLength(128)
-param displayName string = ''
-
-@sys.description('Optional. The description name of the Set Definition (Initiative).')
-param description string = ''
-
-@sys.description('Optional. The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
-param metadata object = {}
-
-@sys.description('Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters.')
-param policyDefinitions array
-
-@sys.description('Optional. The metadata describing groups of policy definition references within the Policy Set Definition (Initiative).')
-param policyDefinitionGroups array = []
-
-@sys.description('Optional. The Set Definition (Initiative) parameters that can be used in policy definition references.')
-param parameters object = {}
-
-@sys.description('Optional. Location deployment metadata.')
-param location string = deployment().location
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- location: location
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource policySetDefinition 'Microsoft.Authorization/policySetDefinitions@2021-06-01' = {
- name: name
- properties: {
- policyType: 'Custom'
- displayName: !empty(displayName) ? displayName : null
- description: !empty(description) ? description : null
- metadata: !empty(metadata) ? metadata : null
- parameters: !empty(parameters) ? parameters : null
- policyDefinitions: policyDefinitions
- policyDefinitionGroups: !empty(policyDefinitionGroups) ? policyDefinitionGroups : []
- }
-}
-
-@sys.description('Policy Set Definition Name.')
-output name string = policySetDefinition.name
-
-@sys.description('Policy Set Definition resource ID.')
-output resourceId string = policySetDefinition.id
diff --git a/modules/authorization/policy-set-definition/subscription/main.json b/modules/authorization/policy-set-definition/subscription/main.json
deleted file mode 100644
index d75060d8dd..0000000000
--- a/modules/authorization/policy-set-definition/subscription/main.json
+++ /dev/null
@@ -1,126 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "14930393896542927337" - }, - "name": "Policy Set Definitions (Initiatives) (Subscription scope)", - "description": "This module deploys a Policy Set Definition (Initiative) at a Subscription scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. Specifies the name of the policy Set Definition (Initiative). Maximum length is 64 characters for subscription scope." - } - }, - "displayName": { - "type": "string", - "defaultValue": "", - "maxLength": 128, - "metadata": { - "description": "Optional. The display name of the Set Definition (Initiative). Maximum length is 128 characters." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description name of the Set Definition (Initiative)." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs." - } - }, - "policyDefinitions": { - "type": "array", - "metadata": { - "description": "Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters." - } - }, - "policyDefinitionGroups": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The metadata describing groups of policy definition references within the Policy Set Definition (Initiative)." - } - }, - "parameters": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. 
The Set Definition (Initiative) parameters that can be used in policy definition references." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", - "name": "[parameters('name')]", - "properties": { - "policyType": "Custom", - "displayName": "[if(not(empty(parameters('displayName'))), parameters('displayName'), null())]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "metadata": "[if(not(empty(parameters('metadata'))), parameters('metadata'), null())]", - "parameters": "[if(not(empty(parameters('parameters'))), parameters('parameters'), null())]", - "policyDefinitions": "[parameters('policyDefinitions')]", - "policyDefinitionGroups": "[if(not(empty(parameters('policyDefinitionGroups'))), parameters('policyDefinitionGroups'), createArray())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "Policy Set Definition Name." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Policy Set Definition resource ID." - }, - "value": "[subscriptionResourceId('Microsoft.Authorization/policySetDefinitions', parameters('name'))]" - } - } -} \ No newline at end of file diff --git a/modules/authorization/policy-set-definition/subscription/version.json b/modules/authorization/policy-set-definition/subscription/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/authorization/policy-set-definition/subscription/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/authorization/policy-set-definition/tests/e2e/mg.common/main.test.bicep b/modules/authorization/policy-set-definition/tests/e2e/mg.common/main.test.bicep deleted file mode 100644 index 0f5653cc1f..0000000000 --- a/modules/authorization/policy-set-definition/tests/e2e/mg.common/main.test.bicep +++ /dev/null 
@@ -1,71 +0,0 @@
-targetScope = 'managementGroup'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'apsdmgcom'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../management-group/main.bicep' = {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- policyDefinitions: [
- {
- groupNames: [
- 'ARM'
- ]
- parameters: {
- listOfAllowedLocations: {
- value: [
- 'australiaeast'
- ]
- }
- }
- policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c'
- policyDefinitionReferenceId: 'Allowed locations_1'
- }
- {
- groupNames: [
- 'ARM'
- ]
- parameters: {
- listOfAllowedLocations: {
- value: [
- 'australiaeast'
- ]
- }
- }
- policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988'
- policyDefinitionReferenceId: 'Allowed locations for resource groups_1'
- }
- ]
- // Non-required parameters
- description: '[Description] This policy set definition is deployed at management group scope'
- displayName: '[DisplayName] This policy set definition is deployed at management group scope'
- metadata: {
- category: 'Security'
- version: '1'
- }
- policyDefinitionGroups: [
- {
- name: 'Network'
- }
- {
- name: 'ARM'
- }
- ]
- }
-}
diff --git a/modules/authorization/policy-set-definition/tests/e2e/mg.min/main.test.bicep b/modules/authorization/policy-set-definition/tests/e2e/mg.min/main.test.bicep
deleted file mode 100644
index 8ad45325f9..0000000000
--- a/modules/authorization/policy-set-definition/tests/e2e/mg.min/main.test.bicep
+++ /dev/null
@@ -1,38 +0,0 @@
-targetScope = 'managementGroup'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'apsdmgmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../management-group/main.bicep' = {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- policyDefinitions: [
- {
- parameters: {
- listOfAllowedLocations: {
- value: [
- 'australiaeast'
- ]
- }
- }
- policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c'
- }
- ]
- }
-}
diff --git a/modules/authorization/policy-set-definition/tests/e2e/sub.common/main.test.bicep b/modules/authorization/policy-set-definition/tests/e2e/sub.common/main.test.bicep
deleted file mode 100644
index dfe66dba51..0000000000
--- a/modules/authorization/policy-set-definition/tests/e2e/sub.common/main.test.bicep
+++ /dev/null
@@ -1,71 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'apsdsubcom'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../subscription/main.bicep' = {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- policyDefinitions: [
- {
- groupNames: [
- 'ARM'
- ]
- parameters: {
- listOfAllowedLocations: {
- value: [
- 'australiaeast'
- ]
- }
- }
- policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c'
- policyDefinitionReferenceId: 'Allowed locations_1'
- }
- {
- groupNames: [
- 'ARM'
- ]
- parameters: {
- listOfAllowedLocations: {
- value: [
- 'australiaeast'
- ]
- }
- }
- policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988'
- policyDefinitionReferenceId: 'Allowed locations for resource groups_1'
- }
- ]
- // Non-required parameters
- description: '[Description] This policy set definition is deployed at subscription scope'
- displayName: '[DisplayName] This policy set definition is deployed at subscription scope'
- metadata: {
- category: 'Security'
- version: '1'
- }
- policyDefinitionGroups: [
- {
- name: 'Network'
- }
- {
- name: 'ARM'
- }
- ]
- }
-}
diff --git a/modules/authorization/policy-set-definition/tests/e2e/sub.min/main.test.bicep b/modules/authorization/policy-set-definition/tests/e2e/sub.min/main.test.bicep
deleted file mode 100644
index 9057a849b5..0000000000
--- a/modules/authorization/policy-set-definition/tests/e2e/sub.min/main.test.bicep
+++ /dev/null
@@ -1,38 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'apsdsubmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../subscription/main.bicep' = {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- policyDefinitions: [
- {
- parameters: {
- listOfAllowedLocations: {
- value: [
- 'australiaeast'
- ]
- }
- }
- policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c'
- }
- ]
- }
-}
diff --git a/modules/authorization/policy-set-definition/version.json b/modules/authorization/policy-set-definition/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/authorization/policy-set-definition/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/authorization/role-assignment/README.md b/modules/authorization/role-assignment/README.md
index f71f9cf46a..6027b0c16e 100644
--- a/modules/authorization/role-assignment/README.md +++ b/modules/authorization/role-assignment/README.md @@ -1,655 +1,7 @@ -# Role Assignments (All scopes) `[Microsoft.Authorization/roleAssignments]` +

⚠️ Moved to AVM ⚠️

-This module deploys a Role Assignment at a Management Group, Subscription or Resource Group scope. +**This module has been evolved into the following AVM module: [avm/ptn/authorization/role-assignment](https://github.com/Azure/bicep-registry-modules/tree/main/avm/ptn/authorization/role-assignment).** -## Navigation +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/authorization/role-assignment). -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/authorization.role-assignment:1.0.0`. - -- [Mg.Common](#example-1-mgcommon) -- [Mg.Min](#example-2-mgmin) -- [Rg.Common](#example-3-rgcommon) -- [Rg.Min](#example-4-rgmin) -- [Sub.Common](#example-5-subcommon) -- [Sub.Min](#example-6-submin) - -### Example 1: _Mg.Common_ - -
- -via Bicep module - -```bicep -module roleAssignment 'br:bicep/modules/authorization.role-assignment:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-aramgcom' - params: { - // Required parameters - principalId: '' - roleDefinitionIdOrName: 'Backup Reader' - // Non-required parameters - description: 'Role Assignment (management group scope)' - enableDefaultTelemetry: '' - managementGroupId: '' - principalType: 'ServicePrincipal' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "principalId": { - "value": "" - }, - "roleDefinitionIdOrName": { - "value": "Backup Reader" - }, - // Non-required parameters - "description": { - "value": "Role Assignment (management group scope)" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "managementGroupId": { - "value": "" - }, - "principalType": { - "value": "ServicePrincipal" - } - } -} -``` - -
-

- -### Example 2: _Mg.Min_ - -

- -via Bicep module - -```bicep -module roleAssignment 'br:bicep/modules/authorization.role-assignment:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-aramgmin' - params: { - // Required parameters - principalId: '' - roleDefinitionIdOrName: 'Storage Queue Data Reader' - // Non-required parameters - enableDefaultTelemetry: '' - principalType: 'ServicePrincipal' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "principalId": { - "value": "" - }, - "roleDefinitionIdOrName": { - "value": "Storage Queue Data Reader" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "principalType": { - "value": "ServicePrincipal" - } - } -} -``` - -
-

- -### Example 3: _Rg.Common_ - -

- -via Bicep module - -```bicep -module roleAssignment 'br:bicep/modules/authorization.role-assignment:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-arargcom' - params: { - // Required parameters - principalId: '' - roleDefinitionIdOrName: 'Backup Reader' - // Non-required parameters - description: 'Role Assignment (resource group scope)' - enableDefaultTelemetry: '' - principalType: 'ServicePrincipal' - resourceGroupName: '' - subscriptionId: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "principalId": { - "value": "" - }, - "roleDefinitionIdOrName": { - "value": "Backup Reader" - }, - // Non-required parameters - "description": { - "value": "Role Assignment (resource group scope)" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "principalType": { - "value": "ServicePrincipal" - }, - "resourceGroupName": { - "value": "" - }, - "subscriptionId": { - "value": "" - } - } -} -``` - -
-

- -### Example 4: _Rg.Min_ - -

- -via Bicep module - -```bicep -module roleAssignment 'br:bicep/modules/authorization.role-assignment:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-arargmin' - params: { - // Required parameters - principalId: '' - roleDefinitionIdOrName: 'Storage Queue Data Reader' - // Non-required parameters - enableDefaultTelemetry: '' - principalType: 'ServicePrincipal' - resourceGroupName: '' - subscriptionId: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "principalId": { - "value": "" - }, - "roleDefinitionIdOrName": { - "value": "Storage Queue Data Reader" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "principalType": { - "value": "ServicePrincipal" - }, - "resourceGroupName": { - "value": "" - }, - "subscriptionId": { - "value": "" - } - } -} -``` - -
-

- -### Example 5: _Sub.Common_ - -

- -via Bicep module - -```bicep -module roleAssignment 'br:bicep/modules/authorization.role-assignment:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-arasubcom' - params: { - // Required parameters - principalId: '' - roleDefinitionIdOrName: 'Backup Reader' - // Non-required parameters - description: 'Role Assignment (subscription scope)' - enableDefaultTelemetry: '' - principalType: 'ServicePrincipal' - subscriptionId: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "principalId": { - "value": "" - }, - "roleDefinitionIdOrName": { - "value": "Backup Reader" - }, - // Non-required parameters - "description": { - "value": "Role Assignment (subscription scope)" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "principalType": { - "value": "ServicePrincipal" - }, - "subscriptionId": { - "value": "" - } - } -} -``` - -
-

- -### Example 6: _Sub.Min_ - -

- -via Bicep module - -```bicep -module roleAssignment 'br:bicep/modules/authorization.role-assignment:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-arasubmin' - params: { - // Required parameters - principalId: '' - roleDefinitionIdOrName: 'Storage Queue Data Reader' - // Non-required parameters - enableDefaultTelemetry: '' - principalType: 'ServicePrincipal' - subscriptionId: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "principalId": { - "value": "" - }, - "roleDefinitionIdOrName": { - "value": "Storage Queue Data Reader" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "principalType": { - "value": "ServicePrincipal" - }, - "subscriptionId": { - "value": "" - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-principalid) | string | The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). | -| [`roleDefinitionIdOrName`](#parameter-roledefinitionidorname) | string | You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-condition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. | -| [`conditionVersion`](#parameter-conditionversion) | string | Version of the condition. Currently accepted value is "2.0". | -| [`delegatedManagedIdentityResourceId`](#parameter-delegatedmanagedidentityresourceid) | string | ID of the delegated managed identity resource. | -| [`description`](#parameter-description) | string | The description of the role assignment. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location deployment metadata. | -| [`managementGroupId`](#parameter-managementgroupid) | string | Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment. | -| [`principalType`](#parameter-principaltype) | string | The principal type of the assigned principal ID. | -| [`resourceGroupName`](#parameter-resourcegroupname) | string | Name of the Resource Group to assign the RBAC role to. If Resource Group name is provided, and Subscription ID is provided, the module deploys at resource group level, therefore assigns the provided RBAC role to the resource group. 
| -| [`subscriptionId`](#parameter-subscriptionid) | string | Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. | - -### Parameter: `principalId` - -The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). - -- Required: Yes -- Type: string - -### Parameter: `roleDefinitionIdOrName` - -You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `conditionVersion` - -Version of the condition. Currently accepted value is "2.0". - -- Required: No -- Type: string -- Default: `'2.0'` -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `delegatedManagedIdentityResourceId` - -ID of the delegated managed identity resource. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `description` - -The description of the role assignment. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location deployment metadata. - -- Required: No -- Type: string -- Default: `[deployment().location]` - -### Parameter: `managementGroupId` - -Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment. - -- Required: No -- Type: string -- Default: `[managementGroup().name]` - -### Parameter: `principalType` - -The principal type of the assigned principal ID. 
- -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `resourceGroupName` - -Name of the Resource Group to assign the RBAC role to. If Resource Group name is provided, and Subscription ID is provided, the module deploys at resource group level, therefore assigns the provided RBAC role to the resource group. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `subscriptionId` - -Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. - -- Required: No -- Type: string -- Default: `''` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The GUID of the Role Assignment. | -| `resourceId` | string | The resource ID of the Role Assignment. | -| `scope` | string | The scope this Role Assignment applies to. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Module Usage Guidance - -In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `main.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](main.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/main.bicep'](./subscription/main.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module. 
- -The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If you do not set the scope to management group, this would be the error that you can expect to face: - -```bicep -Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup" -``` - -The solution is to have the option of directly targeting the sub-module that achieves the required scope. For example, if you have your own Bicep file wanting to create resources at the subscription level, and also use some of the modules from the `Microsoft.Authorization` namespace, then you can directly use the sub-module ['/subscription/main.bicep'](./subscription/main.bicep) as a path within your repository, or reference that same published module from the bicep registry. CARML also published the sub-modules so you would be able to reference it like the following: - -**Bicep Registry Reference** -```bicep -module roleassignment 'br:bicepregistry.azurecr.io/bicep/modules/authorization.role-assignment.subscription:version' = {} -``` -**Local Path Reference** -```bicep -module roleassignment 'yourpath/module/authorization/role-assignment/subscription/main.bicep' = {} -``` - -### Parameter Usage: `managementGroupId` - -To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module. - - -

- -Parameter JSON format - -```json -"managementGroupId": { - "value": "contoso-group" -} -``` - -
- - -
- -Bicep format - -```bicep -managementGroupId: 'contoso-group' -``` - -
-

- -> `managementGroupId` is an optional parameter. If not provided, the deployment will use the management group defined in the current deployment scope (i.e. `managementGroup().name`). - -### Parameter Usage: `subscriptionId` - -To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. **Example**: - -

- -Parameter JSON format - -```json -"subscriptionId": { - "value": "12345678-b049-471c-95af-123456789012" -} -``` - -
- -
- -Bicep format - -```bicep -subscriptionId: '12345678-b049-471c-95af-123456789012' -``` - -
-

- -### Parameter Usage: `resourceGroupName` - -To deploy resource to a Resource Group, provide the `subscriptionId` and `resourceGroupName` as an input parameter to the module. **Example**: - -

- -Parameter JSON format - -```json -"subscriptionId": { - "value": "12345678-b049-471c-95af-123456789012" -}, -"resourceGroupName": { - "value": "target-resourceGroup" -} -``` - -
- - -
- -Bicep format - -```bicep -subscriptionId: '12345678-b049-471c-95af-123456789012' -resourceGroupName: 'target-resourceGroup' -``` - -
-

-
-> The `subscriptionId` is used to enable deployment to a Resource Group Scope, allowing the use of the `resourceGroup()` function from a Management Group Scope. [Additional Details](https://github.com/Azure/bicep/pull/1420).
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/authorization/role-assignment/main.bicep b/modules/authorization/role-assignment/main.bicep
deleted file mode 100644
index 829c6f4267..0000000000
--- a/modules/authorization/role-assignment/main.bicep
+++ /dev/null
@@ -1,127 +0,0 @@
-metadata name = 'Role Assignments (All scopes)'
-metadata description = 'This module deploys a Role Assignment at a Management Group, Subscription or Resource Group scope.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'managementGroup'
-
-@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleDefinitionIdOrName string
-
-@sys.description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity).')
-param principalId string
-
-@sys.description('Optional. Name of the Resource Group to assign the RBAC role to. If Resource Group name is provided, and Subscription ID is provided, the module deploys at resource group level, therefore assigns the provided RBAC role to the resource group.')
-param resourceGroupName string = ''
-
-@sys.description('Optional. Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription.')
-param subscriptionId string = ''
-
-@sys.description('Optional. Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment.')
-param managementGroupId string = managementGroup().name
-
-@sys.description('Optional. Location deployment metadata.')
-param location string = deployment().location
-
-@sys.description('Optional. The description of the role assignment.')
-param description string = ''
-
-@sys.description('Optional. ID of the delegated managed identity resource.')
-param delegatedManagedIdentityResourceId string = ''
-
-@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to.')
-param condition string = ''
-
-@sys.description('Optional. Version of the condition. Currently accepted value is "2.0".')
-@allowed([
- '2.0'
-])
-param conditionVersion string = '2.0'
-
-@sys.description('Optional. The principal type of the assigned principal ID.')
-@allowed([
- 'ServicePrincipal'
- 'Group'
- 'User'
- 'ForeignGroup'
- 'Device'
- ''
-])
-param principalType string = ''
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- location: location
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-module roleAssignment_mg 'management-group/main.bicep' = if (empty(subscriptionId) && empty(resourceGroupName)) {
- name: '${uniqueString(deployment().name, location)}-RoleAssignment-MG-Module'
- scope: managementGroup(managementGroupId)
- params: {
- roleDefinitionIdOrName: roleDefinitionIdOrName
- principalId: principalId
- managementGroupId: managementGroupId
- description: !empty(description) ? description : ''
- principalType: !empty(principalType) ? principalType : ''
- delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : ''
- conditionVersion: conditionVersion
- condition: !empty(condition) ? condition : ''
- location: location
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module roleAssignment_sub 'subscription/main.bicep' = if (!empty(subscriptionId) && empty(resourceGroupName)) {
- name: '${uniqueString(deployment().name, location)}-RoleAssignment-Sub-Module'
- scope: subscription(subscriptionId)
- params: {
- roleDefinitionIdOrName: roleDefinitionIdOrName
- principalId: principalId
- subscriptionId: subscriptionId
- description: !empty(description) ? description : ''
- principalType: !empty(principalType) ? principalType : ''
- delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : ''
- conditionVersion: conditionVersion
- condition: !empty(condition) ? condition : ''
- location: location
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module roleAssignment_rg 'resource-group/main.bicep' = if (!empty(resourceGroupName) && !empty(subscriptionId)) {
- name: '${uniqueString(deployment().name, location)}-RoleAssignment-RG-Module'
- scope: resourceGroup(subscriptionId, resourceGroupName)
- params: {
- roleDefinitionIdOrName: roleDefinitionIdOrName
- principalId: principalId
- subscriptionId: subscriptionId
- resourceGroupName: resourceGroupName
- description: !empty(description) ? description : ''
- principalType: !empty(principalType) ? principalType : ''
- delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : ''
- conditionVersion: conditionVersion
- condition: !empty(condition) ? condition : ''
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-@sys.description('The GUID of the Role Assignment.')
-output name string = empty(subscriptionId) && empty(resourceGroupName) ? roleAssignment_mg.outputs.name : (!empty(subscriptionId) && empty(resourceGroupName) ? roleAssignment_sub.outputs.name : roleAssignment_rg.outputs.name)
-
-@sys.description('The resource ID of the Role Assignment.')
-output resourceId string = empty(subscriptionId) && empty(resourceGroupName) ? roleAssignment_mg.outputs.resourceId : (!empty(subscriptionId) && empty(resourceGroupName) ? roleAssignment_sub.outputs.resourceId : roleAssignment_rg.outputs.resourceId)
-
-@sys.description('The scope this Role Assignment applies to.')
-output scope string = empty(subscriptionId) && empty(resourceGroupName) ? roleAssignment_mg.outputs.scope : (!empty(subscriptionId) && empty(resourceGroupName) ? roleAssignment_sub.outputs.scope : roleAssignment_rg.outputs.scope)
diff --git a/modules/authorization/role-assignment/main.json b/modules/authorization/role-assignment/main.json
deleted file mode 100644
index 118704a484..0000000000
--- a/modules/authorization/role-assignment/main.json
+++ /dev/null
@@ -1,750 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2663041221460783528" - }, - "name": "Role Assignments (All scopes)", - "description": "This module deploys a Role Assignment at a Management Group, Subscription or Resource Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)." - } - }, - "resourceGroupName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the Resource Group to assign the RBAC role to. If Resource Group name is provided, and Subscription ID is provided, the module deploys at resource group level, therefore assigns the provided RBAC role to the resource group." - } - }, - "subscriptionId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription." - } - }, - "managementGroupId": { - "type": "string", - "defaultValue": "[managementGroup().name]", - "metadata": { - "description": "Optional. Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment." 
- } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. ID of the delegated managed identity resource." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition. Currently accepted value is \"2.0\"." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "condition": "[and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-RoleAssignment-MG-Module', uniqueString(deployment().name, parameters('location')))]", - "scope": "[format('Microsoft.Management/managementGroups/{0}', parameters('managementGroupId'))]", - "location": "[deployment().location]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "roleDefinitionIdOrName": { - "value": "[parameters('roleDefinitionIdOrName')]" - }, - "principalId": { - "value": "[parameters('principalId')]" - }, - "managementGroupId": { - "value": "[parameters('managementGroupId')]" - }, - "description": "[if(not(empty(parameters('description'))), createObject('value', parameters('description')), createObject('value', ''))]", - "principalType": "[if(not(empty(parameters('principalType'))), createObject('value', parameters('principalType')), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), createObject('value', parameters('delegatedManagedIdentityResourceId')), createObject('value', ''))]", - "conditionVersion": { - "value": "[parameters('conditionVersion')]" - }, - "condition": 
"[if(not(empty(parameters('condition'))), createObject('value', parameters('condition')), createObject('value', ''))]", - "location": { - "value": "[parameters('location')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16507104263145087588" - }, - "name": "Role Assignments (Management Group scope)", - "description": "This module deploys a Role Assignment at a Management Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)." - } - }, - "managementGroupId": { - "type": "string", - "defaultValue": "[managementGroup().name]", - "metadata": { - "description": "Optional. Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. ID of the delegated managed identity resource." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
The conditions on the role assignment. This limits the resources it can be assigned to." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition. Currently accepted value is \"2.0\"." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - }, - "roleDefinitionIdVar": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], 
parameters('roleDefinitionIdOrName'))]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(parameters('managementGroupId'), variables('roleDefinitionIdVar'), parameters('principalId'))]", - "properties": { - "roleDefinitionId": "[variables('roleDefinitionIdVar')]", - "principalId": "[parameters('principalId')]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The GUID of the Role Assignment." - }, - "value": "[guid(parameters('managementGroupId'), variables('roleDefinitionIdVar'), parameters('principalId'))]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Role Assignment." 
- }, - "value": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/roleAssignments', guid(parameters('managementGroupId'), variables('roleDefinitionIdVar'), parameters('principalId')))]" - }, - "scope": { - "type": "string", - "metadata": { - "description": "The scope this Role Assignment applies to." - }, - "value": "[resourceId('Microsoft.Management/managementGroups', parameters('managementGroupId'))]" - } - } - } - } - }, - { - "condition": "[and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-RoleAssignment-Sub-Module', uniqueString(deployment().name, parameters('location')))]", - "subscriptionId": "[parameters('subscriptionId')]", - "location": "[deployment().location]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "roleDefinitionIdOrName": { - "value": "[parameters('roleDefinitionIdOrName')]" - }, - "principalId": { - "value": "[parameters('principalId')]" - }, - "subscriptionId": { - "value": "[parameters('subscriptionId')]" - }, - "description": "[if(not(empty(parameters('description'))), createObject('value', parameters('description')), createObject('value', ''))]", - "principalType": "[if(not(empty(parameters('principalType'))), createObject('value', parameters('principalType')), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), createObject('value', parameters('delegatedManagedIdentityResourceId')), createObject('value', ''))]", - "conditionVersion": { - "value": "[parameters('conditionVersion')]" - }, - "condition": "[if(not(empty(parameters('condition'))), createObject('value', parameters('condition')), createObject('value', ''))]", - "location": { - "value": "[parameters('location')]" - }, - "enableDefaultTelemetry": { - "value": 
"[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4504500051244266304" - }, - "name": "Role Assignments (Subscription scope)", - "description": "This module deploys a Role Assignment at a Subscription scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)." - } - }, - "subscriptionId": { - "type": "string", - "defaultValue": "[subscription().subscriptionId]", - "metadata": { - "description": "Optional. Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. ID of the delegated managed identity resource." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. 
Location deployment metadata." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition. Currently accepted value is \"2.0\"." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - }, - "roleDefinitionIdVar": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - 
"properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(parameters('subscriptionId'), variables('roleDefinitionIdVar'), parameters('principalId'))]", - "properties": { - "roleDefinitionId": "[variables('roleDefinitionIdVar')]", - "principalId": "[parameters('principalId')]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The GUID of the Role Assignment." - }, - "value": "[guid(parameters('subscriptionId'), variables('roleDefinitionIdVar'), parameters('principalId'))]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Role Assignment." - }, - "value": "[subscriptionResourceId('Microsoft.Authorization/roleAssignments', guid(parameters('subscriptionId'), variables('roleDefinitionIdVar'), parameters('principalId')))]" - }, - "scope": { - "type": "string", - "metadata": { - "description": "The scope this Role Assignment applies to." 
- }, - "value": "[subscription().id]" - } - } - } - } - }, - { - "condition": "[and(not(empty(parameters('resourceGroupName'))), not(empty(parameters('subscriptionId'))))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-RoleAssignment-RG-Module', uniqueString(deployment().name, parameters('location')))]", - "subscriptionId": "[parameters('subscriptionId')]", - "resourceGroup": "[parameters('resourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "roleDefinitionIdOrName": { - "value": "[parameters('roleDefinitionIdOrName')]" - }, - "principalId": { - "value": "[parameters('principalId')]" - }, - "subscriptionId": { - "value": "[parameters('subscriptionId')]" - }, - "resourceGroupName": { - "value": "[parameters('resourceGroupName')]" - }, - "description": "[if(not(empty(parameters('description'))), createObject('value', parameters('description')), createObject('value', ''))]", - "principalType": "[if(not(empty(parameters('principalType'))), createObject('value', parameters('principalType')), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), createObject('value', parameters('delegatedManagedIdentityResourceId')), createObject('value', ''))]", - "conditionVersion": { - "value": "[parameters('conditionVersion')]" - }, - "condition": "[if(not(empty(parameters('condition'))), createObject('value', parameters('condition')), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6411559413209094837" - }, - "name": "Role Assignments 
(Resource Group scope)", - "description": "This module deploys a Role Assignment at a Resource Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)." - } - }, - "resourceGroupName": { - "type": "string", - "defaultValue": "[resourceGroup().name]", - "metadata": { - "description": "Optional. Name of the Resource Group to assign the RBAC role to. If not provided, will use the current scope for deployment." - } - }, - "subscriptionId": { - "type": "string", - "defaultValue": "[subscription().subscriptionId]", - "metadata": { - "description": "Optional. Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. ID of the delegated managed identity resource." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition. Currently accepted value is \"2.0\"." 
- } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - }, - "roleDefinitionIdVar": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": 
"[guid(parameters('subscriptionId'), parameters('resourceGroupName'), variables('roleDefinitionIdVar'), parameters('principalId'))]", - "properties": { - "roleDefinitionId": "[variables('roleDefinitionIdVar')]", - "principalId": "[parameters('principalId')]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The GUID of the Role Assignment." - }, - "value": "[guid(parameters('subscriptionId'), parameters('resourceGroupName'), variables('roleDefinitionIdVar'), parameters('principalId'))]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Role Assignment." - }, - "value": "[resourceId('Microsoft.Authorization/roleAssignments', guid(parameters('subscriptionId'), parameters('resourceGroupName'), variables('roleDefinitionIdVar'), parameters('principalId')))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the role assignment was applied at." - }, - "value": "[resourceGroup().name]" - }, - "scope": { - "type": "string", - "metadata": { - "description": "The scope this Role Assignment applies to." - }, - "value": "[resourceGroup().id]" - } - } - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The GUID of the Role Assignment." 
- }, - "value": "[if(and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName'))), reference(extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', parameters('managementGroupId')), 'Microsoft.Resources/deployments', format('{0}-RoleAssignment-MG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value, if(and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName'))), reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-RoleAssignment-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('subscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-RoleAssignment-RG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value))]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Role Assignment." 
- }, - "value": "[if(and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName'))), reference(extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', parameters('managementGroupId')), 'Microsoft.Resources/deployments', format('{0}-RoleAssignment-MG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value, if(and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName'))), reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-RoleAssignment-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('subscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-RoleAssignment-RG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value))]" - }, - "scope": { - "type": "string", - "metadata": { - "description": "The scope this Role Assignment applies to." 
- }, - "value": "[if(and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName'))), reference(extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', parameters('managementGroupId')), 'Microsoft.Resources/deployments', format('{0}-RoleAssignment-MG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.scope.value, if(and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName'))), reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-RoleAssignment-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.scope.value, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('subscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-RoleAssignment-RG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.scope.value))]" - } - } -} \ No newline at end of file diff --git a/modules/authorization/role-assignment/management-group/README.md b/modules/authorization/role-assignment/management-group/README.md deleted file mode 100644 index e021e05271..0000000000 --- a/modules/authorization/role-assignment/management-group/README.md +++ /dev/null 
@@ -1,146 +0,0 @@ -# Role Assignments (Management Group scope) `[Microsoft.Authorization/roleAssignments]` - -This module deploys a Role Assignment at a Management Group scope. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-principalid) | string | The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). | -| [`roleDefinitionIdOrName`](#parameter-roledefinitionidorname) | string | You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-condition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. | -| [`conditionVersion`](#parameter-conditionversion) | string | Version of the condition. Currently accepted value is "2.0". | -| [`delegatedManagedIdentityResourceId`](#parameter-delegatedmanagedidentityresourceid) | string | ID of the delegated managed identity resource. | -| [`description`](#parameter-description) | string | The description of the role assignment. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location deployment metadata. 
| -| [`managementGroupId`](#parameter-managementgroupid) | string | Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment. | -| [`principalType`](#parameter-principaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `principalId` - -The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). - -- Required: Yes -- Type: string - -### Parameter: `roleDefinitionIdOrName` - -You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `conditionVersion` - -Version of the condition. Currently accepted value is "2.0". - -- Required: No -- Type: string -- Default: `'2.0'` -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `delegatedManagedIdentityResourceId` - -ID of the delegated managed identity resource. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `description` - -The description of the role assignment. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location deployment metadata. - -- Required: No -- Type: string -- Default: `[deployment().location]` - -### Parameter: `managementGroupId` - -Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment. 
-
-- Required: No
-- Type: string
-- Default: `[managementGroup().name]`
-
-### Parameter: `principalType`
-
-The principal type of the assigned principal ID.
-
-- Required: No
-- Type: string
-- Default: `''`
-- Allowed:
- ```Bicep
- [
- ''
- 'Device'
- 'ForeignGroup'
- 'Group'
- 'ServicePrincipal'
- 'User'
- ]
- ```
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The GUID of the Role Assignment. |
-| `resourceId` | string | The resource ID of the Role Assignment. |
-| `scope` | string | The scope this Role Assignment applies to. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/authorization/role-assignment/management-group/main.bicep b/modules/authorization/role-assignment/management-group/main.bicep
deleted file mode 100644
index 382599a094..0000000000
--- a/modules/authorization/role-assignment/management-group/main.bicep
+++ /dev/null
@@ -1,92 +0,0 @@
-metadata name = 'Role Assignments (Management Group scope)'
-metadata description = 'This module deploys a Role Assignment at a Management Group scope.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'managementGroup'
-
-@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleDefinitionIdOrName string
-
-@sys.description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity).')
-param principalId string
-
-@sys.description('Optional. Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment.')
-param managementGroupId string = managementGroup().name
-
-@sys.description('Optional. The description of the role assignment.')
-param description string = ''
-
-@sys.description('Optional. ID of the delegated managed identity resource.')
-param delegatedManagedIdentityResourceId string = ''
-
-@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to.')
-param condition string = ''
-
-@sys.description('Optional. Version of the condition. Currently accepted value is "2.0".')
-@allowed([
- '2.0'
-])
-param conditionVersion string = '2.0'
-
-@sys.description('Optional. The principal type of the assigned principal ID.')
-@allowed([
- 'ServicePrincipal'
- 'Group'
- 'User'
- 'ForeignGroup'
- 'Device'
- ''
-])
-param principalType string = ''
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@sys.description('Optional. Location deployment metadata.')
-param location string = deployment().location
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Resource Policy Contributor': '/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608'
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-var roleDefinitionIdVar = (contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName)
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- location: location
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(managementGroupId, roleDefinitionIdVar, principalId)
- properties: {
- roleDefinitionId: roleDefinitionIdVar
- principalId: principalId
- description: !empty(description) ? description : null
- principalType: !empty(principalType) ? any(principalType) : null
- delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
- conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
- condition: !empty(condition) ? condition : null
- }
-}
-
-@sys.description('The GUID of the Role Assignment.')
-output name string = roleAssignment.name
-
-@sys.description('The resource ID of the Role Assignment.')
-output resourceId string = roleAssignment.id
-
-@sys.description('The scope this Role Assignment applies to.')
-output scope string = az.resourceId('Microsoft.Management/managementGroups', managementGroupId)
diff --git a/modules/authorization/role-assignment/management-group/main.json b/modules/authorization/role-assignment/management-group/main.json
deleted file mode 100644
index 5db7c6f28e..0000000000
--- a/modules/authorization/role-assignment/management-group/main.json
+++ /dev/null
@@ -1,160 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16507104263145087588" - }, - "name": "Role Assignments (Management Group scope)", - "description": "This module deploys a Role Assignment at a Management Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)." - } - }, - "managementGroupId": { - "type": "string", - "defaultValue": "[managementGroup().name]", - "metadata": { - "description": "Optional. Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. ID of the delegated managed identity resource." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition. 
Currently accepted value is \"2.0\"." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - }, - "roleDefinitionIdVar": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, 
parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(parameters('managementGroupId'), variables('roleDefinitionIdVar'), parameters('principalId'))]", - "properties": { - "roleDefinitionId": "[variables('roleDefinitionIdVar')]", - "principalId": "[parameters('principalId')]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The GUID of the Role Assignment." - }, - "value": "[guid(parameters('managementGroupId'), variables('roleDefinitionIdVar'), parameters('principalId'))]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Role Assignment." - }, - "value": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/roleAssignments', guid(parameters('managementGroupId'), variables('roleDefinitionIdVar'), parameters('principalId')))]" - }, - "scope": { - "type": "string", - "metadata": { - "description": "The scope this Role Assignment applies to." 
- }, - "value": "[resourceId('Microsoft.Management/managementGroups', parameters('managementGroupId'))]" - } - } -} \ No newline at end of file
diff --git a/modules/authorization/role-assignment/management-group/version.json b/modules/authorization/role-assignment/management-group/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/authorization/role-assignment/management-group/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/authorization/role-assignment/resource-group/README.md b/modules/authorization/role-assignment/resource-group/README.md
deleted file mode 100644
index 1a09562d67..0000000000
--- a/modules/authorization/role-assignment/resource-group/README.md
+++ /dev/null
@@ -1,147 +0,0 @@ -# Role Assignments (Resource Group scope) `[Microsoft.Authorization/roleAssignments]` - -This module deploys a Role Assignment at a Resource Group scope. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-principalid) | string | The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). | -| [`roleDefinitionIdOrName`](#parameter-roledefinitionidorname) | string | You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-condition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. | -| [`conditionVersion`](#parameter-conditionversion) | string | Version of the condition. Currently accepted value is "2.0". | -| [`delegatedManagedIdentityResourceId`](#parameter-delegatedmanagedidentityresourceid) | string | ID of the delegated managed identity resource. | -| [`description`](#parameter-description) | string | The description of the role assignment. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`principalType`](#parameter-principaltype) | string | The principal type of the assigned principal ID. 
| -| [`resourceGroupName`](#parameter-resourcegroupname) | string | Name of the Resource Group to assign the RBAC role to. If not provided, will use the current scope for deployment. | -| [`subscriptionId`](#parameter-subscriptionid) | string | Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment. | - -### Parameter: `principalId` - -The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). - -- Required: Yes -- Type: string - -### Parameter: `roleDefinitionIdOrName` - -You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `conditionVersion` - -Version of the condition. Currently accepted value is "2.0". - -- Required: No -- Type: string -- Default: `'2.0'` -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `delegatedManagedIdentityResourceId` - -ID of the delegated managed identity resource. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `description` - -The description of the role assignment. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `resourceGroupName` - -Name of the Resource Group to assign the RBAC role to. 
If not provided, will use the current scope for deployment.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().name]`
-
-### Parameter: `subscriptionId`
-
-Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment.
-
-- Required: No
-- Type: string
-- Default: `[subscription().subscriptionId]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The GUID of the Role Assignment. |
-| `resourceGroupName` | string | The name of the resource group the role assignment was applied at. |
-| `resourceId` | string | The resource ID of the Role Assignment. |
-| `scope` | string | The scope this Role Assignment applies to. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/authorization/role-assignment/resource-group/main.bicep b/modules/authorization/role-assignment/resource-group/main.bicep
deleted file mode 100644
index 4382d3694d..0000000000
--- a/modules/authorization/role-assignment/resource-group/main.bicep
+++ /dev/null
@@ -1,93 +0,0 @@
-metadata name = 'Role Assignments (Resource Group scope)'
-metadata description = 'This module deploys a Role Assignment at a Resource Group scope.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'resourceGroup'
-
-@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleDefinitionIdOrName string
-
-@sys.description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity).')
-param principalId string
-
-@sys.description('Optional. Name of the Resource Group to assign the RBAC role to. If not provided, will use the current scope for deployment.')
-param resourceGroupName string = resourceGroup().name
-
-@sys.description('Optional. Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment.')
-param subscriptionId string = subscription().subscriptionId
-
-@sys.description('Optional. The description of the role assignment.')
-param description string = ''
-
-@sys.description('Optional. ID of the delegated managed identity resource.')
-param delegatedManagedIdentityResourceId string = ''
-
-@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to.')
-param condition string = ''
-
-@sys.description('Optional. Version of the condition. Currently accepted value is "2.0".')
-@allowed([
- '2.0'
-])
-param conditionVersion string = '2.0'
-
-@sys.description('Optional. The principal type of the assigned principal ID.')
-@allowed([
- 'ServicePrincipal'
- 'Group'
- 'User'
- 'ForeignGroup'
- 'Device'
- ''
-])
-param principalType string = ''
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-var roleDefinitionIdVar = (contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName)
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(subscriptionId, resourceGroupName, roleDefinitionIdVar, principalId)
- properties: {
- roleDefinitionId: roleDefinitionIdVar
- principalId: principalId
- description: !empty(description) ? description : null
- principalType: !empty(principalType) ? any(principalType) : null
- delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
- conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
- condition: !empty(condition) ? condition : null
- }
-}
-
-@sys.description('The GUID of the Role Assignment.')
-output name string = roleAssignment.name
-
-@sys.description('The resource ID of the Role Assignment.')
-output resourceId string = roleAssignment.id
-
-@sys.description('The name of the resource group the role assignment was applied at.')
-output resourceGroupName string = resourceGroup().name
-
-@sys.description('The scope this Role Assignment applies to.')
-output scope string = resourceGroup().id
diff --git a/modules/authorization/role-assignment/resource-group/main.json b/modules/authorization/role-assignment/resource-group/main.json
deleted file mode 100644
index 44381a2b4c..0000000000
--- a/modules/authorization/role-assignment/resource-group/main.json
+++ /dev/null
@@ -1,165 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6411559413209094837" - }, - "name": "Role Assignments (Resource Group scope)", - "description": "This module deploys a Role Assignment at a Resource Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)." - } - }, - "resourceGroupName": { - "type": "string", - "defaultValue": "[resourceGroup().name]", - "metadata": { - "description": "Optional. Name of the Resource Group to assign the RBAC role to. If not provided, will use the current scope for deployment." - } - }, - "subscriptionId": { - "type": "string", - "defaultValue": "[subscription().subscriptionId]", - "metadata": { - "description": "Optional. Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. ID of the delegated managed identity resource." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition. Currently accepted value is \"2.0\"." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - }, - "roleDefinitionIdVar": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": 
{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(parameters('subscriptionId'), parameters('resourceGroupName'), variables('roleDefinitionIdVar'), parameters('principalId'))]", - "properties": { - "roleDefinitionId": "[variables('roleDefinitionIdVar')]", - "principalId": "[parameters('principalId')]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The GUID of the Role Assignment." - }, - "value": "[guid(parameters('subscriptionId'), parameters('resourceGroupName'), variables('roleDefinitionIdVar'), parameters('principalId'))]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Role Assignment." - }, - "value": "[resourceId('Microsoft.Authorization/roleAssignments', guid(parameters('subscriptionId'), parameters('resourceGroupName'), variables('roleDefinitionIdVar'), parameters('principalId')))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the role assignment was applied at." 
- }, - "value": "[resourceGroup().name]" - }, - "scope": { - "type": "string", - "metadata": { - "description": "The scope this Role Assignment applies to." - }, - "value": "[resourceGroup().id]" - } - } -} \ No newline at end of file diff --git a/modules/authorization/role-assignment/resource-group/version.json b/modules/authorization/role-assignment/resource-group/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/authorization/role-assignment/resource-group/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/authorization/role-assignment/subscription/README.md b/modules/authorization/role-assignment/subscription/README.md deleted file mode 100644 index 7f0b4ada16..0000000000 --- a/modules/authorization/role-assignment/subscription/README.md +++ /dev/null 
@@ -1,146 +0,0 @@ -# Role Assignments (Subscription scope) `[Microsoft.Authorization/roleAssignments]` - -This module deploys a Role Assignment at a Subscription scope. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-principalid) | string | The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). | -| [`roleDefinitionIdOrName`](#parameter-roledefinitionidorname) | string | You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-condition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. | -| [`conditionVersion`](#parameter-conditionversion) | string | Version of the condition. Currently accepted value is "2.0". | -| [`delegatedManagedIdentityResourceId`](#parameter-delegatedmanagedidentityresourceid) | string | ID of the delegated managed identity resource. | -| [`description`](#parameter-description) | string | The description of the role assignment. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location deployment metadata. 
| -| [`principalType`](#parameter-principaltype) | string | The principal type of the assigned principal ID. | -| [`subscriptionId`](#parameter-subscriptionid) | string | Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment. | - -### Parameter: `principalId` - -The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). - -- Required: Yes -- Type: string - -### Parameter: `roleDefinitionIdOrName` - -You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `conditionVersion` - -Version of the condition. Currently accepted value is "2.0". - -- Required: No -- Type: string -- Default: `'2.0'` -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `delegatedManagedIdentityResourceId` - -ID of the delegated managed identity resource. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `description` - -The description of the role assignment. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location deployment metadata. - -- Required: No -- Type: string -- Default: `[deployment().location]` - -### Parameter: `principalType` - -The principal type of the assigned principal ID. 
- -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `subscriptionId` - -Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment. - -- Required: No -- Type: string -- Default: `[subscription().subscriptionId]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The GUID of the Role Assignment. | -| `resourceId` | string | The resource ID of the Role Assignment. | -| `scope` | string | The scope this Role Assignment applies to. | - -## Cross-referenced modules - -_None_ diff --git a/modules/authorization/role-assignment/subscription/main.bicep b/modules/authorization/role-assignment/subscription/main.bicep deleted file mode 100644 index 277e9c2a15..0000000000 --- a/modules/authorization/role-assignment/subscription/main.bicep +++ /dev/null 
@@ -1,90 +0,0 @@
-metadata name = 'Role Assignments (Subscription scope)'
-metadata description = 'This module deploys a Role Assignment at a Subscription scope.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'subscription'
-
-@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleDefinitionIdOrName string
-
-@sys.description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity).')
-param principalId string
-
-@sys.description('Optional. Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment.')
-param subscriptionId string = subscription().subscriptionId
-
-@sys.description('Optional. The description of the role assignment.')
-param description string = ''
-
-@sys.description('Optional. ID of the delegated managed identity resource.')
-param delegatedManagedIdentityResourceId string = ''
-
-@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to.')
-param condition string = ''
-
-@sys.description('Optional. Location deployment metadata.')
-param location string = deployment().location
-
-@sys.description('Optional. Version of the condition. Currently accepted value is "2.0".')
-@allowed([
- '2.0'
-])
-param conditionVersion string = '2.0'
-
-@sys.description('Optional. The principal type of the assigned principal ID.')
-@allowed([
- 'ServicePrincipal'
- 'Group'
- 'User'
- 'ForeignGroup'
- 'Device'
- ''
-])
-param principalType string = ''
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- location: location
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-var roleDefinitionIdVar = (contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName)
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(subscriptionId, roleDefinitionIdVar, principalId)
- properties: {
- roleDefinitionId: roleDefinitionIdVar
- principalId: principalId
- description: !empty(description) ? description : null
- principalType: !empty(principalType) ? any(principalType) : null
- delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
- conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
- condition: !empty(condition) ? condition : null
- }
-}
-
-@sys.description('The GUID of the Role Assignment.')
-output name string = roleAssignment.name
-
-@sys.description('The resource ID of the Role Assignment.')
-output resourceId string = roleAssignment.id
-@sys.description('The scope this Role Assignment applies to.')
-output scope string = subscription().id
diff --git a/modules/authorization/role-assignment/subscription/main.json b/modules/authorization/role-assignment/subscription/main.json
deleted file mode 100644
index 9812552a62..0000000000
--- a/modules/authorization/role-assignment/subscription/main.json
+++ /dev/null
@@ -1,159 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4504500051244266304" - }, - "name": "Role Assignments (Subscription scope)", - "description": "This module deploys a Role Assignment at a Subscription scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)." - } - }, - "subscriptionId": { - "type": "string", - "defaultValue": "[subscription().subscriptionId]", - "metadata": { - "description": "Optional. Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. ID of the delegated managed identity resource." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition. Currently accepted value is \"2.0\"." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - }, - "roleDefinitionIdVar": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": 
"Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(parameters('subscriptionId'), variables('roleDefinitionIdVar'), parameters('principalId'))]", - "properties": { - "roleDefinitionId": "[variables('roleDefinitionIdVar')]", - "principalId": "[parameters('principalId')]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The GUID of the Role Assignment." - }, - "value": "[guid(parameters('subscriptionId'), variables('roleDefinitionIdVar'), parameters('principalId'))]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Role Assignment." - }, - "value": "[subscriptionResourceId('Microsoft.Authorization/roleAssignments', guid(parameters('subscriptionId'), variables('roleDefinitionIdVar'), parameters('principalId')))]" - }, - "scope": { - "type": "string", - "metadata": { - "description": "The scope this Role Assignment applies to." - }, - "value": "[subscription().id]" - } - } -} \ No newline at end of file 
diff --git a/modules/authorization/role-assignment/subscription/version.json b/modules/authorization/role-assignment/subscription/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/authorization/role-assignment/subscription/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/authorization/role-assignment/tests/e2e/mg.common/dependencies.bicep b/modules/authorization/role-assignment/tests/e2e/mg.common/dependencies.bicep
deleted file mode 100644
index d367770432..0000000000
--- a/modules/authorization/role-assignment/tests/e2e/mg.common/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/authorization/role-assignment/tests/e2e/mg.common/interim.dependencies.bicep b/modules/authorization/role-assignment/tests/e2e/mg.common/interim.dependencies.bicep
deleted file mode 100644
index b6b3cef622..0000000000
--- a/modules/authorization/role-assignment/tests/e2e/mg.common/interim.dependencies.bicep
+++ /dev/null
@@ -1,27 +0,0 @@
-targetScope = 'subscription'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Required. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: managedIdentityName
- }
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = nestedDependencies.outputs.managedIdentityPrincipalId
diff --git a/modules/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep b/modules/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep
deleted file mode 100644
index 336f3cd4bd..0000000000
--- a/modules/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep
+++ /dev/null
@@ -1,53 +0,0 @@
-targetScope = 'managementGroup'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-authorization.roleassignments-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'aramgcom'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-module nestedDependencies 'interim.dependencies.bicep' = {
- scope: subscription('[[subscriptionId]]')
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- resourceGroupName: resourceGroupName
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../management-group/main.bicep' = {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- roleDefinitionIdOrName: 'Backup Reader'
- description: 'Role Assignment (management group scope)'
- managementGroupId: last(split(managementGroup().id, '/'))
- principalType: 'ServicePrincipal'
- }
-}
diff --git a/modules/authorization/role-assignment/tests/e2e/mg.min/dependencies.bicep b/modules/authorization/role-assignment/tests/e2e/mg.min/dependencies.bicep
deleted file mode 100644
index d367770432..0000000000
--- a/modules/authorization/role-assignment/tests/e2e/mg.min/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/authorization/role-assignment/tests/e2e/mg.min/interim.dependencies.bicep b/modules/authorization/role-assignment/tests/e2e/mg.min/interim.dependencies.bicep
deleted file mode 100644
index b6b3cef622..0000000000
--- a/modules/authorization/role-assignment/tests/e2e/mg.min/interim.dependencies.bicep
+++ /dev/null
@@ -1,27 +0,0 @@
-targetScope = 'subscription'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Required. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: managedIdentityName
- }
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = nestedDependencies.outputs.managedIdentityPrincipalId
diff --git a/modules/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep b/modules/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep
deleted file mode 100644
index 62cc16085c..0000000000
--- a/modules/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep
+++ /dev/null
@@ -1,51 +0,0 @@
-targetScope = 'managementGroup'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-authorization.roleassignments-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'aramgmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-module nestedDependencies 'interim.dependencies.bicep' = {
- scope: subscription('[[subscriptionId]]')
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- resourceGroupName: resourceGroupName
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../management-group/main.bicep' = {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- roleDefinitionIdOrName: 'Storage Queue Data Reader'
- principalType: 'ServicePrincipal'
- }
-}
diff --git a/modules/authorization/role-assignment/tests/e2e/rg.common/dependencies.bicep b/modules/authorization/role-assignment/tests/e2e/rg.common/dependencies.bicep
deleted file mode 100644
index 5681a89989..0000000000
--- a/modules/authorization/role-assignment/tests/e2e/rg.common/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep b/modules/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep
deleted file mode 100644
index c4a6b7ea07..0000000000
--- a/modules/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep
+++ /dev/null
@@ -1,58 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-authorization.roleassignments-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'arargcom'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../resource-group/main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- roleDefinitionIdOrName: 'Backup Reader'
- description: 'Role Assignment (resource group scope)'
- principalType: 'ServicePrincipal'
- resourceGroupName: resourceGroup.name
- subscriptionId: subscription().subscriptionId
- }
-}
diff --git a/modules/authorization/role-assignment/tests/e2e/rg.min/dependencies.bicep b/modules/authorization/role-assignment/tests/e2e/rg.min/dependencies.bicep
deleted file mode 100644
index 5681a89989..0000000000
--- a/modules/authorization/role-assignment/tests/e2e/rg.min/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep b/modules/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep
deleted file mode 100644
index ca2f37a9ab..0000000000
--- a/modules/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep
+++ /dev/null
@@ -1,57 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-authorization.roleassignments-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'arargmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../resource-group/main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- roleDefinitionIdOrName: 'Storage Queue Data Reader'
- principalType: 'ServicePrincipal'
- resourceGroupName: resourceGroup.name
- subscriptionId: subscription().subscriptionId
- }
-}
diff --git a/modules/authorization/role-assignment/tests/e2e/sub.common/dependencies.bicep b/modules/authorization/role-assignment/tests/e2e/sub.common/dependencies.bicep
deleted file mode 100644
index 5681a89989..0000000000
--- a/modules/authorization/role-assignment/tests/e2e/sub.common/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep b/modules/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep
deleted file mode 100644
index 77a6b7883c..0000000000
--- a/modules/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep
+++ /dev/null
@@ -1,56 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-authorization.roleassignments-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'arasubcom'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../subscription/main.bicep' = {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- roleDefinitionIdOrName: 'Backup Reader'
- description: 'Role Assignment (subscription scope)'
- principalType: 'ServicePrincipal'
- subscriptionId: subscription().subscriptionId
- }
-}
diff --git a/modules/authorization/role-assignment/tests/e2e/sub.min/dependencies.bicep b/modules/authorization/role-assignment/tests/e2e/sub.min/dependencies.bicep
deleted file mode 100644
index 5681a89989..0000000000
--- a/modules/authorization/role-assignment/tests/e2e/sub.min/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep b/modules/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep
deleted file mode 100644
index 90242be1d0..0000000000
--- a/modules/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep
+++ /dev/null
@@ -1,55 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-authorization.roleassignments-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'arasubmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../subscription/main.bicep' = {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- roleDefinitionIdOrName: 'Storage Queue Data Reader'
- principalType: 'ServicePrincipal'
- subscriptionId: subscription().subscriptionId
- }
-}
diff --git a/modules/authorization/role-assignment/version.json b/modules/authorization/role-assignment/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/authorization/role-assignment/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/authorization/role-definition/README.md b/modules/authorization/role-definition/README.md
index 626454d49c..0f890cee33 100644
--- a/modules/authorization/role-definition/README.md
+++ b/modules/authorization/role-definition/README.md
@@ -1,719 +1,7 @@
-# Role Definitions (All scopes) `[Microsoft.Authorization/roleDefinitions]`
+

⚠️ Retired ⚠️

-This module deploys a Role Definition at a Management Group, Subscription or Resource Group scope. +This module has been retired without a replacement in Azure Verified Modules ([AVM](https://aka.ms/AVM)). -## Navigation +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/authorization/role-definition). -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleDefinitions` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleDefinitions) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/authorization.role-definition:1.0.0`. - -- [Mg.Common](#example-1-mgcommon) -- [Mg.Min](#example-2-mgmin) -- [Rg.Common](#example-3-rgcommon) -- [Rg.Min](#example-4-rgmin) -- [Sub.Common](#example-5-subcommon) -- [Sub.Min](#example-6-submin) - -### Example 1: _Mg.Common_ - -
- -via Bicep module - -```bicep -module roleDefinition 'br:bicep/modules/authorization.role-definition:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-ardmgcom' - params: { - // Required parameters - roleName: 'testRole-ardmgcom' - // Non-required parameters - actions: [ - 'Microsoft.Compute/galleries/*' - 'Microsoft.Network/virtualNetworks/read' - ] - assignableScopes: [ - '' - ] - description: 'Test Custom Role Definition Standard (management group scope)' - enableDefaultTelemetry: '' - notActions: [ - 'Microsoft.Compute/images/delete' - 'Microsoft.Compute/images/write' - 'Microsoft.Network/virtualNetworks/subnets/join/action' - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "roleName": { - "value": "testRole-ardmgcom" - }, - // Non-required parameters - "actions": { - "value": [ - "Microsoft.Compute/galleries/*", - "Microsoft.Network/virtualNetworks/read" - ] - }, - "assignableScopes": { - "value": [ - "" - ] - }, - "description": { - "value": "Test Custom Role Definition Standard (management group scope)" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "notActions": { - "value": [ - "Microsoft.Compute/images/delete", - "Microsoft.Compute/images/write", - "Microsoft.Network/virtualNetworks/subnets/join/action" - ] - } - } -} -``` - -
-

- -### Example 2: _Mg.Min_ - -

- -via Bicep module - -```bicep -module roleDefinition 'br:bicep/modules/authorization.role-definition:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-ardmgmin' - params: { - // Required parameters - roleName: 'testRole-ardmgmin' - // Non-required parameters - actions: [ - 'Microsoft.Compute/galleries/images/read' - 'Microsoft.Compute/galleries/read' - ] - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "roleName": { - "value": "testRole-ardmgmin" - }, - // Non-required parameters - "actions": { - "value": [ - "Microsoft.Compute/galleries/images/read", - "Microsoft.Compute/galleries/read" - ] - }, - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 3: _Rg.Common_ - -

- -via Bicep module - -```bicep -module roleDefinition 'br:bicep/modules/authorization.role-definition:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-ardrgcom' - params: { - // Required parameters - roleName: 'testRole-ardrgcom' - // Non-required parameters - actions: [ - 'Microsoft.Compute/galleries/*' - 'Microsoft.Network/virtualNetworks/read' - ] - assignableScopes: [ - '' - ] - dataActions: [ - 'Microsoft.Storage/storageAccounts/blobServices/*/read' - ] - description: 'Test Custom Role Definition Standard (resource group scope)' - enableDefaultTelemetry: '' - notActions: [ - 'Microsoft.Compute/images/delete' - 'Microsoft.Compute/images/write' - 'Microsoft.Network/virtualNetworks/subnets/join/action' - ] - notDataActions: [ - 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read' - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "roleName": { - "value": "testRole-ardrgcom" - }, - // Non-required parameters - "actions": { - "value": [ - "Microsoft.Compute/galleries/*", - "Microsoft.Network/virtualNetworks/read" - ] - }, - "assignableScopes": { - "value": [ - "" - ] - }, - "dataActions": { - "value": [ - "Microsoft.Storage/storageAccounts/blobServices/*/read" - ] - }, - "description": { - "value": "Test Custom Role Definition Standard (resource group scope)" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "notActions": { - "value": [ - "Microsoft.Compute/images/delete", - "Microsoft.Compute/images/write", - "Microsoft.Network/virtualNetworks/subnets/join/action" - ] - }, - "notDataActions": { - "value": [ - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read" - ] - } - } -} -``` - -
-

- -### Example 4: _Rg.Min_ - -

- -via Bicep module - -```bicep -module roleDefinition 'br:bicep/modules/authorization.role-definition:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-ardrgmin' - params: { - // Required parameters - roleName: 'testRole-ardrgmin' - // Non-required parameters - actions: [ - 'Microsoft.Compute/galleries/images/read' - 'Microsoft.Compute/galleries/read' - ] - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "roleName": { - "value": "testRole-ardrgmin" - }, - // Non-required parameters - "actions": { - "value": [ - "Microsoft.Compute/galleries/images/read", - "Microsoft.Compute/galleries/read" - ] - }, - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 5: _Sub.Common_ - -

- -via Bicep module - -```bicep -module roleDefinition 'br:bicep/modules/authorization.role-definition:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-ardsubcom' - params: { - // Required parameters - roleName: 'testRole-ardsubcom' - // Non-required parameters - actions: [ - 'Microsoft.Compute/galleries/*' - 'Microsoft.Network/virtualNetworks/read' - ] - assignableScopes: [ - '' - ] - dataActions: [ - 'Microsoft.Storage/storageAccounts/blobServices/*/read' - ] - description: 'Test Custom Role Definition Standard (subscription scope)' - enableDefaultTelemetry: '' - notActions: [ - 'Microsoft.Compute/images/delete' - 'Microsoft.Compute/images/write' - 'Microsoft.Network/virtualNetworks/subnets/join/action' - ] - notDataActions: [ - 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read' - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "roleName": { - "value": "testRole-ardsubcom" - }, - // Non-required parameters - "actions": { - "value": [ - "Microsoft.Compute/galleries/*", - "Microsoft.Network/virtualNetworks/read" - ] - }, - "assignableScopes": { - "value": [ - "" - ] - }, - "dataActions": { - "value": [ - "Microsoft.Storage/storageAccounts/blobServices/*/read" - ] - }, - "description": { - "value": "Test Custom Role Definition Standard (subscription scope)" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "notActions": { - "value": [ - "Microsoft.Compute/images/delete", - "Microsoft.Compute/images/write", - "Microsoft.Network/virtualNetworks/subnets/join/action" - ] - }, - "notDataActions": { - "value": [ - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read" - ] - } - } -} -``` - -
-

- -### Example 6: _Sub.Min_ - -

- -via Bicep module - -```bicep -module roleDefinition 'br:bicep/modules/authorization.role-definition:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-ardsubmin' - params: { - // Required parameters - roleName: 'testRole-ardsubmin' - // Non-required parameters - actions: [ - 'Microsoft.Compute/galleries/images/read' - 'Microsoft.Compute/galleries/read' - ] - enableDefaultTelemetry: '' - subscriptionId: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "roleName": { - "value": "testRole-ardsubmin" - }, - // Non-required parameters - "actions": { - "value": [ - "Microsoft.Compute/galleries/images/read", - "Microsoft.Compute/galleries/read" - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "subscriptionId": { - "value": "" - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`roleName`](#parameter-rolename) | string | Name of the custom RBAC role to be created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`actions`](#parameter-actions) | array | List of allowed actions. | -| [`assignableScopes`](#parameter-assignablescopes) | array | Role definition assignable scopes. If not provided, will use the current scope provided. | -| [`dataActions`](#parameter-dataactions) | array | List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes. | -| [`description`](#parameter-description) | string | Description of the custom RBAC role to be created. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location deployment metadata. | -| [`managementGroupId`](#parameter-managementgroupid) | string | The group ID of the Management Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. | -| [`notActions`](#parameter-notactions) | array | List of denied actions. | -| [`notDataActions`](#parameter-notdataactions) | array | List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes. | -| [`resourceGroupName`](#parameter-resourcegroupname) | string | The name of the Resource Group where the Role Definition and Target Scope will be applied to. | -| [`subscriptionId`](#parameter-subscriptionid) | string | The subscription ID where the Role Definition and Target Scope will be applied to. Use for both Subscription level and Resource Group Level. | - -### Parameter: `roleName` - -Name of the custom RBAC role to be created. 
- -- Required: Yes -- Type: string - -### Parameter: `actions` - -List of allowed actions. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `assignableScopes` - -Role definition assignable scopes. If not provided, will use the current scope provided. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `dataActions` - -List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `description` - -Description of the custom RBAC role to be created. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location deployment metadata. - -- Required: No -- Type: string -- Default: `[deployment().location]` - -### Parameter: `managementGroupId` - -The group ID of the Management Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. - -- Required: No -- Type: string -- Default: `[managementGroup().name]` - -### Parameter: `notActions` - -List of denied actions. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `notDataActions` - -List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `resourceGroupName` - -The name of the Resource Group where the Role Definition and Target Scope will be applied to. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `subscriptionId` - -The subscription ID where the Role Definition and Target Scope will be applied to. Use for both Subscription level and Resource Group Level. 
- -- Required: No -- Type: string -- Default: `''` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The GUID of the Role Definition. | -| `resourceId` | string | The resource ID of the Role Definition. | -| `scope` | string | The scope this Role Definition applies to. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Module Usage Guidance - -In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `main.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](main.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/main.bicep'](./subscription/main.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module. - -The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If you do not set the scope to management group, this would be the error that you can expect to face: - -```bicep -Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup" -``` - -The solution is to have the option of directly targeting the sub-module that achieves the required scope. 
For example, if you have your own Bicep file wanting to create resources at the subscription level, and also use some of the modules from the `Microsoft.Authorization` namespace, then you can directly use the sub-module ['/subscription/main.bicep'](./subscription/main.bicep) as a path within your repository, or reference that same published module from the bicep registry. CARML also published the sub-modules so you would be able to reference it like the following: - -**Bicep Registry Reference** -```bicep -module roledefinition 'br:bicepregistry.azurecr.io/bicep/modules/authorization.role-definition.subscription:version' = {} -``` -**Local Path Reference** -```bicep -module roledefinition 'yourpath/module/authorization/role-definition/subscription/main.bicep' = {} -``` - -### Parameter Usage: `managementGroupId` - -To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module. - -

- -Parameter JSON format - -```json -"managementGroupId": { - "value": "contoso-group" -} -``` - -
- - -
- -Bicep format - -```bicep -managementGroupId: 'contoso-group' -``` - -
-

- -> `managementGroupId` is an optional parameter. If not provided, the deployment will use the management group defined in the current deployment scope (i.e. `managementGroup().name`). - -### Parameter Usage: `subscriptionId` - -To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. **Example**: - - -

- -Parameter JSON format - -```json -"subscriptionId": { - "value": "12345678-b049-471c-95af-123456789012" -} -``` - -
- -
- -Bicep format - -```bicep -subscriptionId: '12345678-b049-471c-95af-123456789012' -``` - -
-

- -### Parameter Usage: `resourceGroupName` - -To deploy resource to a Resource Group, provide the `subscriptionId` and `resourceGroupName` as an input parameter to the module. **Example**: - -

- -Parameter JSON format - -```json -"subscriptionId": { - "value": "12345678-b049-471c-95af-123456789012" -}, -"resourceGroupName": { - "value": "target-resourceGroup" -} -``` - -
- - -
- -Bicep format - -```bicep -subscriptionId: '12345678-b049-471c-95af-123456789012' -resourceGroupName: 'target-resourceGroup' -``` - -
-

- -> The `subscriptionId` is used to enable deployment to a Resource Group Scope, allowing the use of the `resourceGroup()` function from a Management Group Scope. [Additional Details](https://github.com/Azure/bicep/pull/1420). +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/authorization/role-definition/main.bicep b/modules/authorization/role-definition/main.bicep deleted file mode 100644 index 2e9db282b8..0000000000 --- a/modules/authorization/role-definition/main.bicep +++ /dev/null 
@@ -1,114 +0,0 @@
-metadata name = 'Role Definitions (All scopes)'
-metadata description = 'This module deploys a Role Definition at a Management Group, Subscription or Resource Group scope.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'managementGroup'
-
-@sys.description('Required. Name of the custom RBAC role to be created.')
-param roleName string
-
-@sys.description('Optional. Description of the custom RBAC role to be created.')
-param description string = ''
-
-@sys.description('Optional. List of allowed actions.')
-param actions array = []
-
-@sys.description('Optional. List of denied actions.')
-param notActions array = []
-
-@sys.description('Optional. List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes.')
-param dataActions array = []
-
-@sys.description('Optional. List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes.')
-param notDataActions array = []
-
-@sys.description('Optional. The group ID of the Management Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment.')
-param managementGroupId string = managementGroup().name
-
-@sys.description('Optional. The subscription ID where the Role Definition and Target Scope will be applied to. Use for both Subscription level and Resource Group Level.')
-param subscriptionId string = ''
-
-@sys.description('Optional. The name of the Resource Group where the Role Definition and Target Scope will be applied to.')
-param resourceGroupName string = ''
-
-@sys.description('Optional. Location deployment metadata.')
-param location string = deployment().location
-
-@sys.description('Optional. Role definition assignable scopes. If not provided, will use the current scope provided.')
-param assignableScopes array = []
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- location: location
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-module roleDefinition_mg 'management-group/main.bicep' = if (empty(subscriptionId) && empty(resourceGroupName)) {
- name: '${uniqueString(deployment().name, location)}-RoleDefinition-MG-Module'
- scope: managementGroup(managementGroupId)
- params: {
- roleName: roleName
- description: !empty(description) ? description : ''
- actions: !empty(actions) ? actions : []
- notActions: !empty(notActions) ? notActions : []
- assignableScopes: !empty(assignableScopes) ? assignableScopes : []
- managementGroupId: managementGroupId
- location: location
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module roleDefinition_sub 'subscription/main.bicep' = if (!empty(subscriptionId) && empty(resourceGroupName)) {
- name: '${uniqueString(deployment().name, location)}-RoleDefinition-Sub-Module'
- scope: subscription(subscriptionId)
- params: {
- roleName: roleName
- description: !empty(description) ? description : ''
- actions: !empty(actions) ? actions : []
- notActions: !empty(notActions) ? notActions : []
- dataActions: !empty(dataActions) ? dataActions : []
- notDataActions: !empty(notDataActions) ? notDataActions : []
- assignableScopes: !empty(assignableScopes) ? assignableScopes : []
- subscriptionId: subscriptionId
- location: location
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module roleDefinition_rg 'resource-group/main.bicep' = if (!empty(resourceGroupName) && !empty(subscriptionId)) {
- name: '${uniqueString(deployment().name, location)}-RoleDefinition-RG-Module'
- scope: resourceGroup(subscriptionId, resourceGroupName)
- params: {
- roleName: roleName
- description: !empty(description) ? description : ''
- actions: !empty(actions) ? actions : []
- notActions: !empty(notActions) ? notActions : []
- dataActions: !empty(dataActions) ? dataActions : []
- notDataActions: !empty(notDataActions) ? notDataActions : []
- assignableScopes: !empty(assignableScopes) ? assignableScopes : []
- subscriptionId: subscriptionId
- resourceGroupName: resourceGroupName
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-@sys.description('The GUID of the Role Definition.')
-output name string = empty(subscriptionId) && empty(resourceGroupName) ? roleDefinition_mg.outputs.name : (!empty(subscriptionId) && empty(resourceGroupName) ? roleDefinition_sub.outputs.name : roleDefinition_rg.outputs.name)
-
-@sys.description('The resource ID of the Role Definition.')
-output resourceId string = empty(subscriptionId) && empty(resourceGroupName) ? roleDefinition_mg.outputs.resourceId : (!empty(subscriptionId) && empty(resourceGroupName) ? roleDefinition_sub.outputs.resourceId : roleDefinition_rg.outputs.resourceId)
-
-@sys.description('The scope this Role Definition applies to.')
-output scope string = empty(subscriptionId) && empty(resourceGroupName) ? roleDefinition_mg.outputs.scope : (!empty(subscriptionId) && empty(resourceGroupName) ? roleDefinition_sub.outputs.scope : roleDefinition_rg.outputs.scope)
diff --git a/modules/authorization/role-definition/main.json b/modules/authorization/role-definition/main.json
deleted file mode 100644
index 6626d49464..0000000000
--- a/modules/authorization/role-definition/main.json
+++ /dev/null
@@ -1,664 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "3377145363217957068" - }, - "name": "Role Definitions (All scopes)", - "description": "This module deploys a Role Definition at a Management Group, Subscription or Resource Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "roleName": { - "type": "string", - "metadata": { - "description": "Required. Name of the custom RBAC role to be created." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Description of the custom RBAC role to be created." - } - }, - "actions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of allowed actions." - } - }, - "notActions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of denied actions." - } - }, - "dataActions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes." - } - }, - "notDataActions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes." - } - }, - "managementGroupId": { - "type": "string", - "defaultValue": "[managementGroup().name]", - "metadata": { - "description": "Optional. The group ID of the Management Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment." - } - }, - "subscriptionId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
The subscription ID where the Role Definition and Target Scope will be applied to. Use for both Subscription level and Resource Group Level." - } - }, - "resourceGroupName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the Resource Group where the Role Definition and Target Scope will be applied to." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "assignableScopes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Role definition assignable scopes. If not provided, will use the current scope provided." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "condition": "[and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-RoleDefinition-MG-Module', uniqueString(deployment().name, parameters('location')))]", - "scope": "[format('Microsoft.Management/managementGroups/{0}', parameters('managementGroupId'))]", - "location": "[deployment().location]", - "properties": { - 
"expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "roleName": { - "value": "[parameters('roleName')]" - }, - "description": "[if(not(empty(parameters('description'))), createObject('value', parameters('description')), createObject('value', ''))]", - "actions": "[if(not(empty(parameters('actions'))), createObject('value', parameters('actions')), createObject('value', createArray()))]", - "notActions": "[if(not(empty(parameters('notActions'))), createObject('value', parameters('notActions')), createObject('value', createArray()))]", - "assignableScopes": "[if(not(empty(parameters('assignableScopes'))), createObject('value', parameters('assignableScopes')), createObject('value', createArray()))]", - "managementGroupId": { - "value": "[parameters('managementGroupId')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15617520602952688455" - }, - "name": "Role Definitions (Management Group scope)", - "description": "This module deploys a Role Definition at a Management Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "roleName": { - "type": "string", - "metadata": { - "description": "Required. Name of the custom RBAC role to be created." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Description of the custom RBAC role to be created." - } - }, - "actions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of allowed actions." 
- } - }, - "notActions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of denied actions." - } - }, - "managementGroupId": { - "type": "string", - "defaultValue": "[managementGroup().name]", - "metadata": { - "description": "Optional. The group ID of the Management Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment." - } - }, - "assignableScopes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Role definition assignable scopes. If not provided, will use the current scope provided." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/roleDefinitions", - "apiVersion": "2022-04-01", - "name": "[guid(parameters('roleName'), parameters('managementGroupId'))]", - "properties": { - "roleName": "[parameters('roleName')]", - "description": "[parameters('description')]", - "type": "customRole", - "permissions": [ - { - "actions": "[parameters('actions')]", - "notActions": "[parameters('notActions')]" - } - ], - "assignableScopes": 
"[if(equals(parameters('assignableScopes'), createArray()), array(tenantResourceId('Microsoft.Management/managementGroups', parameters('managementGroupId'))), parameters('assignableScopes'))]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The GUID of the Role Definition." - }, - "value": "[guid(parameters('roleName'), parameters('managementGroupId'))]" - }, - "scope": { - "type": "string", - "metadata": { - "description": "The scope this Role Definition applies to." - }, - "value": "[managementGroup().id]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Role Definition." - }, - "value": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/roleDefinitions', guid(parameters('roleName'), parameters('managementGroupId')))]" - } - } - } - } - }, - { - "condition": "[and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-RoleDefinition-Sub-Module', uniqueString(deployment().name, parameters('location')))]", - "subscriptionId": "[parameters('subscriptionId')]", - "location": "[deployment().location]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "roleName": { - "value": "[parameters('roleName')]" - }, - "description": "[if(not(empty(parameters('description'))), createObject('value', parameters('description')), createObject('value', ''))]", - "actions": "[if(not(empty(parameters('actions'))), createObject('value', parameters('actions')), createObject('value', createArray()))]", - "notActions": "[if(not(empty(parameters('notActions'))), createObject('value', parameters('notActions')), createObject('value', createArray()))]", - "dataActions": "[if(not(empty(parameters('dataActions'))), createObject('value', parameters('dataActions')), 
createObject('value', createArray()))]", - "notDataActions": "[if(not(empty(parameters('notDataActions'))), createObject('value', parameters('notDataActions')), createObject('value', createArray()))]", - "assignableScopes": "[if(not(empty(parameters('assignableScopes'))), createObject('value', parameters('assignableScopes')), createObject('value', createArray()))]", - "subscriptionId": { - "value": "[parameters('subscriptionId')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9622245925766749041" - }, - "name": "Role Definitions (Subscription scope)", - "description": "This module deploys a Role Definition at a Subscription scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "roleName": { - "type": "string", - "metadata": { - "description": "Required. Name of the custom RBAC role to be created." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Description of the custom RBAC role to be created." - } - }, - "actions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of allowed actions." - } - }, - "notActions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of denied actions." - } - }, - "dataActions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes." - } - }, - "notDataActions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. 
List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes." - } - }, - "subscriptionId": { - "type": "string", - "defaultValue": "[subscription().subscriptionId]", - "metadata": { - "description": "Optional. The subscription ID where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment." - } - }, - "assignableScopes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Role definition assignable scopes. If not provided, will use the current scope provided." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/roleDefinitions", - "apiVersion": "2022-04-01", - "name": "[guid(parameters('roleName'), parameters('subscriptionId'))]", - "properties": { - "roleName": "[parameters('roleName')]", - "description": "[parameters('description')]", - "type": "customRole", - "permissions": [ - { - "actions": "[parameters('actions')]", - "notActions": "[parameters('notActions')]", - "dataActions": "[parameters('dataActions')]", - "notDataActions": 
"[parameters('notDataActions')]" - } - ], - "assignableScopes": "[if(not(empty(parameters('assignableScopes'))), parameters('assignableScopes'), array(subscription().id))]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The GUID of the Role Definition." - }, - "value": "[guid(parameters('roleName'), parameters('subscriptionId'))]" - }, - "scope": { - "type": "string", - "metadata": { - "description": "The scope this Role Definition applies to." - }, - "value": "[subscription().id]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Role Definition." - }, - "value": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', guid(parameters('roleName'), parameters('subscriptionId')))]" - } - } - } - } - }, - { - "condition": "[and(not(empty(parameters('resourceGroupName'))), not(empty(parameters('subscriptionId'))))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-RoleDefinition-RG-Module', uniqueString(deployment().name, parameters('location')))]", - "subscriptionId": "[parameters('subscriptionId')]", - "resourceGroup": "[parameters('resourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "roleName": { - "value": "[parameters('roleName')]" - }, - "description": "[if(not(empty(parameters('description'))), createObject('value', parameters('description')), createObject('value', ''))]", - "actions": "[if(not(empty(parameters('actions'))), createObject('value', parameters('actions')), createObject('value', createArray()))]", - "notActions": "[if(not(empty(parameters('notActions'))), createObject('value', parameters('notActions')), createObject('value', createArray()))]", - "dataActions": "[if(not(empty(parameters('dataActions'))), createObject('value', parameters('dataActions')), createObject('value', createArray()))]", - 
"notDataActions": "[if(not(empty(parameters('notDataActions'))), createObject('value', parameters('notDataActions')), createObject('value', createArray()))]", - "assignableScopes": "[if(not(empty(parameters('assignableScopes'))), createObject('value', parameters('assignableScopes')), createObject('value', createArray()))]", - "subscriptionId": { - "value": "[parameters('subscriptionId')]" - }, - "resourceGroupName": { - "value": "[parameters('resourceGroupName')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16590569046115003591" - }, - "name": "Role Definitions (Resource Group scope)", - "description": "This module deploys a Role Definition at a Resource Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "roleName": { - "type": "string", - "metadata": { - "description": "Required. Name of the custom RBAC role to be created." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Description of the custom RBAC role to be created." - } - }, - "actions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of allowed actions." - } - }, - "notActions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of denied actions." - } - }, - "dataActions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes." - } - }, - "notDataActions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of denied data actions. 
This is not supported if the assignableScopes contains Management Group Scopes." - } - }, - "subscriptionId": { - "type": "string", - "defaultValue": "[subscription().subscriptionId]", - "metadata": { - "description": "Optional. The subscription ID where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment." - } - }, - "resourceGroupName": { - "type": "string", - "defaultValue": "[resourceGroup().name]", - "metadata": { - "description": "Optional. The name of the Resource Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment." - } - }, - "assignableScopes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Role definition assignable scopes. If not provided, will use the current scope provided." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/roleDefinitions", - "apiVersion": "2022-04-01", - "name": "[guid(parameters('roleName'), parameters('subscriptionId'), parameters('resourceGroupName'))]", - "properties": { - "roleName": "[parameters('roleName')]", - "description": "[parameters('description')]", - "type": "customRole", - "permissions": [ - { - "actions": "[parameters('actions')]", - "notActions": "[parameters('notActions')]", - "dataActions": "[parameters('dataActions')]", - "notDataActions": "[parameters('notDataActions')]" - } - ], - "assignableScopes": "[if(equals(parameters('assignableScopes'), createArray()), array(resourceGroup().id), parameters('assignableScopes'))]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The GUID of the Role Definition." - }, - "value": "[guid(parameters('roleName'), parameters('subscriptionId'), parameters('resourceGroupName'))]" - }, - "scope": { - "type": "string", - "metadata": { - "description": "The scope this Role Definition applies to." - }, - "value": "[resourceGroup().id]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Role Definition." 
- }, - "value": "[resourceId('Microsoft.Authorization/roleDefinitions', guid(parameters('roleName'), parameters('subscriptionId'), parameters('resourceGroupName')))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the role definition was created at." - }, - "value": "[resourceGroup().name]" - } - } - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The GUID of the Role Definition." - }, - "value": "[if(and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName'))), reference(extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', parameters('managementGroupId')), 'Microsoft.Resources/deployments', format('{0}-RoleDefinition-MG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value, if(and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName'))), reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-RoleDefinition-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('subscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-RoleDefinition-RG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value))]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Role Definition." 
- }, - "value": "[if(and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName'))), reference(extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', parameters('managementGroupId')), 'Microsoft.Resources/deployments', format('{0}-RoleDefinition-MG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value, if(and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName'))), reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-RoleDefinition-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('subscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-RoleDefinition-RG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value))]" - }, - "scope": { - "type": "string", - "metadata": { - "description": "The scope this Role Definition applies to." 
- }, - "value": "[if(and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName'))), reference(extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', parameters('managementGroupId')), 'Microsoft.Resources/deployments', format('{0}-RoleDefinition-MG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.scope.value, if(and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName'))), reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-RoleDefinition-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.scope.value, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('subscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-RoleDefinition-RG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.scope.value))]" - } - } -} \ No newline at end of file diff --git a/modules/authorization/role-definition/management-group/README.md b/modules/authorization/role-definition/management-group/README.md deleted file mode 100644 index 0c9b29c7a5..0000000000 --- a/modules/authorization/role-definition/management-group/README.md +++ /dev/null 
@@ -1,112 +0,0 @@
-# Role Definitions (Management Group scope) `[Microsoft.Authorization/roleDefinitions]`
-
-This module deploys a Role Definition at a Management Group scope.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Authorization/roleDefinitions` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleDefinitions) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`roleName`](#parameter-rolename) | string | Name of the custom RBAC role to be created. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`actions`](#parameter-actions) | array | List of allowed actions. |
-| [`assignableScopes`](#parameter-assignablescopes) | array | Role definition assignable scopes. If not provided, will use the current scope provided. |
-| [`description`](#parameter-description) | string | Description of the custom RBAC role to be created. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`location`](#parameter-location) | string | Location deployment metadata. |
-| [`managementGroupId`](#parameter-managementgroupid) | string | The group ID of the Management Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. |
-| [`notActions`](#parameter-notactions) | array | List of denied actions. |
-
-### Parameter: `roleName`
-
-Name of the custom RBAC role to be created.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `actions`
-
-List of allowed actions.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `assignableScopes`
-
-Role definition assignable scopes. If not provided, will use the current scope provided.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `description`
-
-Description of the custom RBAC role to be created.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `location`
-
-Location deployment metadata.
-
-- Required: No
-- Type: string
-- Default: `[deployment().location]`
-
-### Parameter: `managementGroupId`
-
-The group ID of the Management Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment.
-
-- Required: No
-- Type: string
-- Default: `[managementGroup().name]`
-
-### Parameter: `notActions`
-
-List of denied actions.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The GUID of the Role Definition. |
-| `resourceId` | string | The resource ID of the Role Definition. |
-| `scope` | string | The scope this Role Definition applies to. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/authorization/role-definition/management-group/main.bicep b/modules/authorization/role-definition/management-group/main.bicep
deleted file mode 100644
index 0a382f224f..0000000000
--- a/modules/authorization/role-definition/management-group/main.bicep
+++ /dev/null
@@ -1,67 +0,0 @@
-metadata name = 'Role Definitions (Management Group scope)'
-metadata description = 'This module deploys a Role Definition at a Management Group scope.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'managementGroup'
-
-@sys.description('Required. Name of the custom RBAC role to be created.')
-param roleName string
-
-@sys.description('Optional. Description of the custom RBAC role to be created.')
-param description string = ''
-
-@sys.description('Optional. List of allowed actions.')
-param actions array = []
-
-@sys.description('Optional. List of denied actions.')
-param notActions array = []
-
-@sys.description('Optional. The group ID of the Management Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment.')
-param managementGroupId string = managementGroup().name
-
-@sys.description('Optional. Role definition assignable scopes. If not provided, will use the current scope provided.')
-param assignableScopes array = []
-
-@sys.description('Optional. Location deployment metadata.')
-param location string = deployment().location
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- location: location
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource roleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
- name: guid(roleName, managementGroupId)
- properties: {
- roleName: roleName
- description: description
- type: 'customRole'
- permissions: [
- {
- actions: actions
- notActions: notActions
- }
- ]
- assignableScopes: assignableScopes == [] ? array(tenantResourceId('Microsoft.Management/managementGroups', managementGroupId)) : assignableScopes
- }
-}
-
-@sys.description('The GUID of the Role Definition.')
-output name string = roleDefinition.name
-
-@sys.description('The scope this Role Definition applies to.')
-output scope string = managementGroup().id
-
-@sys.description('The resource ID of the Role Definition.')
-output resourceId string = roleDefinition.id
diff --git a/modules/authorization/role-definition/management-group/main.json b/modules/authorization/role-definition/management-group/main.json
deleted file mode 100644
index 86daa4679b..0000000000
--- a/modules/authorization/role-definition/management-group/main.json
+++ /dev/null
@@ -1,128 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15617520602952688455" - }, - "name": "Role Definitions (Management Group scope)", - "description": "This module deploys a Role Definition at a Management Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "roleName": { - "type": "string", - "metadata": { - "description": "Required. Name of the custom RBAC role to be created." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Description of the custom RBAC role to be created." - } - }, - "actions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of allowed actions." - } - }, - "notActions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of denied actions." - } - }, - "managementGroupId": { - "type": "string", - "defaultValue": "[managementGroup().name]", - "metadata": { - "description": "Optional. The group ID of the Management Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment." - } - }, - "assignableScopes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Role definition assignable scopes. If not provided, will use the current scope provided." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/roleDefinitions", - "apiVersion": "2022-04-01", - "name": "[guid(parameters('roleName'), parameters('managementGroupId'))]", - "properties": { - "roleName": "[parameters('roleName')]", - "description": "[parameters('description')]", - "type": "customRole", - "permissions": [ - { - "actions": "[parameters('actions')]", - "notActions": "[parameters('notActions')]" - } - ], - "assignableScopes": "[if(equals(parameters('assignableScopes'), createArray()), array(tenantResourceId('Microsoft.Management/managementGroups', parameters('managementGroupId'))), parameters('assignableScopes'))]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The GUID of the Role Definition." - }, - "value": "[guid(parameters('roleName'), parameters('managementGroupId'))]" - }, - "scope": { - "type": "string", - "metadata": { - "description": "The scope this Role Definition applies to." - }, - "value": "[managementGroup().id]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Role Definition." - }, - "value": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/roleDefinitions', guid(parameters('roleName'), parameters('managementGroupId')))]" - } - } -} \ No newline at end of file 
diff --git a/modules/authorization/role-definition/management-group/version.json b/modules/authorization/role-definition/management-group/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/authorization/role-definition/management-group/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/authorization/role-definition/resource-group/README.md b/modules/authorization/role-definition/resource-group/README.md
deleted file mode 100644
index f8a299f434..0000000000
--- a/modules/authorization/role-definition/resource-group/README.md
+++ /dev/null
@@ -1,131 +0,0 @@
-# Role Definitions (Resource Group scope) `[Microsoft.Authorization/roleDefinitions]`
-
-This module deploys a Role Definition at a Resource Group scope.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Authorization/roleDefinitions` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleDefinitions) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`roleName`](#parameter-rolename) | string | Name of the custom RBAC role to be created. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`actions`](#parameter-actions) | array | List of allowed actions. |
-| [`assignableScopes`](#parameter-assignablescopes) | array | Role definition assignable scopes. If not provided, will use the current scope provided. |
-| [`dataActions`](#parameter-dataactions) | array | List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes. |
-| [`description`](#parameter-description) | string | Description of the custom RBAC role to be created. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`notActions`](#parameter-notactions) | array | List of denied actions. |
-| [`notDataActions`](#parameter-notdataactions) | array | List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes. |
-| [`resourceGroupName`](#parameter-resourcegroupname) | string | The name of the Resource Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. |
-| [`subscriptionId`](#parameter-subscriptionid) | string | The subscription ID where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. |
-
-### Parameter: `roleName`
-
-Name of the custom RBAC role to be created.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `actions`
-
-List of allowed actions.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `assignableScopes`
-
-Role definition assignable scopes. If not provided, will use the current scope provided.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `dataActions`
-
-List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `description`
-
-Description of the custom RBAC role to be created.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `notActions`
-
-List of denied actions.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `notDataActions`
-
-List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `resourceGroupName`
-
-The name of the Resource Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().name]`
-
-### Parameter: `subscriptionId`
-
-The subscription ID where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment.
-
-- Required: No
-- Type: string
-- Default: `[subscription().subscriptionId]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The GUID of the Role Definition. |
-| `resourceGroupName` | string | The name of the resource group the role definition was created at. |
-| `resourceId` | string | The resource ID of the Role Definition. |
-| `scope` | string | The scope this Role Definition applies to. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/authorization/role-definition/resource-group/main.bicep b/modules/authorization/role-definition/resource-group/main.bicep
deleted file mode 100644
index c79207c1c5..0000000000
--- a/modules/authorization/role-definition/resource-group/main.bicep
+++ /dev/null
@@ -1,77 +0,0 @@
-metadata name = 'Role Definitions (Resource Group scope)'
-metadata description = 'This module deploys a Role Definition at a Resource Group scope.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'resourceGroup'
-
-@sys.description('Required. Name of the custom RBAC role to be created.')
-param roleName string
-
-@sys.description('Optional. Description of the custom RBAC role to be created.')
-param description string = ''
-
-@sys.description('Optional. List of allowed actions.')
-param actions array = []
-
-@sys.description('Optional. List of denied actions.')
-param notActions array = []
-
-@sys.description('Optional. List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes.')
-param dataActions array = []
-
-@sys.description('Optional. List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes.')
-param notDataActions array = []
-
-@sys.description('Optional. The subscription ID where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment.')
-param subscriptionId string = subscription().subscriptionId
-
-@sys.description('Optional. The name of the Resource Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment.')
-param resourceGroupName string = resourceGroup().name
-
-@sys.description('Optional. Role definition assignable scopes. If not provided, will use the current scope provided.')
-param assignableScopes array = []
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource roleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
- name: guid(roleName, subscriptionId, resourceGroupName)
- properties: {
- roleName: roleName
- description: description
- type: 'customRole'
- permissions: [
- {
- actions: actions
- notActions: notActions
- dataActions: dataActions
- notDataActions: notDataActions
- }
- ]
- assignableScopes: assignableScopes == [] ? array(resourceGroup().id) : assignableScopes
- }
-}
-
-@sys.description('The GUID of the Role Definition.')
-output name string = roleDefinition.name
-
-@sys.description('The scope this Role Definition applies to.')
-output scope string = resourceGroup().id
-
-@sys.description('The resource ID of the Role Definition.')
-output resourceId string = roleDefinition.id
-
-@sys.description('The name of the resource group the role definition was created at.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/authorization/role-definition/resource-group/main.json b/modules/authorization/role-definition/resource-group/main.json
deleted file mode 100644
index 0e6b83a68e..0000000000
--- a/modules/authorization/role-definition/resource-group/main.json
+++ /dev/null
@@ -1,150 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16590569046115003591" - }, - "name": "Role Definitions (Resource Group scope)", - "description": "This module deploys a Role Definition at a Resource Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "roleName": { - "type": "string", - "metadata": { - "description": "Required. Name of the custom RBAC role to be created." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Description of the custom RBAC role to be created." - } - }, - "actions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of allowed actions." - } - }, - "notActions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of denied actions." - } - }, - "dataActions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes." - } - }, - "notDataActions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes." - } - }, - "subscriptionId": { - "type": "string", - "defaultValue": "[subscription().subscriptionId]", - "metadata": { - "description": "Optional. The subscription ID where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment." - } - }, - "resourceGroupName": { - "type": "string", - "defaultValue": "[resourceGroup().name]", - "metadata": { - "description": "Optional. 
The name of the Resource Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment." - } - }, - "assignableScopes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Role definition assignable scopes. If not provided, will use the current scope provided." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/roleDefinitions", - "apiVersion": "2022-04-01", - "name": "[guid(parameters('roleName'), parameters('subscriptionId'), parameters('resourceGroupName'))]", - "properties": { - "roleName": "[parameters('roleName')]", - "description": "[parameters('description')]", - "type": "customRole", - "permissions": [ - { - "actions": "[parameters('actions')]", - "notActions": "[parameters('notActions')]", - "dataActions": "[parameters('dataActions')]", - "notDataActions": "[parameters('notDataActions')]" - } - ], - "assignableScopes": "[if(equals(parameters('assignableScopes'), createArray()), array(resourceGroup().id), parameters('assignableScopes'))]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The GUID of the Role Definition." 
- }, - "value": "[guid(parameters('roleName'), parameters('subscriptionId'), parameters('resourceGroupName'))]" - }, - "scope": { - "type": "string", - "metadata": { - "description": "The scope this Role Definition applies to." - }, - "value": "[resourceGroup().id]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Role Definition." - }, - "value": "[resourceId('Microsoft.Authorization/roleDefinitions', guid(parameters('roleName'), parameters('subscriptionId'), parameters('resourceGroupName')))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the role definition was created at." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/authorization/role-definition/resource-group/version.json b/modules/authorization/role-definition/resource-group/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/authorization/role-definition/resource-group/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/authorization/role-definition/subscription/README.md b/modules/authorization/role-definition/subscription/README.md deleted file mode 100644 index 5737fd2aff..0000000000 --- a/modules/authorization/role-definition/subscription/README.md +++ /dev/null 
@@ -1,130 +0,0 @@
-# Role Definitions (Subscription scope) `[Microsoft.Authorization/roleDefinitions]`
-
-This module deploys a Role Definition at a Subscription scope.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Authorization/roleDefinitions` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleDefinitions) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`roleName`](#parameter-rolename) | string | Name of the custom RBAC role to be created. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`actions`](#parameter-actions) | array | List of allowed actions. |
-| [`assignableScopes`](#parameter-assignablescopes) | array | Role definition assignable scopes. If not provided, will use the current scope provided. |
-| [`dataActions`](#parameter-dataactions) | array | List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes. |
-| [`description`](#parameter-description) | string | Description of the custom RBAC role to be created. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`location`](#parameter-location) | string | Location deployment metadata. |
-| [`notActions`](#parameter-notactions) | array | List of denied actions. |
-| [`notDataActions`](#parameter-notdataactions) | array | List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes. |
-| [`subscriptionId`](#parameter-subscriptionid) | string | The subscription ID where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. |
-
-### Parameter: `roleName`
-
-Name of the custom RBAC role to be created.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `actions`
-
-List of allowed actions.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `assignableScopes`
-
-Role definition assignable scopes. If not provided, will use the current scope provided.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `dataActions`
-
-List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `description`
-
-Description of the custom RBAC role to be created.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `location`
-
-Location deployment metadata.
-
-- Required: No
-- Type: string
-- Default: `[deployment().location]`
-
-### Parameter: `notActions`
-
-List of denied actions.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `notDataActions`
-
-List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `subscriptionId`
-
-The subscription ID where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment.
-
-- Required: No
-- Type: string
-- Default: `[subscription().subscriptionId]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The GUID of the Role Definition. |
-| `resourceId` | string | The resource ID of the Role Definition. |
-| `scope` | string | The scope this Role Definition applies to. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/authorization/role-definition/subscription/main.bicep b/modules/authorization/role-definition/subscription/main.bicep
deleted file mode 100644
index 928e32e41b..0000000000
--- a/modules/authorization/role-definition/subscription/main.bicep
+++ /dev/null
@@ -1,75 +0,0 @@
-metadata name = 'Role Definitions (Subscription scope)'
-metadata description = 'This module deploys a Role Definition at a Subscription scope.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'subscription'
-
-@sys.description('Required. Name of the custom RBAC role to be created.')
-param roleName string
-
-@sys.description('Optional. Description of the custom RBAC role to be created.')
-param description string = ''
-
-@sys.description('Optional. List of allowed actions.')
-param actions array = []
-
-@sys.description('Optional. List of denied actions.')
-param notActions array = []
-
-@sys.description('Optional. List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes.')
-param dataActions array = []
-
-@sys.description('Optional. List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes.')
-param notDataActions array = []
-
-@sys.description('Optional. The subscription ID where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment.')
-param subscriptionId string = subscription().subscriptionId
-
-@sys.description('Optional. Role definition assignable scopes. If not provided, will use the current scope provided.')
-param assignableScopes array = []
-
-@sys.description('Optional. Location deployment metadata.')
-param location string = deployment().location
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- location: location
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource roleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
- name: guid(roleName, subscriptionId)
- properties: {
- roleName: roleName
- description: description
- type: 'customRole'
- permissions: [
- {
- actions: actions
- notActions: notActions
- dataActions: dataActions
- notDataActions: notDataActions
- }
- ]
- assignableScopes: !empty(assignableScopes) ? assignableScopes : array(subscription().id)
- }
-}
-
-@sys.description('The GUID of the Role Definition.')
-output name string = roleDefinition.name
-
-@sys.description('The scope this Role Definition applies to.')
-output scope string = subscription().id
-
-@sys.description('The resource ID of the Role Definition.')
-output resourceId string = roleDefinition.id
diff --git a/modules/authorization/role-definition/subscription/main.json b/modules/authorization/role-definition/subscription/main.json
deleted file mode 100644
index 58ef47ed1a..0000000000
--- a/modules/authorization/role-definition/subscription/main.json
+++ /dev/null
@@ -1,144 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9622245925766749041" - }, - "name": "Role Definitions (Subscription scope)", - "description": "This module deploys a Role Definition at a Subscription scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "roleName": { - "type": "string", - "metadata": { - "description": "Required. Name of the custom RBAC role to be created." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Description of the custom RBAC role to be created." - } - }, - "actions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of allowed actions." - } - }, - "notActions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of denied actions." - } - }, - "dataActions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes." - } - }, - "notDataActions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes." - } - }, - "subscriptionId": { - "type": "string", - "defaultValue": "[subscription().subscriptionId]", - "metadata": { - "description": "Optional. The subscription ID where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment." - } - }, - "assignableScopes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Role definition assignable scopes. If not provided, will use the current scope provided." 
- } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Authorization/roleDefinitions", - "apiVersion": "2022-04-01", - "name": "[guid(parameters('roleName'), parameters('subscriptionId'))]", - "properties": { - "roleName": "[parameters('roleName')]", - "description": "[parameters('description')]", - "type": "customRole", - "permissions": [ - { - "actions": "[parameters('actions')]", - "notActions": "[parameters('notActions')]", - "dataActions": "[parameters('dataActions')]", - "notDataActions": "[parameters('notDataActions')]" - } - ], - "assignableScopes": "[if(not(empty(parameters('assignableScopes'))), parameters('assignableScopes'), array(subscription().id))]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The GUID of the Role Definition." - }, - "value": "[guid(parameters('roleName'), parameters('subscriptionId'))]" - }, - "scope": { - "type": "string", - "metadata": { - "description": "The scope this Role Definition applies to." 
- }, - "value": "[subscription().id]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Role Definition." - }, - "value": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', guid(parameters('roleName'), parameters('subscriptionId')))]" - } - } -} \ No newline at end of file diff --git a/modules/authorization/role-definition/subscription/version.json b/modules/authorization/role-definition/subscription/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/authorization/role-definition/subscription/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/authorization/role-definition/tests/e2e/mg.common/main.test.bicep b/modules/authorization/role-definition/tests/e2e/mg.common/main.test.bicep deleted file mode 100644 index 4a11b95b59..0000000000 --- a/modules/authorization/role-definition/tests/e2e/mg.common/main.test.bicep +++ /dev/null 
@@ -1,39 +0,0 @@
-targetScope = 'managementGroup'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ardmgcom'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../management-group/main.bicep' = {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- roleName: '${namePrefix}-testRole-${serviceShort}'
- actions: [
- 'Microsoft.Compute/galleries/*'
- 'Microsoft.Network/virtualNetworks/read'
- ]
- assignableScopes: [
- managementGroup().id
- ]
- description: 'Test Custom Role Definition Standard (management group scope)'
- notActions: [
- 'Microsoft.Compute/images/delete'
- 'Microsoft.Compute/images/write'
- 'Microsoft.Network/virtualNetworks/subnets/join/action'
- ]
- }
-}
diff --git a/modules/authorization/role-definition/tests/e2e/mg.min/main.test.bicep b/modules/authorization/role-definition/tests/e2e/mg.min/main.test.bicep
deleted file mode 100644
index 67848fd6db..0000000000
--- a/modules/authorization/role-definition/tests/e2e/mg.min/main.test.bicep
+++ /dev/null
@@ -1,30 +0,0 @@
-targetScope = 'managementGroup'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ardmgmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../management-group/main.bicep' = {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- roleName: '${namePrefix}-testRole-${serviceShort}'
- actions: [
- 'Microsoft.Compute/galleries/images/read'
- 'Microsoft.Compute/galleries/read'
- ]
- }
-}
diff --git a/modules/authorization/role-definition/tests/e2e/rg.common/main.test.bicep b/modules/authorization/role-definition/tests/e2e/rg.common/main.test.bicep
deleted file mode 100644
index b4f16419dc..0000000000
--- a/modules/authorization/role-definition/tests/e2e/rg.common/main.test.bicep
+++ /dev/null
@@ -1,64 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-authorization.roledefinitions-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ardrgcom'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../resource-group/main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- roleName: '${namePrefix}-testRole-${serviceShort}'
- actions: [
- 'Microsoft.Compute/galleries/*'
- 'Microsoft.Network/virtualNetworks/read'
- ]
- assignableScopes: [
- resourceGroup.id
- ]
- dataActions: [
- 'Microsoft.Storage/storageAccounts/blobServices/*/read'
- ]
- description: 'Test Custom Role Definition Standard (resource group scope)'
- notActions: [
- 'Microsoft.Compute/images/delete'
- 'Microsoft.Compute/images/write'
- 'Microsoft.Network/virtualNetworks/subnets/join/action'
- ]
- notDataActions: [
- 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'
- ]
- }
-}
diff --git a/modules/authorization/role-definition/tests/e2e/rg.min/main.test.bicep b/modules/authorization/role-definition/tests/e2e/rg.min/main.test.bicep
deleted file mode 100644
index 632a73d713..0000000000
--- a/modules/authorization/role-definition/tests/e2e/rg.min/main.test.bicep
+++ /dev/null
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-authorization.roledefinitions-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ardrgmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../resource-group/main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- roleName: '${namePrefix}-testRole-${serviceShort}'
- actions: [
- 'Microsoft.Compute/galleries/images/read'
- 'Microsoft.Compute/galleries/read'
- ]
- }
-}
diff --git a/modules/authorization/role-definition/tests/e2e/sub.common/main.test.bicep b/modules/authorization/role-definition/tests/e2e/sub.common/main.test.bicep
deleted file mode 100644
index 9e7bdf1096..0000000000
--- a/modules/authorization/role-definition/tests/e2e/sub.common/main.test.bicep
+++ /dev/null
@@ -1,45 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ardsubcom'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../subscription/main.bicep' = {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- roleName: '${namePrefix}-testRole-${serviceShort}'
- actions: [
- 'Microsoft.Compute/galleries/*'
- 'Microsoft.Network/virtualNetworks/read'
- ]
- assignableScopes: [
- subscription().id
- ]
- dataActions: [
- 'Microsoft.Storage/storageAccounts/blobServices/*/read'
- ]
- description: 'Test Custom Role Definition Standard (subscription scope)'
- notActions: [
- 'Microsoft.Compute/images/delete'
- 'Microsoft.Compute/images/write'
- 'Microsoft.Network/virtualNetworks/subnets/join/action'
- ]
- notDataActions: [
- 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'
- ]
- }
-}
diff --git a/modules/authorization/role-definition/tests/e2e/sub.min/main.test.bicep b/modules/authorization/role-definition/tests/e2e/sub.min/main.test.bicep
deleted file mode 100644
index e03ba0142c..0000000000
--- a/modules/authorization/role-definition/tests/e2e/sub.min/main.test.bicep
+++ /dev/null
@@ -1,31 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ardsubmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../subscription/main.bicep' = {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- roleName: '${namePrefix}-testRole-${serviceShort}'
- actions: [
- 'Microsoft.Compute/galleries/images/read'
- 'Microsoft.Compute/galleries/read'
- ]
- subscriptionId: subscription().subscriptionId
- }
-}
diff --git a/modules/authorization/role-definition/version.json b/modules/authorization/role-definition/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/authorization/role-definition/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/automation/automation-account/MOVED-TO-AVM.md b/modules/automation/automation-account/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/automation/automation-account/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/automation/automation-account/README.md b/modules/automation/automation-account/README.md
index 7517eecfda..dffc5391a8 100644
--- a/modules/automation/automation-account/README.md
+++ b/modules/automation/automation-account/README.md
@@ -1,1807 +1,7 @@
-# Automation Accounts `[Microsoft.Automation/automationAccounts]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/automation/automation-account](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/automation/automation-account).** -This module deploys an Azure Automation Account. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/automation/automation-account). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Automation/automationAccounts` | [2022-08-08](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Automation/2022-08-08/automationAccounts) | -| `Microsoft.Automation/automationAccounts/jobSchedules` | [2022-08-08](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Automation/2022-08-08/automationAccounts/jobSchedules) | -| `Microsoft.Automation/automationAccounts/modules` | [2022-08-08](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Automation/2022-08-08/automationAccounts/modules) | -| `Microsoft.Automation/automationAccounts/runbooks` | 
[2022-08-08](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Automation/2022-08-08/automationAccounts/runbooks) | -| `Microsoft.Automation/automationAccounts/schedules` | [2022-08-08](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Automation/2022-08-08/automationAccounts/schedules) | -| `Microsoft.Automation/automationAccounts/softwareUpdateConfigurations` | [2019-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Automation/2019-06-01/automationAccounts/softwareUpdateConfigurations) | -| `Microsoft.Automation/automationAccounts/variables` | [2022-08-08](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Automation/2022-08-08/automationAccounts/variables) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -| `Microsoft.OperationalInsights/workspaces/linkedServices` | [2020-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2020-08-01/workspaces/linkedServices) | -| `Microsoft.OperationsManagement/solutions` | [2015-11-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.OperationsManagement/2015-11-01-preview/solutions) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
- ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/automation.automation-account:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Encr](#example-2-encr) -- [Using large parameter set](#example-3-using-large-parameter-set) -- [WAF-aligned](#example-4-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-aamin' - params: { - // Required parameters - name: 'aamin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "aamin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Encr_ - -

- -via Bicep module - -```bicep -module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-aaencr' - params: { - // Required parameters - name: 'aaencr001' - // Non-required parameters - customerManagedKey: { - keyName: '' - keyVaultResourceId: '' - userAssignedIdentityResourceId: '' - } - enableDefaultTelemetry: '' - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "aaencr001" - }, - // Non-required parameters - "customerManagedKey": { - "value": { - "keyName": "", - "keyVaultResourceId": "", - "userAssignedIdentityResourceId": "" - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - } - } -} -``` - -
-

- -### Example 3: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-aamax' - params: { - // Required parameters - name: 'aamax001' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - disableLocalAuth: true - enableDefaultTelemetry: '' - gallerySolutions: [ - { - name: 'Updates' - product: 'OMSGallery' - publisher: 'Microsoft' - } - ] - jobSchedules: [ - { - runbookName: 'TestRunbook' - scheduleName: 'TestSchedule' - } - ] - linkedWorkspaceResourceId: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - modules: [ - { - name: 'PSWindowsUpdate' - uri: 'https://www.powershellgallery.com/api/v2/package' - version: 'latest' - } - ] - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'Webhook' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'DSCAndHybridWorker' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - runbooks: [ - { - description: 'Test runbook' - name: 'TestRunbook' - type: 'PowerShell' - uri: 
'https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.automation/101-automation/scripts/AzureAutomationTutorial.ps1' - version: '1.0.0.0' - } - ] - schedules: [ - { - advancedSchedule: {} - expiryTime: '9999-12-31T13:00' - frequency: 'Hour' - interval: 12 - name: 'TestSchedule' - startTime: '' - timeZone: 'Europe/Berlin' - } - ] - softwareUpdateConfigurations: [ - { - excludeUpdates: [ - '123456' - ] - frequency: 'Month' - includeUpdates: [ - '654321' - ] - interval: 1 - maintenanceWindow: 'PT4H' - monthlyOccurrences: [ - { - day: 'Friday' - occurrence: 3 - } - ] - name: 'Windows_ZeroDay' - operatingSystem: 'Windows' - rebootSetting: 'IfRequired' - scopeByTags: { - Update: [ - 'Automatic-Wave1' - ] - } - startTime: '22:00' - updateClassifications: [ - 'Critical' - 'Definition' - 'FeaturePack' - 'Security' - 'ServicePack' - 'Tools' - 'UpdateRollup' - 'Updates' - ] - } - { - excludeUpdates: [ - 'icacls' - ] - frequency: 'OneTime' - includeUpdates: [ - 'kernel' - ] - maintenanceWindow: 'PT4H' - name: 'Linux_ZeroDay' - operatingSystem: 'Linux' - rebootSetting: 'IfRequired' - startTime: '22:00' - updateClassifications: [ - 'Critical' - 'Other' - 'Security' - ] - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - variables: [ - { - description: 'TestStringDescription' - name: 'TestString' - value: '\'TestString\'' - } - { - description: 'TestIntegerDescription' - name: 'TestInteger' - value: '500' - } - { - description: 'TestBooleanDescription' - name: 'TestBoolean' - value: 'false' - } - { - description: 'TestDateTimeDescription' - isEncrypted: false - name: 'TestDateTime' - value: '\'\\/Date(1637934042656)\\/\'' - } - { - description: 'TestEncryptedDescription' - name: 'TestEncryptedVariable' - value: '\'TestEncryptedValue\'' - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "aamax001" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "disableLocalAuth": { - "value": true - }, - "enableDefaultTelemetry": { - "value": "" - }, - "gallerySolutions": { - "value": [ - { - "name": "Updates", - "product": "OMSGallery", - "publisher": "Microsoft" - } - ] - }, - "jobSchedules": { - "value": [ - { - "runbookName": "TestRunbook", - "scheduleName": "TestSchedule" - } - ] - }, - "linkedWorkspaceResourceId": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "modules": { - "value": [ - { - "name": "PSWindowsUpdate", - "uri": "https://www.powershellgallery.com/api/v2/package", - "version": "latest" - } - ] - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "Webhook", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "DSCAndHybridWorker", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": 
"", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "runbooks": { - "value": [ - { - "description": "Test runbook", - "name": "TestRunbook", - "type": "PowerShell", - "uri": "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.automation/101-automation/scripts/AzureAutomationTutorial.ps1", - "version": "1.0.0.0" - } - ] - }, - "schedules": { - "value": [ - { - "advancedSchedule": {}, - "expiryTime": "9999-12-31T13:00", - "frequency": "Hour", - "interval": 12, - "name": "TestSchedule", - "startTime": "", - "timeZone": "Europe/Berlin" - } - ] - }, - "softwareUpdateConfigurations": { - "value": [ - { - "excludeUpdates": [ - "123456" - ], - "frequency": "Month", - "includeUpdates": [ - "654321" - ], - "interval": 1, - "maintenanceWindow": "PT4H", - "monthlyOccurrences": [ - { - "day": "Friday", - "occurrence": 3 - } - ], - "name": "Windows_ZeroDay", - "operatingSystem": "Windows", - "rebootSetting": "IfRequired", - "scopeByTags": { - "Update": [ - "Automatic-Wave1" - ] - }, - "startTime": "22:00", - "updateClassifications": [ - "Critical", - "Definition", - "FeaturePack", - "Security", - "ServicePack", - "Tools", - "UpdateRollup", - "Updates" - ] - }, - { - "excludeUpdates": [ - "icacls" - ], - "frequency": "OneTime", - "includeUpdates": [ - "kernel" - ], - "maintenanceWindow": "PT4H", - "name": "Linux_ZeroDay", - "operatingSystem": "Linux", - "rebootSetting": "IfRequired", - "startTime": "22:00", - "updateClassifications": [ - "Critical", - "Other", - "Security" - ] - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "variables": { - "value": [ - { - "description": "TestStringDescription", - "name": "TestString", - "value": "\"TestString\"" 
- }, - { - "description": "TestIntegerDescription", - "name": "TestInteger", - "value": "500" - }, - { - "description": "TestBooleanDescription", - "name": "TestBoolean", - "value": "false" - }, - { - "description": "TestDateTimeDescription", - "isEncrypted": false, - "name": "TestDateTime", - "value": "\"\\/Date(1637934042656)\\/\"" - }, - { - "description": "TestEncryptedDescription", - "name": "TestEncryptedVariable", - "value": "\"TestEncryptedValue\"" - } - ] - } - } -} -``` - -
-

- -### Example 4: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-aawaf' - params: { - // Required parameters - name: 'aawaf001' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - disableLocalAuth: true - enableDefaultTelemetry: '' - gallerySolutions: [ - { - name: 'Updates' - product: 'OMSGallery' - publisher: 'Microsoft' - } - ] - jobSchedules: [ - { - runbookName: 'TestRunbook' - scheduleName: 'TestSchedule' - } - ] - linkedWorkspaceResourceId: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - modules: [ - { - name: 'PSWindowsUpdate' - uri: 'https://www.powershellgallery.com/api/v2/package' - version: 'latest' - } - ] - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'Webhook' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'DSCAndHybridWorker' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - runbooks: [ - { - description: 'Test runbook' - name: 'TestRunbook' - type: 'PowerShell' - uri: 'https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.automation/101-automation/scripts/AzureAutomationTutorial.ps1' - version: '1.0.0.0' - } - ] - schedules: [ - { - advancedSchedule: {} - expiryTime: '9999-12-31T13:00' - frequency: 'Hour' - interval: 12 - name: 'TestSchedule' - startTime: '' - timeZone: 
'Europe/Berlin' - } - ] - softwareUpdateConfigurations: [ - { - excludeUpdates: [ - '123456' - ] - frequency: 'Month' - includeUpdates: [ - '654321' - ] - interval: 1 - maintenanceWindow: 'PT4H' - monthlyOccurrences: [ - { - day: 'Friday' - occurrence: 3 - } - ] - name: 'Windows_ZeroDay' - operatingSystem: 'Windows' - rebootSetting: 'IfRequired' - scopeByTags: { - Update: [ - 'Automatic-Wave1' - ] - } - startTime: '22:00' - updateClassifications: [ - 'Critical' - 'Definition' - 'FeaturePack' - 'Security' - 'ServicePack' - 'Tools' - 'UpdateRollup' - 'Updates' - ] - } - { - excludeUpdates: [ - 'icacls' - ] - frequency: 'OneTime' - includeUpdates: [ - 'kernel' - ] - maintenanceWindow: 'PT4H' - name: 'Linux_ZeroDay' - operatingSystem: 'Linux' - rebootSetting: 'IfRequired' - startTime: '22:00' - updateClassifications: [ - 'Critical' - 'Other' - 'Security' - ] - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - variables: [ - { - description: 'TestStringDescription' - name: 'TestString' - value: '\'TestString\'' - } - { - description: 'TestIntegerDescription' - name: 'TestInteger' - value: '500' - } - { - description: 'TestBooleanDescription' - name: 'TestBoolean' - value: 'false' - } - { - description: 'TestDateTimeDescription' - isEncrypted: false - name: 'TestDateTime' - value: '\'\\/Date(1637934042656)\\/\'' - } - { - description: 'TestEncryptedDescription' - name: 'TestEncryptedVariable' - value: '\'TestEncryptedValue\'' - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "aawaf001" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "disableLocalAuth": { - "value": true - }, - "enableDefaultTelemetry": { - "value": "" - }, - "gallerySolutions": { - "value": [ - { - "name": "Updates", - "product": "OMSGallery", - "publisher": "Microsoft" - } - ] - }, - "jobSchedules": { - "value": [ - { - "runbookName": "TestRunbook", - "scheduleName": "TestSchedule" - } - ] - }, - "linkedWorkspaceResourceId": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "modules": { - "value": [ - { - "name": "PSWindowsUpdate", - "uri": "https://www.powershellgallery.com/api/v2/package", - "version": "latest" - } - ] - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "Webhook", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "DSCAndHybridWorker", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "runbooks": { - "value": [ - { - "description": "Test runbook", - "name": "TestRunbook", - "type": "PowerShell", - "uri": 
"https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.automation/101-automation/scripts/AzureAutomationTutorial.ps1", - "version": "1.0.0.0" - } - ] - }, - "schedules": { - "value": [ - { - "advancedSchedule": {}, - "expiryTime": "9999-12-31T13:00", - "frequency": "Hour", - "interval": 12, - "name": "TestSchedule", - "startTime": "", - "timeZone": "Europe/Berlin" - } - ] - }, - "softwareUpdateConfigurations": { - "value": [ - { - "excludeUpdates": [ - "123456" - ], - "frequency": "Month", - "includeUpdates": [ - "654321" - ], - "interval": 1, - "maintenanceWindow": "PT4H", - "monthlyOccurrences": [ - { - "day": "Friday", - "occurrence": 3 - } - ], - "name": "Windows_ZeroDay", - "operatingSystem": "Windows", - "rebootSetting": "IfRequired", - "scopeByTags": { - "Update": [ - "Automatic-Wave1" - ] - }, - "startTime": "22:00", - "updateClassifications": [ - "Critical", - "Definition", - "FeaturePack", - "Security", - "ServicePack", - "Tools", - "UpdateRollup", - "Updates" - ] - }, - { - "excludeUpdates": [ - "icacls" - ], - "frequency": "OneTime", - "includeUpdates": [ - "kernel" - ], - "maintenanceWindow": "PT4H", - "name": "Linux_ZeroDay", - "operatingSystem": "Linux", - "rebootSetting": "IfRequired", - "startTime": "22:00", - "updateClassifications": [ - "Critical", - "Other", - "Security" - ] - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "variables": { - "value": [ - { - "description": "TestStringDescription", - "name": "TestString", - "value": "\"TestString\"" - }, - { - "description": "TestIntegerDescription", - "name": "TestInteger", - "value": "500" - }, - { - "description": "TestBooleanDescription", - "name": "TestBoolean", - "value": "false" - }, - { - "description": "TestDateTimeDescription", - "isEncrypted": false, - "name": "TestDateTime", - "value": "\"\\/Date(1637934042656)\\/\"" - }, - { - 
"description": "TestEncryptedDescription", - "name": "TestEncryptedVariable", - "value": "\"TestEncryptedValue\"" - } - ] - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Automation Account. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`disableLocalAuth`](#parameter-disablelocalauth) | bool | Disable local authentication profile used within the resource. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`gallerySolutions`](#parameter-gallerysolutions) | array | List of gallerySolutions to be created in the linked log analytics workspace. | -| [`jobSchedules`](#parameter-jobschedules) | array | List of jobSchedules to be created in the automation account. | -| [`linkedWorkspaceResourceId`](#parameter-linkedworkspaceresourceid) | string | ID of the log analytics workspace to be linked to the deployed automation account. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`modules`](#parameter-modules) | array | List of modules to be created in the automation account. | -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. 
If not specified, it will be disabled by default if private endpoints are set. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`runbooks`](#parameter-runbooks) | array | List of runbooks to be created in the automation account. | -| [`schedules`](#parameter-schedules) | array | List of schedules to be created in the automation account. | -| [`skuName`](#parameter-skuname) | string | SKU name of the account. | -| [`softwareUpdateConfigurations`](#parameter-softwareupdateconfigurations) | array | List of softwareUpdateConfigurations to be created in the automation account. | -| [`tags`](#parameter-tags) | object | Tags of the Automation Account resource. | -| [`variables`](#parameter-variables) | array | List of variables to be created in the automation account. | - -### Parameter: `name` - -Name of the Automation Account. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKey` - -The customer managed key definition. - -- Required: No -- Type: object - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. | -| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | -| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. 
| - -### Parameter: `customerManagedKey.keyName` - -The name of the customer managed key to use for encryption. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKey.keyVaultResourceId` - -The resource ID of a key vault to reference a customer managed key for encryption from. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKey.keyVersion` - -The version of the customer managed key to reference for encryption. If not provided, using 'latest'. - -- Required: No -- Type: string - -### Parameter: `customerManagedKey.userAssignedIdentityResourceId` - -User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `disableLocalAuth` - -Disable local authentication profile used within the resource. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `gallerySolutions` - -List of gallerySolutions to be created in the linked log analytics workspace. 
- -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `jobSchedules` - -List of jobSchedules to be created in the automation account. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `linkedWorkspaceResourceId` - -ID of the log analytics workspace to be linked to the deployed automation account. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: No -- Type: array - -### Parameter: `modules` - -List of modules to be created in the automation account. 
- -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `privateEndpoints` - -Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. 
| -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.service` - -The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.subnetResourceId` - -Resource ID of the subnet where the endpoint needs to be created. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Application security groups in which the private endpoint IP configuration is included. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customDnsConfigs` - -Custom DNS configurations. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customNetworkInterfaceName` - -The custom name of the network interface attached to the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.enableTelemetry` - -Enable/Disable usage telemetry for module. - -- Required: No -- Type: bool - -### Parameter: `privateEndpoints.ipConfigurations` - -A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.location` - -The location to deploy the private endpoint to. 
- -- Required: No -- Type: string - -### Parameter: `privateEndpoints.lock` - -Specify the type of lock. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | -| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | - -### Parameter: `privateEndpoints.lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `privateEndpoints.lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` - -Manual PrivateLink Service Connections. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.name` - -The name of the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneGroupName` - -The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` - -The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `privateEndpoints.roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `privateEndpoints.tags` - -Tags to be applied on all resources/resource groups in this deployment. - -- Required: No -- Type: object - -### Parameter: `publicNetworkAccess` - -Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `runbooks` - -List of runbooks to be created in the automation account. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `schedules` - -List of schedules to be created in the automation account. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `skuName` - -SKU name of the account. - -- Required: No -- Type: string -- Default: `'Basic'` -- Allowed: - ```Bicep - [ - 'Basic' - 'Free' - ] - ``` - -### Parameter: `softwareUpdateConfigurations` - -List of softwareUpdateConfigurations to be created in the automation account. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `tags` - -Tags of the Automation Account resource. - -- Required: No -- Type: object - -### Parameter: `variables` - -List of variables to be created in the automation account. - -- Required: No -- Type: array -- Default: `[]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed automation account. 
|
-| `resourceGroupName` | string | The resource group of the deployed automation account. |
-| `resourceId` | string | The resource ID of the deployed automation account. |
-| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. |
-
-## Cross-referenced modules
-
-This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
-
-| Reference | Type |
-| :-- | :-- |
-| `modules/network/private-endpoint` | Local reference |
-| `modules/operational-insights/workspace/linked-service` | Local reference |
-| `modules/operations-management/solution` | Local reference |
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/automation/automation-account/job-schedule/README.md b/modules/automation/automation-account/job-schedule/README.md
deleted file mode 100644
index 05dd4ccf1e..0000000000
--- a/modules/automation/automation-account/job-schedule/README.md
+++ /dev/null
@@ -1,111 +0,0 @@
-# Automation Account Job Schedules `[Microsoft.Automation/automationAccounts/jobSchedules]`
-
-This module deploys an Azure Automation Account Job Schedule.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Automation/automationAccounts/jobSchedules` | [2022-08-08](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Automation/2022-08-08/automationAccounts/jobSchedules) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`runbookName`](#parameter-runbookname) | string | The runbook property associated with the entity. |
-| [`scheduleName`](#parameter-schedulename) | string | The schedule property associated with the entity. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`automationAccountName`](#parameter-automationaccountname) | string | The name of the parent Automation Account. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`parameters`](#parameter-parameters) | object | List of job properties. |
-| [`runOn`](#parameter-runon) | string | The hybrid worker group that the scheduled job should run on. |
-
-**Generated parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | Name of the Automation Account job schedule. Must be a GUID and is autogenerated. No need to provide this value. |
-
-### Parameter: `runbookName`
-
-The runbook property associated with the entity.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `scheduleName`
-
-The schedule property associated with the entity.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `automationAccountName`
-
-The name of the parent Automation Account. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `parameters`
-
-List of job properties.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `runOn`
-
-The hybrid worker group that the scheduled job should run on.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `name`
-
-Name of the Automation Account job schedule. Must be a GUID and is autogenerated. No need to provide this value.
-
-- Required: No
-- Type: string
-- Default: `[newGuid()]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed job schedule. |
-| `resourceGroupName` | string | The resource group of the deployed job schedule. |
-| `resourceId` | string | The resource ID of the deployed job schedule. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/automation/automation-account/job-schedule/main.bicep b/modules/automation/automation-account/job-schedule/main.bicep
deleted file mode 100644
index 4ef7162b08..0000000000
--- a/modules/automation/automation-account/job-schedule/main.bicep
+++ /dev/null
@@ -1,66 +0,0 @@
-metadata name = 'Automation Account Job Schedules'
-metadata description = 'This module deploys an Azure Automation Account Job Schedule.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Generated. Name of the Automation Account job schedule. Must be a GUID and is autogenerated. No need to provide this value.')
-param name string = newGuid()
-
-@description('Conditional. The name of the parent Automation Account. Required if the template is used in a standalone deployment.')
-param automationAccountName string
-
-@description('Required. The runbook property associated with the entity.')
-param runbookName string
-
-@description('Required. The schedule property associated with the entity.')
-param scheduleName string
-
-@description('Optional. List of job properties.')
-param parameters object = {}
-
-@description('Optional. The hybrid worker group that the scheduled job should run on.')
-param runOn string = ''
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource automationAccount 'Microsoft.Automation/automationAccounts@2022-08-08' existing = {
- name: automationAccountName
-}
-
-resource jobSchedule 'Microsoft.Automation/automationAccounts/jobSchedules@2022-08-08' = {
- // For each job schedule deployed with an ARM template, the GUID must be unique. Even if you're rescheduling an existing schedule, you'll need to change the GUID. This applies even if you've previously deleted an existing job schedule that was created with the same template. Reusing the same GUID results in a failed deployment.
- #disable-next-line use-stable-resource-identifiers
- name: name
- parent: automationAccount
- properties: {
- parameters: parameters
- runbook: {
- name: runbookName
- }
- runOn: !empty(runOn) ? runOn : null
- schedule: {
- name: scheduleName
- }
- }
-}
-
-@description('The name of the deployed job schedule.')
-output name string = jobSchedule.name
-
-@description('The resource ID of the deployed job schedule.')
-output resourceId string = jobSchedule.id
-
-@description('The resource group of the deployed job schedule.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/automation/automation-account/job-schedule/main.json b/modules/automation/automation-account/job-schedule/main.json
deleted file mode 100644
index 8c6c38ea2d..0000000000
--- a/modules/automation/automation-account/job-schedule/main.json
+++ /dev/null
@@ -1,116 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "7940366869013991296" - }, - "name": "Automation Account Job Schedules", - "description": "This module deploys an Azure Automation Account Job Schedule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "defaultValue": "[newGuid()]", - "metadata": { - "description": "Generated. Name of the Automation Account job schedule. Must be a GUID and is autogenerated. No need to provide this value." - } - }, - "automationAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Automation Account. Required if the template is used in a standalone deployment." - } - }, - "runbookName": { - "type": "string", - "metadata": { - "description": "Required. The runbook property associated with the entity." - } - }, - "scheduleName": { - "type": "string", - "metadata": { - "description": "Required. The schedule property associated with the entity." - } - }, - "parameters": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. List of job properties." - } - }, - "runOn": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The hybrid worker group that the scheduled job should run on." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Automation/automationAccounts/jobSchedules", - "apiVersion": "2022-08-08", - "name": "[format('{0}/{1}', parameters('automationAccountName'), parameters('name'))]", - "properties": { - "parameters": "[parameters('parameters')]", - "runbook": { - "name": "[parameters('runbookName')]" - }, - "runOn": "[if(not(empty(parameters('runOn'))), parameters('runOn'), null())]", - "schedule": { - "name": "[parameters('scheduleName')]" - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed job schedule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed job schedule." - }, - "value": "[resourceId('Microsoft.Automation/automationAccounts/jobSchedules', parameters('automationAccountName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed job schedule." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/automation/automation-account/job-schedule/version.json b/modules/automation/automation-account/job-schedule/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/automation/automation-account/job-schedule/version.json +++ /dev/null 
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/automation/automation-account/main.bicep b/modules/automation/automation-account/main.bicep
deleted file mode 100644
index a2dfa7b527..0000000000
--- a/modules/automation/automation-account/main.bicep
+++ /dev/null
@@ -1,551 +0,0 @@ -metadata name = 'Automation Accounts' -metadata description = 'This module deploys an Azure Automation Account.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. Name of the Automation Account.') -param name string - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. SKU name of the account.') -@allowed([ - 'Free' - 'Basic' -]) -param skuName string = 'Basic' - -@description('Optional. The customer managed key definition.') -param customerManagedKey customerManagedKeyType - -@description('Optional. List of modules to be created in the automation account.') -param modules array = [] - -@description('Optional. List of runbooks to be created in the automation account.') -param runbooks array = [] - -@description('Optional. List of schedules to be created in the automation account.') -param schedules array = [] - -@description('Optional. List of jobSchedules to be created in the automation account.') -param jobSchedules array = [] - -@description('Optional. List of variables to be created in the automation account.') -param variables array = [] - -@description('Optional. ID of the log analytics workspace to be linked to the deployed automation account.') -param linkedWorkspaceResourceId string = '' - -@description('Optional. List of gallerySolutions to be created in the linked log analytics workspace.') -param gallerySolutions array = [] - -@description('Optional. List of softwareUpdateConfigurations to be created in the automation account.') -param softwareUpdateConfigurations array = [] - -@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.') -@allowed([ - '' - 'Enabled' - 'Disabled' -]) -param publicNetworkAccess string = '' - -@description('Optional. 
Disable local authentication profile used within the resource.') -param disableLocalAuth bool = true - -@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') -param privateEndpoints privateEndpointType - -@description('Optional. The diagnostic settings of the service.') -param diagnosticSettings diagnosticSettingType - -@description('Optional. The managed identity definition for this resource.') -param managedIdentities managedIdentitiesType - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. Tags of the Automation Account resource.') -param tags object? - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var enableReferencedModulesTelemetry = false - -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } - -var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) - userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? 
formattedUserAssignedIdentities : null -} : null - -var builtInRoleNames = { - 'Automation Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867') - 'Automation Job Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4fe576fe-1146-4730-92eb-48519fa6bf9f') - 'Automation Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd3881f73-407a-4167-8283-e981cbba0404') - 'Automation Runbook Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) { - name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/')) - scope: resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? 
'//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4]) - - resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) { - name: customerManagedKey.?keyName ?? 'dummyKey' - } -} - -resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) { - name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 'dummyMsi', '/')) - scope: resourceGroup(split((customerManagedKey.?userAssignedIdentityResourceId ?? '//'), '/')[2], split((customerManagedKey.?userAssignedIdentityResourceId ?? '////'), '/')[4]) -} - -resource automationAccount 'Microsoft.Automation/automationAccounts@2022-08-08' = { - name: name - location: location - tags: tags - identity: identity - properties: { - sku: { - name: skuName - } - encryption: !empty(customerManagedKey) ? { - keySource: 'Microsoft.KeyVault' - identity: !empty(customerManagedKey.?userAssignedIdentityResourceId) ? { - userAssignedIdentity: cMKUserAssignedIdentity.id - } : null - keyVaultProperties: { - keyName: customerManagedKey!.keyName - keyVaultUri: cMKKeyVault.properties.vaultUri - keyVersion: !empty(customerManagedKey.?keyVersion ?? '') ? customerManagedKey!.keyVersion : last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/')) - } - } : null - publicNetworkAccess: !empty(publicNetworkAccess) ? (publicNetworkAccess == 'Disabled' ? false : true) : (!empty(privateEndpoints) ? false : null) - disableLocalAuth: disableLocalAuth - } -} - -module automationAccount_modules 'module/main.bicep' = [for (module, index) in modules: { - name: '${uniqueString(deployment().name, location)}-AutoAccount-Module-${index}' - params: { - name: module.name - automationAccountName: automationAccount.name - version: module.version - uri: module.uri - location: location - tags: module.?tags ?? 
tags - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -module automationAccount_schedules 'schedule/main.bicep' = [for (schedule, index) in schedules: { - name: '${uniqueString(deployment().name, location)}-AutoAccount-Schedule-${index}' - params: { - name: schedule.name - automationAccountName: automationAccount.name - advancedSchedule: contains(schedule, 'advancedSchedule') ? schedule.advancedSchedule : null - description: contains(schedule, 'description') ? schedule.description : '' - expiryTime: contains(schedule, 'expiryTime') ? schedule.expiryTime : '' - frequency: contains(schedule, 'frequency') ? schedule.frequency : 'OneTime' - interval: contains(schedule, 'interval') ? schedule.interval : 0 - startTime: contains(schedule, 'startTime') ? schedule.startTime : '' - timeZone: contains(schedule, 'timeZone') ? schedule.timeZone : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -module automationAccount_runbooks 'runbook/main.bicep' = [for (runbook, index) in runbooks: { - name: '${uniqueString(deployment().name, location)}-AutoAccount-Runbook-${index}' - params: { - name: runbook.name - automationAccountName: automationAccount.name - type: runbook.type - description: contains(runbook, 'description') ? runbook.description : '' - uri: contains(runbook, 'uri') ? runbook.uri : '' - version: contains(runbook, 'version') ? runbook.version : '' - sasTokenValidityLength: runbook.?sasTokenValidityLength - scriptStorageAccountResourceId: runbook.?scriptStorageAccountResourceId - location: location - tags: runbook.?tags ?? 
tags - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -module automationAccount_jobSchedules 'job-schedule/main.bicep' = [for (jobSchedule, index) in jobSchedules: { - name: '${uniqueString(deployment().name, location)}-AutoAccount-JobSchedule-${index}' - params: { - automationAccountName: automationAccount.name - runbookName: jobSchedule.runbookName - scheduleName: jobSchedule.scheduleName - parameters: contains(jobSchedule, 'parameters') ? jobSchedule.parameters : {} - runOn: contains(jobSchedule, 'runOn') ? jobSchedule.runOn : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry - } - dependsOn: [ - automationAccount_schedules - automationAccount_runbooks - ] -}] - -module automationAccount_variables 'variable/main.bicep' = [for (variable, index) in variables: { - name: '${uniqueString(deployment().name, location)}-AutoAccount-Variable-${index}' - params: { - automationAccountName: automationAccount.name - name: variable.name - description: contains(variable, 'description') ? variable.description : '' - value: variable.value - isEncrypted: contains(variable, 'isEncrypted') ? variable.isEncrypted : true - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -module automationAccount_linkedService '../../operational-insights/workspace/linked-service/main.bicep' = if (!empty(linkedWorkspaceResourceId)) { - name: '${uniqueString(deployment().name, location)}-AutoAccount-LinkedService' - params: { - name: 'automation' - logAnalyticsWorkspaceName: last(split(linkedWorkspaceResourceId, '/'))! - enableDefaultTelemetry: enableReferencedModulesTelemetry - resourceId: automationAccount.id - tags: tags - } - // This is to support linked services to law in different subscription and resource group than the automation account. - // The current scope is used by default if no linked service is intended to be created. - scope: resourceGroup((!empty(linkedWorkspaceResourceId) ? (split((!empty(linkedWorkspaceResourceId) ? 
linkedWorkspaceResourceId : '//'), '/')[2]) : subscription().subscriptionId), !empty(linkedWorkspaceResourceId) ? (split((!empty(linkedWorkspaceResourceId) ? linkedWorkspaceResourceId : '////'), '/')[4]) : resourceGroup().name) -} - -module automationAccount_solutions '../../operations-management/solution/main.bicep' = [for (gallerySolution, index) in gallerySolutions: if (!empty(linkedWorkspaceResourceId)) { - name: '${uniqueString(deployment().name, location)}-AutoAccount-Solution-${index}' - params: { - name: gallerySolution.name - location: location - logAnalyticsWorkspaceName: last(split(linkedWorkspaceResourceId, '/'))! - product: contains(gallerySolution, 'product') ? gallerySolution.product : 'OMSGallery' - publisher: contains(gallerySolution, 'publisher') ? gallerySolution.publisher : 'Microsoft' - enableDefaultTelemetry: enableReferencedModulesTelemetry - } - // This is to support solution to law in different subscription and resource group than the automation account. - // The current scope is used by default if no linked service is intended to be created. - scope: resourceGroup((!empty(linkedWorkspaceResourceId) ? (split((!empty(linkedWorkspaceResourceId) ? linkedWorkspaceResourceId : '//'), '/')[2]) : subscription().subscriptionId), !empty(linkedWorkspaceResourceId) ? (split((!empty(linkedWorkspaceResourceId) ? 
linkedWorkspaceResourceId : '////'), '/')[4]) : resourceGroup().name) - dependsOn: [ - automationAccount_linkedService - ] -}] - -module automationAccount_softwareUpdateConfigurations 'software-update-configuration/main.bicep' = [for (softwareUpdateConfiguration, index) in softwareUpdateConfigurations: { - name: '${uniqueString(deployment().name, location)}-AutoAccount-SwUpdateConfig-${index}' - params: { - name: softwareUpdateConfiguration.name - automationAccountName: automationAccount.name - frequency: softwareUpdateConfiguration.frequency - operatingSystem: softwareUpdateConfiguration.operatingSystem - rebootSetting: softwareUpdateConfiguration.rebootSetting - azureVirtualMachines: contains(softwareUpdateConfiguration, 'azureVirtualMachines') ? softwareUpdateConfiguration.azureVirtualMachines : [] - excludeUpdates: contains(softwareUpdateConfiguration, 'excludeUpdates') ? softwareUpdateConfiguration.excludeUpdates : [] - expiryTime: contains(softwareUpdateConfiguration, 'expiryTime') ? softwareUpdateConfiguration.expiryTime : '' - expiryTimeOffsetMinutes: contains(softwareUpdateConfiguration, 'expiryTimeOffsetMinutes') ? softwareUpdateConfiguration.expiryTimeOffsetMinute : 0 - includeUpdates: contains(softwareUpdateConfiguration, 'includeUpdates') ? softwareUpdateConfiguration.includeUpdates : [] - interval: contains(softwareUpdateConfiguration, 'interval') ? softwareUpdateConfiguration.interval : 1 - isEnabled: contains(softwareUpdateConfiguration, 'isEnabled') ? softwareUpdateConfiguration.isEnabled : true - maintenanceWindow: contains(softwareUpdateConfiguration, 'maintenanceWindow') ? softwareUpdateConfiguration.maintenanceWindow : 'PT2H' - monthDays: contains(softwareUpdateConfiguration, 'monthDays') ? softwareUpdateConfiguration.monthDays : [] - monthlyOccurrences: contains(softwareUpdateConfiguration, 'monthlyOccurrences') ? softwareUpdateConfiguration.monthlyOccurrences : [] - nextRun: contains(softwareUpdateConfiguration, 'nextRun') ? 
softwareUpdateConfiguration.nextRun : '' - nextRunOffsetMinutes: contains(softwareUpdateConfiguration, 'nextRunOffsetMinutes') ? softwareUpdateConfiguration.nextRunOffsetMinutes : 0 - nonAzureComputerNames: contains(softwareUpdateConfiguration, 'nonAzureComputerNames') ? softwareUpdateConfiguration.nonAzureComputerNames : [] - nonAzureQueries: contains(softwareUpdateConfiguration, 'nonAzureQueries') ? softwareUpdateConfiguration.nonAzureQueries : [] - postTaskParameters: contains(softwareUpdateConfiguration, 'postTaskParameters') ? softwareUpdateConfiguration.postTaskParameters : {} - postTaskSource: contains(softwareUpdateConfiguration, 'postTaskSource') ? softwareUpdateConfiguration.postTaskSource : '' - preTaskParameters: contains(softwareUpdateConfiguration, 'preTaskParameters') ? softwareUpdateConfiguration.preTaskParameters : {} - preTaskSource: contains(softwareUpdateConfiguration, 'preTaskSource') ? softwareUpdateConfiguration.preTaskSource : '' - scheduleDescription: contains(softwareUpdateConfiguration, 'scheduleDescription') ? softwareUpdateConfiguration.scheduleDescription : '' - scopeByLocations: contains(softwareUpdateConfiguration, 'scopeByLocations') ? softwareUpdateConfiguration.scopeByLocations : [] - scopeByResources: contains(softwareUpdateConfiguration, 'scopeByResources') ? softwareUpdateConfiguration.scopeByResources : [ - subscription().id - ] - scopeByTags: contains(softwareUpdateConfiguration, 'scopeByTags') ? softwareUpdateConfiguration.scopeByTags : {} - scopeByTagsOperation: contains(softwareUpdateConfiguration, 'scopeByTagsOperation') ? softwareUpdateConfiguration.scopeByTagsOperation : 'All' - startTime: contains(softwareUpdateConfiguration, 'startTime') ? softwareUpdateConfiguration.startTime : '' - timeZone: contains(softwareUpdateConfiguration, 'timeZone') ? softwareUpdateConfiguration.timeZone : 'UTC' - updateClassifications: contains(softwareUpdateConfiguration, 'updateClassifications') ? 
softwareUpdateConfiguration.updateClassifications : [ - 'Critical' - 'Security' - ] - weekDays: contains(softwareUpdateConfiguration, 'weekDays') ? softwareUpdateConfiguration.weekDays : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry - } - dependsOn: [ - automationAccount_solutions - ] -}] - -resource automationAccount_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' - } - scope: automationAccount -} - -resource automationAccount_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { - name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' - properties: { - storageAccountId: diagnosticSetting.?storageAccountResourceId - workspaceId: diagnosticSetting.?workspaceResourceId - eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId - eventHubName: diagnosticSetting.?eventHubName - metrics: diagnosticSetting.?metricCategories ?? [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - } - ] - logs: diagnosticSetting.?logCategoriesAndGroups ?? [ - { - categoryGroup: 'AllLogs' - enabled: true - } - ] - marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId - logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType - } - scope: automationAccount -}] - -module automationAccount_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): { - name: '${uniqueString(deployment().name, location)}-automationAccount-PrivateEndpoint-${index}' - params: { - groupIds: [ - privateEndpoint.service - ] - name: privateEndpoint.?name ?? 
'pep-${last(split(automationAccount.id, '/'))}-${privateEndpoint.?service ?? privateEndpoint.service}-${index}'
- serviceResourceId: automationAccount.id
- subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
- location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
- privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
- roleAssignments: privateEndpoint.?roleAssignments
- tags: privateEndpoint.?tags ?? tags
- manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
- customDnsConfigs: privateEndpoint.?customDnsConfigs
- ipConfigurations: privateEndpoint.?ipConfigurations
- applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
- customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
- }
-}]
-
-resource automationAccount_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(automationAccount.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: automationAccount
-}]
-
-@description('The name of the deployed automation account.')
-output name string = automationAccount.name
-
-@description('The resource ID of the deployed automation account.')
-output resourceId string = automationAccount.id
-
-@description('The resource group of the deployed automation account.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The principal ID of the system assigned identity.')
-output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(automationAccount.identity, 'principalId') ? automationAccount.identity.principalId : ''
-
-@description('The location the resource was deployed into.')
-output location string = automationAccount.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]?
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type privateEndpointType = {
- @description('Optional. The name of the private endpoint.')
- name: string?
-
- @description('Optional. The location to deploy the private endpoint to.')
- location: string?
-
- @description('Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
- service: string
-
- @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
- subnetResourceId: string
-
- @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
- privateDnsZoneGroupName: string?
-
- @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
- privateDnsZoneResourceIds: string[]?
-
- @description('Optional. Custom DNS configurations.')
- customDnsConfigs: {
- @description('Required. Fqdn that resolves to private endpoint ip address.')
- fqdn: string?
-
- @description('Required. A list of private ip addresses of the private endpoint.')
- ipAddresses: string[]
- }[]?
-
- @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
- ipConfigurations: {
- @description('Required. The name of the resource that is unique within a resource group.')
- name: string
-
- @description('Required. Properties of private endpoint IP configurations.')
- properties: {
- @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
- groupId: string
-
- @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
- memberName: string
-
- @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
- privateIPAddress: string
- }
- }[]?
-
- @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
- applicationSecurityGroupResourceIds: string[]?
-
- @description('Optional. The custom name of the network interface attached to the private endpoint.')
- customNetworkInterfaceName: string?
-
- @description('Optional. Specify the type of lock.')
- lock: lockType
-
- @description('Optional. Array of role assignments to create.')
- roleAssignments: roleAssignmentType
-
- @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
- tags: object?
-
- @description('Optional. Manual PrivateLink Service Connections.')
- manualPrivateLinkServiceConnections: array?
-
- @description('Optional. Enable/Disable usage telemetry for module.')
- enableTelemetry: bool?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
-
-type customerManagedKeyType = {
- @description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.')
- keyVaultResourceId: string
-
- @description('Required. The name of the customer managed key to use for encryption.')
- keyName: string
-
- @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.')
- keyVersion: string?
-
- @description('Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use.')
- userAssignedIdentityResourceId: string?
-}?
diff --git a/modules/automation/automation-account/main.json b/modules/automation/automation-account/main.json
deleted file mode 100644
index 369cf74eb5..0000000000
--- a/modules/automation/automation-account/main.json
+++ /dev/null
@@ -1,3078 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15622091278066868534" - }, - "name": "Automation Accounts", - "description": "This module deploys an Azure Automation Account.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "metadata": { - "description": "Required. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." 
- } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. 
Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - }, - "customerManagedKeyType": { - "type": "object", - "properties": { - "keyVaultResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." - } - }, - "keyName": { - "type": "string", - "metadata": { - "description": "Required. The name of the customer managed key to use for encryption." - } - }, - "keyVersion": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." - } - }, - "userAssignedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use." 
- } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Automation Account." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "skuName": { - "type": "string", - "defaultValue": "Basic", - "allowedValues": [ - "Free", - "Basic" - ], - "metadata": { - "description": "Optional. SKU name of the account." - } - }, - "customerManagedKey": { - "$ref": "#/definitions/customerManagedKeyType", - "metadata": { - "description": "Optional. The customer managed key definition." - } - }, - "modules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of modules to be created in the automation account." - } - }, - "runbooks": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of runbooks to be created in the automation account." - } - }, - "schedules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of schedules to be created in the automation account." - } - }, - "jobSchedules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of jobSchedules to be created in the automation account." - } - }, - "variables": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of variables to be created in the automation account." - } - }, - "linkedWorkspaceResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. ID of the log analytics workspace to be linked to the deployed automation account." - } - }, - "gallerySolutions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of gallerySolutions to be created in the linked log analytics workspace." 
- } - }, - "softwareUpdateConfigurations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of softwareUpdateConfigurations to be created in the automation account." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set." - } - }, - "disableLocalAuth": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Disable local authentication profile used within the resource." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the Automation Account resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "builtInRoleNames": { - "Automation Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867')]", - "Automation Job Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", - "Automation Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd3881f73-407a-4167-8283-e981cbba0404')]", - "Automation Runbook Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control 
Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "cMKKeyVault::cMKKey": { - "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults/keys", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", - "dependsOn": [ - "cMKKeyVault" - ] - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "cMKKeyVault": { - "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - 
"resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" - }, - "cMKUserAssignedIdentity": { - "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')))]", - "existing": true, - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2023-01-31", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" - }, - "automationAccount": { - "type": "Microsoft.Automation/automationAccounts", - "apiVersion": "2022-08-08", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "properties": { - "sku": { - "name": "[parameters('skuName')]" - }, - "encryption": "[if(not(empty(parameters('customerManagedKey'))), createObject('keySource', 'Microsoft.KeyVault', 'identity', if(not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'))), createObject('userAssignedIdentity', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/')))), null()), 'keyVaultProperties', createObject('keyName', 
parameters('customerManagedKey').keyName, 'keyVaultUri', reference('cMKKeyVault').vaultUri, 'keyVersion', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), parameters('customerManagedKey').keyVersion, last(split(reference('cMKKeyVault::cMKKey').keyUriWithVersion, '/'))))), null())]", - "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), if(equals(parameters('publicNetworkAccess'), 'Disabled'), false(), true()), if(not(empty(parameters('privateEndpoints'))), false(), null()))]", - "disableLocalAuth": "[parameters('disableLocalAuth')]" - }, - "dependsOn": [ - "cMKKeyVault", - "cMKUserAssignedIdentity" - ] - }, - "automationAccount_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Automation/automationAccounts/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "automationAccount" - ] - }, - "automationAccount_diagnosticSettings": { - "copy": { - "name": "automationAccount_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Automation/automationAccounts/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - 
"storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "automationAccount" - ] - }, - "automationAccount_roleAssignments": { - "copy": { - "name": "automationAccount_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Automation/automationAccounts/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Automation/automationAccounts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": 
"[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "automationAccount" - ] - }, - "automationAccount_modules": { - "copy": { - "name": "automationAccount_modules", - "count": "[length(parameters('modules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AutoAccount-Module-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": 
"Incremental", - "parameters": { - "name": { - "value": "[parameters('modules')[copyIndex()].name]" - }, - "automationAccountName": { - "value": "[parameters('name')]" - }, - "version": { - "value": "[parameters('modules')[copyIndex()].version]" - }, - "uri": { - "value": "[parameters('modules')[copyIndex()].uri]" - }, - "location": { - "value": "[parameters('location')]" - }, - "tags": { - "value": "[coalesce(tryGet(parameters('modules')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6971821068699927304" - }, - "name": "Automation Account Modules", - "description": "This module deploys an Azure Automation Account Module.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Automation Account module." - } - }, - "automationAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Automation Account. Required if the template is used in a standalone deployment." - } - }, - "uri": { - "type": "string", - "metadata": { - "description": "Required. Module package URI, e.g. https://www.powershellgallery.com/api/v2/package." - } - }, - "version": { - "type": "string", - "defaultValue": "latest", - "metadata": { - "description": "Optional. Module version or specify latest to get the latest version." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." 
- } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the Automation Account resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "automationAccount": { - "existing": true, - "type": "Microsoft.Automation/automationAccounts", - "apiVersion": "2022-08-08", - "name": "[parameters('automationAccountName')]" - }, - "module": { - "type": "Microsoft.Automation/automationAccounts/modules", - "apiVersion": "2022-08-08", - "name": "[format('{0}/{1}', parameters('automationAccountName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "contentLink": { - "uri": "[if(not(equals(parameters('version'), 'latest')), format('{0}/{1}/{2}', parameters('uri'), parameters('name'), parameters('version')), format('{0}/{1}', parameters('uri'), parameters('name')))]", - "version": "[if(not(equals(parameters('version'), 'latest')), parameters('version'), null())]" - } - }, - "dependsOn": [ - "automationAccount" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed module." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed module." 
- }, - "value": "[resourceId('Microsoft.Automation/automationAccounts/modules', parameters('automationAccountName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed module." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('module', '2022-08-08', 'full').location]" - } - } - } - }, - "dependsOn": [ - "automationAccount" - ] - }, - "automationAccount_schedules": { - "copy": { - "name": "automationAccount_schedules", - "count": "[length(parameters('schedules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AutoAccount-Schedule-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('schedules')[copyIndex()].name]" - }, - "automationAccountName": { - "value": "[parameters('name')]" - }, - "advancedSchedule": "[if(contains(parameters('schedules')[copyIndex()], 'advancedSchedule'), createObject('value', parameters('schedules')[copyIndex()].advancedSchedule), createObject('value', null()))]", - "description": "[if(contains(parameters('schedules')[copyIndex()], 'description'), createObject('value', parameters('schedules')[copyIndex()].description), createObject('value', ''))]", - "expiryTime": "[if(contains(parameters('schedules')[copyIndex()], 'expiryTime'), createObject('value', parameters('schedules')[copyIndex()].expiryTime), createObject('value', ''))]", - "frequency": "[if(contains(parameters('schedules')[copyIndex()], 'frequency'), createObject('value', parameters('schedules')[copyIndex()].frequency), createObject('value', 'OneTime'))]", - "interval": 
"[if(contains(parameters('schedules')[copyIndex()], 'interval'), createObject('value', parameters('schedules')[copyIndex()].interval), createObject('value', 0))]", - "startTime": "[if(contains(parameters('schedules')[copyIndex()], 'startTime'), createObject('value', parameters('schedules')[copyIndex()].startTime), createObject('value', ''))]", - "timeZone": "[if(contains(parameters('schedules')[copyIndex()], 'timeZone'), createObject('value', parameters('schedules')[copyIndex()].timeZone), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "3941184452068098954" - }, - "name": "Automation Account Schedules", - "description": "This module deploys an Azure Automation Account Schedule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Automation Account schedule." - } - }, - "automationAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Automation Account. Required if the template is used in a standalone deployment." - } - }, - "advancedSchedule": { - "type": "object", - "defaultValue": {}, - "metadata": { - "monthDays": "Days of the month that the job should execute on. Must be between 1 and 31.", - "monthlyOccurrences": "Occurrences of days within a month.", - "weekDays": "Days of the week that the job should execute on.", - "description": "Optional. The properties of the create Advanced Schedule." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the schedule." 
- } - }, - "expiryTime": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The end time of the schedule." - } - }, - "frequency": { - "type": "string", - "defaultValue": "OneTime", - "allowedValues": [ - "Day", - "Hour", - "Minute", - "Month", - "OneTime", - "Week" - ], - "metadata": { - "description": "Optional. The frequency of the schedule." - } - }, - "interval": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. Anything." - } - }, - "startTime": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The start time of the schedule." - } - }, - "timeZone": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The time zone of the schedule." - } - }, - "baseTime": { - "type": "string", - "defaultValue": "[utcNow('u')]", - "metadata": { - "description": "Generated. Time used as a basis for e.g. the schedule start date." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Automation/automationAccounts/schedules", - "apiVersion": "2022-08-08", - "name": "[format('{0}/{1}', parameters('automationAccountName'), parameters('name'))]", - "properties": { - "advancedSchedule": "[if(not(empty(parameters('advancedSchedule'))), parameters('advancedSchedule'), null())]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "expiryTime": "[if(not(empty(parameters('expiryTime'))), parameters('expiryTime'), null())]", - "frequency": "[if(not(empty(parameters('frequency'))), parameters('frequency'), 'OneTime')]", - "interval": "[if(not(equals(parameters('interval'), 0)), parameters('interval'), null())]", - "startTime": "[if(not(empty(parameters('startTime'))), parameters('startTime'), dateTimeAdd(parameters('baseTime'), 'PT10M'))]", - "timeZone": "[if(not(empty(parameters('timeZone'))), parameters('timeZone'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed schedule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed schedule." - }, - "value": "[resourceId('Microsoft.Automation/automationAccounts/schedules', parameters('automationAccountName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed schedule." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "automationAccount" - ] - }, - "automationAccount_runbooks": { - "copy": { - "name": "automationAccount_runbooks", - "count": "[length(parameters('runbooks'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AutoAccount-Runbook-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('runbooks')[copyIndex()].name]" - }, - "automationAccountName": { - "value": "[parameters('name')]" - }, - "type": { - "value": "[parameters('runbooks')[copyIndex()].type]" - }, - "description": "[if(contains(parameters('runbooks')[copyIndex()], 'description'), createObject('value', parameters('runbooks')[copyIndex()].description), createObject('value', ''))]", - "uri": "[if(contains(parameters('runbooks')[copyIndex()], 'uri'), createObject('value', parameters('runbooks')[copyIndex()].uri), createObject('value', ''))]", - "version": "[if(contains(parameters('runbooks')[copyIndex()], 'version'), createObject('value', parameters('runbooks')[copyIndex()].version), createObject('value', ''))]", - "sasTokenValidityLength": { - "value": "[tryGet(parameters('runbooks')[copyIndex()], 'sasTokenValidityLength')]" - }, - "scriptStorageAccountResourceId": { - "value": "[tryGet(parameters('runbooks')[copyIndex()], 'scriptStorageAccountResourceId')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "tags": { - "value": "[coalesce(tryGet(parameters('runbooks')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - 
"metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "3054091660106074138" - }, - "name": "Automation Account Runbooks", - "description": "This module deploys an Azure Automation Account Runbook.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Automation Account runbook." - } - }, - "automationAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Automation Account. Required if the template is used in a standalone deployment." - } - }, - "type": { - "type": "string", - "allowedValues": [ - "Graph", - "GraphPowerShell", - "GraphPowerShellWorkflow", - "PowerShell", - "PowerShellWorkflow" - ], - "metadata": { - "description": "Required. The type of the runbook." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the runbook." - } - }, - "uri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The uri of the runbook content." - } - }, - "version": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The version of the runbook content." - } - }, - "scriptStorageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource Id of the runbook storage account." - } - }, - "baseTime": { - "type": "string", - "defaultValue": "[utcNow('u')]", - "metadata": { - "description": "Generated. Time used as a basis for e.g. the schedule start date." - } - }, - "sasTokenValidityLength": { - "type": "string", - "defaultValue": "PT8H", - "metadata": { - "description": "Optional. SAS token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours." 
- } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the Automation Account resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "accountSasProperties": { - "signedServices": "b", - "signedPermission": "r", - "signedExpiry": "[dateTimeAdd(parameters('baseTime'), parameters('sasTokenValidityLength'))]", - "signedResourceTypes": "o", - "signedProtocol": "https" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "automationAccount": { - "existing": true, - "type": "Microsoft.Automation/automationAccounts", - "apiVersion": "2022-08-08", - "name": "[parameters('automationAccountName')]" - }, - "storageAccount": { - "condition": "[not(empty(parameters('scriptStorageAccountResourceId')))]", - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2022-09-01", - "subscriptionId": "[split(coalesce(parameters('scriptStorageAccountResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(parameters('scriptStorageAccountResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(parameters('scriptStorageAccountResourceId'), 'dummyVault'), '/'))]" - }, - "runbook": { - 
"type": "Microsoft.Automation/automationAccounts/runbooks", - "apiVersion": "2022-08-08", - "name": "[format('{0}/{1}', parameters('automationAccountName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "runbookType": "[parameters('type')]", - "description": "[parameters('description')]", - "publishContentLink": "[if(not(empty(parameters('uri'))), if(empty(parameters('uri')), null(), createObject('uri', if(not(empty(parameters('uri'))), if(empty(parameters('scriptStorageAccountResourceId')), parameters('uri'), format('{0}?{1}', parameters('uri'), listAccountSas(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(parameters('scriptStorageAccountResourceId'), '//'), '/')[2], split(coalesce(parameters('scriptStorageAccountResourceId'), '////'), '/')[4]), 'Microsoft.Storage/storageAccounts', last(split(coalesce(parameters('scriptStorageAccountResourceId'), 'dummyVault'), '/'))), '2021-04-01', variables('accountSasProperties')).accountSasToken)), null()), 'version', if(not(empty(parameters('version'))), parameters('version'), null()))), null())]" - }, - "dependsOn": [ - "automationAccount", - "storageAccount" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed runbook." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed runbook." - }, - "value": "[resourceId('Microsoft.Automation/automationAccounts/runbooks', parameters('automationAccountName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed runbook." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." 
- }, - "value": "[reference('runbook', '2022-08-08', 'full').location]" - } - } - } - }, - "dependsOn": [ - "automationAccount" - ] - }, - "automationAccount_jobSchedules": { - "copy": { - "name": "automationAccount_jobSchedules", - "count": "[length(parameters('jobSchedules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AutoAccount-JobSchedule-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "automationAccountName": { - "value": "[parameters('name')]" - }, - "runbookName": { - "value": "[parameters('jobSchedules')[copyIndex()].runbookName]" - }, - "scheduleName": { - "value": "[parameters('jobSchedules')[copyIndex()].scheduleName]" - }, - "parameters": "[if(contains(parameters('jobSchedules')[copyIndex()], 'parameters'), createObject('value', parameters('jobSchedules')[copyIndex()].parameters), createObject('value', createObject()))]", - "runOn": "[if(contains(parameters('jobSchedules')[copyIndex()], 'runOn'), createObject('value', parameters('jobSchedules')[copyIndex()].runOn), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "7940366869013991296" - }, - "name": "Automation Account Job Schedules", - "description": "This module deploys an Azure Automation Account Job Schedule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "defaultValue": "[newGuid()]", - "metadata": { - "description": "Generated. Name of the Automation Account job schedule. Must be a GUID and is autogenerated. 
No need to provide this value." - } - }, - "automationAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Automation Account. Required if the template is used in a standalone deployment." - } - }, - "runbookName": { - "type": "string", - "metadata": { - "description": "Required. The runbook property associated with the entity." - } - }, - "scheduleName": { - "type": "string", - "metadata": { - "description": "Required. The schedule property associated with the entity." - } - }, - "parameters": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. List of job properties." - } - }, - "runOn": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The hybrid worker group that the scheduled job should run on." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Automation/automationAccounts/jobSchedules", - "apiVersion": "2022-08-08", - "name": "[format('{0}/{1}', parameters('automationAccountName'), parameters('name'))]", - "properties": { - "parameters": "[parameters('parameters')]", - "runbook": { - "name": "[parameters('runbookName')]" - }, - "runOn": "[if(not(empty(parameters('runOn'))), parameters('runOn'), null())]", - "schedule": { - "name": "[parameters('scheduleName')]" - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed job schedule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed job schedule." - }, - "value": "[resourceId('Microsoft.Automation/automationAccounts/jobSchedules', parameters('automationAccountName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed job schedule." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "automationAccount", - "automationAccount_runbooks", - "automationAccount_schedules" - ] - }, - "automationAccount_variables": { - "copy": { - "name": "automationAccount_variables", - "count": "[length(parameters('variables'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AutoAccount-Variable-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "automationAccountName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('variables')[copyIndex()].name]" - }, - "description": "[if(contains(parameters('variables')[copyIndex()], 'description'), createObject('value', parameters('variables')[copyIndex()].description), createObject('value', ''))]", - "value": { - "value": "[parameters('variables')[copyIndex()].value]" - }, - "isEncrypted": "[if(contains(parameters('variables')[copyIndex()], 'isEncrypted'), createObject('value', parameters('variables')[copyIndex()].isEncrypted), createObject('value', true()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13399277967950966124" - }, - "name": "Automation Account Variables", - "description": "This module deploys an Azure Automation Account Variable.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "automationAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Automation Account. Required if the template is used in a standalone deployment." 
- } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the variable." - } - }, - "value": { - "type": "securestring", - "metadata": { - "description": "Required. The value of the variable. For security best practices, this value is always passed as a secure string as it could contain an encrypted value when the \"isEncrypted\" property is set to true." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the variable." - } - }, - "isEncrypted": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. If the variable should be encrypted. For security reasons encryption of variables should be enabled." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Automation/automationAccounts/variables", - "apiVersion": "2022-08-08", - "name": "[format('{0}/{1}', parameters('automationAccountName'), parameters('name'))]", - "properties": { - "description": "[parameters('description')]", - "isEncrypted": "[parameters('isEncrypted')]", - "value": "[parameters('value')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed variable." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed variable." - }, - "value": "[resourceId('Microsoft.Automation/automationAccounts/variables', parameters('automationAccountName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed variable." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "automationAccount" - ] - }, - "automationAccount_linkedService": { - "condition": "[not(empty(parameters('linkedWorkspaceResourceId')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AutoAccount-LinkedService', uniqueString(deployment().name, parameters('location')))]", - "subscriptionId": "[if(not(empty(parameters('linkedWorkspaceResourceId'))), split(if(not(empty(parameters('linkedWorkspaceResourceId'))), parameters('linkedWorkspaceResourceId'), '//'), '/')[2], subscription().subscriptionId)]", - "resourceGroup": "[if(not(empty(parameters('linkedWorkspaceResourceId'))), split(if(not(empty(parameters('linkedWorkspaceResourceId'))), parameters('linkedWorkspaceResourceId'), '////'), '/')[4], resourceGroup().name)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "automation" - }, - "logAnalyticsWorkspaceName": { - "value": "[last(split(parameters('linkedWorkspaceResourceId'), '/'))]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "resourceId": { - "value": "[resourceId('Microsoft.Automation/automationAccounts', parameters('name'))]" - }, - "tags": { - "value": "[parameters('tags')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - 
"metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4319942183601642190" - }, - "name": "Log Analytics Workspace Linked Services", - "description": "This module deploys a Log Analytics Workspace Linked Service.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "logAnalyticsWorkspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the link." - } - }, - "resourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Required. The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require read access." - } - }, - "writeAccessResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require write access." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to configure in the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "workspace": { - "existing": true, - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2022-10-01", - "name": "[parameters('logAnalyticsWorkspaceName')]" - }, - "linkedService": { - "type": "Microsoft.OperationalInsights/workspaces/linkedServices", - "apiVersion": "2020-08-01", - "name": "[format('{0}/{1}', parameters('logAnalyticsWorkspaceName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "resourceId": "[parameters('resourceId')]", - "writeAccessResourceId": "[if(empty(parameters('writeAccessResourceId')), null(), parameters('writeAccessResourceId'))]" - }, - "dependsOn": [ - "workspace" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed linked service." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed linked service." - }, - "value": "[resourceId('Microsoft.OperationalInsights/workspaces/linkedServices', parameters('logAnalyticsWorkspaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group where the linked service is deployed." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "automationAccount" - ] - }, - "automationAccount_solutions": { - "copy": { - "name": "automationAccount_solutions", - "count": "[length(parameters('gallerySolutions'))]" - }, - "condition": "[not(empty(parameters('linkedWorkspaceResourceId')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AutoAccount-Solution-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "subscriptionId": "[if(not(empty(parameters('linkedWorkspaceResourceId'))), split(if(not(empty(parameters('linkedWorkspaceResourceId'))), parameters('linkedWorkspaceResourceId'), '//'), '/')[2], subscription().subscriptionId)]", - "resourceGroup": "[if(not(empty(parameters('linkedWorkspaceResourceId'))), split(if(not(empty(parameters('linkedWorkspaceResourceId'))), parameters('linkedWorkspaceResourceId'), '////'), '/')[4], resourceGroup().name)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('gallerySolutions')[copyIndex()].name]" - }, - "location": { - "value": "[parameters('location')]" - }, - "logAnalyticsWorkspaceName": { - "value": "[last(split(parameters('linkedWorkspaceResourceId'), '/'))]" - }, - "product": "[if(contains(parameters('gallerySolutions')[copyIndex()], 'product'), createObject('value', parameters('gallerySolutions')[copyIndex()].product), createObject('value', 'OMSGallery'))]", - "publisher": "[if(contains(parameters('gallerySolutions')[copyIndex()], 'publisher'), createObject('value', parameters('gallerySolutions')[copyIndex()].publisher), createObject('value', 'Microsoft'))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - 
"metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6590935071601965866" - }, - "name": "Operations Management Solutions", - "description": "This module deploys an Operations Management Solution.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the solution. For Microsoft published gallery solution the target solution resource name will be composed as `{name}({logAnalyticsWorkspaceName})`." - } - }, - "logAnalyticsWorkspaceName": { - "type": "string", - "metadata": { - "description": "Required. Name of the Log Analytics workspace where the solution will be deployed/enabled." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "product": { - "type": "string", - "defaultValue": "OMSGallery", - "metadata": { - "description": "Optional. The product of the deployed solution. For Microsoft published gallery solution it should be `OMSGallery` and the target solution resource product will be composed as `OMSGallery/{name}`. For third party solution, it can be anything. This is case sensitive." - } - }, - "publisher": { - "type": "string", - "defaultValue": "Microsoft", - "metadata": { - "description": "Optional. The publisher name of the deployed solution. For Microsoft published gallery solution, it is `Microsoft`." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "solutionName": "[if(equals(parameters('publisher'), 'Microsoft'), format('{0}({1})', parameters('name'), parameters('logAnalyticsWorkspaceName')), parameters('name'))]", - "solutionProduct": "[if(equals(parameters('publisher'), 'Microsoft'), format('OMSGallery/{0}', parameters('name')), parameters('product'))]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.OperationsManagement/solutions", - "apiVersion": "2015-11-01-preview", - "name": "[variables('solutionName')]", - "location": "[parameters('location')]", - "properties": { - "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" - }, - "plan": { - "name": "[variables('solutionName')]", - "promotionCode": "", - "product": "[variables('solutionProduct')]", - "publisher": "[parameters('publisher')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed solution." - }, - "value": "[variables('solutionName')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed solution." - }, - "value": "[resourceId('Microsoft.OperationsManagement/solutions', variables('solutionName'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group where the solution is deployed." 
- }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference(resourceId('Microsoft.OperationsManagement/solutions', variables('solutionName')), '2015-11-01-preview', 'full').location]" - } - } - } - }, - "dependsOn": [ - "automationAccount_linkedService" - ] - }, - "automationAccount_softwareUpdateConfigurations": { - "copy": { - "name": "automationAccount_softwareUpdateConfigurations", - "count": "[length(parameters('softwareUpdateConfigurations'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AutoAccount-SwUpdateConfig-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('softwareUpdateConfigurations')[copyIndex()].name]" - }, - "automationAccountName": { - "value": "[parameters('name')]" - }, - "frequency": { - "value": "[parameters('softwareUpdateConfigurations')[copyIndex()].frequency]" - }, - "operatingSystem": { - "value": "[parameters('softwareUpdateConfigurations')[copyIndex()].operatingSystem]" - }, - "rebootSetting": { - "value": "[parameters('softwareUpdateConfigurations')[copyIndex()].rebootSetting]" - }, - "azureVirtualMachines": "[if(contains(parameters('softwareUpdateConfigurations')[copyIndex()], 'azureVirtualMachines'), createObject('value', parameters('softwareUpdateConfigurations')[copyIndex()].azureVirtualMachines), createObject('value', createArray()))]", - "excludeUpdates": "[if(contains(parameters('softwareUpdateConfigurations')[copyIndex()], 'excludeUpdates'), createObject('value', parameters('softwareUpdateConfigurations')[copyIndex()].excludeUpdates), createObject('value', createArray()))]", - "expiryTime": 
"[if(contains(parameters('softwareUpdateConfigurations')[copyIndex()], 'expiryTime'), createObject('value', parameters('softwareUpdateConfigurations')[copyIndex()].expiryTime), createObject('value', ''))]", - "expiryTimeOffsetMinutes": "[if(contains(parameters('softwareUpdateConfigurations')[copyIndex()], 'expiryTimeOffsetMinutes'), createObject('value', parameters('softwareUpdateConfigurations')[copyIndex()].expiryTimeOffsetMinute), createObject('value', 0))]", - "includeUpdates": "[if(contains(parameters('softwareUpdateConfigurations')[copyIndex()], 'includeUpdates'), createObject('value', parameters('softwareUpdateConfigurations')[copyIndex()].includeUpdates), createObject('value', createArray()))]", - "interval": "[if(contains(parameters('softwareUpdateConfigurations')[copyIndex()], 'interval'), createObject('value', parameters('softwareUpdateConfigurations')[copyIndex()].interval), createObject('value', 1))]", - "isEnabled": "[if(contains(parameters('softwareUpdateConfigurations')[copyIndex()], 'isEnabled'), createObject('value', parameters('softwareUpdateConfigurations')[copyIndex()].isEnabled), createObject('value', true()))]", - "maintenanceWindow": "[if(contains(parameters('softwareUpdateConfigurations')[copyIndex()], 'maintenanceWindow'), createObject('value', parameters('softwareUpdateConfigurations')[copyIndex()].maintenanceWindow), createObject('value', 'PT2H'))]", - "monthDays": "[if(contains(parameters('softwareUpdateConfigurations')[copyIndex()], 'monthDays'), createObject('value', parameters('softwareUpdateConfigurations')[copyIndex()].monthDays), createObject('value', createArray()))]", - "monthlyOccurrences": "[if(contains(parameters('softwareUpdateConfigurations')[copyIndex()], 'monthlyOccurrences'), createObject('value', parameters('softwareUpdateConfigurations')[copyIndex()].monthlyOccurrences), createObject('value', createArray()))]", - "nextRun": "[if(contains(parameters('softwareUpdateConfigurations')[copyIndex()], 'nextRun'), 
createObject('value', parameters('softwareUpdateConfigurations')[copyIndex()].nextRun), createObject('value', ''))]", - "nextRunOffsetMinutes": "[if(contains(parameters('softwareUpdateConfigurations')[copyIndex()], 'nextRunOffsetMinutes'), createObject('value', parameters('softwareUpdateConfigurations')[copyIndex()].nextRunOffsetMinutes), createObject('value', 0))]", - "nonAzureComputerNames": "[if(contains(parameters('softwareUpdateConfigurations')[copyIndex()], 'nonAzureComputerNames'), createObject('value', parameters('softwareUpdateConfigurations')[copyIndex()].nonAzureComputerNames), createObject('value', createArray()))]", - "nonAzureQueries": "[if(contains(parameters('softwareUpdateConfigurations')[copyIndex()], 'nonAzureQueries'), createObject('value', parameters('softwareUpdateConfigurations')[copyIndex()].nonAzureQueries), createObject('value', createArray()))]", - "postTaskParameters": "[if(contains(parameters('softwareUpdateConfigurations')[copyIndex()], 'postTaskParameters'), createObject('value', parameters('softwareUpdateConfigurations')[copyIndex()].postTaskParameters), createObject('value', createObject()))]", - "postTaskSource": "[if(contains(parameters('softwareUpdateConfigurations')[copyIndex()], 'postTaskSource'), createObject('value', parameters('softwareUpdateConfigurations')[copyIndex()].postTaskSource), createObject('value', ''))]", - "preTaskParameters": "[if(contains(parameters('softwareUpdateConfigurations')[copyIndex()], 'preTaskParameters'), createObject('value', parameters('softwareUpdateConfigurations')[copyIndex()].preTaskParameters), createObject('value', createObject()))]", - "preTaskSource": "[if(contains(parameters('softwareUpdateConfigurations')[copyIndex()], 'preTaskSource'), createObject('value', parameters('softwareUpdateConfigurations')[copyIndex()].preTaskSource), createObject('value', ''))]", - "scheduleDescription": "[if(contains(parameters('softwareUpdateConfigurations')[copyIndex()], 'scheduleDescription'), 
createObject('value', parameters('softwareUpdateConfigurations')[copyIndex()].scheduleDescription), createObject('value', ''))]", - "scopeByLocations": "[if(contains(parameters('softwareUpdateConfigurations')[copyIndex()], 'scopeByLocations'), createObject('value', parameters('softwareUpdateConfigurations')[copyIndex()].scopeByLocations), createObject('value', createArray()))]", - "scopeByResources": "[if(contains(parameters('softwareUpdateConfigurations')[copyIndex()], 'scopeByResources'), createObject('value', parameters('softwareUpdateConfigurations')[copyIndex()].scopeByResources), createObject('value', createArray(subscription().id)))]", - "scopeByTags": "[if(contains(parameters('softwareUpdateConfigurations')[copyIndex()], 'scopeByTags'), createObject('value', parameters('softwareUpdateConfigurations')[copyIndex()].scopeByTags), createObject('value', createObject()))]", - "scopeByTagsOperation": "[if(contains(parameters('softwareUpdateConfigurations')[copyIndex()], 'scopeByTagsOperation'), createObject('value', parameters('softwareUpdateConfigurations')[copyIndex()].scopeByTagsOperation), createObject('value', 'All'))]", - "startTime": "[if(contains(parameters('softwareUpdateConfigurations')[copyIndex()], 'startTime'), createObject('value', parameters('softwareUpdateConfigurations')[copyIndex()].startTime), createObject('value', ''))]", - "timeZone": "[if(contains(parameters('softwareUpdateConfigurations')[copyIndex()], 'timeZone'), createObject('value', parameters('softwareUpdateConfigurations')[copyIndex()].timeZone), createObject('value', 'UTC'))]", - "updateClassifications": "[if(contains(parameters('softwareUpdateConfigurations')[copyIndex()], 'updateClassifications'), createObject('value', parameters('softwareUpdateConfigurations')[copyIndex()].updateClassifications), createObject('value', createArray('Critical', 'Security')))]", - "weekDays": "[if(contains(parameters('softwareUpdateConfigurations')[copyIndex()], 'weekDays'), createObject('value', 
parameters('softwareUpdateConfigurations')[copyIndex()].weekDays), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17152541334253964982" - }, - "name": "Automation Account Software Update Configurations", - "description": "This module deploys an Azure Automation Account Software Update Configuration.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Deployment schedule." - } - }, - "automationAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Automation Account. Required if the template is used in a standalone deployment." - } - }, - "operatingSystem": { - "type": "string", - "allowedValues": [ - "Windows", - "Linux" - ], - "metadata": { - "description": "Required. The operating system to be configured by the deployment schedule." - } - }, - "rebootSetting": { - "type": "string", - "allowedValues": [ - "IfRequired", - "Never", - "RebootOnly", - "Always" - ], - "metadata": { - "description": "Required. Reboot setting for the deployment schedule." - } - }, - "frequency": { - "type": "string", - "allowedValues": [ - "OneTime", - "Hour", - "Day", - "Week", - "Month" - ], - "metadata": { - "description": "Required. The frequency of the deployment schedule. When using 'Hour', 'Day', 'Week' or 'Month', an interval needs to be provided." - } - }, - "maintenanceWindow": { - "type": "string", - "defaultValue": "PT2H", - "metadata": { - "description": "Optional. Maximum time allowed for the deployment schedule to run. 
Duration needs to be specified using the format PT[n]H[n]M[n]S as per ISO8601." - } - }, - "updateClassifications": { - "type": "array", - "defaultValue": [ - "Critical", - "Security" - ], - "allowedValues": [ - "Critical", - "Security", - "UpdateRollup", - "FeaturePack", - "ServicePack", - "Definition", - "Tools", - "Updates", - "Other" - ], - "metadata": { - "description": "Optional. Update classification included in the deployment schedule." - } - }, - "excludeUpdates": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. KB numbers or Linux packages excluded in the deployment schedule." - } - }, - "includeUpdates": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. KB numbers or Linux packages included in the deployment schedule." - } - }, - "scopeByResources": { - "type": "array", - "defaultValue": [ - "[subscription().id]" - ], - "metadata": { - "description": "Optional. Specify the resources to scope the deployment schedule to." - } - }, - "scopeByTags": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Specify tags to which to scope the deployment schedule to." - } - }, - "scopeByTagsOperation": { - "type": "string", - "defaultValue": "All", - "allowedValues": [ - "All", - "Any" - ], - "metadata": { - "description": "Optional. Enables the scopeByTags to require All (Tag A and Tag B) or Any (Tag A or Tag B)." - } - }, - "scopeByLocations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specify locations to which to scope the deployment schedule to." - } - }, - "preTaskParameters": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Parameters provided to the task running before the deployment schedule." - } - }, - "preTaskSource": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
The source of the task running before the deployment schedule." - } - }, - "postTaskParameters": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Parameters provided to the task running after the deployment schedule." - } - }, - "postTaskSource": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The source of the task running after the deployment schedule." - } - }, - "interval": { - "type": "int", - "defaultValue": 1, - "maxValue": 100, - "metadata": { - "description": "Optional. The interval of the frequency for the deployment schedule. 1 Hour is every hour, 2 Day is every second day, etc." - } - }, - "isEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enables the deployment schedule." - } - }, - "timeZone": { - "type": "string", - "defaultValue": "UTC", - "metadata": { - "description": "Optional. Time zone for the deployment schedule. IANA ID or a Windows Time Zone ID." - } - }, - "nonAzureQueries": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of functions from a Log Analytics workspace, used to scope the deployment schedule." - } - }, - "azureVirtualMachines": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of azure resource IDs for azure virtual machines in scope for the deployment schedule." - } - }, - "nonAzureComputerNames": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of names of non-azure machines in scope for the deployment schedule." - } - }, - "weekDays": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "Monday", - "Tuesday", - "Wednesday", - "Thursday", - "Friday", - "Saturday", - "Sunday" - ], - "metadata": { - "description": "Optional. Required when used with frequency 'Week'. Specified the day of the week to run the deployment schedule." 
- } - }, - "monthDays": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - 1, - 2, - 3, - 4, - 5, - 6, - 7, - 8, - 9, - 10, - 11, - 12, - 13, - 14, - 15, - 16, - 17, - 18, - 19, - 20, - 21, - 22, - 23, - 24, - 25, - 26, - 27, - 28, - 29, - 30, - 31 - ], - "metadata": { - "description": "Optional. Can be used with frequency 'Month'. Provides the specific days of the month to run the deployment schedule." - } - }, - "monthlyOccurrences": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Can be used with frequency 'Month'. Provides the pattern/cadence for running the deployment schedule in a month. Takes objects formed like this {occurance(int),day(string)}. Day is the name of the day to run the deployment schedule, the occurance specifies which occurance of that day to run the deployment schedule." - } - }, - "startTime": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The start time of the deployment schedule in ISO 8601 format. To specify a specific time use YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00. For schedules where we want to start the deployment as soon as possible, specify the time segment only in 24 hour format, HH:MM, 22:00." - } - }, - "expiryTime": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The end time of the deployment schedule in ISO 8601 format. YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00." - } - }, - "expiryTimeOffsetMinutes": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. The expiry time's offset in minutes." - } - }, - "nextRun": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The next time the deployment schedule runs in ISO 8601 format. YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00." - } - }, - "nextRunOffsetMinutes": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. The next run's offset in minutes." 
- } - }, - "scheduleDescription": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The schedules description." - } - }, - "baseTime": { - "type": "string", - "defaultValue": "[utcNow('u')]", - "metadata": { - "description": "Generated. Do not touch. Is used to provide the base time for time comparison for startTime. If startTime is specified in HH:MM format, baseTime is used to check if the provided startTime has passed, adding one day before setting the deployment schedule." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "updateClassificationsVar": "[replace(replace(replace(replace(string(parameters('updateClassifications')), ',', ', '), '[', ''), ']', ''), '\"', '')]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Automation/automationAccounts/softwareUpdateConfigurations", - "apiVersion": "2019-06-01", - "name": "[format('{0}/{1}', parameters('automationAccountName'), parameters('name'))]", - "properties": { - "updateConfiguration": { - "operatingSystem": "[parameters('operatingSystem')]", - "duration": "[parameters('maintenanceWindow')]", - "linux": "[if(equals(parameters('operatingSystem'), 'Linux'), createObject('excludedPackageNameMasks', parameters('excludeUpdates'), 'includedPackageNameMasks', parameters('includeUpdates'), 'includedPackageClassifications', variables('updateClassificationsVar'), 
'rebootSetting', parameters('rebootSetting')), null())]", - "windows": "[if(equals(parameters('operatingSystem'), 'Windows'), createObject('excludedKbNumbers', parameters('excludeUpdates'), 'includedKbNumbers', parameters('includeUpdates'), 'includedUpdateClassifications', variables('updateClassificationsVar'), 'rebootSetting', parameters('rebootSetting')), null())]", - "targets": { - "azureQueries": [ - { - "scope": "[parameters('scopeByResources')]", - "tagSettings": { - "tags": "[parameters('scopeByTags')]", - "filterOperator": "[parameters('scopeByTagsOperation')]" - }, - "locations": "[parameters('scopeByLocations')]" - } - ], - "nonAzureQueries": "[parameters('nonAzureQueries')]" - }, - "azureVirtualMachines": "[parameters('azureVirtualMachines')]", - "nonAzureComputerNames": "[parameters('nonAzureComputerNames')]" - }, - "tasks": { - "preTask": { - "parameters": "[if(empty(parameters('preTaskParameters')), null(), parameters('preTaskParameters'))]", - "source": "[if(empty(parameters('preTaskSource')), null(), parameters('preTaskSource'))]" - }, - "postTask": { - "parameters": "[if(empty(parameters('postTaskParameters')), null(), parameters('postTaskParameters'))]", - "source": "[if(empty(parameters('postTaskSource')), null(), parameters('postTaskSource'))]" - } - }, - "scheduleInfo": { - "interval": "[parameters('interval')]", - "frequency": "[parameters('frequency')]", - "isEnabled": "[parameters('isEnabled')]", - "timeZone": "[parameters('timeZone')]", - "advancedSchedule": { - "weekDays": "[if(empty(parameters('weekDays')), null(), parameters('weekDays'))]", - "monthDays": "[if(empty(parameters('monthDays')), null(), parameters('monthDays'))]", - "monthlyOccurrences": "[if(empty(parameters('monthlyOccurrences')), null(), parameters('monthlyOccurrences'))]" - }, - "startTime": "[if(empty(parameters('startTime')), dateTimeAdd(parameters('baseTime'), 'PT10M'), parameters('startTime'))]", - "expiryTime": "[parameters('expiryTime')]", - 
"expiryTimeOffsetMinutes": "[parameters('expiryTimeOffsetMinutes')]", - "nextRun": "[parameters('nextRun')]", - "nextRunOffsetMinutes": "[parameters('nextRunOffsetMinutes')]", - "description": "[parameters('scheduleDescription')]" - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed softwareUpdateConfiguration." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed softwareUpdateConfiguration." - }, - "value": "[resourceId('Microsoft.Automation/automationAccounts/softwareUpdateConfigurations', parameters('automationAccountName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed softwareUpdateConfiguration." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "automationAccount", - "automationAccount_solutions" - ] - }, - "automationAccount_privateEndpoints": { - "copy": { - "name": "automationAccount_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-automationAccount-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Automation/automationAccounts', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 
coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.Automation/automationAccounts', parameters('name'))]" - }, - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), 
createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." 
- } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } 
- }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - "groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": 
"privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": 
"Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "automationAccount" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed automation account." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed automation account." - }, - "value": "[resourceId('Microsoft.Automation/automationAccounts', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed automation account." - }, - "value": "[resourceGroup().name]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." 
- }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('automationAccount', '2022-08-08', 'full').identity, 'principalId')), reference('automationAccount', '2022-08-08', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('automationAccount', '2022-08-08', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/automation/automation-account/module/README.md b/modules/automation/automation-account/module/README.md deleted file mode 100644 index 558c759726..0000000000 --- a/modules/automation/automation-account/module/README.md +++ /dev/null 
@@ -1,106 +0,0 @@
-# Automation Account Modules `[Microsoft.Automation/automationAccounts/modules]`
-
-This module deploys an Azure Automation Account Module.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Automation/automationAccounts/modules` | [2022-08-08](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Automation/2022-08-08/automationAccounts/modules) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | Name of the Automation Account module. |
-| [`uri`](#parameter-uri) | string | Module package URI, e.g. https://www.powershellgallery.com/api/v2/package. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`automationAccountName`](#parameter-automationaccountname) | string | The name of the parent Automation Account. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`location`](#parameter-location) | string | Location for all resources. |
-| [`tags`](#parameter-tags) | object | Tags of the Automation Account resource. |
-| [`version`](#parameter-version) | string | Module version or specify latest to get the latest version. |
-
-### Parameter: `name`
-
-Name of the Automation Account module.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `uri`
-
-Module package URI, e.g. https://www.powershellgallery.com/api/v2/package.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `automationAccountName`
-
-The name of the parent Automation Account. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `location`
-
-Location for all resources.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-### Parameter: `tags`
-
-Tags of the Automation Account resource.
-
-- Required: No
-- Type: object
-
-### Parameter: `version`
-
-Module version or specify latest to get the latest version.
-
-- Required: No
-- Type: string
-- Default: `'latest'`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the deployed module. |
-| `resourceGroupName` | string | The resource group of the deployed module. |
-| `resourceId` | string | The resource ID of the deployed module. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/automation/automation-account/module/main.bicep b/modules/automation/automation-account/module/main.bicep
deleted file mode 100644
index 7af6b346bc..0000000000
--- a/modules/automation/automation-account/module/main.bicep
+++ /dev/null
@@ -1,65 +0,0 @@
-metadata name = 'Automation Account Modules'
-metadata description = 'This module deploys an Azure Automation Account Module.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the Automation Account module.')
-param name string
-
-@description('Conditional. The name of the parent Automation Account. Required if the template is used in a standalone deployment.')
-param automationAccountName string
-
-@description('Required. Module package URI, e.g. https://www.powershellgallery.com/api/v2/package.')
-param uri string
-
-@description('Optional. Module version or specify latest to get the latest version.')
-param version string = 'latest'
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Tags of the Automation Account resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource automationAccount 'Microsoft.Automation/automationAccounts@2022-08-08' existing = {
- name: automationAccountName
-}
-
-resource module 'Microsoft.Automation/automationAccounts/modules@2022-08-08' = {
- name: name
- parent: automationAccount
- location: location
- tags: tags
- properties: {
- contentLink: {
- uri: version != 'latest' ? '${uri}/${name}/${version}' : '${uri}/${name}'
- version: version != 'latest' ? version : null
- }
- }
-}
-
-@description('The name of the deployed module.')
-output name string = module.name
-
-@description('The resource ID of the deployed module.')
-output resourceId string = module.id
-
-@description('The resource group of the deployed module.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = module.location
diff --git a/modules/automation/automation-account/module/main.json b/modules/automation/automation-account/module/main.json
deleted file mode 100644
index 06805114ac..0000000000
--- a/modules/automation/automation-account/module/main.json
+++ /dev/null
@@ -1,131 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6971821068699927304" - }, - "name": "Automation Account Modules", - "description": "This module deploys an Azure Automation Account Module.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Automation Account module." - } - }, - "automationAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Automation Account. Required if the template is used in a standalone deployment." - } - }, - "uri": { - "type": "string", - "metadata": { - "description": "Required. Module package URI, e.g. https://www.powershellgallery.com/api/v2/package." - } - }, - "version": { - "type": "string", - "defaultValue": "latest", - "metadata": { - "description": "Optional. Module version or specify latest to get the latest version." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the Automation Account resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "automationAccount": { - "existing": true, - "type": "Microsoft.Automation/automationAccounts", - "apiVersion": "2022-08-08", - "name": "[parameters('automationAccountName')]" - }, - "module": { - "type": "Microsoft.Automation/automationAccounts/modules", - "apiVersion": "2022-08-08", - "name": "[format('{0}/{1}', parameters('automationAccountName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "contentLink": { - "uri": "[if(not(equals(parameters('version'), 'latest')), format('{0}/{1}/{2}', parameters('uri'), parameters('name'), parameters('version')), format('{0}/{1}', parameters('uri'), parameters('name')))]", - "version": "[if(not(equals(parameters('version'), 'latest')), parameters('version'), null())]" - } - }, - "dependsOn": [ - "automationAccount" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed module." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed module." - }, - "value": "[resourceId('Microsoft.Automation/automationAccounts/modules', parameters('automationAccountName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed module." 
- }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('module', '2022-08-08', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/automation/automation-account/module/version.json b/modules/automation/automation-account/module/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/automation/automation-account/module/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/automation/automation-account/runbook/README.md b/modules/automation/automation-account/runbook/README.md deleted file mode 100644 index 6baba0a6a7..0000000000 --- a/modules/automation/automation-account/runbook/README.md +++ /dev/null 
@@ -1,165 +0,0 @@
-# Automation Account Runbooks `[Microsoft.Automation/automationAccounts/runbooks]`
-
-This module deploys an Azure Automation Account Runbook.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Automation/automationAccounts/runbooks` | [2022-08-08](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Automation/2022-08-08/automationAccounts/runbooks) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | Name of the Automation Account runbook. |
-| [`type`](#parameter-type) | string | The type of the runbook. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`automationAccountName`](#parameter-automationaccountname) | string | The name of the parent Automation Account. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`description`](#parameter-description) | string | The description of the runbook. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`location`](#parameter-location) | string | Location for all resources. |
-| [`sasTokenValidityLength`](#parameter-sastokenvaliditylength) | string | SAS token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. |
-| [`scriptStorageAccountResourceId`](#parameter-scriptstorageaccountresourceid) | string | Resource Id of the runbook storage account. |
-| [`tags`](#parameter-tags) | object | Tags of the Automation Account resource. |
-| [`uri`](#parameter-uri) | string | The uri of the runbook content. |
-| [`version`](#parameter-version) | string | The version of the runbook content. |
-
-**Generated parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`baseTime`](#parameter-basetime) | string | Time used as a basis for e.g. the schedule start date. |
-
-### Parameter: `name`
-
-Name of the Automation Account runbook.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `type`
-
-The type of the runbook.
-
-- Required: Yes
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Graph'
- 'GraphPowerShell'
- 'GraphPowerShellWorkflow'
- 'PowerShell'
- 'PowerShellWorkflow'
- ]
- ```
-
-### Parameter: `automationAccountName`
-
-The name of the parent Automation Account. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `description`
-
-The description of the runbook.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `location`
-
-Location for all resources.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-### Parameter: `sasTokenValidityLength`
-
-SAS token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours.
-
-- Required: No
-- Type: string
-- Default: `'PT8H'`
-
-### Parameter: `scriptStorageAccountResourceId`
-
-Resource Id of the runbook storage account.
-
-- Required: No
-- Type: string
-
-### Parameter: `tags`
-
-Tags of the Automation Account resource.
-
-- Required: No
-- Type: object
-
-### Parameter: `uri`
-
-The uri of the runbook content.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `version`
-
-The version of the runbook content.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `baseTime`
-
-Time used as a basis for e.g. the schedule start date.
-
-- Required: No
-- Type: string
-- Default: `[utcNow('u')]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the deployed runbook. |
-| `resourceGroupName` | string | The resource group of the deployed runbook. |
-| `resourceId` | string | The resource ID of the deployed runbook. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/automation/automation-account/runbook/main.bicep b/modules/automation/automation-account/runbook/main.bicep
deleted file mode 100644
index 992643abe4..0000000000
--- a/modules/automation/automation-account/runbook/main.bicep
+++ /dev/null
@@ -1,104 +0,0 @@
-metadata name = 'Automation Account Runbooks'
-metadata description = 'This module deploys an Azure Automation Account Runbook.'
-metadata owner = 'Azure/module-maintainers'
-
-@sys.description('Required. Name of the Automation Account runbook.')
-param name string
-
-@sys.description('Conditional. The name of the parent Automation Account. Required if the template is used in a standalone deployment.')
-param automationAccountName string
-
-@allowed([
- 'Graph'
- 'GraphPowerShell'
- 'GraphPowerShellWorkflow'
- 'PowerShell'
- 'PowerShellWorkflow'
-])
-@sys.description('Required. The type of the runbook.')
-param type string
-
-@sys.description('Optional. The description of the runbook.')
-param description string = ''
-
-@sys.description('Optional. The uri of the runbook content.')
-param uri string = ''
-
-@sys.description('Optional. The version of the runbook content.')
-param version string = ''
-
-@sys.description('Optional. Resource Id of the runbook storage account.')
-param scriptStorageAccountResourceId string?
-
-@sys.description('Generated. Time used as a basis for e.g. the schedule start date.')
-param baseTime string = utcNow('u')
-
-@sys.description('Optional. SAS token validity length. Usage: \'PT8H\' - valid for 8 hours; \'P5D\' - valid for 5 days; \'P1Y\' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours.')
-param sasTokenValidityLength string = 'PT8H'
-
-@sys.description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@sys.description('Optional. Tags of the Automation Account resource.')
-param tags object?
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var accountSasProperties = {
- signedServices: 'b'
- signedPermission: 'r'
- signedExpiry: dateTimeAdd(baseTime, sasTokenValidityLength)
- signedResourceTypes: 'o'
- signedProtocol: 'https'
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource automationAccount 'Microsoft.Automation/automationAccounts@2022-08-08' existing = {
- name: automationAccountName
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' existing = if (!empty(scriptStorageAccountResourceId)) {
- name: last(split((scriptStorageAccountResourceId ?? 'dummyVault'), '/'))
- scope: resourceGroup(split((scriptStorageAccountResourceId ?? '//'), '/')[2], split((scriptStorageAccountResourceId ?? '////'), '/')[4])
-}
-
-var publishContentLink = empty(uri) ? null : {
- uri: !empty(uri) ? (empty(scriptStorageAccountResourceId) ? uri : '${uri}?${storageAccount.listAccountSas('2021-04-01', accountSasProperties).accountSasToken}') : null
- version: !empty(version) ? version : null
-}
-
-resource runbook 'Microsoft.Automation/automationAccounts/runbooks@2022-08-08' = {
- name: name
- parent: automationAccount
- location: location
- tags: tags
- properties: {
- runbookType: type
- description: description
- publishContentLink: !empty(uri) ? publishContentLink : null
- }
-}
-
-@sys.description('The name of the deployed runbook.')
-output name string = runbook.name
-
-@sys.description('The resource ID of the deployed runbook.')
-output resourceId string = runbook.id
-
-@sys.description('The resource group of the deployed runbook.')
-output resourceGroupName string = resourceGroup().name
-
-@sys.description('The location the resource was deployed into.')
-output location string = runbook.location
diff --git a/modules/automation/automation-account/runbook/main.json b/modules/automation/automation-account/runbook/main.json
deleted file mode 100644
index a089f92bde..0000000000
--- a/modules/automation/automation-account/runbook/main.json
+++ /dev/null
@@ -1,191 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "3054091660106074138" - }, - "name": "Automation Account Runbooks", - "description": "This module deploys an Azure Automation Account Runbook.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Automation Account runbook." - } - }, - "automationAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Automation Account. Required if the template is used in a standalone deployment." - } - }, - "type": { - "type": "string", - "allowedValues": [ - "Graph", - "GraphPowerShell", - "GraphPowerShellWorkflow", - "PowerShell", - "PowerShellWorkflow" - ], - "metadata": { - "description": "Required. The type of the runbook." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the runbook." - } - }, - "uri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The uri of the runbook content." - } - }, - "version": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The version of the runbook content." - } - }, - "scriptStorageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource Id of the runbook storage account." - } - }, - "baseTime": { - "type": "string", - "defaultValue": "[utcNow('u')]", - "metadata": { - "description": "Generated. Time used as a basis for e.g. the schedule start date." - } - }, - "sasTokenValidityLength": { - "type": "string", - "defaultValue": "PT8H", - "metadata": { - "description": "Optional. SAS token validity length. 
Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the Automation Account resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "accountSasProperties": { - "signedServices": "b", - "signedPermission": "r", - "signedExpiry": "[dateTimeAdd(parameters('baseTime'), parameters('sasTokenValidityLength'))]", - "signedResourceTypes": "o", - "signedProtocol": "https" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "automationAccount": { - "existing": true, - "type": "Microsoft.Automation/automationAccounts", - "apiVersion": "2022-08-08", - "name": "[parameters('automationAccountName')]" - }, - "storageAccount": { - "condition": "[not(empty(parameters('scriptStorageAccountResourceId')))]", - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2022-09-01", - "subscriptionId": "[split(coalesce(parameters('scriptStorageAccountResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(parameters('scriptStorageAccountResourceId'), 
'////'), '/')[4]]", - "name": "[last(split(coalesce(parameters('scriptStorageAccountResourceId'), 'dummyVault'), '/'))]" - }, - "runbook": { - "type": "Microsoft.Automation/automationAccounts/runbooks", - "apiVersion": "2022-08-08", - "name": "[format('{0}/{1}', parameters('automationAccountName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "runbookType": "[parameters('type')]", - "description": "[parameters('description')]", - "publishContentLink": "[if(not(empty(parameters('uri'))), if(empty(parameters('uri')), null(), createObject('uri', if(not(empty(parameters('uri'))), if(empty(parameters('scriptStorageAccountResourceId')), parameters('uri'), format('{0}?{1}', parameters('uri'), listAccountSas(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(parameters('scriptStorageAccountResourceId'), '//'), '/')[2], split(coalesce(parameters('scriptStorageAccountResourceId'), '////'), '/')[4]), 'Microsoft.Storage/storageAccounts', last(split(coalesce(parameters('scriptStorageAccountResourceId'), 'dummyVault'), '/'))), '2021-04-01', variables('accountSasProperties')).accountSasToken)), null()), 'version', if(not(empty(parameters('version'))), parameters('version'), null()))), null())]" - }, - "dependsOn": [ - "automationAccount", - "storageAccount" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed runbook." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed runbook." - }, - "value": "[resourceId('Microsoft.Automation/automationAccounts/runbooks', parameters('automationAccountName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed runbook." 
- }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('runbook', '2022-08-08', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/automation/automation-account/runbook/version.json b/modules/automation/automation-account/runbook/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/automation/automation-account/runbook/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/automation/automation-account/schedule/README.md b/modules/automation/automation-account/schedule/README.md deleted file mode 100644 index c322245c12..0000000000 --- a/modules/automation/automation-account/schedule/README.md +++ /dev/null 
@@ -1,159 +0,0 @@
-# Automation Account Schedules `[Microsoft.Automation/automationAccounts/schedules]`
-
-This module deploys an Azure Automation Account Schedule.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Automation/automationAccounts/schedules` | [2022-08-08](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Automation/2022-08-08/automationAccounts/schedules) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | Name of the Automation Account schedule. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`automationAccountName`](#parameter-automationaccountname) | string | The name of the parent Automation Account. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`advancedSchedule`](#parameter-advancedschedule) | object | The properties of the create Advanced Schedule. |
-| [`description`](#parameter-description) | string | The description of the schedule. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`expiryTime`](#parameter-expirytime) | string | The end time of the schedule. |
-| [`frequency`](#parameter-frequency) | string | The frequency of the schedule. |
-| [`interval`](#parameter-interval) | int | Anything. |
-| [`startTime`](#parameter-starttime) | string | The start time of the schedule. |
-| [`timeZone`](#parameter-timezone) | string | The time zone of the schedule. |
-
-**Generated parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`baseTime`](#parameter-basetime) | string | Time used as a basis for e.g. the schedule start date. |
-
-### Parameter: `name`
-
-Name of the Automation Account schedule.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `automationAccountName`
-
-The name of the parent Automation Account. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `advancedSchedule`
-
-The properties of the create Advanced Schedule.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `description`
-
-The description of the schedule.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `expiryTime`
-
-The end time of the schedule.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `frequency`
-
-The frequency of the schedule.
-
-- Required: No
-- Type: string
-- Default: `'OneTime'`
-- Allowed:
- ```Bicep
- [
- 'Day'
- 'Hour'
- 'Minute'
- 'Month'
- 'OneTime'
- 'Week'
- ]
- ```
-
-### Parameter: `interval`
-
-Anything.
-
-- Required: No
-- Type: int
-- Default: `0`
-
-### Parameter: `startTime`
-
-The start time of the schedule.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `timeZone`
-
-The time zone of the schedule.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `baseTime`
-
-Time used as a basis for e.g. the schedule start date.
-
-- Required: No
-- Type: string
-- Default: `[utcNow('u')]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed schedule. |
-| `resourceGroupName` | string | The resource group of the deployed schedule. |
-| `resourceId` | string | The resource ID of the deployed schedule. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/automation/automation-account/schedule/main.bicep b/modules/automation/automation-account/schedule/main.bicep
deleted file mode 100644
index f887e3b843..0000000000
--- a/modules/automation/automation-account/schedule/main.bicep
+++ /dev/null
@@ -1,88 +0,0 @@
-metadata name = 'Automation Account Schedules'
-metadata description = 'This module deploys an Azure Automation Account Schedule.'
-metadata owner = 'Azure/module-maintainers'
-
-@sys.description('Required. Name of the Automation Account schedule.')
-param name string
-
-@sys.description('Conditional. The name of the parent Automation Account. Required if the template is used in a standalone deployment.')
-param automationAccountName string
-
-@sys.description('Optional. The properties of the create Advanced Schedule.')
-@metadata({
- monthDays: 'Days of the month that the job should execute on. Must be between 1 and 31.'
- monthlyOccurrences: 'Occurrences of days within a month.'
- weekDays: 'Days of the week that the job should execute on.'
-})
-param advancedSchedule object = {}
-
-@sys.description('Optional. The description of the schedule.')
-param description string = ''
-
-@sys.description('Optional. The end time of the schedule.')
-param expiryTime string = ''
-
-@allowed([
- 'Day'
- 'Hour'
- 'Minute'
- 'Month'
- 'OneTime'
- 'Week'
-])
-@sys.description('Optional. The frequency of the schedule.')
-param frequency string = 'OneTime'
-
-@sys.description('Optional. Anything.')
-param interval int = 0
-
-@sys.description('Optional. The start time of the schedule.')
-param startTime string = ''
-
-@sys.description('Optional. The time zone of the schedule.')
-param timeZone string = ''
-
-@sys.description('Generated. Time used as a basis for e.g. the schedule start date.')
-param baseTime string = utcNow('u')
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource automationAccount 'Microsoft.Automation/automationAccounts@2022-08-08' existing = {
- name: automationAccountName
-}
-
-resource schedule 'Microsoft.Automation/automationAccounts/schedules@2022-08-08' = {
- name: name
- parent: automationAccount
- properties: {
- advancedSchedule: !empty(advancedSchedule) ? advancedSchedule : null
- description: !empty(description) ? description : null
- expiryTime: !empty(expiryTime) ? expiryTime : null
- frequency: !empty(frequency) ? frequency : 'OneTime'
- interval: (interval != 0) ? interval : null
- startTime: !empty(startTime) ? startTime : dateTimeAdd(baseTime, 'PT10M')
- timeZone: !empty(timeZone) ? timeZone : null
- }
-}
-
-@sys.description('The name of the deployed schedule.')
-output name string = schedule.name
-
-@sys.description('The resource ID of the deployed schedule.')
-output resourceId string = schedule.id
-
-@sys.description('The resource group of the deployed schedule.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/automation/automation-account/schedule/main.json b/modules/automation/automation-account/schedule/main.json
deleted file mode 100644
index 489a4c3022..0000000000
--- a/modules/automation/automation-account/schedule/main.json
+++ /dev/null
@@ -1,155 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "3941184452068098954" - }, - "name": "Automation Account Schedules", - "description": "This module deploys an Azure Automation Account Schedule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Automation Account schedule." - } - }, - "automationAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Automation Account. Required if the template is used in a standalone deployment." - } - }, - "advancedSchedule": { - "type": "object", - "defaultValue": {}, - "metadata": { - "monthDays": "Days of the month that the job should execute on. Must be between 1 and 31.", - "monthlyOccurrences": "Occurrences of days within a month.", - "weekDays": "Days of the week that the job should execute on.", - "description": "Optional. The properties of the create Advanced Schedule." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the schedule." - } - }, - "expiryTime": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The end time of the schedule." - } - }, - "frequency": { - "type": "string", - "defaultValue": "OneTime", - "allowedValues": [ - "Day", - "Hour", - "Minute", - "Month", - "OneTime", - "Week" - ], - "metadata": { - "description": "Optional. The frequency of the schedule." - } - }, - "interval": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. Anything." - } - }, - "startTime": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The start time of the schedule." 
- } - }, - "timeZone": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The time zone of the schedule." - } - }, - "baseTime": { - "type": "string", - "defaultValue": "[utcNow('u')]", - "metadata": { - "description": "Generated. Time used as a basis for e.g. the schedule start date." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Automation/automationAccounts/schedules", - "apiVersion": "2022-08-08", - "name": "[format('{0}/{1}', parameters('automationAccountName'), parameters('name'))]", - "properties": { - "advancedSchedule": "[if(not(empty(parameters('advancedSchedule'))), parameters('advancedSchedule'), null())]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "expiryTime": "[if(not(empty(parameters('expiryTime'))), parameters('expiryTime'), null())]", - "frequency": "[if(not(empty(parameters('frequency'))), parameters('frequency'), 'OneTime')]", - "interval": "[if(not(equals(parameters('interval'), 0)), parameters('interval'), null())]", - "startTime": "[if(not(empty(parameters('startTime'))), parameters('startTime'), dateTimeAdd(parameters('baseTime'), 'PT10M'))]", - "timeZone": "[if(not(empty(parameters('timeZone'))), parameters('timeZone'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - 
"description": "The name of the deployed schedule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed schedule." - }, - "value": "[resourceId('Microsoft.Automation/automationAccounts/schedules', parameters('automationAccountName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed schedule." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/automation/automation-account/schedule/version.json b/modules/automation/automation-account/schedule/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/automation/automation-account/schedule/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/automation/automation-account/software-update-configuration/README.md b/modules/automation/automation-account/software-update-configuration/README.md deleted file mode 100644 index da37b18b6e..0000000000 --- a/modules/automation/automation-account/software-update-configuration/README.md +++ /dev/null 
@@ -1,557 +0,0 @@ -# Automation Account Software Update Configurations `[Microsoft.Automation/automationAccounts/softwareUpdateConfigurations]` - -This module deploys an Azure Automation Account Software Update Configuration. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Automation/automationAccounts/softwareUpdateConfigurations` | [2019-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Automation/2019-06-01/automationAccounts/softwareUpdateConfigurations) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`frequency`](#parameter-frequency) | string | The frequency of the deployment schedule. When using 'Hour', 'Day', 'Week' or 'Month', an interval needs to be provided. | -| [`name`](#parameter-name) | string | The name of the Deployment schedule. | -| [`operatingSystem`](#parameter-operatingsystem) | string | The operating system to be configured by the deployment schedule. | -| [`rebootSetting`](#parameter-rebootsetting) | string | Reboot setting for the deployment schedule. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`automationAccountName`](#parameter-automationaccountname) | string | The name of the parent Automation Account. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`azureVirtualMachines`](#parameter-azurevirtualmachines) | array | List of azure resource IDs for azure virtual machines in scope for the deployment schedule. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). 
| -| [`excludeUpdates`](#parameter-excludeupdates) | array | KB numbers or Linux packages excluded in the deployment schedule. | -| [`expiryTime`](#parameter-expirytime) | string | The end time of the deployment schedule in ISO 8601 format. YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00. | -| [`expiryTimeOffsetMinutes`](#parameter-expirytimeoffsetminutes) | int | The expiry time's offset in minutes. | -| [`includeUpdates`](#parameter-includeupdates) | array | KB numbers or Linux packages included in the deployment schedule. | -| [`interval`](#parameter-interval) | int | The interval of the frequency for the deployment schedule. 1 Hour is every hour, 2 Day is every second day, etc. | -| [`isEnabled`](#parameter-isenabled) | bool | Enables the deployment schedule. | -| [`maintenanceWindow`](#parameter-maintenancewindow) | string | Maximum time allowed for the deployment schedule to run. Duration needs to be specified using the format PT[n]H[n]M[n]S as per ISO8601. | -| [`monthDays`](#parameter-monthdays) | array | Can be used with frequency 'Month'. Provides the specific days of the month to run the deployment schedule. | -| [`monthlyOccurrences`](#parameter-monthlyoccurrences) | array | Can be used with frequency 'Month'. Provides the pattern/cadence for running the deployment schedule in a month. Takes objects formed like this {occurance(int),day(string)}. Day is the name of the day to run the deployment schedule, the occurance specifies which occurance of that day to run the deployment schedule. | -| [`nextRun`](#parameter-nextrun) | string | The next time the deployment schedule runs in ISO 8601 format. YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00. | -| [`nextRunOffsetMinutes`](#parameter-nextrunoffsetminutes) | int | The next run's offset in minutes. | -| [`nonAzureComputerNames`](#parameter-nonazurecomputernames) | array | List of names of non-azure machines in scope for the deployment schedule. 
| -| [`nonAzureQueries`](#parameter-nonazurequeries) | array | Array of functions from a Log Analytics workspace, used to scope the deployment schedule. | -| [`postTaskParameters`](#parameter-posttaskparameters) | object | Parameters provided to the task running after the deployment schedule. | -| [`postTaskSource`](#parameter-posttasksource) | string | The source of the task running after the deployment schedule. | -| [`preTaskParameters`](#parameter-pretaskparameters) | object | Parameters provided to the task running before the deployment schedule. | -| [`preTaskSource`](#parameter-pretasksource) | string | The source of the task running before the deployment schedule. | -| [`scheduleDescription`](#parameter-scheduledescription) | string | The schedules description. | -| [`scopeByLocations`](#parameter-scopebylocations) | array | Specify locations to which to scope the deployment schedule to. | -| [`scopeByResources`](#parameter-scopebyresources) | array | Specify the resources to scope the deployment schedule to. | -| [`scopeByTags`](#parameter-scopebytags) | object | Specify tags to which to scope the deployment schedule to. | -| [`scopeByTagsOperation`](#parameter-scopebytagsoperation) | string | Enables the scopeByTags to require All (Tag A and Tag B) or Any (Tag A or Tag B). | -| [`startTime`](#parameter-starttime) | string | The start time of the deployment schedule in ISO 8601 format. To specify a specific time use YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00. For schedules where we want to start the deployment as soon as possible, specify the time segment only in 24 hour format, HH:MM, 22:00. | -| [`timeZone`](#parameter-timezone) | string | Time zone for the deployment schedule. IANA ID or a Windows Time Zone ID. | -| [`updateClassifications`](#parameter-updateclassifications) | array | Update classification included in the deployment schedule. | -| [`weekDays`](#parameter-weekdays) | array | Required when used with frequency 'Week'. 
Specified the day of the week to run the deployment schedule. | - -**Generated parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`baseTime`](#parameter-basetime) | string | Do not touch. Is used to provide the base time for time comparison for startTime. If startTime is specified in HH:MM format, baseTime is used to check if the provided startTime has passed, adding one day before setting the deployment schedule. | - -### Parameter: `frequency` - -The frequency of the deployment schedule. When using 'Hour', 'Day', 'Week' or 'Month', an interval needs to be provided. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Day' - 'Hour' - 'Month' - 'OneTime' - 'Week' - ] - ``` - -### Parameter: `name` - -The name of the Deployment schedule. - -- Required: Yes -- Type: string - -### Parameter: `operatingSystem` - -The operating system to be configured by the deployment schedule. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Linux' - 'Windows' - ] - ``` - -### Parameter: `rebootSetting` - -Reboot setting for the deployment schedule. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Always' - 'IfRequired' - 'Never' - 'RebootOnly' - ] - ``` - -### Parameter: `automationAccountName` - -The name of the parent Automation Account. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `azureVirtualMachines` - -List of azure resource IDs for azure virtual machines in scope for the deployment schedule. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `excludeUpdates` - -KB numbers or Linux packages excluded in the deployment schedule. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `expiryTime` - -The end time of the deployment schedule in ISO 8601 format. 
YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `expiryTimeOffsetMinutes` - -The expiry time's offset in minutes. - -- Required: No -- Type: int -- Default: `0` - -### Parameter: `includeUpdates` - -KB numbers or Linux packages included in the deployment schedule. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `interval` - -The interval of the frequency for the deployment schedule. 1 Hour is every hour, 2 Day is every second day, etc. - -- Required: No -- Type: int -- Default: `1` - -### Parameter: `isEnabled` - -Enables the deployment schedule. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `maintenanceWindow` - -Maximum time allowed for the deployment schedule to run. Duration needs to be specified using the format PT[n]H[n]M[n]S as per ISO8601. - -- Required: No -- Type: string -- Default: `'PT2H'` - -### Parameter: `monthDays` - -Can be used with frequency 'Month'. Provides the specific days of the month to run the deployment schedule. - -- Required: No -- Type: array -- Default: `[]` -- Allowed: - ```Bicep - [ - 1 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 10 - 11 - 12 - 13 - 14 - 15 - 16 - 17 - 18 - 19 - 20 - 21 - 22 - 23 - 24 - 25 - 26 - 27 - 28 - 29 - 30 - 31 - ] - ``` - -### Parameter: `monthlyOccurrences` - -Can be used with frequency 'Month'. Provides the pattern/cadence for running the deployment schedule in a month. Takes objects formed like this {occurance(int),day(string)}. Day is the name of the day to run the deployment schedule, the occurance specifies which occurance of that day to run the deployment schedule. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `nextRun` - -The next time the deployment schedule runs in ISO 8601 format. YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `nextRunOffsetMinutes` - -The next run's offset in minutes. 
- -- Required: No -- Type: int -- Default: `0` - -### Parameter: `nonAzureComputerNames` - -List of names of non-azure machines in scope for the deployment schedule. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `nonAzureQueries` - -Array of functions from a Log Analytics workspace, used to scope the deployment schedule. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `postTaskParameters` - -Parameters provided to the task running after the deployment schedule. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `postTaskSource` - -The source of the task running after the deployment schedule. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `preTaskParameters` - -Parameters provided to the task running before the deployment schedule. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `preTaskSource` - -The source of the task running before the deployment schedule. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `scheduleDescription` - -The schedules description. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `scopeByLocations` - -Specify locations to which to scope the deployment schedule to. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `scopeByResources` - -Specify the resources to scope the deployment schedule to. - -- Required: No -- Type: array -- Default: - ```Bicep - [ - '[subscription().id]' - ] - ``` - -### Parameter: `scopeByTags` - -Specify tags to which to scope the deployment schedule to. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `scopeByTagsOperation` - -Enables the scopeByTags to require All (Tag A and Tag B) or Any (Tag A or Tag B). - -- Required: No -- Type: string -- Default: `'All'` -- Allowed: - ```Bicep - [ - 'All' - 'Any' - ] - ``` - -### Parameter: `startTime` - -The start time of the deployment schedule in ISO 8601 format. 
To specify a specific time use YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00. For schedules where we want to start the deployment as soon as possible, specify the time segment only in 24 hour format, HH:MM, 22:00. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `timeZone` - -Time zone for the deployment schedule. IANA ID or a Windows Time Zone ID. - -- Required: No -- Type: string -- Default: `'UTC'` - -### Parameter: `updateClassifications` - -Update classification included in the deployment schedule. - -- Required: No -- Type: array -- Default: - ```Bicep - [ - 'Critical' - 'Security' - ] - ``` -- Allowed: - ```Bicep - [ - 'Critical' - 'Definition' - 'FeaturePack' - 'Other' - 'Security' - 'ServicePack' - 'Tools' - 'UpdateRollup' - 'Updates' - ] - ``` - -### Parameter: `weekDays` - -Required when used with frequency 'Week'. Specified the day of the week to run the deployment schedule. - -- Required: No -- Type: array -- Default: `[]` -- Allowed: - ```Bicep - [ - 'Friday' - 'Monday' - 'Saturday' - 'Sunday' - 'Thursday' - 'Tuesday' - 'Wednesday' - ] - ``` - -### Parameter: `baseTime` - -Do not touch. Is used to provide the base time for time comparison for startTime. If startTime is specified in HH:MM format, baseTime is used to check if the provided startTime has passed, adding one day before setting the deployment schedule. - -- Required: No -- Type: string -- Default: `[utcNow('u')]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed softwareUpdateConfiguration. | -| `resourceGroupName` | string | The resource group of the deployed softwareUpdateConfiguration. | -| `resourceId` | string | The resource ID of the deployed softwareUpdateConfiguration. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `scopeByTags` - -Provide tag keys, with an array of values, filtering in machines that should be included in the deployment schedule. 
- -| Property name | Type | Possible values | Description | -| :------------ | :---- | :-------------- | :---------- | -| \ | array | string | tag values | - - -

- -Parameter JSON format - -```json -"scopeByTags": { - "value": { - "Update": [ - "Automatic" - ], - "MaintenanceWindow": [ - "1-Sat-22" - ] - } -} -``` - -
- -
- -Bicep format - -```bicep -scopeByTags: { - Update: [ - 'Automatic' - ] - MaintenanceWindow: [ - '1-Sat-22' - ] -} -``` - -
-

- -### Parameter Usage: `monthlyOccurrences` - -Occurrences of days within a month. - -| Property name | Type | Possible values | Description | -| :------------ | :----- | :------------------------------------------------------------- | :----------------------------------------------------------------------------------- | -| `occurance` | int | 1-5 | Occurrence of the week within the month. Must be between 1 and 5, where 5 is "last". | -| `day` | string | Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday | Day of the occurrence. | - -

- -Parameter JSON format - -```json -"monthlyOccurrences": { - "value": [ - { - "occurrence": 1, - "day": "Monday" - }, - { - "occurrence": 2, - "day": "Friday" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -monthlyOccurrences: [ - { - occurrence: 1 - day: 'Monday' - } - { - occurrence: 2 - day: 'Friday' - } -] -``` - -
-

diff --git a/modules/automation/automation-account/software-update-configuration/main.bicep b/modules/automation/automation-account/software-update-configuration/main.bicep
deleted file mode 100644
index c7d1c57ad9..0000000000
--- a/modules/automation/automation-account/software-update-configuration/main.bicep
+++ /dev/null
@@ -1,277 +0,0 @@
-metadata name = 'Automation Account Software Update Configurations'
-metadata description = 'This module deploys an Azure Automation Account Software Update Configuration.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the Deployment schedule.')
-param name string
-
-@description('Conditional. The name of the parent Automation Account. Required if the template is used in a standalone deployment.')
-param automationAccountName string
-
-@description('Required. The operating system to be configured by the deployment schedule.')
-@allowed([
- 'Windows'
- 'Linux'
-])
-param operatingSystem string
-
-@description('Required. Reboot setting for the deployment schedule.')
-@allowed([
- 'IfRequired'
- 'Never'
- 'RebootOnly'
- 'Always'
-])
-param rebootSetting string
-
-@description('Required. The frequency of the deployment schedule. When using \'Hour\', \'Day\', \'Week\' or \'Month\', an interval needs to be provided.')
-@allowed([
- 'OneTime'
- 'Hour'
- 'Day'
- 'Week'
- 'Month'
-])
-param frequency string
-
-@description('Optional. Maximum time allowed for the deployment schedule to run. Duration needs to be specified using the format PT[n]H[n]M[n]S as per ISO8601.')
-param maintenanceWindow string = 'PT2H'
-
-@description('Optional. Update classification included in the deployment schedule.')
-@allowed([
- 'Critical'
- 'Security'
- 'UpdateRollup'
- 'FeaturePack'
- 'ServicePack'
- 'Definition'
- 'Tools'
- 'Updates'
- 'Other'
-])
-param updateClassifications array = [
- 'Critical'
- 'Security'
-]
-
-@description('Optional. KB numbers or Linux packages excluded in the deployment schedule.')
-param excludeUpdates array = []
-
-@description('Optional. KB numbers or Linux packages included in the deployment schedule.')
-param includeUpdates array = []
-
-@description('Optional. Specify the resources to scope the deployment schedule to.')
-param scopeByResources array = [
- subscription().id
-]
-
-@description('Optional. Specify tags to which to scope the deployment schedule to.')
-param scopeByTags object = {}
-
-@description('Optional. Enables the scopeByTags to require All (Tag A and Tag B) or Any (Tag A or Tag B).')
-@allowed([
- 'All'
- 'Any'
-])
-param scopeByTagsOperation string = 'All'
-
-@description('Optional. Specify locations to which to scope the deployment schedule to.')
-param scopeByLocations array = []
-
-@description('Optional. Parameters provided to the task running before the deployment schedule.')
-param preTaskParameters object = {}
-
-@description('Optional. The source of the task running before the deployment schedule.')
-param preTaskSource string = ''
-
-@description('Optional. Parameters provided to the task running after the deployment schedule.')
-param postTaskParameters object = {}
-
-@description('Optional. The source of the task running after the deployment schedule.')
-param postTaskSource string = ''
-
-@description('Optional. The interval of the frequency for the deployment schedule. 1 Hour is every hour, 2 Day is every second day, etc.')
-@maxValue(100)
-param interval int = 1
-
-@description('Optional. Enables the deployment schedule.')
-param isEnabled bool = true
-
-@description('Optional. Time zone for the deployment schedule. IANA ID or a Windows Time Zone ID.')
-param timeZone string = 'UTC'
-
-@description('Optional. Array of functions from a Log Analytics workspace, used to scope the deployment schedule.')
-param nonAzureQueries array = []
-
-@description('Optional. List of azure resource IDs for azure virtual machines in scope for the deployment schedule.')
-param azureVirtualMachines array = []
-
-@description('Optional. List of names of non-azure machines in scope for the deployment schedule.')
-param nonAzureComputerNames array = []
-
-@description('Optional. Required when used with frequency \'Week\'. Specified the day of the week to run the deployment schedule.')
-@allowed([
- 'Monday'
- 'Tuesday'
- 'Wednesday'
- 'Thursday'
- 'Friday'
- 'Saturday'
- 'Sunday'
-])
-param weekDays array = []
-
-@description('Optional. Can be used with frequency \'Month\'. Provides the specific days of the month to run the deployment schedule.')
-@allowed([
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
-])
-param monthDays array = []
-
-@description('Optional. Can be used with frequency \'Month\'. Provides the pattern/cadence for running the deployment schedule in a month. Takes objects formed like this {occurance(int),day(string)}. Day is the name of the day to run the deployment schedule, the occurance specifies which occurance of that day to run the deployment schedule.')
-param monthlyOccurrences array = []
-
-@description('Optional. The start time of the deployment schedule in ISO 8601 format. To specify a specific time use YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00. For schedules where we want to start the deployment as soon as possible, specify the time segment only in 24 hour format, HH:MM, 22:00.')
-param startTime string = ''
-
-@description('Optional. The end time of the deployment schedule in ISO 8601 format. YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00.')
-param expiryTime string = ''
-
-@description('Optional. The expiry time\'s offset in minutes.')
-param expiryTimeOffsetMinutes int = 0
-
-@description('Optional. The next time the deployment schedule runs in ISO 8601 format. YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00.')
-param nextRun string = ''
-
-@description('Optional. The next run\'s offset in minutes.')
-param nextRunOffsetMinutes int = 0
-
-@description('Optional. The schedules description.')
-param scheduleDescription string = ''
-
-@description('Generated. Do not touch. Is used to provide the base time for time comparison for startTime. If startTime is specified in HH:MM format, baseTime is used to check if the provided startTime has passed, adding one day before setting the deployment schedule.')
-param baseTime string = utcNow('u')
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var updateClassificationsVar = replace(replace(replace(replace(string(updateClassifications), ',', ', '), '[', ''), ']', ''), '"', '')
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource automationAccount 'Microsoft.Automation/automationAccounts@2022-08-08' existing = {
- name: automationAccountName
-}
-
-resource softwareUpdateConfiguration 'Microsoft.Automation/automationAccounts/softwareUpdateConfigurations@2019-06-01' = {
- name: name
- parent: automationAccount
- properties: {
- updateConfiguration: {
- operatingSystem: operatingSystem
- duration: maintenanceWindow
- linux: ((operatingSystem == 'Linux') ? {
- excludedPackageNameMasks: excludeUpdates
- includedPackageNameMasks: includeUpdates
- includedPackageClassifications: updateClassificationsVar
- rebootSetting: rebootSetting
- } : null)
- windows: ((operatingSystem == 'Windows') ? {
- excludedKbNumbers: excludeUpdates
- includedKbNumbers: includeUpdates
- includedUpdateClassifications: updateClassificationsVar
- rebootSetting: rebootSetting
- } : null)
- targets: {
- azureQueries: [
- {
- scope: scopeByResources
- tagSettings: {
- tags: scopeByTags
- filterOperator: scopeByTagsOperation
- }
- locations: scopeByLocations
- }
- ]
- nonAzureQueries: nonAzureQueries
- }
- azureVirtualMachines: azureVirtualMachines
- nonAzureComputerNames: nonAzureComputerNames
- }
- tasks: {
- preTask: {
- parameters: (empty(preTaskParameters) ? null : preTaskParameters)
- source: (empty(preTaskSource) ? null : preTaskSource)
- }
- postTask: {
- parameters: (empty(postTaskParameters) ? null : postTaskParameters)
- source: (empty(postTaskSource) ? null : postTaskSource)
- }
- }
- scheduleInfo: {
- interval: interval
- frequency: frequency
- isEnabled: isEnabled
- timeZone: timeZone
- advancedSchedule: {
- weekDays: (empty(weekDays) ? null : weekDays)
- monthDays: (empty(monthDays) ? null : monthDays)
- monthlyOccurrences: (empty(monthlyOccurrences) ? null : monthlyOccurrences)
- }
- startTime: (empty(startTime) ? dateTimeAdd(baseTime, 'PT10M') : startTime)
- expiryTime: expiryTime
- expiryTimeOffsetMinutes: expiryTimeOffsetMinutes
- nextRun: nextRun
- nextRunOffsetMinutes: nextRunOffsetMinutes
- description: scheduleDescription
- }
- }
-}
-
-@description('The name of the deployed softwareUpdateConfiguration.')
-output name string = softwareUpdateConfiguration.name
-
-@description('The resource ID of the deployed softwareUpdateConfiguration.')
-output resourceId string = softwareUpdateConfiguration.id
-
-@description('The resource group of the deployed softwareUpdateConfiguration.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/automation/automation-account/software-update-configuration/main.json b/modules/automation/automation-account/software-update-configuration/main.json
deleted file mode 100644
index 9612d02f44..0000000000
--- a/modules/automation/automation-account/software-update-configuration/main.json
+++ /dev/null
@@ -1,426 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17152541334253964982" - }, - "name": "Automation Account Software Update Configurations", - "description": "This module deploys an Azure Automation Account Software Update Configuration.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Deployment schedule." - } - }, - "automationAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Automation Account. Required if the template is used in a standalone deployment." - } - }, - "operatingSystem": { - "type": "string", - "allowedValues": [ - "Windows", - "Linux" - ], - "metadata": { - "description": "Required. The operating system to be configured by the deployment schedule." - } - }, - "rebootSetting": { - "type": "string", - "allowedValues": [ - "IfRequired", - "Never", - "RebootOnly", - "Always" - ], - "metadata": { - "description": "Required. Reboot setting for the deployment schedule." - } - }, - "frequency": { - "type": "string", - "allowedValues": [ - "OneTime", - "Hour", - "Day", - "Week", - "Month" - ], - "metadata": { - "description": "Required. The frequency of the deployment schedule. When using 'Hour', 'Day', 'Week' or 'Month', an interval needs to be provided." - } - }, - "maintenanceWindow": { - "type": "string", - "defaultValue": "PT2H", - "metadata": { - "description": "Optional. Maximum time allowed for the deployment schedule to run. Duration needs to be specified using the format PT[n]H[n]M[n]S as per ISO8601." 
- } - }, - "updateClassifications": { - "type": "array", - "defaultValue": [ - "Critical", - "Security" - ], - "allowedValues": [ - "Critical", - "Security", - "UpdateRollup", - "FeaturePack", - "ServicePack", - "Definition", - "Tools", - "Updates", - "Other" - ], - "metadata": { - "description": "Optional. Update classification included in the deployment schedule." - } - }, - "excludeUpdates": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. KB numbers or Linux packages excluded in the deployment schedule." - } - }, - "includeUpdates": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. KB numbers or Linux packages included in the deployment schedule." - } - }, - "scopeByResources": { - "type": "array", - "defaultValue": [ - "[subscription().id]" - ], - "metadata": { - "description": "Optional. Specify the resources to scope the deployment schedule to." - } - }, - "scopeByTags": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Specify tags to which to scope the deployment schedule to." - } - }, - "scopeByTagsOperation": { - "type": "string", - "defaultValue": "All", - "allowedValues": [ - "All", - "Any" - ], - "metadata": { - "description": "Optional. Enables the scopeByTags to require All (Tag A and Tag B) or Any (Tag A or Tag B)." - } - }, - "scopeByLocations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specify locations to which to scope the deployment schedule to." - } - }, - "preTaskParameters": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Parameters provided to the task running before the deployment schedule." - } - }, - "preTaskSource": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The source of the task running before the deployment schedule." 
- } - }, - "postTaskParameters": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Parameters provided to the task running after the deployment schedule." - } - }, - "postTaskSource": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The source of the task running after the deployment schedule." - } - }, - "interval": { - "type": "int", - "defaultValue": 1, - "maxValue": 100, - "metadata": { - "description": "Optional. The interval of the frequency for the deployment schedule. 1 Hour is every hour, 2 Day is every second day, etc." - } - }, - "isEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enables the deployment schedule." - } - }, - "timeZone": { - "type": "string", - "defaultValue": "UTC", - "metadata": { - "description": "Optional. Time zone for the deployment schedule. IANA ID or a Windows Time Zone ID." - } - }, - "nonAzureQueries": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of functions from a Log Analytics workspace, used to scope the deployment schedule." - } - }, - "azureVirtualMachines": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of azure resource IDs for azure virtual machines in scope for the deployment schedule." - } - }, - "nonAzureComputerNames": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of names of non-azure machines in scope for the deployment schedule." - } - }, - "weekDays": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "Monday", - "Tuesday", - "Wednesday", - "Thursday", - "Friday", - "Saturday", - "Sunday" - ], - "metadata": { - "description": "Optional. Required when used with frequency 'Week'. Specified the day of the week to run the deployment schedule." 
- } - }, - "monthDays": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - 1, - 2, - 3, - 4, - 5, - 6, - 7, - 8, - 9, - 10, - 11, - 12, - 13, - 14, - 15, - 16, - 17, - 18, - 19, - 20, - 21, - 22, - 23, - 24, - 25, - 26, - 27, - 28, - 29, - 30, - 31 - ], - "metadata": { - "description": "Optional. Can be used with frequency 'Month'. Provides the specific days of the month to run the deployment schedule." - } - }, - "monthlyOccurrences": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Can be used with frequency 'Month'. Provides the pattern/cadence for running the deployment schedule in a month. Takes objects formed like this {occurance(int),day(string)}. Day is the name of the day to run the deployment schedule, the occurance specifies which occurance of that day to run the deployment schedule." - } - }, - "startTime": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The start time of the deployment schedule in ISO 8601 format. To specify a specific time use YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00. For schedules where we want to start the deployment as soon as possible, specify the time segment only in 24 hour format, HH:MM, 22:00." - } - }, - "expiryTime": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The end time of the deployment schedule in ISO 8601 format. YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00." - } - }, - "expiryTimeOffsetMinutes": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. The expiry time's offset in minutes." - } - }, - "nextRun": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The next time the deployment schedule runs in ISO 8601 format. YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00." - } - }, - "nextRunOffsetMinutes": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. The next run's offset in minutes." 
- } - }, - "scheduleDescription": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The schedules description." - } - }, - "baseTime": { - "type": "string", - "defaultValue": "[utcNow('u')]", - "metadata": { - "description": "Generated. Do not touch. Is used to provide the base time for time comparison for startTime. If startTime is specified in HH:MM format, baseTime is used to check if the provided startTime has passed, adding one day before setting the deployment schedule." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "updateClassificationsVar": "[replace(replace(replace(replace(string(parameters('updateClassifications')), ',', ', '), '[', ''), ']', ''), '\"', '')]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Automation/automationAccounts/softwareUpdateConfigurations", - "apiVersion": "2019-06-01", - "name": "[format('{0}/{1}', parameters('automationAccountName'), parameters('name'))]", - "properties": { - "updateConfiguration": { - "operatingSystem": "[parameters('operatingSystem')]", - "duration": "[parameters('maintenanceWindow')]", - "linux": "[if(equals(parameters('operatingSystem'), 'Linux'), createObject('excludedPackageNameMasks', parameters('excludeUpdates'), 'includedPackageNameMasks', parameters('includeUpdates'), 'includedPackageClassifications', variables('updateClassificationsVar'), 
'rebootSetting', parameters('rebootSetting')), null())]", - "windows": "[if(equals(parameters('operatingSystem'), 'Windows'), createObject('excludedKbNumbers', parameters('excludeUpdates'), 'includedKbNumbers', parameters('includeUpdates'), 'includedUpdateClassifications', variables('updateClassificationsVar'), 'rebootSetting', parameters('rebootSetting')), null())]", - "targets": { - "azureQueries": [ - { - "scope": "[parameters('scopeByResources')]", - "tagSettings": { - "tags": "[parameters('scopeByTags')]", - "filterOperator": "[parameters('scopeByTagsOperation')]" - }, - "locations": "[parameters('scopeByLocations')]" - } - ], - "nonAzureQueries": "[parameters('nonAzureQueries')]" - }, - "azureVirtualMachines": "[parameters('azureVirtualMachines')]", - "nonAzureComputerNames": "[parameters('nonAzureComputerNames')]" - }, - "tasks": { - "preTask": { - "parameters": "[if(empty(parameters('preTaskParameters')), null(), parameters('preTaskParameters'))]", - "source": "[if(empty(parameters('preTaskSource')), null(), parameters('preTaskSource'))]" - }, - "postTask": { - "parameters": "[if(empty(parameters('postTaskParameters')), null(), parameters('postTaskParameters'))]", - "source": "[if(empty(parameters('postTaskSource')), null(), parameters('postTaskSource'))]" - } - }, - "scheduleInfo": { - "interval": "[parameters('interval')]", - "frequency": "[parameters('frequency')]", - "isEnabled": "[parameters('isEnabled')]", - "timeZone": "[parameters('timeZone')]", - "advancedSchedule": { - "weekDays": "[if(empty(parameters('weekDays')), null(), parameters('weekDays'))]", - "monthDays": "[if(empty(parameters('monthDays')), null(), parameters('monthDays'))]", - "monthlyOccurrences": "[if(empty(parameters('monthlyOccurrences')), null(), parameters('monthlyOccurrences'))]" - }, - "startTime": "[if(empty(parameters('startTime')), dateTimeAdd(parameters('baseTime'), 'PT10M'), parameters('startTime'))]", - "expiryTime": "[parameters('expiryTime')]", - 
"expiryTimeOffsetMinutes": "[parameters('expiryTimeOffsetMinutes')]", - "nextRun": "[parameters('nextRun')]", - "nextRunOffsetMinutes": "[parameters('nextRunOffsetMinutes')]", - "description": "[parameters('scheduleDescription')]" - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed softwareUpdateConfiguration." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed softwareUpdateConfiguration." - }, - "value": "[resourceId('Microsoft.Automation/automationAccounts/softwareUpdateConfigurations', parameters('automationAccountName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed softwareUpdateConfiguration." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/automation/automation-account/software-update-configuration/version.json b/modules/automation/automation-account/software-update-configuration/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/automation/automation-account/software-update-configuration/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/automation/automation-account/tests/e2e/defaults/main.test.bicep b/modules/automation/automation-account/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 2e93cc9a4a..0000000000 --- a/modules/automation/automation-account/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-automation.account-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'aamin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/automation/automation-account/tests/e2e/encr/dependencies.bicep b/modules/automation/automation-account/tests/e2e/encr/dependencies.bicep
deleted file mode 100644
index c0fbbed613..0000000000
--- a/modules/automation/automation-account/tests/e2e/encr/dependencies.bicep
+++ /dev/null
@@ -1,58 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- softDeleteRetentionInDays: 7
- enablePurgeProtection: true
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-
- resource key 'keys@2022-07-01' = {
- name: 'keyEncryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-}
-
-resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment')
- scope: keyVault::key
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User
- principalType: 'ServicePrincipal'
- }
-}
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
-
-@description('The name of the Key Vault Encryption Key.')
-output keyVaultEncryptionKeyName string = keyVault::key.name
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
diff --git a/modules/automation/automation-account/tests/e2e/encr/main.test.bicep b/modules/automation/automation-account/tests/e2e/encr/main.test.bicep
deleted file mode 100644
index ec8c934c0d..0000000000
--- a/modules/automation/automation-account/tests/e2e/encr/main.test.bicep
+++ /dev/null
@@ -1,69 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-automation.account-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'aaencr'
-
-@description('Generated. Used as a basis for unique resource names.')
-param baseTime string = utcNow('u')
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- customerManagedKey: {
- keyName: nestedDependencies.outputs.keyVaultEncryptionKeyName
- keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- userAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId
- }
- managedIdentities: {
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- }
-}]
diff --git a/modules/automation/automation-account/tests/e2e/max/dependencies.bicep b/modules/automation/automation-account/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 3a979dc83b..0000000000
--- a/modules/automation/automation-account/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,90 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.azure-automation.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: null
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
-
-@description('The URL of the created Key Vault.')
-output keyVaultUrl string = keyVault.properties.vaultUri
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/automation/automation-account/tests/e2e/max/main.test.bicep b/modules/automation/automation-account/tests/e2e/max/main.test.bicep
deleted file mode 100644
index b77d8bbd82..0000000000
--- a/modules/automation/automation-account/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,272 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-automation.account-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'aamax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- gallerySolutions: [
- {
- name: 'Updates'
- product: 'OMSGallery'
- publisher: 'Microsoft'
- }
- ]
- jobSchedules: [
- {
- runbookName: 'TestRunbook'
- scheduleName: 'TestSchedule'
- }
- ]
- disableLocalAuth: true
- linkedWorkspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- modules: [
- {
- name: 'PSWindowsUpdate'
- uri: 'https://www.powershellgallery.com/api/v2/package'
- version: 'latest'
- }
- ]
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- service: 'Webhook'
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- service: 'DSCAndHybridWorker'
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- runbooks: [
- {
- description: 'Test runbook'
- name: 'TestRunbook'
- type: 'PowerShell'
- uri: 'https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.automation/101-automation/scripts/AzureAutomationTutorial.ps1'
- version: '1.0.0.0'
- }
- ]
- schedules: [
- {
- advancedSchedule: {}
- expiryTime: '9999-12-31T13:00'
- frequency: 'Hour'
- interval: 12
- name: 'TestSchedule'
- startTime: ''
- timeZone: 'Europe/Berlin'
- }
- ]
- softwareUpdateConfigurations: [
- {
- excludeUpdates: [
- '123456'
- ]
- frequency: 'Month'
- includeUpdates: [
- '654321'
- ]
- interval: 1
- maintenanceWindow: 'PT4H'
- monthlyOccurrences: [
- {
- day: 'Friday'
- occurrence: 3
- }
- ]
- name: 'Windows_ZeroDay'
- operatingSystem: 'Windows'
- rebootSetting: 'IfRequired'
- scopeByTags: {
- Update: [
- 'Automatic-Wave1'
- ]
- }
- startTime: '22:00'
- updateClassifications: [
- 'Critical'
- 'Definition'
- 'FeaturePack'
- 'Security'
- 'ServicePack'
- 'Tools'
- 'UpdateRollup'
- 'Updates'
- ]
- }
- {
- excludeUpdates: [
- 'icacls'
- ]
- frequency: 'OneTime'
- includeUpdates: [
- 'kernel'
- ]
- maintenanceWindow: 'PT4H'
- name: 'Linux_ZeroDay'
- operatingSystem: 'Linux'
- rebootSetting: 'IfRequired'
- startTime: '22:00'
- updateClassifications: [
- 'Critical'
- 'Other'
- 'Security'
- ]
- }
- ]
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- variables: [
- {
- description: 'TestStringDescription'
- name: 'TestString'
- value: '\'TestString\''
- }
- {
- description: 'TestIntegerDescription'
- name: 'TestInteger'
- value: '500'
- }
- {
- description: 'TestBooleanDescription'
- name: 'TestBoolean'
- value: 'false'
- }
- {
- description: 'TestDateTimeDescription'
- isEncrypted: false
- name: 'TestDateTime'
- value: '\'\\/Date(1637934042656)\\/\''
- }
- {
- description: 'TestEncryptedDescription'
- name: 'TestEncryptedVariable'
- value: '\'TestEncryptedValue\''
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/automation/automation-account/tests/e2e/waf-aligned/dependencies.bicep b/modules/automation/automation-account/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 3a979dc83b..0000000000
--- a/modules/automation/automation-account/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,90 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.azure-automation.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: null
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
-
-@description('The URL of the created Key Vault.')
-output keyVaultUrl string = keyVault.properties.vaultUri
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep b/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index e4d4913905..0000000000
--- a/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,255 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-automation.account-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'aawaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- gallerySolutions: [
- {
- name: 'Updates'
- product: 'OMSGallery'
- publisher: 'Microsoft'
- }
- ]
- jobSchedules: [
- {
- runbookName: 'TestRunbook'
- scheduleName: 'TestSchedule'
- }
- ]
- disableLocalAuth: true
- linkedWorkspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- modules: [
- {
- name: 'PSWindowsUpdate'
- uri: 'https://www.powershellgallery.com/api/v2/package'
- version: 'latest'
- }
- ]
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- service: 'Webhook'
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- service: 'DSCAndHybridWorker'
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- runbooks: [
- {
- description: 'Test runbook'
- name: 'TestRunbook'
- type: 'PowerShell'
- uri: 'https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.automation/101-automation/scripts/AzureAutomationTutorial.ps1'
- version: '1.0.0.0'
- }
- ]
- schedules: [
- {
- advancedSchedule: {}
- expiryTime: '9999-12-31T13:00'
- frequency: 'Hour'
- interval: 12
- name: 'TestSchedule'
- startTime: ''
- timeZone: 'Europe/Berlin'
- }
- ]
- softwareUpdateConfigurations: [
- {
- excludeUpdates: [
- '123456'
- ]
- frequency: 'Month'
- includeUpdates: [
- '654321'
- ]
- interval: 1
- maintenanceWindow: 'PT4H'
- monthlyOccurrences: [
- {
- day: 'Friday'
- occurrence: 3
- }
- ]
- name: 'Windows_ZeroDay'
- operatingSystem: 'Windows'
- rebootSetting: 'IfRequired'
- scopeByTags: {
- Update: [
- 'Automatic-Wave1'
- ]
- }
- startTime: '22:00'
- updateClassifications: [
- 'Critical'
- 'Definition'
- 'FeaturePack'
- 'Security'
- 'ServicePack'
- 'Tools'
- 'UpdateRollup'
- 'Updates'
- ]
- }
- {
- excludeUpdates: [
- 'icacls'
- ]
- frequency: 'OneTime'
- includeUpdates: [
- 'kernel'
- ]
- maintenanceWindow: 'PT4H'
- name: 'Linux_ZeroDay'
- operatingSystem: 'Linux'
- rebootSetting: 'IfRequired'
- startTime: '22:00'
- updateClassifications: [
- 'Critical'
- 'Other'
- 'Security'
- ]
- }
- ]
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- variables: [
- {
- description: 'TestStringDescription'
- name: 'TestString'
- value: '\'TestString\''
- }
- {
- description: 'TestIntegerDescription'
- name: 'TestInteger'
- value: '500'
- }
- {
- description: 'TestBooleanDescription'
- name: 'TestBoolean'
- value: 'false'
- }
- {
- description: 'TestDateTimeDescription'
- isEncrypted: false
- name: 'TestDateTime'
- value: '\'\\/Date(1637934042656)\\/\''
- }
- {
- description: 'TestEncryptedDescription'
- name: 'TestEncryptedVariable'
- value: '\'TestEncryptedValue\''
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/automation/automation-account/variable/README.md b/modules/automation/automation-account/variable/README.md
deleted file mode 100644
index f6b15abae7..0000000000
--- a/modules/automation/automation-account/variable/README.md
+++ /dev/null
@@ -1,152 +0,0 @@ -# Automation Account Variables `[Microsoft.Automation/automationAccounts/variables]` - -This module deploys an Azure Automation Account Variable. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Automation/automationAccounts/variables` | [2022-08-08](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Automation/2022-08-08/automationAccounts/variables) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the variable. | -| [`value`](#parameter-value) | securestring | The value of the variable. For security best practices, this value is always passed as a secure string as it could contain an encrypted value when the "isEncrypted" property is set to true. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`automationAccountName`](#parameter-automationaccountname) | string | The name of the parent Automation Account. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`description`](#parameter-description) | string | The description of the variable. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`isEncrypted`](#parameter-isencrypted) | bool | If the variable should be encrypted. For security reasons encryption of variables should be enabled. | - -### Parameter: `name` - -The name of the variable. - -- Required: Yes -- Type: string - -### Parameter: `value` - -The value of the variable. 
For security best practices, this value is always passed as a secure string as it could contain an encrypted value when the "isEncrypted" property is set to true. - -- Required: Yes -- Type: securestring - -### Parameter: `automationAccountName` - -The name of the parent Automation Account. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `description` - -The description of the variable. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `isEncrypted` - -If the variable should be encrypted. For security reasons encryption of variables should be enabled. - -- Required: No -- Type: bool -- Default: `True` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed variable. | -| `resourceGroupName` | string | The resource group of the deployed variable. | -| `resourceId` | string | The resource ID of the deployed variable. | - -## Cross-referenced modules - -_None_ - -## Notes - - -### Parameter Usage: `value` - -

- -Parameter JSON format - -```json -//Boolean format -"value": { - "value": "false" -} - -//DateTime format -"value": { - "value": "\"\\/Date(1637934042656)\\/\"" -} - -//Integer format -"value": { - "value": "500" -} - -//String format -"value": { - "value": "\"TestString\"" -} -``` - -
- -
- -Bicep format - -```bicep -//Boolean format -value: 'false' - -//DateTime format -value: '\'\\/Date(1637934042656)\\/\'' - -//Integer format -value: '500' - -//String format -value: '\'TestString\'' -``` - -
-

diff --git a/modules/automation/automation-account/variable/main.bicep b/modules/automation/automation-account/variable/main.bicep
deleted file mode 100644
index fa22969cbc..0000000000
--- a/modules/automation/automation-account/variable/main.bicep
+++ /dev/null
@@ -1,57 +0,0 @@
-metadata name = 'Automation Account Variables'
-metadata description = 'This module deploys an Azure Automation Account Variable.'
-metadata owner = 'Azure/module-maintainers'
-
-@sys.description('Conditional. The name of the parent Automation Account. Required if the template is used in a standalone deployment.')
-param automationAccountName string
-
-@sys.description('Required. The name of the variable.')
-param name string
-
-@secure()
-@sys.description('Required. The value of the variable. For security best practices, this value is always passed as a secure string as it could contain an encrypted value when the "isEncrypted" property is set to true.')
-param value string
-
-@sys.description('Optional. The description of the variable.')
-param description string = ''
-
-@sys.description('Optional. If the variable should be encrypted. For security reasons encryption of variables should be enabled.')
-param isEncrypted bool = true
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource automationAccount 'Microsoft.Automation/automationAccounts@2022-08-08' existing = {
- name: automationAccountName
-}
-
-resource variable 'Microsoft.Automation/automationAccounts/variables@2022-08-08' = {
- name: name
- parent: automationAccount
- properties: {
- description: description
- isEncrypted: isEncrypted
- value: value
- }
-}
-
-@sys.description('The name of the deployed variable.')
-output name string = variable.name
-
-@sys.description('The resource ID of the deployed variable.')
-output resourceId string = variable.id
-
-@sys.description('The resource group of the deployed variable.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/automation/automation-account/variable/main.json b/modules/automation/automation-account/variable/main.json
deleted file mode 100644
index 36b7c3584b..0000000000
--- a/modules/automation/automation-account/variable/main.json
+++ /dev/null
@@ -1,104 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13399277967950966124" - }, - "name": "Automation Account Variables", - "description": "This module deploys an Azure Automation Account Variable.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "automationAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Automation Account. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the variable." - } - }, - "value": { - "type": "securestring", - "metadata": { - "description": "Required. The value of the variable. For security best practices, this value is always passed as a secure string as it could contain an encrypted value when the \"isEncrypted\" property is set to true." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the variable." - } - }, - "isEncrypted": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. If the variable should be encrypted. For security reasons encryption of variables should be enabled." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Automation/automationAccounts/variables", - "apiVersion": "2022-08-08", - "name": "[format('{0}/{1}', parameters('automationAccountName'), parameters('name'))]", - "properties": { - "description": "[parameters('description')]", - "isEncrypted": "[parameters('isEncrypted')]", - "value": "[parameters('value')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed variable." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed variable." - }, - "value": "[resourceId('Microsoft.Automation/automationAccounts/variables', parameters('automationAccountName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed variable." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/automation/automation-account/variable/version.json b/modules/automation/automation-account/variable/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/automation/automation-account/variable/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/automation/automation-account/version.json b/modules/automation/automation-account/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/automation/automation-account/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/batch/batch-account/MOVED-TO-AVM.md b/modules/batch/batch-account/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/batch/batch-account/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/batch/batch-account/README.md b/modules/batch/batch-account/README.md
index 74a78f3d57..f9df9b2ab8 100644
--- a/modules/batch/batch-account/README.md
+++ b/modules/batch/batch-account/README.md
@@ -1,1288 +1,7 @@
-# Batch Accounts `[Microsoft.Batch/batchAccounts]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/batch/batch-account](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/batch/batch-account).** -This module deploys a Batch Account. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/batch/batch-account). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Batch/batchAccounts` | [2022-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Batch/2022-06-01/batchAccounts) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 
[2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/batch.batch-account:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Encr](#example-2-encr) -- [Using large parameter set](#example-3-using-large-parameter-set) -- [WAF-aligned](#example-4-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-bbamin' - params: { - // Required parameters - name: 'bbamin001' - storageAccountId: '' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "bbamin001" - }, - "storageAccountId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Encr_ - -

- -via Bicep module - -```bicep -module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-bbaencr' - params: { - // Required parameters - name: 'bbaencr001' - storageAccountId: '' - // Non-required parameters - cMKKeyName: '' - cMKKeyVaultResourceId: '' - enableDefaultTelemetry: '' - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - poolAllocationMode: 'BatchService' - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'batchAccount' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - storageAccessIdentity: '' - storageAuthenticationMode: 'BatchAccountManagedIdentity' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "bbaencr001" - }, - "storageAccountId": { - "value": "" - }, - // Non-required parameters - "cMKKeyName": { - "value": "" - }, - "cMKKeyVaultResourceId": { - "value": "" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "poolAllocationMode": { - "value": "BatchService" - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "batchAccount", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "storageAccessIdentity": { - "value": "" - }, - "storageAuthenticationMode": { - "value": "BatchAccountManagedIdentity" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-bbamax' - params: { - // Required parameters - name: 'bbamax001' - storageAccountId: '' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - } - poolAllocationMode: 'BatchService' - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - storageAccessIdentity: '' - storageAuthenticationMode: 'BatchAccountManagedIdentity' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "bbamax001" - }, - "storageAccountId": { - "value": "" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true - } - }, - "poolAllocationMode": { - "value": "BatchService" - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "storageAccessIdentity": { - "value": "" - }, - "storageAuthenticationMode": { - "value": "BatchAccountManagedIdentity" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 4: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-bbawaf' - params: { - // Required parameters - name: 'bbawaf001' - storageAccountId: '' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - } - poolAllocationMode: 'BatchService' - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - storageAccessIdentity: '' - storageAuthenticationMode: 'BatchAccountManagedIdentity' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "bbawaf001" - }, - "storageAccountId": { - "value": "" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true - } - }, - "poolAllocationMode": { - "value": "BatchService" - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "storageAccessIdentity": { - "value": "" - }, - "storageAuthenticationMode": { - "value": "BatchAccountManagedIdentity" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Azure Batch. | -| [`storageAccountId`](#parameter-storageaccountid) | string | The resource ID of the storage account to be used for auto-storage account. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | -| [`keyVaultReferenceResourceId`](#parameter-keyvaultreferenceresourceid) | string | The key vault to associate with the Batch account. Required if the 'poolAllocationMode' is set to 'UserSubscription' and requires the service principal 'Microsoft Azure Batch' to be granted contributor permissions on this key vault. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`allowedAuthenticationModes`](#parameter-allowedauthenticationmodes) | array | List of allowed authentication modes for the Batch account that can be used to authenticate with the data plane. | -| [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. | -| [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. 
| -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both. | -| [`networkProfileAllowedIpRanges`](#parameter-networkprofileallowedipranges) | array | Array of IP ranges to filter client IP address. It is only applicable when publicNetworkAccess is not explicitly disabled. | -| [`networkProfileDefaultAction`](#parameter-networkprofiledefaultaction) | string | The network profile default action for endpoint access. It is only applicable when publicNetworkAccess is not explicitly disabled. | -| [`poolAllocationMode`](#parameter-poolallocationmode) | string | The allocation mode for creating pools in the Batch account. Determines which quota will be used. | -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkProfileAllowedIpRanges are not set. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`storageAccessIdentity`](#parameter-storageaccessidentity) | string | The resource ID of a user assigned identity assigned to pools which have compute nodes that need access to auto-storage. 
| -| [`storageAuthenticationMode`](#parameter-storageauthenticationmode) | string | The authentication mode which the Batch service will use to manage the auto-storage account. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `name` - -Name of the Azure Batch. - -- Required: Yes -- Type: string - -### Parameter: `storageAccountId` - -The resource ID of the storage account to be used for auto-storage account. - -- Required: Yes -- Type: string - -### Parameter: `cMKKeyVaultResourceId` - -The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `keyVaultReferenceResourceId` - -The key vault to associate with the Batch account. Required if the 'poolAllocationMode' is set to 'UserSubscription' and requires the service principal 'Microsoft Azure Batch' to be granted contributor permissions on this key vault. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `allowedAuthenticationModes` - -List of allowed authentication modes for the Batch account that can be used to authenticate with the data plane. - -- Required: No -- Type: array -- Default: `[]` -- Allowed: - ```Bicep - [ - 'AAD' - 'SharedKey' - 'TaskAuthenticationToken' - ] - ``` - -### Parameter: `cMKKeyName` - -The name of the customer managed key to use for encryption. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `cMKKeyVersion` - -The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. 
-
-- Required: No
-- Type: array
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
-| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. |
-| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. |
-| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. |
-| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-
-### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId`
-
-Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.eventHubName`
-
-Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.logAnalyticsDestinationType`
-
-A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'AzureDiagnostics'
- 'Dedicated'
- ]
- ```
-
-### Parameter: `diagnosticSettings.logCategoriesAndGroups`
-
-The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
-
-- Required: No
-- Type: array
-
-### Parameter: `diagnosticSettings.marketplacePartnerResourceId`
-
-The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.metricCategories`
-
-The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
-
-- Required: No
-- Type: array
-
-### Parameter: `diagnosticSettings.name`
-
-The name of diagnostic setting.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.storageAccountResourceId`
-
-Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.workspaceResourceId`
-
-Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-
-- Required: No
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `location`
-
-Location for all Resources.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-### Parameter: `lock`
-
-The lock settings of the service.
-
-- Required: No
-- Type: object
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`kind`](#parameter-lockkind) | string | Specify the type of lock. |
-| [`name`](#parameter-lockname) | string | Specify the name of lock. |
-
-### Parameter: `lock.kind`
-
-Specify the type of lock.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'CanNotDelete'
- 'None'
- 'ReadOnly'
- ]
- ```
-
-### Parameter: `lock.name`
-
-Specify the name of lock.
-
-- Required: No
-- Type: string
-
-### Parameter: `managedIdentities`
-
-The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both.
-
-- Required: No
-- Type: object
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. |
-| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. |
-
-### Parameter: `managedIdentities.systemAssigned`
-
-Enables system assigned managed identity on the resource.
-
-- Required: No
-- Type: bool
-
-### Parameter: `managedIdentities.userAssignedResourceIds`
-
-The resource ID(s) to assign to the resource.
-
-- Required: No
-- Type: array
-
-### Parameter: `networkProfileAllowedIpRanges`
-
-Array of IP ranges to filter client IP address. It is only applicable when publicNetworkAccess is not explicitly disabled.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `networkProfileDefaultAction`
-
-The network profile default action for endpoint access. It is only applicable when publicNetworkAccess is not explicitly disabled.
-
-- Required: No
-- Type: string
-- Default: `'Deny'`
-- Allowed:
- ```Bicep
- [
- 'Allow'
- 'Deny'
- ]
- ```
-
-### Parameter: `poolAllocationMode`
-
-The allocation mode for creating pools in the Batch account. Determines which quota will be used.
-
-- Required: No
-- Type: string
-- Default: `'BatchService'`
-- Allowed:
- ```Bicep
- [
- 'BatchService'
- 'UserSubscription'
- ]
- ```
-
-### Parameter: `privateEndpoints`
-
-Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.
-
-- Required: No
-- Type: array
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. |
-| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. |
-| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. |
-| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. |
-| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. |
-| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. |
-| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. |
-| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. |
-| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. |
-| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. |
-| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. |
-| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". |
-| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. |
-
-### Parameter: `privateEndpoints.subnetResourceId`
-
-Resource ID of the subnet where the endpoint needs to be created.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds`
-
-Application security groups in which the private endpoint IP configuration is included.
-
-- Required: No
-- Type: array
-
-### Parameter: `privateEndpoints.customDnsConfigs`
-
-Custom DNS configurations.
-
-- Required: No
-- Type: array
-
-### Parameter: `privateEndpoints.customNetworkInterfaceName`
-
-The custom name of the network interface attached to the private endpoint.
-
-- Required: No
-- Type: string
-
-### Parameter: `privateEndpoints.enableTelemetry`
-
-Enable/Disable usage telemetry for module.
-
-- Required: No
-- Type: bool
-
-### Parameter: `privateEndpoints.ipConfigurations`
-
-A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.
-
-- Required: No
-- Type: array
-
-### Parameter: `privateEndpoints.location`
-
-The location to deploy the private endpoint to.
-
-- Required: No
-- Type: string
-
-### Parameter: `privateEndpoints.lock`
-
-Specify the type of lock.
-
-- Required: No
-- Type: object
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. |
-| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. |
-
-### Parameter: `privateEndpoints.lock.kind`
-
-Specify the type of lock.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'CanNotDelete'
- 'None'
- 'ReadOnly'
- ]
- ```
-
-### Parameter: `privateEndpoints.lock.name`
-
-Specify the name of lock.
-
-- Required: No
-- Type: string
-
-### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections`
-
-Manual PrivateLink Service Connections.
-
-- Required: No
-- Type: array
-
-### Parameter: `privateEndpoints.name`
-
-The name of the private endpoint.
-
-- Required: No
-- Type: string
-
-### Parameter: `privateEndpoints.privateDnsZoneGroupName`
-
-The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.
-
-- Required: No
-- Type: string
-
-### Parameter: `privateEndpoints.privateDnsZoneResourceIds`
-
-The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.
-
-- Required: No
-- Type: array
-
-### Parameter: `privateEndpoints.roleAssignments`
-
-Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
-
-- Required: No
-- Type: array
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. |
-| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
-| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. |
-| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. |
-| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. |
-| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. |
-
-### Parameter: `privateEndpoints.roleAssignments.principalId`
-
-The principal ID of the principal (user/group/identity) to assign the role to.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName`
-
-The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `privateEndpoints.roleAssignments.condition`
-
-The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
-
-- Required: No
-- Type: string
-
-### Parameter: `privateEndpoints.roleAssignments.conditionVersion`
-
-Version of the condition.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- '2.0'
- ]
- ```
-
-### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId`
-
-The Resource Id of the delegated managed identity resource.
-
-- Required: No
-- Type: string
-
-### Parameter: `privateEndpoints.roleAssignments.description`
-
-The description of the role assignment.
-
-- Required: No
-- Type: string
-
-### Parameter: `privateEndpoints.roleAssignments.principalType`
-
-The principal type of the assigned principal ID.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Device'
- 'ForeignGroup'
- 'Group'
- 'ServicePrincipal'
- 'User'
- ]
- ```
-
-### Parameter: `privateEndpoints.service`
-
-The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".
-
-- Required: No
-- Type: string
-
-### Parameter: `privateEndpoints.tags`
-
-Tags to be applied on all resources/resource groups in this deployment.
-
-- Required: No
-- Type: object
-
-### Parameter: `publicNetworkAccess`
-
-Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkProfileAllowedIpRanges are not set.
-
-- Required: No
-- Type: string
-- Default: `''`
-- Allowed:
- ```Bicep
- [
- ''
- 'Disabled'
- 'Enabled'
- ]
- ```
-
-### Parameter: `roleAssignments`
-
-Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
-
-- Required: No
-- Type: array
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
-| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. |
-| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. |
-| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. |
-| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. |
-
-### Parameter: `roleAssignments.principalId`
-
-The principal ID of the principal (user/group/identity) to assign the role to.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.roleDefinitionIdOrName`
-
-The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.condition`
-
-The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.conditionVersion`
-
-Version of the condition.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- '2.0'
- ]
- ```
-
-### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
-
-The Resource Id of the delegated managed identity resource.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.description`
-
-The description of the role assignment.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.principalType`
-
-The principal type of the assigned principal ID.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Device'
- 'ForeignGroup'
- 'Group'
- 'ServicePrincipal'
- 'User'
- ]
- ```
-
-### Parameter: `storageAccessIdentity`
-
-The resource ID of a user assigned identity assigned to pools which have compute nodes that need access to auto-storage.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `storageAuthenticationMode`
-
-The authentication mode which the Batch service will use to manage the auto-storage account.
-
-- Required: No
-- Type: string
-- Default: `'StorageKeys'`
-- Allowed:
- ```Bicep
- [
- 'BatchAccountManagedIdentity'
- 'StorageKeys'
- ]
- ```
-
-### Parameter: `tags`
-
-Tags of the resource.
-
-- Required: No
-- Type: object
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the batch account. |
-| `resourceGroupName` | string | The resource group the batch account was deployed into. |
-| `resourceId` | string | The resource ID of the batch account. |
-| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. |
-
-## Cross-referenced modules
-
-This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
-
-| Reference | Type |
-| :-- | :-- |
-| `modules/network/private-endpoint` | Local reference |
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/batch/batch-account/main.bicep b/modules/batch/batch-account/main.bicep
deleted file mode 100644
index 476a5045a1..0000000000
--- a/modules/batch/batch-account/main.bicep
+++ /dev/null
@@ -1,407 +0,0 @@
-metadata name = 'Batch Accounts'
-metadata description = 'This module deploys a Batch Account.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the Azure Batch.')
-param name string
-
-@description('Optional. Location for all Resources.')
-param location string = resourceGroup().location
-
-@description('Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both.')
-param managedIdentities managedIdentitiesType
-
-@description('Required. The resource ID of the storage account to be used for auto-storage account.')
-param storageAccountId string
-
-@allowed([
- 'BatchAccountManagedIdentity'
- 'StorageKeys'
-])
-@description('Optional. The authentication mode which the Batch service will use to manage the auto-storage account.')
-param storageAuthenticationMode string = 'StorageKeys'
-
-@description('Optional. The resource ID of a user assigned identity assigned to pools which have compute nodes that need access to auto-storage.')
-param storageAccessIdentity string = ''
-
-@allowed([
- 'BatchService'
- 'UserSubscription'
-])
-@description('Optional. The allocation mode for creating pools in the Batch account. Determines which quota will be used.')
-param poolAllocationMode string = 'BatchService'
-
-@description('Conditional. The key vault to associate with the Batch account. Required if the \'poolAllocationMode\' is set to \'UserSubscription\' and requires the service principal \'Microsoft Azure Batch\' to be granted contributor permissions on this key vault.')
-param keyVaultReferenceResourceId string = ''
-
-@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints privateEndpointType
-
-@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkProfileAllowedIpRanges are not set.')
-@allowed([
- ''
- 'Enabled'
- 'Disabled'
-])
-param publicNetworkAccess string = ''
-
-@allowed([
- 'Allow'
- 'Deny'
-])
-@description('Optional. The network profile default action for endpoint access. It is only applicable when publicNetworkAccess is not explicitly disabled.')
-param networkProfileDefaultAction string = 'Deny'
-
-@description('Optional. Array of IP ranges to filter client IP address. It is only applicable when publicNetworkAccess is not explicitly disabled.')
-param networkProfileAllowedIpRanges array = []
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@allowed([
- 'AAD'
- 'SharedKey'
- 'TaskAuthenticationToken'
-])
-@description('Optional. List of allowed authentication modes for the Batch account that can be used to authenticate with the data plane.')
-param allowedAuthenticationModes array = []
-
-@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.')
-param cMKKeyVaultResourceId string = ''
-
-@description('Optional. The name of the customer managed key to use for encryption.')
-param cMKKeyName string = ''
-
-@description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.')
-param cMKKeyVersion string = ''
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-
-var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? 'SystemAssigned' : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
- userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
-} : null
-
-var networkProfileIpRules = [for networkProfileAllowedIpRange in networkProfileAllowedIpRanges: {
- action: 'Allow'
- value: networkProfileAllowedIpRange
-}]
-
-var nodeIdentityReference = !empty(storageAccessIdentity) ? {
- resourceId: !empty(storageAccessIdentity) ? storageAccessIdentity : null
-} : null
-
-var autoStorageConfig = {
- authenticationMode: storageAuthenticationMode
- nodeIdentityReference: nodeIdentityReference
- storageAccountId: storageAccountId
-}
-
-var enableReferencedModulesTelemetry = false
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) {
- name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))!
- scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4])
-
- resource cMKKey 'keys@2023-02-01' existing = if (!empty(cMKKeyName)) {
- name: !empty(cMKKeyName) ? cMKKeyName : 'dummyKey'
- }
-}
-
-resource batchAccount 'Microsoft.Batch/batchAccounts@2022-06-01' = {
- name: name
- location: location
- tags: tags
- identity: identity
- properties: {
- allowedAuthenticationModes: allowedAuthenticationModes
- autoStorage: autoStorageConfig
- encryption: !empty(cMKKeyName) ? {
- keySource: 'Microsoft.KeyVault'
- keyVaultProperties: {
- keyIdentifier: !empty(cMKKeyVersion) ? '${cMKKeyVault::cMKKey.properties.keyUri}/${cMKKeyVersion}' : cMKKeyVault::cMKKey.properties.keyUriWithVersion
- }
- } : null
- keyVaultReference: poolAllocationMode == 'UserSubscription' ? {
- id: keyVaultReferenceResourceId
- url: cMKKeyVault.properties.vaultUri
- } : null
- networkProfile: (publicNetworkAccess == 'Disabled') || empty(networkProfileAllowedIpRanges) ? null : {
- accountAccess: {
- defaultAction: networkProfileDefaultAction
- ipRules: networkProfileIpRules
- }
- }
- poolAllocationMode: poolAllocationMode
- publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) && empty(networkProfileAllowedIpRanges) ? 'Disabled' : null)
- }
-}
-
-resource batchAccount_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: batchAccount
-}
-
-resource batchAccount_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: batchAccount
-}]
-
-resource batchAccount_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(batchAccount.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: batchAccount
-}]
-
-module batchAccount_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
- name: '${uniqueString(deployment().name, location)}-batchAccount-PrivateEndpoint-${index}'
- params: {
- groupIds: [
- privateEndpoint.?service ?? 'batchAccount'
- ]
- name: privateEndpoint.?name ?? 'pep-${last(split(batchAccount.id, '/'))}-${privateEndpoint.?service ?? 'batchAccount'}-${index}'
- serviceResourceId: batchAccount.id
- subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
- location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
- privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
- roleAssignments: privateEndpoint.?roleAssignments
- tags: privateEndpoint.?tags ?? tags
- manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
- customDnsConfigs: privateEndpoint.?customDnsConfigs
- ipConfigurations: privateEndpoint.?ipConfigurations
- applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
- customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
- }
-}]
-
-@description('The name of the batch account.')
-output name string = batchAccount.name
-
-@description('The resource ID of the batch account.')
-output resourceId string = batchAccount.id
-
-@description('The resource group the batch account was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = batchAccount.location
-
-@description('The principal ID of the system assigned identity.')
-output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(batchAccount.identity, 'principalId') ? batchAccount.identity.principalId : ''
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]?
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type privateEndpointType = {
- @description('Optional. The name of the private endpoint.')
- name: string?
-
- @description('Optional. The location to deploy the private endpoint to.')
- location: string?
-
- @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
- service: string?
-
- @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
- subnetResourceId: string
-
- @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
- privateDnsZoneGroupName: string?
-
- @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
- privateDnsZoneResourceIds: string[]?
-
- @description('Optional. Custom DNS configurations.')
- customDnsConfigs: {
- @description('Required. Fqdn that resolves to private endpoint ip address.')
- fqdn: string?
-
- @description('Required. A list of private ip addresses of the private endpoint.')
- ipAddresses: string[]
- }[]?
-
- @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
- ipConfigurations: {
- @description('Required. The name of the resource that is unique within a resource group.')
- name: string
-
- @description('Required. Properties of private endpoint IP configurations.')
- properties: {
- @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
- groupId: string
-
- @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
- memberName: string
-
- @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
- privateIPAddress: string
- }
- }[]?
-
- @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
- applicationSecurityGroupResourceIds: string[]?
-
- @description('Optional. The custom name of the network interface attached to the private endpoint.')
- customNetworkInterfaceName: string?
-
- @description('Optional. Specify the type of lock.')
- lock: lockType
-
- @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource.
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleAssignments: roleAssignmentType
-
- @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
- tags: object?
-
- @description('Optional. Manual PrivateLink Service Connections.')
- manualPrivateLinkServiceConnections: array?
-
- @description('Optional. Enable/Disable usage telemetry for module.')
- enableTelemetry: bool?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace.
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/batch/batch-account/main.json b/modules/batch/batch-account/main.json
deleted file mode 100644
index 963156fc27..0000000000
--- a/modules/batch/batch-account/main.json
+++ /dev/null
@@ -1,1373 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "12136628607007085448" - }, - "name": "Batch Accounts", - "description": "This module deploys a Batch Account.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." 
- } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. 
Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
- } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Azure Batch." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." 
- } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both." - } - }, - "storageAccountId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the storage account to be used for auto-storage account." - } - }, - "storageAuthenticationMode": { - "type": "string", - "defaultValue": "StorageKeys", - "allowedValues": [ - "BatchAccountManagedIdentity", - "StorageKeys" - ], - "metadata": { - "description": "Optional. The authentication mode which the Batch service will use to manage the auto-storage account." - } - }, - "storageAccessIdentity": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of a user assigned identity assigned to pools which have compute nodes that need access to auto-storage." - } - }, - "poolAllocationMode": { - "type": "string", - "defaultValue": "BatchService", - "allowedValues": [ - "BatchService", - "UserSubscription" - ], - "metadata": { - "description": "Optional. The allocation mode for creating pools in the Batch account. Determines which quota will be used." - } - }, - "keyVaultReferenceResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The key vault to associate with the Batch account. Required if the 'poolAllocationMode' is set to 'UserSubscription' and requires the service principal 'Microsoft Azure Batch' to be granted contributor permissions on this key vault." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." 
- } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkProfileAllowedIpRanges are not set." - } - }, - "networkProfileDefaultAction": { - "type": "string", - "defaultValue": "Deny", - "allowedValues": [ - "Allow", - "Deny" - ], - "metadata": { - "description": "Optional. The network profile default action for endpoint access. It is only applicable when publicNetworkAccess is not explicitly disabled." - } - }, - "networkProfileAllowedIpRanges": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of IP ranges to filter client IP address. It is only applicable when publicNetworkAccess is not explicitly disabled." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." 
- } - }, - "allowedAuthenticationModes": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "AAD", - "SharedKey", - "TaskAuthenticationToken" - ], - "metadata": { - "description": "Optional. List of allowed authentication modes for the Batch account that can be used to authenticate with the data plane." - } - }, - "cMKKeyVaultResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty." - } - }, - "cMKKeyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the customer managed key to use for encryption." - } - }, - "cMKKeyVersion": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "networkProfileIpRules", - "count": "[length(parameters('networkProfileAllowedIpRanges'))]", - "input": { - "action": "Allow", - "value": "[parameters('networkProfileAllowedIpRanges')[copyIndex('networkProfileIpRules')]]" - } - } - ], - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "nodeIdentityReference": "[if(not(empty(parameters('storageAccessIdentity'))), createObject('resourceId', if(not(empty(parameters('storageAccessIdentity'))), parameters('storageAccessIdentity'), null())), null())]", - "autoStorageConfig": { - "authenticationMode": "[parameters('storageAuthenticationMode')]", - "nodeIdentityReference": "[variables('nodeIdentityReference')]", - "storageAccountId": "[parameters('storageAccountId')]" - }, - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control 
Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "cMKKeyVault::cMKKey": { - "condition": "[and(not(empty(parameters('cMKKeyVaultResourceId'))), not(empty(parameters('cMKKeyName'))))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults/keys", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/')), if(not(empty(parameters('cMKKeyName'))), parameters('cMKKeyName'), 'dummyKey'))]", - "dependsOn": [ - "cMKKeyVault" - ] - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "cMKKeyVault": { - "condition": "[not(empty(parameters('cMKKeyVaultResourceId')))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2021-10-01", - "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), 
parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/'))]" - }, - "batchAccount": { - "type": "Microsoft.Batch/batchAccounts", - "apiVersion": "2022-06-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "properties": { - "allowedAuthenticationModes": "[parameters('allowedAuthenticationModes')]", - "autoStorage": "[variables('autoStorageConfig')]", - "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('keySource', 'Microsoft.KeyVault', 'keyVaultProperties', createObject('keyIdentifier', if(not(empty(parameters('cMKKeyVersion'))), format('{0}/{1}', reference('cMKKeyVault::cMKKey').keyUri, parameters('cMKKeyVersion')), reference('cMKKeyVault::cMKKey').keyUriWithVersion))), null())]", - "keyVaultReference": "[if(equals(parameters('poolAllocationMode'), 'UserSubscription'), createObject('id', parameters('keyVaultReferenceResourceId'), 'url', reference('cMKKeyVault').vaultUri), null())]", - "networkProfile": "[if(or(equals(parameters('publicNetworkAccess'), 'Disabled'), empty(parameters('networkProfileAllowedIpRanges'))), null(), createObject('accountAccess', createObject('defaultAction', parameters('networkProfileDefaultAction'), 'ipRules', variables('networkProfileIpRules'))))]", - "poolAllocationMode": "[parameters('poolAllocationMode')]", - "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), if(and(not(empty(parameters('privateEndpoints'))), empty(parameters('networkProfileAllowedIpRanges'))), 'Disabled', null()))]" - }, - "dependsOn": [ - "cMKKeyVault" - ] - }, - "batchAccount_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": 
"Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Batch/batchAccounts/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "batchAccount" - ] - }, - "batchAccount_diagnosticSettings": { - "copy": { - "name": "batchAccount_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Batch/batchAccounts/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), 
createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "batchAccount" - ] - }, - "batchAccount_roleAssignments": { - "copy": { - "name": "batchAccount_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Batch/batchAccounts/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Batch/batchAccounts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), 
coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "batchAccount" - ] - }, - "batchAccount_privateEndpoints": { - "copy": { - "name": "batchAccount_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-batchAccount-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'batchAccount')]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Batch/batchAccounts', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'batchAccount'), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.Batch/batchAccounts', parameters('name'))]" - }, - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), 
createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": 
"This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." 
- } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." 
- } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. 
Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } 
- }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - "groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": 
"privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": 
"Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "batchAccount" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the batch account." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the batch account." - }, - "value": "[resourceId('Microsoft.Batch/batchAccounts', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the batch account was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('batchAccount', '2022-06-01', 'full').location]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." 
- }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('batchAccount', '2022-06-01', 'full').identity, 'principalId')), reference('batchAccount', '2022-06-01', 'full').identity.principalId, '')]" - } - } -} \ No newline at end of file
diff --git a/modules/batch/batch-account/tests/e2e/defaults/dependencies.bicep b/modules/batch/batch-account/tests/e2e/defaults/dependencies.bicep
deleted file mode 100644
index f069fcdbd9..0000000000
--- a/modules/batch/batch-account/tests/e2e/defaults/dependencies.bicep
+++ /dev/null
@@ -1,17 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output storageAccountResourceId string = storageAccount.id
diff --git a/modules/batch/batch-account/tests/e2e/defaults/main.test.bicep b/modules/batch/batch-account/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index aa138f8c7d..0000000000
--- a/modules/batch/batch-account/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,58 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-batch.batchaccounts-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'bbamin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}st${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- storageAccountId: nestedDependencies.outputs.storageAccountResourceId
- }
-}]
diff --git a/modules/batch/batch-account/tests/e2e/encr/dependencies.bicep b/modules/batch/batch-account/tests/e2e/encr/dependencies.bicep
deleted file mode 100644
index 9b4b4dd4cc..0000000000
--- a/modules/batch/batch-account/tests/e2e/encr/dependencies.bicep
+++ /dev/null
@@ -1,123 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
-}
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.batch.azure.com'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: true // Required by batch account
- softDeleteRetentionInDays: 7
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-
- resource key 'keys@2022-07-01' = {
- name: 'keyEncryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-}
-
-resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment')
- scope: keyVault::key
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User
- principalType: 'ServicePrincipal'
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
-
-@description('The URL of the created Key Vault.')
-output keyVaultUrl string = keyVault.properties.vaultUri
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output storageAccountResourceId string = storageAccount.id
-
-@description('The name of the Key Vault Encryption Key.')
-output keyVaultEncryptionKeyName string = keyVault::key.name
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/batch/batch-account/tests/e2e/encr/main.test.bicep b/modules/batch/batch-account/tests/e2e/encr/main.test.bicep
deleted file mode 100644
index f32f9a7655..0000000000
--- a/modules/batch/batch-account/tests/e2e/encr/main.test.bicep
+++ /dev/null
@@ -1,91 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-batch.batchaccounts-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'bbaencr'
-
-@description('Generated. Used as a basis for unique resource names.')
-param baseTime string = utcNow('u')
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}st${serviceShort}'
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- storageAccountId: nestedDependencies.outputs.storageAccountResourceId
- cMKKeyName: nestedDependencies.outputs.keyVaultEncryptionKeyName
- cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- poolAllocationMode: 'BatchService'
- privateEndpoints: [
- {
- service: 'batchAccount'
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- storageAccessIdentity: nestedDependencies.outputs.managedIdentityResourceId
- storageAuthenticationMode: 'BatchAccountManagedIdentity'
- managedIdentities: {
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/batch/batch-account/tests/e2e/max/dependencies.bicep b/modules/batch/batch-account/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 462e8a5f27..0000000000
--- a/modules/batch/batch-account/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,78 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
-}
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.batch.azure.com'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output storageAccountResourceId string = storageAccount.id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/batch/batch-account/tests/e2e/max/main.test.bicep b/modules/batch/batch-account/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 64ae401f0e..0000000000
--- a/modules/batch/batch-account/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,130 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-batch.batchaccounts-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'bbamax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}st${serviceShort}'
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- storageAccountId: nestedDependencies.outputs.storageAccountResourceId
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- poolAllocationMode: 'BatchService'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- privateEndpoints: [
- {
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- storageAccessIdentity: nestedDependencies.outputs.managedIdentityResourceId
- storageAuthenticationMode: 'BatchAccountManagedIdentity'
- managedIdentities: {
- systemAssigned: true
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/batch/batch-account/tests/e2e/waf-aligned/dependencies.bicep b/modules/batch/batch-account/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 462e8a5f27..0000000000
--- a/modules/batch/batch-account/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,78 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
-}
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.batch.azure.com'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output storageAccountResourceId string = storageAccount.id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/batch/batch-account/tests/e2e/waf-aligned/main.test.bicep b/modules/batch/batch-account/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index d4edb44cb9..0000000000
--- a/modules/batch/batch-account/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,130 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-batch.batchaccounts-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'bbawaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}st${serviceShort}'
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- storageAccountId: nestedDependencies.outputs.storageAccountResourceId
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- poolAllocationMode: 'BatchService'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- privateEndpoints: [
- {
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- storageAccessIdentity: nestedDependencies.outputs.managedIdentityResourceId
- storageAuthenticationMode: 'BatchAccountManagedIdentity'
- managedIdentities: {
- systemAssigned: true
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/batch/batch-account/version.json b/modules/batch/batch-account/version.json
deleted file mode 100644
index 04a0dd1a80..0000000000
--- a/modules/batch/batch-account/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.5",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/cache/redis-enterprise/README.md b/modules/cache/redis-enterprise/README.md
index c39d1698a8..13ee7a290a 100644
--- a/modules/cache/redis-enterprise/README.md
+++ b/modules/cache/redis-enterprise/README.md
@@ -1,1188 +1,7 @@ -# Redis Cache Enterprise `[Microsoft.Cache/redisEnterprise]` +

⚠️ Retired ⚠️

-This module deploys a Redis Cache Enterprise. +This module has been retired without a replacement in Azure Verified Modules ([AVM](https://aka.ms/AVM)). -## Navigation +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/cache/redis-enterprise). -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Cache/redisEnterprise` | [2022-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cache/2022-01-01/redisEnterprise) | -| `Microsoft.Cache/redisEnterprise/databases` | [2022-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cache/2022-01-01/redisEnterprise/databases) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module 
successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/cache.redis-enterprise:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Geo](#example-2-geo) -- [Using large parameter set](#example-3-using-large-parameter-set) -- [WAF-aligned](#example-4-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cremin' - params: { - // Required parameters - name: 'cremin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "cremin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Geo_ - -

- -via Bicep module - -```bicep -module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cregeo' - params: { - // Required parameters - name: '' - // Non-required parameters - capacity: 2 - databases: [ - { - clusteringPolicy: 'EnterpriseCluster' - evictionPolicy: 'NoEviction' - geoReplication: { - groupNickname: '' - linkedDatabases: [ - { - id: '' - } - { - id: '' - } - ] - } - modules: [ - { - name: 'RediSearch' - } - { - name: 'RedisJSON' - } - ] - persistenceAofEnabled: false - persistenceRdbEnabled: false - port: 10000 - } - ] - enableDefaultTelemetry: '' - tags: { - 'hidden-title': 'This is visible in the resource name' - resourceType: 'Redis Cache Enterprise' - } - zoneRedundant: true - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "" - }, - // Non-required parameters - "capacity": { - "value": 2 - }, - "databases": { - "value": [ - { - "clusteringPolicy": "EnterpriseCluster", - "evictionPolicy": "NoEviction", - "geoReplication": { - "groupNickname": "", - "linkedDatabases": [ - { - "id": "" - }, - { - "id": "" - } - ] - }, - "modules": [ - { - "name": "RediSearch" - }, - { - "name": "RedisJSON" - } - ], - "persistenceAofEnabled": false, - "persistenceRdbEnabled": false, - "port": 10000 - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "tags": { - "value": { - "hidden-title": "This is visible in the resource name", - "resourceType": "Redis Cache Enterprise" - } - }, - "zoneRedundant": { - "value": true - } - } -} -``` - -
-

- -### Example 3: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cremax' - params: { - // Required parameters - name: 'cremax001' - // Non-required parameters - capacity: 2 - databases: [ - { - clusteringPolicy: 'EnterpriseCluster' - evictionPolicy: 'AllKeysLFU' - modules: [ - { - name: 'RedisBloom' - } - { - args: 'RETENTION_POLICY 20' - name: 'RedisTimeSeries' - } - ] - persistenceAofEnabled: true - persistenceAofFrequency: '1s' - persistenceRdbEnabled: false - port: 10000 - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - minimumTlsVersion: '1.2' - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - resourceType: 'Redis Cache Enterprise' - } - zoneRedundant: true - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "cremax001" - }, - // Non-required parameters - "capacity": { - "value": 2 - }, - "databases": { - "value": [ - { - "clusteringPolicy": "EnterpriseCluster", - "evictionPolicy": "AllKeysLFU", - "modules": [ - { - "name": "RedisBloom" - }, - { - "args": "RETENTION_POLICY 20", - "name": "RedisTimeSeries" - } - ], - "persistenceAofEnabled": true, - "persistenceAofFrequency": "1s", - "persistenceRdbEnabled": false, - "port": 10000 - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "minimumTlsVersion": { - "value": "1.2" - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "hidden-title": "This is visible in the resource name", - "resourceType": "Redis Cache Enterprise" - } - }, - "zoneRedundant": { - "value": true - } - } -} -``` - -
-

- -### Example 4: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-crewaf' - params: { - // Required parameters - name: 'crewaf001' - // Non-required parameters - capacity: 2 - databases: [ - { - clusteringPolicy: 'EnterpriseCluster' - evictionPolicy: 'AllKeysLFU' - modules: [ - { - name: 'RedisBloom' - } - { - args: 'RETENTION_POLICY 20' - name: 'RedisTimeSeries' - } - ] - persistenceAofEnabled: true - persistenceAofFrequency: '1s' - persistenceRdbEnabled: false - port: 10000 - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - minimumTlsVersion: '1.2' - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - resourceType: 'Redis Cache Enterprise' - } - zoneRedundant: true - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "crewaf001" - }, - // Non-required parameters - "capacity": { - "value": 2 - }, - "databases": { - "value": [ - { - "clusteringPolicy": "EnterpriseCluster", - "evictionPolicy": "AllKeysLFU", - "modules": [ - { - "name": "RedisBloom" - }, - { - "args": "RETENTION_POLICY 20", - "name": "RedisTimeSeries" - } - ], - "persistenceAofEnabled": true, - "persistenceAofFrequency": "1s", - "persistenceRdbEnabled": false, - "port": 10000 - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "minimumTlsVersion": { - "value": "1.2" - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "tags": { - "value": { - "hidden-title": "This is visible in the resource name", - "resourceType": "Redis Cache Enterprise" - } - }, - "zoneRedundant": { - "value": true - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the Redis Cache Enterprise resource. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`capacity`](#parameter-capacity) | int | The size of the Redis Enterprise Cluster. Defaults to 2. Valid values are (2, 4, 6, ...) for Enterprise SKUs and (3, 9, 15, ...) for Flash SKUs. | -| [`databases`](#parameter-databases) | array | The databases to create in the Redis Cache Enterprise Cluster. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | The geo-location where the resource lives. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`minimumTlsVersion`](#parameter-minimumtlsversion) | string | Requires clients to use a specified TLS version (or higher) to connect. | -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`skuName`](#parameter-skuname) | string | The type of Redis Enterprise Cluster to deploy. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`zoneRedundant`](#parameter-zoneredundant) | bool | When true, the cluster will be deployed across availability zones. | - -### Parameter: `name` - -The name of the Redis Cache Enterprise resource. - -- Required: Yes -- Type: string - -### Parameter: `capacity` - -The size of the Redis Enterprise Cluster. Defaults to 2. Valid values are (2, 4, 6, ...) for Enterprise SKUs and (3, 9, 15, ...) 
for Flash SKUs. - -- Required: No -- Type: int -- Default: `2` - -### Parameter: `databases` - -The databases to create in the Redis Cache Enterprise Cluster. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. 
- -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -The geo-location where the resource lives. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `minimumTlsVersion` - -Requires clients to use a specified TLS version (or higher) to connect. - -- Required: No -- Type: string -- Default: `'1.2'` -- Allowed: - ```Bicep - [ - '1.0' - '1.1' - '1.2' - ] - ``` - -### Parameter: `privateEndpoints` - -Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. 
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. 
A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.subnetResourceId` - -Resource ID of the subnet where the endpoint needs to be created. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Application security groups in which the private endpoint IP configuration is included. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customDnsConfigs` - -Custom DNS configurations. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customNetworkInterfaceName` - -The custom name of the network interface attached to the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.enableTelemetry` - -Enable/Disable usage telemetry for module. - -- Required: No -- Type: bool - -### Parameter: `privateEndpoints.ipConfigurations` - -A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.location` - -The location to deploy the private endpoint to. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.lock` - -Specify the type of lock. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | -| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. 
| - -### Parameter: `privateEndpoints.lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `privateEndpoints.lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` - -Manual PrivateLink Service Connections. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.name` - -The name of the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneGroupName` - -The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` - -The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `privateEndpoints.roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. 
- -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `privateEndpoints.service` - -The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.tags` - -Tags to be applied on all resources/resource groups in this deployment. - -- Required: No -- Type: object - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. 
| -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. 
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Device'
- 'ForeignGroup'
- 'Group'
- 'ServicePrincipal'
- 'User'
- ]
- ```
-
-### Parameter: `skuName`
-
-The type of Redis Enterprise Cluster to deploy.
-
-- Required: No
-- Type: string
-- Default: `'Enterprise_E10'`
-- Allowed:
- ```Bicep
- [
- 'Enterprise_E10'
- 'Enterprise_E100'
- 'Enterprise_E20'
- 'Enterprise_E50'
- 'EnterpriseFlash_F1500'
- 'EnterpriseFlash_F300'
- 'EnterpriseFlash_F700'
- ]
- ```
-
-### Parameter: `tags`
-
-Tags of the resource.
-
-- Required: No
-- Type: object
-
-### Parameter: `zoneRedundant`
-
-When true, the cluster will be deployed across availability zones.
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `hostName` | string | Redis hostname. |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the redis cache enterprise. |
-| `resourceGroupName` | string | The name of the resource group the redis cache enterprise was created in. |
-| `resourceId` | string | The resource ID of the redis cache enterprise. |
-
-## Cross-referenced modules
-
-This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
-
-| Reference | Type |
-| :-- | :-- |
-| `modules/network/private-endpoint` | Local reference |
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/cache/redis-enterprise/database/README.md b/modules/cache/redis-enterprise/database/README.md
deleted file mode 100644
index 31f20ebd4b..0000000000
--- a/modules/cache/redis-enterprise/database/README.md
+++ /dev/null
@@ -1,255 +0,0 @@ -# Redis Cache Enterprise Databases `[Microsoft.Cache/redisEnterprise/databases]` - -This module deploys a Redis Cache Enterprise Database. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Cache/redisEnterprise/databases` | [2022-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cache/2022-01-01/redisEnterprise/databases) | - -## Parameters - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`persistenceAofFrequency`](#parameter-persistenceaoffrequency) | string | Sets the frequency at which data is written to disk. Required if AOF persistence is enabled. | -| [`persistenceRdbFrequency`](#parameter-persistencerdbfrequency) | string | Sets the frequency at which a snapshot of the database is created. Required if RDB persistence is enabled. | -| [`redisCacheEnterpriseName`](#parameter-rediscacheenterprisename) | string | The name of the parent Redis Cache Enterprise Cluster. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`clientProtocol`](#parameter-clientprotocol) | string | Specifies whether redis clients can connect using TLS-encrypted or plaintext redis protocols. Default is TLS-encrypted. | -| [`clusteringPolicy`](#parameter-clusteringpolicy) | string | Specifies the clustering policy to enable at creation time of the Redis Cache Enterprise Cluster. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`evictionPolicy`](#parameter-evictionpolicy) | string | Redis eviction policy - default is VolatileLRU. 
| -| [`geoReplication`](#parameter-georeplication) | object | Optional set of properties to configure geo replication for this database. Geo replication prerequisites must be met. See "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-how-to-active-geo-replication#active-geo-replication-prerequisites" for more information. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`modules`](#parameter-modules) | array | Optional set of redis modules to enable in this database - modules can only be added at creation time. | -| [`persistenceAofEnabled`](#parameter-persistenceaofenabled) | bool | Sets whether AOF is enabled. Required if setting AOF frequency. AOF and RDB persistence cannot be enabled at the same time. | -| [`persistenceRdbEnabled`](#parameter-persistencerdbenabled) | bool | Sets whether RDB is enabled. RDB and AOF persistence cannot be enabled at the same time. | -| [`port`](#parameter-port) | int | TCP port of the database endpoint. Specified at create time. Default is (-1) meaning value is not set and defaults to an available port. Current supported port is 10000. | - -### Parameter: `persistenceAofFrequency` - -Sets the frequency at which data is written to disk. Required if AOF persistence is enabled. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - '1s' - 'always' - ] - ``` - -### Parameter: `persistenceRdbFrequency` - -Sets the frequency at which a snapshot of the database is created. Required if RDB persistence is enabled. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - '12h' - '1h' - '6h' - ] - ``` - -### Parameter: `redisCacheEnterpriseName` - -The name of the parent Redis Cache Enterprise Cluster. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `clientProtocol` - -Specifies whether redis clients can connect using TLS-encrypted or plaintext redis protocols. 
Default is TLS-encrypted. - -- Required: No -- Type: string -- Default: `'Encrypted'` -- Allowed: - ```Bicep - [ - 'Encrypted' - 'Plaintext' - ] - ``` - -### Parameter: `clusteringPolicy` - -Specifies the clustering policy to enable at creation time of the Redis Cache Enterprise Cluster. - -- Required: No -- Type: string -- Default: `'OSSCluster'` -- Allowed: - ```Bicep - [ - 'EnterpriseCluster' - 'OSSCluster' - ] - ``` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `evictionPolicy` - -Redis eviction policy - default is VolatileLRU. - -- Required: No -- Type: string -- Default: `'VolatileLRU'` -- Allowed: - ```Bicep - [ - 'AllKeysLFU' - 'AllKeysLRU' - 'AllKeysRandom' - 'NoEviction' - 'VolatileLFU' - 'VolatileLRU' - 'VolatileRandom' - 'VolatileTTL' - ] - ``` - -### Parameter: `geoReplication` - -Optional set of properties to configure geo replication for this database. Geo replication prerequisites must be met. See "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-how-to-active-geo-replication#active-geo-replication-prerequisites" for more information. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `modules` - -Optional set of redis modules to enable in this database - modules can only be added at creation time. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `persistenceAofEnabled` - -Sets whether AOF is enabled. Required if setting AOF frequency. AOF and RDB persistence cannot be enabled at the same time. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `persistenceRdbEnabled` - -Sets whether RDB is enabled. RDB and AOF persistence cannot be enabled at the same time. 
- -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `port` - -TCP port of the database endpoint. Specified at create time. Default is (-1) meaning value is not set and defaults to an available port. Current supported port is 10000. - -- Required: No -- Type: int -- Default: `-1` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed database. | -| `resourceGroupName` | string | The resource group of the deployed database. | -| `resourceId` | string | The resource ID of the deployed database. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `modules` - -Optional set of Redis modules to enable in this database. Modules can only be added at creation time. Each module requires a name (e.g. 'RedisBloom', 'RediSearch', 'RedisTimeSeries') and optionally an argument (e.g. 'ERROR_RATE 0.01 INITIAL_SIZE 400'). See [Redis Cache modules documentation](https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-redis-modules) for more information. - -

- -Parameter JSON format - -```json -"modules": { - "value": [ - { - "name": "RedisBloom", - "args": "ERROR_RATE 0.00 INITIAL_SIZE 400" - }, - { - "name": "RedisTimeSeries", - "args": "RETENTION_POLICY 20" - }, - { - "name": "RediSearch" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -modules: [ - { - name: 'RedisBloom' - args: 'ERROR_RATE 1.00 INITIAL_SIZE 400' - } - { - name: 'RedisTimeSeries' - args: 'RETENTION_POLICY 20' - } - { - name: 'RediSearch' - } -] -``` - -
-

diff --git a/modules/cache/redis-enterprise/database/main.bicep b/modules/cache/redis-enterprise/database/main.bicep
deleted file mode 100644
index 793f8294a4..0000000000
--- a/modules/cache/redis-enterprise/database/main.bicep
+++ /dev/null
@@ -1,115 +0,0 @@ -metadata name = 'Redis Cache Enterprise Databases' -metadata description = 'This module deploys a Redis Cache Enterprise Database.' -metadata owner = 'Azure/module-maintainers' - -@description('Conditional. The name of the parent Redis Cache Enterprise Cluster. Required if the template is used in a standalone deployment.') -param redisCacheEnterpriseName string - -@allowed([ - 'Encrypted' - 'Plaintext' -]) -@description('Optional. Specifies whether redis clients can connect using TLS-encrypted or plaintext redis protocols. Default is TLS-encrypted.') -param clientProtocol string = 'Encrypted' - -@allowed([ - 'EnterpriseCluster' - 'OSSCluster' -]) -@description('Optional. Specifies the clustering policy to enable at creation time of the Redis Cache Enterprise Cluster.') -param clusteringPolicy string = 'OSSCluster' - -@allowed([ - 'AllKeysLFU' - 'AllKeysLRU' - 'AllKeysRandom' - 'NoEviction' - 'VolatileLFU' - 'VolatileLRU' - 'VolatileRandom' - 'VolatileTTL' -]) -@description('Optional. Redis eviction policy - default is VolatileLRU.') -param evictionPolicy string = 'VolatileLRU' - -@description('Optional. Optional set of properties to configure geo replication for this database. Geo replication prerequisites must be met. See "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-how-to-active-geo-replication#active-geo-replication-prerequisites" for more information.') -param geoReplication object = {} - -@description('Optional. Optional set of redis modules to enable in this database - modules can only be added at creation time.') -param modules array = [] - -@description('Optional. Sets whether AOF is enabled. Required if setting AOF frequency. AOF and RDB persistence cannot be enabled at the same time.') -param persistenceAofEnabled bool = false - -@allowed([ - '' - '1s' - 'always' -]) -@description('Conditional. Sets the frequency at which data is written to disk. 
Required if AOF persistence is enabled.') -param persistenceAofFrequency string = '' - -@description('Optional. Sets whether RDB is enabled. RDB and AOF persistence cannot be enabled at the same time.') -param persistenceRdbEnabled bool = false - -@allowed([ - '' - '12h' - '1h' - '6h' -]) -@description('Conditional. Sets the frequency at which a snapshot of the database is created. Required if RDB persistence is enabled.') -param persistenceRdbFrequency string = '' - -@description('Optional. TCP port of the database endpoint. Specified at create time. Default is (-1) meaning value is not set and defaults to an available port. Current supported port is 10000.') -param port int = -1 - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource redisCacheEnterprise 'Microsoft.Cache/redisEnterprise@2022-01-01' existing = { - name: redisCacheEnterpriseName -} - -resource database 'Microsoft.Cache/redisEnterprise/databases@2022-01-01' = { - name: 'default' - parent: redisCacheEnterprise - properties: { - clientProtocol: !empty(clientProtocol) ? clientProtocol : null - clusteringPolicy: !empty(clusteringPolicy) ? clusteringPolicy : null - evictionPolicy: !empty(evictionPolicy) ? evictionPolicy : null - geoReplication: !empty(geoReplication) ? geoReplication : null - modules: !empty(modules) ? 
modules : null
- persistence: {
- aofEnabled: persistenceAofEnabled
- aofFrequency: !empty(persistenceAofFrequency) ? persistenceAofFrequency : null
- rdbEnabled: persistenceRdbEnabled
- rdbFrequency: !empty(persistenceRdbFrequency) ? persistenceRdbFrequency : null
- }
- port: port != -1 ? port : null
- }
-}
-
-@description('The name of the deployed database.')
-output name string = database.name
-
-@description('The resource ID of the deployed database.')
-output resourceId string = database.id
-
-@description('The resource group of the deployed database.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/cache/redis-enterprise/database/main.json b/modules/cache/redis-enterprise/database/main.json
deleted file mode 100644
index b5b92407aa..0000000000
--- a/modules/cache/redis-enterprise/database/main.json
+++ /dev/null
@@ -1,193 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2473493174520406257" - }, - "name": "Redis Cache Enterprise Databases", - "description": "This module deploys a Redis Cache Enterprise Database.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "redisCacheEnterpriseName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Redis Cache Enterprise Cluster. Required if the template is used in a standalone deployment." - } - }, - "clientProtocol": { - "type": "string", - "defaultValue": "Encrypted", - "allowedValues": [ - "Encrypted", - "Plaintext" - ], - "metadata": { - "description": "Optional. Specifies whether redis clients can connect using TLS-encrypted or plaintext redis protocols. Default is TLS-encrypted." - } - }, - "clusteringPolicy": { - "type": "string", - "defaultValue": "OSSCluster", - "allowedValues": [ - "EnterpriseCluster", - "OSSCluster" - ], - "metadata": { - "description": "Optional. Specifies the clustering policy to enable at creation time of the Redis Cache Enterprise Cluster." - } - }, - "evictionPolicy": { - "type": "string", - "defaultValue": "VolatileLRU", - "allowedValues": [ - "AllKeysLFU", - "AllKeysLRU", - "AllKeysRandom", - "NoEviction", - "VolatileLFU", - "VolatileLRU", - "VolatileRandom", - "VolatileTTL" - ], - "metadata": { - "description": "Optional. Redis eviction policy - default is VolatileLRU." - } - }, - "geoReplication": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Optional set of properties to configure geo replication for this database. Geo replication prerequisites must be met. 
See \"https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-how-to-active-geo-replication#active-geo-replication-prerequisites\" for more information." - } - }, - "modules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Optional set of redis modules to enable in this database - modules can only be added at creation time." - } - }, - "persistenceAofEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Sets whether AOF is enabled. Required if setting AOF frequency. AOF and RDB persistence cannot be enabled at the same time." - } - }, - "persistenceAofFrequency": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "1s", - "always" - ], - "metadata": { - "description": "Conditional. Sets the frequency at which data is written to disk. Required if AOF persistence is enabled." - } - }, - "persistenceRdbEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Sets whether RDB is enabled. RDB and AOF persistence cannot be enabled at the same time." - } - }, - "persistenceRdbFrequency": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "12h", - "1h", - "6h" - ], - "metadata": { - "description": "Conditional. Sets the frequency at which a snapshot of the database is created. Required if RDB persistence is enabled." - } - }, - "port": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. TCP port of the database endpoint. Specified at create time. Default is (-1) meaning value is not set and defaults to an available port. Current supported port is 10000." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. 
Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Cache/redisEnterprise/databases", - "apiVersion": "2022-01-01", - "name": "[format('{0}/{1}', parameters('redisCacheEnterpriseName'), 'default')]", - "properties": { - "clientProtocol": "[if(not(empty(parameters('clientProtocol'))), parameters('clientProtocol'), null())]", - "clusteringPolicy": "[if(not(empty(parameters('clusteringPolicy'))), parameters('clusteringPolicy'), null())]", - "evictionPolicy": "[if(not(empty(parameters('evictionPolicy'))), parameters('evictionPolicy'), null())]", - "geoReplication": "[if(not(empty(parameters('geoReplication'))), parameters('geoReplication'), null())]", - "modules": "[if(not(empty(parameters('modules'))), parameters('modules'), null())]", - "persistence": { - "aofEnabled": "[parameters('persistenceAofEnabled')]", - "aofFrequency": "[if(not(empty(parameters('persistenceAofFrequency'))), parameters('persistenceAofFrequency'), null())]", - "rdbEnabled": "[parameters('persistenceRdbEnabled')]", - "rdbFrequency": "[if(not(empty(parameters('persistenceRdbFrequency'))), parameters('persistenceRdbFrequency'), null())]" - }, - "port": "[if(not(equals(parameters('port'), -1)), parameters('port'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed database." 
- }, - "value": "default" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed database." - }, - "value": "[resourceId('Microsoft.Cache/redisEnterprise/databases', parameters('redisCacheEnterpriseName'), 'default')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed database." - }, - "value": "[resourceGroup().name]" - } - } -}
\ No newline at end of file
diff --git a/modules/cache/redis-enterprise/database/version.json b/modules/cache/redis-enterprise/database/version.json
deleted file mode 100644
index 04a0dd1a80..0000000000
--- a/modules/cache/redis-enterprise/database/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.5",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/cache/redis-enterprise/main.bicep b/modules/cache/redis-enterprise/main.bicep
deleted file mode 100644
index cdc3b5a490..0000000000
--- a/modules/cache/redis-enterprise/main.bicep
+++ /dev/null
@@ -1,328 +0,0 @@
-metadata name = 'Redis Cache Enterprise'
-metadata description = 'This module deploys a Redis Cache Enterprise.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Optional. The geo-location where the resource lives.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Redis Cache Enterprise resource.')
-param name string
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@allowed([
- '1.0'
- '1.1'
- '1.2'
-])
-@description('Optional. Requires clients to use a specified TLS version (or higher) to connect.')
-param minimumTlsVersion string = '1.2'
-
-@description('Optional. The size of the Redis Enterprise Cluster. Defaults to 2. Valid values are (2, 4, 6, ...) for Enterprise SKUs and (3, 9, 15, ...) for Flash SKUs.')
-param capacity int = 2
-
-@allowed([
- 'EnterpriseFlash_F1500'
- 'EnterpriseFlash_F300'
- 'EnterpriseFlash_F700'
- 'Enterprise_E10'
- 'Enterprise_E100'
- 'Enterprise_E20'
- 'Enterprise_E50'
-])
-@description('Optional. The type of Redis Enterprise Cluster to deploy.')
-param skuName string = 'Enterprise_E10'
-
-@description('Optional. When true, the cluster will be deployed across availability zones.')
-param zoneRedundant bool = true
-
-@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints privateEndpointType
-
-@description('Optional. The databases to create in the Redis Cache Enterprise Cluster.')
-param databases array = []
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var availabilityZones = zoneRedundant ? pickZones('Microsoft.Cache', 'redisEnterprise', location, 3) : []
-
-var enableReferencedModulesTelemetry = false
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Redis Cache Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e0f68234-74aa-48ed-b826-c38b57376e17')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource redisEnterprise 'Microsoft.Cache/redisEnterprise@2022-01-01' = {
- name: name
- location: location
- tags: tags
- sku: {
- capacity: capacity
- name: skuName
- }
- properties: {
- minimumTlsVersion: minimumTlsVersion
- }
- zones: availabilityZones
-}
-
-resource redisEnterprise_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: redisEnterprise
-}
-
-resource redisEnterprise_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: redisEnterprise
-}]
-
-resource redisEnterprise_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(redisEnterprise.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: redisEnterprise
-}]
-
-module redisEnterprise_databases 'database/main.bicep' = [for (database, index) in databases: {
- name: '${uniqueString(deployment().name, location)}-redisCacheEnterprise-DB-${index}'
- params: {
- redisCacheEnterpriseName: redisEnterprise.name
- location: location
- clientProtocol: contains(database, 'clientProtocol') ? database.clientProtocol : 'Encrypted'
- clusteringPolicy: contains(database, 'clusteringPolicy') ? database.clusteringPolicy : 'OSSCluster'
- evictionPolicy: contains(database, 'evictionPolicy') ? database.evictionPolicy : 'VolatileLRU'
- geoReplication: contains(database, 'geoReplication') ? database.geoReplication : {}
- modules: contains(database, 'modules') ? database.modules : []
- persistenceAofEnabled: contains(database, 'persistenceAofEnabled') ? database.persistenceAofEnabled : false
- persistenceAofFrequency: contains(database, 'persistenceAofFrequency') ? database.persistenceAofFrequency : ''
- persistenceRdbEnabled: contains(database, 'persistenceRdbEnabled') ? database.persistenceRdbEnabled : false
- persistenceRdbFrequency: contains(database, 'persistenceRdbFrequency') ? database.persistenceRdbFrequency : ''
- port: contains(database, 'port') ? database.port : -1
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module redisEnterprise_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
- name: '${uniqueString(deployment().name, location)}-redisEnterprise-PrivateEndpoint-${index}'
- params: {
- groupIds: [
- privateEndpoint.?service ?? 'redisEnterprise'
- ]
- name: privateEndpoint.?name ?? 'pep-${last(split(redisEnterprise.id, '/'))}-${privateEndpoint.?service ?? 'redisEnterprise'}-${index}'
- serviceResourceId: redisEnterprise.id
- subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
- location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
- privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
- roleAssignments: privateEndpoint.?roleAssignments
- tags: privateEndpoint.?tags ?? tags
- manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
- customDnsConfigs: privateEndpoint.?customDnsConfigs
- ipConfigurations: privateEndpoint.?ipConfigurations
- applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
- customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
- }
-}]
-
-@description('The name of the redis cache enterprise.')
-output name string = redisEnterprise.name
-
-@description('The resource ID of the redis cache enterprise.')
-output resourceId string = redisEnterprise.id
-
-@description('The name of the resource group the redis cache enterprise was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@description('Redis hostname.')
-output hostName string = redisEnterprise.properties.hostName
-
-@description('The location the resource was deployed into.')
-output location string = redisEnterprise.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type privateEndpointType = {
- @description('Optional. The name of the private endpoint.')
- name: string?
-
- @description('Optional. The location to deploy the private endpoint to.')
- location: string?
-
- @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
- service: string?
-
- @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
- subnetResourceId: string
-
- @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
- privateDnsZoneGroupName: string?
-
- @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
- privateDnsZoneResourceIds: string[]?
-
- @description('Optional. Custom DNS configurations.')
- customDnsConfigs: {
- @description('Required. Fqdn that resolves to private endpoint ip address.')
- fqdn: string?
-
- @description('Required. A list of private ip addresses of the private endpoint.')
- ipAddresses: string[]
- }[]?
-
- @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
- ipConfigurations: {
- @description('Required. The name of the resource that is unique within a resource group.')
- name: string
-
- @description('Required. Properties of private endpoint IP configurations.')
- properties: {
- @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
- groupId: string
-
- @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
- memberName: string
-
- @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
- privateIPAddress: string
- }
- }[]?
-
- @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
- applicationSecurityGroupResourceIds: string[]?
-
- @description('Optional. The custom name of the network interface attached to the private endpoint.')
- customNetworkInterfaceName: string?
-
- @description('Optional. Specify the type of lock.')
- lock: lockType
-
- @description('Optional. Array of role assignments to create.')
- roleAssignments: roleAssignmentType
-
- @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
- tags: object?
-
- @description('Optional. Manual PrivateLink Service Connections.')
- manualPrivateLinkServiceConnections: array?
-
- @description('Optional. Enable/Disable usage telemetry for module.')
- enableTelemetry: bool?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/cache/redis-enterprise/main.json b/modules/cache/redis-enterprise/main.json
deleted file mode 100644
index 07490f41f9..0000000000
--- a/modules/cache/redis-enterprise/main.json
+++ /dev/null
@@ -1,1451 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "14212744208009857353" - }, - "name": "Redis Cache Enterprise", - "description": "This module deploys a Redis Cache Enterprise.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. 
A DNS zone group can support up to 5 DNS zones." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. 
Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." 
- } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." 
- } - } - } - }, - "nullable": true - } - }, - "parameters": { - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. The geo-location where the resource lives." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Redis Cache Enterprise resource." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "minimumTlsVersion": { - "type": "string", - "defaultValue": "1.2", - "allowedValues": [ - "1.0", - "1.1", - "1.2" - ], - "metadata": { - "description": "Optional. Requires clients to use a specified TLS version (or higher) to connect." - } - }, - "capacity": { - "type": "int", - "defaultValue": 2, - "metadata": { - "description": "Optional. The size of the Redis Enterprise Cluster. Defaults to 2. Valid values are (2, 4, 6, ...) for Enterprise SKUs and (3, 9, 15, ...) for Flash SKUs." - } - }, - "skuName": { - "type": "string", - "defaultValue": "Enterprise_E10", - "allowedValues": [ - "EnterpriseFlash_F1500", - "EnterpriseFlash_F300", - "EnterpriseFlash_F700", - "Enterprise_E10", - "Enterprise_E100", - "Enterprise_E20", - "Enterprise_E50" - ], - "metadata": { - "description": "Optional. The type of Redis Enterprise Cluster to deploy." - } - }, - "zoneRedundant": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. When true, the cluster will be deployed across availability zones." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. 
Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." - } - }, - "databases": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The databases to create in the Redis Cache Enterprise Cluster." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "availabilityZones": "[if(parameters('zoneRedundant'), pickZones('Microsoft.Cache', 'redisEnterprise', parameters('location'), 3), createArray())]", - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Redis Cache Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', 
uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "redisEnterprise": { - "type": "Microsoft.Cache/redisEnterprise", - "apiVersion": "2022-01-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "capacity": "[parameters('capacity')]", - "name": "[parameters('skuName')]" - }, - "properties": { - "minimumTlsVersion": "[parameters('minimumTlsVersion')]" - }, - "zones": "[variables('availabilityZones')]" - }, - "redisEnterprise_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Cache/redisEnterprise/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "redisEnterprise" - ] - }, - "redisEnterprise_diagnosticSettings": { - "copy": { - "name": "redisEnterprise_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Cache/redisEnterprise/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "redisEnterprise" - ] - }, - "redisEnterprise_roleAssignments": { - "copy": { - "name": "redisEnterprise_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Cache/redisEnterprise/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Cache/redisEnterprise', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], 
if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "redisEnterprise" - ] - }, - "redisEnterprise_databases": { - "copy": { - "name": "redisEnterprise_databases", - "count": "[length(parameters('databases'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-redisCacheEnterprise-DB-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "redisCacheEnterpriseName": { - "value": "[parameters('name')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "clientProtocol": "[if(contains(parameters('databases')[copyIndex()], 'clientProtocol'), 
createObject('value', parameters('databases')[copyIndex()].clientProtocol), createObject('value', 'Encrypted'))]", - "clusteringPolicy": "[if(contains(parameters('databases')[copyIndex()], 'clusteringPolicy'), createObject('value', parameters('databases')[copyIndex()].clusteringPolicy), createObject('value', 'OSSCluster'))]", - "evictionPolicy": "[if(contains(parameters('databases')[copyIndex()], 'evictionPolicy'), createObject('value', parameters('databases')[copyIndex()].evictionPolicy), createObject('value', 'VolatileLRU'))]", - "geoReplication": "[if(contains(parameters('databases')[copyIndex()], 'geoReplication'), createObject('value', parameters('databases')[copyIndex()].geoReplication), createObject('value', createObject()))]", - "modules": "[if(contains(parameters('databases')[copyIndex()], 'modules'), createObject('value', parameters('databases')[copyIndex()].modules), createObject('value', createArray()))]", - "persistenceAofEnabled": "[if(contains(parameters('databases')[copyIndex()], 'persistenceAofEnabled'), createObject('value', parameters('databases')[copyIndex()].persistenceAofEnabled), createObject('value', false()))]", - "persistenceAofFrequency": "[if(contains(parameters('databases')[copyIndex()], 'persistenceAofFrequency'), createObject('value', parameters('databases')[copyIndex()].persistenceAofFrequency), createObject('value', ''))]", - "persistenceRdbEnabled": "[if(contains(parameters('databases')[copyIndex()], 'persistenceRdbEnabled'), createObject('value', parameters('databases')[copyIndex()].persistenceRdbEnabled), createObject('value', false()))]", - "persistenceRdbFrequency": "[if(contains(parameters('databases')[copyIndex()], 'persistenceRdbFrequency'), createObject('value', parameters('databases')[copyIndex()].persistenceRdbFrequency), createObject('value', ''))]", - "port": "[if(contains(parameters('databases')[copyIndex()], 'port'), createObject('value', parameters('databases')[copyIndex()].port), createObject('value', -1))]", - 
"enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2473493174520406257" - }, - "name": "Redis Cache Enterprise Databases", - "description": "This module deploys a Redis Cache Enterprise Database.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "redisCacheEnterpriseName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Redis Cache Enterprise Cluster. Required if the template is used in a standalone deployment." - } - }, - "clientProtocol": { - "type": "string", - "defaultValue": "Encrypted", - "allowedValues": [ - "Encrypted", - "Plaintext" - ], - "metadata": { - "description": "Optional. Specifies whether redis clients can connect using TLS-encrypted or plaintext redis protocols. Default is TLS-encrypted." - } - }, - "clusteringPolicy": { - "type": "string", - "defaultValue": "OSSCluster", - "allowedValues": [ - "EnterpriseCluster", - "OSSCluster" - ], - "metadata": { - "description": "Optional. Specifies the clustering policy to enable at creation time of the Redis Cache Enterprise Cluster." - } - }, - "evictionPolicy": { - "type": "string", - "defaultValue": "VolatileLRU", - "allowedValues": [ - "AllKeysLFU", - "AllKeysLRU", - "AllKeysRandom", - "NoEviction", - "VolatileLFU", - "VolatileLRU", - "VolatileRandom", - "VolatileTTL" - ], - "metadata": { - "description": "Optional. Redis eviction policy - default is VolatileLRU." - } - }, - "geoReplication": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Optional set of properties to configure geo replication for this database. Geo replication prerequisites must be met. 
See \"https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-how-to-active-geo-replication#active-geo-replication-prerequisites\" for more information." - } - }, - "modules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Optional set of redis modules to enable in this database - modules can only be added at creation time." - } - }, - "persistenceAofEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Sets whether AOF is enabled. Required if setting AOF frequency. AOF and RDB persistence cannot be enabled at the same time." - } - }, - "persistenceAofFrequency": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "1s", - "always" - ], - "metadata": { - "description": "Conditional. Sets the frequency at which data is written to disk. Required if AOF persistence is enabled." - } - }, - "persistenceRdbEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Sets whether RDB is enabled. RDB and AOF persistence cannot be enabled at the same time." - } - }, - "persistenceRdbFrequency": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "12h", - "1h", - "6h" - ], - "metadata": { - "description": "Conditional. Sets the frequency at which a snapshot of the database is created. Required if RDB persistence is enabled." - } - }, - "port": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. TCP port of the database endpoint. Specified at create time. Default is (-1) meaning value is not set and defaults to an available port. Current supported port is 10000." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. 
Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Cache/redisEnterprise/databases", - "apiVersion": "2022-01-01", - "name": "[format('{0}/{1}', parameters('redisCacheEnterpriseName'), 'default')]", - "properties": { - "clientProtocol": "[if(not(empty(parameters('clientProtocol'))), parameters('clientProtocol'), null())]", - "clusteringPolicy": "[if(not(empty(parameters('clusteringPolicy'))), parameters('clusteringPolicy'), null())]", - "evictionPolicy": "[if(not(empty(parameters('evictionPolicy'))), parameters('evictionPolicy'), null())]", - "geoReplication": "[if(not(empty(parameters('geoReplication'))), parameters('geoReplication'), null())]", - "modules": "[if(not(empty(parameters('modules'))), parameters('modules'), null())]", - "persistence": { - "aofEnabled": "[parameters('persistenceAofEnabled')]", - "aofFrequency": "[if(not(empty(parameters('persistenceAofFrequency'))), parameters('persistenceAofFrequency'), null())]", - "rdbEnabled": "[parameters('persistenceRdbEnabled')]", - "rdbFrequency": "[if(not(empty(parameters('persistenceRdbFrequency'))), parameters('persistenceRdbFrequency'), null())]" - }, - "port": "[if(not(equals(parameters('port'), -1)), parameters('port'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed database." 
- }, - "value": "default" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed database." - }, - "value": "[resourceId('Microsoft.Cache/redisEnterprise/databases', parameters('redisCacheEnterpriseName'), 'default')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed database." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "redisEnterprise" - ] - }, - "redisEnterprise_privateEndpoints": { - "copy": { - "name": "redisEnterprise_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-redisEnterprise-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'redisEnterprise')]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Cache/redisEnterprise', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'redisEnterprise'), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.Cache/redisEnterprise', parameters('name'))]" - }, - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" - 
}, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - 
"contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." 
- } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. 
Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. 
The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } 
- }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - "groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": 
"privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": 
"Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "redisEnterprise" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the redis cache enterprise." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the redis cache enterprise." - }, - "value": "[resourceId('Microsoft.Cache/redisEnterprise', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the redis cache enterprise was created in." - }, - "value": "[resourceGroup().name]" - }, - "hostName": { - "type": "string", - "metadata": { - "description": "Redis hostname." - }, - "value": "[reference('redisEnterprise').hostName]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('redisEnterprise', '2022-01-01', 'full').location]" - } - } -} \ No newline at end of file 
diff --git a/modules/cache/redis-enterprise/tests/e2e/defaults/main.test.bicep b/modules/cache/redis-enterprise/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index 667f64420a..0000000000
--- a/modules/cache/redis-enterprise/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-cache.redisenterprise-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cremin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/cache/redis-enterprise/tests/e2e/geo/dependencies.bicep b/modules/cache/redis-enterprise/tests/e2e/geo/dependencies.bicep
deleted file mode 100644
index 31cbbe50bf..0000000000
--- a/modules/cache/redis-enterprise/tests/e2e/geo/dependencies.bicep
+++ /dev/null
@@ -1,59 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Redis Cache Enterprise to create.')
-param redisCacheEnterpriseName string
-
-var redisCacheEnterpriseExpectedResourceID = '${resourceGroup().id}/providers/Microsoft.Cache/redisEnterprise/${redisCacheEnterpriseName}'
-
-resource redisCacheEnterprise 'Microsoft.Cache/redisEnterprise@2022-01-01' = {
- name: redisCacheEnterpriseName
- location: location
- sku: {
- name: 'Enterprise_E10'
- capacity: 2
- }
- properties: {
- minimumTlsVersion: '1.2'
- }
- zones: [
- '1'
- '2'
- '3'
- ]
-
- resource database 'databases@2022-01-01' = {
- name: 'default'
- properties: {
- clusteringPolicy: 'EnterpriseCluster'
- evictionPolicy: 'NoEviction'
- persistence: {
- aofEnabled: false
- rdbEnabled: false
- }
- modules: [
- {
- name: 'RedisJSON'
- }
- {
- name: 'RediSearch'
- }
- ]
- geoReplication: {
- groupNickname: '${redisCacheEnterpriseName}-geo-group'
- linkedDatabases: [
- {
- id: '${redisCacheEnterpriseExpectedResourceID}/databases/default'
- }
- ]
- }
- port: 10000
- }
- }
-}
-
-@description('The resource ID of the created Redis Cache Enterprise database.')
-output redisCacheEnterpriseDatabaseResourceId string = redisCacheEnterprise::database.id
-
-@description('The geo replication group nickname of the created Redis Cache Enterprise database.')
-output redisCacheEnterpriseDatabaseGeoReplicationGroupNickname string = redisCacheEnterprise::database.properties.geoReplication.groupNickname
diff --git a/modules/cache/redis-enterprise/tests/e2e/geo/main.test.bicep b/modules/cache/redis-enterprise/tests/e2e/geo/main.test.bicep
deleted file mode 100644
index 5d09f89094..0000000000
--- a/modules/cache/redis-enterprise/tests/e2e/geo/main.test.bicep
+++ /dev/null
@@ -1,91 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-cache.redisenterprise-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cregeo'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- redisCacheEnterpriseName: 'dep-${namePrefix}-rce-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-var redisCacheEnterpriseName = '${namePrefix}${serviceShort}001'
-var redisCacheEnterpriseExpectedResourceID = '${resourceGroup.id}/providers/Microsoft.Cache/redisEnterprise/${redisCacheEnterpriseName}'
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: redisCacheEnterpriseName
- capacity: 2
- zoneRedundant: true
- databases: [
- {
- clusteringPolicy:
'EnterpriseCluster'
- evictionPolicy: 'NoEviction'
- port: 10000
- modules: [
- {
- name: 'RediSearch'
- }
- {
- name: 'RedisJSON'
- }
- ]
- geoReplication: {
- groupNickname: nestedDependencies.outputs.redisCacheEnterpriseDatabaseGeoReplicationGroupNickname
- linkedDatabases: [
- {
- id: nestedDependencies.outputs.redisCacheEnterpriseDatabaseResourceId
- }
- {
- id: '${redisCacheEnterpriseExpectedResourceID}/databases/default'
- }
- ]
- }
- persistenceAofEnabled: false
- persistenceRdbEnabled: false
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- resourceType: 'Redis Cache Enterprise'
- }
- }
-}]
diff --git a/modules/cache/redis-enterprise/tests/e2e/max/dependencies.bicep b/modules/cache/redis-enterprise/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 59ae30a575..0000000000
--- a/modules/cache/redis-enterprise/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,60 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.redisenterprise.cache.azure.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/cache/redis-enterprise/tests/e2e/max/main.test.bicep b/modules/cache/redis-enterprise/tests/e2e/max/main.test.bicep
deleted file mode 100644
index baf56e3e5e..0000000000
--- a/modules/cache/redis-enterprise/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,146 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-cache.redisenterprise-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cremax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-ds-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
-
eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- capacity: 2
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- minimumTlsVersion: '1.2'
- zoneRedundant: true
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- databases: [
- {
- clusteringPolicy: 'EnterpriseCluster'
- evictionPolicy: 'AllKeysLFU'
- modules: [
- {
- name: 'RedisBloom'
- }
- {
- name: 'RedisTimeSeries'
- args: 'RETENTION_POLICY 20'
- }
- ]
- persistenceAofEnabled: true
- persistenceAofFrequency: '1s'
- persistenceRdbEnabled: false
- port: 10000
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- resourceType: 'Redis Cache Enterprise'
- }
- }
-}]
diff --git a/modules/cache/redis-enterprise/tests/e2e/waf-aligned/dependencies.bicep b/modules/cache/redis-enterprise/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 59ae30a575..0000000000
--- a/modules/cache/redis-enterprise/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,60 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.redisenterprise.cache.azure.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep b/modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index b9030436a7..0000000000
--- a/modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,129 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-cache.redisenterprise-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'crewaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-ds-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName:
'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- capacity: 2
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- minimumTlsVersion: '1.2'
- zoneRedundant: true
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- databases: [
- {
- clusteringPolicy: 'EnterpriseCluster'
- evictionPolicy: 'AllKeysLFU'
- modules: [
- {
- name: 'RedisBloom'
- }
- {
- name: 'RedisTimeSeries'
- args: 'RETENTION_POLICY 20'
- }
- ]
- persistenceAofEnabled: true
- persistenceAofFrequency: '1s'
- persistenceRdbEnabled: false
- port: 10000
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- resourceType: 'Redis Cache Enterprise'
- }
- }
-}]
diff --git a/modules/cache/redis-enterprise/version.json b/modules/cache/redis-enterprise/version.json
deleted file mode 100644
index 04a0dd1a80..0000000000
--- a/modules/cache/redis-enterprise/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.5",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/cache/redis/MOVED-TO-AVM.md b/modules/cache/redis/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/cache/redis/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/cache/redis/README.md b/modules/cache/redis/README.md
index dd04c79c43..a2bbd3ec3e 100644
--- a/modules/cache/redis/README.md
+++ b/modules/cache/redis/README.md
@@ -1,1228 +1,7 @@
-# Redis Cache `[Microsoft.Cache/redis]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/cache/redis](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/cache/redis).** -This module deploys a Redis Cache. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/cache/redis). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Cache/redis` | [2022-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cache/2022-06-01/redis) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | - -## 
Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/cache.redis:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module redis 'br:bicep/modules/cache.redis:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-crmin' - params: { - // Required parameters - name: 'crmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "crmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module redis 'br:bicep/modules/cache.redis:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-crmax' - params: { - // Required parameters - name: 'crmax001' - // Non-required parameters - capacity: 2 - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - enableNonSslPort: true - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - minimumTlsVersion: '1.2' - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - publicNetworkAccess: 'Enabled' - redisVersion: '6' - shardCount: 1 - skuName: 'Premium' - tags: { - 'hidden-title': 'This is visible in the resource name' - resourceType: 'Redis Cache' - } - zoneRedundant: true - zones: [ - 1 - 2 - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "crmax001" - }, - // Non-required parameters - "capacity": { - "value": 2 - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "enableNonSslPort": { - "value": true - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "minimumTlsVersion": { - "value": "1.2" - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "publicNetworkAccess": { - "value": "Enabled" - }, - "redisVersion": { - "value": "6" - }, - "shardCount": { - "value": 1 - }, - "skuName": { - "value": "Premium" - }, - "tags": { - "value": { - "hidden-title": "This is visible in the resource name", - "resourceType": "Redis Cache" - } - }, - "zoneRedundant": { - "value": true - }, - "zones": { - "value": [ - 1, - 2 - ] - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module redis 'br:bicep/modules/cache.redis:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-crwaf' - params: { - // Required parameters - name: 'crwaf001' - // Non-required parameters - capacity: 2 - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - enableNonSslPort: true - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - minimumTlsVersion: '1.2' - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - publicNetworkAccess: 'Enabled' - redisVersion: '6' - shardCount: 1 - skuName: 'Premium' - tags: { - 'hidden-title': 'This is visible in the resource name' - resourceType: 'Redis Cache' - } - zoneRedundant: true - zones: [ - 1 - 2 - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "crwaf001" - }, - // Non-required parameters - "capacity": { - "value": 2 - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "enableNonSslPort": { - "value": true - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "minimumTlsVersion": { - "value": "1.2" - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "publicNetworkAccess": { - "value": "Enabled" - }, - "redisVersion": { - "value": "6" - }, - "shardCount": { - "value": 1 - }, - "skuName": { - "value": "Premium" - }, - "tags": { - "value": { - "hidden-title": "This is visible in the resource name", - "resourceType": "Redis Cache" - } - }, - "zoneRedundant": { - "value": true - }, - "zones": { - "value": [ - 1, - 2 - ] - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the Redis cache resource. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`capacity`](#parameter-capacity) | int | The size of the Redis cache to deploy. Valid values: for C (Basic/Standard) family (0, 1, 2, 3, 4, 5, 6), for P (Premium) family (1, 2, 3, 4). | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`enableNonSslPort`](#parameter-enablenonsslport) | bool | Specifies whether the non-ssl Redis server port (6379) is enabled. | -| [`location`](#parameter-location) | string | The location to deploy the Redis cache service. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`minimumTlsVersion`](#parameter-minimumtlsversion) | string | Requires clients to use a specified TLS version (or higher) to connect. | -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | -| [`redisConfiguration`](#parameter-redisconfiguration) | object | All Redis Settings. 
Few possible keys: rdb-backup-enabled,rdb-storage-connection-string,rdb-backup-frequency,maxmemory-delta,maxmemory-policy,notify-keyspace-events,maxmemory-samples,slowlog-log-slower-than,slowlog-max-len,list-max-ziplist-entries,list-max-ziplist-value,hash-max-ziplist-entries,hash-max-ziplist-value,set-max-intset-entries,zset-max-ziplist-entries,zset-max-ziplist-value etc. | -| [`redisVersion`](#parameter-redisversion) | string | Redis version. Only major version will be used in PUT/PATCH request with current valid values: (4, 6). | -| [`replicasPerMaster`](#parameter-replicaspermaster) | int | The number of replicas to be created per primary. | -| [`replicasPerPrimary`](#parameter-replicasperprimary) | int | The number of replicas to be created per primary. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`shardCount`](#parameter-shardcount) | int | The number of shards to be created on a Premium Cluster Cache. | -| [`skuName`](#parameter-skuname) | string | The type of Redis cache to deploy. | -| [`staticIP`](#parameter-staticip) | string | Static IP address. Optionally, may be specified when deploying a Redis cache inside an existing Azure Virtual Network; auto assigned by default. | -| [`subnetId`](#parameter-subnetid) | string | The full resource ID of a subnet in a virtual network to deploy the Redis cache in. Example format: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/Microsoft.{Network|ClassicNetwork}/VirtualNetworks/vnet1/subnets/subnet1. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`tenantSettings`](#parameter-tenantsettings) | object | A dictionary of tenant settings. | -| [`zoneRedundant`](#parameter-zoneredundant) | bool | When true, replicas will be provisioned in availability zones specified in the zones parameter. 
| -| [`zones`](#parameter-zones) | array | If the zoneRedundant parameter is true, replicas will be provisioned in the availability zones specified here. Otherwise, the service will choose where replicas are deployed. | - -### Parameter: `name` - -The name of the Redis cache resource. - -- Required: Yes -- Type: string - -### Parameter: `capacity` - -The size of the Redis cache to deploy. Valid values: for C (Basic/Standard) family (0, 1, 2, 3, 4, 5, 6), for P (Premium) family (1, 2, 3, 4). - -- Required: No -- Type: int -- Default: `1` -- Allowed: - ```Bicep - [ - 0 - 1 - 2 - 3 - 4 - 5 - 6 - ] - ``` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableNonSslPort` - -Specifies whether the non-ssl Redis server port (6379) is enabled. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `location` - -The location to deploy the Redis cache service. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. 
- -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: No -- Type: array - -### Parameter: `minimumTlsVersion` - -Requires clients to use a specified TLS version (or higher) to connect. - -- Required: No -- Type: string -- Default: `'1.2'` -- Allowed: - ```Bicep - [ - '1.0' - '1.1' - '1.2' - ] - ``` - -### Parameter: `privateEndpoints` - -Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. 
| - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. 
For example "vault" or "blob". | -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.subnetResourceId` - -Resource ID of the subnet where the endpoint needs to be created. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Application security groups in which the private endpoint IP configuration is included. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customDnsConfigs` - -Custom DNS configurations. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customNetworkInterfaceName` - -The custom name of the network interface attached to the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.enableTelemetry` - -Enable/Disable usage telemetry for module. - -- Required: No -- Type: bool - -### Parameter: `privateEndpoints.ipConfigurations` - -A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.location` - -The location to deploy the private endpoint to. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.lock` - -Specify the type of lock. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | -| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | - -### Parameter: `privateEndpoints.lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `privateEndpoints.lock.name` - -Specify the name of lock. 
- -- Required: No -- Type: string - -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` - -Manual PrivateLink Service Connections. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.name` - -The name of the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneGroupName` - -The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` - -The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. 
| -| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `privateEndpoints.roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.principalType` - -The principal type of the assigned principal ID. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `privateEndpoints.service` - -The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.tags` - -Tags to be applied on all resources/resource groups in this deployment. - -- Required: No -- Type: object - -### Parameter: `publicNetworkAccess` - -Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `redisConfiguration` - -All Redis Settings. Few possible keys: rdb-backup-enabled,rdb-storage-connection-string,rdb-backup-frequency,maxmemory-delta,maxmemory-policy,notify-keyspace-events,maxmemory-samples,slowlog-log-slower-than,slowlog-max-len,list-max-ziplist-entries,list-max-ziplist-value,hash-max-ziplist-entries,hash-max-ziplist-value,set-max-intset-entries,zset-max-ziplist-entries,zset-max-ziplist-value etc. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `redisVersion` - -Redis version. Only major version will be used in PUT/PATCH request with current valid values: (4, 6). - -- Required: No -- Type: string -- Default: `'6'` -- Allowed: - ```Bicep - [ - '4' - '6' - ] - ``` - -### Parameter: `replicasPerMaster` - -The number of replicas to be created per primary. - -- Required: No -- Type: int -- Default: `1` - -### Parameter: `replicasPerPrimary` - -The number of replicas to be created per primary. - -- Required: No -- Type: int -- Default: `1` - -### Parameter: `roleAssignments` - -Array of role assignments to create. 
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
- -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `shardCount` - -The number of shards to be created on a Premium Cluster Cache. - -- Required: No -- Type: int -- Default: `1` - -### Parameter: `skuName` - -The type of Redis cache to deploy. - -- Required: No -- Type: string -- Default: `'Basic'` -- Allowed: - ```Bicep - [ - 'Basic' - 'Premium' - 'Standard' - ] - ``` - -### Parameter: `staticIP` - -Static IP address. Optionally, may be specified when deploying a Redis cache inside an existing Azure Virtual Network; auto assigned by default. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `subnetId` - -The full resource ID of a subnet in a virtual network to deploy the Redis cache in. Example format: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/Microsoft.{Network|ClassicNetwork}/VirtualNetworks/vnet1/subnets/subnet1. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `tags` - -Tags of the resource. 
- -- Required: No -- Type: object - -### Parameter: `tenantSettings` - -A dictionary of tenant settings. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `zoneRedundant` - -When true, replicas will be provisioned in availability zones specified in the zones parameter. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `zones` - -If the zoneRedundant parameter is true, replicas will be provisioned in the availability zones specified here. Otherwise, the service will choose where replicas are deployed. - -- Required: No -- Type: array -- Default: `[]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `hostName` | string | Redis hostname. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the Redis Cache. | -| `resourceGroupName` | string | The name of the resource group the Redis Cache was created in. | -| `resourceId` | string | The resource ID of the Redis Cache. | -| `sslPort` | int | Redis SSL port. | -| `subnetId` | string | The full resource ID of a subnet in a virtual network where the Redis Cache was deployed in. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `modules/network/private-endpoint` | Local reference | - -## Notes - -### Parameter Usage: `redisConfiguration` - -All Redis Settings. 
Few possible keys: rdb-backup-enabled,rdb-storage-connection-string,rdb-backup-frequency,maxmemory-delta,maxmemory-policy,notify-keyspace-events,maxmemory-samples,slowlog-log-slower-than,slowlog-max-len,list-max-ziplist-entries,list-max-ziplist-value,hash-max-ziplist-entries,hash-max-ziplist-value,set-max-intset-entries,zset-max-ziplist-entries,zset-max-ziplist-value etc.. - -Name | Description | Value ----------|----------|--------- -aof-storage-connection-string-0 | First storage account connection string | string -aof-storage-connection-string-1 | Second storage account connection string | string -maxfragmentationmemory-reserved | Value in megabytes reserved for fragmentation per shard | string -maxmemory-delta | Value in megabytes reserved for non-cache usage per shard e.g. failover. | string -maxmemory-policy | The eviction strategy used when your data won't fit within its memory limit. | string -maxmemory-reserved | Value in megabytes reserved for non-cache usage per shard e.g. failover. | string -rdb-backup-enabled | Specifies whether the rdb backup is enabled | string -rdb-backup-frequency | Specifies the frequency for creating rdb backup | string -rdb-backup-max-snapshot-count | Specifies the maximum number of snapshots for rdb backup | string -rdb-storage-connection-string | The storage account connection string for storing rdb file | string - -For more details visit [Microsoft.Cache redis reference](https://learn.microsoft.com/en-us/azure/templates/microsoft.cache/redis?tabs=bicep) - -

- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/cache/redis/main.bicep b/modules/cache/redis/main.bicep
deleted file mode 100644
index 4a34e577ce..0000000000
--- a/modules/cache/redis/main.bicep
+++ /dev/null
@@ -1,410 +0,0 @@
-metadata name = 'Redis Cache'
-metadata description = 'This module deploys a Redis Cache.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Optional. The location to deploy the Redis cache service.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Redis cache resource.')
-param name string
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
-
-@description('Optional. Specifies whether the non-ssl Redis server port (6379) is enabled.')
-param enableNonSslPort bool = false
-
-@allowed([
- '1.0'
- '1.1'
- '1.2'
-])
-@description('Optional. Requires clients to use a specified TLS version (or higher) to connect.')
-param minimumTlsVersion string = '1.2'
-
-@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.')
-@allowed([
- ''
- 'Enabled'
- 'Disabled'
-])
-param publicNetworkAccess string = ''
-
-@description('Optional. All Redis Settings. Few possible keys: rdb-backup-enabled,rdb-storage-connection-string,rdb-backup-frequency,maxmemory-delta,maxmemory-policy,notify-keyspace-events,maxmemory-samples,slowlog-log-slower-than,slowlog-max-len,list-max-ziplist-entries,list-max-ziplist-value,hash-max-ziplist-entries,hash-max-ziplist-value,set-max-intset-entries,zset-max-ziplist-entries,zset-max-ziplist-value etc.')
-param redisConfiguration object = {}
-
-@allowed([
- '4'
- '6'
-])
-@description('Optional. Redis version. 
Only major version will be used in PUT/PATCH request with current valid values: (4, 6).')
-param redisVersion string = '6'
-
-@minValue(1)
-@description('Optional. The number of replicas to be created per primary.')
-param replicasPerMaster int = 1
-
-@minValue(1)
-@description('Optional. The number of replicas to be created per primary.')
-param replicasPerPrimary int = 1
-
-@minValue(1)
-@description('Optional. The number of shards to be created on a Premium Cluster Cache.')
-param shardCount int = 1
-
-@allowed([
- 0
- 1
- 2
- 3
- 4
- 5
- 6
-])
-@description('Optional. The size of the Redis cache to deploy. Valid values: for C (Basic/Standard) family (0, 1, 2, 3, 4, 5, 6), for P (Premium) family (1, 2, 3, 4).')
-param capacity int = 1
-
-@allowed([
- 'Basic'
- 'Premium'
- 'Standard'
-])
-@description('Optional. The type of Redis cache to deploy.')
-param skuName string = 'Basic'
-
-@description('Optional. Static IP address. Optionally, may be specified when deploying a Redis cache inside an existing Azure Virtual Network; auto assigned by default.')
-param staticIP string = ''
-
-@description('Optional. The full resource ID of a subnet in a virtual network to deploy the Redis cache in. Example format: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/Microsoft.{Network|ClassicNetwork}/VirtualNetworks/vnet1/subnets/subnet1.')
-param subnetId string = ''
-
-@description('Optional. A dictionary of tenant settings.')
-param tenantSettings object = {}
-
-@description('Optional. When true, replicas will be provisioned in availability zones specified in the zones parameter.')
-param zoneRedundant bool = true
-
-@description('Optional. If the zoneRedundant parameter is true, replicas will be provisioned in the availability zones specified here. Otherwise, the service will choose where replicas are deployed.')
-param zones array = []
-
-@description('Optional. Configuration details for private endpoints. 
For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints privateEndpointType
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var availabilityZones = skuName == 'Premium' ? zoneRedundant ? !empty(zones) ? zones : pickZones('Microsoft.Cache', 'redis', location, 3) : [] : []
-
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-
-var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
- userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? 
formattedUserAssignedIdentities : null
-} : null
-
-var enableReferencedModulesTelemetry = false
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Redis Cache Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e0f68234-74aa-48ed-b826-c38b57376e17')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource redis 'Microsoft.Cache/redis@2022-06-01' = {
- name: name
- location: location
- tags: tags
- identity: identity
- properties: {
- enableNonSslPort: enableNonSslPort
- minimumTlsVersion: minimumTlsVersion
- publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null)
- redisConfiguration: !empty(redisConfiguration) ? redisConfiguration : null
- redisVersion: redisVersion
- replicasPerMaster: skuName == 'Premium' ? replicasPerMaster : null
- replicasPerPrimary: skuName == 'Premium' ? replicasPerPrimary : null
- shardCount: skuName == 'Premium' ? 
shardCount : null // Not supported in free tier
- sku: {
- capacity: capacity
- family: skuName == 'Premium' ? 'P' : 'C'
- name: skuName
- }
- staticIP: !empty(staticIP) ? staticIP : null
- subnetId: !empty(subnetId) ? subnetId : null
- tenantSettings: tenantSettings
- }
- zones: availabilityZones
-}
-
-resource redis_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: redis
-}
-
-resource redis_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: redis
-}]
-
-resource redis_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(redis.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? 
builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: redis
-}]
-
-module redis_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
- name: '${uniqueString(deployment().name, location)}-redis-PrivateEndpoint-${index}'
- params: {
- groupIds: [
- privateEndpoint.?service ?? 'redisCache'
- ]
- name: privateEndpoint.?name ?? 'pep-${last(split(redis.id, '/'))}-${privateEndpoint.?service ?? 'redisCache'}-${index}'
- serviceResourceId: redis.id
- subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
- location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
- privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
- roleAssignments: privateEndpoint.?roleAssignments
- tags: privateEndpoint.?tags ?? 
tags
- manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
- customDnsConfigs: privateEndpoint.?customDnsConfigs
- ipConfigurations: privateEndpoint.?ipConfigurations
- applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
- customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
- }
-}]
-
-@description('The name of the Redis Cache.')
-output name string = redis.name
-
-@description('The resource ID of the Redis Cache.')
-output resourceId string = redis.id
-
-@description('The name of the resource group the Redis Cache was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@description('Redis hostname.')
-output hostName string = redis.properties.hostName
-
-@description('Redis SSL port.')
-output sslPort int = redis.properties.sslPort
-
-@description('The full resource ID of a subnet in a virtual network where the Redis Cache was deployed in.')
-output subnetId string = !empty(subnetId) ? redis.properties.subnetId : ''
-
-@description('The principal ID of the system assigned identity.')
-output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(redis.identity, 'principalId') ? redis.identity.principalId : ''
-
-@description('The location the resource was deployed into.')
-output location string = redis.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]?
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type privateEndpointType = {
- @description('Optional. The name of the private endpoint.')
- name: string?
-
- @description('Optional. The location to deploy the private endpoint to.')
- location: string?
-
- @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
- service: string?
-
- @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
- subnetResourceId: string
-
- @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
- privateDnsZoneGroupName: string?
-
- @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
- privateDnsZoneResourceIds: string[]?
-
- @description('Optional. 
Custom DNS configurations.')
- customDnsConfigs: {
- @description('Required. Fqdn that resolves to private endpoint ip address.')
- fqdn: string?
-
- @description('Required. A list of private ip addresses of the private endpoint.')
- ipAddresses: string[]
- }[]?
-
- @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
- ipConfigurations: {
- @description('Required. The name of the resource that is unique within a resource group.')
- name: string
-
- @description('Required. Properties of private endpoint IP configurations.')
- properties: {
- @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
- groupId: string
-
- @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
- memberName: string
-
- @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
- privateIPAddress: string
- }
- }[]?
-
- @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
- applicationSecurityGroupResourceIds: string[]?
-
- @description('Optional. The custom name of the network interface attached to the private endpoint.')
- customNetworkInterfaceName: string?
-
- @description('Optional. Specify the type of lock.')
- lock: lockType
-
- @description('Optional. Array of role assignments to create.')
- roleAssignments: roleAssignmentType
-
- @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
- tags: object?
-
- @description('Optional. Manual PrivateLink Service Connections.')
- manualPrivateLinkServiceConnections: array?
-
- @description('Optional. Enable/Disable usage telemetry for module.')
- enableTelemetry: bool?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. 
The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. 
Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/cache/redis/main.json b/modules/cache/redis/main.json
deleted file mode 100644
index 90b5617b8a..0000000000
--- a/modules/cache/redis/main.json
+++ /dev/null
@@ -1,1397 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10455754336377427456" - }, - "name": "Redis Cache", - "description": "This module deploys a Redis Cache.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." 
- } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. 
Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. The location to deploy the Redis cache service." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Redis cache resource." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. 
The managed identity definition for this resource." - } - }, - "enableNonSslPort": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether the non-ssl Redis server port (6379) is enabled." - } - }, - "minimumTlsVersion": { - "type": "string", - "defaultValue": "1.2", - "allowedValues": [ - "1.0", - "1.1", - "1.2" - ], - "metadata": { - "description": "Optional. Requires clients to use a specified TLS version (or higher) to connect." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set." - } - }, - "redisConfiguration": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. All Redis Settings. Few possible keys: rdb-backup-enabled,rdb-storage-connection-string,rdb-backup-frequency,maxmemory-delta,maxmemory-policy,notify-keyspace-events,maxmemory-samples,slowlog-log-slower-than,slowlog-max-len,list-max-ziplist-entries,list-max-ziplist-value,hash-max-ziplist-entries,hash-max-ziplist-value,set-max-intset-entries,zset-max-ziplist-entries,zset-max-ziplist-value etc." - } - }, - "redisVersion": { - "type": "string", - "defaultValue": "6", - "allowedValues": [ - "4", - "6" - ], - "metadata": { - "description": "Optional. Redis version. Only major version will be used in PUT/PATCH request with current valid values: (4, 6)." - } - }, - "replicasPerMaster": { - "type": "int", - "defaultValue": 1, - "minValue": 1, - "metadata": { - "description": "Optional. The number of replicas to be created per primary." - } - }, - "replicasPerPrimary": { - "type": "int", - "defaultValue": 1, - "minValue": 1, - "metadata": { - "description": "Optional. 
The number of replicas to be created per primary." - } - }, - "shardCount": { - "type": "int", - "defaultValue": 1, - "minValue": 1, - "metadata": { - "description": "Optional. The number of shards to be created on a Premium Cluster Cache." - } - }, - "capacity": { - "type": "int", - "defaultValue": 1, - "allowedValues": [ - 0, - 1, - 2, - 3, - 4, - 5, - 6 - ], - "metadata": { - "description": "Optional. The size of the Redis cache to deploy. Valid values: for C (Basic/Standard) family (0, 1, 2, 3, 4, 5, 6), for P (Premium) family (1, 2, 3, 4)." - } - }, - "skuName": { - "type": "string", - "defaultValue": "Basic", - "allowedValues": [ - "Basic", - "Premium", - "Standard" - ], - "metadata": { - "description": "Optional. The type of Redis cache to deploy." - } - }, - "staticIP": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Static IP address. Optionally, may be specified when deploying a Redis cache inside an existing Azure Virtual Network; auto assigned by default." - } - }, - "subnetId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The full resource ID of a subnet in a virtual network to deploy the Redis cache in. Example format: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/Microsoft.{Network|ClassicNetwork}/VirtualNetworks/vnet1/subnets/subnet1." - } - }, - "tenantSettings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. A dictionary of tenant settings." - } - }, - "zoneRedundant": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. When true, replicas will be provisioned in availability zones specified in the zones parameter." - } - }, - "zones": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. If the zoneRedundant parameter is true, replicas will be provisioned in the availability zones specified here. 
Otherwise, the service will choose where replicas are deployed." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "availabilityZones": "[if(equals(parameters('skuName'), 'Premium'), if(parameters('zoneRedundant'), if(not(empty(parameters('zones'))), parameters('zones'), pickZones('Microsoft.Cache', 'redis', parameters('location'), 3)), createArray()), createArray())]", - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Redis Cache Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "redis": { - "type": "Microsoft.Cache/redis", - "apiVersion": "2022-06-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "properties": { - "enableNonSslPort": "[parameters('enableNonSslPort')]", - "minimumTlsVersion": "[parameters('minimumTlsVersion')]", - "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), if(not(empty(parameters('privateEndpoints'))), 'Disabled', null()))]", - "redisConfiguration": "[if(not(empty(parameters('redisConfiguration'))), parameters('redisConfiguration'), null())]", - "redisVersion": 
"[parameters('redisVersion')]", - "replicasPerMaster": "[if(equals(parameters('skuName'), 'Premium'), parameters('replicasPerMaster'), null())]", - "replicasPerPrimary": "[if(equals(parameters('skuName'), 'Premium'), parameters('replicasPerPrimary'), null())]", - "shardCount": "[if(equals(parameters('skuName'), 'Premium'), parameters('shardCount'), null())]", - "sku": { - "capacity": "[parameters('capacity')]", - "family": "[if(equals(parameters('skuName'), 'Premium'), 'P', 'C')]", - "name": "[parameters('skuName')]" - }, - "staticIP": "[if(not(empty(parameters('staticIP'))), parameters('staticIP'), null())]", - "subnetId": "[if(not(empty(parameters('subnetId'))), parameters('subnetId'), null())]", - "tenantSettings": "[parameters('tenantSettings')]" - }, - "zones": "[variables('availabilityZones')]" - }, - "redis_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Cache/redis/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "redis" - ] - }, - "redis_diagnosticSettings": { - "copy": { - "name": "redis_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Cache/redis/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', 
parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "redis" - ] - }, - "redis_roleAssignments": { - "copy": { - "name": "redis_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Cache/redis/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Cache/redis', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "redis" - ] - }, - "redis_privateEndpoints": { - "copy": { - "name": "redis_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-redis-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - 
"parameters": { - "groupIds": { - "value": [ - "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'redisCache')]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Cache/redis', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'redisCache'), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.Cache/redis', parameters('name'))]" - }, - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - 
}, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." 
- } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." 
- } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." 
- } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", 
- "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - "groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify 
the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - 
"privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "redis" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the Redis Cache." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Redis Cache." - }, - "value": "[resourceId('Microsoft.Cache/redis', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the Redis Cache was created in." - }, - "value": "[resourceGroup().name]" - }, - "hostName": { - "type": "string", - "metadata": { - "description": "Redis hostname." - }, - "value": "[reference('redis').hostName]" - }, - "sslPort": { - "type": "int", - "metadata": { - "description": "Redis SSL port." - }, - "value": "[reference('redis').sslPort]" - }, - "subnetId": { - "type": "string", - "metadata": { - "description": "The full resource ID of a subnet in a virtual network where the Redis Cache was deployed in." 
- }, - "value": "[if(not(empty(parameters('subnetId'))), reference('redis').subnetId, '')]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('redis', '2022-06-01', 'full').identity, 'principalId')), reference('redis', '2022-06-01', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('redis', '2022-06-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/cache/redis/tests/e2e/defaults/main.test.bicep b/modules/cache/redis/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 4c8ef85da3..0000000000 --- a/modules/cache/redis/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,48 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-cache.redis-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'crmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}
diff --git a/modules/cache/redis/tests/e2e/max/dependencies.bicep b/modules/cache/redis/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 8218e0c1ad..0000000000
--- a/modules/cache/redis/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,60 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the managed identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.redis.cache.windows.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/cache/redis/tests/e2e/max/main.test.bicep b/modules/cache/redis/tests/e2e/max/main.test.bicep
deleted file mode 100644
index dd1a06da7d..0000000000
--- a/modules/cache/redis/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,121 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-cache.redis-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'crmax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 
'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - capacity: 2 - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - enableNonSslPort: true - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - minimumTlsVersion: '1.2' - zoneRedundant: true - zones: [ 1, 2 ] - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - publicNetworkAccess: 'Enabled' - redisVersion: '6' - shardCount: 1 - skuName: 'Premium' - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - } - tags: { - 'hidden-title': 'This is visible in the resource name' - resourceType: 'Redis Cache' - } - } -} diff --git a/modules/cache/redis/tests/e2e/waf-aligned/dependencies.bicep b/modules/cache/redis/tests/e2e/waf-aligned/dependencies.bicep deleted file mode 100644 index 8218e0c1ad..0000000000 --- a/modules/cache/redis/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null 
@@ -1,60 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the managed identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.redis.cache.windows.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/cache/redis/tests/e2e/waf-aligned/main.test.bicep b/modules/cache/redis/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 01f1338b3d..0000000000
--- a/modules/cache/redis/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,121 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-cache.redis-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'crwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- capacity: 2
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- enableNonSslPort: true
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- minimumTlsVersion: '1.2'
- zoneRedundant: true
- zones: [ 1, 2 ]
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- publicNetworkAccess: 'Enabled'
- redisVersion: '6'
- shardCount: 1
- skuName: 'Premium'
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- resourceType: 'Redis Cache'
- }
- }
-}
diff --git a/modules/cache/redis/version.json b/modules/cache/redis/version.json
deleted file mode 100644
index 04a0dd1a80..0000000000
--- a/modules/cache/redis/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.5",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/cdn/profile/MOVED-TO-AVM.md b/modules/cdn/profile/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/cdn/profile/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/cdn/profile/README.md b/modules/cdn/profile/README.md
index 209c4c6306..e517a73b48 100644
--- a/modules/cdn/profile/README.md
+++ b/modules/cdn/profile/README.md
@@ -1,872 +1,7 @@
-# CDN Profiles `[Microsoft.Cdn/profiles]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/cdn/profile](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/cdn/profile).** -This module deploys a CDN Profile. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/cdn/profile). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Cdn/profiles` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2023-05-01/profiles) | -| `Microsoft.Cdn/profiles/afdEndpoints` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2023-05-01/profiles/afdEndpoints) | -| `Microsoft.Cdn/profiles/afdEndpoints/routes` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2023-05-01/profiles/afdEndpoints/routes) | -| `Microsoft.Cdn/profiles/customDomains` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2023-05-01/profiles/customDomains) | -| `Microsoft.Cdn/profiles/endpoints` | 
[2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2021-06-01/profiles/endpoints) | -| `Microsoft.Cdn/profiles/endpoints/origins` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2021-06-01/profiles/endpoints/origins) | -| `Microsoft.Cdn/profiles/originGroups` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2023-05-01/profiles/originGroups) | -| `Microsoft.Cdn/profiles/originGroups/origins` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2023-05-01/profiles/originGroups/origins) | -| `Microsoft.Cdn/profiles/ruleSets` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2023-05-01/profiles/ruleSets) | -| `Microsoft.Cdn/profiles/ruleSets/rules` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2023-05-01/profiles/ruleSets/rules) | -| `Microsoft.Cdn/profiles/secrets` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2023-05-01/profiles/secrets) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/cdn.profile:1.0.0`. - -- [Afd](#example-1-afd) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Afd_ - -
- -via Bicep module - -```bicep -module profile 'br:bicep/modules/cdn.profile:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cdnpafd' - params: { - // Required parameters - name: 'dep-test-cdnpafd' - sku: 'Standard_AzureFrontDoor' - // Non-required parameters - afdEndpoints: [ - { - name: 'dep-test-cdnpafd-afd-endpoint' - routes: [ - { - customDomainName: 'dep-test-cdnpafd-custom-domain' - name: 'dep-test-cdnpafd-afd-route' - originGroupName: 'dep-test-cdnpafd-origin-group' - ruleSets: [ - { - name: 'deptestcdnpafdruleset' - } - ] - } - ] - } - ] - customDomains: [ - { - certificateType: 'ManagedCertificate' - hostName: 'dep-test-cdnpafd-custom-domain.azurewebsites.net' - name: 'dep-test-cdnpafd-custom-domain' - } - ] - enableDefaultTelemetry: '' - location: 'global' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - originResponseTimeoutSeconds: 60 - origionGroups: [ - { - loadBalancingSettings: { - additionalLatencyInMilliseconds: 50 - sampleSize: 4 - successfulSamplesRequired: 3 - } - name: 'dep-test-cdnpafd-origin-group' - origins: [ - { - hostName: 'dep-test-cdnpafd-origin.azurewebsites.net' - name: 'dep-test-cdnpafd-origin' - } - ] - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - ruleSets: [ - { - name: 'deptestcdnpafdruleset' - rules: [ - { - actions: [ - { - name: 'UrlRedirect' - parameters: { - customHostname: 'dev-etradefd.trade.azure.defra.cloud' - customPath: '/test123' - destinationProtocol: 'Https' - redirectType: 'PermanentRedirect' - typeName: 'DeliveryRuleUrlRedirectActionParameters' - } - } - ] - name: 'deptestcdnpafdrule' - order: 1 - } - ] - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dep-test-cdnpafd" - }, - "sku": { - "value": "Standard_AzureFrontDoor" - }, - // Non-required parameters - "afdEndpoints": { - "value": [ - { - "name": "dep-test-cdnpafd-afd-endpoint", - "routes": [ - { - "customDomainName": "dep-test-cdnpafd-custom-domain", - "name": "dep-test-cdnpafd-afd-route", - "originGroupName": "dep-test-cdnpafd-origin-group", - "ruleSets": [ - { - "name": "deptestcdnpafdruleset" - } - ] - } - ] - } - ] - }, - "customDomains": { - "value": [ - { - "certificateType": "ManagedCertificate", - "hostName": "dep-test-cdnpafd-custom-domain.azurewebsites.net", - "name": "dep-test-cdnpafd-custom-domain" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "location": { - "value": "global" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "originResponseTimeoutSeconds": { - "value": 60 - }, - "origionGroups": { - "value": [ - { - "loadBalancingSettings": { - "additionalLatencyInMilliseconds": 50, - "sampleSize": 4, - "successfulSamplesRequired": 3 - }, - "name": "dep-test-cdnpafd-origin-group", - "origins": [ - { - "hostName": "dep-test-cdnpafd-origin.azurewebsites.net", - "name": "dep-test-cdnpafd-origin" - } - ] - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "ruleSets": { - "value": [ - { - "name": "deptestcdnpafdruleset", - "rules": [ - { - "actions": [ - { - "name": "UrlRedirect", - "parameters": { - 
"customHostname": "dev-etradefd.trade.azure.defra.cloud", - "customPath": "/test123", - "destinationProtocol": "Https", - "redirectType": "PermanentRedirect", - "typeName": "DeliveryRuleUrlRedirectActionParameters" - } - } - ], - "name": "deptestcdnpafdrule", - "order": 1 - } - ] - } - ] - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module profile 'br:bicep/modules/cdn.profile:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cdnpmax' - params: { - // Required parameters - name: 'dep-test-cdnpmax' - sku: 'Standard_Verizon' - // Non-required parameters - enableDefaultTelemetry: '' - endpointProperties: { - contentTypesToCompress: [ - 'application/javascript' - 'application/json' - 'application/x-javascript' - 'application/xml' - 'text/css' - 'text/html' - 'text/javascript' - 'text/plain' - ] - geoFilters: [] - isCompressionEnabled: true - isHttpAllowed: true - isHttpsAllowed: true - originGroups: [] - originHostHeader: '' - origins: [ - { - name: 'dep-cdn-endpoint01' - properties: { - enabled: true - hostName: '' - httpPort: 80 - httpsPort: 443 - } - } - ] - queryStringCachingBehavior: 'IgnoreQueryString' - } - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - originResponseTimeoutSeconds: 60 - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dep-test-cdnpmax" - }, - "sku": { - "value": "Standard_Verizon" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "endpointProperties": { - "value": { - "contentTypesToCompress": [ - "application/javascript", - "application/json", - "application/x-javascript", - "application/xml", - "text/css", - "text/html", - "text/javascript", - "text/plain" - ], - "geoFilters": [], - "isCompressionEnabled": true, - "isHttpAllowed": true, - "isHttpsAllowed": true, - "originGroups": [], - "originHostHeader": "", - "origins": [ - { - "name": "dep-cdn-endpoint01", - "properties": { - "enabled": true, - "hostName": "", - "httpPort": 80, - "httpsPort": 443 - } - } - ], - "queryStringCachingBehavior": "IgnoreQueryString" - } - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "originResponseTimeoutSeconds": { - "value": 60 - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module profile 'br:bicep/modules/cdn.profile:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cdnpwaf' - params: { - // Required parameters - name: 'dep-test-cdnpwaf' - sku: 'Standard_Verizon' - // Non-required parameters - enableDefaultTelemetry: '' - endpointProperties: { - contentTypesToCompress: [ - 'application/javascript' - 'application/json' - 'application/x-javascript' - 'application/xml' - 'text/css' - 'text/html' - 'text/javascript' - 'text/plain' - ] - geoFilters: [] - isCompressionEnabled: true - isHttpAllowed: true - isHttpsAllowed: true - originGroups: [] - originHostHeader: '' - origins: [ - { - name: 'dep-cdn-endpoint01' - properties: { - enabled: true - hostName: '' - httpPort: 80 - httpsPort: 443 - } - } - ] - queryStringCachingBehavior: 'IgnoreQueryString' - } - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - originResponseTimeoutSeconds: 60 - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dep-test-cdnpwaf" - }, - "sku": { - "value": "Standard_Verizon" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "endpointProperties": { - "value": { - "contentTypesToCompress": [ - "application/javascript", - "application/json", - "application/x-javascript", - "application/xml", - "text/css", - "text/html", - "text/javascript", - "text/plain" - ], - "geoFilters": [], - "isCompressionEnabled": true, - "isHttpAllowed": true, - "isHttpsAllowed": true, - "originGroups": [], - "originHostHeader": "", - "origins": [ - { - "name": "dep-cdn-endpoint01", - "properties": { - "enabled": true, - "hostName": "", - "httpPort": 80, - "httpsPort": 443 - } - } - ], - "queryStringCachingBehavior": "IgnoreQueryString" - } - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "originResponseTimeoutSeconds": { - "value": 60 - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the CDN profile. | -| [`sku`](#parameter-sku) | string | The pricing tier (defines a CDN provider, feature list and rate) of the CDN profile. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`origionGroups`](#parameter-origiongroups) | array | Array of origin group objects. Required if the afdEndpoints is specified. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`afdEndpoints`](#parameter-afdendpoints) | array | Array of AFD endpoint objects. | -| [`customDomains`](#parameter-customdomains) | array | Array of custom domain objects. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`endpointName`](#parameter-endpointname) | string | Name of the endpoint under the profile which is unique globally. | -| [`endpointProperties`](#parameter-endpointproperties) | object | Endpoint properties (see https://learn.microsoft.com/en-us/azure/templates/microsoft.cdn/profiles/endpoints?pivots=deployment-language-bicep#endpointproperties for details). | -| [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`originResponseTimeoutSeconds`](#parameter-originresponsetimeoutseconds) | int | Send and receive timeout on forwarding request to the origin. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`ruleSets`](#parameter-rulesets) | array | Array of rule set objects. | -| [`secrets`](#parameter-secrets) | array | Array of secret objects. | -| [`tags`](#parameter-tags) | object | Endpoint tags. | - -### Parameter: `name` - -Name of the CDN profile. 
-
-- Required: Yes
-- Type: string
-
-### Parameter: `sku`
-
-The pricing tier (defines a CDN provider, feature list and rate) of the CDN profile.
-
-- Required: Yes
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Custom_Verizon'
- 'Premium_AzureFrontDoor'
- 'Premium_Verizon'
- 'Standard_955BandWidth_ChinaCdn'
- 'Standard_Akamai'
- 'Standard_AvgBandWidth_ChinaCdn'
- 'Standard_AzureFrontDoor'
- 'Standard_ChinaCdn'
- 'Standard_Microsoft'
- 'Standard_Verizon'
- 'StandardPlus_955BandWidth_ChinaCdn'
- 'StandardPlus_AvgBandWidth_ChinaCdn'
- 'StandardPlus_ChinaCdn'
- ]
- ```
-
-### Parameter: `origionGroups`
-
-Array of origin group objects. Required if the afdEndpoints is specified.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `afdEndpoints`
-
-Array of AFD endpoint objects.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `customDomains`
-
-Array of custom domain objects.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `endpointName`
-
-Name of the endpoint under the profile which is unique globally.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `endpointProperties`
-
-Endpoint properties (see https://learn.microsoft.com/en-us/azure/templates/microsoft.cdn/profiles/endpoints?pivots=deployment-language-bicep#endpointproperties for details).
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `location`
-
-Location for all Resources.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-### Parameter: `lock`
-
-The lock settings of the service.
-
-- Required: No
-- Type: object
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`kind`](#parameter-lockkind) | string | Specify the type of lock. |
-| [`name`](#parameter-lockname) | string | Specify the name of lock. |
-
-### Parameter: `lock.kind`
-
-Specify the type of lock.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'CanNotDelete'
- 'None'
- 'ReadOnly'
- ]
- ```
-
-### Parameter: `lock.name`
-
-Specify the name of lock.
-
-- Required: No
-- Type: string
-
-### Parameter: `originResponseTimeoutSeconds`
-
-Send and receive timeout on forwarding request to the origin.
-
-- Required: No
-- Type: int
-- Default: `60`
-
-### Parameter: `roleAssignments`
-
-Array of role assignments to create.
-
-- Required: No
-- Type: array
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
-| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. |
-| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. |
-| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. |
-| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. |
-
-### Parameter: `roleAssignments.principalId`
-
-The principal ID of the principal (user/group/identity) to assign the role to.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.roleDefinitionIdOrName`
-
-The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.condition`
-
-The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.conditionVersion`
-
-Version of the condition.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- '2.0'
- ]
- ```
-
-### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
-
-The Resource Id of the delegated managed identity resource.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.description`
-
-The description of the role assignment.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.principalType`
-
-The principal type of the assigned principal ID.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Device'
- 'ForeignGroup'
- 'Group'
- 'ServicePrincipal'
- 'User'
- ]
- ```
-
-### Parameter: `ruleSets`
-
-Array of rule set objects.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `secrets`
-
-Array of secret objects.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `tags`
-
-Endpoint tags.
-
-- Required: No
-- Type: object
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the CDN profile. |
-| `profileType` | string | The type of the CDN profile. |
-| `resourceGroupName` | string | The resource group where the CDN profile is deployed. |
-| `resourceId` | string | The resource ID of the CDN profile. |
-
-## Cross-referenced modules
-
-_None_
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/cdn/profile/afdEndpoint/README.md b/modules/cdn/profile/afdEndpoint/README.md
deleted file mode 100644
index e2fc892ecc..0000000000
--- a/modules/cdn/profile/afdEndpoint/README.md
+++ /dev/null
@@ -1,133 +0,0 @@
-# CDN Profiles AFD Endpoints `[Microsoft.Cdn/profiles/afdEndpoints]`
-
-This module deploys a CDN Profile AFD Endpoint.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Cdn/profiles/afdEndpoints` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2023-05-01/profiles/afdEndpoints) |
-| `Microsoft.Cdn/profiles/afdEndpoints/routes` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2023-05-01/profiles/afdEndpoints/routes) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the AFD Endpoint. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`profileName`](#parameter-profilename) | string | The name of the parent CDN profile. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`autoGeneratedDomainNameLabelScope`](#parameter-autogenerateddomainnamelabelscope) | string | Indicates the endpoint name reuse scope. The default value is TenantReuse. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`enabledState`](#parameter-enabledstate) | string | Indicates whether the AFD Endpoint is enabled. The default value is Enabled. |
-| [`location`](#parameter-location) | string | The location of the AFD Endpoint. |
-| [`routes`](#parameter-routes) | array | The list of routes for this AFD Endpoint. |
-| [`tags`](#parameter-tags) | object | The tags of the AFD Endpoint. |
-
-### Parameter: `name`
-
-The name of the AFD Endpoint.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `profileName`
-
-The name of the parent CDN profile. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `autoGeneratedDomainNameLabelScope`
-
-Indicates the endpoint name reuse scope. The default value is TenantReuse.
-
-- Required: No
-- Type: string
-- Default: `'TenantReuse'`
-- Allowed:
- ```Bicep
- [
- 'NoReuse'
- 'ResourceGroupReuse'
- 'SubscriptionReuse'
- 'TenantReuse'
- ]
- ```
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `enabledState`
-
-Indicates whether the AFD Endpoint is enabled. The default value is Enabled.
-
-- Required: No
-- Type: string
-- Default: `'Enabled'`
-- Allowed:
- ```Bicep
- [
- 'Disabled'
- 'Enabled'
- ]
- ```
-
-### Parameter: `location`
-
-The location of the AFD Endpoint.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-### Parameter: `routes`
-
-The list of routes for this AFD Endpoint.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `tags`
-
-The tags of the AFD Endpoint.
-
-- Required: No
-- Type: object
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the AFD Endpoint. |
-| `resourceGroupName` | string | The name of the resource group the endpoint was created in. |
-| `resourceId` | string | The resource id of the AFD Endpoint. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/cdn/profile/afdEndpoint/main.bicep b/modules/cdn/profile/afdEndpoint/main.bicep
deleted file mode 100644
index 92a40f407e..0000000000
--- a/modules/cdn/profile/afdEndpoint/main.bicep
+++ /dev/null
@@ -1,98 +0,0 @@
-metadata name = 'CDN Profiles AFD Endpoints'
-metadata description = 'This module deploys a CDN Profile AFD Endpoint.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the AFD Endpoint.')
-param name string
-
-@description('Conditional. The name of the parent CDN profile. Required if the template is used in a standalone deployment.')
-param profileName string
-
-@description('Optional. The location of the AFD Endpoint.')
-param location string = resourceGroup().location
-
-@description('Optional. The tags of the AFD Endpoint.')
-param tags object?
-
-@description('Optional. Indicates the endpoint name reuse scope. The default value is TenantReuse.')
-@allowed([
- 'NoReuse'
- 'ResourceGroupReuse'
- 'SubscriptionReuse'
- 'TenantReuse'
-])
-param autoGeneratedDomainNameLabelScope string = 'TenantReuse'
-
-@description('Optional. Indicates whether the AFD Endpoint is enabled. The default value is Enabled.')
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-param enabledState string = 'Enabled'
-
-@description('Optional. The list of routes for this AFD Endpoint.')
-param routes array = []
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-var enableReferencedModulesTelemetry = false
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource profile 'Microsoft.Cdn/profiles@2023-05-01' existing = {
- name: profileName
-}
-
-resource afd_endpoint 'Microsoft.Cdn/profiles/afdEndpoints@2023-05-01' = {
- name: name
- parent: profile
- location: location
- tags: tags
- properties: {
- autoGeneratedDomainNameLabelScope: autoGeneratedDomainNameLabelScope
- enabledState: enabledState
- }
-}
-
-module afd_endpoint_route 'route/main.bicep' = [for route in routes: {
- name: '${uniqueString(deployment().name, route.name)}-Profile-AfdEndpoint-Route'
- params: {
- name: route.name
- profileName: profile.name
- afdEndpointName: afd_endpoint.name
- cacheConfiguration: contains(route, 'cacheConfiguration') ? route.cacheConfiguration : null
- customDomainName: contains(route, 'customDomainName') ? route.customDomainName : ''
- enabledState: contains(route, 'enabledState') ? route.enabledState : 'Enabled'
- forwardingProtocol: contains(route, 'forwardingProtocol') ? route.forwardingProtocol : 'MatchRequest'
- httpsRedirect: contains(route, 'httpsRedirect') ? route.httpsRedirect : 'Enabled'
- linkToDefaultDomain: contains(route, 'linkToDefaultDomain') ? route.linkToDefaultDomain : 'Enabled'
- originGroupName: contains(route, 'originGroupName') ? route.originGroupName : ''
- originPath: contains(route, 'originPath') ? route.originPath : ''
- patternsToMatch: contains(route, 'patternsToMatch') ? route.patternsToMatch : []
- ruleSets: contains(route, 'ruleSets') ? route.ruleSets : []
- supportedProtocols: contains(route, 'supportedProtocols') ? route.supportedProtocols : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-@description('The name of the AFD Endpoint.')
-output name string = afd_endpoint.name
-
-@description('The resource id of the AFD Endpoint.')
-output resourceId string = afd_endpoint.id
-
-@description('The name of the resource group the endpoint was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = afd_endpoint.location
diff --git a/modules/cdn/profile/afdEndpoint/main.json b/modules/cdn/profile/afdEndpoint/main.json
deleted file mode 100644
index 327752a035..0000000000
--- a/modules/cdn/profile/afdEndpoint/main.json
+++ /dev/null
@@ -1,399 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "9151451101933620806" - }, - "name": "CDN Profiles AFD Endpoints", - "description": "This module deploys a CDN Profile AFD Endpoint.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the AFD Endpoint." - } - }, - "profileName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent CDN profile. Required if the template is used in a standalone deployment." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. The location of the AFD Endpoint." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. The tags of the AFD Endpoint." - } - }, - "autoGeneratedDomainNameLabelScope": { - "type": "string", - "defaultValue": "TenantReuse", - "allowedValues": [ - "NoReuse", - "ResourceGroupReuse", - "SubscriptionReuse", - "TenantReuse" - ], - "metadata": { - "description": "Optional. Indicates the endpoint name reuse scope. The default value is TenantReuse." - } - }, - "enabledState": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Indicates whether the AFD Endpoint is enabled. The default value is Enabled." - } - }, - "routes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of routes for this AFD Endpoint." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "profile": { - "existing": true, - "type": "Microsoft.Cdn/profiles", - "apiVersion": "2023-05-01", - "name": "[parameters('profileName')]" - }, - "afd_endpoint": { - "type": "Microsoft.Cdn/profiles/afdEndpoints", - "apiVersion": "2023-05-01", - "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "autoGeneratedDomainNameLabelScope": "[parameters('autoGeneratedDomainNameLabelScope')]", - "enabledState": "[parameters('enabledState')]" - }, - "dependsOn": [ - "profile" - ] - }, - "afd_endpoint_route": { - "copy": { - "name": "afd_endpoint_route", - "count": "[length(parameters('routes'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Profile-AfdEndpoint-Route', uniqueString(deployment().name, parameters('routes')[copyIndex()].name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('routes')[copyIndex()].name]" - }, - "profileName": { - "value": "[parameters('profileName')]" - }, - "afdEndpointName": { - "value": "[parameters('name')]" - }, - "cacheConfiguration": "[if(contains(parameters('routes')[copyIndex()], 'cacheConfiguration'), createObject('value', parameters('routes')[copyIndex()].cacheConfiguration), 
createObject('value', null()))]", - "customDomainName": "[if(contains(parameters('routes')[copyIndex()], 'customDomainName'), createObject('value', parameters('routes')[copyIndex()].customDomainName), createObject('value', ''))]", - "enabledState": "[if(contains(parameters('routes')[copyIndex()], 'enabledState'), createObject('value', parameters('routes')[copyIndex()].enabledState), createObject('value', 'Enabled'))]", - "forwardingProtocol": "[if(contains(parameters('routes')[copyIndex()], 'forwardingProtocol'), createObject('value', parameters('routes')[copyIndex()].forwardingProtocol), createObject('value', 'MatchRequest'))]", - "httpsRedirect": "[if(contains(parameters('routes')[copyIndex()], 'httpsRedirect'), createObject('value', parameters('routes')[copyIndex()].httpsRedirect), createObject('value', 'Enabled'))]", - "linkToDefaultDomain": "[if(contains(parameters('routes')[copyIndex()], 'linkToDefaultDomain'), createObject('value', parameters('routes')[copyIndex()].linkToDefaultDomain), createObject('value', 'Enabled'))]", - "originGroupName": "[if(contains(parameters('routes')[copyIndex()], 'originGroupName'), createObject('value', parameters('routes')[copyIndex()].originGroupName), createObject('value', ''))]", - "originPath": "[if(contains(parameters('routes')[copyIndex()], 'originPath'), createObject('value', parameters('routes')[copyIndex()].originPath), createObject('value', ''))]", - "patternsToMatch": "[if(contains(parameters('routes')[copyIndex()], 'patternsToMatch'), createObject('value', parameters('routes')[copyIndex()].patternsToMatch), createObject('value', createArray()))]", - "ruleSets": "[if(contains(parameters('routes')[copyIndex()], 'ruleSets'), createObject('value', parameters('routes')[copyIndex()].ruleSets), createObject('value', createArray()))]", - "supportedProtocols": "[if(contains(parameters('routes')[copyIndex()], 'supportedProtocols'), createObject('value', parameters('routes')[copyIndex()].supportedProtocols), 
createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "1534020105352910282" - }, - "name": "CDN Profiles AFD Endpoint Route", - "description": "This module deploys a CDN Profile AFD Endpoint route.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the route." - } - }, - "profileName": { - "type": "string", - "metadata": { - "description": "Required. The name of the parent CDN profile." - } - }, - "afdEndpointName": { - "type": "string", - "metadata": { - "description": "Required. The name of the AFD endpoint." - } - }, - "cacheConfiguration": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The caching configuration for this route. To disable caching, do not provide a cacheConfiguration object." - } - }, - "customDomainName": { - "type": "string", - "metadata": { - "description": "Optional. The name of the custom domain. The custom domain must be defined in the profile customDomains." - } - }, - "forwardingProtocol": { - "type": "string", - "defaultValue": "MatchRequest", - "allowedValues": [ - "HttpOnly", - "HttpsOnly", - "MatchRequest" - ], - "metadata": { - "description": "Optional. The protocol this rule will use when forwarding traffic to backends." - } - }, - "enabledState": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Whether this route is enabled." 
- } - }, - "httpsRedirect": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Whether to automatically redirect HTTP traffic to HTTPS traffic." - } - }, - "linkToDefaultDomain": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Whether this route will be linked to the default endpoint domain." - } - }, - "originGroupName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Required. The name of the origin group. The origin group must be defined in the profile originGroups." - } - }, - "originPath": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. A directory path on the origin that AzureFrontDoor can use to retrieve content from, e.g. contoso.cloudapp.net/originpath." - } - }, - "patternsToMatch": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The route patterns of the rule." - } - }, - "ruleSets": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The rule sets of the rule. The rule sets must be defined in the profile ruleSets." - } - }, - "supportedProtocols": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "Http", - "Https" - ], - "metadata": { - "description": "Optional. The supported protocols of the rule." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Cdn/profiles/afdEndpoints/routes", - "apiVersion": "2023-05-01", - "name": "[format('{0}/{1}/{2}', parameters('profileName'), parameters('afdEndpointName'), parameters('name'))]", - "properties": { - "copy": [ - { - "name": "ruleSets", - "count": "[length(parameters('ruleSets'))]", - "input": { - "id": "[resourceId('Microsoft.Cdn/profiles/ruleSets', parameters('profileName'), parameters('ruleSets')[copyIndex('ruleSets')].name)]" - } - } - ], - "cacheConfiguration": "[if(not(empty(parameters('cacheConfiguration'))), parameters('cacheConfiguration'), null())]", - "customDomains": "[if(not(empty(parameters('customDomainName'))), createArray(createObject('id', resourceId('Microsoft.Cdn/profiles/customDomains', parameters('profileName'), parameters('customDomainName')))), createArray())]", - "enabledState": "[parameters('enabledState')]", - "forwardingProtocol": "[parameters('forwardingProtocol')]", - "httpsRedirect": "[parameters('httpsRedirect')]", - "linkToDefaultDomain": "[parameters('linkToDefaultDomain')]", - "originGroup": { - "id": "[resourceId('Microsoft.Cdn/profiles/originGroups', parameters('profileName'), parameters('originGroupName'))]" - }, - "originPath": "[if(not(empty(parameters('originPath'))), parameters('originPath'), null())]", - "patternsToMatch": "[parameters('patternsToMatch')]", - "supportedProtocols": "[if(not(empty(parameters('supportedProtocols'))), parameters('supportedProtocols'), null())]" - } - } - ], - "outputs": { - "name": { - "type": 
"string", - "metadata": { - "description": "The name of the route." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The ID of the route." - }, - "value": "[resourceId('Microsoft.Cdn/profiles/afdEndpoints/routes', parameters('profileName'), parameters('afdEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the route was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "afd_endpoint", - "profile" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the AFD Endpoint." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource id of the AFD Endpoint." - }, - "value": "[resourceId('Microsoft.Cdn/profiles/afdEndpoints', parameters('profileName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the endpoint was created in." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('afd_endpoint', '2023-05-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/cdn/profile/afdEndpoint/route/README.md b/modules/cdn/profile/afdEndpoint/route/README.md deleted file mode 100644 index 3591e2f9c4..0000000000 --- a/modules/cdn/profile/afdEndpoint/route/README.md +++ /dev/null 
@@ -1,208 +0,0 @@
-# CDN Profiles AFD Endpoint Route `[Microsoft.Cdn/profiles/afdEndpoints/routes]`
-
-This module deploys a CDN Profile AFD Endpoint route.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Cdn/profiles/afdEndpoints/routes` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2023-05-01/profiles/afdEndpoints/routes) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`afdEndpointName`](#parameter-afdendpointname) | string | The name of the AFD endpoint. |
-| [`name`](#parameter-name) | string | The name of the route. |
-| [`originGroupName`](#parameter-origingroupname) | string | The name of the origin group. The origin group must be defined in the profile originGroups. |
-| [`profileName`](#parameter-profilename) | string | The name of the parent CDN profile. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`cacheConfiguration`](#parameter-cacheconfiguration) | object | The caching configuration for this route. To disable caching, do not provide a cacheConfiguration object. |
-| [`customDomainName`](#parameter-customdomainname) | string | The name of the custom domain. The custom domain must be defined in the profile customDomains. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`enabledState`](#parameter-enabledstate) | string | Whether this route is enabled. |
-| [`forwardingProtocol`](#parameter-forwardingprotocol) | string | The protocol this rule will use when forwarding traffic to backends. |
-| [`httpsRedirect`](#parameter-httpsredirect) | string | Whether to automatically redirect HTTP traffic to HTTPS traffic. |
-| [`linkToDefaultDomain`](#parameter-linktodefaultdomain) | string | Whether this route will be linked to the default endpoint domain. |
-| [`originPath`](#parameter-originpath) | string | A directory path on the origin that AzureFrontDoor can use to retrieve content from, e.g. contoso.cloudapp.net/originpath. |
-| [`patternsToMatch`](#parameter-patternstomatch) | array | The route patterns of the rule. |
-| [`ruleSets`](#parameter-rulesets) | array | The rule sets of the rule. The rule sets must be defined in the profile ruleSets. |
-| [`supportedProtocols`](#parameter-supportedprotocols) | array | The supported protocols of the rule. |
-
-### Parameter: `afdEndpointName`
-
-The name of the AFD endpoint.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `name`
-
-The name of the route.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `originGroupName`
-
-The name of the origin group. The origin group must be defined in the profile originGroups.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `profileName`
-
-The name of the parent CDN profile.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `cacheConfiguration`
-
-The caching configuration for this route. To disable caching, do not provide a cacheConfiguration object.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `customDomainName`
-
-The name of the custom domain. The custom domain must be defined in the profile customDomains.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `enabledState`
-
-Whether this route is enabled.
-
-- Required: No
-- Type: string
-- Default: `'Enabled'`
-- Allowed:
- ```Bicep
- [
- 'Disabled'
- 'Enabled'
- ]
- ```
-
-### Parameter: `forwardingProtocol`
-
-The protocol this rule will use when forwarding traffic to backends.
-
-- Required: No
-- Type: string
-- Default: `'MatchRequest'`
-- Allowed:
- ```Bicep
- [
- 'HttpOnly'
- 'HttpsOnly'
- 'MatchRequest'
- ]
- ```
-
-### Parameter: `httpsRedirect`
-
-Whether to automatically redirect HTTP traffic to HTTPS traffic.
-
-- Required: No
-- Type: string
-- Default: `'Enabled'`
-- Allowed:
- ```Bicep
- [
- 'Disabled'
- 'Enabled'
- ]
- ```
-
-### Parameter: `linkToDefaultDomain`
-
-Whether this route will be linked to the default endpoint domain.
-
-- Required: No
-- Type: string
-- Default: `'Enabled'`
-- Allowed:
- ```Bicep
- [
- 'Disabled'
- 'Enabled'
- ]
- ```
-
-### Parameter: `originPath`
-
-A directory path on the origin that AzureFrontDoor can use to retrieve content from, e.g. contoso.cloudapp.net/originpath.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `patternsToMatch`
-
-The route patterns of the rule.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `ruleSets`
-
-The rule sets of the rule. The rule sets must be defined in the profile ruleSets.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `supportedProtocols`
-
-The supported protocols of the rule.
-
-- Required: No
-- Type: array
-- Default: `[]`
-- Allowed:
- ```Bicep
- [
- 'Http'
- 'Https'
- ]
- ```
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the route. |
-| `resourceGroupName` | string | The name of the resource group the route was created in. |
-| `resourceId` | string | The ID of the route. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/cdn/profile/afdEndpoint/route/main.bicep b/modules/cdn/profile/afdEndpoint/route/main.bicep
deleted file mode 100644
index 8d919e4a00..0000000000
--- a/modules/cdn/profile/afdEndpoint/route/main.bicep
+++ /dev/null
@@ -1,131 +0,0 @@
-metadata name = 'CDN Profiles AFD Endpoint Route'
-metadata description = 'This module deploys a CDN Profile AFD Endpoint route.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the route.')
-param name string
-
-@description('Required. The name of the parent CDN profile.')
-param profileName string
-
-@description('Required. The name of the AFD endpoint.')
-param afdEndpointName string
-
-@description('Optional. The caching configuration for this route. To disable caching, do not provide a cacheConfiguration object.')
-param cacheConfiguration object = {}
-
-@description('Optional. The name of the custom domain. The custom domain must be defined in the profile customDomains.')
-param customDomainName string
-
-@allowed([
- 'HttpOnly'
- 'HttpsOnly'
- 'MatchRequest'
-])
-@description('Optional. The protocol this rule will use when forwarding traffic to backends.')
-param forwardingProtocol string = 'MatchRequest'
-
-@allowed([
- 'Disabled'
- 'Enabled'
-])
-@description('Optional. Whether this route is enabled.')
-param enabledState string = 'Enabled'
-
-@allowed([
- 'Disabled'
- 'Enabled'
-])
-@description('Optional. Whether to automatically redirect HTTP traffic to HTTPS traffic.')
-param httpsRedirect string = 'Enabled'
-
-@allowed([
- 'Disabled'
- 'Enabled'
-])
-@description('Optional. Whether this route will be linked to the default endpoint domain.')
-param linkToDefaultDomain string = 'Enabled'
-
-@description('Required. The name of the origin group. The origin group must be defined in the profile originGroups.')
-param originGroupName string = ''
-
-@description('Optional. A directory path on the origin that AzureFrontDoor can use to retrieve content from, e.g. contoso.cloudapp.net/originpath.')
-param originPath string = ''
-
-@description('Optional. The route patterns of the rule.')
-param patternsToMatch array = []
-
-@description('Optional. The rule sets of the rule. The rule sets must be defined in the profile ruleSets.')
-param ruleSets array = []
-
-@allowed([ 'Http', 'Https' ])
-@description('Optional. The supported protocols of the rule.')
-param supportedProtocols array = []
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource profile 'Microsoft.Cdn/profiles@2023-05-01' existing = {
- name: profileName
-
- resource afd_endpoint 'afdEndpoints@2023-05-01' existing = {
- name: afdEndpointName
- }
-
- resource custom_domain 'customDomains@2023-05-01' existing = if (!empty(customDomainName)) {
- name: customDomainName
- }
-
- resource originGroup 'originGroups@2023-05-01' existing = {
- name: originGroupName
- }
-
- resource rule_set 'ruleSets@2023-05-01' existing = [for ruleSet in ruleSets: {
- name: ruleSet.name
- }]
-}
-
-resource afd_endpoint_route 'Microsoft.Cdn/profiles/afdEndpoints/routes@2023-05-01' = {
- name: name
- parent: profile::afd_endpoint
- properties: {
- cacheConfiguration: !empty(cacheConfiguration) ? cacheConfiguration : null
- customDomains: !empty(customDomainName) ? [ {
- id: profile::custom_domain.id
- } ] : []
- enabledState: enabledState
- forwardingProtocol: forwardingProtocol
- httpsRedirect: httpsRedirect
- linkToDefaultDomain: linkToDefaultDomain
- originGroup: {
- id: profile::originGroup.id
- }
- originPath: !empty(originPath) ? originPath : null
- patternsToMatch: patternsToMatch
- ruleSets: [for (item, index) in ruleSets: {
- id: profile::rule_set[index].id
- }]
- supportedProtocols: !empty(supportedProtocols) ? supportedProtocols : null
- }
-}
-
-@description('The name of the route.')
-output name string = afd_endpoint_route.name
-
-@description('The ID of the route.')
-output resourceId string = afd_endpoint_route.id
-
-@description('The name of the resource group the route was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/cdn/profile/afdEndpoint/route/main.json b/modules/cdn/profile/afdEndpoint/route/main.json
deleted file mode 100644
index 570e2b6db9..0000000000
--- a/modules/cdn/profile/afdEndpoint/route/main.json
+++ /dev/null
@@ -1,205 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "1534020105352910282" - }, - "name": "CDN Profiles AFD Endpoint Route", - "description": "This module deploys a CDN Profile AFD Endpoint route.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the route." - } - }, - "profileName": { - "type": "string", - "metadata": { - "description": "Required. The name of the parent CDN profile." - } - }, - "afdEndpointName": { - "type": "string", - "metadata": { - "description": "Required. The name of the AFD endpoint." - } - }, - "cacheConfiguration": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The caching configuration for this route. To disable caching, do not provide a cacheConfiguration object." - } - }, - "customDomainName": { - "type": "string", - "metadata": { - "description": "Optional. The name of the custom domain. The custom domain must be defined in the profile customDomains." - } - }, - "forwardingProtocol": { - "type": "string", - "defaultValue": "MatchRequest", - "allowedValues": [ - "HttpOnly", - "HttpsOnly", - "MatchRequest" - ], - "metadata": { - "description": "Optional. The protocol this rule will use when forwarding traffic to backends." - } - }, - "enabledState": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Whether this route is enabled." - } - }, - "httpsRedirect": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Whether to automatically redirect HTTP traffic to HTTPS traffic." 
- } - }, - "linkToDefaultDomain": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Whether this route will be linked to the default endpoint domain." - } - }, - "originGroupName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Required. The name of the origin group. The origin group must be defined in the profile originGroups." - } - }, - "originPath": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. A directory path on the origin that AzureFrontDoor can use to retrieve content from, e.g. contoso.cloudapp.net/originpath." - } - }, - "patternsToMatch": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The route patterns of the rule." - } - }, - "ruleSets": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The rule sets of the rule. The rule sets must be defined in the profile ruleSets." - } - }, - "supportedProtocols": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "Http", - "Https" - ], - "metadata": { - "description": "Optional. The supported protocols of the rule." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Cdn/profiles/afdEndpoints/routes", - "apiVersion": "2023-05-01", - "name": "[format('{0}/{1}/{2}', parameters('profileName'), parameters('afdEndpointName'), parameters('name'))]", - "properties": { - "copy": [ - { - "name": "ruleSets", - "count": "[length(parameters('ruleSets'))]", - "input": { - "id": "[resourceId('Microsoft.Cdn/profiles/ruleSets', parameters('profileName'), parameters('ruleSets')[copyIndex('ruleSets')].name)]" - } - } - ], - "cacheConfiguration": "[if(not(empty(parameters('cacheConfiguration'))), parameters('cacheConfiguration'), null())]", - "customDomains": "[if(not(empty(parameters('customDomainName'))), createArray(createObject('id', resourceId('Microsoft.Cdn/profiles/customDomains', parameters('profileName'), parameters('customDomainName')))), createArray())]", - "enabledState": "[parameters('enabledState')]", - "forwardingProtocol": "[parameters('forwardingProtocol')]", - "httpsRedirect": "[parameters('httpsRedirect')]", - "linkToDefaultDomain": "[parameters('linkToDefaultDomain')]", - "originGroup": { - "id": "[resourceId('Microsoft.Cdn/profiles/originGroups', parameters('profileName'), parameters('originGroupName'))]" - }, - "originPath": "[if(not(empty(parameters('originPath'))), parameters('originPath'), null())]", - "patternsToMatch": "[parameters('patternsToMatch')]", - "supportedProtocols": "[if(not(empty(parameters('supportedProtocols'))), parameters('supportedProtocols'), null())]" - } - } - ], - "outputs": { - "name": { - "type": 
"string", - "metadata": { - "description": "The name of the route." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The ID of the route." - }, - "value": "[resourceId('Microsoft.Cdn/profiles/afdEndpoints/routes', parameters('profileName'), parameters('afdEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the route was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/cdn/profile/afdEndpoint/route/version.json b/modules/cdn/profile/afdEndpoint/route/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/cdn/profile/afdEndpoint/route/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/cdn/profile/afdEndpoint/version.json b/modules/cdn/profile/afdEndpoint/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/cdn/profile/afdEndpoint/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/cdn/profile/customdomain/README.md b/modules/cdn/profile/customdomain/README.md deleted file mode 100644 index 2e727b796e..0000000000 --- a/modules/cdn/profile/customdomain/README.md +++ /dev/null 
@@ -1,146 +0,0 @@
-# CDN Profiles Custom Domains `[Microsoft.Cdn/profiles/customDomains]`
-
-This module deploys a CDN Profile Custom Domains.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Cdn/profiles/customDomains` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2023-05-01/profiles/customDomains) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`certificateType`](#parameter-certificatetype) | string | The type of the certificate used for secure delivery. |
-| [`hostName`](#parameter-hostname) | string | The host name of the domain. Must be a domain name. |
-| [`name`](#parameter-name) | string | The name of the custom domain. |
-| [`profileName`](#parameter-profilename) | string | The name of the CDN profile. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`extendedProperties`](#parameter-extendedproperties) | object | Key-Value pair representing migration properties for domains. |
-| [`minimumTlsVersion`](#parameter-minimumtlsversion) | string | The minimum TLS version required for the custom domain. Default value: TLS12. |
-| [`preValidatedCustomDomainResourceId`](#parameter-prevalidatedcustomdomainresourceid) | string | Resource reference to the Azure resource where custom domain ownership was prevalidated. |
-| [`secretName`](#parameter-secretname) | string | The name of the secret. ie. subs/rg/profile/secret.
|
-
-**Optonal parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`azureDnsZoneResourceId`](#parameter-azurednszoneresourceid) | string | Resource reference to the Azure DNS zone. |
-
-### Parameter: `certificateType`
-
-The type of the certificate used for secure delivery.
-
-- Required: Yes
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'CustomerCertificate'
- 'ManagedCertificate'
- ]
- ```
-
-### Parameter: `hostName`
-
-The host name of the domain. Must be a domain name.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `name`
-
-The name of the custom domain.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `profileName`
-
-The name of the CDN profile.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `extendedProperties`
-
-Key-Value pair representing migration properties for domains.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `minimumTlsVersion`
-
-The minimum TLS version required for the custom domain. Default value: TLS12.
-
-- Required: No
-- Type: string
-- Default: `'TLS12'`
-- Allowed:
- ```Bicep
- [
- 'TLS10'
- 'TLS12'
- ]
- ```
-
-### Parameter: `preValidatedCustomDomainResourceId`
-
-Resource reference to the Azure resource where custom domain ownership was prevalidated.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `secretName`
-
-The name of the secret. ie. subs/rg/profile/secret.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `azureDnsZoneResourceId`
-
-Resource reference to the Azure DNS zone.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the custom domain. |
-| `resourceGroupName` | string | The name of the resource group the custom domain was created in.
|
-| `resourceId` | string | The resource id of the custom domain. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/cdn/profile/customdomain/main.bicep b/modules/cdn/profile/customdomain/main.bicep
deleted file mode 100644
index 63be21a3bb..0000000000
--- a/modules/cdn/profile/customdomain/main.bicep
+++ /dev/null
@@ -1,92 +0,0 @@
-metadata name = 'CDN Profiles Custom Domains'
-metadata description = 'This module deploys a CDN Profile Custom Domains.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the custom domain.')
-param name string
-
-@description('Required. The name of the CDN profile.')
-param profileName string
-
-@description('Required. The host name of the domain. Must be a domain name.')
-param hostName string
-
-@description('Optonal. Resource reference to the Azure DNS zone.')
-param azureDnsZoneResourceId string = ''
-
-@description('Optional. Key-Value pair representing migration properties for domains.')
-param extendedProperties object = {}
-
-@description('Optional. Resource reference to the Azure resource where custom domain ownership was prevalidated.')
-param preValidatedCustomDomainResourceId string = ''
-
-@allowed([
- 'CustomerCertificate'
- 'ManagedCertificate'
-])
-@description('Required. The type of the certificate used for secure delivery.')
-param certificateType string
-
-@allowed([
- 'TLS10'
- 'TLS12'
-])
-@description('Optional. The minimum TLS version required for the custom domain. Default value: TLS12.')
-param minimumTlsVersion string = 'TLS12'
-
-@description('Optional. The name of the secret. ie. subs/rg/profile/secret.')
-param secretName string = ''
-
-@description('Optional.
Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource profile 'Microsoft.Cdn/profiles@2023-05-01' existing = {
- name: profileName
-
- resource profile_secrect 'secrets@2023-05-01' existing = if (!empty(secretName)) {
- name: secretName
- }
-}
-
-resource profile_custom_domain 'Microsoft.Cdn/profiles/customDomains@2023-05-01' = {
- name: name
- parent: profile
- properties: {
- azureDnsZone: !empty(azureDnsZoneResourceId) ? {
- id: azureDnsZoneResourceId
- } : null
- extendedProperties: !empty(extendedProperties) ? extendedProperties : null
- hostName: hostName
- preValidatedCustomDomainResourceId: !empty(preValidatedCustomDomainResourceId) ? {
- id: preValidatedCustomDomainResourceId
- } : null
- tlsSettings: {
- certificateType: certificateType
- minimumTlsVersion: minimumTlsVersion
- secret: !(empty(secretName)) ? {
- id: profile::profile_secrect.id
- } : null
- }
- }
-}
-
-@description('The name of the custom domain.')
-output name string = profile_custom_domain.name
-
-@description('The resource id of the custom domain.')
-output resourceId string = profile_custom_domain.id
-
-@description('The name of the resource group the custom domain was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/cdn/profile/customdomain/main.json b/modules/cdn/profile/customdomain/main.json
deleted file mode 100644
index f60ead03f4..0000000000
--- a/modules/cdn/profile/customdomain/main.json
+++ /dev/null
@@ -1,145 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "14020917186794999695" - }, - "name": "CDN Profiles Custom Domains", - "description": "This module deploys a CDN Profile Custom Domains.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the custom domain." - } - }, - "profileName": { - "type": "string", - "metadata": { - "description": "Required. The name of the CDN profile." - } - }, - "hostName": { - "type": "string", - "metadata": { - "description": "Required. The host name of the domain. Must be a domain name." - } - }, - "azureDnsZoneResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optonal. Resource reference to the Azure DNS zone." - } - }, - "extendedProperties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Key-Value pair representing migration properties for domains." - } - }, - "preValidatedCustomDomainResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource reference to the Azure resource where custom domain ownership was prevalidated." - } - }, - "certificateType": { - "type": "string", - "allowedValues": [ - "CustomerCertificate", - "ManagedCertificate" - ], - "metadata": { - "description": "Required. The type of the certificate used for secure delivery." - } - }, - "minimumTlsVersion": { - "type": "string", - "defaultValue": "TLS12", - "allowedValues": [ - "TLS10", - "TLS12" - ], - "metadata": { - "description": "Optional. The minimum TLS version required for the custom domain. Default value: TLS12." - } - }, - "secretName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
The name of the secret. ie. subs/rg/profile/secret." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Cdn/profiles/customDomains", - "apiVersion": "2023-05-01", - "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]", - "properties": { - "azureDnsZone": "[if(not(empty(parameters('azureDnsZoneResourceId'))), createObject('id', parameters('azureDnsZoneResourceId')), null())]", - "extendedProperties": "[if(not(empty(parameters('extendedProperties'))), parameters('extendedProperties'), null())]", - "hostName": "[parameters('hostName')]", - "preValidatedCustomDomainResourceId": "[if(not(empty(parameters('preValidatedCustomDomainResourceId'))), createObject('id', parameters('preValidatedCustomDomainResourceId')), null())]", - "tlsSettings": { - "certificateType": "[parameters('certificateType')]", - "minimumTlsVersion": "[parameters('minimumTlsVersion')]", - "secret": "[if(not(empty(parameters('secretName'))), createObject('id', resourceId('Microsoft.Cdn/profiles/secrets', parameters('profileName'), parameters('secretName'))), null())]" - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the custom domain." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource id of the custom domain." - }, - "value": "[resourceId('Microsoft.Cdn/profiles/customDomains', parameters('profileName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the custom domain was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file
diff --git a/modules/cdn/profile/customdomain/version.json b/modules/cdn/profile/customdomain/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/cdn/profile/customdomain/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/cdn/profile/endpoint/README.md b/modules/cdn/profile/endpoint/README.md
deleted file mode 100644
index 2ed256dbe2..0000000000
--- a/modules/cdn/profile/endpoint/README.md
+++ /dev/null
@@ -1,99 +0,0 @@
-# CDN Profiles Endpoints `[Microsoft.Cdn/profiles/endpoints]`
-
-This module deploys a CDN Profile Endpoint.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Cdn/profiles/endpoints` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2021-06-01/profiles/endpoints) |
-| `Microsoft.Cdn/profiles/endpoints/origins` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2021-06-01/profiles/endpoints/origins) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | Name of the endpoint under the profile which is unique globally. |
-| [`properties`](#parameter-properties) | object | Endpoint properties (see https://learn.microsoft.com/en-us/azure/templates/microsoft.cdn/profiles/endpoints?pivots=deployment-language-bicep#endpointproperties for details). |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`profileName`](#parameter-profilename) | string | The name of the parent CDN profile. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`location`](#parameter-location) | string | Resource location. |
-| [`tags`](#parameter-tags) | object | Endpoint tags. |
-
-### Parameter: `name`
-
-Name of the endpoint under the profile which is unique globally.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `properties`
-
-Endpoint properties (see https://learn.microsoft.com/en-us/azure/templates/microsoft.cdn/profiles/endpoints?pivots=deployment-language-bicep#endpointproperties for details).
-
-- Required: Yes
-- Type: object
-
-### Parameter: `profileName`
-
-The name of the parent CDN profile. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `location`
-
-Resource location.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-### Parameter: `tags`
-
-Endpoint tags.
-
-- Required: No
-- Type: object
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `endpointProperties` | object | The properties of the endpoint. |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the endpoint. |
-| `resourceGroupName` | string | The name of the resource group the endpoint was created in. |
-| `resourceId` | string | The resource ID of the endpoint. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/cdn/profile/endpoint/main.bicep b/modules/cdn/profile/endpoint/main.bicep
deleted file mode 100644
index 83793f9da5..0000000000
--- a/modules/cdn/profile/endpoint/main.bicep
+++ /dev/null
@@ -1,82 +0,0 @@
-metadata name = 'CDN Profiles Endpoints'
-metadata description = 'This module deploys a CDN Profile Endpoint.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent CDN profile. Required if the template is used in a standalone deployment.')
-param profileName string
-
-@description('Required. Name of the endpoint under the profile which is unique globally.')
-param name string
-
-@description('Optional. Resource location.')
-param location string = resourceGroup().location
-
-@description('Required. Endpoint properties (see https://learn.microsoft.com/en-us/azure/templates/microsoft.cdn/profiles/endpoints?pivots=deployment-language-bicep#endpointproperties for details).')
-param properties object
-
-@description('Optional. Endpoint tags.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource profile 'Microsoft.Cdn/profiles@2021-06-01' existing = {
- name: profileName
-}
-
-resource endpoint 'microsoft.cdn/profiles/endpoints@2021-06-01' = {
- parent: profile
- name: name
- location: location
- properties: properties
- tags: tags
-}
-
-module endpoint_origins 'origin/main.bicep' = [for origin in properties.origins: {
- name: '${name}-origins-${origin.name}'
- params: {
- profileName: profile.name
- endpointName: endpoint.name
- name: origin.name
- hostName: origin.properties.hostName
- httpPort: contains(origin.properties, 'httpPort') ?
origin.properties.httpPort : 80
- httpsPort: contains(origin.properties, 'httpsPort') ? origin.properties.httpsPort : 443
- enabled: origin.properties.enabled
- priority: contains(origin.properties, 'priority') ? origin.properties.priority : -1
- weight: contains(origin.properties, 'weight') ? origin.properties.weight : -1
- originHostHeader: contains(origin.properties, 'originHostHeader') ? origin.properties.originHostHeader : ''
- privateLinkAlias: contains(origin.properties, 'privateLinkAlias') ? origin.properties.privateLinkAlias : ''
- privateLinkLocation: contains(origin.properties, 'privateLinkLocation') ? origin.properties.privateLinkLocation : ''
- privateLinkResourceId: contains(origin.properties, 'privateLinkResourceId') ? origin.properties.privateLinkResourceId : ''
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-@description('The name of the endpoint.')
-output name string = endpoint.name
-
-@description('The resource ID of the endpoint.')
-output resourceId string = endpoint.id
-
-@description('The name of the resource group the endpoint was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = endpoint.location
-
-@description('The properties of the endpoint.')
-output endpointProperties object = endpoint.properties
diff --git a/modules/cdn/profile/endpoint/main.json b/modules/cdn/profile/endpoint/main.json
deleted file mode 100644
index 195f6a1bd7..0000000000
--- a/modules/cdn/profile/endpoint/main.json
+++ /dev/null
@@ -1,335 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "12835560149201986440" - }, - "name": "CDN Profiles Endpoints", - "description": "This module deploys a CDN Profile Endpoint.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "profileName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent CDN profile. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the endpoint under the profile which is unique globally." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Resource location." - } - }, - "properties": { - "type": "object", - "metadata": { - "description": "Required. Endpoint properties (see https://learn.microsoft.com/en-us/azure/templates/microsoft.cdn/profiles/endpoints?pivots=deployment-language-bicep#endpointproperties for details)." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Endpoint tags." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "profile": { - "existing": true, - "type": "Microsoft.Cdn/profiles", - "apiVersion": "2021-06-01", - "name": "[parameters('profileName')]" - }, - "endpoint": { - "type": "Microsoft.Cdn/profiles/endpoints", - "apiVersion": "2021-06-01", - "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]", - "location": "[parameters('location')]", - "properties": "[parameters('properties')]", - "tags": "[parameters('tags')]", - "dependsOn": [ - "profile" - ] - }, - "endpoint_origins": { - "copy": { - "name": "endpoint_origins", - "count": "[length(parameters('properties').origins)]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-origins-{1}', parameters('name'), parameters('properties').origins[copyIndex()].name)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "profileName": { - "value": "[parameters('profileName')]" - }, - "endpointName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('properties').origins[copyIndex()].name]" - }, - "hostName": { - "value": "[parameters('properties').origins[copyIndex()].properties.hostName]" - }, - "httpPort": "[if(contains(parameters('properties').origins[copyIndex()].properties, 'httpPort'), createObject('value', parameters('properties').origins[copyIndex()].properties.httpPort), 
createObject('value', 80))]", - "httpsPort": "[if(contains(parameters('properties').origins[copyIndex()].properties, 'httpsPort'), createObject('value', parameters('properties').origins[copyIndex()].properties.httpsPort), createObject('value', 443))]", - "enabled": { - "value": "[parameters('properties').origins[copyIndex()].properties.enabled]" - }, - "priority": "[if(contains(parameters('properties').origins[copyIndex()].properties, 'priority'), createObject('value', parameters('properties').origins[copyIndex()].properties.priority), createObject('value', -1))]", - "weight": "[if(contains(parameters('properties').origins[copyIndex()].properties, 'weight'), createObject('value', parameters('properties').origins[copyIndex()].properties.weight), createObject('value', -1))]", - "originHostHeader": "[if(contains(parameters('properties').origins[copyIndex()].properties, 'originHostHeader'), createObject('value', parameters('properties').origins[copyIndex()].properties.originHostHeader), createObject('value', ''))]", - "privateLinkAlias": "[if(contains(parameters('properties').origins[copyIndex()].properties, 'privateLinkAlias'), createObject('value', parameters('properties').origins[copyIndex()].properties.privateLinkAlias), createObject('value', ''))]", - "privateLinkLocation": "[if(contains(parameters('properties').origins[copyIndex()].properties, 'privateLinkLocation'), createObject('value', parameters('properties').origins[copyIndex()].properties.privateLinkLocation), createObject('value', ''))]", - "privateLinkResourceId": "[if(contains(parameters('properties').origins[copyIndex()].properties, 'privateLinkResourceId'), createObject('value', parameters('properties').origins[copyIndex()].properties.privateLinkResourceId), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - 
"contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "13313881743665626025" - }, - "name": "CDN Profiles Endpoints Origins", - "description": "This module deploys a CDN Profile Endpoint Origin.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "endpointName": { - "type": "string", - "metadata": { - "description": "Required. The name of the CDN Endpoint." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the origin." - } - }, - "enabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Whether the origin is enabled for load balancing." - } - }, - "hostName": { - "type": "string", - "metadata": { - "description": "Required. The hostname of the origin." - } - }, - "httpPort": { - "type": "int", - "defaultValue": 80, - "metadata": { - "description": "Optional. The HTTP port of the origin." - } - }, - "httpsPort": { - "type": "int", - "defaultValue": 443, - "metadata": { - "description": "Optional. The HTTPS port of the origin." - } - }, - "priority": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Conditional. The priority of origin in given origin group for load balancing. Required if `weight` is provided." - } - }, - "weight": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Conditional. The weight of the origin used for load balancing. Required if `priority` is provided." - } - }, - "privateLinkAlias": { - "type": "string", - "metadata": { - "description": "Conditional. The private link alias of the origin. Required if privateLinkLocation is provided." - } - }, - "privateLinkLocation": { - "type": "string", - "metadata": { - "description": "Conditional. 
The private link location of the origin. Required if privateLinkAlias is provided." - } - }, - "privateLinkResourceId": { - "type": "string", - "metadata": { - "description": "Optional. The private link resource ID of the origin." - } - }, - "originHostHeader": { - "type": "string", - "metadata": { - "description": "Optional. The host header value sent to the origin." - } - }, - "profileName": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the CDN profile. Default to \"default\"." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Cdn/profiles/endpoints/origins", - "apiVersion": "2021-06-01", - "name": "[format('{0}/{1}/{2}', parameters('profileName'), parameters('endpointName'), parameters('name'))]", - "properties": "[union(createObject('hostName', parameters('hostName'), 'httpPort', parameters('httpPort'), 'enabled', parameters('enabled'), 'httpsPort', parameters('httpsPort')), if(or(greater(parameters('priority'), 0), greater(parameters('weight'), 0)), createObject('priority', parameters('priority'), 'weight', parameters('weight')), createObject()), if(and(not(empty(parameters('privateLinkAlias'))), not(empty(parameters('privateLinkLocation')))), createObject('privateLinkAlias', parameters('privateLinkAlias'), 'privateLinkLocation', parameters('privateLinkLocation')), createObject()), if(not(empty(parameters('privateLinkResourceId'))), createObject('privateLinkResourceId', parameters('privateLinkResourceId')), createObject()), 
if(not(empty(parameters('originHostHeader'))), createObject('originHostHeader', parameters('originHostHeader')), createObject()))]" - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the endpoint." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the endpoint." - }, - "value": "[resourceId('Microsoft.Cdn/profiles/endpoints/origins', parameters('profileName'), parameters('endpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the endpoint was created in." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference(resourceId('Microsoft.Cdn/profiles/endpoints', parameters('profileName'), parameters('endpointName')), '2021-06-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "endpoint", - "profile" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the endpoint." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the endpoint." - }, - "value": "[resourceId('Microsoft.Cdn/profiles/endpoints', parameters('profileName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the endpoint was created in." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('endpoint', '2021-06-01', 'full').location]" - }, - "endpointProperties": { - "type": "object", - "metadata": { - "description": "The properties of the endpoint." 
- }, - "value": "[reference('endpoint')]" - } - } -} \ No newline at end of file diff --git a/modules/cdn/profile/endpoint/origin/README.md b/modules/cdn/profile/endpoint/origin/README.md deleted file mode 100644 index f68d78a71a..0000000000 --- a/modules/cdn/profile/endpoint/origin/README.md +++ /dev/null 
@@ -1,166 +0,0 @@ -# CDN Profiles Endpoints Origins `[Microsoft.Cdn/profiles/endpoints/origins]` - -This module deploys a CDN Profile Endpoint Origin. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Cdn/profiles/endpoints/origins` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2021-06-01/profiles/endpoints/origins) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`endpointName`](#parameter-endpointname) | string | The name of the CDN Endpoint. | -| [`hostName`](#parameter-hostname) | string | The hostname of the origin. | -| [`name`](#parameter-name) | string | The name of the origin. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`priority`](#parameter-priority) | int | The priority of origin in given origin group for load balancing. Required if `weight` is provided. | -| [`privateLinkAlias`](#parameter-privatelinkalias) | string | The private link alias of the origin. Required if privateLinkLocation is provided. | -| [`privateLinkLocation`](#parameter-privatelinklocation) | string | The private link location of the origin. Required if privateLinkAlias is provided. | -| [`weight`](#parameter-weight) | int | The weight of the origin used for load balancing. Required if `priority` is provided. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enabled`](#parameter-enabled) | bool | Whether the origin is enabled for load balancing. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`httpPort`](#parameter-httpport) | int | The HTTP port of the origin. 
| -| [`httpsPort`](#parameter-httpsport) | int | The HTTPS port of the origin. | -| [`originHostHeader`](#parameter-originhostheader) | string | The host header value sent to the origin. | -| [`privateLinkResourceId`](#parameter-privatelinkresourceid) | string | The private link resource ID of the origin. | -| [`profileName`](#parameter-profilename) | string | The name of the CDN profile. Default to "default". | - -### Parameter: `endpointName` - -The name of the CDN Endpoint. - -- Required: Yes -- Type: string - -### Parameter: `hostName` - -The hostname of the origin. - -- Required: Yes -- Type: string - -### Parameter: `name` - -The name of the origin. - -- Required: Yes -- Type: string - -### Parameter: `priority` - -The priority of origin in given origin group for load balancing. Required if `weight` is provided. - -- Required: No -- Type: int -- Default: `-1` - -### Parameter: `privateLinkAlias` - -The private link alias of the origin. Required if privateLinkLocation is provided. - -- Required: Yes -- Type: string - -### Parameter: `privateLinkLocation` - -The private link location of the origin. Required if privateLinkAlias is provided. - -- Required: Yes -- Type: string - -### Parameter: `weight` - -The weight of the origin used for load balancing. Required if `priority` is provided. - -- Required: No -- Type: int -- Default: `-1` - -### Parameter: `enabled` - -Whether the origin is enabled for load balancing. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `httpPort` - -The HTTP port of the origin. - -- Required: No -- Type: int -- Default: `80` - -### Parameter: `httpsPort` - -The HTTPS port of the origin. - -- Required: No -- Type: int -- Default: `443` - -### Parameter: `originHostHeader` - -The host header value sent to the origin. 
- -- Required: Yes -- Type: string - -### Parameter: `privateLinkResourceId` - -The private link resource ID of the origin. - -- Required: Yes -- Type: string - -### Parameter: `profileName` - -The name of the CDN profile. Default to "default". - -- Required: No -- Type: string -- Default: `'default'` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the endpoint. | -| `resourceGroupName` | string | The name of the resource group the endpoint was created in. | -| `resourceId` | string | The resource ID of the endpoint. | - -## Cross-referenced modules - -_None_ diff --git a/modules/cdn/profile/endpoint/origin/main.bicep b/modules/cdn/profile/endpoint/origin/main.bicep deleted file mode 100644 index e0ab14c064..0000000000 --- a/modules/cdn/profile/endpoint/origin/main.bicep +++ /dev/null 
@@ -1,99 +0,0 @@ -metadata name = 'CDN Profiles Endpoints Origins' -metadata description = 'This module deploys a CDN Profile Endpoint Origin.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. The name of the CDN Endpoint.') -param endpointName string - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Required. The name of the origin.') -param name string - -@description('Optional. Whether the origin is enabled for load balancing.') -param enabled bool = true - -@description('Required. The hostname of the origin.') -param hostName string - -@description('Optional. The HTTP port of the origin.') -param httpPort int = 80 - -@description('Optional. The HTTPS port of the origin.') -param httpsPort int = 443 - -@description('Conditional. The priority of origin in given origin group for load balancing. Required if `weight` is provided.') -param priority int = -1 - -@description('Conditional. The weight of the origin used for load balancing. Required if `priority` is provided.') -param weight int = -1 - -@description('Conditional. The private link alias of the origin. Required if privateLinkLocation is provided.') -param privateLinkAlias string - -@description('Conditional. The private link location of the origin. Required if privateLinkAlias is provided.') -param privateLinkLocation string - -@description('Optional. The private link resource ID of the origin.') -param privateLinkResourceId string - -@description('Optional. 
The host header value sent to the origin.') -param originHostHeader string - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -@description('Optional. The name of the CDN profile. Default to "default".') -param profileName string = 'default' - -resource profile 'Microsoft.Cdn/profiles@2021-06-01' existing = { - name: profileName -} - -resource endpoint 'Microsoft.Cdn/profiles/endpoints@2021-06-01' existing = { - parent: profile - name: endpointName -} - -resource origins 'Microsoft.Cdn/profiles/endpoints/origins@2021-06-01' = { - parent: endpoint - name: name - properties: union({ - hostName: hostName - httpPort: httpPort - enabled: enabled - httpsPort: httpsPort - }, ((priority > 0 || weight > 0) ? { - priority: priority - weight: weight - } : {}), (!empty(privateLinkAlias) && !empty(privateLinkLocation) ? { - privateLinkAlias: privateLinkAlias - privateLinkLocation: privateLinkLocation - } : {}), (!empty(privateLinkResourceId) ? { - privateLinkResourceId: privateLinkResourceId - } : {}), (!empty(originHostHeader) ? { - originHostHeader: originHostHeader - } : {})) -} - -@description('The name of the endpoint.') -output name string = origins.name - -@description('The resource ID of the endpoint.') -output resourceId string = origins.id - -@description('The name of the resource group the endpoint was created in.') -output resourceGroupName string = resourceGroup().name - -@description('The location the resource was deployed into.') -output location string = endpoint.location 
diff --git a/modules/cdn/profile/endpoint/origin/main.json b/modules/cdn/profile/endpoint/origin/main.json
deleted file mode 100644
index c32c154e0c..0000000000
--- a/modules/cdn/profile/endpoint/origin/main.json
+++ /dev/null
@@ -1,159 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "13313881743665626025" - }, - "name": "CDN Profiles Endpoints Origins", - "description": "This module deploys a CDN Profile Endpoint Origin.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "endpointName": { - "type": "string", - "metadata": { - "description": "Required. The name of the CDN Endpoint." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the origin." - } - }, - "enabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Whether the origin is enabled for load balancing." - } - }, - "hostName": { - "type": "string", - "metadata": { - "description": "Required. The hostname of the origin." - } - }, - "httpPort": { - "type": "int", - "defaultValue": 80, - "metadata": { - "description": "Optional. The HTTP port of the origin." - } - }, - "httpsPort": { - "type": "int", - "defaultValue": 443, - "metadata": { - "description": "Optional. The HTTPS port of the origin." - } - }, - "priority": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Conditional. The priority of origin in given origin group for load balancing. Required if `weight` is provided." - } - }, - "weight": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Conditional. The weight of the origin used for load balancing. Required if `priority` is provided." - } - }, - "privateLinkAlias": { - "type": "string", - "metadata": { - "description": "Conditional. The private link alias of the origin. 
Required if privateLinkLocation is provided." - } - }, - "privateLinkLocation": { - "type": "string", - "metadata": { - "description": "Conditional. The private link location of the origin. Required if privateLinkAlias is provided." - } - }, - "privateLinkResourceId": { - "type": "string", - "metadata": { - "description": "Optional. The private link resource ID of the origin." - } - }, - "originHostHeader": { - "type": "string", - "metadata": { - "description": "Optional. The host header value sent to the origin." - } - }, - "profileName": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the CDN profile. Default to \"default\"." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Cdn/profiles/endpoints/origins", - "apiVersion": "2021-06-01", - "name": "[format('{0}/{1}/{2}', parameters('profileName'), parameters('endpointName'), parameters('name'))]", - "properties": "[union(createObject('hostName', parameters('hostName'), 'httpPort', parameters('httpPort'), 'enabled', parameters('enabled'), 'httpsPort', parameters('httpsPort')), if(or(greater(parameters('priority'), 0), greater(parameters('weight'), 0)), createObject('priority', parameters('priority'), 'weight', parameters('weight')), createObject()), if(and(not(empty(parameters('privateLinkAlias'))), not(empty(parameters('privateLinkLocation')))), createObject('privateLinkAlias', parameters('privateLinkAlias'), 'privateLinkLocation', parameters('privateLinkLocation')), createObject()), 
if(not(empty(parameters('privateLinkResourceId'))), createObject('privateLinkResourceId', parameters('privateLinkResourceId')), createObject()), if(not(empty(parameters('originHostHeader'))), createObject('originHostHeader', parameters('originHostHeader')), createObject()))]" - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the endpoint." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the endpoint." - }, - "value": "[resourceId('Microsoft.Cdn/profiles/endpoints/origins', parameters('profileName'), parameters('endpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the endpoint was created in." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference(resourceId('Microsoft.Cdn/profiles/endpoints', parameters('profileName'), parameters('endpointName')), '2021-06-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/cdn/profile/endpoint/origin/version.json b/modules/cdn/profile/endpoint/origin/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/cdn/profile/endpoint/origin/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/cdn/profile/endpoint/version.json b/modules/cdn/profile/endpoint/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/cdn/profile/endpoint/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/cdn/profile/main.bicep b/modules/cdn/profile/main.bicep
deleted file mode 100644
index dd7abe44db..0000000000
--- a/modules/cdn/profile/main.bicep
+++ /dev/null
@@ -1,261 +0,0 @@ -metadata name = 'CDN Profiles' -metadata description = 'This module deploys a CDN Profile.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. Name of the CDN profile.') -param name string - -@description('Optional. Location for all Resources.') -param location string = resourceGroup().location - -@allowed([ - 'Custom_Verizon' - 'Premium_AzureFrontDoor' - 'Premium_Verizon' - 'StandardPlus_955BandWidth_ChinaCdn' - 'StandardPlus_AvgBandWidth_ChinaCdn' - 'StandardPlus_ChinaCdn' - 'Standard_955BandWidth_ChinaCdn' - 'Standard_Akamai' - 'Standard_AvgBandWidth_ChinaCdn' - 'Standard_AzureFrontDoor' - 'Standard_ChinaCdn' - 'Standard_Microsoft' - 'Standard_Verizon' -]) -@description('Required. The pricing tier (defines a CDN provider, feature list and rate) of the CDN profile.') -param sku string - -@description('Optional. Send and receive timeout on forwarding request to the origin.') -param originResponseTimeoutSeconds int = 60 - -@description('Optional. Name of the endpoint under the profile which is unique globally.') -param endpointName string = '' - -@description('Optional. Endpoint properties (see https://learn.microsoft.com/en-us/azure/templates/microsoft.cdn/profiles/endpoints?pivots=deployment-language-bicep#endpointproperties for details).') -param endpointProperties object = {} - -@description('Optional. Array of secret objects.') -param secrets array = [] - -@description('Optional. Array of custom domain objects.') -param customDomains array = [] - -@description('Conditional. Array of origin group objects. Required if the afdEndpoints is specified.') -param origionGroups array = [] - -@description('Optional. Array of rule set objects.') -param ruleSets array = [] - -@description('Optional. Array of AFD endpoint objects.') -param afdEndpoints array = [] - -@description('Optional. Endpoint tags.') -param tags object? - -@description('Optional. 
The lock settings of the service.') -param lock lockType - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var enableReferencedModulesTelemetry = false - -var builtInRoleNames = { - 'CDN Endpoint Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45') - 'CDN Endpoint Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '871e35f6-b5c1-49cc-a043-bde969a0f2cd') - 'CDN Profile Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ec156ff8-a8d1-4d15-830c-5b80698ca432') - 'CDN Profile Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8f96442b-4075-438f-813d-ad51ab4019af') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource profile 
'Microsoft.Cdn/profiles@2023-05-01' = { - name: name - location: location - sku: { - name: sku - } - properties: { - originResponseTimeoutSeconds: originResponseTimeoutSeconds - } - tags: tags -} - -resource profile_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' - } - scope: profile -} - -resource profile_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(profile.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: profile -}] - -module profile_endpoint 'endpoint/main.bicep' = if (!empty(endpointProperties)) { - name: '${uniqueString(deployment().name, location)}-Profile-Endpoint' - params: { - name: !empty(endpointName) ? 
endpointName : '${profile.name}-endpoint' - properties: endpointProperties - location: location - profileName: profile.name - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -} - -module profile_secret 'secret/main.bicep' = [for (secret, index) in secrets: { - name: '${uniqueString(deployment().name)}-Profile-Secret-${index}' - params: { - name: secret.name - profileName: profile.name - type: secret.type - secretSourceResourceId: secret.secretSourceResourceId - subjectAlternativeNames: contains(secret, 'subjectAlternativeNames') ? secret.subjectAlternativeNames : [] - useLatestVersion: contains(secret, 'useLatestVersion') ? secret.useLatestVersion : false - secretVersion: secret.secretVersion - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -module profile_custom_domain 'customdomain/main.bicep' = [for (customDomain, index) in customDomains: { - name: '${uniqueString(deployment().name)}-CustomDomain-${index}' - dependsOn: [ - profile_secret - ] - params: { - name: customDomain.name - profileName: profile.name - hostName: customDomain.hostName - azureDnsZoneResourceId: contains(customDomain, 'azureDnsZoneResourceId') ? customDomain.azureDnsZoneResourceId : '' - extendedProperties: contains(customDomain, 'extendedProperties') ? customDomain.extendedProperties : {} - certificateType: customDomain.certificateType - minimumTlsVersion: contains(customDomain, 'minimumTlsVersion') ? customDomain.minimumTlsVersion : 'TLS12' - preValidatedCustomDomainResourceId: contains(customDomain, 'preValidatedCustomDomainResourceId') ? customDomain.preValidatedCustomDomainResourceId : '' - secretName: contains(customDomain, 'secretName') ? 
customDomain.secretName : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -module profile_origionGroup 'origingroup/main.bicep' = [for (origingroup, index) in origionGroups: { - name: '${uniqueString(deployment().name)}-Profile-OrigionGroup-${index}' - params: { - name: origingroup.name - profileName: profile.name - healthProbeSettings: contains(origingroup, 'healthProbeSettings') ? origingroup.healthProbeSettings : {} - loadBalancingSettings: origingroup.loadBalancingSettings - sessionAffinityState: contains(origingroup, 'sessionAffinityState') ? origingroup.sessionAffinityState : 'Disabled' - trafficRestorationTimeToHealedOrNewEndpointsInMinutes: contains(origingroup, 'trafficRestorationTimeToHealedOrNewEndpointsInMinutes') ? origingroup.trafficRestorationTimeToHealedOrNewEndpointsInMinutes : 10 - origins: origingroup.origins - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -module profile_ruleSet 'ruleset/main.bicep' = [for (ruleSet, index) in ruleSets: { - name: '${uniqueString(deployment().name)}-Profile-RuleSet-${index}' - params: { - name: ruleSet.name - profileName: profile.name - rules: ruleSet.rules - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -module profile_afdEndpoint 'afdEndpoint/main.bicep' = [for (afdEndpoint, index) in afdEndpoints: { - name: '${uniqueString(deployment().name)}-Profile-AfdEndpoint-${index}' - dependsOn: [ - profile_origionGroup - profile_custom_domain - profile_ruleSet - ] - params: { - name: afdEndpoint.name - location: location - profileName: profile.name - autoGeneratedDomainNameLabelScope: contains(afdEndpoint, 'autoGeneratedDomainNameLabelScope') ? afdEndpoint.autoGeneratedDomainNameLabelScope : 'TenantReuse' - enabledState: contains(afdEndpoint, 'enabledState') ? afdEndpoint.enabledState : 'Enabled' - enableDefaultTelemetry: enableReferencedModulesTelemetry - routes: contains(afdEndpoint, 'routes') ? afdEndpoint.routes : [] - tags: afdEndpoint.?tags ?? 
tags - } -}] - -@description('The name of the CDN profile.') -output name string = profile.name - -@description('The resource ID of the CDN profile.') -output resourceId string = profile.id - -@description('The resource group where the CDN profile is deployed.') -output resourceGroupName string = resourceGroup().name - -@description('The type of the CDN profile.') -output profileType string = profile.type - -@description('The location the resource was deployed into.') -output location string = profile.location - -// =============== // -// Definitions // -// =============== // - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. 
The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? diff --git a/modules/cdn/profile/main.json b/modules/cdn/profile/main.json deleted file mode 100644 index 82168cf292..0000000000 --- a/modules/cdn/profile/main.json +++ /dev/null 
@@ -1,2151 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "2094374182247826446" - }, - "name": "CDN Profiles", - "description": "This module deploys a CDN Profile.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the CDN profile." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "sku": { - "type": "string", - "allowedValues": [ - "Custom_Verizon", - "Premium_AzureFrontDoor", - "Premium_Verizon", - "StandardPlus_955BandWidth_ChinaCdn", - "StandardPlus_AvgBandWidth_ChinaCdn", - "StandardPlus_ChinaCdn", - "Standard_955BandWidth_ChinaCdn", - "Standard_Akamai", - "Standard_AvgBandWidth_ChinaCdn", - "Standard_AzureFrontDoor", - "Standard_ChinaCdn", - "Standard_Microsoft", - "Standard_Verizon" - ], - "metadata": { - "description": "Required. The pricing tier (defines a CDN provider, feature list and rate) of the CDN profile." - } - }, - "originResponseTimeoutSeconds": { - "type": "int", - "defaultValue": 60, - "metadata": { - "description": "Optional. Send and receive timeout on forwarding request to the origin." - } - }, - "endpointName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the endpoint under the profile which is unique globally." 
- } - }, - "endpointProperties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Endpoint properties (see https://learn.microsoft.com/en-us/azure/templates/microsoft.cdn/profiles/endpoints?pivots=deployment-language-bicep#endpointproperties for details)." - } - }, - "secrets": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of secret objects." - } - }, - "customDomains": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of custom domain objects." - } - }, - "origionGroups": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Conditional. Array of origin group objects. Required if the afdEndpoints is specified." - } - }, - "ruleSets": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of rule set objects." - } - }, - "afdEndpoints": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of AFD endpoint objects." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Endpoint tags." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "CDN Endpoint Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", - "CDN Endpoint Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", - "CDN Profile Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", - "CDN Profile Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8f96442b-4075-438f-813d-ad51ab4019af')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "profile": { - "type": "Microsoft.Cdn/profiles", - "apiVersion": "2023-05-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "sku": 
{ - "name": "[parameters('sku')]" - }, - "properties": { - "originResponseTimeoutSeconds": "[parameters('originResponseTimeoutSeconds')]" - }, - "tags": "[parameters('tags')]" - }, - "profile_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Cdn/profiles/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "profile" - ] - }, - "profile_roleAssignments": { - "copy": { - "name": "profile_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Cdn/profiles/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Cdn/profiles', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "profile" - ] - }, - "profile_endpoint": { - "condition": "[not(empty(parameters('endpointProperties')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Profile-Endpoint', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": "[if(not(empty(parameters('endpointName'))), createObject('value', parameters('endpointName')), createObject('value', format('{0}-endpoint', parameters('name'))))]", - "properties": { - "value": "[parameters('endpointProperties')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "profileName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "12835560149201986440" - }, - "name": "CDN Profiles Endpoints", - "description": "This module deploys a CDN Profile Endpoint.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "profileName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent CDN profile. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the endpoint under the profile which is unique globally." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Resource location." - } - }, - "properties": { - "type": "object", - "metadata": { - "description": "Required. Endpoint properties (see https://learn.microsoft.com/en-us/azure/templates/microsoft.cdn/profiles/endpoints?pivots=deployment-language-bicep#endpointproperties for details)." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Endpoint tags." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "profile": { - "existing": true, - "type": "Microsoft.Cdn/profiles", - "apiVersion": "2021-06-01", - "name": "[parameters('profileName')]" - }, - "endpoint": { - "type": "Microsoft.Cdn/profiles/endpoints", - "apiVersion": "2021-06-01", - "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]", - "location": "[parameters('location')]", - "properties": "[parameters('properties')]", - "tags": "[parameters('tags')]", - "dependsOn": [ - "profile" - ] - }, - "endpoint_origins": { - "copy": { - "name": "endpoint_origins", - "count": "[length(parameters('properties').origins)]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-origins-{1}', parameters('name'), parameters('properties').origins[copyIndex()].name)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "profileName": { - "value": "[parameters('profileName')]" - }, - "endpointName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('properties').origins[copyIndex()].name]" - }, - "hostName": { - "value": "[parameters('properties').origins[copyIndex()].properties.hostName]" - }, - "httpPort": "[if(contains(parameters('properties').origins[copyIndex()].properties, 'httpPort'), createObject('value', parameters('properties').origins[copyIndex()].properties.httpPort), 
createObject('value', 80))]", - "httpsPort": "[if(contains(parameters('properties').origins[copyIndex()].properties, 'httpsPort'), createObject('value', parameters('properties').origins[copyIndex()].properties.httpsPort), createObject('value', 443))]", - "enabled": { - "value": "[parameters('properties').origins[copyIndex()].properties.enabled]" - }, - "priority": "[if(contains(parameters('properties').origins[copyIndex()].properties, 'priority'), createObject('value', parameters('properties').origins[copyIndex()].properties.priority), createObject('value', -1))]", - "weight": "[if(contains(parameters('properties').origins[copyIndex()].properties, 'weight'), createObject('value', parameters('properties').origins[copyIndex()].properties.weight), createObject('value', -1))]", - "originHostHeader": "[if(contains(parameters('properties').origins[copyIndex()].properties, 'originHostHeader'), createObject('value', parameters('properties').origins[copyIndex()].properties.originHostHeader), createObject('value', ''))]", - "privateLinkAlias": "[if(contains(parameters('properties').origins[copyIndex()].properties, 'privateLinkAlias'), createObject('value', parameters('properties').origins[copyIndex()].properties.privateLinkAlias), createObject('value', ''))]", - "privateLinkLocation": "[if(contains(parameters('properties').origins[copyIndex()].properties, 'privateLinkLocation'), createObject('value', parameters('properties').origins[copyIndex()].properties.privateLinkLocation), createObject('value', ''))]", - "privateLinkResourceId": "[if(contains(parameters('properties').origins[copyIndex()].properties, 'privateLinkResourceId'), createObject('value', parameters('properties').origins[copyIndex()].properties.privateLinkResourceId), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - 
"contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "13313881743665626025" - }, - "name": "CDN Profiles Endpoints Origins", - "description": "This module deploys a CDN Profile Endpoint Origin.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "endpointName": { - "type": "string", - "metadata": { - "description": "Required. The name of the CDN Endpoint." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the origin." - } - }, - "enabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Whether the origin is enabled for load balancing." - } - }, - "hostName": { - "type": "string", - "metadata": { - "description": "Required. The hostname of the origin." - } - }, - "httpPort": { - "type": "int", - "defaultValue": 80, - "metadata": { - "description": "Optional. The HTTP port of the origin." - } - }, - "httpsPort": { - "type": "int", - "defaultValue": 443, - "metadata": { - "description": "Optional. The HTTPS port of the origin." - } - }, - "priority": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Conditional. The priority of origin in given origin group for load balancing. Required if `weight` is provided." - } - }, - "weight": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Conditional. The weight of the origin used for load balancing. Required if `priority` is provided." - } - }, - "privateLinkAlias": { - "type": "string", - "metadata": { - "description": "Conditional. The private link alias of the origin. Required if privateLinkLocation is provided." - } - }, - "privateLinkLocation": { - "type": "string", - "metadata": { - "description": "Conditional. 
The private link location of the origin. Required if privateLinkAlias is provided." - } - }, - "privateLinkResourceId": { - "type": "string", - "metadata": { - "description": "Optional. The private link resource ID of the origin." - } - }, - "originHostHeader": { - "type": "string", - "metadata": { - "description": "Optional. The host header value sent to the origin." - } - }, - "profileName": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the CDN profile. Default to \"default\"." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Cdn/profiles/endpoints/origins", - "apiVersion": "2021-06-01", - "name": "[format('{0}/{1}/{2}', parameters('profileName'), parameters('endpointName'), parameters('name'))]", - "properties": "[union(createObject('hostName', parameters('hostName'), 'httpPort', parameters('httpPort'), 'enabled', parameters('enabled'), 'httpsPort', parameters('httpsPort')), if(or(greater(parameters('priority'), 0), greater(parameters('weight'), 0)), createObject('priority', parameters('priority'), 'weight', parameters('weight')), createObject()), if(and(not(empty(parameters('privateLinkAlias'))), not(empty(parameters('privateLinkLocation')))), createObject('privateLinkAlias', parameters('privateLinkAlias'), 'privateLinkLocation', parameters('privateLinkLocation')), createObject()), if(not(empty(parameters('privateLinkResourceId'))), createObject('privateLinkResourceId', parameters('privateLinkResourceId')), createObject()), 
if(not(empty(parameters('originHostHeader'))), createObject('originHostHeader', parameters('originHostHeader')), createObject()))]" - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the endpoint." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the endpoint." - }, - "value": "[resourceId('Microsoft.Cdn/profiles/endpoints/origins', parameters('profileName'), parameters('endpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the endpoint was created in." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference(resourceId('Microsoft.Cdn/profiles/endpoints', parameters('profileName'), parameters('endpointName')), '2021-06-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "endpoint", - "profile" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the endpoint." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the endpoint." - }, - "value": "[resourceId('Microsoft.Cdn/profiles/endpoints', parameters('profileName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the endpoint was created in." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('endpoint', '2021-06-01', 'full').location]" - }, - "endpointProperties": { - "type": "object", - "metadata": { - "description": "The properties of the endpoint." 
- }, - "value": "[reference('endpoint')]" - } - } - } - }, - "dependsOn": [ - "profile" - ] - }, - "profile_secret": { - "copy": { - "name": "profile_secret", - "count": "[length(parameters('secrets'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Profile-Secret-{1}', uniqueString(deployment().name), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('secrets')[copyIndex()].name]" - }, - "profileName": { - "value": "[parameters('name')]" - }, - "type": { - "value": "[parameters('secrets')[copyIndex()].type]" - }, - "secretSourceResourceId": { - "value": "[parameters('secrets')[copyIndex()].secretSourceResourceId]" - }, - "subjectAlternativeNames": "[if(contains(parameters('secrets')[copyIndex()], 'subjectAlternativeNames'), createObject('value', parameters('secrets')[copyIndex()].subjectAlternativeNames), createObject('value', createArray()))]", - "useLatestVersion": "[if(contains(parameters('secrets')[copyIndex()], 'useLatestVersion'), createObject('value', parameters('secrets')[copyIndex()].useLatestVersion), createObject('value', false()))]", - "secretVersion": { - "value": "[parameters('secrets')[copyIndex()].secretVersion]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "9065117765223577157" - }, - "name": "CDN Profiles Secret", - "description": "This module deploys a CDN Profile Secret.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the secrect." 
- } - }, - "profileName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent CDN profile. Required if the template is used in a standalone deployment." - } - }, - "type": { - "type": "string", - "defaultValue": "AzureFirstPartyManagedCertificate", - "allowedValues": [ - "AzureFirstPartyManagedCertificate", - "CustomerCertificate", - "ManagedCertificate", - "UrlSigningKey" - ], - "metadata": { - "description": "Required. The type of the secrect." - } - }, - "secretSourceResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The resource ID of the secret source. Required if the `type` is \"CustomerCertificate\"." - } - }, - "secretVersion": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The version of the secret." - } - }, - "subjectAlternativeNames": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The subject alternative names of the secrect." - } - }, - "useLatestVersion": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates whether to use the latest version of the secrect." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Cdn/profiles/secrets", - "apiVersion": "2023-05-01", - "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]", - "properties": { - "parameters": "[if(equals(parameters('type'), 'CustomerCertificate'), createObject('type', parameters('type'), 'secretSource', createObject('id', parameters('secretSourceResourceId')), 'secretVersion', parameters('secretVersion'), 'subjectAlternativeNames', parameters('subjectAlternativeNames'), 'useLatestVersion', parameters('useLatestVersion')), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the secrect." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the secrect." - }, - "value": "[resourceId('Microsoft.Cdn/profiles/secrets', parameters('profileName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the secret was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "profile" - ] - }, - "profile_custom_domain": { - "copy": { - "name": "profile_custom_domain", - "count": "[length(parameters('customDomains'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-CustomDomain-{1}', uniqueString(deployment().name), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('customDomains')[copyIndex()].name]" - }, - "profileName": { - "value": "[parameters('name')]" - }, - "hostName": { - "value": "[parameters('customDomains')[copyIndex()].hostName]" - }, - "azureDnsZoneResourceId": "[if(contains(parameters('customDomains')[copyIndex()], 'azureDnsZoneResourceId'), createObject('value', parameters('customDomains')[copyIndex()].azureDnsZoneResourceId), createObject('value', ''))]", - "extendedProperties": "[if(contains(parameters('customDomains')[copyIndex()], 'extendedProperties'), createObject('value', parameters('customDomains')[copyIndex()].extendedProperties), createObject('value', createObject()))]", - "certificateType": { - "value": "[parameters('customDomains')[copyIndex()].certificateType]" - }, - "minimumTlsVersion": "[if(contains(parameters('customDomains')[copyIndex()], 'minimumTlsVersion'), createObject('value', parameters('customDomains')[copyIndex()].minimumTlsVersion), createObject('value', 'TLS12'))]", - "preValidatedCustomDomainResourceId": "[if(contains(parameters('customDomains')[copyIndex()], 'preValidatedCustomDomainResourceId'), createObject('value', parameters('customDomains')[copyIndex()].preValidatedCustomDomainResourceId), createObject('value', ''))]", - "secretName": "[if(contains(parameters('customDomains')[copyIndex()], 'secretName'), createObject('value', parameters('customDomains')[copyIndex()].secretName), createObject('value', ''))]", - "enableDefaultTelemetry": 
{ - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "14020917186794999695" - }, - "name": "CDN Profiles Custom Domains", - "description": "This module deploys a CDN Profile Custom Domains.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the custom domain." - } - }, - "profileName": { - "type": "string", - "metadata": { - "description": "Required. The name of the CDN profile." - } - }, - "hostName": { - "type": "string", - "metadata": { - "description": "Required. The host name of the domain. Must be a domain name." - } - }, - "azureDnsZoneResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optonal. Resource reference to the Azure DNS zone." - } - }, - "extendedProperties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Key-Value pair representing migration properties for domains." - } - }, - "preValidatedCustomDomainResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource reference to the Azure resource where custom domain ownership was prevalidated." - } - }, - "certificateType": { - "type": "string", - "allowedValues": [ - "CustomerCertificate", - "ManagedCertificate" - ], - "metadata": { - "description": "Required. The type of the certificate used for secure delivery." - } - }, - "minimumTlsVersion": { - "type": "string", - "defaultValue": "TLS12", - "allowedValues": [ - "TLS10", - "TLS12" - ], - "metadata": { - "description": "Optional. The minimum TLS version required for the custom domain. Default value: TLS12." 
- } - }, - "secretName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the secret. ie. subs/rg/profile/secret." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Cdn/profiles/customDomains", - "apiVersion": "2023-05-01", - "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]", - "properties": { - "azureDnsZone": "[if(not(empty(parameters('azureDnsZoneResourceId'))), createObject('id', parameters('azureDnsZoneResourceId')), null())]", - "extendedProperties": "[if(not(empty(parameters('extendedProperties'))), parameters('extendedProperties'), null())]", - "hostName": "[parameters('hostName')]", - "preValidatedCustomDomainResourceId": "[if(not(empty(parameters('preValidatedCustomDomainResourceId'))), createObject('id', parameters('preValidatedCustomDomainResourceId')), null())]", - "tlsSettings": { - "certificateType": "[parameters('certificateType')]", - "minimumTlsVersion": "[parameters('minimumTlsVersion')]", - "secret": "[if(not(empty(parameters('secretName'))), createObject('id', resourceId('Microsoft.Cdn/profiles/secrets', parameters('profileName'), parameters('secretName'))), null())]" - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the custom domain." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource id of the custom domain." - }, - "value": "[resourceId('Microsoft.Cdn/profiles/customDomains', parameters('profileName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the custom domain was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "profile", - "profile_secret" - ] - }, - "profile_origionGroup": { - "copy": { - "name": "profile_origionGroup", - "count": "[length(parameters('origionGroups'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Profile-OrigionGroup-{1}', uniqueString(deployment().name), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('origionGroups')[copyIndex()].name]" - }, - "profileName": { - "value": "[parameters('name')]" - }, - "healthProbeSettings": "[if(contains(parameters('origionGroups')[copyIndex()], 'healthProbeSettings'), createObject('value', parameters('origionGroups')[copyIndex()].healthProbeSettings), createObject('value', createObject()))]", - "loadBalancingSettings": { - "value": "[parameters('origionGroups')[copyIndex()].loadBalancingSettings]" - }, - "sessionAffinityState": "[if(contains(parameters('origionGroups')[copyIndex()], 'sessionAffinityState'), createObject('value', parameters('origionGroups')[copyIndex()].sessionAffinityState), createObject('value', 'Disabled'))]", - "trafficRestorationTimeToHealedOrNewEndpointsInMinutes": "[if(contains(parameters('origionGroups')[copyIndex()], 'trafficRestorationTimeToHealedOrNewEndpointsInMinutes'), createObject('value', parameters('origionGroups')[copyIndex()].trafficRestorationTimeToHealedOrNewEndpointsInMinutes), createObject('value', 10))]", - 
"origins": { - "value": "[parameters('origionGroups')[copyIndex()].origins]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "11971964733746078182" - }, - "name": "CDN Profiles Origin Group", - "description": "This module deploys a CDN Profile Origin Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the origin group." - } - }, - "profileName": { - "type": "string", - "metadata": { - "description": "Required. The name of the CDN profile." - } - }, - "healthProbeSettings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Health probe settings to the origin that is used to determine the health of the origin." - } - }, - "loadBalancingSettings": { - "type": "object", - "metadata": { - "description": "Required. Load balancing settings for a backend pool." - } - }, - "sessionAffinityState": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Whether to allow session affinity on this host." - } - }, - "trafficRestorationTimeToHealedOrNewEndpointsInMinutes": { - "type": "int", - "defaultValue": 10, - "metadata": { - "description": "Optional. Time in minutes to shift the traffic to the endpoint gradually when an unhealthy endpoint comes healthy or a new endpoint is added. Default is 10 mins." - } - }, - "origins": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Required. The list of origins within the origin group." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Cdn/profiles/originGroups", - "apiVersion": "2023-05-01", - "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]", - "properties": { - "healthProbeSettings": "[if(not(empty(parameters('healthProbeSettings'))), parameters('healthProbeSettings'), null())]", - "loadBalancingSettings": "[parameters('loadBalancingSettings')]", - "sessionAffinityState": "[parameters('sessionAffinityState')]", - "trafficRestorationTimeToHealedOrNewEndpointsInMinutes": "[parameters('trafficRestorationTimeToHealedOrNewEndpointsInMinutes')]" - } - }, - { - "copy": { - "name": "origin", - "count": "[length(parameters('origins'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-OriginGroup-Origin-{1}', uniqueString(deployment().name), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('origins')[copyIndex()].name]" - }, - "profileName": { - "value": "[parameters('profileName')]" - }, - "hostName": { - "value": "[parameters('origins')[copyIndex()].hostName]" - }, - "originGroupName": { - "value": "[parameters('name')]" - }, - "enabledState": 
"[if(contains(parameters('origins')[copyIndex()], 'enabledState'), createObject('value', parameters('origins')[copyIndex()].enabledState), createObject('value', 'Enabled'))]", - "enforceCertificateNameCheck": "[if(contains(parameters('origins')[copyIndex()], 'enforceCertificateNameCheck'), createObject('value', parameters('origins')[copyIndex()].enforceCertificateNameCheck), createObject('value', true()))]", - "httpPort": "[if(contains(parameters('origins')[copyIndex()], 'httpPort'), createObject('value', parameters('origins')[copyIndex()].httpPort), createObject('value', 80))]", - "httpsPort": "[if(contains(parameters('origins')[copyIndex()], 'httpsPort'), createObject('value', parameters('origins')[copyIndex()].httpsPort), createObject('value', 443))]", - "originHostHeader": "[if(contains(parameters('origins')[copyIndex()], 'originHostHeader'), createObject('value', parameters('origins')[copyIndex()].originHostHeader), createObject('value', parameters('origins')[copyIndex()].hostName))]", - "priority": "[if(contains(parameters('origins')[copyIndex()], 'priority'), createObject('value', parameters('origins')[copyIndex()].priority), createObject('value', 1))]", - "weight": "[if(contains(parameters('origins')[copyIndex()], 'weight'), createObject('value', parameters('origins')[copyIndex()].weight), createObject('value', 1000))]", - "sharedPrivateLinkResource": "[if(contains(parameters('origins')[copyIndex()], 'sharedPrivateLinkResource'), createObject('value', parameters('origins')[copyIndex()].sharedPrivateLinkResource), createObject('value', null()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "9016533430746404335" - }, - "name": "CDN Profiles Origin", - 
"description": "This module deploys a CDN Profile Origin.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the origion." - } - }, - "profileName": { - "type": "string", - "metadata": { - "description": "Required. The name of the CDN profile." - } - }, - "originGroupName": { - "type": "string", - "metadata": { - "description": "Required. The name of the group." - } - }, - "enabledState": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Whether to enable health probes to be made against backends defined under backendPools. Health probes can only be disabled if there is a single enabled backend in single enabled backend pool." - } - }, - "enforceCertificateNameCheck": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Whether to enable certificate name check at origin level." - } - }, - "hostName": { - "type": "string", - "metadata": { - "description": "Required. The address of the origin. Domain names, IPv4 addresses, and IPv6 addresses are supported.This should be unique across all origins in an endpoint." - } - }, - "httpPort": { - "type": "int", - "defaultValue": 80, - "metadata": { - "description": "Optional. The value of the HTTP port. Must be between 1 and 65535." - } - }, - "httpsPort": { - "type": "int", - "defaultValue": 443, - "metadata": { - "description": "Optional. The value of the HTTPS port. Must be between 1 and 65535." - } - }, - "originHostHeader": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The host header value sent to the origin with each request. If you leave this blank, the request hostname determines this value. Azure Front Door origins, such as Web Apps, Blob Storage, and Cloud Services require this host header value to match the origin hostname by default. 
This overrides the host header defined at Endpoint." - } - }, - "priority": { - "type": "int", - "defaultValue": 1, - "metadata": { - "description": "Optional. Priority of origin in given origin group for load balancing. Higher priorities will not be used for load balancing if any lower priority origin is healthy.Must be between 1 and 5." - } - }, - "sharedPrivateLinkResource": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The properties of the private link resource for private origin." - } - }, - "weight": { - "type": "int", - "defaultValue": 1000, - "metadata": { - "description": "Optional. Weight of the origin in given origin group for load balancing. Must be between 1 and 1000." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Cdn/profiles/originGroups/origins", - "apiVersion": "2023-05-01", - "name": "[format('{0}/{1}/{2}', parameters('profileName'), parameters('originGroupName'), parameters('name'))]", - "properties": { - "enabledState": "[parameters('enabledState')]", - "enforceCertificateNameCheck": "[parameters('enforceCertificateNameCheck')]", - "hostName": "[parameters('hostName')]", - "httpPort": "[parameters('httpPort')]", - "httpsPort": "[parameters('httpsPort')]", - "originHostHeader": "[parameters('originHostHeader')]", - "priority": "[parameters('priority')]", - 
"sharedPrivateLinkResource": "[if(not(empty(parameters('sharedPrivateLinkResource'))), parameters('sharedPrivateLinkResource'), null())]", - "weight": "[parameters('weight')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the origin." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource id of the origin." - }, - "value": "[resourceId('Microsoft.Cdn/profiles/originGroups/origins', parameters('profileName'), parameters('originGroupName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the origin was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Cdn/profiles/originGroups', parameters('profileName'), parameters('name'))]" - ] - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the origin group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource id of the origin group." - }, - "value": "[resourceId('Microsoft.Cdn/profiles/originGroups', parameters('profileName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the origin group was created in." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." 
- }, - "value": "[reference(resourceId('Microsoft.Cdn/profiles', parameters('profileName')), '2023-05-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "profile" - ] - }, - "profile_ruleSet": { - "copy": { - "name": "profile_ruleSet", - "count": "[length(parameters('ruleSets'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Profile-RuleSet-{1}', uniqueString(deployment().name), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('ruleSets')[copyIndex()].name]" - }, - "profileName": { - "value": "[parameters('name')]" - }, - "rules": { - "value": "[parameters('ruleSets')[copyIndex()].rules]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "6357254985592021008" - }, - "name": "CDN Profiles Rule Sets", - "description": "This module deploys a CDN Profile rule set.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the rule set." - } - }, - "profileName": { - "type": "string", - "metadata": { - "description": "Required. The name of the CDN profile." - } - }, - "rules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optinal. The rules to apply to the rule set." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Cdn/profiles/ruleSets", - "apiVersion": "2023-05-01", - "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]" - }, - { - "copy": { - "name": "rule", - "count": "[length(parameters('rules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-RuleSet-Rule-{1}-{2}', uniqueString(deployment().name), parameters('rules')[copyIndex()].name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "profileName": { - "value": "[parameters('profileName')]" - }, - "ruleSetName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('rules')[copyIndex()].name]" - }, - "order": { - "value": "[parameters('rules')[copyIndex()].order]" - }, - "actions": { - "value": "[parameters('rules')[copyIndex()].actions]" - }, - "conditions": "[if(contains(parameters('rules')[copyIndex()], 'conditions'), createObject('value', parameters('rules')[copyIndex()].conditions), createObject('value', createArray()))]", - "matchProcessingBehavior": "[if(contains(parameters('rules')[copyIndex()], 'matchProcessingBehavior'), createObject('value', parameters('rules')[copyIndex()].matchProcessingBehavior), createObject('value', 'Continue'))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "5740342061156329686" - }, - "name": "CDN Profiles Rules", - "description": "This module deploys a CDN Profile rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the rule." - } - }, - "profileName": { - "type": "string", - "metadata": { - "description": "Required. The name of the profile." - } - }, - "ruleSetName": { - "type": "string", - "metadata": { - "description": "Required. The name of the rule set." - } - }, - "order": { - "type": "int", - "metadata": { - "description": "Required. The order in which this rule will be applied. Rules with a lower order are applied before rules with a higher order." - } - }, - "actions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. A list of actions that are executed when all the conditions of a rule are satisfied." - } - }, - "conditions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. A list of conditions that must be matched for the actions to be executed." - } - }, - "matchProcessingBehavior": { - "type": "string", - "allowedValues": [ - "Continue", - "Stop" - ], - "metadata": { - "description": "Required. If this rule is a match should the rules engine continue running the remaining rules or stop. If not present, defaults to Continue." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Cdn/profiles/ruleSets/rules", - "apiVersion": "2023-05-01", - "name": "[format('{0}/{1}/{2}', parameters('profileName'), parameters('ruleSetName'), parameters('name'))]", - "properties": { - "order": "[parameters('order')]", - "actions": "[parameters('actions')]", - "conditions": "[parameters('conditions')]", - "matchProcessingBehavior": "[parameters('matchProcessingBehavior')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource id of the rule." - }, - "value": "[resourceId('Microsoft.Cdn/profiles/ruleSets/rules', parameters('profileName'), parameters('ruleSetName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the custom domain was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the rule set." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource id of the rule set." 
- }, - "value": "[resourceId('Microsoft.Cdn/profiles/ruleSets', parameters('profileName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the custom domain was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "profile" - ] - }, - "profile_afdEndpoint": { - "copy": { - "name": "profile_afdEndpoint", - "count": "[length(parameters('afdEndpoints'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Profile-AfdEndpoint-{1}', uniqueString(deployment().name), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('afdEndpoints')[copyIndex()].name]" - }, - "location": { - "value": "[parameters('location')]" - }, - "profileName": { - "value": "[parameters('name')]" - }, - "autoGeneratedDomainNameLabelScope": "[if(contains(parameters('afdEndpoints')[copyIndex()], 'autoGeneratedDomainNameLabelScope'), createObject('value', parameters('afdEndpoints')[copyIndex()].autoGeneratedDomainNameLabelScope), createObject('value', 'TenantReuse'))]", - "enabledState": "[if(contains(parameters('afdEndpoints')[copyIndex()], 'enabledState'), createObject('value', parameters('afdEndpoints')[copyIndex()].enabledState), createObject('value', 'Enabled'))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "routes": "[if(contains(parameters('afdEndpoints')[copyIndex()], 'routes'), createObject('value', parameters('afdEndpoints')[copyIndex()].routes), createObject('value', createArray()))]", - "tags": { - "value": "[coalesce(tryGet(parameters('afdEndpoints')[copyIndex()], 'tags'), parameters('tags'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - 
"contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "9151451101933620806" - }, - "name": "CDN Profiles AFD Endpoints", - "description": "This module deploys a CDN Profile AFD Endpoint.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the AFD Endpoint." - } - }, - "profileName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent CDN profile. Required if the template is used in a standalone deployment." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. The location of the AFD Endpoint." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. The tags of the AFD Endpoint." - } - }, - "autoGeneratedDomainNameLabelScope": { - "type": "string", - "defaultValue": "TenantReuse", - "allowedValues": [ - "NoReuse", - "ResourceGroupReuse", - "SubscriptionReuse", - "TenantReuse" - ], - "metadata": { - "description": "Optional. Indicates the endpoint name reuse scope. The default value is TenantReuse." - } - }, - "enabledState": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Indicates whether the AFD Endpoint is enabled. The default value is Enabled." - } - }, - "routes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of routes for this AFD Endpoint." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "profile": { - "existing": true, - "type": "Microsoft.Cdn/profiles", - "apiVersion": "2023-05-01", - "name": "[parameters('profileName')]" - }, - "afd_endpoint": { - "type": "Microsoft.Cdn/profiles/afdEndpoints", - "apiVersion": "2023-05-01", - "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "autoGeneratedDomainNameLabelScope": "[parameters('autoGeneratedDomainNameLabelScope')]", - "enabledState": "[parameters('enabledState')]" - }, - "dependsOn": [ - "profile" - ] - }, - "afd_endpoint_route": { - "copy": { - "name": "afd_endpoint_route", - "count": "[length(parameters('routes'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Profile-AfdEndpoint-Route', uniqueString(deployment().name, parameters('routes')[copyIndex()].name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('routes')[copyIndex()].name]" - }, - "profileName": { - "value": "[parameters('profileName')]" - }, - "afdEndpointName": { - "value": "[parameters('name')]" - }, - "cacheConfiguration": "[if(contains(parameters('routes')[copyIndex()], 'cacheConfiguration'), createObject('value', parameters('routes')[copyIndex()].cacheConfiguration), 
createObject('value', null()))]", - "customDomainName": "[if(contains(parameters('routes')[copyIndex()], 'customDomainName'), createObject('value', parameters('routes')[copyIndex()].customDomainName), createObject('value', ''))]", - "enabledState": "[if(contains(parameters('routes')[copyIndex()], 'enabledState'), createObject('value', parameters('routes')[copyIndex()].enabledState), createObject('value', 'Enabled'))]", - "forwardingProtocol": "[if(contains(parameters('routes')[copyIndex()], 'forwardingProtocol'), createObject('value', parameters('routes')[copyIndex()].forwardingProtocol), createObject('value', 'MatchRequest'))]", - "httpsRedirect": "[if(contains(parameters('routes')[copyIndex()], 'httpsRedirect'), createObject('value', parameters('routes')[copyIndex()].httpsRedirect), createObject('value', 'Enabled'))]", - "linkToDefaultDomain": "[if(contains(parameters('routes')[copyIndex()], 'linkToDefaultDomain'), createObject('value', parameters('routes')[copyIndex()].linkToDefaultDomain), createObject('value', 'Enabled'))]", - "originGroupName": "[if(contains(parameters('routes')[copyIndex()], 'originGroupName'), createObject('value', parameters('routes')[copyIndex()].originGroupName), createObject('value', ''))]", - "originPath": "[if(contains(parameters('routes')[copyIndex()], 'originPath'), createObject('value', parameters('routes')[copyIndex()].originPath), createObject('value', ''))]", - "patternsToMatch": "[if(contains(parameters('routes')[copyIndex()], 'patternsToMatch'), createObject('value', parameters('routes')[copyIndex()].patternsToMatch), createObject('value', createArray()))]", - "ruleSets": "[if(contains(parameters('routes')[copyIndex()], 'ruleSets'), createObject('value', parameters('routes')[copyIndex()].ruleSets), createObject('value', createArray()))]", - "supportedProtocols": "[if(contains(parameters('routes')[copyIndex()], 'supportedProtocols'), createObject('value', parameters('routes')[copyIndex()].supportedProtocols), 
createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "1534020105352910282" - }, - "name": "CDN Profiles AFD Endpoint Route", - "description": "This module deploys a CDN Profile AFD Endpoint route.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the route." - } - }, - "profileName": { - "type": "string", - "metadata": { - "description": "Required. The name of the parent CDN profile." - } - }, - "afdEndpointName": { - "type": "string", - "metadata": { - "description": "Required. The name of the AFD endpoint." - } - }, - "cacheConfiguration": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The caching configuration for this route. To disable caching, do not provide a cacheConfiguration object." - } - }, - "customDomainName": { - "type": "string", - "metadata": { - "description": "Optional. The name of the custom domain. The custom domain must be defined in the profile customDomains." - } - }, - "forwardingProtocol": { - "type": "string", - "defaultValue": "MatchRequest", - "allowedValues": [ - "HttpOnly", - "HttpsOnly", - "MatchRequest" - ], - "metadata": { - "description": "Optional. The protocol this rule will use when forwarding traffic to backends." - } - }, - "enabledState": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Whether this route is enabled." 
- } - }, - "httpsRedirect": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Whether to automatically redirect HTTP traffic to HTTPS traffic." - } - }, - "linkToDefaultDomain": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Whether this route will be linked to the default endpoint domain." - } - }, - "originGroupName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Required. The name of the origin group. The origin group must be defined in the profile originGroups." - } - }, - "originPath": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. A directory path on the origin that AzureFrontDoor can use to retrieve content from, e.g. contoso.cloudapp.net/originpath." - } - }, - "patternsToMatch": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The route patterns of the rule." - } - }, - "ruleSets": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The rule sets of the rule. The rule sets must be defined in the profile ruleSets." - } - }, - "supportedProtocols": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "Http", - "Https" - ], - "metadata": { - "description": "Optional. The supported protocols of the rule." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Cdn/profiles/afdEndpoints/routes", - "apiVersion": "2023-05-01", - "name": "[format('{0}/{1}/{2}', parameters('profileName'), parameters('afdEndpointName'), parameters('name'))]", - "properties": { - "copy": [ - { - "name": "ruleSets", - "count": "[length(parameters('ruleSets'))]", - "input": { - "id": "[resourceId('Microsoft.Cdn/profiles/ruleSets', parameters('profileName'), parameters('ruleSets')[copyIndex('ruleSets')].name)]" - } - } - ], - "cacheConfiguration": "[if(not(empty(parameters('cacheConfiguration'))), parameters('cacheConfiguration'), null())]", - "customDomains": "[if(not(empty(parameters('customDomainName'))), createArray(createObject('id', resourceId('Microsoft.Cdn/profiles/customDomains', parameters('profileName'), parameters('customDomainName')))), createArray())]", - "enabledState": "[parameters('enabledState')]", - "forwardingProtocol": "[parameters('forwardingProtocol')]", - "httpsRedirect": "[parameters('httpsRedirect')]", - "linkToDefaultDomain": "[parameters('linkToDefaultDomain')]", - "originGroup": { - "id": "[resourceId('Microsoft.Cdn/profiles/originGroups', parameters('profileName'), parameters('originGroupName'))]" - }, - "originPath": "[if(not(empty(parameters('originPath'))), parameters('originPath'), null())]", - "patternsToMatch": "[parameters('patternsToMatch')]", - "supportedProtocols": "[if(not(empty(parameters('supportedProtocols'))), parameters('supportedProtocols'), null())]" - } - } - ], - "outputs": { - "name": { - "type": 
"string", - "metadata": { - "description": "The name of the route." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The ID of the route." - }, - "value": "[resourceId('Microsoft.Cdn/profiles/afdEndpoints/routes', parameters('profileName'), parameters('afdEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the route was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "afd_endpoint", - "profile" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the AFD Endpoint." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource id of the AFD Endpoint." - }, - "value": "[resourceId('Microsoft.Cdn/profiles/afdEndpoints', parameters('profileName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the endpoint was created in." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('afd_endpoint', '2023-05-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "profile", - "profile_custom_domain", - "profile_origionGroup", - "profile_ruleSet" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the CDN profile." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the CDN profile." 
- }, - "value": "[resourceId('Microsoft.Cdn/profiles', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group where the CDN profile is deployed." - }, - "value": "[resourceGroup().name]" - }, - "profileType": { - "type": "string", - "metadata": { - "description": "The type of the CDN profile." - }, - "value": "Microsoft.Cdn/profiles" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('profile', '2023-05-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/cdn/profile/origingroup/README.md b/modules/cdn/profile/origingroup/README.md deleted file mode 100644 index 75ea5a05c2..0000000000 --- a/modules/cdn/profile/origingroup/README.md +++ /dev/null 
@@ -1,119 +0,0 @@
-# CDN Profiles Origin Group `[Microsoft.Cdn/profiles/originGroups]`
-
-This module deploys a CDN Profile Origin Group.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Cdn/profiles/originGroups` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2023-05-01/profiles/originGroups) |
-| `Microsoft.Cdn/profiles/originGroups/origins` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2023-05-01/profiles/originGroups/origins) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`loadBalancingSettings`](#parameter-loadbalancingsettings) | object | Load balancing settings for a backend pool. |
-| [`name`](#parameter-name) | string | The name of the origin group. |
-| [`origins`](#parameter-origins) | array | The list of origins within the origin group. |
-| [`profileName`](#parameter-profilename) | string | The name of the CDN profile. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`healthProbeSettings`](#parameter-healthprobesettings) | object | Health probe settings to the origin that is used to determine the health of the origin. |
-| [`sessionAffinityState`](#parameter-sessionaffinitystate) | string | Whether to allow session affinity on this host. |
-| [`trafficRestorationTimeToHealedOrNewEndpointsInMinutes`](#parameter-trafficrestorationtimetohealedornewendpointsinminutes) | int | Time in minutes to shift the traffic to the endpoint gradually when an unhealthy endpoint comes healthy or a new endpoint is added. Default is 10 mins. |
-
-### Parameter: `loadBalancingSettings`
-
-Load balancing settings for a backend pool.
-
-- Required: Yes
-- Type: object
-
-### Parameter: `name`
-
-The name of the origin group.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `origins`
-
-The list of origins within the origin group.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `profileName`
-
-The name of the CDN profile.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `healthProbeSettings`
-
-Health probe settings to the origin that is used to determine the health of the origin.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `sessionAffinityState`
-
-Whether to allow session affinity on this host.
-
-- Required: No
-- Type: string
-- Default: `'Disabled'`
-- Allowed:
- ```Bicep
- [
- 'Disabled'
- 'Enabled'
- ]
- ```
-
-### Parameter: `trafficRestorationTimeToHealedOrNewEndpointsInMinutes`
-
-Time in minutes to shift the traffic to the endpoint gradually when an unhealthy endpoint comes healthy or a new endpoint is added. Default is 10 mins.
-
-- Required: No
-- Type: int
-- Default: `10`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the origin group. |
-| `resourceGroupName` | string | The name of the resource group the origin group was created in. |
-| `resourceId` | string | The resource id of the origin group. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/cdn/profile/origingroup/main.bicep b/modules/cdn/profile/origingroup/main.bicep
deleted file mode 100644
index e394dcb042..0000000000
--- a/modules/cdn/profile/origingroup/main.bicep
+++ /dev/null
@@ -1,91 +0,0 @@
-metadata name = 'CDN Profiles Origin Group'
-metadata description = 'This module deploys a CDN Profile Origin Group.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the origin group.')
-param name string
-
-@description('Required. The name of the CDN profile.')
-param profileName string
-
-@description('Optional. Health probe settings to the origin that is used to determine the health of the origin.')
-param healthProbeSettings object = {}
-
-@description('Required. Load balancing settings for a backend pool.')
-param loadBalancingSettings object
-
-@allowed([
- 'Disabled'
- 'Enabled'
-])
-@description('Optional. Whether to allow session affinity on this host.')
-param sessionAffinityState string = 'Disabled'
-
-@description('Optional. Time in minutes to shift the traffic to the endpoint gradually when an unhealthy endpoint comes healthy or a new endpoint is added. Default is 10 mins.')
-param trafficRestorationTimeToHealedOrNewEndpointsInMinutes int = 10
-
-@description('Required. The list of origins within the origin group.')
-param origins array = []
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource profile 'Microsoft.Cdn/profiles@2023-05-01' existing = {
- name: profileName
-}
-
-resource originGroup 'Microsoft.Cdn/profiles/originGroups@2023-05-01' = {
- name: name
- parent: profile
- properties: {
- healthProbeSettings: !empty(healthProbeSettings) ? healthProbeSettings : null
- loadBalancingSettings: loadBalancingSettings
- sessionAffinityState: sessionAffinityState
- trafficRestorationTimeToHealedOrNewEndpointsInMinutes: trafficRestorationTimeToHealedOrNewEndpointsInMinutes
- }
-}
-
-module origin 'origin/main.bicep' = [for (origion, index) in origins: {
- name: '${uniqueString(deployment().name)}-OriginGroup-Origin-${index}'
- params: {
- name: origion.name
- profileName: profileName
- hostName: origion.hostName
- originGroupName: originGroup.name
- enabledState: contains(origion, 'enabledState') ? origion.enabledState : 'Enabled'
- enforceCertificateNameCheck: contains(origion, 'enforceCertificateNameCheck') ? origion.enforceCertificateNameCheck : true
- httpPort: contains(origion, 'httpPort') ? origion.httpPort : 80
- httpsPort: contains(origion, 'httpsPort') ? origion.httpsPort : 443
- originHostHeader: contains(origion, 'originHostHeader') ? origion.originHostHeader : origion.hostName
- priority: contains(origion, 'priority') ? origion.priority : 1
- weight: contains(origion, 'weight') ? origion.weight : 1000
- sharedPrivateLinkResource: contains(origion, 'sharedPrivateLinkResource') ? origion.sharedPrivateLinkResource : null
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-@description('The name of the origin group.')
-output name string = originGroup.name
-
-@description('The resource id of the origin group.')
-output resourceId string = originGroup.id
-
-@description('The name of the resource group the origin group was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = profile.location
diff --git a/modules/cdn/profile/origingroup/main.json b/modules/cdn/profile/origingroup/main.json
deleted file mode 100644
index dbd070e484..0000000000
--- a/modules/cdn/profile/origingroup/main.json
+++ /dev/null
@@ -1,338 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "11971964733746078182" - }, - "name": "CDN Profiles Origin Group", - "description": "This module deploys a CDN Profile Origin Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the origin group." - } - }, - "profileName": { - "type": "string", - "metadata": { - "description": "Required. The name of the CDN profile." - } - }, - "healthProbeSettings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Health probe settings to the origin that is used to determine the health of the origin." - } - }, - "loadBalancingSettings": { - "type": "object", - "metadata": { - "description": "Required. Load balancing settings for a backend pool." - } - }, - "sessionAffinityState": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Whether to allow session affinity on this host." - } - }, - "trafficRestorationTimeToHealedOrNewEndpointsInMinutes": { - "type": "int", - "defaultValue": 10, - "metadata": { - "description": "Optional. Time in minutes to shift the traffic to the endpoint gradually when an unhealthy endpoint comes healthy or a new endpoint is added. Default is 10 mins." - } - }, - "origins": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Required. The list of origins within the origin group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Cdn/profiles/originGroups", - "apiVersion": "2023-05-01", - "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]", - "properties": { - "healthProbeSettings": "[if(not(empty(parameters('healthProbeSettings'))), parameters('healthProbeSettings'), null())]", - "loadBalancingSettings": "[parameters('loadBalancingSettings')]", - "sessionAffinityState": "[parameters('sessionAffinityState')]", - "trafficRestorationTimeToHealedOrNewEndpointsInMinutes": "[parameters('trafficRestorationTimeToHealedOrNewEndpointsInMinutes')]" - } - }, - { - "copy": { - "name": "origin", - "count": "[length(parameters('origins'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-OriginGroup-Origin-{1}', uniqueString(deployment().name), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('origins')[copyIndex()].name]" - }, - "profileName": { - "value": "[parameters('profileName')]" - }, - "hostName": { - "value": "[parameters('origins')[copyIndex()].hostName]" - }, - "originGroupName": { - "value": "[parameters('name')]" - }, - "enabledState": "[if(contains(parameters('origins')[copyIndex()], 'enabledState'), createObject('value', parameters('origins')[copyIndex()].enabledState), createObject('value', 'Enabled'))]", - 
"enforceCertificateNameCheck": "[if(contains(parameters('origins')[copyIndex()], 'enforceCertificateNameCheck'), createObject('value', parameters('origins')[copyIndex()].enforceCertificateNameCheck), createObject('value', true()))]", - "httpPort": "[if(contains(parameters('origins')[copyIndex()], 'httpPort'), createObject('value', parameters('origins')[copyIndex()].httpPort), createObject('value', 80))]", - "httpsPort": "[if(contains(parameters('origins')[copyIndex()], 'httpsPort'), createObject('value', parameters('origins')[copyIndex()].httpsPort), createObject('value', 443))]", - "originHostHeader": "[if(contains(parameters('origins')[copyIndex()], 'originHostHeader'), createObject('value', parameters('origins')[copyIndex()].originHostHeader), createObject('value', parameters('origins')[copyIndex()].hostName))]", - "priority": "[if(contains(parameters('origins')[copyIndex()], 'priority'), createObject('value', parameters('origins')[copyIndex()].priority), createObject('value', 1))]", - "weight": "[if(contains(parameters('origins')[copyIndex()], 'weight'), createObject('value', parameters('origins')[copyIndex()].weight), createObject('value', 1000))]", - "sharedPrivateLinkResource": "[if(contains(parameters('origins')[copyIndex()], 'sharedPrivateLinkResource'), createObject('value', parameters('origins')[copyIndex()].sharedPrivateLinkResource), createObject('value', null()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "9016533430746404335" - }, - "name": "CDN Profiles Origin", - "description": "This module deploys a CDN Profile Origin.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": 
"Required. The name of the origion." - } - }, - "profileName": { - "type": "string", - "metadata": { - "description": "Required. The name of the CDN profile." - } - }, - "originGroupName": { - "type": "string", - "metadata": { - "description": "Required. The name of the group." - } - }, - "enabledState": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Whether to enable health probes to be made against backends defined under backendPools. Health probes can only be disabled if there is a single enabled backend in single enabled backend pool." - } - }, - "enforceCertificateNameCheck": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Whether to enable certificate name check at origin level." - } - }, - "hostName": { - "type": "string", - "metadata": { - "description": "Required. The address of the origin. Domain names, IPv4 addresses, and IPv6 addresses are supported.This should be unique across all origins in an endpoint." - } - }, - "httpPort": { - "type": "int", - "defaultValue": 80, - "metadata": { - "description": "Optional. The value of the HTTP port. Must be between 1 and 65535." - } - }, - "httpsPort": { - "type": "int", - "defaultValue": 443, - "metadata": { - "description": "Optional. The value of the HTTPS port. Must be between 1 and 65535." - } - }, - "originHostHeader": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The host header value sent to the origin with each request. If you leave this blank, the request hostname determines this value. Azure Front Door origins, such as Web Apps, Blob Storage, and Cloud Services require this host header value to match the origin hostname by default. This overrides the host header defined at Endpoint." - } - }, - "priority": { - "type": "int", - "defaultValue": 1, - "metadata": { - "description": "Optional. 
Priority of origin in given origin group for load balancing. Higher priorities will not be used for load balancing if any lower priority origin is healthy.Must be between 1 and 5." - } - }, - "sharedPrivateLinkResource": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The properties of the private link resource for private origin." - } - }, - "weight": { - "type": "int", - "defaultValue": 1000, - "metadata": { - "description": "Optional. Weight of the origin in given origin group for load balancing. Must be between 1 and 1000." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Cdn/profiles/originGroups/origins", - "apiVersion": "2023-05-01", - "name": "[format('{0}/{1}/{2}', parameters('profileName'), parameters('originGroupName'), parameters('name'))]", - "properties": { - "enabledState": "[parameters('enabledState')]", - "enforceCertificateNameCheck": "[parameters('enforceCertificateNameCheck')]", - "hostName": "[parameters('hostName')]", - "httpPort": "[parameters('httpPort')]", - "httpsPort": "[parameters('httpsPort')]", - "originHostHeader": "[parameters('originHostHeader')]", - "priority": "[parameters('priority')]", - "sharedPrivateLinkResource": "[if(not(empty(parameters('sharedPrivateLinkResource'))), parameters('sharedPrivateLinkResource'), null())]", - "weight": 
"[parameters('weight')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the origin." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource id of the origin." - }, - "value": "[resourceId('Microsoft.Cdn/profiles/originGroups/origins', parameters('profileName'), parameters('originGroupName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the origin was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Cdn/profiles/originGroups', parameters('profileName'), parameters('name'))]" - ] - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the origin group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource id of the origin group." - }, - "value": "[resourceId('Microsoft.Cdn/profiles/originGroups', parameters('profileName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the origin group was created in." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference(resourceId('Microsoft.Cdn/profiles', parameters('profileName')), '2023-05-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/cdn/profile/origingroup/origin/README.md b/modules/cdn/profile/origingroup/origin/README.md deleted file mode 100644 index e1ce2dd02c..0000000000 --- a/modules/cdn/profile/origingroup/origin/README.md +++ /dev/null 
@@ -1,161 +0,0 @@
-# CDN Profiles Origin `[Microsoft.Cdn/profiles/originGroups/origins]`
-
-This module deploys a CDN Profile Origin.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Cdn/profiles/originGroups/origins` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2023-05-01/profiles/originGroups/origins) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`hostName`](#parameter-hostname) | string | The address of the origin. Domain names, IPv4 addresses, and IPv6 addresses are supported.This should be unique across all origins in an endpoint. |
-| [`name`](#parameter-name) | string | The name of the origion. |
-| [`originGroupName`](#parameter-origingroupname) | string | The name of the group. |
-| [`profileName`](#parameter-profilename) | string | The name of the CDN profile. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`enabledState`](#parameter-enabledstate) | string | Whether to enable health probes to be made against backends defined under backendPools. Health probes can only be disabled if there is a single enabled backend in single enabled backend pool. |
-| [`enforceCertificateNameCheck`](#parameter-enforcecertificatenamecheck) | bool | Whether to enable certificate name check at origin level. |
-| [`httpPort`](#parameter-httpport) | int | The value of the HTTP port. Must be between 1 and 65535. |
-| [`httpsPort`](#parameter-httpsport) | int | The value of the HTTPS port. Must be between 1 and 65535. |
-| [`originHostHeader`](#parameter-originhostheader) | string | The host header value sent to the origin with each request. If you leave this blank, the request hostname determines this value. Azure Front Door origins, such as Web Apps, Blob Storage, and Cloud Services require this host header value to match the origin hostname by default. This overrides the host header defined at Endpoint. |
-| [`priority`](#parameter-priority) | int | Priority of origin in given origin group for load balancing. Higher priorities will not be used for load balancing if any lower priority origin is healthy.Must be between 1 and 5. |
-| [`sharedPrivateLinkResource`](#parameter-sharedprivatelinkresource) | object | The properties of the private link resource for private origin. |
-| [`weight`](#parameter-weight) | int | Weight of the origin in given origin group for load balancing. Must be between 1 and 1000. |
-
-### Parameter: `hostName`
-
-The address of the origin. Domain names, IPv4 addresses, and IPv6 addresses are supported.This should be unique across all origins in an endpoint.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `name`
-
-The name of the origion.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `originGroupName`
-
-The name of the group.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `profileName`
-
-The name of the CDN profile.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `enabledState`
-
-Whether to enable health probes to be made against backends defined under backendPools. Health probes can only be disabled if there is a single enabled backend in single enabled backend pool.
-
-- Required: No
-- Type: string
-- Default: `'Enabled'`
-- Allowed:
- ```Bicep
- [
- 'Disabled'
- 'Enabled'
- ]
- ```
-
-### Parameter: `enforceCertificateNameCheck`
-
-Whether to enable certificate name check at origin level.
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `httpPort`
-
-The value of the HTTP port. Must be between 1 and 65535.
-
-- Required: No
-- Type: int
-- Default: `80`
-
-### Parameter: `httpsPort`
-
-The value of the HTTPS port. Must be between 1 and 65535.
-
-- Required: No
-- Type: int
-- Default: `443`
-
-### Parameter: `originHostHeader`
-
-The host header value sent to the origin with each request. If you leave this blank, the request hostname determines this value. Azure Front Door origins, such as Web Apps, Blob Storage, and Cloud Services require this host header value to match the origin hostname by default. This overrides the host header defined at Endpoint.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `priority`
-
-Priority of origin in given origin group for load balancing. Higher priorities will not be used for load balancing if any lower priority origin is healthy.Must be between 1 and 5.
-
-- Required: No
-- Type: int
-- Default: `1`
-
-### Parameter: `sharedPrivateLinkResource`
-
-The properties of the private link resource for private origin.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `weight`
-
-Weight of the origin in given origin group for load balancing. Must be between 1 and 1000.
-
-- Required: No
-- Type: int
-- Default: `1000`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the origin. |
-| `resourceGroupName` | string | The name of the resource group the origin was created in. |
-| `resourceId` | string | The resource id of the origin. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/cdn/profile/origingroup/origin/main.bicep b/modules/cdn/profile/origingroup/origin/main.bicep
deleted file mode 100644
index c93522b4cc..0000000000
--- a/modules/cdn/profile/origingroup/origin/main.bicep
+++ /dev/null
@@ -1,91 +0,0 @@
-metadata name = 'CDN Profiles Origin'
-metadata description = 'This module deploys a CDN Profile Origin.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the origion.')
-param name string
-
-@description('Required. The name of the CDN profile.')
-param profileName string
-
-@description('Required. The name of the group.')
-param originGroupName string
-
-@allowed([
- 'Disabled'
- 'Enabled'
-])
-@description('Optional. Whether to enable health probes to be made against backends defined under backendPools. Health probes can only be disabled if there is a single enabled backend in single enabled backend pool.')
-param enabledState string = 'Enabled'
-
-@description('Optional. Whether to enable certificate name check at origin level.')
-param enforceCertificateNameCheck bool = true
-
-@description('Required. The address of the origin. Domain names, IPv4 addresses, and IPv6 addresses are supported.This should be unique across all origins in an endpoint.')
-param hostName string
-
-@description('Optional. The value of the HTTP port. Must be between 1 and 65535.')
-param httpPort int = 80
-
-@description('Optional. The value of the HTTPS port. Must be between 1 and 65535.')
-param httpsPort int = 443
-
-@description('Optional. The host header value sent to the origin with each request. If you leave this blank, the request hostname determines this value. Azure Front Door origins, such as Web Apps, Blob Storage, and Cloud Services require this host header value to match the origin hostname by default. This overrides the host header defined at Endpoint.')
-param originHostHeader string = ''
-
-@description('Optional. Priority of origin in given origin group for load balancing. Higher priorities will not be used for load balancing if any lower priority origin is healthy.Must be between 1 and 5.')
-param priority int = 1
-
-@description('Optional. The properties of the private link resource for private origin.')
-param sharedPrivateLinkResource object = {}
-
-@description('Optional. Weight of the origin in given origin group for load balancing. Must be between 1 and 1000.')
-param weight int = 1000
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource profile 'Microsoft.Cdn/profiles@2023-05-01' existing = {
- name: profileName
-
- resource originGroup 'originGroups@2023-05-01' existing = {
- name: originGroupName
- }
-}
-
-resource origin 'Microsoft.Cdn/profiles/originGroups/origins@2023-05-01' = {
- name: name
- parent: profile::originGroup
- properties: {
- enabledState: enabledState
- enforceCertificateNameCheck: enforceCertificateNameCheck
- hostName: hostName
- httpPort: httpPort
- httpsPort: httpsPort
- originHostHeader: originHostHeader
- priority: priority
- sharedPrivateLinkResource: !empty(sharedPrivateLinkResource) ? sharedPrivateLinkResource : null
- weight: weight
- }
-}
-
-@description('The name of the origin.')
-output name string = origin.name
-
-@description('The resource id of the origin.')
-output resourceId string = origin.id
-
-@description('The name of the resource group the origin was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/cdn/profile/origingroup/origin/main.json b/modules/cdn/profile/origingroup/origin/main.json
deleted file mode 100644
index f72c208fb4..0000000000
--- a/modules/cdn/profile/origingroup/origin/main.json
+++ /dev/null
@@ -1,162 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "9016533430746404335" - }, - "name": "CDN Profiles Origin", - "description": "This module deploys a CDN Profile Origin.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the origion." - } - }, - "profileName": { - "type": "string", - "metadata": { - "description": "Required. The name of the CDN profile." - } - }, - "originGroupName": { - "type": "string", - "metadata": { - "description": "Required. The name of the group." - } - }, - "enabledState": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Whether to enable health probes to be made against backends defined under backendPools. Health probes can only be disabled if there is a single enabled backend in single enabled backend pool." - } - }, - "enforceCertificateNameCheck": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Whether to enable certificate name check at origin level." - } - }, - "hostName": { - "type": "string", - "metadata": { - "description": "Required. The address of the origin. Domain names, IPv4 addresses, and IPv6 addresses are supported.This should be unique across all origins in an endpoint." - } - }, - "httpPort": { - "type": "int", - "defaultValue": 80, - "metadata": { - "description": "Optional. The value of the HTTP port. Must be between 1 and 65535." - } - }, - "httpsPort": { - "type": "int", - "defaultValue": 443, - "metadata": { - "description": "Optional. The value of the HTTPS port. Must be between 1 and 65535." 
- } - }, - "originHostHeader": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The host header value sent to the origin with each request. If you leave this blank, the request hostname determines this value. Azure Front Door origins, such as Web Apps, Blob Storage, and Cloud Services require this host header value to match the origin hostname by default. This overrides the host header defined at Endpoint." - } - }, - "priority": { - "type": "int", - "defaultValue": 1, - "metadata": { - "description": "Optional. Priority of origin in given origin group for load balancing. Higher priorities will not be used for load balancing if any lower priority origin is healthy.Must be between 1 and 5." - } - }, - "sharedPrivateLinkResource": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The properties of the private link resource for private origin." - } - }, - "weight": { - "type": "int", - "defaultValue": 1000, - "metadata": { - "description": "Optional. Weight of the origin in given origin group for load balancing. Must be between 1 and 1000." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Cdn/profiles/originGroups/origins", - "apiVersion": "2023-05-01", - "name": "[format('{0}/{1}/{2}', parameters('profileName'), parameters('originGroupName'), parameters('name'))]", - "properties": { - "enabledState": "[parameters('enabledState')]", - "enforceCertificateNameCheck": "[parameters('enforceCertificateNameCheck')]", - "hostName": "[parameters('hostName')]", - "httpPort": "[parameters('httpPort')]", - "httpsPort": "[parameters('httpsPort')]", - "originHostHeader": "[parameters('originHostHeader')]", - "priority": "[parameters('priority')]", - "sharedPrivateLinkResource": "[if(not(empty(parameters('sharedPrivateLinkResource'))), parameters('sharedPrivateLinkResource'), null())]", - "weight": "[parameters('weight')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the origin." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource id of the origin." - }, - "value": "[resourceId('Microsoft.Cdn/profiles/originGroups/origins', parameters('profileName'), parameters('originGroupName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the origin was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file 
diff --git a/modules/cdn/profile/origingroup/origin/version.json b/modules/cdn/profile/origingroup/origin/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/cdn/profile/origingroup/origin/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/cdn/profile/origingroup/version.json b/modules/cdn/profile/origingroup/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/cdn/profile/origingroup/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/cdn/profile/ruleset/README.md b/modules/cdn/profile/ruleset/README.md
deleted file mode 100644
index 86a5df0c0e..0000000000
--- a/modules/cdn/profile/ruleset/README.md
+++ /dev/null
@@ -1,81 +0,0 @@
-# CDN Profiles Rule Sets `[Microsoft.Cdn/profiles/ruleSets]`
-
-This module deploys a CDN Profile rule set.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Cdn/profiles/ruleSets` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2023-05-01/profiles/ruleSets) |
-| `Microsoft.Cdn/profiles/ruleSets/rules` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2023-05-01/profiles/ruleSets/rules) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the rule set. |
-| [`profileName`](#parameter-profilename) | string | The name of the CDN profile. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-
-**Optinal parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`rules`](#parameter-rules) | array | The rules to apply to the rule set. |
-
-### Parameter: `name`
-
-The name of the rule set.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `profileName`
-
-The name of the CDN profile.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `rules`
-
-The rules to apply to the rule set.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the rule set. |
-| `resourceGroupName` | string | The name of the resource group the custom domain was created in. |
-| `resourceId` | string | The resource id of the rule set. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/cdn/profile/ruleset/main.bicep b/modules/cdn/profile/ruleset/main.bicep
deleted file mode 100644
index 634a391120..0000000000
--- a/modules/cdn/profile/ruleset/main.bicep
+++ /dev/null
@@ -1,60 +0,0 @@
-metadata name = 'CDN Profiles Rule Sets'
-metadata description = 'This module deploys a CDN Profile rule set.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the rule set.')
-param name string
-
-@description('Required. The name of the CDN profile.')
-param profileName string
-
-@description('Optinal. The rules to apply to the rule set.')
-param rules array = []
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-var enableReferencedModulesTelemetry = false
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource profile 'Microsoft.Cdn/profiles@2023-05-01' existing = {
- name: profileName
-}
-
-resource rule_set 'Microsoft.Cdn/profiles/ruleSets@2023-05-01' = {
- name: name
- parent: profile
-}
-
-module rule 'rule/main.bicep' = [for (rule, index) in rules: {
- name: '${uniqueString(deployment().name)}-RuleSet-Rule-${rule.name}-${index}'
- params: {
- profileName: profileName
- ruleSetName: name
- name: rule.name
- order: rule.order
- actions: rule.actions
- conditions: contains(rule, 'conditions') ? rule.conditions : []
- matchProcessingBehavior: contains(rule, 'matchProcessingBehavior') ? rule.matchProcessingBehavior : 'Continue'
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-@description('The name of the rule set.')
-output name string = rule_set.name
-
-@description('The resource id of the rule set.')
-output resourceId string = rule_set.id
-
-@description('The name of the resource group the custom domain was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/cdn/profile/ruleset/main.json b/modules/cdn/profile/ruleset/main.json
deleted file mode 100644
index 648f1e2927..0000000000
--- a/modules/cdn/profile/ruleset/main.json
+++ /dev/null
@@ -1,247 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "6357254985592021008" - }, - "name": "CDN Profiles Rule Sets", - "description": "This module deploys a CDN Profile rule set.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the rule set." - } - }, - "profileName": { - "type": "string", - "metadata": { - "description": "Required. The name of the CDN profile." - } - }, - "rules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optinal. The rules to apply to the rule set." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Cdn/profiles/ruleSets", - "apiVersion": "2023-05-01", - "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]" - }, - { - "copy": { - "name": "rule", - "count": "[length(parameters('rules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-RuleSet-Rule-{1}-{2}', uniqueString(deployment().name), parameters('rules')[copyIndex()].name, copyIndex())]", - 
"properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "profileName": { - "value": "[parameters('profileName')]" - }, - "ruleSetName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('rules')[copyIndex()].name]" - }, - "order": { - "value": "[parameters('rules')[copyIndex()].order]" - }, - "actions": { - "value": "[parameters('rules')[copyIndex()].actions]" - }, - "conditions": "[if(contains(parameters('rules')[copyIndex()], 'conditions'), createObject('value', parameters('rules')[copyIndex()].conditions), createObject('value', createArray()))]", - "matchProcessingBehavior": "[if(contains(parameters('rules')[copyIndex()], 'matchProcessingBehavior'), createObject('value', parameters('rules')[copyIndex()].matchProcessingBehavior), createObject('value', 'Continue'))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "5740342061156329686" - }, - "name": "CDN Profiles Rules", - "description": "This module deploys a CDN Profile rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the rule." - } - }, - "profileName": { - "type": "string", - "metadata": { - "description": "Required. The name of the profile." - } - }, - "ruleSetName": { - "type": "string", - "metadata": { - "description": "Required. The name of the rule set." - } - }, - "order": { - "type": "int", - "metadata": { - "description": "Required. The order in which this rule will be applied. Rules with a lower order are applied before rules with a higher order." 
- } - }, - "actions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. A list of actions that are executed when all the conditions of a rule are satisfied." - } - }, - "conditions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. A list of conditions that must be matched for the actions to be executed." - } - }, - "matchProcessingBehavior": { - "type": "string", - "allowedValues": [ - "Continue", - "Stop" - ], - "metadata": { - "description": "Required. If this rule is a match should the rules engine continue running the remaining rules or stop. If not present, defaults to Continue." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Cdn/profiles/ruleSets/rules", - "apiVersion": "2023-05-01", - "name": "[format('{0}/{1}/{2}', parameters('profileName'), parameters('ruleSetName'), parameters('name'))]", - "properties": { - "order": "[parameters('order')]", - "actions": "[parameters('actions')]", - "conditions": "[parameters('conditions')]", - "matchProcessingBehavior": "[parameters('matchProcessingBehavior')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the rule." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource id of the rule." - }, - "value": "[resourceId('Microsoft.Cdn/profiles/ruleSets/rules', parameters('profileName'), parameters('ruleSetName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the custom domain was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the rule set." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource id of the rule set." - }, - "value": "[resourceId('Microsoft.Cdn/profiles/ruleSets', parameters('profileName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the custom domain was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/cdn/profile/ruleset/rule/README.md b/modules/cdn/profile/ruleset/rule/README.md deleted file mode 100644 index 69b073f5b8..0000000000 --- a/modules/cdn/profile/ruleset/rule/README.md +++ /dev/null 
@@ -1,115 +0,0 @@
-# CDN Profiles Rules `[Microsoft.Cdn/profiles/ruleSets/rules]`
-
-This module deploys a CDN Profile rule.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Cdn/profiles/ruleSets/rules` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2023-05-01/profiles/ruleSets/rules) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`matchProcessingBehavior`](#parameter-matchprocessingbehavior) | string | If this rule is a match should the rules engine continue running the remaining rules or stop. If not present, defaults to Continue. |
-| [`name`](#parameter-name) | string | The name of the rule. |
-| [`order`](#parameter-order) | int | The order in which this rule will be applied. Rules with a lower order are applied before rules with a higher order. |
-| [`profileName`](#parameter-profilename) | string | The name of the profile. |
-| [`ruleSetName`](#parameter-rulesetname) | string | The name of the rule set. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`actions`](#parameter-actions) | array | A list of actions that are executed when all the conditions of a rule are satisfied. |
-| [`conditions`](#parameter-conditions) | array | A list of conditions that must be matched for the actions to be executed. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-
-### Parameter: `matchProcessingBehavior`
-
-If this rule is a match should the rules engine continue running the remaining rules or stop. If not present, defaults to Continue.
-
-- Required: Yes
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Continue'
- 'Stop'
- ]
- ```
-
-### Parameter: `name`
-
-The name of the rule.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `order`
-
-The order in which this rule will be applied. Rules with a lower order are applied before rules with a higher order.
-
-- Required: Yes
-- Type: int
-
-### Parameter: `profileName`
-
-The name of the profile.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `ruleSetName`
-
-The name of the rule set.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `actions`
-
-A list of actions that are executed when all the conditions of a rule are satisfied.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `conditions`
-
-A list of conditions that must be matched for the actions to be executed.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the rule. |
-| `resourceGroupName` | string | The name of the resource group the custom domain was created in. |
-| `resourceId` | string | The resource id of the rule. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/cdn/profile/ruleset/rule/main.bicep b/modules/cdn/profile/ruleset/rule/main.bicep
deleted file mode 100644
index ac839dd91a..0000000000
--- a/modules/cdn/profile/ruleset/rule/main.bicep
+++ /dev/null
@@ -1,71 +0,0 @@
-metadata name = 'CDN Profiles Rules'
-metadata description = 'This module deploys a CDN Profile rule.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the rule.')
-param name string
-
-@description('Required. The name of the profile.')
-param profileName string
-
-@description('Required. The name of the rule set.')
-param ruleSetName string
-
-@description('Required. The order in which this rule will be applied. Rules with a lower order are applied before rules with a higher order.')
-param order int
-
-@description('Optional. A list of actions that are executed when all the conditions of a rule are satisfied.')
-param actions array = []
-
-@description('Optional. A list of conditions that must be matched for the actions to be executed.')
-param conditions array = []
-
-@allowed([
- 'Continue'
- 'Stop'
-])
-@description('Required. If this rule is a match should the rules engine continue running the remaining rules or stop. If not present, defaults to Continue.')
-param matchProcessingBehavior string
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource profile 'Microsoft.Cdn/profiles@2023-05-01' existing = {
- name: profileName
-
- resource rule_set 'ruleSets@2023-05-01' existing = {
- name: ruleSetName
- }
-}
-
-resource rule_set_rule 'Microsoft.Cdn/profiles/ruleSets/rules@2023-05-01' = {
- name: name
- parent: profile::rule_set
- properties: {
- order: order
- actions: actions
- conditions: conditions
- matchProcessingBehavior: matchProcessingBehavior
- }
-}
-
-@description('The name of the rule.')
-output name string = rule_set_rule.name
-
-@description('The resource id of the rule.')
-output resourceId string = rule_set_rule.id
-
-@description('The name of the resource group the custom domain was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/cdn/profile/ruleset/rule/main.json b/modules/cdn/profile/ruleset/rule/main.json
deleted file mode 100644
index f80130a829..0000000000
--- a/modules/cdn/profile/ruleset/rule/main.json
+++ /dev/null
@@ -1,121 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "5740342061156329686" - }, - "name": "CDN Profiles Rules", - "description": "This module deploys a CDN Profile rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the rule." - } - }, - "profileName": { - "type": "string", - "metadata": { - "description": "Required. The name of the profile." - } - }, - "ruleSetName": { - "type": "string", - "metadata": { - "description": "Required. The name of the rule set." - } - }, - "order": { - "type": "int", - "metadata": { - "description": "Required. The order in which this rule will be applied. Rules with a lower order are applied before rules with a higher order." - } - }, - "actions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. A list of actions that are executed when all the conditions of a rule are satisfied." - } - }, - "conditions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. A list of conditions that must be matched for the actions to be executed." - } - }, - "matchProcessingBehavior": { - "type": "string", - "allowedValues": [ - "Continue", - "Stop" - ], - "metadata": { - "description": "Required. If this rule is a match should the rules engine continue running the remaining rules or stop. If not present, defaults to Continue." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Cdn/profiles/ruleSets/rules", - "apiVersion": "2023-05-01", - "name": "[format('{0}/{1}/{2}', parameters('profileName'), parameters('ruleSetName'), parameters('name'))]", - "properties": { - "order": "[parameters('order')]", - "actions": "[parameters('actions')]", - "conditions": "[parameters('conditions')]", - "matchProcessingBehavior": "[parameters('matchProcessingBehavior')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource id of the rule." - }, - "value": "[resourceId('Microsoft.Cdn/profiles/ruleSets/rules', parameters('profileName'), parameters('ruleSetName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the custom domain was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/cdn/profile/ruleset/rule/version.json b/modules/cdn/profile/ruleset/rule/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/cdn/profile/ruleset/rule/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/cdn/profile/ruleset/version.json b/modules/cdn/profile/ruleset/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/cdn/profile/ruleset/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/cdn/profile/secret/README.md b/modules/cdn/profile/secret/README.md
deleted file mode 100644
index ee6b555589..0000000000
--- a/modules/cdn/profile/secret/README.md
+++ /dev/null
@@ -1,125 +0,0 @@
-# CDN Profiles Secret `[Microsoft.Cdn/profiles/secrets]`
-
-This module deploys a CDN Profile Secret.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Cdn/profiles/secrets` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2023-05-01/profiles/secrets) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the secrect. |
-| [`type`](#parameter-type) | string | The type of the secrect. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`profileName`](#parameter-profilename) | string | The name of the parent CDN profile. Required if the template is used in a standalone deployment. |
-| [`secretSourceResourceId`](#parameter-secretsourceresourceid) | string | The resource ID of the secret source. Required if the `type` is "CustomerCertificate". |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`secretVersion`](#parameter-secretversion) | string | The version of the secret. |
-| [`subjectAlternativeNames`](#parameter-subjectalternativenames) | array | The subject alternative names of the secrect. |
-| [`useLatestVersion`](#parameter-uselatestversion) | bool | Indicates whether to use the latest version of the secrect. |
-
-### Parameter: `name`
-
-The name of the secrect.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `type`
-
-The type of the secrect.
-
-- Required: No
-- Type: string
-- Default: `'AzureFirstPartyManagedCertificate'`
-- Allowed:
- ```Bicep
- [
- 'AzureFirstPartyManagedCertificate'
- 'CustomerCertificate'
- 'ManagedCertificate'
- 'UrlSigningKey'
- ]
- ```
-
-### Parameter: `profileName`
-
-The name of the parent CDN profile. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `secretSourceResourceId`
-
-The resource ID of the secret source. Required if the `type` is "CustomerCertificate".
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `secretVersion`
-
-The version of the secret.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `subjectAlternativeNames`
-
-The subject alternative names of the secrect.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `useLatestVersion`
-
-Indicates whether to use the latest version of the secrect.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the secrect. |
-| `resourceGroupName` | string | The name of the resource group the secret was created in. |
-| `resourceId` | string | The resource ID of the secrect. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/cdn/profile/secret/main.bicep b/modules/cdn/profile/secret/main.bicep
deleted file mode 100644
index 831c5a1f03..0000000000
--- a/modules/cdn/profile/secret/main.bicep
+++ /dev/null
@@ -1,75 +0,0 @@
-metadata name = 'CDN Profiles Secret'
-metadata description = 'This module deploys a CDN Profile Secret.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the secrect.')
-param name string
-
-@description('Conditional. The name of the parent CDN profile. Required if the template is used in a standalone deployment.')
-param profileName string
-
-@allowed([
- 'AzureFirstPartyManagedCertificate'
- 'CustomerCertificate'
- 'ManagedCertificate'
- 'UrlSigningKey'
-])
-@description('Required. The type of the secrect.')
-param type string = 'AzureFirstPartyManagedCertificate'
-
-@description('Conditional. The resource ID of the secret source. Required if the `type` is "CustomerCertificate".')
-#disable-next-line secure-secrets-in-params
-param secretSourceResourceId string = ''
-
-@description('Optional. The version of the secret.')
-param secretVersion string = ''
-
-@description('Optional. The subject alternative names of the secrect.')
-param subjectAlternativeNames array = []
-
-@description('Optional. Indicates whether to use the latest version of the secrect.')
-param useLatestVersion bool = false
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource profile 'Microsoft.Cdn/profiles@2023-05-01' existing = {
- name: profileName
-}
-
-resource profile_secrect 'Microsoft.Cdn/profiles/secrets@2023-05-01' = {
- name: name
- parent: profile
- properties: {
- parameters: (type == 'CustomerCertificate') ? {
- type: type
- secretSource: {
- id: secretSourceResourceId
- }
- secretVersion: secretVersion
- subjectAlternativeNames: subjectAlternativeNames
- useLatestVersion: useLatestVersion
- } : null
- }
-}
-
-@description('The name of the secrect.')
-output name string = profile_secrect.name
-
-@description('The resource ID of the secrect.')
-output resourceId string = profile_secrect.id
-
-@description('The name of the resource group the secret was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/cdn/profile/secret/main.json b/modules/cdn/profile/secret/main.json
deleted file mode 100644
index 18def3c8f9..0000000000
--- a/modules/cdn/profile/secret/main.json
+++ /dev/null
@@ -1,123 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "9065117765223577157" - }, - "name": "CDN Profiles Secret", - "description": "This module deploys a CDN Profile Secret.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the secrect." - } - }, - "profileName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent CDN profile. Required if the template is used in a standalone deployment." - } - }, - "type": { - "type": "string", - "defaultValue": "AzureFirstPartyManagedCertificate", - "allowedValues": [ - "AzureFirstPartyManagedCertificate", - "CustomerCertificate", - "ManagedCertificate", - "UrlSigningKey" - ], - "metadata": { - "description": "Required. The type of the secrect." - } - }, - "secretSourceResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The resource ID of the secret source. Required if the `type` is \"CustomerCertificate\"." - } - }, - "secretVersion": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The version of the secret." - } - }, - "subjectAlternativeNames": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The subject alternative names of the secrect." - } - }, - "useLatestVersion": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates whether to use the latest version of the secrect." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Cdn/profiles/secrets", - "apiVersion": "2023-05-01", - "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]", - "properties": { - "parameters": "[if(equals(parameters('type'), 'CustomerCertificate'), createObject('type', parameters('type'), 'secretSource', createObject('id', parameters('secretSourceResourceId')), 'secretVersion', parameters('secretVersion'), 'subjectAlternativeNames', parameters('subjectAlternativeNames'), 'useLatestVersion', parameters('useLatestVersion')), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the secrect." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the secrect." - }, - "value": "[resourceId('Microsoft.Cdn/profiles/secrets', parameters('profileName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the secret was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/cdn/profile/secret/version.json b/modules/cdn/profile/secret/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/cdn/profile/secret/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/cdn/profile/tests/e2e/afd/dependencies.bicep b/modules/cdn/profile/tests/e2e/afd/dependencies.bicep
deleted file mode 100644
index 48a1bc4be0..0000000000
--- a/modules/cdn/profile/tests/e2e/afd/dependencies.bicep
+++ /dev/null
@@ -1,38 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
- properties: {
- allowBlobPublicAccess: false
- networkAcls: {
- defaultAction: 'Deny'
- bypass: 'AzureServices'
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
-
-@description('The name of the created Storage Account.')
-output storageAccountName string = storageAccount.name
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/cdn/profile/tests/e2e/afd/main.test.bicep b/modules/cdn/profile/tests/e2e/afd/main.test.bicep
deleted file mode 100644
index e9e3864bf9..0000000000
--- a/modules/cdn/profile/tests/e2e/afd/main.test.bicep
+++ /dev/null
@@ -1,142 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-cdn.profiles-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cdnpafd'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}cdnstore${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- name: 'dep-${namePrefix}-test-${serviceShort}'
- location: 'global'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- originResponseTimeoutSeconds: 60
- sku: 'Standard_AzureFrontDoor'
- enableDefaultTelemetry: enableDefaultTelemetry
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- customDomains: [
- {
- name: 'dep-${namePrefix}-test-${serviceShort}-custom-domain'
- hostName: 'dep-${namePrefix}-test-${serviceShort}-custom-domain.azurewebsites.net'
- certificateType: 'ManagedCertificate'
- }
- ]
- origionGroups: [
- {
- name: 'dep-${namePrefix}-test-${serviceShort}-origin-group'
- loadBalancingSettings: {
- additionalLatencyInMilliseconds: 50
- sampleSize: 4
- successfulSamplesRequired: 3
- }
- origins: [
- {
- name: 'dep-${namePrefix}-test-${serviceShort}-origin'
- hostName: 'dep-${namePrefix}-test-${serviceShort}-origin.azurewebsites.net'
- }
- ]
- }
- ]
- ruleSets: [
- {
- name: 'dep${namePrefix}test${serviceShort}ruleset'
- rules: [
- {
- name: 'dep${namePrefix}test${serviceShort}rule'
- order: 1
- actions: [
- {
- name: 'UrlRedirect'
- parameters: {
- typeName: 'DeliveryRuleUrlRedirectActionParameters'
- redirectType: 'PermanentRedirect'
- destinationProtocol: 'Https'
- customPath: '/test123'
- customHostname: 'dev-etradefd.trade.azure.defra.cloud'
- }
- }
- ]
- }
- ]
- }
- ]
- afdEndpoints: [
- {
- name: 'dep-${namePrefix}-test-${serviceShort}-afd-endpoint'
- routes: [
- {
- name: 'dep-${namePrefix}-test-${serviceShort}-afd-route'
- originGroupName: 'dep-${namePrefix}-test-${serviceShort}-origin-group'
- customDomainName: 'dep-${namePrefix}-test-${serviceShort}-custom-domain'
- ruleSets: [
- {
- name: 'dep${namePrefix}test${serviceShort}ruleset'
- }
- ]
- }
- ]
- }
- ]
- }
-}]
diff --git a/modules/cdn/profile/tests/e2e/max/dependencies.bicep b/modules/cdn/profile/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 7ca387035b..0000000000
--- a/modules/cdn/profile/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,38 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
- properties: {
- allowBlobPublicAccess: false
- networkAcls: {
- defaultAction: 'Deny'
- bypass: 'AzureServices'
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
-
-@description('The name of the created Storage Account.')
-output storageAccountName string = storageAccount.name
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/cdn/profile/tests/e2e/max/main.test.bicep b/modules/cdn/profile/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 85bf8f601d..0000000000
--- a/modules/cdn/profile/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,112 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-cdn.profiles-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cdnpmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}cdnstore${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- name: 'dep-${namePrefix}-test-${serviceShort}'
- location: location
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- originResponseTimeoutSeconds: 60
- sku: 'Standard_Verizon'
- enableDefaultTelemetry: enableDefaultTelemetry
- endpointProperties: {
- originHostHeader: '${nestedDependencies.outputs.storageAccountName}.blob.${environment().suffixes.storage}'
- contentTypesToCompress: [
- 'text/plain'
- 'text/html'
- 'text/css'
- 'text/javascript'
- 'application/x-javascript'
- 'application/javascript'
- 'application/json'
- 'application/xml'
- ]
- isCompressionEnabled: true
- isHttpAllowed: true
- isHttpsAllowed: true
- queryStringCachingBehavior: 'IgnoreQueryString'
- origins: [
- {
- name: 'dep-${namePrefix}-cdn-endpoint01'
- properties: {
- hostName: '${nestedDependencies.outputs.storageAccountName}.blob.${environment().suffixes.storage}'
- httpPort: 80
- httpsPort: 443
- enabled: true
- }
- }
- ]
- originGroups: []
- geoFilters: []
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- }
-}]
diff --git a/modules/cdn/profile/tests/e2e/waf-aligned/dependencies.bicep b/modules/cdn/profile/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 7ca387035b..0000000000
--- a/modules/cdn/profile/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,38 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
- properties: {
- allowBlobPublicAccess: false
- networkAcls: {
- defaultAction: 'Deny'
- bypass: 'AzureServices'
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
-
-@description('The name of the created Storage Account.')
-output storageAccountName string = storageAccount.name
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep b/modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index af0c232249..0000000000
--- a/modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,95 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-cdn.profiles-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cdnpwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}cdnstore${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- name: 'dep-${namePrefix}-test-${serviceShort}'
- location: location
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- originResponseTimeoutSeconds: 60
- sku: 'Standard_Verizon'
- enableDefaultTelemetry: enableDefaultTelemetry
- endpointProperties: {
- originHostHeader: '${nestedDependencies.outputs.storageAccountName}.blob.${environment().suffixes.storage}'
- contentTypesToCompress: [
- 'text/plain'
- 'text/html'
- 'text/css'
- 'text/javascript'
- 'application/x-javascript'
- 'application/javascript'
- 'application/json'
- 'application/xml'
- ]
- isCompressionEnabled: true
- isHttpAllowed: true
- isHttpsAllowed: true
- queryStringCachingBehavior: 'IgnoreQueryString'
- origins: [
- {
- name: 'dep-${namePrefix}-cdn-endpoint01'
- properties: {
- hostName: '${nestedDependencies.outputs.storageAccountName}.blob.${environment().suffixes.storage}'
- httpPort: 80
- httpsPort: 443
- enabled: true
- }
- }
- ]
- originGroups: []
- geoFilters: []
- }
- }
-}]
diff --git a/modules/cdn/profile/version.json b/modules/cdn/profile/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/cdn/profile/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/cognitive-services/account/MOVED-TO-AVM.md b/modules/cognitive-services/account/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/cognitive-services/account/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/cognitive-services/account/README.md b/modules/cognitive-services/account/README.md
index fdc4c529e8..b7625ef33a 100644
--- a/modules/cognitive-services/account/README.md
+++ b/modules/cognitive-services/account/README.md
@@ -1,1471 +1,7 @@ -# Cognitive Services `[Microsoft.CognitiveServices/accounts]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/cognitive-services/account](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/cognitive-services/account).** -This module deploys a Cognitive Service. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/cognitive-services/account). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.CognitiveServices/accounts` | [2022-12-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.CognitiveServices/2022-12-01/accounts) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 
[2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/cognitive-services.account:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Encr](#example-2-encr) -- [Using large parameter set](#example-3-using-large-parameter-set) -- [Speech](#example-4-speech) -- [WAF-aligned](#example-5-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-csamin' - params: { - // Required parameters - kind: 'SpeechServices' - name: 'csamin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "kind": { - "value": "SpeechServices" - }, - "name": { - "value": "csamin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Encr_ - -

- -via Bicep module - -```bicep -module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-csaencr' - params: { - // Required parameters - kind: 'SpeechServices' - name: 'csaencr001' - // Non-required parameters - cMKKeyName: '' - cMKKeyVaultResourceId: '' - cMKUserAssignedIdentityResourceId: '' - enableDefaultTelemetry: '' - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - publicNetworkAccess: 'Enabled' - restrictOutboundNetworkAccess: false - sku: 'S0' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "kind": { - "value": "SpeechServices" - }, - "name": { - "value": "csaencr001" - }, - // Non-required parameters - "cMKKeyName": { - "value": "" - }, - "cMKKeyVaultResourceId": { - "value": "" - }, - "cMKUserAssignedIdentityResourceId": { - "value": "" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "publicNetworkAccess": { - "value": "Enabled" - }, - "restrictOutboundNetworkAccess": { - "value": false - }, - "sku": { - "value": "S0" - } - } -} -``` - -
-

- -### Example 3: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-csamax' - params: { - // Required parameters - kind: 'Face' - name: 'csamax001' - // Non-required parameters - customSubDomainName: 'xdomain' - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - networkAcls: { - defaultAction: 'Deny' - ipRules: [ - { - value: '40.74.28.0/23' - } - ] - virtualNetworkRules: [ - { - id: '' - ignoreMissingVnetServiceEndpoint: false - } - ] - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - sku: 'S0' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "kind": { - "value": "Face" - }, - "name": { - "value": "csamax001" - }, - // Non-required parameters - "customSubDomainName": { - "value": "xdomain" - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "networkAcls": { - "value": { - "defaultAction": "Deny", - "ipRules": [ - { - "value": "40.74.28.0/23" - } - ], - "virtualNetworkRules": [ - { - "id": "", - "ignoreMissingVnetServiceEndpoint": false - } - ] - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "sku": { - "value": "S0" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 4: _Speech_ - -

- -via Bicep module - -```bicep -module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-csaspeech' - params: { - // Required parameters - kind: 'SpeechServices' - name: 'csaspeech001' - // Non-required parameters - customSubDomainName: 'speechdomain' - enableDefaultTelemetry: '' - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'account' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - sku: 'S0' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "kind": { - "value": "SpeechServices" - }, - "name": { - "value": "csaspeech001" - }, - // Non-required parameters - "customSubDomainName": { - "value": "speechdomain" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "account", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "sku": { - "value": "S0" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 5: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-csawaf' - params: { - // Required parameters - kind: 'Face' - name: 'csawaf001' - // Non-required parameters - customSubDomainName: 'xdomain' - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - networkAcls: { - defaultAction: 'Deny' - ipRules: [ - { - value: '40.74.28.0/23' - } - ] - virtualNetworkRules: [ - { - id: '' - ignoreMissingVnetServiceEndpoint: false - } - ] - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - sku: 'S0' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "kind": { - "value": "Face" - }, - "name": { - "value": "csawaf001" - }, - // Non-required parameters - "customSubDomainName": { - "value": "xdomain" - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "networkAcls": { - "value": { - "defaultAction": "Deny", - "ipRules": [ - { - "value": "40.74.28.0/23" - } - ], - "virtualNetworkRules": [ - { - "id": "", - "ignoreMissingVnetServiceEndpoint": false - } - ] - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "sku": { - "value": "S0" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-kind) | string | Kind of the Cognitive Services. Use 'Get-AzCognitiveServicesAccountSku' to determine a valid combinations of 'kind' and 'SKU' for your Azure region. | -| [`name`](#parameter-name) | string | The name of Cognitive Services account. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | -| [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. | -| [`customSubDomainName`](#parameter-customsubdomainname) | string | Subdomain name used for token-based authentication. Required if 'networkAcls' or 'privateEndpoints' are set. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`allowedFqdnList`](#parameter-allowedfqdnlist) | array | List of allowed FQDN. | -| [`apiProperties`](#parameter-apiproperties) | object | The API properties for special APIs. | -| [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter 'systemAssignedIdentity' enabled. | -| [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, latest is used. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`disableLocalAuth`](#parameter-disablelocalauth) | bool | Allow only Azure AD authentication. Should be enabled for security reasons. 
| -| [`dynamicThrottlingEnabled`](#parameter-dynamicthrottlingenabled) | bool | The flag to enable dynamic throttling. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`migrationToken`](#parameter-migrationtoken) | string | Resource migration token. | -| [`networkAcls`](#parameter-networkacls) | object | A collection of rules governing the accessibility from specific network locations. | -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set. | -| [`restore`](#parameter-restore) | bool | Restore a soft-deleted cognitive service at deployment time. Will fail if no such soft-deleted resource exists. | -| [`restrictOutboundNetworkAccess`](#parameter-restrictoutboundnetworkaccess) | bool | Restrict outbound network access. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| -| [`sku`](#parameter-sku) | string | SKU of the Cognitive Services resource. Use 'Get-AzCognitiveServicesAccountSku' to determine a valid combinations of 'kind' and 'SKU' for your Azure region. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`userOwnedStorage`](#parameter-userownedstorage) | array | The storage accounts for this resource. | - -### Parameter: `kind` - -Kind of the Cognitive Services. Use 'Get-AzCognitiveServicesAccountSku' to determine a valid combinations of 'kind' and 'SKU' for your Azure region. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'AnomalyDetector' - 'Bing.Autosuggest.v7' - 'Bing.CustomSearch' - 'Bing.EntitySearch' - 'Bing.Search.v7' - 'Bing.SpellCheck.v7' - 'CognitiveServices' - 'ComputerVision' - 'ContentModerator' - 'CustomVision.Prediction' - 'CustomVision.Training' - 'Face' - 'FormRecognizer' - 'ImmersiveReader' - 'Internal.AllInOne' - 'LUIS' - 'LUIS.Authoring' - 'Personalizer' - 'QnAMaker' - 'SpeechServices' - 'TextAnalytics' - 'TextTranslation' - ] - ``` - -### Parameter: `name` - -The name of Cognitive Services account. - -- Required: Yes -- Type: string - -### Parameter: `cMKKeyVaultResourceId` - -The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `cMKUserAssignedIdentityResourceId` - -User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `customSubDomainName` - -Subdomain name used for token-based authentication. Required if 'networkAcls' or 'privateEndpoints' are set. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `allowedFqdnList` - -List of allowed FQDN. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `apiProperties` - -The API properties for special APIs. 
- -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `cMKKeyName` - -The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter 'systemAssignedIdentity' enabled. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `cMKKeyVersion` - -The version of the customer managed key to reference for encryption. If not provided, latest is used. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
| -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `disableLocalAuth` - -Allow only Azure AD authentication. Should be enabled for security reasons. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `dynamicThrottlingEnabled` - -The flag to enable dynamic throttling. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location for all Resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. 
- -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. - -- Required: No -- Type: array - -### Parameter: `migrationToken` - -Resource migration token. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `networkAcls` - -A collection of rules governing the accessibility from specific network locations. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `privateEndpoints` - -Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. 
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. 
A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.subnetResourceId` - -Resource ID of the subnet where the endpoint needs to be created. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Application security groups in which the private endpoint IP configuration is included. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customDnsConfigs` - -Custom DNS configurations. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customNetworkInterfaceName` - -The custom name of the network interface attached to the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.enableTelemetry` - -Enable/Disable usage telemetry for module. - -- Required: No -- Type: bool - -### Parameter: `privateEndpoints.ipConfigurations` - -A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.location` - -The location to deploy the private endpoint to. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.lock` - -Specify the type of lock. 
- -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | -| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | - -### Parameter: `privateEndpoints.lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `privateEndpoints.lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` - -Manual PrivateLink Service Connections. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.name` - -The name of the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneGroupName` - -The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` - -The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| -| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `privateEndpoints.roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `privateEndpoints.service` - -The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.tags` - -Tags to be applied on all resources/resource groups in this deployment. - -- Required: No -- Type: object - -### Parameter: `publicNetworkAccess` - -Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `restore` - -Restore a soft-deleted cognitive service at deployment time. Will fail if no such soft-deleted resource exists. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `restrictOutboundNetworkAccess` - -Restrict outbound network access. 
- -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. 
- -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `sku` - -SKU of the Cognitive Services resource. Use 'Get-AzCognitiveServicesAccountSku' to determine a valid combinations of 'kind' and 'SKU' for your Azure region. - -- Required: No -- Type: string -- Default: `'S0'` -- Allowed: - ```Bicep - [ - 'C2' - 'C3' - 'C4' - 'F0' - 'F1' - 'S' - 'S0' - 'S1' - 'S10' - 'S2' - 'S3' - 'S4' - 'S5' - 'S6' - 'S7' - 'S8' - 'S9' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `userOwnedStorage` - -The storage accounts for this resource. - -- Required: No -- Type: array -- Default: `[]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `endpoint` | string | The service endpoint of the cognitive services account. 
|
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the cognitive services account. |
-| `resourceGroupName` | string | The resource group the cognitive services account was deployed into. |
-| `resourceId` | string | The resource ID of the cognitive services account. |
-| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. |
-
-## Cross-referenced modules
-
-This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
-
-| Reference | Type |
-| :-- | :-- |
-| `modules/network/private-endpoint` | Local reference |
-
-## Notes
-
-Not all combinations of parameters `kind` and `SKU` are valid and they may vary in different Azure Regions. Please use PowerShell cmdlet `Get-AzCognitiveServicesAccountSku` or another methods to determine valid values in your region.
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/cognitive-services/account/main.bicep b/modules/cognitive-services/account/main.bicep
deleted file mode 100644
index be906d33de..0000000000
--- a/modules/cognitive-services/account/main.bicep
+++ /dev/null
@@ -1,473 +0,0 @@
-metadata name = 'Cognitive Services'
-metadata description = 'This module deploys a Cognitive Service.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of Cognitive Services account.')
-param name string
-
-@description('Required. Kind of the Cognitive Services. Use \'Get-AzCognitiveServicesAccountSku\' to determine a valid combinations of \'kind\' and \'SKU\' for your Azure region.')
-@allowed([
- 'AnomalyDetector'
- 'Bing.Autosuggest.v7'
- 'Bing.CustomSearch'
- 'Bing.EntitySearch'
- 'Bing.Search.v7'
- 'Bing.SpellCheck.v7'
- 'CognitiveServices'
- 'ComputerVision'
- 'ContentModerator'
- 'CustomVision.Prediction'
- 'CustomVision.Training'
- 'Face'
- 'FormRecognizer'
- 'ImmersiveReader'
- 'Internal.AllInOne'
- 'LUIS'
- 'LUIS.Authoring'
- 'Personalizer'
- 'QnAMaker'
- 'SpeechServices'
- 'TextAnalytics'
- 'TextTranslation'
-])
-param kind string
-
-@description('Optional. SKU of the Cognitive Services resource. Use \'Get-AzCognitiveServicesAccountSku\' to determine a valid combinations of \'kind\' and \'SKU\' for your Azure region.')
-@allowed([
- 'C2'
- 'C3'
- 'C4'
- 'F0'
- 'F1'
- 'S'
- 'S0'
- 'S1'
- 'S10'
- 'S2'
- 'S3'
- 'S4'
- 'S5'
- 'S6'
- 'S7'
- 'S8'
- 'S9'
-])
-param sku string = 'S0'
-
-@description('Optional. Location for all Resources.')
-param location string = resourceGroup().location
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set.')
-@allowed([
- ''
- 'Enabled'
- 'Disabled'
-])
-param publicNetworkAccess string = ''
-
-@description('Conditional. Subdomain name used for token-based authentication. Required if \'networkAcls\' or \'privateEndpoints\' are set.')
-param customSubDomainName string = ''
-
-@description('Optional. A collection of rules governing the accessibility from specific network locations.')
-param networkAcls object = {}
-
-@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints privateEndpointType
-
-@description('Optional. The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. List of allowed FQDN.')
-param allowedFqdnList array = []
-
-@description('Optional. The API properties for special APIs.')
-param apiProperties object = {}
-
-@description('Optional. Allow only Azure AD authentication. Should be enabled for security reasons.')
-param disableLocalAuth bool = true
-
-@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.')
-param cMKKeyVaultResourceId string = ''
-
-@description('Optional. The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter \'systemAssignedIdentity\' enabled.')
-param cMKKeyName string = ''
-
-@description('Conditional. User assigned identity to use when fetching the customer managed key. Required if \'cMKKeyName\' is not empty.')
-param cMKUserAssignedIdentityResourceId string = ''
-
-@description('Optional. The version of the customer managed key to reference for encryption. If not provided, latest is used.')
-param cMKKeyVersion string = ''
-
-@description('Optional. The flag to enable dynamic throttling.')
-param dynamicThrottlingEnabled bool = false
-
-@description('Optional. Resource migration token.')
-param migrationToken string = ''
-
-@description('Optional. Restore a soft-deleted cognitive service at deployment time. Will fail if no such soft-deleted resource exists.')
-param restore bool = false
-
-@description('Optional. Restrict outbound network access.')
-param restrictOutboundNetworkAccess bool = true
-
-@description('Optional. The storage accounts for this resource.')
-param userOwnedStorage array = []
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-
-var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
- userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
-} : null
-
-var builtInRoleNames = {
- 'Cognitive Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')
- 'Cognitive Services Custom Vision Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')
- 'Cognitive Services Custom Vision Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')
- 'Cognitive Services Custom Vision Labeler': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '88424f51-ebe7-446f-bc41-7fa16989e96c')
- 'Cognitive Services Custom Vision Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '93586559-c37d-4a6b-ba08-b9f0940c2d73')
- 'Cognitive Services Custom Vision Trainer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')
- 'Cognitive Services Data Reader (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')
- 'Cognitive Services Face Recognizer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9894cab4-e18a-44aa-828b-cb588cd6f2d7')
- 'Cognitive Services Immersive Reader User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b2de6794-95db-4659-8781-7e080d3f2b9d')
- 'Cognitive Services Language Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f07febfe-79bc-46b1-8b37-790e26e6e498')
- 'Cognitive Services Language Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7628b7b8-a8b2-4cdc-b46f-e9b35248918e')
- 'Cognitive Services Language Writer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f2310ca1-dc64-4889-bb49-c8e0fa3d47a8')
- 'Cognitive Services LUIS Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f72c8140-2111-481c-87ff-72b910f6e3f8')
- 'Cognitive Services LUIS Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18e81cdc-4e98-4e29-a639-e7d10c5a6226')
- 'Cognitive Services LUIS Writer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6322a993-d5c9-4bed-b113-e49bbea25b27')
- 'Cognitive Services Metrics Advisor Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'cb43c632-a144-4ec5-977c-e80c4affc34a')
- 'Cognitive Services Metrics Advisor User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3b20f47b-3825-43cb-8114-4bd2201156a8')
- 'Cognitive Services OpenAI Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a001fd3d-188f-4b5d-821b-7da978bf7442')
- 'Cognitive Services OpenAI User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd')
- 'Cognitive Services QnA Maker Editor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')
- 'Cognitive Services QnA Maker Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '466ccd10-b268-4a11-b098-b4849f024126')
- 'Cognitive Services Speech Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0e75ca1e-0464-4b4d-8b93-68208a576181')
- 'Cognitive Services Speech User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f2dc8367-1007-4938-bd23-fe263f013447')
- 'Cognitive Services User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a97b65f3-24c7-4388-baec-2e87135dc908')
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) {
- name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))!
- scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4])
-
- resource cMKKey 'keys@2023-02-01' existing = if (!empty(cMKKeyName)) {
- name: !empty(cMKKeyName) ? cMKKeyName : 'dummyKey'
- }
-}
-
-resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(cMKUserAssignedIdentityResourceId)) {
- name: last(split((!empty(cMKUserAssignedIdentityResourceId) ? cMKUserAssignedIdentityResourceId : 'dummyMsi'), '/'))!
- scope: resourceGroup(split((!empty(cMKUserAssignedIdentityResourceId) ? cMKUserAssignedIdentityResourceId : '//'), '/')[2], split((!empty(cMKUserAssignedIdentityResourceId) ? cMKUserAssignedIdentityResourceId : '////'), '/')[4])
-}
-
-resource cognitiveServices 'Microsoft.CognitiveServices/accounts@2022-12-01' = {
- name: name
- kind: kind
- identity: identity
- location: location
- tags: tags
- sku: {
- name: sku
- }
- properties: {
- customSubDomainName: !empty(customSubDomainName) ? customSubDomainName : null
- networkAcls: !empty(networkAcls) ? {
- defaultAction: contains(networkAcls, 'defaultAction') ? networkAcls.defaultAction : null
- virtualNetworkRules: contains(networkAcls, 'virtualNetworkRules') ? networkAcls.virtualNetworkRules : []
- ipRules: contains(networkAcls, 'ipRules') ? networkAcls.ipRules : []
- } : null
- publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) && empty(networkAcls) ? 'Disabled' : null)
- allowedFqdnList: allowedFqdnList
- apiProperties: apiProperties
- disableLocalAuth: disableLocalAuth
- encryption: !empty(cMKKeyName) ? {
- keySource: 'Microsoft.KeyVault'
- keyVaultProperties: {
- identityClientId: cMKUserAssignedIdentity.properties.clientId
- keyVaultUri: cMKKeyVault.properties.vaultUri
- keyName: cMKKeyName
- keyVersion: !empty(cMKKeyVersion) ? cMKKeyVersion : last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/'))
- }
- } : null
- migrationToken: !empty(migrationToken) ? migrationToken : null
- restore: restore
- restrictOutboundNetworkAccess: restrictOutboundNetworkAccess
- userOwnedStorage: !empty(userOwnedStorage) ? userOwnedStorage : null
- dynamicThrottlingEnabled: dynamicThrottlingEnabled
- }
-}
-
-resource cognitiveServices_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: cognitiveServices
-}
-
-resource cognitiveServices_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: cognitiveServices
-}]
-
-module cognitiveServices_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
- name: '${uniqueString(deployment().name, location)}-cognitiveServices-PrivateEndpoint-${index}'
- params: {
- groupIds: [
- privateEndpoint.?service ?? 'account'
- ]
- name: privateEndpoint.?name ?? 'pep-${last(split(cognitiveServices.id, '/'))}-${privateEndpoint.?service ?? 'account'}-${index}'
- serviceResourceId: cognitiveServices.id
- subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
- location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
- privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
- roleAssignments: privateEndpoint.?roleAssignments
- tags: privateEndpoint.?tags ?? tags
- manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
- customDnsConfigs: privateEndpoint.?customDnsConfigs
- ipConfigurations: privateEndpoint.?ipConfigurations
- applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
- customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
- }
-}]
-
-resource cognitiveServices_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(cognitiveServices.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: cognitiveServices
-}]
-
-@description('The name of the cognitive services account.')
-output name string = cognitiveServices.name
-
-@description('The resource ID of the cognitive services account.')
-output resourceId string = cognitiveServices.id
-
-@description('The resource group the cognitive services account was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The service endpoint of the cognitive services account.')
-output endpoint string = cognitiveServices.properties.endpoint
-
-@description('The principal ID of the system assigned identity.')
-output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(cognitiveServices.identity, 'principalId') ? cognitiveServices.identity.principalId : ''
-
-@description('The location the resource was deployed into.')
-output location string = cognitiveServices.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @description('Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption.')
- userAssignedResourceIds: string[]?
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type privateEndpointType = {
- @description('Optional. The name of the private endpoint.')
- name: string?
-
- @description('Optional. The location to deploy the private endpoint to.')
- location: string?
-
- @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
- service: string?
-
- @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
- subnetResourceId: string
-
- @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
- privateDnsZoneGroupName: string?
-
- @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
- privateDnsZoneResourceIds: string[]?
-
- @description('Optional. Custom DNS configurations.')
- customDnsConfigs: {
- @description('Required. Fqdn that resolves to private endpoint ip address.')
- fqdn: string?
-
- @description('Required. A list of private ip addresses of the private endpoint.')
- ipAddresses: string[]
- }[]?
-
- @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
- ipConfigurations: {
- @description('Required. The name of the resource that is unique within a resource group.')
- name: string
-
- @description('Required. Properties of private endpoint IP configurations.')
- properties: {
- @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
- groupId: string
-
- @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
- memberName: string
-
- @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
- privateIPAddress: string
- }
- }[]?
-
- @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
- applicationSecurityGroupResourceIds: string[]?
-
- @description('Optional. The custom name of the network interface attached to the private endpoint.')
- customNetworkInterfaceName: string?
-
- @description('Optional. Specify the type of lock.')
- lock: lockType
-
- @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleAssignments: roleAssignmentType
-
- @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
- tags: object?
-
- @description('Optional. Manual PrivateLink Service Connections.')
- manualPrivateLinkServiceConnections: array?
-
- @description('Optional. Enable/Disable usage telemetry for module.')
- enableTelemetry: bool?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/cognitive-services/account/main.json b/modules/cognitive-services/account/main.json
deleted file mode 100644
index ec1c5362ac..0000000000
--- a/modules/cognitive-services/account/main.json
+++ /dev/null
@@ -1,1468 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "7313430754429497718" - }, - "name": "Cognitive Services", - "description": "This module deploys a Cognitive Service.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." 
- } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. 
Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
- } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of Cognitive Services account." 
- } - }, - "kind": { - "type": "string", - "allowedValues": [ - "AnomalyDetector", - "Bing.Autosuggest.v7", - "Bing.CustomSearch", - "Bing.EntitySearch", - "Bing.Search.v7", - "Bing.SpellCheck.v7", - "CognitiveServices", - "ComputerVision", - "ContentModerator", - "CustomVision.Prediction", - "CustomVision.Training", - "Face", - "FormRecognizer", - "ImmersiveReader", - "Internal.AllInOne", - "LUIS", - "LUIS.Authoring", - "Personalizer", - "QnAMaker", - "SpeechServices", - "TextAnalytics", - "TextTranslation" - ], - "metadata": { - "description": "Required. Kind of the Cognitive Services. Use 'Get-AzCognitiveServicesAccountSku' to determine a valid combinations of 'kind' and 'SKU' for your Azure region." - } - }, - "sku": { - "type": "string", - "defaultValue": "S0", - "allowedValues": [ - "C2", - "C3", - "C4", - "F0", - "F1", - "S", - "S0", - "S1", - "S10", - "S2", - "S3", - "S4", - "S5", - "S6", - "S7", - "S8", - "S9" - ], - "metadata": { - "description": "Optional. SKU of the Cognitive Services resource. Use 'Get-AzCognitiveServicesAccountSku' to determine a valid combinations of 'kind' and 'SKU' for your Azure region." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set." - } - }, - "customSubDomainName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. 
Subdomain name used for token-based authentication. Required if 'networkAcls' or 'privateEndpoints' are set." - } - }, - "networkAcls": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. A collection of rules governing the accessibility from specific network locations." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "allowedFqdnList": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of allowed FQDN." - } - }, - "apiProperties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The API properties for special APIs." - } - }, - "disableLocalAuth": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Allow only Azure AD authentication. 
Should be enabled for security reasons." - } - }, - "cMKKeyVaultResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty." - } - }, - "cMKKeyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter 'systemAssignedIdentity' enabled." - } - }, - "cMKUserAssignedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty." - } - }, - "cMKKeyVersion": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, latest is used." - } - }, - "dynamicThrottlingEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. The flag to enable dynamic throttling." - } - }, - "migrationToken": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource migration token." - } - }, - "restore": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Restore a soft-deleted cognitive service at deployment time. Will fail if no such soft-deleted resource exists." - } - }, - "restrictOutboundNetworkAccess": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Restrict outbound network access." - } - }, - "userOwnedStorage": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The storage accounts for this resource." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "builtInRoleNames": { - "Cognitive Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", - "Cognitive Services Custom Vision Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", - "Cognitive Services Custom Vision Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", - "Cognitive Services Custom Vision Labeler": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", - "Cognitive Services Custom Vision Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'93586559-c37d-4a6b-ba08-b9f0940c2d73')]", - "Cognitive Services Custom Vision Trainer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", - "Cognitive Services Data Reader (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", - "Cognitive Services Face Recognizer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9894cab4-e18a-44aa-828b-cb588cd6f2d7')]", - "Cognitive Services Immersive Reader User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b2de6794-95db-4659-8781-7e080d3f2b9d')]", - "Cognitive Services Language Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f07febfe-79bc-46b1-8b37-790e26e6e498')]", - "Cognitive Services Language Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7628b7b8-a8b2-4cdc-b46f-e9b35248918e')]", - "Cognitive Services Language Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f2310ca1-dc64-4889-bb49-c8e0fa3d47a8')]", - "Cognitive Services LUIS Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f72c8140-2111-481c-87ff-72b910f6e3f8')]", - "Cognitive Services LUIS Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18e81cdc-4e98-4e29-a639-e7d10c5a6226')]", - "Cognitive Services LUIS Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6322a993-d5c9-4bed-b113-e49bbea25b27')]", - "Cognitive Services Metrics Advisor Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'cb43c632-a144-4ec5-977c-e80c4affc34a')]", - "Cognitive Services Metrics Advisor User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3b20f47b-3825-43cb-8114-4bd2201156a8')]", - "Cognitive Services OpenAI Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a001fd3d-188f-4b5d-821b-7da978bf7442')]", - "Cognitive Services OpenAI User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd')]", - "Cognitive Services QnA Maker Editor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", - "Cognitive Services QnA Maker Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '466ccd10-b268-4a11-b098-b4849f024126')]", - "Cognitive Services Speech Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0e75ca1e-0464-4b4d-8b93-68208a576181')]", - "Cognitive Services Speech User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f2dc8367-1007-4938-bd23-fe263f013447')]", - "Cognitive Services User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "cMKKeyVault::cMKKey": { - "condition": "[and(not(empty(parameters('cMKKeyVaultResourceId'))), not(empty(parameters('cMKKeyName'))))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults/keys", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), 
'/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/')), if(not(empty(parameters('cMKKeyName'))), parameters('cMKKeyName'), 'dummyKey'))]", - "dependsOn": [ - "cMKKeyVault" - ] - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "cMKKeyVault": { - "condition": "[not(empty(parameters('cMKKeyVaultResourceId')))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2021-10-01", - "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/'))]" - }, - "cMKUserAssignedIdentity": { - "condition": "[not(empty(parameters('cMKUserAssignedIdentityResourceId')))]", - "existing": true, - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2023-01-31", - "subscriptionId": "[split(if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), parameters('cMKUserAssignedIdentityResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), 
parameters('cMKUserAssignedIdentityResourceId'), '////'), '/')[4]]", - "name": "[last(split(if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), parameters('cMKUserAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" - }, - "cognitiveServices": { - "type": "Microsoft.CognitiveServices/accounts", - "apiVersion": "2022-12-01", - "name": "[parameters('name')]", - "kind": "[parameters('kind')]", - "identity": "[variables('identity')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "name": "[parameters('sku')]" - }, - "properties": { - "customSubDomainName": "[if(not(empty(parameters('customSubDomainName'))), parameters('customSubDomainName'), null())]", - "networkAcls": "[if(not(empty(parameters('networkAcls'))), createObject('defaultAction', if(contains(parameters('networkAcls'), 'defaultAction'), parameters('networkAcls').defaultAction, null()), 'virtualNetworkRules', if(contains(parameters('networkAcls'), 'virtualNetworkRules'), parameters('networkAcls').virtualNetworkRules, createArray()), 'ipRules', if(contains(parameters('networkAcls'), 'ipRules'), parameters('networkAcls').ipRules, createArray())), null())]", - "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), if(and(not(empty(parameters('privateEndpoints'))), empty(parameters('networkAcls'))), 'Disabled', null()))]", - "allowedFqdnList": "[parameters('allowedFqdnList')]", - "apiProperties": "[parameters('apiProperties')]", - "disableLocalAuth": "[parameters('disableLocalAuth')]", - "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('keySource', 'Microsoft.KeyVault', 'keyVaultProperties', createObject('identityClientId', reference('cMKUserAssignedIdentity').clientId, 'keyVaultUri', reference('cMKKeyVault').vaultUri, 'keyName', parameters('cMKKeyName'), 'keyVersion', if(not(empty(parameters('cMKKeyVersion'))), parameters('cMKKeyVersion'), 
last(split(reference('cMKKeyVault::cMKKey').keyUriWithVersion, '/'))))), null())]", - "migrationToken": "[if(not(empty(parameters('migrationToken'))), parameters('migrationToken'), null())]", - "restore": "[parameters('restore')]", - "restrictOutboundNetworkAccess": "[parameters('restrictOutboundNetworkAccess')]", - "userOwnedStorage": "[if(not(empty(parameters('userOwnedStorage'))), parameters('userOwnedStorage'), null())]", - "dynamicThrottlingEnabled": "[parameters('dynamicThrottlingEnabled')]" - }, - "dependsOn": [ - "cMKKeyVault", - "cMKUserAssignedIdentity" - ] - }, - "cognitiveServices_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.CognitiveServices/accounts/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "cognitiveServices" - ] - }, - "cognitiveServices_diagnosticSettings": { - "copy": { - "name": "cognitiveServices_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.CognitiveServices/accounts/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "cognitiveServices" - ] - }, - "cognitiveServices_roleAssignments": { - "copy": { - "name": "cognitiveServices_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.CognitiveServices/accounts/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.CognitiveServices/accounts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), 
variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "cognitiveServices" - ] - }, - "cognitiveServices_privateEndpoints": { - "copy": { - "name": "cognitiveServices_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-cognitiveServices-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'account')]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', 
last(split(resourceId('Microsoft.CognitiveServices/accounts', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'account'), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.CognitiveServices/accounts', parameters('name'))]" - }, - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), 
createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. 
Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." 
- } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } 
- }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - "groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": 
"privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": 
"Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "cognitiveServices" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the cognitive services account." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the cognitive services account." - }, - "value": "[resourceId('Microsoft.CognitiveServices/accounts', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the cognitive services account was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "endpoint": { - "type": "string", - "metadata": { - "description": "The service endpoint of the cognitive services account." - }, - "value": "[reference('cognitiveServices').endpoint]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." 
- }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('cognitiveServices', '2022-12-01', 'full').identity, 'principalId')), reference('cognitiveServices', '2022-12-01', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('cognitiveServices', '2022-12-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/cognitive-services/account/tests/e2e/defaults/main.test.bicep b/modules/cognitive-services/account/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 0f682f11ba..0000000000 --- a/modules/cognitive-services/account/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,50 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-cognitiveservices.accounts-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'csamin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- kind: 'SpeechServices'
- }
-}]
diff --git a/modules/cognitive-services/account/tests/e2e/encr/dependencies.bicep b/modules/cognitive-services/account/tests/e2e/encr/dependencies.bicep
deleted file mode 100644
index e4c35b5db4..0000000000
--- a/modules/cognitive-services/account/tests/e2e/encr/dependencies.bicep
+++ /dev/null
@@ -1,89 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: true // Required by batch account
- softDeleteRetentionInDays: 7
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-
- resource key 'keys@2022-07-01' = {
- name: 'keyEncryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-}
-
-resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Key-Vault-Crypto-User-RoleAssignment')
- scope: keyVault::key
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User
- principalType: 'ServicePrincipal'
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
-
-@description('The name of the created Key Vault encryption key.')
-output keyVaultKeyName string = keyVault::key.name
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The client ID of the created Managed Identity.')
-output managedIdentityClientId string = managedIdentity.properties.clientId
diff --git a/modules/cognitive-services/account/tests/e2e/encr/main.test.bicep b/modules/cognitive-services/account/tests/e2e/encr/main.test.bicep
deleted file mode 100644
index 8b7c4e6608..0000000000
--- a/modules/cognitive-services/account/tests/e2e/encr/main.test.bicep
+++ /dev/null
@@ -1,72 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-cognitiveservices.accounts-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'csaencr'
-
-@description('Generated. Used as a basis for unique resource names.')
-param baseTime string = utcNow('u')
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- kind: 'SpeechServices'
- cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- cMKKeyName: nestedDependencies.outputs.keyVaultKeyName
- cMKUserAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId
- publicNetworkAccess: 'Enabled'
- sku: 'S0'
- managedIdentities: {
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- restrictOutboundNetworkAccess: false
- }
-}]
diff --git a/modules/cognitive-services/account/tests/e2e/max/dependencies.bicep b/modules/cognitive-services/account/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 129b6f6579..0000000000
--- a/modules/cognitive-services/account/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,68 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- serviceEndpoints: [
- {
- service: 'Microsoft.CognitiveServices'
- }
- ]
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.cognitiveservices.azure.com'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Private DNS zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/cognitive-services/account/tests/e2e/max/main.test.bicep b/modules/cognitive-services/account/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 5652d77380..0000000000
--- a/modules/cognitive-services/account/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,138 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-cognitiveservices.accounts-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'csamax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- kind: 'Face'
- customSubDomainName: '${namePrefix}xdomain'
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- networkAcls: {
- defaultAction: 'Deny'
- ipRules: [
- {
- value: '40.74.28.0/23'
- }
- ]
- virtualNetworkRules: [
- {
- id: nestedDependencies.outputs.subnetResourceId
- ignoreMissingVnetServiceEndpoint: false
- }
- ]
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- sku: 'S0'
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/cognitive-services/account/tests/e2e/speech/dependencies.bicep b/modules/cognitive-services/account/tests/e2e/speech/dependencies.bicep
deleted file mode 100644
index 542150de5c..0000000000
--- a/modules/cognitive-services/account/tests/e2e/speech/dependencies.bicep
+++ /dev/null
@@ -1,60 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.cognitiveservices.azure.com'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Private DNS zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/cognitive-services/account/tests/e2e/speech/main.test.bicep b/modules/cognitive-services/account/tests/e2e/speech/main.test.bicep
deleted file mode 100644
index 8c2a992585..0000000000
--- a/modules/cognitive-services/account/tests/e2e/speech/main.test.bicep
+++ /dev/null
@@ -1,82 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-cognitiveservices.accounts-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'csaspeech'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- kind: 'SpeechServices'
- customSubDomainName: '${namePrefix}speechdomain'
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- service: 'account'
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- sku: 'S0'
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/cognitive-services/account/tests/e2e/waf-aligned/dependencies.bicep b/modules/cognitive-services/account/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 129b6f6579..0000000000
--- a/modules/cognitive-services/account/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,68 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- serviceEndpoints: [
- {
- service: 'Microsoft.CognitiveServices'
- }
- ]
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.cognitiveservices.azure.com'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Private DNS zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/cognitive-services/account/tests/e2e/waf-aligned/main.test.bicep b/modules/cognitive-services/account/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 06069401e4..0000000000
--- a/modules/cognitive-services/account/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,138 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-cognitiveservices.accounts-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'csawaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 
'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - kind: 'Face' - customSubDomainName: '${namePrefix}xdomain' - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - networkAcls: { - defaultAction: 'Deny' - ipRules: [ - { - value: '40.74.28.0/23' - } - ] - virtualNetworkRules: [ - { - id: nestedDependencies.outputs.subnetResourceId - ignoreMissingVnetServiceEndpoint: false - } - ] - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - sku: 'S0' - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - tags: { - 
'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/cognitive-services/account/version.json b/modules/cognitive-services/account/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/cognitive-services/account/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/compute/availability-set/MOVED-TO-AVM.md b/modules/compute/availability-set/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/compute/availability-set/MOVED-TO-AVM.md +++ /dev/null @@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/compute/availability-set/README.md b/modules/compute/availability-set/README.md index afe2687e20..a11338fe9b 100644 --- a/modules/compute/availability-set/README.md +++ b/modules/compute/availability-set/README.md @@ -1,489 +1,7 @@ -# Availability Sets `[Microsoft.Compute/availabilitySets]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/compute/availability-set](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/compute/availability-set).** -This module deploys an Availability Set. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/compute/availability-set). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Compute/availabilitySets` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Compute/2022-11-01/availabilitySets) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/compute.availability-set:1.0.0`. 
- -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module availabilitySet 'br:bicep/modules/compute.availability-set:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-casmin' - params: { - // Required parameters - name: 'casmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "casmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module availabilitySet 'br:bicep/modules/compute.availability-set:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-casmax' - params: { - // Required parameters - name: 'casmax001' - // Non-required parameters - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - proximityPlacementGroupResourceId: '' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "casmax001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "proximityPlacementGroupResourceId": { - "value": "" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module availabilitySet 'br:bicep/modules/compute.availability-set:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-caswaf' - params: { - // Required parameters - name: 'caswaf001' - // Non-required parameters - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - proximityPlacementGroupResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "caswaf001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "proximityPlacementGroupResourceId": { - "value": "" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the availability set that is being created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Resource location. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`platformFaultDomainCount`](#parameter-platformfaultdomaincount) | int | The number of fault domains to use. | -| [`platformUpdateDomainCount`](#parameter-platformupdatedomaincount) | int | The number of update domains to use. | -| [`proximityPlacementGroupResourceId`](#parameter-proximityplacementgroupresourceid) | string | Resource ID of a proximity placement group. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`skuName`](#parameter-skuname) | string | SKU of the availability set.

- Use 'Aligned' for virtual machines with managed disks.

- Use 'Classic' for virtual machines with unmanaged disks. | -| [`tags`](#parameter-tags) | object | Tags of the availability set resource. | - -### Parameter: `name` - -The name of the availability set that is being created. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Resource location. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `platformFaultDomainCount` - -The number of fault domains to use. - -- Required: No -- Type: int -- Default: `2` - -### Parameter: `platformUpdateDomainCount` - -The number of update domains to use. - -- Required: No -- Type: int -- Default: `5` - -### Parameter: `proximityPlacementGroupResourceId` - -Resource ID of a proximity placement group. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `skuName` - -SKU of the availability set.

- Use 'Aligned' for virtual machines with managed disks.

- Use 'Classic' for virtual machines with unmanaged disks. - -- Required: No -- Type: string -- Default: `'Aligned'` - -### Parameter: `tags` - -Tags of the availability set resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the availability set. | -| `resourceGroupName` | string | The resource group the availability set was deployed into. | -| `resourceId` | string | The resource ID of the availability set. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/compute/availability-set/main.bicep b/modules/compute/availability-set/main.bicep deleted file mode 100644 index e7365a0176..0000000000 --- a/modules/compute/availability-set/main.bicep +++ /dev/null @@ -1,140 +0,0 @@ -metadata name = 'Availability Sets' -metadata description = 'This module deploys an Availability Set.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. The name of the availability set that is being created.') -param name string - -@description('Optional. The number of fault domains to use.') -param platformFaultDomainCount int = 2 - -@description('Optional. The number of update domains to use.') -param platformUpdateDomainCount int = 5 - -@description('Optional. SKU of the availability set.

- Use \'Aligned\' for virtual machines with managed disks.

- Use \'Classic\' for virtual machines with unmanaged disks.') -param skuName string = 'Aligned' - -@description('Optional. Resource ID of a proximity placement group.') -param proximityPlacementGroupResourceId string = '' - -@description('Optional. Resource location.') -param location string = resourceGroup().location - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. Tags of the availability set resource.') -param tags object? - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource availabilitySet 'Microsoft.Compute/availabilitySets@2022-11-01' = { - name: name - location: location - tags: tags - properties: { - platformFaultDomainCount: 
platformFaultDomainCount - platformUpdateDomainCount: platformUpdateDomainCount - proximityPlacementGroup: !empty(proximityPlacementGroupResourceId) ? { - id: proximityPlacementGroupResourceId - } : null - } - sku: { - name: skuName - } -} - -resource availabilitySet_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' - } - scope: availabilitySet -} - -resource availabilitySet_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(availabilitySet.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? 
'2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: availabilitySet -}] - -@description('The name of the availability set.') -output name string = availabilitySet.name - -@description('The resource ID of the availability set.') -output resourceId string = availabilitySet.id - -@description('The resource group the availability set was deployed into.') -output resourceGroupName string = resourceGroup().name - -@description('The location the resource was deployed into.') -output location string = availabilitySet.location - -// =============== // -// Definitions // -// =============== // - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? 
- - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? diff --git a/modules/compute/availability-set/main.json b/modules/compute/availability-set/main.json deleted file mode 100644 index 1b91ebde76..0000000000 --- a/modules/compute/availability-set/main.json +++ /dev/null 
@@ -1,283 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "14578818571498649497" - }, - "name": "Availability Sets", - "description": "This module deploys an Availability Set.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the availability set that is being created." - } - }, - "platformFaultDomainCount": { - "type": "int", - "defaultValue": 2, - "metadata": { - "description": "Optional. The number of fault domains to use." - } - }, - "platformUpdateDomainCount": { - "type": "int", - "defaultValue": 5, - "metadata": { - "description": "Optional. The number of update domains to use." - } - }, - "skuName": { - "type": "string", - "defaultValue": "Aligned", - "metadata": { - "description": "Optional. SKU of the availability set.

- Use 'Aligned' for virtual machines with managed disks.

- Use 'Classic' for virtual machines with unmanaged disks." - } - }, - "proximityPlacementGroupResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of a proximity placement group." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Resource location." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the availability set resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "availabilitySet": { - "type": "Microsoft.Compute/availabilitySets", - "apiVersion": "2022-11-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "platformFaultDomainCount": "[parameters('platformFaultDomainCount')]", - "platformUpdateDomainCount": "[parameters('platformUpdateDomainCount')]", - "proximityPlacementGroup": "[if(not(empty(parameters('proximityPlacementGroupResourceId'))), createObject('id', parameters('proximityPlacementGroupResourceId')), null())]" - }, - "sku": { - "name": "[parameters('skuName')]" - } - }, - "availabilitySet_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), 
not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Compute/availabilitySets/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "availabilitySet" - ] - }, - "availabilitySet_roleAssignments": { - "copy": { - "name": "availabilitySet_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Compute/availabilitySets/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Compute/availabilitySets', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": 
"[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "availabilitySet" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the availability set." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the availability set." - }, - "value": "[resourceId('Microsoft.Compute/availabilitySets', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the availability set was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('availabilitySet', '2022-11-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/compute/availability-set/tests/e2e/defaults/main.test.bicep b/modules/compute/availability-set/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index ba54d3f25e..0000000000 --- a/modules/compute/availability-set/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-compute.availabilitysets-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'casmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/compute/availability-set/tests/e2e/max/dependencies.bicep b/modules/compute/availability-set/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 2c78999e90..0000000000
--- a/modules/compute/availability-set/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,24 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Proximity Placement Group to create.')
-param proximityPlacementGroupName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource proximityPlacementGroup 'Microsoft.Compute/proximityPlacementGroups@2022-03-01' = {
- name: proximityPlacementGroupName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Proximity Placement Group.')
-output proximityPlacementGroupResourceId string = proximityPlacementGroup.id
diff --git a/modules/compute/availability-set/tests/e2e/max/main.test.bicep b/modules/compute/availability-set/tests/e2e/max/main.test.bicep
deleted file mode 100644
index af84f42458..0000000000
--- a/modules/compute/availability-set/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,85 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-compute.availabilitysets-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'casmax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - proximityPlacementGroupName: 'dep-${namePrefix}-ppg-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - 
proximityPlacementGroupResourceId: nestedDependencies.outputs.proximityPlacementGroupResourceId - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/compute/availability-set/tests/e2e/waf-aligned/dependencies.bicep b/modules/compute/availability-set/tests/e2e/waf-aligned/dependencies.bicep deleted file mode 100644 index 2c78999e90..0000000000 --- a/modules/compute/availability-set/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null 
@@ -1,24 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Proximity Placement Group to create.')
-param proximityPlacementGroupName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource proximityPlacementGroup 'Microsoft.Compute/proximityPlacementGroups@2022-03-01' = {
- name: proximityPlacementGroupName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Proximity Placement Group.')
-output proximityPlacementGroupResourceId string = proximityPlacementGroup.id
diff --git a/modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 6aff4b922e..0000000000
--- a/modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,68 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-compute.availabilitysets-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'caswaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - proximityPlacementGroupName: 'dep-${namePrefix}-ppg-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - lock: { - kind: 'CanNotDelete' - name: 
'myCustomLockName' - } - proximityPlacementGroupResourceId: nestedDependencies.outputs.proximityPlacementGroupResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/compute/availability-set/version.json b/modules/compute/availability-set/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/compute/availability-set/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/compute/disk-encryption-set/MOVED-TO-AVM.md b/modules/compute/disk-encryption-set/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/compute/disk-encryption-set/MOVED-TO-AVM.md +++ /dev/null @@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/compute/disk-encryption-set/README.md b/modules/compute/disk-encryption-set/README.md index bb9b6c10ff..7f3e8b71cd 100644 --- a/modules/compute/disk-encryption-set/README.md +++ b/modules/compute/disk-encryption-set/README.md @@ -1,655 +1,7 @@ -# Disk Encryption Sets `[Microsoft.Compute/diskEncryptionSets]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/compute/disk-encryption-set](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/compute/disk-encryption-set).** -This module deploys a Disk Encryption Set. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/compute/disk-encryption-set). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Compute/diskEncryptionSets` | [2022-07-02](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Compute/2022-07-02/diskEncryptionSets) | -| `Microsoft.KeyVault/vaults/accessPolicies` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2022-07-01/vaults/accessPolicies) | -| `Microsoft.ManagedIdentity/userAssignedIdentities` | [2018-11-30](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ManagedIdentity/2018-11-30/userAssignedIdentities) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and 
deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/compute.disk-encryption-set:1.0.0`. - -- [Accesspolicies](#example-1-accesspolicies) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Accesspolicies_ - -
- -via Bicep module - -```bicep -module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cdesap' - params: { - // Required parameters - keyName: '' - keyVaultResourceId: '' - name: 'cdesap001' - // Non-required parameters - enableDefaultTelemetry: '' - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "keyName": { - "value": "" - }, - "keyVaultResourceId": { - "value": "" - }, - "name": { - "value": "cdesap001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cdesmax' - params: { - // Required parameters - keyName: '' - keyVaultResourceId: '' - name: 'cdesmax001' - // Non-required parameters - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "keyName": { - "value": "" - }, - "keyVaultResourceId": { - "value": "" - }, - "name": { - "value": "cdesmax001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cdeswaf' - params: { - // Required parameters - keyName: '' - keyVaultResourceId: '' - name: 'cdeswaf001' - // Non-required parameters - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "keyName": { - "value": "" - }, - "keyVaultResourceId": { - "value": "" - }, - "name": { - "value": "cdeswaf001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyName`](#parameter-keyname) | string | Key URL (with version) pointing to a key or secret in KeyVault. | -| [`keyVaultResourceId`](#parameter-keyvaultresourceid) | string | Resource ID of the KeyVault containing the key or secret. | -| [`name`](#parameter-name) | string | The name of the disk encryption set that is being created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`encryptionType`](#parameter-encryptiontype) | string | The type of key used to encrypt the data of the disk. For security reasons, it is recommended to set encryptionType to EncryptionAtRestWithPlatformAndCustomerKeys. | -| [`federatedClientId`](#parameter-federatedclientid) | string | Multi-tenant application client ID to access key vault in a different tenant. Setting the value to "None" will clear the property. | -| [`keyVersion`](#parameter-keyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | -| [`location`](#parameter-location) | string | Resource location. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. At least one identity type is required. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`rotationToLatestKeyVersionEnabled`](#parameter-rotationtolatestkeyversionenabled) | bool | Set this flag to true to enable auto-updating of this disk encryption set to the latest key version. | -| [`tags`](#parameter-tags) | object | Tags of the disk encryption resource. 
| - -### Parameter: `keyName` - -Key URL (with version) pointing to a key or secret in KeyVault. - -- Required: Yes -- Type: string - -### Parameter: `keyVaultResourceId` - -Resource ID of the KeyVault containing the key or secret. - -- Required: Yes -- Type: string - -### Parameter: `name` - -The name of the disk encryption set that is being created. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `encryptionType` - -The type of key used to encrypt the data of the disk. For security reasons, it is recommended to set encryptionType to EncryptionAtRestWithPlatformAndCustomerKeys. - -- Required: No -- Type: string -- Default: `'EncryptionAtRestWithPlatformAndCustomerKeys'` -- Allowed: - ```Bicep - [ - 'EncryptionAtRestWithCustomerKey' - 'EncryptionAtRestWithPlatformAndCustomerKeys' - ] - ``` - -### Parameter: `federatedClientId` - -Multi-tenant application client ID to access key vault in a different tenant. Setting the value to "None" will clear the property. - -- Required: No -- Type: string -- Default: `'None'` - -### Parameter: `keyVersion` - -The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `location` - -Resource location. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. At least one identity type is required. - -- Required: No -- Type: object -- Default: - ```Bicep - { - systemAssigned: true - } - ``` - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: No -- Type: array - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. 
- -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `rotationToLatestKeyVersionEnabled` - -Set this flag to true to enable auto-updating of this disk encryption set to the latest key version. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `tags` - -Tags of the disk encryption resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `identities` | object | The idenities of the disk encryption set. | -| `keyVaultName` | string | The name of the key vault with the disk encryption key. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the disk encryption set. | -| `resourceGroupName` | string | The resource group the disk encryption set was deployed into. | -| `resourceId` | string | The resource ID of the disk encryption set. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `modules/key-vault/vault/access-policy` | Local reference | +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/compute/disk-encryption-set/main.bicep b/modules/compute/disk-encryption-set/main.bicep deleted file mode 100644 index c31fc9e4b7..0000000000 
--- a/modules/compute/disk-encryption-set/main.bicep
+++ /dev/null
@@ -1,210 +0,0 @@ -metadata name = 'Disk Encryption Sets' -metadata description = 'This module deploys a Disk Encryption Set.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. The name of the disk encryption set that is being created.') -param name string - -@description('Optional. Resource location.') -param location string = resourceGroup().location - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Required. Resource ID of the KeyVault containing the key or secret.') -param keyVaultResourceId string - -@description('Required. Key URL (with version) pointing to a key or secret in KeyVault.') -param keyName string - -@description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.') -param keyVersion string = '' - -@description('Optional. The type of key used to encrypt the data of the disk. For security reasons, it is recommended to set encryptionType to EncryptionAtRestWithPlatformAndCustomerKeys.') -@allowed([ - 'EncryptionAtRestWithCustomerKey' - 'EncryptionAtRestWithPlatformAndCustomerKeys' -]) -param encryptionType string = 'EncryptionAtRestWithPlatformAndCustomerKeys' - -@description('Optional. Multi-tenant application client ID to access key vault in a different tenant. Setting the value to "None" will clear the property.') -param federatedClientId string = 'None' - -@description('Optional. Set this flag to true to enable auto-updating of this disk encryption set to the latest key version.') -param rotationToLatestKeyVersionEnabled bool = false - -@description('Optional. The managed identity definition for this resource. At least one identity type is required.') -param managedIdentities managedIdentitiesType = { - systemAssigned: true -} - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. 
Tags of the disk encryption resource.') -param tags object? - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } - -var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) - userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null -} : null - -var builtInRoleNames = { - - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Data Operator for Managed Disks': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e') - 'Disk Backup Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24') - 'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840') - 'Disk Restore Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13') - 'Disk Snapshot Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = { - name: last(split(keyVaultResourceId, '/'))! - scope: resourceGroup(split(keyVaultResourceId, '/')[2], split(keyVaultResourceId, '/')[4]) - - resource key 'keys@2021-10-01' existing = { - name: keyName - } -} - -// Note: This is only enabled for user-assigned identities as the service's system-assigned identity isn't available during its initial deployment -module keyVaultPermissions 'modules/nested_keyVaultPermissions.bicep' = [for (userAssignedIdentityResourceId, index) in (managedIdentities.?userAssignedResourceIds ?? []): { - name: '${uniqueString(deployment().name, location)}-DiskEncrSet-KVPermissions-${index}' - params: { - keyName: keyName - keyVaultResourceId: keyVaultResourceId - userAssignedIdentityResourceId: userAssignedIdentityResourceId - rbacAuthorizationEnabled: keyVault.properties.enableRbacAuthorization - } - scope: resourceGroup(split(keyVaultResourceId, '/')[2], split(keyVaultResourceId, '/')[4]) -}] - -resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2022-07-02' = { - name: name - location: location - tags: tags - identity: identity - properties: { - activeKey: { - sourceVault: { - id: keyVaultResourceId - } - keyUrl: !empty(keyVersion) ? 
'${keyVault::key.properties.keyUri}/${keyVersion}' : keyVault::key.properties.keyUriWithVersion - } - encryptionType: encryptionType - federatedClientId: federatedClientId - rotationToLatestKeyVersionEnabled: rotationToLatestKeyVersionEnabled - } - dependsOn: [ - keyVaultPermissions - ] -} - -resource diskEncryptionSet_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(diskEncryptionSet.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: diskEncryptionSet -}] - -resource diskEncryptionSet_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' 
- } - scope: diskEncryptionSet -} - -@description('The resource ID of the disk encryption set.') -output resourceId string = diskEncryptionSet.id - -@description('The name of the disk encryption set.') -output name string = diskEncryptionSet.name - -@description('The resource group the disk encryption set was deployed into.') -output resourceGroupName string = resourceGroup().name - -@description('The principal ID of the system assigned identity.') -output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(diskEncryptionSet.identity, 'principalId') ? diskEncryptionSet.identity.principalId : '' - -@description('The idenities of the disk encryption set.') -output identities object = diskEncryptionSet.identity - -@description('The name of the key vault with the disk encryption key.') -output keyVaultName string = last(split(keyVaultResourceId, '/'))! - -@description('The location the resource was deployed into.') -output location string = diskEncryptionSet.location - -// =============== // -// Definitions // -// =============== // - -type managedIdentitiesType = { - @description('Optional. Enables system assigned managed identity on the resource.') - systemAssigned: bool? - - @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourceIds: string[]? -} - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. 
The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? diff --git a/modules/compute/disk-encryption-set/main.json b/modules/compute/disk-encryption-set/main.json deleted file mode 100644 index dbd6c27c6b..0000000000 --- a/modules/compute/disk-encryption-set/main.json +++ /dev/null 
@@ -1,671 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "3002808940290583221" - }, - "name": "Disk Encryption Sets", - "description": "This module deploys a Disk Encryption Set.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - } - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the disk encryption set that is being created." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Resource location." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "keyVaultResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the KeyVault containing the key or secret." - } - }, - "keyName": { - "type": "string", - "metadata": { - "description": "Required. Key URL (with version) pointing to a key or secret in KeyVault." 
- } - }, - "keyVersion": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used." - } - }, - "encryptionType": { - "type": "string", - "defaultValue": "EncryptionAtRestWithPlatformAndCustomerKeys", - "allowedValues": [ - "EncryptionAtRestWithCustomerKey", - "EncryptionAtRestWithPlatformAndCustomerKeys" - ], - "metadata": { - "description": "Optional. The type of key used to encrypt the data of the disk. For security reasons, it is recommended to set encryptionType to EncryptionAtRestWithPlatformAndCustomerKeys." - } - }, - "federatedClientId": { - "type": "string", - "defaultValue": "None", - "metadata": { - "description": "Optional. Multi-tenant application client ID to access key vault in a different tenant. Setting the value to \"None\" will clear the property." - } - }, - "rotationToLatestKeyVersionEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Set this flag to true to enable auto-updating of this disk encryption set to the latest key version." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "defaultValue": { - "systemAssigned": true - }, - "metadata": { - "description": "Optional. The managed identity definition for this resource. At least one identity type is required." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the disk encryption resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Data Operator for Managed Disks": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e')]", - "Disk Backup Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24')]", - "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]", - "Disk Restore Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13')]", - "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "keyVault::key": { - "existing": true, - "type": "Microsoft.KeyVault/vaults/keys", - "apiVersion": "2021-10-01", - "subscriptionId": "[split(parameters('keyVaultResourceId'), '/')[2]]", - "resourceGroup": "[split(parameters('keyVaultResourceId'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(parameters('keyVaultResourceId'), '/')), parameters('keyName'))]", - "dependsOn": [ - "keyVault" - ] - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "keyVault": { - "existing": true, - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2021-10-01", - "subscriptionId": "[split(parameters('keyVaultResourceId'), '/')[2]]", - "resourceGroup": "[split(parameters('keyVaultResourceId'), '/')[4]]", - "name": "[last(split(parameters('keyVaultResourceId'), '/'))]" - }, - "diskEncryptionSet": { - "type": "Microsoft.Compute/diskEncryptionSets", - "apiVersion": "2022-07-02", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "properties": { - "activeKey": { - "sourceVault": { - "id": 
"[parameters('keyVaultResourceId')]" - }, - "keyUrl": "[if(not(empty(parameters('keyVersion'))), format('{0}/{1}', reference('keyVault::key').keyUri, parameters('keyVersion')), reference('keyVault::key').keyUriWithVersion)]" - }, - "encryptionType": "[parameters('encryptionType')]", - "federatedClientId": "[parameters('federatedClientId')]", - "rotationToLatestKeyVersionEnabled": "[parameters('rotationToLatestKeyVersionEnabled')]" - }, - "dependsOn": [ - "keyVault", - "keyVaultPermissions" - ] - }, - "diskEncryptionSet_roleAssignments": { - "copy": { - "name": "diskEncryptionSet_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Compute/diskEncryptionSets/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Compute/diskEncryptionSets', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "diskEncryptionSet" - ] - }, - "diskEncryptionSet_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Compute/diskEncryptionSets/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "diskEncryptionSet" - ] - }, - "keyVaultPermissions": { - "copy": { - "name": "keyVaultPermissions", - "count": "[length(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DiskEncrSet-KVPermissions-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "subscriptionId": "[split(parameters('keyVaultResourceId'), 
'/')[2]]", - "resourceGroup": "[split(parameters('keyVaultResourceId'), '/')[4]]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "keyName": { - "value": "[parameters('keyName')]" - }, - "keyVaultResourceId": { - "value": "[parameters('keyVaultResourceId')]" - }, - "userAssignedIdentityResourceId": { - "value": "[coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray())[copyIndex()]]" - }, - "rbacAuthorizationEnabled": { - "value": "[reference('keyVault').enableRbacAuthorization]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6347916704864142763" - } - }, - "parameters": { - "rbacAuthorizationEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Required. A boolean to specify whether or not the used Key Vault has RBAC authentication enabled or not." - } - }, - "userAssignedIdentityResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resourceID of the User Assigned Identity to assign permissions to." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Resource location." - } - }, - "keyVaultResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the KeyVault containing the key or secret." - } - }, - "keyName": { - "type": "string", - "metadata": { - "description": "Required. Key URL (with version) pointing to a key or secret in KeyVault." 
- } - } - }, - "resources": [ - { - "condition": "[equals(parameters('rbacAuthorizationEnabled'), true())]", - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.KeyVault/vaults/{0}/keys/{1}', last(split(parameters('keyVaultResourceId'), '/')), parameters('keyName'))]", - "name": "[guid(format('msi-{0}-{1}-{2}-Key-Reader-RoleAssignment', resourceId('Microsoft.KeyVault/vaults/keys', last(split(parameters('keyVaultResourceId'), '/')), parameters('keyName')), parameters('location'), parameters('userAssignedIdentityResourceId')))]", - "properties": { - "principalId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('userAssignedIdentityResourceId'), '/')[2], split(parameters('userAssignedIdentityResourceId'), '/')[4]), 'Microsoft.Resources/deployments', format('{0}-MSI-Reference', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.principalId.value]", - "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('userAssignedIdentityResourceId'), '/')[2], split(parameters('userAssignedIdentityResourceId'), '/')[4]), 'Microsoft.Resources/deployments', format('{0}-MSI-Reference', uniqueString(deployment().name, parameters('location'))))]" - ] - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-MSI-Reference', uniqueString(deployment().name, parameters('location')))]", - "subscriptionId": "[split(parameters('userAssignedIdentityResourceId'), '/')[2]]", - "resourceGroup": "[split(parameters('userAssignedIdentityResourceId'), '/')[4]]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - 
"userAssignedIdentityName": { - "value": "[last(split(parameters('userAssignedIdentityResourceId'), '/'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2571756615431841166" - } - }, - "parameters": { - "userAssignedIdentityName": { - "type": "string", - "metadata": { - "description": "Required. The name of the User Assigned Identity to fetch the principal ID from." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Resource location." - } - } - }, - "resources": [ - { - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2018-11-30", - "name": "[parameters('userAssignedIdentityName')]", - "location": "[parameters('location')]" - } - ], - "outputs": { - "principalId": { - "type": "string", - "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userAssignedIdentityName')), '2018-11-30').principalId]" - } - } - } - } - }, - { - "condition": "[not(equals(parameters('rbacAuthorizationEnabled'), true()))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DiskEncrSet-KVAccessPolicies', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "keyVaultName": { - "value": "[last(split(parameters('keyVaultResourceId'), '/'))]" - }, - "accessPolicies": { - "value": [ - { - "tenantId": "[subscription().tenantId]", - "objectId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('userAssignedIdentityResourceId'), '/')[2], split(parameters('userAssignedIdentityResourceId'), '/')[4]), 
'Microsoft.Resources/deployments', format('{0}-MSI-Reference', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.principalId.value]", - "permissions": { - "keys": [ - "get", - "wrapKey", - "unwrapKey" - ] - } - } - ] - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5636934877550105255" - }, - "name": "Key Vault Access Policies", - "description": "This module deploys a Key Vault Access Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "keyVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent key vault. Required if the template is used in a standalone deployment." - } - }, - "accessPolicies": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "formattedAccessPolicies", - "count": "[length(parameters('accessPolicies'))]", - "input": { - "applicationId": "[if(contains(parameters('accessPolicies')[copyIndex('formattedAccessPolicies')], 'applicationId'), parameters('accessPolicies')[copyIndex('formattedAccessPolicies')].applicationId, '')]", - "objectId": "[if(contains(parameters('accessPolicies')[copyIndex('formattedAccessPolicies')], 'objectId'), parameters('accessPolicies')[copyIndex('formattedAccessPolicies')].objectId, '')]", - "permissions": "[parameters('accessPolicies')[copyIndex('formattedAccessPolicies')].permissions]", - "tenantId": "[if(contains(parameters('accessPolicies')[copyIndex('formattedAccessPolicies')], 'tenantId'), parameters('accessPolicies')[copyIndex('formattedAccessPolicies')].tenantId, tenant().tenantId)]" - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.KeyVault/vaults/accessPolicies", - "apiVersion": "2022-07-01", - "name": "[format('{0}/{1}', parameters('keyVaultName'), 'add')]", - "properties": { - "accessPolicies": "[variables('formattedAccessPolicies')]" - } - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the access policies assignment was created in." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the access policies assignment." 
- }, - "value": "add" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the access policies assignment." - }, - "value": "[resourceId('Microsoft.KeyVault/vaults/accessPolicies', parameters('keyVaultName'), 'add')]" - } - } - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('userAssignedIdentityResourceId'), '/')[2], split(parameters('userAssignedIdentityResourceId'), '/')[4]), 'Microsoft.Resources/deployments', format('{0}-MSI-Reference', uniqueString(deployment().name, parameters('location'))))]" - ] - } - ] - } - }, - "dependsOn": [ - "keyVault" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the disk encryption set." - }, - "value": "[resourceId('Microsoft.Compute/diskEncryptionSets', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the disk encryption set." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the disk encryption set was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('diskEncryptionSet', '2022-07-02', 'full').identity, 'principalId')), reference('diskEncryptionSet', '2022-07-02', 'full').identity.principalId, '')]" - }, - "identities": { - "type": "object", - "metadata": { - "description": "The idenities of the disk encryption set." - }, - "value": "[reference('diskEncryptionSet', '2022-07-02', 'full').identity]" - }, - "keyVaultName": { - "type": "string", - "metadata": { - "description": "The name of the key vault with the disk encryption key." 
- }, - "value": "[last(split(parameters('keyVaultResourceId'), '/'))]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('diskEncryptionSet', '2022-07-02', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/compute/disk-encryption-set/modules/nested_keyVaultPermissions.bicep b/modules/compute/disk-encryption-set/modules/nested_keyVaultPermissions.bicep deleted file mode 100644 index 22a719438c..0000000000 --- a/modules/compute/disk-encryption-set/modules/nested_keyVaultPermissions.bicep +++ /dev/null 
@@ -1,68 +0,0 @@
-@description('Required. A boolean to specify whether or not the used Key Vault has RBAC authentication enabled or not.')
-param rbacAuthorizationEnabled bool = true
-
-@description('Required. The resourceID of the User Assigned Identity to assign permissions to.')
-param userAssignedIdentityResourceId string
-
-@description('Optional. Resource location.')
-param location string = resourceGroup().location
-
-@description('Required. Resource ID of the KeyVault containing the key or secret.')
-param keyVaultResourceId string
-
-@description('Required. Key URL (with version) pointing to a key or secret in KeyVault.')
-param keyName string
-
-resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = {
- name: last(split(keyVaultResourceId, '/'))!
-
- resource key 'keys@2021-10-01' existing = {
- name: keyName
- }
-}
-
-module userAssignedIdentity 'nested_managedIdentityReference.bicep' = {
- name: '${uniqueString(deployment().name, location)}-MSI-Reference'
- params: {
- userAssignedIdentityName: last(split(userAssignedIdentityResourceId, '/'))!
- }
- scope: resourceGroup(split(userAssignedIdentityResourceId, '/')[2], split(userAssignedIdentityResourceId, '/')[4])
-}
-
-// =============== //
-// Role Assignment //
-// =============== //
-
-resource keyVaultKeyRBAC 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (rbacAuthorizationEnabled == true) {
- name: guid('msi-${keyVault::key.id}-${location}-${userAssignedIdentityResourceId}-Key-Reader-RoleAssignment')
- scope: keyVault::key
- properties: {
- principalId: userAssignedIdentity.outputs.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User
- principalType: 'ServicePrincipal'
- }
-}
-
-// ============= //
-// Access Policy //
-// ============= //
-
-module keyVaultAccessPolicies '../../../key-vault/vault/access-policy/main.bicep' = if (rbacAuthorizationEnabled != true) {
- name: '${uniqueString(deployment().name, location)}-DiskEncrSet-KVAccessPolicies'
- params: {
- keyVaultName: last(split(keyVaultResourceId, '/'))!
- accessPolicies: [
- {
- tenantId: subscription().tenantId
- objectId: userAssignedIdentity.outputs.principalId
- permissions: {
- keys: [
- 'get'
- 'wrapKey'
- 'unwrapKey'
- ]
- }
- }
- ]
- }
-}
diff --git a/modules/compute/disk-encryption-set/modules/nested_managedIdentityReference.bicep b/modules/compute/disk-encryption-set/modules/nested_managedIdentityReference.bicep
deleted file mode 100644
index 970ad5148c..0000000000
--- a/modules/compute/disk-encryption-set/modules/nested_managedIdentityReference.bicep
+++ /dev/null
@@ -1,12 +0,0 @@
-@description('Required. The name of the User Assigned Identity to fetch the principal ID from.')
-param userAssignedIdentityName string
-
-@description('Optional. Resource location.')
-param location string = resourceGroup().location
-
-resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: userAssignedIdentityName
- location: location
-}
-
-output principalId string = userAssignedIdentity.properties.principalId
diff --git a/modules/compute/disk-encryption-set/tests/e2e/accessPolicies/dependencies.bicep b/modules/compute/disk-encryption-set/tests/e2e/accessPolicies/dependencies.bicep
deleted file mode 100644
index 2024e8644e..0000000000
--- a/modules/compute/disk-encryption-set/tests/e2e/accessPolicies/dependencies.bicep
+++ /dev/null
@@ -1,51 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: true // Required by disk encryption set
- softDeleteRetentionInDays: 7
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: false
- accessPolicies: []
- }
-
- resource key 'keys@2022-07-01' = {
- name: 'keyEncryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-}
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
-
-@description('The name of the created encryption key.')
-output keyName string = keyVault::key.name
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
diff --git a/modules/compute/disk-encryption-set/tests/e2e/accessPolicies/main.test.bicep b/modules/compute/disk-encryption-set/tests/e2e/accessPolicies/main.test.bicep
deleted file mode 100644
index c7ca375354..0000000000
--- a/modules/compute/disk-encryption-set/tests/e2e/accessPolicies/main.test.bicep
+++ /dev/null
@@ -1,89 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-compute.diskencryptionsets-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cdesap'
-
-@description('Generated. Used as a basis for unique resource names.')
-param baseTime string = utcNow('u')
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- keyName: nestedDependencies.outputs.keyName
- keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/compute/disk-encryption-set/tests/e2e/max/dependencies.bicep b/modules/compute/disk-encryption-set/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 62321ebe98..0000000000
--- a/modules/compute/disk-encryption-set/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,51 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: true // Required by disk encryption set
- softDeleteRetentionInDays: 7
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-
- resource key 'keys@2022-07-01' = {
- name: 'keyEncryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-}
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
-
-@description('The name of the created encryption key.')
-output keyName string = keyVault::key.name
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
diff --git a/modules/compute/disk-encryption-set/tests/e2e/max/main.test.bicep b/modules/compute/disk-encryption-set/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 23cb40bc46..0000000000
--- a/modules/compute/disk-encryption-set/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,95 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-compute.diskencryptionsets-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cdesmax'
-
-@description('Generated. Used as a basis for unique resource names.')
-param baseTime string = utcNow('u')
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- keyName: nestedDependencies.outputs.keyName
- keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- managedIdentities: {
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/dependencies.bicep b/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 62321ebe98..0000000000
--- a/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,51 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: true // Required by disk encryption set
- softDeleteRetentionInDays: 7
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-
- resource key 'keys@2022-07-01' = {
- name: 'keyEncryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-}
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
-
-@description('The name of the created encryption key.')
-output keyName string = keyVault::key.name
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
diff --git a/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index f27ccfe1eb..0000000000
--- a/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,78 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-compute.diskencryptionsets-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cdeswaf'
-
-@description('Generated. Used as a basis for unique resource names.')
-param baseTime string = utcNow('u')
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- keyName: nestedDependencies.outputs.keyName
- keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- managedIdentities: {
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/compute/disk-encryption-set/version.json b/modules/compute/disk-encryption-set/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/compute/disk-encryption-set/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/compute/disk/MOVED-TO-AVM.md b/modules/compute/disk/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/compute/disk/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/compute/disk/README.md b/modules/compute/disk/README.md
index 078ef7e2fd..2b313c2934 100644
--- a/modules/compute/disk/README.md
+++ b/modules/compute/disk/README.md
@@ -1,992 +1,7 @@
-# Compute Disks `[Microsoft.Compute/disks]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/compute/disk](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/compute/disk).** -This module deploys a Compute Disk +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/compute/disk). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Compute/disks` | [2022-07-02](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Compute/2022-07-02/disks) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/compute.disk:1.0.0`. 
- -- [Using only defaults](#example-1-using-only-defaults) -- [Image](#example-2-image) -- [Import](#example-3-import) -- [Using large parameter set](#example-4-using-large-parameter-set) -- [WAF-aligned](#example-5-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module disk 'br:bicep/modules/compute.disk:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cdmin' - params: { - // Required parameters - name: 'cdmin001' - sku: 'Standard_LRS' - // Non-required parameters - diskSizeGB: 1 - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "cdmin001" - }, - "sku": { - "value": "Standard_LRS" - }, - // Non-required parameters - "diskSizeGB": { - "value": 1 - }, - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Image_ - -

- -via Bicep module - -```bicep -module disk 'br:bicep/modules/compute.disk:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cdimg' - params: { - // Required parameters - name: 'cdimg001' - sku: 'Standard_LRS' - // Non-required parameters - createOption: 'FromImage' - enableDefaultTelemetry: '' - imageReferenceId: '' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "cdimg001" - }, - "sku": { - "value": "Standard_LRS" - }, - // Non-required parameters - "createOption": { - "value": "FromImage" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "imageReferenceId": { - "value": "" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _Import_ - -

- -via Bicep module - -```bicep -module disk 'br:bicep/modules/compute.disk:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cdimp' - params: { - // Required parameters - name: 'cdimp001' - sku: 'Standard_LRS' - // Non-required parameters - createOption: 'Import' - enableDefaultTelemetry: '' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - sourceUri: '' - storageAccountId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "cdimp001" - }, - "sku": { - "value": "Standard_LRS" - }, - // Non-required parameters - "createOption": { - "value": "Import" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "sourceUri": { - "value": "" - }, - "storageAccountId": { - "value": "" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 4: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module disk 'br:bicep/modules/compute.disk:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cdmax' - params: { - // Required parameters - name: 'cdmax001' - sku: 'UltraSSD_LRS' - // Non-required parameters - diskIOPSReadWrite: 500 - diskMBpsReadWrite: 60 - diskSizeGB: 128 - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - logicalSectorSize: 512 - osType: 'Windows' - publicNetworkAccess: 'Enabled' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "cdmax001" - }, - "sku": { - "value": "UltraSSD_LRS" - }, - // Non-required parameters - "diskIOPSReadWrite": { - "value": 500 - }, - "diskMBpsReadWrite": { - "value": 60 - }, - "diskSizeGB": { - "value": 128 - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "logicalSectorSize": { - "value": 512 - }, - "osType": { - "value": "Windows" - }, - "publicNetworkAccess": { - "value": "Enabled" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 5: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module disk 'br:bicep/modules/compute.disk:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cdwaf' - params: { - // Required parameters - name: 'cdwaf001' - sku: 'UltraSSD_LRS' - // Non-required parameters - diskIOPSReadWrite: 500 - diskMBpsReadWrite: 60 - diskSizeGB: 128 - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - logicalSectorSize: 512 - osType: 'Windows' - publicNetworkAccess: 'Enabled' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "cdwaf001" - }, - "sku": { - "value": "UltraSSD_LRS" - }, - // Non-required parameters - "diskIOPSReadWrite": { - "value": 500 - }, - "diskMBpsReadWrite": { - "value": 60 - }, - "diskSizeGB": { - "value": 128 - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "logicalSectorSize": { - "value": 512 - }, - "osType": { - "value": "Windows" - }, - "publicNetworkAccess": { - "value": "Enabled" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the disk that is being created. | -| [`sku`](#parameter-sku) | string | The disks sku name. Can be . | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`diskSizeGB`](#parameter-disksizegb) | int | The size of the disk to create. Required if create option is Empty. | -| [`storageAccountId`](#parameter-storageaccountid) | string | The resource ID of the storage account containing the blob to import as a disk. Required if create option is Import. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`acceleratedNetwork`](#parameter-acceleratednetwork) | bool | True if the image from which the OS disk is created supports accelerated networking. | -| [`architecture`](#parameter-architecture) | string | CPU architecture supported by an OS disk. | -| [`burstingEnabled`](#parameter-burstingenabled) | bool | Set to true to enable bursting beyond the provisioned performance target of the disk. | -| [`completionPercent`](#parameter-completionpercent) | int | Percentage complete for the background copy when a resource is created via the CopyStart operation. | -| [`createOption`](#parameter-createoption) | string | Sources of a disk creation. | -| [`diskIOPSReadWrite`](#parameter-diskiopsreadwrite) | int | The number of IOPS allowed for this disk; only settable for UltraSSD disks. | -| [`diskMBpsReadWrite`](#parameter-diskmbpsreadwrite) | int | The bandwidth allowed for this disk; only settable for UltraSSD disks. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`hyperVGeneration`](#parameter-hypervgeneration) | string | The hypervisor generation of the Virtual Machine. Applicable to OS disks only. 
| -| [`imageReferenceId`](#parameter-imagereferenceid) | string | A relative uri containing either a Platform Image Repository or user image reference. | -| [`location`](#parameter-location) | string | Resource location. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`logicalSectorSize`](#parameter-logicalsectorsize) | int | Logical sector size in bytes for Ultra disks. Supported values are 512 ad 4096. | -| [`maxShares`](#parameter-maxshares) | int | The maximum number of VMs that can attach to the disk at the same time. Default value is 0. | -| [`networkAccessPolicy`](#parameter-networkaccesspolicy) | string | Policy for accessing the disk via network. | -| [`optimizedForFrequentAttach`](#parameter-optimizedforfrequentattach) | bool | Setting this property to true improves reliability and performance of data disks that are frequently (more than 5 times a day) by detached from one virtual machine and attached to another. This property should not be set for disks that are not detached and attached frequently as it causes the disks to not align with the fault domain of the virtual machine. | -| [`osType`](#parameter-ostype) | string | Sources of a disk creation. | -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Policy for controlling export on the disk. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`securityDataUri`](#parameter-securitydatauri) | string | If create option is ImportSecure, this is the URI of a blob to be imported into VM guest state. | -| [`sourceResourceId`](#parameter-sourceresourceid) | string | If create option is Copy, this is the ARM ID of the source snapshot or disk. | -| [`sourceUri`](#parameter-sourceuri) | string | If create option is Import, this is the URI of a blob to be imported into a managed disk. | -| [`tags`](#parameter-tags) | object | Tags of the availability set resource. 
| -| [`uploadSizeBytes`](#parameter-uploadsizebytes) | int | If create option is Upload, this is the size of the contents of the upload including the VHD footer. | - -### Parameter: `name` - -The name of the disk that is being created. - -- Required: Yes -- Type: string - -### Parameter: `sku` - -The disks sku name. Can be . - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Premium_LRS' - 'Premium_ZRS' - 'Premium_ZRS' - 'PremiumV2_LRS' - 'Standard_LRS' - 'StandardSSD_LRS' - 'UltraSSD_LRS' - ] - ``` - -### Parameter: `diskSizeGB` - -The size of the disk to create. Required if create option is Empty. - -- Required: No -- Type: int -- Default: `0` - -### Parameter: `storageAccountId` - -The resource ID of the storage account containing the blob to import as a disk. Required if create option is Import. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `acceleratedNetwork` - -True if the image from which the OS disk is created supports accelerated networking. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `architecture` - -CPU architecture supported by an OS disk. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Arm64' - 'x64' - ] - ``` - -### Parameter: `burstingEnabled` - -Set to true to enable bursting beyond the provisioned performance target of the disk. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `completionPercent` - -Percentage complete for the background copy when a resource is created via the CopyStart operation. - -- Required: No -- Type: int -- Default: `100` - -### Parameter: `createOption` - -Sources of a disk creation. 
- -- Required: No -- Type: string -- Default: `'Empty'` -- Allowed: - ```Bicep - [ - 'Attach' - 'Copy' - 'CopyStart' - 'Empty' - 'FromImage' - 'Import' - 'ImportSecure' - 'Restore' - 'Upload' - 'UploadPreparedSecure' - ] - ``` - -### Parameter: `diskIOPSReadWrite` - -The number of IOPS allowed for this disk; only settable for UltraSSD disks. - -- Required: No -- Type: int -- Default: `0` - -### Parameter: `diskMBpsReadWrite` - -The bandwidth allowed for this disk; only settable for UltraSSD disks. - -- Required: No -- Type: int -- Default: `0` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `hyperVGeneration` - -The hypervisor generation of the Virtual Machine. Applicable to OS disks only. - -- Required: No -- Type: string -- Default: `'V2'` -- Allowed: - ```Bicep - [ - 'V1' - 'V2' - ] - ``` - -### Parameter: `imageReferenceId` - -A relative uri containing either a Platform Image Repository or user image reference. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `location` - -Resource location. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `logicalSectorSize` - -Logical sector size in bytes for Ultra disks. Supported values are 512 ad 4096. 
- -- Required: No -- Type: int -- Default: `4096` - -### Parameter: `maxShares` - -The maximum number of VMs that can attach to the disk at the same time. Default value is 0. - -- Required: No -- Type: int -- Default: `1` - -### Parameter: `networkAccessPolicy` - -Policy for accessing the disk via network. - -- Required: No -- Type: string -- Default: `'DenyAll'` -- Allowed: - ```Bicep - [ - 'AllowAll' - 'AllowPrivate' - 'DenyAll' - ] - ``` - -### Parameter: `optimizedForFrequentAttach` - -Setting this property to true improves reliability and performance of data disks that are frequently (more than 5 times a day) by detached from one virtual machine and attached to another. This property should not be set for disks that are not detached and attached frequently as it causes the disks to not align with the fault domain of the virtual machine. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `osType` - -Sources of a disk creation. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Linux' - 'Windows' - ] - ``` - -### Parameter: `publicNetworkAccess` - -Policy for controlling export on the disk. - -- Required: No -- Type: string -- Default: `'Disabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `securityDataUri` - -If create option is ImportSecure, this is the URI of a blob to be imported into VM guest state. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `sourceResourceId` - -If create option is Copy, this is the ARM ID of the source snapshot or disk. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `sourceUri` - -If create option is Import, this is the URI of a blob to be imported into a managed disk. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `tags` - -Tags of the availability set resource. - -- Required: No -- Type: object - -### Parameter: `uploadSizeBytes` - -If create option is Upload, this is the size of the contents of the upload including the VHD footer. - -- Required: No -- Type: int -- Default: `20972032` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the disk. | -| `resourceGroupName` | string | The resource group the disk was deployed into. | -| `resourceId` | string | The resource ID of the disk. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). 
diff --git a/modules/compute/disk/main.bicep b/modules/compute/disk/main.bicep
deleted file mode 100644
index 7989977bb4..0000000000
--- a/modules/compute/disk/main.bicep
+++ /dev/null
@@ -1,264 +0,0 @@
-metadata name = 'Compute Disks'
-metadata description = 'This module deploys a Compute Disk'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the disk that is being created.')
-param name string
-
-@description('Optional. Resource location.')
-param location string = resourceGroup().location
-
-@allowed([
- 'Standard_LRS'
- 'Premium_LRS'
- 'StandardSSD_LRS'
- 'UltraSSD_LRS'
- 'Premium_ZRS'
- 'Premium_ZRS'
- 'PremiumV2_LRS'
-])
-@description('Required. The disks sku name. Can be .')
-param sku string
-
-@allowed([
- 'x64'
- 'Arm64'
- ''
-])
-@description('Optional. CPU architecture supported by an OS disk.')
-param architecture string = ''
-
-@description('Optional. Set to true to enable bursting beyond the provisioned performance target of the disk.')
-param burstingEnabled bool = false
-
-@description('Optional. Percentage complete for the background copy when a resource is created via the CopyStart operation.')
-param completionPercent int = 100
-
-@allowed([
- 'Attach'
- 'Copy'
- 'CopyStart'
- 'Empty'
- 'FromImage'
- 'Import'
- 'ImportSecure'
- 'Restore'
- 'Upload'
- 'UploadPreparedSecure'
-])
-@description('Optional. Sources of a disk creation.')
-param createOption string = 'Empty'
-
-@description('Optional. A relative uri containing either a Platform Image Repository or user image reference.')
-param imageReferenceId string = ''
-
-@description('Optional. Logical sector size in bytes for Ultra disks. Supported values are 512 ad 4096.')
-param logicalSectorSize int = 4096
-
-@description('Optional. If create option is ImportSecure, this is the URI of a blob to be imported into VM guest state.')
-param securityDataUri string = ''
-
-@description('Optional. If create option is Copy, this is the ARM ID of the source snapshot or disk.')
-param sourceResourceId string = ''
-
-@description('Optional. If create option is Import, this is the URI of a blob to be imported into a managed disk.')
-param sourceUri string = ''
-
-@description('Conditional. The resource ID of the storage account containing the blob to import as a disk. Required if create option is Import.')
-param storageAccountId string = ''
-
-@description('Optional. If create option is Upload, this is the size of the contents of the upload including the VHD footer.')
-param uploadSizeBytes int = 20972032
-
-@description('Conditional. The size of the disk to create. Required if create option is Empty.')
-param diskSizeGB int = 0
-
-@description('Optional. The number of IOPS allowed for this disk; only settable for UltraSSD disks.')
-param diskIOPSReadWrite int = 0
-
-@description('Optional. The bandwidth allowed for this disk; only settable for UltraSSD disks.')
-param diskMBpsReadWrite int = 0
-
-@allowed([
- 'V1'
- 'V2'
-])
-@description('Optional. The hypervisor generation of the Virtual Machine. Applicable to OS disks only.')
-param hyperVGeneration string = 'V2'
-
-@description('Optional. The maximum number of VMs that can attach to the disk at the same time. Default value is 0.')
-param maxShares int = 1
-
-@allowed([
- 'AllowAll'
- 'AllowPrivate'
- 'DenyAll'
-])
-@description('Optional. Policy for accessing the disk via network.')
-param networkAccessPolicy string = 'DenyAll'
-
-@description('Optional. Setting this property to true improves reliability and performance of data disks that are frequently (more than 5 times a day) by detached from one virtual machine and attached to another. This property should not be set for disks that are not detached and attached frequently as it causes the disks to not align with the fault domain of the virtual machine.')
-param optimizedForFrequentAttach bool = false
-
-@allowed([
- 'Windows'
- 'Linux'
- ''
-])
-@description('Optional. Sources of a disk creation.')
-param osType string = ''
-
-@allowed([
- 'Disabled'
- 'Enabled'
-])
-@description('Optional. Policy for controlling export on the disk.')
-param publicNetworkAccess string = 'Disabled'
-
-@description('Optional. True if the image from which the OS disk is created supports accelerated networking.')
-param acceleratedNetwork bool = false
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Tags of the availability set resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Data Operator for Managed Disks': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e')
- 'Disk Backup Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24')
- 'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')
- 'Disk Restore Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13')
- 'Disk Snapshot Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource disk 'Microsoft.Compute/disks@2022-07-02' = {
- name: name
- location: location
- tags: tags
- sku: {
- name: sku
- }
- properties: {
- burstingEnabled: burstingEnabled
- completionPercent: completionPercent
- creationData: {
- createOption: createOption
- imageReference: createOption != 'FromImage' ? null : {
- id: imageReferenceId
- }
- logicalSectorSize: contains(sku, 'Ultra') ? logicalSectorSize : null
- securityDataUri: createOption == 'ImportSecure' ? securityDataUri : null
- sourceResourceId: createOption == 'Copy' ? sourceResourceId : null
- sourceUri: createOption == 'Import' ? sourceUri : null
- storageAccountId: createOption == 'Import' ? storageAccountId : null
- uploadSizeBytes: createOption == 'Upload' ? uploadSizeBytes : null
- }
- diskIOPSReadWrite: contains(sku, 'Ultra') ? diskIOPSReadWrite : null
- diskMBpsReadWrite: contains(sku, 'Ultra') ? diskMBpsReadWrite : null
- diskSizeGB: createOption == 'Empty' ? diskSizeGB : null
- hyperVGeneration: empty(osType) ? null : hyperVGeneration
- maxShares: maxShares
- networkAccessPolicy: networkAccessPolicy
- optimizedForFrequentAttach: optimizedForFrequentAttach
- osType: empty(osType) ? any(null) : osType
- publicNetworkAccess: publicNetworkAccess
- supportedCapabilities: empty(osType) ? {} : {
- acceleratedNetwork: acceleratedNetwork
- architecture: empty(architecture) ? null : architecture
- }
- }
-}
-
-resource disk_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: disk
-}
-
-resource disk_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(disk.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: disk
-}]
-
-@description('The resource group the disk was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The resource ID of the disk.')
-output resourceId string = disk.id
-
-@description('The name of the disk.')
-output name string = disk.name
-
-@description('The location the resource was deployed into.')
-output location string = disk.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/compute/disk/main.json b/modules/compute/disk/main.json
deleted file mode 100644
index 37e7361de7..0000000000
--- a/modules/compute/disk/main.json
+++ /dev/null
@@ -1,476 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "8419179965275134660" - }, - "name": "Compute Disks", - "description": "This module deploys a Compute Disk", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the disk that is being created." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Resource location." - } - }, - "sku": { - "type": "string", - "allowedValues": [ - "Standard_LRS", - "Premium_LRS", - "StandardSSD_LRS", - "UltraSSD_LRS", - "Premium_ZRS", - "Premium_ZRS", - "PremiumV2_LRS" - ], - "metadata": { - "description": "Required. The disks sku name. Can be ." - } - }, - "architecture": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "x64", - "Arm64", - "" - ], - "metadata": { - "description": "Optional. CPU architecture supported by an OS disk." - } - }, - "burstingEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Set to true to enable bursting beyond the provisioned performance target of the disk." - } - }, - "completionPercent": { - "type": "int", - "defaultValue": 100, - "metadata": { - "description": "Optional. Percentage complete for the background copy when a resource is created via the CopyStart operation." 
- } - }, - "createOption": { - "type": "string", - "defaultValue": "Empty", - "allowedValues": [ - "Attach", - "Copy", - "CopyStart", - "Empty", - "FromImage", - "Import", - "ImportSecure", - "Restore", - "Upload", - "UploadPreparedSecure" - ], - "metadata": { - "description": "Optional. Sources of a disk creation." - } - }, - "imageReferenceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. A relative uri containing either a Platform Image Repository or user image reference." - } - }, - "logicalSectorSize": { - "type": "int", - "defaultValue": 4096, - "metadata": { - "description": "Optional. Logical sector size in bytes for Ultra disks. Supported values are 512 ad 4096." - } - }, - "securityDataUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. If create option is ImportSecure, this is the URI of a blob to be imported into VM guest state." - } - }, - "sourceResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. If create option is Copy, this is the ARM ID of the source snapshot or disk." - } - }, - "sourceUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. If create option is Import, this is the URI of a blob to be imported into a managed disk." - } - }, - "storageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The resource ID of the storage account containing the blob to import as a disk. Required if create option is Import." - } - }, - "uploadSizeBytes": { - "type": "int", - "defaultValue": 20972032, - "metadata": { - "description": "Optional. If create option is Upload, this is the size of the contents of the upload including the VHD footer." - } - }, - "diskSizeGB": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Conditional. The size of the disk to create. Required if create option is Empty." 
- } - }, - "diskIOPSReadWrite": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. The number of IOPS allowed for this disk; only settable for UltraSSD disks." - } - }, - "diskMBpsReadWrite": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. The bandwidth allowed for this disk; only settable for UltraSSD disks." - } - }, - "hyperVGeneration": { - "type": "string", - "defaultValue": "V2", - "allowedValues": [ - "V1", - "V2" - ], - "metadata": { - "description": "Optional. The hypervisor generation of the Virtual Machine. Applicable to OS disks only." - } - }, - "maxShares": { - "type": "int", - "defaultValue": 1, - "metadata": { - "description": "Optional. The maximum number of VMs that can attach to the disk at the same time. Default value is 0." - } - }, - "networkAccessPolicy": { - "type": "string", - "defaultValue": "DenyAll", - "allowedValues": [ - "AllowAll", - "AllowPrivate", - "DenyAll" - ], - "metadata": { - "description": "Optional. Policy for accessing the disk via network." - } - }, - "optimizedForFrequentAttach": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Setting this property to true improves reliability and performance of data disks that are frequently (more than 5 times a day) by detached from one virtual machine and attached to another. This property should not be set for disks that are not detached and attached frequently as it causes the disks to not align with the fault domain of the virtual machine." - } - }, - "osType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "Windows", - "Linux", - "" - ], - "metadata": { - "description": "Optional. Sources of a disk creation." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Policy for controlling export on the disk." 
- } - }, - "acceleratedNetwork": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. True if the image from which the OS disk is created supports accelerated networking." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the availability set resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Data Operator for Managed Disks": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e')]", - "Disk Backup Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24')]", - "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]", - "Disk Restore Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13')]", - "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control 
Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "disk": { - "type": "Microsoft.Compute/disks", - "apiVersion": "2022-07-02", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "name": "[parameters('sku')]" - }, - "properties": { - "burstingEnabled": "[parameters('burstingEnabled')]", - "completionPercent": "[parameters('completionPercent')]", - "creationData": { - "createOption": "[parameters('createOption')]", - "imageReference": "[if(not(equals(parameters('createOption'), 'FromImage')), null(), createObject('id', parameters('imageReferenceId')))]", - "logicalSectorSize": "[if(contains(parameters('sku'), 'Ultra'), parameters('logicalSectorSize'), null())]", - "securityDataUri": "[if(equals(parameters('createOption'), 'ImportSecure'), parameters('securityDataUri'), null())]", - "sourceResourceId": "[if(equals(parameters('createOption'), 'Copy'), parameters('sourceResourceId'), null())]", - "sourceUri": "[if(equals(parameters('createOption'), 'Import'), parameters('sourceUri'), null())]", - "storageAccountId": "[if(equals(parameters('createOption'), 'Import'), parameters('storageAccountId'), null())]", - "uploadSizeBytes": 
"[if(equals(parameters('createOption'), 'Upload'), parameters('uploadSizeBytes'), null())]" - }, - "diskIOPSReadWrite": "[if(contains(parameters('sku'), 'Ultra'), parameters('diskIOPSReadWrite'), null())]", - "diskMBpsReadWrite": "[if(contains(parameters('sku'), 'Ultra'), parameters('diskMBpsReadWrite'), null())]", - "diskSizeGB": "[if(equals(parameters('createOption'), 'Empty'), parameters('diskSizeGB'), null())]", - "hyperVGeneration": "[if(empty(parameters('osType')), null(), parameters('hyperVGeneration'))]", - "maxShares": "[parameters('maxShares')]", - "networkAccessPolicy": "[parameters('networkAccessPolicy')]", - "optimizedForFrequentAttach": "[parameters('optimizedForFrequentAttach')]", - "osType": "[if(empty(parameters('osType')), null(), parameters('osType'))]", - "publicNetworkAccess": "[parameters('publicNetworkAccess')]", - "supportedCapabilities": "[if(empty(parameters('osType')), createObject(), createObject('acceleratedNetwork', parameters('acceleratedNetwork'), 'architecture', if(empty(parameters('architecture')), null(), parameters('architecture'))))]" - } - }, - "disk_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Compute/disks/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "disk" - ] - }, - "disk_roleAssignments": { - "copy": { - "name": "disk_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": 
"Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Compute/disks/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Compute/disks', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "disk" 
- ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the disk was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the disk." - }, - "value": "[resourceId('Microsoft.Compute/disks', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the disk." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('disk', '2022-07-02', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/compute/disk/tests/e2e/defaults/main.test.bicep b/modules/compute/disk/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 95b44f7771..0000000000 --- a/modules/compute/disk/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,50 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-compute.images-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cdmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}001'
- sku: 'Standard_LRS'
- diskSizeGB: 1
- }
-}]
diff --git a/modules/compute/disk/tests/e2e/image/dependencies.bicep b/modules/compute/disk/tests/e2e/image/dependencies.bicep
deleted file mode 100644
index 616cf219fe..0000000000
--- a/modules/compute/disk/tests/e2e/image/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created managed identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/compute/disk/tests/e2e/image/main.test.bicep b/modules/compute/disk/tests/e2e/image/main.test.bicep
deleted file mode 100644
index 67fd259073..0000000000
--- a/modules/compute/disk/tests/e2e/image/main.test.bicep
+++ /dev/null
@@ -1,78 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-compute.images-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cdimg'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}001'
- sku: 'Standard_LRS'
- createOption: 'FromImage'
- imageReferenceId: '${subscription().id}/Providers/Microsoft.Compute/Locations/westeurope/Publishers/MicrosoftWindowsServer/ArtifactTypes/VMImage/Offers/WindowsServer/Skus/2022-datacenter-azure-edition/Versions/20348.1006.220908'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/compute/disk/tests/e2e/import/dependencies.bicep b/modules/compute/disk/tests/e2e/import/dependencies.bicep
deleted file mode 100644
index aa2912f2ec..0000000000
--- a/modules/compute/disk/tests/e2e/import/dependencies.bicep
+++ /dev/null
@@ -1,152 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -@description('Required. The name of the Storage Account to create and to copy the VHD into.') -param storageAccountName string - -@description('Required. The name prefix of the Image Template to create.') -param imageTemplateNamePrefix string - -@description('Generated. Do not provide a value! This date value is used to generate a unique image template name.') -param baseTime string = utcNow('yyyy-MM-dd-HH-mm-ss') - -@description('Required. The name of the Deployment Script to create for triggering the image creation.') -param triggerImageDeploymentScriptName string - -@description('Required. The name of the Deployment Script to copy the VHD to a destination storage account.') -param copyVhdDeploymentScriptName string - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = { - name: storageAccountName - location: location - kind: 'StorageV2' - sku: { - name: 'Standard_LRS' - } - properties: { - allowBlobPublicAccess: false - } - resource blobServices 'blobServices@2022-09-01' = { - name: 'default' - resource container 'containers@2022-09-01' = { - name: 'vhds' - properties: { - publicAccess: 'None' - } - } - } -} - -module roleAssignment 'dependencies_rbac.bicep' = { - name: '${deployment().name}-MSI-roleAssignment' - scope: subscription() - params: { - managedIdentityPrincipalId: managedIdentity.properties.principalId - managedIdentityResourceId: managedIdentity.id - } -} - -// Deploy image template -resource imageTemplate 'Microsoft.VirtualMachineImages/imageTemplates@2022-02-14' = { - name: '${imageTemplateNamePrefix}-${baseTime}' - location: location - identity: { - 
type: 'UserAssigned' - userAssignedIdentities: { - '${managedIdentity.id}': {} - } - } - properties: { - buildTimeoutInMinutes: 0 - vmProfile: { - vmSize: 'Standard_D2s_v3' - osDiskSizeGB: 127 - } - source: { - type: 'PlatformImage' - publisher: 'MicrosoftWindowsDesktop' - offer: 'Windows-11' - sku: 'win11-21h2-avd' - version: 'latest' - } - distribute: [ - { - type: 'VHD' - runOutputName: '${imageTemplateNamePrefix}-VHD' - artifactTags: {} - } - ] - customize: [ - { - restartTimeout: '30m' - type: 'WindowsRestart' - } - ] - } -} - -// Trigger VHD creation -resource triggerImageDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = { - name: triggerImageDeploymentScriptName - location: location - kind: 'AzurePowerShell' - identity: { - type: 'UserAssigned' - userAssignedIdentities: { - '${managedIdentity.id}': {} - } - } - properties: { - azPowerShellVersion: '8.0' - retentionInterval: 'P1D' - arguments: '-ImageTemplateName \\"${imageTemplate.name}\\" -ImageTemplateResourceGroup \\"${resourceGroup().name}\\"' - scriptContent: loadTextContent('../../../../../.shared/.scripts/Start-ImageTemplate.ps1') - cleanupPreference: 'OnSuccess' - forceUpdateTag: baseTime - } - dependsOn: [ - roleAssignment - ] -} - -// Copy VHD to destination storage account -resource copyVhdDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = { - name: copyVhdDeploymentScriptName - location: location - kind: 'AzurePowerShell' - identity: { - type: 'UserAssigned' - userAssignedIdentities: { - '${managedIdentity.id}': {} - } - } - properties: { - azPowerShellVersion: '8.0' - retentionInterval: 'P1D' - arguments: '-ImageTemplateName \\"${imageTemplate.name}\\" -ImageTemplateResourceGroup \\"${resourceGroup().name}\\" -DestinationStorageAccountName \\"${storageAccount.name}\\" -VhdName \\"${imageTemplateNamePrefix}\\" -WaitForComplete' - scriptContent: loadTextContent('../../../../../.shared/.scripts/Copy-VhdToStorageAccount.ps1') - cleanupPreference: 'OnSuccess' - 
forceUpdateTag: baseTime - } - dependsOn: [ triggerImageDeploymentScript ] -} - -@description('The URI of the created VHD.') -output vhdUri string = 'https://${storageAccount.name}.blob.${environment().suffixes.storage}/vhds/${imageTemplateNamePrefix}.vhd' - -@description('The resource ID of the created Storage Account.') -output storageAccountResourceId string = storageAccount.id - -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId - -@description('The resource ID of the created Managed Identity.') -output managedIdentityResourceId string = managedIdentity.id diff --git a/modules/compute/disk/tests/e2e/import/dependencies_rbac.bicep b/modules/compute/disk/tests/e2e/import/dependencies_rbac.bicep deleted file mode 100644 index cdca1b63bd..0000000000 --- a/modules/compute/disk/tests/e2e/import/dependencies_rbac.bicep +++ /dev/null @@ -1,16 +0,0 @@ -targetScope = 'subscription' - -@description('Required. The resource ID of the created Managed Identity.') -param managedIdentityResourceId string - -@description('Required. The principal ID of the created Managed Identity.') -param managedIdentityPrincipalId string - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - name: guid(subscription().subscriptionId, 'Contributor', managedIdentityResourceId) - properties: { - roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor - principalId: managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } -} diff --git a/modules/compute/disk/tests/e2e/import/main.test.bicep b/modules/compute/disk/tests/e2e/import/main.test.bicep deleted file mode 100644 index 0622d78455..0000000000 --- a/modules/compute/disk/tests/e2e/import/main.test.bicep +++ /dev/null 
@@ -1,83 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-compute.images-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cdimp'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- storageAccountName: 'dep${namePrefix}sa${serviceShort}01'
- imageTemplateNamePrefix: 'dep-${namePrefix}-imgt-${serviceShort}'
- triggerImageDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}-triggerImageTemplate'
- copyVhdDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}-copyVhdToStorage'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}001'
- sku: 'Standard_LRS'
- createOption: 'Import'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- sourceUri: nestedDependencies.outputs.vhdUri
- storageAccountId: nestedDependencies.outputs.storageAccountResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/compute/disk/tests/e2e/max/dependencies.bicep b/modules/compute/disk/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 616cf219fe..0000000000
--- a/modules/compute/disk/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created managed identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/compute/disk/tests/e2e/max/main.test.bicep b/modules/compute/disk/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 25ab818edd..0000000000
--- a/modules/compute/disk/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,89 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-compute.images-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cdmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}001'
- sku: 'UltraSSD_LRS'
- diskIOPSReadWrite: 500
- diskMBpsReadWrite: 60
- diskSizeGB: 128
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- logicalSectorSize: 512
- osType: 'Windows'
- publicNetworkAccess: 'Enabled'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/compute/disk/tests/e2e/waf-aligned/dependencies.bicep b/modules/compute/disk/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 616cf219fe..0000000000
--- a/modules/compute/disk/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created managed identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index e22035fb5e..0000000000
--- a/modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,72 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-compute.images-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cdwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}-${serviceShort}001' - sku: 'UltraSSD_LRS' - diskIOPSReadWrite: 500 - diskMBpsReadWrite: 60 - diskSizeGB: 128 - lock: { - kind: 'CanNotDelete' - 
name: 'myCustomLockName' - } - logicalSectorSize: 512 - osType: 'Windows' - publicNetworkAccess: 'Enabled' - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/compute/disk/version.json b/modules/compute/disk/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/compute/disk/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/compute/gallery/MOVED-TO-AVM.md b/modules/compute/gallery/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/compute/gallery/MOVED-TO-AVM.md +++ /dev/null @@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/compute/gallery/README.md b/modules/compute/gallery/README.md index e4881d82aa..87f694ea4f 100644 --- a/modules/compute/gallery/README.md +++ b/modules/compute/gallery/README.md @@ -1,950 +1,7 @@ -# Azure Compute Galleries `[Microsoft.Compute/galleries]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/compute/gallery](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/compute/gallery).** -This module deploys an Azure Compute Gallery (formerly known as Shared Image Gallery). +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/compute/gallery). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Compute/galleries` | [2022-03-03](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Compute/2022-03-03/galleries) | -| `Microsoft.Compute/galleries/applications` | [2022-03-03](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Compute/2022-03-03/galleries/applications) | -| `Microsoft.Compute/galleries/images` | [2022-03-03](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Compute/2022-03-03/galleries/images) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. 
For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/compute.gallery:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module gallery 'br:bicep/modules/compute.gallery:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cgmin' - params: { - // Required parameters - name: 'cgmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "cgmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module gallery 'br:bicep/modules/compute.gallery:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cgmax' - params: { - // Required parameters - name: 'cgmax001' - // Non-required parameters - applications: [ - { - name: 'cgmax-appd-001' - } - { - name: 'cgmax-appd-002' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - supportedOSType: 'Windows' - } - ] - enableDefaultTelemetry: '' - images: [ - { - name: 'az-imgd-ws-001' - } - { - hyperVGeneration: 'V1' - maxRecommendedMemory: 16 - maxRecommendedvCPUs: 8 - minRecommendedMemory: 4 - minRecommendedvCPUs: 2 - name: 'az-imgd-ws-002' - offer: 'WindowsServer' - osState: 'Generalized' - osType: 'Windows' - publisher: 'MicrosoftWindowsServer' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - sku: '2022-datacenter-azure-edition' - } - { - hyperVGeneration: 'V2' - isHibernateSupported: 'true' - maxRecommendedMemory: 16 - maxRecommendedvCPUs: 8 - minRecommendedMemory: 4 - minRecommendedvCPUs: 2 - name: 'az-imgd-ws-003' - offer: 'WindowsServer' - osState: 'Generalized' - osType: 'Windows' - publisher: 'MicrosoftWindowsServer' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - sku: '2022-datacenter-azure-edition-hibernate' - } - { - hyperVGeneration: 'V2' - isAcceleratedNetworkSupported: 'true' - maxRecommendedMemory: 16 - maxRecommendedvCPUs: 8 - minRecommendedMemory: 4 - minRecommendedvCPUs: 2 - name: 'az-imgd-ws-004' - offer: 'WindowsServer' - osState: 'Generalized' - osType: 'Windows' - publisher: 'MicrosoftWindowsServer' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - sku: '2022-datacenter-azure-edition-accnet' - } - { - hyperVGeneration: 'V2' - maxRecommendedMemory: 16 - 
maxRecommendedvCPUs: 4 - minRecommendedMemory: 4 - minRecommendedvCPUs: 2 - name: 'az-imgd-wdtl-002' - offer: 'WindowsDesktop' - osState: 'Generalized' - osType: 'Windows' - publisher: 'MicrosoftWindowsDesktop' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - securityType: 'TrustedLaunch' - sku: 'Win11-21H2' - } - { - hyperVGeneration: 'V2' - maxRecommendedMemory: 32 - maxRecommendedvCPUs: 4 - minRecommendedMemory: 4 - minRecommendedvCPUs: 1 - name: 'az-imgd-us-001' - offer: '0001-com-ubuntu-server-focal' - osState: 'Generalized' - osType: 'Linux' - publisher: 'canonical' - sku: '20_04-lts-gen2' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "cgmax001" - }, - // Non-required parameters - "applications": { - "value": [ - { - "name": "cgmax-appd-001" - }, - { - "name": "cgmax-appd-002", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "supportedOSType": "Windows" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "images": { - "value": [ - { - "name": "az-imgd-ws-001" - }, - { - "hyperVGeneration": "V1", - "maxRecommendedMemory": 16, - "maxRecommendedvCPUs": 8, - "minRecommendedMemory": 4, - "minRecommendedvCPUs": 2, - "name": "az-imgd-ws-002", - "offer": "WindowsServer", - "osState": "Generalized", - "osType": "Windows", - "publisher": "MicrosoftWindowsServer", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "sku": "2022-datacenter-azure-edition" - }, - { - "hyperVGeneration": "V2", - "isHibernateSupported": "true", - "maxRecommendedMemory": 16, - "maxRecommendedvCPUs": 8, - "minRecommendedMemory": 4, - "minRecommendedvCPUs": 2, - "name": "az-imgd-ws-003", - "offer": "WindowsServer", - "osState": "Generalized", - "osType": "Windows", - "publisher": "MicrosoftWindowsServer", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "sku": "2022-datacenter-azure-edition-hibernate" - }, - { - "hyperVGeneration": "V2", - "isAcceleratedNetworkSupported": "true", - "maxRecommendedMemory": 16, - "maxRecommendedvCPUs": 8, - "minRecommendedMemory": 4, - "minRecommendedvCPUs": 2, - "name": "az-imgd-ws-004", - "offer": "WindowsServer", - "osState": "Generalized", - "osType": "Windows", - "publisher": 
"MicrosoftWindowsServer", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "sku": "2022-datacenter-azure-edition-accnet" - }, - { - "hyperVGeneration": "V2", - "maxRecommendedMemory": 16, - "maxRecommendedvCPUs": 4, - "minRecommendedMemory": 4, - "minRecommendedvCPUs": 2, - "name": "az-imgd-wdtl-002", - "offer": "WindowsDesktop", - "osState": "Generalized", - "osType": "Windows", - "publisher": "MicrosoftWindowsDesktop", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "securityType": "TrustedLaunch", - "sku": "Win11-21H2" - }, - { - "hyperVGeneration": "V2", - "maxRecommendedMemory": 32, - "maxRecommendedvCPUs": 4, - "minRecommendedMemory": 4, - "minRecommendedvCPUs": 1, - "name": "az-imgd-us-001", - "offer": "0001-com-ubuntu-server-focal", - "osState": "Generalized", - "osType": "Linux", - "publisher": "canonical", - "sku": "20_04-lts-gen2" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module gallery 'br:bicep/modules/compute.gallery:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cgwaf' - params: { - // Required parameters - name: 'cgwaf001' - // Non-required parameters - applications: [ - { - name: 'cgwaf-appd-001' - } - { - name: 'cgwaf-appd-002' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - supportedOSType: 'Windows' - } - ] - enableDefaultTelemetry: '' - images: [ - { - name: 'az-imgd-ws-001' - } - { - hyperVGeneration: 'V1' - maxRecommendedMemory: 16 - maxRecommendedvCPUs: 8 - minRecommendedMemory: 4 - minRecommendedvCPUs: 2 - name: 'az-imgd-ws-002' - offer: 'WindowsServer' - osState: 'Generalized' - osType: 'Windows' - publisher: 'MicrosoftWindowsServer' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - sku: '2022-datacenter-azure-edition' - } - { - hyperVGeneration: 'V2' - isHibernateSupported: 'true' - maxRecommendedMemory: 16 - maxRecommendedvCPUs: 8 - minRecommendedMemory: 4 - minRecommendedvCPUs: 2 - name: 'az-imgd-ws-003' - offer: 'WindowsServer' - osState: 'Generalized' - osType: 'Windows' - publisher: 'MicrosoftWindowsServer' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - sku: '2022-datacenter-azure-edition-hibernate' - } - { - hyperVGeneration: 'V2' - isAcceleratedNetworkSupported: 'true' - maxRecommendedMemory: 16 - maxRecommendedvCPUs: 8 - minRecommendedMemory: 4 - minRecommendedvCPUs: 2 - name: 'az-imgd-ws-004' - offer: 'WindowsServer' - osState: 'Generalized' - osType: 'Windows' - publisher: 'MicrosoftWindowsServer' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - sku: '2022-datacenter-azure-edition-accnet' - } - { - hyperVGeneration: 'V2' - maxRecommendedMemory: 16 - 
maxRecommendedvCPUs: 4 - minRecommendedMemory: 4 - minRecommendedvCPUs: 2 - name: 'az-imgd-wdtl-002' - offer: 'WindowsDesktop' - osState: 'Generalized' - osType: 'Windows' - publisher: 'MicrosoftWindowsDesktop' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - securityType: 'TrustedLaunch' - sku: 'Win11-21H2' - } - { - hyperVGeneration: 'V2' - maxRecommendedMemory: 32 - maxRecommendedvCPUs: 4 - minRecommendedMemory: 4 - minRecommendedvCPUs: 1 - name: 'az-imgd-us-001' - offer: '0001-com-ubuntu-server-focal' - osState: 'Generalized' - osType: 'Linux' - publisher: 'canonical' - sku: '20_04-lts-gen2' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "cgwaf001" - }, - // Non-required parameters - "applications": { - "value": [ - { - "name": "cgwaf-appd-001" - }, - { - "name": "cgwaf-appd-002", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "supportedOSType": "Windows" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "images": { - "value": [ - { - "name": "az-imgd-ws-001" - }, - { - "hyperVGeneration": "V1", - "maxRecommendedMemory": 16, - "maxRecommendedvCPUs": 8, - "minRecommendedMemory": 4, - "minRecommendedvCPUs": 2, - "name": "az-imgd-ws-002", - "offer": "WindowsServer", - "osState": "Generalized", - "osType": "Windows", - "publisher": "MicrosoftWindowsServer", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "sku": "2022-datacenter-azure-edition" - }, - { - "hyperVGeneration": "V2", - "isHibernateSupported": "true", - "maxRecommendedMemory": 16, - "maxRecommendedvCPUs": 8, - "minRecommendedMemory": 4, - "minRecommendedvCPUs": 2, - "name": "az-imgd-ws-003", - "offer": "WindowsServer", - "osState": "Generalized", - "osType": "Windows", - "publisher": "MicrosoftWindowsServer", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "sku": "2022-datacenter-azure-edition-hibernate" - }, - { - "hyperVGeneration": "V2", - "isAcceleratedNetworkSupported": "true", - "maxRecommendedMemory": 16, - "maxRecommendedvCPUs": 8, - "minRecommendedMemory": 4, - "minRecommendedvCPUs": 2, - "name": "az-imgd-ws-004", - "offer": "WindowsServer", - "osState": "Generalized", - "osType": "Windows", - "publisher": 
"MicrosoftWindowsServer", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "sku": "2022-datacenter-azure-edition-accnet" - }, - { - "hyperVGeneration": "V2", - "maxRecommendedMemory": 16, - "maxRecommendedvCPUs": 4, - "minRecommendedMemory": 4, - "minRecommendedvCPUs": 2, - "name": "az-imgd-wdtl-002", - "offer": "WindowsDesktop", - "osState": "Generalized", - "osType": "Windows", - "publisher": "MicrosoftWindowsDesktop", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "securityType": "TrustedLaunch", - "sku": "Win11-21H2" - }, - { - "hyperVGeneration": "V2", - "maxRecommendedMemory": 32, - "maxRecommendedvCPUs": 4, - "minRecommendedMemory": 4, - "minRecommendedvCPUs": 1, - "name": "az-imgd-us-001", - "offer": "0001-com-ubuntu-server-focal", - "osState": "Generalized", - "osType": "Linux", - "publisher": "canonical", - "sku": "20_04-lts-gen2" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Azure Compute Gallery. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applications`](#parameter-applications) | array | Applications to create. | -| [`description`](#parameter-description) | string | Description of the Azure Shared Image Gallery. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`images`](#parameter-images) | array | Images to create. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`tags`](#parameter-tags) | object | Tags for all resources. | - -### Parameter: `name` - -Name of the Azure Compute Gallery. - -- Required: Yes -- Type: string - -### Parameter: `applications` - -Applications to create. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `description` - -Description of the Azure Shared Image Gallery. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `images` - -Images to create. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all resources. 
- -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. 
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Device'
- 'ForeignGroup'
- 'Group'
- 'ServicePrincipal'
- 'User'
- ]
- ```
-
-### Parameter: `tags`
-
-Tags for all resources.
-
-- Required: No
-- Type: object
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the deployed image gallery. |
-| `resourceGroupName` | string | The resource group of the deployed image gallery. |
-| `resourceId` | string | The resource ID of the deployed image gallery. |
-
-## Cross-referenced modules
-
-_None_
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/compute/gallery/application/README.md b/modules/compute/gallery/application/README.md
deleted file mode 100644
index e07919f955..0000000000
--- a/modules/compute/gallery/application/README.md
+++ /dev/null
@@ -1,352 +0,0 @@ -# Compute Galleries Applications `[Microsoft.Compute/galleries/applications]` - -This module deploys an Azure Compute Gallery Application. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Compute/galleries/applications` | [2022-03-03](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Compute/2022-03-03/galleries/applications) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the application definition. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`galleryName`](#parameter-galleryname) | string | The name of the parent Azure Compute Gallery. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`customActions`](#parameter-customactions) | array | A list of custom actions that can be performed with all of the Gallery Application Versions within this Gallery Application. | -| [`description`](#parameter-description) | string | The description of this gallery Application Definition resource. This property is updatable. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`endOfLifeDate`](#parameter-endoflifedate) | string | The end of life date of the gallery Image Definition. This property can be used for decommissioning purposes. This property is updatable. Allowed format: 2020-01-10T23:00:00.000Z. 
| -| [`eula`](#parameter-eula) | string | The Eula agreement for the gallery Application Definition. Has to be a valid URL. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`privacyStatementUri`](#parameter-privacystatementuri) | string | The privacy statement uri. Has to be a valid URL. | -| [`releaseNoteUri`](#parameter-releasenoteuri) | string | The release note uri. Has to be a valid URL. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`supportedOSType`](#parameter-supportedostype) | string | This property allows you to specify the supported type of the OS that application is built for. | -| [`tags`](#parameter-tags) | object | Tags for all resources. | - -### Parameter: `name` - -Name of the application definition. - -- Required: Yes -- Type: string - -### Parameter: `galleryName` - -The name of the parent Azure Compute Gallery. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `customActions` - -A list of custom actions that can be performed with all of the Gallery Application Versions within this Gallery Application. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `description` - -The description of this gallery Application Definition resource. This property is updatable. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). 
- -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `endOfLifeDate` - -The end of life date of the gallery Image Definition. This property can be used for decommissioning purposes. This property is updatable. Allowed format: 2020-01-10T23:00:00.000Z. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `eula` - -The Eula agreement for the gallery Application Definition. Has to be a valid URL. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `privacyStatementUri` - -The privacy statement uri. Has to be a valid URL. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `releaseNoteUri` - -The release note uri. Has to be a valid URL. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `supportedOSType` - -This property allows you to specify the supported type of the OS that application is built for. - -- Required: No -- Type: string -- Default: `'Windows'` -- Allowed: - ```Bicep - [ - 'Linux' - 'Windows' - ] - ``` - -### Parameter: `tags` - -Tags for all resources. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the image. | -| `resourceGroupName` | string | The resource group the image was deployed into. | -| `resourceId` | string | The resource ID of the image. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `customActions` - -Create a list of custom actions that can be performed with all of the Gallery Application Versions within this Gallery Application. - -

- -Parameter JSON format - -```json -"customActions": { - "value": [ - { - "description": "This is a sample custom action", - "name": "Name of the custom action 1 (Required). Must be unique within the Compute Gallery", - "parameters": [ - { - "defaultValue": "Default Value of Parameter1. Only applies to string types.", - "description": "a description value to help others understands what it means.", - "name": "The parameter name. (Required)", - "required": True, - "type": "ConfigurationDataBlob, LogOutputBlob, or String" - }, - { - "defaultValue": "Default Value of Parameter2. Only applies to string types.", - "description": "a description value to help others understands what it means.", - "name": "The parameter name. (Required)", - "required": False, - "type": "ConfigurationDataBlob, LogOutputBlob, or String" - } - ], - "script": "The script to run when executing this custom action. (Required)" - }, - { - "description": "This is another sample custom action", - "name": "Name of the custom action 2 (Required). Must be unique within the Compute Gallery", - "parameters": [ - { - "defaultValue": "Default Value of Parameter1. Only applies to string types.", - "description": "a description value to help others understands what it means.", - "name": "The parameter name. (Required)", - "required": True, - "type": "ConfigurationDataBlob, LogOutputBlob, or String" - } - ], - "script": "The script to run when executing this custom action. (Required)" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -customActions: [ - { - description: "This is a sample custom action" - name: "Name of the custom action 1 (Required). Must be unique within the Compute Gallery" - parameters: [ - { - defaultValue: "Default Value of Parameter 1. Only applies to string types." - description: "a description value to help others understands what it means." - name: "The parameter name. (Required)" - required: True, - type: "ConfigurationDataBlob, LogOutputBlob, or String" - } - { - defaultValue: "Default Value of Parameter 2. Only applies to string types." - description: "a description value to help others understands what it means." - name: "The parameter name. (Required)" - required: True, - type: "ConfigurationDataBlob, LogOutputBlob, or String" - } - ] - script: "The script to run when executing this custom action. (Required)" - } - { - description: "This is another sample custom action" - name: "Name of the custom action 2 (Required). Must be unique within the Compute Gallery" - parameters: [ - { - defaultValue: "Default Value of Parameter. Only applies to string types." - description: "a description value to help others understands what it means." - name: "The paramter name. (Required)" - required: True, - type: "ConfigurationDataBlob, LogOutputBlob, or String" - } - ] - script: "The script to run when executing this custom action. (Required)" - } -] -``` - -
-

diff --git a/modules/compute/gallery/application/main.bicep b/modules/compute/gallery/application/main.bicep
deleted file mode 100644
index dcb745225b..0000000000
--- a/modules/compute/gallery/application/main.bicep
+++ /dev/null
@@ -1,140 +0,0 @@ -metadata name = 'Compute Galleries Applications' -metadata description = 'This module deploys an Azure Compute Gallery Application.' -metadata owner = 'Azure/module-maintainers' - -@sys.description('Required. Name of the application definition.') -param name string - -@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@sys.description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@sys.description('Conditional. The name of the parent Azure Compute Gallery. Required if the template is used in a standalone deployment.') -@minLength(1) -param galleryName string - -@sys.description('Optional. The description of this gallery Application Definition resource. This property is updatable.') -param description string = '' - -@sys.description('Optional. The Eula agreement for the gallery Application Definition. Has to be a valid URL.') -param eula string = '' - -@sys.description('Optional. The privacy statement uri. Has to be a valid URL.') -param privacyStatementUri string = '' - -@sys.description('Optional. The release note uri. Has to be a valid URL.') -param releaseNoteUri string = '' - -@sys.description('Optional. This property allows you to specify the supported type of the OS that application is built for.') -@allowed([ - 'Windows' - 'Linux' -]) -param supportedOSType string = 'Windows' - -@sys.description('Optional. The end of life date of the gallery Image Definition. This property can be used for decommissioning purposes. This property is updatable. Allowed format: 2020-01-10T23:00:00.000Z.') -param endOfLifeDate string = '' - -@sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments roleAssignmentType - -@sys.description('Optional. Tags for all resources.') -param tags object? - -@sys.description('Optional. A list of custom actions that can be performed with all of the Gallery Application Versions within this Gallery Application.') -param customActions array = [] - -var builtInRoleNames = { - 'Compute Gallery Sharing Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource gallery 'Microsoft.Compute/galleries@2022-03-03' existing = { - name: galleryName -} - -resource application 'Microsoft.Compute/galleries/applications@2022-03-03' = { - name: name - parent: gallery - 
location: location - tags: tags - properties: { - customActions: !empty(customActions) ? customActions : null - description: description - endOfLifeDate: endOfLifeDate - eula: eula - privacyStatementUri: privacyStatementUri - releaseNoteUri: releaseNoteUri - supportedOSType: supportedOSType - } -} - -resource application_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(application.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: application -}] - -@sys.description('The resource group the image was deployed into.') -output resourceGroupName string = resourceGroup().name - -@sys.description('The resource ID of the image.') -output resourceId string = application.id - -@sys.description('The name of the image.') -output name string = application.name - -@sys.description('The location the resource was deployed into.') -output location string = application.location -// =============== // -// Definitions // -// =============== // - -type roleAssignmentType = { - @sys.description('Required. The name of the role to assign. 
If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @sys.description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @sys.description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @sys.description('Optional. The description of the role assignment.')
- description: string?
-
- @sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @sys.description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @sys.description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/compute/gallery/application/main.json b/modules/compute/gallery/application/main.json
deleted file mode 100644
index 173a43d0c8..0000000000
--- a/modules/compute/gallery/application/main.json
+++ /dev/null
@@ -1,281 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13733131047823769084" - }, - "name": "Compute Galleries Applications", - "description": "This module deploys an Azure Compute Gallery Application.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the application definition." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "galleryName": { - "type": "string", - "minLength": 1, - "metadata": { - "description": "Conditional. The name of the parent Azure Compute Gallery. Required if the template is used in a standalone deployment." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of this gallery Application Definition resource. This property is updatable." - } - }, - "eula": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The Eula agreement for the gallery Application Definition. Has to be a valid URL." - } - }, - "privacyStatementUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The privacy statement uri. Has to be a valid URL." - } - }, - "releaseNoteUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The release note uri. Has to be a valid URL." - } - }, - "supportedOSType": { - "type": "string", - "defaultValue": "Windows", - "allowedValues": [ - "Windows", - "Linux" - ], - "metadata": { - "description": "Optional. This property allows you to specify the supported type of the OS that application is built for." 
- } - }, - "endOfLifeDate": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The end of life date of the gallery Image Definition. This property can be used for decommissioning purposes. This property is updatable. Allowed format: 2020-01-10T23:00:00.000Z." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags for all resources." - } - }, - "customActions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. A list of custom actions that can be performed with all of the Gallery Application Versions within this Gallery Application." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Compute Gallery Sharing Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "gallery": { - "existing": true, - "type": "Microsoft.Compute/galleries", - "apiVersion": "2022-03-03", - "name": "[parameters('galleryName')]" - }, - "application": { - "type": "Microsoft.Compute/galleries/applications", - "apiVersion": "2022-03-03", - "name": "[format('{0}/{1}', parameters('galleryName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "customActions": "[if(not(empty(parameters('customActions'))), parameters('customActions'), null())]", - "description": "[parameters('description')]", - 
"endOfLifeDate": "[parameters('endOfLifeDate')]", - "eula": "[parameters('eula')]", - "privacyStatementUri": "[parameters('privacyStatementUri')]", - "releaseNoteUri": "[parameters('releaseNoteUri')]", - "supportedOSType": "[parameters('supportedOSType')]" - }, - "dependsOn": [ - "gallery" - ] - }, - "application_roleAssignments": { - "copy": { - "name": "application_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Compute/galleries/{0}/applications/{1}', parameters('galleryName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Compute/galleries/applications', parameters('galleryName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 
'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "application" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the image was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the image." - }, - "value": "[resourceId('Microsoft.Compute/galleries/applications', parameters('galleryName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the image." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('application', '2022-03-03', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/compute/gallery/application/version.json b/modules/compute/gallery/application/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/compute/gallery/application/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/compute/gallery/image/README.md b/modules/compute/gallery/image/README.md deleted file mode 100644 index a1299ecc52..0000000000 --- a/modules/compute/gallery/image/README.md +++ /dev/null 
@@ -1,423 +0,0 @@ -# Compute Galleries Image Definitions `[Microsoft.Compute/galleries/images]` - -This module deploys an Azure Compute Gallery Image Definition. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Compute/galleries/images` | [2022-03-03](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Compute/2022-03-03/galleries/images) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the image definition. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`galleryName`](#parameter-galleryname) | string | The name of the parent Azure Shared Image Gallery. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`description`](#parameter-description) | string | The description of this gallery Image Definition resource. This property is updatable. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`endOfLife`](#parameter-endoflife) | string | The end of life date of the gallery Image Definition. This property can be used for decommissioning purposes. This property is updatable. Allowed format: 2020-01-10T23:00:00.000Z. | -| [`eula`](#parameter-eula) | string | The Eula agreement for the gallery Image Definition. Has to be a valid URL. | -| [`excludedDiskTypes`](#parameter-excludeddisktypes) | array | List of the excluded disk types. E.g. Standard_LRS. 
| -| [`hyperVGeneration`](#parameter-hypervgeneration) | string | The hypervisor generation of the Virtual Machine.

- If this value is not specified, then it is determined by the securityType parameter.

- If the securityType parameter is specified, then the value of hyperVGeneration will be V2, else V1. | -| [`isAcceleratedNetworkSupported`](#parameter-isacceleratednetworksupported) | string | The image supports accelerated networking.

Accelerated networking enables single root I/O virtualization (SR-IOV) to a VM, greatly improving its networking performance.

This high-performance path bypasses the host from the data path, which reduces latency, jitter, and CPU utilization for the most demanding network workloads on supported VM types. | -| [`isHibernateSupported`](#parameter-ishibernatesupported) | string | The image will support hibernation. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`maxRecommendedMemory`](#parameter-maxrecommendedmemory) | int | The maximum amount of RAM in GB recommended for this image. | -| [`maxRecommendedvCPUs`](#parameter-maxrecommendedvcpus) | int | The maximum number of the CPU cores recommended for this image. | -| [`minRecommendedMemory`](#parameter-minrecommendedmemory) | int | The minimum amount of RAM in GB recommended for this image. | -| [`minRecommendedvCPUs`](#parameter-minrecommendedvcpus) | int | The minimum number of the CPU cores recommended for this image. | -| [`offer`](#parameter-offer) | string | The name of the gallery Image Definition offer. | -| [`osState`](#parameter-osstate) | string | This property allows the user to specify whether the virtual machines created under this image are 'Generalized' or 'Specialized'. | -| [`osType`](#parameter-ostype) | string | OS type of the image to be created. | -| [`planName`](#parameter-planname) | string | The plan ID. | -| [`planPublisherName`](#parameter-planpublishername) | string | The publisher ID. | -| [`privacyStatementUri`](#parameter-privacystatementuri) | string | The privacy statement uri. Has to be a valid URL. | -| [`productName`](#parameter-productname) | string | The product ID. | -| [`publisher`](#parameter-publisher) | string | The name of the gallery Image Definition publisher. | -| [`releaseNoteUri`](#parameter-releasenoteuri) | string | The release note uri. Has to be a valid URL. 
| -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`securityType`](#parameter-securitytype) | string | The security type of the image. Requires a hyperVGeneration V2. | -| [`sku`](#parameter-sku) | string | The name of the gallery Image Definition SKU. | -| [`tags`](#parameter-tags) | object | Tags for all resources. | - -### Parameter: `name` - -Name of the image definition. - -- Required: Yes -- Type: string - -### Parameter: `galleryName` - -The name of the parent Azure Shared Image Gallery. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `description` - -The description of this gallery Image Definition resource. This property is updatable. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `endOfLife` - -The end of life date of the gallery Image Definition. This property can be used for decommissioning purposes. This property is updatable. Allowed format: 2020-01-10T23:00:00.000Z. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `eula` - -The Eula agreement for the gallery Image Definition. Has to be a valid URL. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `excludedDiskTypes` - -List of the excluded disk types. E.g. Standard_LRS. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `hyperVGeneration` - -The hypervisor generation of the Virtual Machine.

- If this value is not specified, then it is determined by the securityType parameter.

- If the securityType parameter is specified, then the value of hyperVGeneration will be V2, else V1. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'V1' - 'V2' - ] - ``` - -### Parameter: `isAcceleratedNetworkSupported` - -The image supports accelerated networking.

Accelerated networking enables single root I/O virtualization (SR-IOV) to a VM, greatly improving its networking performance.

This high-performance path bypasses the host from the data path, which reduces latency, jitter, and CPU utilization for the most demanding network workloads on supported VM types. - -- Required: No -- Type: string -- Default: `'false'` -- Allowed: - ```Bicep - [ - 'false' - 'true' - ] - ``` - -### Parameter: `isHibernateSupported` - -The image will support hibernation. - -- Required: No -- Type: string -- Default: `'false'` -- Allowed: - ```Bicep - [ - 'false' - 'true' - ] - ``` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `maxRecommendedMemory` - -The maximum amount of RAM in GB recommended for this image. - -- Required: No -- Type: int -- Default: `16` - -### Parameter: `maxRecommendedvCPUs` - -The maximum number of the CPU cores recommended for this image. - -- Required: No -- Type: int -- Default: `4` - -### Parameter: `minRecommendedMemory` - -The minimum amount of RAM in GB recommended for this image. - -- Required: No -- Type: int -- Default: `4` - -### Parameter: `minRecommendedvCPUs` - -The minimum number of the CPU cores recommended for this image. - -- Required: No -- Type: int -- Default: `1` - -### Parameter: `offer` - -The name of the gallery Image Definition offer. - -- Required: No -- Type: string -- Default: `'WindowsServer'` - -### Parameter: `osState` - -This property allows the user to specify whether the virtual machines created under this image are 'Generalized' or 'Specialized'. - -- Required: No -- Type: string -- Default: `'Generalized'` -- Allowed: - ```Bicep - [ - 'Generalized' - 'Specialized' - ] - ``` - -### Parameter: `osType` - -OS type of the image to be created. - -- Required: No -- Type: string -- Default: `'Windows'` -- Allowed: - ```Bicep - [ - 'Linux' - 'Windows' - ] - ``` - -### Parameter: `planName` - -The plan ID. 
- -- Required: No -- Type: string -- Default: `''` - -### Parameter: `planPublisherName` - -The publisher ID. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `privacyStatementUri` - -The privacy statement uri. Has to be a valid URL. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `productName` - -The product ID. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `publisher` - -The name of the gallery Image Definition publisher. - -- Required: No -- Type: string -- Default: `'MicrosoftWindowsServer'` - -### Parameter: `releaseNoteUri` - -The release note uri. Has to be a valid URL. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `securityType` - -The security type of the image. Requires a hyperVGeneration V2. - -- Required: No -- Type: string -- Default: `'Standard'` -- Allowed: - ```Bicep - [ - 'ConfidentialVM' - 'ConfidentialVMSupported' - 'Standard' - 'TrustedLaunch' - ] - ``` - -### Parameter: `sku` - -The name of the gallery Image Definition SKU. - -- Required: No -- Type: string -- Default: `'2019-Datacenter'` - -### Parameter: `tags` - -Tags for all resources. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the image. | -| `resourceGroupName` | string | The resource group the image was deployed into. | -| `resourceId` | string | The resource ID of the image. | - -## Cross-referenced modules - -_None_ diff --git a/modules/compute/gallery/image/main.bicep b/modules/compute/gallery/image/main.bicep deleted file mode 100644 index a922e5e74b..0000000000 --- a/modules/compute/gallery/image/main.bicep +++ /dev/null 
@@ -1,263 +0,0 @@ -metadata name = 'Compute Galleries Image Definitions' -metadata description = 'This module deploys an Azure Compute Gallery Image Definition.' -metadata owner = 'Azure/module-maintainers' - -@sys.description('Required. Name of the image definition.') -param name string - -@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@sys.description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@sys.description('Conditional. The name of the parent Azure Shared Image Gallery. Required if the template is used in a standalone deployment.') -@minLength(1) -param galleryName string - -@sys.description('Optional. OS type of the image to be created.') -@allowed([ - 'Windows' - 'Linux' -]) -param osType string = 'Windows' - -@sys.description('Optional. This property allows the user to specify whether the virtual machines created under this image are \'Generalized\' or \'Specialized\'.') -@allowed([ - 'Generalized' - 'Specialized' -]) -param osState string = 'Generalized' - -@sys.description('Optional. The name of the gallery Image Definition publisher.') -param publisher string = 'MicrosoftWindowsServer' - -@sys.description('Optional. The name of the gallery Image Definition offer.') -param offer string = 'WindowsServer' - -@sys.description('Optional. The name of the gallery Image Definition SKU.') -param sku string = '2019-Datacenter' - -@sys.description('Optional. The minimum number of the CPU cores recommended for this image.') -@minValue(1) -@maxValue(128) -param minRecommendedvCPUs int = 1 - -@sys.description('Optional. The maximum number of the CPU cores recommended for this image.') -@minValue(1) -@maxValue(128) -param maxRecommendedvCPUs int = 4 - -@sys.description('Optional. 
The minimum amount of RAM in GB recommended for this image.') -@minValue(1) -@maxValue(4000) -param minRecommendedMemory int = 4 - -@sys.description('Optional. The maximum amount of RAM in GB recommended for this image.') -@minValue(1) -@maxValue(4000) -param maxRecommendedMemory int = 16 - -@sys.description('Optional. The hypervisor generation of the Virtual Machine.

- If this value is not specified, then it is determined by the securityType parameter.

- If the securityType parameter is specified, then the value of hyperVGeneration will be V2, else V1.') -@allowed([ - '' - 'V1' - 'V2' -]) -param hyperVGeneration string = '' - -@sys.description('Optional. The security type of the image. Requires a hyperVGeneration V2.') -@allowed([ - 'Standard' - 'TrustedLaunch' - 'ConfidentialVM' - 'ConfidentialVMSupported' -]) -param securityType string = 'Standard' - -@sys.description('Optional. The image will support hibernation.') -@allowed([ - 'true' - 'false' -]) -param isHibernateSupported string = 'false' - -@sys.description('Optional. The image supports accelerated networking.

Accelerated networking enables single root I/O virtualization (SR-IOV) to a VM, greatly improving its networking performance.

This high-performance path bypasses the host from the data path, which reduces latency, jitter, and CPU utilization for the most demanding network workloads on supported VM types.') -@allowed([ - 'true' - 'false' -]) -param isAcceleratedNetworkSupported string = 'false' - -@sys.description('Optional. The description of this gallery Image Definition resource. This property is updatable.') -param description string = '' - -@sys.description('Optional. The Eula agreement for the gallery Image Definition. Has to be a valid URL.') -param eula string = '' - -@sys.description('Optional. The privacy statement uri. Has to be a valid URL.') -param privacyStatementUri string = '' - -@sys.description('Optional. The release note uri. Has to be a valid URL.') -param releaseNoteUri string = '' - -@sys.description('Optional. The product ID.') -param productName string = '' - -@sys.description('Optional. The plan ID.') -param planName string = '' - -@sys.description('Optional. The publisher ID.') -param planPublisherName string = '' - -@sys.description('Optional. The end of life date of the gallery Image Definition. This property can be used for decommissioning purposes. This property is updatable. Allowed format: 2020-01-10T23:00:00.000Z.') -param endOfLife string = '' - -@sys.description('Optional. List of the excluded disk types. E.g. Standard_LRS.') -param excludedDiskTypes array = [] - -@sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments roleAssignmentType - -@sys.description('Optional. Tags for all resources.') -param tags object? 
- -var builtInRoleNames = { - 'Compute Gallery Sharing Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource gallery 'Microsoft.Compute/galleries@2022-03-03' existing = { - name: galleryName -} - -resource image 'Microsoft.Compute/galleries/images@2022-03-03' = { - name: name - parent: gallery - location: location - tags: tags - properties: { - osType: osType - osState: osState - identifier: { - publisher: publisher - offer: offer - sku: sku - } - recommended: { - vCPUs: { - min: minRecommendedvCPUs - max: maxRecommendedvCPUs - } - memory: { - min: minRecommendedMemory - max: maxRecommendedMemory - } - } - hyperVGeneration: !empty(hyperVGeneration) ? hyperVGeneration : (!empty(securityType) ? 'V2' : 'V1') - features: !empty(securityType) && securityType != 'Standard' ? 
[ - { - name: 'SecurityType' - value: securityType - } - { - name: 'IsAcceleratedNetworkSupported' - value: isAcceleratedNetworkSupported - } - { - name: 'IsHibernateSupported' - value: isHibernateSupported - } - ] : [ - { - name: 'IsAcceleratedNetworkSupported' - value: isAcceleratedNetworkSupported - } - { - name: 'IsHibernateSupported' - value: isHibernateSupported - } - ] - description: description - eula: eula - privacyStatementUri: privacyStatementUri - releaseNoteUri: releaseNoteUri - purchasePlan: { - product: !empty(productName) ? productName : null - name: !empty(planName) ? planName : null - publisher: !empty(planPublisherName) ? planPublisherName : null - } - endOfLifeDate: endOfLife - disallowed: { - diskTypes: excludedDiskTypes - } - } -} - -resource image_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(image.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? 
'2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: image -}] - -@sys.description('The resource group the image was deployed into.') -output resourceGroupName string = resourceGroup().name - -@sys.description('The resource ID of the image.') -output resourceId string = image.id - -@sys.description('The name of the image.') -output name string = image.name - -@sys.description('The location the resource was deployed into.') -output location string = image.location -// =============== // -// Definitions // -// =============== // - -type roleAssignmentType = { - @sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') - roleDefinitionIdOrName: string - - @sys.description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @sys.description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @sys.description('Optional. The description of the role assignment.') - description: string? - - @sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @sys.description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @sys.description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? diff --git a/modules/compute/gallery/image/main.json b/modules/compute/gallery/image/main.json deleted file mode 100644 index 966b22684c..0000000000 --- a/modules/compute/gallery/image/main.json +++ /dev/null 
@@ -1,442 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17846161223611480196" - }, - "name": "Compute Galleries Image Definitions", - "description": "This module deploys an Azure Compute Gallery Image Definition.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the image definition." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "galleryName": { - "type": "string", - "minLength": 1, - "metadata": { - "description": "Conditional. The name of the parent Azure Shared Image Gallery. Required if the template is used in a standalone deployment." - } - }, - "osType": { - "type": "string", - "defaultValue": "Windows", - "allowedValues": [ - "Windows", - "Linux" - ], - "metadata": { - "description": "Optional. OS type of the image to be created." - } - }, - "osState": { - "type": "string", - "defaultValue": "Generalized", - "allowedValues": [ - "Generalized", - "Specialized" - ], - "metadata": { - "description": "Optional. This property allows the user to specify whether the virtual machines created under this image are 'Generalized' or 'Specialized'." - } - }, - "publisher": { - "type": "string", - "defaultValue": "MicrosoftWindowsServer", - "metadata": { - "description": "Optional. The name of the gallery Image Definition publisher." - } - }, - "offer": { - "type": "string", - "defaultValue": "WindowsServer", - "metadata": { - "description": "Optional. The name of the gallery Image Definition offer." - } - }, - "sku": { - "type": "string", - "defaultValue": "2019-Datacenter", - "metadata": { - "description": "Optional. The name of the gallery Image Definition SKU." 
- } - }, - "minRecommendedvCPUs": { - "type": "int", - "defaultValue": 1, - "minValue": 1, - "maxValue": 128, - "metadata": { - "description": "Optional. The minimum number of the CPU cores recommended for this image." - } - }, - "maxRecommendedvCPUs": { - "type": "int", - "defaultValue": 4, - "minValue": 1, - "maxValue": 128, - "metadata": { - "description": "Optional. The maximum number of the CPU cores recommended for this image." - } - }, - "minRecommendedMemory": { - "type": "int", - "defaultValue": 4, - "minValue": 1, - "maxValue": 4000, - "metadata": { - "description": "Optional. The minimum amount of RAM in GB recommended for this image." - } - }, - "maxRecommendedMemory": { - "type": "int", - "defaultValue": 16, - "minValue": 1, - "maxValue": 4000, - "metadata": { - "description": "Optional. The maximum amount of RAM in GB recommended for this image." - } - }, - "hyperVGeneration": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "V1", - "V2" - ], - "metadata": { - "description": "Optional. The hypervisor generation of the Virtual Machine.

- If this value is not specified, then it is determined by the securityType parameter.

- If the securityType parameter is specified, then the value of hyperVGeneration will be V2, else V1." - } - }, - "securityType": { - "type": "string", - "defaultValue": "Standard", - "allowedValues": [ - "Standard", - "TrustedLaunch", - "ConfidentialVM", - "ConfidentialVMSupported" - ], - "metadata": { - "description": "Optional. The security type of the image. Requires a hyperVGeneration V2." - } - }, - "isHibernateSupported": { - "type": "string", - "defaultValue": "false", - "allowedValues": [ - "true", - "false" - ], - "metadata": { - "description": "Optional. The image will support hibernation." - } - }, - "isAcceleratedNetworkSupported": { - "type": "string", - "defaultValue": "false", - "allowedValues": [ - "true", - "false" - ], - "metadata": { - "description": "Optional. The image supports accelerated networking.

Accelerated networking enables single root I/O virtualization (SR-IOV) to a VM, greatly improving its networking performance.

This high-performance path bypasses the host from the data path, which reduces latency, jitter, and CPU utilization for the most demanding network workloads on supported VM types." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of this gallery Image Definition resource. This property is updatable." - } - }, - "eula": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The Eula agreement for the gallery Image Definition. Has to be a valid URL." - } - }, - "privacyStatementUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The privacy statement uri. Has to be a valid URL." - } - }, - "releaseNoteUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The release note uri. Has to be a valid URL." - } - }, - "productName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The product ID." - } - }, - "planName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The plan ID." - } - }, - "planPublisherName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The publisher ID." - } - }, - "endOfLife": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The end of life date of the gallery Image Definition. This property can be used for decommissioning purposes. This property is updatable. Allowed format: 2020-01-10T23:00:00.000Z." - } - }, - "excludedDiskTypes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of the excluded disk types. E.g. Standard_LRS." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. 
Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags for all resources." - } - } - }, - "variables": { - "builtInRoleNames": { - "Compute Gallery Sharing Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "gallery": { - "existing": true, - "type": 
"Microsoft.Compute/galleries", - "apiVersion": "2022-03-03", - "name": "[parameters('galleryName')]" - }, - "image": { - "type": "Microsoft.Compute/galleries/images", - "apiVersion": "2022-03-03", - "name": "[format('{0}/{1}', parameters('galleryName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "osType": "[parameters('osType')]", - "osState": "[parameters('osState')]", - "identifier": { - "publisher": "[parameters('publisher')]", - "offer": "[parameters('offer')]", - "sku": "[parameters('sku')]" - }, - "recommended": { - "vCPUs": { - "min": "[parameters('minRecommendedvCPUs')]", - "max": "[parameters('maxRecommendedvCPUs')]" - }, - "memory": { - "min": "[parameters('minRecommendedMemory')]", - "max": "[parameters('maxRecommendedMemory')]" - } - }, - "hyperVGeneration": "[if(not(empty(parameters('hyperVGeneration'))), parameters('hyperVGeneration'), if(not(empty(parameters('securityType'))), 'V2', 'V1'))]", - "features": "[if(and(not(empty(parameters('securityType'))), not(equals(parameters('securityType'), 'Standard'))), createArray(createObject('name', 'SecurityType', 'value', parameters('securityType')), createObject('name', 'IsAcceleratedNetworkSupported', 'value', parameters('isAcceleratedNetworkSupported')), createObject('name', 'IsHibernateSupported', 'value', parameters('isHibernateSupported'))), createArray(createObject('name', 'IsAcceleratedNetworkSupported', 'value', parameters('isAcceleratedNetworkSupported')), createObject('name', 'IsHibernateSupported', 'value', parameters('isHibernateSupported'))))]", - "description": "[parameters('description')]", - "eula": "[parameters('eula')]", - "privacyStatementUri": "[parameters('privacyStatementUri')]", - "releaseNoteUri": "[parameters('releaseNoteUri')]", - "purchasePlan": { - "product": "[if(not(empty(parameters('productName'))), parameters('productName'), null())]", - "name": "[if(not(empty(parameters('planName'))), 
parameters('planName'), null())]", - "publisher": "[if(not(empty(parameters('planPublisherName'))), parameters('planPublisherName'), null())]" - }, - "endOfLifeDate": "[parameters('endOfLife')]", - "disallowed": { - "diskTypes": "[parameters('excludedDiskTypes')]" - } - }, - "dependsOn": [ - "gallery" - ] - }, - "image_roleAssignments": { - "copy": { - "name": "image_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Compute/galleries/{0}/images/{1}', parameters('galleryName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Compute/galleries/images', parameters('galleryName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 
'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "image" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the image was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the image." - }, - "value": "[resourceId('Microsoft.Compute/galleries/images', parameters('galleryName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the image." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('image', '2022-03-03', 'full').location]" - } - } -}
\ No newline at end of file
diff --git a/modules/compute/gallery/image/version.json b/modules/compute/gallery/image/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/compute/gallery/image/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/compute/gallery/main.bicep b/modules/compute/gallery/main.bicep
deleted file mode 100644
index 54aaf1e3f9..0000000000
--- a/modules/compute/gallery/main.bicep
+++ /dev/null
@@ -1,185 +0,0 @@
-metadata name = 'Azure Compute Galleries'
-metadata description = 'This module deploys an Azure Compute Gallery (formerly known as Shared Image Gallery).'
-metadata owner = 'Azure/module-maintainers'
-
-@minLength(1)
-@sys.description('Required. Name of the Azure Compute Gallery.')
-param name string
-
-@sys.description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@sys.description('Optional. Description of the Azure Shared Image Gallery.')
-param description string = ''
-
-@sys.description('Optional. Applications to create.')
-param applications array = []
-
-@sys.description('Optional. Images to create.')
-param images array = []
-
-@sys.description('Optional. The lock settings of the service.')
-param lock lockType
-
-@sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@sys.description('Optional. Tags for all resources.')
-param tags object?
-
-@sys.description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-var builtInRoleNames = {
- 'Compute Gallery Sharing Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b')
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource gallery 'Microsoft.Compute/galleries@2022-03-03' = {
- name: name
- location: location
- tags: tags
- properties: {
- description: description
- identifier: {}
- }
-}
-
-resource gallery_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: gallery
-}
-
-resource gallery_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(gallery.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: gallery
-}]
-
-// Applications
-module galleries_applications 'application/main.bicep' = [for (application, index) in applications: {
- name: '${uniqueString(deployment().name, location)}-Gallery-Application-${index}'
- params: {
- name: application.name
- galleryName: gallery.name
- supportedOSType: contains(application, 'supportOSType') ? application.supportedOSType : 'Windows'
- description: contains(application, 'description') ? application.description : ''
- eula: contains(application, 'eula') ? application.eula : ''
- privacyStatementUri: contains(application, 'privacyStatementUri') ? application.privacyStatementUri : ''
- releaseNoteUri: contains(application, 'releaseNoteUri') ? application.releaseNoteUri : ''
- endOfLifeDate: contains(application, 'endOfLifeDate') ? application.endOfLifeDate : ''
- roleAssignments: contains(application, 'roleAssignments') ? 
application.roleAssignments : []
- customActions: contains(application, 'customActions') ? application.customActions : []
- tags: application.?tags ?? tags
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-// Images
-module galleries_images 'image/main.bicep' = [for (image, index) in images: {
- name: '${uniqueString(deployment().name, location)}-Gallery-Image-${index}'
- params: {
- name: image.name
- galleryName: gallery.name
- osType: contains(image, 'osType') ? image.osType : 'Windows'
- osState: contains(image, 'osState') ? image.osState : 'Generalized'
- publisher: contains(image, 'publisher') ? image.publisher : 'MicrosoftWindowsServer'
- offer: contains(image, 'offer') ? image.offer : 'WindowsServer'
- sku: contains(image, 'sku') ? image.sku : '2019-Datacenter'
- minRecommendedvCPUs: contains(image, 'minRecommendedvCPUs') ? image.minRecommendedvCPUs : 1
- maxRecommendedvCPUs: contains(image, 'maxRecommendedvCPUs') ? image.maxRecommendedvCPUs : 4
- minRecommendedMemory: contains(image, 'minRecommendedMemory') ? image.minRecommendedMemory : 4
- maxRecommendedMemory: contains(image, 'maxRecommendedMemory') ? image.maxRecommendedMemory : 16
- hyperVGeneration: contains(image, 'hyperVGeneration') ? image.hyperVGeneration : 'V1'
- securityType: contains(image, 'securityType') ? image.securityType : 'Standard'
- description: contains(image, 'description') ? image.description : ''
- eula: contains(image, 'eula') ? image.eula : ''
- privacyStatementUri: contains(image, 'privacyStatementUri') ? image.privacyStatementUri : ''
- releaseNoteUri: contains(image, 'releaseNoteUri') ? image.releaseNoteUri : ''
- productName: contains(image, 'productName') ? image.productName : ''
- planName: contains(image, 'planName') ? image.planName : ''
- planPublisherName: contains(image, 'planPublisherName') ? image.planPublisherName : ''
- endOfLife: contains(image, 'endOfLife') ? image.endOfLife : ''
- excludedDiskTypes: contains(image, 'excludedDiskTypes') ? 
image.excludedDiskTypes : []
- roleAssignments: contains(image, 'roleAssignments') ? image.roleAssignments : []
- tags: image.?tags ?? tags
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-@sys.description('The resource ID of the deployed image gallery.')
-output resourceId string = gallery.id
-
-@sys.description('The resource group of the deployed image gallery.')
-output resourceGroupName string = resourceGroup().name
-
-@sys.description('The name of the deployed image gallery.')
-output name string = gallery.name
-
-@sys.description('The location the resource was deployed into.')
-output location string = gallery.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @sys.description('Optional. Specify the name of lock.')
- name: string?
-
- @sys.description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @sys.description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @sys.description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @sys.description('Optional. The description of the role assignment.')
- description: string?
-
- @sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @sys.description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @sys.description('Optional. 
The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/compute/gallery/main.json b/modules/compute/gallery/main.json
deleted file mode 100644
index 44e5d0a6f9..0000000000
--- a/modules/compute/gallery/main.json
+++ /dev/null
@@ -1,1091 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15313131097423380423" - }, - "name": "Azure Compute Galleries", - "description": "This module deploys an Azure Compute Gallery (formerly known as Shared Image Gallery).", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "minLength": 1, - "metadata": { - "description": "Required. Name of the Azure Compute Gallery." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Description of the Azure Shared Image Gallery." - } - }, - "applications": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Applications to create." - } - }, - "images": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Images to create." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." 
- } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags for all resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Compute Gallery Sharing Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "gallery": { - "type": "Microsoft.Compute/galleries", - "apiVersion": "2022-03-03", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "description": 
"[parameters('description')]", - "identifier": {} - } - }, - "gallery_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Compute/galleries/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "gallery" - ] - }, - "gallery_roleAssignments": { - "copy": { - "name": "gallery_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Compute/galleries/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Compute/galleries', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "gallery" - ] - }, - "galleries_applications": { - "copy": { - "name": "galleries_applications", - "count": "[length(parameters('applications'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Gallery-Application-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('applications')[copyIndex()].name]" - }, - "galleryName": { - "value": "[parameters('name')]" - }, - "supportedOSType": "[if(contains(parameters('applications')[copyIndex()], 'supportOSType'), createObject('value', parameters('applications')[copyIndex()].supportedOSType), createObject('value', 'Windows'))]", - "description": "[if(contains(parameters('applications')[copyIndex()], 'description'), createObject('value', parameters('applications')[copyIndex()].description), createObject('value', ''))]", - "eula": 
"[if(contains(parameters('applications')[copyIndex()], 'eula'), createObject('value', parameters('applications')[copyIndex()].eula), createObject('value', ''))]", - "privacyStatementUri": "[if(contains(parameters('applications')[copyIndex()], 'privacyStatementUri'), createObject('value', parameters('applications')[copyIndex()].privacyStatementUri), createObject('value', ''))]", - "releaseNoteUri": "[if(contains(parameters('applications')[copyIndex()], 'releaseNoteUri'), createObject('value', parameters('applications')[copyIndex()].releaseNoteUri), createObject('value', ''))]", - "endOfLifeDate": "[if(contains(parameters('applications')[copyIndex()], 'endOfLifeDate'), createObject('value', parameters('applications')[copyIndex()].endOfLifeDate), createObject('value', ''))]", - "roleAssignments": "[if(contains(parameters('applications')[copyIndex()], 'roleAssignments'), createObject('value', parameters('applications')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "customActions": "[if(contains(parameters('applications')[copyIndex()], 'customActions'), createObject('value', parameters('applications')[copyIndex()].customActions), createObject('value', createArray()))]", - "tags": { - "value": "[coalesce(tryGet(parameters('applications')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13733131047823769084" - }, - "name": "Compute Galleries Applications", - "description": "This module deploys an Azure Compute Gallery Application.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - 
"properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the application definition." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "galleryName": { - "type": "string", - "minLength": 1, - "metadata": { - "description": "Conditional. The name of the parent Azure Compute Gallery. Required if the template is used in a standalone deployment." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of this gallery Application Definition resource. This property is updatable." - } - }, - "eula": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The Eula agreement for the gallery Application Definition. Has to be a valid URL." - } - }, - "privacyStatementUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The privacy statement uri. Has to be a valid URL." - } - }, - "releaseNoteUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The release note uri. Has to be a valid URL." - } - }, - "supportedOSType": { - "type": "string", - "defaultValue": "Windows", - "allowedValues": [ - "Windows", - "Linux" - ], - "metadata": { - "description": "Optional. This property allows you to specify the supported type of the OS that application is built for." - } - }, - "endOfLifeDate": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The end of life date of the gallery Image Definition. This property can be used for decommissioning purposes. This property is updatable. Allowed format: 2020-01-10T23:00:00.000Z." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags for all resources." - } - }, - "customActions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. A list of custom actions that can be performed with all of the Gallery Application Versions within this Gallery Application." - } - } - }, - "variables": { - "builtInRoleNames": { - "Compute Gallery Sharing Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - 
"resources": [] - } - } - }, - "gallery": { - "existing": true, - "type": "Microsoft.Compute/galleries", - "apiVersion": "2022-03-03", - "name": "[parameters('galleryName')]" - }, - "application": { - "type": "Microsoft.Compute/galleries/applications", - "apiVersion": "2022-03-03", - "name": "[format('{0}/{1}', parameters('galleryName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "customActions": "[if(not(empty(parameters('customActions'))), parameters('customActions'), null())]", - "description": "[parameters('description')]", - "endOfLifeDate": "[parameters('endOfLifeDate')]", - "eula": "[parameters('eula')]", - "privacyStatementUri": "[parameters('privacyStatementUri')]", - "releaseNoteUri": "[parameters('releaseNoteUri')]", - "supportedOSType": "[parameters('supportedOSType')]" - }, - "dependsOn": [ - "gallery" - ] - }, - "application_roleAssignments": { - "copy": { - "name": "application_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Compute/galleries/{0}/applications/{1}', parameters('galleryName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Compute/galleries/applications', parameters('galleryName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, 
'/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "application" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the image was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the image." - }, - "value": "[resourceId('Microsoft.Compute/galleries/applications', parameters('galleryName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the image." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." 
- }, - "value": "[reference('application', '2022-03-03', 'full').location]" - } - } - } - }, - "dependsOn": [ - "gallery" - ] - }, - "galleries_images": { - "copy": { - "name": "galleries_images", - "count": "[length(parameters('images'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Gallery-Image-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('images')[copyIndex()].name]" - }, - "galleryName": { - "value": "[parameters('name')]" - }, - "osType": "[if(contains(parameters('images')[copyIndex()], 'osType'), createObject('value', parameters('images')[copyIndex()].osType), createObject('value', 'Windows'))]", - "osState": "[if(contains(parameters('images')[copyIndex()], 'osState'), createObject('value', parameters('images')[copyIndex()].osState), createObject('value', 'Generalized'))]", - "publisher": "[if(contains(parameters('images')[copyIndex()], 'publisher'), createObject('value', parameters('images')[copyIndex()].publisher), createObject('value', 'MicrosoftWindowsServer'))]", - "offer": "[if(contains(parameters('images')[copyIndex()], 'offer'), createObject('value', parameters('images')[copyIndex()].offer), createObject('value', 'WindowsServer'))]", - "sku": "[if(contains(parameters('images')[copyIndex()], 'sku'), createObject('value', parameters('images')[copyIndex()].sku), createObject('value', '2019-Datacenter'))]", - "minRecommendedvCPUs": "[if(contains(parameters('images')[copyIndex()], 'minRecommendedvCPUs'), createObject('value', parameters('images')[copyIndex()].minRecommendedvCPUs), createObject('value', 1))]", - "maxRecommendedvCPUs": "[if(contains(parameters('images')[copyIndex()], 'maxRecommendedvCPUs'), createObject('value', parameters('images')[copyIndex()].maxRecommendedvCPUs), createObject('value', 4))]", 
- "minRecommendedMemory": "[if(contains(parameters('images')[copyIndex()], 'minRecommendedMemory'), createObject('value', parameters('images')[copyIndex()].minRecommendedMemory), createObject('value', 4))]", - "maxRecommendedMemory": "[if(contains(parameters('images')[copyIndex()], 'maxRecommendedMemory'), createObject('value', parameters('images')[copyIndex()].maxRecommendedMemory), createObject('value', 16))]", - "hyperVGeneration": "[if(contains(parameters('images')[copyIndex()], 'hyperVGeneration'), createObject('value', parameters('images')[copyIndex()].hyperVGeneration), createObject('value', 'V1'))]", - "securityType": "[if(contains(parameters('images')[copyIndex()], 'securityType'), createObject('value', parameters('images')[copyIndex()].securityType), createObject('value', 'Standard'))]", - "description": "[if(contains(parameters('images')[copyIndex()], 'description'), createObject('value', parameters('images')[copyIndex()].description), createObject('value', ''))]", - "eula": "[if(contains(parameters('images')[copyIndex()], 'eula'), createObject('value', parameters('images')[copyIndex()].eula), createObject('value', ''))]", - "privacyStatementUri": "[if(contains(parameters('images')[copyIndex()], 'privacyStatementUri'), createObject('value', parameters('images')[copyIndex()].privacyStatementUri), createObject('value', ''))]", - "releaseNoteUri": "[if(contains(parameters('images')[copyIndex()], 'releaseNoteUri'), createObject('value', parameters('images')[copyIndex()].releaseNoteUri), createObject('value', ''))]", - "productName": "[if(contains(parameters('images')[copyIndex()], 'productName'), createObject('value', parameters('images')[copyIndex()].productName), createObject('value', ''))]", - "planName": "[if(contains(parameters('images')[copyIndex()], 'planName'), createObject('value', parameters('images')[copyIndex()].planName), createObject('value', ''))]", - "planPublisherName": "[if(contains(parameters('images')[copyIndex()], 'planPublisherName'), 
createObject('value', parameters('images')[copyIndex()].planPublisherName), createObject('value', ''))]", - "endOfLife": "[if(contains(parameters('images')[copyIndex()], 'endOfLife'), createObject('value', parameters('images')[copyIndex()].endOfLife), createObject('value', ''))]", - "excludedDiskTypes": "[if(contains(parameters('images')[copyIndex()], 'excludedDiskTypes'), createObject('value', parameters('images')[copyIndex()].excludedDiskTypes), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('images')[copyIndex()], 'roleAssignments'), createObject('value', parameters('images')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": { - "value": "[coalesce(tryGet(parameters('images')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17846161223611480196" - }, - "name": "Compute Galleries Image Definitions", - "description": "This module deploys an Azure Compute Gallery Image Definition.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the image definition." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "galleryName": { - "type": "string", - "minLength": 1, - "metadata": { - "description": "Conditional. The name of the parent Azure Shared Image Gallery. Required if the template is used in a standalone deployment." 
- } - }, - "osType": { - "type": "string", - "defaultValue": "Windows", - "allowedValues": [ - "Windows", - "Linux" - ], - "metadata": { - "description": "Optional. OS type of the image to be created." - } - }, - "osState": { - "type": "string", - "defaultValue": "Generalized", - "allowedValues": [ - "Generalized", - "Specialized" - ], - "metadata": { - "description": "Optional. This property allows the user to specify whether the virtual machines created under this image are 'Generalized' or 'Specialized'." - } - }, - "publisher": { - "type": "string", - "defaultValue": "MicrosoftWindowsServer", - "metadata": { - "description": "Optional. The name of the gallery Image Definition publisher." - } - }, - "offer": { - "type": "string", - "defaultValue": "WindowsServer", - "metadata": { - "description": "Optional. The name of the gallery Image Definition offer." - } - }, - "sku": { - "type": "string", - "defaultValue": "2019-Datacenter", - "metadata": { - "description": "Optional. The name of the gallery Image Definition SKU." - } - }, - "minRecommendedvCPUs": { - "type": "int", - "defaultValue": 1, - "minValue": 1, - "maxValue": 128, - "metadata": { - "description": "Optional. The minimum number of the CPU cores recommended for this image." - } - }, - "maxRecommendedvCPUs": { - "type": "int", - "defaultValue": 4, - "minValue": 1, - "maxValue": 128, - "metadata": { - "description": "Optional. The maximum number of the CPU cores recommended for this image." - } - }, - "minRecommendedMemory": { - "type": "int", - "defaultValue": 4, - "minValue": 1, - "maxValue": 4000, - "metadata": { - "description": "Optional. The minimum amount of RAM in GB recommended for this image." - } - }, - "maxRecommendedMemory": { - "type": "int", - "defaultValue": 16, - "minValue": 1, - "maxValue": 4000, - "metadata": { - "description": "Optional. The maximum amount of RAM in GB recommended for this image." 
- } - }, - "hyperVGeneration": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "V1", - "V2" - ], - "metadata": { - "description": "Optional. The hypervisor generation of the Virtual Machine.

- If this value is not specified, then it is determined by the securityType parameter.

- If the securityType parameter is specified, then the value of hyperVGeneration will be V2, else V1." - } - }, - "securityType": { - "type": "string", - "defaultValue": "Standard", - "allowedValues": [ - "Standard", - "TrustedLaunch", - "ConfidentialVM", - "ConfidentialVMSupported" - ], - "metadata": { - "description": "Optional. The security type of the image. Requires a hyperVGeneration V2." - } - }, - "isHibernateSupported": { - "type": "string", - "defaultValue": "false", - "allowedValues": [ - "true", - "false" - ], - "metadata": { - "description": "Optional. The image will support hibernation." - } - }, - "isAcceleratedNetworkSupported": { - "type": "string", - "defaultValue": "false", - "allowedValues": [ - "true", - "false" - ], - "metadata": { - "description": "Optional. The image supports accelerated networking.

Accelerated networking enables single root I/O virtualization (SR-IOV) to a VM, greatly improving its networking performance.

This high-performance path bypasses the host from the data path, which reduces latency, jitter, and CPU utilization for the most demanding network workloads on supported VM types." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of this gallery Image Definition resource. This property is updatable." - } - }, - "eula": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The Eula agreement for the gallery Image Definition. Has to be a valid URL." - } - }, - "privacyStatementUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The privacy statement uri. Has to be a valid URL." - } - }, - "releaseNoteUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The release note uri. Has to be a valid URL." - } - }, - "productName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The product ID." - } - }, - "planName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The plan ID." - } - }, - "planPublisherName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The publisher ID." - } - }, - "endOfLife": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The end of life date of the gallery Image Definition. This property can be used for decommissioning purposes. This property is updatable. Allowed format: 2020-01-10T23:00:00.000Z." - } - }, - "excludedDiskTypes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of the excluded disk types. E.g. Standard_LRS." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. 
Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags for all resources." - } - } - }, - "variables": { - "builtInRoleNames": { - "Compute Gallery Sharing Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "gallery": { - "existing": true, - "type": 
"Microsoft.Compute/galleries", - "apiVersion": "2022-03-03", - "name": "[parameters('galleryName')]" - }, - "image": { - "type": "Microsoft.Compute/galleries/images", - "apiVersion": "2022-03-03", - "name": "[format('{0}/{1}', parameters('galleryName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "osType": "[parameters('osType')]", - "osState": "[parameters('osState')]", - "identifier": { - "publisher": "[parameters('publisher')]", - "offer": "[parameters('offer')]", - "sku": "[parameters('sku')]" - }, - "recommended": { - "vCPUs": { - "min": "[parameters('minRecommendedvCPUs')]", - "max": "[parameters('maxRecommendedvCPUs')]" - }, - "memory": { - "min": "[parameters('minRecommendedMemory')]", - "max": "[parameters('maxRecommendedMemory')]" - } - }, - "hyperVGeneration": "[if(not(empty(parameters('hyperVGeneration'))), parameters('hyperVGeneration'), if(not(empty(parameters('securityType'))), 'V2', 'V1'))]", - "features": "[if(and(not(empty(parameters('securityType'))), not(equals(parameters('securityType'), 'Standard'))), createArray(createObject('name', 'SecurityType', 'value', parameters('securityType')), createObject('name', 'IsAcceleratedNetworkSupported', 'value', parameters('isAcceleratedNetworkSupported')), createObject('name', 'IsHibernateSupported', 'value', parameters('isHibernateSupported'))), createArray(createObject('name', 'IsAcceleratedNetworkSupported', 'value', parameters('isAcceleratedNetworkSupported')), createObject('name', 'IsHibernateSupported', 'value', parameters('isHibernateSupported'))))]", - "description": "[parameters('description')]", - "eula": "[parameters('eula')]", - "privacyStatementUri": "[parameters('privacyStatementUri')]", - "releaseNoteUri": "[parameters('releaseNoteUri')]", - "purchasePlan": { - "product": "[if(not(empty(parameters('productName'))), parameters('productName'), null())]", - "name": "[if(not(empty(parameters('planName'))), 
parameters('planName'), null())]", - "publisher": "[if(not(empty(parameters('planPublisherName'))), parameters('planPublisherName'), null())]" - }, - "endOfLifeDate": "[parameters('endOfLife')]", - "disallowed": { - "diskTypes": "[parameters('excludedDiskTypes')]" - } - }, - "dependsOn": [ - "gallery" - ] - }, - "image_roleAssignments": { - "copy": { - "name": "image_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Compute/galleries/{0}/images/{1}', parameters('galleryName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Compute/galleries/images', parameters('galleryName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 
'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "image" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the image was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the image." - }, - "value": "[resourceId('Microsoft.Compute/galleries/images', parameters('galleryName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the image." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('image', '2022-03-03', 'full').location]" - } - } - } - }, - "dependsOn": [ - "gallery" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed image gallery." - }, - "value": "[resourceId('Microsoft.Compute/galleries', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed image gallery." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed image gallery." 
- }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('gallery', '2022-03-03', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/compute/gallery/tests/e2e/defaults/main.test.bicep b/modules/compute/gallery/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index f7a09d997c..0000000000 --- a/modules/compute/gallery/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-compute.galleries-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cgmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/compute/gallery/tests/e2e/max/dependencies.bicep b/modules/compute/gallery/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/compute/gallery/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/compute/gallery/tests/e2e/max/main.test.bicep b/modules/compute/gallery/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 2562a048e5..0000000000
--- a/modules/compute/gallery/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,200 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-compute.galleries-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cgmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- applications: [
- {
- name: '${namePrefix}-${serviceShort}-appd-001'
- }
- {
- name: '${namePrefix}-${serviceShort}-appd-002'
- supportedOSType: 'Windows'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- }
- ]
- images: [
- {
- name: '${namePrefix}-az-imgd-ws-001'
- }
- {
- hyperVGeneration: 'V1'
- maxRecommendedMemory: 16
- maxRecommendedvCPUs: 8
- minRecommendedMemory: 4
- minRecommendedvCPUs: 2
- name: '${namePrefix}-az-imgd-ws-002'
- offer: 'WindowsServer'
- osState: 'Generalized'
- osType: 'Windows'
- publisher: 'MicrosoftWindowsServer'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- sku: '2022-datacenter-azure-edition'
- }
- {
- hyperVGeneration: 'V2'
- isHibernateSupported: 'true'
- maxRecommendedMemory: 16
- maxRecommendedvCPUs: 8
- minRecommendedMemory: 4
- minRecommendedvCPUs: 2
- name: '${namePrefix}-az-imgd-ws-003'
- offer: 'WindowsServer'
- osState: 'Generalized'
- osType: 'Windows'
- publisher: 'MicrosoftWindowsServer'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- sku: '2022-datacenter-azure-edition-hibernate'
- }
- {
- hyperVGeneration: 'V2'
- isAcceleratedNetworkSupported: 'true'
- maxRecommendedMemory: 16
- maxRecommendedvCPUs: 8
- minRecommendedMemory: 4
- minRecommendedvCPUs: 2
- name: '${namePrefix}-az-imgd-ws-004'
- offer: 'WindowsServer'
- osState: 'Generalized'
- osType: 'Windows'
- publisher: 'MicrosoftWindowsServer'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- sku: '2022-datacenter-azure-edition-accnet'
- }
- {
- hyperVGeneration: 'V2'
- securityType: 'TrustedLaunch'
- maxRecommendedMemory: 16
- maxRecommendedvCPUs: 4
- minRecommendedMemory: 4
- minRecommendedvCPUs: 2
- name: '${namePrefix}-az-imgd-wdtl-002'
- offer: 'WindowsDesktop'
- osState: 'Generalized'
- osType: 'Windows'
- publisher: 'MicrosoftWindowsDesktop'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- sku: 'Win11-21H2'
- }
- {
- hyperVGeneration: 'V2'
- maxRecommendedMemory: 32
- maxRecommendedvCPUs: 4
- minRecommendedMemory: 4
- minRecommendedvCPUs: 1
- name: '${namePrefix}-az-imgd-us-001'
- offer: '0001-com-ubuntu-server-focal'
- osState: 'Generalized'
- osType: 'Linux'
- publisher: 'canonical'
- sku: '20_04-lts-gen2'
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/compute/gallery/tests/e2e/waf-aligned/dependencies.bicep b/modules/compute/gallery/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/compute/gallery/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 7d759c2f2a..0000000000
--- a/modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,183 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-compute.galleries-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cgwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- applications: [
- {
- name: '${namePrefix}-${serviceShort}-appd-001'
- }
- {
- name: '${namePrefix}-${serviceShort}-appd-002'
- supportedOSType: 'Windows'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- }
- ]
- images: [
- {
- name: '${namePrefix}-az-imgd-ws-001'
- }
- {
- hyperVGeneration: 'V1'
- maxRecommendedMemory: 16
- maxRecommendedvCPUs: 8
- minRecommendedMemory: 4
- minRecommendedvCPUs: 2
- name: '${namePrefix}-az-imgd-ws-002'
- offer: 'WindowsServer'
- osState: 'Generalized'
- osType: 'Windows'
- publisher: 'MicrosoftWindowsServer'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- sku: '2022-datacenter-azure-edition'
- }
- {
- hyperVGeneration: 'V2'
- isHibernateSupported: 'true'
- maxRecommendedMemory: 16
- maxRecommendedvCPUs: 8
- minRecommendedMemory: 4
- minRecommendedvCPUs: 2
- name: '${namePrefix}-az-imgd-ws-003'
- offer: 'WindowsServer'
- osState: 'Generalized'
- osType: 'Windows'
- publisher: 'MicrosoftWindowsServer'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- sku: '2022-datacenter-azure-edition-hibernate'
- }
- {
- hyperVGeneration: 'V2'
- isAcceleratedNetworkSupported: 'true'
- maxRecommendedMemory: 16
- maxRecommendedvCPUs: 8
- minRecommendedMemory: 4
- minRecommendedvCPUs: 2
- name: '${namePrefix}-az-imgd-ws-004'
- offer: 'WindowsServer'
- osState: 'Generalized'
- osType: 'Windows'
- publisher: 'MicrosoftWindowsServer'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- sku: '2022-datacenter-azure-edition-accnet'
- }
- {
- hyperVGeneration: 'V2'
- securityType: 'TrustedLaunch'
- maxRecommendedMemory: 16
- maxRecommendedvCPUs: 4
- minRecommendedMemory: 4
- minRecommendedvCPUs: 2
- name: '${namePrefix}-az-imgd-wdtl-002'
- offer: 'WindowsDesktop'
- osState: 'Generalized'
- osType: 'Windows'
- publisher: 'MicrosoftWindowsDesktop'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- sku: 'Win11-21H2'
- }
- {
- hyperVGeneration: 'V2'
- maxRecommendedMemory: 32
- maxRecommendedvCPUs: 4
- minRecommendedMemory: 4
- minRecommendedvCPUs: 1
- name: '${namePrefix}-az-imgd-us-001'
- offer: '0001-com-ubuntu-server-focal'
- osState: 'Generalized'
- osType: 'Linux'
- publisher: 'canonical'
- sku: '20_04-lts-gen2'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/compute/gallery/version.json b/modules/compute/gallery/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/compute/gallery/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/compute/image/MOVED-TO-AVM.md b/modules/compute/image/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/compute/image/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/compute/image/README.md b/modules/compute/image/README.md
index 62ec79e0aa..34da8019f1 100644
--- a/modules/compute/image/README.md
+++ b/modules/compute/image/README.md
@@ -1,539 +1,7 @@
-# Images `[Microsoft.Compute/images]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/compute/image](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/compute/image).** -This module deploys a Compute Image. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/compute/image). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Compute/images` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Compute/2022-11-01/images) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/compute.image:1.0.0`. 
- -- [Using large parameter set](#example-1-using-large-parameter-set) -- [WAF-aligned](#example-2-waf-aligned) - -### Example 1: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -
- -via Bicep module - -```bicep -module image 'br:bicep/modules/compute.image:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cimax' - params: { - // Required parameters - name: 'cimax001' - osAccountType: 'Premium_LRS' - osDiskBlobUri: '' - osDiskCaching: 'ReadWrite' - osType: 'Windows' - // Non-required parameters - diskEncryptionSetResourceId: '' - diskSizeGB: 128 - enableDefaultTelemetry: '' - hyperVGeneration: 'V1' - osState: 'Generalized' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - tagA: 'You\'re it' - tagB: 'Player' - } - zoneResilient: true - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "cimax001" - }, - "osAccountType": { - "value": "Premium_LRS" - }, - "osDiskBlobUri": { - "value": "" - }, - "osDiskCaching": { - "value": "ReadWrite" - }, - "osType": { - "value": "Windows" - }, - // Non-required parameters - "diskEncryptionSetResourceId": { - "value": "" - }, - "diskSizeGB": { - "value": 128 - }, - "enableDefaultTelemetry": { - "value": "" - }, - "hyperVGeneration": { - "value": "V1" - }, - "osState": { - "value": "Generalized" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "hidden-title": "This is visible in the resource name", - "tagA": "You\"re it", - "tagB": "Player" - } - }, - "zoneResilient": { - "value": true - } - } -} -``` - -
-

- -### Example 2: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module image 'br:bicep/modules/compute.image:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ciwaf' - params: { - // Required parameters - name: 'ciwaf001' - osAccountType: 'Premium_LRS' - osDiskBlobUri: '' - osDiskCaching: 'ReadWrite' - osType: 'Windows' - // Non-required parameters - diskEncryptionSetResourceId: '' - diskSizeGB: 128 - enableDefaultTelemetry: '' - hyperVGeneration: 'V1' - osState: 'Generalized' - tags: { - 'hidden-title': 'This is visible in the resource name' - tagA: 'You\'re it' - tagB: 'Player' - } - zoneResilient: true - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ciwaf001" - }, - "osAccountType": { - "value": "Premium_LRS" - }, - "osDiskBlobUri": { - "value": "" - }, - "osDiskCaching": { - "value": "ReadWrite" - }, - "osType": { - "value": "Windows" - }, - // Non-required parameters - "diskEncryptionSetResourceId": { - "value": "" - }, - "diskSizeGB": { - "value": 128 - }, - "enableDefaultTelemetry": { - "value": "" - }, - "hyperVGeneration": { - "value": "V1" - }, - "osState": { - "value": "Generalized" - }, - "tags": { - "value": { - "hidden-title": "This is visible in the resource name", - "tagA": "You\"re it", - "tagB": "Player" - } - }, - "zoneResilient": { - "value": true - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the image. | -| [`osDiskBlobUri`](#parameter-osdiskbloburi) | string | The Virtual Hard Disk. | -| [`osType`](#parameter-ostype) | string | This property allows you to specify the type of the OS that is included in the disk if creating a VM from a custom image. - Windows or Linux. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`dataDisks`](#parameter-datadisks) | array | Specifies the parameters that are used to add a data disk to a virtual machine. | -| [`diskEncryptionSetResourceId`](#parameter-diskencryptionsetresourceid) | string | Specifies the customer managed disk encryption set resource ID for the managed image disk. | -| [`diskSizeGB`](#parameter-disksizegb) | int | Specifies the size of empty data disks in gigabytes. This element can be used to overwrite the name of the disk in a virtual machine image. This value cannot be larger than 1023 GB. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`extendedLocation`](#parameter-extendedlocation) | object | The extended location of the Image. | -| [`hyperVGeneration`](#parameter-hypervgeneration) | string | Gets the HyperVGenerationType of the VirtualMachine created from the image. - V1 or V2. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`managedDiskResourceId`](#parameter-manageddiskresourceid) | string | The managedDisk. | -| [`osAccountType`](#parameter-osaccounttype) | string | Specifies the storage account type for the managed disk. NOTE: UltraSSD_LRS can only be used with data disks, it cannot be used with OS Disk. - Standard_LRS, Premium_LRS, StandardSSD_LRS, UltraSSD_LRS. | -| [`osDiskCaching`](#parameter-osdiskcaching) | string | Specifies the caching requirements. 
Default: None for Standard storage. ReadOnly for Premium storage. - None, ReadOnly, ReadWrite. | -| [`osState`](#parameter-osstate) | string | The OS State. For managed images, use Generalized. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`snapshotResourceId`](#parameter-snapshotresourceid) | string | The snapshot resource ID. | -| [`sourceVirtualMachineResourceId`](#parameter-sourcevirtualmachineresourceid) | string | The source virtual machine from which Image is created. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`zoneResilient`](#parameter-zoneresilient) | bool | Default is false. Specifies whether an image is zone resilient or not. Zone resilient images can be created only in regions that provide Zone Redundant Storage (ZRS). | - -### Parameter: `name` - -The name of the image. - -- Required: Yes -- Type: string - -### Parameter: `osDiskBlobUri` - -The Virtual Hard Disk. - -- Required: Yes -- Type: string - -### Parameter: `osType` - -This property allows you to specify the type of the OS that is included in the disk if creating a VM from a custom image. - Windows or Linux. - -- Required: Yes -- Type: string - -### Parameter: `dataDisks` - -Specifies the parameters that are used to add a data disk to a virtual machine. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `diskEncryptionSetResourceId` - -Specifies the customer managed disk encryption set resource ID for the managed image disk. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `diskSizeGB` - -Specifies the size of empty data disks in gigabytes. This element can be used to overwrite the name of the disk in a virtual machine image. This value cannot be larger than 1023 GB. - -- Required: No -- Type: int -- Default: `128` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). 
- -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `extendedLocation` - -The extended location of the Image. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `hyperVGeneration` - -Gets the HyperVGenerationType of the VirtualMachine created from the image. - V1 or V2. - -- Required: No -- Type: string -- Default: `'V1'` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `managedDiskResourceId` - -The managedDisk. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `osAccountType` - -Specifies the storage account type for the managed disk. NOTE: UltraSSD_LRS can only be used with data disks, it cannot be used with OS Disk. - Standard_LRS, Premium_LRS, StandardSSD_LRS, UltraSSD_LRS. - -- Required: Yes -- Type: string - -### Parameter: `osDiskCaching` - -Specifies the caching requirements. Default: None for Standard storage. ReadOnly for Premium storage. - None, ReadOnly, ReadWrite. - -- Required: Yes -- Type: string - -### Parameter: `osState` - -The OS State. For managed images, use Generalized. - -- Required: No -- Type: string -- Default: `'Generalized'` -- Allowed: - ```Bicep - [ - 'Generalized' - 'Specialized' - ] - ``` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `snapshotResourceId` - -The snapshot resource ID. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `sourceVirtualMachineResourceId` - -The source virtual machine from which Image is created. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `zoneResilient` - -Default is false. Specifies whether an image is zone resilient or not. Zone resilient images can be created only in regions that provide Zone Redundant Storage (ZRS). - -- Required: No -- Type: bool -- Default: `False` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the image. | -| `resourceGroupName` | string | The resource group the image was deployed into. | -| `resourceId` | string | The resource ID of the image. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/compute/image/main.bicep b/modules/compute/image/main.bicep deleted file mode 100644 index 20e3e6ea11..0000000000 --- a/modules/compute/image/main.bicep +++ /dev/null 
@@ -1,170 +0,0 @@ -metadata name = 'Images' -metadata description = 'This module deploys a Compute Image.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. The name of the image.') -param name string - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Required. The Virtual Hard Disk.') -param osDiskBlobUri string - -@description('Required. This property allows you to specify the type of the OS that is included in the disk if creating a VM from a custom image. - Windows or Linux.') -param osType string - -@description('Optional. Specifies the caching requirements. Default: None for Standard storage. ReadOnly for Premium storage. - None, ReadOnly, ReadWrite.') -param osDiskCaching string - -@description('Optional. Specifies the storage account type for the managed disk. NOTE: UltraSSD_LRS can only be used with data disks, it cannot be used with OS Disk. - Standard_LRS, Premium_LRS, StandardSSD_LRS, UltraSSD_LRS.') -param osAccountType string - -@description('Optional. Default is false. Specifies whether an image is zone resilient or not. Zone resilient images can be created only in regions that provide Zone Redundant Storage (ZRS).') -param zoneResilient bool = false - -@description('Optional. Gets the HyperVGenerationType of the VirtualMachine created from the image. - V1 or V2.') -param hyperVGeneration string = 'V1' - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. Tags of the resource.') -param tags object? - -@description('Optional. The extended location of the Image.') -param extendedLocation object = {} - -@description('Optional. The source virtual machine from which Image is created.') -param sourceVirtualMachineResourceId string = '' - -@description('Optional. 
Specifies the customer managed disk encryption set resource ID for the managed image disk.') -param diskEncryptionSetResourceId string = '' - -@description('Optional. The managedDisk.') -param managedDiskResourceId string = '' - -@description('Optional. Specifies the size of empty data disks in gigabytes. This element can be used to overwrite the name of the disk in a virtual machine image. This value cannot be larger than 1023 GB.') -param diskSizeGB int = 128 - -@description('Optional. The OS State. For managed images, use Generalized.') -@allowed([ - 'Generalized' - 'Specialized' -]) -param osState string = 'Generalized' - -@description('Optional. The snapshot resource ID.') -param snapshotResourceId string = '' - -@description('Optional. Specifies the parameters that are used to add a data disk to a virtual machine.') -param dataDisks array = [] - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 
'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource image 'Microsoft.Compute/images@2022-11-01' = { - name: name - location: location - tags: tags - extendedLocation: !empty(extendedLocation) ? extendedLocation : null - properties: { - storageProfile: { - osDisk: { - osType: osType - blobUri: osDiskBlobUri - caching: osDiskCaching - storageAccountType: osAccountType - osState: osState - diskEncryptionSet: !empty(diskEncryptionSetResourceId) ? { - id: diskEncryptionSetResourceId - } : null - diskSizeGB: diskSizeGB - managedDisk: !empty(managedDiskResourceId) ? { - id: managedDiskResourceId - } : null - snapshot: !empty(snapshotResourceId) ? { - id: snapshotResourceId - } : null - } - dataDisks: dataDisks - zoneResilient: zoneResilient - } - hyperVGeneration: hyperVGeneration - sourceVirtualMachine: !empty(sourceVirtualMachineResourceId) ? { - id: sourceVirtualMachineResourceId - } : null - } -} - -resource image_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(image.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? 
'2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: image -}] - -@description('The resource ID of the image.') -output resourceId string = image.id - -@description('The resource group the image was deployed into.') -output resourceGroupName string = resourceGroup().name - -@description('The name of the image.') -output name string = image.name - -@description('The location the resource was deployed into.') -output location string = image.location -// =============== // -// Definitions // -// =============== // - -type roleAssignmentType = { - @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? diff --git a/modules/compute/image/main.json b/modules/compute/image/main.json deleted file mode 100644 index b3099a9dec..0000000000 
--- a/modules/compute/image/main.json
+++ /dev/null
@@ -1,320 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6473488393825855372" - }, - "name": "Images", - "description": "This module deploys a Compute Image.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the image." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "osDiskBlobUri": { - "type": "string", - "metadata": { - "description": "Required. The Virtual Hard Disk." - } - }, - "osType": { - "type": "string", - "metadata": { - "description": "Required. This property allows you to specify the type of the OS that is included in the disk if creating a VM from a custom image. - Windows or Linux." - } - }, - "osDiskCaching": { - "type": "string", - "metadata": { - "description": "Optional. Specifies the caching requirements. Default: None for Standard storage. ReadOnly for Premium storage. - None, ReadOnly, ReadWrite." - } - }, - "osAccountType": { - "type": "string", - "metadata": { - "description": "Optional. Specifies the storage account type for the managed disk. NOTE: UltraSSD_LRS can only be used with data disks, it cannot be used with OS Disk. - Standard_LRS, Premium_LRS, StandardSSD_LRS, UltraSSD_LRS." - } - }, - "zoneResilient": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Default is false. Specifies whether an image is zone resilient or not. Zone resilient images can be created only in regions that provide Zone Redundant Storage (ZRS)." - } - }, - "hyperVGeneration": { - "type": "string", - "defaultValue": "V1", - "metadata": { - "description": "Optional. Gets the HyperVGenerationType of the VirtualMachine created from the image. - V1 or V2." 
- } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "extendedLocation": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The extended location of the Image." - } - }, - "sourceVirtualMachineResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The source virtual machine from which Image is created." - } - }, - "diskEncryptionSetResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies the customer managed disk encryption set resource ID for the managed image disk." - } - }, - "managedDiskResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The managedDisk." - } - }, - "diskSizeGB": { - "type": "int", - "defaultValue": 128, - "metadata": { - "description": "Optional. Specifies the size of empty data disks in gigabytes. This element can be used to overwrite the name of the disk in a virtual machine image. This value cannot be larger than 1023 GB." - } - }, - "osState": { - "type": "string", - "defaultValue": "Generalized", - "allowedValues": [ - "Generalized", - "Specialized" - ], - "metadata": { - "description": "Optional. The OS State. For managed images, use Generalized." - } - }, - "snapshotResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The snapshot resource ID." - } - }, - "dataDisks": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specifies the parameters that are used to add a data disk to a virtual machine." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. 
Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "image": { - "type": "Microsoft.Compute/images", - "apiVersion": "2022-11-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "extendedLocation": "[if(not(empty(parameters('extendedLocation'))), parameters('extendedLocation'), null())]", - "properties": { - "storageProfile": { - "osDisk": { - "osType": "[parameters('osType')]", - "blobUri": "[parameters('osDiskBlobUri')]", - "caching": "[parameters('osDiskCaching')]", - "storageAccountType": "[parameters('osAccountType')]", - "osState": "[parameters('osState')]", - "diskEncryptionSet": "[if(not(empty(parameters('diskEncryptionSetResourceId'))), 
createObject('id', parameters('diskEncryptionSetResourceId')), null())]", - "diskSizeGB": "[parameters('diskSizeGB')]", - "managedDisk": "[if(not(empty(parameters('managedDiskResourceId'))), createObject('id', parameters('managedDiskResourceId')), null())]", - "snapshot": "[if(not(empty(parameters('snapshotResourceId'))), createObject('id', parameters('snapshotResourceId')), null())]" - }, - "dataDisks": "[parameters('dataDisks')]", - "zoneResilient": "[parameters('zoneResilient')]" - }, - "hyperVGeneration": "[parameters('hyperVGeneration')]", - "sourceVirtualMachine": "[if(not(empty(parameters('sourceVirtualMachineResourceId'))), createObject('id', parameters('sourceVirtualMachineResourceId')), null())]" - } - }, - "image_roleAssignments": { - "copy": { - "name": "image_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Compute/images/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Compute/images', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "image" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the image." - }, - "value": "[resourceId('Microsoft.Compute/images', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the image was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the image." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('image', '2022-11-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/compute/image/tests/e2e/max/dependencies.bicep b/modules/compute/image/tests/e2e/max/dependencies.bicep deleted file mode 100644 index 2a31d8730b..0000000000 --- a/modules/compute/image/tests/e2e/max/dependencies.bicep +++ /dev/null 
@@ -1,218 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -@description('Required. The name of the Storage Account to create and to copy the VHD into.') -param storageAccountName string - -@description('Required. The name of the Disk Encryption Set to create.') -param diskEncryptionSetName string - -@description('Required. The name of the Key Vault to create.') -param keyVaultName string - -@description('Required. The name prefix of the Image Template to create.') -param imageTemplateNamePrefix string - -@description('Generated. Do not provide a value! This date value is used to generate a unique image template name.') -param baseTime string = utcNow('yyyy-MM-dd-HH-mm-ss') - -@description('Required. The name of the Deployment Script to create for triggering the image creation.') -param triggerImageDeploymentScriptName string - -@description('Required. 
The name of the Deployment Script to copy the VHD to a destination storage account.') -param copyVhdDeploymentScriptName string - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = { - name: storageAccountName - location: location - kind: 'StorageV2' - sku: { - name: 'Standard_LRS' - } - properties: { - allowBlobPublicAccess: false - } - resource blobServices 'blobServices@2022-09-01' = { - name: 'default' - resource container 'containers@2022-09-01' = { - name: 'vhds' - properties: { - publicAccess: 'None' - } - } - } -} - -module roleAssignment 'dependencies_rbac.bicep' = { - name: '${deployment().name}-MSI-roleAssignment' - scope: subscription() - params: { - managedIdentityPrincipalId: managedIdentity.properties.principalId - managedIdentityResourceId: managedIdentity.id - } -} - -// Deploy image template -resource imageTemplate 'Microsoft.VirtualMachineImages/imageTemplates@2022-02-14' = { - #disable-next-line use-stable-resource-identifiers - name: '${imageTemplateNamePrefix}-${baseTime}' - location: location - identity: { - type: 'UserAssigned' - userAssignedIdentities: { - '${managedIdentity.id}': {} - } - } - properties: { - buildTimeoutInMinutes: 0 - vmProfile: { - vmSize: 'Standard_D2s_v3' - osDiskSizeGB: 127 - } - source: { - type: 'PlatformImage' - publisher: 'MicrosoftWindowsDesktop' - offer: 'Windows-11' - sku: 'win11-21h2-avd' - version: 'latest' - } - distribute: [ - { - type: 'VHD' - runOutputName: '${imageTemplateNamePrefix}-VHD' - artifactTags: {} - } - ] - customize: [ - { - restartTimeout: '30m' - type: 'WindowsRestart' - } - ] - } -} - -// Trigger VHD creation -resource triggerImageDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = { - name: triggerImageDeploymentScriptName - location: location - kind: 'AzurePowerShell' - identity: { - type: 'UserAssigned' - 
userAssignedIdentities: { - '${managedIdentity.id}': {} - } - } - properties: { - azPowerShellVersion: '8.0' - retentionInterval: 'P1D' - arguments: '-ImageTemplateName \\"${imageTemplate.name}\\" -ImageTemplateResourceGroup \\"${resourceGroup().name}\\"' - scriptContent: loadTextContent('../../../../../.shared/.scripts/Start-ImageTemplate.ps1') - cleanupPreference: 'OnSuccess' - forceUpdateTag: baseTime - } - dependsOn: [ - roleAssignment - ] -} - -// Copy VHD to destination storage account -resource copyVhdDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = { - name: copyVhdDeploymentScriptName - location: location - kind: 'AzurePowerShell' - identity: { - type: 'UserAssigned' - userAssignedIdentities: { - '${managedIdentity.id}': {} - } - } - properties: { - azPowerShellVersion: '8.0' - retentionInterval: 'P1D' - arguments: '-ImageTemplateName \\"${imageTemplate.name}\\" -ImageTemplateResourceGroup \\"${resourceGroup().name}\\" -DestinationStorageAccountName \\"${storageAccount.name}\\" -VhdName \\"${imageTemplateNamePrefix}\\" -WaitForComplete' - scriptContent: loadTextContent('../../../../../.shared/.scripts/Copy-VhdToStorageAccount.ps1') - cleanupPreference: 'OnSuccess' - forceUpdateTag: baseTime - } - dependsOn: [ triggerImageDeploymentScript ] -} - -resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { - name: keyVaultName - location: location - properties: { - sku: { - family: 'A' - name: 'standard' - } - tenantId: tenant().tenantId - enablePurgeProtection: true // Required for encrption to work - softDeleteRetentionInDays: 7 - enabledForTemplateDeployment: true - enabledForDiskEncryption: true - enabledForDeployment: true - enableRbacAuthorization: true - accessPolicies: [] - } - - resource key 'keys@2022-07-01' = { - name: 'encryptionKey' - properties: { - kty: 'RSA' - } - } -} - -resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - name: 
guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment') - scope: keyVault::key - properties: { - principalId: managedIdentity.properties.principalId - roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User - principalType: 'ServicePrincipal' - } -} - -resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2022-07-02' = { - name: diskEncryptionSetName - location: location - identity: { - type: 'UserAssigned' - userAssignedIdentities: { - '${managedIdentity.id}': {} - } - } - properties: { - activeKey: { - sourceVault: { - id: keyVault.id - } - keyUrl: keyVault::key.properties.keyUriWithVersion - } - encryptionType: 'EncryptionAtRestWithCustomerKey' - } - dependsOn: [ - keyPermissions - ] -} - -@description('The URI of the created VHD.') -output vhdUri string = 'https://${storageAccount.name}.blob.${environment().suffixes.storage}/vhds/${imageTemplateNamePrefix}.vhd' - -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId - -@description('The resource ID of the created Managed Identity.') -output managedIdentityResourceId string = managedIdentity.id - -@description('The resource ID of the created Disk Encryption Set.') -output diskEncryptionSetResourceId string = diskEncryptionSet.id diff --git a/modules/compute/image/tests/e2e/max/dependencies_rbac.bicep b/modules/compute/image/tests/e2e/max/dependencies_rbac.bicep deleted file mode 100644 index cdca1b63bd..0000000000 --- a/modules/compute/image/tests/e2e/max/dependencies_rbac.bicep +++ /dev/null 
@@ -1,16 +0,0 @@
-targetScope = 'subscription'
-
-@description('Required. The resource ID of the created Managed Identity.')
-param managedIdentityResourceId string
-
-@description('Required. The principal ID of the created Managed Identity.')
-param managedIdentityPrincipalId string
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(subscription().subscriptionId, 'Contributor', managedIdentityResourceId)
- properties: {
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor
- principalId: managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
-}
diff --git a/modules/compute/image/tests/e2e/max/main.test.bicep b/modules/compute/image/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 4ef529aeea..0000000000
--- a/modules/compute/image/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,97 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-compute.images-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cimax' - -@description('Generated. Used as a basis for unique resource names.') -param baseTime string = utcNow('u') - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. 
A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' - diskEncryptionSetName: 'dep-${namePrefix}-des-${serviceShort}' - storageAccountName: 'dep${namePrefix}sa${serviceShort}01' - imageTemplateNamePrefix: 'dep-${namePrefix}-imgt-${serviceShort}' - triggerImageDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}-triggerImageTemplate' - copyVhdDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}-copyVhdToStorage' - } -} - -// ============== // -// Test Execution // -// ============== // -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - osAccountType: 'Premium_LRS' - osDiskBlobUri: nestedDependencies.outputs.vhdUri - osDiskCaching: 'ReadWrite' - osType: 'Windows' - hyperVGeneration: 'V1' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: 
nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - zoneResilient: true - diskEncryptionSetResourceId: nestedDependencies.outputs.diskEncryptionSetResourceId - osState: 'Generalized' - diskSizeGB: 128 - tags: { - 'hidden-title': 'This is visible in the resource name' - tagA: 'You\'re it' - tagB: 'Player' - } - } -}] diff --git a/modules/compute/image/tests/e2e/waf-aligned/dependencies.bicep b/modules/compute/image/tests/e2e/waf-aligned/dependencies.bicep deleted file mode 100644 index 2a31d8730b..0000000000 --- a/modules/compute/image/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null 
@@ -1,218 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -@description('Required. The name of the Storage Account to create and to copy the VHD into.') -param storageAccountName string - -@description('Required. The name of the Disk Encryption Set to create.') -param diskEncryptionSetName string - -@description('Required. The name of the Key Vault to create.') -param keyVaultName string - -@description('Required. The name prefix of the Image Template to create.') -param imageTemplateNamePrefix string - -@description('Generated. Do not provide a value! This date value is used to generate a unique image template name.') -param baseTime string = utcNow('yyyy-MM-dd-HH-mm-ss') - -@description('Required. The name of the Deployment Script to create for triggering the image creation.') -param triggerImageDeploymentScriptName string - -@description('Required. 
The name of the Deployment Script to copy the VHD to a destination storage account.') -param copyVhdDeploymentScriptName string - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = { - name: storageAccountName - location: location - kind: 'StorageV2' - sku: { - name: 'Standard_LRS' - } - properties: { - allowBlobPublicAccess: false - } - resource blobServices 'blobServices@2022-09-01' = { - name: 'default' - resource container 'containers@2022-09-01' = { - name: 'vhds' - properties: { - publicAccess: 'None' - } - } - } -} - -module roleAssignment 'dependencies_rbac.bicep' = { - name: '${deployment().name}-MSI-roleAssignment' - scope: subscription() - params: { - managedIdentityPrincipalId: managedIdentity.properties.principalId - managedIdentityResourceId: managedIdentity.id - } -} - -// Deploy image template -resource imageTemplate 'Microsoft.VirtualMachineImages/imageTemplates@2022-02-14' = { - #disable-next-line use-stable-resource-identifiers - name: '${imageTemplateNamePrefix}-${baseTime}' - location: location - identity: { - type: 'UserAssigned' - userAssignedIdentities: { - '${managedIdentity.id}': {} - } - } - properties: { - buildTimeoutInMinutes: 0 - vmProfile: { - vmSize: 'Standard_D2s_v3' - osDiskSizeGB: 127 - } - source: { - type: 'PlatformImage' - publisher: 'MicrosoftWindowsDesktop' - offer: 'Windows-11' - sku: 'win11-21h2-avd' - version: 'latest' - } - distribute: [ - { - type: 'VHD' - runOutputName: '${imageTemplateNamePrefix}-VHD' - artifactTags: {} - } - ] - customize: [ - { - restartTimeout: '30m' - type: 'WindowsRestart' - } - ] - } -} - -// Trigger VHD creation -resource triggerImageDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = { - name: triggerImageDeploymentScriptName - location: location - kind: 'AzurePowerShell' - identity: { - type: 'UserAssigned' - 
userAssignedIdentities: { - '${managedIdentity.id}': {} - } - } - properties: { - azPowerShellVersion: '8.0' - retentionInterval: 'P1D' - arguments: '-ImageTemplateName \\"${imageTemplate.name}\\" -ImageTemplateResourceGroup \\"${resourceGroup().name}\\"' - scriptContent: loadTextContent('../../../../../.shared/.scripts/Start-ImageTemplate.ps1') - cleanupPreference: 'OnSuccess' - forceUpdateTag: baseTime - } - dependsOn: [ - roleAssignment - ] -} - -// Copy VHD to destination storage account -resource copyVhdDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = { - name: copyVhdDeploymentScriptName - location: location - kind: 'AzurePowerShell' - identity: { - type: 'UserAssigned' - userAssignedIdentities: { - '${managedIdentity.id}': {} - } - } - properties: { - azPowerShellVersion: '8.0' - retentionInterval: 'P1D' - arguments: '-ImageTemplateName \\"${imageTemplate.name}\\" -ImageTemplateResourceGroup \\"${resourceGroup().name}\\" -DestinationStorageAccountName \\"${storageAccount.name}\\" -VhdName \\"${imageTemplateNamePrefix}\\" -WaitForComplete' - scriptContent: loadTextContent('../../../../../.shared/.scripts/Copy-VhdToStorageAccount.ps1') - cleanupPreference: 'OnSuccess' - forceUpdateTag: baseTime - } - dependsOn: [ triggerImageDeploymentScript ] -} - -resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { - name: keyVaultName - location: location - properties: { - sku: { - family: 'A' - name: 'standard' - } - tenantId: tenant().tenantId - enablePurgeProtection: true // Required for encrption to work - softDeleteRetentionInDays: 7 - enabledForTemplateDeployment: true - enabledForDiskEncryption: true - enabledForDeployment: true - enableRbacAuthorization: true - accessPolicies: [] - } - - resource key 'keys@2022-07-01' = { - name: 'encryptionKey' - properties: { - kty: 'RSA' - } - } -} - -resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - name: 
guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment') - scope: keyVault::key - properties: { - principalId: managedIdentity.properties.principalId - roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User - principalType: 'ServicePrincipal' - } -} - -resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2022-07-02' = { - name: diskEncryptionSetName - location: location - identity: { - type: 'UserAssigned' - userAssignedIdentities: { - '${managedIdentity.id}': {} - } - } - properties: { - activeKey: { - sourceVault: { - id: keyVault.id - } - keyUrl: keyVault::key.properties.keyUriWithVersion - } - encryptionType: 'EncryptionAtRestWithCustomerKey' - } - dependsOn: [ - keyPermissions - ] -} - -@description('The URI of the created VHD.') -output vhdUri string = 'https://${storageAccount.name}.blob.${environment().suffixes.storage}/vhds/${imageTemplateNamePrefix}.vhd' - -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId - -@description('The resource ID of the created Managed Identity.') -output managedIdentityResourceId string = managedIdentity.id - -@description('The resource ID of the created Disk Encryption Set.') -output diskEncryptionSetResourceId string = diskEncryptionSet.id diff --git a/modules/compute/image/tests/e2e/waf-aligned/dependencies_rbac.bicep b/modules/compute/image/tests/e2e/waf-aligned/dependencies_rbac.bicep deleted file mode 100644 index cdca1b63bd..0000000000 --- a/modules/compute/image/tests/e2e/waf-aligned/dependencies_rbac.bicep +++ /dev/null 
@@ -1,16 +0,0 @@
-targetScope = 'subscription'
-
-@description('Required. The resource ID of the created Managed Identity.')
-param managedIdentityResourceId string
-
-@description('Required. The principal ID of the created Managed Identity.')
-param managedIdentityPrincipalId string
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(subscription().subscriptionId, 'Contributor', managedIdentityResourceId)
- properties: {
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor
- principalId: managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
-}
diff --git a/modules/compute/image/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/image/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index ee4dfe3db0..0000000000
--- a/modules/compute/image/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,80 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-compute.images-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'ciwaf' - -@description('Generated. Used as a basis for unique resource names.') -param baseTime string = utcNow('u') - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. 
A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' - diskEncryptionSetName: 'dep-${namePrefix}-des-${serviceShort}' - storageAccountName: 'dep${namePrefix}sa${serviceShort}01' - imageTemplateNamePrefix: 'dep-${namePrefix}-imgt-${serviceShort}' - triggerImageDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}-triggerImageTemplate' - copyVhdDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}-copyVhdToStorage' - } -} - -// ============== // -// Test Execution // -// ============== // -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - osAccountType: 'Premium_LRS' - osDiskBlobUri: nestedDependencies.outputs.vhdUri - osDiskCaching: 'ReadWrite' - osType: 'Windows' - hyperVGeneration: 'V1' - zoneResilient: true - diskEncryptionSetResourceId: nestedDependencies.outputs.diskEncryptionSetResourceId - osState: 'Generalized' - diskSizeGB: 128 - tags: { - 'hidden-title': 'This is visible in the resource name' - tagA: 'You\'re it' - tagB: 'Player' - } - } -}] 
diff --git a/modules/compute/image/version.json b/modules/compute/image/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/compute/image/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/compute/proximity-placement-group/MOVED-TO-AVM.md b/modules/compute/proximity-placement-group/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/compute/proximity-placement-group/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/compute/proximity-placement-group/README.md b/modules/compute/proximity-placement-group/README.md
index 89d99b10b9..0afddae7c8 100644
--- a/modules/compute/proximity-placement-group/README.md
+++ b/modules/compute/proximity-placement-group/README.md
@@ -1,568 +1,7 @@
-# Proximity Placement Groups `[Microsoft.Compute/proximityPlacementGroups]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/compute/proximity-placement-group](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/compute/proximity-placement-group).** -This module deploys a Proximity Placement Group. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/compute/proximity-placement-group). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Compute/proximityPlacementGroups` | [2022-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Compute/2022-08-01/proximityPlacementGroups) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
- ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/compute.proximity-placement-group:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cppgmin' - params: { - // Required parameters - name: 'cppgmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "cppgmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cppgmax' - params: { - // Required parameters - name: 'cppgmax001' - // Non-required parameters - colocationStatus: { - code: 'ColocationStatus/Aligned' - displayStatus: 'Aligned' - level: 'Info' - message: 'I\'m a default error message' - } - enableDefaultTelemetry: '' - intent: { - vmSizes: [ - 'Standard_B1ms' - 'Standard_B4ms' - ] - } - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - TagA: 'Would you kindly...' - TagB: 'Tags for sale' - } - type: 'Standard' - zones: [ - '1' - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "cppgmax001" - }, - // Non-required parameters - "colocationStatus": { - "value": { - "code": "ColocationStatus/Aligned", - "displayStatus": "Aligned", - "level": "Info", - "message": "I\"m a default error message" - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "intent": { - "value": { - "vmSizes": [ - "Standard_B1ms", - "Standard_B4ms" - ] - } - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "hidden-title": "This is visible in the resource name", - "TagA": "Would you kindly...", - "TagB": "Tags for sale" - } - }, - "type": { - "value": "Standard" - }, - "zones": { - "value": [ - "1" - ] - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cppgwaf' - params: { - // Required parameters - name: 'cppgwaf001' - // Non-required parameters - colocationStatus: { - code: 'ColocationStatus/Aligned' - displayStatus: 'Aligned' - level: 'Info' - message: 'I\'m a default error message' - } - enableDefaultTelemetry: '' - intent: { - vmSizes: [ - 'Standard_B1ms' - 'Standard_B4ms' - ] - } - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - 'hidden-title': 'This is visible in the resource name' - TagA: 'Would you kindly...' - TagB: 'Tags for sale' - } - type: 'Standard' - zones: [ - '1' - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "cppgwaf001" - }, - // Non-required parameters - "colocationStatus": { - "value": { - "code": "ColocationStatus/Aligned", - "displayStatus": "Aligned", - "level": "Info", - "message": "I\"m a default error message" - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "intent": { - "value": { - "vmSizes": [ - "Standard_B1ms", - "Standard_B4ms" - ] - } - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "tags": { - "value": { - "hidden-title": "This is visible in the resource name", - "TagA": "Would you kindly...", - "TagB": "Tags for sale" - } - }, - "type": { - "value": "Standard" - }, - "zones": { - "value": [ - "1" - ] - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the proximity placement group that is being created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`colocationStatus`](#parameter-colocationstatus) | object | Describes colocation status of the Proximity Placement Group. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`intent`](#parameter-intent) | object | Specifies the user intent of the proximity placement group. | -| [`location`](#parameter-location) | string | Resource location. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`tags`](#parameter-tags) | object | Tags of the proximity placement group resource. | -| [`type`](#parameter-type) | string | Specifies the type of the proximity placement group. | -| [`zones`](#parameter-zones) | array | Specifies the Availability Zone where virtual machine, virtual machine scale set or availability set associated with the proximity placement group can be created. | - -### Parameter: `name` - -The name of the proximity placement group that is being created. - -- Required: Yes -- Type: string - -### Parameter: `colocationStatus` - -Describes colocation status of the Proximity Placement Group. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `intent` - -Specifies the user intent of the proximity placement group. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `location` - -Resource location. 
- -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. 
| -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Tags of the proximity placement group resource. - -- Required: No -- Type: object - -### Parameter: `type` - -Specifies the type of the proximity placement group. - -- Required: No -- Type: string -- Default: `'Standard'` -- Allowed: - ```Bicep - [ - 'Standard' - 'Ultra' - ] - ``` - -### Parameter: `zones` - -Specifies the Availability Zone where virtual machine, virtual machine scale set or availability set associated with the proximity placement group can be created. - -- Required: No -- Type: array -- Default: `[]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the proximity placement group. | -| `resourceGroupName` | string | The resource group the proximity placement group was deployed into. | -| `resourceId` | string | The resourceId the proximity placement group. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/compute/proximity-placement-group/main.bicep b/modules/compute/proximity-placement-group/main.bicep deleted file mode 100644 index 45047683d4..0000000000 --- a/modules/compute/proximity-placement-group/main.bicep +++ /dev/null 
@@ -1,139 +0,0 @@ -metadata name = 'Proximity Placement Groups' -metadata description = 'This module deploys a Proximity Placement Group.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. The name of the proximity placement group that is being created.') -param name string - -@description('Optional. Specifies the type of the proximity placement group.') -@allowed([ - 'Standard' - 'Ultra' -]) -param type string = 'Standard' - -@description('Optional. Resource location.') -param location string = resourceGroup().location - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. Tags of the proximity placement group resource.') -param tags object? - -@description('Optional. Specifies the Availability Zone where virtual machine, virtual machine scale set or availability set associated with the proximity placement group can be created.') -param zones array = [] - -@description('Optional. Describes colocation status of the Proximity Placement Group.') -param colocationStatus object = {} - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. 
Specifies the user intent of the proximity placement group.') -param intent object = {} - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource proximityPlacementGroup 'Microsoft.Compute/proximityPlacementGroups@2022-08-01' = { - name: name - location: location - tags: tags - zones: zones - properties: { - proximityPlacementGroupType: type - colocationStatus: colocationStatus - intent: !empty(intent) ? intent : null - } -} - -resource proximityPlacementGroup_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' 
- } - scope: proximityPlacementGroup -} - -resource proximityPlacementGroup_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(proximityPlacementGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: proximityPlacementGroup -}] - -@description('The name of the proximity placement group.') -output name string = proximityPlacementGroup.name - -@description('The resourceId the proximity placement group.') -output resourceId string = proximityPlacementGroup.id - -@description('The resource group the proximity placement group was deployed into.') -output resourceGroupName string = resourceGroup().name - -@description('The location the resource was deployed into.') -output location string = proximityPlacementGroup.location - -// =============== // -// Definitions // -// =============== // - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. 
The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? diff --git a/modules/compute/proximity-placement-group/main.json b/modules/compute/proximity-placement-group/main.json deleted file mode 100644 index 6d3f4e9580..0000000000 --- a/modules/compute/proximity-placement-group/main.json +++ /dev/null 
@@ -1,285 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "1474026739792714088" - }, - "name": "Proximity Placement Groups", - "description": "This module deploys a Proximity Placement Group.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the proximity placement group that is being created." - } - }, - "type": { - "type": "string", - "defaultValue": "Standard", - "allowedValues": [ - "Standard", - "Ultra" - ], - "metadata": { - "description": "Optional. Specifies the type of the proximity placement group." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Resource location." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the proximity placement group resource." - } - }, - "zones": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. 
Specifies the Availability Zone where virtual machine, virtual machine scale set or availability set associated with the proximity placement group can be created." - } - }, - "colocationStatus": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Describes colocation status of the Proximity Placement Group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "intent": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Specifies the user intent of the proximity placement group." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "proximityPlacementGroup": { - 
"type": "Microsoft.Compute/proximityPlacementGroups", - "apiVersion": "2022-08-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "zones": "[parameters('zones')]", - "properties": { - "proximityPlacementGroupType": "[parameters('type')]", - "colocationStatus": "[parameters('colocationStatus')]", - "intent": "[if(not(empty(parameters('intent'))), parameters('intent'), null())]" - } - }, - "proximityPlacementGroup_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Compute/proximityPlacementGroups/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "proximityPlacementGroup" - ] - }, - "proximityPlacementGroup_roleAssignments": { - "copy": { - "name": "proximityPlacementGroup_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Compute/proximityPlacementGroups/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Compute/proximityPlacementGroups', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "proximityPlacementGroup" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the proximity placement group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resourceId the proximity placement group." 
- }, - "value": "[resourceId('Microsoft.Compute/proximityPlacementGroups', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the proximity placement group was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('proximityPlacementGroup', '2022-08-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/compute/proximity-placement-group/tests/e2e/defaults/main.test.bicep b/modules/compute/proximity-placement-group/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 9ac35b31d9..0000000000 --- a/modules/compute/proximity-placement-group/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-compute.proximityplacementgroups-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cppgmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/compute/proximity-placement-group/tests/e2e/max/dependencies.bicep b/modules/compute/proximity-placement-group/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/compute/proximity-placement-group/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/compute/proximity-placement-group/tests/e2e/max/main.test.bicep b/modules/compute/proximity-placement-group/tests/e2e/max/main.test.bicep
deleted file mode 100644
index a0e4f0cbc6..0000000000
--- a/modules/compute/proximity-placement-group/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,99 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-compute.proximityplacementgroups-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cppgmax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - 
principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - zones: [ - '1' - ] - type: 'Standard' - tags: { - 'hidden-title': 'This is visible in the resource name' - TagA: 'Would you kindly...' - TagB: 'Tags for sale' - } - colocationStatus: { - code: 'ColocationStatus/Aligned' - displayStatus: 'Aligned' - level: 'Info' - message: 'I\'m a default error message' - } - intent: { - vmSizes: [ - 'Standard_B1ms' - 'Standard_B4ms' - ] - } - } -}] diff --git a/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/dependencies.bicep b/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/dependencies.bicep deleted file mode 100644 index a7f42aee7b..0000000000 --- a/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null @@ -1,13 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId 
diff --git a/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index db7c9800b0..0000000000
--- a/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,82 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-compute.proximityplacementgroups-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cppgwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - zones: [ - '1' - ] - type: 'Standard' - 
tags: { - 'hidden-title': 'This is visible in the resource name' - TagA: 'Would you kindly...' - TagB: 'Tags for sale' - } - colocationStatus: { - code: 'ColocationStatus/Aligned' - displayStatus: 'Aligned' - level: 'Info' - message: 'I\'m a default error message' - } - intent: { - vmSizes: [ - 'Standard_B1ms' - 'Standard_B4ms' - ] - } - } -}] diff --git a/modules/compute/proximity-placement-group/version.json b/modules/compute/proximity-placement-group/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/compute/proximity-placement-group/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/compute/ssh-public-key/MOVED-TO-AVM.md b/modules/compute/ssh-public-key/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/compute/ssh-public-key/MOVED-TO-AVM.md +++ /dev/null @@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/compute/ssh-public-key/README.md b/modules/compute/ssh-public-key/README.md index 509a83961d..c137535989 100644 --- a/modules/compute/ssh-public-key/README.md +++ b/modules/compute/ssh-public-key/README.md @@ -1,384 +1,7 @@ -# Public SSH Keys `[Microsoft.Compute/sshPublicKeys]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/compute/ssh-public-key](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/compute/ssh-public-key).** -This module deploys a Public SSH Key. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/compute/ssh-public-key). -> Note: The resource does not auto-generate the key for you. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Compute/sshPublicKeys` | [2022-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Compute/2022-08-01/sshPublicKeys) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
- ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/compute.ssh-public-key:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module sshPublicKey 'br:bicep/modules/compute.ssh-public-key:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cspkmin' - params: { - // Required parameters - name: 'cspkmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "cspkmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module sshPublicKey 'br:bicep/modules/compute.ssh-public-key:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cspkmax' - params: { - // Required parameters - name: 'sshkey-cspkmax001' - // Non-required parameters - enableDefaultTelemetry: '' - publicKey: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "sshkey-cspkmax001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "publicKey": { - "value": "" - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module sshPublicKey 'br:bicep/modules/compute.ssh-public-key:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cspkwaf' - params: { - // Required parameters - name: 'sshkey-cspkwaf001' - // Non-required parameters - enableDefaultTelemetry: '' - publicKey: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "sshkey-cspkwaf001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "publicKey": { - "value": "" - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the SSH public Key that is being created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Resource location. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`publicKey`](#parameter-publickey) | string | SSH public key used to authenticate to a virtual machine through SSH. If this property is not initially provided when the resource is created, the publicKey property will be populated when generateKeyPair is called. If the public key is provided upon resource creation, the provided public key needs to be at least 2048-bit and in ssh-rsa format. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`tags`](#parameter-tags) | object | Tags of the availability set resource. | - -### Parameter: `name` - -The name of the SSH public Key that is being created. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Resource location. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. 
- -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `publicKey` - -SSH public key used to authenticate to a virtual machine through SSH. If this property is not initially provided when the resource is created, the publicKey property will be populated when generateKeyPair is called. If the public key is provided upon resource creation, the provided public key needs to be at least 2048-bit and in ssh-rsa format. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
| - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. 
- -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Tags of the availability set resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the Public SSH Key. | -| `resourceGroupName` | string | The name of the Resource Group the Public SSH Key was created in. | -| `resourceId` | string | The resource ID of the Public SSH Key. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/compute/ssh-public-key/main.bicep b/modules/compute/ssh-public-key/main.bicep deleted file mode 100644 index 42728721ff..0000000000 --- a/modules/compute/ssh-public-key/main.bicep +++ /dev/null 
@@ -1,125 +0,0 @@
-metadata name = 'Public SSH Keys'
-metadata description = '''This module deploys a Public SSH Key.
-
-> Note: The resource does not auto-generate the key for you.'''
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the SSH public Key that is being created.')
-param name string
-
-@description('Optional. Resource location.')
-param location string = resourceGroup().location
-
-@description('Optional. SSH public key used to authenticate to a virtual machine through SSH. If this property is not initially provided when the resource is created, the publicKey property will be populated when generateKeyPair is called. If the public key is provided upon resource creation, the provided public key needs to be at least 2048-bit and in ssh-rsa format.')
-param publicKey string = ''
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Tags of the availability set resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource sshPublicKey 'Microsoft.Compute/sshPublicKeys@2022-08-01' = {
- name: name
- location: location
- tags: tags
- properties: {
- publicKey: !empty(publicKey) ? publicKey : null
- }
-}
-
-resource sshPublicKey_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: sshPublicKey
-}
-
-resource sshPublicKey_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(sshPublicKey.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: sshPublicKey
-}]
-
-@description('The name of the Resource Group the Public SSH Key was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The resource ID of the Public SSH Key.')
-output resourceId string = sshPublicKey.id
-
-@description('The name of the Public SSH Key.')
-output name string = sshPublicKey.name
-
-@description('The location the resource was deployed into.')
-output location string = sshPublicKey.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/compute/ssh-public-key/main.json b/modules/compute/ssh-public-key/main.json
deleted file mode 100644
index bf19a6c816..0000000000
--- a/modules/compute/ssh-public-key/main.json
+++ /dev/null
@@ -1,257 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5802465844150331034" - }, - "name": "Public SSH Keys", - "description": "This module deploys a Public SSH Key.\r\n\r\n> Note: The resource does not auto-generate the key for you.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the SSH public Key that is being created." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Resource location." - } - }, - "publicKey": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. SSH public key used to authenticate to a virtual machine through SSH. If this property is not initially provided when the resource is created, the publicKey property will be populated when generateKeyPair is called. If the public key is provided upon resource creation, the provided public key needs to be at least 2048-bit and in ssh-rsa format." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the availability set resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "sshPublicKey": { - "type": "Microsoft.Compute/sshPublicKeys", - "apiVersion": "2022-08-01", - "name": "[parameters('name')]", - "location": 
"[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "publicKey": "[if(not(empty(parameters('publicKey'))), parameters('publicKey'), null())]" - } - }, - "sshPublicKey_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Compute/sshPublicKeys/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "sshPublicKey" - ] - }, - "sshPublicKey_roleAssignments": { - "copy": { - "name": "sshPublicKey_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Compute/sshPublicKeys/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Compute/sshPublicKeys', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "sshPublicKey" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the Public SSH Key was created in." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Public SSH Key." - }, - "value": "[resourceId('Microsoft.Compute/sshPublicKeys', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the Public SSH Key." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('sshPublicKey', '2022-08-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/compute/ssh-public-key/tests/e2e/defaults/main.test.bicep b/modules/compute/ssh-public-key/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index c0e78b3fd3..0000000000 --- a/modules/compute/ssh-public-key/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,48 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-compute.sshPublicKeys-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cspkmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}001'
- }
-}]
diff --git a/modules/compute/ssh-public-key/tests/e2e/max/dependencies.bicep b/modules/compute/ssh-public-key/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 13a584595b..0000000000
--- a/modules/compute/ssh-public-key/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,61 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Optional. Name of the Deployment Script that creates the SSH Public Key.')
-param generateSshPubKeyScriptName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. Name of the temporary SSH Public Key to create for test.')
-param sshKeyName string
-
-@description('Optional. Do not provide a value. Used to force the deployment script to rerun on every redeployment.')
-param utcValue string = utcNow()
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-// required for the deployment script to create a new temporary ssh public key object
-resource msi_ContributorRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(resourceGroup().id, 'ManagedIdentityContributor', '[[namePrefix]]')
- properties: {
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor
- principalId: managedIdentity.properties.principalId
- principalType: 'ServicePrincipal'
- }
-}
-
-resource createPubKeyScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
- name: generateSshPubKeyScriptName
- location: location
- kind: 'AzurePowerShell'
- identity: {
- type: 'UserAssigned'
- userAssignedIdentities: {
- '${managedIdentity.id}': {}
- }
- }
- properties: {
- azPowerShellVersion: '8.0'
- retentionInterval: 'P1D'
- arguments: '-ResourceGroupName ${resourceGroup().name} -SSHKeyName ${sshKeyName}'
- scriptContent: loadTextContent('../../../../../.shared/.scripts/New-SSHKey.ps1')
- cleanupPreference: 'OnExpiration'
- forceUpdateTag: utcValue
- }
- dependsOn: [
- msi_ContributorRoleAssignment
- ]
-}
-
-@description('The public key to be added to the SSH Public Key resource.')
-output publicKey string = createPubKeyScript.properties.outputs.publicKey
-
-@description('The resource ID of the managed Identity')
-output managedIdentityId string = managedIdentity.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/compute/ssh-public-key/tests/e2e/max/main.test.bicep b/modules/compute/ssh-public-key/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 5913288f41..0000000000
--- a/modules/compute/ssh-public-key/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,61 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-compute.sshPublicKeys-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-@maxLength(7)
-param serviceShort string = 'cspkmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- generateSshPubKeyScriptName: 'dep-${namePrefix}-ds-${serviceShort}-generateSshPubKey'
- sshKeyName: 'dep-${namePrefix}-ssh-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-sshkey-${serviceShort}001'
- publicKey: nestedDependencies.outputs.publicKey
- }
-}]
diff --git a/modules/compute/ssh-public-key/tests/e2e/waf-aligned/dependencies.bicep b/modules/compute/ssh-public-key/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 13a584595b..0000000000
--- a/modules/compute/ssh-public-key/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,61 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Optional. Name of the Deployment Script that creates the SSH Public Key.')
-param generateSshPubKeyScriptName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. Name of the temporary SSH Public Key to create for test.')
-param sshKeyName string
-
-@description('Optional. Do not provide a value. Used to force the deployment script to rerun on every redeployment.')
-param utcValue string = utcNow()
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-// required for the deployment script to create a new temporary ssh public key object
-resource msi_ContributorRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(resourceGroup().id, 'ManagedIdentityContributor', '[[namePrefix]]')
- properties: {
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor
- principalId: managedIdentity.properties.principalId
- principalType: 'ServicePrincipal'
- }
-}
-
-resource createPubKeyScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
- name: generateSshPubKeyScriptName
- location: location
- kind: 'AzurePowerShell'
- identity: {
- type: 'UserAssigned'
- userAssignedIdentities: {
- '${managedIdentity.id}': {}
- }
- }
- properties: {
- azPowerShellVersion: '8.0'
- retentionInterval: 'P1D'
- arguments: '-ResourceGroupName ${resourceGroup().name} -SSHKeyName ${sshKeyName}'
- scriptContent: loadTextContent('../../../../../.shared/.scripts/New-SSHKey.ps1')
- cleanupPreference: 'OnExpiration'
- forceUpdateTag: utcValue
- }
- dependsOn: [
- msi_ContributorRoleAssignment
- ]
-}
-
-@description('The public key to be added to the SSH Public Key resource.')
-output publicKey string = createPubKeyScript.properties.outputs.publicKey
-
-@description('The resource ID of the managed Identity')
-output managedIdentityId string = managedIdentity.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/compute/ssh-public-key/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/ssh-public-key/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 38825503d4..0000000000
--- a/modules/compute/ssh-public-key/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,61 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-compute.sshPublicKeys-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-@maxLength(7)
-param serviceShort string = 'cspkwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- generateSshPubKeyScriptName: 'dep-${namePrefix}-ds-${serviceShort}-generateSshPubKey'
- sshKeyName: 'dep-${namePrefix}-ssh-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-sshkey-${serviceShort}001'
- publicKey: nestedDependencies.outputs.publicKey
- }
-}]
diff --git a/modules/compute/ssh-public-key/version.json b/modules/compute/ssh-public-key/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/compute/ssh-public-key/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/compute/virtual-machine-scale-set/README.md b/modules/compute/virtual-machine-scale-set/README.md
index 6856cbc7f1..1184774517 100644
--- a/modules/compute/virtual-machine-scale-set/README.md
+++ b/modules/compute/virtual-machine-scale-set/README.md
@@ -1,2777 +1,7 @@
-# Virtual Machine Scale Sets `[Microsoft.Compute/virtualMachineScaleSets]`
+

⚠️ Moved to AVM ⚠️

-This module deploys a Virtual Machine Scale Set. +**This module has been evolved into the following AVM module: [avm/res/compute/virtual-machine-scale-set](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/compute/virtual-machine-scale-set).** -## Navigation +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/compute/virtual-machine-scale-set). -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Compute/virtualMachineScaleSets` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Compute/2022-11-01/virtualMachineScaleSets) | -| `Microsoft.Compute/virtualMachineScaleSets/extensions` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Compute/2022-11-01/virtualMachineScaleSets/extensions) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. 
- ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/compute.virtual-machine-scale-set:1.0.0`. - -- [Linux.Min](#example-1-linuxmin) -- [Linux.Ssecmk](#example-2-linuxssecmk) -- [Linux](#example-3-linux) -- [Windows.Min](#example-4-windowsmin) -- [Windows](#example-5-windows) - -### Example 1: _Linux.Min_ - -
- -via Bicep module - -```bicep -module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-set:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cvmsslinmin' - params: { - // Required parameters - adminUsername: 'scaleSetAdmin' - imageReference: { - offer: '0001-com-ubuntu-server-jammy' - publisher: 'Canonical' - sku: '22_04-lts-gen2' - version: 'latest' - } - name: 'cvmsslinmin001' - osDisk: { - createOption: 'fromImage' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - osType: 'Linux' - skuName: 'Standard_B12ms' - // Non-required parameters - disablePasswordAuthentication: true - enableDefaultTelemetry: '' - nicConfigurations: [ - { - ipConfigurations: [ - { - name: 'ipconfig1' - properties: { - subnet: { - id: '' - } - } - } - ] - nicSuffix: '-nic01' - } - ] - publicKeys: [ - { - keyData: '' - path: '/home/scaleSetAdmin/.ssh/authorized_keys' - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "adminUsername": { - "value": "scaleSetAdmin" - }, - "imageReference": { - "value": { - "offer": "0001-com-ubuntu-server-jammy", - "publisher": "Canonical", - "sku": "22_04-lts-gen2", - "version": "latest" - } - }, - "name": { - "value": "cvmsslinmin001" - }, - "osDisk": { - "value": { - "createOption": "fromImage", - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } - } - }, - "osType": { - "value": "Linux" - }, - "skuName": { - "value": "Standard_B12ms" - }, - // Non-required parameters - "disablePasswordAuthentication": { - "value": true - }, - "enableDefaultTelemetry": { - "value": "" - }, - "nicConfigurations": { - "value": [ - { - "ipConfigurations": [ - { - "name": "ipconfig1", - "properties": { - "subnet": { - "id": "" - } - } - } - ], - "nicSuffix": "-nic01" - } - ] - }, - "publicKeys": { - "value": [ - { - "keyData": "", - "path": "/home/scaleSetAdmin/.ssh/authorized_keys" - } - ] - } - } -} -``` - -
-

- -### Example 2: _Linux.Ssecmk_ - -

- -via Bicep module - -```bicep -module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-set:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cvmsslcmk' - params: { - // Required parameters - adminUsername: 'scaleSetAdmin' - imageReference: { - offer: '0001-com-ubuntu-server-jammy' - publisher: 'Canonical' - sku: '22_04-lts-gen2' - version: 'latest' - } - name: 'cvmsslcmk001' - osDisk: { - createOption: 'fromImage' - diskSizeGB: '128' - managedDisk: { - diskEncryptionSet: { - id: '' - } - storageAccountType: 'Premium_LRS' - } - } - osType: 'Linux' - skuName: 'Standard_B12ms' - // Non-required parameters - dataDisks: [ - { - caching: 'ReadOnly' - createOption: 'Empty' - diskSizeGB: '128' - managedDisk: { - diskEncryptionSet: { - id: '' - } - storageAccountType: 'Premium_LRS' - } - } - ] - disablePasswordAuthentication: true - enableDefaultTelemetry: '' - extensionMonitoringAgentConfig: { - enabled: true - } - location: '' - nicConfigurations: [ - { - ipConfigurations: [ - { - name: 'ipconfig1' - properties: { - subnet: { - id: '' - } - } - } - ] - nicSuffix: '-nic01' - } - ] - publicKeys: [ - { - keyData: '' - path: '/home/scaleSetAdmin/.ssh/authorized_keys' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "adminUsername": { - "value": "scaleSetAdmin" - }, - "imageReference": { - "value": { - "offer": "0001-com-ubuntu-server-jammy", - "publisher": "Canonical", - "sku": "22_04-lts-gen2", - "version": "latest" - } - }, - "name": { - "value": "cvmsslcmk001" - }, - "osDisk": { - "value": { - "createOption": "fromImage", - "diskSizeGB": "128", - "managedDisk": { - "diskEncryptionSet": { - "id": "" - }, - "storageAccountType": "Premium_LRS" - } - } - }, - "osType": { - "value": "Linux" - }, - "skuName": { - "value": "Standard_B12ms" - }, - // Non-required parameters - "dataDisks": { - "value": [ - { - "caching": "ReadOnly", - "createOption": "Empty", - "diskSizeGB": "128", - "managedDisk": { - "diskEncryptionSet": { - "id": "" - }, - "storageAccountType": "Premium_LRS" - } - } - ] - }, - "disablePasswordAuthentication": { - "value": true - }, - "enableDefaultTelemetry": { - "value": "" - }, - "extensionMonitoringAgentConfig": { - "value": { - "enabled": true - } - }, - "location": { - "value": "" - }, - "nicConfigurations": { - "value": [ - { - "ipConfigurations": [ - { - "name": "ipconfig1", - "properties": { - "subnet": { - "id": "" - } - } - } - ], - "nicSuffix": "-nic01" - } - ] - }, - "publicKeys": { - "value": [ - { - "keyData": "", - "path": "/home/scaleSetAdmin/.ssh/authorized_keys" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _Linux_ - -

- -via Bicep module - -```bicep -module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-set:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cvmsslin' - params: { - // Required parameters - adminUsername: 'scaleSetAdmin' - imageReference: { - offer: '0001-com-ubuntu-server-jammy' - publisher: 'Canonical' - sku: '22_04-lts-gen2' - version: 'latest' - } - name: 'cvmsslin001' - osDisk: { - createOption: 'fromImage' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - osType: 'Linux' - skuName: 'Standard_B12ms' - // Non-required parameters - availabilityZones: [ - '2' - ] - bootDiagnosticStorageAccountName: '' - dataDisks: [ - { - caching: 'ReadOnly' - createOption: 'Empty' - diskSizeGB: '256' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - { - caching: 'ReadOnly' - createOption: 'Empty' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - disablePasswordAuthentication: true - enableDefaultTelemetry: '' - encryptionAtHost: false - extensionAzureDiskEncryptionConfig: { - enabled: true - settings: { - EncryptionOperation: 'EnableEncryption' - KekVaultResourceId: '' - KeyEncryptionAlgorithm: 'RSA-OAEP' - KeyEncryptionKeyURL: '' - KeyVaultResourceId: '' - KeyVaultURL: '' - ResizeOSDisk: 'false' - VolumeType: 'All' - } - } - extensionCustomScriptConfig: { - enabled: true - fileData: [ - { - storageAccountId: '' - uri: '' - } - ] - protectedSettings: { - commandToExecute: 'sudo apt-get update' - } - } - extensionDependencyAgentConfig: { - enabled: true - } - extensionMonitoringAgentConfig: { - enabled: true - } - extensionNetworkWatcherAgentConfig: { - enabled: true - } - lock: { - kind: 'CanNotDelete' - name: 
'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - nicConfigurations: [ - { - ipConfigurations: [ - { - name: 'ipconfig1' - properties: { - subnet: { - id: '' - } - } - } - ] - nicSuffix: '-nic01' - } - ] - publicKeys: [ - { - keyData: '' - path: '/home/scaleSetAdmin/.ssh/authorized_keys' - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - scaleSetFaultDomain: 1 - skuCapacity: 1 - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - upgradePolicyMode: 'Manual' - vmNamePrefix: 'vmsslinvm' - vmPriority: 'Regular' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "adminUsername": { - "value": "scaleSetAdmin" - }, - "imageReference": { - "value": { - "offer": "0001-com-ubuntu-server-jammy", - "publisher": "Canonical", - "sku": "22_04-lts-gen2", - "version": "latest" - } - }, - "name": { - "value": "cvmsslin001" - }, - "osDisk": { - "value": { - "createOption": "fromImage", - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } - } - }, - "osType": { - "value": "Linux" - }, - "skuName": { - "value": "Standard_B12ms" - }, - // Non-required parameters - "availabilityZones": { - "value": [ - "2" - ] - }, - "bootDiagnosticStorageAccountName": { - "value": "" - }, - "dataDisks": { - "value": [ - { - "caching": "ReadOnly", - "createOption": "Empty", - "diskSizeGB": "256", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } - }, - { - "caching": "ReadOnly", - "createOption": "Empty", - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "disablePasswordAuthentication": { - "value": true - }, - "enableDefaultTelemetry": { - "value": "" - }, - "encryptionAtHost": { - "value": false - }, - "extensionAzureDiskEncryptionConfig": { - "value": { - "enabled": true, - "settings": { - "EncryptionOperation": "EnableEncryption", - "KekVaultResourceId": "", - "KeyEncryptionAlgorithm": "RSA-OAEP", - "KeyEncryptionKeyURL": "", - "KeyVaultResourceId": "", - "KeyVaultURL": "", - "ResizeOSDisk": "false", - "VolumeType": "All" - } - } - }, - "extensionCustomScriptConfig": { - "value": { - 
"enabled": true, - "fileData": [ - { - "storageAccountId": "", - "uri": "" - } - ], - "protectedSettings": { - "commandToExecute": "sudo apt-get update" - } - } - }, - "extensionDependencyAgentConfig": { - "value": { - "enabled": true - } - }, - "extensionMonitoringAgentConfig": { - "value": { - "enabled": true - } - }, - "extensionNetworkWatcherAgentConfig": { - "value": { - "enabled": true - } - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "nicConfigurations": { - "value": [ - { - "ipConfigurations": [ - { - "name": "ipconfig1", - "properties": { - "subnet": { - "id": "" - } - } - } - ], - "nicSuffix": "-nic01" - } - ] - }, - "publicKeys": { - "value": [ - { - "keyData": "", - "path": "/home/scaleSetAdmin/.ssh/authorized_keys" - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "scaleSetFaultDomain": { - "value": 1 - }, - "skuCapacity": { - "value": 1 - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "upgradePolicyMode": { - "value": "Manual" - }, - "vmNamePrefix": { - "value": "vmsslinvm" - }, - "vmPriority": { - "value": "Regular" - } - } -} -``` - -
-

- -### Example 4: _Windows.Min_ - -

- -via Bicep module - -```bicep -module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-set:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cvmsswinmin' - params: { - // Required parameters - adminUsername: 'localAdminUser' - imageReference: { - offer: 'WindowsServer' - publisher: 'MicrosoftWindowsServer' - sku: '2022-datacenter-azure-edition' - version: 'latest' - } - name: 'cvmsswinmin001' - osDisk: { - createOption: 'fromImage' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - osType: 'Windows' - skuName: 'Standard_B12ms' - // Non-required parameters - adminPassword: '' - enableDefaultTelemetry: '' - nicConfigurations: [ - { - ipConfigurations: [ - { - name: 'ipconfig1' - properties: { - subnet: { - id: '' - } - } - } - ] - nicSuffix: '-nic01' - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "adminUsername": { - "value": "localAdminUser" - }, - "imageReference": { - "value": { - "offer": "WindowsServer", - "publisher": "MicrosoftWindowsServer", - "sku": "2022-datacenter-azure-edition", - "version": "latest" - } - }, - "name": { - "value": "cvmsswinmin001" - }, - "osDisk": { - "value": { - "createOption": "fromImage", - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } - } - }, - "osType": { - "value": "Windows" - }, - "skuName": { - "value": "Standard_B12ms" - }, - // Non-required parameters - "adminPassword": { - "value": "" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "nicConfigurations": { - "value": [ - { - "ipConfigurations": [ - { - "name": "ipconfig1", - "properties": { - "subnet": { - "id": "" - } - } - } - ], - "nicSuffix": "-nic01" - } - ] - } - } -} -``` - -
-

- -### Example 5: _Windows_ - -

- -via Bicep module - -```bicep -module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-set:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cvmsswin' - params: { - // Required parameters - adminUsername: 'localAdminUser' - imageReference: { - offer: 'WindowsServer' - publisher: 'MicrosoftWindowsServer' - sku: '2022-datacenter-azure-edition' - version: 'latest' - } - name: 'cvmsswin001' - osDisk: { - createOption: 'fromImage' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - osType: 'Windows' - skuName: 'Standard_B12ms' - // Non-required parameters - adminPassword: '' - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - encryptionAtHost: false - extensionAntiMalwareConfig: { - enabled: true - settings: { - AntimalwareEnabled: true - Exclusions: { - Extensions: '.log;.ldf' - Paths: 'D:\\IISlogs;D:\\DatabaseLogs' - Processes: 'mssence.svc' - } - RealtimeProtectionEnabled: true - ScheduledScanSettings: { - day: '7' - isEnabled: 'true' - scanType: 'Quick' - time: '120' - } - } - } - extensionAzureDiskEncryptionConfig: { - enabled: true - settings: { - EncryptionOperation: 'EnableEncryption' - KekVaultResourceId: '' - KeyEncryptionAlgorithm: 'RSA-OAEP' - KeyEncryptionKeyURL: '' - KeyVaultResourceId: '' - KeyVaultURL: '' - ResizeOSDisk: 'false' - VolumeType: 'All' - } - } - extensionCustomScriptConfig: { - enabled: true - fileData: [ - { - storageAccountId: '' - uri: '' - } - ] - protectedSettings: { - commandToExecute: '' - } - } - extensionDependencyAgentConfig: { - enabled: true - } - extensionDSCConfig: { - enabled: true - } - extensionMonitoringAgentConfig: { - enabled: true - } - extensionNetworkWatcherAgentConfig: { - enabled: true - } - lock: { - kind: 'CanNotDelete' - name: 
'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - nicConfigurations: [ - { - ipConfigurations: [ - { - name: 'ipconfig1' - properties: { - subnet: { - id: '' - } - } - } - ] - nicSuffix: '-nic01' - } - ] - proximityPlacementGroupResourceId: '' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - skuCapacity: 1 - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - upgradePolicyMode: 'Manual' - vmNamePrefix: 'vmsswinvm' - vmPriority: 'Regular' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "adminUsername": { - "value": "localAdminUser" - }, - "imageReference": { - "value": { - "offer": "WindowsServer", - "publisher": "MicrosoftWindowsServer", - "sku": "2022-datacenter-azure-edition", - "version": "latest" - } - }, - "name": { - "value": "cvmsswin001" - }, - "osDisk": { - "value": { - "createOption": "fromImage", - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } - } - }, - "osType": { - "value": "Windows" - }, - "skuName": { - "value": "Standard_B12ms" - }, - // Non-required parameters - "adminPassword": { - "value": "" - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "encryptionAtHost": { - "value": false - }, - "extensionAntiMalwareConfig": { - "value": { - "enabled": true, - "settings": { - "AntimalwareEnabled": true, - "Exclusions": { - "Extensions": ".log;.ldf", - "Paths": "D:\\IISlogs;D:\\DatabaseLogs", - "Processes": "mssence.svc" - }, - "RealtimeProtectionEnabled": true, - "ScheduledScanSettings": { - "day": "7", - "isEnabled": "true", - "scanType": "Quick", - "time": "120" - } - } - } - }, - "extensionAzureDiskEncryptionConfig": { - "value": { - "enabled": true, - "settings": { - "EncryptionOperation": "EnableEncryption", - "KekVaultResourceId": "", - "KeyEncryptionAlgorithm": "RSA-OAEP", - "KeyEncryptionKeyURL": "", - "KeyVaultResourceId": "", - "KeyVaultURL": "", - "ResizeOSDisk": "false", - "VolumeType": "All" - } - } - }, - "extensionCustomScriptConfig": { - "value": { - "enabled": true, - "fileData": [ - { - 
"storageAccountId": "", - "uri": "" - } - ], - "protectedSettings": { - "commandToExecute": "" - } - } - }, - "extensionDependencyAgentConfig": { - "value": { - "enabled": true - } - }, - "extensionDSCConfig": { - "value": { - "enabled": true - } - }, - "extensionMonitoringAgentConfig": { - "value": { - "enabled": true - } - }, - "extensionNetworkWatcherAgentConfig": { - "value": { - "enabled": true - } - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "nicConfigurations": { - "value": [ - { - "ipConfigurations": [ - { - "name": "ipconfig1", - "properties": { - "subnet": { - "id": "" - } - } - } - ], - "nicSuffix": "-nic01" - } - ] - }, - "proximityPlacementGroupResourceId": { - "value": "" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "skuCapacity": { - "value": 1 - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "upgradePolicyMode": { - "value": "Manual" - }, - "vmNamePrefix": { - "value": "vmsswinvm" - }, - "vmPriority": { - "value": "Regular" - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`adminUsername`](#parameter-adminusername) | securestring | Administrator username. | -| [`imageReference`](#parameter-imagereference) | object | OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image. | -| [`name`](#parameter-name) | string | Name of the VMSS. | -| [`nicConfigurations`](#parameter-nicconfigurations) | array | Configures NICs and PIPs. | -| [`osDisk`](#parameter-osdisk) | object | Specifies the OS disk. For security reasons, it is recommended to specify DiskEncryptionSet into the osDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets. | -| [`osType`](#parameter-ostype) | string | The chosen OS type. | -| [`skuName`](#parameter-skuname) | string | The SKU size of the VMs. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`additionalUnattendContent`](#parameter-additionalunattendcontent) | array | Specifies additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup. - AdditionalUnattendContent object. | -| [`adminPassword`](#parameter-adminpassword) | securestring | When specifying a Windows Virtual Machine, this value should be passed. | -| [`automaticRepairsPolicyEnabled`](#parameter-automaticrepairspolicyenabled) | bool | Specifies whether automatic repairs should be enabled on the virtual machine scale set. | -| [`availabilityZones`](#parameter-availabilityzones) | array | The virtual machine scale set zones. NOTE: Availability zones can only be set when you create the scale set. 
| -| [`bootDiagnosticStorageAccountName`](#parameter-bootdiagnosticstorageaccountname) | string | Storage account used to store boot diagnostic information. Boot diagnostics will be disabled if no value is provided. | -| [`bootDiagnosticStorageAccountUri`](#parameter-bootdiagnosticstorageaccounturi) | string | Storage account boot diagnostic base URI. | -| [`customData`](#parameter-customdata) | string | Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format. | -| [`dataDisks`](#parameter-datadisks) | array | Specifies the data disks. For security reasons, it is recommended to specify DiskEncryptionSet into the dataDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`disableAutomaticRollback`](#parameter-disableautomaticrollback) | bool | Whether OS image rollback feature should be disabled. | -| [`disablePasswordAuthentication`](#parameter-disablepasswordauthentication) | bool | Specifies whether password authentication should be disabled. | -| [`doNotRunExtensionsOnOverprovisionedVMs`](#parameter-donotrunextensionsonoverprovisionedvms) | bool | When Overprovision is enabled, extensions are launched only on the requested number of VMs which are finally kept. This property will hence ensure that the extensions do not run on the extra overprovisioned VMs. | -| [`enableAutomaticOSUpgrade`](#parameter-enableautomaticosupgrade) | bool | Indicates whether OS upgrades should automatically be applied to scale set instances in a rolling fashion when a newer version of the OS image becomes available. Default value is false. If this is set to true for Windows based scale sets, enableAutomaticUpdates is automatically set to false and cannot be set to true. 
| -| [`enableAutomaticUpdates`](#parameter-enableautomaticupdates) | bool | Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`enableEvictionPolicy`](#parameter-enableevictionpolicy) | bool | Specifies the eviction policy for the low priority virtual machine. Will result in 'Deallocate' eviction policy. | -| [`encryptionAtHost`](#parameter-encryptionathost) | bool | This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to True. Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your virtual machine scale sets. | -| [`extensionAntiMalwareConfig`](#parameter-extensionantimalwareconfig) | object | The configuration for the [Anti Malware] extension. Must at least contain the ["enabled": true] property to be executed. | -| [`extensionAzureDiskEncryptionConfig`](#parameter-extensionazurediskencryptionconfig) | object | The configuration for the [Azure Disk Encryption] extension. Must at least contain the ["enabled": true] property to be executed. Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys. | -| [`extensionCustomScriptConfig`](#parameter-extensioncustomscriptconfig) | object | The configuration for the [Custom Script] extension. Must at least contain the ["enabled": true] property to be executed. 
| -| [`extensionDependencyAgentConfig`](#parameter-extensiondependencyagentconfig) | object | The configuration for the [Dependency Agent] extension. Must at least contain the ["enabled": true] property to be executed. | -| [`extensionDomainJoinConfig`](#parameter-extensiondomainjoinconfig) | object | The configuration for the [Domain Join] extension. Must at least contain the ["enabled": true] property to be executed. | -| [`extensionDomainJoinPassword`](#parameter-extensiondomainjoinpassword) | securestring | Required if name is specified. Password of the user specified in user parameter. | -| [`extensionDSCConfig`](#parameter-extensiondscconfig) | object | The configuration for the [Desired State Configuration] extension. Must at least contain the ["enabled": true] property to be executed. | -| [`extensionMonitoringAgentConfig`](#parameter-extensionmonitoringagentconfig) | object | The configuration for the [Monitoring Agent] extension. Must at least contain the ["enabled": true] property to be executed. | -| [`extensionNetworkWatcherAgentConfig`](#parameter-extensionnetworkwatcheragentconfig) | object | The configuration for the [Network Watcher Agent] extension. Must at least contain the ["enabled": true] property to be executed. | -| [`gracePeriod`](#parameter-graceperiod) | string | The amount of time for which automatic repairs are suspended due to a state change on VM. The grace time starts after the state change has completed. This helps avoid premature or accidental repairs. The time duration should be specified in ISO 8601 format. The minimum allowed grace period is 30 minutes (PT30M). The maximum allowed grace period is 90 minutes (PT90M). | -| [`licenseType`](#parameter-licensetype) | string | Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system. | -| [`location`](#parameter-location) | string | Location for all resources. 
|
-| [`lock`](#parameter-lock) | object | The lock settings of the service. |
-| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. |
-| [`maxBatchInstancePercent`](#parameter-maxbatchinstancepercent) | int | The maximum percent of total virtual machine instances that will be upgraded simultaneously by the rolling upgrade in one batch. As this is a maximum, unhealthy instances in previous or future batches can cause the percentage of instances in a batch to decrease to ensure higher reliability. |
-| [`maxPriceForLowPriorityVm`](#parameter-maxpriceforlowpriorityvm) | string | Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars. |
-| [`maxUnhealthyInstancePercent`](#parameter-maxunhealthyinstancepercent) | int | The maximum percentage of the total virtual machine instances in the scale set that can be simultaneously unhealthy, either as a result of being upgraded, or by being found in an unhealthy state by the virtual machine health checks before the rolling upgrade aborts. This constraint will be checked prior to starting any batch. |
-| [`maxUnhealthyUpgradedInstancePercent`](#parameter-maxunhealthyupgradedinstancepercent) | int | The maximum percentage of the total virtual machine instances in the scale set that can be simultaneously unhealthy, either as a result of being upgraded, or by being found in an unhealthy state by the virtual machine health checks before the rolling upgrade aborts. This constraint will be checked prior to starting any batch. |
-| [`monitoringWorkspaceId`](#parameter-monitoringworkspaceid) | string | Resource ID of the monitoring log analytics workspace. |
-| [`overprovision`](#parameter-overprovision) | bool | Specifies whether the Virtual Machine Scale Set should be overprovisioned.
| -| [`pauseTimeBetweenBatches`](#parameter-pausetimebetweenbatches) | string | The wait time between completing the update for all virtual machines in one batch and starting the next batch. The time duration should be specified in ISO 8601 format. | -| [`plan`](#parameter-plan) | object | Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use. | -| [`provisionVMAgent`](#parameter-provisionvmagent) | bool | Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later. | -| [`proximityPlacementGroupResourceId`](#parameter-proximityplacementgroupresourceid) | string | Resource ID of a proximity placement group. | -| [`publicKeys`](#parameter-publickeys) | array | The list of SSH public keys used to authenticate with linux based VMs. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`sasTokenValidityLength`](#parameter-sastokenvaliditylength) | string | SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. | -| [`scaleInPolicy`](#parameter-scaleinpolicy) | object | Specifies the scale-in policy that decides which virtual machines are chosen for removal when a Virtual Machine Scale Set is scaled-in. | -| [`scaleSetFaultDomain`](#parameter-scalesetfaultdomain) | int | Fault Domain count for each placement group. | -| [`scheduledEventsProfile`](#parameter-scheduledeventsprofile) | object | Specifies Scheduled Event related configurations. 
| -| [`secrets`](#parameter-secrets) | array | Specifies set of certificates that should be installed onto the virtual machines in the scale set. | -| [`secureBootEnabled`](#parameter-securebootenabled) | bool | Specifies whether secure boot should be enabled on the virtual machine scale set. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. | -| [`securityType`](#parameter-securitytype) | string | Specifies the SecurityType of the virtual machine scale set. It is set as TrustedLaunch to enable UefiSettings. | -| [`singlePlacementGroup`](#parameter-singleplacementgroup) | bool | When true this limits the scale set to a single placement group, of max size 100 virtual machines. NOTE: If singlePlacementGroup is true, it may be modified to false. However, if singlePlacementGroup is false, it may not be modified to true. | -| [`skuCapacity`](#parameter-skucapacity) | int | The initial instance count of scale set VMs. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`timeZone`](#parameter-timezone) | string | Specifies the time zone of the virtual machine. e.g. 'Pacific Standard Time'. Possible values can be `TimeZoneInfo.id` value from time zones returned by `TimeZoneInfo.GetSystemTimeZones`. | -| [`ultraSSDEnabled`](#parameter-ultrassdenabled) | bool | The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled. | -| [`upgradePolicyMode`](#parameter-upgradepolicymode) | string | Specifies the mode of an upgrade to virtual machines in the scale set.' Manual - You control the application of updates to virtual machines in the scale set. You do this by using the manualUpgrade action. 
; Automatic - All virtual machines in the scale set are automatically updated at the same time. - Automatic, Manual, Rolling. | -| [`vmNamePrefix`](#parameter-vmnameprefix) | string | Specifies the computer name prefix for all of the virtual machines in the scale set. | -| [`vmPriority`](#parameter-vmpriority) | string | Specifies the priority for the virtual machine. | -| [`vTpmEnabled`](#parameter-vtpmenabled) | bool | Specifies whether vTPM should be enabled on the virtual machine scale set. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. | -| [`winRM`](#parameter-winrm) | object | Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. - WinRMConfiguration object. | -| [`zoneBalance`](#parameter-zonebalance) | bool | Whether to force strictly even Virtual Machine distribution cross x-zones in case there is zone outage. | - -**Generated parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`baseTime`](#parameter-basetime) | string | Do not provide a value! This date value is used to generate a registration token. | - -### Parameter: `adminUsername` - -Administrator username. - -- Required: Yes -- Type: securestring - -### Parameter: `imageReference` - -OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image. - -- Required: Yes -- Type: object - -### Parameter: `name` - -Name of the VMSS. - -- Required: Yes -- Type: string - -### Parameter: `nicConfigurations` - -Configures NICs and PIPs. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `osDisk` - -Specifies the OS disk. For security reasons, it is recommended to specify DiskEncryptionSet into the osDisk object. 
Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets. - -- Required: Yes -- Type: object - -### Parameter: `osType` - -The chosen OS type. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Linux' - 'Windows' - ] - ``` - -### Parameter: `skuName` - -The SKU size of the VMs. - -- Required: Yes -- Type: string - -### Parameter: `additionalUnattendContent` - -Specifies additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup. - AdditionalUnattendContent object. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `adminPassword` - -When specifying a Windows Virtual Machine, this value should be passed. - -- Required: No -- Type: securestring -- Default: `''` - -### Parameter: `automaticRepairsPolicyEnabled` - -Specifies whether automatic repairs should be enabled on the virtual machine scale set. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `availabilityZones` - -The virtual machine scale set zones. NOTE: Availability zones can only be set when you create the scale set. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `bootDiagnosticStorageAccountName` - -Storage account used to store boot diagnostic information. Boot diagnostics will be disabled if no value is provided. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `bootDiagnosticStorageAccountUri` - -Storage account boot diagnostic base URI. - -- Required: No -- Type: string -- Default: `[format('.blob.{0}/', environment().suffixes.storage)]` - -### Parameter: `customData` - -Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `dataDisks` - -Specifies the data disks. 
For security reasons, it is recommended to specify DiskEncryptionSet into the dataDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `diagnosticSettings`
-
-The diagnostic settings of the service.
-
-- Required: No
-- Type: array
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
-| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. |
-| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. |
-| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting.
|
-| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-
-### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId`
-
-Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.eventHubName`
-
-Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.logAnalyticsDestinationType`
-
-A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'AzureDiagnostics'
- 'Dedicated'
- ]
- ```
-
-### Parameter: `diagnosticSettings.marketplacePartnerResourceId`
-
-The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.metricCategories`
-
-The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
-
-- Required: No
-- Type: array
-
-### Parameter: `diagnosticSettings.name`
-
-The name of diagnostic setting.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.storageAccountResourceId`
-
-Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.workspaceResourceId`
-
-Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-
-- Required: No
-- Type: string
-
-### Parameter: `disableAutomaticRollback`
-
-Whether OS image rollback feature should be disabled.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `disablePasswordAuthentication`
-
-Specifies whether password authentication should be disabled.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `doNotRunExtensionsOnOverprovisionedVMs`
-
-When Overprovision is enabled, extensions are launched only on the requested number of VMs which are finally kept. This property will hence ensure that the extensions do not run on the extra overprovisioned VMs.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `enableAutomaticOSUpgrade`
-
-Indicates whether OS upgrades should automatically be applied to scale set instances in a rolling fashion when a newer version of the OS image becomes available. Default value is false. If this is set to true for Windows based scale sets, enableAutomaticUpdates is automatically set to false and cannot be set to true.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `enableAutomaticUpdates`
-
-Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true.
For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning.
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `enableEvictionPolicy`
-
-Specifies the eviction policy for the low priority virtual machine. Will result in 'Deallocate' eviction policy.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `encryptionAtHost`
-
-This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to True. Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your virtual machine scale sets.
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `extensionAntiMalwareConfig`
-
-The configuration for the [Anti Malware] extension. Must at least contain the ["enabled": true] property to be executed.
-
-- Required: No
-- Type: object
-- Default:
- ```Bicep
- {
- enabled: false
- }
- ```
-
-### Parameter: `extensionAzureDiskEncryptionConfig`
-
-The configuration for the [Azure Disk Encryption] extension. Must at least contain the ["enabled": true] property to be executed. Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys.
-
-- Required: No
-- Type: object
-- Default:
- ```Bicep
- {
- enabled: false
- }
- ```
-
-### Parameter: `extensionCustomScriptConfig`
-
-The configuration for the [Custom Script] extension. Must at least contain the ["enabled": true] property to be executed.
-
-- Required: No
-- Type: object
-- Default:
- ```Bicep
- {
- enabled: false
- fileData: []
- }
- ```
-
-### Parameter: `extensionDependencyAgentConfig`
-
-The configuration for the [Dependency Agent] extension. Must at least contain the ["enabled": true] property to be executed.
-
-- Required: No
-- Type: object
-- Default:
- ```Bicep
- {
- enabled: false
- }
- ```
-
-### Parameter: `extensionDomainJoinConfig`
-
-The configuration for the [Domain Join] extension. Must at least contain the ["enabled": true] property to be executed.
-
-- Required: No
-- Type: object
-- Default:
- ```Bicep
- {
- enabled: false
- }
- ```
-
-### Parameter: `extensionDomainJoinPassword`
-
-Required if name is specified. Password of the user specified in user parameter.
-
-- Required: No
-- Type: securestring
-- Default: `''`
-
-### Parameter: `extensionDSCConfig`
-
-The configuration for the [Desired State Configuration] extension. Must at least contain the ["enabled": true] property to be executed.
-
-- Required: No
-- Type: object
-- Default:
- ```Bicep
- {
- enabled: false
- }
- ```
-
-### Parameter: `extensionMonitoringAgentConfig`
-
-The configuration for the [Monitoring Agent] extension. Must at least contain the ["enabled": true] property to be executed.
-
-- Required: No
-- Type: object
-- Default:
- ```Bicep
- {
- enabled: false
- }
- ```
-
-### Parameter: `extensionNetworkWatcherAgentConfig`
-
-The configuration for the [Network Watcher Agent] extension. Must at least contain the ["enabled": true] property to be executed.
-
-- Required: No
-- Type: object
-- Default:
- ```Bicep
- {
- enabled: false
- }
- ```
-
-### Parameter: `gracePeriod`
-
-The amount of time for which automatic repairs are suspended due to a state change on VM. The grace time starts after the state change has completed. This helps avoid premature or accidental repairs. The time duration should be specified in ISO 8601 format. The minimum allowed grace period is 30 minutes (PT30M).
The maximum allowed grace period is 90 minutes (PT90M).
-
-- Required: No
-- Type: string
-- Default: `'PT30M'`
-
-### Parameter: `licenseType`
-
-Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system.
-
-- Required: No
-- Type: string
-- Default: `''`
-- Allowed:
- ```Bicep
- [
- ''
- 'Windows_Client'
- 'Windows_Server'
- ]
- ```
-
-### Parameter: `location`
-
-Location for all resources.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-### Parameter: `lock`
-
-The lock settings of the service.
-
-- Required: No
-- Type: object
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`kind`](#parameter-lockkind) | string | Specify the type of lock. |
-| [`name`](#parameter-lockname) | string | Specify the name of lock. |
-
-### Parameter: `lock.kind`
-
-Specify the type of lock.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'CanNotDelete'
- 'None'
- 'ReadOnly'
- ]
- ```
-
-### Parameter: `lock.name`
-
-Specify the name of lock.
-
-- Required: No
-- Type: string
-
-### Parameter: `managedIdentities`
-
-The managed identity definition for this resource.
-
-- Required: No
-- Type: object
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. |
-| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. |
-
-### Parameter: `managedIdentities.systemAssigned`
-
-Enables system assigned managed identity on the resource.
-
-- Required: No
-- Type: bool
-
-### Parameter: `managedIdentities.userAssignedResourceIds`
-
-The resource ID(s) to assign to the resource.
-
-- Required: No
-- Type: array
-
-### Parameter: `maxBatchInstancePercent`
-
-The maximum percent of total virtual machine instances that will be upgraded simultaneously by the rolling upgrade in one batch. As this is a maximum, unhealthy instances in previous or future batches can cause the percentage of instances in a batch to decrease to ensure higher reliability.
-
-- Required: No
-- Type: int
-- Default: `20`
-
-### Parameter: `maxPriceForLowPriorityVm`
-
-Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `maxUnhealthyInstancePercent`
-
-The maximum percentage of the total virtual machine instances in the scale set that can be simultaneously unhealthy, either as a result of being upgraded, or by being found in an unhealthy state by the virtual machine health checks before the rolling upgrade aborts. This constraint will be checked prior to starting any batch.
-
-- Required: No
-- Type: int
-- Default: `20`
-
-### Parameter: `maxUnhealthyUpgradedInstancePercent`
-
-The maximum percentage of the total virtual machine instances in the scale set that can be simultaneously unhealthy, either as a result of being upgraded, or by being found in an unhealthy state by the virtual machine health checks before the rolling upgrade aborts. This constraint will be checked prior to starting any batch.
-
-- Required: No
-- Type: int
-- Default: `20`
-
-### Parameter: `monitoringWorkspaceId`
-
-Resource ID of the monitoring log analytics workspace.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `overprovision`
-
-Specifies whether the Virtual Machine Scale Set should be overprovisioned.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `pauseTimeBetweenBatches`
-
-The wait time between completing the update for all virtual machines in one batch and starting the next batch.
The time duration should be specified in ISO 8601 format.
-
-- Required: No
-- Type: string
-- Default: `'PT0S'`
-
-### Parameter: `plan`
-
-Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `provisionVMAgent`
-
-Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later.
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `proximityPlacementGroupResourceId`
-
-Resource ID of a proximity placement group.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `publicKeys`
-
-The list of SSH public keys used to authenticate with linux based VMs.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `roleAssignments`
-
-Array of role assignments to create.
-
-- Required: No
-- Type: array
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment.
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
-| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. |
-| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. |
-| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. |
-| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. |
-
-### Parameter: `roleAssignments.principalId`
-
-The principal ID of the principal (user/group/identity) to assign the role to.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.roleDefinitionIdOrName`
-
-The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.condition`
-
-The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.conditionVersion`
-
-Version of the condition.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- '2.0'
- ]
- ```
-
-### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
-
-The Resource Id of the delegated managed identity resource.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.description`
-
-The description of the role assignment.
- -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `sasTokenValidityLength` - -SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. - -- Required: No -- Type: string -- Default: `'PT8H'` - -### Parameter: `scaleInPolicy` - -Specifies the scale-in policy that decides which virtual machines are chosen for removal when a Virtual Machine Scale Set is scaled-in. - -- Required: No -- Type: object -- Default: - ```Bicep - { - rules: [ - 'Default' - ] - } - ``` - -### Parameter: `scaleSetFaultDomain` - -Fault Domain count for each placement group. - -- Required: No -- Type: int -- Default: `2` - -### Parameter: `scheduledEventsProfile` - -Specifies Scheduled Event related configurations. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `secrets` - -Specifies set of certificates that should be installed onto the virtual machines in the scale set. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `secureBootEnabled` - -Specifies whether secure boot should be enabled on the virtual machine scale set. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `securityType` - -Specifies the SecurityType of the virtual machine scale set. It is set as TrustedLaunch to enable UefiSettings. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `singlePlacementGroup` - -When true this limits the scale set to a single placement group, of max size 100 virtual machines. 
NOTE: If singlePlacementGroup is true, it may be modified to false. However, if singlePlacementGroup is false, it may not be modified to true. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `skuCapacity` - -The initial instance count of scale set VMs. - -- Required: No -- Type: int -- Default: `1` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `timeZone` - -Specifies the time zone of the virtual machine. e.g. 'Pacific Standard Time'. Possible values can be `TimeZoneInfo.id` value from time zones returned by `TimeZoneInfo.GetSystemTimeZones`. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `ultraSSDEnabled` - -The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `upgradePolicyMode` - -Specifies the mode of an upgrade to virtual machines in the scale set.' Manual - You control the application of updates to virtual machines in the scale set. You do this by using the manualUpgrade action. ; Automatic - All virtual machines in the scale set are automatically updated at the same time. - Automatic, Manual, Rolling. - -- Required: No -- Type: string -- Default: `'Manual'` -- Allowed: - ```Bicep - [ - 'Automatic' - 'Manual' - 'Rolling' - ] - ``` - -### Parameter: `vmNamePrefix` - -Specifies the computer name prefix for all of the virtual machines in the scale set. - -- Required: No -- Type: string -- Default: `'vmssvm'` - -### Parameter: `vmPriority` - -Specifies the priority for the virtual machine. 
- -- Required: No -- Type: string -- Default: `'Regular'` -- Allowed: - ```Bicep - [ - 'Low' - 'Regular' - 'Spot' - ] - ``` - -### Parameter: `vTpmEnabled` - -Specifies whether vTPM should be enabled on the virtual machine scale set. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `winRM` - -Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. - WinRMConfiguration object. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `zoneBalance` - -Whether to force strictly even Virtual Machine distribution cross x-zones in case there is zone outage. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `baseTime` - -Do not provide a value! This date value is used to generate a registration token. - -- Required: No -- Type: string -- Default: `[utcNow('u')]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the virtual machine scale set. | -| `resourceGroupName` | string | The resource group of the virtual machine scale set. | -| `resourceId` | string | The resource ID of the virtual machine scale set. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `imageReference` - -#### Marketplace images - -

- -Parameter JSON format - -```json -"imageReference": { - "value": { - "publisher": "MicrosoftWindowsServer", - "offer": "WindowsServer", - "sku": "2022-datacenter-azure-edition", - "version": "latest" - } -} -``` - -
- - -
- -Bicep format - -```bicep -imageReference: { - publisher: 'MicrosoftWindowsServer' - offer: 'WindowsServer' - sku: '2022-datacenter-azure-edition' - version: 'latest' -} -``` - -
- -#### Custom images - -
- -Parameter JSON format - -```json -"imageReference": { - "value": { - "id": "/subscriptions/12345-6789-1011-1213-15161718/resourceGroups/rg-name/providers/Microsoft.Compute/images/imagename" - } -} -``` - -
- -
- -Bicep format - -```bicep -imageReference: { - id: '/subscriptions/12345-6789-1011-1213-15161718/resourceGroups/rg-name/providers/Microsoft.Compute/images/imagename' -} -``` - -
-

- -### Parameter Usage: `plan` - -

- -Parameter JSON format - -```json -"plan": { - "value": { - "name": "qvsa-25", - "product": "qualys-virtual-scanner", - "publisher": "qualysguard" - } -} -``` - -
- -
- -Bicep format - -```bicep -plan: { - name: 'qvsa-25' - product: 'qualys-virtual-scanner' - publisher: 'qualysguard' -} -``` - -
-

- -### Parameter Usage: `osDisk` - -

- -Parameter JSON format - -```json -"osDisk": { - "value": { - "createOption": "fromImage", - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS", - "diskEncryptionSet": { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets. - "id": "/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/" - } - } - } -} -``` - -
- -
- -Bicep format - -```bicep -osDisk: { - createOption: 'fromImage' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - diskEncryptionSet: { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets. - id: '/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/' - } - } -} -``` - -
-

- -### Parameter Usage: `dataDisks` - -

- -Parameter JSON format - -```json -"dataDisks": { - "value": [ - { - "caching": "ReadOnly", - "createOption": "Empty", - "diskSizeGB": "256", - "writeAcceleratorEnabled": true, - "managedDisk": { - "storageAccountType": "Premium_LRS", - "diskEncryptionSet": { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets. - "id": "/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/" - } - } - }, - { - "caching": "ReadOnly", - "createOption": "Empty", - "diskSizeGB": "128", - "writeAcceleratorEnabled": true, - "managedDisk": { - "storageAccountType": "Premium_LRS", - "diskEncryptionSet": { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets. - "id": "/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/" - } - } - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -dataDisks: [ - { - caching: 'ReadOnly' - createOption: 'Empty' - diskSizeGB: '256' - writeAcceleratorEnabled: true - managedDisk: { - storageAccountType: 'Premium_LRS' - diskEncryptionSet: { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets. - id: '/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/' - } - } - } - { - caching: 'ReadOnly' - createOption: 'Empty' - diskSizeGB: '128' - writeAcceleratorEnabled: true - managedDisk: { - storageAccountType: 'Premium_LRS'diskEncryptionSet: { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets. - id: '/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/' - } - } - } -] -``` - -
-

- -### Parameter Usage: `nicConfigurations` - -Comments: -- The field `nicSuffix` is mandatory. -- If not disabled, `enableAcceleratedNetworking` is considered `true` by default and requires the VMSS to be deployed with a supported OS and VM size. - -

- -Parameter JSON format - -```json -"nicConfigurations": { - "value": [ - { - "nicSuffix": "-nic01", - "ipConfigurations": [ - { - "name": "ipconfig1", - "properties": { - "subnet": { - "id": "/subscriptions/[[subscriptionId]]/resourceGroups/agents-vmss-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-scaleset/subnets/sxx-az-subnet-scaleset-linux" - } - } - } - ] - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -nicConfigurations: [ - { - nicSuffix: '-nic01' - ipConfigurations: [ - { - name: 'ipconfig1' - properties: { - subnet: { - id: '/subscriptions/[[subscriptionId]]/resourceGroups/agents-vmss-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-scaleset/subnets/sxx-az-subnet-scaleset-linux' - } - } - } - ] - } -] -``` - -
-

- -### Parameter Usage: `extensionDomainJoinConfig` - -

- -Parameter JSON format - -```json -"extensionDomainJoinConfig": { - "value": { - "enabled": true, - "settings": { - "name": "contoso.com", - "user": "test.user@testcompany.com", - "ouPath": "OU=testOU; DC=contoso; DC=com", - "restart": true, - "options": 3 - } - } -}, -"extensionDomainJoinPassword": { - "reference": { - "keyVault": { - "id": "/subscriptions/</resourceGroups/myRG/providers/Microsoft.KeyVault/vaults/myKvlt" - }, - "secretName": "domainJoinUser02-Password" - } -} -``` - -
- -
- -Bicep format - -```bicep -extensionDomainJoinConfig: { - enabled: true - settings: { - name: 'contoso.com' - user: 'test.user@testcompany.com' - ouPath: 'OU=testOU; DC=contoso; DC=com' - restart: true - options: 3 - } -} - -resource kv1 'Microsoft.KeyVault/vaults@2019-09-01' existing = { - name: 'adp-[[namePrefix]]-az-kv-x-001' - scope: resourceGroup('[[subscriptionId]]','validation-rg') -} - -extensionDomainJoinPassword: kv1.getSecret('domainJoinUser02-Password') -``` - -
-

- -### Parameter Usage: `extensionNetworkWatcherAgentConfig` - -

- -Parameter JSON format - -```json -"extensionNetworkWatcherAgentConfig": { - "value": { - "enabled": true - } -} -``` - -
- -
- -Bicep format - -```bicep -extensionNetworkWatcherAgentConfig: { - enabled: true -} -``` - -
-

- -### Parameter Usage: `extensionAntiMalwareConfig` - -Only for OSType Windows - -

- -Parameter JSON format - -```json -"extensionAntiMalwareConfig": { - "value": { - "enabled": true, - "settings": { - "AntimalwareEnabled": true, - "Exclusions": { - "Extensions": ".log;.ldf", - "Paths": "D:\\IISlogs;D:\\DatabaseLogs", - "Processes": "mssence.svc" - }, - "RealtimeProtectionEnabled": true, - "ScheduledScanSettings": { - "isEnabled": "true", - "scanType": "Quick", - "day": "7", - "time": "120" - } - } - } -} -``` - -
- -
- -Bicep format - -```bicep -extensionAntiMalwareConfig: { - enabled: true - settings: { - AntimalwareEnabled: true - Exclusions: { - Extensions: '.log;.ldf' - Paths: 'D:\\IISlogs;D:\\DatabaseLogs' - Processes: 'mssence.svc' - } - RealtimeProtectionEnabled: true - ScheduledScanSettings: { - isEnabled: 'true' - scanType: 'Quick' - day: '7' - time: '120' - } - } -} -``` - -
-

- -### Parameter Usage: `extensionAzureDiskEncryptionConfig` - -

- -Parameter JSON format - -```json -"extensionAzureDiskEncryptionConfig": { - // Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys. - "value": { - "enabled": true, - "settings": { - "EncryptionOperation": "EnableEncryption", - "KeyVaultURL": "https://mykeyvault.vault.azure.net/", - "KeyVaultResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-sxx-az-kv-x-001", - "KeyEncryptionKeyURL": "https://mykeyvault.vault.azure.net/keys/keyEncryptionKey/bc3bb46d95c64367975d722f473eeae5", // ID must be updated for new keys - "KekVaultResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-sxx-az-kv-x-001", - "KeyEncryptionAlgorithm": "RSA-OAEP", //'RSA-OAEP'/'RSA-OAEP-256'/'RSA1_5' - "VolumeType": "All", //'OS'/'Data'/'All' - "ResizeOSDisk": "false" - } - } -} -``` - -
- -
- -Bicep format - -```bicep -extensionAzureDiskEncryptionConfig: { - // Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys. - enabled: true - settings: { - EncryptionOperation: 'EnableEncryption' - KeyVaultURL: 'https://mykeyvault.vault.azure.net/' - KeyVaultResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-sxx-az-kv-x-001' - KeyEncryptionKeyURL: 'https://mykeyvault.vault.azure.net/keys/keyEncryptionKey/bc3bb46d95c64367975d722f473eeae5' // ID must be updated for new keys - KekVaultResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-sxx-az-kv-x-001' - KeyEncryptionAlgorithm: 'RSA-OAEP' //'RSA-OAEP'/'RSA-OAEP-256'/'RSA1_5' - VolumeType: 'All' //'OS'/'Data'/'All' - ResizeOSDisk: 'false' - } -} -``` - -
-

- -### Parameter Usage: `extensionCustomScriptConfig` - -

- -Parameter JSON format - -```json -"extensionCustomScriptConfig": { - "value": { - "enabled": true, - "fileData": [ - //storage accounts with SAS token requirement - { - "uri": "https://mystorageaccount.blob.core.windows.net/avdscripts/File1.ps1", - "storageAccountId": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Storage/storageAccounts/storageAccountName" - }, - { - "uri": "https://mystorageaccount.blob.core.windows.net/avdscripts/File2.ps1", - "storageAccountId": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Storage/storageAccounts/storageAccountName" - }, - //storage account with public container (no SAS token is required) OR other public URL (not a storage account) - { - "uri": "https://github.com/myProject/File3.ps1", - "storageAccountId": "" - } - ], - "settings": { - "commandToExecute": "powershell -ExecutionPolicy Unrestricted -File testscript.ps1" - } - } -} -``` - -
- -
- -Bicep format - -```bicep -extensionCustomScriptConfig: { - enabled: true - fileData: [ - //storage accounts with SAS token requirement - { - uri: 'https://mystorageaccount.blob.core.windows.net/avdscripts/File1.ps1' - storageAccountId: '/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Storage/storageAccounts/storageAccountName' - } - { - uri: 'https://mystorageaccount.blob.core.windows.net/avdscripts/File2.ps1' - storageAccountId: '/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Storage/storageAccounts/storageAccountName' - } - //storage account with public container (no SAS token is required) OR other public URL (not a storage account) - { - uri: 'https://github.com/myProject/File3.ps1' - storageAccountId: '' - } - ] - settings: { - commandToExecute: 'powershell -ExecutionPolicy Unrestricted -File testscript.ps1' - } -} -``` - -
-

- -### Parameter Usage: `extensionDSCConfig` - -

- -Parameter JSON format - -```json -"extensionDSCConfig": { - "value": { - "enabled": true, - "settings": { - "wmfVersion": "latest", - "configuration": { - "url": "http://validURLToConfigLocation", - "script": "ConfigurationScript.ps1", - "function": "ConfigurationFunction" - }, - "configurationArguments": { - "argument1": "Value1", - "argument2": "Value2" - }, - "configurationData": { - "url": "https://foo.psd1" - }, - "privacy": { - "dataCollection": "enable" - }, - "advancedOptions": { - "forcePullAndApply": false, - "downloadMappings": { - "specificDependencyKey": "https://myCustomDependencyLocation" - } - } - }, - "protectedSettings": { - "configurationArguments": { - "mySecret": "MyPlaceholder" - }, - "configurationUrlSasToken": "MyPlaceholder", - "configurationDataUrlSasToken": "MyPlaceholder" - } - } -} -``` - -
- -
- -Bicep format - -```bicep -extensionDSCConfig: { - enabled: true - settings: { - wmfVersion: 'latest' - configuration: { - url: 'http://validURLToConfigLocation' - script: 'ConfigurationScript.ps1' - function: 'ConfigurationFunction' - } - configurationArguments: { - argument1: 'Value1' - argument2: 'Value2' - } - configurationData: { - url: 'https://foo.psd1' - } - privacy: { - dataCollection: 'enable' - } - advancedOptions: { - forcePullAndApply: false - downloadMappings: { - specificDependencyKey: 'https://myCustomDependencyLocation' - } - } - } - protectedSettings: { - configurationArguments: { - mySecret: 'MyPlaceholder' - } - configurationUrlSasToken: 'MyPlaceholder' - configurationDataUrlSasToken: 'MyPlaceholder' - } -} -``` - -
-

+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/compute/virtual-machine-scale-set/extension/README.md b/modules/compute/virtual-machine-scale-set/extension/README.md
deleted file mode 100644
index 9053bdd926..0000000000
--- a/modules/compute/virtual-machine-scale-set/extension/README.md
+++ /dev/null
@@ -1,147 +0,0 @@ -# Virtual Machine Scale Set Extensions `[Microsoft.Compute/virtualMachineScaleSets/extensions]` - -This module deploys a Virtual Machine Scale Set Extension. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Compute/virtualMachineScaleSets/extensions` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Compute/2022-11-01/virtualMachineScaleSets/extensions) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`autoUpgradeMinorVersion`](#parameter-autoupgrademinorversion) | bool | Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true. | -| [`enableAutomaticUpgrade`](#parameter-enableautomaticupgrade) | bool | Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available. | -| [`name`](#parameter-name) | string | The name of the virtual machine scale set extension. | -| [`publisher`](#parameter-publisher) | string | The name of the extension handler publisher. | -| [`type`](#parameter-type) | string | Specifies the type of the extension; an example is "CustomScriptExtension". | -| [`typeHandlerVersion`](#parameter-typehandlerversion) | string | Specifies the version of the script handler. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`virtualMachineScaleSetName`](#parameter-virtualmachinescalesetname) | string | The name of the parent virtual machine scale set that extension is provisioned for. Required if the template is used in a standalone deployment. 
| - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`forceUpdateTag`](#parameter-forceupdatetag) | string | How the extension handler should be forced to update even if the extension configuration has not changed. | -| [`protectedSettings`](#parameter-protectedsettings) | secureObject | Any object that contains the extension specific protected settings. | -| [`settings`](#parameter-settings) | object | Any object that contains the extension specific settings. | -| [`supressFailures`](#parameter-supressfailures) | bool | Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false. | - -### Parameter: `autoUpgradeMinorVersion` - -Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true. - -- Required: Yes -- Type: bool - -### Parameter: `enableAutomaticUpgrade` - -Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available. - -- Required: Yes -- Type: bool - -### Parameter: `name` - -The name of the virtual machine scale set extension. - -- Required: Yes -- Type: string - -### Parameter: `publisher` - -The name of the extension handler publisher. - -- Required: Yes -- Type: string - -### Parameter: `type` - -Specifies the type of the extension; an example is "CustomScriptExtension". - -- Required: Yes -- Type: string - -### Parameter: `typeHandlerVersion` - -Specifies the version of the script handler. 
- -- Required: Yes -- Type: string - -### Parameter: `virtualMachineScaleSetName` - -The name of the parent virtual machine scale set that extension is provisioned for. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `forceUpdateTag` - -How the extension handler should be forced to update even if the extension configuration has not changed. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `protectedSettings` - -Any object that contains the extension specific protected settings. - -- Required: No -- Type: secureObject -- Default: `{}` - -### Parameter: `settings` - -Any object that contains the extension specific settings. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `supressFailures` - -Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false. - -- Required: No -- Type: bool -- Default: `False` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the extension. | -| `resourceGroupName` | string | The name of the Resource Group the extension was created in. | -| `resourceId` | string | The ResourceId of the extension. | - -## Cross-referenced modules - -_None_ diff --git a/modules/compute/virtual-machine-scale-set/extension/main.bicep b/modules/compute/virtual-machine-scale-set/extension/main.bicep deleted file mode 100644 index 9ec5064a7d..0000000000 --- a/modules/compute/virtual-machine-scale-set/extension/main.bicep +++ /dev/null 
@@ -1,81 +0,0 @@ -metadata name = 'Virtual Machine Scale Set Extensions' -metadata description = 'This module deploys a Virtual Machine Scale Set Extension.' -metadata owner = 'Azure/module-maintainers' - -@description('Conditional. The name of the parent virtual machine scale set that extension is provisioned for. Required if the template is used in a standalone deployment.') -param virtualMachineScaleSetName string - -@description('Required. The name of the virtual machine scale set extension.') -param name string - -@description('Required. The name of the extension handler publisher.') -param publisher string - -@description('Required. Specifies the type of the extension; an example is "CustomScriptExtension".') -param type string - -@description('Required. Specifies the version of the script handler.') -param typeHandlerVersion string - -@description('Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true.') -param autoUpgradeMinorVersion bool - -@description('Optional. How the extension handler should be forced to update even if the extension configuration has not changed.') -param forceUpdateTag string = '' - -@description('Optional. Any object that contains the extension specific settings.') -param settings object = {} - -@description('Optional. Any object that contains the extension specific protected settings.') -@secure() -param protectedSettings object = {} - -@description('Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false.') -param supressFailures bool = false - -@description('Required. 
Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available.') -param enableAutomaticUpgrade bool - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource virtualMachineScaleSet 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' existing = { - name: virtualMachineScaleSetName -} - -resource extension 'Microsoft.Compute/virtualMachineScaleSets/extensions@2022-11-01' = { - name: name - parent: virtualMachineScaleSet - properties: { - publisher: publisher - type: type - typeHandlerVersion: typeHandlerVersion - autoUpgradeMinorVersion: autoUpgradeMinorVersion - enableAutomaticUpgrade: enableAutomaticUpgrade - forceUpdateTag: !empty(forceUpdateTag) ? forceUpdateTag : null - settings: !empty(settings) ? settings : null - protectedSettings: !empty(protectedSettings) ? protectedSettings : null - suppressFailures: supressFailures - } -} - -@description('The name of the extension.') -output name string = extension.name - -@description('The ResourceId of the extension.') -output resourceId string = extension.id - -@description('The name of the Resource Group the extension was created in.') -output resourceGroupName string = resourceGroup().name diff --git a/modules/compute/virtual-machine-scale-set/extension/main.json b/modules/compute/virtual-machine-scale-set/extension/main.json deleted file mode 100644 index 04ab8111c2..0000000000 --- a/modules/compute/virtual-machine-scale-set/extension/main.json +++ /dev/null 
@@ -1,148 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "11750050808770259539" - }, - "name": "Virtual Machine Scale Set Extensions", - "description": "This module deploys a Virtual Machine Scale Set Extension.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "virtualMachineScaleSetName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent virtual machine scale set that extension is provisioned for. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the virtual machine scale set extension." - } - }, - "publisher": { - "type": "string", - "metadata": { - "description": "Required. The name of the extension handler publisher." - } - }, - "type": { - "type": "string", - "metadata": { - "description": "Required. Specifies the type of the extension; an example is \"CustomScriptExtension\"." - } - }, - "typeHandlerVersion": { - "type": "string", - "metadata": { - "description": "Required. Specifies the version of the script handler." - } - }, - "autoUpgradeMinorVersion": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true." - } - }, - "forceUpdateTag": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed." - } - }, - "settings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. 
Any object that contains the extension specific settings." - } - }, - "protectedSettings": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific protected settings." - } - }, - "supressFailures": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false." - } - }, - "enableAutomaticUpgrade": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}', parameters('virtualMachineScaleSetName'), parameters('name'))]", - "properties": { - "publisher": "[parameters('publisher')]", - "type": "[parameters('type')]", - "typeHandlerVersion": "[parameters('typeHandlerVersion')]", - "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", - "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": 
"[if(not(empty(parameters('forceUpdateTag'))), parameters('forceUpdateTag'), null())]", - "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", - "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", - "suppressFailures": "[parameters('supressFailures')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the extension." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The ResourceId of the extension." - }, - "value": "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('virtualMachineScaleSetName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the extension was created in." - }, - "value": "[resourceGroup().name]" - } - } -}
\ No newline at end of file
diff --git a/modules/compute/virtual-machine-scale-set/extension/version.json b/modules/compute/virtual-machine-scale-set/extension/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/compute/virtual-machine-scale-set/extension/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/compute/virtual-machine-scale-set/main.bicep b/modules/compute/virtual-machine-scale-set/main.bicep
deleted file mode 100644
index bd8bb169af..0000000000
--- a/modules/compute/virtual-machine-scale-set/main.bicep
+++ /dev/null
@@ -1,726 +0,0 @@
-metadata name = 'Virtual Machine Scale Sets'
-metadata description = 'This module deploys a Virtual Machine Scale Set.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the VMSS.')
-param name string
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to True. Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your virtual machine scale sets.')
-param encryptionAtHost bool = true
-
-@description('Optional. Specifies the SecurityType of the virtual machine scale set. It is set as TrustedLaunch to enable UefiSettings.')
-param securityType string = ''
-
-@description('Optional. Specifies whether secure boot should be enabled on the virtual machine scale set. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings.')
-param secureBootEnabled bool = false
-
-@description('Optional. Specifies whether vTPM should be enabled on the virtual machine scale set. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings.')
-param vTpmEnabled bool = false
-
-@description('Required. OS image reference. In case of marketplace images, it\'s the combination of the publisher, offer, sku, version attributes. In case of custom images it\'s the resource ID of the custom image.')
-param imageReference object
-
-@description('Optional. Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images.
Before you can use a marketplace image from an API, you must enable the image for programmatic use.')
-param plan object = {}
-
-@description('Required. Specifies the OS disk. For security reasons, it is recommended to specify DiskEncryptionSet into the osDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets.')
-param osDisk object
-
-@description('Optional. Specifies the data disks. For security reasons, it is recommended to specify DiskEncryptionSet into the dataDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets.')
-param dataDisks array = []
-
-@description('Optional. The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled.')
-param ultraSSDEnabled bool = false
-
-@description('Required. Administrator username.')
-@secure()
-param adminUsername string
-
-@description('Optional. When specifying a Windows Virtual Machine, this value should be passed.')
-@secure()
-param adminPassword string = ''
-
-@description('Optional. Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format.')
-param customData string = ''
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Fault Domain count for each placement group.')
-param scaleSetFaultDomain int = 2
-
-@description('Optional. Resource ID of a proximity placement group.')
-param proximityPlacementGroupResourceId string = ''
-
-@description('Required.
Configures NICs and PIPs.')
-param nicConfigurations array = []
-
-@description('Optional. Specifies the priority for the virtual machine.')
-@allowed([
- 'Regular'
- 'Low'
- 'Spot'
-])
-param vmPriority string = 'Regular'
-
-@description('Optional. Specifies the eviction policy for the low priority virtual machine. Will result in \'Deallocate\' eviction policy.')
-param enableEvictionPolicy bool = false
-
-@description('Optional. Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars.')
-param maxPriceForLowPriorityVm string = ''
-
-@description('Optional. Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system.')
-@allowed([
- 'Windows_Client'
- 'Windows_Server'
- ''
-])
-param licenseType string = ''
-
-@description('Optional. Required if name is specified. Password of the user specified in user parameter.')
-@secure()
-param extensionDomainJoinPassword string = ''
-
-@description('Optional. The configuration for the [Domain Join] extension. Must at least contain the ["enabled": true] property to be executed.')
-param extensionDomainJoinConfig object = {
- enabled: false
-}
-
-@description('Optional. The configuration for the [Anti Malware] extension. Must at least contain the ["enabled": true] property to be executed.')
-param extensionAntiMalwareConfig object = {
- enabled: false
-}
-
-@description('Optional. The configuration for the [Monitoring Agent] extension. Must at least contain the ["enabled": true] property to be executed.')
-param extensionMonitoringAgentConfig object = {
- enabled: false
-}
-
-@description('Optional. Resource ID of the monitoring log analytics workspace.')
-param monitoringWorkspaceId string = ''
-
-@description('Optional. The configuration for the [Dependency Agent] extension.
Must at least contain the ["enabled": true] property to be executed.')
-param extensionDependencyAgentConfig object = {
- enabled: false
-}
-
-@description('Optional. The configuration for the [Network Watcher Agent] extension. Must at least contain the ["enabled": true] property to be executed.')
-param extensionNetworkWatcherAgentConfig object = {
- enabled: false
-}
-
-@description('Optional. The configuration for the [Azure Disk Encryption] extension. Must at least contain the ["enabled": true] property to be executed. Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys.')
-param extensionAzureDiskEncryptionConfig object = {
- enabled: false
-}
-
-@description('Optional. The configuration for the [Desired State Configuration] extension. Must at least contain the ["enabled": true] property to be executed.')
-param extensionDSCConfig object = {
- enabled: false
-}
-
-@description('Optional. The configuration for the [Custom Script] extension. Must at least contain the ["enabled": true] property to be executed.')
-param extensionCustomScriptConfig object = {
- enabled: false
- fileData: []
-}
-
-@description('Optional. Storage account boot diagnostic base URI.')
-param bootDiagnosticStorageAccountUri string = '.blob.${environment().suffixes.storage}/'
-
-@description('Optional. Storage account used to store boot diagnostic information. Boot diagnostics will be disabled if no value is provided.')
-param bootDiagnosticStorageAccountName string = ''
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Specifies the mode of an upgrade to virtual machines in the scale set.\' Manual - You control the application of updates to virtual machines in the scale set.
You do this by using the manualUpgrade action. ; Automatic - All virtual machines in the scale set are automatically updated at the same time. - Automatic, Manual, Rolling.')
-@allowed([
- 'Manual'
- 'Automatic'
- 'Rolling'
-])
-param upgradePolicyMode string = 'Manual'
-
-@description('Optional. The maximum percent of total virtual machine instances that will be upgraded simultaneously by the rolling upgrade in one batch. As this is a maximum, unhealthy instances in previous or future batches can cause the percentage of instances in a batch to decrease to ensure higher reliability.')
-param maxBatchInstancePercent int = 20
-
-@description('Optional. The maximum percentage of the total virtual machine instances in the scale set that can be simultaneously unhealthy, either as a result of being upgraded, or by being found in an unhealthy state by the virtual machine health checks before the rolling upgrade aborts. This constraint will be checked prior to starting any batch.')
-param maxUnhealthyInstancePercent int = 20
-
-@description('Optional. The maximum percentage of the total virtual machine instances in the scale set that can be simultaneously unhealthy, either as a result of being upgraded, or by being found in an unhealthy state by the virtual machine health checks before the rolling upgrade aborts. This constraint will be checked prior to starting any batch.')
-param maxUnhealthyUpgradedInstancePercent int = 20
-
-@description('Optional. The wait time between completing the update for all virtual machines in one batch and starting the next batch. The time duration should be specified in ISO 8601 format.')
-param pauseTimeBetweenBatches string = 'PT0S'
-
-@description('Optional. Indicates whether OS upgrades should automatically be applied to scale set instances in a rolling fashion when a newer version of the OS image becomes available. Default value is false.
If this is set to true for Windows based scale sets, enableAutomaticUpdates is automatically set to false and cannot be set to true.')
-param enableAutomaticOSUpgrade bool = false
-
-@description('Optional. Whether OS image rollback feature should be disabled.')
-param disableAutomaticRollback bool = false
-
-@description('Optional. Specifies whether automatic repairs should be enabled on the virtual machine scale set.')
-param automaticRepairsPolicyEnabled bool = false
-
-@description('Optional. The amount of time for which automatic repairs are suspended due to a state change on VM. The grace time starts after the state change has completed. This helps avoid premature or accidental repairs. The time duration should be specified in ISO 8601 format. The minimum allowed grace period is 30 minutes (PT30M). The maximum allowed grace period is 90 minutes (PT90M).')
-param gracePeriod string = 'PT30M'
-
-@description('Optional. Specifies the computer name prefix for all of the virtual machines in the scale set.')
-@minLength(1)
-@maxLength(15)
-param vmNamePrefix string = 'vmssvm'
-
-@description('Optional. Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later.')
-param provisionVMAgent bool = true
-
-@description('Optional. Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning.')
-param enableAutomaticUpdates bool = true
-
-@description('Optional. Specifies the time zone of the virtual machine. e.g. \'Pacific Standard Time\'.
Possible values can be `TimeZoneInfo.id` value from time zones returned by `TimeZoneInfo.GetSystemTimeZones`.')
-param timeZone string = ''
-
-@description('Optional. Specifies additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup. - AdditionalUnattendContent object.')
-param additionalUnattendContent array = []
-
-@description('Optional. Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. - WinRMConfiguration object.')
-param winRM object = {}
-
-@description('Optional. Specifies whether password authentication should be disabled.')
-#disable-next-line secure-secrets-in-params // Not a secret
-param disablePasswordAuthentication bool = false
-
-@description('Optional. The list of SSH public keys used to authenticate with linux based VMs.')
-param publicKeys array = []
-
-@description('Optional. Specifies set of certificates that should be installed onto the virtual machines in the scale set.')
-#disable-next-line secure-secrets-in-params // Not a secret
-param secrets array = []
-
-@description('Optional. Specifies Scheduled Event related configurations.')
-param scheduledEventsProfile object = {}
-
-@description('Optional. Specifies whether the Virtual Machine Scale Set should be overprovisioned.')
-param overprovision bool = false
-
-@description('Optional. When Overprovision is enabled, extensions are launched only on the requested number of VMs which are finally kept. This property will hence ensure that the extensions do not run on the extra overprovisioned VMs.')
-param doNotRunExtensionsOnOverprovisionedVMs bool = false
-
-@description('Optional. Whether to force strictly even Virtual Machine distribution cross x-zones in case there is zone outage.')
-param zoneBalance bool = false
-
-@description('Optional. When true this limits the scale set to a single placement group, of max size 100 virtual machines.
NOTE: If singlePlacementGroup is true, it may be modified to false. However, if singlePlacementGroup is false, it may not be modified to true.')
-param singlePlacementGroup bool = true
-
-@description('Optional. Specifies the scale-in policy that decides which virtual machines are chosen for removal when a Virtual Machine Scale Set is scaled-in.')
-param scaleInPolicy object = {
- rules: [
- 'Default'
- ]
-}
-
-@description('Required. The SKU size of the VMs.')
-param skuName string
-
-@description('Optional. The initial instance count of scale set VMs.')
-param skuCapacity int = 1
-
-@description('Optional. The virtual machine scale set zones. NOTE: Availability zones can only be set when you create the scale set.')
-param availabilityZones array = []
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Required. The chosen OS type.')
-@allowed([
- 'Windows'
- 'Linux'
-])
-param osType string
-
-@description('Generated. Do not provide a value! This date value is used to generate a registration token.')
-param baseTime string = utcNow('u')
-
-@description('Optional. SAS token validity length to use to download files from storage accounts. Usage: \'PT8H\' - valid for 8 hours; \'P5D\' - valid for 5 days; \'P1Y\' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours.')
-param sasTokenValidityLength string = 'PT8H'
-
-@description('Optional.
The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
-
-var publicKeysFormatted = [for publicKey in publicKeys: {
- path: publicKey.path
- keyData: publicKey.keyData
-}]
-
-var linuxConfiguration = {
- disablePasswordAuthentication: disablePasswordAuthentication
- ssh: {
- publicKeys: publicKeysFormatted
- }
- provisionVMAgent: provisionVMAgent
-}
-
-var windowsConfiguration = {
- provisionVMAgent: provisionVMAgent
- enableAutomaticUpdates: enableAutomaticUpdates
- timeZone: empty(timeZone) ? null : timeZone
- additionalUnattendContent: empty(additionalUnattendContent) ? null : additionalUnattendContent
- winRM: !empty(winRM) ? {
- listeners: winRM
- } : null
-}
-
-var accountSasProperties = {
- signedServices: 'b'
- signedPermission: 'r'
- signedExpiry: dateTimeAdd(baseTime, sasTokenValidityLength)
- signedResourceTypes: 'o'
- signedProtocol: 'https'
-}
-
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-
-var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
- userAssignedIdentities: !empty(formattedUserAssignedIdentities) ?
formattedUserAssignedIdentities : null
-} : null
-
-var enableReferencedModulesTelemetry = false
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Data Operator for Managed Disks': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e')
- 'Desktop Virtualization Power On Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33')
- 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')
- 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')
- 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')
- 'Disk Backup Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24')
- 'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')
- 'Disk Restore Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13')
- 'Disk Snapshot Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator':
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
- 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')
- 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')
- 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')
- 'VM Scanner Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = {
- name: name
- location: location
- tags: tags
- identity: identity
- zones: availabilityZones
- properties: {
- proximityPlacementGroup: !empty(proximityPlacementGroupResourceId) ?
{
- id: proximityPlacementGroupResourceId
- } : null
- upgradePolicy: {
- mode: upgradePolicyMode
- rollingUpgradePolicy: {
- maxBatchInstancePercent: maxBatchInstancePercent
- maxUnhealthyInstancePercent: maxUnhealthyInstancePercent
- maxUnhealthyUpgradedInstancePercent: maxUnhealthyUpgradedInstancePercent
- pauseTimeBetweenBatches: pauseTimeBetweenBatches
- }
- automaticOSUpgradePolicy: {
- enableAutomaticOSUpgrade: enableAutomaticOSUpgrade
- disableAutomaticRollback: disableAutomaticRollback
- }
- }
- automaticRepairsPolicy: {
- enabled: automaticRepairsPolicyEnabled
- gracePeriod: gracePeriod
- }
- virtualMachineProfile: {
- osProfile: {
- computerNamePrefix: vmNamePrefix
- adminUsername: adminUsername
- adminPassword: !empty(adminPassword) ? adminPassword : null
- customData: !empty(customData) ? base64(customData) : null
- windowsConfiguration: osType == 'Windows' ? windowsConfiguration : null
- linuxConfiguration: osType == 'Linux' ? linuxConfiguration : null
- secrets: secrets
- }
- securityProfile: {
- encryptionAtHost: encryptionAtHost ? encryptionAtHost : null
- securityType: securityType
- uefiSettings: securityType == 'TrustedLaunch' ? {
- secureBootEnabled: secureBootEnabled
- vTpmEnabled: vTpmEnabled
- } : null
- }
- storageProfile: {
- imageReference: imageReference
- osDisk: {
- createOption: osDisk.createOption
- diskSizeGB: osDisk.diskSizeGB
- caching: contains(osDisk, 'caching') ? osDisk.caching : null
- writeAcceleratorEnabled: contains(osDisk, 'writeAcceleratorEnabled') ? osDisk.writeAcceleratorEnabled : null
- diffDiskSettings: contains(osDisk, 'diffDiskSettings') ? osDisk.diffDiskSettings : null
- osType: contains(osDisk, 'osType') ? osDisk.osType : null
- image: contains(osDisk, 'image') ? osDisk.image : null
- vhdContainers: contains(osDisk, 'vhdContainers') ? osDisk.vhdContainers : null
- managedDisk: {
- storageAccountType: osDisk.managedDisk.storageAccountType
- diskEncryptionSet: contains(osDisk.managedDisk, 'diskEncryptionSet') ?
{
- id: osDisk.managedDisk.diskEncryptionSet.id
- } : null
- }
- }
- dataDisks: [for (dataDisk, index) in dataDisks: {
- lun: index
- diskSizeGB: dataDisk.diskSizeGB
- createOption: dataDisk.createOption
- caching: dataDisk.caching
- writeAcceleratorEnabled: contains(osDisk, 'writeAcceleratorEnabled') ? osDisk.writeAcceleratorEnabled : null
- managedDisk: {
- storageAccountType: dataDisk.managedDisk.storageAccountType
- diskEncryptionSet: contains(dataDisk.managedDisk, 'diskEncryptionSet') ? {
- id: dataDisk.managedDisk.diskEncryptionSet.id
- } : null
- }
- diskIOPSReadWrite: contains(osDisk, 'diskIOPSReadWrite') ? dataDisk.diskIOPSReadWrite : null
- diskMBpsReadWrite: contains(osDisk, 'diskMBpsReadWrite') ? dataDisk.diskMBpsReadWrite : null
- }]
- }
- networkProfile: {
- networkInterfaceConfigurations: [for (nicConfiguration, index) in nicConfigurations: {
- name: '${name}${nicConfiguration.nicSuffix}configuration-${index}'
- properties: {
- primary: (index == 0) ? true : any(null)
- enableAcceleratedNetworking: contains(nicConfiguration, 'enableAcceleratedNetworking') ? nicConfiguration.enableAcceleratedNetworking : true
- networkSecurityGroup: contains(nicConfiguration, 'nsgId') ? {
- id: nicConfiguration.nsgId
- } : null
- ipConfigurations: nicConfiguration.ipConfigurations
- }
- }]
- }
- diagnosticsProfile: {
- bootDiagnostics: {
- enabled: !empty(bootDiagnosticStorageAccountName)
- storageUri: !empty(bootDiagnosticStorageAccountName) ? 'https://${bootDiagnosticStorageAccountName}${bootDiagnosticStorageAccountUri}' : null
- }
- }
- licenseType: empty(licenseType) ? null : licenseType
- priority: vmPriority
- evictionPolicy: enableEvictionPolicy ? 'Deallocate' : null
- billingProfile: !empty(vmPriority) && !empty(maxPriceForLowPriorityVm) ?
{
- maxPrice: maxPriceForLowPriorityVm
- } : null
- scheduledEventsProfile: scheduledEventsProfile
- }
- overprovision: overprovision
- doNotRunExtensionsOnOverprovisionedVMs: doNotRunExtensionsOnOverprovisionedVMs
- zoneBalance: zoneBalance == 'true' ? zoneBalance : null
- platformFaultDomainCount: scaleSetFaultDomain
- singlePlacementGroup: singlePlacementGroup
- additionalCapabilities: {
- ultraSSDEnabled: ultraSSDEnabled
- }
- scaleInPolicy: scaleInPolicy
- }
- sku: {
- name: skuName
- capacity: skuCapacity
- }
- plan: !empty(plan) ? plan : null
-}
-
-module vmss_domainJoinExtension 'extension/main.bicep' = if (extensionDomainJoinConfig.enabled) {
- name: '${uniqueString(deployment().name, location)}-VMSS-DomainJoin'
- params: {
- virtualMachineScaleSetName: vmss.name
- name: 'DomainJoin'
- publisher: 'Microsoft.Compute'
- type: 'JsonADDomainExtension'
- typeHandlerVersion: contains(extensionDomainJoinConfig, 'typeHandlerVersion') ? extensionDomainJoinConfig.typeHandlerVersion : '1.3'
- autoUpgradeMinorVersion: contains(extensionDomainJoinConfig, 'autoUpgradeMinorVersion') ? extensionDomainJoinConfig.autoUpgradeMinorVersion : true
- enableAutomaticUpgrade: contains(extensionDomainJoinConfig, 'enableAutomaticUpgrade') ? extensionDomainJoinConfig.enableAutomaticUpgrade : false
- settings: extensionDomainJoinConfig.settings
- protectedSettings: {
- Password: extensionDomainJoinPassword
- }
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module vmss_microsoftAntiMalwareExtension 'extension/main.bicep' = if (extensionAntiMalwareConfig.enabled) {
- name: '${uniqueString(deployment().name, location)}-VMSS-MicrosoftAntiMalware'
- params: {
- virtualMachineScaleSetName: vmss.name
- name: 'MicrosoftAntiMalware'
- publisher: 'Microsoft.Azure.Security'
- type: 'IaaSAntimalware'
- typeHandlerVersion: contains(extensionAntiMalwareConfig, 'typeHandlerVersion') ?
extensionAntiMalwareConfig.typeHandlerVersion : '1.3'
- autoUpgradeMinorVersion: contains(extensionAntiMalwareConfig, 'autoUpgradeMinorVersion') ? extensionAntiMalwareConfig.autoUpgradeMinorVersion : true
- enableAutomaticUpgrade: contains(extensionAntiMalwareConfig, 'enableAutomaticUpgrade') ? extensionAntiMalwareConfig.enableAutomaticUpgrade : false
- settings: extensionAntiMalwareConfig.settings
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-resource vmss_logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' existing = if (!empty(monitoringWorkspaceId)) {
- name: last(split((!empty(monitoringWorkspaceId) ? monitoringWorkspaceId : 'law'), '/'))!
- scope: az.resourceGroup(split((!empty(monitoringWorkspaceId) ? monitoringWorkspaceId : '//'), '/')[2], split((!empty(monitoringWorkspaceId) ? monitoringWorkspaceId : '////'), '/')[4])
-}
-
-module vmss_azureMonitorAgentExtension 'extension/main.bicep' = if (extensionMonitoringAgentConfig.enabled) {
- name: '${uniqueString(deployment().name, location)}-VMSS-AzureMonitorAgent'
- params: {
- virtualMachineScaleSetName: vmss.name
- name: 'AzureMonitorAgent'
- publisher: 'Microsoft.Azure.Monitor'
- type: osType == 'Windows' ? 'AzureMonitorWindowsAgent' : 'AzureMonitorLinuxAgent'
- typeHandlerVersion: contains(extensionMonitoringAgentConfig, 'typeHandlerVersion') ? extensionMonitoringAgentConfig.typeHandlerVersion : (osType == 'Windows' ? '1.0' : '1.7')
- autoUpgradeMinorVersion: contains(extensionMonitoringAgentConfig, 'autoUpgradeMinorVersion') ? extensionMonitoringAgentConfig.autoUpgradeMinorVersion : true
- enableAutomaticUpgrade: contains(extensionMonitoringAgentConfig, 'enableAutomaticUpgrade') ? extensionMonitoringAgentConfig.enableAutomaticUpgrade : false
- settings: {
- workspaceId: !empty(monitoringWorkspaceId) ?
reference(vmss_logAnalyticsWorkspace.id, vmss_logAnalyticsWorkspace.apiVersion).customerId : ''
- }
- protectedSettings: {
- workspaceKey: !empty(monitoringWorkspaceId) ? vmss_logAnalyticsWorkspace.listKeys().primarySharedKey : ''
- }
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module vmss_dependencyAgentExtension 'extension/main.bicep' = if (extensionDependencyAgentConfig.enabled) {
- name: '${uniqueString(deployment().name, location)}-VMSS-DependencyAgent'
- params: {
- virtualMachineScaleSetName: vmss.name
- name: 'DependencyAgent'
- publisher: 'Microsoft.Azure.Monitoring.DependencyAgent'
- type: osType == 'Windows' ? 'DependencyAgentWindows' : 'DependencyAgentLinux'
- typeHandlerVersion: contains(extensionDependencyAgentConfig, 'typeHandlerVersion') ? extensionDependencyAgentConfig.typeHandlerVersion : '9.5'
- autoUpgradeMinorVersion: contains(extensionDependencyAgentConfig, 'autoUpgradeMinorVersion') ? extensionDependencyAgentConfig.autoUpgradeMinorVersion : true
- enableAutomaticUpgrade: contains(extensionDependencyAgentConfig, 'enableAutomaticUpgrade') ? extensionDependencyAgentConfig.enableAutomaticUpgrade : true
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module vmss_networkWatcherAgentExtension 'extension/main.bicep' = if (extensionNetworkWatcherAgentConfig.enabled) {
- name: '${uniqueString(deployment().name, location)}-VMSS-NetworkWatcherAgent'
- params: {
- virtualMachineScaleSetName: vmss.name
- name: 'NetworkWatcherAgent'
- publisher: 'Microsoft.Azure.NetworkWatcher'
- type: osType == 'Windows' ? 'NetworkWatcherAgentWindows' : 'NetworkWatcherAgentLinux'
- typeHandlerVersion: contains(extensionNetworkWatcherAgentConfig, 'typeHandlerVersion') ? extensionNetworkWatcherAgentConfig.typeHandlerVersion : '1.4'
- autoUpgradeMinorVersion: contains(extensionNetworkWatcherAgentConfig, 'autoUpgradeMinorVersion') ?
extensionNetworkWatcherAgentConfig.autoUpgradeMinorVersion : true
- enableAutomaticUpgrade: contains(extensionNetworkWatcherAgentConfig, 'enableAutomaticUpgrade') ? extensionNetworkWatcherAgentConfig.enableAutomaticUpgrade : false
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module vmss_desiredStateConfigurationExtension 'extension/main.bicep' = if (extensionDSCConfig.enabled) {
- name: '${uniqueString(deployment().name, location)}-VMSS-DesiredStateConfiguration'
- params: {
- virtualMachineScaleSetName: vmss.name
- name: 'DesiredStateConfiguration'
- publisher: 'Microsoft.Powershell'
- type: 'DSC'
- typeHandlerVersion: contains(extensionDSCConfig, 'typeHandlerVersion') ? extensionDSCConfig.typeHandlerVersion : '2.77'
- autoUpgradeMinorVersion: contains(extensionDSCConfig, 'autoUpgradeMinorVersion') ? extensionDSCConfig.autoUpgradeMinorVersion : true
- enableAutomaticUpgrade: contains(extensionDSCConfig, 'enableAutomaticUpgrade') ? extensionDSCConfig.enableAutomaticUpgrade : false
- settings: contains(extensionDSCConfig, 'settings') ? extensionDSCConfig.settings : {}
- protectedSettings: contains(extensionDSCConfig, 'protectedSettings') ? extensionDSCConfig.protectedSettings : {}
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module vmss_customScriptExtension 'extension/main.bicep' = if (extensionCustomScriptConfig.enabled) {
- name: '${uniqueString(deployment().name, location)}-VMSS-CustomScriptExtension'
- params: {
- virtualMachineScaleSetName: vmss.name
- name: 'CustomScriptExtension'
- publisher: osType == 'Windows' ? 'Microsoft.Compute' : 'Microsoft.Azure.Extensions'
- type: osType == 'Windows' ? 'CustomScriptExtension' : 'CustomScript'
- typeHandlerVersion: contains(extensionCustomScriptConfig, 'typeHandlerVersion') ? extensionCustomScriptConfig.typeHandlerVersion : (osType == 'Windows' ? '1.10' : '2.1')
- autoUpgradeMinorVersion: contains(extensionCustomScriptConfig, 'autoUpgradeMinorVersion') ?
extensionCustomScriptConfig.autoUpgradeMinorVersion : true
- enableAutomaticUpgrade: contains(extensionCustomScriptConfig, 'enableAutomaticUpgrade') ? extensionCustomScriptConfig.enableAutomaticUpgrade : false
- settings: {
- fileUris: [for fileData in extensionCustomScriptConfig.fileData: contains(fileData, 'storageAccountId') ? '${fileData.uri}?${listAccountSas(fileData.storageAccountId, '2019-04-01', accountSasProperties).accountSasToken}' : fileData.uri]
- }
- protectedSettings: contains(extensionCustomScriptConfig, 'protectedSettings') ? extensionCustomScriptConfig.protectedSettings : {}
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
- dependsOn: [
- vmss_desiredStateConfigurationExtension
- ]
-}
-
-module vmss_azureDiskEncryptionExtension 'extension/main.bicep' = if (extensionAzureDiskEncryptionConfig.enabled) {
- name: '${uniqueString(deployment().name, location)}-VMSS-AzureDiskEncryption'
- params: {
- virtualMachineScaleSetName: vmss.name
- name: 'AzureDiskEncryption'
- publisher: 'Microsoft.Azure.Security'
- type: osType == 'Windows' ? 'AzureDiskEncryption' : 'AzureDiskEncryptionForLinux'
- typeHandlerVersion: contains(extensionAzureDiskEncryptionConfig, 'typeHandlerVersion') ? extensionAzureDiskEncryptionConfig.typeHandlerVersion : (osType == 'Windows' ? '2.2' : '1.1')
- autoUpgradeMinorVersion: contains(extensionAzureDiskEncryptionConfig, 'autoUpgradeMinorVersion') ? extensionAzureDiskEncryptionConfig.autoUpgradeMinorVersion : true
- enableAutomaticUpgrade: contains(extensionAzureDiskEncryptionConfig, 'enableAutomaticUpgrade') ? extensionAzureDiskEncryptionConfig.enableAutomaticUpgrade : false
- forceUpdateTag: contains(extensionAzureDiskEncryptionConfig, 'forceUpdateTag') ?
extensionAzureDiskEncryptionConfig.forceUpdateTag : '1.0' - settings: extensionAzureDiskEncryptionConfig.settings - enableDefaultTelemetry: enableReferencedModulesTelemetry - } - dependsOn: [ - vmss_customScriptExtension - vmss_azureMonitorAgentExtension - ] -} - -resource vmss_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' - } - scope: vmss -} - -resource vmss_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { - name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' - properties: { - storageAccountId: diagnosticSetting.?storageAccountResourceId - workspaceId: diagnosticSetting.?workspaceResourceId - eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId - eventHubName: diagnosticSetting.?eventHubName - metrics: diagnosticSetting.?metricCategories ?? [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - } - ] - marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId - logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType - } - scope: vmss -}] - -resource vmss_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(vmss.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? 
roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: vmss -}] - -@description('The resource ID of the virtual machine scale set.') -output resourceId string = vmss.id - -@description('The resource group of the virtual machine scale set.') -output resourceGroupName string = resourceGroup().name - -@description('The name of the virtual machine scale set.') -output name string = vmss.name - -@description('The principal ID of the system assigned identity.') -output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(vmss.identity, 'principalId') ? vmss.identity.principalId : '' - -@description('The location the resource was deployed into.') -output location string = vmss.location - -// =============== // -// Definitions // -// =============== // - -type managedIdentitiesType = { - @description('Optional. Enables system assigned managed identity on the resource.') - systemAssigned: bool? - - @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourceIds: string[]? -}? - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? - -type diagnosticSettingType = { - @description('Optional. The name of diagnostic setting.') - name: string? - - @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') - metricCategories: { - @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') - category: string - }[]? - - @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? - - @description('Optional. Resource ID of the diagnostic log analytics workspace. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - workspaceResourceId: string? - - @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - storageAccountResourceId: string? - - @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') - eventHubAuthorizationRuleResourceId: string? - - @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - eventHubName: string? - - @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') - marketplacePartnerResourceId: string? -}[]? diff --git a/modules/compute/virtual-machine-scale-set/main.json b/modules/compute/virtual-machine-scale-set/main.json deleted file mode 100644 index 107c9cd3ab..0000000000 --- a/modules/compute/virtual-machine-scale-set/main.json +++ /dev/null 
@@ -1,2522 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "4789140627838282506" - }, - "name": "Virtual Machine Scale Sets", - "description": "This module deploys a Virtual Machine Scale Set.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." 
- } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." 
- } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the VMSS." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "encryptionAtHost": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to True. Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your virtual machine scale sets." - } - }, - "securityType": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies the SecurityType of the virtual machine scale set. It is set as TrustedLaunch to enable UefiSettings." - } - }, - "secureBootEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether secure boot should be enabled on the virtual machine scale set. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings." - } - }, - "vTpmEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether vTPM should be enabled on the virtual machine scale set. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings." - } - }, - "imageReference": { - "type": "object", - "metadata": { - "description": "Required. OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. 
In case of custom images it's the resource ID of the custom image." - } - }, - "plan": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use." - } - }, - "osDisk": { - "type": "object", - "metadata": { - "description": "Required. Specifies the OS disk. For security reasons, it is recommended to specify DiskEncryptionSet into the osDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets." - } - }, - "dataDisks": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specifies the data disks. For security reasons, it is recommended to specify DiskEncryptionSet into the dataDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets." - } - }, - "ultraSSDEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled." - } - }, - "adminUsername": { - "type": "securestring", - "metadata": { - "description": "Required. Administrator username." - } - }, - "adminPassword": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. When specifying a Windows Virtual Machine, this value should be passed." 
- } - }, - "customData": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "scaleSetFaultDomain": { - "type": "int", - "defaultValue": 2, - "metadata": { - "description": "Optional. Fault Domain count for each placement group." - } - }, - "proximityPlacementGroupResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of a proximity placement group." - } - }, - "nicConfigurations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Required. Configures NICs and PIPs." - } - }, - "vmPriority": { - "type": "string", - "defaultValue": "Regular", - "allowedValues": [ - "Regular", - "Low", - "Spot" - ], - "metadata": { - "description": "Optional. Specifies the priority for the virtual machine." - } - }, - "enableEvictionPolicy": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies the eviction policy for the low priority virtual machine. Will result in 'Deallocate' eviction policy." - } - }, - "maxPriceForLowPriorityVm": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars." - } - }, - "licenseType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "Windows_Client", - "Windows_Server", - "" - ], - "metadata": { - "description": "Optional. Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system." 
- } - }, - "extensionDomainJoinPassword": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. Required if name is specified. Password of the user specified in user parameter." - } - }, - "extensionDomainJoinConfig": { - "type": "object", - "defaultValue": { - "enabled": false - }, - "metadata": { - "description": "Optional. The configuration for the [Domain Join] extension. Must at least contain the [\"enabled\": true] property to be executed." - } - }, - "extensionAntiMalwareConfig": { - "type": "object", - "defaultValue": { - "enabled": false - }, - "metadata": { - "description": "Optional. The configuration for the [Anti Malware] extension. Must at least contain the [\"enabled\": true] property to be executed." - } - }, - "extensionMonitoringAgentConfig": { - "type": "object", - "defaultValue": { - "enabled": false - }, - "metadata": { - "description": "Optional. The configuration for the [Monitoring Agent] extension. Must at least contain the [\"enabled\": true] property to be executed." - } - }, - "monitoringWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the monitoring log analytics workspace." - } - }, - "extensionDependencyAgentConfig": { - "type": "object", - "defaultValue": { - "enabled": false - }, - "metadata": { - "description": "Optional. The configuration for the [Dependency Agent] extension. Must at least contain the [\"enabled\": true] property to be executed." - } - }, - "extensionNetworkWatcherAgentConfig": { - "type": "object", - "defaultValue": { - "enabled": false - }, - "metadata": { - "description": "Optional. The configuration for the [Network Watcher Agent] extension. Must at least contain the [\"enabled\": true] property to be executed." - } - }, - "extensionAzureDiskEncryptionConfig": { - "type": "object", - "defaultValue": { - "enabled": false - }, - "metadata": { - "description": "Optional. 
The configuration for the [Azure Disk Encryption] extension. Must at least contain the [\"enabled\": true] property to be executed. Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys." - } - }, - "extensionDSCConfig": { - "type": "object", - "defaultValue": { - "enabled": false - }, - "metadata": { - "description": "Optional. The configuration for the [Desired State Configuration] extension. Must at least contain the [\"enabled\": true] property to be executed." - } - }, - "extensionCustomScriptConfig": { - "type": "object", - "defaultValue": { - "enabled": false, - "fileData": [] - }, - "metadata": { - "description": "Optional. The configuration for the [Custom Script] extension. Must at least contain the [\"enabled\": true] property to be executed." - } - }, - "bootDiagnosticStorageAccountUri": { - "type": "string", - "defaultValue": "[format('.blob.{0}/', environment().suffixes.storage)]", - "metadata": { - "description": "Optional. Storage account boot diagnostic base URI." - } - }, - "bootDiagnosticStorageAccountName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Storage account used to store boot diagnostic information. Boot diagnostics will be disabled if no value is provided." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "upgradePolicyMode": { - "type": "string", - "defaultValue": "Manual", - "allowedValues": [ - "Manual", - "Automatic", - "Rolling" - ], - "metadata": { - "description": "Optional. Specifies the mode of an upgrade to virtual machines in the scale set.' 
Manual - You control the application of updates to virtual machines in the scale set. You do this by using the manualUpgrade action. ; Automatic - All virtual machines in the scale set are automatically updated at the same time. - Automatic, Manual, Rolling." - } - }, - "maxBatchInstancePercent": { - "type": "int", - "defaultValue": 20, - "metadata": { - "description": "Optional. The maximum percent of total virtual machine instances that will be upgraded simultaneously by the rolling upgrade in one batch. As this is a maximum, unhealthy instances in previous or future batches can cause the percentage of instances in a batch to decrease to ensure higher reliability." - } - }, - "maxUnhealthyInstancePercent": { - "type": "int", - "defaultValue": 20, - "metadata": { - "description": "Optional. The maximum percentage of the total virtual machine instances in the scale set that can be simultaneously unhealthy, either as a result of being upgraded, or by being found in an unhealthy state by the virtual machine health checks before the rolling upgrade aborts. This constraint will be checked prior to starting any batch." - } - }, - "maxUnhealthyUpgradedInstancePercent": { - "type": "int", - "defaultValue": 20, - "metadata": { - "description": "Optional. The maximum percentage of the total virtual machine instances in the scale set that can be simultaneously unhealthy, either as a result of being upgraded, or by being found in an unhealthy state by the virtual machine health checks before the rolling upgrade aborts. This constraint will be checked prior to starting any batch." - } - }, - "pauseTimeBetweenBatches": { - "type": "string", - "defaultValue": "PT0S", - "metadata": { - "description": "Optional. The wait time between completing the update for all virtual machines in one batch and starting the next batch. The time duration should be specified in ISO 8601 format." 
- } - }, - "enableAutomaticOSUpgrade": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates whether OS upgrades should automatically be applied to scale set instances in a rolling fashion when a newer version of the OS image becomes available. Default value is false. If this is set to true for Windows based scale sets, enableAutomaticUpdates is automatically set to false and cannot be set to true." - } - }, - "disableAutomaticRollback": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether OS image rollback feature should be disabled." - } - }, - "automaticRepairsPolicyEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether automatic repairs should be enabled on the virtual machine scale set." - } - }, - "gracePeriod": { - "type": "string", - "defaultValue": "PT30M", - "metadata": { - "description": "Optional. The amount of time for which automatic repairs are suspended due to a state change on VM. The grace time starts after the state change has completed. This helps avoid premature or accidental repairs. The time duration should be specified in ISO 8601 format. The minimum allowed grace period is 30 minutes (PT30M). The maximum allowed grace period is 90 minutes (PT90M)." - } - }, - "vmNamePrefix": { - "type": "string", - "defaultValue": "vmssvm", - "minLength": 1, - "maxLength": 15, - "metadata": { - "description": "Optional. Specifies the computer name prefix for all of the virtual machines in the scale set." - } - }, - "provisionVMAgent": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later." 
- } - }, - "enableAutomaticUpdates": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning." - } - }, - "timeZone": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies the time zone of the virtual machine. e.g. 'Pacific Standard Time'. Possible values can be `TimeZoneInfo.id` value from time zones returned by `TimeZoneInfo.GetSystemTimeZones`." - } - }, - "additionalUnattendContent": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specifies additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup. - AdditionalUnattendContent object." - } - }, - "winRM": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. - WinRMConfiguration object." - } - }, - "disablePasswordAuthentication": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether password authentication should be disabled." - } - }, - "publicKeys": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of SSH public keys used to authenticate with linux based VMs." - } - }, - "secrets": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specifies set of certificates that should be installed onto the virtual machines in the scale set." - } - }, - "scheduledEventsProfile": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Specifies Scheduled Event related configurations." 
- } - }, - "overprovision": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether the Virtual Machine Scale Set should be overprovisioned." - } - }, - "doNotRunExtensionsOnOverprovisionedVMs": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. When Overprovision is enabled, extensions are launched only on the requested number of VMs which are finally kept. This property will hence ensure that the extensions do not run on the extra overprovisioned VMs." - } - }, - "zoneBalance": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether to force strictly even Virtual Machine distribution cross x-zones in case there is zone outage." - } - }, - "singlePlacementGroup": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. When true this limits the scale set to a single placement group, of max size 100 virtual machines. NOTE: If singlePlacementGroup is true, it may be modified to false. However, if singlePlacementGroup is false, it may not be modified to true." - } - }, - "scaleInPolicy": { - "type": "object", - "defaultValue": { - "rules": [ - "Default" - ] - }, - "metadata": { - "description": "Optional. Specifies the scale-in policy that decides which virtual machines are chosen for removal when a Virtual Machine Scale Set is scaled-in." - } - }, - "skuName": { - "type": "string", - "metadata": { - "description": "Required. The SKU size of the VMs." - } - }, - "skuCapacity": { - "type": "int", - "defaultValue": 1, - "metadata": { - "description": "Optional. The initial instance count of scale set VMs." - } - }, - "availabilityZones": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The virtual machine scale set zones. NOTE: Availability zones can only be set when you create the scale set." 
- } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "osType": { - "type": "string", - "allowedValues": [ - "Windows", - "Linux" - ], - "metadata": { - "description": "Required. The chosen OS type." - } - }, - "baseTime": { - "type": "string", - "defaultValue": "[utcNow('u')]", - "metadata": { - "description": "Generated. Do not provide a value! This date value is used to generate a registration token." - } - }, - "sasTokenValidityLength": { - "type": "string", - "defaultValue": "PT8H", - "metadata": { - "description": "Optional. SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "publicKeysFormatted", - "count": "[length(parameters('publicKeys'))]", - "input": { - "path": "[parameters('publicKeys')[copyIndex('publicKeysFormatted')].path]", - "keyData": "[parameters('publicKeys')[copyIndex('publicKeysFormatted')].keyData]" - } - } - ], - "linuxConfiguration": { - "disablePasswordAuthentication": "[parameters('disablePasswordAuthentication')]", - "ssh": { - "publicKeys": "[variables('publicKeysFormatted')]" - }, - "provisionVMAgent": "[parameters('provisionVMAgent')]" - }, - "windowsConfiguration": { - "provisionVMAgent": "[parameters('provisionVMAgent')]", - "enableAutomaticUpdates": "[parameters('enableAutomaticUpdates')]", - "timeZone": "[if(empty(parameters('timeZone')), null(), parameters('timeZone'))]", - "additionalUnattendContent": "[if(empty(parameters('additionalUnattendContent')), null(), parameters('additionalUnattendContent'))]", - "winRM": "[if(not(empty(parameters('winRM'))), createObject('listeners', parameters('winRM')), null())]" - }, - "accountSasProperties": { - "signedServices": "b", - "signedPermission": "r", - "signedExpiry": "[dateTimeAdd(parameters('baseTime'), parameters('sasTokenValidityLength'))]", - "signedResourceTypes": "o", - "signedProtocol": "https" - }, - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 
'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Data Operator for Managed Disks": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e')]", - "Desktop Virtualization Power On Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33')]", - "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "Disk Backup Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24')]", - "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]", - "Disk Restore Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13')]", - "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role 
Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "VM Scanner Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "vmss": { - "type": "Microsoft.Compute/virtualMachineScaleSets", - "apiVersion": "2022-11-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "zones": "[parameters('availabilityZones')]", - "properties": { - "proximityPlacementGroup": "[if(not(empty(parameters('proximityPlacementGroupResourceId'))), createObject('id', parameters('proximityPlacementGroupResourceId')), null())]", - "upgradePolicy": { - "mode": "[parameters('upgradePolicyMode')]", - "rollingUpgradePolicy": { - 
"maxBatchInstancePercent": "[parameters('maxBatchInstancePercent')]", - "maxUnhealthyInstancePercent": "[parameters('maxUnhealthyInstancePercent')]", - "maxUnhealthyUpgradedInstancePercent": "[parameters('maxUnhealthyUpgradedInstancePercent')]", - "pauseTimeBetweenBatches": "[parameters('pauseTimeBetweenBatches')]" - }, - "automaticOSUpgradePolicy": { - "enableAutomaticOSUpgrade": "[parameters('enableAutomaticOSUpgrade')]", - "disableAutomaticRollback": "[parameters('disableAutomaticRollback')]" - } - }, - "automaticRepairsPolicy": { - "enabled": "[parameters('automaticRepairsPolicyEnabled')]", - "gracePeriod": "[parameters('gracePeriod')]" - }, - "virtualMachineProfile": { - "osProfile": { - "computerNamePrefix": "[parameters('vmNamePrefix')]", - "adminUsername": "[parameters('adminUsername')]", - "adminPassword": "[if(not(empty(parameters('adminPassword'))), parameters('adminPassword'), null())]", - "customData": "[if(not(empty(parameters('customData'))), base64(parameters('customData')), null())]", - "windowsConfiguration": "[if(equals(parameters('osType'), 'Windows'), variables('windowsConfiguration'), null())]", - "linuxConfiguration": "[if(equals(parameters('osType'), 'Linux'), variables('linuxConfiguration'), null())]", - "secrets": "[parameters('secrets')]" - }, - "securityProfile": { - "encryptionAtHost": "[if(parameters('encryptionAtHost'), parameters('encryptionAtHost'), null())]", - "securityType": "[parameters('securityType')]", - "uefiSettings": "[if(equals(parameters('securityType'), 'TrustedLaunch'), createObject('secureBootEnabled', parameters('secureBootEnabled'), 'vTpmEnabled', parameters('vTpmEnabled')), null())]" - }, - "storageProfile": { - "copy": [ - { - "name": "dataDisks", - "count": "[length(parameters('dataDisks'))]", - "input": { - "lun": "[copyIndex('dataDisks')]", - "diskSizeGB": "[parameters('dataDisks')[copyIndex('dataDisks')].diskSizeGB]", - "createOption": "[parameters('dataDisks')[copyIndex('dataDisks')].createOption]", - 
"caching": "[parameters('dataDisks')[copyIndex('dataDisks')].caching]", - "writeAcceleratorEnabled": "[if(contains(parameters('osDisk'), 'writeAcceleratorEnabled'), parameters('osDisk').writeAcceleratorEnabled, null())]", - "managedDisk": { - "storageAccountType": "[parameters('dataDisks')[copyIndex('dataDisks')].managedDisk.storageAccountType]", - "diskEncryptionSet": "[if(contains(parameters('dataDisks')[copyIndex('dataDisks')].managedDisk, 'diskEncryptionSet'), createObject('id', parameters('dataDisks')[copyIndex('dataDisks')].managedDisk.diskEncryptionSet.id), null())]" - }, - "diskIOPSReadWrite": "[if(contains(parameters('osDisk'), 'diskIOPSReadWrite'), parameters('dataDisks')[copyIndex('dataDisks')].diskIOPSReadWrite, null())]", - "diskMBpsReadWrite": "[if(contains(parameters('osDisk'), 'diskMBpsReadWrite'), parameters('dataDisks')[copyIndex('dataDisks')].diskMBpsReadWrite, null())]" - } - } - ], - "imageReference": "[parameters('imageReference')]", - "osDisk": { - "createOption": "[parameters('osDisk').createOption]", - "diskSizeGB": "[parameters('osDisk').diskSizeGB]", - "caching": "[if(contains(parameters('osDisk'), 'caching'), parameters('osDisk').caching, null())]", - "writeAcceleratorEnabled": "[if(contains(parameters('osDisk'), 'writeAcceleratorEnabled'), parameters('osDisk').writeAcceleratorEnabled, null())]", - "diffDiskSettings": "[if(contains(parameters('osDisk'), 'diffDiskSettings'), parameters('osDisk').diffDiskSettings, null())]", - "osType": "[if(contains(parameters('osDisk'), 'osType'), parameters('osDisk').osType, null())]", - "image": "[if(contains(parameters('osDisk'), 'image'), parameters('osDisk').image, null())]", - "vhdContainers": "[if(contains(parameters('osDisk'), 'vhdContainers'), parameters('osDisk').vhdContainers, null())]", - "managedDisk": { - "storageAccountType": "[parameters('osDisk').managedDisk.storageAccountType]", - "diskEncryptionSet": "[if(contains(parameters('osDisk').managedDisk, 'diskEncryptionSet'), 
createObject('id', parameters('osDisk').managedDisk.diskEncryptionSet.id), null())]" - } - } - }, - "networkProfile": { - "copy": [ - { - "name": "networkInterfaceConfigurations", - "count": "[length(parameters('nicConfigurations'))]", - "input": { - "name": "[format('{0}{1}configuration-{2}', parameters('name'), parameters('nicConfigurations')[copyIndex('networkInterfaceConfigurations')].nicSuffix, copyIndex('networkInterfaceConfigurations'))]", - "properties": { - "primary": "[if(equals(copyIndex('networkInterfaceConfigurations'), 0), true(), null())]", - "enableAcceleratedNetworking": "[if(contains(parameters('nicConfigurations')[copyIndex('networkInterfaceConfigurations')], 'enableAcceleratedNetworking'), parameters('nicConfigurations')[copyIndex('networkInterfaceConfigurations')].enableAcceleratedNetworking, true())]", - "networkSecurityGroup": "[if(contains(parameters('nicConfigurations')[copyIndex('networkInterfaceConfigurations')], 'nsgId'), createObject('id', parameters('nicConfigurations')[copyIndex('networkInterfaceConfigurations')].nsgId), null())]", - "ipConfigurations": "[parameters('nicConfigurations')[copyIndex('networkInterfaceConfigurations')].ipConfigurations]" - } - } - } - ] - }, - "diagnosticsProfile": { - "bootDiagnostics": { - "enabled": "[not(empty(parameters('bootDiagnosticStorageAccountName')))]", - "storageUri": "[if(not(empty(parameters('bootDiagnosticStorageAccountName'))), format('https://{0}{1}', parameters('bootDiagnosticStorageAccountName'), parameters('bootDiagnosticStorageAccountUri')), null())]" - } - }, - "licenseType": "[if(empty(parameters('licenseType')), null(), parameters('licenseType'))]", - "priority": "[parameters('vmPriority')]", - "evictionPolicy": "[if(parameters('enableEvictionPolicy'), 'Deallocate', null())]", - "billingProfile": "[if(and(not(empty(parameters('vmPriority'))), not(empty(parameters('maxPriceForLowPriorityVm')))), createObject('maxPrice', parameters('maxPriceForLowPriorityVm')), null())]", - 
"scheduledEventsProfile": "[parameters('scheduledEventsProfile')]" - }, - "overprovision": "[parameters('overprovision')]", - "doNotRunExtensionsOnOverprovisionedVMs": "[parameters('doNotRunExtensionsOnOverprovisionedVMs')]", - "zoneBalance": "[if(equals(parameters('zoneBalance'), 'true'), parameters('zoneBalance'), null())]", - "platformFaultDomainCount": "[parameters('scaleSetFaultDomain')]", - "singlePlacementGroup": "[parameters('singlePlacementGroup')]", - "additionalCapabilities": { - "ultraSSDEnabled": "[parameters('ultraSSDEnabled')]" - }, - "scaleInPolicy": "[parameters('scaleInPolicy')]" - }, - "sku": { - "name": "[parameters('skuName')]", - "capacity": "[parameters('skuCapacity')]" - }, - "plan": "[if(not(empty(parameters('plan'))), parameters('plan'), null())]" - }, - "vmss_logAnalyticsWorkspace": { - "condition": "[not(empty(parameters('monitoringWorkspaceId')))]", - "existing": true, - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2021-06-01", - "subscriptionId": "[split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), '////'), '/')[4]]", - "name": "[last(split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), 'law'), '/'))]" - }, - "vmss_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Compute/virtualMachineScaleSets/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete 
resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "vmss" - ] - }, - "vmss_diagnosticSettings": { - "copy": { - "name": "vmss_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Compute/virtualMachineScaleSets/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "vmss" - ] - }, - "vmss_roleAssignments": { - "copy": { - "name": "vmss_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": 
"[format('Microsoft.Compute/virtualMachineScaleSets/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "vmss" - ] - }, - "vmss_domainJoinExtension": { - 
"condition": "[parameters('extensionDomainJoinConfig').enabled]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-VMSS-DomainJoin', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "virtualMachineScaleSetName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "DomainJoin" - }, - "publisher": { - "value": "Microsoft.Compute" - }, - "type": { - "value": "JsonADDomainExtension" - }, - "typeHandlerVersion": "[if(contains(parameters('extensionDomainJoinConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionDomainJoinConfig').typeHandlerVersion), createObject('value', '1.3'))]", - "autoUpgradeMinorVersion": "[if(contains(parameters('extensionDomainJoinConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionDomainJoinConfig').autoUpgradeMinorVersion), createObject('value', true()))]", - "enableAutomaticUpgrade": "[if(contains(parameters('extensionDomainJoinConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionDomainJoinConfig').enableAutomaticUpgrade), createObject('value', false()))]", - "settings": { - "value": "[parameters('extensionDomainJoinConfig').settings]" - }, - "protectedSettings": { - "value": { - "Password": "[parameters('extensionDomainJoinPassword')]" - } - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "11750050808770259539" - }, - "name": "Virtual Machine Scale Set Extensions", - "description": "This module deploys a Virtual Machine Scale Set Extension.", - "owner": "Azure/module-maintainers" - 
}, - "parameters": { - "virtualMachineScaleSetName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent virtual machine scale set that extension is provisioned for. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the virtual machine scale set extension." - } - }, - "publisher": { - "type": "string", - "metadata": { - "description": "Required. The name of the extension handler publisher." - } - }, - "type": { - "type": "string", - "metadata": { - "description": "Required. Specifies the type of the extension; an example is \"CustomScriptExtension\"." - } - }, - "typeHandlerVersion": { - "type": "string", - "metadata": { - "description": "Required. Specifies the version of the script handler." - } - }, - "autoUpgradeMinorVersion": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true." - } - }, - "forceUpdateTag": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed." - } - }, - "settings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific settings." - } - }, - "protectedSettings": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific protected settings." - } - }, - "supressFailures": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. 
Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false." - } - }, - "enableAutomaticUpgrade": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}', parameters('virtualMachineScaleSetName'), parameters('name'))]", - "properties": { - "publisher": "[parameters('publisher')]", - "type": "[parameters('type')]", - "typeHandlerVersion": "[parameters('typeHandlerVersion')]", - "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", - "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": "[if(not(empty(parameters('forceUpdateTag'))), parameters('forceUpdateTag'), null())]", - "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", - "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", - "suppressFailures": "[parameters('supressFailures')]" - } - } - ], - 
"outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the extension." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The ResourceId of the extension." - }, - "value": "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('virtualMachineScaleSetName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the extension was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "vmss" - ] - }, - "vmss_microsoftAntiMalwareExtension": { - "condition": "[parameters('extensionAntiMalwareConfig').enabled]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-VMSS-MicrosoftAntiMalware', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "virtualMachineScaleSetName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "MicrosoftAntiMalware" - }, - "publisher": { - "value": "Microsoft.Azure.Security" - }, - "type": { - "value": "IaaSAntimalware" - }, - "typeHandlerVersion": "[if(contains(parameters('extensionAntiMalwareConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionAntiMalwareConfig').typeHandlerVersion), createObject('value', '1.3'))]", - "autoUpgradeMinorVersion": "[if(contains(parameters('extensionAntiMalwareConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionAntiMalwareConfig').autoUpgradeMinorVersion), createObject('value', true()))]", - "enableAutomaticUpgrade": "[if(contains(parameters('extensionAntiMalwareConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionAntiMalwareConfig').enableAutomaticUpgrade), createObject('value', false()))]", - "settings": { 
- "value": "[parameters('extensionAntiMalwareConfig').settings]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "11750050808770259539" - }, - "name": "Virtual Machine Scale Set Extensions", - "description": "This module deploys a Virtual Machine Scale Set Extension.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "virtualMachineScaleSetName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent virtual machine scale set that extension is provisioned for. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the virtual machine scale set extension." - } - }, - "publisher": { - "type": "string", - "metadata": { - "description": "Required. The name of the extension handler publisher." - } - }, - "type": { - "type": "string", - "metadata": { - "description": "Required. Specifies the type of the extension; an example is \"CustomScriptExtension\"." - } - }, - "typeHandlerVersion": { - "type": "string", - "metadata": { - "description": "Required. Specifies the version of the script handler." - } - }, - "autoUpgradeMinorVersion": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true." - } - }, - "forceUpdateTag": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
How the extension handler should be forced to update even if the extension configuration has not changed." - } - }, - "settings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific settings." - } - }, - "protectedSettings": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific protected settings." - } - }, - "supressFailures": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false." - } - }, - "enableAutomaticUpgrade": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}', parameters('virtualMachineScaleSetName'), parameters('name'))]", - "properties": { - "publisher": "[parameters('publisher')]", - "type": "[parameters('type')]", - "typeHandlerVersion": "[parameters('typeHandlerVersion')]", - "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", - "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": "[if(not(empty(parameters('forceUpdateTag'))), parameters('forceUpdateTag'), null())]", - "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", - "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", - "suppressFailures": "[parameters('supressFailures')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the extension." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The ResourceId of the extension." - }, - "value": "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('virtualMachineScaleSetName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the extension was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "vmss" - ] - }, - "vmss_azureMonitorAgentExtension": { - "condition": "[parameters('extensionMonitoringAgentConfig').enabled]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-VMSS-AzureMonitorAgent', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "virtualMachineScaleSetName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "AzureMonitorAgent" - }, - "publisher": { - "value": "Microsoft.Azure.Monitor" - }, - "type": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'AzureMonitorWindowsAgent'), createObject('value', 'AzureMonitorLinuxAgent'))]", - "typeHandlerVersion": "[if(contains(parameters('extensionMonitoringAgentConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionMonitoringAgentConfig').typeHandlerVersion), if(equals(parameters('osType'), 'Windows'), createObject('value', '1.0'), createObject('value', '1.7')))]", - "autoUpgradeMinorVersion": "[if(contains(parameters('extensionMonitoringAgentConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionMonitoringAgentConfig').autoUpgradeMinorVersion), createObject('value', true()))]", - "enableAutomaticUpgrade": "[if(contains(parameters('extensionMonitoringAgentConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionMonitoringAgentConfig').enableAutomaticUpgrade), createObject('value', false()))]", - "settings": { - "value": { - "workspaceId": "[if(not(empty(parameters('monitoringWorkspaceId'))), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), '//'), '/')[2], split(if(not(empty(parameters('monitoringWorkspaceId'))), 
parameters('monitoringWorkspaceId'), '////'), '/')[4]), 'Microsoft.OperationalInsights/workspaces', last(split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), 'law'), '/'))), '2021-06-01').customerId, '')]" - } - }, - "protectedSettings": { - "value": { - "workspaceKey": "[if(not(empty(parameters('monitoringWorkspaceId'))), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), '//'), '/')[2], split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), '////'), '/')[4]), 'Microsoft.OperationalInsights/workspaces', last(split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), 'law'), '/'))), '2021-06-01').primarySharedKey, '')]" - } - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "11750050808770259539" - }, - "name": "Virtual Machine Scale Set Extensions", - "description": "This module deploys a Virtual Machine Scale Set Extension.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "virtualMachineScaleSetName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent virtual machine scale set that extension is provisioned for. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the virtual machine scale set extension." - } - }, - "publisher": { - "type": "string", - "metadata": { - "description": "Required. The name of the extension handler publisher." 
- } - }, - "type": { - "type": "string", - "metadata": { - "description": "Required. Specifies the type of the extension; an example is \"CustomScriptExtension\"." - } - }, - "typeHandlerVersion": { - "type": "string", - "metadata": { - "description": "Required. Specifies the version of the script handler." - } - }, - "autoUpgradeMinorVersion": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true." - } - }, - "forceUpdateTag": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed." - } - }, - "settings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific settings." - } - }, - "protectedSettings": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific protected settings." - } - }, - "supressFailures": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false." - } - }, - "enableAutomaticUpgrade": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}', parameters('virtualMachineScaleSetName'), parameters('name'))]", - "properties": { - "publisher": "[parameters('publisher')]", - "type": "[parameters('type')]", - "typeHandlerVersion": "[parameters('typeHandlerVersion')]", - "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", - "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": "[if(not(empty(parameters('forceUpdateTag'))), parameters('forceUpdateTag'), null())]", - "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", - "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", - "suppressFailures": "[parameters('supressFailures')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the extension." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The ResourceId of the extension." - }, - "value": "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('virtualMachineScaleSetName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the extension was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "vmss", - "vmss_logAnalyticsWorkspace" - ] - }, - "vmss_dependencyAgentExtension": { - "condition": "[parameters('extensionDependencyAgentConfig').enabled]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-VMSS-DependencyAgent', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "virtualMachineScaleSetName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "DependencyAgent" - }, - "publisher": { - "value": "Microsoft.Azure.Monitoring.DependencyAgent" - }, - "type": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'DependencyAgentWindows'), createObject('value', 'DependencyAgentLinux'))]", - "typeHandlerVersion": "[if(contains(parameters('extensionDependencyAgentConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionDependencyAgentConfig').typeHandlerVersion), createObject('value', '9.5'))]", - "autoUpgradeMinorVersion": "[if(contains(parameters('extensionDependencyAgentConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionDependencyAgentConfig').autoUpgradeMinorVersion), createObject('value', true()))]", - "enableAutomaticUpgrade": "[if(contains(parameters('extensionDependencyAgentConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionDependencyAgentConfig').enableAutomaticUpgrade), createObject('value', true()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "11750050808770259539" - }, - "name": "Virtual 
Machine Scale Set Extensions", - "description": "This module deploys a Virtual Machine Scale Set Extension.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "virtualMachineScaleSetName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent virtual machine scale set that extension is provisioned for. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the virtual machine scale set extension." - } - }, - "publisher": { - "type": "string", - "metadata": { - "description": "Required. The name of the extension handler publisher." - } - }, - "type": { - "type": "string", - "metadata": { - "description": "Required. Specifies the type of the extension; an example is \"CustomScriptExtension\"." - } - }, - "typeHandlerVersion": { - "type": "string", - "metadata": { - "description": "Required. Specifies the version of the script handler." - } - }, - "autoUpgradeMinorVersion": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true." - } - }, - "forceUpdateTag": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed." - } - }, - "settings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific settings." - } - }, - "protectedSettings": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific protected settings." 
- } - }, - "supressFailures": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false." - } - }, - "enableAutomaticUpgrade": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}', parameters('virtualMachineScaleSetName'), parameters('name'))]", - "properties": { - "publisher": "[parameters('publisher')]", - "type": "[parameters('type')]", - "typeHandlerVersion": "[parameters('typeHandlerVersion')]", - "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", - "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": "[if(not(empty(parameters('forceUpdateTag'))), parameters('forceUpdateTag'), null())]", - "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", - "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), 
parameters('protectedSettings'), null())]", - "suppressFailures": "[parameters('supressFailures')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the extension." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The ResourceId of the extension." - }, - "value": "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('virtualMachineScaleSetName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the extension was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "vmss" - ] - }, - "vmss_networkWatcherAgentExtension": { - "condition": "[parameters('extensionNetworkWatcherAgentConfig').enabled]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-VMSS-NetworkWatcherAgent', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "virtualMachineScaleSetName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "NetworkWatcherAgent" - }, - "publisher": { - "value": "Microsoft.Azure.NetworkWatcher" - }, - "type": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'NetworkWatcherAgentWindows'), createObject('value', 'NetworkWatcherAgentLinux'))]", - "typeHandlerVersion": "[if(contains(parameters('extensionNetworkWatcherAgentConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionNetworkWatcherAgentConfig').typeHandlerVersion), createObject('value', '1.4'))]", - "autoUpgradeMinorVersion": "[if(contains(parameters('extensionNetworkWatcherAgentConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionNetworkWatcherAgentConfig').autoUpgradeMinorVersion), 
createObject('value', true()))]", - "enableAutomaticUpgrade": "[if(contains(parameters('extensionNetworkWatcherAgentConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionNetworkWatcherAgentConfig').enableAutomaticUpgrade), createObject('value', false()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "11750050808770259539" - }, - "name": "Virtual Machine Scale Set Extensions", - "description": "This module deploys a Virtual Machine Scale Set Extension.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "virtualMachineScaleSetName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent virtual machine scale set that extension is provisioned for. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the virtual machine scale set extension." - } - }, - "publisher": { - "type": "string", - "metadata": { - "description": "Required. The name of the extension handler publisher." - } - }, - "type": { - "type": "string", - "metadata": { - "description": "Required. Specifies the type of the extension; an example is \"CustomScriptExtension\"." - } - }, - "typeHandlerVersion": { - "type": "string", - "metadata": { - "description": "Required. Specifies the version of the script handler." - } - }, - "autoUpgradeMinorVersion": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. 
Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true." - } - }, - "forceUpdateTag": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed." - } - }, - "settings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific settings." - } - }, - "protectedSettings": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific protected settings." - } - }, - "supressFailures": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false." - } - }, - "enableAutomaticUpgrade": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}', parameters('virtualMachineScaleSetName'), parameters('name'))]", - "properties": { - "publisher": "[parameters('publisher')]", - "type": "[parameters('type')]", - "typeHandlerVersion": "[parameters('typeHandlerVersion')]", - "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", - "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": "[if(not(empty(parameters('forceUpdateTag'))), parameters('forceUpdateTag'), null())]", - "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", - "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", - "suppressFailures": "[parameters('supressFailures')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the extension." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The ResourceId of the extension." - }, - "value": "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('virtualMachineScaleSetName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the extension was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "vmss" - ] - }, - "vmss_desiredStateConfigurationExtension": { - "condition": "[parameters('extensionDSCConfig').enabled]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-VMSS-DesiredStateConfiguration', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "virtualMachineScaleSetName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "DesiredStateConfiguration" - }, - "publisher": { - "value": "Microsoft.Powershell" - }, - "type": { - "value": "DSC" - }, - "typeHandlerVersion": "[if(contains(parameters('extensionDSCConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionDSCConfig').typeHandlerVersion), createObject('value', '2.77'))]", - "autoUpgradeMinorVersion": "[if(contains(parameters('extensionDSCConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionDSCConfig').autoUpgradeMinorVersion), createObject('value', true()))]", - "enableAutomaticUpgrade": "[if(contains(parameters('extensionDSCConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionDSCConfig').enableAutomaticUpgrade), createObject('value', false()))]", - "settings": "[if(contains(parameters('extensionDSCConfig'), 'settings'), createObject('value', parameters('extensionDSCConfig').settings), createObject('value', createObject()))]", - "protectedSettings": "[if(contains(parameters('extensionDSCConfig'), 'protectedSettings'), createObject('value', parameters('extensionDSCConfig').protectedSettings), createObject('value', createObject()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": 
"1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "11750050808770259539" - }, - "name": "Virtual Machine Scale Set Extensions", - "description": "This module deploys a Virtual Machine Scale Set Extension.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "virtualMachineScaleSetName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent virtual machine scale set that extension is provisioned for. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the virtual machine scale set extension." - } - }, - "publisher": { - "type": "string", - "metadata": { - "description": "Required. The name of the extension handler publisher." - } - }, - "type": { - "type": "string", - "metadata": { - "description": "Required. Specifies the type of the extension; an example is \"CustomScriptExtension\"." - } - }, - "typeHandlerVersion": { - "type": "string", - "metadata": { - "description": "Required. Specifies the version of the script handler." - } - }, - "autoUpgradeMinorVersion": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true." - } - }, - "forceUpdateTag": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed." - } - }, - "settings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific settings." 
- } - }, - "protectedSettings": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific protected settings." - } - }, - "supressFailures": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false." - } - }, - "enableAutomaticUpgrade": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}', parameters('virtualMachineScaleSetName'), parameters('name'))]", - "properties": { - "publisher": "[parameters('publisher')]", - "type": "[parameters('type')]", - "typeHandlerVersion": "[parameters('typeHandlerVersion')]", - "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", - "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": "[if(not(empty(parameters('forceUpdateTag'))), 
parameters('forceUpdateTag'), null())]", - "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", - "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", - "suppressFailures": "[parameters('supressFailures')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the extension." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The ResourceId of the extension." - }, - "value": "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('virtualMachineScaleSetName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the extension was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "vmss" - ] - }, - "vmss_customScriptExtension": { - "condition": "[parameters('extensionCustomScriptConfig').enabled]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-VMSS-CustomScriptExtension', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "virtualMachineScaleSetName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "CustomScriptExtension" - }, - "publisher": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'Microsoft.Compute'), createObject('value', 'Microsoft.Azure.Extensions'))]", - "type": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'CustomScriptExtension'), createObject('value', 'CustomScript'))]", - "typeHandlerVersion": "[if(contains(parameters('extensionCustomScriptConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionCustomScriptConfig').typeHandlerVersion), 
if(equals(parameters('osType'), 'Windows'), createObject('value', '1.10'), createObject('value', '2.1')))]", - "autoUpgradeMinorVersion": "[if(contains(parameters('extensionCustomScriptConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionCustomScriptConfig').autoUpgradeMinorVersion), createObject('value', true()))]", - "enableAutomaticUpgrade": "[if(contains(parameters('extensionCustomScriptConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionCustomScriptConfig').enableAutomaticUpgrade), createObject('value', false()))]", - "settings": { - "value": { - "copy": [ - { - "name": "fileUris", - "count": "[length(parameters('extensionCustomScriptConfig').fileData)]", - "input": "[if(contains(parameters('extensionCustomScriptConfig').fileData[copyIndex('fileUris')], 'storageAccountId'), format('{0}?{1}', parameters('extensionCustomScriptConfig').fileData[copyIndex('fileUris')].uri, listAccountSas(parameters('extensionCustomScriptConfig').fileData[copyIndex('fileUris')].storageAccountId, '2019-04-01', variables('accountSasProperties')).accountSasToken), parameters('extensionCustomScriptConfig').fileData[copyIndex('fileUris')].uri)]" - } - ] - } - }, - "protectedSettings": "[if(contains(parameters('extensionCustomScriptConfig'), 'protectedSettings'), createObject('value', parameters('extensionCustomScriptConfig').protectedSettings), createObject('value', createObject()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "11750050808770259539" - }, - "name": "Virtual Machine Scale Set Extensions", - "description": "This module deploys a Virtual Machine Scale Set Extension.", - "owner": "Azure/module-maintainers" - }, - 
"parameters": { - "virtualMachineScaleSetName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent virtual machine scale set that extension is provisioned for. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the virtual machine scale set extension." - } - }, - "publisher": { - "type": "string", - "metadata": { - "description": "Required. The name of the extension handler publisher." - } - }, - "type": { - "type": "string", - "metadata": { - "description": "Required. Specifies the type of the extension; an example is \"CustomScriptExtension\"." - } - }, - "typeHandlerVersion": { - "type": "string", - "metadata": { - "description": "Required. Specifies the version of the script handler." - } - }, - "autoUpgradeMinorVersion": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true." - } - }, - "forceUpdateTag": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed." - } - }, - "settings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific settings." - } - }, - "protectedSettings": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific protected settings." - } - }, - "supressFailures": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. 
Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false." - } - }, - "enableAutomaticUpgrade": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}', parameters('virtualMachineScaleSetName'), parameters('name'))]", - "properties": { - "publisher": "[parameters('publisher')]", - "type": "[parameters('type')]", - "typeHandlerVersion": "[parameters('typeHandlerVersion')]", - "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", - "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": "[if(not(empty(parameters('forceUpdateTag'))), parameters('forceUpdateTag'), null())]", - "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", - "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", - "suppressFailures": "[parameters('supressFailures')]" - } - } - ], - 
"outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the extension." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The ResourceId of the extension." - }, - "value": "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('virtualMachineScaleSetName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the extension was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "vmss", - "vmss_desiredStateConfigurationExtension" - ] - }, - "vmss_azureDiskEncryptionExtension": { - "condition": "[parameters('extensionAzureDiskEncryptionConfig').enabled]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-VMSS-AzureDiskEncryption', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "virtualMachineScaleSetName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "AzureDiskEncryption" - }, - "publisher": { - "value": "Microsoft.Azure.Security" - }, - "type": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'AzureDiskEncryption'), createObject('value', 'AzureDiskEncryptionForLinux'))]", - "typeHandlerVersion": "[if(contains(parameters('extensionAzureDiskEncryptionConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionAzureDiskEncryptionConfig').typeHandlerVersion), if(equals(parameters('osType'), 'Windows'), createObject('value', '2.2'), createObject('value', '1.1')))]", - "autoUpgradeMinorVersion": "[if(contains(parameters('extensionAzureDiskEncryptionConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionAzureDiskEncryptionConfig').autoUpgradeMinorVersion), 
createObject('value', true()))]", - "enableAutomaticUpgrade": "[if(contains(parameters('extensionAzureDiskEncryptionConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionAzureDiskEncryptionConfig').enableAutomaticUpgrade), createObject('value', false()))]", - "forceUpdateTag": "[if(contains(parameters('extensionAzureDiskEncryptionConfig'), 'forceUpdateTag'), createObject('value', parameters('extensionAzureDiskEncryptionConfig').forceUpdateTag), createObject('value', '1.0'))]", - "settings": { - "value": "[parameters('extensionAzureDiskEncryptionConfig').settings]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "11750050808770259539" - }, - "name": "Virtual Machine Scale Set Extensions", - "description": "This module deploys a Virtual Machine Scale Set Extension.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "virtualMachineScaleSetName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent virtual machine scale set that extension is provisioned for. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the virtual machine scale set extension." - } - }, - "publisher": { - "type": "string", - "metadata": { - "description": "Required. The name of the extension handler publisher." - } - }, - "type": { - "type": "string", - "metadata": { - "description": "Required. Specifies the type of the extension; an example is \"CustomScriptExtension\"." - } - }, - "typeHandlerVersion": { - "type": "string", - "metadata": { - "description": "Required. Specifies the version of the script handler." 
- } - }, - "autoUpgradeMinorVersion": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true." - } - }, - "forceUpdateTag": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed." - } - }, - "settings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific settings." - } - }, - "protectedSettings": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific protected settings." - } - }, - "supressFailures": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false." - } - }, - "enableAutomaticUpgrade": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}', parameters('virtualMachineScaleSetName'), parameters('name'))]", - "properties": { - "publisher": "[parameters('publisher')]", - "type": "[parameters('type')]", - "typeHandlerVersion": "[parameters('typeHandlerVersion')]", - "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", - "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": "[if(not(empty(parameters('forceUpdateTag'))), parameters('forceUpdateTag'), null())]", - "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", - "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", - "suppressFailures": "[parameters('supressFailures')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the extension." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The ResourceId of the extension." - }, - "value": "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('virtualMachineScaleSetName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the extension was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "vmss", - "vmss_azureMonitorAgentExtension", - "vmss_customScriptExtension" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the virtual machine scale set." - }, - "value": "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the virtual machine scale set." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the virtual machine scale set." - }, - "value": "[parameters('name')]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('vmss', '2022-11-01', 'full').identity, 'principalId')), reference('vmss', '2022-11-01', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('vmss', '2022-11-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/compute/virtual-machine-scale-set/tests/e2e/linux.min/dependencies.bicep b/modules/compute/virtual-machine-scale-set/tests/e2e/linux.min/dependencies.bicep deleted file mode 100644 index b302bdc0c9..0000000000 --- a/modules/compute/virtual-machine-scale-set/tests/e2e/linux.min/dependencies.bicep +++ /dev/null 
@@ -1,86 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Deployment Script to create for the SSH Key generation.')
-param sshDeploymentScriptName string
-
-@description('Required. The name of the SSH Key to create.')
-param sshKeyName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource msiRGContrRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(resourceGroup().id, 'Contributor', managedIdentity.id)
- scope: resourceGroup()
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor
- principalType: 'ServicePrincipal'
- }
-}
-
-resource sshDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
- name: sshDeploymentScriptName
- location: location
- kind: 'AzurePowerShell'
- identity: {
- type: 'UserAssigned'
- userAssignedIdentities: {
- '${managedIdentity.id}': {}
- }
- }
- properties: {
- azPowerShellVersion: '9.0'
- retentionInterval: 'P1D'
- arguments: '-SSHKeyName "${sshKeyName}" -ResourceGroupName "${resourceGroup().name}"'
- scriptContent: loadTextContent('../../../../../.shared/.scripts/New-SSHKey.ps1')
- }
- dependsOn: [
- msiRGContrRoleAssignment
- ]
-}
-
-resource sshKey 'Microsoft.Compute/sshPublicKeys@2022-03-01' = {
- name: sshKeyName
- location: location
- properties: {
- publicKey: sshDeploymentScript.properties.outputs.publicKey
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The Public Key of the created SSH Key.')
-output SSHKeyPublicKey string = sshKey.properties.publicKey
diff --git a/modules/compute/virtual-machine-scale-set/tests/e2e/linux.min/main.test.bicep b/modules/compute/virtual-machine-scale-set/tests/e2e/linux.min/main.test.bicep
deleted file mode 100644
index 7878e685a0..0000000000
--- a/modules/compute/virtual-machine-scale-set/tests/e2e/linux.min/main.test.bicep
+++ /dev/null
@@ -1,95 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-compute.virtualmachinescalesets-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cvmsslinmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- sshDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}'
- sshKeyName: 'dep-${namePrefix}-ssh-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- adminUsername: 'scaleSetAdmin'
- imageReference: {
- publisher: 'Canonical'
- offer: '0001-com-ubuntu-server-jammy'
- sku: '22_04-lts-gen2'
- version: 'latest'
- }
- osDisk: {
- createOption: 'fromImage'
- diskSizeGB: '128'
- managedDisk: {
- storageAccountType: 'Premium_LRS'
- }
- }
- osType: 'Linux'
- skuName: 'Standard_B12ms'
- disablePasswordAuthentication: true
- nicConfigurations: [
- {
- ipConfigurations: [
- {
- name: 'ipconfig1'
- properties: {
- subnet: {
- id: nestedDependencies.outputs.subnetResourceId
- }
- }
- }
- ]
- nicSuffix: '-nic01'
- }
- ]
- publicKeys: [
- {
- keyData: nestedDependencies.outputs.SSHKeyPublicKey
- path: '/home/scaleSetAdmin/.ssh/authorized_keys'
- }
- ]
- }
-}]
diff --git a/modules/compute/virtual-machine-scale-set/tests/e2e/linux.ssecmk/dependencies.bicep b/modules/compute/virtual-machine-scale-set/tests/e2e/linux.ssecmk/dependencies.bicep
deleted file mode 100644
index db780eec3b..0000000000
--- a/modules/compute/virtual-machine-scale-set/tests/e2e/linux.ssecmk/dependencies.bicep
+++ /dev/null
@@ -1,148 +0,0 @@
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Disk Encryption Set to create.')
-param diskEncryptionSetName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Deployment Script to create for the SSH Key generation.')
-param sshDeploymentScriptName string
-
-@description('Required. The name of the SSH Key to create.')
-param sshKeyName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: true // Required by disk encryption set
- softDeleteRetentionInDays: 7
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-
- resource key 'keys@2022-07-01' = {
- name: 'keyEncryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-}
-
-resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2021-04-01' = {
- name: diskEncryptionSetName
- location: location
- identity: {
- type: 'SystemAssigned'
- }
- properties: {
- activeKey: {
- sourceVault: {
- id: keyVault.id
- }
- keyUrl: keyVault::key.properties.keyUriWithVersion
- }
- encryptionType: 'EncryptionAtRestWithPlatformAndCustomerKeys'
- }
-}
-
-resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(keyVault::key.id, 'Key Vault Crypto User', diskEncryptionSet.id)
- scope: keyVault
- properties: {
- principalId: diskEncryptionSet.identity.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User
- principalType: 'ServicePrincipal'
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource msiRGContrRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(resourceGroup().id, 'Contributor', managedIdentity.id)
- scope: resourceGroup()
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor
- principalType: 'ServicePrincipal'
- }
-}
-
-resource sshDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
- name: sshDeploymentScriptName
- location: location
- kind: 'AzurePowerShell'
- identity: {
- type: 'UserAssigned'
- userAssignedIdentities: {
- '${managedIdentity.id}': {}
- }
- }
- properties: {
- azPowerShellVersion: '9.0'
- retentionInterval: 'P1D'
- arguments: '-SSHKeyName "${sshKeyName}" -ResourceGroupName "${resourceGroup().name}"'
- scriptContent: loadTextContent('../../../../../.shared/.scripts/New-SSHKey.ps1')
- }
- dependsOn: [
- msiRGContrRoleAssignment
- ]
-}
-
-resource sshKey 'Microsoft.Compute/sshPublicKeys@2022-03-01' = {
- name: sshKeyName
- location: location
- properties: {
- publicKey: sshDeploymentScript.properties.outputs.publicKey
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Disk Encryption Set.')
-output diskEncryptionSetResourceId string = diskEncryptionSet.id
-
-@description('The Public Key of the created SSH Key.')
-output SSHKeyPublicKey string = sshKey.properties.publicKey
diff --git a/modules/compute/virtual-machine-scale-set/tests/e2e/linux.ssecmk/main.test.bicep b/modules/compute/virtual-machine-scale-set/tests/e2e/linux.ssecmk/main.test.bicep
deleted file mode 100644
index e283b6b1b1..0000000000
--- a/modules/compute/virtual-machine-scale-set/tests/e2e/linux.ssecmk/main.test.bicep
+++ /dev/null
@@ -1,126 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-compute.virtualmachinescalesets-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cvmsslcmk'
-
-@description('Generated. Used as a basis for unique resource names.')
-param baseTime string = utcNow('u')
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- location: location
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
- keyVaultName: 'dep${namePrefix}kv${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}'
- diskEncryptionSetName: 'dep-${namePrefix}-des-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- sshDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}'
- sshKeyName: 'dep-${namePrefix}-ssh-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- extensionMonitoringAgentConfig: {
- enabled: true
- }
- enableDefaultTelemetry: enableDefaultTelemetry
- location: location
- name: '${namePrefix}${serviceShort}001'
- adminUsername: 'scaleSetAdmin'
- imageReference: {
- publisher: 'Canonical'
- offer: '0001-com-ubuntu-server-jammy'
- sku: '22_04-lts-gen2'
- version: 'latest'
- }
- nicConfigurations: [
- {
- ipConfigurations: [
- {
- name: 'ipconfig1'
- properties: {
- subnet: {
- id: nestedDependencies.outputs.subnetResourceId
- }
- }
- }
- ]
- nicSuffix: '-nic01'
- }
- ]
- osDisk: {
- createOption: 'fromImage'
- diskSizeGB: '128'
- managedDisk: {
- storageAccountType: 'Premium_LRS'
- diskEncryptionSet: {
- id: nestedDependencies.outputs.diskEncryptionSetResourceId
- }
- }
- }
- dataDisks: [
- {
- caching: 'ReadOnly'
- createOption: 'Empty'
- diskSizeGB: '128'
- managedDisk: {
- storageAccountType: 'Premium_LRS'
- diskEncryptionSet: {
- id: nestedDependencies.outputs.diskEncryptionSetResourceId
- }
- }
- }
- ]
- osType: 'Linux'
- skuName: 'Standard_B12ms'
- disablePasswordAuthentication: true
- publicKeys: [
- {
- keyData: nestedDependencies.outputs.SSHKeyPublicKey
- path: '/home/scaleSetAdmin/.ssh/authorized_keys'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/compute/virtual-machine-scale-set/tests/e2e/linux/dependencies.bicep b/modules/compute/virtual-machine-scale-set/tests/e2e/linux/dependencies.bicep
deleted file mode 100644
index 556eb44538..0000000000
--- a/modules/compute/virtual-machine-scale-set/tests/e2e/linux/dependencies.bicep
+++ /dev/null
@@ -1,193 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-@description('Required. The name of the Deployment Script used to upload data to the Storage Account.')
-param storageUploadDeploymentScriptName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Deployment Script to create for the SSH Key generation.')
-param sshDeploymentScriptName string
-
-@description('Required. The name of the SSH Key to create.')
-param sshKeyName string
-
-var storageAccountCSEFileName = 'scriptExtensionMasterInstaller.ps1'
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: null
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-
- resource key 'keys@2022-07-01' = {
- name: 'encryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource msiRGContrRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(resourceGroup().id, 'Contributor', managedIdentity.id)
- scope: resourceGroup()
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor
- principalType: 'ServicePrincipal'
- }
-}
-
-resource msiKVCryptoUserRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(keyVault::key.id, 'Key Vault Crypto User', managedIdentity.id)
- scope: keyVault::key
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User
- principalType: 'ServicePrincipal'
- }
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
-
- resource blobService 'blobServices@2021-09-01' = {
- name: 'default'
-
- resource container 'containers@2021-09-01' = {
- name: 'scripts'
- }
- }
-}
-
-resource storageUpload 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
- name: storageUploadDeploymentScriptName
- location: location
- kind: 'AzurePowerShell'
- identity: {
- type: 'UserAssigned'
- userAssignedIdentities: {
- '${managedIdentity.id}': {}
- }
- }
- properties: {
- azPowerShellVersion: '9.0'
- retentionInterval: 'P1D'
- arguments: '-StorageAccountName "${storageAccount.name}" -ResourceGroupName "${resourceGroup().name}" -ContainerName "${storageAccount::blobService::container.name}" -FileName "${storageAccountCSEFileName}"'
- scriptContent: loadTextContent('../../../../../.shared/.scripts/Set-BlobContent.ps1')
- }
- dependsOn: [
- msiRGContrRoleAssignment
- ]
-}
-
-resource sshDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
- name: sshDeploymentScriptName
- location: location
- kind: 'AzurePowerShell'
- identity: {
- type: 'UserAssigned'
- userAssignedIdentities: {
- '${managedIdentity.id}': {}
- }
- }
- properties: {
- azPowerShellVersion: '9.0'
- retentionInterval: 'P1D'
- arguments: '-SSHKeyName "${sshKeyName}" -ResourceGroupName "${resourceGroup().name}"'
- scriptContent: loadTextContent('../../../../../.shared/.scripts/New-SSHKey.ps1')
- }
- dependsOn: [
- msiRGContrRoleAssignment
- ]
-}
-
-resource sshKey 'Microsoft.Compute/sshPublicKeys@2022-03-01' = {
- name: sshKeyName
- location: location
- properties: {
- publicKey: sshDeploymentScript.properties.outputs.publicKey
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
-
-@description('The URL of the created Key Vault.')
-output keyVaultUrl string = keyVault.properties.vaultUri
-
-@description('The URL of the created Key Vault Encryption Key.')
-output keyVaultEncryptionKeyUrl string = keyVault::key.properties.keyUriWithVersion
-
-@description('The name of the created Storage Account.')
-output storageAccountName string = storageAccount.name
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
-
-@description('The URL of the Custom Script Extension in the created Storage Account')
-output storageAccountCSEFileUrl string = '${storageAccount.properties.primaryEndpoints.blob}${storageAccount::blobService::container.name}/${storageAccountCSEFileName}'
-
-@description('The Public Key of the created SSH Key.')
-output SSHKeyPublicKey string = sshKey.properties.publicKey
diff --git a/modules/compute/virtual-machine-scale-set/tests/e2e/linux/main.test.bicep b/modules/compute/virtual-machine-scale-set/tests/e2e/linux/main.test.bicep
deleted file mode 100644
index 13f29dad53..0000000000
--- a/modules/compute/virtual-machine-scale-set/tests/e2e/linux/main.test.bicep
+++ /dev/null
@@ -1,210 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-compute.virtualmachinescalesets-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = 'westeurope' //deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cvmsslin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}'
- storageAccountName: 'dep${namePrefix}sa${serviceShort}01'
- storageUploadDeploymentScriptName: 'dep-${namePrefix}-sads-${serviceShort}'
- sshDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}'
- sshKeyName: 'dep-${namePrefix}-ssh-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- adminUsername: 'scaleSetAdmin'
- imageReference: {
- publisher: 'Canonical'
- offer: '0001-com-ubuntu-server-jammy'
- sku: '22_04-lts-gen2'
- version: 'latest'
- }
- osDisk: {
- createOption: 'fromImage'
- diskSizeGB: '128'
- managedDisk: {
- storageAccountType: 'Premium_LRS'
- }
- }
- osType: 'Linux'
- skuName: 'Standard_B12ms'
- availabilityZones: [
- '2'
- ]
- bootDiagnosticStorageAccountName: nestedDependencies.outputs.storageAccountName
- dataDisks: [
- {
- caching: 'ReadOnly'
- createOption: 'Empty'
- diskSizeGB: '256'
- managedDisk: {
- storageAccountType: 'Premium_LRS'
- }
- }
- {
- caching: 'ReadOnly'
- createOption: 'Empty'
- diskSizeGB: '128'
- managedDisk: {
- storageAccountType: 'Premium_LRS'
- }
- }
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- disablePasswordAuthentication: true
- encryptionAtHost: false
- extensionCustomScriptConfig: {
- enabled: true
- fileData: [
- {
- storageAccountId: nestedDependencies.outputs.storageAccountResourceId
- uri: nestedDependencies.outputs.storageAccountCSEFileUrl
- }
- ]
- protectedSettings: {
- commandToExecute: 'sudo apt-get update'
- }
- }
- extensionDependencyAgentConfig: {
- enabled: true
- }
- extensionAzureDiskEncryptionConfig: {
- enabled: true
- settings: {
- EncryptionOperation: 'EnableEncryption'
- KekVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- KeyEncryptionAlgorithm: 'RSA-OAEP'
- KeyEncryptionKeyURL: nestedDependencies.outputs.keyVaultEncryptionKeyUrl
- KeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- KeyVaultURL: nestedDependencies.outputs.keyVaultUrl
- ResizeOSDisk: 'false'
- VolumeType: 'All'
- }
- }
- extensionMonitoringAgentConfig: {
- enabled: true
- }
- extensionNetworkWatcherAgentConfig: {
- enabled: true
- }
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- nicConfigurations: [
- {
- ipConfigurations: [
- {
- name: 'ipconfig1'
- properties: {
- subnet: {
- id: nestedDependencies.outputs.subnetResourceId
- }
- }
- }
- ]
- nicSuffix: '-nic01'
- }
- ]
- publicKeys: [
- {
- keyData: nestedDependencies.outputs.SSHKeyPublicKey
- path: '/home/scaleSetAdmin/.ssh/authorized_keys'
- }
- ]
- roleAssignments: [
- {
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- roleDefinitionIdOrName: 'Reader'
- principalType: 'ServicePrincipal'
- }
- ]
- scaleSetFaultDomain: 1
- skuCapacity: 1
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- upgradePolicyMode: 'Manual'
- vmNamePrefix: 'vmsslinvm'
- vmPriority: 'Regular'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/compute/virtual-machine-scale-set/tests/e2e/windows.min/dependencies.bicep b/modules/compute/virtual-machine-scale-set/tests/e2e/windows.min/dependencies.bicep
deleted file mode 100644
index 1166415e54..0000000000
--- a/modules/compute/virtual-machine-scale-set/tests/e2e/windows.min/dependencies.bicep
+++ /dev/null
@@ -1,30 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
diff --git a/modules/compute/virtual-machine-scale-set/tests/e2e/windows.min/main.test.bicep b/modules/compute/virtual-machine-scale-set/tests/e2e/windows.min/main.test.bicep
deleted file mode 100644
index e9eca80fae..0000000000
--- a/modules/compute/virtual-machine-scale-set/tests/e2e/windows.min/main.test.bicep
+++ /dev/null
@@ -1,90 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-compute.virtualmachinescalesets-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cvmsswinmin'
-
-@description('Optional. The password to leverage for the login.')
-@secure()
-param password string = newGuid()
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- adminUsername: 'localAdminUser'
- adminPassword: password
- imageReference: {
- publisher: 'MicrosoftWindowsServer'
- offer: 'WindowsServer'
- sku: '2022-datacenter-azure-edition'
- version: 'latest'
- }
- osDisk: {
- createOption: 'fromImage'
- diskSizeGB: '128'
- managedDisk: {
- storageAccountType: 'Premium_LRS'
- }
- }
- osType: 'Windows'
- skuName: 'Standard_B12ms'
- nicConfigurations: [
- {
- ipConfigurations: [
- {
- name: 'ipconfig1'
- properties: {
- subnet: {
- id: nestedDependencies.outputs.subnetResourceId
- }
- }
- }
- ]
- nicSuffix: '-nic01'
- }
- ]
- }
-}]
diff --git a/modules/compute/virtual-machine-scale-set/tests/e2e/windows/dependencies.bicep b/modules/compute/virtual-machine-scale-set/tests/e2e/windows/dependencies.bicep
deleted file mode 100644
index b205e4d85c..0000000000
--- a/modules/compute/virtual-machine-scale-set/tests/e2e/windows/dependencies.bicep
+++ /dev/null
@@ -1,166 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-@description('Required. The name of the Deployment Script used to upload data to the Storage Account.')
-param storageUploadDeploymentScriptName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Proximity Placement Group to create.')
-param proximityPlacementGroupName string
-
-var storageAccountCSEFileName = 'scriptExtensionMasterInstaller.ps1'
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: null
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-
- resource key 'keys@2022-07-01' = {
- name: 'encryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource msiRGContrRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(resourceGroup().id, 'Contributor', managedIdentity.id)
- scope: resourceGroup()
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor
- principalType: 'ServicePrincipal'
- }
-}
-
-resource msiKVCryptoUserRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(keyVault::key.id, 'Key Vault Crypto User', managedIdentity.id)
- scope: keyVault::key
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User
- principalType: 'ServicePrincipal'
- }
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
-
- resource blobService 'blobServices@2021-09-01' = {
- name: 'default'
-
- resource container 'containers@2021-09-01' = {
- name: 'scripts'
- }
- }
-}
-
-resource storageUpload 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
- name: storageUploadDeploymentScriptName
- location: location
- kind: 'AzurePowerShell'
- identity: {
- type: 'UserAssigned'
- userAssignedIdentities: {
- '${managedIdentity.id}': {}
- }
- }
- properties: {
- azPowerShellVersion: '9.0'
- retentionInterval: 'P1D'
- arguments: '-StorageAccountName "${storageAccount.name}" -ResourceGroupName "${resourceGroup().name}" -ContainerName "${storageAccount::blobService::container.name}" -FileName "${storageAccountCSEFileName}"'
- scriptContent: loadTextContent('../../../../../.shared/.scripts/Set-BlobContent.ps1')
- }
- dependsOn: [
- msiRGContrRoleAssignment
- ]
-}
-
-resource proximityPlacementGroup 'Microsoft.Compute/proximityPlacementGroups@2022-03-01' = {
- name: proximityPlacementGroupName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
-
-@description('The URL of the created Key Vault.')
-output keyVaultUrl string = keyVault.properties.vaultUri
-
-@description('The URL of the created Key Vault Encryption Key.')
-output keyVaultEncryptionKeyUrl string = keyVault::key.properties.keyUriWithVersion
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
-
-@description('The URL of the Custom Script Extension in the created Storage Account')
-output storageAccountCSEFileUrl string = '${storageAccount.properties.primaryEndpoints.blob}${storageAccount::blobService::container.name}/${storageAccountCSEFileName}'
-
-@description('The name of the Custom Script Extension in the created Storage Account.')
-output storageAccountCSEFileName string = storageAccountCSEFileName
-
-@description('The resource ID of the created Proximity Placement Group.')
-output proximityPlacementGroupResourceId string = proximityPlacementGroup.id
diff --git a/modules/compute/virtual-machine-scale-set/tests/e2e/windows/main.test.bicep b/modules/compute/virtual-machine-scale-set/tests/e2e/windows/main.test.bicep
deleted file mode 100644
index e1c8c527ea..0000000000
--- a/modules/compute/virtual-machine-scale-set/tests/e2e/windows/main.test.bicep
+++ /dev/null
@@ -1,206 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-compute.virtualmachinescalesets-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cvmsswin'
-
-@description('Optional. The password to leverage for the login.')
-@secure()
-param password string = newGuid()
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}'
- storageAccountName: 'dep${namePrefix}sa${serviceShort}01'
- storageUploadDeploymentScriptName: 'dep-${namePrefix}-sads-${serviceShort}'
- proximityPlacementGroupName: 'dep-${namePrefix}-ppg-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- adminUsername: 'localAdminUser'
- imageReference: {
- publisher: 'MicrosoftWindowsServer'
- offer: 'WindowsServer'
- sku: '2022-datacenter-azure-edition'
- version: 'latest'
- }
- osDisk: {
- createOption: 'fromImage'
- diskSizeGB: '128'
- managedDisk: {
- storageAccountType: 'Premium_LRS'
- }
- }
- osType: 'Windows'
- skuName: 'Standard_B12ms'
- adminPassword: password
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- encryptionAtHost: false
- extensionAntiMalwareConfig: {
- enabled: true
- settings: {
- AntimalwareEnabled: true
- Exclusions: {
- Extensions: '.log;.ldf'
- Paths: 'D:\\IISlogs;D:\\DatabaseLogs'
- Processes: 'mssence.svc'
- }
- RealtimeProtectionEnabled: true
- ScheduledScanSettings: {
- day: '7'
- isEnabled: 'true'
- scanType: 'Quick'
- time: '120'
- }
- }
- }
- extensionCustomScriptConfig: {
- enabled: true
- fileData: [
- {
- storageAccountId: nestedDependencies.outputs.storageAccountResourceId
- uri: nestedDependencies.outputs.storageAccountCSEFileUrl
- }
- ]
- protectedSettings: {
- commandToExecute: 'powershell -ExecutionPolicy Unrestricted -Command "& ./${nestedDependencies.outputs.storageAccountCSEFileName}"'
- }
- }
- extensionDependencyAgentConfig: {
- enabled: true
- }
- extensionAzureDiskEncryptionConfig: {
- enabled: true
- settings: {
- EncryptionOperation: 'EnableEncryption'
- KekVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- KeyEncryptionAlgorithm: 'RSA-OAEP'
- KeyEncryptionKeyURL: nestedDependencies.outputs.keyVaultEncryptionKeyUrl
- KeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- KeyVaultURL: nestedDependencies.outputs.keyVaultUrl
- ResizeOSDisk: 'false'
- VolumeType: 'All'
- }
- }
- extensionDSCConfig: {
- enabled: true
- }
- extensionMonitoringAgentConfig: {
- enabled: true
- }
- extensionNetworkWatcherAgentConfig: {
- enabled: true
- }
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- nicConfigurations: [
- {
- ipConfigurations: [
- {
- name: 'ipconfig1'
- properties: {
- subnet: {
- id: nestedDependencies.outputs.subnetResourceId
- }
- }
- }
- ]
- nicSuffix: '-nic01'
- }
- ]
- proximityPlacementGroupResourceId: nestedDependencies.outputs.proximityPlacementGroupResourceId
- roleAssignments: [
- {
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- roleDefinitionIdOrName: 'Reader'
- principalType: 'ServicePrincipal'
- }
- ]
- skuCapacity: 1
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- upgradePolicyMode: 'Manual'
- vmNamePrefix: 'vmsswinvm'
- vmPriority: 'Regular'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/compute/virtual-machine-scale-set/version.json b/modules/compute/virtual-machine-scale-set/version.json
deleted file mode 100644
index 9ed3662aba..0000000000
--- a/modules/compute/virtual-machine-scale-set/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.6",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/compute/virtual-machine/MOVED-TO-AVM.md b/modules/compute/virtual-machine/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/compute/virtual-machine/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/compute/virtual-machine/README.md b/modules/compute/virtual-machine/README.md
index 1841f3f83e..8c2c702b2f 100644
--- a/modules/compute/virtual-machine/README.md
+++ b/modules/compute/virtual-machine/README.md
@@ -1,3554 +1,7 @@
-# Virtual Machines `[Microsoft.Compute/virtualMachines]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/compute/virtual-machine](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/compute/virtual-machine).** -This module deploys a Virtual Machine with one or multiple NICs and optionally one or multiple public IPs. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/compute/virtual-machine). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Automanage/configurationProfileAssignments` | [2021-04-30-preview](https://learn.microsoft.com/en-us/azure/templates) | -| `Microsoft.Compute/virtualMachines` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Compute/2022-11-01/virtualMachines) | -| `Microsoft.Compute/virtualMachines/extensions` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Compute/2022-11-01/virtualMachines/extensions) | -| `Microsoft.Insights/diagnosticSettings` | 
[2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/networkInterfaces` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/networkInterfaces) | -| `Microsoft.Network/publicIPAddresses` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/publicIPAddresses) | -| `Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems` | [2023-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2023-01-01/vaults/backupFabrics/protectionContainers/protectedItems) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/compute.virtual-machine:1.0.0`. - -- [Linux.Atmg](#example-1-linuxatmg) -- [Linux.Min](#example-2-linuxmin) -- [Linux](#example-3-linux) -- [Windows.Atmg](#example-4-windowsatmg) -- [Windows.Min](#example-5-windowsmin) -- [Windows.Ssecmk](#example-6-windowsssecmk) -- [Windows](#example-7-windows) - -### Example 1: _Linux.Atmg_ - -
- -via Bicep module - -```bicep -module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cvmlinatmg' - params: { - // Required parameters - adminUsername: 'localAdminUser' - imageReference: { - offer: '0001-com-ubuntu-server-jammy' - publisher: 'Canonical' - sku: '22_04-lts-gen2' - version: 'latest' - } - nicConfigurations: [ - { - ipConfigurations: [ - { - name: 'ipconfig01' - pipConfiguration: { - publicIpNameSuffix: '-pip-01' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - subnetResourceId: '' - zones: [ - '1' - '2' - '3' - ] - } - ] - nicSuffix: '-nic-01' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - osDisk: { - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - osType: 'Linux' - vmSize: 'Standard_DS2_v2' - // Non-required parameters - configurationProfile: '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction' - disablePasswordAuthentication: true - enableDefaultTelemetry: '' - location: '' - name: 'cvmlinatmg' - publicKeys: [ - { - keyData: '' - path: '/home/localAdminUser/.ssh/authorized_keys' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "adminUsername": { - "value": "localAdminUser" - }, - "imageReference": { - "value": { - "offer": "0001-com-ubuntu-server-jammy", - "publisher": "Canonical", - "sku": "22_04-lts-gen2", - "version": "latest" - } - }, - "nicConfigurations": { - "value": [ - { - "ipConfigurations": [ - { - "name": "ipconfig01", - "pipConfiguration": { - "publicIpNameSuffix": "-pip-01", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "subnetResourceId": "", - "zones": [ - "1", - "2", - "3" - ] - } - ], - "nicSuffix": "-nic-01", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "osDisk": { - "value": { - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } - } - }, - "osType": { - "value": "Linux" - }, - "vmSize": { - "value": "Standard_DS2_v2" - }, - // Non-required parameters - "configurationProfile": { - "value": "/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction" - }, - "disablePasswordAuthentication": { - "value": true - }, - "enableDefaultTelemetry": { - "value": "" - }, - "location": { - "value": "" - }, - "name": { - "value": "cvmlinatmg" - }, - "publicKeys": { - "value": [ - { - "keyData": "", - "path": "/home/localAdminUser/.ssh/authorized_keys" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 2: _Linux.Min_ - -

- -via Bicep module - -```bicep -module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cvmlinmin' - params: { - // Required parameters - adminUsername: 'localAdminUser' - imageReference: { - offer: '0001-com-ubuntu-server-jammy' - publisher: 'Canonical' - sku: '22_04-lts-gen2' - version: 'latest' - } - nicConfigurations: [ - { - ipConfigurations: [ - { - name: 'ipconfig01' - pipConfiguration: { - publicIpNameSuffix: '-pip-01' - } - subnetResourceId: '' - } - ] - nicSuffix: '-nic-01' - } - ] - osDisk: { - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - osType: 'Linux' - vmSize: 'Standard_DS2_v2' - // Non-required parameters - disablePasswordAuthentication: true - enableDefaultTelemetry: '' - location: '' - name: 'cvmlinmin' - publicKeys: [ - { - keyData: '' - path: '/home/localAdminUser/.ssh/authorized_keys' - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "adminUsername": { - "value": "localAdminUser" - }, - "imageReference": { - "value": { - "offer": "0001-com-ubuntu-server-jammy", - "publisher": "Canonical", - "sku": "22_04-lts-gen2", - "version": "latest" - } - }, - "nicConfigurations": { - "value": [ - { - "ipConfigurations": [ - { - "name": "ipconfig01", - "pipConfiguration": { - "publicIpNameSuffix": "-pip-01" - }, - "subnetResourceId": "" - } - ], - "nicSuffix": "-nic-01" - } - ] - }, - "osDisk": { - "value": { - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } - } - }, - "osType": { - "value": "Linux" - }, - "vmSize": { - "value": "Standard_DS2_v2" - }, - // Non-required parameters - "disablePasswordAuthentication": { - "value": true - }, - "enableDefaultTelemetry": { - "value": "" - }, - "location": { - "value": "" - }, - "name": { - "value": "cvmlinmin" - }, - "publicKeys": { - "value": [ - { - "keyData": "", - "path": "/home/localAdminUser/.ssh/authorized_keys" - } - ] - } - } -} -``` - -
-

- -### Example 3: _Linux_ - -

-
-via Bicep module
-
-```bicep
-module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = {
- name: '${uniqueString(deployment().name, location)}-test-cvmlincom'
- params: {
- // Required parameters
- adminUsername: 'localAdministrator'
- imageReference: {
- offer: '0001-com-ubuntu-server-focal'
- publisher: 'Canonical'
- sku: ''
- version: 'latest'
- }
- nicConfigurations: [
- {
- deleteOption: 'Delete'
- diagnosticSettings: [
- {
- eventHubAuthorizationRuleResourceId: ''
- eventHubName: ''
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- name: 'customSetting'
- storageAccountResourceId: ''
- workspaceResourceId: ''
- }
- ]
- ipConfigurations: [
- {
- applicationSecurityGroups: [
- {
- id: ''
- }
- ]
- diagnosticSettings: [
- {
- eventHubAuthorizationRuleResourceId: ''
- eventHubName: ''
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- name: 'customSetting'
- storageAccountResourceId: ''
- workspaceResourceId: ''
- }
- ]
- loadBalancerBackendAddressPools: [
- {
- id: ''
- }
- ]
- name: 'ipconfig01'
- pipConfiguration: {
- publicIpNameSuffix: '-pip-01'
- roleAssignments: [
- {
- principalId: ''
- principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
- }
- ]
- }
- subnetResourceId: ''
- zones: [
- '1'
- '2'
- '3'
- ]
- }
- ]
- nicSuffix: '-nic-01'
- roleAssignments: [
- {
- principalId: ''
- principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
- }
- ]
- }
- ]
- osDisk: {
- caching: 'ReadOnly'
- createOption: 'fromImage'
- deleteOption: 'Delete'
- diskSizeGB: '128'
- managedDisk: {
- storageAccountType: 'Premium_LRS'
- }
- }
- osType: 'Linux'
- vmSize: 'Standard_DS2_v2'
- // Non-required parameters
- availabilityZone: 1
- backupPolicyName: ''
- backupVaultName: ''
- backupVaultResourceGroup: ''
- computerName: 'linvm1'
- dataDisks: [
- {
- caching: 'ReadWrite'
- createOption: 'Empty'
- deleteOption: 'Delete'
- diskSizeGB: '128'
- managedDisk: {
- storageAccountType: 'Premium_LRS'
- }
- }
- {
- caching: 'ReadWrite'
- createOption: 'Empty'
- deleteOption: 'Delete'
- diskSizeGB: '128'
- managedDisk: {
- storageAccountType: 'Premium_LRS'
- }
- }
- ]
- disablePasswordAuthentication: true
- enableAutomaticUpdates: true
- enableDefaultTelemetry: ''
- encryptionAtHost: false
- extensionAadJoinConfig: {
- enabled: true
- tags: {
- Environment: 'Non-Prod'
- 'hidden-title': 'This is visible in the resource name'
- Role: 'DeploymentValidation'
- }
- }
- extensionAzureDiskEncryptionConfig: {
- enabled: true
- settings: {
- EncryptionOperation: 'EnableEncryption'
- KekVaultResourceId: ''
- KeyEncryptionAlgorithm: 'RSA-OAEP'
- KeyEncryptionKeyURL: ''
- KeyVaultResourceId: ''
- KeyVaultURL: ''
- ResizeOSDisk: 'false'
- VolumeType: 'All'
- }
- tags: {
- Environment: 'Non-Prod'
- 'hidden-title': 'This is visible in the resource name'
- Role: 'DeploymentValidation'
- }
- }
- extensionCustomScriptConfig: {
- enabled: true
- fileData: [
- {
- storageAccountId: ''
- uri: ''
- }
- ]
- tags: {
- Environment: 'Non-Prod'
- 'hidden-title': 'This is visible in the resource name'
- Role: 'DeploymentValidation'
- }
- }
- extensionCustomScriptProtectedSetting: {
- commandToExecute: ''
- }
- extensionDependencyAgentConfig: {
- enabled: true
- tags: {
- Environment: 'Non-Prod'
- 'hidden-title': 'This is visible in the resource name'
- Role: 'DeploymentValidation'
- }
- }
- extensionDSCConfig: {
- enabled: false
- tags: {
- Environment: 'Non-Prod'
- 'hidden-title': 'This is visible in the resource name'
- Role: 'DeploymentValidation'
- }
- }
- extensionMonitoringAgentConfig: {
- enabled: true
- tags: {
- Environment: 'Non-Prod'
- 'hidden-title': 'This is visible in the resource name'
- Role: 'DeploymentValidation'
- }
- }
- extensionNetworkWatcherAgentConfig: {
- enabled: true
- tags: {
- Environment: 'Non-Prod'
- 'hidden-title': 'This is visible in the resource name'
- Role: 'DeploymentValidation'
- }
- }
- location: ''
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- ''
- ]
- }
- monitoringWorkspaceId: ''
- name: 'cvmlincom'
- patchMode: 'AutomaticByPlatform'
- publicKeys: [
- {
- keyData: ''
- path: '/home/localAdministrator/.ssh/authorized_keys'
- }
- ]
- roleAssignments: [
- {
- principalId: ''
- principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Owner'
- }
- {
- principalId: ''
- principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- }
- {
- principalId: ''
- principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: ''
- }
- ]
- tags: {
- Environment: 'Non-Prod'
- 'hidden-title': 'This is visible in the resource name'
- Role: 'DeploymentValidation'
- }
- }
-}
-```
-
-
-

- -

-
-via JSON Parameter file
-
-```json
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- // Required parameters
- "adminUsername": {
- "value": "localAdministrator"
- },
- "imageReference": {
- "value": {
- "offer": "0001-com-ubuntu-server-focal",
- "publisher": "Canonical",
- "sku": "",
- "version": "latest"
- }
- },
- "nicConfigurations": {
- "value": [
- {
- "deleteOption": "Delete",
- "diagnosticSettings": [
- {
- "eventHubAuthorizationRuleResourceId": "",
- "eventHubName": "",
- "metricCategories": [
- {
- "category": "AllMetrics"
- }
- ],
- "name": "customSetting",
- "storageAccountResourceId": "",
- "workspaceResourceId": ""
- }
- ],
- "ipConfigurations": [
- {
- "applicationSecurityGroups": [
- {
- "id": ""
- }
- ],
- "diagnosticSettings": [
- {
- "eventHubAuthorizationRuleResourceId": "",
- "eventHubName": "",
- "metricCategories": [
- {
- "category": "AllMetrics"
- }
- ],
- "name": "customSetting",
- "storageAccountResourceId": "",
- "workspaceResourceId": ""
- }
- ],
- "loadBalancerBackendAddressPools": [
- {
- "id": ""
- }
- ],
- "name": "ipconfig01",
- "pipConfiguration": {
- "publicIpNameSuffix": "-pip-01",
- "roleAssignments": [
- {
- "principalId": "",
- "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
- }
- ]
- },
- "subnetResourceId": "",
- "zones": [
- "1",
- "2",
- "3"
- ]
- }
- ],
- "nicSuffix": "-nic-01",
- "roleAssignments": [
- {
- "principalId": "",
- "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
- }
- ]
- }
- ]
- },
- "osDisk": {
- "value": {
- "caching": "ReadOnly",
- "createOption": "fromImage",
- "deleteOption": "Delete",
- "diskSizeGB": "128",
- "managedDisk": {
- "storageAccountType": "Premium_LRS"
- }
- }
- },
- "osType": {
- "value": "Linux"
- },
- "vmSize": {
- "value": "Standard_DS2_v2"
- },
- // Non-required parameters
- "availabilityZone": {
- "value": 1
- },
- "backupPolicyName": {
- "value": ""
- },
- "backupVaultName": {
- "value": ""
- },
- "backupVaultResourceGroup": {
- "value": ""
- },
- "computerName": {
- "value": "linvm1"
- },
- "dataDisks": {
- "value": [
- {
- "caching": "ReadWrite",
- "createOption": "Empty",
- "deleteOption": "Delete",
- "diskSizeGB": "128",
- "managedDisk": {
- "storageAccountType": "Premium_LRS"
- }
- },
- {
- "caching": "ReadWrite",
- "createOption": "Empty",
- "deleteOption": "Delete",
- "diskSizeGB": "128",
- "managedDisk": {
- "storageAccountType": "Premium_LRS"
- }
- }
- ]
- },
- "disablePasswordAuthentication": {
- "value": true
- },
- "enableAutomaticUpdates": {
- "value": true
- },
- "enableDefaultTelemetry": {
- "value": ""
- },
- "encryptionAtHost": {
- "value": false
- },
- "extensionAadJoinConfig": {
- "value": {
- "enabled": true,
- "tags": {
- "Environment": "Non-Prod",
- "hidden-title": "This is visible in the resource name",
- "Role": "DeploymentValidation"
- }
- }
- },
- "extensionAzureDiskEncryptionConfig": {
- "value": {
- "enabled": true,
- "settings": {
- "EncryptionOperation": "EnableEncryption",
- "KekVaultResourceId": "",
- "KeyEncryptionAlgorithm": "RSA-OAEP",
- "KeyEncryptionKeyURL": "",
- "KeyVaultResourceId": "",
- "KeyVaultURL": "",
- "ResizeOSDisk": "false",
- "VolumeType": "All"
- },
- "tags": {
- "Environment": "Non-Prod",
- "hidden-title": "This is visible in the resource name",
- "Role": "DeploymentValidation"
- }
- }
- },
- "extensionCustomScriptConfig": {
- "value": {
- "enabled": true,
- "fileData": [
- {
- "storageAccountId": "",
- "uri": ""
- }
- ],
- "tags": {
- "Environment": "Non-Prod",
- "hidden-title": "This is visible in the resource name",
- "Role": "DeploymentValidation"
- }
- }
- },
- "extensionCustomScriptProtectedSetting": {
- "value": {
- "commandToExecute": ""
- }
- },
- "extensionDependencyAgentConfig": {
- "value": {
- "enabled": true,
- "tags": {
- "Environment": "Non-Prod",
- "hidden-title": "This is visible in the resource name",
- "Role": "DeploymentValidation"
- }
- }
- },
- "extensionDSCConfig": {
- "value": {
- "enabled": false,
- "tags": {
- "Environment": "Non-Prod",
- "hidden-title": "This is visible in the resource name",
- "Role": "DeploymentValidation"
- }
- }
- },
- "extensionMonitoringAgentConfig": {
- "value": {
- "enabled": true,
- "tags": {
- "Environment": "Non-Prod",
- "hidden-title": "This is visible in the resource name",
- "Role": "DeploymentValidation"
- }
- }
- },
- "extensionNetworkWatcherAgentConfig": {
- "value": {
- "enabled": true,
- "tags": {
- "Environment": "Non-Prod",
- "hidden-title": "This is visible in the resource name",
- "Role": "DeploymentValidation"
- }
- }
- },
- "location": {
- "value": ""
- },
- "lock": {
- "value": {
- "kind": "CanNotDelete",
- "name": "myCustomLockName"
- }
- },
- "managedIdentities": {
- "value": {
- "systemAssigned": true,
- "userAssignedResourceIds": [
- ""
- ]
- }
- },
- "monitoringWorkspaceId": {
- "value": ""
- },
- "name": {
- "value": "cvmlincom"
- },
- "patchMode": {
- "value": "AutomaticByPlatform"
- },
- "publicKeys": {
- "value": [
- {
- "keyData": "",
- "path": "/home/localAdministrator/.ssh/authorized_keys"
- }
- ]
- },
- "roleAssignments": {
- "value": [
- {
- "principalId": "",
- "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Owner"
- },
- {
- "principalId": "",
- "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c"
- },
- {
- "principalId": "",
- "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": ""
- }
- ]
- },
- "tags": {
- "value": {
- "Environment": "Non-Prod",
- "hidden-title": "This is visible in the resource name",
- "Role": "DeploymentValidation"
- }
- }
- }
-}
-```
-
-
-

-
-### Example 4: _Windows.Atmg_
-
-

-
-via Bicep module
-
-```bicep
-module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = {
- name: '${uniqueString(deployment().name, location)}-test-cvmwinatmg'
- params: {
- // Required parameters
- adminUsername: 'localAdministrator'
- imageReference: {
- offer: 'WindowsServer'
- publisher: 'MicrosoftWindowsServer'
- sku: '2022-datacenter-azure-edition'
- version: 'latest'
- }
- nicConfigurations: [
- {
- ipConfigurations: [
- {
- name: 'ipconfig01'
- subnetResourceId: ''
- }
- ]
- nicSuffix: '-nic-01'
- }
- ]
- osDisk: {
- diskSizeGB: '128'
- managedDisk: {
- storageAccountType: 'Premium_LRS'
- }
- }
- osType: 'Windows'
- vmSize: 'Standard_DS2_v2'
- // Non-required parameters
- adminPassword: ''
- configurationProfile: '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction'
- enableDefaultTelemetry: ''
- location: ''
- name: 'cvmwinatmg'
- tags: {
- Environment: 'Non-Prod'
- 'hidden-title': 'This is visible in the resource name'
- Role: 'DeploymentValidation'
- }
- }
-}
-```
-
-
-

- -

-
-via JSON Parameter file
-
-```json
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- // Required parameters
- "adminUsername": {
- "value": "localAdministrator"
- },
- "imageReference": {
- "value": {
- "offer": "WindowsServer",
- "publisher": "MicrosoftWindowsServer",
- "sku": "2022-datacenter-azure-edition",
- "version": "latest"
- }
- },
- "nicConfigurations": {
- "value": [
- {
- "ipConfigurations": [
- {
- "name": "ipconfig01",
- "subnetResourceId": ""
- }
- ],
- "nicSuffix": "-nic-01"
- }
- ]
- },
- "osDisk": {
- "value": {
- "diskSizeGB": "128",
- "managedDisk": {
- "storageAccountType": "Premium_LRS"
- }
- }
- },
- "osType": {
- "value": "Windows"
- },
- "vmSize": {
- "value": "Standard_DS2_v2"
- },
- // Non-required parameters
- "adminPassword": {
- "value": ""
- },
- "configurationProfile": {
- "value": "/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction"
- },
- "enableDefaultTelemetry": {
- "value": ""
- },
- "location": {
- "value": ""
- },
- "name": {
- "value": "cvmwinatmg"
- },
- "tags": {
- "value": {
- "Environment": "Non-Prod",
- "hidden-title": "This is visible in the resource name",
- "Role": "DeploymentValidation"
- }
- }
- }
-}
-```
-
-
-

-
-### Example 5: _Windows.Min_
-
-

-
-via Bicep module
-
-```bicep
-module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = {
- name: '${uniqueString(deployment().name, location)}-test-cvmwinmin'
- params: {
- // Required parameters
- adminUsername: 'localAdminUser'
- imageReference: {
- offer: 'WindowsServer'
- publisher: 'MicrosoftWindowsServer'
- sku: '2022-datacenter-azure-edition'
- version: 'latest'
- }
- nicConfigurations: [
- {
- ipConfigurations: [
- {
- name: 'ipconfig01'
- subnetResourceId: ''
- }
- ]
- nicSuffix: '-nic-01'
- }
- ]
- osDisk: {
- diskSizeGB: '128'
- managedDisk: {
- storageAccountType: 'Premium_LRS'
- }
- }
- osType: 'Windows'
- vmSize: 'Standard_DS2_v2'
- // Non-required parameters
- adminPassword: ''
- enableDefaultTelemetry: ''
- location: ''
- name: 'cvmwinmin'
- }
-}
-```
-
-
-

- -

-
-via JSON Parameter file
-
-```json
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- // Required parameters
- "adminUsername": {
- "value": "localAdminUser"
- },
- "imageReference": {
- "value": {
- "offer": "WindowsServer",
- "publisher": "MicrosoftWindowsServer",
- "sku": "2022-datacenter-azure-edition",
- "version": "latest"
- }
- },
- "nicConfigurations": {
- "value": [
- {
- "ipConfigurations": [
- {
- "name": "ipconfig01",
- "subnetResourceId": ""
- }
- ],
- "nicSuffix": "-nic-01"
- }
- ]
- },
- "osDisk": {
- "value": {
- "diskSizeGB": "128",
- "managedDisk": {
- "storageAccountType": "Premium_LRS"
- }
- }
- },
- "osType": {
- "value": "Windows"
- },
- "vmSize": {
- "value": "Standard_DS2_v2"
- },
- // Non-required parameters
- "adminPassword": {
- "value": ""
- },
- "enableDefaultTelemetry": {
- "value": ""
- },
- "location": {
- "value": ""
- },
- "name": {
- "value": "cvmwinmin"
- }
- }
-}
-```
-
-
-

-
-### Example 6: _Windows.Ssecmk_
-
-

-
-via Bicep module
-
-```bicep
-module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = {
- name: '${uniqueString(deployment().name, location)}-test-cvmwincmk'
- params: {
- // Required parameters
- adminUsername: 'VMAdministrator'
- imageReference: {
- offer: 'WindowsServer'
- publisher: 'MicrosoftWindowsServer'
- sku: '2019-datacenter'
- version: 'latest'
- }
- nicConfigurations: [
- {
- ipConfigurations: [
- {
- name: 'ipconfig01'
- subnetResourceId: ''
- }
- ]
- nicSuffix: '-nic-01'
- }
- ]
- osDisk: {
- diskSizeGB: '128'
- managedDisk: {
- diskEncryptionSet: {
- id: ''
- }
- storageAccountType: 'Premium_LRS'
- }
- }
- osType: 'Windows'
- vmSize: 'Standard_DS2_v2'
- // Non-required parameters
- adminPassword: ''
- dataDisks: [
- {
- diskSizeGB: '128'
- managedDisk: {
- diskEncryptionSet: {
- id: ''
- }
- storageAccountType: 'Premium_LRS'
- }
- }
- ]
- enableDefaultTelemetry: ''
- location: ''
- name: 'cvmwincmk'
- tags: {
- Environment: 'Non-Prod'
- 'hidden-title': 'This is visible in the resource name'
- Role: 'DeploymentValidation'
- }
- }
-}
-```
-
-
-

- -

-
-via JSON Parameter file
-
-```json
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- // Required parameters
- "adminUsername": {
- "value": "VMAdministrator"
- },
- "imageReference": {
- "value": {
- "offer": "WindowsServer",
- "publisher": "MicrosoftWindowsServer",
- "sku": "2019-datacenter",
- "version": "latest"
- }
- },
- "nicConfigurations": {
- "value": [
- {
- "ipConfigurations": [
- {
- "name": "ipconfig01",
- "subnetResourceId": ""
- }
- ],
- "nicSuffix": "-nic-01"
- }
- ]
- },
- "osDisk": {
- "value": {
- "diskSizeGB": "128",
- "managedDisk": {
- "diskEncryptionSet": {
- "id": ""
- },
- "storageAccountType": "Premium_LRS"
- }
- }
- },
- "osType": {
- "value": "Windows"
- },
- "vmSize": {
- "value": "Standard_DS2_v2"
- },
- // Non-required parameters
- "adminPassword": {
- "value": ""
- },
- "dataDisks": {
- "value": [
- {
- "diskSizeGB": "128",
- "managedDisk": {
- "diskEncryptionSet": {
- "id": ""
- },
- "storageAccountType": "Premium_LRS"
- }
- }
- ]
- },
- "enableDefaultTelemetry": {
- "value": ""
- },
- "location": {
- "value": ""
- },
- "name": {
- "value": "cvmwincmk"
- },
- "tags": {
- "value": {
- "Environment": "Non-Prod",
- "hidden-title": "This is visible in the resource name",
- "Role": "DeploymentValidation"
- }
- }
- }
-}
-```
-
-
-

-
-### Example 7: _Windows_
-
-

-
-via Bicep module
-
-```bicep
-module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = {
- name: '${uniqueString(deployment().name, location)}-test-cvmwincom'
- params: {
- // Required parameters
- adminUsername: 'VMAdmin'
- imageReference: {
- offer: 'WindowsServer'
- publisher: 'MicrosoftWindowsServer'
- sku: '2019-datacenter'
- version: 'latest'
- }
- nicConfigurations: [
- {
- deleteOption: 'Delete'
- diagnosticSettings: [
- {
- eventHubAuthorizationRuleResourceId: ''
- eventHubName: ''
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- name: 'customSetting'
- storageAccountResourceId: ''
- workspaceResourceId: ''
- }
- ]
- ipConfigurations: [
- {
- applicationSecurityGroups: [
- {
- id: ''
- }
- ]
- diagnosticSettings: [
- {
- eventHubAuthorizationRuleResourceId: ''
- eventHubName: ''
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- name: 'customSetting'
- storageAccountResourceId: ''
- workspaceResourceId: ''
- }
- ]
- loadBalancerBackendAddressPools: [
- {
- id: ''
- }
- ]
- name: 'ipconfig01'
- pipConfiguration: {
- publicIpNameSuffix: '-pip-01'
- roleAssignments: [
- {
- principalId: ''
- principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
- }
- ]
- }
- subnetResourceId: ''
- zones: [
- '1'
- '2'
- '3'
- ]
- }
- ]
- nicSuffix: '-nic-01'
- roleAssignments: [
- {
- principalId: ''
- principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
- }
- ]
- }
- ]
- osDisk: {
- caching: 'None'
- createOption: 'fromImage'
- deleteOption: 'Delete'
- diskSizeGB: '128'
- managedDisk: {
- storageAccountType: 'Premium_LRS'
- }
- }
- osType: 'Windows'
- vmSize: 'Standard_DS2_v2'
- // Non-required parameters
- adminPassword: ''
- availabilityZone: 2
- backupPolicyName: ''
- backupVaultName: ''
- backupVaultResourceGroup: ''
- computerName: 'winvm1'
- dataDisks: [
- {
- caching: 'None'
- createOption: 'Empty'
- deleteOption: 'Delete'
- diskSizeGB: '128'
- managedDisk: {
- storageAccountType: 'Premium_LRS'
- }
- }
- {
- caching: 'None'
- createOption: 'Empty'
- deleteOption: 'Delete'
- diskSizeGB: '128'
- managedDisk: {
- storageAccountType: 'Premium_LRS'
- }
- }
- ]
- enableAutomaticUpdates: true
- enableDefaultTelemetry: ''
- encryptionAtHost: false
- extensionAadJoinConfig: {
- enabled: true
- tags: {
- Environment: 'Non-Prod'
- 'hidden-title': 'This is visible in the resource name'
- Role: 'DeploymentValidation'
- }
- }
- extensionAntiMalwareConfig: {
- enabled: true
- settings: {
- AntimalwareEnabled: 'true'
- Exclusions: {
- Extensions: '.ext1;.ext2'
- Paths: 'c:\\excluded-path-1;c:\\excluded-path-2'
- Processes: 'excludedproc1.exe;excludedproc2.exe'
- }
- RealtimeProtectionEnabled: 'true'
- ScheduledScanSettings: {
- day: '7'
- isEnabled: 'true'
- scanType: 'Quick'
- time: '120'
- }
- }
- tags: {
- Environment: 'Non-Prod'
- 'hidden-title': 'This is visible in the resource name'
- Role: 'DeploymentValidation'
- }
- }
- extensionAzureDiskEncryptionConfig: {
- enabled: true
- settings: {
- EncryptionOperation: 'EnableEncryption'
- KekVaultResourceId: ''
- KeyEncryptionAlgorithm: 'RSA-OAEP'
- KeyEncryptionKeyURL: ''
- KeyVaultResourceId: ''
- KeyVaultURL: ''
- ResizeOSDisk: 'false'
- tags: {
- Environment: 'Non-Prod'
- 'hidden-title': 'This is visible in the resource name'
- Role: 'DeploymentValidation'
- }
- VolumeType: 'All'
- }
- }
- extensionCustomScriptConfig: {
- enabled: true
- fileData: [
- {
- storageAccountId: ''
- uri: ''
- }
- ]
- tags: {
- Environment: 'Non-Prod'
- 'hidden-title': 'This is visible in the resource name'
- Role: 'DeploymentValidation'
- }
- }
- extensionCustomScriptProtectedSetting: {
- commandToExecute: ''
- }
- extensionDependencyAgentConfig: {
- enabled: true
- tags: {
- Environment: 'Non-Prod'
- 'hidden-title': 'This is visible in the resource name'
- Role: 'DeploymentValidation'
- }
- }
- extensionDSCConfig: {
- enabled: true
- tags: {
- Environment: 'Non-Prod'
- 'hidden-title': 'This is visible in the resource name'
- Role: 'DeploymentValidation'
- }
- }
- extensionMonitoringAgentConfig: {
- enabled: true
- tags: {
- Environment: 'Non-Prod'
- 'hidden-title': 'This is visible in the resource name'
- Role: 'DeploymentValidation'
- }
- }
- extensionNetworkWatcherAgentConfig: {
- enabled: true
- tags: {
- Environment: 'Non-Prod'
- 'hidden-title': 'This is visible in the resource name'
- Role: 'DeploymentValidation'
- }
- }
- location: ''
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- ''
- ]
- }
- monitoringWorkspaceId: ''
- name: 'cvmwincom'
- patchMode: 'AutomaticByPlatform'
- proximityPlacementGroupResourceId: ''
- roleAssignments: [
- {
- principalId: ''
- principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Owner'
- }
- {
- principalId: ''
- principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- }
- {
- principalId: ''
- principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: ''
- }
- ]
- tags: {
- Environment: 'Non-Prod'
- 'hidden-title': 'This is visible in the resource name'
- Role: 'DeploymentValidation'
- }
- }
-}
-```
-
-
-

- -

-
-via JSON Parameter file
-
-```json
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- // Required parameters
- "adminUsername": {
- "value": "VMAdmin"
- },
- "imageReference": {
- "value": {
- "offer": "WindowsServer",
- "publisher": "MicrosoftWindowsServer",
- "sku": "2019-datacenter",
- "version": "latest"
- }
- },
- "nicConfigurations": {
- "value": [
- {
- "deleteOption": "Delete",
- "diagnosticSettings": [
- {
- "eventHubAuthorizationRuleResourceId": "",
- "eventHubName": "",
- "metricCategories": [
- {
- "category": "AllMetrics"
- }
- ],
- "name": "customSetting",
- "storageAccountResourceId": "",
- "workspaceResourceId": ""
- }
- ],
- "ipConfigurations": [
- {
- "applicationSecurityGroups": [
- {
- "id": ""
- }
- ],
- "diagnosticSettings": [
- {
- "eventHubAuthorizationRuleResourceId": "",
- "eventHubName": "",
- "metricCategories": [
- {
- "category": "AllMetrics"
- }
- ],
- "name": "customSetting",
- "storageAccountResourceId": "",
- "workspaceResourceId": ""
- }
- ],
- "loadBalancerBackendAddressPools": [
- {
- "id": ""
- }
- ],
- "name": "ipconfig01",
- "pipConfiguration": {
- "publicIpNameSuffix": "-pip-01",
- "roleAssignments": [
- {
- "principalId": "",
- "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
- }
- ]
- },
- "subnetResourceId": "",
- "zones": [
- "1",
- "2",
- "3"
- ]
- }
- ],
- "nicSuffix": "-nic-01",
- "roleAssignments": [
- {
- "principalId": "",
- "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
- }
- ]
- }
- ]
- },
- "osDisk": {
- "value": {
- "caching": "None",
- "createOption": "fromImage",
- "deleteOption": "Delete",
- "diskSizeGB": "128",
- "managedDisk": {
- "storageAccountType": "Premium_LRS"
- }
- }
- },
- "osType": {
- "value": "Windows"
- },
- "vmSize": {
- "value": "Standard_DS2_v2"
- },
- // Non-required parameters
- "adminPassword": {
- "value": ""
- },
- "availabilityZone": {
- "value": 2
- },
- "backupPolicyName": {
- "value": ""
- },
- "backupVaultName": {
- "value": ""
- },
- "backupVaultResourceGroup": {
- "value": ""
- },
- "computerName": {
- "value": "winvm1"
- },
- "dataDisks": {
- "value": [
- {
- "caching": "None",
- "createOption": "Empty",
- "deleteOption": "Delete",
- "diskSizeGB": "128",
- "managedDisk": {
- "storageAccountType": "Premium_LRS"
- }
- },
- {
- "caching": "None",
- "createOption": "Empty",
- "deleteOption": "Delete",
- "diskSizeGB": "128",
- "managedDisk": {
- "storageAccountType": "Premium_LRS"
- }
- }
- ]
- },
- "enableAutomaticUpdates": {
- "value": true
- },
- "enableDefaultTelemetry": {
- "value": ""
- },
- "encryptionAtHost": {
- "value": false
- },
- "extensionAadJoinConfig": {
- "value": {
- "enabled": true,
- "tags": {
- "Environment": "Non-Prod",
- "hidden-title": "This is visible in the resource name",
- "Role": "DeploymentValidation"
- }
- }
- },
- "extensionAntiMalwareConfig": {
- "value": {
- "enabled": true,
- "settings": {
- "AntimalwareEnabled": "true",
- "Exclusions": {
- "Extensions": ".ext1;.ext2",
- "Paths": "c:\\excluded-path-1;c:\\excluded-path-2",
- "Processes": "excludedproc1.exe;excludedproc2.exe"
- },
- "RealtimeProtectionEnabled": "true",
- "ScheduledScanSettings": {
- "day": "7",
- "isEnabled": "true",
- "scanType": "Quick",
- "time": "120"
- }
- },
- "tags": {
- "Environment": "Non-Prod",
- "hidden-title": "This is visible in the resource name",
- "Role": "DeploymentValidation"
- }
- }
- },
- "extensionAzureDiskEncryptionConfig": {
- "value": {
- "enabled": true,
- "settings": {
- "EncryptionOperation": "EnableEncryption",
- "KekVaultResourceId": "",
- "KeyEncryptionAlgorithm": "RSA-OAEP",
- "KeyEncryptionKeyURL": "",
- "KeyVaultResourceId": "",
- "KeyVaultURL": "",
- "ResizeOSDisk": "false",
- "tags": {
- "Environment": "Non-Prod",
- "hidden-title": "This is visible in the resource name",
- "Role": "DeploymentValidation"
- },
- "VolumeType": "All"
- }
- }
- },
- "extensionCustomScriptConfig": {
- "value": {
- "enabled": true,
- "fileData": [
- {
- "storageAccountId": "",
- "uri": ""
- }
- ],
- "tags": {
- "Environment": "Non-Prod",
- "hidden-title": "This is visible in the resource name",
- "Role": "DeploymentValidation"
- }
- }
- },
- "extensionCustomScriptProtectedSetting": {
- "value": {
- "commandToExecute": ""
- }
- },
- "extensionDependencyAgentConfig": {
- "value": {
- "enabled": true,
- "tags": {
- "Environment": "Non-Prod",
- "hidden-title": "This is visible in the resource name",
- "Role": "DeploymentValidation"
- }
- }
- },
- "extensionDSCConfig": {
- "value": {
- "enabled": true,
- "tags": {
- "Environment": "Non-Prod",
- "hidden-title": "This is visible in the resource name",
- "Role": "DeploymentValidation"
- }
- }
- },
- "extensionMonitoringAgentConfig": {
- "value": {
- "enabled": true,
- "tags": {
- "Environment": "Non-Prod",
- "hidden-title": "This is visible in the resource name",
- "Role": "DeploymentValidation"
- }
- }
- },
- "extensionNetworkWatcherAgentConfig": {
- "value": {
- "enabled": true,
- "tags": {
- "Environment": "Non-Prod",
- "hidden-title": "This is visible in the resource name",
- "Role": "DeploymentValidation"
- }
- }
- },
- "location": {
- "value": ""
- },
- "lock": {
- "value": {
- "kind": "CanNotDelete",
- "name": "myCustomLockName"
- }
- },
- "managedIdentities": {
- "value": {
- "systemAssigned": true,
- "userAssignedResourceIds": [
- ""
- ]
- }
- },
- "monitoringWorkspaceId": {
- "value": ""
- },
- "name": {
- "value": "cvmwincom"
- },
- "patchMode": {
- "value": "AutomaticByPlatform"
- },
- "proximityPlacementGroupResourceId": {
- "value": ""
- },
- "roleAssignments": {
- "value": [
- {
- "principalId": "",
- "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Owner"
- },
- {
- "principalId": "",
- "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c"
- },
- {
- "principalId": "",
- "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": ""
- }
- ]
- },
- "tags": {
- "value": {
- "Environment": "Non-Prod",
- "hidden-title": "This is visible in the resource name",
- "Role": "DeploymentValidation"
- }
- }
- }
-}
-```
-
-
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`adminUsername`](#parameter-adminusername) | securestring | Administrator username. | -| [`configurationProfile`](#parameter-configurationprofile) | string | The configuration profile of automanage. | -| [`imageReference`](#parameter-imagereference) | object | OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image. | -| [`nicConfigurations`](#parameter-nicconfigurations) | array | Configures NICs and PIPs. | -| [`osDisk`](#parameter-osdisk) | object | Specifies the OS disk. For security reasons, it is recommended to specify DiskEncryptionSet into the osDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. | -| [`osType`](#parameter-ostype) | string | The chosen OS type. | -| [`vmSize`](#parameter-vmsize) | string | Specifies the size for the VMs. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`additionalUnattendContent`](#parameter-additionalunattendcontent) | array | Specifies additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup. - AdditionalUnattendContent object. | -| [`adminPassword`](#parameter-adminpassword) | securestring | When specifying a Windows Virtual Machine, this value should be passed. | -| [`allowExtensionOperations`](#parameter-allowextensionoperations) | bool | Specifies whether extension operations should be allowed on the virtual machine. This may only be set to False when no extensions are present on the virtual machine. | -| [`availabilitySetResourceId`](#parameter-availabilitysetresourceid) | string | Resource ID of an availability set. 
Cannot be used in combination with availability zone nor scale set. | -| [`availabilityZone`](#parameter-availabilityzone) | int | If set to 1, 2 or 3, the availability zone for all VMs is hardcoded to that value. If zero, then availability zones is not used. Cannot be used in combination with availability set nor scale set. | -| [`backupPolicyName`](#parameter-backuppolicyname) | string | Backup policy the VMs should be using for backup. If not provided, it will use the DefaultPolicy from the backup recovery service vault. | -| [`backupVaultName`](#parameter-backupvaultname) | string | Recovery service vault name to add VMs to backup. | -| [`backupVaultResourceGroup`](#parameter-backupvaultresourcegroup) | string | Resource group of the backup recovery service vault. If not provided the current resource group name is considered by default. | -| [`bootDiagnostics`](#parameter-bootdiagnostics) | bool | Whether boot diagnostics should be enabled on the Virtual Machine. Boot diagnostics will be enabled with a managed storage account if no bootDiagnosticsStorageAccountName value is provided. If bootDiagnostics and bootDiagnosticsStorageAccountName values are not provided, boot diagnostics will be disabled. | -| [`bootDiagnosticStorageAccountName`](#parameter-bootdiagnosticstorageaccountname) | string | Custom storage account used to store boot diagnostic information. Boot diagnostics will be enabled with a custom storage account if a value is provided. | -| [`bootDiagnosticStorageAccountUri`](#parameter-bootdiagnosticstorageaccounturi) | string | Storage account boot diagnostic base URI. | -| [`certificatesToBeInstalled`](#parameter-certificatestobeinstalled) | array | Specifies set of certificates that should be installed onto the virtual machine. | -| [`computerName`](#parameter-computername) | string | Can be used if the computer name needs to be different from the Azure VM resource name. If not used, the resource name will be used as computer name. 
| -| [`customData`](#parameter-customdata) | string | Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format. | -| [`dataDisks`](#parameter-datadisks) | array | Specifies the data disks. For security reasons, it is recommended to specify DiskEncryptionSet into the dataDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. | -| [`dedicatedHostId`](#parameter-dedicatedhostid) | string | Specifies resource ID about the dedicated host that the virtual machine resides in. | -| [`disablePasswordAuthentication`](#parameter-disablepasswordauthentication) | bool | Specifies whether password authentication should be disabled. | -| [`enableAutomaticUpdates`](#parameter-enableautomaticupdates) | bool | Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. When patchMode is set to Manual, this parameter must be set to false. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`enableEvictionPolicy`](#parameter-enableevictionpolicy) | bool | Specifies the eviction policy for the low priority virtual machine. Will result in 'Deallocate' eviction policy. | -| [`encryptionAtHost`](#parameter-encryptionathost) | bool | This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to True. Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. 
| -| [`extensionAadJoinConfig`](#parameter-extensionaadjoinconfig) | object | The configuration for the [AAD Join] extension. Must at least contain the ["enabled": true] property to be executed. | -| [`extensionAntiMalwareConfig`](#parameter-extensionantimalwareconfig) | object | The configuration for the [Anti Malware] extension. Must at least contain the ["enabled": true] property to be executed. | -| [`extensionAzureDiskEncryptionConfig`](#parameter-extensionazurediskencryptionconfig) | object | The configuration for the [Azure Disk Encryption] extension. Must at least contain the ["enabled": true] property to be executed. Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys. | -| [`extensionCustomScriptConfig`](#parameter-extensioncustomscriptconfig) | object | The configuration for the [Custom Script] extension. Must at least contain the ["enabled": true] property to be executed. | -| [`extensionCustomScriptProtectedSetting`](#parameter-extensioncustomscriptprotectedsetting) | secureObject | Any object that contains the extension specific protected settings. | -| [`extensionDependencyAgentConfig`](#parameter-extensiondependencyagentconfig) | object | The configuration for the [Dependency Agent] extension. Must at least contain the ["enabled": true] property to be executed. | -| [`extensionDomainJoinConfig`](#parameter-extensiondomainjoinconfig) | object | The configuration for the [Domain Join] extension. Must at least contain the ["enabled": true] property to be executed. | -| [`extensionDomainJoinPassword`](#parameter-extensiondomainjoinpassword) | securestring | Required if name is specified. Password of the user specified in user parameter. | -| [`extensionDSCConfig`](#parameter-extensiondscconfig) | object | The configuration for the [Desired State Configuration] extension. 
Must at least contain the ["enabled": true] property to be executed. | -| [`extensionMonitoringAgentConfig`](#parameter-extensionmonitoringagentconfig) | object | The configuration for the [Monitoring Agent] extension. Must at least contain the ["enabled": true] property to be executed. | -| [`extensionNetworkWatcherAgentConfig`](#parameter-extensionnetworkwatcheragentconfig) | object | The configuration for the [Network Watcher Agent] extension. Must at least contain the ["enabled": true] property to be executed. | -| [`licenseType`](#parameter-licensetype) | string | Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. The system-assigned managed identity will automatically be enabled if extensionAadJoinConfig.enabled = "True". | -| [`maxPriceForLowPriorityVm`](#parameter-maxpriceforlowpriorityvm) | string | Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars. | -| [`monitoringWorkspaceId`](#parameter-monitoringworkspaceid) | string | Resource ID of the monitoring log analytics workspace. Must be set when extensionMonitoringAgentConfig is set to true. | -| [`name`](#parameter-name) | string | The name of the virtual machine to be created. You should use a unique prefix to reduce name collisions in Active Directory. If no value is provided, a 10 character long unique string will be generated based on the Resource Group's name. | -| [`patchAssessmentMode`](#parameter-patchassessmentmode) | string | VM guest patching assessment mode. Set it to 'AutomaticByPlatform' to enable automatically check for updates every 24 hours. 
| -| [`patchMode`](#parameter-patchmode) | string | VM guest patching orchestration mode. 'AutomaticByOS' & 'Manual' are for Windows only, 'ImageDefault' for Linux only. Refer to 'https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching'. | -| [`plan`](#parameter-plan) | object | Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use. | -| [`priority`](#parameter-priority) | string | Specifies the priority for the virtual machine. | -| [`provisionVMAgent`](#parameter-provisionvmagent) | bool | Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later. | -| [`proximityPlacementGroupResourceId`](#parameter-proximityplacementgroupresourceid) | string | Resource ID of a proximity placement group. | -| [`publicKeys`](#parameter-publickeys) | array | The list of SSH public keys used to authenticate with linux based VMs. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`sasTokenValidityLength`](#parameter-sastokenvaliditylength) | string | SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. | -| [`secureBootEnabled`](#parameter-securebootenabled) | bool | Specifies whether secure boot should be enabled on the virtual machine. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. 
| -| [`securityType`](#parameter-securitytype) | string | Specifies the SecurityType of the virtual machine. It is set as TrustedLaunch to enable UefiSettings. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`timeZone`](#parameter-timezone) | string | Specifies the time zone of the virtual machine. e.g. 'Pacific Standard Time'. Possible values can be `TimeZoneInfo.id` value from time zones returned by `TimeZoneInfo.GetSystemTimeZones`. | -| [`ultraSSDEnabled`](#parameter-ultrassdenabled) | bool | The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled. | -| [`vTpmEnabled`](#parameter-vtpmenabled) | bool | Specifies whether vTPM should be enabled on the virtual machine. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. | -| [`winRM`](#parameter-winrm) | object | Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. - WinRMConfiguration object. | - -**Generated parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`baseTime`](#parameter-basetime) | string | Do not provide a value! This date value is used to generate a registration token. | - -### Parameter: `adminUsername` - -Administrator username. - -- Required: Yes -- Type: securestring - -### Parameter: `configurationProfile` - -The configuration profile of automanage. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesDevTest' - '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction' - ] - ``` - -### Parameter: `imageReference` - -OS image reference. 
In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image. - -- Required: Yes -- Type: object - -### Parameter: `nicConfigurations` - -Configures NICs and PIPs. - -- Required: Yes -- Type: array - -### Parameter: `osDisk` - -Specifies the OS disk. For security reasons, it is recommended to specify DiskEncryptionSet into the osDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. - -- Required: Yes -- Type: object - -### Parameter: `osType` - -The chosen OS type. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Linux' - 'Windows' - ] - ``` - -### Parameter: `vmSize` - -Specifies the size for the VMs. - -- Required: Yes -- Type: string - -### Parameter: `additionalUnattendContent` - -Specifies additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup. - AdditionalUnattendContent object. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `adminPassword` - -When specifying a Windows Virtual Machine, this value should be passed. - -- Required: No -- Type: securestring -- Default: `''` - -### Parameter: `allowExtensionOperations` - -Specifies whether extension operations should be allowed on the virtual machine. This may only be set to False when no extensions are present on the virtual machine. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `availabilitySetResourceId` - -Resource ID of an availability set. Cannot be used in combination with availability zone nor scale set. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `availabilityZone` - -If set to 1, 2 or 3, the availability zone for all VMs is hardcoded to that value. If zero, then availability zones is not used. 
Cannot be used in combination with availability set nor scale set. - -- Required: No -- Type: int -- Default: `0` -- Allowed: - ```Bicep - [ - 0 - 1 - 2 - 3 - ] - ``` - -### Parameter: `backupPolicyName` - -Backup policy the VMs should be using for backup. If not provided, it will use the DefaultPolicy from the backup recovery service vault. - -- Required: No -- Type: string -- Default: `'DefaultPolicy'` - -### Parameter: `backupVaultName` - -Recovery service vault name to add VMs to backup. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `backupVaultResourceGroup` - -Resource group of the backup recovery service vault. If not provided the current resource group name is considered by default. - -- Required: No -- Type: string -- Default: `[resourceGroup().name]` - -### Parameter: `bootDiagnostics` - -Whether boot diagnostics should be enabled on the Virtual Machine. Boot diagnostics will be enabled with a managed storage account if no bootDiagnosticsStorageAccountName value is provided. If bootDiagnostics and bootDiagnosticsStorageAccountName values are not provided, boot diagnostics will be disabled. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `bootDiagnosticStorageAccountName` - -Custom storage account used to store boot diagnostic information. Boot diagnostics will be enabled with a custom storage account if a value is provided. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `bootDiagnosticStorageAccountUri` - -Storage account boot diagnostic base URI. - -- Required: No -- Type: string -- Default: `[format('.blob.{0}/', environment().suffixes.storage)]` - -### Parameter: `certificatesToBeInstalled` - -Specifies set of certificates that should be installed onto the virtual machine. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `computerName` - -Can be used if the computer name needs to be different from the Azure VM resource name. 
If not used, the resource name will be used as computer name. - -- Required: No -- Type: string -- Default: `[parameters('name')]` - -### Parameter: `customData` - -Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `dataDisks` - -Specifies the data disks. For security reasons, it is recommended to specify DiskEncryptionSet into the dataDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `dedicatedHostId` - -Specifies resource ID about the dedicated host that the virtual machine resides in. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `disablePasswordAuthentication` - -Specifies whether password authentication should be disabled. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enableAutomaticUpdates` - -Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. When patchMode is set to Manual, this parameter must be set to false. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableEvictionPolicy` - -Specifies the eviction policy for the low priority virtual machine. Will result in 'Deallocate' eviction policy. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `encryptionAtHost` - -This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. 
This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to True. Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `extensionAadJoinConfig` - -The configuration for the [AAD Join] extension. Must at least contain the ["enabled": true] property to be executed. - -- Required: No -- Type: object -- Default: - ```Bicep - { - enabled: false - } - ``` - -### Parameter: `extensionAntiMalwareConfig` - -The configuration for the [Anti Malware] extension. Must at least contain the ["enabled": true] property to be executed. - -- Required: No -- Type: object -- Default: - ```Bicep - { - enabled: false - } - ``` - -### Parameter: `extensionAzureDiskEncryptionConfig` - -The configuration for the [Azure Disk Encryption] extension. Must at least contain the ["enabled": true] property to be executed. Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys. - -- Required: No -- Type: object -- Default: - ```Bicep - { - enabled: false - } - ``` - -### Parameter: `extensionCustomScriptConfig` - -The configuration for the [Custom Script] extension. Must at least contain the ["enabled": true] property to be executed. - -- Required: No -- Type: object -- Default: - ```Bicep - { - enabled: false - fileData: [] - } - ``` - -### Parameter: `extensionCustomScriptProtectedSetting` - -Any object that contains the extension specific protected settings. - -- Required: No -- Type: secureObject -- Default: `{}` - -### Parameter: `extensionDependencyAgentConfig` - -The configuration for the [Dependency Agent] extension. Must at least contain the ["enabled": true] property to be executed. 
- -- Required: No -- Type: object -- Default: - ```Bicep - { - enabled: false - } - ``` - -### Parameter: `extensionDomainJoinConfig` - -The configuration for the [Domain Join] extension. Must at least contain the ["enabled": true] property to be executed. - -- Required: No -- Type: object -- Default: - ```Bicep - { - enabled: false - } - ``` - -### Parameter: `extensionDomainJoinPassword` - -Required if name is specified. Password of the user specified in user parameter. - -- Required: No -- Type: securestring -- Default: `''` - -### Parameter: `extensionDSCConfig` - -The configuration for the [Desired State Configuration] extension. Must at least contain the ["enabled": true] property to be executed. - -- Required: No -- Type: object -- Default: - ```Bicep - { - enabled: false - } - ``` - -### Parameter: `extensionMonitoringAgentConfig` - -The configuration for the [Monitoring Agent] extension. Must at least contain the ["enabled": true] property to be executed. - -- Required: No -- Type: object -- Default: - ```Bicep - { - enabled: false - } - ``` - -### Parameter: `extensionNetworkWatcherAgentConfig` - -The configuration for the [Network Watcher Agent] extension. Must at least contain the ["enabled": true] property to be executed. - -- Required: No -- Type: object -- Default: - ```Bicep - { - enabled: false - } - ``` - -### Parameter: `licenseType` - -Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Windows_Client' - 'Windows_Server' - ] - ``` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. 
- -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. The system-assigned managed identity will automatically be enabled if extensionAadJoinConfig.enabled = "True". - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: No -- Type: array - -### Parameter: `maxPriceForLowPriorityVm` - -Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `monitoringWorkspaceId` - -Resource ID of the monitoring log analytics workspace. Must be set when extensionMonitoringAgentConfig is set to true. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `name` - -The name of the virtual machine to be created. You should use a unique prefix to reduce name collisions in Active Directory. 
If no value is provided, a 10 character long unique string will be generated based on the Resource Group's name. - -- Required: No -- Type: string -- Default: `[take(toLower(uniqueString(resourceGroup().name)), 10)]` - -### Parameter: `patchAssessmentMode` - -VM guest patching assessment mode. Set it to 'AutomaticByPlatform' to enable automatically check for updates every 24 hours. - -- Required: No -- Type: string -- Default: `'ImageDefault'` -- Allowed: - ```Bicep - [ - 'AutomaticByPlatform' - 'ImageDefault' - ] - ``` - -### Parameter: `patchMode` - -VM guest patching orchestration mode. 'AutomaticByOS' & 'Manual' are for Windows only, 'ImageDefault' for Linux only. Refer to 'https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching'. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'AutomaticByOS' - 'AutomaticByPlatform' - 'ImageDefault' - 'Manual' - ] - ``` - -### Parameter: `plan` - -Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `priority` - -Specifies the priority for the virtual machine. - -- Required: No -- Type: string -- Default: `'Regular'` -- Allowed: - ```Bicep - [ - 'Low' - 'Regular' - 'Spot' - ] - ``` - -### Parameter: `provisionVMAgent` - -Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `proximityPlacementGroupResourceId` - -Resource ID of a proximity placement group. 
- -- Required: No -- Type: string -- Default: `''` - -### Parameter: `publicKeys` - -The list of SSH public keys used to authenticate with linux based VMs. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. 
- -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `sasTokenValidityLength` - -SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. - -- Required: No -- Type: string -- Default: `'PT8H'` - -### Parameter: `secureBootEnabled` - -Specifies whether secure boot should be enabled on the virtual machine. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. 
- -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `securityType` - -Specifies the SecurityType of the virtual machine. It is set as TrustedLaunch to enable UefiSettings. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `timeZone` - -Specifies the time zone of the virtual machine. e.g. 'Pacific Standard Time'. Possible values can be `TimeZoneInfo.id` value from time zones returned by `TimeZoneInfo.GetSystemTimeZones`. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `ultraSSDEnabled` - -The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `vTpmEnabled` - -Specifies whether vTPM should be enabled on the virtual machine. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `winRM` - -Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. - WinRMConfiguration object. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `baseTime` - -Do not provide a value! This date value is used to generate a registration token. - -- Required: No -- Type: string -- Default: `[utcNow('u')]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the VM. | -| `resourceGroupName` | string | The name of the resource group the VM was created in. | -| `resourceId` | string | The resource ID of the VM. 
| -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `modules/network/network-interface` | Local reference | -| `modules/network/public-ip-address` | Local reference | -| `modules/recovery-services/vault/backup-fabric/protection-container/protected-item` | Local reference | - -## Notes - -### Automanage considerations - -Enabling automanage triggers the creation of additional resources outside of the specific virtual machine deployment, such as: -- an `Automanage-Automate-` in the same Virtual Machine Resource Group and linking to the log analytics workspace leveraged by Azure Security Center. -- a `DefaultResourceGroup-` resource group hosting a recovery services vault `DefaultBackupVault-` where virtual machine backups are stored -For further details on automanage please refer to [Automanage virtual machines](https://learn.microsoft.com/en-us/azure/automanage/automanage-virtual-machines). - -### Parameter Usage: `imageReference` - -#### Marketplace images - -

- -Parameter JSON format - -```json -"imageReference": { - "value": { - "publisher": "MicrosoftWindowsServer", - "offer": "WindowsServer", - "sku": "2022-datacenter-azure-edition", - "version": "latest" - } -} -``` - -
-
- -Bicep format - -```bicep -imageReference: { - publisher: 'MicrosoftWindowsServer' - offer: 'WindowsServer' - sku: '2022-datacenter-azure-edition' - version: 'latest' -} -``` - -
-

- -#### Custom images - -

- -Parameter JSON format - -```json -"imageReference": { - "value": { - "id": "/subscriptions/12345-6789-1011-1213-15161718/resourceGroups/rg-name/providers/Microsoft.Compute/images/imagename" - } -} -``` - -
- -
- -Bicep format - -```bicep -imageReference: { - id: '/subscriptions/12345-6789-1011-1213-15161718/resourceGroups/rg-name/providers/Microsoft.Compute/images/imagename' -} -``` - -
-

- -### Parameter Usage: `plan` - -

- -Parameter JSON format - -```json -"plan": { - "value": { - "name": "qvsa-25", - "product": "qualys-virtual-scanner", - "publisher": "qualysguard" - } -} -``` - -
- -
- -Bicep format - -```bicep -plan: { - name: 'qvsa-25' - product: 'qualys-virtual-scanner' - publisher: 'qualysguard' -} -``` - -
-

- -### Parameter Usage: `osDisk` - -

- -Parameter JSON format - -```json -"osDisk": { - "value": { - "createOption": "fromImage", - "deleteOption": "Delete", // Optional. Can be 'Delete' or 'Detach' - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS", - "diskEncryptionSet": { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. - "id": "/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/" - } - } - } -} -``` - -
- -
- -Bicep format - -```bicep -osDisk: { - createOption: 'fromImage' - deleteOption: 'Delete' // Optional. Can be 'Delete' or 'Detach' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - diskEncryptionSet: { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. - id: '/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/' - } - } -} -``` - -
-

- -### Parameter Usage: `dataDisks` - -

- -Parameter JSON format - -```json -"dataDisks": { - "value": [ - { - "caching": "ReadOnly", - "createOption": "Empty", - "deleteOption": "Delete", // Optional. Can be 'Delete' or 'Detach' - "diskSizeGB": "256", - "managedDisk": { - "storageAccountType": "Premium_LRS", - "diskEncryptionSet": { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. - "id": "/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/" - } - } - }, - { - "caching": "ReadOnly", - "createOption": "Empty", - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS", - "diskEncryptionSet": { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. - "id": "/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/" - } - } - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -dataDisks: [ - { - caching: 'ReadOnly' - createOption: 'Empty' - deleteOption: 'Delete' // Optional. Can be 'Delete' or 'Detach' - diskSizeGB: '256' - managedDisk: { - storageAccountType: 'Premium_LRS' - diskEncryptionSet: { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. - id: '/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/' - } - } - } - { - caching: 'ReadOnly' - createOption: 'Empty' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - diskEncryptionSet: { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. - id: '/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/' - } - } - } -] -``` - -
-

- -### Parameter Usage: `nicConfigurations` - -Comments: -- The field `nicSuffix` and `subnetResourceId` are mandatory. -- If `enablePublicIP` is set to true, then `publicIpNameSuffix` is also mandatory. -- Each IP config needs to have the mandatory field `name`. -- If not disabled, `enableAcceleratedNetworking` is considered `true` by default and requires the VM to be deployed with a supported OS and VM size. - -

- -Parameter JSON format - -```json -"nicConfigurations": { - "value": [ - { - "nicSuffix": "-nic-01", - "deleteOption": "Delete", // Optional. Can be 'Delete' or 'Detach' - "ipConfigurations": [ - { - "name": "ipconfig1", - "subnetResourceId": "/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/", - "pipConfiguration": { - "publicIpNameSuffix": "-pip-01", - "roleAssignments": [ - { - "roleDefinitionIdOrName": "Reader", - "principalIds": [ - "" - ] - } - ] - } - }, - { - "name": "ipconfig2", - "subnetResourceId": "/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/", - } - ], - "nsgId": "/subscriptions//resourceGroups//providers/Microsoft.Network/networkSecurityGroups/", - "roleAssignments": [ - { - "roleDefinitionIdOrName": "Reader", - "principalIds": [ - "" - ] - } - ] - }, - { - "nicSuffix": "-nic-02", - "ipConfigurations": [ - { - "name": "ipconfig1", - "subnetResourceId": "/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/", - "pipConfiguration": { - "publicIpNameSuffix": "-pip-02" - } - }, - { - "name": "ipconfig2", - "subnetResourceId": "/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/", - "privateIPAllocationMethod": "Static", - "privateIPAddress": "10.0.0.9" - } - ] - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -nicConfigurations: { - value: [ - { - nicSuffix: '-nic-01' - deleteOption: 'Delete' // Optional. Can be 'Delete' or 'Detach' - ipConfigurations: [ - { - name: 'ipconfig1' - subnetResourceId: '/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/' - pipConfiguration: { - publicIpNameSuffix: '-pip-01' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - '' - ] - } - ] - } - } - { - name: 'ipconfig2' - subnetResourceId: '/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/' - } - ] - nsgId: '/subscriptions//resourceGroups//providers/Microsoft.Network/networkSecurityGroups/' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - '' - ] - } - ] - } - { - nicSuffix: '-nic-02' - ipConfigurations: [ - { - name: 'ipconfig1' - subnetResourceId: '/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/' - pipConfiguration: { - publicIpNameSuffix: '-pip-02' - } - } - { - name: 'ipconfig2' - subnetResourceId: '/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/' - privateIPAllocationMethod: 'Static' - privateIPAddress: '10.0.0.9' - } - ] - } - ] -} -``` - -
-

- -### Parameter Usage: `configurationProfileAssignments` - -

- -Parameter JSON format - -```json -"configurationProfileAssignments": { - "value": [ - "/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction", - "/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesDevTest" - ] -} -``` - -
- -
- -Bicep format - -```bicep -configurationProfileAssignments: [ - '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction' - '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesDevTest' -] -``` - -
-

- -### Parameter Usage: `extensionDomainJoinConfig` - -

- -Parameter JSON format - -```json -"extensionDomainJoinConfig": { - "value": { - "enabled": true, - "settings": { - "name": "contoso.com", - "user": "test.user@testcompany.com", - "ouPath": "OU=testOU; DC=contoso; DC=com", - "restart": true, - "options": 3 - } - } -}, -"extensionDomainJoinPassword": { - "reference": { - "keyVault": { - "id": "/subscriptions/</resourceGroups/myRG/providers/Microsoft.KeyVault/vaults/myKvlt" - }, - "secretName": "domainJoinUser02-Password" - } -} -``` - -
- -
- -Bicep format - -```bicep -extensionDomainJoinConfig: { - enabled: true - settings: { - name: 'contoso.com' - user: 'test.user@testcompany.com' - ouPath: 'OU=testOU; DC=contoso; DC=com' - restart: true - options: 3 - } -} - -resource kv1 'Microsoft.KeyVault/vaults@2019-09-01' existing = { - name: 'adp-[[namePrefix]]-az-kv-x-001' - scope: resourceGroup('[[subscriptionId]]','validation-rg') -} - -extensionDomainJoinPassword: kv1.getSecret('domainJoinUser02-Password') -``` - -
-

- -### Parameter Usage: `extensionAntiMalwareConfig` - -Only for OSType Windows - -

- -Parameter JSON format - -```json -"extensionAntiMalwareConfig": { - "value": { - "enabled": true, - "settings": { - "AntimalwareEnabled": true, - "Exclusions": { - "Extensions": ".log;.ldf", - "Paths": "D:\\IISlogs;D:\\DatabaseLogs", - "Processes": "mssence.svc" - }, - "RealtimeProtectionEnabled": true, - "ScheduledScanSettings": { - "isEnabled": "true", - "scanType": "Quick", - "day": "7", - "time": "120" - } - } - } -} -``` - -
- -
- -Bicep format - -```bicep -extensionAntiMalwareConfig: { - enabled: true - settings: { - AntimalwareEnabled: true - Exclusions: { - Extensions: '.log;.ldf' - Paths: 'D:\\IISlogs;D:\\DatabaseLogs' - Processes: 'mssence.svc' - } - RealtimeProtectionEnabled: true - ScheduledScanSettings: { - isEnabled: 'true' - scanType: 'Quick' - day: '7' - time: '120' - } - } -} -``` - -
-

- -### Parameter Usage: `extensionAzureDiskEncryptionConfig` - -

- -Parameter JSON format - -```json -"extensionAzureDiskEncryptionConfig": { - // Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys. - "value": { - "enabled": true, - "settings": { - "EncryptionOperation": "EnableEncryption", - "KeyVaultURL": "https://mykeyvault.vault.azure.net/", - "KeyVaultResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-sxx-az-kv-x-001", - "KeyEncryptionKeyURL": "https://mykeyvault.vault.azure.net/keys/keyEncryptionKey/bc3bb46d95c64367975d722f473eeae5", // ID must be updated for new keys - "KekVaultResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-sxx-az-kv-x-001", - "KeyEncryptionAlgorithm": "RSA-OAEP", //'RSA-OAEP'/'RSA-OAEP-256'/'RSA1_5' - "VolumeType": "All", //'OS'/'Data'/'All' - "ResizeOSDisk": "false" - } - } -} -``` - -
- -
- -Bicep format - -```bicep -extensionAzureDiskEncryptionConfig: { - // Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys. - enabled: true - settings: { - EncryptionOperation: 'EnableEncryption' - KeyVaultURL: 'https://mykeyvault.vault.azure.net/' - KeyVaultResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-sxx-az-kv-x-001' - KeyEncryptionKeyURL: 'https://mykeyvault.vault.azure.net/keys/keyEncryptionKey/bc3bb46d95c64367975d722f473eeae5' // ID must be updated for new keys - KekVaultResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-sxx-az-kv-x-001' - KeyEncryptionAlgorithm: 'RSA-OAEP' //'RSA-OAEP'/'RSA-OAEP-256'/'RSA1_5' - VolumeType: 'All' //'OS'/'Data'/'All' - ResizeOSDisk: 'false' - } -} -``` - -
-

- -### Parameter Usage: `extensionDSCConfig` - -

- -Parameter JSON format - -```json -"extensionDSCConfig": { - "value": { - { - "enabled": true, - "settings": { - "wmfVersion": "latest", - "configuration": { - "url": "http://validURLToConfigLocation", - "script": "ConfigurationScript.ps1", - "function": "ConfigurationFunction" - }, - "configurationArguments": { - "argument1": "Value1", - "argument2": "Value2" - }, - "configurationData": { - "url": "https://foo.psd1" - }, - "privacy": { - "dataCollection": "enable" - }, - "advancedOptions": { - "forcePullAndApply": false, - "downloadMappings": { - "specificDependencyKey": "https://myCustomDependencyLocation" - } - } - }, - "protectedSettings": { - "configurationArguments": { - "mySecret": "MyPlaceholder" - }, - "configurationUrlSasToken": "MyPlaceholder", - "configurationDataUrlSasToken": "MyPlaceholder" - } - } - } -} -``` - -
- -
- -Bicep format - -```bicep -extensionDSCConfig: { - { - enabled: true - settings: { - wmfVersion: 'latest' - configuration: { - url: 'http://validURLToConfigLocation' - script: 'ConfigurationScript.ps1' - function: 'ConfigurationFunction' - } - configurationArguments: { - argument1: 'Value1' - argument2: 'Value2' - } - configurationData: { - url: 'https://foo.psd1' - } - privacy: { - dataCollection: 'enable' - } - advancedOptions: { - forcePullAndApply: false - downloadMappings: { - specificDependencyKey: 'https://myCustomDependencyLocation' - } - } - } - protectedSettings: { - configurationArguments: { - mySecret: 'MyPlaceholder' - } - configurationUrlSasToken: 'MyPlaceholder' - configurationDataUrlSasToken: 'MyPlaceholder' - } - } -} -``` - -
-

- -### Parameter Usage: `extensionCustomScriptConfig` - -

- -Parameter JSON format - -```json -"extensionCustomScriptConfig": { - "value": { - "enabled": true, - "fileData": [ - //storage accounts with SAS token requirement - { - "uri": "https://mystorageaccount.blob.core.windows.net/avdscripts/File1.ps1", - "storageAccountId": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Storage/storageAccounts/storageAccountName" - }, - { - "uri": "https://mystorageaccount.blob.core.windows.net/avdscripts/File2.ps1", - "storageAccountId": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Storage/storageAccounts/storageAccountName" - }, - //storage account with public container (no SAS token is required) OR other public URL (not a storage account) - { - "uri": "https://github.com/myProject/File3.ps1", - "storageAccountId": "" - } - ], - "settings": { - "commandToExecute": "powershell -ExecutionPolicy Unrestricted -File testscript.ps1" - } - } -} -``` - -
- -
- -Bicep format - -```bicep -extensionCustomScriptConfig: { - enabled: true - fileData: [ - //storage accounts with SAS token requirement - { - uri: 'https://mystorageaccount.blob.core.windows.net/avdscripts/File1.ps1' - storageAccountId: '/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Storage/storageAccounts/storageAccountName' - } - { - uri: 'https://mystorageaccount.blob.core.windows.net/avdscripts/File2.ps1' - storageAccountId: '/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Storage/storageAccounts/storageAccountName' - } - //storage account with public container (no SAS token is required) OR other public URL (not a storage account) - { - uri: 'https://github.com/myProject/File3.ps1' - storageAccountId: '' - } - ] - settings: { - commandToExecute: 'powershell -ExecutionPolicy Unrestricted -File testscript.ps1' - } -} -``` - -
-

- -### Parameter Usage: `extensionCustomScriptProtectedSetting` - -This is used if you are going to use secrets or other sensitive information that you don't want to be visible in the deployment and logs. - -

- -Parameter JSON format - -```json -"extensionCustomScriptProtectedSetting": { - "value": [ - { - "commandToExecute": "mycommandToRun -someParam MYSECRET" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -extensionCustomScriptProtectedSetting: [ - { - commandToExecute: 'mycommandToRun -someParam MYSECRET' - } -] -``` - -
-

+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/compute/virtual-machine/extension/README.md b/modules/compute/virtual-machine/extension/README.md
deleted file mode 100644
index 324ebc8179..0000000000
--- a/modules/compute/virtual-machine/extension/README.md
+++ /dev/null
@@ -1,165 +0,0 @@
-# Virtual Machine Extensions `[Microsoft.Compute/virtualMachines/extensions]`
-
-This module deploys a Virtual Machine Extension.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Compute/virtualMachines/extensions` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Compute/2022-11-01/virtualMachines/extensions) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`autoUpgradeMinorVersion`](#parameter-autoupgrademinorversion) | bool | Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true. |
-| [`enableAutomaticUpgrade`](#parameter-enableautomaticupgrade) | bool | Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available. |
-| [`name`](#parameter-name) | string | The name of the virtual machine extension. |
-| [`publisher`](#parameter-publisher) | string | The name of the extension handler publisher. |
-| [`type`](#parameter-type) | string | Specifies the type of the extension; an example is "CustomScriptExtension". |
-| [`typeHandlerVersion`](#parameter-typehandlerversion) | string | Specifies the version of the script handler. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`virtualMachineName`](#parameter-virtualmachinename) | string | The name of the parent virtual machine that extension is provisioned for. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`forceUpdateTag`](#parameter-forceupdatetag) | string | How the extension handler should be forced to update even if the extension configuration has not changed. |
-| [`location`](#parameter-location) | string | The location the extension is deployed to. |
-| [`protectedSettings`](#parameter-protectedsettings) | secureObject | Any object that contains the extension specific protected settings. |
-| [`settings`](#parameter-settings) | object | Any object that contains the extension specific settings. |
-| [`supressFailures`](#parameter-supressfailures) | bool | Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false. |
-| [`tags`](#parameter-tags) | object | Tags of the resource. |
-
-### Parameter: `autoUpgradeMinorVersion`
-
-Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true.
-
-- Required: Yes
-- Type: bool
-
-### Parameter: `enableAutomaticUpgrade`
-
-Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available.
-
-- Required: Yes
-- Type: bool
-
-### Parameter: `name`
-
-The name of the virtual machine extension.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `publisher`
-
-The name of the extension handler publisher.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `type`
-
-Specifies the type of the extension; an example is "CustomScriptExtension".
-
-- Required: Yes
-- Type: string
-
-### Parameter: `typeHandlerVersion`
-
-Specifies the version of the script handler.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `virtualMachineName`
-
-The name of the parent virtual machine that extension is provisioned for. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `forceUpdateTag`
-
-How the extension handler should be forced to update even if the extension configuration has not changed.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `location`
-
-The location the extension is deployed to.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-### Parameter: `protectedSettings`
-
-Any object that contains the extension specific protected settings.
-
-- Required: No
-- Type: secureObject
-- Default: `{}`
-
-### Parameter: `settings`
-
-Any object that contains the extension specific settings.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `supressFailures`
-
-Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `tags`
-
-Tags of the resource.
-
-- Required: No
-- Type: object
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the extension. |
-| `resourceGroupName` | string | The name of the Resource Group the extension was created in. |
-| `resourceId` | string | The resource ID of the extension. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/compute/virtual-machine/extension/main.bicep b/modules/compute/virtual-machine/extension/main.bicep
deleted file mode 100644
index 909805fe1c..0000000000
--- a/modules/compute/virtual-machine/extension/main.bicep
+++ /dev/null
@@ -1,92 +0,0 @@
-metadata name = 'Virtual Machine Extensions'
-metadata description = 'This module deploys a Virtual Machine Extension.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent virtual machine that extension is provisioned for. Required if the template is used in a standalone deployment.')
-param virtualMachineName string
-
-@description('Required. The name of the virtual machine extension.')
-param name string
-
-@description('Optional. The location the extension is deployed to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the extension handler publisher.')
-param publisher string
-
-@description('Required. Specifies the type of the extension; an example is "CustomScriptExtension".')
-param type string
-
-@description('Required. Specifies the version of the script handler.')
-param typeHandlerVersion string
-
-@description('Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true.')
-param autoUpgradeMinorVersion bool
-
-@description('Optional. How the extension handler should be forced to update even if the extension configuration has not changed.')
-param forceUpdateTag string = ''
-
-@description('Optional. Any object that contains the extension specific settings.')
-param settings object = {}
-
-@description('Optional. Any object that contains the extension specific protected settings.')
-@secure()
-param protectedSettings object = {}
-
-@description('Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false.')
-param supressFailures bool = false
-
-@description('Required. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available.')
-param enableAutomaticUpgrade bool
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource virtualMachine 'Microsoft.Compute/virtualMachines@2022-11-01' existing = {
- name: virtualMachineName
-}
-
-resource extension 'Microsoft.Compute/virtualMachines/extensions@2022-11-01' = {
- name: name
- parent: virtualMachine
- location: location
- tags: tags
- properties: {
- publisher: publisher
- type: type
- typeHandlerVersion: typeHandlerVersion
- autoUpgradeMinorVersion: autoUpgradeMinorVersion
- enableAutomaticUpgrade: enableAutomaticUpgrade
- forceUpdateTag: !empty(forceUpdateTag) ? forceUpdateTag : null
- settings: !empty(settings) ? settings : null
- protectedSettings: !empty(protectedSettings) ? protectedSettings : null
- suppressFailures: supressFailures
- }
-}
-
-@description('The name of the extension.')
-output name string = extension.name
-
-@description('The resource ID of the extension.')
-output resourceId string = extension.id
-
-@description('The name of the Resource Group the extension was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = extension.location
diff --git a/modules/compute/virtual-machine/extension/main.json b/modules/compute/virtual-machine/extension/main.json
deleted file mode 100644
index 5ddd571641..0000000000
--- a/modules/compute/virtual-machine/extension/main.json
+++ /dev/null
@@ -1,181 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5421737065579119324" - }, - "name": "Virtual Machine Extensions", - "description": "This module deploys a Virtual Machine Extension.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "virtualMachineName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent virtual machine that extension is provisioned for. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the virtual machine extension." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. The location the extension is deployed to." - } - }, - "publisher": { - "type": "string", - "metadata": { - "description": "Required. The name of the extension handler publisher." - } - }, - "type": { - "type": "string", - "metadata": { - "description": "Required. Specifies the type of the extension; an example is \"CustomScriptExtension\"." - } - }, - "typeHandlerVersion": { - "type": "string", - "metadata": { - "description": "Required. Specifies the version of the script handler." - } - }, - "autoUpgradeMinorVersion": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true." - } - }, - "forceUpdateTag": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
How the extension handler should be forced to update even if the extension configuration has not changed." - } - }, - "settings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific settings." - } - }, - "protectedSettings": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific protected settings." - } - }, - "supressFailures": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false." - } - }, - "enableAutomaticUpgrade": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "virtualMachine": { - "existing": true, - "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2022-11-01", - "name": "[parameters('virtualMachineName')]" - }, - "extension": { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "publisher": "[parameters('publisher')]", - "type": "[parameters('type')]", - "typeHandlerVersion": "[parameters('typeHandlerVersion')]", - "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", - "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": "[if(not(empty(parameters('forceUpdateTag'))), parameters('forceUpdateTag'), null())]", - "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", - "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", - "suppressFailures": "[parameters('supressFailures')]" - }, - "dependsOn": [ - "virtualMachine" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the extension." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the extension." 
- }, - "value": "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the extension was created in." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('extension', '2022-11-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/compute/virtual-machine/extension/version.json b/modules/compute/virtual-machine/extension/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/compute/virtual-machine/extension/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/compute/virtual-machine/main.bicep b/modules/compute/virtual-machine/main.bicep deleted file mode 100644 index f908e4b473..0000000000 --- a/modules/compute/virtual-machine/main.bicep +++ /dev/null 
@@ -1,771 +0,0 @@ -metadata name = 'Virtual Machines' -metadata description = 'This module deploys a Virtual Machine with one or multiple NICs and optionally one or multiple public IPs.' -metadata owner = 'Azure/module-maintainers' - -// Main resource -@description('Optional. The name of the virtual machine to be created. You should use a unique prefix to reduce name collisions in Active Directory. If no value is provided, a 10 character long unique string will be generated based on the Resource Group\'s name.') -param name string = take(toLower(uniqueString(resourceGroup().name)), 10) - -@description('Optional. Can be used if the computer name needs to be different from the Azure VM resource name. If not used, the resource name will be used as computer name.') -param computerName string = name - -@description('Required. Specifies the size for the VMs.') -param vmSize string - -@description('Optional. This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to True. Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs.') -param encryptionAtHost bool = true - -@description('Optional. Specifies the SecurityType of the virtual machine. It is set as TrustedLaunch to enable UefiSettings.') -param securityType string = '' - -@description('Optional. Specifies whether secure boot should be enabled on the virtual machine. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings.') -param secureBootEnabled bool = false - -@description('Optional. Specifies whether vTPM should be enabled on the virtual machine. This parameter is part of the UefiSettings. 
SecurityType should be set to TrustedLaunch to enable UefiSettings.') -param vTpmEnabled bool = false - -@description('Required. OS image reference. In case of marketplace images, it\'s the combination of the publisher, offer, sku, version attributes. In case of custom images it\'s the resource ID of the custom image.') -param imageReference object - -@description('Optional. Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use.') -param plan object = {} - -@description('Required. Specifies the OS disk. For security reasons, it is recommended to specify DiskEncryptionSet into the osDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs.') -param osDisk object - -@description('Optional. Specifies the data disks. For security reasons, it is recommended to specify DiskEncryptionSet into the dataDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs.') -param dataDisks array = [] - -@description('Optional. The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled.') -param ultraSSDEnabled bool = false - -@description('Required. Administrator username.') -@secure() -param adminUsername string - -@description('Optional. When specifying a Windows Virtual Machine, this value should be passed.') -@secure() -param adminPassword string = '' - -@description('Optional. 
Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format.') -param customData string = '' - -@description('Optional. Specifies set of certificates that should be installed onto the virtual machine.') -param certificatesToBeInstalled array = [] - -@description('Optional. Specifies the priority for the virtual machine.') -@allowed([ - 'Regular' - 'Low' - 'Spot' -]) -param priority string = 'Regular' - -@description('Optional. Specifies the eviction policy for the low priority virtual machine. Will result in \'Deallocate\' eviction policy.') -param enableEvictionPolicy bool = false - -@description('Optional. Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars.') -param maxPriceForLowPriorityVm string = '' - -@description('Optional. Specifies resource ID about the dedicated host that the virtual machine resides in.') -param dedicatedHostId string = '' - -@description('Optional. Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system.') -@allowed([ - 'Windows_Client' - 'Windows_Server' - '' -]) -param licenseType string = '' - -@description('Optional. The list of SSH public keys used to authenticate with linux based VMs.') -param publicKeys array = [] - -@description('Optional. The managed identity definition for this resource. The system-assigned managed identity will automatically be enabled if extensionAadJoinConfig.enabled = "True".') -param managedIdentities managedIdentitiesType - -@description('Optional. Whether boot diagnostics should be enabled on the Virtual Machine. Boot diagnostics will be enabled with a managed storage account if no bootDiagnosticsStorageAccountName value is provided. 
If bootDiagnostics and bootDiagnosticsStorageAccountName values are not provided, boot diagnostics will be disabled.') -param bootDiagnostics bool = false - -@description('Optional. Custom storage account used to store boot diagnostic information. Boot diagnostics will be enabled with a custom storage account if a value is provided.') -param bootDiagnosticStorageAccountName string = '' - -@description('Optional. Storage account boot diagnostic base URI.') -param bootDiagnosticStorageAccountUri string = '.blob.${environment().suffixes.storage}/' - -@description('Optional. Resource ID of a proximity placement group.') -param proximityPlacementGroupResourceId string = '' - -@description('Optional. Resource ID of an availability set. Cannot be used in combination with availability zone nor scale set.') -param availabilitySetResourceId string = '' - -@description('Optional. If set to 1, 2 or 3, the availability zone for all VMs is hardcoded to that value. If zero, then availability zones is not used. Cannot be used in combination with availability set nor scale set.') -@allowed([ - 0 - 1 - 2 - 3 -]) -param availabilityZone int = 0 - -// External resources -@description('Required. Configures NICs and PIPs.') -param nicConfigurations array - -@description('Optional. Recovery service vault name to add VMs to backup.') -param backupVaultName string = '' - -@description('Optional. Resource group of the backup recovery service vault. If not provided the current resource group name is considered by default.') -param backupVaultResourceGroup string = resourceGroup().name - -@description('Optional. Backup policy the VMs should be using for backup. If not provided, it will use the DefaultPolicy from the backup recovery service vault.') -param backupPolicyName string = 'DefaultPolicy' - -// Child resources -@description('Optional. Specifies whether extension operations should be allowed on the virtual machine. 
This may only be set to False when no extensions are present on the virtual machine.') -param allowExtensionOperations bool = true - -@description('Optional. Required if name is specified. Password of the user specified in user parameter.') -@secure() -param extensionDomainJoinPassword string = '' - -@description('Optional. The configuration for the [Domain Join] extension. Must at least contain the ["enabled": true] property to be executed.') -param extensionDomainJoinConfig object = { - enabled: false -} - -@description('Optional. The configuration for the [AAD Join] extension. Must at least contain the ["enabled": true] property to be executed.') -param extensionAadJoinConfig object = { - enabled: false -} - -@description('Optional. The configuration for the [Anti Malware] extension. Must at least contain the ["enabled": true] property to be executed.') -param extensionAntiMalwareConfig object = { - enabled: false -} - -@description('Optional. The configuration for the [Monitoring Agent] extension. Must at least contain the ["enabled": true] property to be executed.') -param extensionMonitoringAgentConfig object = { - enabled: false -} - -@description('Optional. Resource ID of the monitoring log analytics workspace. Must be set when extensionMonitoringAgentConfig is set to true.') -param monitoringWorkspaceId string = '' - -@description('Optional. The configuration for the [Dependency Agent] extension. Must at least contain the ["enabled": true] property to be executed.') -param extensionDependencyAgentConfig object = { - enabled: false -} - -@description('Optional. The configuration for the [Network Watcher Agent] extension. Must at least contain the ["enabled": true] property to be executed.') -param extensionNetworkWatcherAgentConfig object = { - enabled: false -} - -@description('Optional. The configuration for the [Azure Disk Encryption] extension. Must at least contain the ["enabled": true] property to be executed. 
Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys.') -param extensionAzureDiskEncryptionConfig object = { - enabled: false -} - -@description('Optional. The configuration for the [Desired State Configuration] extension. Must at least contain the ["enabled": true] property to be executed.') -param extensionDSCConfig object = { - enabled: false -} - -@description('Optional. The configuration for the [Custom Script] extension. Must at least contain the ["enabled": true] property to be executed.') -param extensionCustomScriptConfig object = { - enabled: false - fileData: [] -} - -@description('Optional. Any object that contains the extension specific protected settings.') -@secure() -param extensionCustomScriptProtectedSetting object = {} - -// Shared parameters -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. Tags of the resource.') -param tags object? - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Generated. Do not provide a value! This date value is used to generate a registration token.') -param baseTime string = utcNow('u') - -@description('Optional. SAS token validity length to use to download files from storage accounts. Usage: \'PT8H\' - valid for 8 hours; \'P5D\' - valid for 5 days; \'P1Y\' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours.') -param sasTokenValidityLength string = 'PT8H' - -@description('Required. The chosen OS type.') -@allowed([ - 'Windows' - 'Linux' -]) -param osType string - -@description('Optional. 
Specifies whether password authentication should be disabled.') -#disable-next-line secure-secrets-in-params // Not a secret -param disablePasswordAuthentication bool = false - -@description('Optional. Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later.') -param provisionVMAgent bool = true - -@description('Optional. Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. When patchMode is set to Manual, this parameter must be set to false. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning.') -param enableAutomaticUpdates bool = true - -@description('Optional. VM guest patching orchestration mode. \'AutomaticByOS\' & \'Manual\' are for Windows only, \'ImageDefault\' for Linux only. Refer to \'https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching\'.') -@allowed([ - 'AutomaticByPlatform' - 'AutomaticByOS' - 'Manual' - 'ImageDefault' - '' -]) -param patchMode string = '' - -@description('Optional. VM guest patching assessment mode. Set it to \'AutomaticByPlatform\' to enable automatically check for updates every 24 hours.') -@allowed([ - 'AutomaticByPlatform' - 'ImageDefault' -]) -param patchAssessmentMode string = 'ImageDefault' - -@description('Optional. Specifies the time zone of the virtual machine. e.g. \'Pacific Standard Time\'. Possible values can be `TimeZoneInfo.id` value from time zones returned by `TimeZoneInfo.GetSystemTimeZones`.') -param timeZone string = '' - -@description('Optional. Specifies additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup. 
- AdditionalUnattendContent object.') -param additionalUnattendContent array = [] - -@description('Optional. Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. - WinRMConfiguration object.') -param winRM object = {} - -@description('Required. The configuration profile of automanage.') -@allowed([ - '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction' - '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesDevTest' - '' -]) -param configurationProfile string = '' - -var publicKeysFormatted = [for publicKey in publicKeys: { - path: publicKey.path - keyData: publicKey.keyData -}] - -var linuxConfiguration = { - disablePasswordAuthentication: disablePasswordAuthentication - ssh: { - publicKeys: publicKeysFormatted - } - provisionVMAgent: provisionVMAgent - patchSettings: (provisionVMAgent && (patchMode =~ 'AutomaticByPlatform' || patchMode =~ 'ImageDefault')) ? { - patchMode: patchMode - assessmentMode: patchAssessmentMode - } : null -} - -var windowsConfiguration = { - provisionVMAgent: provisionVMAgent - enableAutomaticUpdates: enableAutomaticUpdates - patchSettings: (provisionVMAgent && (patchMode =~ 'AutomaticByPlatform' || patchMode =~ 'AutomaticByOS' || patchMode =~ 'Manual')) ? { - patchMode: patchMode - assessmentMode: patchAssessmentMode - } : null - timeZone: empty(timeZone) ? null : timeZone - additionalUnattendContent: empty(additionalUnattendContent) ? null : additionalUnattendContent - winRM: !empty(winRM) ? { - listeners: winRM - } : null -} - -var accountSasProperties = { - signedServices: 'b' - signedPermission: 'r' - signedExpiry: dateTimeAdd(baseTime, sasTokenValidityLength) - signedResourceTypes: 'o' - signedProtocol: 'https' -} - -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? 
[]), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } - -// If AADJoin Extension is enabled then we automatically enable SystemAssigned (required by AADJoin), otherwise we follow the usual logic. -var identity = !empty(managedIdentities) ? { - type: (extensionAadJoinConfig.enabled ? true : (managedIdentities.?systemAssigned ?? false)) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) - userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null -} : null - -var enableReferencedModulesTelemetry = false - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Data Operator for Managed Disks': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e') - 'Desktop Virtualization Power On Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33') - 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'Disk Backup Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24') - 'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840') - 'Disk Restore Operator': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13') - 'Disk Snapshot Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'VM Scanner Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -module vm_nic 'modules/nested_networkInterface.bicep' = [for (nicConfiguration, index) in nicConfigurations: { - name: '${uniqueString(deployment().name, location)}-VM-Nic-${index}' - params: { - networkInterfaceName: '${name}${nicConfiguration.nicSuffix}' - 
virtualMachineName: name - location: location - enableIPForwarding: contains(nicConfiguration, 'enableIPForwarding') ? (!empty(nicConfiguration.enableIPForwarding) ? nicConfiguration.enableIPForwarding : false) : false - enableAcceleratedNetworking: contains(nicConfiguration, 'enableAcceleratedNetworking') ? nicConfiguration.enableAcceleratedNetworking : true - dnsServers: contains(nicConfiguration, 'dnsServers') ? (!empty(nicConfiguration.dnsServers) ? nicConfiguration.dnsServers : []) : [] - networkSecurityGroupResourceId: contains(nicConfiguration, 'networkSecurityGroupResourceId') ? nicConfiguration.networkSecurityGroupResourceId : '' - ipConfigurations: nicConfiguration.ipConfigurations - lock: nicConfiguration.?lock ?? lock - tags: nicConfiguration.?tags ?? tags - diagnosticSettings: nicConfiguration.?diagnosticSettings - roleAssignments: nicConfiguration.?roleAssignments - } -}] - -resource vm 'Microsoft.Compute/virtualMachines@2022-11-01' = { - name: name - location: location - identity: identity - tags: tags - zones: availabilityZone != 0 ? array(availabilityZone) : null - plan: !empty(plan) ? plan : null - properties: { - hardwareProfile: { - vmSize: vmSize - } - securityProfile: { - encryptionAtHost: encryptionAtHost ? encryptionAtHost : null - securityType: securityType - uefiSettings: securityType == 'TrustedLaunch' ? { - secureBootEnabled: secureBootEnabled - vTpmEnabled: vTpmEnabled - } : null - } - storageProfile: { - imageReference: imageReference - osDisk: { - name: '${name}-disk-os-01' - createOption: contains(osDisk, 'createOption') ? osDisk.createOption : 'FromImage' - deleteOption: contains(osDisk, 'deleteOption') ? osDisk.deleteOption : 'Delete' - diskSizeGB: osDisk.diskSizeGB - caching: contains(osDisk, 'caching') ? osDisk.caching : 'ReadOnly' - managedDisk: { - storageAccountType: osDisk.managedDisk.storageAccountType - diskEncryptionSet: contains(osDisk.managedDisk, 'diskEncryptionSet') ? 
{ - id: osDisk.managedDisk.diskEncryptionSet.id - } : null - } - } - dataDisks: [for (dataDisk, index) in dataDisks: { - lun: index - name: '${name}-disk-data-${padLeft((index + 1), 2, '0')}' - diskSizeGB: dataDisk.diskSizeGB - createOption: contains(dataDisk, 'createOption') ? dataDisk.createOption : 'Empty' - deleteOption: contains(dataDisk, 'deleteOption') ? dataDisk.deleteOption : 'Delete' - caching: contains(dataDisk, 'caching') ? dataDisk.caching : 'ReadOnly' - managedDisk: { - storageAccountType: dataDisk.managedDisk.storageAccountType - diskEncryptionSet: contains(dataDisk.managedDisk, 'diskEncryptionSet') ? { - id: dataDisk.managedDisk.diskEncryptionSet.id - } : null - } - }] - } - additionalCapabilities: { - ultraSSDEnabled: ultraSSDEnabled - } - osProfile: { - computerName: computerName - adminUsername: adminUsername - adminPassword: adminPassword - customData: !empty(customData) ? base64(customData) : null - windowsConfiguration: osType == 'Windows' ? windowsConfiguration : null - linuxConfiguration: osType == 'Linux' ? linuxConfiguration : null - secrets: certificatesToBeInstalled - allowExtensionOperations: allowExtensionOperations - } - networkProfile: { - networkInterfaces: [for (nicConfiguration, index) in nicConfigurations: { - properties: { - deleteOption: contains(nicConfiguration, 'deleteOption') ? nicConfiguration.deleteOption : 'Delete' - primary: index == 0 ? true : false - } - id: az.resourceId('Microsoft.Network/networkInterfaces', '${name}${nicConfiguration.nicSuffix}') - }] - } - diagnosticsProfile: { - bootDiagnostics: { - enabled: !empty(bootDiagnosticStorageAccountName) ? true : bootDiagnostics - storageUri: !empty(bootDiagnosticStorageAccountName) ? 'https://${bootDiagnosticStorageAccountName}${bootDiagnosticStorageAccountUri}' : null - } - } - availabilitySet: !empty(availabilitySetResourceId) ? { - id: availabilitySetResourceId - } : null - proximityPlacementGroup: !empty(proximityPlacementGroupResourceId) ? 
{ - id: proximityPlacementGroupResourceId - } : null - priority: priority - evictionPolicy: enableEvictionPolicy ? 'Deallocate' : null - billingProfile: !empty(priority) && !empty(maxPriceForLowPriorityVm) ? { - maxPrice: maxPriceForLowPriorityVm - } : null - host: !empty(dedicatedHostId) ? { - id: dedicatedHostId - } : null - licenseType: !empty(licenseType) ? licenseType : null - } - dependsOn: [ - vm_nic - ] -} - -resource vm_configurationProfileAssignment 'Microsoft.Automanage/configurationProfileAssignments@2021-04-30-preview' = if (!empty(configurationProfile)) { - name: 'default' - properties: { - configurationProfile: configurationProfile - } - scope: vm -} - -module vm_aadJoinExtension 'extension/main.bicep' = if (extensionAadJoinConfig.enabled) { - name: '${uniqueString(deployment().name, location)}-VM-AADLogin' - params: { - virtualMachineName: vm.name - name: 'AADLogin' - publisher: 'Microsoft.Azure.ActiveDirectory' - type: osType == 'Windows' ? 'AADLoginForWindows' : 'AADSSHLoginforLinux' - typeHandlerVersion: contains(extensionAadJoinConfig, 'typeHandlerVersion') ? extensionAadJoinConfig.typeHandlerVersion : '1.0' - autoUpgradeMinorVersion: contains(extensionAadJoinConfig, 'autoUpgradeMinorVersion') ? extensionAadJoinConfig.autoUpgradeMinorVersion : true - enableAutomaticUpgrade: contains(extensionAadJoinConfig, 'enableAutomaticUpgrade') ? extensionAadJoinConfig.enableAutomaticUpgrade : false - settings: contains(extensionAadJoinConfig, 'settings') ? extensionAadJoinConfig.settings : {} - tags: extensionAadJoinConfig.?tags ?? tags - } -} - -module vm_domainJoinExtension 'extension/main.bicep' = if (extensionDomainJoinConfig.enabled) { - name: '${uniqueString(deployment().name, location)}-VM-DomainJoin' - params: { - virtualMachineName: vm.name - name: 'DomainJoin' - publisher: 'Microsoft.Compute' - type: 'JsonADDomainExtension' - typeHandlerVersion: contains(extensionDomainJoinConfig, 'typeHandlerVersion') ? 
extensionDomainJoinConfig.typeHandlerVersion : '1.3' - autoUpgradeMinorVersion: contains(extensionDomainJoinConfig, 'autoUpgradeMinorVersion') ? extensionDomainJoinConfig.autoUpgradeMinorVersion : true - enableAutomaticUpgrade: contains(extensionDomainJoinConfig, 'enableAutomaticUpgrade') ? extensionDomainJoinConfig.enableAutomaticUpgrade : false - settings: extensionDomainJoinConfig.settings - tags: extensionDomainJoinConfig.?tags ?? tags - protectedSettings: { - Password: extensionDomainJoinPassword - } - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -} - -module vm_microsoftAntiMalwareExtension 'extension/main.bicep' = if (extensionAntiMalwareConfig.enabled) { - name: '${uniqueString(deployment().name, location)}-VM-MicrosoftAntiMalware' - params: { - virtualMachineName: vm.name - name: 'MicrosoftAntiMalware' - publisher: 'Microsoft.Azure.Security' - type: 'IaaSAntimalware' - typeHandlerVersion: contains(extensionAntiMalwareConfig, 'typeHandlerVersion') ? extensionAntiMalwareConfig.typeHandlerVersion : '1.3' - autoUpgradeMinorVersion: contains(extensionAntiMalwareConfig, 'autoUpgradeMinorVersion') ? extensionAntiMalwareConfig.autoUpgradeMinorVersion : true - enableAutomaticUpgrade: contains(extensionAntiMalwareConfig, 'enableAutomaticUpgrade') ? extensionAntiMalwareConfig.enableAutomaticUpgrade : false - settings: extensionAntiMalwareConfig.settings - tags: extensionAntiMalwareConfig.?tags ?? tags - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -} - -resource vm_logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' existing = if (!empty(monitoringWorkspaceId)) { - name: last(split((!empty(monitoringWorkspaceId) ? monitoringWorkspaceId : 'law'), '/'))! - scope: az.resourceGroup(split((!empty(monitoringWorkspaceId) ? monitoringWorkspaceId : '//'), '/')[2], split((!empty(monitoringWorkspaceId) ? 
monitoringWorkspaceId : '////'), '/')[4]) -} - -module vm_microsoftMonitoringAgentExtension 'extension/main.bicep' = if (extensionMonitoringAgentConfig.enabled) { - name: '${uniqueString(deployment().name, location)}-VM-MicrosoftMonitoringAgent' - params: { - virtualMachineName: vm.name - name: 'MicrosoftMonitoringAgent' - publisher: 'Microsoft.EnterpriseCloud.Monitoring' - type: osType == 'Windows' ? 'MicrosoftMonitoringAgent' : 'OmsAgentForLinux' - typeHandlerVersion: contains(extensionMonitoringAgentConfig, 'typeHandlerVersion') ? extensionMonitoringAgentConfig.typeHandlerVersion : (osType == 'Windows' ? '1.0' : '1.7') - autoUpgradeMinorVersion: contains(extensionMonitoringAgentConfig, 'autoUpgradeMinorVersion') ? extensionMonitoringAgentConfig.autoUpgradeMinorVersion : true - enableAutomaticUpgrade: contains(extensionMonitoringAgentConfig, 'enableAutomaticUpgrade') ? extensionMonitoringAgentConfig.enableAutomaticUpgrade : false - settings: { - workspaceId: !empty(monitoringWorkspaceId) ? vm_logAnalyticsWorkspace.properties.customerId : '' - } - tags: extensionMonitoringAgentConfig.?tags ?? tags - protectedSettings: { - workspaceKey: !empty(monitoringWorkspaceId) ? vm_logAnalyticsWorkspace.listKeys().primarySharedKey : '' - } - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -} - -module vm_dependencyAgentExtension 'extension/main.bicep' = if (extensionDependencyAgentConfig.enabled) { - name: '${uniqueString(deployment().name, location)}-VM-DependencyAgent' - params: { - virtualMachineName: vm.name - name: 'DependencyAgent' - publisher: 'Microsoft.Azure.Monitoring.DependencyAgent' - type: osType == 'Windows' ? 'DependencyAgentWindows' : 'DependencyAgentLinux' - typeHandlerVersion: contains(extensionDependencyAgentConfig, 'typeHandlerVersion') ? extensionDependencyAgentConfig.typeHandlerVersion : '9.5' - autoUpgradeMinorVersion: contains(extensionDependencyAgentConfig, 'autoUpgradeMinorVersion') ? 
extensionDependencyAgentConfig.autoUpgradeMinorVersion : true
- enableAutomaticUpgrade: contains(extensionDependencyAgentConfig, 'enableAutomaticUpgrade') ? extensionDependencyAgentConfig.enableAutomaticUpgrade : true
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- tags: extensionDependencyAgentConfig.?tags ?? tags
- }
-}
-
-module vm_networkWatcherAgentExtension 'extension/main.bicep' = if (extensionNetworkWatcherAgentConfig.enabled) {
- name: '${uniqueString(deployment().name, location)}-VM-NetworkWatcherAgent'
- params: {
- virtualMachineName: vm.name
- name: 'NetworkWatcherAgent'
- publisher: 'Microsoft.Azure.NetworkWatcher'
- type: osType == 'Windows' ? 'NetworkWatcherAgentWindows' : 'NetworkWatcherAgentLinux'
- typeHandlerVersion: contains(extensionNetworkWatcherAgentConfig, 'typeHandlerVersion') ? extensionNetworkWatcherAgentConfig.typeHandlerVersion : '1.4'
- autoUpgradeMinorVersion: contains(extensionNetworkWatcherAgentConfig, 'autoUpgradeMinorVersion') ? extensionNetworkWatcherAgentConfig.autoUpgradeMinorVersion : true
- enableAutomaticUpgrade: contains(extensionNetworkWatcherAgentConfig, 'enableAutomaticUpgrade') ? extensionNetworkWatcherAgentConfig.enableAutomaticUpgrade : false
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- tags: extensionNetworkWatcherAgentConfig.?tags ?? tags
- }
-}
-
-module vm_desiredStateConfigurationExtension 'extension/main.bicep' = if (extensionDSCConfig.enabled) {
- name: '${uniqueString(deployment().name, location)}-VM-DesiredStateConfiguration'
- params: {
- virtualMachineName: vm.name
- name: 'DesiredStateConfiguration'
- publisher: 'Microsoft.Powershell'
- type: 'DSC'
- typeHandlerVersion: contains(extensionDSCConfig, 'typeHandlerVersion') ? extensionDSCConfig.typeHandlerVersion : '2.77'
- autoUpgradeMinorVersion: contains(extensionDSCConfig, 'autoUpgradeMinorVersion') ? 
extensionDSCConfig.autoUpgradeMinorVersion : true
- enableAutomaticUpgrade: contains(extensionDSCConfig, 'enableAutomaticUpgrade') ? extensionDSCConfig.enableAutomaticUpgrade : false
- settings: contains(extensionDSCConfig, 'settings') ? extensionDSCConfig.settings : {}
- tags: extensionDSCConfig.?tags ?? tags
- protectedSettings: contains(extensionDSCConfig, 'protectedSettings') ? extensionDSCConfig.protectedSettings : {}
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module vm_customScriptExtension 'extension/main.bicep' = if (extensionCustomScriptConfig.enabled) {
- name: '${uniqueString(deployment().name, location)}-VM-CustomScriptExtension'
- params: {
- virtualMachineName: vm.name
- name: 'CustomScriptExtension'
- publisher: osType == 'Windows' ? 'Microsoft.Compute' : 'Microsoft.Azure.Extensions'
- type: osType == 'Windows' ? 'CustomScriptExtension' : 'CustomScript'
- typeHandlerVersion: contains(extensionCustomScriptConfig, 'typeHandlerVersion') ? extensionCustomScriptConfig.typeHandlerVersion : (osType == 'Windows' ? '1.10' : '2.1')
- autoUpgradeMinorVersion: contains(extensionCustomScriptConfig, 'autoUpgradeMinorVersion') ? extensionCustomScriptConfig.autoUpgradeMinorVersion : true
- enableAutomaticUpgrade: contains(extensionCustomScriptConfig, 'enableAutomaticUpgrade') ? extensionCustomScriptConfig.enableAutomaticUpgrade : false
- settings: {
- fileUris: [for fileData in extensionCustomScriptConfig.fileData: contains(fileData, 'storageAccountId') ? '${fileData.uri}?${listAccountSas(fileData.storageAccountId, '2019-04-01', accountSasProperties).accountSasToken}' : fileData.uri]
- }
- tags: extensionCustomScriptConfig.?tags ?? 
tags
- protectedSettings: extensionCustomScriptProtectedSetting
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
- dependsOn: [
- vm_desiredStateConfigurationExtension
- ]
-}
-
-module vm_azureDiskEncryptionExtension 'extension/main.bicep' = if (extensionAzureDiskEncryptionConfig.enabled) {
- name: '${uniqueString(deployment().name, location)}-VM-AzureDiskEncryption'
- params: {
- virtualMachineName: vm.name
- name: 'AzureDiskEncryption'
- publisher: 'Microsoft.Azure.Security'
- type: osType == 'Windows' ? 'AzureDiskEncryption' : 'AzureDiskEncryptionForLinux'
- typeHandlerVersion: contains(extensionAzureDiskEncryptionConfig, 'typeHandlerVersion') ? extensionAzureDiskEncryptionConfig.typeHandlerVersion : (osType == 'Windows' ? '2.2' : '1.1')
- autoUpgradeMinorVersion: contains(extensionAzureDiskEncryptionConfig, 'autoUpgradeMinorVersion') ? extensionAzureDiskEncryptionConfig.autoUpgradeMinorVersion : true
- enableAutomaticUpgrade: contains(extensionAzureDiskEncryptionConfig, 'enableAutomaticUpgrade') ? extensionAzureDiskEncryptionConfig.enableAutomaticUpgrade : false
- forceUpdateTag: contains(extensionAzureDiskEncryptionConfig, 'forceUpdateTag') ? extensionAzureDiskEncryptionConfig.forceUpdateTag : '1.0'
- settings: extensionAzureDiskEncryptionConfig.settings
- tags: extensionAzureDiskEncryptionConfig.?tags ?? 
tags
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
- dependsOn: [
- vm_customScriptExtension
- vm_microsoftMonitoringAgentExtension
- ]
-}
-
-module vm_backup '../../recovery-services/vault/backup-fabric/protection-container/protected-item/main.bicep' = if (!empty(backupVaultName)) {
- name: '${uniqueString(deployment().name, location)}-VM-Backup'
- params: {
- name: 'vm;iaasvmcontainerv2;${resourceGroup().name};${vm.name}'
- policyId: az.resourceId('Microsoft.RecoveryServices/vaults/backupPolicies', backupVaultName, backupPolicyName)
- protectedItemType: 'Microsoft.Compute/virtualMachines'
- protectionContainerName: 'iaasvmcontainer;iaasvmcontainerv2;${resourceGroup().name};${vm.name}'
- recoveryVaultName: backupVaultName
- sourceResourceId: vm.id
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
- scope: az.resourceGroup(backupVaultResourceGroup)
- dependsOn: [
- vm_aadJoinExtension
- vm_domainJoinExtension
- vm_microsoftMonitoringAgentExtension
- vm_microsoftAntiMalwareExtension
- vm_networkWatcherAgentExtension
- vm_dependencyAgentExtension
- vm_desiredStateConfigurationExtension
- vm_customScriptExtension
- ]
-}
-
-resource vm_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: vm
-}
-
-resource vm_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(vm.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? 
builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: vm
-}]
-
-@description('The name of the VM.')
-output name string = vm.name
-
-@description('The resource ID of the VM.')
-output resourceId string = vm.id
-
-@description('The name of the resource group the VM was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The principal ID of the system assigned identity.')
-output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(vm.identity, 'principalId') ? vm.identity.principalId : ''
-
-@description('The location the resource was deployed into.')
-output location string = vm.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]?
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. 
Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/compute/virtual-machine/main.json b/modules/compute/virtual-machine/main.json
deleted file mode 100644
index cb696cbdcc..0000000000
--- a/modules/compute/virtual-machine/main.json
+++ /dev/null
@@ -1,4524 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "89939038941992549" - }, - "name": "Virtual Machines", - "description": "This module deploys a Virtual Machine with one or multiple NICs and optionally one or multiple public IPs.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. 
The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "defaultValue": "[take(toLower(uniqueString(resourceGroup().name)), 10)]", - "metadata": { - "description": "Optional. The name of the virtual machine to be created. You should use a unique prefix to reduce name collisions in Active Directory. If no value is provided, a 10 character long unique string will be generated based on the Resource Group's name." - } - }, - "computerName": { - "type": "string", - "defaultValue": "[parameters('name')]", - "metadata": { - "description": "Optional. Can be used if the computer name needs to be different from the Azure VM resource name. If not used, the resource name will be used as computer name." - } - }, - "vmSize": { - "type": "string", - "metadata": { - "description": "Required. Specifies the size for the VMs." - } - }, - "encryptionAtHost": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. 
For security reasons, it is recommended to set encryptionAtHost to True. Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs." - } - }, - "securityType": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies the SecurityType of the virtual machine. It is set as TrustedLaunch to enable UefiSettings." - } - }, - "secureBootEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether secure boot should be enabled on the virtual machine. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings." - } - }, - "vTpmEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether vTPM should be enabled on the virtual machine. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings." - } - }, - "imageReference": { - "type": "object", - "metadata": { - "description": "Required. OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image." - } - }, - "plan": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use." - } - }, - "osDisk": { - "type": "object", - "metadata": { - "description": "Required. Specifies the OS disk. For security reasons, it is recommended to specify DiskEncryptionSet into the osDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs." 
- } - }, - "dataDisks": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specifies the data disks. For security reasons, it is recommended to specify DiskEncryptionSet into the dataDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs." - } - }, - "ultraSSDEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled." - } - }, - "adminUsername": { - "type": "securestring", - "metadata": { - "description": "Required. Administrator username." - } - }, - "adminPassword": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. When specifying a Windows Virtual Machine, this value should be passed." - } - }, - "customData": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format." - } - }, - "certificatesToBeInstalled": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specifies set of certificates that should be installed onto the virtual machine." - } - }, - "priority": { - "type": "string", - "defaultValue": "Regular", - "allowedValues": [ - "Regular", - "Low", - "Spot" - ], - "metadata": { - "description": "Optional. Specifies the priority for the virtual machine." - } - }, - "enableEvictionPolicy": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies the eviction policy for the low priority virtual machine. 
Will result in 'Deallocate' eviction policy." - } - }, - "maxPriceForLowPriorityVm": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars." - } - }, - "dedicatedHostId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies resource ID about the dedicated host that the virtual machine resides in." - } - }, - "licenseType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "Windows_Client", - "Windows_Server", - "" - ], - "metadata": { - "description": "Optional. Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system." - } - }, - "publicKeys": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of SSH public keys used to authenticate with linux based VMs." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource. The system-assigned managed identity will automatically be enabled if extensionAadJoinConfig.enabled = \"True\"." - } - }, - "bootDiagnostics": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether boot diagnostics should be enabled on the Virtual Machine. Boot diagnostics will be enabled with a managed storage account if no bootDiagnosticsStorageAccountName value is provided. If bootDiagnostics and bootDiagnosticsStorageAccountName values are not provided, boot diagnostics will be disabled." - } - }, - "bootDiagnosticStorageAccountName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Custom storage account used to store boot diagnostic information. 
Boot diagnostics will be enabled with a custom storage account if a value is provided." - } - }, - "bootDiagnosticStorageAccountUri": { - "type": "string", - "defaultValue": "[format('.blob.{0}/', environment().suffixes.storage)]", - "metadata": { - "description": "Optional. Storage account boot diagnostic base URI." - } - }, - "proximityPlacementGroupResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of a proximity placement group." - } - }, - "availabilitySetResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of an availability set. Cannot be used in combination with availability zone nor scale set." - } - }, - "availabilityZone": { - "type": "int", - "defaultValue": 0, - "allowedValues": [ - 0, - 1, - 2, - 3 - ], - "metadata": { - "description": "Optional. If set to 1, 2 or 3, the availability zone for all VMs is hardcoded to that value. If zero, then availability zones is not used. Cannot be used in combination with availability set nor scale set." - } - }, - "nicConfigurations": { - "type": "array", - "metadata": { - "description": "Required. Configures NICs and PIPs." - } - }, - "backupVaultName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Recovery service vault name to add VMs to backup." - } - }, - "backupVaultResourceGroup": { - "type": "string", - "defaultValue": "[resourceGroup().name]", - "metadata": { - "description": "Optional. Resource group of the backup recovery service vault. If not provided the current resource group name is considered by default." - } - }, - "backupPolicyName": { - "type": "string", - "defaultValue": "DefaultPolicy", - "metadata": { - "description": "Optional. Backup policy the VMs should be using for backup. If not provided, it will use the DefaultPolicy from the backup recovery service vault." 
- } - }, - "allowExtensionOperations": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Specifies whether extension operations should be allowed on the virtual machine. This may only be set to False when no extensions are present on the virtual machine." - } - }, - "extensionDomainJoinPassword": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. Required if name is specified. Password of the user specified in user parameter." - } - }, - "extensionDomainJoinConfig": { - "type": "object", - "defaultValue": { - "enabled": false - }, - "metadata": { - "description": "Optional. The configuration for the [Domain Join] extension. Must at least contain the [\"enabled\": true] property to be executed." - } - }, - "extensionAadJoinConfig": { - "type": "object", - "defaultValue": { - "enabled": false - }, - "metadata": { - "description": "Optional. The configuration for the [AAD Join] extension. Must at least contain the [\"enabled\": true] property to be executed." - } - }, - "extensionAntiMalwareConfig": { - "type": "object", - "defaultValue": { - "enabled": false - }, - "metadata": { - "description": "Optional. The configuration for the [Anti Malware] extension. Must at least contain the [\"enabled\": true] property to be executed." - } - }, - "extensionMonitoringAgentConfig": { - "type": "object", - "defaultValue": { - "enabled": false - }, - "metadata": { - "description": "Optional. The configuration for the [Monitoring Agent] extension. Must at least contain the [\"enabled\": true] property to be executed." - } - }, - "monitoringWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the monitoring log analytics workspace. Must be set when extensionMonitoringAgentConfig is set to true." 
- } - }, - "extensionDependencyAgentConfig": { - "type": "object", - "defaultValue": { - "enabled": false - }, - "metadata": { - "description": "Optional. The configuration for the [Dependency Agent] extension. Must at least contain the [\"enabled\": true] property to be executed." - } - }, - "extensionNetworkWatcherAgentConfig": { - "type": "object", - "defaultValue": { - "enabled": false - }, - "metadata": { - "description": "Optional. The configuration for the [Network Watcher Agent] extension. Must at least contain the [\"enabled\": true] property to be executed." - } - }, - "extensionAzureDiskEncryptionConfig": { - "type": "object", - "defaultValue": { - "enabled": false - }, - "metadata": { - "description": "Optional. The configuration for the [Azure Disk Encryption] extension. Must at least contain the [\"enabled\": true] property to be executed. Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys." - } - }, - "extensionDSCConfig": { - "type": "object", - "defaultValue": { - "enabled": false - }, - "metadata": { - "description": "Optional. The configuration for the [Desired State Configuration] extension. Must at least contain the [\"enabled\": true] property to be executed." - } - }, - "extensionCustomScriptConfig": { - "type": "object", - "defaultValue": { - "enabled": false, - "fileData": [] - }, - "metadata": { - "description": "Optional. The configuration for the [Custom Script] extension. Must at least contain the [\"enabled\": true] property to be executed." - } - }, - "extensionCustomScriptProtectedSetting": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific protected settings." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. 
Location for all resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "baseTime": { - "type": "string", - "defaultValue": "[utcNow('u')]", - "metadata": { - "description": "Generated. Do not provide a value! This date value is used to generate a registration token." - } - }, - "sasTokenValidityLength": { - "type": "string", - "defaultValue": "PT8H", - "metadata": { - "description": "Optional. SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours." - } - }, - "osType": { - "type": "string", - "allowedValues": [ - "Windows", - "Linux" - ], - "metadata": { - "description": "Required. The chosen OS type." - } - }, - "disablePasswordAuthentication": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether password authentication should be disabled." - } - }, - "provisionVMAgent": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later." 
- } - }, - "enableAutomaticUpdates": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. When patchMode is set to Manual, this parameter must be set to false. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning." - } - }, - "patchMode": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "AutomaticByPlatform", - "AutomaticByOS", - "Manual", - "ImageDefault", - "" - ], - "metadata": { - "description": "Optional. VM guest patching orchestration mode. 'AutomaticByOS' & 'Manual' are for Windows only, 'ImageDefault' for Linux only. Refer to 'https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching'." - } - }, - "patchAssessmentMode": { - "type": "string", - "defaultValue": "ImageDefault", - "allowedValues": [ - "AutomaticByPlatform", - "ImageDefault" - ], - "metadata": { - "description": "Optional. VM guest patching assessment mode. Set it to 'AutomaticByPlatform' to enable automatically check for updates every 24 hours." - } - }, - "timeZone": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies the time zone of the virtual machine. e.g. 'Pacific Standard Time'. Possible values can be `TimeZoneInfo.id` value from time zones returned by `TimeZoneInfo.GetSystemTimeZones`." - } - }, - "additionalUnattendContent": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specifies additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup. - AdditionalUnattendContent object." - } - }, - "winRM": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. 
- WinRMConfiguration object." - } - }, - "configurationProfile": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction", - "/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesDevTest", - "" - ], - "metadata": { - "description": "Required. The configuration profile of automanage." - } - } - }, - "variables": { - "copy": [ - { - "name": "publicKeysFormatted", - "count": "[length(parameters('publicKeys'))]", - "input": { - "path": "[parameters('publicKeys')[copyIndex('publicKeysFormatted')].path]", - "keyData": "[parameters('publicKeys')[copyIndex('publicKeysFormatted')].keyData]" - } - } - ], - "linuxConfiguration": { - "disablePasswordAuthentication": "[parameters('disablePasswordAuthentication')]", - "ssh": { - "publicKeys": "[variables('publicKeysFormatted')]" - }, - "provisionVMAgent": "[parameters('provisionVMAgent')]", - "patchSettings": "[if(and(parameters('provisionVMAgent'), or(equals(toLower(parameters('patchMode')), toLower('AutomaticByPlatform')), equals(toLower(parameters('patchMode')), toLower('ImageDefault')))), createObject('patchMode', parameters('patchMode'), 'assessmentMode', parameters('patchAssessmentMode')), null())]" - }, - "windowsConfiguration": { - "provisionVMAgent": "[parameters('provisionVMAgent')]", - "enableAutomaticUpdates": "[parameters('enableAutomaticUpdates')]", - "patchSettings": "[if(and(parameters('provisionVMAgent'), or(or(equals(toLower(parameters('patchMode')), toLower('AutomaticByPlatform')), equals(toLower(parameters('patchMode')), toLower('AutomaticByOS'))), equals(toLower(parameters('patchMode')), toLower('Manual')))), createObject('patchMode', parameters('patchMode'), 'assessmentMode', parameters('patchAssessmentMode')), null())]", - "timeZone": "[if(empty(parameters('timeZone')), null(), parameters('timeZone'))]", - "additionalUnattendContent": "[if(empty(parameters('additionalUnattendContent')), null(), 
parameters('additionalUnattendContent'))]", - "winRM": "[if(not(empty(parameters('winRM'))), createObject('listeners', parameters('winRM')), null())]" - }, - "accountSasProperties": { - "signedServices": "b", - "signedPermission": "r", - "signedExpiry": "[dateTimeAdd(parameters('baseTime'), parameters('sasTokenValidityLength'))]", - "signedResourceTypes": "o", - "signedProtocol": "https" - }, - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(if(parameters('extensionAadJoinConfig').enabled, true(), coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false())), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Data Operator for Managed Disks": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e')]", - "Desktop Virtualization Power On Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33')]", - "Desktop Virtualization Power On Off Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "Disk Backup Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24')]", - "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]", - "Disk Restore Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13')]", - "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "VM Scanner Operator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "vm": { - "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2022-11-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "identity": "[variables('identity')]", - "tags": "[parameters('tags')]", - "zones": "[if(not(equals(parameters('availabilityZone'), 0)), array(parameters('availabilityZone')), null())]", - "plan": "[if(not(empty(parameters('plan'))), parameters('plan'), null())]", - "properties": { - "hardwareProfile": { - "vmSize": "[parameters('vmSize')]" - }, - "securityProfile": { - "encryptionAtHost": "[if(parameters('encryptionAtHost'), parameters('encryptionAtHost'), null())]", - "securityType": "[parameters('securityType')]", - "uefiSettings": "[if(equals(parameters('securityType'), 'TrustedLaunch'), createObject('secureBootEnabled', parameters('secureBootEnabled'), 'vTpmEnabled', parameters('vTpmEnabled')), null())]" - }, - "storageProfile": { - "copy": [ - { - "name": "dataDisks", - "count": "[length(parameters('dataDisks'))]", - "input": { - "lun": "[copyIndex('dataDisks')]", - "name": "[format('{0}-disk-data-{1}', parameters('name'), padLeft(add(copyIndex('dataDisks'), 1), 2, '0'))]", - "diskSizeGB": "[parameters('dataDisks')[copyIndex('dataDisks')].diskSizeGB]", - "createOption": "[if(contains(parameters('dataDisks')[copyIndex('dataDisks')], 'createOption'), 
parameters('dataDisks')[copyIndex('dataDisks')].createOption, 'Empty')]", - "deleteOption": "[if(contains(parameters('dataDisks')[copyIndex('dataDisks')], 'deleteOption'), parameters('dataDisks')[copyIndex('dataDisks')].deleteOption, 'Delete')]", - "caching": "[if(contains(parameters('dataDisks')[copyIndex('dataDisks')], 'caching'), parameters('dataDisks')[copyIndex('dataDisks')].caching, 'ReadOnly')]", - "managedDisk": { - "storageAccountType": "[parameters('dataDisks')[copyIndex('dataDisks')].managedDisk.storageAccountType]", - "diskEncryptionSet": "[if(contains(parameters('dataDisks')[copyIndex('dataDisks')].managedDisk, 'diskEncryptionSet'), createObject('id', parameters('dataDisks')[copyIndex('dataDisks')].managedDisk.diskEncryptionSet.id), null())]" - } - } - } - ], - "imageReference": "[parameters('imageReference')]", - "osDisk": { - "name": "[format('{0}-disk-os-01', parameters('name'))]", - "createOption": "[if(contains(parameters('osDisk'), 'createOption'), parameters('osDisk').createOption, 'FromImage')]", - "deleteOption": "[if(contains(parameters('osDisk'), 'deleteOption'), parameters('osDisk').deleteOption, 'Delete')]", - "diskSizeGB": "[parameters('osDisk').diskSizeGB]", - "caching": "[if(contains(parameters('osDisk'), 'caching'), parameters('osDisk').caching, 'ReadOnly')]", - "managedDisk": { - "storageAccountType": "[parameters('osDisk').managedDisk.storageAccountType]", - "diskEncryptionSet": "[if(contains(parameters('osDisk').managedDisk, 'diskEncryptionSet'), createObject('id', parameters('osDisk').managedDisk.diskEncryptionSet.id), null())]" - } - } - }, - "additionalCapabilities": { - "ultraSSDEnabled": "[parameters('ultraSSDEnabled')]" - }, - "osProfile": { - "computerName": "[parameters('computerName')]", - "adminUsername": "[parameters('adminUsername')]", - "adminPassword": "[parameters('adminPassword')]", - "customData": "[if(not(empty(parameters('customData'))), base64(parameters('customData')), null())]", - "windowsConfiguration": 
"[if(equals(parameters('osType'), 'Windows'), variables('windowsConfiguration'), null())]", - "linuxConfiguration": "[if(equals(parameters('osType'), 'Linux'), variables('linuxConfiguration'), null())]", - "secrets": "[parameters('certificatesToBeInstalled')]", - "allowExtensionOperations": "[parameters('allowExtensionOperations')]" - }, - "networkProfile": { - "copy": [ - { - "name": "networkInterfaces", - "count": "[length(parameters('nicConfigurations'))]", - "input": { - "properties": { - "deleteOption": "[if(contains(parameters('nicConfigurations')[copyIndex('networkInterfaces')], 'deleteOption'), parameters('nicConfigurations')[copyIndex('networkInterfaces')].deleteOption, 'Delete')]", - "primary": "[if(equals(copyIndex('networkInterfaces'), 0), true(), false())]" - }, - "id": "[resourceId('Microsoft.Network/networkInterfaces', format('{0}{1}', parameters('name'), parameters('nicConfigurations')[copyIndex('networkInterfaces')].nicSuffix))]" - } - } - ] - }, - "diagnosticsProfile": { - "bootDiagnostics": { - "enabled": "[if(not(empty(parameters('bootDiagnosticStorageAccountName'))), true(), parameters('bootDiagnostics'))]", - "storageUri": "[if(not(empty(parameters('bootDiagnosticStorageAccountName'))), format('https://{0}{1}', parameters('bootDiagnosticStorageAccountName'), parameters('bootDiagnosticStorageAccountUri')), null())]" - } - }, - "availabilitySet": "[if(not(empty(parameters('availabilitySetResourceId'))), createObject('id', parameters('availabilitySetResourceId')), null())]", - "proximityPlacementGroup": "[if(not(empty(parameters('proximityPlacementGroupResourceId'))), createObject('id', parameters('proximityPlacementGroupResourceId')), null())]", - "priority": "[parameters('priority')]", - "evictionPolicy": "[if(parameters('enableEvictionPolicy'), 'Deallocate', null())]", - "billingProfile": "[if(and(not(empty(parameters('priority'))), not(empty(parameters('maxPriceForLowPriorityVm')))), createObject('maxPrice', 
parameters('maxPriceForLowPriorityVm')), null())]", - "host": "[if(not(empty(parameters('dedicatedHostId'))), createObject('id', parameters('dedicatedHostId')), null())]", - "licenseType": "[if(not(empty(parameters('licenseType'))), parameters('licenseType'), null())]" - }, - "dependsOn": [ - "vm_nic" - ] - }, - "vm_configurationProfileAssignment": { - "condition": "[not(empty(parameters('configurationProfile')))]", - "type": "Microsoft.Automanage/configurationProfileAssignments", - "apiVersion": "2021-04-30-preview", - "scope": "[format('Microsoft.Compute/virtualMachines/{0}', parameters('name'))]", - "name": "default", - "properties": { - "configurationProfile": "[parameters('configurationProfile')]" - }, - "dependsOn": [ - "vm" - ] - }, - "vm_logAnalyticsWorkspace": { - "condition": "[not(empty(parameters('monitoringWorkspaceId')))]", - "existing": true, - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2021-06-01", - "subscriptionId": "[split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), '////'), '/')[4]]", - "name": "[last(split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), 'law'), '/'))]" - }, - "vm_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Compute/virtualMachines/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify 
the resource or child resources.')]" - }, - "dependsOn": [ - "vm" - ] - }, - "vm_roleAssignments": { - "copy": { - "name": "vm_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Compute/virtualMachines/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Compute/virtualMachines', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "vm" - ] - }, - "vm_nic": { - "copy": { - "name": "vm_nic", - "count": "[length(parameters('nicConfigurations'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-VM-Nic-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "networkInterfaceName": { - "value": "[format('{0}{1}', parameters('name'), parameters('nicConfigurations')[copyIndex()].nicSuffix)]" - }, - "virtualMachineName": { - "value": "[parameters('name')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "enableIPForwarding": "[if(contains(parameters('nicConfigurations')[copyIndex()], 'enableIPForwarding'), if(not(empty(parameters('nicConfigurations')[copyIndex()].enableIPForwarding)), createObject('value', parameters('nicConfigurations')[copyIndex()].enableIPForwarding), createObject('value', false())), createObject('value', false()))]", - "enableAcceleratedNetworking": "[if(contains(parameters('nicConfigurations')[copyIndex()], 'enableAcceleratedNetworking'), createObject('value', parameters('nicConfigurations')[copyIndex()].enableAcceleratedNetworking), createObject('value', true()))]", - "dnsServers": "[if(contains(parameters('nicConfigurations')[copyIndex()], 'dnsServers'), if(not(empty(parameters('nicConfigurations')[copyIndex()].dnsServers)), createObject('value', parameters('nicConfigurations')[copyIndex()].dnsServers), createObject('value', createArray())), createObject('value', createArray()))]", - "networkSecurityGroupResourceId": "[if(contains(parameters('nicConfigurations')[copyIndex()], 'networkSecurityGroupResourceId'), 
createObject('value', parameters('nicConfigurations')[copyIndex()].networkSecurityGroupResourceId), createObject('value', ''))]", - "ipConfigurations": { - "value": "[parameters('nicConfigurations')[copyIndex()].ipConfigurations]" - }, - "lock": { - "value": "[coalesce(tryGet(parameters('nicConfigurations')[copyIndex()], 'lock'), parameters('lock'))]" - }, - "tags": { - "value": "[coalesce(tryGet(parameters('nicConfigurations')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "diagnosticSettings": { - "value": "[tryGet(parameters('nicConfigurations')[copyIndex()], 'diagnosticSettings')]" - }, - "roleAssignments": { - "value": "[tryGet(parameters('nicConfigurations')[copyIndex()], 'roleAssignments')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11123708724712871468" - } - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. 
Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \u0007llLogs to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to AllMetrics to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." 
- } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "networkInterfaceName": { - "type": "string" - }, - "virtualMachineName": { - "type": "string" - }, - "location": { - "type": "string" - }, - "tags": { - "type": "object", - "nullable": true - }, - "enableIPForwarding": { - "type": "bool", - "defaultValue": false - }, - "enableAcceleratedNetworking": { - "type": "bool", - "defaultValue": false - }, - "dnsServers": { - "type": "array", - "defaultValue": [] - }, - "networkSecurityGroupResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The network security group (NSG) to attach to the network interface." - } - }, - "ipConfigurations": { - "type": "array" - }, - "lock": { - "$ref": "#/definitions/lockType" - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the Network Interface." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": { - "networkInterface_publicIPAddresses": { - "copy": { - "name": "networkInterface_publicIPAddresses", - "count": "[length(parameters('ipConfigurations'))]" - }, - "condition": "[contains(parameters('ipConfigurations')[copyIndex()], 'pipconfiguration')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-publicIP-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[format('{0}{1}', parameters('virtualMachineName'), parameters('ipConfigurations')[copyIndex()].pipconfiguration.publicIpNameSuffix)]" - }, - "diagnosticSettings": { - "value": "[tryGet(parameters('ipConfigurations')[copyIndex()], 'diagnosticSettings')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "lock": { - "value": "[parameters('lock')]" - }, - "publicIPAddressVersion": "[if(contains(parameters('ipConfigurations')[copyIndex()], 'publicIPAddressVersion'), createObject('value', parameters('ipConfigurations')[copyIndex()].publicIPAddressVersion), createObject('value', 'IPv4'))]", - "publicIPAllocationMethod": "[if(contains(parameters('ipConfigurations')[copyIndex()], 'publicIPAllocationMethod'), createObject('value', parameters('ipConfigurations')[copyIndex()].publicIPAllocationMethod), createObject('value', 'Static'))]", - "publicIPPrefixResourceId": "[if(contains(parameters('ipConfigurations')[copyIndex()], 'publicIPPrefixResourceId'), createObject('value', parameters('ipConfigurations')[copyIndex()].publicIPPrefixResourceId), createObject('value', ''))]", - "roleAssignments": "[if(contains(parameters('ipConfigurations')[copyIndex()], 'roleAssignments'), createObject('value', parameters('ipConfigurations')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "skuName": 
"[if(contains(parameters('ipConfigurations')[copyIndex()], 'skuName'), createObject('value', parameters('ipConfigurations')[copyIndex()].skuName), createObject('value', 'Standard'))]", - "skuTier": "[if(contains(parameters('ipConfigurations')[copyIndex()], 'skuTier'), createObject('value', parameters('ipConfigurations')[copyIndex()].skuTier), createObject('value', 'Regional'))]", - "tags": { - "value": "[coalesce(tryGet(parameters('ipConfigurations')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "zones": "[if(contains(parameters('ipConfigurations')[copyIndex()], 'zones'), createObject('value', parameters('ipConfigurations')[copyIndex()].zones), createObject('value', createArray()))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15536304828480480757" - }, - "name": "Public IP Addresses", - "description": "This module deploys a Public IP Address.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. 
The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Public IP Address." - } - }, - "publicIPPrefixResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix." - } - }, - "publicIPAllocationMethod": { - "type": "string", - "defaultValue": "Static", - "allowedValues": [ - "Dynamic", - "Static" - ], - "metadata": { - "description": "Optional. The public IP address allocation method." - } - }, - "skuName": { - "type": "string", - "defaultValue": "Standard", - "allowedValues": [ - "Basic", - "Standard" - ], - "metadata": { - "description": "Optional. Name of a public IP address SKU." - } - }, - "skuTier": { - "type": "string", - "defaultValue": "Regional", - "allowedValues": [ - "Global", - "Regional" - ], - "metadata": { - "description": "Optional. Tier of a public IP address SKU." - } - }, - "zones": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. 
A list of availability zones denoting the IP allocated for the resource needs to come from." - } - }, - "publicIPAddressVersion": { - "type": "string", - "defaultValue": "IPv4", - "allowedValues": [ - "IPv4", - "IPv6" - ], - "metadata": { - "description": "Optional. IP address version." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "domainNameLabel": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The domain name label. The concatenation of the domain name label and the regionalized DNS zone make up the fully qualified domain name associated with the public IP address. If a domain name label is specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system." - } - }, - "domainNameLabelScope": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "NoReuse", - "ResourceGroupReuse", - "SubscriptionReuse", - "TenantReuse" - ], - "metadata": { - "description": "Optional. The domain name label scope. If a domain name label and a domain name label scope are specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system with a hashed value includes in FQDN." - } - }, - "fqdn": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The Fully Qualified Domain Name of the A DNS record associated with the public IP. This is the concatenation of the domainNameLabel and the regionalized DNS zone." - } - }, - "reverseFqdn": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The reverse FQDN. A user-visible, fully qualified domain name that resolves to this public IP address. If the reverseFqdn is specified, then a PTR DNS record is created pointing from the IP address in the in-addr.arpa domain to the reverse FQDN." 
- } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "publicIpAddress": { - "type": "Microsoft.Network/publicIPAddresses", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "name": "[parameters('skuName')]", - "tier": "[parameters('skuTier')]" - }, - "zones": "[parameters('zones')]", - "properties": { - "dnsSettings": "[if(not(empty(parameters('domainNameLabel'))), createObject('domainNameLabel', 
parameters('domainNameLabel'), 'domainNameLabelScope', parameters('domainNameLabelScope'), 'fqdn', parameters('fqdn'), 'reverseFqdn', parameters('reverseFqdn')), null())]", - "publicIPAddressVersion": "[parameters('publicIPAddressVersion')]", - "publicIPAllocationMethod": "[parameters('publicIPAllocationMethod')]", - "publicIPPrefix": "[if(not(empty(parameters('publicIPPrefixResourceId'))), createObject('id', parameters('publicIPPrefixResourceId')), null())]", - "idleTimeoutInMinutes": 4, - "ipTags": [] - } - }, - "publicIpAddress_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "publicIpAddress" - ] - }, - "publicIpAddress_diagnosticSettings": { - "copy": { - "name": "publicIpAddress_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "publicIpAddress" - ] - }, - "publicIpAddress_roleAssignments": { - "copy": { - "name": "publicIpAddress_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "publicIpAddress" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the public IP address was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the public IP address." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the public IP address." - }, - "value": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" - }, - "ipAddress": { - "type": "string", - "metadata": { - "description": "The public IP address of the public IP address resource." - }, - "value": "[if(contains(reference('publicIpAddress'), 'ipAddress'), reference('publicIpAddress').ipAddress, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." 
- }, - "value": "[reference('publicIpAddress', '2023-04-01', 'full').location]" - } - } - } - } - }, - "networkInterface": { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-NetworkInterface', deployment().name)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('networkInterfaceName')]" - }, - "ipConfigurations": { - "copy": [ - { - "name": "value", - "count": "[length(parameters('ipConfigurations'))]", - "input": "[createObject('name', if(not(empty(parameters('ipConfigurations')[copyIndex('value')].name)), parameters('ipConfigurations')[copyIndex('value')].name, null()), 'primary', equals(copyIndex('value'), 0), 'privateIPAllocationMethod', if(contains(parameters('ipConfigurations')[copyIndex('value')], 'privateIPAllocationMethod'), if(not(empty(parameters('ipConfigurations')[copyIndex('value')].privateIPAllocationMethod)), parameters('ipConfigurations')[copyIndex('value')].privateIPAllocationMethod, null()), null()), 'privateIPAddress', if(contains(parameters('ipConfigurations')[copyIndex('value')], 'privateIPAddress'), if(not(empty(parameters('ipConfigurations')[copyIndex('value')].privateIPAddress)), parameters('ipConfigurations')[copyIndex('value')].privateIPAddress, null()), null()), 'publicIPAddressResourceId', if(contains(parameters('ipConfigurations')[copyIndex('value')], 'pipconfiguration'), resourceId('Microsoft.Network/publicIPAddresses', format('{0}{1}', parameters('virtualMachineName'), parameters('ipConfigurations')[copyIndex('value')].pipconfiguration.publicIpNameSuffix)), null()), 'subnetResourceId', parameters('ipConfigurations')[copyIndex('value')].subnetResourceId, 'loadBalancerBackendAddressPools', if(contains(parameters('ipConfigurations')[copyIndex('value')], 'loadBalancerBackendAddressPools'), parameters('ipConfigurations')[copyIndex('value')].loadBalancerBackendAddressPools, null()), 
'applicationSecurityGroups', if(contains(parameters('ipConfigurations')[copyIndex('value')], 'applicationSecurityGroups'), parameters('ipConfigurations')[copyIndex('value')].applicationSecurityGroups, null()), 'applicationGatewayBackendAddressPools', if(contains(parameters('ipConfigurations')[copyIndex('value')], 'applicationGatewayBackendAddressPools'), parameters('ipConfigurations')[copyIndex('value')].applicationGatewayBackendAddressPools, null()), 'gatewayLoadBalancer', if(contains(parameters('ipConfigurations')[copyIndex('value')], 'gatewayLoadBalancer'), parameters('ipConfigurations')[copyIndex('value')].gatewayLoadBalancer, null()), 'loadBalancerInboundNatRules', if(contains(parameters('ipConfigurations')[copyIndex('value')], 'loadBalancerInboundNatRules'), parameters('ipConfigurations')[copyIndex('value')].loadBalancerInboundNatRules, null()), 'privateIPAddressVersion', if(contains(parameters('ipConfigurations')[copyIndex('value')], 'privateIPAddressVersion'), parameters('ipConfigurations')[copyIndex('value')].privateIPAddressVersion, null()), 'virtualNetworkTaps', if(contains(parameters('ipConfigurations')[copyIndex('value')], 'virtualNetworkTaps'), parameters('ipConfigurations')[copyIndex('value')].virtualNetworkTaps, null()))]" - } - ] - }, - "location": { - "value": "[parameters('location')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "diagnosticSettings": { - "value": "[parameters('diagnosticSettings')]" - }, - "dnsServers": "[if(not(empty(parameters('dnsServers'))), createObject('value', parameters('dnsServers')), createObject('value', createArray()))]", - "enableAcceleratedNetworking": { - "value": "[parameters('enableAcceleratedNetworking')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "enableIPForwarding": { - "value": "[parameters('enableIPForwarding')]" - }, - "lock": { - "value": "[parameters('lock')]" - }, - "networkSecurityGroupResourceId": 
"[if(not(empty(parameters('networkSecurityGroupResourceId'))), createObject('value', parameters('networkSecurityGroupResourceId')), createObject('value', ''))]", - "roleAssignments": "[if(not(empty(parameters('roleAssignments'))), createObject('value', parameters('roleAssignments')), createObject('value', createArray()))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2750011165297287068" - }, - "name": "Network Interface", - "description": "This module deploys a Network Interface.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." 
- } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
- } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the network interface." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." 
- } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "enableIPForwarding": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates whether IP forwarding is enabled on this network interface." - } - }, - "enableAcceleratedNetworking": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. If the network interface is accelerated networking enabled." - } - }, - "dnsServers": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of DNS servers IP addresses. Use 'AzureProvidedDNS' to switch to azure provided DNS resolution. 'AzureProvidedDNS' value cannot be combined with other IPs, it must be the only value in dnsServers collection." - } - }, - "networkSecurityGroupResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The network security group (NSG) to attach to the network interface." - } - }, - "auxiliaryMode": { - "type": "string", - "defaultValue": "None", - "allowedValues": [ - "Floating", - "MaxConnections", - "None" - ], - "metadata": { - "description": "Optional. Auxiliary mode of Network Interface resource. Not all regions are enabled for Auxiliary Mode Nic." - } - }, - "auxiliarySku": { - "type": "string", - "defaultValue": "None", - "allowedValues": [ - "A1", - "A2", - "A4", - "A8", - "None" - ], - "metadata": { - "description": "Optional. Auxiliary sku of Network Interface resource. Not all regions are enabled for Auxiliary Mode Nic." - } - }, - "disableTcpStateTracking": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates whether to disable tcp state tracking. 
Subscription must be registered for the Microsoft.Network/AllowDisableTcpStateTracking feature before this property can be set to true." - } - }, - "ipConfigurations": { - "type": "array", - "metadata": { - "description": "Required. A list of IPConfigurations of the network interface." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "networkInterface": { - "type": "Microsoft.Network/networkInterfaces", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "ipConfigurations", - "count": "[length(parameters('ipConfigurations'))]", - "input": { - "name": "[if(contains(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'name'), 
parameters('ipConfigurations')[copyIndex('ipConfigurations')].name, format('ipconfig0{0}', add(copyIndex('ipConfigurations'), 1)))]", - "properties": { - "primary": "[if(equals(copyIndex('ipConfigurations'), 0), true(), false())]", - "privateIPAllocationMethod": "[if(contains(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'privateIPAllocationMethod'), if(not(empty(parameters('ipConfigurations')[copyIndex('ipConfigurations')].privateIPAllocationMethod)), parameters('ipConfigurations')[copyIndex('ipConfigurations')].privateIPAllocationMethod, null()), null())]", - "privateIPAddress": "[if(contains(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'privateIPAddress'), if(not(empty(parameters('ipConfigurations')[copyIndex('ipConfigurations')].privateIPAddress)), parameters('ipConfigurations')[copyIndex('ipConfigurations')].privateIPAddress, null()), null())]", - "publicIPAddress": "[if(contains(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'publicIPAddressResourceId'), if(not(equals(parameters('ipConfigurations')[copyIndex('ipConfigurations')].publicIPAddressResourceId, null())), createObject('id', parameters('ipConfigurations')[copyIndex('ipConfigurations')].publicIPAddressResourceId), null()), null())]", - "subnet": { - "id": "[parameters('ipConfigurations')[copyIndex('ipConfigurations')].subnetResourceId]" - }, - "loadBalancerBackendAddressPools": "[if(contains(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'loadBalancerBackendAddressPools'), parameters('ipConfigurations')[copyIndex('ipConfigurations')].loadBalancerBackendAddressPools, null())]", - "applicationSecurityGroups": "[if(contains(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'applicationSecurityGroups'), parameters('ipConfigurations')[copyIndex('ipConfigurations')].applicationSecurityGroups, null())]", - "applicationGatewayBackendAddressPools": "[if(contains(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 
'applicationGatewayBackendAddressPools'), parameters('ipConfigurations')[copyIndex('ipConfigurations')].applicationGatewayBackendAddressPools, null())]", - "gatewayLoadBalancer": "[if(contains(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'gatewayLoadBalancer'), parameters('ipConfigurations')[copyIndex('ipConfigurations')].gatewayLoadBalancer, null())]", - "loadBalancerInboundNatRules": "[if(contains(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'loadBalancerInboundNatRules'), parameters('ipConfigurations')[copyIndex('ipConfigurations')].loadBalancerInboundNatRules, null())]", - "privateIPAddressVersion": "[if(contains(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'privateIPAddressVersion'), parameters('ipConfigurations')[copyIndex('ipConfigurations')].privateIPAddressVersion, null())]", - "virtualNetworkTaps": "[if(contains(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'virtualNetworkTaps'), parameters('ipConfigurations')[copyIndex('ipConfigurations')].virtualNetworkTaps, null())]" - } - } - } - ], - "auxiliaryMode": "[parameters('auxiliaryMode')]", - "auxiliarySku": "[parameters('auxiliarySku')]", - "disableTcpStateTracking": "[parameters('disableTcpStateTracking')]", - "dnsSettings": "[if(not(empty(parameters('dnsServers'))), createObject('dnsServers', parameters('dnsServers')), null())]", - "enableAcceleratedNetworking": "[parameters('enableAcceleratedNetworking')]", - "enableIPForwarding": "[parameters('enableIPForwarding')]", - "networkSecurityGroup": "[if(not(empty(parameters('networkSecurityGroupResourceId'))), createObject('id', parameters('networkSecurityGroupResourceId')), null())]" - } - }, - "networkInterface_diagnosticSettings": { - "copy": { - "name": "networkInterface_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": 
"[format('Microsoft.Network/networkInterfaces/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "networkInterface" - ] - }, - "networkInterface_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/networkInterfaces/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete 
or modify the resource or child resources.')]" - }, - "dependsOn": [ - "networkInterface" - ] - }, - "networkInterface_roleAssignments": { - "copy": { - "name": "networkInterface_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(resourceId('Microsoft.Network/networkInterfaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "networkInterface" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - 
"description": "The name of the deployed resource." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed resource." - }, - "value": "[resourceId('Microsoft.Network/networkInterfaces', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed resource." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('networkInterface', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "networkInterface_publicIPAddresses" - ] - } - } - } - } - }, - "vm_aadJoinExtension": { - "condition": "[parameters('extensionAadJoinConfig').enabled]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-VM-AADLogin', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "virtualMachineName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "AADLogin" - }, - "publisher": { - "value": "Microsoft.Azure.ActiveDirectory" - }, - "type": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'AADLoginForWindows'), createObject('value', 'AADSSHLoginforLinux'))]", - "typeHandlerVersion": "[if(contains(parameters('extensionAadJoinConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionAadJoinConfig').typeHandlerVersion), createObject('value', '1.0'))]", - "autoUpgradeMinorVersion": "[if(contains(parameters('extensionAadJoinConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionAadJoinConfig').autoUpgradeMinorVersion), createObject('value', true()))]", - "enableAutomaticUpgrade": "[if(contains(parameters('extensionAadJoinConfig'), 
'enableAutomaticUpgrade'), createObject('value', parameters('extensionAadJoinConfig').enableAutomaticUpgrade), createObject('value', false()))]", - "settings": "[if(contains(parameters('extensionAadJoinConfig'), 'settings'), createObject('value', parameters('extensionAadJoinConfig').settings), createObject('value', createObject()))]", - "tags": { - "value": "[coalesce(tryGet(parameters('extensionAadJoinConfig'), 'tags'), parameters('tags'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5421737065579119324" - }, - "name": "Virtual Machine Extensions", - "description": "This module deploys a Virtual Machine Extension.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "virtualMachineName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent virtual machine that extension is provisioned for. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the virtual machine extension." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. The location the extension is deployed to." - } - }, - "publisher": { - "type": "string", - "metadata": { - "description": "Required. The name of the extension handler publisher." - } - }, - "type": { - "type": "string", - "metadata": { - "description": "Required. Specifies the type of the extension; an example is \"CustomScriptExtension\"." - } - }, - "typeHandlerVersion": { - "type": "string", - "metadata": { - "description": "Required. Specifies the version of the script handler." 
- } - }, - "autoUpgradeMinorVersion": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true." - } - }, - "forceUpdateTag": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed." - } - }, - "settings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific settings." - } - }, - "protectedSettings": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific protected settings." - } - }, - "supressFailures": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false." - } - }, - "enableAutomaticUpgrade": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "virtualMachine": { - "existing": true, - "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2022-11-01", - "name": "[parameters('virtualMachineName')]" - }, - "extension": { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "publisher": "[parameters('publisher')]", - "type": "[parameters('type')]", - "typeHandlerVersion": "[parameters('typeHandlerVersion')]", - "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", - "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": "[if(not(empty(parameters('forceUpdateTag'))), parameters('forceUpdateTag'), null())]", - "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", - "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", - "suppressFailures": "[parameters('supressFailures')]" - }, - "dependsOn": [ - "virtualMachine" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the extension." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the extension." 
- }, - "value": "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the extension was created in." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('extension', '2022-11-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "vm" - ] - }, - "vm_domainJoinExtension": { - "condition": "[parameters('extensionDomainJoinConfig').enabled]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-VM-DomainJoin', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "virtualMachineName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "DomainJoin" - }, - "publisher": { - "value": "Microsoft.Compute" - }, - "type": { - "value": "JsonADDomainExtension" - }, - "typeHandlerVersion": "[if(contains(parameters('extensionDomainJoinConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionDomainJoinConfig').typeHandlerVersion), createObject('value', '1.3'))]", - "autoUpgradeMinorVersion": "[if(contains(parameters('extensionDomainJoinConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionDomainJoinConfig').autoUpgradeMinorVersion), createObject('value', true()))]", - "enableAutomaticUpgrade": "[if(contains(parameters('extensionDomainJoinConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionDomainJoinConfig').enableAutomaticUpgrade), createObject('value', false()))]", - "settings": { - "value": "[parameters('extensionDomainJoinConfig').settings]" - }, - "tags": { - "value": 
"[coalesce(tryGet(parameters('extensionDomainJoinConfig'), 'tags'), parameters('tags'))]" - }, - "protectedSettings": { - "value": { - "Password": "[parameters('extensionDomainJoinPassword')]" - } - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5421737065579119324" - }, - "name": "Virtual Machine Extensions", - "description": "This module deploys a Virtual Machine Extension.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "virtualMachineName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent virtual machine that extension is provisioned for. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the virtual machine extension." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. The location the extension is deployed to." - } - }, - "publisher": { - "type": "string", - "metadata": { - "description": "Required. The name of the extension handler publisher." - } - }, - "type": { - "type": "string", - "metadata": { - "description": "Required. Specifies the type of the extension; an example is \"CustomScriptExtension\"." - } - }, - "typeHandlerVersion": { - "type": "string", - "metadata": { - "description": "Required. Specifies the version of the script handler." - } - }, - "autoUpgradeMinorVersion": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. 
Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true." - } - }, - "forceUpdateTag": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed." - } - }, - "settings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific settings." - } - }, - "protectedSettings": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific protected settings." - } - }, - "supressFailures": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false." - } - }, - "enableAutomaticUpgrade": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "virtualMachine": { - "existing": true, - "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2022-11-01", - "name": "[parameters('virtualMachineName')]" - }, - "extension": { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "publisher": "[parameters('publisher')]", - "type": "[parameters('type')]", - "typeHandlerVersion": "[parameters('typeHandlerVersion')]", - "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", - "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": "[if(not(empty(parameters('forceUpdateTag'))), parameters('forceUpdateTag'), null())]", - "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", - "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", - "suppressFailures": "[parameters('supressFailures')]" - }, - "dependsOn": [ - "virtualMachine" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the extension." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the extension." 
- }, - "value": "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the extension was created in." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('extension', '2022-11-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "vm" - ] - }, - "vm_microsoftAntiMalwareExtension": { - "condition": "[parameters('extensionAntiMalwareConfig').enabled]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-VM-MicrosoftAntiMalware', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "virtualMachineName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "MicrosoftAntiMalware" - }, - "publisher": { - "value": "Microsoft.Azure.Security" - }, - "type": { - "value": "IaaSAntimalware" - }, - "typeHandlerVersion": "[if(contains(parameters('extensionAntiMalwareConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionAntiMalwareConfig').typeHandlerVersion), createObject('value', '1.3'))]", - "autoUpgradeMinorVersion": "[if(contains(parameters('extensionAntiMalwareConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionAntiMalwareConfig').autoUpgradeMinorVersion), createObject('value', true()))]", - "enableAutomaticUpgrade": "[if(contains(parameters('extensionAntiMalwareConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionAntiMalwareConfig').enableAutomaticUpgrade), createObject('value', false()))]", - "settings": { - "value": "[parameters('extensionAntiMalwareConfig').settings]" - }, - "tags": { - "value": 
"[coalesce(tryGet(parameters('extensionAntiMalwareConfig'), 'tags'), parameters('tags'))]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5421737065579119324" - }, - "name": "Virtual Machine Extensions", - "description": "This module deploys a Virtual Machine Extension.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "virtualMachineName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent virtual machine that extension is provisioned for. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the virtual machine extension." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. The location the extension is deployed to." - } - }, - "publisher": { - "type": "string", - "metadata": { - "description": "Required. The name of the extension handler publisher." - } - }, - "type": { - "type": "string", - "metadata": { - "description": "Required. Specifies the type of the extension; an example is \"CustomScriptExtension\"." - } - }, - "typeHandlerVersion": { - "type": "string", - "metadata": { - "description": "Required. Specifies the version of the script handler." - } - }, - "autoUpgradeMinorVersion": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true." 
- } - }, - "forceUpdateTag": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed." - } - }, - "settings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific settings." - } - }, - "protectedSettings": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific protected settings." - } - }, - "supressFailures": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false." - } - }, - "enableAutomaticUpgrade": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "virtualMachine": { - "existing": true, - "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2022-11-01", - "name": "[parameters('virtualMachineName')]" - }, - "extension": { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "publisher": "[parameters('publisher')]", - "type": "[parameters('type')]", - "typeHandlerVersion": "[parameters('typeHandlerVersion')]", - "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", - "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": "[if(not(empty(parameters('forceUpdateTag'))), parameters('forceUpdateTag'), null())]", - "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", - "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", - "suppressFailures": "[parameters('supressFailures')]" - }, - "dependsOn": [ - "virtualMachine" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the extension." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the extension." 
- }, - "value": "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the extension was created in." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('extension', '2022-11-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "vm" - ] - }, - "vm_microsoftMonitoringAgentExtension": { - "condition": "[parameters('extensionMonitoringAgentConfig').enabled]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-VM-MicrosoftMonitoringAgent', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "virtualMachineName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "MicrosoftMonitoringAgent" - }, - "publisher": { - "value": "Microsoft.EnterpriseCloud.Monitoring" - }, - "type": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'MicrosoftMonitoringAgent'), createObject('value', 'OmsAgentForLinux'))]", - "typeHandlerVersion": "[if(contains(parameters('extensionMonitoringAgentConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionMonitoringAgentConfig').typeHandlerVersion), if(equals(parameters('osType'), 'Windows'), createObject('value', '1.0'), createObject('value', '1.7')))]", - "autoUpgradeMinorVersion": "[if(contains(parameters('extensionMonitoringAgentConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionMonitoringAgentConfig').autoUpgradeMinorVersion), createObject('value', true()))]", - "enableAutomaticUpgrade": "[if(contains(parameters('extensionMonitoringAgentConfig'), 'enableAutomaticUpgrade'), 
createObject('value', parameters('extensionMonitoringAgentConfig').enableAutomaticUpgrade), createObject('value', false()))]", - "settings": { - "value": { - "workspaceId": "[if(not(empty(parameters('monitoringWorkspaceId'))), reference('vm_logAnalyticsWorkspace').customerId, '')]" - } - }, - "tags": { - "value": "[coalesce(tryGet(parameters('extensionMonitoringAgentConfig'), 'tags'), parameters('tags'))]" - }, - "protectedSettings": { - "value": { - "workspaceKey": "[if(not(empty(parameters('monitoringWorkspaceId'))), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), '//'), '/')[2], split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), '////'), '/')[4]), 'Microsoft.OperationalInsights/workspaces', last(split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), 'law'), '/'))), '2021-06-01').primarySharedKey, '')]" - } - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5421737065579119324" - }, - "name": "Virtual Machine Extensions", - "description": "This module deploys a Virtual Machine Extension.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "virtualMachineName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent virtual machine that extension is provisioned for. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the virtual machine extension." 
- } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. The location the extension is deployed to." - } - }, - "publisher": { - "type": "string", - "metadata": { - "description": "Required. The name of the extension handler publisher." - } - }, - "type": { - "type": "string", - "metadata": { - "description": "Required. Specifies the type of the extension; an example is \"CustomScriptExtension\"." - } - }, - "typeHandlerVersion": { - "type": "string", - "metadata": { - "description": "Required. Specifies the version of the script handler." - } - }, - "autoUpgradeMinorVersion": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true." - } - }, - "forceUpdateTag": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed." - } - }, - "settings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific settings." - } - }, - "protectedSettings": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific protected settings." - } - }, - "supressFailures": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false." - } - }, - "enableAutomaticUpgrade": { - "type": "bool", - "metadata": { - "description": "Required. 
Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "virtualMachine": { - "existing": true, - "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2022-11-01", - "name": "[parameters('virtualMachineName')]" - }, - "extension": { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "publisher": "[parameters('publisher')]", - "type": "[parameters('type')]", - "typeHandlerVersion": "[parameters('typeHandlerVersion')]", - "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", - "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": "[if(not(empty(parameters('forceUpdateTag'))), parameters('forceUpdateTag'), null())]", - "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", - "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), 
parameters('protectedSettings'), null())]", - "suppressFailures": "[parameters('supressFailures')]" - }, - "dependsOn": [ - "virtualMachine" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the extension." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the extension." - }, - "value": "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the extension was created in." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('extension', '2022-11-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "vm", - "vm_logAnalyticsWorkspace" - ] - }, - "vm_dependencyAgentExtension": { - "condition": "[parameters('extensionDependencyAgentConfig').enabled]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-VM-DependencyAgent', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "virtualMachineName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "DependencyAgent" - }, - "publisher": { - "value": "Microsoft.Azure.Monitoring.DependencyAgent" - }, - "type": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'DependencyAgentWindows'), createObject('value', 'DependencyAgentLinux'))]", - "typeHandlerVersion": "[if(contains(parameters('extensionDependencyAgentConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionDependencyAgentConfig').typeHandlerVersion), createObject('value', '9.5'))]", - 
"autoUpgradeMinorVersion": "[if(contains(parameters('extensionDependencyAgentConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionDependencyAgentConfig').autoUpgradeMinorVersion), createObject('value', true()))]", - "enableAutomaticUpgrade": "[if(contains(parameters('extensionDependencyAgentConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionDependencyAgentConfig').enableAutomaticUpgrade), createObject('value', true()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "tags": { - "value": "[coalesce(tryGet(parameters('extensionDependencyAgentConfig'), 'tags'), parameters('tags'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5421737065579119324" - }, - "name": "Virtual Machine Extensions", - "description": "This module deploys a Virtual Machine Extension.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "virtualMachineName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent virtual machine that extension is provisioned for. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the virtual machine extension." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. The location the extension is deployed to." - } - }, - "publisher": { - "type": "string", - "metadata": { - "description": "Required. The name of the extension handler publisher." - } - }, - "type": { - "type": "string", - "metadata": { - "description": "Required. 
Specifies the type of the extension; an example is \"CustomScriptExtension\"." - } - }, - "typeHandlerVersion": { - "type": "string", - "metadata": { - "description": "Required. Specifies the version of the script handler." - } - }, - "autoUpgradeMinorVersion": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true." - } - }, - "forceUpdateTag": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed." - } - }, - "settings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific settings." - } - }, - "protectedSettings": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific protected settings." - } - }, - "supressFailures": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false." - } - }, - "enableAutomaticUpgrade": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. 
Tags of the resource." - } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "virtualMachine": { - "existing": true, - "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2022-11-01", - "name": "[parameters('virtualMachineName')]" - }, - "extension": { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "publisher": "[parameters('publisher')]", - "type": "[parameters('type')]", - "typeHandlerVersion": "[parameters('typeHandlerVersion')]", - "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", - "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": "[if(not(empty(parameters('forceUpdateTag'))), parameters('forceUpdateTag'), null())]", - "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", - "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", - "suppressFailures": "[parameters('supressFailures')]" - }, - "dependsOn": [ - "virtualMachine" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the extension." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the extension." 
- }, - "value": "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the extension was created in." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('extension', '2022-11-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "vm" - ] - }, - "vm_networkWatcherAgentExtension": { - "condition": "[parameters('extensionNetworkWatcherAgentConfig').enabled]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-VM-NetworkWatcherAgent', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "virtualMachineName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "NetworkWatcherAgent" - }, - "publisher": { - "value": "Microsoft.Azure.NetworkWatcher" - }, - "type": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'NetworkWatcherAgentWindows'), createObject('value', 'NetworkWatcherAgentLinux'))]", - "typeHandlerVersion": "[if(contains(parameters('extensionNetworkWatcherAgentConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionNetworkWatcherAgentConfig').typeHandlerVersion), createObject('value', '1.4'))]", - "autoUpgradeMinorVersion": "[if(contains(parameters('extensionNetworkWatcherAgentConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionNetworkWatcherAgentConfig').autoUpgradeMinorVersion), createObject('value', true()))]", - "enableAutomaticUpgrade": "[if(contains(parameters('extensionNetworkWatcherAgentConfig'), 'enableAutomaticUpgrade'), createObject('value', 
parameters('extensionNetworkWatcherAgentConfig').enableAutomaticUpgrade), createObject('value', false()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "tags": { - "value": "[coalesce(tryGet(parameters('extensionNetworkWatcherAgentConfig'), 'tags'), parameters('tags'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5421737065579119324" - }, - "name": "Virtual Machine Extensions", - "description": "This module deploys a Virtual Machine Extension.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "virtualMachineName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent virtual machine that extension is provisioned for. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the virtual machine extension." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. The location the extension is deployed to." - } - }, - "publisher": { - "type": "string", - "metadata": { - "description": "Required. The name of the extension handler publisher." - } - }, - "type": { - "type": "string", - "metadata": { - "description": "Required. Specifies the type of the extension; an example is \"CustomScriptExtension\"." - } - }, - "typeHandlerVersion": { - "type": "string", - "metadata": { - "description": "Required. Specifies the version of the script handler." - } - }, - "autoUpgradeMinorVersion": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. 
Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true." - } - }, - "forceUpdateTag": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed." - } - }, - "settings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific settings." - } - }, - "protectedSettings": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific protected settings." - } - }, - "supressFailures": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false." - } - }, - "enableAutomaticUpgrade": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "virtualMachine": { - "existing": true, - "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2022-11-01", - "name": "[parameters('virtualMachineName')]" - }, - "extension": { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "publisher": "[parameters('publisher')]", - "type": "[parameters('type')]", - "typeHandlerVersion": "[parameters('typeHandlerVersion')]", - "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", - "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": "[if(not(empty(parameters('forceUpdateTag'))), parameters('forceUpdateTag'), null())]", - "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", - "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", - "suppressFailures": "[parameters('supressFailures')]" - }, - "dependsOn": [ - "virtualMachine" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the extension." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the extension." 
- }, - "value": "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the extension was created in." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('extension', '2022-11-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "vm" - ] - }, - "vm_desiredStateConfigurationExtension": { - "condition": "[parameters('extensionDSCConfig').enabled]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-VM-DesiredStateConfiguration', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "virtualMachineName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "DesiredStateConfiguration" - }, - "publisher": { - "value": "Microsoft.Powershell" - }, - "type": { - "value": "DSC" - }, - "typeHandlerVersion": "[if(contains(parameters('extensionDSCConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionDSCConfig').typeHandlerVersion), createObject('value', '2.77'))]", - "autoUpgradeMinorVersion": "[if(contains(parameters('extensionDSCConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionDSCConfig').autoUpgradeMinorVersion), createObject('value', true()))]", - "enableAutomaticUpgrade": "[if(contains(parameters('extensionDSCConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionDSCConfig').enableAutomaticUpgrade), createObject('value', false()))]", - "settings": "[if(contains(parameters('extensionDSCConfig'), 'settings'), createObject('value', parameters('extensionDSCConfig').settings), createObject('value', 
createObject()))]", - "tags": { - "value": "[coalesce(tryGet(parameters('extensionDSCConfig'), 'tags'), parameters('tags'))]" - }, - "protectedSettings": "[if(contains(parameters('extensionDSCConfig'), 'protectedSettings'), createObject('value', parameters('extensionDSCConfig').protectedSettings), createObject('value', createObject()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5421737065579119324" - }, - "name": "Virtual Machine Extensions", - "description": "This module deploys a Virtual Machine Extension.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "virtualMachineName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent virtual machine that extension is provisioned for. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the virtual machine extension." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. The location the extension is deployed to." - } - }, - "publisher": { - "type": "string", - "metadata": { - "description": "Required. The name of the extension handler publisher." - } - }, - "type": { - "type": "string", - "metadata": { - "description": "Required. Specifies the type of the extension; an example is \"CustomScriptExtension\"." - } - }, - "typeHandlerVersion": { - "type": "string", - "metadata": { - "description": "Required. Specifies the version of the script handler." - } - }, - "autoUpgradeMinorVersion": { - "type": "bool", - "metadata": { - "description": "Required. 
Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true." - } - }, - "forceUpdateTag": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed." - } - }, - "settings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific settings." - } - }, - "protectedSettings": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific protected settings." - } - }, - "supressFailures": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false." - } - }, - "enableAutomaticUpgrade": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "virtualMachine": { - "existing": true, - "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2022-11-01", - "name": "[parameters('virtualMachineName')]" - }, - "extension": { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "publisher": "[parameters('publisher')]", - "type": "[parameters('type')]", - "typeHandlerVersion": "[parameters('typeHandlerVersion')]", - "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", - "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": "[if(not(empty(parameters('forceUpdateTag'))), parameters('forceUpdateTag'), null())]", - "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", - "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", - "suppressFailures": "[parameters('supressFailures')]" - }, - "dependsOn": [ - "virtualMachine" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the extension." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the extension." 
- }, - "value": "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the extension was created in." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('extension', '2022-11-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "vm" - ] - }, - "vm_customScriptExtension": { - "condition": "[parameters('extensionCustomScriptConfig').enabled]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-VM-CustomScriptExtension', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "virtualMachineName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "CustomScriptExtension" - }, - "publisher": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'Microsoft.Compute'), createObject('value', 'Microsoft.Azure.Extensions'))]", - "type": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'CustomScriptExtension'), createObject('value', 'CustomScript'))]", - "typeHandlerVersion": "[if(contains(parameters('extensionCustomScriptConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionCustomScriptConfig').typeHandlerVersion), if(equals(parameters('osType'), 'Windows'), createObject('value', '1.10'), createObject('value', '2.1')))]", - "autoUpgradeMinorVersion": "[if(contains(parameters('extensionCustomScriptConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionCustomScriptConfig').autoUpgradeMinorVersion), createObject('value', true()))]", - "enableAutomaticUpgrade": 
"[if(contains(parameters('extensionCustomScriptConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionCustomScriptConfig').enableAutomaticUpgrade), createObject('value', false()))]", - "settings": { - "value": { - "copy": [ - { - "name": "fileUris", - "count": "[length(parameters('extensionCustomScriptConfig').fileData)]", - "input": "[if(contains(parameters('extensionCustomScriptConfig').fileData[copyIndex('fileUris')], 'storageAccountId'), format('{0}?{1}', parameters('extensionCustomScriptConfig').fileData[copyIndex('fileUris')].uri, listAccountSas(parameters('extensionCustomScriptConfig').fileData[copyIndex('fileUris')].storageAccountId, '2019-04-01', variables('accountSasProperties')).accountSasToken), parameters('extensionCustomScriptConfig').fileData[copyIndex('fileUris')].uri)]" - } - ] - } - }, - "tags": { - "value": "[coalesce(tryGet(parameters('extensionCustomScriptConfig'), 'tags'), parameters('tags'))]" - }, - "protectedSettings": { - "value": "[parameters('extensionCustomScriptProtectedSetting')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5421737065579119324" - }, - "name": "Virtual Machine Extensions", - "description": "This module deploys a Virtual Machine Extension.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "virtualMachineName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent virtual machine that extension is provisioned for. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the virtual machine extension." 
- } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. The location the extension is deployed to." - } - }, - "publisher": { - "type": "string", - "metadata": { - "description": "Required. The name of the extension handler publisher." - } - }, - "type": { - "type": "string", - "metadata": { - "description": "Required. Specifies the type of the extension; an example is \"CustomScriptExtension\"." - } - }, - "typeHandlerVersion": { - "type": "string", - "metadata": { - "description": "Required. Specifies the version of the script handler." - } - }, - "autoUpgradeMinorVersion": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true." - } - }, - "forceUpdateTag": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed." - } - }, - "settings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific settings." - } - }, - "protectedSettings": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific protected settings." - } - }, - "supressFailures": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false." - } - }, - "enableAutomaticUpgrade": { - "type": "bool", - "metadata": { - "description": "Required. 
Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "virtualMachine": { - "existing": true, - "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2022-11-01", - "name": "[parameters('virtualMachineName')]" - }, - "extension": { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "publisher": "[parameters('publisher')]", - "type": "[parameters('type')]", - "typeHandlerVersion": "[parameters('typeHandlerVersion')]", - "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", - "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": "[if(not(empty(parameters('forceUpdateTag'))), parameters('forceUpdateTag'), null())]", - "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", - "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), 
parameters('protectedSettings'), null())]", - "suppressFailures": "[parameters('supressFailures')]" - }, - "dependsOn": [ - "virtualMachine" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the extension." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the extension." - }, - "value": "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the extension was created in." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('extension', '2022-11-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "vm", - "vm_desiredStateConfigurationExtension" - ] - }, - "vm_azureDiskEncryptionExtension": { - "condition": "[parameters('extensionAzureDiskEncryptionConfig').enabled]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-VM-AzureDiskEncryption', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "virtualMachineName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "AzureDiskEncryption" - }, - "publisher": { - "value": "Microsoft.Azure.Security" - }, - "type": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'AzureDiskEncryption'), createObject('value', 'AzureDiskEncryptionForLinux'))]", - "typeHandlerVersion": "[if(contains(parameters('extensionAzureDiskEncryptionConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionAzureDiskEncryptionConfig').typeHandlerVersion), 
if(equals(parameters('osType'), 'Windows'), createObject('value', '2.2'), createObject('value', '1.1')))]", - "autoUpgradeMinorVersion": "[if(contains(parameters('extensionAzureDiskEncryptionConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionAzureDiskEncryptionConfig').autoUpgradeMinorVersion), createObject('value', true()))]", - "enableAutomaticUpgrade": "[if(contains(parameters('extensionAzureDiskEncryptionConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionAzureDiskEncryptionConfig').enableAutomaticUpgrade), createObject('value', false()))]", - "forceUpdateTag": "[if(contains(parameters('extensionAzureDiskEncryptionConfig'), 'forceUpdateTag'), createObject('value', parameters('extensionAzureDiskEncryptionConfig').forceUpdateTag), createObject('value', '1.0'))]", - "settings": { - "value": "[parameters('extensionAzureDiskEncryptionConfig').settings]" - }, - "tags": { - "value": "[coalesce(tryGet(parameters('extensionAzureDiskEncryptionConfig'), 'tags'), parameters('tags'))]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5421737065579119324" - }, - "name": "Virtual Machine Extensions", - "description": "This module deploys a Virtual Machine Extension.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "virtualMachineName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent virtual machine that extension is provisioned for. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the virtual machine extension." 
- } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. The location the extension is deployed to." - } - }, - "publisher": { - "type": "string", - "metadata": { - "description": "Required. The name of the extension handler publisher." - } - }, - "type": { - "type": "string", - "metadata": { - "description": "Required. Specifies the type of the extension; an example is \"CustomScriptExtension\"." - } - }, - "typeHandlerVersion": { - "type": "string", - "metadata": { - "description": "Required. Specifies the version of the script handler." - } - }, - "autoUpgradeMinorVersion": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true." - } - }, - "forceUpdateTag": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed." - } - }, - "settings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific settings." - } - }, - "protectedSettings": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Any object that contains the extension specific protected settings." - } - }, - "supressFailures": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false." - } - }, - "enableAutomaticUpgrade": { - "type": "bool", - "metadata": { - "description": "Required. 
Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "virtualMachine": { - "existing": true, - "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2022-11-01", - "name": "[parameters('virtualMachineName')]" - }, - "extension": { - "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "publisher": "[parameters('publisher')]", - "type": "[parameters('type')]", - "typeHandlerVersion": "[parameters('typeHandlerVersion')]", - "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", - "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": "[if(not(empty(parameters('forceUpdateTag'))), parameters('forceUpdateTag'), null())]", - "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", - "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), 
parameters('protectedSettings'), null())]", - "suppressFailures": "[parameters('supressFailures')]" - }, - "dependsOn": [ - "virtualMachine" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the extension." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the extension." - }, - "value": "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the extension was created in." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('extension', '2022-11-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "vm", - "vm_customScriptExtension", - "vm_microsoftMonitoringAgentExtension" - ] - }, - "vm_backup": { - "condition": "[not(empty(parameters('backupVaultName')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-VM-Backup', uniqueString(deployment().name, parameters('location')))]", - "resourceGroup": "[parameters('backupVaultResourceGroup')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[format('vm;iaasvmcontainerv2;{0};{1}', resourceGroup().name, parameters('name'))]" - }, - "policyId": { - "value": "[resourceId('Microsoft.RecoveryServices/vaults/backupPolicies', parameters('backupVaultName'), parameters('backupPolicyName'))]" - }, - "protectedItemType": { - "value": "Microsoft.Compute/virtualMachines" - }, - "protectionContainerName": { - "value": "[format('iaasvmcontainer;iaasvmcontainerv2;{0};{1}', resourceGroup().name, parameters('name'))]" - }, - 
"recoveryVaultName": { - "value": "[parameters('backupVaultName')]" - }, - "sourceResourceId": { - "value": "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9921011786088905122" - }, - "name": "Recovery Service Vaults Protection Container Protected Item", - "description": "This module deploys a Recovery Services Vault Protection Container Protected Item.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the resource." - } - }, - "protectionContainerName": { - "type": "string", - "metadata": { - "description": "Conditional. Name of the Azure Recovery Service Vault Protection Container. Required if the template is used in a standalone deployment." - } - }, - "recoveryVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "protectedItemType": { - "type": "string", - "allowedValues": [ - "AzureFileShareProtectedItem", - "AzureVmWorkloadSAPAseDatabase", - "AzureVmWorkloadSAPHanaDatabase", - "AzureVmWorkloadSQLDatabase", - "DPMProtectedItem", - "GenericProtectedItem", - "MabFileFolderProtectedItem", - "Microsoft.ClassicCompute/virtualMachines", - "Microsoft.Compute/virtualMachines", - "Microsoft.Sql/servers/databases" - ], - "metadata": { - "description": "Required. The backup item type." 
- } - }, - "policyId": { - "type": "string", - "metadata": { - "description": "Required. ID of the backup policy with which this item is backed up." - } - }, - "sourceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource to back up." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems", - "apiVersion": "2023-01-01", - "name": "[format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name'))]", - "location": "[parameters('location')]", - "properties": { - "protectedItemType": "[parameters('protectedItemType')]", - "policyId": "[parameters('policyId')]", - "sourceResourceId": "[parameters('sourceResourceId')]" - } - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the protected item was created in." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the protected item." 
- }, - "value": "[resourceId('Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems', split(format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name')), '/')[0], split(format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name')), '/')[1], split(format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name')), '/')[2], split(format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name')), '/')[3])]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The Name of the protected item." - }, - "value": "[format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name'))]" - } - } - } - }, - "dependsOn": [ - "vm", - "vm_aadJoinExtension", - "vm_customScriptExtension", - "vm_dependencyAgentExtension", - "vm_desiredStateConfigurationExtension", - "vm_domainJoinExtension", - "vm_microsoftAntiMalwareExtension", - "vm_microsoftMonitoringAgentExtension", - "vm_networkWatcherAgentExtension" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the VM." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the VM." - }, - "value": "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the VM was created in." - }, - "value": "[resourceGroup().name]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." 
- }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('vm', '2022-11-01', 'full').identity, 'principalId')), reference('vm', '2022-11-01', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('vm', '2022-11-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/compute/virtual-machine/modules/nested_networkInterface.bicep b/modules/compute/virtual-machine/modules/nested_networkInterface.bicep deleted file mode 100644 index a7e44aaf79..0000000000 --- a/modules/compute/virtual-machine/modules/nested_networkInterface.bicep +++ /dev/null 
@@ -1,147 +0,0 @@
-param networkInterfaceName string
-param virtualMachineName string
-param location string
-param tags object?
-param enableIPForwarding bool = false
-param enableAcceleratedNetworking bool = false
-param dnsServers array = []
-
-@description('Optional. The network security group (NSG) to attach to the network interface.')
-param networkSecurityGroupResourceId string = ''
-
-param ipConfigurations array
-param lock lockType
-
-@description('Optional. The diagnostic settings of the Network Interface.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-var enableReferencedModulesTelemetry = false
-
-module networkInterface_publicIPAddresses '../../../network/public-ip-address/main.bicep' = [for (ipConfiguration, index) in ipConfigurations: if (contains(ipConfiguration, 'pipconfiguration')) {
- name: '${deployment().name}-publicIP-${index}'
- params: {
- name: '${virtualMachineName}${ipConfiguration.pipconfiguration.publicIpNameSuffix}'
- diagnosticSettings: ipConfiguration.?diagnosticSettings
- location: location
- lock: lock
- publicIPAddressVersion: contains(ipConfiguration, 'publicIPAddressVersion') ? ipConfiguration.publicIPAddressVersion : 'IPv4'
- publicIPAllocationMethod: contains(ipConfiguration, 'publicIPAllocationMethod') ? ipConfiguration.publicIPAllocationMethod : 'Static'
- publicIPPrefixResourceId: contains(ipConfiguration, 'publicIPPrefixResourceId') ? ipConfiguration.publicIPPrefixResourceId : ''
- roleAssignments: contains(ipConfiguration, 'roleAssignments') ? ipConfiguration.roleAssignments : []
- skuName: contains(ipConfiguration, 'skuName') ? ipConfiguration.skuName : 'Standard'
- skuTier: contains(ipConfiguration, 'skuTier') ? ipConfiguration.skuTier : 'Regional'
- tags: ipConfiguration.?tags ?? tags
- zones: contains(ipConfiguration, 'zones') ? ipConfiguration.zones : []
- }
-}]
-
-module networkInterface '../../../network/network-interface/main.bicep' = {
- name: '${deployment().name}-NetworkInterface'
- params: {
- name: networkInterfaceName
- ipConfigurations: [for (ipConfiguration, index) in ipConfigurations: {
- name: !empty(ipConfiguration.name) ? ipConfiguration.name : null
- primary: index == 0
- privateIPAllocationMethod: contains(ipConfiguration, 'privateIPAllocationMethod') ? (!empty(ipConfiguration.privateIPAllocationMethod) ? ipConfiguration.privateIPAllocationMethod : null) : null
- privateIPAddress: contains(ipConfiguration, 'privateIPAddress') ? (!empty(ipConfiguration.privateIPAddress) ? ipConfiguration.privateIPAddress : null) : null
- publicIPAddressResourceId: contains(ipConfiguration, 'pipconfiguration') ? resourceId('Microsoft.Network/publicIPAddresses', '${virtualMachineName}${ipConfiguration.pipconfiguration.publicIpNameSuffix}') : null
- subnetResourceId: ipConfiguration.subnetResourceId
- loadBalancerBackendAddressPools: contains(ipConfiguration, 'loadBalancerBackendAddressPools') ? ipConfiguration.loadBalancerBackendAddressPools : null
- applicationSecurityGroups: contains(ipConfiguration, 'applicationSecurityGroups') ? ipConfiguration.applicationSecurityGroups : null
- applicationGatewayBackendAddressPools: contains(ipConfiguration, 'applicationGatewayBackendAddressPools') ? ipConfiguration.applicationGatewayBackendAddressPools : null
- gatewayLoadBalancer: contains(ipConfiguration, 'gatewayLoadBalancer') ? ipConfiguration.gatewayLoadBalancer : null
- loadBalancerInboundNatRules: contains(ipConfiguration, 'loadBalancerInboundNatRules') ? ipConfiguration.loadBalancerInboundNatRules : null
- privateIPAddressVersion: contains(ipConfiguration, 'privateIPAddressVersion') ? ipConfiguration.privateIPAddressVersion : null
- virtualNetworkTaps: contains(ipConfiguration, 'virtualNetworkTaps') ? ipConfiguration.virtualNetworkTaps : null
- }]
- location: location
- tags: tags
- diagnosticSettings: diagnosticSettings
- dnsServers: !empty(dnsServers) ? dnsServers : []
- enableAcceleratedNetworking: enableAcceleratedNetworking
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- enableIPForwarding: enableIPForwarding
- lock: lock
- networkSecurityGroupResourceId: !empty(networkSecurityGroupResourceId) ? networkSecurityGroupResourceId : ''
- roleAssignments: !empty(roleAssignments) ? roleAssignments : []
- }
- dependsOn: [
- networkInterface_publicIPAddresses
- ]
-}
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to llLogs to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to AllMetrics to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/compute/virtual-machine/tests/e2e/linux.atmg/dependencies.bicep b/modules/compute/virtual-machine/tests/e2e/linux.atmg/dependencies.bicep
deleted file mode 100644
index d8b2e100e0..0000000000
--- a/modules/compute/virtual-machine/tests/e2e/linux.atmg/dependencies.bicep
+++ /dev/null
@@ -1,86 +0,0 @@
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Deployment Script to create for the SSH Key generation.')
-param sshDeploymentScriptName string
-
-@description('Required. The name of the SSH Key to create.')
-param sshKeyName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource msiRGContrRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(resourceGroup().id, 'Contributor', managedIdentity.id)
- scope: resourceGroup()
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor
- principalType: 'ServicePrincipal'
- }
-}
-
-resource sshDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
- name: sshDeploymentScriptName
- location: location
- kind: 'AzurePowerShell'
- identity: {
- type: 'UserAssigned'
- userAssignedIdentities: {
- '${managedIdentity.id}': {}
- }
- }
- properties: {
- azPowerShellVersion: '9.0'
- retentionInterval: 'P1D'
- arguments: ' -SSHKeyName "${sshKeyName}" -ResourceGroupName "${resourceGroup().name}"'
- scriptContent: loadTextContent('../../../../../.shared/.scripts/New-SSHKey.ps1')
- }
- dependsOn: [
- msiRGContrRoleAssignment
- ]
-}
-
-resource sshKey 'Microsoft.Compute/sshPublicKeys@2022-03-01' = {
- name: sshKeyName
- location: location
- properties: {
- publicKey: sshDeploymentScript.properties.outputs.publicKey
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The Public Key of the created SSH Key.')
-output SSHKeyPublicKey string = sshKey.properties.publicKey
diff --git a/modules/compute/virtual-machine/tests/e2e/linux.atmg/main.test.bicep b/modules/compute/virtual-machine/tests/e2e/linux.atmg/main.test.bicep
deleted file mode 100644
index 4e53732a23..0000000000
--- a/modules/compute/virtual-machine/tests/e2e/linux.atmg/main.test.bicep
+++ /dev/null
@@ -1,123 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-compute.virtualMachines-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cvmlinatmg'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- location: location
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- sshDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}'
- sshKeyName: 'dep-${namePrefix}-ssh-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-// resource sshKey 'Microsoft.Compute/sshPublicKeys@2022-03-01' existing = {
-// name: sshKeyName
-// scope: resourceGroup
-// }
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- location: location
- name: '${namePrefix}${serviceShort}'
- adminUsername: 'localAdminUser'
- imageReference: {
- publisher: 'Canonical'
- offer: '0001-com-ubuntu-server-jammy'
- sku: '22_04-lts-gen2'
- version: 'latest'
- }
- nicConfigurations: [
- {
- ipConfigurations: [
- {
- name: 'ipconfig01'
- pipConfiguration: {
- publicIpNameSuffix: '-pip-01'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- zones: [
- '1'
- '2'
- '3'
- ]
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- }
- ]
- nicSuffix: '-nic-01'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- osDisk: {
- diskSizeGB: '128'
- managedDisk: {
- storageAccountType: 'Premium_LRS'
- }
- }
- osType: 'Linux'
- vmSize: 'Standard_DS2_v2'
- configurationProfile: '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction'
- disablePasswordAuthentication: true
- publicKeys: [
- {
- keyData: nestedDependencies.outputs.SSHKeyPublicKey
- path: '/home/localAdminUser/.ssh/authorized_keys'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- dependsOn: [
- nestedDependencies // Required to leverage `existing` SSH key reference
- ]
-}
diff --git a/modules/compute/virtual-machine/tests/e2e/linux.min/dependencies.bicep b/modules/compute/virtual-machine/tests/e2e/linux.min/dependencies.bicep
deleted file mode 100644
index c88f2b1230..0000000000
--- a/modules/compute/virtual-machine/tests/e2e/linux.min/dependencies.bicep
+++ /dev/null
@@ -1,86 +0,0 @@
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Deployment Script to create for the SSH Key generation.')
-param sshDeploymentScriptName string
-
-@description('Required. The name of the SSH Key to create.')
-param sshKeyName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource msiRGContrRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(resourceGroup().id, 'Contributor', managedIdentity.id)
- scope: resourceGroup()
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor
- principalType: 'ServicePrincipal'
- }
-}
-
-resource sshDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
- name: sshDeploymentScriptName
- location: location
- kind: 'AzurePowerShell'
- identity: {
- type: 'UserAssigned'
- userAssignedIdentities: {
- '${managedIdentity.id}': {}
- }
- }
- properties: {
- azPowerShellVersion: '9.0'
- retentionInterval: 'P1D'
- arguments: '-SSHKeyName "${sshKeyName}" -ResourceGroupName "${resourceGroup().name}"'
- scriptContent: loadTextContent('../../../../../.shared/.scripts/New-SSHKey.ps1')
- }
- dependsOn: [
- msiRGContrRoleAssignment
- ]
-}
-
-resource sshKey 'Microsoft.Compute/sshPublicKeys@2022-03-01' = {
- name: sshKeyName
- location: location
- properties: {
- publicKey: sshDeploymentScript.properties.outputs.publicKey
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The Public Key of the created SSH Key.')
-output SSHKeyPublicKey string = sshKey.properties.publicKey
diff --git a/modules/compute/virtual-machine/tests/e2e/linux.min/main.test.bicep b/modules/compute/virtual-machine/tests/e2e/linux.min/main.test.bicep
deleted file mode 100644
index 4c3fffb43d..0000000000
--- a/modules/compute/virtual-machine/tests/e2e/linux.min/main.test.bicep
+++ /dev/null
@@ -1,102 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-compute.virtualMachines-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cvmlinmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- location: location
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- sshDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}'
- sshKeyName: 'dep-${namePrefix}-ssh-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-// resource sshKey 'Microsoft.Compute/sshPublicKeys@2022-03-01' existing = {
-// name: sshKeyName
-// scope: resourceGroup
-// }
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- location: location
- name: '${namePrefix}${serviceShort}'
- adminUsername: 'localAdminUser'
- imageReference: {
- publisher: 'Canonical'
- offer: '0001-com-ubuntu-server-jammy'
- sku: '22_04-lts-gen2'
- version: 'latest'
- }
- nicConfigurations: [
- {
- ipConfigurations: [
- {
- name: 'ipconfig01'
- pipConfiguration: {
- publicIpNameSuffix: '-pip-01'
- }
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- }
- ]
- nicSuffix: '-nic-01'
- }
- ]
- osDisk: {
- diskSizeGB: '128'
- managedDisk: {
- storageAccountType: 'Premium_LRS'
- }
- }
- osType: 'Linux'
- vmSize: 'Standard_DS2_v2'
- disablePasswordAuthentication: true
- publicKeys: [
- {
- keyData: nestedDependencies.outputs.SSHKeyPublicKey
- path: '/home/localAdminUser/.ssh/authorized_keys'
- }
- ]
- }
- dependsOn: [
- nestedDependencies // Required to leverage `existing` SSH key reference
- ]
-}
diff --git a/modules/compute/virtual-machine/tests/e2e/linux/dependencies.bicep b/modules/compute/virtual-machine/tests/e2e/linux/dependencies.bicep
deleted file mode 100644
index 4dbd74b07b..0000000000
--- a/modules/compute/virtual-machine/tests/e2e/linux/dependencies.bicep
+++ /dev/null
@@ -1,337 +0,0 @@
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Application Security Group to create.')
-param applicationSecurityGroupName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Load Balancer to create.')
-param loadBalancerName string
-
-@description('Required. The name of the Recovery Services Vault to create.')
-param recoveryServicesVaultName string
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-@description('Required. The name of the Deployment Script used to upload data to the Storage Account.')
-param storageUploadDeploymentScriptName string
-
-@description('Required. The name of the Deployment Script to create for the SSH Key generation.')
-param sshDeploymentScriptName string
-
-@description('Required. The name of the SSH Key to create.')
-param sshKeyName string
-
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-var storageAccountCSEFileName = 'scriptExtensionMasterInstaller.ps1'
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource applicationSecurityGroup 'Microsoft.Network/applicationSecurityGroups@2023-04-01' = {
- name: applicationSecurityGroupName
- location: location
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource msiRGContrRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(resourceGroup().id, 'Contributor', managedIdentity.id)
- scope: resourceGroup()
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor
- principalType: 'ServicePrincipal'
- }
-}
-
-resource loadBalancer 'Microsoft.Network/loadBalancers@2023-04-01' = {
- name: loadBalancerName
- location: location
- sku: {
- name: 'Standard'
- }
- properties: {
- frontendIPConfigurations: [
- {
- name: 'privateIPConfig1'
- properties: {
- subnet: virtualNetwork.properties.subnets[0]
- }
- }
- ]
- backendAddressPools: [
- {
- name: 'servers'
- }
- ]
- }
-}
-
-resource recoveryServicesVault 'Microsoft.RecoveryServices/vaults@2022-04-01' = {
- name: recoveryServicesVaultName
- location: location
- sku: {
- name: 'RS0'
- tier: 'Standard'
- }
- properties: {}
-
- resource backupPolicy 'backupPolicies@2022-03-01' = {
- name: 'backupPolicy'
- properties: {
- backupManagementType: 'AzureIaasVM'
- instantRPDetails: {}
- schedulePolicy: {
- schedulePolicyType: 'SimpleSchedulePolicy'
- scheduleRunFrequency: 'Daily'
- scheduleRunTimes: [
- '2019-11-07T07:00:00Z'
- ]
- scheduleWeeklyFrequency: 0
- }
- retentionPolicy: {
- retentionPolicyType: 'LongTermRetentionPolicy'
- dailySchedule: {
- retentionTimes: [
- '2019-11-07T07:00:00Z'
- ]
- retentionDuration: {
- count: 180
- durationType: 'Days'
- }
- }
- weeklySchedule: {
- daysOfTheWeek: [
- 'Sunday'
- ]
- retentionTimes: [
- '2019-11-07T07:00:00Z'
- ]
- retentionDuration: {
- count: 12
- durationType: 'Weeks'
- }
- }
- monthlySchedule: {
- retentionScheduleFormatType: 'Weekly'
- retentionScheduleWeekly: {
- daysOfTheWeek: [
- 'Sunday'
- ]
- weeksOfTheMonth: [
- 'First'
- ]
- }
- retentionTimes: [
- '2019-11-07T07:00:00Z'
- ]
- retentionDuration: {
- count: 60
- durationType: 'Months'
- }
- }
- yearlySchedule: {
- retentionScheduleFormatType: 'Weekly'
- monthsOfYear: [
- 'January'
- ]
- retentionScheduleWeekly: {
- daysOfTheWeek: [
- 'Sunday'
- ]
- weeksOfTheMonth: [
- 'First'
- ]
- }
- retentionTimes: [
- '2019-11-07T07:00:00Z'
- ]
- retentionDuration: {
- count: 10
- durationType: 'Years'
- }
- }
- }
- instantRpRetentionRangeInDays: 2
- timeZone: 'UTC'
- protectedItemsCount: 0
- }
- }
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: null
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-
- resource key 'keys@2022-07-01' = {
- name: 'encryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-}
-
-resource msiKVCryptoUserRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-KeyVault-Key-Read-RoleAssignment')
- scope: keyVault::key
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User
- principalType: 'ServicePrincipal'
- }
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
-
- resource blobService 'blobServices@2021-09-01' = {
- name: 'default'
-
- resource container 'containers@2021-09-01' = {
- name: 'scripts'
- }
- }
-}
-
-resource storageUpload 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
- name: storageUploadDeploymentScriptName
- location: location
- kind: 'AzurePowerShell'
- identity: {
- type: 'UserAssigned'
- userAssignedIdentities: {
- '${managedIdentity.id}': {}
- }
- }
- properties: {
- azPowerShellVersion: '9.0'
- retentionInterval: 'P1D'
- arguments: '-StorageAccountName "${storageAccount.name}" -ResourceGroupName "${resourceGroup().name}" -ContainerName "${storageAccount::blobService::container.name}" -FileName "${storageAccountCSEFileName}"'
- scriptContent: loadTextContent('../../../../../.shared/.scripts/Set-BlobContent.ps1')
- }
- dependsOn: [
- msiRGContrRoleAssignment
- ]
-}
-
-resource sshDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
- name: sshDeploymentScriptName
- location: location
- kind: 'AzurePowerShell'
- identity: {
- type: 'UserAssigned'
- userAssignedIdentities: {
- '${managedIdentity.id}': {}
- }
- }
- properties: {
- azPowerShellVersion: '9.0'
- retentionInterval: 'P1D'
- arguments: '-SSHKeyName "${sshKeyName}" -ResourceGroupName "${resourceGroup().name}"'
- scriptContent: loadTextContent('../../../../../.shared/.scripts/New-SSHKey.ps1')
- }
- dependsOn: [
- msiRGContrRoleAssignment
- ]
-}
-
-resource sshKey 'Microsoft.Compute/sshPublicKeys@2022-03-01' = {
- name: sshKeyName
- location: location
- properties: {
- publicKey: sshDeploymentScript.properties.outputs.publicKey
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Application Security Group.')
-output applicationSecurityGroupResourceId string = applicationSecurityGroup.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Load Balancer Backend Pool.')
-output loadBalancerBackendPoolResourceId string = loadBalancer.properties.backendAddressPools[0].id
-
-@description('The name of the created Recovery Services Vault.')
-output recoveryServicesVaultName string = recoveryServicesVault.name
-
-@description('The name of the Resource Group, the Recovery Services Vault was created in.')
-output recoveryServicesVaultResourceGroupName string = resourceGroup().name
-
-@description('The name of the Backup Policy created in the Backup Recovery Vault.')
-output recoveryServicesVaultBackupPolicyName string = recoveryServicesVault::backupPolicy.name
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
-
-@description('The URL of the created Key Vault.')
-output keyVaultUrl string = keyVault.properties.vaultUri
-
-@description('The URL of the created Key Vault Encryption Key.')
-output keyVaultEncryptionKeyUrl string = keyVault::key.properties.keyUriWithVersion
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
-
-@description('The URL of the Custom Script Extension in the created Storage Account.')
-output storageAccountCSEFileUrl string = '${storageAccount.properties.primaryEndpoints.blob}${storageAccount::blobService::container.name}/${storageAccountCSEFileName}'
-
-@description('The name of the Custom Script Extension in the created Storage Account.')
-output storageAccountCSEFileName string = storageAccountCSEFileName
-
-@description('The Public Key of the created SSH Key.')
-output SSHKeyPublicKey string = sshKey.properties.publicKey
diff --git a/modules/compute/virtual-machine/tests/e2e/linux/main.test.bicep b/modules/compute/virtual-machine/tests/e2e/linux/main.test.bicep
deleted file mode 100644
index b4b5e7ba57..0000000000
--- a/modules/compute/virtual-machine/tests/e2e/linux/main.test.bicep
+++ /dev/null
@@ -1,314 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-compute.virtualMachines-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cvmlincom'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- location: location
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- applicationSecurityGroupName: 'dep-${namePrefix}-asg-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}'
- loadBalancerName: 'dep-${namePrefix}-lb-${serviceShort}'
- recoveryServicesVaultName: 'dep-${namePrefix}-rsv-${serviceShort}'
- storageAccountName: 'dep${namePrefix}sa${serviceShort}01'
- storageUploadDeploymentScriptName: 'dep-${namePrefix}-sads-${serviceShort}'
- sshDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}'
- sshKeyName: 'dep-${namePrefix}-ssh-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}'
- computerName: '${namePrefix}linvm1'
- location: location
- adminUsername: 'localAdministrator'
- imageReference: {
- publisher: 'Canonical'
- offer: '0001-com-ubuntu-server-focal'
- sku: '20_04-lts-gen2' // Note: 22.04 does not support OMS extension
- version: 'latest'
- }
- nicConfigurations: [
- {
- deleteOption: 'Delete'
- ipConfigurations: [
- {
- applicationSecurityGroups: [
- {
- id: nestedDependencies.outputs.applicationSecurityGroupResourceId
- }
- ]
- loadBalancerBackendAddressPools: [
- {
- id: nestedDependencies.outputs.loadBalancerBackendPoolResourceId
- }
- ]
- name: 'ipconfig01'
- pipConfiguration: {
- publicIpNameSuffix: '-pip-01'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- }
- zones: [
- '1'
- '2'
- '3'
- ]
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- }
- ]
- nicSuffix: '-nic-01'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- }
- ]
- osDisk: {
- caching: 'ReadOnly'
- createOption: 'fromImage'
- deleteOption: 'Delete'
- diskSizeGB: '128'
- managedDisk: {
- storageAccountType: 'Premium_LRS'
- }
- }
- osType: 'Linux'
- vmSize: 'Standard_DS2_v2'
- availabilityZone: 1
- backupPolicyName: nestedDependencies.outputs.recoveryServicesVaultBackupPolicyName
- backupVaultName: nestedDependencies.outputs.recoveryServicesVaultName
- backupVaultResourceGroup: nestedDependencies.outputs.recoveryServicesVaultResourceGroupName
- dataDisks: [
- {
- caching: 'ReadWrite'
- createOption: 'Empty'
- deleteOption: 'Delete'
- diskSizeGB: '128'
- managedDisk: {
- storageAccountType: 'Premium_LRS'
- }
- }
- {
- caching: 'ReadWrite'
- createOption: 'Empty'
- deleteOption: 'Delete'
- diskSizeGB: '128'
- managedDisk: {
- storageAccountType: 'Premium_LRS'
- }
- }
- ]
- enableAutomaticUpdates: true
- patchMode: 'AutomaticByPlatform'
- disablePasswordAuthentication: true
- encryptionAtHost: false
- extensionCustomScriptConfig: {
- enabled: true
- fileData: [
- {
- storageAccountId: nestedDependencies.outputs.storageAccountResourceId
- uri: nestedDependencies.outputs.storageAccountCSEFileUrl
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- extensionCustomScriptProtectedSetting: {
- commandToExecute: 'value=$(./${nestedDependencies.outputs.storageAccountCSEFileName}); echo "$value"'
- }
- extensionDependencyAgentConfig: {
- enabled: true
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- extensionAzureDiskEncryptionConfig: {
- enabled: true
- settings: {
- EncryptionOperation: 'EnableEncryption'
- KekVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- KeyEncryptionAlgorithm: 'RSA-OAEP'
- KeyEncryptionKeyURL: nestedDependencies.outputs.keyVaultEncryptionKeyUrl
- KeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- KeyVaultURL: nestedDependencies.outputs.keyVaultUrl
- ResizeOSDisk: 'false'
- VolumeType: 'All'
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- extensionAadJoinConfig: {
- enabled: true
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- extensionDSCConfig: {
- enabled: false
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- extensionMonitoringAgentConfig: {
- enabled: true
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- extensionNetworkWatcherAgentConfig: {
- enabled: true
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- monitoringWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- publicKeys: [
- {
- keyData: nestedDependencies.outputs.SSHKeyPublicKey
- path: '/home/localAdministrator/.ssh/authorized_keys'
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- dependsOn: [
- nestedDependencies // Required to leverage `existing` SSH key reference
- ]
-}
diff --git a/modules/compute/virtual-machine/tests/e2e/windows.atmg/dependencies.bicep b/modules/compute/virtual-machine/tests/e2e/windows.atmg/dependencies.bicep
deleted file mode 100644
index a546ea7dba..0000000000
--- a/modules/compute/virtual-machine/tests/e2e/windows.atmg/dependencies.bicep
+++ /dev/null
@@ -1,30 +0,0 @@
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
diff --git a/modules/compute/virtual-machine/tests/e2e/windows.atmg/main.test.bicep b/modules/compute/virtual-machine/tests/e2e/windows.atmg/main.test.bicep
deleted file mode 100644
index b1314bce14..0000000000
--- a/modules/compute/virtual-machine/tests/e2e/windows.atmg/main.test.bicep
+++ /dev/null
@@ -1,92 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-compute.virtualMachines-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cvmwinatmg'
-
-@description('Optional. The password to leverage for the login.')
-@secure()
-param password string = newGuid()
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- location: location
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- location: location
- name: '${namePrefix}${serviceShort}'
- adminUsername: 'localAdministrator'
- imageReference: {
- publisher: 'MicrosoftWindowsServer'
- offer: 'WindowsServer'
- sku: '2022-datacenter-azure-edition'
- version: 'latest'
- }
- nicConfigurations: [
- {
- ipConfigurations: [
- {
- name: 'ipconfig01'
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- }
- ]
- nicSuffix: '-nic-01'
- }
- ]
- osDisk: {
- diskSizeGB: '128'
- managedDisk: {
- storageAccountType: 'Premium_LRS'
- }
- }
- osType: 'Windows'
- vmSize: 'Standard_DS2_v2'
- adminPassword: password
- configurationProfile: '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
diff --git a/modules/compute/virtual-machine/tests/e2e/windows.min/dependencies.bicep b/modules/compute/virtual-machine/tests/e2e/windows.min/dependencies.bicep
deleted file mode 100644
index 68972ec7ec..0000000000
--- a/modules/compute/virtual-machine/tests/e2e/windows.min/dependencies.bicep
+++ /dev/null
@@ -1,30 +0,0 @@
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
diff --git a/modules/compute/virtual-machine/tests/e2e/windows.min/main.test.bicep b/modules/compute/virtual-machine/tests/e2e/windows.min/main.test.bicep
deleted file mode 100644
index 68c34d8494..0000000000
--- a/modules/compute/virtual-machine/tests/e2e/windows.min/main.test.bicep
+++ /dev/null
@@ -1,85 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-compute.virtualMachines-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cvmwinmin'
-
-@description('Optional. The password to leverage for the login.')
-@secure()
-param password string = newGuid()
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- location: location
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- location: location
- name: '${namePrefix}${serviceShort}'
- adminUsername: 'localAdminUser'
- imageReference: {
- publisher: 'MicrosoftWindowsServer'
- offer: 'WindowsServer'
- sku: '2022-datacenter-azure-edition'
- version: 'latest'
- }
- nicConfigurations: [
- {
- ipConfigurations: [
- {
- name: 'ipconfig01'
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- }
- ]
- nicSuffix: '-nic-01'
- }
- ]
- osDisk: {
- diskSizeGB: '128'
- managedDisk: {
- storageAccountType: 'Premium_LRS'
- }
- }
- osType: 'Windows'
- vmSize: 'Standard_DS2_v2'
- adminPassword: password
- }
-}
diff --git a/modules/compute/virtual-machine/tests/e2e/windows.ssecmk/dependencies.bicep b/modules/compute/virtual-machine/tests/e2e/windows.ssecmk/dependencies.bicep
deleted file mode 100644
index e5cb91cea0..0000000000
--- a/modules/compute/virtual-machine/tests/e2e/windows.ssecmk/dependencies.bicep
+++ /dev/null
@@ -1,92 +0,0 @@
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Disk Encryption Set to create.')
-param diskEncryptionSetName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: true // Required by disk encryption set
- softDeleteRetentionInDays: 7
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-
- resource key 'keys@2022-07-01' = {
- name: 'keyEncryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-}
-
-resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2021-04-01' = {
- name: diskEncryptionSetName
- location: location
- identity: {
- type: 'SystemAssigned'
- }
- properties: {
- activeKey: {
- sourceVault: {
- id: keyVault.id
- }
- keyUrl: keyVault::key.properties.keyUriWithVersion
- }
- encryptionType: 'EncryptionAtRestWithPlatformAndCustomerKeys'
- }
-}
-
-resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(keyVault::key.id, 'Key Vault Crypto User', diskEncryptionSet.id)
- scope: keyVault
- properties: {
- principalId: diskEncryptionSet.identity.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User
- principalType: 'ServicePrincipal'
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Disk Encryption Set.')
-output diskEncryptionSetResourceId string = diskEncryptionSet.id
diff --git a/modules/compute/virtual-machine/tests/e2e/windows.ssecmk/main.test.bicep b/modules/compute/virtual-machine/tests/e2e/windows.ssecmk/main.test.bicep
deleted file mode 100644
index ff7c06d244..0000000000
--- a/modules/compute/virtual-machine/tests/e2e/windows.ssecmk/main.test.bicep
+++ /dev/null
@@ -1,110 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-compute.virtualMachines-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cvmwincmk' - -@description('Optional. The password to leverage for the login.') -@secure() -param password string = newGuid() - -@description('Generated. Used as a basis for unique resource names.') -param baseTime string = utcNow('u') - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - location: location - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) - keyVaultName: 'dep${namePrefix}kv${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' - diskEncryptionSetName: 'dep-${namePrefix}-des-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // -module testDeployment '../../../main.bicep' = { - scope: 
resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - location: location - name: '${namePrefix}${serviceShort}' - adminUsername: 'VMAdministrator' - imageReference: { - publisher: 'MicrosoftWindowsServer' - offer: 'WindowsServer' - sku: '2019-datacenter' - version: 'latest' - } - nicConfigurations: [ - { - ipConfigurations: [ - { - name: 'ipconfig01' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - } - ] - nicSuffix: '-nic-01' - } - ] - osDisk: { - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - diskEncryptionSet: { - id: nestedDependencies.outputs.diskEncryptionSetResourceId - } - } - } - osType: 'Windows' - vmSize: 'Standard_DS2_v2' - adminPassword: password - dataDisks: [ - { - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - diskEncryptionSet: { - id: nestedDependencies.outputs.diskEncryptionSetResourceId - } - } - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} diff --git a/modules/compute/virtual-machine/tests/e2e/windows/dependencies.bicep b/modules/compute/virtual-machine/tests/e2e/windows/dependencies.bicep deleted file mode 100644 index 6a1f5fcc13..0000000000 --- a/modules/compute/virtual-machine/tests/e2e/windows/dependencies.bicep +++ /dev/null 
@@ -1,310 +0,0 @@ -@description('Required. The name of the Virtual Network to create.') -param virtualNetworkName string - -@description('Required. The name of the Application Security Group to create.') -param applicationSecurityGroupName string - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -@description('Required. The name of the Load Balancer to create.') -param loadBalancerName string - -@description('Required. The name of the Recovery Services Vault to create.') -param recoveryServicesVaultName string - -@description('Required. The name of the Key Vault to create.') -param keyVaultName string - -@description('Required. The name of the Storage Account to create.') -param storageAccountName string - -@description('Required. The name of the Deployment Script used to upload data to the Storage Account.') -param storageUploadDeploymentScriptName string - -@description('Required. The name of the Proximity Placement Group to create.') -param proximityPlacementGroupName string - -@description('Optional. 
The location to deploy resources to.') -param location string = resourceGroup().location - -var storageAccountCSEFileName = 'scriptExtensionMasterInstaller.ps1' -var addressPrefix = '10.0.0.0/16' - -resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { - name: virtualNetworkName - location: location - properties: { - addressSpace: { - addressPrefixes: [ - addressPrefix - ] - } - subnets: [ - { - name: 'defaultSubnet' - properties: { - addressPrefix: cidrSubnet(addressPrefix, 16, 0) - } - } - ] - } -} - -resource applicationSecurityGroup 'Microsoft.Network/applicationSecurityGroups@2023-04-01' = { - name: applicationSecurityGroupName - location: location -} - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -resource msiRGContrRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - name: guid(resourceGroup().id, 'Contributor', managedIdentity.id) - scope: resourceGroup() - properties: { - principalId: managedIdentity.properties.principalId - roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor - principalType: 'ServicePrincipal' - } -} - -resource loadBalancer 'Microsoft.Network/loadBalancers@2023-04-01' = { - name: loadBalancerName - location: location - sku: { - name: 'Standard' - } - properties: { - frontendIPConfigurations: [ - { - name: 'privateIPConfig1' - properties: { - subnet: virtualNetwork.properties.subnets[0] - } - } - ] - backendAddressPools: [ - { - name: 'servers' - } - ] - } -} - -resource recoveryServicesVault 'Microsoft.RecoveryServices/vaults@2022-04-01' = { - name: recoveryServicesVaultName - location: location - sku: { - name: 'RS0' - tier: 'Standard' - } - properties: {} - - resource backupPolicy 'backupPolicies@2022-03-01' = { - name: 'backupPolicy' - properties: { - backupManagementType: 'AzureIaasVM' - instantRPDetails: {} 
- schedulePolicy: { - schedulePolicyType: 'SimpleSchedulePolicy' - scheduleRunFrequency: 'Daily' - scheduleRunTimes: [ - '2019-11-07T07:00:00Z' - ] - scheduleWeeklyFrequency: 0 - } - retentionPolicy: { - retentionPolicyType: 'LongTermRetentionPolicy' - dailySchedule: { - retentionTimes: [ - '2019-11-07T07:00:00Z' - ] - retentionDuration: { - count: 180 - durationType: 'Days' - } - } - weeklySchedule: { - daysOfTheWeek: [ - 'Sunday' - ] - retentionTimes: [ - '2019-11-07T07:00:00Z' - ] - retentionDuration: { - count: 12 - durationType: 'Weeks' - } - } - monthlySchedule: { - retentionScheduleFormatType: 'Weekly' - retentionScheduleWeekly: { - daysOfTheWeek: [ - 'Sunday' - ] - weeksOfTheMonth: [ - 'First' - ] - } - retentionTimes: [ - '2019-11-07T07:00:00Z' - ] - retentionDuration: { - count: 60 - durationType: 'Months' - } - } - yearlySchedule: { - retentionScheduleFormatType: 'Weekly' - monthsOfYear: [ - 'January' - ] - retentionScheduleWeekly: { - daysOfTheWeek: [ - 'Sunday' - ] - weeksOfTheMonth: [ - 'First' - ] - } - retentionTimes: [ - '2019-11-07T07:00:00Z' - ] - retentionDuration: { - count: 10 - durationType: 'Years' - } - } - } - instantRpRetentionRangeInDays: 2 - timeZone: 'UTC' - protectedItemsCount: 0 - } - } -} - -resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { - name: keyVaultName - location: location - properties: { - sku: { - family: 'A' - name: 'standard' - } - tenantId: tenant().tenantId - enablePurgeProtection: null - enabledForTemplateDeployment: true - enabledForDiskEncryption: true - enabledForDeployment: true - enableRbacAuthorization: true - accessPolicies: [] - } - - resource key 'keys@2022-07-01' = { - name: 'encryptionKey' - properties: { - kty: 'RSA' - } - } -} - -resource msiKVReadRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-KeyVault-Key-Read-RoleAssignment') - scope: keyVault::key - properties: { - principalId: 
managedIdentity.properties.principalId - roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User - principalType: 'ServicePrincipal' - } -} - -resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = { - name: storageAccountName - location: location - sku: { - name: 'Standard_LRS' - } - kind: 'StorageV2' - - resource blobService 'blobServices@2021-09-01' = { - name: 'default' - - resource container 'containers@2021-09-01' = { - name: 'scripts' - } - } -} - -resource storageUpload 'Microsoft.Resources/deploymentScripts@2020-10-01' = { - name: storageUploadDeploymentScriptName - location: location - kind: 'AzurePowerShell' - identity: { - type: 'UserAssigned' - userAssignedIdentities: { - '${managedIdentity.id}': {} - } - } - properties: { - azPowerShellVersion: '9.0' - retentionInterval: 'P1D' - arguments: '-StorageAccountName "${storageAccount.name}" -ResourceGroupName "${resourceGroup().name}" -ContainerName "${storageAccount::blobService::container.name}" -FileName "${storageAccountCSEFileName}"' - scriptContent: loadTextContent('../../../../../.shared/.scripts/Set-BlobContent.ps1') - } - dependsOn: [ - msiRGContrRoleAssignment - ] -} - -resource proximityPlacementGroup 'Microsoft.Compute/proximityPlacementGroups@2022-03-01' = { - name: proximityPlacementGroupName - location: location -} - -@description('The resource ID of the created Virtual Network Subnet.') -output subnetResourceId string = virtualNetwork.properties.subnets[0].id - -@description('The resource ID of the created Application Security Group.') -output applicationSecurityGroupResourceId string = applicationSecurityGroup.id - -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId - -@description('The resource ID of the created Managed Identity.') -output managedIdentityResourceId string = 
managedIdentity.id - -@description('The resource ID of the created Load Balancer Backend Pool.') -output loadBalancerBackendPoolResourceId string = loadBalancer.properties.backendAddressPools[0].id - -@description('The name of the created Recovery Services Vault.') -output recoveryServicesVaultName string = recoveryServicesVault.name - -@description('The name of the Resource Group, the Recovery Services Vault was created in.') -output recoveryServicesVaultResourceGroupName string = resourceGroup().name - -@description('The name of the Backup Policy created in the Backup Recovery Vault.') -output recoveryServicesVaultBackupPolicyName string = recoveryServicesVault::backupPolicy.name - -@description('The resource ID of the created Key Vault.') -output keyVaultResourceId string = keyVault.id - -@description('The URL of the created Key Vault.') -output keyVaultUrl string = keyVault.properties.vaultUri - -@description('The URL of the created Key Vault Encryption Key.') -output keyVaultEncryptionKeyUrl string = keyVault::key.properties.keyUriWithVersion - -@description('The resource ID of the created Storage Account.') -output storageAccountResourceId string = storageAccount.id - -@description('The name of the Custom Script Extension in the created Storage Account.') -output storageAccountCSEFileName string = storageAccountCSEFileName - -@description('The URL of the Custom Script Extension in the created Storage Account') -output storageAccountCSEFileUrl string = '${storageAccount.properties.primaryEndpoints.blob}${storageAccount::blobService::container.name}/${storageAccountCSEFileName}' - -@description('The resource ID of the created Proximity Placement Group.') -output proximityPlacementGroupResourceId string = proximityPlacementGroup.id diff --git a/modules/compute/virtual-machine/tests/e2e/windows/main.test.bicep b/modules/compute/virtual-machine/tests/e2e/windows/main.test.bicep deleted file mode 100644 index 7bc8a2c00f..0000000000 
--- a/modules/compute/virtual-machine/tests/e2e/windows/main.test.bicep
+++ /dev/null
@@ -1,332 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-compute.virtualMachines-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cvmwincom' - -@description('Optional. The password to leverage for the login.') -@secure() -param password string = newGuid() - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - location: location - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - applicationSecurityGroupName: 'dep-${namePrefix}-asg-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' - loadBalancerName: 'dep-${namePrefix}-lb-${serviceShort}' - recoveryServicesVaultName: 'dep-${namePrefix}-rsv-${serviceShort}' - storageAccountName: 'dep${namePrefix}sa${serviceShort}01' - storageUploadDeploymentScriptName: 'dep-${namePrefix}-sads-${serviceShort}' - proximityPlacementGroupName: 'dep-${namePrefix}-ppg-${serviceShort}' - } -} - -// 
Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - location: location - name: '${namePrefix}${serviceShort}' - computerName: '${namePrefix}winvm1' - adminUsername: 'VMAdmin' - imageReference: { - publisher: 'MicrosoftWindowsServer' - offer: 'WindowsServer' - sku: '2019-datacenter' - version: 'latest' - } - nicConfigurations: [ - { - deleteOption: 'Delete' - ipConfigurations: [ - { - applicationSecurityGroups: [ - { - id: nestedDependencies.outputs.applicationSecurityGroupResourceId - } - ] - loadBalancerBackendAddressPools: [ - { - id: nestedDependencies.outputs.loadBalancerBackendPoolResourceId - } - ] - name: 'ipconfig01' - pipConfiguration: { - publicIpNameSuffix: '-pip-01' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - } - zones: [ - '1' - '2' - '3' - ] - subnetResourceId: nestedDependencies.outputs.subnetResourceId - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: 
diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - } - ] - nicSuffix: '-nic-01' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - } - ] - osDisk: { - caching: 'None' - createOption: 'fromImage' - deleteOption: 'Delete' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - osType: 'Windows' - vmSize: 'Standard_DS2_v2' - adminPassword: password - availabilityZone: 2 - backupPolicyName: nestedDependencies.outputs.recoveryServicesVaultBackupPolicyName - backupVaultName: nestedDependencies.outputs.recoveryServicesVaultName - backupVaultResourceGroup: nestedDependencies.outputs.recoveryServicesVaultResourceGroupName - dataDisks: [ - { - caching: 'None' - createOption: 'Empty' - deleteOption: 'Delete' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - { - caching: 'None' - createOption: 'Empty' - deleteOption: 'Delete' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - ] - enableAutomaticUpdates: true - patchMode: 'AutomaticByPlatform' - encryptionAtHost: false - extensionAntiMalwareConfig: { - enabled: true - settings: { - AntimalwareEnabled: 'true' - Exclusions: { - Extensions: '.ext1;.ext2' - Paths: 
'c:\\excluded-path-1;c:\\excluded-path-2' - Processes: 'excludedproc1.exe;excludedproc2.exe' - } - RealtimeProtectionEnabled: 'true' - ScheduledScanSettings: { - day: '7' - isEnabled: 'true' - scanType: 'Quick' - time: '120' - } - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - extensionCustomScriptConfig: { - enabled: true - fileData: [ - { - storageAccountId: nestedDependencies.outputs.storageAccountResourceId - uri: nestedDependencies.outputs.storageAccountCSEFileUrl - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - extensionCustomScriptProtectedSetting: { - commandToExecute: 'powershell -ExecutionPolicy Unrestricted -Command "& ./${nestedDependencies.outputs.storageAccountCSEFileName}"' - } - extensionDependencyAgentConfig: { - enabled: true - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - extensionAzureDiskEncryptionConfig: { - enabled: true - settings: { - EncryptionOperation: 'EnableEncryption' - KekVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - KeyEncryptionAlgorithm: 'RSA-OAEP' - KeyEncryptionKeyURL: nestedDependencies.outputs.keyVaultEncryptionKeyUrl - KeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - KeyVaultURL: nestedDependencies.outputs.keyVaultUrl - ResizeOSDisk: 'false' - VolumeType: 'All' - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - } - extensionAadJoinConfig: { - enabled: true - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - extensionDSCConfig: { - enabled: true - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 
'DeploymentValidation' - } - } - extensionMonitoringAgentConfig: { - enabled: true - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - extensionNetworkWatcherAgentConfig: { - enabled: true - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - monitoringWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - proximityPlacementGroupResourceId: nestedDependencies.outputs.proximityPlacementGroupResourceId - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} diff --git a/modules/compute/virtual-machine/version.json b/modules/compute/virtual-machine/version.json deleted file mode 100644 index 9ed3662aba..0000000000 --- a/modules/compute/virtual-machine/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.6", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/consumption/budget/MOVED-TO-AVM.md b/modules/consumption/budget/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/consumption/budget/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/consumption/budget/README.md b/modules/consumption/budget/README.md
index 5d97a98433..7421738bc7 100644
--- a/modules/consumption/budget/README.md
+++ b/modules/consumption/budget/README.md
@@ -1,407 +1,7 @@
-# Consumption Budgets `[Microsoft.Consumption/budgets]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/consumption/budget](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/consumption/budget).** -This module deploys a Consumption Budget for Subscriptions. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/consumption/budget). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Consumption/budgets` | [2021-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Consumption/2021-10-01/budgets) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/consumption.budget:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module budget 'br:bicep/modules/consumption.budget:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-cbmin' - params: { - // Required parameters - amount: 500 - name: 'cbmin001' - // Non-required parameters - contactEmails: [ - 'dummy@contoso.com' - ] - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "amount": { - "value": 500 - }, - "name": { - "value": "cbmin001" - }, - // Non-required parameters - "contactEmails": { - "value": [ - "dummy@contoso.com" - ] - }, - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module budget 'br:bicep/modules/consumption.budget:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-cbmax' - params: { - // Required parameters - amount: 500 - name: 'cbmax001' - // Non-required parameters - contactEmails: [ - 'dummy@contoso.com' - ] - enableDefaultTelemetry: '' - thresholds: [ - 50 - 75 - 90 - 100 - 110 - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "amount": { - "value": 500 - }, - "name": { - "value": "cbmax001" - }, - // Non-required parameters - "contactEmails": { - "value": [ - "dummy@contoso.com" - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "thresholds": { - "value": [ - 50, - 75, - 90, - 100, - 110 - ] - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module budget 'br:bicep/modules/consumption.budget:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-cbwaf' - params: { - // Required parameters - amount: 500 - name: 'cbwaf001' - // Non-required parameters - contactEmails: [ - 'dummy@contoso.com' - ] - enableDefaultTelemetry: '' - thresholds: [ - 50 - 75 - 90 - 100 - 110 - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "amount": { - "value": 500 - }, - "name": { - "value": "cbwaf001" - }, - // Non-required parameters - "contactEmails": { - "value": [ - "dummy@contoso.com" - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "thresholds": { - "value": [ - 50, - 75, - 90, - 100, - 110 - ] - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`amount`](#parameter-amount) | int | The total amount of cost or usage to track with the budget. | -| [`name`](#parameter-name) | string | The name of the budget. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`actionGroups`](#parameter-actiongroups) | array | List of action group resource IDs that will receive the alert. Required if neither `contactEmails` nor `contactEmails` was provided. | -| [`contactEmails`](#parameter-contactemails) | array | The list of email addresses to send the budget notification to when the thresholds are exceeded. Required if neither `contactRoles` nor `actionGroups` was provided. | -| [`contactRoles`](#parameter-contactroles) | array | The list of contact roles to send the budget notification to when the thresholds are exceeded. Required if neither `contactEmails` nor `actionGroups` was provided. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`category`](#parameter-category) | string | The category of the budget, whether the budget tracks cost or usage. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`endDate`](#parameter-enddate) | string | The end date for the budget. If not provided, it will default to 10 years from the start date. | -| [`location`](#parameter-location) | string | Location deployment metadata. | -| [`resetPeriod`](#parameter-resetperiod) | string | The time covered by a budget. Tracking of the amount will be reset based on the time grain. BillingMonth, BillingQuarter, and BillingAnnual are only supported by WD customers. | -| [`startDate`](#parameter-startdate) | string | The start date for the budget. Start date should be the first day of the month and cannot be in the past (except for the current month). 
| -| [`thresholds`](#parameter-thresholds) | array | Percent thresholds of budget for when to get a notification. Can be up to 5 thresholds, where each must be between 1 and 1000. | - -### Parameter: `amount` - -The total amount of cost or usage to track with the budget. - -- Required: Yes -- Type: int - -### Parameter: `name` - -The name of the budget. - -- Required: Yes -- Type: string - -### Parameter: `actionGroups` - -List of action group resource IDs that will receive the alert. Required if neither `contactEmails` nor `contactEmails` was provided. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `contactEmails` - -The list of email addresses to send the budget notification to when the thresholds are exceeded. Required if neither `contactRoles` nor `actionGroups` was provided. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `contactRoles` - -The list of contact roles to send the budget notification to when the thresholds are exceeded. Required if neither `contactEmails` nor `actionGroups` was provided. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `category` - -The category of the budget, whether the budget tracks cost or usage. - -- Required: No -- Type: string -- Default: `'Cost'` -- Allowed: - ```Bicep - [ - 'Cost' - 'Usage' - ] - ``` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `endDate` - -The end date for the budget. If not provided, it will default to 10 years from the start date. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `location` - -Location deployment metadata. - -- Required: No -- Type: string -- Default: `[deployment().location]` - -### Parameter: `resetPeriod` - -The time covered by a budget. Tracking of the amount will be reset based on the time grain. 
BillingMonth, BillingQuarter, and BillingAnnual are only supported by WD customers. - -- Required: No -- Type: string -- Default: `'Monthly'` -- Allowed: - ```Bicep - [ - 'Annually' - 'BillingAnnual' - 'BillingMonth' - 'BillingQuarter' - 'Monthly' - 'Quarterly' - ] - ``` - -### Parameter: `startDate` - -The start date for the budget. Start date should be the first day of the month and cannot be in the past (except for the current month). - -- Required: No -- Type: string -- Default: `[format('{0}-{1}-01T00:00:00Z', utcNow('yyyy'), utcNow('MM'))]` - -### Parameter: `thresholds` - -Percent thresholds of budget for when to get a notification. Can be up to 5 thresholds, where each must be between 1 and 1000. - -- Required: No -- Type: array -- Default: - ```Bicep - [ - 50 - 75 - 90 - 100 - 110 - ] - ``` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the budget. | -| `resourceId` | string | The resource ID of the budget. | -| `subscriptionName` | string | The subscription the budget was deployed into. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/consumption/budget/main.bicep b/modules/consumption/budget/main.bicep deleted file mode 100644 index 853e144964..0000000000 --- a/modules/consumption/budget/main.bicep +++ /dev/null 
@@ -1,111 +0,0 @@
-metadata name = 'Consumption Budgets'
-metadata description = 'This module deploys a Consumption Budget for Subscriptions.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'subscription'
-
-@description('Required. The name of the budget.')
-param name string
-
-@allowed([
- 'Cost'
- 'Usage'
-])
-@description('Optional. The category of the budget, whether the budget tracks cost or usage.')
-param category string = 'Cost'
-
-@description('Required. The total amount of cost or usage to track with the budget.')
-param amount int
-
-@allowed([
- 'Monthly'
- 'Quarterly'
- 'Annually'
- 'BillingMonth'
- 'BillingQuarter'
- 'BillingAnnual'
-])
-@description('Optional. The time covered by a budget. Tracking of the amount will be reset based on the time grain. BillingMonth, BillingQuarter, and BillingAnnual are only supported by WD customers.')
-param resetPeriod string = 'Monthly'
-
-@description('Optional. The start date for the budget. Start date should be the first day of the month and cannot be in the past (except for the current month).')
-param startDate string = '${utcNow('yyyy')}-${utcNow('MM')}-01T00:00:00Z'
-
-@description('Optional. The end date for the budget. If not provided, it will default to 10 years from the start date.')
-param endDate string = ''
-
-@maxLength(5)
-@description('Optional. Percent thresholds of budget for when to get a notification. Can be up to 5 thresholds, where each must be between 1 and 1000.')
-param thresholds array = [
- 50
- 75
- 90
- 100
- 110
-]
-
-@description('Conditional. The list of email addresses to send the budget notification to when the thresholds are exceeded. Required if neither `contactRoles` nor `actionGroups` was provided.')
-param contactEmails array = []
-
-@description('Conditional. The list of contact roles to send the budget notification to when the thresholds are exceeded.
Required if neither `contactEmails` nor `actionGroups` was provided.')
-param contactRoles array = []
-
-@description('Conditional. List of action group resource IDs that will receive the alert. Required if neither `contactEmails` nor `contactEmails` was provided.')
-param actionGroups array = []
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@sys.description('Optional. Location deployment metadata.')
-param location string = deployment().location
-
-var notificationsArray = [for threshold in thresholds: {
- 'Actual_GreaterThan_${threshold}_Percentage': {
- enabled: true
- operator: 'GreaterThan'
- threshold: threshold
- contactEmails: empty(contactEmails) ? null : array(contactEmails)
- contactRoles: empty(contactRoles) ? null : array(contactRoles)
- contactGroups: empty(actionGroups) ? null : array(actionGroups)
- thresholdType: 'Actual'
- }
-}]
-
-var notifications = json(replace(replace(replace(string(notificationsArray), '[{', '{'), '}]', '}'), '}},{', '},'))
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- location: location
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource budget 'Microsoft.Consumption/budgets@2021-10-01' = {
- name: name
- properties: {
- category: category
- amount: amount
- timeGrain: resetPeriod
- timePeriod: {
- startDate: startDate
- endDate: endDate
- }
- filter: {}
- notifications: notifications
- }
-}
-
-@description('The name of the budget.')
-output name string = budget.name
-
-@description('The resource ID of the budget.')
-output resourceId string = budget.id
-
-@description('The subscription the budget was deployed into.')
-output
subscriptionName string = subscription().displayName
diff --git a/modules/consumption/budget/main.json b/modules/consumption/budget/main.json
deleted file mode 100644
index 31a5523934..0000000000
--- a/modules/consumption/budget/main.json
+++ /dev/null
@@ -1,193 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10861664842554589267" - }, - "name": "Consumption Budgets", - "description": "This module deploys a Consumption Budget for Subscriptions.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the budget." - } - }, - "category": { - "type": "string", - "defaultValue": "Cost", - "allowedValues": [ - "Cost", - "Usage" - ], - "metadata": { - "description": "Optional. The category of the budget, whether the budget tracks cost or usage." - } - }, - "amount": { - "type": "int", - "metadata": { - "description": "Required. The total amount of cost or usage to track with the budget." - } - }, - "resetPeriod": { - "type": "string", - "defaultValue": "Monthly", - "allowedValues": [ - "Monthly", - "Quarterly", - "Annually", - "BillingMonth", - "BillingQuarter", - "BillingAnnual" - ], - "metadata": { - "description": "Optional. The time covered by a budget. Tracking of the amount will be reset based on the time grain. BillingMonth, BillingQuarter, and BillingAnnual are only supported by WD customers." - } - }, - "startDate": { - "type": "string", - "defaultValue": "[format('{0}-{1}-01T00:00:00Z', utcNow('yyyy'), utcNow('MM'))]", - "metadata": { - "description": "Optional. The start date for the budget. Start date should be the first day of the month and cannot be in the past (except for the current month)." - } - }, - "endDate": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The end date for the budget. If not provided, it will default to 10 years from the start date." 
- } - }, - "thresholds": { - "type": "array", - "defaultValue": [ - 50, - 75, - 90, - 100, - 110 - ], - "maxLength": 5, - "metadata": { - "description": "Optional. Percent thresholds of budget for when to get a notification. Can be up to 5 thresholds, where each must be between 1 and 1000." - } - }, - "contactEmails": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Conditional. The list of email addresses to send the budget notification to when the thresholds are exceeded. Required if neither `contactRoles` nor `actionGroups` was provided." - } - }, - "contactRoles": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Conditional. The list of contact roles to send the budget notification to when the thresholds are exceeded. Required if neither `contactEmails` nor `actionGroups` was provided." - } - }, - "actionGroups": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Conditional. List of action group resource IDs that will receive the alert. Required if neither `contactEmails` nor `contactEmails` was provided." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "notificationsArray", - "count": "[length(parameters('thresholds'))]", - "input": { - "[format('Actual_GreaterThan_{0}_Percentage', parameters('thresholds')[copyIndex('notificationsArray')])]": { - "enabled": true, - "operator": "GreaterThan", - "threshold": "[parameters('thresholds')[copyIndex('notificationsArray')]]", - "contactEmails": "[if(empty(parameters('contactEmails')), null(), array(parameters('contactEmails')))]", - "contactRoles": "[if(empty(parameters('contactRoles')), null(), array(parameters('contactRoles')))]", - "contactGroups": "[if(empty(parameters('actionGroups')), null(), array(parameters('actionGroups')))]", - "thresholdType": "Actual" - } - } - } - ], - "notifications": "[json(replace(replace(replace(string(variables('notificationsArray')), '[{', '{'), '}]', '}'), '}},{', '},'))]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Consumption/budgets", - "apiVersion": "2021-10-01", - "name": "[parameters('name')]", - "properties": { - "category": "[parameters('category')]", - "amount": "[parameters('amount')]", - "timeGrain": "[parameters('resetPeriod')]", - "timePeriod": { - "startDate": "[parameters('startDate')]", - "endDate": "[parameters('endDate')]" - }, - "filter": {}, - "notifications": "[variables('notifications')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the budget." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the budget." - }, - "value": "[subscriptionResourceId('Microsoft.Consumption/budgets', parameters('name'))]" - }, - "subscriptionName": { - "type": "string", - "metadata": { - "description": "The subscription the budget was deployed into." - }, - "value": "[subscription().displayName]" - } - } -} \ No newline at end of file diff --git a/modules/consumption/budget/tests/e2e/defaults/main.test.bicep b/modules/consumption/budget/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 44789640d2..0000000000 --- a/modules/consumption/budget/tests/e2e/defaults/main.test.bicep +++ /dev/null @@ -1,34 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using only defaults' -metadata description = 'This instance deploys the module with the minimum set of required parameters.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cbmin' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - name: '${uniqueString(deployment().name)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - amount: 500 - contactEmails: [ - 'dummy@contoso.com' - ] - } -}] 
diff --git a/modules/consumption/budget/tests/e2e/max/main.test.bicep b/modules/consumption/budget/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 15fa49855c..0000000000
--- a/modules/consumption/budget/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,41 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cbmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- amount: 500
- contactEmails: [
- 'dummy@contoso.com'
- ]
- thresholds: [
- 50
- 75
- 90
- 100
- 110
- ]
- }
-}]
diff --git a/modules/consumption/budget/tests/e2e/waf-aligned/main.test.bicep b/modules/consumption/budget/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 0d2260e7d8..0000000000
--- a/modules/consumption/budget/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,41 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cbwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- amount: 500
- contactEmails: [
- 'dummy@contoso.com'
- ]
- thresholds: [
- 50
- 75
- 90
- 100
- 110
- ]
- }
-}]
diff --git a/modules/consumption/budget/version.json b/modules/consumption/budget/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/consumption/budget/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/container-instance/container-group/README.md b/modules/container-instance/container-group/README.md
index 8e0da9832e..fdc19805ad 100644
--- a/modules/container-instance/container-group/README.md
+++ b/modules/container-instance/container-group/README.md
@@ -1,1469 +1,7 @@
-# Container Instances Container Groups `[Microsoft.ContainerInstance/containerGroups]`
+

⚠️ Moved to AVM ⚠️

-This module deploys a Container Instance Container Group. +**This module has been evolved into the following AVM module: [avm/res/container-instance/container-group](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/container-instance/container-group).** -## Navigation +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/container-instance/container-group). -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.ContainerInstance/containerGroups` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerInstance/2022-09-01/containerGroups) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/container-instance.container-group:1.0.0`. 
- -- [Using only defaults](#example-1-using-only-defaults) -- [Encr](#example-2-encr) -- [Using large parameter set](#example-3-using-large-parameter-set) -- [Private](#example-4-private) -- [WAF-aligned](#example-5-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cicgmin' - params: { - // Required parameters - containers: [ - { - name: 'az-aci-x-001' - properties: { - image: 'mcr.microsoft.com/azuredocs/aci-helloworld' - ports: [ - { - port: '443' - protocol: 'Tcp' - } - ] - resources: { - requests: { - cpu: 2 - memoryInGB: 2 - } - } - } - } - ] - name: 'cicgmin001' - // Non-required parameters - enableDefaultTelemetry: '' - ipAddressPorts: [ - { - port: 443 - protocol: 'Tcp' - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "containers": { - "value": [ - { - "name": "az-aci-x-001", - "properties": { - "image": "mcr.microsoft.com/azuredocs/aci-helloworld", - "ports": [ - { - "port": "443", - "protocol": "Tcp" - } - ], - "resources": { - "requests": { - "cpu": 2, - "memoryInGB": 2 - } - } - } - } - ] - }, - "name": { - "value": "cicgmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "ipAddressPorts": { - "value": [ - { - "port": 443, - "protocol": "Tcp" - } - ] - } - } -} -``` - -
-

- -### Example 2: _Encr_ - -

- -via Bicep module - -```bicep -module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cicgenc' - params: { - // Required parameters - containers: [ - { - name: 'az-aci-x-001' - properties: { - command: [] - environmentVariables: [] - image: 'mcr.microsoft.com/azuredocs/aci-helloworld' - ports: [ - { - port: '80' - protocol: 'Tcp' - } - { - port: '443' - protocol: 'Tcp' - } - ] - resources: { - requests: { - cpu: 2 - memoryInGB: 2 - } - } - } - } - { - name: 'az-aci-x-002' - properties: { - command: [] - environmentVariables: [] - image: 'mcr.microsoft.com/azuredocs/aci-helloworld' - ports: [ - { - port: '8080' - protocol: 'Tcp' - } - ] - resources: { - requests: { - cpu: 2 - memoryInGB: 2 - } - } - } - } - ] - name: 'cicgenc001' - // Non-required parameters - customerManagedKey: { - keyName: '' - keyVaultResourceId: '' - userAssignedIdentityResourceId: '' - } - enableDefaultTelemetry: '' - ipAddressPorts: [ - { - port: 80 - protocol: 'Tcp' - } - { - port: 443 - protocol: 'Tcp' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "containers": { - "value": [ - { - "name": "az-aci-x-001", - "properties": { - "command": [], - "environmentVariables": [], - "image": "mcr.microsoft.com/azuredocs/aci-helloworld", - "ports": [ - { - "port": "80", - "protocol": "Tcp" - }, - { - "port": "443", - "protocol": "Tcp" - } - ], - "resources": { - "requests": { - "cpu": 2, - "memoryInGB": 2 - } - } - } - }, - { - "name": "az-aci-x-002", - "properties": { - "command": [], - "environmentVariables": [], - "image": "mcr.microsoft.com/azuredocs/aci-helloworld", - "ports": [ - { - "port": "8080", - "protocol": "Tcp" - } - ], - "resources": { - "requests": { - "cpu": 2, - "memoryInGB": 2 - } - } - } - } - ] - }, - "name": { - "value": "cicgenc001" - }, - // Non-required parameters - "customerManagedKey": { - "value": { - "keyName": "", - "keyVaultResourceId": "", - "userAssignedIdentityResourceId": "" - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "ipAddressPorts": { - "value": [ - { - "port": 80, - "protocol": "Tcp" - }, - { - "port": 443, - "protocol": "Tcp" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cicgmax' - params: { - // Required parameters - containers: [ - { - name: 'az-aci-x-001' - properties: { - command: [] - environmentVariables: [] - image: 'mcr.microsoft.com/azuredocs/aci-helloworld' - ports: [ - { - port: '80' - protocol: 'Tcp' - } - { - port: '443' - protocol: 'Tcp' - } - ] - resources: { - requests: { - cpu: 2 - memoryInGB: 2 - } - } - } - } - { - name: 'az-aci-x-002' - properties: { - command: [] - environmentVariables: [] - image: 'mcr.microsoft.com/azuredocs/aci-helloworld' - ports: [ - { - port: '8080' - protocol: 'Tcp' - } - ] - resources: { - requests: { - cpu: 2 - memoryInGB: 2 - } - } - } - } - ] - name: 'cicgmax001' - // Non-required parameters - enableDefaultTelemetry: '' - ipAddressPorts: [ - { - port: 80 - protocol: 'Tcp' - } - { - port: 443 - protocol: 'Tcp' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "containers": { - "value": [ - { - "name": "az-aci-x-001", - "properties": { - "command": [], - "environmentVariables": [], - "image": "mcr.microsoft.com/azuredocs/aci-helloworld", - "ports": [ - { - "port": "80", - "protocol": "Tcp" - }, - { - "port": "443", - "protocol": "Tcp" - } - ], - "resources": { - "requests": { - "cpu": 2, - "memoryInGB": 2 - } - } - } - }, - { - "name": "az-aci-x-002", - "properties": { - "command": [], - "environmentVariables": [], - "image": "mcr.microsoft.com/azuredocs/aci-helloworld", - "ports": [ - { - "port": "8080", - "protocol": "Tcp" - } - ], - "resources": { - "requests": { - "cpu": 2, - "memoryInGB": 2 - } - } - } - } - ] - }, - "name": { - "value": "cicgmax001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "ipAddressPorts": { - "value": [ - { - "port": 80, - "protocol": "Tcp" - }, - { - "port": 443, - "protocol": "Tcp" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 4: _Private_ - -

- -via Bicep module - -```bicep -module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cicgprivate' - params: { - // Required parameters - containers: [ - { - name: 'az-aci-x-001' - properties: { - command: [] - environmentVariables: [] - image: 'mcr.microsoft.com/azuredocs/aci-helloworld' - ports: [ - { - port: '80' - protocol: 'Tcp' - } - { - port: '443' - protocol: 'Tcp' - } - ] - resources: { - requests: { - cpu: 2 - memoryInGB: 4 - } - } - volumeMounts: [ - { - mountPath: '/mnt/empty' - name: 'my-name' - } - ] - } - } - { - name: 'az-aci-x-002' - properties: { - command: [] - environmentVariables: [] - image: 'mcr.microsoft.com/azuredocs/aci-helloworld' - ports: [ - { - port: '8080' - protocol: 'Tcp' - } - ] - resources: { - requests: { - cpu: 2 - memoryInGB: 2 - } - } - } - } - ] - name: 'cicgprivate001' - // Non-required parameters - enableDefaultTelemetry: '' - ipAddressPorts: [ - { - port: 80 - protocol: 'Tcp' - } - { - port: 443 - protocol: 'Tcp' - } - { - port: '8080' - protocol: 'Tcp' - } - ] - ipAddressType: 'Private' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - subnetId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - volumes: [ - { - emptyDir: {} - name: 'my-name' - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "containers": { - "value": [ - { - "name": "az-aci-x-001", - "properties": { - "command": [], - "environmentVariables": [], - "image": "mcr.microsoft.com/azuredocs/aci-helloworld", - "ports": [ - { - "port": "80", - "protocol": "Tcp" - }, - { - "port": "443", - "protocol": "Tcp" - } - ], - "resources": { - "requests": { - "cpu": 2, - "memoryInGB": 4 - } - }, - "volumeMounts": [ - { - "mountPath": "/mnt/empty", - "name": "my-name" - } - ] - } - }, - { - "name": "az-aci-x-002", - "properties": { - "command": [], - "environmentVariables": [], - "image": "mcr.microsoft.com/azuredocs/aci-helloworld", - "ports": [ - { - "port": "8080", - "protocol": "Tcp" - } - ], - "resources": { - "requests": { - "cpu": 2, - "memoryInGB": 2 - } - } - } - } - ] - }, - "name": { - "value": "cicgprivate001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "ipAddressPorts": { - "value": [ - { - "port": 80, - "protocol": "Tcp" - }, - { - "port": 443, - "protocol": "Tcp" - }, - { - "port": "8080", - "protocol": "Tcp" - } - ] - }, - "ipAddressType": { - "value": "Private" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "subnetId": { - "value": "" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "volumes": { - "value": [ - { - "emptyDir": {}, - "name": "my-name" - } - ] - } - } -} -``` - -
-

- -### Example 5: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cicgwaf' - params: { - // Required parameters - containers: [ - { - name: 'az-aci-x-001' - properties: { - command: [] - environmentVariables: [] - image: 'mcr.microsoft.com/azuredocs/aci-helloworld' - ports: [ - { - port: '80' - protocol: 'Tcp' - } - { - port: '443' - protocol: 'Tcp' - } - ] - resources: { - requests: { - cpu: 2 - memoryInGB: 2 - } - } - } - } - { - name: 'az-aci-x-002' - properties: { - command: [] - environmentVariables: [] - image: 'mcr.microsoft.com/azuredocs/aci-helloworld' - ports: [ - { - port: '8080' - protocol: 'Tcp' - } - ] - resources: { - requests: { - cpu: 2 - memoryInGB: 2 - } - } - } - } - ] - name: 'cicgwaf001' - // Non-required parameters - enableDefaultTelemetry: '' - ipAddressPorts: [ - { - port: 80 - protocol: 'Tcp' - } - { - port: 443 - protocol: 'Tcp' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "containers": { - "value": [ - { - "name": "az-aci-x-001", - "properties": { - "command": [], - "environmentVariables": [], - "image": "mcr.microsoft.com/azuredocs/aci-helloworld", - "ports": [ - { - "port": "80", - "protocol": "Tcp" - }, - { - "port": "443", - "protocol": "Tcp" - } - ], - "resources": { - "requests": { - "cpu": 2, - "memoryInGB": 2 - } - } - } - }, - { - "name": "az-aci-x-002", - "properties": { - "command": [], - "environmentVariables": [], - "image": "mcr.microsoft.com/azuredocs/aci-helloworld", - "ports": [ - { - "port": "8080", - "protocol": "Tcp" - } - ], - "resources": { - "requests": { - "cpu": 2, - "memoryInGB": 2 - } - } - } - } - ] - }, - "name": { - "value": "cicgwaf001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "ipAddressPorts": { - "value": [ - { - "port": 80, - "protocol": "Tcp" - }, - { - "port": 443, - "protocol": "Tcp" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`containers`](#parameter-containers) | array | The containers and their respective config within the container group. | -| [`name`](#parameter-name) | string | Name for the container group. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`ipAddressPorts`](#parameter-ipaddressports) | array | Ports to open on the public IP address. Must include all ports assigned on container level. Required if `ipAddressType` is set to `public`. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`autoGeneratedDomainNameLabelScope`](#parameter-autogenerateddomainnamelabelscope) | string | Specify level of protection of the domain name label. | -| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition. | -| [`dnsNameLabel`](#parameter-dnsnamelabel) | string | The Dns name label for the resource. | -| [`dnsNameServers`](#parameter-dnsnameservers) | array | List of dns servers used by the containers for lookups. | -| [`dnsSearchDomains`](#parameter-dnssearchdomains) | string | DNS search domain which will be appended to each DNS lookup. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`imageRegistryCredentials`](#parameter-imageregistrycredentials) | array | The image registry credentials by which the container group is created from. | -| [`initContainers`](#parameter-initcontainers) | array | A list of container definitions which will be executed before the application container starts. | -| [`ipAddressType`](#parameter-ipaddresstype) | string | Specifies if the IP is exposed to the public internet or private VNET. - Public or Private. | -| [`location`](#parameter-location) | string | Location for all Resources. 
| -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`osType`](#parameter-ostype) | string | The operating system type required by the containers in the container group. - Windows or Linux. | -| [`restartPolicy`](#parameter-restartpolicy) | string | Restart policy for all containers within the container group. - Always: Always restart. OnFailure: Restart on failure. Never: Never restart. - Always, OnFailure, Never. | -| [`sku`](#parameter-sku) | string | The container group SKU. | -| [`subnetId`](#parameter-subnetid) | string | Resource ID of the subnet. Only specify when ipAddressType is Private. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`volumes`](#parameter-volumes) | array | Specify if volumes (emptyDir, AzureFileShare or GitRepo) shall be attached to your containergroup. | - -### Parameter: `containers` - -The containers and their respective config within the container group. - -- Required: Yes -- Type: array - -### Parameter: `name` - -Name for the container group. - -- Required: Yes -- Type: string - -### Parameter: `ipAddressPorts` - -Ports to open on the public IP address. Must include all ports assigned on container level. Required if `ipAddressType` is set to `public`. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `autoGeneratedDomainNameLabelScope` - -Specify level of protection of the domain name label. - -- Required: No -- Type: string -- Default: `'TenantReuse'` -- Allowed: - ```Bicep - [ - 'Noreuse' - 'ResourceGroupReuse' - 'SubscriptionReuse' - 'TenantReuse' - 'Unsecure' - ] - ``` - -### Parameter: `customerManagedKey` - -The customer managed key definition. 
- -- Required: No -- Type: object - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. | -| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | -| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | - -### Parameter: `customerManagedKey.keyName` - -The name of the customer managed key to use for encryption. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKey.keyVaultResourceId` - -The resource ID of a key vault to reference a customer managed key for encryption from. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKey.keyVersion` - -The version of the customer managed key to reference for encryption. If not provided, using 'latest'. - -- Required: No -- Type: string - -### Parameter: `customerManagedKey.userAssignedIdentityResourceId` - -User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. - -- Required: No -- Type: string - -### Parameter: `dnsNameLabel` - -The Dns name label for the resource. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `dnsNameServers` - -List of dns servers used by the containers for lookups. 
- -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `dnsSearchDomains` - -DNS search domain which will be appended to each DNS lookup. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `imageRegistryCredentials` - -The image registry credentials by which the container group is created from. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `initContainers` - -A list of container definitions which will be executed before the application container starts. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `ipAddressType` - -Specifies if the IP is exposed to the public internet or private VNET. - Public or Private. - -- Required: No -- Type: string -- Default: `'Public'` -- Allowed: - ```Bicep - [ - 'Private' - 'Public' - ] - ``` - -### Parameter: `location` - -Location for all Resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. 
- -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: No -- Type: array - -### Parameter: `osType` - -The operating system type required by the containers in the container group. - Windows or Linux. - -- Required: No -- Type: string -- Default: `'Linux'` - -### Parameter: `restartPolicy` - -Restart policy for all containers within the container group. - Always: Always restart. OnFailure: Restart on failure. Never: Never restart. - Always, OnFailure, Never. - -- Required: No -- Type: string -- Default: `'Always'` -- Allowed: - ```Bicep - [ - 'Always' - 'Never' - 'OnFailure' - ] - ``` - -### Parameter: `sku` - -The container group SKU. - -- Required: No -- Type: string -- Default: `'Standard'` -- Allowed: - ```Bicep - [ - 'Dedicated' - 'Standard' - ] - ``` - -### Parameter: `subnetId` - -Resource ID of the subnet. Only specify when ipAddressType is Private. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `volumes` - -Specify if volumes (emptyDir, AzureFileShare or GitRepo) shall be attached to your containergroup. - -- Required: No -- Type: array -- Default: `[]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `iPv4Address` | string | The IPv4 address of the container group. 
| -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the container group. | -| `resourceGroupName` | string | The resource group the container group was deployed into. | -| `resourceId` | string | The resource ID of the container group. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `imageRegistryCredentials` - -The image registry credentials by which the container group is created from. - -

- -Parameter JSON format - -```json -"imageRegistryCredentials": { - "value": [ - { - "server": "sxxazacrx001.azurecr.io", - "username": "sxxazacrx001" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -imageRegistryCredentials: [ - { - server: 'sxxazacrx001.azurecr.io' - username: 'sxxazacrx001' - } -] -``` - -
-

- -### Parameter Usage: `autoGeneratedDomainNameLabelScope` - -DNS name reuse is convenient for DevOps within any modern company. The idea of redeploying an application by reusing the DNS name fulfills an on-demand philosophy that secures cloud development. Therefore, it's important to note that DNS names that are available to anyone become a problem when one customer releases a name only to have that same name taken by another customer. This is called subdomain takeover. A customer releases a resource using a particular name, and another customer creates a new resource with that same DNS name. If there were any records pointing to the old resource, they now also point to the new resource. - -This field can only be used when the `ipAddressType` is set to `Public`. - -Allowed values are: -| Policy name | Policy definition | | | | -|--------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---|---|---| -| unsecure | Hash will be generated based on only the DNS name. Avoiding subdomain takeover is not guaranteed if another customer uses the same DNS name. | | | | -| tenantReuse | Default Hash will be generated based on the DNS name and the tenant ID. Object's domain name label can be reused within the same tenant. | | | | -| subscriptionReuse | Hash will be generated based on the DNS name and the tenant ID and subscription ID. Object's domain name label can be reused within the same subscription. | | | | -| resourceGroupReuse | Hash will be generated based on the DNS name and the tenant ID, subscription ID, and resource group name. Object's domain name label can be reused within the same resource group. | | | | -| noReuse | Hash will not be generated. Object's domain label can't be reused within resource group, subscription, or tenant. | | | | - -

- -Parameter JSON format - -```json -"autoGeneratedDomainNameLabelScope": { - "value": "Unsecure" - }, -``` - -
- -
- -Bicep format - -```bicep -autoGeneratedDomainNameLabelScope: 'Unsecure' -``` - -
-

- -### Parameter Usage: `volumes` - -By default, Azure Container Instances are stateless. If the container is restarted, crashes, or stops, all of its state is lost. To persist state beyond the lifetime of the container, you must mount a volume from an external store. Currently, Azure volume mounting is only supported on a linux based image. - -You can mount: - -- an Azure File Share (make sure the storage account has a service endpoint when running the container in private mode!) -- a secret -- a GitHub Repository -- an empty local directory - -

- -Parameter JSON format - -```json -"volumes": [ - { - "azureFile": { - "readOnly": "bool", - "shareName": "string", - "storageAccountKey": "string", - "storageAccountName": "string" - }, - "emptyDir": {}, - "gitRepo": { - "directory": "string", - "repository": "string", - "revision": "string" - }, - "name": "string", - "secret": {} - } - ] -``` - -
- -
- -Bicep format - -```bicep -volumes: [ - { - azureFile: { - readOnly: bool - shareName: 'string' - storageAccountKey: 'string' - storageAccountName: 'string' - } - emptyDir: any() - gitRepo: { - directory: 'string' - repository: 'string' - revision: 'string' - } - name: 'string' - secret: {} - } - ] -``` - -
-

+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/container-instance/container-group/main.bicep b/modules/container-instance/container-group/main.bicep
deleted file mode 100644
index bb632fbba5..0000000000
--- a/modules/container-instance/container-group/main.bicep
+++ /dev/null
@@ -1,218 +0,0 @@ -metadata name = 'Container Instances Container Groups' -metadata description = 'This module deploys a Container Instance Container Group.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. Name for the container group.') -param name string - -@description('Required. The containers and their respective config within the container group.') -param containers array - -@description('Conditional. Ports to open on the public IP address. Must include all ports assigned on container level. Required if `ipAddressType` is set to `public`.') -param ipAddressPorts array = [] - -@description('Optional. The operating system type required by the containers in the container group. - Windows or Linux.') -param osType string = 'Linux' - -@allowed([ - 'Always' - 'OnFailure' - 'Never' -]) -@description('Optional. Restart policy for all containers within the container group. - Always: Always restart. OnFailure: Restart on failure. Never: Never restart. - Always, OnFailure, Never.') -param restartPolicy string = 'Always' - -@allowed([ - 'Public' - 'Private' -]) -@description('Optional. Specifies if the IP is exposed to the public internet or private VNET. - Public or Private.') -param ipAddressType string = 'Public' - -@description('Optional. The image registry credentials by which the container group is created from.') -param imageRegistryCredentials array = [] - -@description('Optional. Location for all Resources.') -param location string = resourceGroup().location - -@allowed([ - 'Noreuse' - 'ResourceGroupReuse' - 'SubscriptionReuse' - 'TenantReuse' - 'Unsecure' -]) -@description('Optional. Specify level of protection of the domain name label.') -param autoGeneratedDomainNameLabelScope string = 'TenantReuse' - -@description('Optional. The Dns name label for the resource.') -param dnsNameLabel string = '' - -@description('Optional. 
List of dns servers used by the containers for lookups.') -param dnsNameServers array = [] - -@description('Optional. DNS search domain which will be appended to each DNS lookup.') -param dnsSearchDomains string = '' - -@description('Optional. A list of container definitions which will be executed before the application container starts.') -param initContainers array = [] - -@description('Optional. Resource ID of the subnet. Only specify when ipAddressType is Private.') -param subnetId string = '' - -@description('Optional. Specify if volumes (emptyDir, AzureFileShare or GitRepo) shall be attached to your containergroup.') -param volumes array = [] - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. The managed identity definition for this resource.') -param managedIdentities managedIdentitiesType - -@description('Optional. Tags of the resource.') -param tags object? - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. The container group SKU.') -@allowed([ - 'Dedicated' - 'Standard' -]) -param sku string = 'Standard' - -@description('Optional. The customer managed key definition.') -param customerManagedKey customerManagedKeyType - -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } - -var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) - userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? 
formattedUserAssignedIdentities : null -} : null - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) { - name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/')) - scope: resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4]) - - resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) { - name: customerManagedKey.?keyName ?? 'dummyKey' - } -} - -resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) { - name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 'dummyMsi', '/')) - scope: resourceGroup(split((customerManagedKey.?userAssignedIdentityResourceId ?? '//'), '/')[2], split((customerManagedKey.?userAssignedIdentityResourceId ?? '////'), '/')[4]) -} - -resource containergroup 'Microsoft.ContainerInstance/containerGroups@2022-09-01' = { - name: name - location: location - identity: identity - tags: tags - properties: union({ - containers: containers - encryptionProperties: !empty(customerManagedKey) ? { - identity: !empty(customerManagedKey.?userAssignedIdentityResourceId ?? '') ? cMKUserAssignedIdentity.id : null - keyName: customerManagedKey!.keyName - keyVersion: !empty(customerManagedKey.?keyVersion ?? '') ? 
customerManagedKey!.keyVersion : last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/')) - vaultBaseUrl: cMKKeyVault.properties.vaultUri - } : null - imageRegistryCredentials: imageRegistryCredentials - initContainers: initContainers - restartPolicy: restartPolicy - osType: osType - ipAddress: { - type: ipAddressType - autoGeneratedDomainNameLabelScope: !empty(dnsNameServers) ? autoGeneratedDomainNameLabelScope : null - dnsNameLabel: dnsNameLabel - ports: ipAddressPorts - } - sku: sku - subnetIds: !empty(subnetId) ? [ - { - id: subnetId - } - ] : null - volumes: volumes - }, !empty(dnsNameServers) ? { - dnsConfig: { - nameServers: dnsNameServers - searchDomains: dnsSearchDomains - } - } : {}) -} - -resource containergroup_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' - } - scope: containergroup -} - -@description('The name of the container group.') -output name string = containergroup.name - -@description('The resource ID of the container group.') -output resourceId string = containergroup.id - -@description('The resource group the container group was deployed into.') -output resourceGroupName string = resourceGroup().name - -@description('The IPv4 address of the container group.') -output iPv4Address string = containergroup.properties.ipAddress.ip - -@description('The principal ID of the system assigned identity.') -output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(containergroup.identity, 'principalId') ? 
containergroup.identity.principalId : '' - -@description('The location the resource was deployed into.') -output location string = containergroup.location - -// =============== // -// Definitions // -// =============== // - -type managedIdentitiesType = { - @description('Optional. Enables system assigned managed identity on the resource.') - systemAssigned: bool? - - @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourceIds: string[]? -}? - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type customerManagedKeyType = { - @description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.') - keyVaultResourceId: string - - @description('Required. The name of the customer managed key to use for encryption.') - keyName: string - - @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.') - keyVersion: string? - - @description('Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use.') - userAssignedIdentityResourceId: string? -}? diff --git a/modules/container-instance/container-group/main.json b/modules/container-instance/container-group/main.json deleted file mode 100644 index d62ed5361c..0000000000 --- a/modules/container-instance/container-group/main.json +++ /dev/null 
@@ -1,382 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "943190617690035013" - }, - "name": "Container Instances Container Groups", - "description": "This module deploys a Container Instance Container Group.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "customerManagedKeyType": { - "type": "object", - "properties": { - "keyVaultResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." - } - }, - "keyName": { - "type": "string", - "metadata": { - "description": "Required. The name of the customer managed key to use for encryption." - } - }, - "keyVersion": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." 
- } - }, - "userAssignedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use." - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name for the container group." - } - }, - "containers": { - "type": "array", - "metadata": { - "description": "Required. The containers and their respective config within the container group." - } - }, - "ipAddressPorts": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Conditional. Ports to open on the public IP address. Must include all ports assigned on container level. Required if `ipAddressType` is set to `public`." - } - }, - "osType": { - "type": "string", - "defaultValue": "Linux", - "metadata": { - "description": "Optional. The operating system type required by the containers in the container group. - Windows or Linux." - } - }, - "restartPolicy": { - "type": "string", - "defaultValue": "Always", - "allowedValues": [ - "Always", - "OnFailure", - "Never" - ], - "metadata": { - "description": "Optional. Restart policy for all containers within the container group. - Always: Always restart. OnFailure: Restart on failure. Never: Never restart. - Always, OnFailure, Never." - } - }, - "ipAddressType": { - "type": "string", - "defaultValue": "Public", - "allowedValues": [ - "Public", - "Private" - ], - "metadata": { - "description": "Optional. Specifies if the IP is exposed to the public internet or private VNET. - Public or Private." - } - }, - "imageRegistryCredentials": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The image registry credentials by which the container group is created from." 
- } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "autoGeneratedDomainNameLabelScope": { - "type": "string", - "defaultValue": "TenantReuse", - "allowedValues": [ - "Noreuse", - "ResourceGroupReuse", - "SubscriptionReuse", - "TenantReuse", - "Unsecure" - ], - "metadata": { - "description": "Optional. Specify level of protection of the domain name label." - } - }, - "dnsNameLabel": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The Dns name label for the resource." - } - }, - "dnsNameServers": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of dns servers used by the containers for lookups." - } - }, - "dnsSearchDomains": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. DNS search domain which will be appended to each DNS lookup." - } - }, - "initContainers": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. A list of container definitions which will be executed before the application container starts." - } - }, - "subnetId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the subnet. Only specify when ipAddressType is Private." - } - }, - "volumes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specify if volumes (emptyDir, AzureFileShare or GitRepo) shall be attached to your containergroup." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." 
- } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "sku": { - "type": "string", - "defaultValue": "Standard", - "allowedValues": [ - "Dedicated", - "Standard" - ], - "metadata": { - "description": "Optional. The container group SKU." - } - }, - "customerManagedKey": { - "$ref": "#/definitions/customerManagedKeyType", - "metadata": { - "description": "Optional. The customer managed key definition." - } - } - }, - "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]" - }, - "resources": { - "cMKKeyVault::cMKKey": { - "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults/keys", 
- "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", - "dependsOn": [ - "cMKKeyVault" - ] - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "cMKKeyVault": { - "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" - }, - "cMKUserAssignedIdentity": { - "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')))]", - "existing": true, - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2023-01-31", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2]]", - "resourceGroup": 
"[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" - }, - "containergroup": { - "type": "Microsoft.ContainerInstance/containerGroups", - "apiVersion": "2022-09-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "identity": "[variables('identity')]", - "tags": "[parameters('tags')]", - "properties": "[union(createObject('containers', parameters('containers'), 'encryptionProperties', if(not(empty(parameters('customerManagedKey'))), createObject('identity', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), ''))), extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))), null()), 'keyName', parameters('customerManagedKey').keyName, 'keyVersion', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), parameters('customerManagedKey').keyVersion, last(split(reference('cMKKeyVault::cMKKey').keyUriWithVersion, '/'))), 'vaultBaseUrl', reference('cMKKeyVault').vaultUri), null()), 'imageRegistryCredentials', parameters('imageRegistryCredentials'), 'initContainers', parameters('initContainers'), 'restartPolicy', parameters('restartPolicy'), 'osType', parameters('osType'), 'ipAddress', createObject('type', parameters('ipAddressType'), 'autoGeneratedDomainNameLabelScope', if(not(empty(parameters('dnsNameServers'))), parameters('autoGeneratedDomainNameLabelScope'), null()), 'dnsNameLabel', 
parameters('dnsNameLabel'), 'ports', parameters('ipAddressPorts')), 'sku', parameters('sku'), 'subnetIds', if(not(empty(parameters('subnetId'))), createArray(createObject('id', parameters('subnetId'))), null()), 'volumes', parameters('volumes')), if(not(empty(parameters('dnsNameServers'))), createObject('dnsConfig', createObject('nameServers', parameters('dnsNameServers'), 'searchDomains', parameters('dnsSearchDomains'))), createObject()))]", - "dependsOn": [ - "cMKKeyVault", - "cMKUserAssignedIdentity" - ] - }, - "containergroup_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.ContainerInstance/containerGroups/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "containergroup" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the container group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the container group." - }, - "value": "[resourceId('Microsoft.ContainerInstance/containerGroups', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the container group was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "iPv4Address": { - "type": "string", - "metadata": { - "description": "The IPv4 address of the container group." 
- }, - "value": "[reference('containergroup').ipAddress.ip]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('containergroup', '2022-09-01', 'full').identity, 'principalId')), reference('containergroup', '2022-09-01', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('containergroup', '2022-09-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/container-instance/container-group/tests/e2e/defaults/main.test.bicep b/modules/container-instance/container-group/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index d8bb8445fd..0000000000 --- a/modules/container-instance/container-group/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,75 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-containerinstance.containergroups-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cicgmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- containers: [
- {
- name: '${namePrefix}-az-aci-x-001'
- properties: {
- image: 'mcr.microsoft.com/azuredocs/aci-helloworld'
- ports: [
- {
- port: '443'
- protocol: 'Tcp'
- }
- ]
- resources: {
- requests: {
- cpu: 2
- memoryInGB: 2
- }
- }
- }
- }
- ]
- ipAddressPorts: [
- {
- protocol: 'Tcp'
- port: 443
- }
- ]
- }
-}]
diff --git a/modules/container-instance/container-group/tests/e2e/encr/dependencies.bicep b/modules/container-instance/container-group/tests/e2e/encr/dependencies.bicep
deleted file mode 100644
index 465dc8e415..0000000000
--- a/modules/container-instance/container-group/tests/e2e/encr/dependencies.bicep
+++ /dev/null
@@ -1,60 +0,0 @@
-@description('Required. The name of the managed identity to create.')
-param managedIdentityName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Key Vault to create.')
-@minLength(3)
-@maxLength(24)
-param keyVaultName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: true // Required by batch account
- softDeleteRetentionInDays: 7
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-
- resource key 'keys@2022-07-01' = {
- name: 'keyEncryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-}
-
-resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key Vault Crypto Service Encryption User')
- scope: keyVault
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User. Allows Keys: get, list, wrap key, unwrap key
- principalType: 'ServicePrincipal'
- }
-}
-
-@description('The resource ID of the created managed identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
-
-@description('The name of the Key Vault Encryption Key.')
-output keyVaultEncryptionKeyName string = keyVault::key.name
diff --git a/modules/container-instance/container-group/tests/e2e/encr/main.test.bicep b/modules/container-instance/container-group/tests/e2e/encr/main.test.bicep
deleted file mode 100644
index 661a32df6f..0000000000
--- a/modules/container-instance/container-group/tests/e2e/encr/main.test.bicep
+++ /dev/null
@@ -1,135 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-containerinstance.containergroups-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cicgenc' - -@description('Generated. Used as a basis for unique resource names.') -param baseTime string = utcNow('u') - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: 
enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - containers: [ - { - name: '${namePrefix}-az-aci-x-001' - properties: { - command: [] - environmentVariables: [] - image: 'mcr.microsoft.com/azuredocs/aci-helloworld' - ports: [ - { - port: '80' - protocol: 'Tcp' - } - { - port: '443' - protocol: 'Tcp' - } - ] - resources: { - requests: { - cpu: 2 - memoryInGB: 2 - } - } - } - } - { - name: '${namePrefix}-az-aci-x-002' - properties: { - command: [] - environmentVariables: [] - image: 'mcr.microsoft.com/azuredocs/aci-helloworld' - ports: [ - { - port: '8080' - protocol: 'Tcp' - } - ] - resources: { - requests: { - cpu: 2 - memoryInGB: 2 - } - } - } - } - ] - ipAddressPorts: [ - { - protocol: 'Tcp' - port: 80 - } - { - protocol: 'Tcp' - port: 443 - } - ] - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - } - customerManagedKey: { - keyName: nestedDependencies.outputs.keyVaultEncryptionKeyName - keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - userAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/container-instance/container-group/tests/e2e/max/dependencies.bicep b/modules/container-instance/container-group/tests/e2e/max/dependencies.bicep deleted file mode 100644 index 66dc10c2f2..0000000000 --- a/modules/container-instance/container-group/tests/e2e/max/dependencies.bicep +++ /dev/null 
@@ -1,13 +0,0 @@
-@description('Required. The name of the managed identity to create.')
-param managedIdentityName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created managed identity.')
-output managedIdentityResourceId string = managedIdentity.id
diff --git a/modules/container-instance/container-group/tests/e2e/max/main.test.bicep b/modules/container-instance/container-group/tests/e2e/max/main.test.bicep
deleted file mode 100644
index cf13c2ed38..0000000000
--- a/modules/container-instance/container-group/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,128 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-containerinstance.containergroups-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cicgmax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - containers: [ - { - name: '${namePrefix}-az-aci-x-001' - properties: 
{ - command: [] - environmentVariables: [] - image: 'mcr.microsoft.com/azuredocs/aci-helloworld' - ports: [ - { - port: '80' - protocol: 'Tcp' - } - { - port: '443' - protocol: 'Tcp' - } - ] - resources: { - requests: { - cpu: 2 - memoryInGB: 2 - } - } - } - } - { - name: '${namePrefix}-az-aci-x-002' - properties: { - command: [] - environmentVariables: [] - image: 'mcr.microsoft.com/azuredocs/aci-helloworld' - ports: [ - { - port: '8080' - protocol: 'Tcp' - } - ] - resources: { - requests: { - cpu: 2 - memoryInGB: 2 - } - } - } - } - ] - ipAddressPorts: [ - { - protocol: 'Tcp' - port: 80 - } - { - protocol: 'Tcp' - port: 443 - } - ] - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/container-instance/container-group/tests/e2e/private/dependencies.bicep b/modules/container-instance/container-group/tests/e2e/private/dependencies.bicep deleted file mode 100644 index 4b89b7a4bd..0000000000 --- a/modules/container-instance/container-group/tests/e2e/private/dependencies.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-@description('Required. The name of the managed identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-var addressPrefix = '10.0.0.0/16'
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- delegations: [
- {
- name: 'Microsoft.ContainerInstance.containerGroups'
- properties: {
- serviceName: 'Microsoft.ContainerInstance/containerGroups'
- }
- }
- ]
- }
- }
- ]
- }
-}
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
diff --git a/modules/container-instance/container-group/tests/e2e/private/main.test.bicep b/modules/container-instance/container-group/tests/e2e/private/main.test.bicep
deleted file mode 100644
index 31b7606b89..0000000000
--- a/modules/container-instance/container-group/tests/e2e/private/main.test.bicep
+++ /dev/null
@@ -1,144 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-containerinstance.containergroups-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cicgprivate' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - containers: [ - { - name: '${namePrefix}-az-aci-x-001' - properties: { - command: [] - environmentVariables: [] - image: 
'mcr.microsoft.com/azuredocs/aci-helloworld' - ports: [ - { - port: '80' - protocol: 'Tcp' - } - { - port: '443' - protocol: 'Tcp' - } - ] - resources: { - requests: { - cpu: 2 - memoryInGB: 4 - } - } - volumeMounts: [ - { - name: 'my-name' - mountPath: '/mnt/empty' - } - ] - } - } - { - name: '${namePrefix}-az-aci-x-002' - properties: { - command: [] - environmentVariables: [] - image: 'mcr.microsoft.com/azuredocs/aci-helloworld' - ports: [ - { - port: '8080' - protocol: 'Tcp' - } - ] - resources: { - requests: { - cpu: 2 - memoryInGB: 2 - } - } - } - } - ] - ipAddressType: 'Private' - ipAddressPorts: [ - { - protocol: 'Tcp' - port: 80 - } - { - protocol: 'Tcp' - port: 443 - } - { - protocol: 'Tcp' - port: '8080' - } - ] - subnetId: nestedDependencies.outputs.subnetResourceId - volumes: [ - { - emptyDir: {} - name: 'my-name' - } - ] - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/container-instance/container-group/tests/e2e/waf-aligned/dependencies.bicep b/modules/container-instance/container-group/tests/e2e/waf-aligned/dependencies.bicep deleted file mode 100644 index 66dc10c2f2..0000000000 --- a/modules/container-instance/container-group/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null @@ -1,13 +0,0 @@ -@description('Required. The name of the managed identity to create.') -param managedIdentityName string - -@description('Optional. The location to deploy resources to.') -param location string = resourceGroup().location - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -@description('The resource ID of the created managed identity.') -output managedIdentityResourceId string = managedIdentity.id 
diff --git a/modules/container-instance/container-group/tests/e2e/waf-aligned/main.test.bicep b/modules/container-instance/container-group/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index cba1ba2b00..0000000000
--- a/modules/container-instance/container-group/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,128 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-containerinstance.containergroups-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cicgwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - containers: [ - { - name: 
'${namePrefix}-az-aci-x-001' - properties: { - command: [] - environmentVariables: [] - image: 'mcr.microsoft.com/azuredocs/aci-helloworld' - ports: [ - { - port: '80' - protocol: 'Tcp' - } - { - port: '443' - protocol: 'Tcp' - } - ] - resources: { - requests: { - cpu: 2 - memoryInGB: 2 - } - } - } - } - { - name: '${namePrefix}-az-aci-x-002' - properties: { - command: [] - environmentVariables: [] - image: 'mcr.microsoft.com/azuredocs/aci-helloworld' - ports: [ - { - port: '8080' - protocol: 'Tcp' - } - ] - resources: { - requests: { - cpu: 2 - memoryInGB: 2 - } - } - } - } - ] - ipAddressPorts: [ - { - protocol: 'Tcp' - port: 80 - } - { - protocol: 'Tcp' - port: 443 - } - ] - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/container-instance/container-group/version.json b/modules/container-instance/container-group/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/container-instance/container-group/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/container-registry/registry/MOVED-TO-AVM.md b/modules/container-registry/registry/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/container-registry/registry/MOVED-TO-AVM.md +++ /dev/null @@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). 
diff --git a/modules/container-registry/registry/README.md b/modules/container-registry/registry/README.md index df58ea2139..3b0353cbf8 100644 --- a/modules/container-registry/registry/README.md +++ b/modules/container-registry/registry/README.md @@ -1,1656 +1,7 @@ -# Azure Container Registries (ACR) `[Microsoft.ContainerRegistry/registries]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/container-registry/registry](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/container-registry/registry).** -This module deploys an Azure Container Registry (ACR). +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/container-registry/registry). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.ContainerRegistry/registries` | [2023-06-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerRegistry/registries) | -| `Microsoft.ContainerRegistry/registries/cacheRules` | [2023-06-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerRegistry/registries/cacheRules) | -| `Microsoft.ContainerRegistry/registries/replications` | [2023-06-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerRegistry/registries/replications) | -| `Microsoft.ContainerRegistry/registries/webhooks` | 
[2023-06-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerRegistry/registries/webhooks) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/container-registry.registry:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Encr](#example-2-encr) -- [Using large parameter set](#example-3-using-large-parameter-set) -- [Pe](#example-4-pe) -- [WAF-aligned](#example-5-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-crrmin' - params: { - // Required parameters - name: 'crrmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "crrmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Encr_ - -

- -via Bicep module - -```bicep -module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-crrencr' - params: { - // Required parameters - name: 'crrencr001' - // Non-required parameters - acrSku: 'Premium' - customerManagedKey: { - keyName: '' - keyVaultResourceId: '' - userAssignedIdentityResourceId: '' - } - enableDefaultTelemetry: '' - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - publicNetworkAccess: 'Disabled' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "crrencr001" - }, - // Non-required parameters - "acrSku": { - "value": "Premium" - }, - "customerManagedKey": { - "value": { - "keyName": "", - "keyVaultResourceId": "", - "userAssignedIdentityResourceId": "" - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "publicNetworkAccess": { - "value": "Disabled" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-crrmax' - params: { - // Required parameters - name: 'crrmax001' - // Non-required parameters - acrAdminUserEnabled: false - acrSku: 'Premium' - azureADAuthenticationAsArmPolicyStatus: 'enabled' - cacheRules: [ - { - name: 'customRule' - sourceRepository: 'docker.io/library/hello-world' - targetRepository: 'cached-docker-hub/hello-world' - } - { - sourceRepository: 'docker.io/library/hello-world' - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - exportPolicyStatus: 'enabled' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - networkRuleSetIpRules: [ - { - action: 'Allow' - value: '40.74.28.0/23' - } - ] - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'registry' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - quarantinePolicyStatus: 'enabled' - replications: [ - { - location: '' - name: '' - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - softDeletePolicyDays: 7 - softDeletePolicyStatus: 'disabled' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - trustPolicyStatus: 
'enabled' - webhooks: [ - { - name: 'acrx001webhook' - serviceUri: 'https://www.contoso.com/webhook' - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "crrmax001" - }, - // Non-required parameters - "acrAdminUserEnabled": { - "value": false - }, - "acrSku": { - "value": "Premium" - }, - "azureADAuthenticationAsArmPolicyStatus": { - "value": "enabled" - }, - "cacheRules": { - "value": [ - { - "name": "customRule", - "sourceRepository": "docker.io/library/hello-world", - "targetRepository": "cached-docker-hub/hello-world" - }, - { - "sourceRepository": "docker.io/library/hello-world" - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "exportPolicyStatus": { - "value": "enabled" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "networkRuleSetIpRules": { - "value": [ - { - "action": "Allow", - "value": "40.74.28.0/23" - } - ] - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "registry", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "quarantinePolicyStatus": { - "value": "enabled" - }, - "replications": { - "value": [ - { - "location": "", - "name": "" - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", 
- "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "softDeletePolicyDays": { - "value": 7 - }, - "softDeletePolicyStatus": { - "value": "disabled" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "trustPolicyStatus": { - "value": "enabled" - }, - "webhooks": { - "value": [ - { - "name": "acrx001webhook", - "serviceUri": "https://www.contoso.com/webhook" - } - ] - } - } -} -``` - -
-

- -### Example 4: _Pe_ - -

- -via Bicep module - -```bicep -module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-crrpe' - params: { - // Required parameters - name: 'crrpe001' - // Non-required parameters - acrSku: 'Premium' - enableDefaultTelemetry: '' - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "crrpe001" - }, - // Non-required parameters - "acrSku": { - "value": "Premium" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 5: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-crrwaf' - params: { - // Required parameters - name: 'crrwaf001' - // Non-required parameters - acrAdminUserEnabled: false - acrSku: 'Premium' - azureADAuthenticationAsArmPolicyStatus: 'enabled' - cacheRules: [ - { - name: 'customRule' - sourceRepository: 'docker.io/library/hello-world' - targetRepository: 'cached-docker-hub/hello-world' - } - { - sourceRepository: 'docker.io/library/hello-world' - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - exportPolicyStatus: 'enabled' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - networkRuleSetIpRules: [ - { - action: 'Allow' - value: '40.74.28.0/23' - } - ] - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'registry' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - quarantinePolicyStatus: 'enabled' - replications: [ - { - location: '' - name: '' - } - ] - softDeletePolicyDays: 7 - softDeletePolicyStatus: 'disabled' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - trustPolicyStatus: 'enabled' - webhooks: [ - { - name: 'acrx001webhook' - serviceUri: 'https://www.contoso.com/webhook' - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "crrwaf001" - }, - // Non-required parameters - "acrAdminUserEnabled": { - "value": false - }, - "acrSku": { - "value": "Premium" - }, - "azureADAuthenticationAsArmPolicyStatus": { - "value": "enabled" - }, - "cacheRules": { - "value": [ - { - "name": "customRule", - "sourceRepository": "docker.io/library/hello-world", - "targetRepository": "cached-docker-hub/hello-world" - }, - { - "sourceRepository": "docker.io/library/hello-world" - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "exportPolicyStatus": { - "value": "enabled" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "networkRuleSetIpRules": { - "value": [ - { - "action": "Allow", - "value": "40.74.28.0/23" - } - ] - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "registry", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "quarantinePolicyStatus": { - "value": "enabled" - }, - "replications": { - "value": [ - { - "location": "", - "name": "" - } - ] - }, - "softDeletePolicyDays": { - "value": 7 - }, - "softDeletePolicyStatus": { - "value": "disabled" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the 
resource name", - "Role": "DeploymentValidation" - } - }, - "trustPolicyStatus": { - "value": "enabled" - }, - "webhooks": { - "value": [ - { - "name": "acrx001webhook", - "serviceUri": "https://www.contoso.com/webhook" - } - ] - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of your Azure container registry. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`acrAdminUserEnabled`](#parameter-acradminuserenabled) | bool | Enable admin user that have push / pull permission to the registry. | -| [`acrSku`](#parameter-acrsku) | string | Tier of your Azure container registry. | -| [`anonymousPullEnabled`](#parameter-anonymouspullenabled) | bool | Enables registry-wide pull from unauthenticated clients. It's in preview and available in the Standard and Premium service tiers. | -| [`azureADAuthenticationAsArmPolicyStatus`](#parameter-azureadauthenticationasarmpolicystatus) | string | The value that indicates whether the policy for using ARM audience token for a container registr is enabled or not. Default is enabled. | -| [`cacheRules`](#parameter-cacherules) | array | Array of Cache Rules. Note: This is a preview feature ([ref](https://learn.microsoft.com/en-us/azure/container-registry/tutorial-registry-cache#cache-for-acr-preview)). | -| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition. | -| [`dataEndpointEnabled`](#parameter-dataendpointenabled) | bool | Enable a single data endpoint per region for serving data. Not relevant in case of disabled public access. Note, requires the 'acrSku' to be 'Premium'. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`exportPolicyStatus`](#parameter-exportpolicystatus) | string | The value that indicates whether the export policy is enabled or not. | -| [`location`](#parameter-location) | string | Location for all resources. 
| -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`networkRuleBypassOptions`](#parameter-networkrulebypassoptions) | string | Whether to allow trusted Azure services to access a network restricted registry. | -| [`networkRuleSetDefaultAction`](#parameter-networkrulesetdefaultaction) | string | The default action of allow or deny when no other rules match. | -| [`networkRuleSetIpRules`](#parameter-networkrulesetiprules) | array | The IP ACL rules. Note, requires the 'acrSku' to be 'Premium'. | -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Note, requires the 'acrSku' to be 'Premium'. | -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkRuleSetIpRules are not set. Note, requires the 'acrSku' to be 'Premium'. | -| [`quarantinePolicyStatus`](#parameter-quarantinepolicystatus) | string | The value that indicates whether the quarantine policy is enabled or not. | -| [`replications`](#parameter-replications) | array | All replications to create. | -| [`retentionPolicyDays`](#parameter-retentionpolicydays) | int | The number of days to retain an untagged manifest after which it gets purged. | -| [`retentionPolicyStatus`](#parameter-retentionpolicystatus) | string | The value that indicates whether the retention policy is enabled or not. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. 
| -| [`softDeletePolicyDays`](#parameter-softdeletepolicydays) | int | The number of days after which a soft-deleted item is permanently deleted. | -| [`softDeletePolicyStatus`](#parameter-softdeletepolicystatus) | string | Soft Delete policy status. Default is disabled. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`trustPolicyStatus`](#parameter-trustpolicystatus) | string | The value that indicates whether the trust policy is enabled or not. | -| [`webhooks`](#parameter-webhooks) | array | All webhooks to create. | -| [`zoneRedundancy`](#parameter-zoneredundancy) | string | Whether or not zone redundancy is enabled for this container registry. | - -### Parameter: `name` - -Name of your Azure container registry. - -- Required: Yes -- Type: string - -### Parameter: `acrAdminUserEnabled` - -Enable admin user that have push / pull permission to the registry. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `acrSku` - -Tier of your Azure container registry. - -- Required: No -- Type: string -- Default: `'Basic'` -- Allowed: - ```Bicep - [ - 'Basic' - 'Premium' - 'Standard' - ] - ``` - -### Parameter: `anonymousPullEnabled` - -Enables registry-wide pull from unauthenticated clients. It's in preview and available in the Standard and Premium service tiers. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `azureADAuthenticationAsArmPolicyStatus` - -The value that indicates whether the policy for using ARM audience token for a container registr is enabled or not. Default is enabled. - -- Required: No -- Type: string -- Default: `'enabled'` -- Allowed: - ```Bicep - [ - 'disabled' - 'enabled' - ] - ``` - -### Parameter: `cacheRules` - -Array of Cache Rules. Note: This is a preview feature ([ref](https://learn.microsoft.com/en-us/azure/container-registry/tutorial-registry-cache#cache-for-acr-preview)). 
- -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `customerManagedKey` - -The customer managed key definition. - -- Required: No -- Type: object - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. | -| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | -| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | - -### Parameter: `customerManagedKey.keyName` - -The name of the customer managed key to use for encryption. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKey.keyVaultResourceId` - -The resource ID of a key vault to reference a customer managed key for encryption from. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKey.keyVersion` - -The version of the customer managed key to reference for encryption. If not provided, using 'latest'. - -- Required: No -- Type: string - -### Parameter: `customerManagedKey.userAssignedIdentityResourceId` - -User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. - -- Required: No -- Type: string - -### Parameter: `dataEndpointEnabled` - -Enable a single data endpoint per region for serving data. Not relevant in case of disabled public access. 
Note, requires the 'acrSku' to be 'Premium'. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. 
| -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.metricCategories`
-
-The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
-
-- Required: No
-- Type: array
-
-### Parameter: `diagnosticSettings.name`
-
-The name of diagnostic setting.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.storageAccountResourceId`
-
-Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.workspaceResourceId`
-
-Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-
-- Required: No
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `exportPolicyStatus`
-
-The value that indicates whether the export policy is enabled or not.
-
-- Required: No
-- Type: string
-- Default: `'disabled'`
-- Allowed:
- ```Bicep
- [
- 'disabled'
- 'enabled'
- ]
- ```
-
-### Parameter: `location`
-
-Location for all resources.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-### Parameter: `lock`
-
-The lock settings of the service.
-
-- Required: No
-- Type: object
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`kind`](#parameter-lockkind) | string | Specify the type of lock. |
-| [`name`](#parameter-lockname) | string | Specify the name of lock. |
-
-### Parameter: `lock.kind`
-
-Specify the type of lock.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'CanNotDelete'
- 'None'
- 'ReadOnly'
- ]
- ```
-
-### Parameter: `lock.name`
-
-Specify the name of lock.
-
-- Required: No
-- Type: string
-
-### Parameter: `managedIdentities`
-
-The managed identity definition for this resource.
-
-- Required: No
-- Type: object
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. |
-| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. |
-
-### Parameter: `managedIdentities.systemAssigned`
-
-Enables system assigned managed identity on the resource.
-
-- Required: No
-- Type: bool
-
-### Parameter: `managedIdentities.userAssignedResourceIds`
-
-The resource ID(s) to assign to the resource.
-
-- Required: No
-- Type: array
-
-### Parameter: `networkRuleBypassOptions`
-
-Whether to allow trusted Azure services to access a network restricted registry.
-
-- Required: No
-- Type: string
-- Default: `'AzureServices'`
-- Allowed:
- ```Bicep
- [
- 'AzureServices'
- 'None'
- ]
- ```
-
-### Parameter: `networkRuleSetDefaultAction`
-
-The default action of allow or deny when no other rules match.
-
-- Required: No
-- Type: string
-- Default: `'Deny'`
-- Allowed:
- ```Bicep
- [
- 'Allow'
- 'Deny'
- ]
- ```
-
-### Parameter: `networkRuleSetIpRules`
-
-The IP ACL rules. Note, requires the 'acrSku' to be 'Premium'.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `privateEndpoints`
-
-Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Note, requires the 'acrSku' to be 'Premium'.
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. 
A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.subnetResourceId` - -Resource ID of the subnet where the endpoint needs to be created. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Application security groups in which the private endpoint IP configuration is included. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customDnsConfigs` - -Custom DNS configurations. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customNetworkInterfaceName` - -The custom name of the network interface attached to the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.enableTelemetry` - -Enable/Disable usage telemetry for module. - -- Required: No -- Type: bool - -### Parameter: `privateEndpoints.ipConfigurations` - -A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.location` - -The location to deploy the private endpoint to. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.lock` - -Specify the type of lock. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | -| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. 
| - -### Parameter: `privateEndpoints.lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `privateEndpoints.lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` - -Manual PrivateLink Service Connections. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.name` - -The name of the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneGroupName` - -The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` - -The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `privateEndpoints.roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. 
-
-- Required: No
-- Type: string
-
-### Parameter: `privateEndpoints.roleAssignments.description`
-
-The description of the role assignment.
-
-- Required: No
-- Type: string
-
-### Parameter: `privateEndpoints.roleAssignments.principalType`
-
-The principal type of the assigned principal ID.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Device'
- 'ForeignGroup'
- 'Group'
- 'ServicePrincipal'
- 'User'
- ]
- ```
-
-### Parameter: `privateEndpoints.service`
-
-The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".
-
-- Required: No
-- Type: string
-
-### Parameter: `privateEndpoints.tags`
-
-Tags to be applied on all resources/resource groups in this deployment.
-
-- Required: No
-- Type: object
-
-### Parameter: `publicNetworkAccess`
-
-Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkRuleSetIpRules are not set. Note, requires the 'acrSku' to be 'Premium'.
-
-- Required: No
-- Type: string
-- Default: `''`
-- Allowed:
- ```Bicep
- [
- ''
- 'Disabled'
- 'Enabled'
- ]
- ```
-
-### Parameter: `quarantinePolicyStatus`
-
-The value that indicates whether the quarantine policy is enabled or not.
-
-- Required: No
-- Type: string
-- Default: `'disabled'`
-- Allowed:
- ```Bicep
- [
- 'disabled'
- 'enabled'
- ]
- ```
-
-### Parameter: `replications`
-
-All replications to create.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `retentionPolicyDays`
-
-The number of days to retain an untagged manifest after which it gets purged.
-
-- Required: No
-- Type: int
-- Default: `15`
-
-### Parameter: `retentionPolicyStatus`
-
-The value that indicates whether the retention policy is enabled or not.
- -- Required: No -- Type: string -- Default: `'enabled'` -- Allowed: - ```Bicep - [ - 'disabled' - 'enabled' - ] - ``` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `softDeletePolicyDays` - -The number of days after which a soft-deleted item is permanently deleted. - -- Required: No -- Type: int -- Default: `7` - -### Parameter: `softDeletePolicyStatus` - -Soft Delete policy status. Default is disabled. - -- Required: No -- Type: string -- Default: `'disabled'` -- Allowed: - ```Bicep - [ - 'disabled' - 'enabled' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `trustPolicyStatus` - -The value that indicates whether the trust policy is enabled or not. 
- -- Required: No -- Type: string -- Default: `'disabled'` -- Allowed: - ```Bicep - [ - 'disabled' - 'enabled' - ] - ``` - -### Parameter: `webhooks` - -All webhooks to create. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `zoneRedundancy` - -Whether or not zone redundancy is enabled for this container registry. - -- Required: No -- Type: string -- Default: `'Disabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `loginServer` | string | The reference to the Azure container registry. | -| `name` | string | The Name of the Azure container registry. | -| `resourceGroupName` | string | The name of the Azure container registry. | -| `resourceId` | string | The resource ID of the Azure container registry. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `modules/network/private-endpoint` | Local reference | +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/container-registry/registry/cache-rules/README.md b/modules/container-registry/registry/cache-rules/README.md deleted file mode 100644 index 9e9dd03dda..0000000000 --- a/modules/container-registry/registry/cache-rules/README.md +++ /dev/null 
@@ -1,93 +0,0 @@
-# Container Registries Cache `[Microsoft.ContainerRegistry/registries/cacheRules]`
-
-Cache for Azure Container Registry (Preview) feature allows users to cache container images in a private container registry. Cache for ACR, is a preview feature available in Basic, Standard, and Premium service tiers ([ref](https://learn.microsoft.com/en-us/azure/container-registry/tutorial-registry-cache)).
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.ContainerRegistry/registries/cacheRules` | [2023-06-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerRegistry/registries/cacheRules) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`registryName`](#parameter-registryname) | string | The name of the parent registry. Required if the template is used in a standalone deployment. |
-| [`sourceRepository`](#parameter-sourcerepository) | string | Source repository pulled from upstream. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`credentialSetResourceId`](#parameter-credentialsetresourceid) | string | The resource ID of the credential store which is associated with the cache rule. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`name`](#parameter-name) | string | The name of the cache rule. Will be dereived from the source repository name if not defined. |
-| [`targetRepository`](#parameter-targetrepository) | string | Target repository specified in docker pull command. E.g.: docker pull myregistry.azurecr.io/{targetRepository}:{tag}. |
-
-### Parameter: `registryName`
-
-The name of the parent registry. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `sourceRepository`
-
-Source repository pulled from upstream.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `credentialSetResourceId`
-
-The resource ID of the credential store which is associated with the cache rule.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `name`
-
-The name of the cache rule. Will be dereived from the source repository name if not defined.
-
-- Required: No
-- Type: string
-- Default: `[replace(replace(parameters('sourceRepository'), '/', '-'), '.', '-')]`
-
-### Parameter: `targetRepository`
-
-Target repository specified in docker pull command. E.g.: docker pull myregistry.azurecr.io/{targetRepository}:{tag}.
-
-- Required: No
-- Type: string
-- Default: `[parameters('sourceRepository')]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The Name of the Cache Rule. |
-| `resourceGroupName` | string | The name of the Cache Rule. |
-| `resourceId` | string | The resource ID of the Cache Rule. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/container-registry/registry/cache-rules/main.bicep b/modules/container-registry/registry/cache-rules/main.bicep
deleted file mode 100644
index 7b263e5407..0000000000
--- a/modules/container-registry/registry/cache-rules/main.bicep
+++ /dev/null
@@ -1,56 +0,0 @@
-metadata name = 'Container Registries Cache'
-metadata description = 'Cache for Azure Container Registry (Preview) feature allows users to cache container images in a private container registry. Cache for ACR, is a preview feature available in Basic, Standard, and Premium service tiers ([ref](https://learn.microsoft.com/en-us/azure/container-registry/tutorial-registry-cache)).'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the parent registry. Required if the template is used in a standalone deployment.')
-param registryName string
-
-@description('Optional. The name of the cache rule. Will be dereived from the source repository name if not defined.')
-param name string = replace(replace(sourceRepository, '/', '-'), '.', '-')
-
-@description('Required. Source repository pulled from upstream.')
-param sourceRepository string
-
-@description('Optional. Target repository specified in docker pull command. E.g.: docker pull myregistry.azurecr.io/{targetRepository}:{tag}.')
-param targetRepository string = sourceRepository
-
-@description('Optional. The resource ID of the credential store which is associated with the cache rule.')
-param credentialSetResourceId string = ''
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource registry 'Microsoft.ContainerRegistry/registries@2023-06-01-preview' existing = {
- name: registryName
-}
-
-resource cacheRule 'Microsoft.ContainerRegistry/registries/cacheRules@2023-06-01-preview' = {
- name: name
- parent: registry
- properties: {
- sourceRepository: sourceRepository
- targetRepository: targetRepository
- credentialSetResourceId: !empty(credentialSetResourceId) ? credentialSetResourceId : null
- }
-}
-
-@description('The Name of the Cache Rule.')
-output name string = cacheRule.name
-
-@description('The name of the Cache Rule.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The resource ID of the Cache Rule.')
-output resourceId string = cacheRule.id
diff --git a/modules/container-registry/registry/cache-rules/main.json b/modules/container-registry/registry/cache-rules/main.json
deleted file mode 100644
index e4224727b4..0000000000
--- a/modules/container-registry/registry/cache-rules/main.json
+++ /dev/null
@@ -1,105 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9350283035071510554" - }, - "name": "Container Registries Cache", - "description": "Cache for Azure Container Registry (Preview) feature allows users to cache container images in a private container registry. Cache for ACR, is a preview feature available in Basic, Standard, and Premium service tiers ([ref](https://learn.microsoft.com/en-us/azure/container-registry/tutorial-registry-cache)).", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "registryName": { - "type": "string", - "metadata": { - "description": "Required. The name of the parent registry. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "[replace(replace(parameters('sourceRepository'), '/', '-'), '.', '-')]", - "metadata": { - "description": "Optional. The name of the cache rule. Will be dereived from the source repository name if not defined." - } - }, - "sourceRepository": { - "type": "string", - "metadata": { - "description": "Required. Source repository pulled from upstream." - } - }, - "targetRepository": { - "type": "string", - "defaultValue": "[parameters('sourceRepository')]", - "metadata": { - "description": "Optional. Target repository specified in docker pull command. E.g.: docker pull myregistry.azurecr.io/{targetRepository}:{tag}." - } - }, - "credentialSetResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of the credential store which is associated with the cache rule." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ContainerRegistry/registries/cacheRules", - "apiVersion": "2023-06-01-preview", - "name": "[format('{0}/{1}', parameters('registryName'), parameters('name'))]", - "properties": { - "sourceRepository": "[parameters('sourceRepository')]", - "targetRepository": "[parameters('targetRepository')]", - "credentialSetResourceId": "[if(not(empty(parameters('credentialSetResourceId'))), parameters('credentialSetResourceId'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The Name of the Cache Rule." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Cache Rule." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Cache Rule." - }, - "value": "[resourceId('Microsoft.ContainerRegistry/registries/cacheRules', parameters('registryName'), parameters('name'))]" - } - } -} \ No newline at end of file diff --git a/modules/container-registry/registry/cache-rules/version.json b/modules/container-registry/registry/cache-rules/version.json deleted file mode 100644 index cceb46e9bf..0000000000 --- a/modules/container-registry/registry/cache-rules/version.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "1.0", - "pathFilters": [ - "./main.json", - "./metadata.json" - ] -} 
diff --git a/modules/container-registry/registry/main.bicep b/modules/container-registry/registry/main.bicep
deleted file mode 100644
index ff38067ac0..0000000000
--- a/modules/container-registry/registry/main.bicep
+++ /dev/null
@@ -1,543 +0,0 @@
-metadata name = 'Azure Container Registries (ACR)'
-metadata description = 'This module deploys an Azure Container Registry (ACR).'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of your Azure container registry.')
-@minLength(5)
-@maxLength(50)
-param name string
-
-@description('Optional. Enable admin user that have push / pull permission to the registry.')
-param acrAdminUserEnabled bool = false
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Tier of your Azure container registry.')
-@allowed([
- 'Basic'
- 'Premium'
- 'Standard'
-])
-param acrSku string = 'Basic'
-
-@allowed([
- 'disabled'
- 'enabled'
-])
-@description('Optional. The value that indicates whether the export policy is enabled or not.')
-param exportPolicyStatus string = 'disabled'
-
-@allowed([
- 'disabled'
- 'enabled'
-])
-@description('Optional. The value that indicates whether the quarantine policy is enabled or not.')
-param quarantinePolicyStatus string = 'disabled'
-
-@allowed([
- 'disabled'
- 'enabled'
-])
-@description('Optional. The value that indicates whether the trust policy is enabled or not.')
-param trustPolicyStatus string = 'disabled'
-
-@allowed([
- 'disabled'
- 'enabled'
-])
-@description('Optional. The value that indicates whether the retention policy is enabled or not.')
-param retentionPolicyStatus string = 'enabled'
-
-@description('Optional. The number of days to retain an untagged manifest after which it gets purged.')
-param retentionPolicyDays int = 15
-
-@allowed([
- 'disabled'
- 'enabled'
-])
-@description('Optional. The value that indicates whether the policy for using ARM audience token for a container registr is enabled or not. Default is enabled.')
-param azureADAuthenticationAsArmPolicyStatus string = 'enabled'
-
-@allowed([
- 'disabled'
- 'enabled'
-])
-@description('Optional. Soft Delete policy status. Default is disabled.')
-param softDeletePolicyStatus string = 'disabled'
-
-@description('Optional. The number of days after which a soft-deleted item is permanently deleted.')
-param softDeletePolicyDays int = 7
-
-@description('Optional. Enable a single data endpoint per region for serving data. Not relevant in case of disabled public access. Note, requires the \'acrSku\' to be \'Premium\'.')
-param dataEndpointEnabled bool = false
-
-@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkRuleSetIpRules are not set. Note, requires the \'acrSku\' to be \'Premium\'.')
-@allowed([
- ''
- 'Enabled'
- 'Disabled'
-])
-param publicNetworkAccess string = ''
-
-@allowed([
- 'AzureServices'
- 'None'
-])
-@description('Optional. Whether to allow trusted Azure services to access a network restricted registry.')
-param networkRuleBypassOptions string = 'AzureServices'
-
-@allowed([
- 'Allow'
- 'Deny'
-])
-@description('Optional. The default action of allow or deny when no other rules match.')
-param networkRuleSetDefaultAction string = 'Deny'
-
-@description('Optional. The IP ACL rules. Note, requires the \'acrSku\' to be \'Premium\'.')
-param networkRuleSetIpRules array = []
-
-@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Note, requires the \'acrSku\' to be \'Premium\'.')
-param privateEndpoints privateEndpointType
-
-@allowed([
- 'Disabled'
- 'Enabled'
-])
-@description('Optional. Whether or not zone redundancy is enabled for this container registry.')
-param zoneRedundancy string = 'Disabled'
-
-@description('Optional. All replications to create.')
-param replications array = []
-
-@description('Optional. All webhooks to create.')
-param webhooks array = []
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. Enables registry-wide pull from unauthenticated clients. It\'s in preview and available in the Standard and Premium service tiers.')
-param anonymousPullEnabled bool = false
-
-@description('Optional. The customer managed key definition.')
-param customerManagedKey customerManagedKeyType
-
-@description('Optional. Array of Cache Rules. Note: This is a preview feature ([ref](https://learn.microsoft.com/en-us/azure/container-registry/tutorial-registry-cache#cache-for-acr-preview)).')
-param cacheRules array = []
-
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-
-var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
- userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
-} : null
-
-var enableReferencedModulesTelemetry = false
-
-var builtInRoleNames = {
- AcrDelete: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')
- AcrImageSigner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6cef56e8-d556-48e5-a04f-b8e64114680f')
- AcrPull: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
- AcrPush: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8311e382-0749-4cb8-b61a-304f252e45ec')
- AcrQuarantineReader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'cdda3590-29a3-44f6-95f2-9f980659eb04')
- AcrQuarantineWriter: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) {
- name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/'))
- scope: resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4])
-
- resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) {
- name: customerManagedKey.?keyName ?? 'dummyKey'
- }
-}
-
-resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) {
- name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 'dummyMsi', '/'))
- scope: resourceGroup(split((customerManagedKey.?userAssignedIdentityResourceId ?? '//'), '/')[2], split((customerManagedKey.?userAssignedIdentityResourceId ?? '////'), '/')[4])
-}
-
-resource registry 'Microsoft.ContainerRegistry/registries@2023-06-01-preview' = {
- name: name
- location: location
- identity: identity
- tags: tags
- sku: {
- name: acrSku
- }
- properties: {
- anonymousPullEnabled: anonymousPullEnabled
- adminUserEnabled: acrAdminUserEnabled
- encryption: !empty(customerManagedKey) ? {
- status: 'enabled'
- keyVaultProperties: {
- identity: !empty(customerManagedKey.?userAssignedIdentityResourceId ?? '') ? cMKUserAssignedIdentity.properties.clientId : null
- keyIdentifier: !empty(customerManagedKey.?keyVersion ?? '') ? '${cMKKeyVault::cMKKey.properties.keyUri}/${customerManagedKey!.keyVersion}' : cMKKeyVault::cMKKey.properties.keyUriWithVersion
- }
- } : null
- policies: {
- azureADAuthenticationAsArmPolicy: {
- status: azureADAuthenticationAsArmPolicyStatus
- }
- exportPolicy: acrSku == 'Premium' ? {
- status: exportPolicyStatus
- } : null
- quarantinePolicy: {
- status: quarantinePolicyStatus
- }
- trustPolicy: {
- type: 'Notary'
- status: trustPolicyStatus
- }
- retentionPolicy: acrSku == 'Premium' ? {
- days: retentionPolicyDays
- status: retentionPolicyStatus
- } : null
- softDeletePolicy: {
- retentionDays: softDeletePolicyDays
- status: softDeletePolicyStatus
- }
- }
- dataEndpointEnabled: dataEndpointEnabled
- publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) && empty(networkRuleSetIpRules) ? 'Disabled' : null)
- networkRuleBypassOptions: networkRuleBypassOptions
- networkRuleSet: !empty(networkRuleSetIpRules) ? {
- defaultAction: networkRuleSetDefaultAction
- ipRules: networkRuleSetIpRules
- } : null
- zoneRedundancy: acrSku == 'Premium' ? zoneRedundancy : null
- }
-}
-
-module registry_replications 'replication/main.bicep' = [for (replication, index) in replications: {
- name: '${uniqueString(deployment().name, location)}-Registry-Replication-${index}'
- params: {
- name: replication.name
- registryName: registry.name
- location: replication.location
- regionEndpointEnabled: contains(replication, 'regionEndpointEnabled') ? replication.regionEndpointEnabled : true
- zoneRedundancy: contains(replication, 'zoneRedundancy') ? replication.zoneRedundancy : 'Disabled'
- tags: replication.?tags ?? tags
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module registry_cacheRules 'cache-rules/main.bicep' = [for (cacheRule, index) in cacheRules: {
- name: '${uniqueString(deployment().name, location)}-Registry-Cache-${index}'
- params: {
- registryName: registry.name
- sourceRepository: cacheRule.sourceRepository
- name: contains(cacheRule, 'name') ? cacheRule.name : replace(replace(cacheRule.sourceRepository, '/', '-'), '.', '-')
- targetRepository: contains(cacheRule, 'targetRepository') ? cacheRule.targetRepository : cacheRule.sourceRepository
- credentialSetResourceId: contains(cacheRule, 'credentialSetResourceId') ? cacheRule.credentialSetResourceId : ''
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module registry_webhooks 'webhook/main.bicep' = [for (webhook, index) in webhooks: {
- name: '${uniqueString(deployment().name, location)}-Registry-Webhook-${index}'
- params: {
- name: webhook.name
- registryName: registry.name
- location: contains(webhook, 'location') ? webhook.location : location
- action: contains(webhook, 'action') ? webhook.action : [
- 'chart_delete'
- 'chart_push'
- 'delete'
- 'push'
- 'quarantine'
- ]
- customHeaders: contains(webhook, 'customHeaders') ? webhook.customHeaders : {}
- scope: contains(webhook, 'scope') ? webhook.scope : ''
- status: contains(webhook, 'status') ? webhook.status : 'enabled'
- serviceUri: webhook.serviceUri
- tags: webhook.?tags ?? tags
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-resource registry_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: registry
-}
-
-resource registry_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: registry
-}]
-
-resource registry_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(registry.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: registry
-}]
-
-module registry_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
- name: '${uniqueString(deployment().name, location)}-registry-PrivateEndpoint-${index}'
- params: {
- groupIds: [
- privateEndpoint.?service ?? 'registry'
- ]
- name: privateEndpoint.?name ?? 'pep-${last(split(registry.id, '/'))}-${privateEndpoint.?service ?? 'registry'}-${index}'
- serviceResourceId: registry.id
- subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
- location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
- privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
- roleAssignments: privateEndpoint.?roleAssignments
- tags: privateEndpoint.?tags ?? tags
- manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
- customDnsConfigs: privateEndpoint.?customDnsConfigs
- ipConfigurations: privateEndpoint.?ipConfigurations
- applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
- customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
- }
-}]
-
-@description('The Name of the Azure container registry.')
-output name string = registry.name
-
-@description('The reference to the Azure container registry.')
-output loginServer string = reference(registry.id, '2019-05-01').loginServer
-
-@description('The name of the Azure container registry.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The resource ID of the Azure container registry.')
-output resourceId string = registry.id
-
-@description('The principal ID of the system assigned identity.')
-output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(registry.identity, 'principalId') ? registry.identity.principalId : ''
-
-@description('The location the resource was deployed into.')
-output location string = registry.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]?
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type privateEndpointType = {
- @description('Optional. The name of the private endpoint.')
- name: string?
-
- @description('Optional. The location to deploy the private endpoint to.')
- location: string?
-
- @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
- service: string?
-
- @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
- subnetResourceId: string
-
- @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
- privateDnsZoneGroupName: string?
-
- @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
- privateDnsZoneResourceIds: string[]?
-
- @description('Optional. Custom DNS configurations.')
- customDnsConfigs: {
- @description('Required. Fqdn that resolves to private endpoint ip address.')
- fqdn: string?
-
- @description('Required. A list of private ip addresses of the private endpoint.')
- ipAddresses: string[]
- }[]?
-
- @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
- ipConfigurations: {
- @description('Required. The name of the resource that is unique within a resource group.')
- name: string
-
- @description('Required. Properties of private endpoint IP configurations.')
- properties: {
- @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
- groupId: string
-
- @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
- memberName: string
-
- @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
- privateIPAddress: string
- }
- }[]?
-
- @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
- applicationSecurityGroupResourceIds: string[]?
-
- @description('Optional. The custom name of the network interface attached to the private endpoint.')
- customNetworkInterfaceName: string?
-
- @description('Optional. Specify the type of lock.')
- lock: lockType
-
- @description('Optional. Array of role assignments to create.')
- roleAssignments: roleAssignmentType
-
- @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
- tags: object?
-
- @description('Optional. Manual PrivateLink Service Connections.')
- manualPrivateLinkServiceConnections: array?
-
- @description('Optional. Enable/Disable usage telemetry for module.')
- enableTelemetry: bool?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional.
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') - eventHubAuthorizationRuleResourceId: string? - - @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - eventHubName: string? - - @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') - marketplacePartnerResourceId: string? -}[]? - -type customerManagedKeyType = { - @description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.') - keyVaultResourceId: string - - @description('Required. The name of the customer managed key to use for encryption.') - keyName: string - - @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.') - keyVersion: string? - - @description('Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use.') - userAssignedIdentityResourceId: string? -}? diff --git a/modules/container-registry/registry/main.json b/modules/container-registry/registry/main.json deleted file mode 100644 index 39a04d3a66..0000000000 --- a/modules/container-registry/registry/main.json +++ /dev/null 
@@ -1,2058 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6862455028328660677" - }, - "name": "Azure Container Registries (ACR)", - "description": "This module deploys an Azure Container Registry (ACR).", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." 
- } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. 
Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - }, - "customerManagedKeyType": { - "type": "object", - "properties": { - "keyVaultResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." - } - }, - "keyName": { - "type": "string", - "metadata": { - "description": "Required. The name of the customer managed key to use for encryption." - } - }, - "keyVersion": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." - } - }, - "userAssignedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use." 
- } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "minLength": 5, - "maxLength": 50, - "metadata": { - "description": "Required. Name of your Azure container registry." - } - }, - "acrAdminUserEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enable admin user that have push / pull permission to the registry." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "acrSku": { - "type": "string", - "defaultValue": "Basic", - "allowedValues": [ - "Basic", - "Premium", - "Standard" - ], - "metadata": { - "description": "Optional. Tier of your Azure container registry." - } - }, - "exportPolicyStatus": { - "type": "string", - "defaultValue": "disabled", - "allowedValues": [ - "disabled", - "enabled" - ], - "metadata": { - "description": "Optional. The value that indicates whether the export policy is enabled or not." - } - }, - "quarantinePolicyStatus": { - "type": "string", - "defaultValue": "disabled", - "allowedValues": [ - "disabled", - "enabled" - ], - "metadata": { - "description": "Optional. The value that indicates whether the quarantine policy is enabled or not." - } - }, - "trustPolicyStatus": { - "type": "string", - "defaultValue": "disabled", - "allowedValues": [ - "disabled", - "enabled" - ], - "metadata": { - "description": "Optional. The value that indicates whether the trust policy is enabled or not." - } - }, - "retentionPolicyStatus": { - "type": "string", - "defaultValue": "enabled", - "allowedValues": [ - "disabled", - "enabled" - ], - "metadata": { - "description": "Optional. The value that indicates whether the retention policy is enabled or not." 
- } - }, - "retentionPolicyDays": { - "type": "int", - "defaultValue": 15, - "metadata": { - "description": "Optional. The number of days to retain an untagged manifest after which it gets purged." - } - }, - "azureADAuthenticationAsArmPolicyStatus": { - "type": "string", - "defaultValue": "enabled", - "allowedValues": [ - "disabled", - "enabled" - ], - "metadata": { - "description": "Optional. The value that indicates whether the policy for using ARM audience token for a container registr is enabled or not. Default is enabled." - } - }, - "softDeletePolicyStatus": { - "type": "string", - "defaultValue": "disabled", - "allowedValues": [ - "disabled", - "enabled" - ], - "metadata": { - "description": "Optional. Soft Delete policy status. Default is disabled." - } - }, - "softDeletePolicyDays": { - "type": "int", - "defaultValue": 7, - "metadata": { - "description": "Optional. The number of days after which a soft-deleted item is permanently deleted." - } - }, - "dataEndpointEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enable a single data endpoint per region for serving data. Not relevant in case of disabled public access. Note, requires the 'acrSku' to be 'Premium'." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkRuleSetIpRules are not set. Note, requires the 'acrSku' to be 'Premium'." - } - }, - "networkRuleBypassOptions": { - "type": "string", - "defaultValue": "AzureServices", - "allowedValues": [ - "AzureServices", - "None" - ], - "metadata": { - "description": "Optional. Whether to allow trusted Azure services to access a network restricted registry." 
- } - }, - "networkRuleSetDefaultAction": { - "type": "string", - "defaultValue": "Deny", - "allowedValues": [ - "Allow", - "Deny" - ], - "metadata": { - "description": "Optional. The default action of allow or deny when no other rules match." - } - }, - "networkRuleSetIpRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The IP ACL rules. Note, requires the 'acrSku' to be 'Premium'." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Note, requires the 'acrSku' to be 'Premium'." - } - }, - "zoneRedundancy": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Whether or not zone redundancy is enabled for this container registry." - } - }, - "replications": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. All replications to create." - } - }, - "webhooks": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. All webhooks to create." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "anonymousPullEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables registry-wide pull from unauthenticated clients. It's in preview and available in the Standard and Premium service tiers." - } - }, - "customerManagedKey": { - "$ref": "#/definitions/customerManagedKeyType", - "metadata": { - "description": "Optional. The customer managed key definition." - } - }, - "cacheRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of Cache Rules. Note: This is a preview feature ([ref](https://learn.microsoft.com/en-us/azure/container-registry/tutorial-registry-cache#cache-for-acr-preview))." - } - } - }, - "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "AcrDelete": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", - "AcrImageSigner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", - "AcrPull": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", - "AcrPush": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8311e382-0749-4cb8-b61a-304f252e45ec')]", - "AcrQuarantineReader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", - "AcrQuarantineWriter": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "cMKKeyVault::cMKKey": { - "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults/keys", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), 
'/')[4]]", - "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", - "dependsOn": [ - "cMKKeyVault" - ] - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "cMKKeyVault": { - "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" - }, - "cMKUserAssignedIdentity": { - "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')))]", - "existing": true, - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2023-01-31", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" - }, - "registry": { - 
"type": "Microsoft.ContainerRegistry/registries", - "apiVersion": "2023-06-01-preview", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "identity": "[variables('identity')]", - "tags": "[parameters('tags')]", - "sku": { - "name": "[parameters('acrSku')]" - }, - "properties": { - "anonymousPullEnabled": "[parameters('anonymousPullEnabled')]", - "adminUserEnabled": "[parameters('acrAdminUserEnabled')]", - "encryption": "[if(not(empty(parameters('customerManagedKey'))), createObject('status', 'enabled', 'keyVaultProperties', createObject('identity', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), ''))), reference('cMKUserAssignedIdentity').clientId, null()), 'keyIdentifier', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), format('{0}/{1}', reference('cMKKeyVault::cMKKey').keyUri, parameters('customerManagedKey').keyVersion), reference('cMKKeyVault::cMKKey').keyUriWithVersion))), null())]", - "policies": { - "azureADAuthenticationAsArmPolicy": { - "status": "[parameters('azureADAuthenticationAsArmPolicyStatus')]" - }, - "exportPolicy": "[if(equals(parameters('acrSku'), 'Premium'), createObject('status', parameters('exportPolicyStatus')), null())]", - "quarantinePolicy": { - "status": "[parameters('quarantinePolicyStatus')]" - }, - "trustPolicy": { - "type": "Notary", - "status": "[parameters('trustPolicyStatus')]" - }, - "retentionPolicy": "[if(equals(parameters('acrSku'), 'Premium'), createObject('days', parameters('retentionPolicyDays'), 'status', parameters('retentionPolicyStatus')), null())]", - "softDeletePolicy": { - "retentionDays": "[parameters('softDeletePolicyDays')]", - "status": "[parameters('softDeletePolicyStatus')]" - } - }, - "dataEndpointEnabled": "[parameters('dataEndpointEnabled')]", - "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), 
if(and(not(empty(parameters('privateEndpoints'))), empty(parameters('networkRuleSetIpRules'))), 'Disabled', null()))]", - "networkRuleBypassOptions": "[parameters('networkRuleBypassOptions')]", - "networkRuleSet": "[if(not(empty(parameters('networkRuleSetIpRules'))), createObject('defaultAction', parameters('networkRuleSetDefaultAction'), 'ipRules', parameters('networkRuleSetIpRules')), null())]", - "zoneRedundancy": "[if(equals(parameters('acrSku'), 'Premium'), parameters('zoneRedundancy'), null())]" - }, - "dependsOn": [ - "cMKKeyVault", - "cMKUserAssignedIdentity" - ] - }, - "registry_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.ContainerRegistry/registries/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "registry" - ] - }, - "registry_diagnosticSettings": { - "copy": { - "name": "registry_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.ContainerRegistry/registries/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - 
"workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "registry" - ] - }, - "registry_roleAssignments": { - "copy": { - "name": "registry_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.ContainerRegistry/registries/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.ContainerRegistry/registries', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), 
variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "registry" - ] - }, - "registry_replications": { - "copy": { - "name": "registry_replications", - "count": "[length(parameters('replications'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Registry-Replication-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('replications')[copyIndex()].name]" - }, - "registryName": { - "value": 
"[parameters('name')]" - }, - "location": { - "value": "[parameters('replications')[copyIndex()].location]" - }, - "regionEndpointEnabled": "[if(contains(parameters('replications')[copyIndex()], 'regionEndpointEnabled'), createObject('value', parameters('replications')[copyIndex()].regionEndpointEnabled), createObject('value', true()))]", - "zoneRedundancy": "[if(contains(parameters('replications')[copyIndex()], 'zoneRedundancy'), createObject('value', parameters('replications')[copyIndex()].zoneRedundancy), createObject('value', 'Disabled'))]", - "tags": { - "value": "[coalesce(tryGet(parameters('replications')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17278738816613868587" - }, - "name": "Azure Container Registry (ACR) Replications", - "description": "This module deploys an Azure Container Registry (ACR) Replication.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "registryName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent registry. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the replication." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "regionEndpointEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. 
Specifies whether the replication regional endpoint is enabled. Requests will not be routed to a replication whose regional endpoint is disabled, however its data will continue to be synced with other replications." - } - }, - "zoneRedundancy": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Whether or not zone redundancy is enabled for this container registry." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "registry": { - "existing": true, - "type": "Microsoft.ContainerRegistry/registries", - "apiVersion": "2023-06-01-preview", - "name": "[parameters('registryName')]" - }, - "replication": { - "type": "Microsoft.ContainerRegistry/registries/replications", - "apiVersion": "2023-06-01-preview", - "name": "[format('{0}/{1}', parameters('registryName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "regionEndpointEnabled": "[parameters('regionEndpointEnabled')]", - "zoneRedundancy": "[parameters('zoneRedundancy')]" - }, - "dependsOn": [ - "registry" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the replication." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the replication." - }, - "value": "[resourceId('Microsoft.ContainerRegistry/registries/replications', parameters('registryName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the replication was created in." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('replication', '2023-06-01-preview', 'full').location]" - } - } - } - }, - "dependsOn": [ - "registry" - ] - }, - "registry_cacheRules": { - "copy": { - "name": "registry_cacheRules", - "count": "[length(parameters('cacheRules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Registry-Cache-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "registryName": { - "value": "[parameters('name')]" - }, - "sourceRepository": { - "value": "[parameters('cacheRules')[copyIndex()].sourceRepository]" - }, - "name": "[if(contains(parameters('cacheRules')[copyIndex()], 'name'), createObject('value', parameters('cacheRules')[copyIndex()].name), createObject('value', replace(replace(parameters('cacheRules')[copyIndex()].sourceRepository, '/', '-'), '.', '-')))]", - "targetRepository": "[if(contains(parameters('cacheRules')[copyIndex()], 'targetRepository'), createObject('value', parameters('cacheRules')[copyIndex()].targetRepository), createObject('value', parameters('cacheRules')[copyIndex()].sourceRepository))]", - "credentialSetResourceId": "[if(contains(parameters('cacheRules')[copyIndex()], 'credentialSetResourceId'), createObject('value', 
parameters('cacheRules')[copyIndex()].credentialSetResourceId), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9350283035071510554" - }, - "name": "Container Registries Cache", - "description": "Cache for Azure Container Registry (Preview) feature allows users to cache container images in a private container registry. Cache for ACR, is a preview feature available in Basic, Standard, and Premium service tiers ([ref](https://learn.microsoft.com/en-us/azure/container-registry/tutorial-registry-cache)).", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "registryName": { - "type": "string", - "metadata": { - "description": "Required. The name of the parent registry. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "[replace(replace(parameters('sourceRepository'), '/', '-'), '.', '-')]", - "metadata": { - "description": "Optional. The name of the cache rule. Will be dereived from the source repository name if not defined." - } - }, - "sourceRepository": { - "type": "string", - "metadata": { - "description": "Required. Source repository pulled from upstream." - } - }, - "targetRepository": { - "type": "string", - "defaultValue": "[parameters('sourceRepository')]", - "metadata": { - "description": "Optional. Target repository specified in docker pull command. E.g.: docker pull myregistry.azurecr.io/{targetRepository}:{tag}." - } - }, - "credentialSetResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of the credential store which is associated with the cache rule." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ContainerRegistry/registries/cacheRules", - "apiVersion": "2023-06-01-preview", - "name": "[format('{0}/{1}', parameters('registryName'), parameters('name'))]", - "properties": { - "sourceRepository": "[parameters('sourceRepository')]", - "targetRepository": "[parameters('targetRepository')]", - "credentialSetResourceId": "[if(not(empty(parameters('credentialSetResourceId'))), parameters('credentialSetResourceId'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The Name of the Cache Rule." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Cache Rule." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Cache Rule." 
- }, - "value": "[resourceId('Microsoft.ContainerRegistry/registries/cacheRules', parameters('registryName'), parameters('name'))]" - } - } - } - }, - "dependsOn": [ - "registry" - ] - }, - "registry_webhooks": { - "copy": { - "name": "registry_webhooks", - "count": "[length(parameters('webhooks'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Registry-Webhook-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('webhooks')[copyIndex()].name]" - }, - "registryName": { - "value": "[parameters('name')]" - }, - "location": "[if(contains(parameters('webhooks')[copyIndex()], 'location'), createObject('value', parameters('webhooks')[copyIndex()].location), createObject('value', parameters('location')))]", - "action": "[if(contains(parameters('webhooks')[copyIndex()], 'action'), createObject('value', parameters('webhooks')[copyIndex()].action), createObject('value', createArray('chart_delete', 'chart_push', 'delete', 'push', 'quarantine')))]", - "customHeaders": "[if(contains(parameters('webhooks')[copyIndex()], 'customHeaders'), createObject('value', parameters('webhooks')[copyIndex()].customHeaders), createObject('value', createObject()))]", - "scope": "[if(contains(parameters('webhooks')[copyIndex()], 'scope'), createObject('value', parameters('webhooks')[copyIndex()].scope), createObject('value', ''))]", - "status": "[if(contains(parameters('webhooks')[copyIndex()], 'status'), createObject('value', parameters('webhooks')[copyIndex()].status), createObject('value', 'enabled'))]", - "serviceUri": { - "value": "[parameters('webhooks')[copyIndex()].serviceUri]" - }, - "tags": { - "value": "[coalesce(tryGet(parameters('webhooks')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "enableDefaultTelemetry": { - "value": 
"[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4878566967080590991" - }, - "name": "Azure Container Registry (ACR) Webhooks", - "description": "This module deploys an Azure Container Registry (ACR) Webhook.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "registryName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent registry. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "[format('{0}webhook', parameters('registryName'))]", - "minLength": 5, - "maxLength": 50, - "metadata": { - "description": "Optional. The name of the registry webhook." - } - }, - "serviceUri": { - "type": "string", - "metadata": { - "description": "Required. The service URI for the webhook to post notifications." - } - }, - "status": { - "type": "string", - "defaultValue": "enabled", - "allowedValues": [ - "disabled", - "enabled" - ], - "metadata": { - "description": "Optional. The status of the webhook at the time the operation was called." - } - }, - "action": { - "type": "array", - "defaultValue": [ - "chart_delete", - "chart_push", - "delete", - "push", - "quarantine" - ], - "metadata": { - "description": "Optional. The list of actions that trigger the webhook to post notifications." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." 
- } - }, - "customHeaders": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Custom headers that will be added to the webhook notifications." - } - }, - "scope": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The scope of repositories where the event can be triggered. For example, 'foo:*' means events for all tags under repository 'foo'. 'foo:bar' means events for 'foo:bar' only. 'foo' is equivalent to 'foo:latest'. Empty means all events." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "registry": { - "existing": true, - "type": "Microsoft.ContainerRegistry/registries", - "apiVersion": "2023-06-01-preview", - "name": "[parameters('registryName')]" - }, - "webhook": { - "type": "Microsoft.ContainerRegistry/registries/webhooks", - "apiVersion": "2023-06-01-preview", - "name": "[format('{0}/{1}', parameters('registryName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "actions": "[parameters('action')]", - "customHeaders": "[parameters('customHeaders')]", - "scope": "[parameters('scope')]", - "serviceUri": "[parameters('serviceUri')]", - "status": "[parameters('status')]" - }, - "dependsOn": [ - "registry" - ] - } - }, - "outputs": { - "resourceId": { - 
"type": "string", - "metadata": { - "description": "The resource ID of the webhook." - }, - "value": "[resourceId('Microsoft.ContainerRegistry/registries/webhooks', parameters('registryName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the webhook." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Azure container registry." - }, - "value": "[resourceGroup().name]" - }, - "actions": { - "type": "array", - "metadata": { - "description": "The actions of the webhook." - }, - "value": "[reference('webhook').actions]" - }, - "status": { - "type": "string", - "metadata": { - "description": "The status of the webhook." - }, - "value": "[reference('webhook').status]" - }, - "provistioningState": { - "type": "string", - "metadata": { - "description": "The provisioning state of the webhook." - }, - "value": "[reference('webhook').provisioningState]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." 
- }, - "value": "[reference('webhook', '2023-06-01-preview', 'full').location]" - } - } - } - }, - "dependsOn": [ - "registry" - ] - }, - "registry_privateEndpoints": { - "copy": { - "name": "registry_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-registry-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'registry')]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.ContainerRegistry/registries', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'registry'), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.ContainerRegistry/registries', parameters('name'))]" - }, - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), 
createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", 
- "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." 
- } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." 
- } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private 
DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - 
"groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": 
"Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": 
"string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "registry" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The Name of the Azure container registry." - }, - "value": "[parameters('name')]" - }, - "loginServer": { - "type": "string", - "metadata": { - "description": "The reference to the Azure container registry." 
- }, - "value": "[reference(resourceId('Microsoft.ContainerRegistry/registries', parameters('name')), '2019-05-01').loginServer]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Azure container registry." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Azure container registry." - }, - "value": "[resourceId('Microsoft.ContainerRegistry/registries', parameters('name'))]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('registry', '2023-06-01-preview', 'full').identity, 'principalId')), reference('registry', '2023-06-01-preview', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('registry', '2023-06-01-preview', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/container-registry/registry/replication/README.md b/modules/container-registry/registry/replication/README.md deleted file mode 100644 index 6f7f21c1f1..0000000000 --- a/modules/container-registry/registry/replication/README.md +++ /dev/null 
@@ -1,114 +0,0 @@
-# Azure Container Registry (ACR) Replications `[Microsoft.ContainerRegistry/registries/replications]`
-
-This module deploys an Azure Container Registry (ACR) Replication.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.ContainerRegistry/registries/replications` | [2023-06-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerRegistry/registries/replications) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the replication. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`registryName`](#parameter-registryname) | string | The name of the parent registry. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`location`](#parameter-location) | string | Location for all resources. |
-| [`regionEndpointEnabled`](#parameter-regionendpointenabled) | bool | Specifies whether the replication regional endpoint is enabled. Requests will not be routed to a replication whose regional endpoint is disabled, however its data will continue to be synced with other replications. |
-| [`tags`](#parameter-tags) | object | Tags of the resource. |
-| [`zoneRedundancy`](#parameter-zoneredundancy) | string | Whether or not zone redundancy is enabled for this container registry. |
-
-### Parameter: `name`
-
-The name of the replication.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `registryName`
-
-The name of the parent registry. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `location`
-
-Location for all resources.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-### Parameter: `regionEndpointEnabled`
-
-Specifies whether the replication regional endpoint is enabled. Requests will not be routed to a replication whose regional endpoint is disabled, however its data will continue to be synced with other replications.
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `tags`
-
-Tags of the resource.
-
-- Required: No
-- Type: object
-
-### Parameter: `zoneRedundancy`
-
-Whether or not zone redundancy is enabled for this container registry.
-
-- Required: No
-- Type: string
-- Default: `'Disabled'`
-- Allowed:
- ```Bicep
- [
- 'Disabled'
- 'Enabled'
- ]
- ```
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the replication. |
-| `resourceGroupName` | string | The name of the resource group the replication was created in. |
-| `resourceId` | string | The resource ID of the replication. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/container-registry/registry/replication/main.bicep b/modules/container-registry/registry/replication/main.bicep
deleted file mode 100644
index a382a85fc0..0000000000
--- a/modules/container-registry/registry/replication/main.bicep
+++ /dev/null
@@ -1,67 +0,0 @@
-metadata name = 'Azure Container Registry (ACR) Replications'
-metadata description = 'This module deploys an Azure Container Registry (ACR) Replication.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent registry. Required if the template is used in a standalone deployment.')
-param registryName string
-
-@description('Required. The name of the replication.')
-param name string
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Specifies whether the replication regional endpoint is enabled. Requests will not be routed to a replication whose regional endpoint is disabled, however its data will continue to be synced with other replications.')
-param regionEndpointEnabled bool = true
-
-@allowed([
- 'Disabled'
- 'Enabled'
-])
-@description('Optional. Whether or not zone redundancy is enabled for this container registry.')
-param zoneRedundancy string = 'Disabled'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource registry 'Microsoft.ContainerRegistry/registries@2023-06-01-preview' existing = {
- name: registryName
-}
-
-resource replication 'Microsoft.ContainerRegistry/registries/replications@2023-06-01-preview' = {
- name: name
- parent: registry
- location: location
- tags: tags
- properties: {
- regionEndpointEnabled: regionEndpointEnabled
- zoneRedundancy: zoneRedundancy
- }
-}
-
-@description('The name of the replication.')
-output name string = replication.name
-
-@description('The resource ID of the replication.')
-output resourceId string = replication.id
-
-@description('The name of the resource group the replication was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = replication.location
diff --git a/modules/container-registry/registry/replication/main.json b/modules/container-registry/registry/replication/main.json
deleted file mode 100644
index 5abda75971..0000000000
--- a/modules/container-registry/registry/replication/main.json
+++ /dev/null
@@ -1,134 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17278738816613868587" - }, - "name": "Azure Container Registry (ACR) Replications", - "description": "This module deploys an Azure Container Registry (ACR) Replication.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "registryName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent registry. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the replication." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "regionEndpointEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Specifies whether the replication regional endpoint is enabled. Requests will not be routed to a replication whose regional endpoint is disabled, however its data will continue to be synced with other replications." - } - }, - "zoneRedundancy": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Whether or not zone redundancy is enabled for this container registry." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "registry": { - "existing": true, - "type": "Microsoft.ContainerRegistry/registries", - "apiVersion": "2023-06-01-preview", - "name": "[parameters('registryName')]" - }, - "replication": { - "type": "Microsoft.ContainerRegistry/registries/replications", - "apiVersion": "2023-06-01-preview", - "name": "[format('{0}/{1}', parameters('registryName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "regionEndpointEnabled": "[parameters('regionEndpointEnabled')]", - "zoneRedundancy": "[parameters('zoneRedundancy')]" - }, - "dependsOn": [ - "registry" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the replication." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the replication." - }, - "value": "[resourceId('Microsoft.ContainerRegistry/registries/replications', parameters('registryName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the replication was created in." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('replication', '2023-06-01-preview', 'full').location]" - } - } -} \ No newline at end of file 
diff --git a/modules/container-registry/registry/replication/version.json b/modules/container-registry/registry/replication/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/container-registry/registry/replication/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/container-registry/registry/tests/e2e/defaults/main.test.bicep b/modules/container-registry/registry/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index 648869f165..0000000000
--- a/modules/container-registry/registry/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-containerregistry.registries-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'crrmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/container-registry/registry/tests/e2e/encr/dependencies.bicep b/modules/container-registry/registry/tests/e2e/encr/dependencies.bicep
deleted file mode 100644
index 2a44c0d13c..0000000000
--- a/modules/container-registry/registry/tests/e2e/encr/dependencies.bicep
+++ /dev/null
@@ -1,87 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: true // Required by batch account
- softDeleteRetentionInDays: 7
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-
- resource key 'keys@2022-07-01' = {
- name: 'keyEncryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-}
-
-resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment')
- scope: keyVault::key
- properties: {
- principalId: managedIdentity.properties.principalId
- // Key Vault Crypto User
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')
- principalType: 'ServicePrincipal'
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The name of the Key Vault Encryption Key.')
-output keyVaultEncryptionKeyName string = keyVault::key.name
diff --git a/modules/container-registry/registry/tests/e2e/encr/main.test.bicep b/modules/container-registry/registry/tests/e2e/encr/main.test.bicep
deleted file mode 100644
index b24ad4c628..0000000000
--- a/modules/container-registry/registry/tests/e2e/encr/main.test.bicep
+++ /dev/null
@@ -1,77 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-containerregistry.registries-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'crrencr'
-
-@description('Generated. Used as a basis for unique resource names.')
-param baseTime string = utcNow('u')
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- acrSku: 'Premium'
- customerManagedKey: {
- keyName: nestedDependencies.outputs.keyVaultEncryptionKeyName
- keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- userAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId
- }
- publicNetworkAccess: 'Disabled'
- managedIdentities: {
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/container-registry/registry/tests/e2e/max/dependencies.bicep b/modules/container-registry/registry/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 4e89a810a0..0000000000
--- a/modules/container-registry/registry/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,99 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Deployment Script to create to get the paired region name.')
-param pairedRegionScriptName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink${environment().suffixes.acrLoginServer}'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${location}-${managedIdentity.id}-Reader-RoleAssignment')
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') // Reader
- principalType: 'ServicePrincipal'
- }
-}
-
-resource getPairedRegionScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
- name: pairedRegionScriptName
- location: location
- kind: 'AzurePowerShell'
- identity: {
- type: 'UserAssigned'
- userAssignedIdentities: {
- '${managedIdentity.id}': {}
- }
- }
- properties: {
- azPowerShellVersion: '8.0'
- retentionInterval: 'P1D'
- arguments: '-Location \\"${location}\\"'
- scriptContent: loadTextContent('../../../../../.shared/.scripts/Get-PairedRegion.ps1')
- }
- dependsOn: [
- roleAssignment
- ]
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
-
-@description('The name of the paired region.')
-output pairedRegionName string = getPairedRegionScript.properties.outputs.pairedRegionName
diff --git a/modules/container-registry/registry/tests/e2e/max/main.test.bicep b/modules/container-registry/registry/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 767cc9ee2e..0000000000
--- a/modules/container-registry/registry/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,171 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-containerregistry.registries-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'crrmax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) - location: location - managedIdentityName: 'dep-${namePrefix}-msi-ds-${serviceShort}' - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - 
params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - acrAdminUserEnabled: false - acrSku: 'Premium' - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - exportPolicyStatus: 'enabled' - azureADAuthenticationAsArmPolicyStatus: 'enabled' - softDeletePolicyStatus: 'disabled' - softDeletePolicyDays: 7 - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - privateEndpoints: [ - { - service: 'registry' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - networkRuleSetIpRules: [ - { - action: 'Allow' - value: '40.74.28.0/23' - } - ] - quarantinePolicyStatus: 'enabled' - replications: [ - { - location: nestedDependencies.outputs.pairedRegionName - name: 
nestedDependencies.outputs.pairedRegionName - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - } - trustPolicyStatus: 'enabled' - cacheRules: [ - { - name: 'customRule' - sourceRepository: 'docker.io/library/hello-world' - targetRepository: 'cached-docker-hub/hello-world' - } - { - sourceRepository: 'docker.io/library/hello-world' - } - ] - webhooks: [ - { - name: '${namePrefix}acrx001webhook' - serviceUri: 'https://www.contoso.com/webhook' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/container-registry/registry/tests/e2e/pe/dependencies.bicep b/modules/container-registry/registry/tests/e2e/pe/dependencies.bicep deleted file mode 100644 index 0422180c41..0000000000 --- a/modules/container-registry/registry/tests/e2e/pe/dependencies.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink${environment().suffixes.acrLoginServer}'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/container-registry/registry/tests/e2e/pe/main.test.bicep b/modules/container-registry/registry/tests/e2e/pe/main.test.bicep
deleted file mode 100644
index ead4de2de4..0000000000
--- a/modules/container-registry/registry/tests/e2e/pe/main.test.bicep
+++ /dev/null
@@ -1,73 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-containerregistry.registries-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'crrpe'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- acrSku: 'Premium'
- privateEndpoints: [
- {
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/container-registry/registry/tests/e2e/waf-aligned/dependencies.bicep b/modules/container-registry/registry/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 4e89a810a0..0000000000
--- a/modules/container-registry/registry/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,99 +0,0 @@ -@description('Optional. The location to deploy resources to.') -param location string = resourceGroup().location - -@description('Required. The name of the Virtual Network to create.') -param virtualNetworkName string - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -@description('Required. The name of the Deployment Script to create to get the paired region name.') -param pairedRegionScriptName string - -var addressPrefix = '10.0.0.0/16' - -resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { - name: virtualNetworkName - location: location - properties: { - addressSpace: { - addressPrefixes: [ - addressPrefix - ] - } - subnets: [ - { - name: 'defaultSubnet' - properties: { - addressPrefix: cidrSubnet(addressPrefix, 16, 0) - } - } - ] - } -} - -resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { - name: 'privatelink${environment().suffixes.acrLoginServer}' - location: 'global' - - resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { - name: '${virtualNetwork.name}-vnetlink' - location: 'global' - properties: { - virtualNetwork: { - id: virtualNetwork.id - } - registrationEnabled: false - } - } -} - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - name: guid('msi-${location}-${managedIdentity.id}-Reader-RoleAssignment') - properties: { - principalId: managedIdentity.properties.principalId - roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') // Reader - principalType: 'ServicePrincipal' - } -} - -resource getPairedRegionScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = { - name: pairedRegionScriptName - location: location - kind: 'AzurePowerShell' - identity: { - type: 
'UserAssigned' - userAssignedIdentities: { - '${managedIdentity.id}': {} - } - } - properties: { - azPowerShellVersion: '8.0' - retentionInterval: 'P1D' - arguments: '-Location \\"${location}\\"' - scriptContent: loadTextContent('../../../../../.shared/.scripts/Get-PairedRegion.ps1') - } - dependsOn: [ - roleAssignment - ] -} - -@description('The resource ID of the created Virtual Network Subnet.') -output subnetResourceId string = virtualNetwork.properties.subnets[0].id - -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId - -@description('The resource ID of the created Managed Identity.') -output managedIdentityResourceId string = managedIdentity.id - -@description('The resource ID of the created Private DNS Zone.') -output privateDNSZoneResourceId string = privateDNSZone.id - -@description('The name of the paired region.') -output pairedRegionName string = getPairedRegionScript.properties.outputs.pairedRegionName diff --git a/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep b/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep deleted file mode 100644 index 7f6dd675d7..0000000000 --- a/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep +++ /dev/null 
@@ -1,154 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-containerregistry.registries-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'crrwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) - location: location - managedIdentityName: 'dep-${namePrefix}-msi-ds-${serviceShort}' - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, 
location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - acrAdminUserEnabled: false - acrSku: 'Premium' - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - exportPolicyStatus: 'enabled' - azureADAuthenticationAsArmPolicyStatus: 'enabled' - softDeletePolicyStatus: 'disabled' - softDeletePolicyDays: 7 - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - privateEndpoints: [ - { - service: 'registry' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - networkRuleSetIpRules: [ - { - action: 'Allow' - value: '40.74.28.0/23' - } - ] - quarantinePolicyStatus: 'enabled' - replications: [ - { - location: nestedDependencies.outputs.pairedRegionName - name: 
nestedDependencies.outputs.pairedRegionName - } - ] - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - } - trustPolicyStatus: 'enabled' - cacheRules: [ - { - name: 'customRule' - sourceRepository: 'docker.io/library/hello-world' - targetRepository: 'cached-docker-hub/hello-world' - } - { - sourceRepository: 'docker.io/library/hello-world' - } - ] - webhooks: [ - { - name: '${namePrefix}acrx001webhook' - serviceUri: 'https://www.contoso.com/webhook' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/container-registry/registry/version.json b/modules/container-registry/registry/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/container-registry/registry/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/container-registry/registry/webhook/README.md b/modules/container-registry/registry/webhook/README.md deleted file mode 100644 index 55b48b3f3e..0000000000 --- a/modules/container-registry/registry/webhook/README.md +++ /dev/null 
@@ -1,153 +0,0 @@ -# Azure Container Registry (ACR) Webhooks `[Microsoft.ContainerRegistry/registries/webhooks]` - -This module deploys an Azure Container Registry (ACR) Webhook. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.ContainerRegistry/registries/webhooks` | [2023-06-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerRegistry/registries/webhooks) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`serviceUri`](#parameter-serviceuri) | string | The service URI for the webhook to post notifications. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`registryName`](#parameter-registryname) | string | The name of the parent registry. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`action`](#parameter-action) | array | The list of actions that trigger the webhook to post notifications. | -| [`customHeaders`](#parameter-customheaders) | object | Custom headers that will be added to the webhook notifications. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`name`](#parameter-name) | string | The name of the registry webhook. | -| [`scope`](#parameter-scope) | string | The scope of repositories where the event can be triggered. For example, 'foo:*' means events for all tags under repository 'foo'. 'foo:bar' means events for 'foo:bar' only. 'foo' is equivalent to 'foo:latest'. Empty means all events. 
| -| [`status`](#parameter-status) | string | The status of the webhook at the time the operation was called. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `serviceUri` - -The service URI for the webhook to post notifications. - -- Required: Yes -- Type: string - -### Parameter: `registryName` - -The name of the parent registry. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `action` - -The list of actions that trigger the webhook to post notifications. - -- Required: No -- Type: array -- Default: - ```Bicep - [ - 'chart_delete' - 'chart_push' - 'delete' - 'push' - 'quarantine' - ] - ``` - -### Parameter: `customHeaders` - -Custom headers that will be added to the webhook notifications. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `name` - -The name of the registry webhook. - -- Required: No -- Type: string -- Default: `[format('{0}webhook', parameters('registryName'))]` - -### Parameter: `scope` - -The scope of repositories where the event can be triggered. For example, 'foo:*' means events for all tags under repository 'foo'. 'foo:bar' means events for 'foo:bar' only. 'foo' is equivalent to 'foo:latest'. Empty means all events. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `status` - -The status of the webhook at the time the operation was called. - -- Required: No -- Type: string -- Default: `'enabled'` -- Allowed: - ```Bicep - [ - 'disabled' - 'enabled' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. 
- -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `actions` | array | The actions of the webhook. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the webhook. | -| `provistioningState` | string | The provisioning state of the webhook. | -| `resourceGroupName` | string | The name of the Azure container registry. | -| `resourceId` | string | The resource ID of the webhook. | -| `status` | string | The status of the webhook. | - -## Cross-referenced modules - -_None_ diff --git a/modules/container-registry/registry/webhook/main.bicep b/modules/container-registry/registry/webhook/main.bicep deleted file mode 100644 index c537ad5153..0000000000 --- a/modules/container-registry/registry/webhook/main.bicep +++ /dev/null 
@@ -1,96 +0,0 @@ -metadata name = 'Azure Container Registry (ACR) Webhooks' -metadata description = 'This module deploys an Azure Container Registry (ACR) Webhook.' -metadata owner = 'Azure/module-maintainers' - -@description('Conditional. The name of the parent registry. Required if the template is used in a standalone deployment.') -param registryName string - -@description('Optional. The name of the registry webhook.') -@minLength(5) -@maxLength(50) -param name string = '${registryName}webhook' - -@description('Required. The service URI for the webhook to post notifications.') -param serviceUri string - -@allowed([ - 'disabled' - 'enabled' -]) -@description('Optional. The status of the webhook at the time the operation was called.') -param status string = 'enabled' - -@description('Optional. The list of actions that trigger the webhook to post notifications.') -param action array = [ - 'chart_delete' - 'chart_push' - 'delete' - 'push' - 'quarantine' -] - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. Tags of the resource.') -param tags object? - -@description('Optional. Custom headers that will be added to the webhook notifications.') -param customHeaders object = {} - -@description('Optional. The scope of repositories where the event can be triggered. For example, \'foo:*\' means events for all tags under repository \'foo\'. \'foo:bar\' means events for \'foo:bar\' only. \'foo\' is equivalent to \'foo:latest\'. Empty means all events.') -param scope string = '' - -@description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource registry 'Microsoft.ContainerRegistry/registries@2023-06-01-preview' existing = { - name: registryName -} - -resource webhook 'Microsoft.ContainerRegistry/registries/webhooks@2023-06-01-preview' = { - name: name - parent: registry - location: location - tags: tags - properties: { - actions: action - customHeaders: customHeaders - scope: scope - serviceUri: serviceUri - status: status - } -} - -@description('The resource ID of the webhook.') -output resourceId string = webhook.id - -@description('The name of the webhook.') -output name string = webhook.name - -@description('The name of the Azure container registry.') -output resourceGroupName string = resourceGroup().name - -@description('The actions of the webhook.') -output actions array = webhook.properties.actions - -@description('The status of the webhook.') -output status string = webhook.properties.status - -@description('The provisioning state of the webhook.') -output provistioningState string = webhook.properties.provisioningState - -@description('The location the resource was deployed into.') -output location string = webhook.location diff --git a/modules/container-registry/registry/webhook/main.json b/modules/container-registry/registry/webhook/main.json deleted file mode 100644 index 2eb1a3a71b..0000000000 --- a/modules/container-registry/registry/webhook/main.json +++ /dev/null 
@@ -1,187 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4878566967080590991" - }, - "name": "Azure Container Registry (ACR) Webhooks", - "description": "This module deploys an Azure Container Registry (ACR) Webhook.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "registryName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent registry. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "[format('{0}webhook', parameters('registryName'))]", - "minLength": 5, - "maxLength": 50, - "metadata": { - "description": "Optional. The name of the registry webhook." - } - }, - "serviceUri": { - "type": "string", - "metadata": { - "description": "Required. The service URI for the webhook to post notifications." - } - }, - "status": { - "type": "string", - "defaultValue": "enabled", - "allowedValues": [ - "disabled", - "enabled" - ], - "metadata": { - "description": "Optional. The status of the webhook at the time the operation was called." - } - }, - "action": { - "type": "array", - "defaultValue": [ - "chart_delete", - "chart_push", - "delete", - "push", - "quarantine" - ], - "metadata": { - "description": "Optional. The list of actions that trigger the webhook to post notifications." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "customHeaders": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. 
Custom headers that will be added to the webhook notifications." - } - }, - "scope": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The scope of repositories where the event can be triggered. For example, 'foo:*' means events for all tags under repository 'foo'. 'foo:bar' means events for 'foo:bar' only. 'foo' is equivalent to 'foo:latest'. Empty means all events." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "registry": { - "existing": true, - "type": "Microsoft.ContainerRegistry/registries", - "apiVersion": "2023-06-01-preview", - "name": "[parameters('registryName')]" - }, - "webhook": { - "type": "Microsoft.ContainerRegistry/registries/webhooks", - "apiVersion": "2023-06-01-preview", - "name": "[format('{0}/{1}', parameters('registryName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "actions": "[parameters('action')]", - "customHeaders": "[parameters('customHeaders')]", - "scope": "[parameters('scope')]", - "serviceUri": "[parameters('serviceUri')]", - "status": "[parameters('status')]" - }, - "dependsOn": [ - "registry" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the webhook." 
- }, - "value": "[resourceId('Microsoft.ContainerRegistry/registries/webhooks', parameters('registryName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the webhook." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Azure container registry." - }, - "value": "[resourceGroup().name]" - }, - "actions": { - "type": "array", - "metadata": { - "description": "The actions of the webhook." - }, - "value": "[reference('webhook').actions]" - }, - "status": { - "type": "string", - "metadata": { - "description": "The status of the webhook." - }, - "value": "[reference('webhook').status]" - }, - "provistioningState": { - "type": "string", - "metadata": { - "description": "The provisioning state of the webhook." - }, - "value": "[reference('webhook').provisioningState]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('webhook', '2023-06-01-preview', 'full').location]" - } - } -}
\ No newline at end of file
diff --git a/modules/container-registry/registry/webhook/version.json b/modules/container-registry/registry/webhook/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/container-registry/registry/webhook/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/container-service/managed-cluster/MOVED-TO-AVM.md b/modules/container-service/managed-cluster/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/container-service/managed-cluster/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/container-service/managed-cluster/README.md b/modules/container-service/managed-cluster/README.md
index 5b5a10a109..b1e154ab73 100644
--- a/modules/container-service/managed-cluster/README.md
+++ b/modules/container-service/managed-cluster/README.md
@@ -1,2503 +1,7 @@
-# Azure Kubernetes Service (AKS) Managed Clusters `[Microsoft.ContainerService/managedClusters]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/container-service/managed-cluster](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/container-service/managed-cluster).** -This module deploys an Azure Kubernetes Service (AKS) Managed Cluster. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/container-service/managed-cluster). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.ContainerService/managedClusters` | [2023-07-02-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2023-07-02-preview/managedClusters) | -| `Microsoft.ContainerService/managedClusters/agentPools` | [2023-07-02-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2023-07-02-preview/managedClusters/agentPools) | -| `Microsoft.Insights/diagnosticSettings` | 
[2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.KubernetesConfiguration/extensions` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KubernetesConfiguration/2022-03-01/extensions) | -| `Microsoft.KubernetesConfiguration/fluxConfigurations` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KubernetesConfiguration/fluxConfigurations) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/container-service.managed-cluster:1.0.0`. - -- [Azure](#example-1-azure) -- [Using only defaults](#example-2-using-only-defaults) -- [Kubenet](#example-3-kubenet) -- [Priv](#example-4-priv) - -### Example 1: _Azure_ - -
- -via Bicep module - -```bicep -module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-csmaz' - params: { - // Required parameters - name: 'csmaz001' - primaryAgentPoolProfile: [ - { - availabilityZones: [ - '3' - ] - count: 1 - enableAutoScaling: true - maxCount: 3 - maxPods: 30 - minCount: 1 - mode: 'System' - name: 'systempool' - osDiskSizeGB: 0 - osType: 'Linux' - serviceCidr: '' - storageProfile: 'ManagedDisks' - type: 'VirtualMachineScaleSets' - vmSize: 'Standard_DS2_v2' - vnetSubnetID: '' - } - ] - // Non-required parameters - agentPools: [ - { - availabilityZones: [ - '3' - ] - count: 2 - enableAutoScaling: true - maxCount: 3 - maxPods: 30 - minCount: 1 - minPods: 2 - mode: 'User' - name: 'userpool1' - nodeLabels: {} - nodeTaints: [ - 'CriticalAddonsOnly=true:NoSchedule' - ] - osDiskSizeGB: 128 - osType: 'Linux' - proximityPlacementGroupResourceId: '' - scaleSetEvictionPolicy: 'Delete' - scaleSetPriority: 'Regular' - storageProfile: 'ManagedDisks' - type: 'VirtualMachineScaleSets' - vmSize: 'Standard_DS2_v2' - vnetSubnetID: '' - } - { - availabilityZones: [ - '3' - ] - count: 2 - enableAutoScaling: true - maxCount: 3 - maxPods: 30 - minCount: 1 - minPods: 2 - mode: 'User' - name: 'userpool2' - nodeLabels: {} - nodeTaints: [ - 'CriticalAddonsOnly=true:NoSchedule' - ] - osDiskSizeGB: 128 - osType: 'Linux' - scaleSetEvictionPolicy: 'Delete' - scaleSetPriority: 'Regular' - storageProfile: 'ManagedDisks' - type: 'VirtualMachineScaleSets' - vmSize: 'Standard_DS2_v2' - vnetSubnetID: '' - } - ] - autoUpgradeProfileUpgradeChannel: 'stable' - customerManagedKey: { - keyName: '' - keyVaultNetworkAccess: 'Public' - keyVaultResourceId: '' - } - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - 
diskEncryptionSetID: '' - enableAzureDefender: true - enableAzureMonitorProfileMetrics: true - enableDefaultTelemetry: '' - enableKeyvaultSecretsProvider: true - enableOidcIssuerProfile: true - enablePodSecurityPolicy: false - enableStorageProfileBlobCSIDriver: true - enableStorageProfileDiskCSIDriver: true - enableStorageProfileFileCSIDriver: true - enableStorageProfileSnapshotController: true - enableWorkloadIdentity: true - fluxExtension: { - configurations: [ - { - gitRepository: { - repositoryRef: { - branch: 'main' - } - sshKnownHosts: '' - syncIntervalInSeconds: 300 - timeoutInSeconds: 180 - url: 'https://github.com/mspnp/aks-baseline' - } - namespace: 'flux-system' - } - { - gitRepository: { - repositoryRef: { - branch: 'main' - } - sshKnownHosts: '' - syncIntervalInSeconds: 300 - timeoutInSeconds: 180 - url: 'https://github.com/Azure/gitops-flux2-kustomize-helm-mt' - } - kustomizations: { - apps: { - dependsOn: [ - 'infra' - ] - path: './apps/staging' - prune: true - retryIntervalInSeconds: 120 - syncIntervalInSeconds: 600 - timeoutInSeconds: 600 - } - infra: { - dependsOn: [] - path: './infrastructure' - prune: true - syncIntervalInSeconds: 600 - timeoutInSeconds: 600 - validation: 'none' - } - } - namespace: 'flux-system-helm' - } - ] - configurationSettings: { - 'helm-controller.enabled': 'true' - 'image-automation-controller.enabled': 'false' - 'image-reflector-controller.enabled': 'false' - 'kustomize-controller.enabled': 'true' - 'notification-controller.enabled': 'true' - 'source-controller.enabled': 'true' - } - } - identityProfile: { - kubeletidentity: { - resourceId: '' - } - } - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - monitoringWorkspaceId: '' - networkDataplane: 'azure' - networkPlugin: 'azure' - networkPluginMode: 'overlay' - omsAgentEnabled: true - openServiceMeshEnabled: true - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' 
- roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "csmaz001" - }, - "primaryAgentPoolProfile": { - "value": [ - { - "availabilityZones": [ - "3" - ], - "count": 1, - "enableAutoScaling": true, - "maxCount": 3, - "maxPods": 30, - "minCount": 1, - "mode": "System", - "name": "systempool", - "osDiskSizeGB": 0, - "osType": "Linux", - "serviceCidr": "", - "storageProfile": "ManagedDisks", - "type": "VirtualMachineScaleSets", - "vmSize": "Standard_DS2_v2", - "vnetSubnetID": "" - } - ] - }, - // Non-required parameters - "agentPools": { - "value": [ - { - "availabilityZones": [ - "3" - ], - "count": 2, - "enableAutoScaling": true, - "maxCount": 3, - "maxPods": 30, - "minCount": 1, - "minPods": 2, - "mode": "User", - "name": "userpool1", - "nodeLabels": {}, - "nodeTaints": [ - "CriticalAddonsOnly=true:NoSchedule" - ], - "osDiskSizeGB": 128, - "osType": "Linux", - "proximityPlacementGroupResourceId": "", - "scaleSetEvictionPolicy": "Delete", - "scaleSetPriority": "Regular", - "storageProfile": "ManagedDisks", - "type": "VirtualMachineScaleSets", - "vmSize": "Standard_DS2_v2", - "vnetSubnetID": "" - }, - { - "availabilityZones": [ - "3" - ], - "count": 2, - "enableAutoScaling": true, - "maxCount": 3, - "maxPods": 30, - "minCount": 1, - "minPods": 2, - "mode": "User", - "name": "userpool2", - "nodeLabels": {}, - "nodeTaints": [ - "CriticalAddonsOnly=true:NoSchedule" - ], - "osDiskSizeGB": 128, - "osType": "Linux", - "scaleSetEvictionPolicy": "Delete", - "scaleSetPriority": "Regular", - "storageProfile": "ManagedDisks", - "type": "VirtualMachineScaleSets", - "vmSize": "Standard_DS2_v2", - "vnetSubnetID": "" - } - ] - }, - "autoUpgradeProfileUpgradeChannel": { - "value": "stable" - }, - "customerManagedKey": { - "value": { - "keyName": "", - "keyVaultNetworkAccess": "Public", - 
"keyVaultResourceId": "" - } - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "diskEncryptionSetID": { - "value": "" - }, - "enableAzureDefender": { - "value": true - }, - "enableAzureMonitorProfileMetrics": { - "value": true - }, - "enableDefaultTelemetry": { - "value": "" - }, - "enableKeyvaultSecretsProvider": { - "value": true - }, - "enableOidcIssuerProfile": { - "value": true - }, - "enablePodSecurityPolicy": { - "value": false - }, - "enableStorageProfileBlobCSIDriver": { - "value": true - }, - "enableStorageProfileDiskCSIDriver": { - "value": true - }, - "enableStorageProfileFileCSIDriver": { - "value": true - }, - "enableStorageProfileSnapshotController": { - "value": true - }, - "enableWorkloadIdentity": { - "value": true - }, - "fluxExtension": { - "value": { - "configurations": [ - { - "gitRepository": { - "repositoryRef": { - "branch": "main" - }, - "sshKnownHosts": "", - "syncIntervalInSeconds": 300, - "timeoutInSeconds": 180, - "url": "https://github.com/mspnp/aks-baseline" - }, - "namespace": "flux-system" - }, - { - "gitRepository": { - "repositoryRef": { - "branch": "main" - }, - "sshKnownHosts": "", - "syncIntervalInSeconds": 300, - "timeoutInSeconds": 180, - "url": "https://github.com/Azure/gitops-flux2-kustomize-helm-mt" - }, - "kustomizations": { - "apps": { - "dependsOn": [ - "infra" - ], - "path": "./apps/staging", - "prune": true, - "retryIntervalInSeconds": 120, - "syncIntervalInSeconds": 600, - "timeoutInSeconds": 600 - }, - "infra": { - "dependsOn": [], - "path": "./infrastructure", - "prune": true, - "syncIntervalInSeconds": 600, - "timeoutInSeconds": 600, - "validation": "none" - } - }, - "namespace": "flux-system-helm" - } - ], - "configurationSettings": { - "helm-controller.enabled": "true", - 
"image-automation-controller.enabled": "false", - "image-reflector-controller.enabled": "false", - "kustomize-controller.enabled": "true", - "notification-controller.enabled": "true", - "source-controller.enabled": "true" - } - } - }, - "identityProfile": { - "value": { - "kubeletidentity": { - "resourceId": "" - } - } - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "monitoringWorkspaceId": { - "value": "" - }, - "networkDataplane": { - "value": "azure" - }, - "networkPlugin": { - "value": "azure" - }, - "networkPluginMode": { - "value": "overlay" - }, - "omsAgentEnabled": { - "value": true - }, - "openServiceMeshEnabled": { - "value": true - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-csmmin' - params: { - // Required parameters - name: 'csmmin001' - primaryAgentPoolProfile: [ - { - count: 1 - mode: 'System' - name: 'systempool' - vmSize: 'Standard_DS2_v2' - } - ] - // Non-required parameters - enableDefaultTelemetry: '' - managedIdentities: { - systemAssigned: true - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "csmmin001" - }, - "primaryAgentPoolProfile": { - "value": [ - { - "count": 1, - "mode": "System", - "name": "systempool", - "vmSize": "Standard_DS2_v2" - } - ] - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "managedIdentities": { - "value": { - "systemAssigned": true - } - } - } -} -``` - -
-

- -### Example 3: _Kubenet_ - -

- -via Bicep module - -```bicep -module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-csmkube' - params: { - // Required parameters - name: 'csmkube001' - primaryAgentPoolProfile: [ - { - availabilityZones: [ - '3' - ] - count: 1 - enableAutoScaling: true - maxCount: 3 - maxPods: 30 - minCount: 1 - mode: 'System' - name: 'systempool' - osDiskSizeGB: 0 - osType: 'Linux' - serviceCidr: '' - storageProfile: 'ManagedDisks' - type: 'VirtualMachineScaleSets' - vmSize: 'Standard_DS2_v2' - } - ] - // Non-required parameters - agentPools: [ - { - availabilityZones: [ - '3' - ] - count: 2 - enableAutoScaling: true - maxCount: 3 - maxPods: 30 - minCount: 1 - minPods: 2 - mode: 'User' - name: 'userpool1' - nodeLabels: {} - nodeTaints: [ - 'CriticalAddonsOnly=true:NoSchedule' - ] - osDiskSizeGB: 128 - osType: 'Linux' - scaleSetEvictionPolicy: 'Delete' - scaleSetPriority: 'Regular' - storageProfile: 'ManagedDisks' - type: 'VirtualMachineScaleSets' - vmSize: 'Standard_DS2_v2' - } - { - availabilityZones: [ - '3' - ] - count: 2 - enableAutoScaling: true - maxCount: 3 - maxPods: 30 - minCount: 1 - minPods: 2 - mode: 'User' - name: 'userpool2' - nodeLabels: {} - nodeTaints: [ - 'CriticalAddonsOnly=true:NoSchedule' - ] - osDiskSizeGB: 128 - osType: 'Linux' - scaleSetEvictionPolicy: 'Delete' - scaleSetPriority: 'Regular' - storageProfile: 'ManagedDisks' - type: 'VirtualMachineScaleSets' - vmSize: 'Standard_DS2_v2' - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - networkPlugin: 'kubenet' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - 
principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "csmkube001" - }, - "primaryAgentPoolProfile": { - "value": [ - { - "availabilityZones": [ - "3" - ], - "count": 1, - "enableAutoScaling": true, - "maxCount": 3, - "maxPods": 30, - "minCount": 1, - "mode": "System", - "name": "systempool", - "osDiskSizeGB": 0, - "osType": "Linux", - "serviceCidr": "", - "storageProfile": "ManagedDisks", - "type": "VirtualMachineScaleSets", - "vmSize": "Standard_DS2_v2" - } - ] - }, - // Non-required parameters - "agentPools": { - "value": [ - { - "availabilityZones": [ - "3" - ], - "count": 2, - "enableAutoScaling": true, - "maxCount": 3, - "maxPods": 30, - "minCount": 1, - "minPods": 2, - "mode": "User", - "name": "userpool1", - "nodeLabels": {}, - "nodeTaints": [ - "CriticalAddonsOnly=true:NoSchedule" - ], - "osDiskSizeGB": 128, - "osType": "Linux", - "scaleSetEvictionPolicy": "Delete", - "scaleSetPriority": "Regular", - "storageProfile": "ManagedDisks", - "type": "VirtualMachineScaleSets", - "vmSize": "Standard_DS2_v2" - }, - { - "availabilityZones": [ - "3" - ], - "count": 2, - "enableAutoScaling": true, - "maxCount": 3, - "maxPods": 30, - "minCount": 1, - "minPods": 2, - "mode": "User", - "name": "userpool2", - "nodeLabels": {}, - "nodeTaints": [ - "CriticalAddonsOnly=true:NoSchedule" - ], - "osDiskSizeGB": 128, - "osType": "Linux", - "scaleSetEvictionPolicy": "Delete", - "scaleSetPriority": "Regular", - "storageProfile": "ManagedDisks", - "type": "VirtualMachineScaleSets", - "vmSize": "Standard_DS2_v2" - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - 
"enableDefaultTelemetry": { - "value": "" - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "networkPlugin": { - "value": "kubenet" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 4: _Priv_ - -

- -via Bicep module - -```bicep -module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-csmpriv' - params: { - // Required parameters - name: 'csmpriv001' - primaryAgentPoolProfile: [ - { - availabilityZones: [ - '3' - ] - count: 1 - enableAutoScaling: true - maxCount: 3 - maxPods: 30 - minCount: 1 - mode: 'System' - name: 'systempool' - osDiskSizeGB: 0 - osType: 'Linux' - serviceCidr: '' - storageProfile: 'ManagedDisks' - type: 'VirtualMachineScaleSets' - vmSize: 'Standard_DS2_v2' - vnetSubnetID: '' - } - ] - // Non-required parameters - agentPools: [ - { - availabilityZones: [ - '3' - ] - count: 2 - enableAutoScaling: true - maxCount: 3 - maxPods: 30 - minCount: 1 - minPods: 2 - mode: 'User' - name: 'userpool1' - nodeLabels: {} - nodeTaints: [ - 'CriticalAddonsOnly=true:NoSchedule' - ] - osDiskSizeGB: 128 - osType: 'Linux' - scaleSetEvictionPolicy: 'Delete' - scaleSetPriority: 'Regular' - storageProfile: 'ManagedDisks' - type: 'VirtualMachineScaleSets' - vmSize: 'Standard_DS2_v2' - vnetSubnetID: '' - } - { - availabilityZones: [ - '3' - ] - count: 2 - enableAutoScaling: true - maxCount: 3 - maxPods: 30 - minCount: 1 - minPods: 2 - mode: 'User' - name: 'userpool2' - nodeLabels: {} - nodeTaints: [ - 'CriticalAddonsOnly=true:NoSchedule' - ] - osDiskSizeGB: 128 - osType: 'Linux' - scaleSetEvictionPolicy: 'Delete' - scaleSetPriority: 'Regular' - storageProfile: 'ManagedDisks' - type: 'VirtualMachineScaleSets' - vmSize: 'Standard_DS2_v2' - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - dnsServiceIP: '10.10.200.10' - enableDefaultTelemetry: '' - enablePrivateCluster: true - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - networkPlugin: 'azure' - privateDNSZone: '' - 
serviceCidr: '10.10.200.0/24' - skuTier: 'Standard' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "csmpriv001" - }, - "primaryAgentPoolProfile": { - "value": [ - { - "availabilityZones": [ - "3" - ], - "count": 1, - "enableAutoScaling": true, - "maxCount": 3, - "maxPods": 30, - "minCount": 1, - "mode": "System", - "name": "systempool", - "osDiskSizeGB": 0, - "osType": "Linux", - "serviceCidr": "", - "storageProfile": "ManagedDisks", - "type": "VirtualMachineScaleSets", - "vmSize": "Standard_DS2_v2", - "vnetSubnetID": "" - } - ] - }, - // Non-required parameters - "agentPools": { - "value": [ - { - "availabilityZones": [ - "3" - ], - "count": 2, - "enableAutoScaling": true, - "maxCount": 3, - "maxPods": 30, - "minCount": 1, - "minPods": 2, - "mode": "User", - "name": "userpool1", - "nodeLabels": {}, - "nodeTaints": [ - "CriticalAddonsOnly=true:NoSchedule" - ], - "osDiskSizeGB": 128, - "osType": "Linux", - "scaleSetEvictionPolicy": "Delete", - "scaleSetPriority": "Regular", - "storageProfile": "ManagedDisks", - "type": "VirtualMachineScaleSets", - "vmSize": "Standard_DS2_v2", - "vnetSubnetID": "" - }, - { - "availabilityZones": [ - "3" - ], - "count": 2, - "enableAutoScaling": true, - "maxCount": 3, - "maxPods": 30, - "minCount": 1, - "minPods": 2, - "mode": "User", - "name": "userpool2", - "nodeLabels": {}, - "nodeTaints": [ - "CriticalAddonsOnly=true:NoSchedule" - ], - "osDiskSizeGB": 128, - "osType": "Linux", - "scaleSetEvictionPolicy": "Delete", - "scaleSetPriority": "Regular", - "storageProfile": "ManagedDisks", - "type": "VirtualMachineScaleSets", - "vmSize": "Standard_DS2_v2" - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - 
"workspaceResourceId": "" - } - ] - }, - "dnsServiceIP": { - "value": "10.10.200.10" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "enablePrivateCluster": { - "value": true - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "networkPlugin": { - "value": "azure" - }, - "privateDNSZone": { - "value": "" - }, - "serviceCidr": { - "value": "10.10.200.0/24" - }, - "skuTier": { - "value": "Standard" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Specifies the name of the AKS cluster. | -| [`primaryAgentPoolProfile`](#parameter-primaryagentpoolprofile) | array | Properties of the primary agent pool. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`aksServicePrincipalProfile`](#parameter-aksserviceprincipalprofile) | object | Information about a service principal identity for the cluster to use for manipulating Azure APIs. Required if no managed identities are assigned to the cluster. | -| [`appGatewayResourceId`](#parameter-appgatewayresourceid) | string | Specifies the resource ID of connected application gateway. Required if `ingressApplicationGatewayEnabled` is set to `true`. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`aadProfileAdminGroupObjectIDs`](#parameter-aadprofileadmingroupobjectids) | array | Specifies the AAD group object IDs that will have admin role of the cluster. | -| [`aadProfileClientAppID`](#parameter-aadprofileclientappid) | string | The client AAD application ID. | -| [`aadProfileEnableAzureRBAC`](#parameter-aadprofileenableazurerbac) | bool | Specifies whether to enable Azure RBAC for Kubernetes authorization. | -| [`aadProfileManaged`](#parameter-aadprofilemanaged) | bool | Specifies whether to enable managed AAD integration. | -| [`aadProfileServerAppID`](#parameter-aadprofileserverappid) | string | The server AAD application ID. | -| [`aadProfileServerAppSecret`](#parameter-aadprofileserverappsecret) | string | The server AAD application secret. | -| [`aadProfileTenantId`](#parameter-aadprofiletenantid) | string | Specifies the tenant ID of the Azure Active Directory used by the AKS cluster for authentication. 
| -| [`aciConnectorLinuxEnabled`](#parameter-aciconnectorlinuxenabled) | bool | Specifies whether the aciConnectorLinux add-on is enabled or not. | -| [`adminUsername`](#parameter-adminusername) | string | Specifies the administrator username of Linux virtual machines. | -| [`agentPools`](#parameter-agentpools) | array | Define one or more secondary/additional agent pools. | -| [`authorizedIPRanges`](#parameter-authorizedipranges) | array | IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer. | -| [`autoScalerProfileBalanceSimilarNodeGroups`](#parameter-autoscalerprofilebalancesimilarnodegroups) | string | Specifies the balance of similar node groups for the auto-scaler of the AKS cluster. | -| [`autoScalerProfileExpander`](#parameter-autoscalerprofileexpander) | string | Specifies the expand strategy for the auto-scaler of the AKS cluster. | -| [`autoScalerProfileMaxEmptyBulkDelete`](#parameter-autoscalerprofilemaxemptybulkdelete) | string | Specifies the maximum empty bulk delete for the auto-scaler of the AKS cluster. | -| [`autoScalerProfileMaxGracefulTerminationSec`](#parameter-autoscalerprofilemaxgracefulterminationsec) | string | Specifies the max graceful termination time interval in seconds for the auto-scaler of the AKS cluster. | -| [`autoScalerProfileMaxNodeProvisionTime`](#parameter-autoscalerprofilemaxnodeprovisiontime) | string | Specifies the maximum node provisioning time for the auto-scaler of the AKS cluster. Values must be an integer followed by an "m". No unit of time other than minutes (m) is supported. | -| [`autoScalerProfileMaxTotalUnreadyPercentage`](#parameter-autoscalerprofilemaxtotalunreadypercentage) | string | Specifies the mximum total unready percentage for the auto-scaler of the AKS cluster. The maximum is 100 and the minimum is 0. 
|
-| [`autoScalerProfileNewPodScaleUpDelay`](#parameter-autoscalerprofilenewpodscaleupdelay) | string | For scenarios like burst/batch scale where you do not want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they are a certain age. Values must be an integer followed by a unit ("s" for seconds, "m" for minutes, "h" for hours, etc). |
-| [`autoScalerProfileOkTotalUnreadyCount`](#parameter-autoscalerprofileoktotalunreadycount) | string | Specifies the OK total unready count for the auto-scaler of the AKS cluster. |
-| [`autoScalerProfileScaleDownDelayAfterAdd`](#parameter-autoscalerprofilescaledowndelayafteradd) | string | Specifies the scale down delay after add of the auto-scaler of the AKS cluster. |
-| [`autoScalerProfileScaleDownDelayAfterDelete`](#parameter-autoscalerprofilescaledowndelayafterdelete) | string | Specifies the scale down delay after delete of the auto-scaler of the AKS cluster. |
-| [`autoScalerProfileScaleDownDelayAfterFailure`](#parameter-autoscalerprofilescaledowndelayafterfailure) | string | Specifies scale down delay after failure of the auto-scaler of the AKS cluster. |
-| [`autoScalerProfileScaleDownUnneededTime`](#parameter-autoscalerprofilescaledownunneededtime) | string | Specifies the scale down unneeded time of the auto-scaler of the AKS cluster. |
-| [`autoScalerProfileScaleDownUnreadyTime`](#parameter-autoscalerprofilescaledownunreadytime) | string | Specifies the scale down unready time of the auto-scaler of the AKS cluster. |
-| [`autoScalerProfileScanInterval`](#parameter-autoscalerprofilescaninterval) | string | Specifies the scan interval of the auto-scaler of the AKS cluster. |
-| [`autoScalerProfileSkipNodesWithLocalStorage`](#parameter-autoscalerprofileskipnodeswithlocalstorage) | string | Specifies if nodes with local storage should be skipped for the auto-scaler of the AKS cluster. |
-| [`autoScalerProfileSkipNodesWithSystemPods`](#parameter-autoscalerprofileskipnodeswithsystempods) | string | Specifies if nodes with system pods should be skipped for the auto-scaler of the AKS cluster. |
-| [`autoScalerProfileUtilizationThreshold`](#parameter-autoscalerprofileutilizationthreshold) | string | Specifies the utilization threshold of the auto-scaler of the AKS cluster. |
-| [`autoUpgradeProfileUpgradeChannel`](#parameter-autoupgradeprofileupgradechannel) | string | Auto-upgrade channel on the AKS cluster. |
-| [`azurePolicyEnabled`](#parameter-azurepolicyenabled) | bool | Specifies whether the azurepolicy add-on is enabled or not. For security reasons, this setting should be enabled. |
-| [`azurePolicyVersion`](#parameter-azurepolicyversion) | string | Specifies the azure policy version to use. |
-| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition. |
-| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. |
-| [`disableLocalAccounts`](#parameter-disablelocalaccounts) | bool | If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. |
-| [`disableRunCommand`](#parameter-disableruncommand) | bool | Whether to disable run command for the cluster or not. |
-| [`diskEncryptionSetID`](#parameter-diskencryptionsetid) | string | The resource ID of the disc encryption set to apply to the cluster. For security reasons, this value should be provided. |
-| [`dnsPrefix`](#parameter-dnsprefix) | string | Specifies the DNS prefix specified when creating the managed cluster. |
-| [`dnsServiceIP`](#parameter-dnsserviceip) | string | Specifies the IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. |
-| [`dnsZoneResourceId`](#parameter-dnszoneresourceid) | string | Specifies the resource ID of connected DNS zone. It will be ignored if `webApplicationRoutingEnabled` is set to `false`. |
-| [`enableAzureDefender`](#parameter-enableazuredefender) | bool | Whether to enable Azure Defender. |
-| [`enableAzureMonitorProfileMetrics`](#parameter-enableazuremonitorprofilemetrics) | bool | Whether the metrics profile for the Azure Monitor managed service for Prometheus addon is enabled. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`enableDnsZoneContributorRoleAssignment`](#parameter-enablednszonecontributorroleassignment) | bool | Specifies whether assing the DNS zone contributor role to the cluster service principal. It will be ignored if `webApplicationRoutingEnabled` is set to `false` or `dnsZoneResourceId` not provided. |
-| [`enableKeyvaultSecretsProvider`](#parameter-enablekeyvaultsecretsprovider) | bool | Specifies whether the KeyvaultSecretsProvider add-on is enabled or not. |
-| [`enableOidcIssuerProfile`](#parameter-enableoidcissuerprofile) | bool | Whether the The OIDC issuer profile of the Managed Cluster is enabled. |
-| [`enablePodSecurityPolicy`](#parameter-enablepodsecuritypolicy) | bool | Whether to enable Kubernetes pod security policy. Requires enabling the pod security policy feature flag on the subscription. |
-| [`enablePrivateCluster`](#parameter-enableprivatecluster) | bool | Specifies whether to create the cluster as a private cluster or not. |
-| [`enablePrivateClusterPublicFQDN`](#parameter-enableprivateclusterpublicfqdn) | bool | Whether to create additional public FQDN for private cluster or not. |
-| [`enableRBAC`](#parameter-enablerbac) | bool | Whether to enable Kubernetes Role-Based Access Control. |
-| [`enableSecretRotation`](#parameter-enablesecretrotation) | string | Specifies whether the KeyvaultSecretsProvider add-on uses secret rotation. |
-| [`enableStorageProfileBlobCSIDriver`](#parameter-enablestorageprofileblobcsidriver) | bool | Whether the AzureBlob CSI Driver for the storage profile is enabled. |
-| [`enableStorageProfileDiskCSIDriver`](#parameter-enablestorageprofilediskcsidriver) | bool | Whether the AzureDisk CSI Driver for the storage profile is enabled. |
-| [`enableStorageProfileFileCSIDriver`](#parameter-enablestorageprofilefilecsidriver) | bool | Whether the AzureFile CSI Driver for the storage profile is enabled. |
-| [`enableStorageProfileSnapshotController`](#parameter-enablestorageprofilesnapshotcontroller) | bool | Whether the snapshot controller for the storage profile is enabled. |
-| [`enableWorkloadIdentity`](#parameter-enableworkloadidentity) | bool | Whether to enable Workload Identity. Requires OIDC issuer profile to be enabled. |
-| [`fluxConfigurationProtectedSettings`](#parameter-fluxconfigurationprotectedsettings) | secureObject | Configuration settings that are sensitive, as name-value pairs for configuring this extension. |
-| [`fluxExtension`](#parameter-fluxextension) | object | Settings and configurations for the flux extension. |
-| [`httpApplicationRoutingEnabled`](#parameter-httpapplicationroutingenabled) | bool | Specifies whether the httpApplicationRouting add-on is enabled or not. |
-| [`httpProxyConfig`](#parameter-httpproxyconfig) | object | Configurations for provisioning the cluster with HTTP proxy servers. |
-| [`identityProfile`](#parameter-identityprofile) | object | Identities associated with the cluster. |
-| [`ingressApplicationGatewayEnabled`](#parameter-ingressapplicationgatewayenabled) | bool | Specifies whether the ingressApplicationGateway (AGIC) add-on is enabled or not. |
-| [`kubeDashboardEnabled`](#parameter-kubedashboardenabled) | bool | Specifies whether the kubeDashboard add-on is enabled or not. |
-| [`kubernetesVersion`](#parameter-kubernetesversion) | string | Version of Kubernetes specified when creating the managed cluster. |
-| [`loadBalancerSku`](#parameter-loadbalancersku) | string | Specifies the sku of the load balancer used by the virtual machine scale sets used by nodepools. |
-| [`location`](#parameter-location) | string | Specifies the location of AKS cluster. It picks up Resource Group's location by default. |
-| [`lock`](#parameter-lock) | object | The lock settings of the service. |
-| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both. |
-| [`managedOutboundIPCount`](#parameter-managedoutboundipcount) | int | Outbound IP Count for the Load balancer. |
-| [`metricAnnotationsAllowList`](#parameter-metricannotationsallowlist) | string | A comma-separated list of Kubernetes annotation keys. |
-| [`metricLabelsAllowlist`](#parameter-metriclabelsallowlist) | string | A comma-separated list of additional Kubernetes label keys. |
-| [`monitoringWorkspaceId`](#parameter-monitoringworkspaceid) | string | Resource ID of the monitoring log analytics workspace. |
-| [`networkDataplane`](#parameter-networkdataplane) | string | Network dataplane used in the Kubernetes cluster. Not compatible with kubenet network plugin. |
-| [`networkPlugin`](#parameter-networkplugin) | string | Specifies the network plugin used for building Kubernetes network. |
-| [`networkPluginMode`](#parameter-networkpluginmode) | string | Network plugin mode used for building the Kubernetes network. Not compatible with kubenet network plugin. |
-| [`networkPolicy`](#parameter-networkpolicy) | string | Specifies the network policy used for building Kubernetes network. - calico or azure. |
-| [`nodeResourceGroup`](#parameter-noderesourcegroup) | string | Name of the resource group containing agent pool nodes. |
-| [`omsAgentEnabled`](#parameter-omsagentenabled) | bool | Specifies whether the OMS agent is enabled. |
-| [`openServiceMeshEnabled`](#parameter-openservicemeshenabled) | bool | Specifies whether the openServiceMesh add-on is enabled or not. |
-| [`outboundType`](#parameter-outboundtype) | string | Specifies outbound (egress) routing method. - loadBalancer or userDefinedRouting. |
-| [`podCidr`](#parameter-podcidr) | string | Specifies the CIDR notation IP range from which to assign pod IPs when kubenet is used. |
-| [`podIdentityProfileAllowNetworkPluginKubenet`](#parameter-podidentityprofileallownetworkpluginkubenet) | bool | Running in Kubenet is disabled by default due to the security related nature of AAD Pod Identity and the risks of IP spoofing. |
-| [`podIdentityProfileEnable`](#parameter-podidentityprofileenable) | bool | Whether the pod identity addon is enabled. |
-| [`podIdentityProfileUserAssignedIdentities`](#parameter-podidentityprofileuserassignedidentities) | array | The pod identities to use in the cluster. |
-| [`podIdentityProfileUserAssignedIdentityExceptions`](#parameter-podidentityprofileuserassignedidentityexceptions) | array | The pod identity exceptions to allow. |
-| [`privateDNSZone`](#parameter-privatednszone) | string | Private DNS Zone configuration. Set to 'system' and AKS will create a private DNS zone in the node resource group. Set to '' to disable private DNS Zone creation and use public DNS. Supply the resource ID here of an existing Private DNS zone to use an existing zone. |
-| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
-| [`serviceCidr`](#parameter-servicecidr) | string | A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. |
-| [`skuTier`](#parameter-skutier) | string | Tier of a managed cluster SKU. - Free or Standard. |
-| [`sshPublicKey`](#parameter-sshpublickey) | string | Specifies the SSH RSA public key string for the Linux nodes. |
-| [`supportPlan`](#parameter-supportplan) | string | The support plan for the Managed Cluster. |
-| [`tags`](#parameter-tags) | object | Tags of the resource. |
-| [`webApplicationRoutingEnabled`](#parameter-webapplicationroutingenabled) | bool | Specifies whether the webApplicationRoutingEnabled add-on is enabled or not. |
-
-### Parameter: `name`
-
-Specifies the name of the AKS cluster.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `primaryAgentPoolProfile`
-
-Properties of the primary agent pool.
-
-- Required: Yes
-- Type: array
-
-### Parameter: `aksServicePrincipalProfile`
-
-Information about a service principal identity for the cluster to use for manipulating Azure APIs. Required if no managed identities are assigned to the cluster.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `appGatewayResourceId`
-
-Specifies the resource ID of connected application gateway. Required if `ingressApplicationGatewayEnabled` is set to `true`.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `aadProfileAdminGroupObjectIDs`
-
-Specifies the AAD group object IDs that will have admin role of the cluster.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `aadProfileClientAppID`
-
-The client AAD application ID.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `aadProfileEnableAzureRBAC`
-
-Specifies whether to enable Azure RBAC for Kubernetes authorization.
-
-- Required: No
-- Type: bool
-- Default: `[parameters('enableRBAC')]`
-
-### Parameter: `aadProfileManaged`
-
-Specifies whether to enable managed AAD integration.
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `aadProfileServerAppID`
-
-The server AAD application ID.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `aadProfileServerAppSecret`
-
-The server AAD application secret.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `aadProfileTenantId`
-
-Specifies the tenant ID of the Azure Active Directory used by the AKS cluster for authentication.
-
-- Required: No
-- Type: string
-- Default: `[subscription().tenantId]`
-
-### Parameter: `aciConnectorLinuxEnabled`
-
-Specifies whether the aciConnectorLinux add-on is enabled or not.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `adminUsername`
-
-Specifies the administrator username of Linux virtual machines.
-
-- Required: No
-- Type: string
-- Default: `'azureuser'`
-
-### Parameter: `agentPools`
-
-Define one or more secondary/additional agent pools.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `authorizedIPRanges`
-
-IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `autoScalerProfileBalanceSimilarNodeGroups`
-
-Specifies the balance of similar node groups for the auto-scaler of the AKS cluster.
-
-- Required: No
-- Type: string
-- Default: `'false'`
-- Allowed:
- ```Bicep
- [
- 'false'
- 'true'
- ]
- ```
-
-### Parameter: `autoScalerProfileExpander`
-
-Specifies the expand strategy for the auto-scaler of the AKS cluster.
-
-- Required: No
-- Type: string
-- Default: `'random'`
-- Allowed:
- ```Bicep
- [
- 'least-waste'
- 'most-pods'
- 'priority'
- 'random'
- ]
- ```
-
-### Parameter: `autoScalerProfileMaxEmptyBulkDelete`
-
-Specifies the maximum empty bulk delete for the auto-scaler of the AKS cluster.
-
-- Required: No
-- Type: string
-- Default: `'10'`
-
-### Parameter: `autoScalerProfileMaxGracefulTerminationSec`
-
-Specifies the max graceful termination time interval in seconds for the auto-scaler of the AKS cluster.
-
-- Required: No
-- Type: string
-- Default: `'600'`
-
-### Parameter: `autoScalerProfileMaxNodeProvisionTime`
-
-Specifies the maximum node provisioning time for the auto-scaler of the AKS cluster. Values must be an integer followed by an "m". No unit of time other than minutes (m) is supported.
-
-- Required: No
-- Type: string
-- Default: `'15m'`
-
-### Parameter: `autoScalerProfileMaxTotalUnreadyPercentage`
-
-Specifies the mximum total unready percentage for the auto-scaler of the AKS cluster. The maximum is 100 and the minimum is 0.
-
-- Required: No
-- Type: string
-- Default: `'45'`
-
-### Parameter: `autoScalerProfileNewPodScaleUpDelay`
-
-For scenarios like burst/batch scale where you do not want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they are a certain age. Values must be an integer followed by a unit ("s" for seconds, "m" for minutes, "h" for hours, etc).
-
-- Required: No
-- Type: string
-- Default: `'0s'`
-
-### Parameter: `autoScalerProfileOkTotalUnreadyCount`
-
-Specifies the OK total unready count for the auto-scaler of the AKS cluster.
-
-- Required: No
-- Type: string
-- Default: `'3'`
-
-### Parameter: `autoScalerProfileScaleDownDelayAfterAdd`
-
-Specifies the scale down delay after add of the auto-scaler of the AKS cluster.
-
-- Required: No
-- Type: string
-- Default: `'10m'`
-
-### Parameter: `autoScalerProfileScaleDownDelayAfterDelete`
-
-Specifies the scale down delay after delete of the auto-scaler of the AKS cluster.
-
-- Required: No
-- Type: string
-- Default: `'20s'`
-
-### Parameter: `autoScalerProfileScaleDownDelayAfterFailure`
-
-Specifies scale down delay after failure of the auto-scaler of the AKS cluster.
-
-- Required: No
-- Type: string
-- Default: `'3m'`
-
-### Parameter: `autoScalerProfileScaleDownUnneededTime`
-
-Specifies the scale down unneeded time of the auto-scaler of the AKS cluster.
-
-- Required: No
-- Type: string
-- Default: `'10m'`
-
-### Parameter: `autoScalerProfileScaleDownUnreadyTime`
-
-Specifies the scale down unready time of the auto-scaler of the AKS cluster.
-
-- Required: No
-- Type: string
-- Default: `'20m'`
-
-### Parameter: `autoScalerProfileScanInterval`
-
-Specifies the scan interval of the auto-scaler of the AKS cluster.
-
-- Required: No
-- Type: string
-- Default: `'10s'`
-
-### Parameter: `autoScalerProfileSkipNodesWithLocalStorage`
-
-Specifies if nodes with local storage should be skipped for the auto-scaler of the AKS cluster.
-
-- Required: No
-- Type: string
-- Default: `'true'`
-- Allowed:
- ```Bicep
- [
- 'false'
- 'true'
- ]
- ```
-
-### Parameter: `autoScalerProfileSkipNodesWithSystemPods`
-
-Specifies if nodes with system pods should be skipped for the auto-scaler of the AKS cluster.
-
-- Required: No
-- Type: string
-- Default: `'true'`
-- Allowed:
- ```Bicep
- [
- 'false'
- 'true'
- ]
- ```
-
-### Parameter: `autoScalerProfileUtilizationThreshold`
-
-Specifies the utilization threshold of the auto-scaler of the AKS cluster.
-
-- Required: No
-- Type: string
-- Default: `'0.5'`
-
-### Parameter: `autoUpgradeProfileUpgradeChannel`
-
-Auto-upgrade channel on the AKS cluster.
-
-- Required: No
-- Type: string
-- Default: `''`
-- Allowed:
- ```Bicep
- [
- ''
- 'node-image'
- 'none'
- 'patch'
- 'rapid'
- 'stable'
- ]
- ```
-
-### Parameter: `azurePolicyEnabled`
-
-Specifies whether the azurepolicy add-on is enabled or not. For security reasons, this setting should be enabled.
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `azurePolicyVersion`
-
-Specifies the azure policy version to use.
-
-- Required: No
-- Type: string
-- Default: `'v2'`
-
-### Parameter: `customerManagedKey`
-
-The customer managed key definition.
-
-- Required: No
-- Type: object
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. |
-| [`keyVaultNetworkAccess`](#parameter-customermanagedkeykeyvaultnetworkaccess) | string | Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public. |
-| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. |
-
-### Parameter: `customerManagedKey.keyName`
-
-The name of the customer managed key to use for encryption.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `customerManagedKey.keyVaultNetworkAccess`
-
-Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public.
-
-- Required: Yes
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Private'
- 'Public'
- ]
- ```
-
-### Parameter: `customerManagedKey.keyVaultResourceId`
-
-The resource ID of a key vault to reference a customer managed key for encryption from.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `customerManagedKey.keyVersion`
-
-The version of the customer managed key to reference for encryption. If not provided, using 'latest'.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings`
-
-The diagnostic settings of the service.
-
-- Required: No
-- Type: array
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
-| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. |
-| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. |
-| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. |
-| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-
-### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId`
-
-Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.eventHubName`
-
-Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.logAnalyticsDestinationType`
-
-A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'AzureDiagnostics'
- 'Dedicated'
- ]
- ```
-
-### Parameter: `diagnosticSettings.logCategoriesAndGroups`
-
-The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
-
-- Required: No
-- Type: array
-
-### Parameter: `diagnosticSettings.marketplacePartnerResourceId`
-
-The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.metricCategories`
-
-The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
-
-- Required: No
-- Type: array
-
-### Parameter: `diagnosticSettings.name`
-
-The name of diagnostic setting.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.storageAccountResourceId`
-
-Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.workspaceResourceId`
-
-Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-
-- Required: No
-- Type: string
-
-### Parameter: `disableLocalAccounts`
-
-If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `disableRunCommand`
-
-Whether to disable run command for the cluster or not.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `diskEncryptionSetID`
-
-The resource ID of the disc encryption set to apply to the cluster. For security reasons, this value should be provided.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `dnsPrefix`
-
-Specifies the DNS prefix specified when creating the managed cluster.
-
-- Required: No
-- Type: string
-- Default: `[parameters('name')]`
-
-### Parameter: `dnsServiceIP`
-
-Specifies the IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `dnsZoneResourceId`
-
-Specifies the resource ID of connected DNS zone. It will be ignored if `webApplicationRoutingEnabled` is set to `false`.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `enableAzureDefender`
-
-Whether to enable Azure Defender.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `enableAzureMonitorProfileMetrics`
-
-Whether the metrics profile for the Azure Monitor managed service for Prometheus addon is enabled.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `enableDnsZoneContributorRoleAssignment`
-
-Specifies whether assing the DNS zone contributor role to the cluster service principal. It will be ignored if `webApplicationRoutingEnabled` is set to `false` or `dnsZoneResourceId` not provided.
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `enableKeyvaultSecretsProvider`
-
-Specifies whether the KeyvaultSecretsProvider add-on is enabled or not.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `enableOidcIssuerProfile`
-
-Whether the The OIDC issuer profile of the Managed Cluster is enabled.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `enablePodSecurityPolicy`
-
-Whether to enable Kubernetes pod security policy. Requires enabling the pod security policy feature flag on the subscription.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `enablePrivateCluster`
-
-Specifies whether to create the cluster as a private cluster or not.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `enablePrivateClusterPublicFQDN`
-
-Whether to create additional public FQDN for private cluster or not.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `enableRBAC`
-
-Whether to enable Kubernetes Role-Based Access Control.
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `enableSecretRotation`
-
-Specifies whether the KeyvaultSecretsProvider add-on uses secret rotation.
-
-- Required: No
-- Type: string
-- Default: `'false'`
-- Allowed:
- ```Bicep
- [
- 'false'
- 'true'
- ]
- ```
-
-### Parameter: `enableStorageProfileBlobCSIDriver`
-
-Whether the AzureBlob CSI Driver for the storage profile is enabled.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `enableStorageProfileDiskCSIDriver`
-
-Whether the AzureDisk CSI Driver for the storage profile is enabled.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `enableStorageProfileFileCSIDriver`
-
-Whether the AzureFile CSI Driver for the storage profile is enabled.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `enableStorageProfileSnapshotController`
-
-Whether the snapshot controller for the storage profile is enabled.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `enableWorkloadIdentity`
-
-Whether to enable Workload Identity. Requires OIDC issuer profile to be enabled.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `fluxConfigurationProtectedSettings`
-
-Configuration settings that are sensitive, as name-value pairs for configuring this extension.
-
-- Required: No
-- Type: secureObject
-- Default: `{}`
-
-### Parameter: `fluxExtension`
-
-Settings and configurations for the flux extension.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `httpApplicationRoutingEnabled`
-
-Specifies whether the httpApplicationRouting add-on is enabled or not.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `httpProxyConfig`
-
-Configurations for provisioning the cluster with HTTP proxy servers.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `identityProfile`
-
-Identities associated with the cluster.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `ingressApplicationGatewayEnabled`
-
-Specifies whether the ingressApplicationGateway (AGIC) add-on is enabled or not.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `kubeDashboardEnabled`
-
-Specifies whether the kubeDashboard add-on is enabled or not.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `kubernetesVersion`
-
-Version of Kubernetes specified when creating the managed cluster.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `loadBalancerSku`
-
-Specifies the sku of the load balancer used by the virtual machine scale sets used by nodepools.
-
-- Required: No
-- Type: string
-- Default: `'standard'`
-- Allowed:
- ```Bicep
- [
- 'basic'
- 'standard'
- ]
- ```
-
-### Parameter: `location`
-
-Specifies the location of AKS cluster. It picks up Resource Group's location by default.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-### Parameter: `lock`
-
-The lock settings of the service.
-
-- Required: No
-- Type: object
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`kind`](#parameter-lockkind) | string | Specify the type of lock. |
-| [`name`](#parameter-lockname) | string | Specify the name of lock. |
-
-### Parameter: `lock.kind`
-
-Specify the type of lock.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'CanNotDelete'
- 'None'
- 'ReadOnly'
- ]
- ```
-
-### Parameter: `lock.name`
-
-Specify the name of lock.
-
-- Required: No
-- Type: string
-
-### Parameter: `managedIdentities`
-
-The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both.
-
-- Required: No
-- Type: object
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. |
-| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. |
-
-### Parameter: `managedIdentities.systemAssigned`
-
-Enables system assigned managed identity on the resource.
-
-- Required: No
-- Type: bool
-
-### Parameter: `managedIdentities.userAssignedResourceIds`
-
-The resource ID(s) to assign to the resource.
-
-- Required: No
-- Type: array
-
-### Parameter: `managedOutboundIPCount`
-
-Outbound IP Count for the Load balancer.
-
-- Required: No
-- Type: int
-- Default: `0`
-
-### Parameter: `metricAnnotationsAllowList`
-
-A comma-separated list of Kubernetes annotation keys.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `metricLabelsAllowlist`
-
-A comma-separated list of additional Kubernetes label keys.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `monitoringWorkspaceId`
-
-Resource ID of the monitoring log analytics workspace.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `networkDataplane`
-
-Network dataplane used in the Kubernetes cluster. Not compatible with kubenet network plugin.
-
-- Required: No
-- Type: string
-- Default: `''`
-- Allowed:
- ```Bicep
- [
- ''
- 'azure'
- 'cilium'
- ]
- ```
-
-### Parameter: `networkPlugin`
-
-Specifies the network plugin used for building Kubernetes network.
-
-- Required: No
-- Type: string
-- Default: `''`
-- Allowed:
- ```Bicep
- [
- ''
- 'azure'
- 'kubenet'
- ]
- ```
-
-### Parameter: `networkPluginMode`
-
-Network plugin mode used for building the Kubernetes network. Not compatible with kubenet network plugin.
-
-- Required: No
-- Type: string
-- Default: `''`
-- Allowed:
- ```Bicep
- [
- ''
- 'overlay'
- ]
- ```
-
-### Parameter: `networkPolicy`
-
-Specifies the network policy used for building Kubernetes network. - calico or azure.
-
-- Required: No
-- Type: string
-- Default: `''`
-- Allowed:
- ```Bicep
- [
- ''
- 'azure'
- 'calico'
- ]
- ```
-
-### Parameter: `nodeResourceGroup`
-
-Name of the resource group containing agent pool nodes.
-
-- Required: No
-- Type: string
-- Default: `[format('{0}_aks_{1}_nodes', resourceGroup().name, parameters('name'))]`
-
-### Parameter: `omsAgentEnabled`
-
-Specifies whether the OMS agent is enabled.
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `openServiceMeshEnabled`
-
-Specifies whether the openServiceMesh add-on is enabled or not.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `outboundType`
-
-Specifies outbound (egress) routing method. - loadBalancer or userDefinedRouting.
-
-- Required: No
-- Type: string
-- Default: `'loadBalancer'`
-- Allowed:
- ```Bicep
- [
- 'loadBalancer'
- 'userDefinedRouting'
- ]
- ```
-
-### Parameter: `podCidr`
-
-Specifies the CIDR notation IP range from which to assign pod IPs when kubenet is used.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `podIdentityProfileAllowNetworkPluginKubenet`
-
-Running in Kubenet is disabled by default due to the security related nature of AAD Pod Identity and the risks of IP spoofing.
- -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `podIdentityProfileEnable` - -Whether the pod identity addon is enabled. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `podIdentityProfileUserAssignedIdentities` - -The pod identities to use in the cluster. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `podIdentityProfileUserAssignedIdentityExceptions` - -The pod identity exceptions to allow. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `privateDNSZone` - -Private DNS Zone configuration. Set to 'system' and AKS will create a private DNS zone in the node resource group. Set to '' to disable private DNS Zone creation and use public DNS. Supply the resource ID here of an existing Private DNS zone to use an existing zone. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. 
- -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `serviceCidr` - -A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `skuTier` - -Tier of a managed cluster SKU. - Free or Standard. - -- Required: No -- Type: string -- Default: `'Free'` -- Allowed: - ```Bicep - [ - 'Free' - 'Premium' - 'Standard' - ] - ``` - -### Parameter: `sshPublicKey` - -Specifies the SSH RSA public key string for the Linux nodes. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `supportPlan` - -The support plan for the Managed Cluster. - -- Required: No -- Type: string -- Default: `'KubernetesOfficial'` -- Allowed: - ```Bicep - [ - 'AKSLongTermSupport' - 'KubernetesOfficial' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `webApplicationRoutingEnabled` - -Specifies whether the webApplicationRoutingEnabled add-on is enabled or not. - -- Required: No -- Type: bool -- Default: `False` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `addonProfiles` | object | The addonProfiles of the Kubernetes cluster. | -| `controlPlaneFQDN` | string | The control plane FQDN of the managed cluster. | -| `ingressApplicationGatewayIdentityObjectId` | string | The Object ID of Application Gateway Ingress Controller (AGIC) identity. | -| `keyvaultIdentityClientId` | string | The Client ID of the Key Vault Secrets Provider identity. | -| `keyvaultIdentityObjectId` | string | The Object ID of the Key Vault Secrets Provider identity. | -| `kubeletidentityObjectId` | string | The Object ID of the AKS identity. 
| -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the managed cluster. | -| `oidcIssuerUrl` | string | The OIDC token issuer URL. | -| `omsagentIdentityObjectId` | string | The Object ID of the OMS agent identity. | -| `resourceGroupName` | string | The resource group the managed cluster was deployed into. | -| `resourceId` | string | The resource ID of the managed cluster. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | -| `webAppRoutingIdentityObjectId` | string | The Object ID of Web Application Routing. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `modules/kubernetes-configuration/extension` | Local reference | -| `modules/kubernetes-configuration/flux-configuration` | Local reference | - -## Notes - -### Parameter Usage: `httpProxyConfig` - -Configurations for provisioning the cluster with HTTP proxy servers. You can specify in the following format: - -

- -Parameter JSON format - -```json -"httpProxyConfig": { - "value": { - "httpProxy": "http://proxy.contoso.com:8080/", - "httpsProxy": "http://proxy.contoso.com:8080/", - "noProxy": [ - "10.0.0.0/8", - "127.0.0.1", - "168.63.129.16", - "169.254.169.254", - "azurecr.io", - "konnectivity", - "localhost" - ] - } -} -``` - -
- -
- -Bicep format - -```bicep -httpProxyConfig: { - httpProxy: 'http://proxy.contoso.com:8080/' - httpsProxy: 'http://proxy.contoso.com:8080/' - noProxy: [ - '10.0.0.0/8' - '127.0.0.1' - '168.63.129.16' - '169.254.169.254' - 'azurecr.io' - 'konnectivity' - 'localhost' - ] -} -``` - -
-

+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/container-service/managed-cluster/agent-pool/README.md b/modules/container-service/managed-cluster/agent-pool/README.md
deleted file mode 100644
index 5519e82572..0000000000
--- a/modules/container-service/managed-cluster/agent-pool/README.md
+++ /dev/null
@@ -1,435 +0,0 @@ -# Azure Kubernetes Service (AKS) Managed Cluster Agent Pools `[Microsoft.ContainerService/managedClusters/agentPools]` - -This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.ContainerService/managedClusters/agentPools` | [2023-07-02-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2023-07-02-preview/managedClusters/agentPools) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the agent pool. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`managedClusterName`](#parameter-managedclustername) | string | The name of the parent managed cluster. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`availabilityZones`](#parameter-availabilityzones) | array | The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is "VirtualMachineScaleSets". | -| [`count`](#parameter-count) | int | Desired Number of agents (VMs) specified to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1. | -| [`enableAutoScaling`](#parameter-enableautoscaling) | bool | Whether to enable auto-scaler. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). 
| -| [`enableEncryptionAtHost`](#parameter-enableencryptionathost) | bool | This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption. For security reasons, this setting should be enabled. | -| [`enableFIPS`](#parameter-enablefips) | bool | See Add a FIPS-enabled node pool (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#add-a-fips-enabled-node-pool-preview) for more details. | -| [`enableNodePublicIP`](#parameter-enablenodepublicip) | bool | Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools). | -| [`enableUltraSSD`](#parameter-enableultrassd) | bool | Whether to enable UltraSSD. | -| [`gpuInstanceProfile`](#parameter-gpuinstanceprofile) | string | GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU. | -| [`kubeletDiskType`](#parameter-kubeletdisktype) | string | Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage. | -| [`maxCount`](#parameter-maxcount) | int | The maximum number of nodes for auto-scaling. | -| [`maxPods`](#parameter-maxpods) | int | The maximum number of pods that can run on a node. | -| [`maxSurge`](#parameter-maxsurge) | string | This can either be set to an integer (e.g. "5") or a percentage (e.g. "50%"). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 1. For more information, including best practices, see: /azure/aks/upgrade-cluster#customize-node-surge-upgrade. 
| -| [`minCount`](#parameter-mincount) | int | The minimum number of nodes for auto-scaling. | -| [`mode`](#parameter-mode) | string | A cluster must have at least one "System" Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: /azure/aks/use-system-pools. | -| [`nodeLabels`](#parameter-nodelabels) | object | The node labels to be persisted across all nodes in agent pool. | -| [`nodePublicIpPrefixId`](#parameter-nodepublicipprefixid) | string | ResourceId of the node PublicIPPrefix. | -| [`nodeTaints`](#parameter-nodetaints) | array | The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule. | -| [`orchestratorVersion`](#parameter-orchestratorversion) | string | As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see upgrading a node pool (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#upgrade-a-node-pool). | -| [`osDiskSizeGB`](#parameter-osdisksizegb) | int | OS Disk Size in GB to be used to specify the disk size for every machine in the master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified. | -| [`osDiskType`](#parameter-osdisktype) | string | The default is "Ephemeral" if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to "Managed". May not be changed after creation. For more information see Ephemeral OS (https://learn.microsoft.com/en-us/azure/aks/cluster-configuration#ephemeral-os). | -| [`osSku`](#parameter-ossku) | string | Specifies the OS SKU used by the agent pool. The default is Ubuntu if OSType is Linux. 
The default is Windows2019 when Kubernetes <= 1.24 or Windows2022 when Kubernetes >= 1.25 if OSType is Windows. | -| [`osType`](#parameter-ostype) | string | The operating system type. The default is Linux. | -| [`podSubnetId`](#parameter-podsubnetid) | string | Subnet ID for the pod IPs. If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}. | -| [`proximityPlacementGroupResourceId`](#parameter-proximityplacementgroupresourceid) | string | The ID for the Proximity Placement Group. | -| [`scaleDownMode`](#parameter-scaledownmode) | string | Describes how VMs are added to or removed from Agent Pools. See billing states (https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing). | -| [`scaleSetEvictionPolicy`](#parameter-scalesetevictionpolicy) | string | The eviction policy specifies what to do with the VM when it is evicted. The default is Delete. For more information about eviction see spot VMs. | -| [`scaleSetPriority`](#parameter-scalesetpriority) | string | The Virtual Machine Scale Set priority. | -| [`sourceResourceId`](#parameter-sourceresourceid) | string | This is the ARM ID of the source object to be used to create the target object. | -| [`spotMaxPrice`](#parameter-spotmaxprice) | int | Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing (https://learn.microsoft.com/en-us/azure/virtual-machines/spot-vms#pricing). | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`type`](#parameter-type) | string | The type of Agent Pool. | -| [`vmSize`](#parameter-vmsize) | string | VM size. VM size availability varies by region. 
If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. For more details on restricted VM sizes, see: /azure/aks/quotas-skus-regions. | -| [`vnetSubnetId`](#parameter-vnetsubnetid) | string | Node Subnet ID. If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}. | -| [`workloadRuntime`](#parameter-workloadruntime) | string | Determines the type of workload a node can run. | - -### Parameter: `name` - -Name of the agent pool. - -- Required: Yes -- Type: string - -### Parameter: `managedClusterName` - -The name of the parent managed cluster. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `availabilityZones` - -The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is "VirtualMachineScaleSets". - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `count` - -Desired Number of agents (VMs) specified to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1. - -- Required: No -- Type: int -- Default: `1` - -### Parameter: `enableAutoScaling` - -Whether to enable auto-scaler. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableEncryptionAtHost` - -This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption. 
For security reasons, this setting should be enabled. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enableFIPS` - -See Add a FIPS-enabled node pool (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#add-a-fips-enabled-node-pool-preview) for more details. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enableNodePublicIP` - -Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools). - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enableUltraSSD` - -Whether to enable UltraSSD. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `gpuInstanceProfile` - -GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'MIG1g' - 'MIG2g' - 'MIG3g' - 'MIG4g' - 'MIG7g' - ] - ``` - -### Parameter: `kubeletDiskType` - -Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `maxCount` - -The maximum number of nodes for auto-scaling. - -- Required: No -- Type: int -- Default: `-1` - -### Parameter: `maxPods` - -The maximum number of pods that can run on a node. - -- Required: No -- Type: int -- Default: `-1` - -### Parameter: `maxSurge` - -This can either be set to an integer (e.g. "5") or a percentage (e.g. "50%"). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. 
If not specified, the default is 1. For more information, including best practices, see: /azure/aks/upgrade-cluster#customize-node-surge-upgrade. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `minCount` - -The minimum number of nodes for auto-scaling. - -- Required: No -- Type: int -- Default: `-1` - -### Parameter: `mode` - -A cluster must have at least one "System" Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: /azure/aks/use-system-pools. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `nodeLabels` - -The node labels to be persisted across all nodes in agent pool. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `nodePublicIpPrefixId` - -ResourceId of the node PublicIPPrefix. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `nodeTaints` - -The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `orchestratorVersion` - -As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see upgrading a node pool (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#upgrade-a-node-pool). - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `osDiskSizeGB` - -OS Disk Size in GB to be used to specify the disk size for every machine in the master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified. 
- -- Required: No -- Type: int -- Default: `0` - -### Parameter: `osDiskType` - -The default is "Ephemeral" if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to "Managed". May not be changed after creation. For more information see Ephemeral OS (https://learn.microsoft.com/en-us/azure/aks/cluster-configuration#ephemeral-os). - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Ephemeral' - 'Managed' - ] - ``` - -### Parameter: `osSku` - -Specifies the OS SKU used by the agent pool. The default is Ubuntu if OSType is Linux. The default is Windows2019 when Kubernetes <= 1.24 or Windows2022 when Kubernetes >= 1.25 if OSType is Windows. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'AzureLinux' - 'CBLMariner' - 'Ubuntu' - 'Windows2019' - 'Windows2022' - ] - ``` - -### Parameter: `osType` - -The operating system type. The default is Linux. - -- Required: No -- Type: string -- Default: `'Linux'` -- Allowed: - ```Bicep - [ - 'Linux' - 'Windows' - ] - ``` - -### Parameter: `podSubnetId` - -Subnet ID for the pod IPs. If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `proximityPlacementGroupResourceId` - -The ID for the Proximity Placement Group. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `scaleDownMode` - -Describes how VMs are added to or removed from Agent Pools. See billing states (https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing). 
- -- Required: No -- Type: string -- Default: `'Delete'` -- Allowed: - ```Bicep - [ - 'Deallocate' - 'Delete' - ] - ``` - -### Parameter: `scaleSetEvictionPolicy` - -The eviction policy specifies what to do with the VM when it is evicted. The default is Delete. For more information about eviction see spot VMs. - -- Required: No -- Type: string -- Default: `'Delete'` -- Allowed: - ```Bicep - [ - 'Deallocate' - 'Delete' - ] - ``` - -### Parameter: `scaleSetPriority` - -The Virtual Machine Scale Set priority. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Regular' - 'Spot' - ] - ``` - -### Parameter: `sourceResourceId` - -This is the ARM ID of the source object to be used to create the target object. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `spotMaxPrice` - -Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing (https://learn.microsoft.com/en-us/azure/virtual-machines/spot-vms#pricing). - -- Required: No -- Type: int -- Default: `-1` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `type` - -The type of Agent Pool. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `vmSize` - -VM size. VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. For more details on restricted VM sizes, see: /azure/aks/quotas-skus-regions. - -- Required: No -- Type: string -- Default: `'Standard_D2s_v3'` - -### Parameter: `vnetSubnetId` - -Node Subnet ID. If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. 
This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `workloadRuntime` - -Determines the type of workload a node can run. - -- Required: No -- Type: string -- Default: `''` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the agent pool. | -| `resourceGroupName` | string | The resource group the agent pool was deployed into. | -| `resourceId` | string | The resource ID of the agent pool. | - -## Cross-referenced modules - -_None_ diff --git a/modules/container-service/managed-cluster/agent-pool/main.bicep b/modules/container-service/managed-cluster/agent-pool/main.bicep deleted file mode 100644 index aae427dcdc..0000000000 --- a/modules/container-service/managed-cluster/agent-pool/main.bicep +++ /dev/null 
@@ -1,228 +0,0 @@
-metadata name = 'Azure Kubernetes Service (AKS) Managed Cluster Agent Pools'
-metadata description = 'This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent managed cluster. Required if the template is used in a standalone deployment.')
-param managedClusterName string
-
-@description('Required. Name of the agent pool.')
-param name string
-
-@description('Optional. The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is "VirtualMachineScaleSets".')
-param availabilityZones array = []
-
-@description('Optional. Desired Number of agents (VMs) specified to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1.')
-@minValue(0)
-@maxValue(1000)
-param count int = 1
-
-@description('Optional. This is the ARM ID of the source object to be used to create the target object.')
-param sourceResourceId string = ''
-
-@description('Optional. Whether to enable auto-scaler.')
-param enableAutoScaling bool = false
-
-@description('Optional. This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption. For security reasons, this setting should be enabled.')
-param enableEncryptionAtHost bool = false
-
-@description('Optional. See Add a FIPS-enabled node pool (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#add-a-fips-enabled-node-pool-preview) for more details.')
-param enableFIPS bool = false
-
-@description('Optional. Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools).')
-param enableNodePublicIP bool = false
-
-@description('Optional. Whether to enable UltraSSD.')
-param enableUltraSSD bool = false
-
-@description('Optional. GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU.')
-@allowed([
- 'MIG1g'
- 'MIG2g'
- 'MIG3g'
- 'MIG4g'
- 'MIG7g'
- ''
-])
-param gpuInstanceProfile string = ''
-
-@description('Optional. Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage.')
-param kubeletDiskType string = ''
-
-@description('Optional. The maximum number of nodes for auto-scaling.')
-param maxCount int = -1
-
-@description('Optional. The maximum number of pods that can run on a node.')
-param maxPods int = -1
-
-@description('Optional. The minimum number of nodes for auto-scaling.')
-param minCount int = -1
-
-@description('Optional. A cluster must have at least one "System" Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: /azure/aks/use-system-pools.')
-param mode string = ''
-
-@description('Optional. The node labels to be persisted across all nodes in agent pool.')
-param nodeLabels object = {}
-
-@description('Optional. ResourceId of the node PublicIPPrefix.')
-param nodePublicIpPrefixId string = ''
-
-@description('Optional. The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule.')
-param nodeTaints array = []
-
-@description('Optional. As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see upgrading a node pool (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#upgrade-a-node-pool).')
-param orchestratorVersion string = ''
-
-@description('Optional. OS Disk Size in GB to be used to specify the disk size for every machine in the master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified.')
-param osDiskSizeGB int = 0
-
-@description('Optional. The default is "Ephemeral" if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to "Managed". May not be changed after creation. For more information see Ephemeral OS (https://learn.microsoft.com/en-us/azure/aks/cluster-configuration#ephemeral-os).')
-@allowed([
- 'Ephemeral'
- 'Managed'
- ''
-])
-param osDiskType string = ''
-
-@description('Optional. Specifies the OS SKU used by the agent pool. The default is Ubuntu if OSType is Linux. The default is Windows2019 when Kubernetes <= 1.24 or Windows2022 when Kubernetes >= 1.25 if OSType is Windows.')
-@allowed([
- 'AzureLinux'
- 'CBLMariner'
- 'Ubuntu'
- 'Windows2019'
- 'Windows2022'
- ''
-])
-param osSku string = ''
-
-@description('Optional. The operating system type. The default is Linux.')
-@allowed([
- 'Linux'
- 'Windows'
-])
-param osType string = 'Linux'
-
-@description('Optional. Subnet ID for the pod IPs. If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}.')
-param podSubnetId string = ''
-
-@description('Optional. The ID for the Proximity Placement Group.')
-param proximityPlacementGroupResourceId string = ''
-
-@description('Optional. Describes how VMs are added to or removed from Agent Pools. See billing states (https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing).')
-@allowed([
- 'Deallocate'
- 'Delete'
-])
-param scaleDownMode string = 'Delete'
-
-@description('Optional. The eviction policy specifies what to do with the VM when it is evicted. The default is Delete. For more information about eviction see spot VMs.')
-@allowed([
- 'Deallocate'
- 'Delete'
-])
-param scaleSetEvictionPolicy string = 'Delete'
-
-@description('Optional. The Virtual Machine Scale Set priority.')
-@allowed([
- 'Regular'
- 'Spot'
- ''
-])
-param scaleSetPriority string = ''
-
-@description('Optional. Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing (https://learn.microsoft.com/en-us/azure/virtual-machines/spot-vms#pricing).')
-param spotMaxPrice int = -1
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. The type of Agent Pool.')
-param type string = ''
-
-@description('Optional. This can either be set to an integer (e.g. "5") or a percentage (e.g. "50%"). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 1. For more information, including best practices, see: /azure/aks/upgrade-cluster#customize-node-surge-upgrade.')
-param maxSurge string = ''
-
-@description('Optional. VM size. VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. For more details on restricted VM sizes, see: /azure/aks/quotas-skus-regions.')
-param vmSize string = 'Standard_D2s_v3'
-
-@description('Optional. Node Subnet ID. If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}.')
-param vnetSubnetId string = ''
-
-@description('Optional. Determines the type of workload a node can run.')
-param workloadRuntime string = ''
-
-var creationData = {
- sourceResourceId: !empty(sourceResourceId) ? sourceResourceId : null
-}
-
-var upgradeSettings = {
- maxSurge: maxSurge
-}
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource managedCluster 'Microsoft.ContainerService/managedClusters@2023-07-02-preview' existing = {
- name: managedClusterName
-}
-
-resource agentPool 'Microsoft.ContainerService/managedClusters/agentPools@2023-07-02-preview' = {
- name: name
- parent: managedCluster
- properties: {
- availabilityZones: availabilityZones
- count: count
- creationData: !empty(sourceResourceId) ? creationData : null
- enableAutoScaling: enableAutoScaling
- enableEncryptionAtHost: enableEncryptionAtHost
- enableFIPS: enableFIPS
- enableNodePublicIP: enableNodePublicIP
- enableUltraSSD: enableUltraSSD
- gpuInstanceProfile: !empty(gpuInstanceProfile) ? any(gpuInstanceProfile) : null
- kubeletDiskType: kubeletDiskType
- maxCount: maxCount != -1 ? maxCount : null
- maxPods: maxPods != -1 ? maxPods : null
- minCount: minCount != -1 ? minCount : null
- mode: !empty(mode) ? mode : null
- nodeLabels: nodeLabels
- nodePublicIPPrefixID: !empty(nodePublicIpPrefixId) ? nodePublicIpPrefixId : null
- nodeTaints: nodeTaints
- orchestratorVersion: orchestratorVersion
- osDiskSizeGB: osDiskSizeGB != -1 ? osDiskSizeGB : null
- osDiskType: !empty(osDiskType) ? any(osDiskType) : null
- osSKU: !empty(osSku) ? any(osSku) : null
- osType: osType
- podSubnetID: !empty(podSubnetId) ? podSubnetId : null
- proximityPlacementGroupID: !empty(proximityPlacementGroupResourceId) ? proximityPlacementGroupResourceId : null
- scaleDownMode: scaleDownMode
- scaleSetEvictionPolicy: scaleSetEvictionPolicy
- scaleSetPriority: !empty(scaleSetPriority) ? any(scaleSetPriority) : null
- spotMaxPrice: spotMaxPrice
- tags: tags
- type: type
- upgradeSettings: upgradeSettings
- vmSize: vmSize
- vnetSubnetID: vnetSubnetId
- workloadRuntime: workloadRuntime
- }
-}
-
-@description('The name of the agent pool.')
-output name string = agentPool.name
-
-@description('The resource ID of the agent pool.')
-output resourceId string = agentPool.id
-
-@description('The resource group the agent pool was deployed into.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/container-service/managed-cluster/agent-pool/main.json b/modules/container-service/managed-cluster/agent-pool/main.json
deleted file mode 100644
index cf0f53629b..0000000000
--- a/modules/container-service/managed-cluster/agent-pool/main.json
+++ /dev/null
@@ -1,411 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13811832596066396545" - }, - "name": "Azure Kubernetes Service (AKS) Managed Cluster Agent Pools", - "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "managedClusterName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent managed cluster. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the agent pool." - } - }, - "availabilityZones": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is \"VirtualMachineScaleSets\"." - } - }, - "count": { - "type": "int", - "defaultValue": 1, - "minValue": 0, - "maxValue": 1000, - "metadata": { - "description": "Optional. Desired Number of agents (VMs) specified to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1." - } - }, - "sourceResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. This is the ARM ID of the source object to be used to create the target object." - } - }, - "enableAutoScaling": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether to enable auto-scaler." - } - }, - "enableEncryptionAtHost": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. 
This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption. For security reasons, this setting should be enabled." - } - }, - "enableFIPS": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. See Add a FIPS-enabled node pool (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#add-a-fips-enabled-node-pool-preview) for more details." - } - }, - "enableNodePublicIP": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools)." - } - }, - "enableUltraSSD": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether to enable UltraSSD." - } - }, - "gpuInstanceProfile": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "MIG1g", - "MIG2g", - "MIG3g", - "MIG4g", - "MIG7g", - "" - ], - "metadata": { - "description": "Optional. GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU." - } - }, - "kubeletDiskType": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage." - } - }, - "maxCount": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. The maximum number of nodes for auto-scaling." - } - }, - "maxPods": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. The maximum number of pods that can run on a node." 
- } - }, - "minCount": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. The minimum number of nodes for auto-scaling." - } - }, - "mode": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. A cluster must have at least one \"System\" Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: /azure/aks/use-system-pools." - } - }, - "nodeLabels": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The node labels to be persisted across all nodes in agent pool." - } - }, - "nodePublicIpPrefixId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. ResourceId of the node PublicIPPrefix." - } - }, - "nodeTaints": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule." - } - }, - "orchestratorVersion": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see upgrading a node pool (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#upgrade-a-node-pool)." - } - }, - "osDiskSizeGB": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. OS Disk Size in GB to be used to specify the disk size for every machine in the master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified." 
- } - }, - "osDiskType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "Ephemeral", - "Managed", - "" - ], - "metadata": { - "description": "Optional. The default is \"Ephemeral\" if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to \"Managed\". May not be changed after creation. For more information see Ephemeral OS (https://learn.microsoft.com/en-us/azure/aks/cluster-configuration#ephemeral-os)." - } - }, - "osSku": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "AzureLinux", - "CBLMariner", - "Ubuntu", - "Windows2019", - "Windows2022", - "" - ], - "metadata": { - "description": "Optional. Specifies the OS SKU used by the agent pool. The default is Ubuntu if OSType is Linux. The default is Windows2019 when Kubernetes <= 1.24 or Windows2022 when Kubernetes >= 1.25 if OSType is Windows." - } - }, - "osType": { - "type": "string", - "defaultValue": "Linux", - "allowedValues": [ - "Linux", - "Windows" - ], - "metadata": { - "description": "Optional. The operating system type. The default is Linux." - } - }, - "podSubnetId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Subnet ID for the pod IPs. If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}." - } - }, - "proximityPlacementGroupResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The ID for the Proximity Placement Group." - } - }, - "scaleDownMode": { - "type": "string", - "defaultValue": "Delete", - "allowedValues": [ - "Deallocate", - "Delete" - ], - "metadata": { - "description": "Optional. Describes how VMs are added to or removed from Agent Pools. 
See billing states (https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing)." - } - }, - "scaleSetEvictionPolicy": { - "type": "string", - "defaultValue": "Delete", - "allowedValues": [ - "Deallocate", - "Delete" - ], - "metadata": { - "description": "Optional. The eviction policy specifies what to do with the VM when it is evicted. The default is Delete. For more information about eviction see spot VMs." - } - }, - "scaleSetPriority": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "Regular", - "Spot", - "" - ], - "metadata": { - "description": "Optional. The Virtual Machine Scale Set priority." - } - }, - "spotMaxPrice": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing (https://learn.microsoft.com/en-us/azure/virtual-machines/spot-vms#pricing)." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "type": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The type of Agent Pool." - } - }, - "maxSurge": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. This can either be set to an integer (e.g. \"5\") or a percentage (e.g. \"50%\"). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 1. For more information, including best practices, see: /azure/aks/upgrade-cluster#customize-node-surge-upgrade." - } - }, - "vmSize": { - "type": "string", - "defaultValue": "Standard_D2s_v3", - "metadata": { - "description": "Optional. VM size. VM size availability varies by region. 
If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. For more details on restricted VM sizes, see: /azure/aks/quotas-skus-regions." - } - }, - "vnetSubnetId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Node Subnet ID. If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}." - } - }, - "workloadRuntime": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Determines the type of workload a node can run." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "creationData": { - "sourceResourceId": "[if(not(empty(parameters('sourceResourceId'))), parameters('sourceResourceId'), null())]" - }, - "upgradeSettings": { - "maxSurge": "[parameters('maxSurge')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "managedCluster": { - "existing": true, - "type": "Microsoft.ContainerService/managedClusters", - "apiVersion": "2023-07-02-preview", - "name": "[parameters('managedClusterName')]" - }, - "agentPool": { - "type": "Microsoft.ContainerService/managedClusters/agentPools", - "apiVersion": "2023-07-02-preview", - "name": "[format('{0}/{1}', parameters('managedClusterName'), parameters('name'))]", - "properties": { - "availabilityZones": "[parameters('availabilityZones')]", - "count": "[parameters('count')]", - "creationData": "[if(not(empty(parameters('sourceResourceId'))), variables('creationData'), null())]", - "enableAutoScaling": "[parameters('enableAutoScaling')]", - "enableEncryptionAtHost": "[parameters('enableEncryptionAtHost')]", - "enableFIPS": "[parameters('enableFIPS')]", - "enableNodePublicIP": "[parameters('enableNodePublicIP')]", - "enableUltraSSD": "[parameters('enableUltraSSD')]", - "gpuInstanceProfile": "[if(not(empty(parameters('gpuInstanceProfile'))), parameters('gpuInstanceProfile'), null())]", - "kubeletDiskType": "[parameters('kubeletDiskType')]", - "maxCount": "[if(not(equals(parameters('maxCount'), -1)), parameters('maxCount'), null())]", - "maxPods": "[if(not(equals(parameters('maxPods'), -1)), parameters('maxPods'), 
null())]", - "minCount": "[if(not(equals(parameters('minCount'), -1)), parameters('minCount'), null())]", - "mode": "[if(not(empty(parameters('mode'))), parameters('mode'), null())]", - "nodeLabels": "[parameters('nodeLabels')]", - "nodePublicIPPrefixID": "[if(not(empty(parameters('nodePublicIpPrefixId'))), parameters('nodePublicIpPrefixId'), null())]", - "nodeTaints": "[parameters('nodeTaints')]", - "orchestratorVersion": "[parameters('orchestratorVersion')]", - "osDiskSizeGB": "[if(not(equals(parameters('osDiskSizeGB'), -1)), parameters('osDiskSizeGB'), null())]", - "osDiskType": "[if(not(empty(parameters('osDiskType'))), parameters('osDiskType'), null())]", - "osSKU": "[if(not(empty(parameters('osSku'))), parameters('osSku'), null())]", - "osType": "[parameters('osType')]", - "podSubnetID": "[if(not(empty(parameters('podSubnetId'))), parameters('podSubnetId'), null())]", - "proximityPlacementGroupID": "[if(not(empty(parameters('proximityPlacementGroupResourceId'))), parameters('proximityPlacementGroupResourceId'), null())]", - "scaleDownMode": "[parameters('scaleDownMode')]", - "scaleSetEvictionPolicy": "[parameters('scaleSetEvictionPolicy')]", - "scaleSetPriority": "[if(not(empty(parameters('scaleSetPriority'))), parameters('scaleSetPriority'), null())]", - "spotMaxPrice": "[parameters('spotMaxPrice')]", - "tags": "[parameters('tags')]", - "type": "[parameters('type')]", - "upgradeSettings": "[variables('upgradeSettings')]", - "vmSize": "[parameters('vmSize')]", - "vnetSubnetID": "[parameters('vnetSubnetId')]", - "workloadRuntime": "[parameters('workloadRuntime')]" - }, - "dependsOn": [ - "managedCluster" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the agent pool." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the agent pool." 
- }, - "value": "[resourceId('Microsoft.ContainerService/managedClusters/agentPools', parameters('managedClusterName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the agent pool was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/container-service/managed-cluster/agent-pool/version.json b/modules/container-service/managed-cluster/agent-pool/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/container-service/managed-cluster/agent-pool/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/container-service/managed-cluster/main.bicep b/modules/container-service/managed-cluster/main.bicep deleted file mode 100644 index ea5c89b3af..0000000000 --- a/modules/container-service/managed-cluster/main.bicep +++ /dev/null 
@@ -1,864 +0,0 @@
-metadata name = 'Azure Kubernetes Service (AKS) Managed Clusters'
-metadata description = 'This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Specifies the name of the AKS cluster.')
-param name string
-
-@description('Optional. Specifies the location of AKS cluster. It picks up Resource Group\'s location by default.')
-param location string = resourceGroup().location
-
-@description('Optional. Specifies the DNS prefix specified when creating the managed cluster.')
-param dnsPrefix string = name
-
-@description('Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both.')
-param managedIdentities managedIdentitiesType
-
-@description('Optional. Network dataplane used in the Kubernetes cluster. Not compatible with kubenet network plugin.')
-@allowed([
- ''
- 'azure'
- 'cilium'
-])
-param networkDataplane string = ''
-
-@description('Optional. Specifies the network plugin used for building Kubernetes network.')
-@allowed([
- ''
- 'azure'
- 'kubenet'
-])
-param networkPlugin string = ''
-
-@description('Optional. Network plugin mode used for building the Kubernetes network. Not compatible with kubenet network plugin.')
-@allowed([
- ''
- 'overlay'
-])
-param networkPluginMode string = ''
-
-@description('Optional. Specifies the network policy used for building Kubernetes network. - calico or azure.')
-@allowed([
- ''
- 'azure'
- 'calico'
-])
-param networkPolicy string = ''
-
-@description('Optional. Specifies the CIDR notation IP range from which to assign pod IPs when kubenet is used.')
-param podCidr string = ''
-
-@description('Optional. A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges.')
-param serviceCidr string = ''
-
-@description('Optional.
Specifies the IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr.')
-param dnsServiceIP string = ''
-
-@description('Optional. Specifies the sku of the load balancer used by the virtual machine scale sets used by nodepools.')
-@allowed([
- 'basic'
- 'standard'
-])
-param loadBalancerSku string = 'standard'
-
-@description('Optional. Outbound IP Count for the Load balancer.')
-param managedOutboundIPCount int = 0
-
-@description('Optional. Specifies outbound (egress) routing method. - loadBalancer or userDefinedRouting.')
-@allowed([
- 'loadBalancer'
- 'userDefinedRouting'
-])
-param outboundType string = 'loadBalancer'
-
-@description('Optional. Tier of a managed cluster SKU. - Free or Standard.')
-@allowed([
- 'Free'
- 'Premium'
- 'Standard'
-])
-param skuTier string = 'Free'
-
-@description('Optional. Version of Kubernetes specified when creating the managed cluster.')
-param kubernetesVersion string = ''
-
-@description('Optional. Specifies the administrator username of Linux virtual machines.')
-param adminUsername string = 'azureuser'
-
-@description('Optional. Specifies the SSH RSA public key string for the Linux nodes.')
-param sshPublicKey string = ''
-
-@description('Conditional. Information about a service principal identity for the cluster to use for manipulating Azure APIs. Required if no managed identities are assigned to the cluster.')
-param aksServicePrincipalProfile object = {}
-
-@description('Optional. The client AAD application ID.')
-param aadProfileClientAppID string = ''
-
-@description('Optional. The server AAD application ID.')
-param aadProfileServerAppID string = ''
-
-@description('Optional. The server AAD application secret.')
-#disable-next-line secure-secrets-in-params // Not a secret
-param aadProfileServerAppSecret string = ''
-
-@description('Optional.
Specifies the tenant ID of the Azure Active Directory used by the AKS cluster for authentication.')
-param aadProfileTenantId string = subscription().tenantId
-
-@description('Optional. Specifies the AAD group object IDs that will have admin role of the cluster.')
-param aadProfileAdminGroupObjectIDs array = []
-
-@description('Optional. Specifies whether to enable managed AAD integration.')
-param aadProfileManaged bool = true
-
-@description('Optional. Whether to enable Kubernetes Role-Based Access Control.')
-param enableRBAC bool = true
-
-@description('Optional. Specifies whether to enable Azure RBAC for Kubernetes authorization.')
-param aadProfileEnableAzureRBAC bool = enableRBAC
-
-@description('Optional. If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled.')
-param disableLocalAccounts bool = false
-
-@description('Optional. Name of the resource group containing agent pool nodes.')
-param nodeResourceGroup string = '${resourceGroup().name}_aks_${name}_nodes'
-
-@description('Optional. IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer.')
-param authorizedIPRanges array = []
-
-@description('Optional. Whether to disable run command for the cluster or not.')
-param disableRunCommand bool = false
-
-@description('Optional. Specifies whether to create the cluster as a private cluster or not.')
-param enablePrivateCluster bool = false
-
-@description('Optional. Whether to create additional public FQDN for private cluster or not.')
-param enablePrivateClusterPublicFQDN bool = false
-
-@description('Optional. Private DNS Zone configuration. Set to \'system\' and AKS will create a private DNS zone in the node resource group. Set to \'\' to disable private DNS Zone creation and use public DNS.
Supply the resource ID here of an existing Private DNS zone to use an existing zone.')
-param privateDNSZone string = ''
-
-@description('Required. Properties of the primary agent pool.')
-param primaryAgentPoolProfile array
-
-@description('Optional. Define one or more secondary/additional agent pools.')
-param agentPools array = []
-
-@description('Optional. Specifies whether the httpApplicationRouting add-on is enabled or not.')
-param httpApplicationRoutingEnabled bool = false
-
-@description('Optional. Specifies whether the webApplicationRoutingEnabled add-on is enabled or not.')
-param webApplicationRoutingEnabled bool = false
-
-@description('Optional. Specifies the resource ID of connected DNS zone. It will be ignored if `webApplicationRoutingEnabled` is set to `false`.')
-param dnsZoneResourceId string = ''
-
-@description('Optional. Specifies whether assing the DNS zone contributor role to the cluster service principal. It will be ignored if `webApplicationRoutingEnabled` is set to `false` or `dnsZoneResourceId` not provided.')
-param enableDnsZoneContributorRoleAssignment bool = true
-
-@description('Optional. Specifies whether the ingressApplicationGateway (AGIC) add-on is enabled or not.')
-param ingressApplicationGatewayEnabled bool = false
-
-@description('Conditional. Specifies the resource ID of connected application gateway. Required if `ingressApplicationGatewayEnabled` is set to `true`.')
-param appGatewayResourceId string = ''
-
-@description('Optional. Specifies whether the aciConnectorLinux add-on is enabled or not.')
-param aciConnectorLinuxEnabled bool = false
-
-@description('Optional. Specifies whether the azurepolicy add-on is enabled or not. For security reasons, this setting should be enabled.')
-param azurePolicyEnabled bool = true
-
-@description('Optional. Specifies whether the openServiceMesh add-on is enabled or not.')
-param openServiceMeshEnabled bool = false
-
-@description('Optional.
Specifies the azure policy version to use.')
-param azurePolicyVersion string = 'v2'
-
-@description('Optional. Specifies whether the kubeDashboard add-on is enabled or not.')
-param kubeDashboardEnabled bool = false
-
-@description('Optional. Specifies whether the KeyvaultSecretsProvider add-on is enabled or not.')
-#disable-next-line secure-secrets-in-params // Not a secret
-param enableKeyvaultSecretsProvider bool = false
-
-@allowed([
- 'false'
- 'true'
-])
-@description('Optional. Specifies whether the KeyvaultSecretsProvider add-on uses secret rotation.')
-#disable-next-line secure-secrets-in-params // Not a secret
-param enableSecretRotation string = 'false'
-
-@description('Optional. Specifies the scan interval of the auto-scaler of the AKS cluster.')
-param autoScalerProfileScanInterval string = '10s'
-
-@description('Optional. Specifies the scale down delay after add of the auto-scaler of the AKS cluster.')
-param autoScalerProfileScaleDownDelayAfterAdd string = '10m'
-
-@description('Optional. Specifies the scale down delay after delete of the auto-scaler of the AKS cluster.')
-param autoScalerProfileScaleDownDelayAfterDelete string = '20s'
-
-@description('Optional. Specifies scale down delay after failure of the auto-scaler of the AKS cluster.')
-param autoScalerProfileScaleDownDelayAfterFailure string = '3m'
-
-@description('Optional. Specifies the scale down unneeded time of the auto-scaler of the AKS cluster.')
-param autoScalerProfileScaleDownUnneededTime string = '10m'
-
-@description('Optional. Specifies the scale down unready time of the auto-scaler of the AKS cluster.')
-param autoScalerProfileScaleDownUnreadyTime string = '20m'
-
-@description('Optional. Specifies the utilization threshold of the auto-scaler of the AKS cluster.')
-param autoScalerProfileUtilizationThreshold string = '0.5'
-
-@description('Optional.
Specifies the max graceful termination time interval in seconds for the auto-scaler of the AKS cluster.')
-param autoScalerProfileMaxGracefulTerminationSec string = '600'
-
-@allowed([
- 'false'
- 'true'
-])
-@description('Optional. Specifies the balance of similar node groups for the auto-scaler of the AKS cluster.')
-param autoScalerProfileBalanceSimilarNodeGroups string = 'false'
-
-@allowed([
- 'least-waste'
- 'most-pods'
- 'priority'
- 'random'
-])
-@description('Optional. Specifies the expand strategy for the auto-scaler of the AKS cluster.')
-param autoScalerProfileExpander string = 'random'
-
-@description('Optional. Specifies the maximum empty bulk delete for the auto-scaler of the AKS cluster.')
-param autoScalerProfileMaxEmptyBulkDelete string = '10'
-
-@description('Optional. Specifies the maximum node provisioning time for the auto-scaler of the AKS cluster. Values must be an integer followed by an "m". No unit of time other than minutes (m) is supported.')
-param autoScalerProfileMaxNodeProvisionTime string = '15m'
-
-@description('Optional. Specifies the mximum total unready percentage for the auto-scaler of the AKS cluster. The maximum is 100 and the minimum is 0.')
-param autoScalerProfileMaxTotalUnreadyPercentage string = '45'
-
-@description('Optional. For scenarios like burst/batch scale where you do not want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they are a certain age. Values must be an integer followed by a unit ("s" for seconds, "m" for minutes, "h" for hours, etc).')
-param autoScalerProfileNewPodScaleUpDelay string = '0s'
-
-@description('Optional. Specifies the OK total unready count for the auto-scaler of the AKS cluster.')
-param autoScalerProfileOkTotalUnreadyCount string = '3'
-
-@allowed([
- 'false'
- 'true'
-])
-@description('Optional.
Specifies if nodes with local storage should be skipped for the auto-scaler of the AKS cluster.')
-param autoScalerProfileSkipNodesWithLocalStorage string = 'true'
-
-@allowed([
- 'false'
- 'true'
-])
-@description('Optional. Specifies if nodes with system pods should be skipped for the auto-scaler of the AKS cluster.')
-param autoScalerProfileSkipNodesWithSystemPods string = 'true'
-
-@allowed([
- 'node-image'
- 'none'
- 'patch'
- 'rapid'
- 'stable'
- ''
-])
-@description('Optional. Auto-upgrade channel on the AKS cluster.')
-param autoUpgradeProfileUpgradeChannel string = ''
-
-@description('Optional. Running in Kubenet is disabled by default due to the security related nature of AAD Pod Identity and the risks of IP spoofing.')
-param podIdentityProfileAllowNetworkPluginKubenet bool = false
-
-@description('Optional. Whether the pod identity addon is enabled.')
-param podIdentityProfileEnable bool = false
-
-@description('Optional. The pod identities to use in the cluster.')
-param podIdentityProfileUserAssignedIdentities array = []
-
-@description('Optional. The pod identity exceptions to allow.')
-param podIdentityProfileUserAssignedIdentityExceptions array = []
-
-@description('Optional. Whether the The OIDC issuer profile of the Managed Cluster is enabled.')
-param enableOidcIssuerProfile bool = false
-
-@description('Optional. Whether to enable Workload Identity. Requires OIDC issuer profile to be enabled.')
-param enableWorkloadIdentity bool = false
-
-@description('Optional. Whether to enable Azure Defender.')
-param enableAzureDefender bool = false
-
-@description('Optional. Whether to enable Kubernetes pod security policy. Requires enabling the pod security policy feature flag on the subscription.')
-param enablePodSecurityPolicy bool = false
-
-@description('Optional. Whether the AzureBlob CSI Driver for the storage profile is enabled.')
-param enableStorageProfileBlobCSIDriver bool = false
-
-@description('Optional.
Whether the AzureDisk CSI Driver for the storage profile is enabled.')
-param enableStorageProfileDiskCSIDriver bool = false
-
-@description('Optional. Whether the AzureFile CSI Driver for the storage profile is enabled.')
-param enableStorageProfileFileCSIDriver bool = false
-
-@description('Optional. Whether the snapshot controller for the storage profile is enabled.')
-param enableStorageProfileSnapshotController bool = false
-
-@allowed([
- 'AKSLongTermSupport'
- 'KubernetesOfficial'
-])
-@description('Optional. The support plan for the Managed Cluster.')
-param supportPlan string = 'KubernetesOfficial'
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. Specifies whether the OMS agent is enabled.')
-param omsAgentEnabled bool = true
-
-@description('Optional. Resource ID of the monitoring log analytics workspace.')
-param monitoringWorkspaceId string = ''
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. The resource ID of the disc encryption set to apply to the cluster. For security reasons, this value should be provided.')
-param diskEncryptionSetID string = ''
-
-@description('Optional. Configuration settings that are sensitive, as name-value pairs for configuring this extension.')
-@secure()
-param fluxConfigurationProtectedSettings object = {}
-
-@description('Optional. Settings and configurations for the flux extension.')
-param fluxExtension object = {}
-
-@description('Optional.
Configurations for provisioning the cluster with HTTP proxy servers.')
-param httpProxyConfig object = {}
-
-@description('Optional. Identities associated with the cluster.')
-param identityProfile object = {}
-
-@description('Optional. The customer managed key definition.')
-param customerManagedKey customerManagedKeyType
-
-@description('Optional. Whether the metrics profile for the Azure Monitor managed service for Prometheus addon is enabled.')
-param enableAzureMonitorProfileMetrics bool = false
-
-@description('Optional. A comma-separated list of additional Kubernetes label keys.')
-param metricLabelsAllowlist string = ''
-
-@description('Optional. A comma-separated list of Kubernetes annotation keys.')
-param metricAnnotationsAllowList string = ''
-
-resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) {
- name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/'))
- scope: resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4])
-
- resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) {
- name: customerManagedKey.?keyName ?? 'dummyKey'
- }
-}
-
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-
-var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? 'SystemAssigned' : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
- userAssignedIdentities: !empty(formattedUserAssignedIdentities) ?
formattedUserAssignedIdentities : null
-} : null
-
-var linuxProfile = {
- adminUsername: adminUsername
- ssh: {
- publicKeys: [
- {
- keyData: sshPublicKey
- }
- ]
- }
-}
-
-var lbProfile = {
- managedOutboundIPs: {
- count: managedOutboundIPCount
- }
- effectiveOutboundIPs: []
-}
-
-var enableReferencedModulesTelemetry = false
-
-var builtInRoleNames = {
- 'Azure Kubernetes Fleet Manager Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '63bb64ad-9799-4770-b5c3-24ed299a07bf')
- 'Azure Kubernetes Fleet Manager RBAC Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '434fb43a-c01c-447e-9f67-c3ad923cfaba')
- 'Azure Kubernetes Fleet Manager RBAC Cluster Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ab4d3d-a1bf-4477-8ad9-8359bc988f69')
- 'Azure Kubernetes Fleet Manager RBAC Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '30b27cfc-9c84-438e-b0ce-70e35255df80')
- 'Azure Kubernetes Fleet Manager RBAC Writer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5af6afb3-c06c-4fa4-8848-71a8aee05683')
- 'Azure Kubernetes Service Cluster Admin Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')
- 'Azure Kubernetes Service Cluster Monitoring User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1afdec4b-e479-420e-99e7-f82237c7c5e6')
- 'Azure Kubernetes Service Cluster User Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')
- 'Azure Kubernetes Service Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')
- 'Azure Kubernetes Service RBAC Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3498e952-d568-435e-9b2c-8d77e338d7f7')
- 'Azure Kubernetes Service RBAC Cluster Admin':
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b')
- 'Azure Kubernetes Service RBAC Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f6c6a51-bcf8-42ba-9220-52d62157d7db')
- 'Azure Kubernetes Service RBAC Writer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb')
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Kubernetes Agentless Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a2ae44-610b-4500-93be-660a0c5f5ca6')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource managedCluster 'Microsoft.ContainerService/managedClusters@2023-07-02-preview' = {
- name: name
- location: location
- tags: tags
- identity: identity
- sku: {
- name: 'Base'
- tier: skuTier
- }
- properties: {
- httpProxyConfig: !empty(httpProxyConfig) ? httpProxyConfig : null
- identityProfile: !empty(identityProfile) ?
identityProfile : null
- diskEncryptionSetID: !empty(diskEncryptionSetID) ? diskEncryptionSetID : null
- kubernetesVersion: (empty(kubernetesVersion) ? null : kubernetesVersion)
- dnsPrefix: dnsPrefix
- agentPoolProfiles: primaryAgentPoolProfile
- linuxProfile: (empty(sshPublicKey) ? null : linuxProfile)
- servicePrincipalProfile: (empty(aksServicePrincipalProfile) ? null : aksServicePrincipalProfile)
- ingressProfile: {
- webAppRouting: {
- enabled: webApplicationRoutingEnabled
- dnsZoneResourceIds: !empty(dnsZoneResourceId) ? [
- dnsZoneResourceId
- ] : null
- }
- }
- addonProfiles: {
- httpApplicationRouting: {
- enabled: httpApplicationRoutingEnabled
- }
- ingressApplicationGateway: {
- enabled: ingressApplicationGatewayEnabled && !empty(appGatewayResourceId)
- config: ingressApplicationGatewayEnabled && !empty(appGatewayResourceId) ? {
- applicationGatewayId: !empty(appGatewayResourceId) ? any(appGatewayResourceId) : null
- effectiveApplicationGatewayId: !empty(appGatewayResourceId) ? any(appGatewayResourceId) : null
- } : null
- }
- omsagent: {
- enabled: omsAgentEnabled && !empty(monitoringWorkspaceId)
- config: omsAgentEnabled && !empty(monitoringWorkspaceId) ? {
- logAnalyticsWorkspaceResourceID: !empty(monitoringWorkspaceId) ? any(monitoringWorkspaceId) : null
- } : null
- }
- aciConnectorLinux: {
- enabled: aciConnectorLinuxEnabled
- }
- azurepolicy: {
- enabled: azurePolicyEnabled
- config: azurePolicyEnabled ? {
- version: azurePolicyVersion
- } : null
- }
- openServiceMesh: {
- enabled: openServiceMeshEnabled
- config: openServiceMeshEnabled ? {} : null
- }
- kubeDashboard: {
- enabled: kubeDashboardEnabled
- }
- azureKeyvaultSecretsProvider: {
- enabled: enableKeyvaultSecretsProvider
- config: enableKeyvaultSecretsProvider ? {
- enableSecretRotation: enableSecretRotation
- } : null
- }
- }
- oidcIssuerProfile: enableOidcIssuerProfile ?
{
- enabled: enableOidcIssuerProfile
- } : null
- enableRBAC: enableRBAC
- disableLocalAccounts: disableLocalAccounts
- nodeResourceGroup: nodeResourceGroup
- enablePodSecurityPolicy: enablePodSecurityPolicy
- networkProfile: {
- networkDataplane: !empty(networkDataplane) ? any(networkDataplane) : null
- networkPlugin: !empty(networkPlugin) ? any(networkPlugin) : null
- networkPluginMode: !empty(networkPluginMode) ? any(networkPluginMode) : null
- networkPolicy: !empty(networkPolicy) ? any(networkPolicy) : null
- podCidr: !empty(podCidr) ? podCidr : null
- serviceCidr: !empty(serviceCidr) ? serviceCidr : null
- dnsServiceIP: !empty(dnsServiceIP) ? dnsServiceIP : null
- outboundType: outboundType
- loadBalancerSku: loadBalancerSku
- loadBalancerProfile: managedOutboundIPCount != 0 ? lbProfile : null
- }
- aadProfile: {
- clientAppID: aadProfileClientAppID
- serverAppID: aadProfileServerAppID
- serverAppSecret: aadProfileServerAppSecret
- managed: aadProfileManaged
- enableAzureRBAC: aadProfileEnableAzureRBAC
- adminGroupObjectIDs: aadProfileAdminGroupObjectIDs
- tenantID: aadProfileTenantId
- }
- autoScalerProfile: {
- 'balance-similar-node-groups': autoScalerProfileBalanceSimilarNodeGroups
- expander: autoScalerProfileExpander
- 'max-empty-bulk-delete': autoScalerProfileMaxEmptyBulkDelete
- 'max-graceful-termination-sec': autoScalerProfileMaxGracefulTerminationSec
- 'max-node-provision-time': autoScalerProfileMaxNodeProvisionTime
- 'max-total-unready-percentage': autoScalerProfileMaxTotalUnreadyPercentage
- 'new-pod-scale-up-delay': autoScalerProfileNewPodScaleUpDelay
- 'ok-total-unready-count': autoScalerProfileOkTotalUnreadyCount
- 'scale-down-delay-after-add': autoScalerProfileScaleDownDelayAfterAdd
- 'scale-down-delay-after-delete': autoScalerProfileScaleDownDelayAfterDelete
- 'scale-down-delay-after-failure': autoScalerProfileScaleDownDelayAfterFailure
- 'scale-down-unneeded-time': autoScalerProfileScaleDownUnneededTime
- 'scale-down-unready-time':
autoScalerProfileScaleDownUnreadyTime
- 'scale-down-utilization-threshold': autoScalerProfileUtilizationThreshold
- 'scan-interval': autoScalerProfileScanInterval
- 'skip-nodes-with-local-storage': autoScalerProfileSkipNodesWithLocalStorage
- 'skip-nodes-with-system-pods': autoScalerProfileSkipNodesWithSystemPods
- }
- autoUpgradeProfile: {
- upgradeChannel: !empty(autoUpgradeProfileUpgradeChannel) ? autoUpgradeProfileUpgradeChannel : null
- }
- apiServerAccessProfile: {
- authorizedIPRanges: authorizedIPRanges
- disableRunCommand: disableRunCommand
- enablePrivateCluster: enablePrivateCluster
- enablePrivateClusterPublicFQDN: enablePrivateClusterPublicFQDN
- privateDNSZone: privateDNSZone
- }
- azureMonitorProfile: {
- metrics: enableAzureMonitorProfileMetrics ? {
- enabled: true
- kubeStateMetrics: {
- metricAnnotationsAllowList: metricAnnotationsAllowList
- metricLabelsAllowlist: metricLabelsAllowlist
- }
- } : null
- }
- podIdentityProfile: {
- allowNetworkPluginKubenet: podIdentityProfileAllowNetworkPluginKubenet
- enabled: podIdentityProfileEnable
- userAssignedIdentities: podIdentityProfileUserAssignedIdentities
- userAssignedIdentityExceptions: podIdentityProfileUserAssignedIdentityExceptions
- }
- securityProfile: {
- azureKeyVaultKms: !empty(customerManagedKey) ? {
- enabled: true
- keyId: !empty(customerManagedKey.?keyVersion ?? '') ? '${cMKKeyVault::cMKKey.properties.keyUri}/${customerManagedKey!.keyVersion}' : cMKKeyVault::cMKKey.properties.keyUriWithVersion
- keyVaultNetworkAccess: customerManagedKey!.keyVaultNetworkAccess
- keyVaultResourceId: customerManagedKey!.keyVaultNetworkAccess == 'Private' ? cMKKeyVault.id : null
- } : null
- defender: enableAzureDefender ? {
- securityMonitoring: {
- enabled: enableAzureDefender
- }
- logAnalyticsWorkspaceResourceId: !empty(monitoringWorkspaceId) ? monitoringWorkspaceId : null
- } : null
- workloadIdentity: enableWorkloadIdentity ?
{
- enabled: enableWorkloadIdentity
- } : null
- }
- storageProfile: {
- blobCSIDriver: {
- enabled: enableStorageProfileBlobCSIDriver
- }
- diskCSIDriver: {
- enabled: enableStorageProfileDiskCSIDriver
- }
- fileCSIDriver: {
- enabled: enableStorageProfileFileCSIDriver
- }
- snapshotController: {
- enabled: enableStorageProfileSnapshotController
- }
- }
- supportPlan: supportPlan
- }
-}
-
-module managedCluster_agentPools 'agent-pool/main.bicep' = [for (agentPool, index) in agentPools: {
- name: '${uniqueString(deployment().name, location)}-ManagedCluster-AgentPool-${index}'
- params: {
- managedClusterName: managedCluster.name
- name: agentPool.name
- availabilityZones: contains(agentPool, 'availabilityZones') ? agentPool.availabilityZones : []
- count: contains(agentPool, 'count') ? agentPool.count : 1
- sourceResourceId: contains(agentPool, 'sourceResourceId') ? agentPool.sourceResourceId : ''
- enableAutoScaling: contains(agentPool, 'enableAutoScaling') ? agentPool.enableAutoScaling : false
- enableEncryptionAtHost: contains(agentPool, 'enableEncryptionAtHost') ? agentPool.enableEncryptionAtHost : false
- enableFIPS: contains(agentPool, 'enableFIPS') ? agentPool.enableFIPS : false
- enableNodePublicIP: contains(agentPool, 'enableNodePublicIP') ? agentPool.enableNodePublicIP : false
- enableUltraSSD: contains(agentPool, 'enableUltraSSD') ? agentPool.enableUltraSSD : false
- gpuInstanceProfile: contains(agentPool, 'gpuInstanceProfile') ? agentPool.gpuInstanceProfile : ''
- kubeletDiskType: contains(agentPool, 'kubeletDiskType') ? agentPool.kubeletDiskType : ''
- maxCount: contains(agentPool, 'maxCount') ? agentPool.maxCount : -1
- maxPods: contains(agentPool, 'maxPods') ? agentPool.maxPods : -1
- minCount: contains(agentPool, 'minCount') ? agentPool.minCount : -1
- mode: contains(agentPool, 'mode') ? agentPool.mode : ''
- nodeLabels: contains(agentPool, 'nodeLabels') ?
agentPool.nodeLabels : {}
- nodePublicIpPrefixId: contains(agentPool, 'nodePublicIpPrefixId') ? agentPool.nodePublicIpPrefixId : ''
- nodeTaints: contains(agentPool, 'nodeTaints') ? agentPool.nodeTaints : []
- orchestratorVersion: contains(agentPool, 'orchestratorVersion') ? agentPool.orchestratorVersion : kubernetesVersion
- osDiskSizeGB: contains(agentPool, 'osDiskSizeGB') ? agentPool.osDiskSizeGB : -1
- osDiskType: contains(agentPool, 'osDiskType') ? agentPool.osDiskType : ''
- osSku: contains(agentPool, 'osSku') ? agentPool.osSku : ''
- osType: contains(agentPool, 'osType') ? agentPool.osType : 'Linux'
- podSubnetId: contains(agentPool, 'podSubnetId') ? agentPool.podSubnetId : ''
- proximityPlacementGroupResourceId: contains(agentPool, 'proximityPlacementGroupResourceId') ? agentPool.proximityPlacementGroupResourceId : ''
- scaleDownMode: contains(agentPool, 'scaleDownMode') ? agentPool.scaleDownMode : 'Delete'
- scaleSetEvictionPolicy: contains(agentPool, 'scaleSetEvictionPolicy') ? agentPool.scaleSetEvictionPolicy : 'Delete'
- scaleSetPriority: contains(agentPool, 'scaleSetPriority') ? agentPool.scaleSetPriority : ''
- spotMaxPrice: contains(agentPool, 'spotMaxPrice') ? agentPool.spotMaxPrice : -1
- tags: agentPool.?tags ?? tags
- type: contains(agentPool, 'type') ? agentPool.type : ''
- maxSurge: contains(agentPool, 'maxSurge') ? agentPool.maxSurge : ''
- vmSize: contains(agentPool, 'vmSize') ? agentPool.vmSize : 'Standard_D2s_v3'
- vnetSubnetId: contains(agentPool, 'vnetSubnetId') ? agentPool.vnetSubnetId : ''
- workloadRuntime: contains(agentPool, 'workloadRuntime') ?
agentPool.workloadRuntime : ''
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module managedCluster_extension '../../kubernetes-configuration/extension/main.bicep' = if (!empty(fluxExtension)) {
- name: '${uniqueString(deployment().name, location)}-ManagedCluster-FluxExtension'
- params: {
- clusterName: managedCluster.name
- configurationProtectedSettings: !empty(fluxConfigurationProtectedSettings) ? fluxConfigurationProtectedSettings : {}
- configurationSettings: contains(fluxExtension, 'configurationSettings') ? fluxExtension.configurationSettings : {}
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- extensionType: 'microsoft.flux'
- fluxConfigurations: fluxExtension.configurations
- location: location
- name: 'flux'
- releaseNamespace: 'flux-system'
- releaseTrain: contains(fluxExtension, 'releaseTrain') ? fluxExtension.releaseTrain : 'Stable'
- version: contains(fluxExtension, 'version') ? fluxExtension.version : ''
- }
-}
-
-resource managedCluster_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: managedCluster
-}
-
-resource managedCluster_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ??
[
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: managedCluster
-}]
-
-resource managedCluster_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(managedCluster.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: managedCluster
-}]
-
-resource dnsZone 'Microsoft.Network/dnsZones@2018-05-01' existing = if (enableDnsZoneContributorRoleAssignment == true && dnsZoneResourceId != null && webApplicationRoutingEnabled) {
- name: last(split((!empty(dnsZoneResourceId) ? dnsZoneResourceId : '/dummmyZone'), '/'))! 
-}
-
-resource dnsZone_roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (enableDnsZoneContributorRoleAssignment == true && dnsZoneResourceId != null && webApplicationRoutingEnabled) {
- name: guid(dnsZoneResourceId, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314'), 'DNS Zone Contributor')
- properties: {
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') // 'DNS Zone Contributor'
- principalId: managedCluster.properties.ingressProfile.webAppRouting.identity.objectId
- principalType: 'ServicePrincipal'
- }
- scope: dnsZone
-}
-
-@description('The resource ID of the managed cluster.')
-output resourceId string = managedCluster.id
-
-@description('The resource group the managed cluster was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the managed cluster.')
-output name string = managedCluster.name
-
-@description('The control plane FQDN of the managed cluster.')
-output controlPlaneFQDN string = enablePrivateCluster ? managedCluster.properties.privateFQDN : managedCluster.properties.fqdn
-
-@description('The principal ID of the system assigned identity.')
-output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(managedCluster.identity, 'principalId') ? managedCluster.identity.principalId : ''
-
-@description('The Object ID of the AKS identity.')
-output kubeletidentityObjectId string = contains(managedCluster.properties, 'identityProfile') ? contains(managedCluster.properties.identityProfile, 'kubeletidentity') ? managedCluster.properties.identityProfile.kubeletidentity.objectId : '' : ''
-
-@description('The Object ID of the OMS agent identity.')
-output omsagentIdentityObjectId string = contains(managedCluster.properties, 'addonProfiles') ? contains(managedCluster.properties.addonProfiles, 'omsagent') ? 
contains(managedCluster.properties.addonProfiles.omsagent, 'identity') ? managedCluster.properties.addonProfiles.omsagent.identity.objectId : '' : '' : ''
-
-@description('The Object ID of the Key Vault Secrets Provider identity.')
-output keyvaultIdentityObjectId string = contains(managedCluster.properties, 'addonProfiles') ? contains(managedCluster.properties.addonProfiles, 'azureKeyvaultSecretsProvider') ? contains(managedCluster.properties.addonProfiles.azureKeyvaultSecretsProvider, 'identity') ? managedCluster.properties.addonProfiles.azureKeyvaultSecretsProvider.identity.objectId : '' : '' : ''
-
-@description('The Client ID of the Key Vault Secrets Provider identity.')
-output keyvaultIdentityClientId string = contains(managedCluster.properties, 'addonProfiles') ? contains(managedCluster.properties.addonProfiles, 'azureKeyvaultSecretsProvider') ? contains(managedCluster.properties.addonProfiles.azureKeyvaultSecretsProvider, 'identity') ? managedCluster.properties.addonProfiles.azureKeyvaultSecretsProvider.identity.clientId : '' : '' : ''
-
-@description('The Object ID of Application Gateway Ingress Controller (AGIC) identity.')
-output ingressApplicationGatewayIdentityObjectId string = managedCluster.properties.addonProfiles.?ingressApplicationGateway.?identity.?objectId ?? ''
-
-@description('The location the resource was deployed into.')
-output location string = managedCluster.location
-
-@description('The OIDC token issuer URL.')
-output oidcIssuerUrl string = enableOidcIssuerProfile ? managedCluster.properties.oidcIssuerProfile.issuerURL : ''
-
-@description('The addonProfiles of the Kubernetes cluster.')
-output addonProfiles object = contains(managedCluster.properties, 'addonProfiles') ? 
managedCluster.properties.addonProfiles : {}
-
-@description('The Object ID of Web Application Routing.')
-output webAppRoutingIdentityObjectId string = contains(managedCluster.properties, 'ingressProfile') && contains(managedCluster.properties.ingressProfile, 'webAppRouting') && contains(managedCluster.properties.ingressProfile.webAppRouting, 'identity') && contains(managedCluster.properties.ingressProfile.webAppRouting.identity, 'objectId') ? managedCluster.properties.ingressProfile.webAppRouting.identity.objectId : ''
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]?
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
-
-type customerManagedKeyType = {
- @description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.')
- keyVaultResourceId: string
-
- @description('Required. The name of the customer managed key to use for encryption.')
- keyName: string
-
- @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.')
- keyVersion: string?
-
- @description('Required. Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public.')
- keyVaultNetworkAccess: ('Private' | 'Public')
-}?
diff --git a/modules/container-service/managed-cluster/main.json b/modules/container-service/managed-cluster/main.json
deleted file mode 100644
index 341b58c365..0000000000
--- a/modules/container-service/managed-cluster/main.json
+++ /dev/null 
@@ -1,2280 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "17801986788893514191" - }, - "name": "Azure Kubernetes Service (AKS) Managed Clusters", - "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. 
The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - }, - "customerManagedKeyType": { - "type": "object", - "properties": { - "keyVaultResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." - } - }, - "keyName": { - "type": "string", - "metadata": { - "description": "Required. The name of the customer managed key to use for encryption." - } - }, - "keyVersion": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." - } - }, - "keyVaultNetworkAccess": { - "type": "string", - "allowedValues": [ - "Private", - "Public" - ], - "metadata": { - "description": "Required. Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public." - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. 
Specifies the name of the AKS cluster." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Specifies the location of AKS cluster. It picks up Resource Group's location by default." - } - }, - "dnsPrefix": { - "type": "string", - "defaultValue": "[parameters('name')]", - "metadata": { - "description": "Optional. Specifies the DNS prefix specified when creating the managed cluster." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both." - } - }, - "networkDataplane": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "azure", - "cilium" - ], - "metadata": { - "description": "Optional. Network dataplane used in the Kubernetes cluster. Not compatible with kubenet network plugin." - } - }, - "networkPlugin": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "azure", - "kubenet" - ], - "metadata": { - "description": "Optional. Specifies the network plugin used for building Kubernetes network." - } - }, - "networkPluginMode": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "overlay" - ], - "metadata": { - "description": "Optional. Network plugin mode used for building the Kubernetes network. Not compatible with kubenet network plugin." - } - }, - "networkPolicy": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "azure", - "calico" - ], - "metadata": { - "description": "Optional. Specifies the network policy used for building Kubernetes network. - calico or azure." - } - }, - "podCidr": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies the CIDR notation IP range from which to assign pod IPs when kubenet is used." 
- } - }, - "serviceCidr": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges." - } - }, - "dnsServiceIP": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies the IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr." - } - }, - "loadBalancerSku": { - "type": "string", - "defaultValue": "standard", - "allowedValues": [ - "basic", - "standard" - ], - "metadata": { - "description": "Optional. Specifies the sku of the load balancer used by the virtual machine scale sets used by nodepools." - } - }, - "managedOutboundIPCount": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. Outbound IP Count for the Load balancer." - } - }, - "outboundType": { - "type": "string", - "defaultValue": "loadBalancer", - "allowedValues": [ - "loadBalancer", - "userDefinedRouting" - ], - "metadata": { - "description": "Optional. Specifies outbound (egress) routing method. - loadBalancer or userDefinedRouting." - } - }, - "skuTier": { - "type": "string", - "defaultValue": "Free", - "allowedValues": [ - "Free", - "Premium", - "Standard" - ], - "metadata": { - "description": "Optional. Tier of a managed cluster SKU. - Free or Standard." - } - }, - "kubernetesVersion": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Version of Kubernetes specified when creating the managed cluster." - } - }, - "adminUsername": { - "type": "string", - "defaultValue": "azureuser", - "metadata": { - "description": "Optional. Specifies the administrator username of Linux virtual machines." - } - }, - "sshPublicKey": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies the SSH RSA public key string for the Linux nodes." 
- } - }, - "aksServicePrincipalProfile": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Conditional. Information about a service principal identity for the cluster to use for manipulating Azure APIs. Required if no managed identities are assigned to the cluster." - } - }, - "aadProfileClientAppID": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The client AAD application ID." - } - }, - "aadProfileServerAppID": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The server AAD application ID." - } - }, - "aadProfileServerAppSecret": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The server AAD application secret." - } - }, - "aadProfileTenantId": { - "type": "string", - "defaultValue": "[subscription().tenantId]", - "metadata": { - "description": "Optional. Specifies the tenant ID of the Azure Active Directory used by the AKS cluster for authentication." - } - }, - "aadProfileAdminGroupObjectIDs": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specifies the AAD group object IDs that will have admin role of the cluster." - } - }, - "aadProfileManaged": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Specifies whether to enable managed AAD integration." - } - }, - "enableRBAC": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Whether to enable Kubernetes Role-Based Access Control." - } - }, - "aadProfileEnableAzureRBAC": { - "type": "bool", - "defaultValue": "[parameters('enableRBAC')]", - "metadata": { - "description": "Optional. Specifies whether to enable Azure RBAC for Kubernetes authorization." - } - }, - "disableLocalAccounts": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. If set to true, getting static credentials will be disabled for this cluster. 
This must only be used on Managed Clusters that are AAD enabled." - } - }, - "nodeResourceGroup": { - "type": "string", - "defaultValue": "[format('{0}_aks_{1}_nodes', resourceGroup().name, parameters('name'))]", - "metadata": { - "description": "Optional. Name of the resource group containing agent pool nodes." - } - }, - "authorizedIPRanges": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer." - } - }, - "disableRunCommand": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether to disable run command for the cluster or not." - } - }, - "enablePrivateCluster": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether to create the cluster as a private cluster or not." - } - }, - "enablePrivateClusterPublicFQDN": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether to create additional public FQDN for private cluster or not." - } - }, - "privateDNSZone": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Private DNS Zone configuration. Set to 'system' and AKS will create a private DNS zone in the node resource group. Set to '' to disable private DNS Zone creation and use public DNS. Supply the resource ID here of an existing Private DNS zone to use an existing zone." - } - }, - "primaryAgentPoolProfile": { - "type": "array", - "metadata": { - "description": "Required. Properties of the primary agent pool." - } - }, - "agentPools": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Define one or more secondary/additional agent pools." 
- } - }, - "httpApplicationRoutingEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether the httpApplicationRouting add-on is enabled or not." - } - }, - "webApplicationRoutingEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether the webApplicationRoutingEnabled add-on is enabled or not." - } - }, - "dnsZoneResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies the resource ID of connected DNS zone. It will be ignored if `webApplicationRoutingEnabled` is set to `false`." - } - }, - "enableDnsZoneContributorRoleAssignment": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Specifies whether assing the DNS zone contributor role to the cluster service principal. It will be ignored if `webApplicationRoutingEnabled` is set to `false` or `dnsZoneResourceId` not provided." - } - }, - "ingressApplicationGatewayEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether the ingressApplicationGateway (AGIC) add-on is enabled or not." - } - }, - "appGatewayResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. Specifies the resource ID of connected application gateway. Required if `ingressApplicationGatewayEnabled` is set to `true`." - } - }, - "aciConnectorLinuxEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether the aciConnectorLinux add-on is enabled or not." - } - }, - "azurePolicyEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Specifies whether the azurepolicy add-on is enabled or not. For security reasons, this setting should be enabled." 
- } - }, - "openServiceMeshEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether the openServiceMesh add-on is enabled or not." - } - }, - "azurePolicyVersion": { - "type": "string", - "defaultValue": "v2", - "metadata": { - "description": "Optional. Specifies the azure policy version to use." - } - }, - "kubeDashboardEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether the kubeDashboard add-on is enabled or not." - } - }, - "enableKeyvaultSecretsProvider": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether the KeyvaultSecretsProvider add-on is enabled or not." - } - }, - "enableSecretRotation": { - "type": "string", - "defaultValue": "false", - "allowedValues": [ - "false", - "true" - ], - "metadata": { - "description": "Optional. Specifies whether the KeyvaultSecretsProvider add-on uses secret rotation." - } - }, - "autoScalerProfileScanInterval": { - "type": "string", - "defaultValue": "10s", - "metadata": { - "description": "Optional. Specifies the scan interval of the auto-scaler of the AKS cluster." - } - }, - "autoScalerProfileScaleDownDelayAfterAdd": { - "type": "string", - "defaultValue": "10m", - "metadata": { - "description": "Optional. Specifies the scale down delay after add of the auto-scaler of the AKS cluster." - } - }, - "autoScalerProfileScaleDownDelayAfterDelete": { - "type": "string", - "defaultValue": "20s", - "metadata": { - "description": "Optional. Specifies the scale down delay after delete of the auto-scaler of the AKS cluster." - } - }, - "autoScalerProfileScaleDownDelayAfterFailure": { - "type": "string", - "defaultValue": "3m", - "metadata": { - "description": "Optional. Specifies scale down delay after failure of the auto-scaler of the AKS cluster." 
- } - }, - "autoScalerProfileScaleDownUnneededTime": { - "type": "string", - "defaultValue": "10m", - "metadata": { - "description": "Optional. Specifies the scale down unneeded time of the auto-scaler of the AKS cluster." - } - }, - "autoScalerProfileScaleDownUnreadyTime": { - "type": "string", - "defaultValue": "20m", - "metadata": { - "description": "Optional. Specifies the scale down unready time of the auto-scaler of the AKS cluster." - } - }, - "autoScalerProfileUtilizationThreshold": { - "type": "string", - "defaultValue": "0.5", - "metadata": { - "description": "Optional. Specifies the utilization threshold of the auto-scaler of the AKS cluster." - } - }, - "autoScalerProfileMaxGracefulTerminationSec": { - "type": "string", - "defaultValue": "600", - "metadata": { - "description": "Optional. Specifies the max graceful termination time interval in seconds for the auto-scaler of the AKS cluster." - } - }, - "autoScalerProfileBalanceSimilarNodeGroups": { - "type": "string", - "defaultValue": "false", - "allowedValues": [ - "false", - "true" - ], - "metadata": { - "description": "Optional. Specifies the balance of similar node groups for the auto-scaler of the AKS cluster." - } - }, - "autoScalerProfileExpander": { - "type": "string", - "defaultValue": "random", - "allowedValues": [ - "least-waste", - "most-pods", - "priority", - "random" - ], - "metadata": { - "description": "Optional. Specifies the expand strategy for the auto-scaler of the AKS cluster." - } - }, - "autoScalerProfileMaxEmptyBulkDelete": { - "type": "string", - "defaultValue": "10", - "metadata": { - "description": "Optional. Specifies the maximum empty bulk delete for the auto-scaler of the AKS cluster." - } - }, - "autoScalerProfileMaxNodeProvisionTime": { - "type": "string", - "defaultValue": "15m", - "metadata": { - "description": "Optional. Specifies the maximum node provisioning time for the auto-scaler of the AKS cluster. Values must be an integer followed by an \"m\". 
No unit of time other than minutes (m) is supported." - } - }, - "autoScalerProfileMaxTotalUnreadyPercentage": { - "type": "string", - "defaultValue": "45", - "metadata": { - "description": "Optional. Specifies the mximum total unready percentage for the auto-scaler of the AKS cluster. The maximum is 100 and the minimum is 0." - } - }, - "autoScalerProfileNewPodScaleUpDelay": { - "type": "string", - "defaultValue": "0s", - "metadata": { - "description": "Optional. For scenarios like burst/batch scale where you do not want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they are a certain age. Values must be an integer followed by a unit (\"s\" for seconds, \"m\" for minutes, \"h\" for hours, etc)." - } - }, - "autoScalerProfileOkTotalUnreadyCount": { - "type": "string", - "defaultValue": "3", - "metadata": { - "description": "Optional. Specifies the OK total unready count for the auto-scaler of the AKS cluster." - } - }, - "autoScalerProfileSkipNodesWithLocalStorage": { - "type": "string", - "defaultValue": "true", - "allowedValues": [ - "false", - "true" - ], - "metadata": { - "description": "Optional. Specifies if nodes with local storage should be skipped for the auto-scaler of the AKS cluster." - } - }, - "autoScalerProfileSkipNodesWithSystemPods": { - "type": "string", - "defaultValue": "true", - "allowedValues": [ - "false", - "true" - ], - "metadata": { - "description": "Optional. Specifies if nodes with system pods should be skipped for the auto-scaler of the AKS cluster." - } - }, - "autoUpgradeProfileUpgradeChannel": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "node-image", - "none", - "patch", - "rapid", - "stable", - "" - ], - "metadata": { - "description": "Optional. Auto-upgrade channel on the AKS cluster." - } - }, - "podIdentityProfileAllowNetworkPluginKubenet": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. 
Running in Kubenet is disabled by default due to the security related nature of AAD Pod Identity and the risks of IP spoofing." - } - }, - "podIdentityProfileEnable": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether the pod identity addon is enabled." - } - }, - "podIdentityProfileUserAssignedIdentities": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The pod identities to use in the cluster." - } - }, - "podIdentityProfileUserAssignedIdentityExceptions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The pod identity exceptions to allow." - } - }, - "enableOidcIssuerProfile": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether the The OIDC issuer profile of the Managed Cluster is enabled." - } - }, - "enableWorkloadIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether to enable Workload Identity. Requires OIDC issuer profile to be enabled." - } - }, - "enableAzureDefender": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether to enable Azure Defender." - } - }, - "enablePodSecurityPolicy": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether to enable Kubernetes pod security policy. Requires enabling the pod security policy feature flag on the subscription." - } - }, - "enableStorageProfileBlobCSIDriver": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether the AzureBlob CSI Driver for the storage profile is enabled." - } - }, - "enableStorageProfileDiskCSIDriver": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether the AzureDisk CSI Driver for the storage profile is enabled." 
- } - }, - "enableStorageProfileFileCSIDriver": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether the AzureFile CSI Driver for the storage profile is enabled." - } - }, - "enableStorageProfileSnapshotController": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether the snapshot controller for the storage profile is enabled." - } - }, - "supportPlan": { - "type": "string", - "defaultValue": "KubernetesOfficial", - "allowedValues": [ - "AKSLongTermSupport", - "KubernetesOfficial" - ], - "metadata": { - "description": "Optional. The support plan for the Managed Cluster." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "omsAgentEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Specifies whether the OMS agent is enabled." - } - }, - "monitoringWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the monitoring log analytics workspace." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "diskEncryptionSetID": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of the disc encryption set to apply to the cluster. 
For security reasons, this value should be provided." - } - }, - "fluxConfigurationProtectedSettings": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Configuration settings that are sensitive, as name-value pairs for configuring this extension." - } - }, - "fluxExtension": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Settings and configurations for the flux extension." - } - }, - "httpProxyConfig": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Configurations for provisioning the cluster with HTTP proxy servers." - } - }, - "identityProfile": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Identities associated with the cluster." - } - }, - "customerManagedKey": { - "$ref": "#/definitions/customerManagedKeyType", - "metadata": { - "description": "Optional. The customer managed key definition." - } - }, - "enableAzureMonitorProfileMetrics": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether the metrics profile for the Azure Monitor managed service for Prometheus addon is enabled." - } - }, - "metricLabelsAllowlist": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. A comma-separated list of additional Kubernetes label keys." - } - }, - "metricAnnotationsAllowList": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. A comma-separated list of Kubernetes annotation keys." 
- } - } - }, - "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "linuxProfile": { - "adminUsername": "[parameters('adminUsername')]", - "ssh": { - "publicKeys": [ - { - "keyData": "[parameters('sshPublicKey')]" - } - ] - } - }, - "lbProfile": { - "managedOutboundIPs": { - "count": "[parameters('managedOutboundIPCount')]" - }, - "effectiveOutboundIPs": [] - }, - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Azure Kubernetes Fleet Manager Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '63bb64ad-9799-4770-b5c3-24ed299a07bf')]", - "Azure Kubernetes Fleet Manager RBAC Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '434fb43a-c01c-447e-9f67-c3ad923cfaba')]", - "Azure Kubernetes Fleet Manager RBAC Cluster Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ab4d3d-a1bf-4477-8ad9-8359bc988f69')]", - "Azure Kubernetes Fleet Manager RBAC Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '30b27cfc-9c84-438e-b0ce-70e35255df80')]", - "Azure Kubernetes Fleet Manager RBAC Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'5af6afb3-c06c-4fa4-8848-71a8aee05683')]", - "Azure Kubernetes Service Cluster Admin Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", - "Azure Kubernetes Service Cluster Monitoring User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1afdec4b-e479-420e-99e7-f82237c7c5e6')]", - "Azure Kubernetes Service Cluster User Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", - "Azure Kubernetes Service Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", - "Azure Kubernetes Service RBAC Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3498e952-d568-435e-9b2c-8d77e338d7f7')]", - "Azure Kubernetes Service RBAC Cluster Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b')]", - "Azure Kubernetes Service RBAC Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f6c6a51-bcf8-42ba-9220-52d62157d7db')]", - "Azure Kubernetes Service RBAC Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Kubernetes Agentless Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a2ae44-610b-4500-93be-660a0c5f5ca6')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User 
Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "cMKKeyVault::cMKKey": { - "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults/keys", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", - "dependsOn": [ - "cMKKeyVault" - ] - }, - "cMKKeyVault": { - "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "managedCluster": { - "type": "Microsoft.ContainerService/managedClusters", - "apiVersion": "2023-07-02-preview", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "sku": { - "name": "Base", - "tier": "[parameters('skuTier')]" - }, - "properties": { - "httpProxyConfig": "[if(not(empty(parameters('httpProxyConfig'))), parameters('httpProxyConfig'), null())]", - "identityProfile": "[if(not(empty(parameters('identityProfile'))), parameters('identityProfile'), null())]", - "diskEncryptionSetID": "[if(not(empty(parameters('diskEncryptionSetID'))), parameters('diskEncryptionSetID'), null())]", - "kubernetesVersion": "[if(empty(parameters('kubernetesVersion')), null(), parameters('kubernetesVersion'))]", - "dnsPrefix": "[parameters('dnsPrefix')]", - "agentPoolProfiles": "[parameters('primaryAgentPoolProfile')]", - "linuxProfile": "[if(empty(parameters('sshPublicKey')), null(), variables('linuxProfile'))]", - "servicePrincipalProfile": "[if(empty(parameters('aksServicePrincipalProfile')), null(), parameters('aksServicePrincipalProfile'))]", - "ingressProfile": { - "webAppRouting": { - "enabled": "[parameters('webApplicationRoutingEnabled')]", - "dnsZoneResourceIds": "[if(not(empty(parameters('dnsZoneResourceId'))), createArray(parameters('dnsZoneResourceId')), null())]" - } - }, - "addonProfiles": { - "httpApplicationRouting": { - "enabled": "[parameters('httpApplicationRoutingEnabled')]" - }, - "ingressApplicationGateway": { - "enabled": "[and(parameters('ingressApplicationGatewayEnabled'), not(empty(parameters('appGatewayResourceId'))))]", - "config": "[if(and(parameters('ingressApplicationGatewayEnabled'), not(empty(parameters('appGatewayResourceId')))), createObject('applicationGatewayId', 
if(not(empty(parameters('appGatewayResourceId'))), parameters('appGatewayResourceId'), null()), 'effectiveApplicationGatewayId', if(not(empty(parameters('appGatewayResourceId'))), parameters('appGatewayResourceId'), null())), null())]" - }, - "omsagent": { - "enabled": "[and(parameters('omsAgentEnabled'), not(empty(parameters('monitoringWorkspaceId'))))]", - "config": "[if(and(parameters('omsAgentEnabled'), not(empty(parameters('monitoringWorkspaceId')))), createObject('logAnalyticsWorkspaceResourceID', if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), null())), null())]" - }, - "aciConnectorLinux": { - "enabled": "[parameters('aciConnectorLinuxEnabled')]" - }, - "azurepolicy": { - "enabled": "[parameters('azurePolicyEnabled')]", - "config": "[if(parameters('azurePolicyEnabled'), createObject('version', parameters('azurePolicyVersion')), null())]" - }, - "openServiceMesh": { - "enabled": "[parameters('openServiceMeshEnabled')]", - "config": "[if(parameters('openServiceMeshEnabled'), createObject(), null())]" - }, - "kubeDashboard": { - "enabled": "[parameters('kubeDashboardEnabled')]" - }, - "azureKeyvaultSecretsProvider": { - "enabled": "[parameters('enableKeyvaultSecretsProvider')]", - "config": "[if(parameters('enableKeyvaultSecretsProvider'), createObject('enableSecretRotation', parameters('enableSecretRotation')), null())]" - } - }, - "oidcIssuerProfile": "[if(parameters('enableOidcIssuerProfile'), createObject('enabled', parameters('enableOidcIssuerProfile')), null())]", - "enableRBAC": "[parameters('enableRBAC')]", - "disableLocalAccounts": "[parameters('disableLocalAccounts')]", - "nodeResourceGroup": "[parameters('nodeResourceGroup')]", - "enablePodSecurityPolicy": "[parameters('enablePodSecurityPolicy')]", - "networkProfile": { - "networkDataplane": "[if(not(empty(parameters('networkDataplane'))), parameters('networkDataplane'), null())]", - "networkPlugin": "[if(not(empty(parameters('networkPlugin'))), 
parameters('networkPlugin'), null())]", - "networkPluginMode": "[if(not(empty(parameters('networkPluginMode'))), parameters('networkPluginMode'), null())]", - "networkPolicy": "[if(not(empty(parameters('networkPolicy'))), parameters('networkPolicy'), null())]", - "podCidr": "[if(not(empty(parameters('podCidr'))), parameters('podCidr'), null())]", - "serviceCidr": "[if(not(empty(parameters('serviceCidr'))), parameters('serviceCidr'), null())]", - "dnsServiceIP": "[if(not(empty(parameters('dnsServiceIP'))), parameters('dnsServiceIP'), null())]", - "outboundType": "[parameters('outboundType')]", - "loadBalancerSku": "[parameters('loadBalancerSku')]", - "loadBalancerProfile": "[if(not(equals(parameters('managedOutboundIPCount'), 0)), variables('lbProfile'), null())]" - }, - "aadProfile": { - "clientAppID": "[parameters('aadProfileClientAppID')]", - "serverAppID": "[parameters('aadProfileServerAppID')]", - "serverAppSecret": "[parameters('aadProfileServerAppSecret')]", - "managed": "[parameters('aadProfileManaged')]", - "enableAzureRBAC": "[parameters('aadProfileEnableAzureRBAC')]", - "adminGroupObjectIDs": "[parameters('aadProfileAdminGroupObjectIDs')]", - "tenantID": "[parameters('aadProfileTenantId')]" - }, - "autoScalerProfile": { - "balance-similar-node-groups": "[parameters('autoScalerProfileBalanceSimilarNodeGroups')]", - "expander": "[parameters('autoScalerProfileExpander')]", - "max-empty-bulk-delete": "[parameters('autoScalerProfileMaxEmptyBulkDelete')]", - "max-graceful-termination-sec": "[parameters('autoScalerProfileMaxGracefulTerminationSec')]", - "max-node-provision-time": "[parameters('autoScalerProfileMaxNodeProvisionTime')]", - "max-total-unready-percentage": "[parameters('autoScalerProfileMaxTotalUnreadyPercentage')]", - "new-pod-scale-up-delay": "[parameters('autoScalerProfileNewPodScaleUpDelay')]", - "ok-total-unready-count": "[parameters('autoScalerProfileOkTotalUnreadyCount')]", - "scale-down-delay-after-add": 
"[parameters('autoScalerProfileScaleDownDelayAfterAdd')]", - "scale-down-delay-after-delete": "[parameters('autoScalerProfileScaleDownDelayAfterDelete')]", - "scale-down-delay-after-failure": "[parameters('autoScalerProfileScaleDownDelayAfterFailure')]", - "scale-down-unneeded-time": "[parameters('autoScalerProfileScaleDownUnneededTime')]", - "scale-down-unready-time": "[parameters('autoScalerProfileScaleDownUnreadyTime')]", - "scale-down-utilization-threshold": "[parameters('autoScalerProfileUtilizationThreshold')]", - "scan-interval": "[parameters('autoScalerProfileScanInterval')]", - "skip-nodes-with-local-storage": "[parameters('autoScalerProfileSkipNodesWithLocalStorage')]", - "skip-nodes-with-system-pods": "[parameters('autoScalerProfileSkipNodesWithSystemPods')]" - }, - "autoUpgradeProfile": { - "upgradeChannel": "[if(not(empty(parameters('autoUpgradeProfileUpgradeChannel'))), parameters('autoUpgradeProfileUpgradeChannel'), null())]" - }, - "apiServerAccessProfile": { - "authorizedIPRanges": "[parameters('authorizedIPRanges')]", - "disableRunCommand": "[parameters('disableRunCommand')]", - "enablePrivateCluster": "[parameters('enablePrivateCluster')]", - "enablePrivateClusterPublicFQDN": "[parameters('enablePrivateClusterPublicFQDN')]", - "privateDNSZone": "[parameters('privateDNSZone')]" - }, - "azureMonitorProfile": { - "metrics": "[if(parameters('enableAzureMonitorProfileMetrics'), createObject('enabled', true(), 'kubeStateMetrics', createObject('metricAnnotationsAllowList', parameters('metricAnnotationsAllowList'), 'metricLabelsAllowlist', parameters('metricLabelsAllowlist'))), null())]" - }, - "podIdentityProfile": { - "allowNetworkPluginKubenet": "[parameters('podIdentityProfileAllowNetworkPluginKubenet')]", - "enabled": "[parameters('podIdentityProfileEnable')]", - "userAssignedIdentities": "[parameters('podIdentityProfileUserAssignedIdentities')]", - "userAssignedIdentityExceptions": "[parameters('podIdentityProfileUserAssignedIdentityExceptions')]" 
- }, - "securityProfile": { - "azureKeyVaultKms": "[if(not(empty(parameters('customerManagedKey'))), createObject('enabled', true(), 'keyId', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), format('{0}/{1}', reference('cMKKeyVault::cMKKey').keyUri, parameters('customerManagedKey').keyVersion), reference('cMKKeyVault::cMKKey').keyUriWithVersion), 'keyVaultNetworkAccess', parameters('customerManagedKey').keyVaultNetworkAccess, 'keyVaultResourceId', if(equals(parameters('customerManagedKey').keyVaultNetworkAccess, 'Private'), extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]), 'Microsoft.KeyVault/vaults', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))), null())), null())]", - "defender": "[if(parameters('enableAzureDefender'), createObject('securityMonitoring', createObject('enabled', parameters('enableAzureDefender')), 'logAnalyticsWorkspaceResourceId', if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), null())), null())]", - "workloadIdentity": "[if(parameters('enableWorkloadIdentity'), createObject('enabled', parameters('enableWorkloadIdentity')), null())]" - }, - "storageProfile": { - "blobCSIDriver": { - "enabled": "[parameters('enableStorageProfileBlobCSIDriver')]" - }, - "diskCSIDriver": { - "enabled": "[parameters('enableStorageProfileDiskCSIDriver')]" - }, - "fileCSIDriver": { - "enabled": "[parameters('enableStorageProfileFileCSIDriver')]" - }, - "snapshotController": { - "enabled": "[parameters('enableStorageProfileSnapshotController')]" - } - }, - "supportPlan": "[parameters('supportPlan')]" - }, - "dependsOn": [ - "cMKKeyVault" - ] - }, - "managedCluster_lock": { - "condition": 
"[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "managedCluster" - ] - }, - "managedCluster_diagnosticSettings": { - "copy": { - "name": "managedCluster_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', 
true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "managedCluster" - ] - }, - "managedCluster_roleAssignments": { - "copy": { - "name": "managedCluster_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - 
"description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "managedCluster" - ] - }, - "dnsZone": { - "condition": "[and(and(equals(parameters('enableDnsZoneContributorRoleAssignment'), true()), not(equals(parameters('dnsZoneResourceId'), null()))), parameters('webApplicationRoutingEnabled'))]", - "existing": true, - "type": "Microsoft.Network/dnsZones", - "apiVersion": "2018-05-01", - "name": "[last(split(if(not(empty(parameters('dnsZoneResourceId'))), parameters('dnsZoneResourceId'), '/dummmyZone'), '/'))]" - }, - "dnsZone_roleAssignment": { - "condition": "[and(and(equals(parameters('enableDnsZoneContributorRoleAssignment'), true()), not(equals(parameters('dnsZoneResourceId'), null()))), parameters('webApplicationRoutingEnabled'))]", - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}', last(split(if(not(empty(parameters('dnsZoneResourceId'))), parameters('dnsZoneResourceId'), '/dummmyZone'), '/')))]", - "name": "[guid(parameters('dnsZoneResourceId'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314'), 'DNS Zone Contributor')]", - "properties": { - "roleDefinitionId": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "principalId": "[reference('managedCluster').ingressProfile.webAppRouting.identity.objectId]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "dnsZone", - "managedCluster" - ] - }, - "managedCluster_agentPools": { - "copy": { - "name": "managedCluster_agentPools", - "count": "[length(parameters('agentPools'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-ManagedCluster-AgentPool-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "managedClusterName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('agentPools')[copyIndex()].name]" - }, - "availabilityZones": "[if(contains(parameters('agentPools')[copyIndex()], 'availabilityZones'), createObject('value', parameters('agentPools')[copyIndex()].availabilityZones), createObject('value', createArray()))]", - "count": "[if(contains(parameters('agentPools')[copyIndex()], 'count'), createObject('value', parameters('agentPools')[copyIndex()].count), createObject('value', 1))]", - "sourceResourceId": "[if(contains(parameters('agentPools')[copyIndex()], 'sourceResourceId'), createObject('value', parameters('agentPools')[copyIndex()].sourceResourceId), createObject('value', ''))]", - "enableAutoScaling": "[if(contains(parameters('agentPools')[copyIndex()], 'enableAutoScaling'), createObject('value', parameters('agentPools')[copyIndex()].enableAutoScaling), createObject('value', false()))]", - "enableEncryptionAtHost": "[if(contains(parameters('agentPools')[copyIndex()], 'enableEncryptionAtHost'), createObject('value', parameters('agentPools')[copyIndex()].enableEncryptionAtHost), createObject('value', false()))]", - "enableFIPS": 
"[if(contains(parameters('agentPools')[copyIndex()], 'enableFIPS'), createObject('value', parameters('agentPools')[copyIndex()].enableFIPS), createObject('value', false()))]", - "enableNodePublicIP": "[if(contains(parameters('agentPools')[copyIndex()], 'enableNodePublicIP'), createObject('value', parameters('agentPools')[copyIndex()].enableNodePublicIP), createObject('value', false()))]", - "enableUltraSSD": "[if(contains(parameters('agentPools')[copyIndex()], 'enableUltraSSD'), createObject('value', parameters('agentPools')[copyIndex()].enableUltraSSD), createObject('value', false()))]", - "gpuInstanceProfile": "[if(contains(parameters('agentPools')[copyIndex()], 'gpuInstanceProfile'), createObject('value', parameters('agentPools')[copyIndex()].gpuInstanceProfile), createObject('value', ''))]", - "kubeletDiskType": "[if(contains(parameters('agentPools')[copyIndex()], 'kubeletDiskType'), createObject('value', parameters('agentPools')[copyIndex()].kubeletDiskType), createObject('value', ''))]", - "maxCount": "[if(contains(parameters('agentPools')[copyIndex()], 'maxCount'), createObject('value', parameters('agentPools')[copyIndex()].maxCount), createObject('value', -1))]", - "maxPods": "[if(contains(parameters('agentPools')[copyIndex()], 'maxPods'), createObject('value', parameters('agentPools')[copyIndex()].maxPods), createObject('value', -1))]", - "minCount": "[if(contains(parameters('agentPools')[copyIndex()], 'minCount'), createObject('value', parameters('agentPools')[copyIndex()].minCount), createObject('value', -1))]", - "mode": "[if(contains(parameters('agentPools')[copyIndex()], 'mode'), createObject('value', parameters('agentPools')[copyIndex()].mode), createObject('value', ''))]", - "nodeLabels": "[if(contains(parameters('agentPools')[copyIndex()], 'nodeLabels'), createObject('value', parameters('agentPools')[copyIndex()].nodeLabels), createObject('value', createObject()))]", - "nodePublicIpPrefixId": "[if(contains(parameters('agentPools')[copyIndex()], 
'nodePublicIpPrefixId'), createObject('value', parameters('agentPools')[copyIndex()].nodePublicIpPrefixId), createObject('value', ''))]", - "nodeTaints": "[if(contains(parameters('agentPools')[copyIndex()], 'nodeTaints'), createObject('value', parameters('agentPools')[copyIndex()].nodeTaints), createObject('value', createArray()))]", - "orchestratorVersion": "[if(contains(parameters('agentPools')[copyIndex()], 'orchestratorVersion'), createObject('value', parameters('agentPools')[copyIndex()].orchestratorVersion), createObject('value', parameters('kubernetesVersion')))]", - "osDiskSizeGB": "[if(contains(parameters('agentPools')[copyIndex()], 'osDiskSizeGB'), createObject('value', parameters('agentPools')[copyIndex()].osDiskSizeGB), createObject('value', -1))]", - "osDiskType": "[if(contains(parameters('agentPools')[copyIndex()], 'osDiskType'), createObject('value', parameters('agentPools')[copyIndex()].osDiskType), createObject('value', ''))]", - "osSku": "[if(contains(parameters('agentPools')[copyIndex()], 'osSku'), createObject('value', parameters('agentPools')[copyIndex()].osSku), createObject('value', ''))]", - "osType": "[if(contains(parameters('agentPools')[copyIndex()], 'osType'), createObject('value', parameters('agentPools')[copyIndex()].osType), createObject('value', 'Linux'))]", - "podSubnetId": "[if(contains(parameters('agentPools')[copyIndex()], 'podSubnetId'), createObject('value', parameters('agentPools')[copyIndex()].podSubnetId), createObject('value', ''))]", - "proximityPlacementGroupResourceId": "[if(contains(parameters('agentPools')[copyIndex()], 'proximityPlacementGroupResourceId'), createObject('value', parameters('agentPools')[copyIndex()].proximityPlacementGroupResourceId), createObject('value', ''))]", - "scaleDownMode": "[if(contains(parameters('agentPools')[copyIndex()], 'scaleDownMode'), createObject('value', parameters('agentPools')[copyIndex()].scaleDownMode), createObject('value', 'Delete'))]", - "scaleSetEvictionPolicy": 
"[if(contains(parameters('agentPools')[copyIndex()], 'scaleSetEvictionPolicy'), createObject('value', parameters('agentPools')[copyIndex()].scaleSetEvictionPolicy), createObject('value', 'Delete'))]", - "scaleSetPriority": "[if(contains(parameters('agentPools')[copyIndex()], 'scaleSetPriority'), createObject('value', parameters('agentPools')[copyIndex()].scaleSetPriority), createObject('value', ''))]", - "spotMaxPrice": "[if(contains(parameters('agentPools')[copyIndex()], 'spotMaxPrice'), createObject('value', parameters('agentPools')[copyIndex()].spotMaxPrice), createObject('value', -1))]", - "tags": { - "value": "[coalesce(tryGet(parameters('agentPools')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "type": "[if(contains(parameters('agentPools')[copyIndex()], 'type'), createObject('value', parameters('agentPools')[copyIndex()].type), createObject('value', ''))]", - "maxSurge": "[if(contains(parameters('agentPools')[copyIndex()], 'maxSurge'), createObject('value', parameters('agentPools')[copyIndex()].maxSurge), createObject('value', ''))]", - "vmSize": "[if(contains(parameters('agentPools')[copyIndex()], 'vmSize'), createObject('value', parameters('agentPools')[copyIndex()].vmSize), createObject('value', 'Standard_D2s_v3'))]", - "vnetSubnetId": "[if(contains(parameters('agentPools')[copyIndex()], 'vnetSubnetId'), createObject('value', parameters('agentPools')[copyIndex()].vnetSubnetId), createObject('value', ''))]", - "workloadRuntime": "[if(contains(parameters('agentPools')[copyIndex()], 'workloadRuntime'), createObject('value', parameters('agentPools')[copyIndex()].workloadRuntime), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": 
"0.24.24.22086", - "templateHash": "13894804167062746913" - }, - "name": "Azure Kubernetes Service (AKS) Managed Cluster Agent Pools", - "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "managedClusterName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent managed cluster. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the agent pool." - } - }, - "availabilityZones": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is \"VirtualMachineScaleSets\"." - } - }, - "count": { - "type": "int", - "defaultValue": 1, - "minValue": 0, - "maxValue": 1000, - "metadata": { - "description": "Optional. Desired Number of agents (VMs) specified to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1." - } - }, - "sourceResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. This is the ARM ID of the source object to be used to create the target object." - } - }, - "enableAutoScaling": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether to enable auto-scaler." - } - }, - "enableEncryptionAtHost": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption. For security reasons, this setting should be enabled." 
- } - }, - "enableFIPS": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. See Add a FIPS-enabled node pool (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#add-a-fips-enabled-node-pool-preview) for more details." - } - }, - "enableNodePublicIP": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools)." - } - }, - "enableUltraSSD": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether to enable UltraSSD." - } - }, - "gpuInstanceProfile": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "MIG1g", - "MIG2g", - "MIG3g", - "MIG4g", - "MIG7g", - "" - ], - "metadata": { - "description": "Optional. GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU." - } - }, - "kubeletDiskType": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage." - } - }, - "maxCount": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. The maximum number of nodes for auto-scaling." - } - }, - "maxPods": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. The maximum number of pods that can run on a node." - } - }, - "minCount": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. The minimum number of nodes for auto-scaling." 
- } - }, - "mode": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. A cluster must have at least one \"System\" Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: /azure/aks/use-system-pools." - } - }, - "nodeLabels": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The node labels to be persisted across all nodes in agent pool." - } - }, - "nodePublicIpPrefixId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. ResourceId of the node PublicIPPrefix." - } - }, - "nodeTaints": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule." - } - }, - "orchestratorVersion": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see upgrading a node pool (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#upgrade-a-node-pool)." - } - }, - "osDiskSizeGB": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. OS Disk Size in GB to be used to specify the disk size for every machine in the master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified." - } - }, - "osDiskType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "Ephemeral", - "Managed", - "" - ], - "metadata": { - "description": "Optional. 
The default is \"Ephemeral\" if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to \"Managed\". May not be changed after creation. For more information see Ephemeral OS (https://learn.microsoft.com/en-us/azure/aks/cluster-configuration#ephemeral-os)." - } - }, - "osSku": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "AzureLinux", - "CBLMariner", - "Ubuntu", - "Windows2019", - "Windows2022", - "" - ], - "metadata": { - "description": "Optional. Specifies the OS SKU used by the agent pool. The default is Ubuntu if OSType is Linux. The default is Windows2019 when Kubernetes <= 1.24 or Windows2022 when Kubernetes >= 1.25 if OSType is Windows." - } - }, - "osType": { - "type": "string", - "defaultValue": "Linux", - "allowedValues": [ - "Linux", - "Windows" - ], - "metadata": { - "description": "Optional. The operating system type. The default is Linux." - } - }, - "podSubnetId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Subnet ID for the pod IPs. If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}." - } - }, - "proximityPlacementGroupResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The ID for the Proximity Placement Group." - } - }, - "scaleDownMode": { - "type": "string", - "defaultValue": "Delete", - "allowedValues": [ - "Deallocate", - "Delete" - ], - "metadata": { - "description": "Optional. Describes how VMs are added to or removed from Agent Pools. See billing states (https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing)." 
- } - }, - "scaleSetEvictionPolicy": { - "type": "string", - "defaultValue": "Delete", - "allowedValues": [ - "Deallocate", - "Delete" - ], - "metadata": { - "description": "Optional. The eviction policy specifies what to do with the VM when it is evicted. The default is Delete. For more information about eviction see spot VMs." - } - }, - "scaleSetPriority": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "Regular", - "Spot", - "" - ], - "metadata": { - "description": "Optional. The Virtual Machine Scale Set priority." - } - }, - "spotMaxPrice": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing (https://learn.microsoft.com/en-us/azure/virtual-machines/spot-vms#pricing)." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "type": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The type of Agent Pool." - } - }, - "maxSurge": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. This can either be set to an integer (e.g. \"5\") or a percentage (e.g. \"50%\"). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 1. For more information, including best practices, see: /azure/aks/upgrade-cluster#customize-node-surge-upgrade." - } - }, - "vmSize": { - "type": "string", - "defaultValue": "Standard_D2s_v3", - "metadata": { - "description": "Optional. VM size. VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. 
For more details on restricted VM sizes, see: /azure/aks/quotas-skus-regions." - } - }, - "vnetSubnetId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Node Subnet ID. If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}." - } - }, - "workloadRuntime": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Determines the type of workload a node can run." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "creationData": { - "sourceResourceId": "[if(not(empty(parameters('sourceResourceId'))), parameters('sourceResourceId'), null())]" - }, - "upgradeSettings": { - "maxSurge": "[parameters('maxSurge')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "managedCluster": { - "existing": true, - "type": "Microsoft.ContainerService/managedClusters", - "apiVersion": "2023-07-02-preview", - "name": "[parameters('managedClusterName')]" - }, - "agentPool": { - "type": "Microsoft.ContainerService/managedClusters/agentPools", - "apiVersion": "2023-07-02-preview", - "name": "[format('{0}/{1}', 
parameters('managedClusterName'), parameters('name'))]", - "properties": { - "availabilityZones": "[parameters('availabilityZones')]", - "count": "[parameters('count')]", - "creationData": "[if(not(empty(parameters('sourceResourceId'))), variables('creationData'), null())]", - "enableAutoScaling": "[parameters('enableAutoScaling')]", - "enableEncryptionAtHost": "[parameters('enableEncryptionAtHost')]", - "enableFIPS": "[parameters('enableFIPS')]", - "enableNodePublicIP": "[parameters('enableNodePublicIP')]", - "enableUltraSSD": "[parameters('enableUltraSSD')]", - "gpuInstanceProfile": "[if(not(empty(parameters('gpuInstanceProfile'))), parameters('gpuInstanceProfile'), null())]", - "kubeletDiskType": "[parameters('kubeletDiskType')]", - "maxCount": "[if(not(equals(parameters('maxCount'), -1)), parameters('maxCount'), null())]", - "maxPods": "[if(not(equals(parameters('maxPods'), -1)), parameters('maxPods'), null())]", - "minCount": "[if(not(equals(parameters('minCount'), -1)), parameters('minCount'), null())]", - "mode": "[if(not(empty(parameters('mode'))), parameters('mode'), null())]", - "nodeLabels": "[parameters('nodeLabels')]", - "nodePublicIPPrefixID": "[if(not(empty(parameters('nodePublicIpPrefixId'))), parameters('nodePublicIpPrefixId'), null())]", - "nodeTaints": "[parameters('nodeTaints')]", - "orchestratorVersion": "[parameters('orchestratorVersion')]", - "osDiskSizeGB": "[if(not(equals(parameters('osDiskSizeGB'), -1)), parameters('osDiskSizeGB'), null())]", - "osDiskType": "[if(not(empty(parameters('osDiskType'))), parameters('osDiskType'), null())]", - "osSKU": "[if(not(empty(parameters('osSku'))), parameters('osSku'), null())]", - "osType": "[parameters('osType')]", - "podSubnetID": "[if(not(empty(parameters('podSubnetId'))), parameters('podSubnetId'), null())]", - "proximityPlacementGroupID": "[if(not(empty(parameters('proximityPlacementGroupResourceId'))), parameters('proximityPlacementGroupResourceId'), null())]", - "scaleDownMode": 
"[parameters('scaleDownMode')]", - "scaleSetEvictionPolicy": "[parameters('scaleSetEvictionPolicy')]", - "scaleSetPriority": "[if(not(empty(parameters('scaleSetPriority'))), parameters('scaleSetPriority'), null())]", - "spotMaxPrice": "[parameters('spotMaxPrice')]", - "tags": "[parameters('tags')]", - "type": "[parameters('type')]", - "upgradeSettings": "[variables('upgradeSettings')]", - "vmSize": "[parameters('vmSize')]", - "vnetSubnetID": "[parameters('vnetSubnetId')]", - "workloadRuntime": "[parameters('workloadRuntime')]" - }, - "dependsOn": [ - "managedCluster" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the agent pool." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the agent pool." - }, - "value": "[resourceId('Microsoft.ContainerService/managedClusters/agentPools', parameters('managedClusterName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the agent pool was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "managedCluster" - ] - }, - "managedCluster_extension": { - "condition": "[not(empty(parameters('fluxExtension')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-ManagedCluster-FluxExtension', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "clusterName": { - "value": "[parameters('name')]" - }, - "configurationProtectedSettings": "[if(not(empty(parameters('fluxConfigurationProtectedSettings'))), createObject('value', parameters('fluxConfigurationProtectedSettings')), createObject('value', createObject()))]", - "configurationSettings": "[if(contains(parameters('fluxExtension'), 'configurationSettings'), createObject('value', parameters('fluxExtension').configurationSettings), createObject('value', createObject()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "extensionType": { - "value": "microsoft.flux" - }, - "fluxConfigurations": { - "value": "[parameters('fluxExtension').configurations]" - }, - "location": { - "value": "[parameters('location')]" - }, - "name": { - "value": "flux" - }, - "releaseNamespace": { - "value": "flux-system" - }, - "releaseTrain": "[if(contains(parameters('fluxExtension'), 'releaseTrain'), createObject('value', parameters('fluxExtension').releaseTrain), createObject('value', 'Stable'))]", - "version": "[if(contains(parameters('fluxExtension'), 'version'), createObject('value', parameters('fluxExtension').version), createObject('value', ''))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "3622584380025042085" - }, - 
"name": "Kubernetes Configuration Extensions", - "description": "This module deploys a Kubernetes Configuration Extension.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Flux Configuration." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "clusterName": { - "type": "string", - "metadata": { - "description": "Required. The name of the AKS cluster that should be configured." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "configurationProtectedSettings": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Configuration settings that are sensitive, as name-value pairs for configuring this extension." - } - }, - "configurationSettings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Configuration settings, as name-value pairs for configuring this extension." - } - }, - "extensionType": { - "type": "string", - "metadata": { - "description": "Required. Type of the Extension, of which this resource is an instance of. It must be one of the Extension Types registered with Microsoft.KubernetesConfiguration by the Extension publisher." - } - }, - "releaseTrain": { - "type": "string", - "defaultValue": "Stable", - "metadata": { - "description": "Optional. ReleaseTrain this extension participates in for auto-upgrade (e.g. Stable, Preview, etc.) - only if autoUpgradeMinorVersion is \"true\"." - } - }, - "releaseNamespace": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Namespace where the extension Release must be placed, for a Cluster scoped extension. 
If this namespace does not exist, it will be created." - } - }, - "targetNamespace": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Namespace where the extension will be created for an Namespace scoped extension. If this namespace does not exist, it will be created." - } - }, - "version": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Version of the extension for this extension, if it is \"pinned\" to a specific version." - } - }, - "fluxConfigurations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. A list of flux configuraitons." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.KubernetesConfiguration/extensions", - "apiVersion": "2022-03-01", - "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('clusterName'))]", - "name": "[parameters('name')]", - "properties": { - "autoUpgradeMinorVersion": "[if(not(empty(parameters('version'))), false(), true())]", - "configurationProtectedSettings": "[if(not(empty(parameters('configurationProtectedSettings'))), parameters('configurationProtectedSettings'), createObject())]", - "configurationSettings": "[if(not(empty(parameters('configurationSettings'))), parameters('configurationSettings'), createObject())]", - "extensionType": "[parameters('extensionType')]", - "releaseTrain": "[if(not(empty(parameters('releaseTrain'))), parameters('releaseTrain'), null())]", - "scope": { - "cluster": 
"[if(not(empty(parameters('releaseNamespace'))), createObject('releaseNamespace', parameters('releaseNamespace')), null())]", - "namespace": "[if(not(empty(parameters('targetNamespace'))), createObject('targetNamespace', parameters('targetNamespace')), null())]" - }, - "version": "[if(not(empty(parameters('version'))), parameters('version'), null())]" - } - }, - { - "copy": { - "name": "fluxConfiguration", - "count": "[length(parameters('fluxConfigurations'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-ManagedCluster-FluxConfiguration{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "enableDefaultTelemetry": { - "value": "[parameters('enableDefaultTelemetry')]" - }, - "clusterName": { - "value": "[parameters('clusterName')]" - }, - "scope": { - "value": "[parameters('fluxConfigurations')[copyIndex()].scope]" - }, - "namespace": { - "value": "[parameters('fluxConfigurations')[copyIndex()].namespace]" - }, - "sourceKind": "[if(contains(parameters('fluxConfigurations')[copyIndex()], 'gitRepository'), createObject('value', 'GitRepository'), createObject('value', 'Bucket'))]", - "name": "[if(contains(parameters('fluxConfigurations')[copyIndex()], 'name'), createObject('value', parameters('fluxConfigurations')[copyIndex()].name), createObject('value', toLower(format('{0}-fluxconfiguration{1}', parameters('clusterName'), copyIndex()))))]", - "bucket": "[if(contains(parameters('fluxConfigurations')[copyIndex()], 'bucket'), createObject('value', parameters('fluxConfigurations')[copyIndex()].bucket), createObject('value', createObject()))]", - "configurationProtectedSettings": "[if(contains(parameters('fluxConfigurations')[copyIndex()], 'configurationProtectedSettings'), createObject('value', 
parameters('fluxConfigurations')[copyIndex()].configurationProtectedSettings), createObject('value', createObject()))]", - "gitRepository": "[if(contains(parameters('fluxConfigurations')[copyIndex()], 'gitRepository'), createObject('value', parameters('fluxConfigurations')[copyIndex()].gitRepository), createObject('value', createObject()))]", - "kustomizations": "[if(contains(parameters('fluxConfigurations')[copyIndex()], 'kustomizations'), createObject('value', parameters('fluxConfigurations')[copyIndex()].kustomizations), createObject('value', createObject()))]", - "suspend": "[if(contains(parameters('fluxConfigurations')[copyIndex()], 'suspend'), createObject('value', parameters('fluxConfigurations')[copyIndex()].suspend), createObject('value', false()))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "8976867865582545635" - }, - "name": "Kubernetes Configuration Flux Configurations", - "description": "This module deploys a Kubernetes Configuration Flux Configuration.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Flux Configuration." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "clusterName": { - "type": "string", - "metadata": { - "description": "Required. The name of the AKS cluster that should be configured." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "bucket": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. 
Parameters to reconcile to the GitRepository source kind type." - } - }, - "configurationProtectedSettings": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Key-value pairs of protected configuration settings for the configuration." - } - }, - "gitRepository": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Parameters to reconcile to the GitRepository source kind type." - } - }, - "kustomizations": { - "type": "object", - "metadata": { - "description": "Required. Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster." - } - }, - "namespace": { - "type": "string", - "metadata": { - "description": "Required. The namespace to which this configuration is installed to. Maximum of 253 lower case alphanumeric characters, hyphen and period only." - } - }, - "scope": { - "type": "string", - "allowedValues": [ - "cluster", - "namespace" - ], - "metadata": { - "description": "Required. Scope at which the configuration will be installed." - } - }, - "sourceKind": { - "type": "string", - "allowedValues": [ - "Bucket", - "GitRepository" - ], - "metadata": { - "description": "Required. Source Kind to pull the configuration data from." - } - }, - "suspend": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether this configuration should suspend its reconciliation of its kustomizations and sources." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.KubernetesConfiguration/fluxConfigurations", - "apiVersion": "2023-05-01", - "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('clusterName'))]", - "name": "[parameters('name')]", - "properties": { - "bucket": "[if(not(empty(parameters('bucket'))), parameters('bucket'), null())]", - "configurationProtectedSettings": "[if(not(empty(parameters('configurationProtectedSettings'))), parameters('configurationProtectedSettings'), createObject())]", - "gitRepository": "[if(not(empty(parameters('gitRepository'))), parameters('gitRepository'), null())]", - "kustomizations": "[parameters('kustomizations')]", - "namespace": "[parameters('namespace')]", - "scope": "[parameters('scope')]", - "sourceKind": "[parameters('sourceKind')]", - "suspend": "[parameters('suspend')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the flux configuration." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the flux configuration." - }, - "value": "[extensionResourceId(resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName')), 'Microsoft.KubernetesConfiguration/fluxConfigurations', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the flux configuration was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName')), 'Microsoft.KubernetesConfiguration/extensions', parameters('name'))]" - ] - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the extension." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the extension." - }, - "value": "[extensionResourceId(resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName')), 'Microsoft.KubernetesConfiguration/extensions', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the extension was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "managedCluster" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the managed cluster." - }, - "value": "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the managed cluster was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the managed cluster." - }, - "value": "[parameters('name')]" - }, - "controlPlaneFQDN": { - "type": "string", - "metadata": { - "description": "The control plane FQDN of the managed cluster." - }, - "value": "[if(parameters('enablePrivateCluster'), reference('managedCluster').privateFQDN, reference('managedCluster').fqdn)]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." 
- }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('managedCluster', '2023-07-02-preview', 'full').identity, 'principalId')), reference('managedCluster', '2023-07-02-preview', 'full').identity.principalId, '')]" - }, - "kubeletidentityObjectId": { - "type": "string", - "metadata": { - "description": "The Object ID of the AKS identity." - }, - "value": "[if(contains(reference('managedCluster'), 'identityProfile'), if(contains(reference('managedCluster').identityProfile, 'kubeletidentity'), reference('managedCluster').identityProfile.kubeletidentity.objectId, ''), '')]" - }, - "omsagentIdentityObjectId": { - "type": "string", - "metadata": { - "description": "The Object ID of the OMS agent identity." - }, - "value": "[if(contains(reference('managedCluster'), 'addonProfiles'), if(contains(reference('managedCluster').addonProfiles, 'omsagent'), if(contains(reference('managedCluster').addonProfiles.omsagent, 'identity'), reference('managedCluster').addonProfiles.omsagent.identity.objectId, ''), ''), '')]" - }, - "keyvaultIdentityObjectId": { - "type": "string", - "metadata": { - "description": "The Object ID of the Key Vault Secrets Provider identity." - }, - "value": "[if(contains(reference('managedCluster'), 'addonProfiles'), if(contains(reference('managedCluster').addonProfiles, 'azureKeyvaultSecretsProvider'), if(contains(reference('managedCluster').addonProfiles.azureKeyvaultSecretsProvider, 'identity'), reference('managedCluster').addonProfiles.azureKeyvaultSecretsProvider.identity.objectId, ''), ''), '')]" - }, - "keyvaultIdentityClientId": { - "type": "string", - "metadata": { - "description": "The Client ID of the Key Vault Secrets Provider identity." 
- }, - "value": "[if(contains(reference('managedCluster'), 'addonProfiles'), if(contains(reference('managedCluster').addonProfiles, 'azureKeyvaultSecretsProvider'), if(contains(reference('managedCluster').addonProfiles.azureKeyvaultSecretsProvider, 'identity'), reference('managedCluster').addonProfiles.azureKeyvaultSecretsProvider.identity.clientId, ''), ''), '')]" - }, - "ingressApplicationGatewayIdentityObjectId": { - "type": "string", - "metadata": { - "description": "The Object ID of Application Gateway Ingress Controller (AGIC) identity." - }, - "value": "[coalesce(tryGet(tryGet(tryGet(reference('managedCluster').addonProfiles, 'ingressApplicationGateway'), 'identity'), 'objectId'), '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('managedCluster', '2023-07-02-preview', 'full').location]" - }, - "oidcIssuerUrl": { - "type": "string", - "metadata": { - "description": "The OIDC token issuer URL." - }, - "value": "[if(parameters('enableOidcIssuerProfile'), reference('managedCluster').oidcIssuerProfile.issuerURL, '')]" - }, - "addonProfiles": { - "type": "object", - "metadata": { - "description": "The addonProfiles of the Kubernetes cluster." - }, - "value": "[if(contains(reference('managedCluster'), 'addonProfiles'), reference('managedCluster').addonProfiles, createObject())]" - }, - "webAppRoutingIdentityObjectId": { - "type": "string", - "metadata": { - "description": "The Object ID of Web Application Routing." - }, - "value": "[if(and(and(and(contains(reference('managedCluster'), 'ingressProfile'), contains(reference('managedCluster').ingressProfile, 'webAppRouting')), contains(reference('managedCluster').ingressProfile.webAppRouting, 'identity')), contains(reference('managedCluster').ingressProfile.webAppRouting.identity, 'objectId')), reference('managedCluster').ingressProfile.webAppRouting.identity.objectId, '')]" - } - } -} \ No newline at end of file 
diff --git a/modules/container-service/managed-cluster/tests/e2e/azure/dependencies.bicep b/modules/container-service/managed-cluster/tests/e2e/azure/dependencies.bicep
deleted file mode 100644
index 40834512ba..0000000000
--- a/modules/container-service/managed-cluster/tests/e2e/azure/dependencies.bicep
+++ /dev/null
@@ -1,187 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Kubelet Identity Managed Identity to create.')
-param managedIdentityKubeletIdentityName string
-
-@description('Required. The name of the Disk Encryption Set to create.')
-param diskEncryptionSetName string
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Proximity Placement Group to create.')
-param proximityPlacementGroupName string
-
-@description('Required. The name of the DNS Zone to create.')
-param dnsZoneName string
-
-@description('Required. The name of the log analytics workspace to create.')
-param logAnalyticsWorkspaceName string
-
-var addressPrefix = '10.1.0.0/22'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: map(range(0, 3), i => {
- name: 'subnet-${i}'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 24, i)
- }
- })
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
- name: logAnalyticsWorkspaceName
- location: location
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-11-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: true // Required by nodepool vmss
- softDeleteRetentionInDays: 7
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-
- resource key 'keys@2022-07-01' = {
- name: 'encryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-
- resource kmskey 'keys@2022-07-01' = {
- name: 'kmsEncryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-}
-
-resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2022-07-02' = {
- name: diskEncryptionSetName
- location: location
- identity: {
- type: 'SystemAssigned'
- }
- properties: {
- activeKey: {
- sourceVault: {
- id: keyVault.id
- }
- keyUrl: keyVault::key.properties.keyUriWithVersion
- }
- encryptionType: 'EncryptionAtRestWithCustomerKey'
- }
-}
-
-resource keyPermissionsKeyVaultCryptoUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault.id}-${location}-${managedIdentity.id}-KeyVault-Crypto-User-RoleAssignment')
- scope: keyVault
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // KeyVault-Crypto-User
- principalType: 'ServicePrincipal'
- }
-}
-
-resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault.id}-${location}-${managedIdentity.id}-KeyVault-Key-Read-RoleAssignment')
- scope: keyVault
- properties: {
- principalId: diskEncryptionSet.identity.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User
- principalType: 'ServicePrincipal'
- }
-}
-
-resource proximityPlacementGroup 'Microsoft.Compute/proximityPlacementGroups@2022-03-01' = {
- name: proximityPlacementGroupName
- location: location
-}
-
-resource dnsZone 'Microsoft.Network/dnsZones@2018-05-01' = {
- name: dnsZoneName
- location: 'global'
-}
-
-resource managedIdentityKubeletIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityKubeletIdentityName
- location: location
-}
-
-resource roleAssignmentKubeletIdentity 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${location}-${managedIdentityKubeletIdentity.id}-ManagedIdentityOperator-RoleAssignment')
- scope: managedIdentityKubeletIdentity
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830') // Managed Identity Operator Role used for Kubelet identity.
- principalType: 'ServicePrincipal'
- }
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Kubelet Identity Managed Identity.')
-output managedIdentityKubeletIdentityResourceId string = managedIdentityKubeletIdentity.id
-
-@description('The resource ID of the created Disk Encryption Set.')
-output diskEncryptionSetResourceId string = diskEncryptionSet.id
-
-@description('The resource ID of the created Proximity Placement Group.')
-output proximityPlacementGroupResourceId string = proximityPlacementGroup.id
-
-@description('The resource ID of the created DNS Zone.')
-output dnsZoneResourceId string = dnsZone.id
-
-@description('The resource ID of the created Log Analytics Workspace.')
-output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.id
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
-
-@description('The name of the Key Vault Encryption Key.')
-output keyVaultEncryptionKeyName string = keyVault::key.name
-
-@description('The resource ID of the created Virtual Network System Agent Pool Subnet.')
-output systemPoolSubnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Virtual Network Agent Pool 1 Subnet.')
-output agentPool1SubnetResourceId string = virtualNetwork.properties.subnets[1].id
-
-@description('The resource ID of the created Virtual Network Agent Pool 2 Subnet.')
-output agentPool2SubnetResourceId string = virtualNetwork.properties.subnets[2].id
diff --git a/modules/container-service/managed-cluster/tests/e2e/azure/main.test.bicep b/modules/container-service/managed-cluster/tests/e2e/azure/main.test.bicep
deleted file mode 100644
index 11eeb9f2ff..0000000000
--- a/modules/container-service/managed-cluster/tests/e2e/azure/main.test.bicep
+++ /dev/null
@@ -1,283 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-containerservice.managedclusters-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'csmaz'
-
-@description('Generated. Used as a basis for unique resource names.')
-param baseTime string = utcNow('u')
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- managedIdentityKubeletIdentityName: 'dep-${namePrefix}-msiki-${serviceShort}'
- diskEncryptionSetName: 'dep-${namePrefix}-des-${serviceShort}'
- proximityPlacementGroupName: 'dep-${namePrefix}-ppg-${serviceShort}'
- // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}'
- dnsZoneName: 'dep-${namePrefix}-dns-${serviceShort}.com'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- primaryAgentPoolProfile: [
- {
- availabilityZones: [
- '3'
- ]
- count: 1
- enableAutoScaling: true
- maxCount: 3
- maxPods: 30
- minCount: 1
- mode: 'System'
- name: 'systempool'
- osDiskSizeGB: 0
- osType: 'Linux'
- serviceCidr: ''
- storageProfile: 'ManagedDisks'
- type: 'VirtualMachineScaleSets'
- vmSize: 'Standard_DS2_v2'
- vnetSubnetID: nestedDependencies.outputs.systemPoolSubnetResourceId
- }
- ]
- agentPools: [
- {
- availabilityZones: [
- '3'
- ]
- count: 2
- enableAutoScaling: true
- maxCount: 3
- maxPods: 30
- minCount: 1
- minPods: 2
- mode: 'User'
- name: 'userpool1'
- nodeLabels: {}
- nodeTaints: [
- 'CriticalAddonsOnly=true:NoSchedule'
- ]
- osDiskSizeGB: 128
- osType: 'Linux'
- scaleSetEvictionPolicy: 'Delete'
- scaleSetPriority: 'Regular'
- storageProfile: 'ManagedDisks'
- type: 'VirtualMachineScaleSets'
- vmSize: 'Standard_DS2_v2'
- vnetSubnetID: nestedDependencies.outputs.agentPool1SubnetResourceId
- proximityPlacementGroupResourceId: nestedDependencies.outputs.proximityPlacementGroupResourceId
- }
- {
- availabilityZones: [
- '3'
- ]
- count: 2
- enableAutoScaling: true
- maxCount: 3
- maxPods: 30
- minCount: 1
- minPods: 2
- mode: 'User'
- name: 'userpool2'
- nodeLabels: {}
- nodeTaints: [
- 'CriticalAddonsOnly=true:NoSchedule'
- ]
- osDiskSizeGB: 128
- osType: 'Linux'
- scaleSetEvictionPolicy: 'Delete'
- scaleSetPriority: 'Regular'
- storageProfile: 'ManagedDisks'
- type: 'VirtualMachineScaleSets'
- vmSize: 'Standard_DS2_v2'
- vnetSubnetID: nestedDependencies.outputs.agentPool2SubnetResourceId
- }
- ]
- autoUpgradeProfileUpgradeChannel: 'stable'
- enableWorkloadIdentity: true
- enableOidcIssuerProfile: true
- networkPlugin: 'azure'
- networkDataplane: 'azure'
- networkPluginMode: 'overlay'
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- diskEncryptionSetID: nestedDependencies.outputs.diskEncryptionSetResourceId
- openServiceMeshEnabled: true
- enableStorageProfileBlobCSIDriver: true
- enableStorageProfileDiskCSIDriver: true
- enableStorageProfileFileCSIDriver: true
- enableStorageProfileSnapshotController: true
- managedIdentities: {
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- identityProfile: {
- kubeletidentity: {
- resourceId: nestedDependencies.outputs.managedIdentityKubeletIdentityResourceId
- }
- }
- omsAgentEnabled: true
- monitoringWorkspaceId: nestedDependencies.outputs.logAnalyticsWorkspaceResourceId
- enableAzureDefender: true
- enableKeyvaultSecretsProvider: true
- enablePodSecurityPolicy: false
- enableAzureMonitorProfileMetrics: true
- customerManagedKey: {
- keyName: nestedDependencies.outputs.keyVaultEncryptionKeyName
- keyVaultNetworkAccess: 'Public'
- keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- }
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- fluxExtension: {
- configurationSettings: {
- 'helm-controller.enabled': 'true'
- 'source-controller.enabled': 'true'
- 'kustomize-controller.enabled': 'true'
- 'notification-controller.enabled': 'true'
- 'image-automation-controller.enabled': 'false'
- 'image-reflector-controller.enabled': 'false'
- }
- configurations: [
- {
- namespace: 'flux-system'
- scope: 'cluster'
- gitRepository: {
- repositoryRef: {
- branch: 'main'
- }
- sshKnownHosts: ''
- syncIntervalInSeconds: 300
- timeoutInSeconds: 180
- url: 'https://github.com/mspnp/aks-baseline'
- }
- }
- {
- namespace: 'flux-system-helm'
- scope: 'cluster'
- gitRepository: {
- repositoryRef: {
- branch: 'main'
- }
- sshKnownHosts: ''
- syncIntervalInSeconds: 300
- timeoutInSeconds: 180
- url: 'https://github.com/Azure/gitops-flux2-kustomize-helm-mt'
- }
- kustomizations: {
- infra: {
- path: './infrastructure'
- dependsOn: []
- timeoutInSeconds: 600
- syncIntervalInSeconds: 600
- validation: 'none'
- prune: true
- }
- apps: {
- path: './apps/staging'
- dependsOn: [
- 'infra'
- ]
- timeoutInSeconds: 600
- syncIntervalInSeconds: 600
- retryIntervalInSeconds: 120
- prune: true
- }
- }
- }
- ]
- }
- }
-}
diff --git a/modules/container-service/managed-cluster/tests/e2e/defaults/main.test.bicep b/modules/container-service/managed-cluster/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index 833719b5e2..0000000000
--- a/modules/container-service/managed-cluster/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,55 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-containerservice.managedclusters-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'csmmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- name: '${namePrefix}${serviceShort}001'
- enableDefaultTelemetry: enableDefaultTelemetry
- managedIdentities: {
- systemAssigned: true
- }
- primaryAgentPoolProfile: [
- {
- name: 'systempool'
- count: 1
- vmSize: 'Standard_DS2_v2'
- mode: 'System'
- }
- ]
- }
-}
diff --git a/modules/container-service/managed-cluster/tests/e2e/kubenet/dependencies.bicep b/modules/container-service/managed-cluster/tests/e2e/kubenet/dependencies.bicep
deleted file mode 100644
index bcd58414ee..0000000000
--- a/modules/container-service/managed-cluster/tests/e2e/kubenet/dependencies.bicep
+++ /dev/null
@@ -1,27 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the DNS Zone to create.')
-param dnsZoneName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
- name: managedIdentityName
- location: location
-}
-
-resource dnsZone 'Microsoft.Network/dnsZones@2018-05-01' = {
- name: dnsZoneName
- location: 'global'
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created DNS Zone.')
-output dnsZoneResourceId string = dnsZone.id
diff --git a/modules/container-service/managed-cluster/tests/e2e/kubenet/main.test.bicep b/modules/container-service/managed-cluster/tests/e2e/kubenet/main.test.bicep
deleted file mode 100644
index cede954b18..0000000000
--- a/modules/container-service/managed-cluster/tests/e2e/kubenet/main.test.bicep
+++ /dev/null
@@ -1,180 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-containerservice.managedclusters-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'csmkube'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- dnsZoneName: 'dep-${namePrefix}-dns-${serviceShort}.com'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- primaryAgentPoolProfile: [
- {
- availabilityZones: [
- '3'
- ]
- count: 1
- enableAutoScaling: true
- maxCount: 3
- maxPods: 30
- minCount: 1
- mode: 'System'
- name: 'systempool'
- osDiskSizeGB: 0
- osType: 'Linux'
- serviceCidr: ''
- storageProfile: 'ManagedDisks'
- type: 'VirtualMachineScaleSets'
- vmSize: 'Standard_DS2_v2'
- }
- ]
- agentPools: [
- {
- availabilityZones: [
- '3'
- ]
- count: 2
- enableAutoScaling: true
- maxCount: 3
- maxPods: 30
- minCount: 1
- minPods: 2
- mode: 'User'
- name: 'userpool1'
- nodeLabels: {}
- nodeTaints: [
- 'CriticalAddonsOnly=true:NoSchedule'
- ]
- osDiskSizeGB: 128
- osType: 'Linux'
- scaleSetEvictionPolicy: 'Delete'
- scaleSetPriority: 'Regular'
- storageProfile: 'ManagedDisks'
- type: 'VirtualMachineScaleSets'
- vmSize: 'Standard_DS2_v2'
- }
- {
- availabilityZones: [
- '3'
- ]
- count: 2
- enableAutoScaling: true
- maxCount: 3
- maxPods: 30
- minCount: 1
- minPods: 2
- mode: 'User'
- name: 'userpool2'
- nodeLabels: {}
- nodeTaints: [
- 'CriticalAddonsOnly=true:NoSchedule'
- ]
- osDiskSizeGB: 128
- osType: 'Linux'
- scaleSetEvictionPolicy: 'Delete'
- scaleSetPriority: 'Regular'
- storageProfile: 'ManagedDisks'
- type: 'VirtualMachineScaleSets'
- vmSize: 'Standard_DS2_v2'
- }
- ]
- networkPlugin: 'kubenet'
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- managedIdentities: {
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
diff --git a/modules/container-service/managed-cluster/tests/e2e/priv/dependencies.bicep b/modules/container-service/managed-cluster/tests/e2e/priv/dependencies.bicep
deleted file mode 100644
index 3a7d3e9d62..0000000000
--- a/modules/container-service/managed-cluster/tests/e2e/priv/dependencies.bicep
+++ /dev/null
@@ -1,91 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The Private DNS Zone Name to create for Private AKS Cluster.')
-param privateDnsZoneName string
-
-@description('Required. The Name of the Virtual Network to create.')
-param virtualNetworkName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
- name: managedIdentityName
- location: location
-}
-
-resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: privateDnsZoneName
- location: 'global'
-}
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: map(range(0, 2), i => {
- name: 'subnet-${i}'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 24, i)
- }
- })
- }
-}
-
-resource privateDNSZoneVNetLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
- name: 'pDnsLink-${virtualNetworkName}-${privateDnsZoneName}'
- location: 'global'
- parent: privateDnsZone
- properties: {
- registrationEnabled: true
- virtualNetwork: {
- id: virtualNetwork.id
- }
- }
-}
-
-resource msiVnetRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(resourceGroup().id, 'NetworkContributor', managedIdentity.id)
- scope: virtualNetwork
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') // Network Contributor
- principalType: 'ServicePrincipal'
- }
-}
-
-resource msiPrivDnsZoneRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(resourceGroup().id, 'PrivateDNSZoneContributor', managedIdentity.id)
- scope: privateDnsZone
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f') // Private DNS Zone Contributor
- principalType: 'ServicePrincipal'
- }
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the private DNS Zone created.')
-output privateDnsZoneResourceId string = privateDnsZone.id
-
-@description('The resource ID of the VirtualNetwork created.')
-output vNetResourceId string = virtualNetwork.id
-
-@description('The resource ID of the created Virtual Network System Agent Pool Subnet.')
-output systemPoolSubnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Virtual Network Agent Pool 1 Subnet.')
-output agentPoolSubnetResourceId string = virtualNetwork.properties.subnets[1].id
diff --git a/modules/container-service/managed-cluster/tests/e2e/priv/main.test.bicep b/modules/container-service/managed-cluster/tests/e2e/priv/main.test.bicep
deleted file mode 100644
index 078372cab4..0000000000
--- a/modules/container-service/managed-cluster/tests/e2e/priv/main.test.bicep
+++ /dev/null
@@ -1,171 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-containerservice.managedclusters-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'csmpriv'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- privateDnsZoneName: 'privatelink.${location}.azmk8s.io'
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- enablePrivateCluster: true
- primaryAgentPoolProfile: [
- {
- availabilityZones: [
- '3'
- ]
- count: 1
- enableAutoScaling: true
- maxCount: 3
- maxPods: 30
- minCount: 1
- mode: 'System'
- name: 'systempool'
- osDiskSizeGB: 0
- osType: 'Linux'
- serviceCidr: ''
- storageProfile: 'ManagedDisks'
- type: 'VirtualMachineScaleSets'
- vmSize: 'Standard_DS2_v2'
- vnetSubnetID: nestedDependencies.outputs.systemPoolSubnetResourceId
- }
- ]
- agentPools: [
- {
- availabilityZones: [
- '3'
- ]
- count: 2
- enableAutoScaling: true
- maxCount: 3
- maxPods: 30
- minCount: 1
- minPods: 2
- mode: 'User'
- name: 'userpool1'
- nodeLabels: {}
- nodeTaints: [
- 'CriticalAddonsOnly=true:NoSchedule'
- ]
- osDiskSizeGB: 128
- osType: 'Linux'
- scaleSetEvictionPolicy: 'Delete'
- scaleSetPriority: 'Regular'
- storageProfile: 'ManagedDisks'
- type: 'VirtualMachineScaleSets'
- vmSize: 'Standard_DS2_v2'
- vnetSubnetID: nestedDependencies.outputs.agentPoolSubnetResourceId
- }
- {
- availabilityZones: [
- '3'
- ]
- count: 2
- enableAutoScaling: true
- maxCount: 3
- maxPods: 30
- minCount: 1
- minPods: 2
- mode: 'User'
- name: 'userpool2'
- nodeLabels: {}
- nodeTaints: [
- 'CriticalAddonsOnly=true:NoSchedule'
- ]
- osDiskSizeGB: 128
- osType: 'Linux'
- scaleSetEvictionPolicy: 'Delete'
- scaleSetPriority: 'Regular'
- storageProfile: 'ManagedDisks'
- type: 'VirtualMachineScaleSets'
- vmSize: 'Standard_DS2_v2'
- }
- ]
- networkPlugin: 'azure'
- skuTier: 'Standard'
- dnsServiceIP: '10.10.200.10'
- serviceCidr: '10.10.200.0/24'
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- privateDNSZone: nestedDependencies.outputs.privateDnsZoneResourceId
- managedIdentities: {
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
diff --git a/modules/container-service/managed-cluster/version.json b/modules/container-service/managed-cluster/version.json
deleted file mode 100644
index 04a0dd1a80..0000000000
--- a/modules/container-service/managed-cluster/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.5",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/data-factory/factory/MOVED-TO-AVM.md b/modules/data-factory/factory/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/data-factory/factory/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/data-factory/factory/README.md b/modules/data-factory/factory/README.md
index dd236c95ca..9f746c1358 100644
--- a/modules/data-factory/factory/README.md
+++ b/modules/data-factory/factory/README.md
@@ -1,1383 +1,7 @@
-# Data Factories `[Microsoft.DataFactory/factories]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/data-factory/factory](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/data-factory/factory).** -This module deploys a Data Factory. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/data-factory/factory). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.DataFactory/factories` | [2018-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DataFactory/2018-06-01/factories) | -| `Microsoft.DataFactory/factories/integrationRuntimes` | [2018-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DataFactory/2018-06-01/factories/integrationRuntimes) | -| `Microsoft.DataFactory/factories/managedVirtualNetworks` | [2018-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DataFactory/2018-06-01/factories/managedVirtualNetworks) | -| `Microsoft.DataFactory/factories/managedVirtualNetworks/managedPrivateEndpoints` | 
[2018-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DataFactory/2018-06-01/factories/managedVirtualNetworks/managedPrivateEndpoints) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/data-factory.factory:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dffmin' - params: { - // Required parameters - name: 'dffmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dffmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dffmax' - params: { - // Required parameters - name: 'dffmax001' - // Non-required parameters - customerManagedKey: { - keyName: '' - keyVaultResourceId: '' - userAssignedIdentityResourceId: '' - } - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - gitConfigureLater: true - globalParameters: { - testParameter1: { - type: 'String' - value: 'testValue1' - } - } - integrationRuntimes: [ - { - managedVirtualNetworkName: 'default' - name: 'AutoResolveIntegrationRuntime' - type: 'Managed' - typeProperties: { - computeProperties: { - location: 'AutoResolve' - } - } - } - { - name: 'TestRuntime' - type: 'SelfHosted' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - managedPrivateEndpoints: [ - { - fqdns: [ - '' - ] - groupId: 'blob' - name: '' - privateLinkResourceId: '' - } - ] - managedVirtualNetworkName: 'default' - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - application: 'CARML' - 'hidden-title': 'This is visible in the resource name' - } - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dffmax001" - }, - // Non-required parameters - "customerManagedKey": { - "value": { - "keyName": "", - "keyVaultResourceId": "", - "userAssignedIdentityResourceId": "" - } - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "gitConfigureLater": { - "value": true - }, - "globalParameters": { - "value": { - "testParameter1": { - "type": "String", - "value": "testValue1" - } - } - }, - "integrationRuntimes": { - "value": [ - { - "managedVirtualNetworkName": "default", - "name": "AutoResolveIntegrationRuntime", - "type": "Managed", - "typeProperties": { - "computeProperties": { - "location": "AutoResolve" - } - } - }, - { - "name": "TestRuntime", - "type": "SelfHosted" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "managedPrivateEndpoints": { - "value": [ - { - "fqdns": [ - "" - ], - "groupId": "blob", - "name": "", - "privateLinkResourceId": "" - } - ] - }, - "managedVirtualNetworkName": { - "value": "default" - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "application": "CARML", - "hidden-title": "This is visible in the resource name" - } - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": 
"", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dffwaf' - params: { - // Required parameters - name: 'dffwaf001' - // Non-required parameters - customerManagedKey: { - keyName: '' - keyVaultResourceId: '' - userAssignedIdentityResourceId: '' - } - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - gitConfigureLater: true - globalParameters: { - testParameter1: { - type: 'String' - value: 'testValue1' - } - } - integrationRuntimes: [ - { - managedVirtualNetworkName: 'default' - name: 'AutoResolveIntegrationRuntime' - type: 'Managed' - typeProperties: { - computeProperties: { - location: 'AutoResolve' - } - } - } - { - name: 'TestRuntime' - type: 'SelfHosted' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - managedPrivateEndpoints: [ - { - fqdns: [ - '' - ] - groupId: 'blob' - name: '' - privateLinkResourceId: '' - } - ] - managedVirtualNetworkName: 'default' - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - application: 'CARML' - 'hidden-title': 'This is visible in the resource name' - } - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dffwaf001" - }, - // Non-required parameters - "customerManagedKey": { - "value": { - "keyName": "", - "keyVaultResourceId": "", - "userAssignedIdentityResourceId": "" - } - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "gitConfigureLater": { - "value": true - }, - "globalParameters": { - "value": { - "testParameter1": { - "type": "String", - "value": "testValue1" - } - } - }, - "integrationRuntimes": { - "value": [ - { - "managedVirtualNetworkName": "default", - "name": "AutoResolveIntegrationRuntime", - "type": "Managed", - "typeProperties": { - "computeProperties": { - "location": "AutoResolve" - } - } - }, - { - "name": "TestRuntime", - "type": "SelfHosted" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "managedPrivateEndpoints": { - "value": [ - { - "fqdns": [ - "" - ], - "groupId": "blob", - "name": "", - "privateLinkResourceId": "" - } - ] - }, - "managedVirtualNetworkName": { - "value": "default" - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "application": "CARML", - "hidden-title": "This is visible in the resource name" - } - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} 
-``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the Azure Factory to create. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`gitAccountName`](#parameter-gitaccountname) | string | The account name. | -| [`gitCollaborationBranch`](#parameter-gitcollaborationbranch) | string | The collaboration branch name. Default is 'main'. | -| [`gitConfigureLater`](#parameter-gitconfigurelater) | bool | Boolean to define whether or not to configure git during template deployment. | -| [`gitDisablePublish`](#parameter-gitdisablepublish) | bool | Disable manual publish operation in ADF studio to favor automated publish. | -| [`gitHostName`](#parameter-githostname) | string | The GitHub Enterprise Server host (prefixed with 'https://'). Only relevant for 'FactoryGitHubConfiguration'. | -| [`gitProjectName`](#parameter-gitprojectname) | string | The project name. Only relevant for 'FactoryVSTSConfiguration'. | -| [`gitRepositoryName`](#parameter-gitrepositoryname) | string | The repository name. | -| [`gitRepoType`](#parameter-gitrepotype) | string | Repository type - can be 'FactoryVSTSConfiguration' or 'FactoryGitHubConfiguration'. Default is 'FactoryVSTSConfiguration'. | -| [`gitRootFolder`](#parameter-gitrootfolder) | string | The root folder path name. Default is '/'. | -| [`globalParameters`](#parameter-globalparameters) | object | List of Global Parameters for the factory. 
| -| [`integrationRuntimes`](#parameter-integrationruntimes) | array | An array of objects for the configuration of an Integration Runtime. | -| [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`managedPrivateEndpoints`](#parameter-managedprivateendpoints) | array | An array of managed private endpoints objects created in the Data Factory managed virtual network. | -| [`managedVirtualNetworkName`](#parameter-managedvirtualnetworkname) | string | The name of the Managed Virtual Network. | -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `name` - -The name of the Azure Factory to create. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKey` - -The customer managed key definition. - -- Required: No -- Type: object - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. | -| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. 
| - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | -| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | - -### Parameter: `customerManagedKey.keyName` - -The name of the customer managed key to use for encryption. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKey.keyVaultResourceId` - -The resource ID of a key vault to reference a customer managed key for encryption from. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKey.keyVersion` - -The version of the customer managed key to reference for encryption. If not provided, using 'latest'. - -- Required: No -- Type: string - -### Parameter: `customerManagedKey.userAssignedIdentityResourceId` - -User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
- -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `gitAccountName` - -The account name. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `gitCollaborationBranch` - -The collaboration branch name. Default is 'main'. - -- Required: No -- Type: string -- Default: `'main'` - -### Parameter: `gitConfigureLater` - -Boolean to define whether or not to configure git during template deployment. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `gitDisablePublish` - -Disable manual publish operation in ADF studio to favor automated publish. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `gitHostName` - -The GitHub Enterprise Server host (prefixed with 'https://'). Only relevant for 'FactoryGitHubConfiguration'. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `gitProjectName` - -The project name. Only relevant for 'FactoryVSTSConfiguration'. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `gitRepositoryName` - -The repository name. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `gitRepoType` - -Repository type - can be 'FactoryVSTSConfiguration' or 'FactoryGitHubConfiguration'. Default is 'FactoryVSTSConfiguration'. - -- Required: No -- Type: string -- Default: `'FactoryVSTSConfiguration'` - -### Parameter: `gitRootFolder` - -The root folder path name. Default is '/'. - -- Required: No -- Type: string -- Default: `'/'` - -### Parameter: `globalParameters` - -List of Global Parameters for the factory. 
- -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `integrationRuntimes` - -An array of objects for the configuration of an Integration Runtime. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all Resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: No -- Type: array - -### Parameter: `managedPrivateEndpoints` - -An array of managed private endpoints objects created in the Data Factory managed virtual network. 
- -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `managedVirtualNetworkName` - -The name of the Managed Virtual Network. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `privateEndpoints` - -Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. 
| -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.subnetResourceId` - -Resource ID of the subnet where the endpoint needs to be created. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Application security groups in which the private endpoint IP configuration is included. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customDnsConfigs` - -Custom DNS configurations. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customNetworkInterfaceName` - -The custom name of the network interface attached to the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.enableTelemetry` - -Enable/Disable usage telemetry for module. - -- Required: No -- Type: bool - -### Parameter: `privateEndpoints.ipConfigurations` - -A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.location` - -The location to deploy the private endpoint to. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.lock` - -Specify the type of lock. 
- -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | -| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | - -### Parameter: `privateEndpoints.lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `privateEndpoints.lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` - -Manual PrivateLink Service Connections. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.name` - -The name of the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneGroupName` - -The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` - -The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `privateEndpoints.roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.conditionVersion` - -Version of the condition. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `privateEndpoints.service` - -The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.tags` - -Tags to be applied on all resources/resource groups in this deployment. - -- Required: No -- Type: object - -### Parameter: `publicNetworkAccess` - -Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The Name of the Azure Data Factory instance. | -| `resourceGroupName` | string | The name of the Resource Group with the Data factory. | -| `resourceId` | string | The Resource ID of the Data factory. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). 
- -| Reference | Type | -| :-- | :-- | -| `modules/network/private-endpoint` | Local reference | - -## Notes - -### Parameter Usage: `managedPrivateEndpoints` - -To use Managed Private Endpoints the following dependencies must be deployed: - -- The `managedVirtualNetworkName` property must be set to allow provisioning of a managed virtual network in Azure Data Factory. -- Destination private link resource must be created before and permissions allow requesting a private link connection to that resource. - -

- -Parameter JSON format - -```json -"managedPrivateEndpoints": { - "value": [ - { - "name": "mystorageaccount-managed-privateEndpoint", // Required: The managed private endpoint resource name - "groupId": "blob", // Required: The groupId to which the managed private endpoint is created - "fqdns": [ - "mystorageaccount.blob.core.windows.net" // Required: Fully qualified domain names - ], - "privateLinkResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/mystorageaccount" - // Required: The ARM resource ID of the resource to which the managed private endpoint is created. - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -managedPrivateEndpoints: [ - // Example showing all available fields - { - name: 'mystorageaccount-managed-privateEndpoint' // Required: The managed private endpoint resource name - groupId: 'blob' // Required: The groupId to which the managed private endpoint is created - fqdns: [ - 'mystorageaccount.blob.core.windows.net' // Required: Fully qualified domain names - ] - privateLinkResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/mystorageaccount' - } // Required: The ARM resource ID of the resource to which the managed private endpoint is created. -] -``` - -
-

+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/data-factory/factory/integration-runtime/README.md b/modules/data-factory/factory/integration-runtime/README.md
deleted file mode 100644
index 1db7d93a4e..0000000000
--- a/modules/data-factory/factory/integration-runtime/README.md
+++ /dev/null
@@ -1,138 +0,0 @@ -# Data Factory Integration RunTimes `[Microsoft.DataFactory/factories/integrationRuntimes]` - -This module deploys a Data Factory Managed or Self-Hosted Integration Runtime. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.DataFactory/factories/integrationRuntimes` | [2018-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DataFactory/2018-06-01/factories/integrationRuntimes) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the Integration Runtime. | -| [`type`](#parameter-type) | string | The type of Integration Runtime. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`dataFactoryName`](#parameter-datafactoryname) | string | The name of the parent Azure Data Factory. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`managedVirtualNetworkName`](#parameter-managedvirtualnetworkname) | string | The name of the Managed Virtual Network if using type "Managed" . | -| [`typeProperties`](#parameter-typeproperties) | object | Integration Runtime type properties. Required if type is "Managed". | - -### Parameter: `name` - -The name of the Integration Runtime. - -- Required: Yes -- Type: string - -### Parameter: `type` - -The type of Integration Runtime. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Managed' - 'SelfHosted' - ] - ``` - -### Parameter: `dataFactoryName` - -The name of the parent Azure Data Factory. 
Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `managedVirtualNetworkName` - -The name of the Managed Virtual Network if using type "Managed" . - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `typeProperties` - -Integration Runtime type properties. Required if type is "Managed". - -- Required: No -- Type: object -- Default: `{}` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the Integration Runtime. | -| `resourceGroupName` | string | The name of the Resource Group the Integration Runtime was created in. | -| `resourceId` | string | The resource ID of the Integration Runtime. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `typeProperties` - -

- -Parameter JSON format - -```json -"typeProperties": { - "value": { - "computeProperties": { - "location": "AutoResolve" - } - } -} -``` - -
- -Bicep format - -```bicep -typeProperties: { - computeProperties: { - location: 'AutoResolve' - } -} -``` - -
-

diff --git a/modules/data-factory/factory/integration-runtime/main.bicep b/modules/data-factory/factory/integration-runtime/main.bicep
deleted file mode 100644
index 2f92186588..0000000000
--- a/modules/data-factory/factory/integration-runtime/main.bicep
+++ /dev/null
@@ -1,67 +0,0 @@
-metadata name = 'Data Factory Integration RunTimes'
-metadata description = 'This module deploys a Data Factory Managed or Self-Hosted Integration Runtime.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Azure Data Factory. Required if the template is used in a standalone deployment.')
-param dataFactoryName string
-
-@description('Required. The name of the Integration Runtime.')
-param name string
-
-@allowed([
- 'Managed'
- 'SelfHosted'
-])
-@description('Required. The type of Integration Runtime.')
-param type string
-
-@description('Optional. The name of the Managed Virtual Network if using type "Managed" .')
-param managedVirtualNetworkName string = ''
-
-@description('Optional. Integration Runtime type properties. Required if type is "Managed".')
-param typeProperties object = {}
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-var managedVirtualNetworkVar = {
- referenceName: type == 'Managed' ? managedVirtualNetworkName : null
- type: type == 'Managed' ? 'ManagedVirtualNetworkReference' : null
-}
-
-resource dataFactory 'Microsoft.DataFactory/factories@2018-06-01' existing = {
- name: dataFactoryName
-}
-
-resource integrationRuntime 'Microsoft.DataFactory/factories/integrationRuntimes@2018-06-01' = {
- name: name
- parent: dataFactory
- properties: type == 'Managed' ? {
- type: type
- managedVirtualNetwork: managedVirtualNetworkVar
- typeProperties: typeProperties
- } : {
- type: type
- }
-}
-
-@description('The name of the Resource Group the Integration Runtime was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the Integration Runtime.')
-output name string = integrationRuntime.name
-
-@description('The resource ID of the Integration Runtime.')
-output resourceId string = integrationRuntime.id
diff --git a/modules/data-factory/factory/integration-runtime/main.json b/modules/data-factory/factory/integration-runtime/main.json
deleted file mode 100644
index 41d273d0e1..0000000000
--- a/modules/data-factory/factory/integration-runtime/main.json
+++ /dev/null
@@ -1,110 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10377382264693749693" - }, - "name": "Data Factory Integration RunTimes", - "description": "This module deploys a Data Factory Managed or Self-Hosted Integration Runtime.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "dataFactoryName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Azure Data Factory. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Integration Runtime." - } - }, - "type": { - "type": "string", - "allowedValues": [ - "Managed", - "SelfHosted" - ], - "metadata": { - "description": "Required. The type of Integration Runtime." - } - }, - "managedVirtualNetworkName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the Managed Virtual Network if using type \"Managed\" ." - } - }, - "typeProperties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Integration Runtime type properties. Required if type is \"Managed\"." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "managedVirtualNetworkVar": { - "referenceName": "[if(equals(parameters('type'), 'Managed'), parameters('managedVirtualNetworkName'), null())]", - "type": "[if(equals(parameters('type'), 'Managed'), 'ManagedVirtualNetworkReference', null())]" - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DataFactory/factories/integrationRuntimes", - "apiVersion": "2018-06-01", - "name": "[format('{0}/{1}', parameters('dataFactoryName'), parameters('name'))]", - "properties": "[if(equals(parameters('type'), 'Managed'), createObject('type', parameters('type'), 'managedVirtualNetwork', variables('managedVirtualNetworkVar'), 'typeProperties', parameters('typeProperties')), createObject('type', parameters('type')))]" - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the Integration Runtime was created in." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the Integration Runtime." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Integration Runtime." - }, - "value": "[resourceId('Microsoft.DataFactory/factories/integrationRuntimes', parameters('dataFactoryName'), parameters('name'))]" - } - } -} \ No newline at end of file 
diff --git a/modules/data-factory/factory/integration-runtime/version.json b/modules/data-factory/factory/integration-runtime/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/data-factory/factory/integration-runtime/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/data-factory/factory/main.bicep b/modules/data-factory/factory/main.bicep
deleted file mode 100644
index f0718db857..0000000000
--- a/modules/data-factory/factory/main.bicep
+++ /dev/null
@@ -1,430 +0,0 @@ -metadata name = 'Data Factories' -metadata description = 'This module deploys a Data Factory.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. The name of the Azure Factory to create.') -param name string - -@description('Optional. The name of the Managed Virtual Network.') -param managedVirtualNetworkName string = '' - -@description('Optional. An array of managed private endpoints objects created in the Data Factory managed virtual network.') -param managedPrivateEndpoints array = [] - -@description('Optional. An array of objects for the configuration of an Integration Runtime.') -param integrationRuntimes array = [] - -@description('Optional. Location for all Resources.') -param location string = resourceGroup().location - -@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.') -@allowed([ - '' - 'Enabled' - 'Disabled' -]) -param publicNetworkAccess string = '' - -@description('Optional. Boolean to define whether or not to configure git during template deployment.') -param gitConfigureLater bool = true - -@description('Optional. Repository type - can be \'FactoryVSTSConfiguration\' or \'FactoryGitHubConfiguration\'. Default is \'FactoryVSTSConfiguration\'.') -param gitRepoType string = 'FactoryVSTSConfiguration' - -@description('Optional. The account name.') -param gitAccountName string = '' - -@description('Optional. The project name. Only relevant for \'FactoryVSTSConfiguration\'.') -param gitProjectName string = '' - -@description('Optional. The repository name.') -param gitRepositoryName string = '' - -@description('Optional. The collaboration branch name. Default is \'main\'.') -param gitCollaborationBranch string = 'main' - -@description('Optional. 
Disable manual publish operation in ADF studio to favor automated publish.') -param gitDisablePublish bool = false - -@description('Optional. The root folder path name. Default is \'/\'.') -param gitRootFolder string = '/' - -@description('Optional. The GitHub Enterprise Server host (prefixed with \'https://\'). Only relevant for \'FactoryGitHubConfiguration\'.') -param gitHostName string = '' - -@description('Optional. List of Global Parameters for the factory.') -param globalParameters object = {} - -@description('Optional. The diagnostic settings of the service.') -param diagnosticSettings diagnosticSettingType - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. The managed identity definition for this resource.') -param managedIdentities managedIdentitiesType - -@description('Optional. Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') -param privateEndpoints privateEndpointType - -@description('Optional. The customer managed key definition.') -param customerManagedKey customerManagedKeyType - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. Tags of the resource.') -param tags object? - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } - -var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 
'UserAssigned' : null) - userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null -} : null - -var enableReferencedModulesTelemetry = false - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Data Factory Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) { - name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/')) - scope: resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4]) - - resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) { - name: customerManagedKey.?keyName ?? 'dummyKey' - } -} - -resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) { - name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 'dummyMsi', '/')) - scope: resourceGroup(split((customerManagedKey.?userAssignedIdentityResourceId ?? '//'), '/')[2], split((customerManagedKey.?userAssignedIdentityResourceId ?? 
'////'), '/')[4]) -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource dataFactory 'Microsoft.DataFactory/factories@2018-06-01' = { - name: name - location: location - tags: tags - identity: identity - properties: { - repoConfiguration: bool(gitConfigureLater) ? null : union({ - type: gitRepoType - hostName: gitHostName - accountName: gitAccountName - repositoryName: gitRepositoryName - collaborationBranch: gitCollaborationBranch - rootFolder: gitRootFolder - disablePublish: gitDisablePublish - }, (gitRepoType == 'FactoryVSTSConfiguration' ? { - projectName: gitProjectName - } : {}), {}) - globalParameters: !empty(globalParameters) ? globalParameters : null - publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null) - encryption: !empty(customerManagedKey) ? { - identity: !empty(customerManagedKey.?userAssignedIdentityResourceId) ? { - userAssignedIdentity: cMKUserAssignedIdentity.id - } : null - keyName: customerManagedKey!.keyName - keyVersion: !empty(customerManagedKey.?keyVersion ?? '') ? 
customerManagedKey!.keyVersion : last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/')) - vaultBaseUrl: cMKKeyVault.properties.vaultUri - } : null - } -} - -module dataFactory_managedVirtualNetwork 'managed-virtual-network/main.bicep' = if (!empty(managedVirtualNetworkName)) { - name: '${uniqueString(deployment().name, location)}-DataFactory-ManagedVNet' - params: { - name: managedVirtualNetworkName - dataFactoryName: dataFactory.name - managedPrivateEndpoints: managedPrivateEndpoints - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -} - -module dataFactory_integrationRuntimes 'integration-runtime/main.bicep' = [for (integrationRuntime, index) in integrationRuntimes: { - name: '${uniqueString(deployment().name, location)}-DataFactory-IntegrationRuntime-${index}' - params: { - dataFactoryName: dataFactory.name - name: integrationRuntime.name - type: integrationRuntime.type - managedVirtualNetworkName: contains(integrationRuntime, 'managedVirtualNetworkName') ? integrationRuntime.managedVirtualNetworkName : '' - typeProperties: contains(integrationRuntime, 'typeProperties') ? integrationRuntime.typeProperties : {} - enableDefaultTelemetry: enableReferencedModulesTelemetry - } - dependsOn: [ - dataFactory_managedVirtualNetwork - ] -}] - -resource dataFactory_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' - } - scope: dataFactory -} - -resource dataFactory_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { - name: diagnosticSetting.?name ?? 
'${name}-diagnosticSettings' - properties: { - storageAccountId: diagnosticSetting.?storageAccountResourceId - workspaceId: diagnosticSetting.?workspaceResourceId - eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId - eventHubName: diagnosticSetting.?eventHubName - metrics: diagnosticSetting.?metricCategories ?? [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - } - ] - logs: diagnosticSetting.?logCategoriesAndGroups ?? [ - { - categoryGroup: 'AllLogs' - enabled: true - } - ] - marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId - logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType - } - scope: dataFactory -}] - -resource dataFactory_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(dataFactory.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: dataFactory -}] - -module dataFactory_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? 
[]): { - name: '${uniqueString(deployment().name, location)}-dataFactory-PrivateEndpoint-${index}' - params: { - groupIds: [ - privateEndpoint.?service ?? 'dataFactory' - ] - name: privateEndpoint.?name ?? 'pep-${last(split(dataFactory.id, '/'))}-${privateEndpoint.?service ?? 'dataFactory'}-${index}' - serviceResourceId: dataFactory.id - subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry - location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: privateEndpoint.?lock ?? lock - privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName - privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds - roleAssignments: privateEndpoint.?roleAssignments - tags: privateEndpoint.?tags ?? tags - manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections - customDnsConfigs: privateEndpoint.?customDnsConfigs - ipConfigurations: privateEndpoint.?ipConfigurations - applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds - customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName - } -}] - -@description('The Name of the Azure Data Factory instance.') -output name string = dataFactory.name - -@description('The Resource ID of the Data factory.') -output resourceId string = dataFactory.id - -@description('The name of the Resource Group with the Data factory.') -output resourceGroupName string = resourceGroup().name - -@description('The principal ID of the system assigned identity.') -output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(dataFactory.identity, 'principalId') ? 
dataFactory.identity.principalId : '' - -@description('The location the resource was deployed into.') -output location string = dataFactory.location - -// =============== // -// Definitions // -// =============== // - -type managedIdentitiesType = { - @description('Optional. Enables system assigned managed identity on the resource.') - systemAssigned: bool? - - @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourceIds: string[]? -}? - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? - -type privateEndpointType = { - @description('Optional. 
The name of the private endpoint.') - name: string? - - @description('Optional. The location to deploy the private endpoint to.') - location: string? - - @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".') - service: string? - - @description('Required. Resource ID of the subnet where the endpoint needs to be created.') - subnetResourceId: string - - @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.') - privateDnsZoneGroupName: string? - - @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.') - privateDnsZoneResourceIds: string[]? - - @description('Optional. Custom DNS configurations.') - customDnsConfigs: { - @description('Required. Fqdn that resolves to private endpoint ip address.') - fqdn: string? - - @description('Required. A list of private ip addresses of the private endpoint.') - ipAddresses: string[] - }[]? - - @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') - ipConfigurations: { - @description('Required. The name of the resource that is unique within a resource group.') - name: string - - @description('Required. Properties of private endpoint IP configurations.') - properties: { - @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') - groupId: string - - @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') - memberName: string - - @description('Required. A private ip address obtained from the private endpoint\'s subnet.') - privateIPAddress: string - } - }[]? - - @description('Optional. 
Application security groups in which the private endpoint IP configuration is included.') - applicationSecurityGroupResourceIds: string[]? - - @description('Optional. The custom name of the network interface attached to the private endpoint.') - customNetworkInterfaceName: string? - - @description('Optional. Specify the type of lock.') - lock: lockType - - @description('Optional. Array of role assignments to create.') - roleAssignments: roleAssignmentType - - @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') - tags: object? - - @description('Optional. Manual PrivateLink Service Connections.') - manualPrivateLinkServiceConnections: array? - - @description('Optional. Enable/Disable usage telemetry for module.') - enableTelemetry: bool? -}[]? - -type diagnosticSettingType = { - @description('Optional. The name of diagnostic setting.') - name: string? - - @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') - logCategoriesAndGroups: { - @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') - category: string? - - @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') - categoryGroup: string? - }[]? - - @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') - metricCategories: { - @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') - category: string - }[]? - - @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? - - @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - workspaceResourceId: string? - - @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - storageAccountResourceId: string? - - @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') - eventHubAuthorizationRuleResourceId: string? - - @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - eventHubName: string? - - @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') - marketplacePartnerResourceId: string? -}[]? - -type customerManagedKeyType = { - @description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.') - keyVaultResourceId: string - - @description('Required. The name of the customer managed key to use for encryption.') - keyName: string - - @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.') - keyVersion: string? - - @description('Optional. User assigned identity to use when fetching the customer managed key. 
Required if no system assigned identity is available for use.') - userAssignedIdentityResourceId: string? -}? diff --git a/modules/data-factory/factory/main.json b/modules/data-factory/factory/main.json deleted file mode 100644 index 2c237602dc..0000000000 --- a/modules/data-factory/factory/main.json +++ /dev/null 
@@ -1,1811 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13040115678809105758" - }, - "name": "Data Factories", - "description": "This module deploys a Data Factory.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." 
- } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. 
Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - }, - "customerManagedKeyType": { - "type": "object", - "properties": { - "keyVaultResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." - } - }, - "keyName": { - "type": "string", - "metadata": { - "description": "Required. The name of the customer managed key to use for encryption." - } - }, - "keyVersion": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." - } - }, - "userAssignedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use." 
- } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Azure Factory to create." - } - }, - "managedVirtualNetworkName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the Managed Virtual Network." - } - }, - "managedPrivateEndpoints": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An array of managed private endpoints objects created in the Data Factory managed virtual network." - } - }, - "integrationRuntimes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An array of objects for the configuration of an Integration Runtime." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set." - } - }, - "gitConfigureLater": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Boolean to define whether or not to configure git during template deployment." - } - }, - "gitRepoType": { - "type": "string", - "defaultValue": "FactoryVSTSConfiguration", - "metadata": { - "description": "Optional. Repository type - can be 'FactoryVSTSConfiguration' or 'FactoryGitHubConfiguration'. Default is 'FactoryVSTSConfiguration'." - } - }, - "gitAccountName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The account name." 
- } - }, - "gitProjectName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The project name. Only relevant for 'FactoryVSTSConfiguration'." - } - }, - "gitRepositoryName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The repository name." - } - }, - "gitCollaborationBranch": { - "type": "string", - "defaultValue": "main", - "metadata": { - "description": "Optional. The collaboration branch name. Default is 'main'." - } - }, - "gitDisablePublish": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Disable manual publish operation in ADF studio to favor automated publish." - } - }, - "gitRootFolder": { - "type": "string", - "defaultValue": "/", - "metadata": { - "description": "Optional. The root folder path name. Default is '/'." - } - }, - "gitHostName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The GitHub Enterprise Server host (prefixed with 'https://'). Only relevant for 'FactoryGitHubConfiguration'." - } - }, - "globalParameters": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. List of Global Parameters for the factory." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." 
- } - }, - "customerManagedKey": { - "$ref": "#/definitions/customerManagedKeyType", - "metadata": { - "description": "Optional. The customer managed key definition." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Data Factory Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5')]", - "Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "cMKKeyVault::cMKKey": { - "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults/keys", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", - "dependsOn": [ - "cMKKeyVault" - ] - }, - "cMKKeyVault": { - "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" - }, - 
"cMKUserAssignedIdentity": { - "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')))]", - "existing": true, - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2023-01-31", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "dataFactory": { - "type": "Microsoft.DataFactory/factories", - "apiVersion": "2018-06-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "properties": { - "repoConfiguration": "[if(bool(parameters('gitConfigureLater')), null(), union(createObject('type', parameters('gitRepoType'), 'hostName', parameters('gitHostName'), 'accountName', parameters('gitAccountName'), 'repositoryName', parameters('gitRepositoryName'), 'collaborationBranch', parameters('gitCollaborationBranch'), 'rootFolder', parameters('gitRootFolder'), 'disablePublish', parameters('gitDisablePublish')), if(equals(parameters('gitRepoType'), 'FactoryVSTSConfiguration'), createObject('projectName', parameters('gitProjectName')), createObject()), createObject()))]", - 
"globalParameters": "[if(not(empty(parameters('globalParameters'))), parameters('globalParameters'), null())]", - "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), if(not(empty(parameters('privateEndpoints'))), 'Disabled', null()))]", - "encryption": "[if(not(empty(parameters('customerManagedKey'))), createObject('identity', if(not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'))), createObject('userAssignedIdentity', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/')))), null()), 'keyName', parameters('customerManagedKey').keyName, 'keyVersion', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), parameters('customerManagedKey').keyVersion, last(split(reference('cMKKeyVault::cMKKey').keyUriWithVersion, '/'))), 'vaultBaseUrl', reference('cMKKeyVault').vaultUri), null())]" - }, - "dependsOn": [ - "cMKKeyVault", - "cMKUserAssignedIdentity" - ] - }, - "dataFactory_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.DataFactory/factories/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child 
resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "dataFactory" - ] - }, - "dataFactory_diagnosticSettings": { - "copy": { - "name": "dataFactory_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.DataFactory/factories/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "dataFactory" - ] - }, - "dataFactory_roleAssignments": { - "copy": { - 
"name": "dataFactory_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.DataFactory/factories/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.DataFactory/factories', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "dataFactory" - ] - }, - "dataFactory_managedVirtualNetwork": { - "condition": "[not(empty(parameters('managedVirtualNetworkName')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DataFactory-ManagedVNet', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('managedVirtualNetworkName')]" - }, - "dataFactoryName": { - "value": "[parameters('name')]" - }, - "managedPrivateEndpoints": { - "value": "[parameters('managedPrivateEndpoints')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "7086724603457879213" - }, - "name": "Data Factory Managed Virtual Networks", - "description": "This module deploys a Data Factory Managed Virtual Network.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "dataFactoryName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Azure Data Factory. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Managed Virtual Network." - } - }, - "managedPrivateEndpoints": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An array of managed private endpoints objects created in the Data Factory managed virtual network." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DataFactory/factories/managedVirtualNetworks", - "apiVersion": "2018-06-01", - "name": "[format('{0}/{1}', parameters('dataFactoryName'), parameters('name'))]", - "properties": {} - }, - { - "copy": { - "name": "managedVirtualNetwork_managedPrivateEndpoint", - "count": "[length(parameters('managedPrivateEndpoints'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-managedPrivateEndpoint-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "dataFactoryName": { - "value": "[parameters('dataFactoryName')]" - }, - "managedVirtualNetworkName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('managedPrivateEndpoints')[copyIndex()].name]" - }, - "fqdns": { - "value": "[parameters('managedPrivateEndpoints')[copyIndex()].fqdns]" - }, - "groupId": { - "value": "[parameters('managedPrivateEndpoints')[copyIndex()].groupId]" - }, - "privateLinkResourceId": { - "value": "[parameters('managedPrivateEndpoints')[copyIndex()].privateLinkResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" 
- } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6951739479886220769" - }, - "name": "Data Factory Managed Virtual Network Managed PrivateEndpoints", - "description": "This module deploys a Data Factory Managed Virtual Network Managed Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "dataFactoryName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent data factory. Required if the template is used in a standalone deployment." - } - }, - "managedVirtualNetworkName": { - "type": "string", - "metadata": { - "description": "Required. The name of the parent managed virtual network." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The managed private endpoint resource name." - } - }, - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The groupId to which the managed private endpoint is created." - } - }, - "fqdns": { - "type": "array", - "metadata": { - "description": "Required. Fully qualified domain names." - } - }, - "privateLinkResourceId": { - "type": "string", - "metadata": { - "description": "Required. The ARM resource ID of the resource to which the managed private endpoint is created." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DataFactory/factories/managedVirtualNetworks/managedPrivateEndpoints", - "apiVersion": "2018-06-01", - "name": "[format('{0}/{1}/{2}', parameters('dataFactoryName'), parameters('managedVirtualNetworkName'), parameters('name'))]", - "properties": { - "fqdns": "[parameters('fqdns')]", - "groupId": "[parameters('groupId')]", - "privateLinkResourceId": "[parameters('privateLinkResourceId')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed managed private endpoint." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed managed private endpoint." - }, - "value": "[resourceId('Microsoft.DataFactory/factories/managedVirtualNetworks/managedPrivateEndpoints', parameters('dataFactoryName'), parameters('managedVirtualNetworkName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed managed private endpoint." - }, - "value": "[resourceGroup().name]" - } - } - } - } - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the Managed Virtual Network was created in." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the Managed Virtual Network." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Managed Virtual Network." - }, - "value": "[resourceId('Microsoft.DataFactory/factories/managedVirtualNetworks', parameters('dataFactoryName'), parameters('name'))]" - } - } - } - }, - "dependsOn": [ - "dataFactory" - ] - }, - "dataFactory_integrationRuntimes": { - "copy": { - "name": "dataFactory_integrationRuntimes", - "count": "[length(parameters('integrationRuntimes'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DataFactory-IntegrationRuntime-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "dataFactoryName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('integrationRuntimes')[copyIndex()].name]" - }, - "type": { - "value": "[parameters('integrationRuntimes')[copyIndex()].type]" - }, - "managedVirtualNetworkName": "[if(contains(parameters('integrationRuntimes')[copyIndex()], 'managedVirtualNetworkName'), createObject('value', parameters('integrationRuntimes')[copyIndex()].managedVirtualNetworkName), createObject('value', ''))]", - "typeProperties": "[if(contains(parameters('integrationRuntimes')[copyIndex()], 'typeProperties'), createObject('value', parameters('integrationRuntimes')[copyIndex()].typeProperties), createObject('value', createObject()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10377382264693749693" - }, - "name": "Data Factory Integration RunTimes", - "description": 
"This module deploys a Data Factory Managed or Self-Hosted Integration Runtime.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "dataFactoryName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Azure Data Factory. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Integration Runtime." - } - }, - "type": { - "type": "string", - "allowedValues": [ - "Managed", - "SelfHosted" - ], - "metadata": { - "description": "Required. The type of Integration Runtime." - } - }, - "managedVirtualNetworkName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the Managed Virtual Network if using type \"Managed\" ." - } - }, - "typeProperties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Integration Runtime type properties. Required if type is \"Managed\"." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "managedVirtualNetworkVar": { - "referenceName": "[if(equals(parameters('type'), 'Managed'), parameters('managedVirtualNetworkName'), null())]", - "type": "[if(equals(parameters('type'), 'Managed'), 'ManagedVirtualNetworkReference', null())]" - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DataFactory/factories/integrationRuntimes", - "apiVersion": "2018-06-01", - "name": "[format('{0}/{1}', parameters('dataFactoryName'), parameters('name'))]", - "properties": "[if(equals(parameters('type'), 'Managed'), createObject('type', parameters('type'), 'managedVirtualNetwork', variables('managedVirtualNetworkVar'), 'typeProperties', parameters('typeProperties')), createObject('type', parameters('type')))]" - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the Integration Runtime was created in." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the Integration Runtime." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Integration Runtime." 
- }, - "value": "[resourceId('Microsoft.DataFactory/factories/integrationRuntimes', parameters('dataFactoryName'), parameters('name'))]" - } - } - } - }, - "dependsOn": [ - "dataFactory", - "dataFactory_managedVirtualNetwork" - ] - }, - "dataFactory_privateEndpoints": { - "copy": { - "name": "dataFactory_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-dataFactory-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'dataFactory')]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.DataFactory/factories', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'dataFactory'), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.DataFactory/factories', parameters('name'))]" - }, - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - 
"lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": 
{ - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. 
Specify the type of lock." - } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." 
- } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private 
DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - 
"groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": 
"Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": 
"string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "dataFactory" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The Name of the Azure Data Factory instance." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The Resource ID of the Data factory." - }, - "value": "[resourceId('Microsoft.DataFactory/factories', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group with the Data factory." 
- }, - "value": "[resourceGroup().name]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('dataFactory', '2018-06-01', 'full').identity, 'principalId')), reference('dataFactory', '2018-06-01', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('dataFactory', '2018-06-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/data-factory/factory/managed-virtual-network/README.md b/modules/data-factory/factory/managed-virtual-network/README.md deleted file mode 100644 index a22063ff97..0000000000 --- a/modules/data-factory/factory/managed-virtual-network/README.md +++ /dev/null 
@@ -1,133 +0,0 @@ -# Data Factory Managed Virtual Networks `[Microsoft.DataFactory/factories/managedVirtualNetworks]` - -This module deploys a Data Factory Managed Virtual Network. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.DataFactory/factories/managedVirtualNetworks` | [2018-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DataFactory/2018-06-01/factories/managedVirtualNetworks) | -| `Microsoft.DataFactory/factories/managedVirtualNetworks/managedPrivateEndpoints` | [2018-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DataFactory/2018-06-01/factories/managedVirtualNetworks/managedPrivateEndpoints) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the Managed Virtual Network. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`dataFactoryName`](#parameter-datafactoryname) | string | The name of the parent Azure Data Factory. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`managedPrivateEndpoints`](#parameter-managedprivateendpoints) | array | An array of managed private endpoints objects created in the Data Factory managed virtual network. | - -### Parameter: `name` - -The name of the Managed Virtual Network. - -- Required: Yes -- Type: string - -### Parameter: `dataFactoryName` - -The name of the parent Azure Data Factory. Required if the template is used in a standalone deployment. 
- -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `managedPrivateEndpoints` - -An array of managed private endpoints objects created in the Data Factory managed virtual network. - -- Required: No -- Type: array -- Default: `[]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the Managed Virtual Network. | -| `resourceGroupName` | string | The name of the Resource Group the Managed Virtual Network was created in. | -| `resourceId` | string | The resource ID of the Managed Virtual Network. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `managedPrivateEndpoints` - -To use Managed Private Endpoints the following dependencies must be deployed: - -- Destination private link resource must be created before and permissions allow requesting a private link connection to that resource. - -

- -Parameter JSON format - -```json -"managedPrivateEndpoints": { - "value": [ - { - "name": "mystorageaccount-managed-privateEndpoint", // Required: The managed private endpoint resource name - "groupId": "blob", // Required: The groupId to which the managed private endpoint is created - "fqdns": [ - "mystorageaccount.blob.core.windows.net" // Required: Fully qualified domain names - ], - "privateLinkResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/mystorageaccount" - // Required: The ARM resource ID of the resource to which the managed private endpoint is created. - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -managedPrivateEndpoints: [ - // Example showing all available fields - { - name: 'mystorageaccount-managed-privateEndpoint' // Required: The managed private endpoint resource name - groupId: 'blob' // Required: The groupId to which the managed private endpoint is created - fqdns: [ - 'mystorageaccount.blob.core.windows.net' // Required: Fully qualified domain names - ] - privateLinkResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/mystorageaccount' - } // Required: The ARM resource ID of the resource to which the managed private endpoint is created. -] -``` - -
-

diff --git a/modules/data-factory/factory/managed-virtual-network/main.bicep b/modules/data-factory/factory/managed-virtual-network/main.bicep
deleted file mode 100644
index 61e71c1ea7..0000000000
--- a/modules/data-factory/factory/managed-virtual-network/main.bicep
+++ /dev/null
@@ -1,61 +0,0 @@
-metadata name = 'Data Factory Managed Virtual Networks'
-metadata description = 'This module deploys a Data Factory Managed Virtual Network.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Azure Data Factory. Required if the template is used in a standalone deployment.')
-param dataFactoryName string
-
-@description('Required. The name of the Managed Virtual Network.')
-param name string
-
-@description('Optional. An array of managed private endpoints objects created in the Data Factory managed virtual network.')
-param managedPrivateEndpoints array = []
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource dataFactory 'Microsoft.DataFactory/factories@2018-06-01' existing = {
- name: dataFactoryName
-}
-
-resource managedVirtualNetwork 'Microsoft.DataFactory/factories/managedVirtualNetworks@2018-06-01' = {
- name: name
- parent: dataFactory
- properties: {}
-}
-
-module managedVirtualNetwork_managedPrivateEndpoint 'managed-private-endpoint/main.bicep' = [for (managedPrivateEndpoint, index) in managedPrivateEndpoints: {
- name: '${deployment().name}-managedPrivateEndpoint-${index}'
- params: {
- dataFactoryName: dataFactoryName
- managedVirtualNetworkName: name
- name: managedPrivateEndpoint.name
- fqdns: managedPrivateEndpoint.fqdns
- groupId: managedPrivateEndpoint.groupId
- privateLinkResourceId: managedPrivateEndpoint.privateLinkResourceId
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-@description('The name of the Resource Group the Managed Virtual Network was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the Managed Virtual Network.')
-output name string = managedVirtualNetwork.name
-
-@description('The resource ID of the Managed Virtual Network.')
-output resourceId string = managedVirtualNetwork.id
diff --git a/modules/data-factory/factory/managed-virtual-network/main.json b/modules/data-factory/factory/managed-virtual-network/main.json
deleted file mode 100644
index cc3de35985..0000000000
--- a/modules/data-factory/factory/managed-virtual-network/main.json
+++ /dev/null
@@ -1,236 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "7086724603457879213" - }, - "name": "Data Factory Managed Virtual Networks", - "description": "This module deploys a Data Factory Managed Virtual Network.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "dataFactoryName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Azure Data Factory. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Managed Virtual Network." - } - }, - "managedPrivateEndpoints": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An array of managed private endpoints objects created in the Data Factory managed virtual network." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DataFactory/factories/managedVirtualNetworks", - "apiVersion": "2018-06-01", - "name": "[format('{0}/{1}', parameters('dataFactoryName'), parameters('name'))]", - "properties": {} - }, - { - "copy": { - "name": "managedVirtualNetwork_managedPrivateEndpoint", - "count": "[length(parameters('managedPrivateEndpoints'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-managedPrivateEndpoint-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "dataFactoryName": { - "value": "[parameters('dataFactoryName')]" - }, - "managedVirtualNetworkName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('managedPrivateEndpoints')[copyIndex()].name]" - }, - "fqdns": { - "value": "[parameters('managedPrivateEndpoints')[copyIndex()].fqdns]" - }, - "groupId": { - "value": "[parameters('managedPrivateEndpoints')[copyIndex()].groupId]" - }, - "privateLinkResourceId": { - "value": "[parameters('managedPrivateEndpoints')[copyIndex()].privateLinkResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": 
{ - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6951739479886220769" - }, - "name": "Data Factory Managed Virtual Network Managed PrivateEndpoints", - "description": "This module deploys a Data Factory Managed Virtual Network Managed Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "dataFactoryName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent data factory. Required if the template is used in a standalone deployment." - } - }, - "managedVirtualNetworkName": { - "type": "string", - "metadata": { - "description": "Required. The name of the parent managed virtual network." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The managed private endpoint resource name." - } - }, - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The groupId to which the managed private endpoint is created." - } - }, - "fqdns": { - "type": "array", - "metadata": { - "description": "Required. Fully qualified domain names." - } - }, - "privateLinkResourceId": { - "type": "string", - "metadata": { - "description": "Required. The ARM resource ID of the resource to which the managed private endpoint is created." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DataFactory/factories/managedVirtualNetworks/managedPrivateEndpoints", - "apiVersion": "2018-06-01", - "name": "[format('{0}/{1}/{2}', parameters('dataFactoryName'), parameters('managedVirtualNetworkName'), parameters('name'))]", - "properties": { - "fqdns": "[parameters('fqdns')]", - "groupId": "[parameters('groupId')]", - "privateLinkResourceId": "[parameters('privateLinkResourceId')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed managed private endpoint." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed managed private endpoint." - }, - "value": "[resourceId('Microsoft.DataFactory/factories/managedVirtualNetworks/managedPrivateEndpoints', parameters('dataFactoryName'), parameters('managedVirtualNetworkName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed managed private endpoint." - }, - "value": "[resourceGroup().name]" - } - } - } - } - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the Managed Virtual Network was created in." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the Managed Virtual Network." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Managed Virtual Network." - }, - "value": "[resourceId('Microsoft.DataFactory/factories/managedVirtualNetworks', parameters('dataFactoryName'), parameters('name'))]" - } - } -} \ No newline at end of file diff --git a/modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/README.md b/modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/README.md deleted file mode 100644 index dbffcad961..0000000000 --- a/modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/README.md +++ /dev/null 
@@ -1,103 +0,0 @@
-# Data Factory Managed Virtual Network Managed PrivateEndpoints `[Microsoft.DataFactory/factories/managedVirtualNetworks/managedPrivateEndpoints]`
-
-This module deploys a Data Factory Managed Virtual Network Managed Private Endpoint.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.DataFactory/factories/managedVirtualNetworks/managedPrivateEndpoints` | [2018-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DataFactory/2018-06-01/factories/managedVirtualNetworks/managedPrivateEndpoints) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`fqdns`](#parameter-fqdns) | array | Fully qualified domain names. |
-| [`groupId`](#parameter-groupid) | string | The groupId to which the managed private endpoint is created. |
-| [`managedVirtualNetworkName`](#parameter-managedvirtualnetworkname) | string | The name of the parent managed virtual network. |
-| [`name`](#parameter-name) | string | The managed private endpoint resource name. |
-| [`privateLinkResourceId`](#parameter-privatelinkresourceid) | string | The ARM resource ID of the resource to which the managed private endpoint is created. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`dataFactoryName`](#parameter-datafactoryname) | string | The name of the parent data factory. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-
-### Parameter: `fqdns`
-
-Fully qualified domain names.
-
-- Required: Yes
-- Type: array
-
-### Parameter: `groupId`
-
-The groupId to which the managed private endpoint is created.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `managedVirtualNetworkName`
-
-The name of the parent managed virtual network.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `name`
-
-The managed private endpoint resource name.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `privateLinkResourceId`
-
-The ARM resource ID of the resource to which the managed private endpoint is created.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `dataFactoryName`
-
-The name of the parent data factory. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed managed private endpoint. |
-| `resourceGroupName` | string | The resource group of the deployed managed private endpoint. |
-| `resourceId` | string | The resource ID of the deployed managed private endpoint. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/main.bicep b/modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/main.bicep
deleted file mode 100644
index f3e0b958b9..0000000000
--- a/modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/main.bicep
+++ /dev/null
@@ -1,63 +0,0 @@
-metadata name = 'Data Factory Managed Virtual Network Managed PrivateEndpoints'
-metadata description = 'This module deploys a Data Factory Managed Virtual Network Managed Private Endpoint.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent data factory. Required if the template is used in a standalone deployment.')
-param dataFactoryName string
-
-@description('Required. The name of the parent managed virtual network.')
-param managedVirtualNetworkName string
-
-@description('Required. The managed private endpoint resource name.')
-param name string
-
-@description('Required. The groupId to which the managed private endpoint is created.')
-param groupId string
-
-@description('Required. Fully qualified domain names.')
-param fqdns array
-
-@description('Required. The ARM resource ID of the resource to which the managed private endpoint is created.')
-param privateLinkResourceId string
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource datafactory 'Microsoft.DataFactory/factories@2018-06-01' existing = {
- name: dataFactoryName
-
- resource managedVirtualNetwork 'managedVirtualNetworks@2018-06-01' existing = {
- name: managedVirtualNetworkName
- }
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource managedPrivateEndpoint 'Microsoft.DataFactory/factories/managedVirtualNetworks/managedPrivateEndpoints@2018-06-01' = {
- name: name
- parent: datafactory::managedVirtualNetwork
- properties: {
- fqdns: fqdns
- groupId: groupId
- privateLinkResourceId: privateLinkResourceId
- }
-}
-
-@description('The name of the deployed managed private endpoint.')
-output name string = managedPrivateEndpoint.name
-
-@description('The resource ID of the deployed managed private endpoint.')
-output resourceId string = managedPrivateEndpoint.id
-
-@description('The resource group of the deployed managed private endpoint.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/main.json b/modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/main.json
deleted file mode 100644
index 371ba2b3d2..0000000000
--- a/modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/main.json
+++ /dev/null
@@ -1,108 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6951739479886220769" - }, - "name": "Data Factory Managed Virtual Network Managed PrivateEndpoints", - "description": "This module deploys a Data Factory Managed Virtual Network Managed Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "dataFactoryName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent data factory. Required if the template is used in a standalone deployment." - } - }, - "managedVirtualNetworkName": { - "type": "string", - "metadata": { - "description": "Required. The name of the parent managed virtual network." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The managed private endpoint resource name." - } - }, - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The groupId to which the managed private endpoint is created." - } - }, - "fqdns": { - "type": "array", - "metadata": { - "description": "Required. Fully qualified domain names." - } - }, - "privateLinkResourceId": { - "type": "string", - "metadata": { - "description": "Required. The ARM resource ID of the resource to which the managed private endpoint is created." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DataFactory/factories/managedVirtualNetworks/managedPrivateEndpoints", - "apiVersion": "2018-06-01", - "name": "[format('{0}/{1}/{2}', parameters('dataFactoryName'), parameters('managedVirtualNetworkName'), parameters('name'))]", - "properties": { - "fqdns": "[parameters('fqdns')]", - "groupId": "[parameters('groupId')]", - "privateLinkResourceId": "[parameters('privateLinkResourceId')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed managed private endpoint." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed managed private endpoint." - }, - "value": "[resourceId('Microsoft.DataFactory/factories/managedVirtualNetworks/managedPrivateEndpoints', parameters('dataFactoryName'), parameters('managedVirtualNetworkName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed managed private endpoint." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/version.json b/modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/version.json deleted file mode 100644 index 96236a61ba..0000000000 
--- a/modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/data-factory/factory/managed-virtual-network/version.json b/modules/data-factory/factory/managed-virtual-network/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/data-factory/factory/managed-virtual-network/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/data-factory/factory/tests/e2e/defaults/main.test.bicep b/modules/data-factory/factory/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index f4ffda85f6..0000000000
--- a/modules/data-factory/factory/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-datafactory.factories-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dffmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/data-factory/factory/tests/e2e/max/dependencies.bicep b/modules/data-factory/factory/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index a6ab43ad7a..0000000000
--- a/modules/data-factory/factory/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,135 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.datafactory.azure.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetworkName}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: null
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-
- resource key 'keys@2022-07-01' = {
- name: 'encryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-}
-
-resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-KeyVault-Key-Read-RoleAssignment')
- scope: keyVault::key
- properties: {
- principalId: managedIdentity.properties.principalId
- // Key Vault Crypto User
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')
- principalType: 'ServicePrincipal'
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-08-01' = {
- name: storageAccountName
- location: location
- kind: 'StorageV2'
- sku: {
- name: 'Standard_LRS'
- }
- properties: {
- allowBlobPublicAccess: false
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
-
-@description('The URL of the created Key Vault.')
-output keyVaultUrl string = keyVault.properties.vaultUri
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The name of the created Key Vault Encryption Key.')
-output keyVaultEncryptionKeyName string = keyVault::key.name
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
-
-@description('The name of the created Storage Account.')
-output storageAccountName string = storageAccount.name
-
-@description('The Blob Endpoint of the created Storage Account.')
-output storageAccountBlobEndpoint string = storageAccount.properties.primaryEndpoints.blob
diff --git a/modules/data-factory/factory/tests/e2e/max/main.test.bicep b/modules/data-factory/factory/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 7134060c90..0000000000
--- a/modules/data-factory/factory/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,172 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-datafactory.factories-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dffmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- storageAccountName: 'dep${namePrefix}st${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- customerManagedKey: {
- keyName: nestedDependencies.outputs.keyVaultEncryptionKeyName
- keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- userAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId
- }
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- gitConfigureLater: true
- globalParameters: {
- testParameter1: {
- type: 'String'
- value: 'testValue1'
- }
- }
- integrationRuntimes: [
- {
- managedVirtualNetworkName: 'default'
- name: 'AutoResolveIntegrationRuntime'
- type: 'Managed'
- typeProperties: {
- computeProperties: {
- location: 'AutoResolve'
- }
- }
- }
-
- {
- name: 'TestRuntime'
- type: 'SelfHosted'
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- managedPrivateEndpoints: [
- {
- fqdns: [
- nestedDependencies.outputs.storageAccountBlobEndpoint
- ]
- groupId: 'blob'
- name: '${nestedDependencies.outputs.storageAccountName}-managed-privateEndpoint'
- privateLinkResourceId: nestedDependencies.outputs.storageAccountResourceId
- }
- ]
- managedVirtualNetworkName: 'default'
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- application: 'CARML'
- }
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/data-factory/factory/tests/e2e/waf-aligned/dependencies.bicep b/modules/data-factory/factory/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index a6ab43ad7a..0000000000
--- a/modules/data-factory/factory/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,135 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.datafactory.azure.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetworkName}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: null
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-
- resource key 'keys@2022-07-01' = {
- name: 'encryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-}
-
-resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-KeyVault-Key-Read-RoleAssignment')
- scope: keyVault::key
- properties: {
- principalId: managedIdentity.properties.principalId
- // Key Vault Crypto User
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')
- principalType: 'ServicePrincipal'
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-08-01' = {
- name: storageAccountName
- location: location
- kind: 'StorageV2'
- sku: {
- name: 'Standard_LRS'
- }
- properties: {
- allowBlobPublicAccess: false
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
-
-@description('The URL of the created Key Vault.')
-output keyVaultUrl string = keyVault.properties.vaultUri
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The name of the created Key Vault Encryption Key.')
-output keyVaultEncryptionKeyName string = keyVault::key.name
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
-
-@description('The name of the created Storage Account.')
-output storageAccountName string = storageAccount.name
-
-@description('The Blob Endpoint of the created Storage Account.')
-output storageAccountBlobEndpoint string = storageAccount.properties.primaryEndpoints.blob
diff --git a/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep b/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 1a7cb59527..0000000000
--- a/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,155 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-datafactory.factories-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dffwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - storageAccountName: 'dep${namePrefix}st${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - 
logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - customerManagedKey: { - keyName: nestedDependencies.outputs.keyVaultEncryptionKeyName - keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - userAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId - } - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - gitConfigureLater: true - globalParameters: { - testParameter1: { - type: 'String' - value: 'testValue1' - } - } - integrationRuntimes: [ - { - managedVirtualNetworkName: 'default' - name: 'AutoResolveIntegrationRuntime' - type: 'Managed' - typeProperties: { - computeProperties: { - location: 'AutoResolve' - } - } - } - - { - name: 'TestRuntime' - type: 'SelfHosted' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedPrivateEndpoints: [ - { - fqdns: [ - nestedDependencies.outputs.storageAccountBlobEndpoint - ] - groupId: 'blob' - name: '${nestedDependencies.outputs.storageAccountName}-managed-privateEndpoint' - 
privateLinkResourceId: nestedDependencies.outputs.storageAccountResourceId - } - ] - managedVirtualNetworkName: 'default' - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - application: 'CARML' - } - } - ] - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/data-factory/factory/version.json b/modules/data-factory/factory/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/data-factory/factory/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/data-protection/backup-vault/MOVED-TO-AVM.md b/modules/data-protection/backup-vault/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/data-protection/backup-vault/MOVED-TO-AVM.md +++ /dev/null @@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/data-protection/backup-vault/README.md b/modules/data-protection/backup-vault/README.md index d250385d99..5a021dd769 100644 --- a/modules/data-protection/backup-vault/README.md +++ b/modules/data-protection/backup-vault/README.md @@ -1,971 +1,7 @@ -# Data Protection Backup Vaults `[Microsoft.DataProtection/backupVaults]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/data-protection/backup-vault](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/data-protection/backup-vault).** -This module deploys a Data Protection Backup Vault. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/data-protection/backup-vault). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.DataProtection/backupVaults` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DataProtection/backupVaults) | -| `Microsoft.DataProtection/backupVaults/backupPolicies` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DataProtection/backupVaults/backupPolicies) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. 
- ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/data-protection.backup-vault:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dpbvmin' - params: { - // Required parameters - name: 'dpbvmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dpbvmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dpbvmax' - params: { - // Required parameters - name: 'dpbvmax001' - // Non-required parameters - azureMonitorAlertSettingsAlertsForAllJobFailures: 'Disabled' - backupPolicies: [ - { - name: 'DefaultPolicy' - properties: { - datasourceTypes: [ - 'Microsoft.Compute/disks' - ] - objectType: 'BackupPolicy' - policyRules: [ - { - backupParameters: { - backupType: 'Incremental' - objectType: 'AzureBackupParams' - } - dataStore: { - dataStoreType: 'OperationalStore' - objectType: 'DataStoreInfoBase' - } - name: 'BackupDaily' - objectType: 'AzureBackupRule' - trigger: { - objectType: 'ScheduleBasedTriggerContext' - schedule: { - repeatingTimeIntervals: [ - 'R/2022-05-31T23:30:00+01:00/P1D' - ] - timeZone: 'W. Europe Standard Time' - } - taggingCriteria: [ - { - isDefault: true - taggingPriority: 99 - tagInfo: { - id: 'Default_' - tagName: 'Default' - } - } - ] - } - } - { - isDefault: true - lifecycles: [ - { - deleteAfter: { - duration: 'P7D' - objectType: 'AbsoluteDeleteOption' - } - sourceDataStore: { - dataStoreType: 'OperationalStore' - objectType: 'DataStoreInfoBase' - } - targetDataStoreCopySettings: [] - } - ] - name: 'Default' - objectType: 'AzureRetentionRule' - } - ] - } - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dpbvmax001" - }, - // Non-required parameters - "azureMonitorAlertSettingsAlertsForAllJobFailures": { - "value": "Disabled" - }, - "backupPolicies": { - "value": [ - { - "name": "DefaultPolicy", - "properties": { - "datasourceTypes": [ - "Microsoft.Compute/disks" - ], - "objectType": "BackupPolicy", - "policyRules": [ - { - "backupParameters": { - "backupType": "Incremental", - "objectType": "AzureBackupParams" - }, - "dataStore": { - "dataStoreType": "OperationalStore", - "objectType": "DataStoreInfoBase" - }, - "name": "BackupDaily", - "objectType": "AzureBackupRule", - "trigger": { - "objectType": "ScheduleBasedTriggerContext", - "schedule": { - "repeatingTimeIntervals": [ - "R/2022-05-31T23:30:00+01:00/P1D" - ], - "timeZone": "W. Europe Standard Time" - }, - "taggingCriteria": [ - { - "isDefault": true, - "taggingPriority": 99, - "tagInfo": { - "id": "Default_", - "tagName": "Default" - } - } - ] - } - }, - { - "isDefault": true, - "lifecycles": [ - { - "deleteAfter": { - "duration": "P7D", - "objectType": "AbsoluteDeleteOption" - }, - "sourceDataStore": { - "dataStoreType": "OperationalStore", - "objectType": "DataStoreInfoBase" - }, - "targetDataStoreCopySettings": [] - } - ], - "name": "Default", - "objectType": "AzureRetentionRule" - } - ] - } - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": 
"b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dpbvwaf' - params: { - // Required parameters - name: 'dpbvwaf001' - // Non-required parameters - azureMonitorAlertSettingsAlertsForAllJobFailures: 'Disabled' - backupPolicies: [ - { - name: 'DefaultPolicy' - properties: { - datasourceTypes: [ - 'Microsoft.Compute/disks' - ] - objectType: 'BackupPolicy' - policyRules: [ - { - backupParameters: { - backupType: 'Incremental' - objectType: 'AzureBackupParams' - } - dataStore: { - dataStoreType: 'OperationalStore' - objectType: 'DataStoreInfoBase' - } - name: 'BackupDaily' - objectType: 'AzureBackupRule' - trigger: { - objectType: 'ScheduleBasedTriggerContext' - schedule: { - repeatingTimeIntervals: [ - 'R/2022-05-31T23:30:00+01:00/P1D' - ] - timeZone: 'W. Europe Standard Time' - } - taggingCriteria: [ - { - isDefault: true - taggingPriority: 99 - tagInfo: { - id: 'Default_' - tagName: 'Default' - } - } - ] - } - } - { - isDefault: true - lifecycles: [ - { - deleteAfter: { - duration: 'P7D' - objectType: 'AbsoluteDeleteOption' - } - sourceDataStore: { - dataStoreType: 'OperationalStore' - objectType: 'DataStoreInfoBase' - } - targetDataStoreCopySettings: [] - } - ] - name: 'Default' - objectType: 'AzureRetentionRule' - } - ] - } - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dpbvwaf001" - }, - // Non-required parameters - "azureMonitorAlertSettingsAlertsForAllJobFailures": { - "value": "Disabled" - }, - "backupPolicies": { - "value": [ - { - "name": "DefaultPolicy", - "properties": { - "datasourceTypes": [ - "Microsoft.Compute/disks" - ], - "objectType": "BackupPolicy", - "policyRules": [ - { - "backupParameters": { - "backupType": "Incremental", - "objectType": "AzureBackupParams" - }, - "dataStore": { - "dataStoreType": "OperationalStore", - "objectType": "DataStoreInfoBase" - }, - "name": "BackupDaily", - "objectType": "AzureBackupRule", - "trigger": { - "objectType": "ScheduleBasedTriggerContext", - "schedule": { - "repeatingTimeIntervals": [ - "R/2022-05-31T23:30:00+01:00/P1D" - ], - "timeZone": "W. Europe Standard Time" - }, - "taggingCriteria": [ - { - "isDefault": true, - "taggingPriority": 99, - "tagInfo": { - "id": "Default_", - "tagName": "Default" - } - } - ] - } - }, - { - "isDefault": true, - "lifecycles": [ - { - "deleteAfter": { - "duration": "P7D", - "objectType": "AbsoluteDeleteOption" - }, - "sourceDataStore": { - "dataStoreType": "OperationalStore", - "objectType": "DataStoreInfoBase" - }, - "targetDataStoreCopySettings": [] - } - ], - "name": "Default", - "objectType": "AzureRetentionRule" - } - ] - } - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Backup Vault. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`azureMonitorAlertSettingsAlertsForAllJobFailures`](#parameter-azuremonitoralertsettingsalertsforalljobfailures) | string | Settings for Azure Monitor based alerts for job failures. | -| [`backupPolicies`](#parameter-backuppolicies) | array | List of all backup policies. | -| [`dataStoreType`](#parameter-datastoretype) | string | The datastore type to use. ArchiveStore does not support ZoneRedundancy. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`featureSettings`](#parameter-featuresettings) | object | Feature settings for the backup vault. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`securitySettings`](#parameter-securitysettings) | object | Security settings for the backup vault. | -| [`tags`](#parameter-tags) | object | Tags of the Recovery Service Vault resource. | -| [`type`](#parameter-type) | string | The vault redundancy level to use. | - -### Parameter: `name` - -Name of the Backup Vault. - -- Required: Yes -- Type: string - -### Parameter: `azureMonitorAlertSettingsAlertsForAllJobFailures` - -Settings for Azure Monitor based alerts for job failures. - -- Required: No -- Type: string -- Default: `'Enabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `backupPolicies` - -List of all backup policies. 
- -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `dataStoreType` - -The datastore type to use. ArchiveStore does not support ZoneRedundancy. - -- Required: No -- Type: string -- Default: `'VaultStore'` -- Allowed: - ```Bicep - [ - 'ArchiveStore' - 'OperationalStore' - 'VaultStore' - ] - ``` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `featureSettings` - -Feature settings for the backup vault. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `roleAssignments` - -Array of role assignments to create. 
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
- -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `securitySettings` - -Security settings for the backup vault. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `tags` - -Tags of the Recovery Service Vault resource. - -- Required: No -- Type: object - -### Parameter: `type` - -The vault redundancy level to use. - -- Required: No -- Type: string -- Default: `'GeoRedundant'` -- Allowed: - ```Bicep - [ - 'GeoRedundant' - 'LocallyRedundant' - 'ZoneRedundant' - ] - ``` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The Name of the backup vault. | -| `resourceGroupName` | string | The name of the resource group the recovery services vault was created in. | -| `resourceId` | string | The resource ID of the backup vault. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. 
| - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `backupPolicies` - -Create backup policies in the backupvault. - -

- -Parameter JSON format -```json - "backupPolicies": { - "value": [ - { - "name": "DefaultPolicy", - "properties": { - "policyRules": [ - { - "backupParameters": { - "backupType": "Incremental", - "objectType": "AzureBackupParams" - }, - "trigger": { - "schedule": { - "repeatingTimeIntervals": [ - "R/2022-05-31T23:30:00+01:00/P1D" - ], - "timeZone": "W. Europe Standard Time" - }, - "taggingCriteria": [ - { - "tagInfo": { - "tagName": "Default", - "id": "Default_" - }, - "taggingPriority": 99, - "isDefault": true - } - ], - "objectType": "ScheduleBasedTriggerContext" - }, - "dataStore": { - "dataStoreType": "OperationalStore", - "objectType": "DataStoreInfoBase" - }, - "name": "BackupDaily", - "objectType": "AzureBackupRule" - }, - { - "lifecycles": [ - { - "deleteAfter": { - "objectType": "AbsoluteDeleteOption", - "duration": "P7D" - }, - "targetDataStoreCopySettings": [], - "sourceDataStore": { - "dataStoreType": "OperationalStore", - "objectType": "DataStoreInfoBase" - } - } - ], - "isDefault": true, - "name": "Default", - "objectType": "AzureRetentionRule" - } - ], - "datasourceTypes": [ - "Microsoft.Compute/disks" - ], - "objectType": "BackupPolicy" - } - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -backupPolicies: [ - { - name: 'DefaultPolicy' - properties: { - policyRules: [ - { - backupParameters: { - backupType: 'Incremental' - objectType: 'AzureBackupParams' - } - trigger: { - schedule: { - repeatingTimeIntervals: [ - 'R/2022-05-31T23:30:00+01:00/P1D' - ] - timeZone: 'W. Europe Standard Time' - } - taggingCriteria: [ - { - tagInfo: { - tagName: 'Default' - id: 'Default_' - } - taggingPriority: 99 - isDefault: true - } - ] - objectType: 'ScheduleBasedTriggerContext' - } - dataStore: { - dataStoreType: 'OperationalStore' - objectType: 'DataStoreInfoBase' - } - name: 'BackupDaily' - objectType: 'AzureBackupRule' - } - { - lifecycles: [ - { - deleteAfter: { - objectType: 'AbsoluteDeleteOption' - duration: 'P7D' - } - targetDataStoreCopySettings: [] - sourceDataStore: { - dataStoreType: 'OperationalStore' - objectType: 'DataStoreInfoBase' - } - } - ] - isDefault: true - name: 'Default' - objectType: 'AzureRetentionRule' - } - ] - datasourceTypes: [ - 'Microsoft.Compute/disks' - ] - objectType: 'BackupPolicy' - } - } -] -``` - -
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/data-protection/backup-vault/backup-policy/README.md b/modules/data-protection/backup-vault/backup-policy/README.md
deleted file mode 100644
index 990af9e3de..0000000000
--- a/modules/data-protection/backup-vault/backup-policy/README.md
+++ /dev/null
@@ -1,217 +0,0 @@ -# Data Protection Backup Vault Backup Policies `[Microsoft.DataProtection/backupVaults/backupPolicies]` - -This module deploys a Data Protection Backup Vault Backup Policy. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.DataProtection/backupVaults/backupPolicies` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DataProtection/backupVaults/backupPolicies) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`backupVaultName`](#parameter-backupvaultname) | string | The name of the backup vault. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`name`](#parameter-name) | string | The name of the backup policy. | -| [`properties`](#parameter-properties) | object | The properties of the backup policy. | - -### Parameter: `backupVaultName` - -The name of the backup vault. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `name` - -The name of the backup policy. - -- Required: No -- Type: string -- Default: `'DefaultPolicy'` - -### Parameter: `properties` - -The properties of the backup policy. - -- Required: No -- Type: object -- Default: `{}` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the backup policy. | -| `resourceGroupName` | string | The name of the resource group the backup policy was created in. 
| -| `resourceId` | string | The resource ID of the backup policy. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `properties` - -Create a backup policy. - -
- -Parameter JSON format - -```json - "properties": { - "value": { - "policyRules": [ - { - "backupParameters": { - "backupType": "Incremental", - "objectType": "AzureBackupParams" - }, - "trigger": { - "schedule": { - "repeatingTimeIntervals": [ - "R/2022-05-31T23:30:00+01:00/P1D" - ], - "timeZone": "W. Europe Standard Time" - }, - "taggingCriteria": [ - { - "tagInfo": { - "tagName": "Default", - "id": "Default_" - }, - "taggingPriority": 99, - "isDefault": true - } - ], - "objectType": "ScheduleBasedTriggerContext" - }, - "dataStore": { - "dataStoreType": "OperationalStore", - "objectType": "DataStoreInfoBase" - }, - "name": "BackupDaily", - "objectType": "AzureBackupRule" - }, - { - "lifecycles": [ - { - "deleteAfter": { - "objectType": "AbsoluteDeleteOption", - "duration": "P7D" - }, - "targetDataStoreCopySettings": [], - "sourceDataStore": { - "dataStoreType": "OperationalStore", - "objectType": "DataStoreInfoBase" - } - } - ], - "isDefault": true, - "name": "Default", - "objectType": "AzureRetentionRule" - } - ], - "datasourceTypes": [ - "Microsoft.Compute/disks" - ], - "objectType": "BackupPolicy" - } -} -``` - -
- -
- -Bicep format - -```bicep -properties: { - policyRules: [ - { - backupParameters: { - backupType: 'Incremental' - objectType: 'AzureBackupParams' - } - trigger: { - schedule: { - repeatingTimeIntervals: [ - 'R/2022-05-31T23:30:00+01:00/P1D' - ] - timeZone: 'W. Europe Standard Time' - } - taggingCriteria: [ - { - tagInfo: { - tagName: 'Default' - id: 'Default_' - } - taggingPriority: 99 - isDefault: true - } - ] - objectType: 'ScheduleBasedTriggerContext' - } - dataStore: { - dataStoreType: 'OperationalStore' - objectType: 'DataStoreInfoBase' - } - name: 'BackupDaily' - objectType: 'AzureBackupRule' - } - { - lifecycles: [ - { - deleteAfter: { - objectType: 'AbsoluteDeleteOption' - duration: 'P7D' - } - targetDataStoreCopySettings: [] - sourceDataStore: { - dataStoreType: 'OperationalStore' - objectType: 'DataStoreInfoBase' - } - } - ] - isDefault: true - name: 'Default' - objectType: 'AzureRetentionRule' - } - ] - datasourceTypes: [ - 'Microsoft.Compute/disks' - ] - objectType: 'BackupPolicy' -} -``` - -
diff --git a/modules/data-protection/backup-vault/backup-policy/main.bicep b/modules/data-protection/backup-vault/backup-policy/main.bicep
deleted file mode 100644
index b3b28ca62a..0000000000
--- a/modules/data-protection/backup-vault/backup-policy/main.bicep
+++ /dev/null
@@ -1,46 +0,0 @@
-metadata name = 'Data Protection Backup Vault Backup Policies'
-metadata description = 'This module deploys a Data Protection Backup Vault Backup Policy.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the backup vault.')
-param backupVaultName string
-
-@description('Optional. The name of the backup policy.')
-param name string = 'DefaultPolicy'
-
-@description('Optional. The properties of the backup policy.')
-param properties object = {}
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource backupVault 'Microsoft.DataProtection/backupVaults@2023-05-01' existing = {
- name: backupVaultName
-}
-
-resource backupPolicy 'Microsoft.DataProtection/backupVaults/backupPolicies@2023-05-01' = {
- name: name
- parent: backupVault
- properties: properties
-}
-
-@description('The name of the backup policy.')
-output name string = backupPolicy.name
-
-@description('The resource ID of the backup policy.')
-output resourceId string = backupPolicy.id
-
-@description('The name of the resource group the backup policy was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/data-protection/backup-vault/backup-policy/main.json b/modules/data-protection/backup-vault/backup-policy/main.json
deleted file mode 100644
index f3a79705fc..0000000000
--- a/modules/data-protection/backup-vault/backup-policy/main.json
+++ /dev/null
@@ -1,88 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "3378438498887899064" - }, - "name": "Data Protection Backup Vault Backup Policies", - "description": "This module deploys a Data Protection Backup Vault Backup Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "backupVaultName": { - "type": "string", - "metadata": { - "description": "Required. The name of the backup vault." - } - }, - "name": { - "type": "string", - "defaultValue": "DefaultPolicy", - "metadata": { - "description": "Optional. The name of the backup policy." - } - }, - "properties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The properties of the backup policy." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DataProtection/backupVaults/backupPolicies", - "apiVersion": "2023-05-01", - "name": "[format('{0}/{1}', parameters('backupVaultName'), parameters('name'))]", - "properties": "[parameters('properties')]" - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the backup policy." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the backup policy." - }, - "value": "[resourceId('Microsoft.DataProtection/backupVaults/backupPolicies', parameters('backupVaultName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the backup policy was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/data-protection/backup-vault/backup-policy/version.json b/modules/data-protection/backup-vault/backup-policy/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/data-protection/backup-vault/backup-policy/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/data-protection/backup-vault/main.bicep b/modules/data-protection/backup-vault/main.bicep deleted file mode 100644 index f337814938..0000000000 --- a/modules/data-protection/backup-vault/main.bicep +++ /dev/null 
@@ -1,195 +0,0 @@ -metadata name = 'Data Protection Backup Vaults' -metadata description = 'This module deploys a Data Protection Backup Vault.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. Name of the Backup Vault.') -param name string - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. The managed identity definition for this resource.') -param managedIdentities managedIdentitiesType - -@description('Optional. Tags of the Recovery Service Vault resource.') -param tags object? - -@description('Optional. The datastore type to use. ArchiveStore does not support ZoneRedundancy.') -@allowed([ - 'ArchiveStore' - 'VaultStore' - 'OperationalStore' -]) -param dataStoreType string = 'VaultStore' - -@description('Optional. The vault redundancy level to use.') -@allowed([ - 'LocallyRedundant' - 'GeoRedundant' - 'ZoneRedundant' -]) -param type string = 'GeoRedundant' - -@allowed([ - 'Disabled' - 'Enabled' -]) -@description('Optional. Settings for Azure Monitor based alerts for job failures.') -param azureMonitorAlertSettingsAlertsForAllJobFailures string = 'Enabled' - -@description('Optional. List of all backup policies.') -param backupPolicies array = [] - -@description('Optional. Security settings for the backup vault.') -param securitySettings object = {} - -@description('Optional. Feature settings for the backup vault.') -param featureSettings object = {} - -var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? 
'SystemAssigned' : null -} : null - -var enableReferencedModulesTelemetry = false - -var builtInRoleNames = { - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - 'Backup Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a795c7a0-d4a2-40c1-ae25-d81f01202912') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource backupVault 'Microsoft.DataProtection/backupVaults@2023-05-01' = { - name: name - location: location - tags: tags - identity: identity - properties: { - monitoringSettings: { - azureMonitorAlertSettings: { - alertsForAllJobFailures: azureMonitorAlertSettingsAlertsForAllJobFailures - } - } - storageSettings: [ - { - type: type - datastoreType: dataStoreType - } - ] - featureSettings: featureSettings - securitySettings: securitySettings 
- } -} - -module backupVault_backupPolicies 'backup-policy/main.bicep' = [for (backupPolicy, index) in backupPolicies: { - name: '${uniqueString(deployment().name, location)}-BV-BackupPolicy-${index}' - params: { - backupVaultName: backupVault.name - name: backupPolicy.name - properties: backupPolicy.properties - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -resource backupVault_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' - } - scope: backupVault -} - -resource backupVault_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(backupVault.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? 
'2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: backupVault -}] - -@description('The resource ID of the backup vault.') -output resourceId string = backupVault.id - -@description('The name of the resource group the recovery services vault was created in.') -output resourceGroupName string = resourceGroup().name - -@description('The Name of the backup vault.') -output name string = backupVault.name - -@description('The principal ID of the system assigned identity.') -output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(backupVault.identity, 'principalId') ? backupVault.identity.principalId : '' - -@description('The location the resource was deployed into.') -output location string = backupVault.location - -// =============== // -// Definitions // -// =============== // - -type managedIdentitiesType = { - @description('Optional. Enables system assigned managed identity on the resource.') - systemAssigned: bool? -}? - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. 
The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? diff --git a/modules/data-protection/backup-vault/main.json b/modules/data-protection/backup-vault/main.json deleted file mode 100644 index 487583bb38..0000000000 --- a/modules/data-protection/backup-vault/main.json +++ /dev/null 
@@ -1,470 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11737453267233569722" - }, - "name": "Data Protection Backup Vaults", - "description": "This module deploys a Data Protection Backup Vault.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. 
The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Backup Vault." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." 
- } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the Recovery Service Vault resource." - } - }, - "dataStoreType": { - "type": "string", - "defaultValue": "VaultStore", - "allowedValues": [ - "ArchiveStore", - "VaultStore", - "OperationalStore" - ], - "metadata": { - "description": "Optional. The datastore type to use. ArchiveStore does not support ZoneRedundancy." - } - }, - "type": { - "type": "string", - "defaultValue": "GeoRedundant", - "allowedValues": [ - "LocallyRedundant", - "GeoRedundant", - "ZoneRedundant" - ], - "metadata": { - "description": "Optional. The vault redundancy level to use." - } - }, - "azureMonitorAlertSettingsAlertsForAllJobFailures": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Settings for Azure Monitor based alerts for job failures." - } - }, - "backupPolicies": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of all backup policies." - } - }, - "securitySettings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Security settings for the backup vault." - } - }, - "featureSettings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Feature settings for the backup vault." 
- } - } - }, - "variables": { - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', null())), null())]", - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Backup Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "backupVault": { - "type": "Microsoft.DataProtection/backupVaults", - "apiVersion": 
"2023-05-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "properties": { - "monitoringSettings": { - "azureMonitorAlertSettings": { - "alertsForAllJobFailures": "[parameters('azureMonitorAlertSettingsAlertsForAllJobFailures')]" - } - }, - "storageSettings": [ - { - "type": "[parameters('type')]", - "datastoreType": "[parameters('dataStoreType')]" - } - ], - "featureSettings": "[parameters('featureSettings')]", - "securitySettings": "[parameters('securitySettings')]" - } - }, - "backupVault_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.DataProtection/backupVaults/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "backupVault" - ] - }, - "backupVault_roleAssignments": { - "copy": { - "name": "backupVault_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.DataProtection/backupVaults/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.DataProtection/backupVaults', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": 
"[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "backupVault" - ] - }, - "backupVault_backupPolicies": { - "copy": { - "name": "backupVault_backupPolicies", - "count": "[length(parameters('backupPolicies'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-BV-BackupPolicy-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": 
"Incremental", - "parameters": { - "backupVaultName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('backupPolicies')[copyIndex()].name]" - }, - "properties": { - "value": "[parameters('backupPolicies')[copyIndex()].properties]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "3378438498887899064" - }, - "name": "Data Protection Backup Vault Backup Policies", - "description": "This module deploys a Data Protection Backup Vault Backup Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "backupVaultName": { - "type": "string", - "metadata": { - "description": "Required. The name of the backup vault." - } - }, - "name": { - "type": "string", - "defaultValue": "DefaultPolicy", - "metadata": { - "description": "Optional. The name of the backup policy." - } - }, - "properties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The properties of the backup policy." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DataProtection/backupVaults/backupPolicies", - "apiVersion": "2023-05-01", - "name": "[format('{0}/{1}', parameters('backupVaultName'), parameters('name'))]", - "properties": "[parameters('properties')]" - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the backup policy." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the backup policy." - }, - "value": "[resourceId('Microsoft.DataProtection/backupVaults/backupPolicies', parameters('backupVaultName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the backup policy was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "backupVault" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the backup vault." - }, - "value": "[resourceId('Microsoft.DataProtection/backupVaults', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the recovery services vault was created in." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The Name of the backup vault." 
- }, - "value": "[parameters('name')]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('backupVault', '2023-05-01', 'full').identity, 'principalId')), reference('backupVault', '2023-05-01', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('backupVault', '2023-05-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/data-protection/backup-vault/tests/e2e/defaults/main.test.bicep b/modules/data-protection/backup-vault/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index eb6dd485a2..0000000000 --- a/modules/data-protection/backup-vault/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-dataprotection.backupvaults-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dpbvmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/data-protection/backup-vault/tests/e2e/max/dependencies.bicep b/modules/data-protection/backup-vault/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 0f0755a6f4..0000000000
--- a/modules/data-protection/backup-vault/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,16 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
diff --git a/modules/data-protection/backup-vault/tests/e2e/max/main.test.bicep b/modules/data-protection/backup-vault/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 588b2e0c20..0000000000
--- a/modules/data-protection/backup-vault/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,149 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-dataprotection.backupvaults-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dpbvmax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - 
principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - azureMonitorAlertSettingsAlertsForAllJobFailures: 'Disabled' - managedIdentities: { - systemAssigned: true - } - backupPolicies: [ - { - name: 'DefaultPolicy' - properties: { - datasourceTypes: [ - 'Microsoft.Compute/disks' - ] - objectType: 'BackupPolicy' - policyRules: [ - { - backupParameters: { - backupType: 'Incremental' - objectType: 'AzureBackupParams' - } - dataStore: { - dataStoreType: 'OperationalStore' - objectType: 'DataStoreInfoBase' - } - name: 'BackupDaily' - objectType: 'AzureBackupRule' - trigger: { - objectType: 'ScheduleBasedTriggerContext' - schedule: { - repeatingTimeIntervals: [ - 'R/2022-05-31T23:30:00+01:00/P1D' - ] - timeZone: 'W. Europe Standard Time' - } - taggingCriteria: [ - { - isDefault: true - taggingPriority: 99 - tagInfo: { - id: 'Default_' - tagName: 'Default' - } - } - ] - } - } - { - isDefault: true - lifecycles: [ - { - deleteAfter: { - duration: 'P7D' - objectType: 'AbsoluteDeleteOption' - } - sourceDataStore: { - dataStoreType: 'OperationalStore' - objectType: 'DataStoreInfoBase' - } - targetDataStoreCopySettings: [] - } - ] - name: 'Default' - objectType: 'AzureRetentionRule' - } - ] - } - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] 
diff --git a/modules/data-protection/backup-vault/tests/e2e/waf-aligned/dependencies.bicep b/modules/data-protection/backup-vault/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 0f0755a6f4..0000000000
--- a/modules/data-protection/backup-vault/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,16 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
diff --git a/modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep b/modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 1bcb119964..0000000000
--- a/modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,132 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-dataprotection.backupvaults-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dpbvwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- azureMonitorAlertSettingsAlertsForAllJobFailures: 'Disabled'
- managedIdentities: {
- systemAssigned: true
- }
- backupPolicies: [
- {
- name: 'DefaultPolicy'
- properties: {
- datasourceTypes: [
- 'Microsoft.Compute/disks'
- ]
- objectType: 'BackupPolicy'
- policyRules: [
- {
- backupParameters: {
- backupType: 'Incremental'
- objectType: 'AzureBackupParams'
- }
- dataStore: {
- dataStoreType: 'OperationalStore'
- objectType: 'DataStoreInfoBase'
- }
- name: 'BackupDaily'
- objectType: 'AzureBackupRule'
- trigger: {
- objectType: 'ScheduleBasedTriggerContext'
- schedule: {
- repeatingTimeIntervals: [
- 'R/2022-05-31T23:30:00+01:00/P1D'
- ]
- timeZone: 'W. Europe Standard Time'
- }
- taggingCriteria: [
- {
- isDefault: true
- taggingPriority: 99
- tagInfo: {
- id: 'Default_'
- tagName: 'Default'
- }
- }
- ]
- }
- }
- {
- isDefault: true
- lifecycles: [
- {
- deleteAfter: {
- duration: 'P7D'
- objectType: 'AbsoluteDeleteOption'
- }
- sourceDataStore: {
- dataStoreType: 'OperationalStore'
- objectType: 'DataStoreInfoBase'
- }
- targetDataStoreCopySettings: []
- }
- ]
- name: 'Default'
- objectType: 'AzureRetentionRule'
- }
- ]
- }
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/data-protection/backup-vault/version.json b/modules/data-protection/backup-vault/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/data-protection/backup-vault/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/databricks/access-connector/MOVED-TO-AVM.md b/modules/databricks/access-connector/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/databricks/access-connector/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/databricks/access-connector/README.md b/modules/databricks/access-connector/README.md
index fd2adfea71..f28ed2a35b 100644
--- a/modules/databricks/access-connector/README.md
+++ b/modules/databricks/access-connector/README.md
@@ -1,511 +1,7 @@
-# Azure Databricks Access Connectors `[Microsoft.Databricks/accessConnectors]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/databricks/access-connector](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/databricks/access-connector).** -This module deploys an Azure Databricks Access Connector. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/databricks/access-connector). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Databricks/accessConnectors` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Databricks/2022-10-01-preview/accessConnectors) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
- ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/databricks.access-connector:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dacmin' - params: { - // Required parameters - name: 'dacmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dacmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dacmax' - params: { - // Required parameters - name: 'dacmax001' - // Non-required parameters - enableDefaultTelemetry: '' - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dacmax001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dacwaf' - params: { - // Required parameters - name: 'dacwaf001' - // Non-required parameters - enableDefaultTelemetry: '' - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dacwaf001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the Azure Databricks access connector to create. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `name` - -The name of the Azure Databricks access connector to create. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location for all Resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. 
- -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: No -- Type: array - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. 
| -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. 
- -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed access connector. | -| `resourceGroupName` | string | The resource group of the deployed access connector. | -| `resourceId` | string | The resource ID of the deployed access connector. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/databricks/access-connector/main.bicep b/modules/databricks/access-connector/main.bicep deleted file mode 100644 index 53ba92c2c2..0000000000 --- a/modules/databricks/access-connector/main.bicep +++ /dev/null 
@@ -1,140 +0,0 @@
-metadata name = 'Azure Databricks Access Connectors'
-metadata description = 'This module deploys an Azure Databricks Access Connector.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the Azure Databricks access connector to create.')
-param name string
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Location for all Resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-
-var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
- userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
-} : null
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource accessConnector 'Microsoft.Databricks/accessConnectors@2022-10-01-preview' = {
- name: name
- location: location
- tags: tags
- identity: identity
- properties: {}
-}
-
-resource accessConnector_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: accessConnector
-}
-
-resource accessConnector_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(accessConnector.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: accessConnector
-}]
-
-@description('The name of the deployed access connector.')
-output name string = accessConnector.name
-
-@description('The resource ID of the deployed access connector.')
-output resourceId string = accessConnector.id
-
-@description('The resource group of the deployed access connector.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The principal ID of the system assigned identity.')
-output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(accessConnector.identity, 'principalId') ? accessConnector.identity.principalId : ''
-
-@description('The location the resource was deployed into.')
-output location string = accessConnector.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]?
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/databricks/access-connector/main.json b/modules/databricks/access-connector/main.json
deleted file mode 100644
index dce724ef4b..0000000000
--- a/modules/databricks/access-connector/main.json
+++ /dev/null
@@ -1,287 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "3245638906962144809" - }, - "name": "Azure Databricks Access Connectors", - "description": "This module deploys an Azure Databricks Access Connector.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Azure Databricks access connector to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." 
- } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "accessConnector": { - "type": "Microsoft.Databricks/accessConnectors", - "apiVersion": "2022-10-01-preview", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "properties": {} - }, - "accessConnector_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Databricks/accessConnectors/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "accessConnector" - ] - }, - "accessConnector_roleAssignments": { - "copy": { - "name": "accessConnector_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Databricks/accessConnectors/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Databricks/accessConnectors', 
parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "accessConnector" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed access connector." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed access connector." - }, - "value": "[resourceId('Microsoft.Databricks/accessConnectors', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed access connector." - }, - "value": "[resourceGroup().name]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('accessConnector', '2022-10-01-preview', 'full').identity, 'principalId')), reference('accessConnector', '2022-10-01-preview', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('accessConnector', '2022-10-01-preview', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/databricks/access-connector/tests/e2e/defaults/main.test.bicep b/modules/databricks/access-connector/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 17bf07d2fc..0000000000 --- a/modules/databricks/access-connector/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-databricks.accessconnectors-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dacmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/databricks/access-connector/tests/e2e/max/dependencies.bicep b/modules/databricks/access-connector/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index b20bc53e8f..0000000000
--- a/modules/databricks/access-connector/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,16 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
diff --git a/modules/databricks/access-connector/tests/e2e/max/main.test.bicep b/modules/databricks/access-connector/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 586cd17f0c..0000000000
--- a/modules/databricks/access-connector/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,90 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-databricks.accessconnectors-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dacmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- location: resourceGroup.location
- }
-}]
diff --git a/modules/databricks/access-connector/tests/e2e/waf-aligned/dependencies.bicep b/modules/databricks/access-connector/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index b20bc53e8f..0000000000
--- a/modules/databricks/access-connector/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,16 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
diff --git a/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep b/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 64b4f1b6ab..0000000000
--- a/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,73 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-databricks.accessconnectors-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dacwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - 
userAssignedResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - location: resourceGroup.location - } -}] diff --git a/modules/databricks/access-connector/version.json b/modules/databricks/access-connector/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/databricks/access-connector/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/databricks/workspace/MOVED-TO-AVM.md b/modules/databricks/workspace/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/databricks/workspace/MOVED-TO-AVM.md +++ /dev/null @@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/databricks/workspace/README.md b/modules/databricks/workspace/README.md index 8591909a40..c102614656 100644 --- a/modules/databricks/workspace/README.md +++ b/modules/databricks/workspace/README.md @@ -1,1465 +1,7 @@ -# Azure Databricks Workspaces `[Microsoft.Databricks/workspaces]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/databricks/workspace](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/databricks/workspace).** -This module deploys an Azure Databricks Workspace. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/databricks/workspace). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Databricks/workspaces` | [2023-02-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Databricks/2023-02-01/workspaces) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 
[2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/databricks.workspace:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dwmin' - params: { - // Required parameters - name: 'dwmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dwmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dwmax' - params: { - // Required parameters - name: 'dwmax001' - // Non-required parameters - amlWorkspaceResourceId: '' - customerManagedKey: { - keyName: '' - keyVaultResourceId: '' - } - customerManagedKeyManagedDisk: { - keyName: '' - keyVaultResourceId: '' - rotationToLatestKeyVersionEnabled: true - } - customPrivateSubnetName: '' - customPublicSubnetName: '' - customVirtualNetworkResourceId: '' - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - logCategoriesAndGroups: [ - { - category: 'jobs' - } - { - category: 'notebook' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - disablePublicIp: true - enableDefaultTelemetry: '' - loadBalancerBackendPoolName: '' - loadBalancerResourceId: '' - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedResourceGroupResourceId: '' - natGatewayName: 'nat-gateway' - prepareEncryption: true - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - publicIpName: 'nat-gw-public-ip' - publicNetworkAccess: 'Disabled' - requiredNsgRules: 'NoAzureDatabricksRules' - requireInfrastructureEncryption: true - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - skuName: 'premium' - storageAccountName: 'sadwmax001' - storageAccountSkuName: 'Standard_ZRS' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 
'DeploymentValidation' - } - vnetAddressPrefix: '10.100' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dwmax001" - }, - // Non-required parameters - "amlWorkspaceResourceId": { - "value": "" - }, - "customerManagedKey": { - "value": { - "keyName": "", - "keyVaultResourceId": "" - } - }, - "customerManagedKeyManagedDisk": { - "value": { - "keyName": "", - "keyVaultResourceId": "", - "rotationToLatestKeyVersionEnabled": true - } - }, - "customPrivateSubnetName": { - "value": "" - }, - "customPublicSubnetName": { - "value": "" - }, - "customVirtualNetworkResourceId": { - "value": "" - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "logCategoriesAndGroups": [ - { - "category": "jobs" - }, - { - "category": "notebook" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "disablePublicIp": { - "value": true - }, - "enableDefaultTelemetry": { - "value": "" - }, - "loadBalancerBackendPoolName": { - "value": "" - }, - "loadBalancerResourceId": { - "value": "" - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedResourceGroupResourceId": { - "value": "" - }, - "natGatewayName": { - "value": "nat-gateway" - }, - "prepareEncryption": { - "value": true - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "Role": "DeploymentValidation" - } - } - ] - }, - "publicIpName": { - "value": "nat-gw-public-ip" - }, - "publicNetworkAccess": { - "value": "Disabled" - }, - "requiredNsgRules": { - "value": "NoAzureDatabricksRules" - }, - "requireInfrastructureEncryption": { - "value": true - }, - "roleAssignments": { - "value": [ - { - 
"principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "skuName": { - "value": "premium" - }, - "storageAccountName": { - "value": "sadwmax001" - }, - "storageAccountSkuName": { - "value": "Standard_ZRS" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "vnetAddressPrefix": { - "value": "10.100" - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dwwaf' - params: { - // Required parameters - name: 'dwwaf001' - // Non-required parameters - amlWorkspaceResourceId: '' - customerManagedKey: { - keyName: '' - keyVaultResourceId: '' - } - customerManagedKeyManagedDisk: { - keyName: '' - keyVaultResourceId: '' - rotationToLatestKeyVersionEnabled: true - } - customPrivateSubnetName: '' - customPublicSubnetName: '' - customVirtualNetworkResourceId: '' - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - logCategoriesAndGroups: [ - { - category: 'jobs' - } - { - category: 'notebook' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - disablePublicIp: true - enableDefaultTelemetry: '' - loadBalancerBackendPoolName: '' - loadBalancerResourceId: '' - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedResourceGroupResourceId: '' - natGatewayName: 'nat-gateway' - prepareEncryption: true - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - publicIpName: 'nat-gw-public-ip' - publicNetworkAccess: 'Disabled' - requiredNsgRules: 'NoAzureDatabricksRules' - requireInfrastructureEncryption: true - skuName: 'premium' - storageAccountName: 'sadwwaf001' - storageAccountSkuName: 'Standard_ZRS' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - vnetAddressPrefix: '10.100' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dwwaf001" - }, - // Non-required parameters - "amlWorkspaceResourceId": { - "value": "" - }, - "customerManagedKey": { - "value": { - "keyName": "", - "keyVaultResourceId": "" - } - }, - "customerManagedKeyManagedDisk": { - "value": { - "keyName": "", - "keyVaultResourceId": "", - "rotationToLatestKeyVersionEnabled": true - } - }, - "customPrivateSubnetName": { - "value": "" - }, - "customPublicSubnetName": { - "value": "" - }, - "customVirtualNetworkResourceId": { - "value": "" - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "logCategoriesAndGroups": [ - { - "category": "jobs" - }, - { - "category": "notebook" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "disablePublicIp": { - "value": true - }, - "enableDefaultTelemetry": { - "value": "" - }, - "loadBalancerBackendPoolName": { - "value": "" - }, - "loadBalancerResourceId": { - "value": "" - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedResourceGroupResourceId": { - "value": "" - }, - "natGatewayName": { - "value": "nat-gateway" - }, - "prepareEncryption": { - "value": true - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "Role": "DeploymentValidation" - } - } - ] - }, - "publicIpName": { - "value": "nat-gw-public-ip" - }, - "publicNetworkAccess": { - "value": "Disabled" - }, - "requiredNsgRules": { - "value": "NoAzureDatabricksRules" - }, - "requireInfrastructureEncryption": { - "value": true - }, - "skuName": { - "value": "premium" - }, - 
"storageAccountName": { - "value": "sadwwaf001" - }, - "storageAccountSkuName": { - "value": "Standard_ZRS" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "vnetAddressPrefix": { - "value": "10.100" - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the Azure Databricks workspace to create. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`amlWorkspaceResourceId`](#parameter-amlworkspaceresourceid) | string | The resource ID of a Azure Machine Learning workspace to link with Databricks workspace. | -| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition to use for the managed service. | -| [`customerManagedKeyManagedDisk`](#parameter-customermanagedkeymanageddisk) | object | The customer managed key definition to use for the managed disk. | -| [`customPrivateSubnetName`](#parameter-customprivatesubnetname) | string | The name of the Private Subnet within the Virtual Network. | -| [`customPublicSubnetName`](#parameter-custompublicsubnetname) | string | The name of a Public Subnet within the Virtual Network. | -| [`customVirtualNetworkResourceId`](#parameter-customvirtualnetworkresourceid) | string | The resource ID of a Virtual Network where this Databricks Cluster should be created. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`disablePublicIp`](#parameter-disablepublicip) | bool | Disable Public IP. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`loadBalancerBackendPoolName`](#parameter-loadbalancerbackendpoolname) | string | Name of the outbound Load Balancer Backend Pool for Secure Cluster Connectivity (No Public IP). | -| [`loadBalancerResourceId`](#parameter-loadbalancerresourceid) | string | Resource URI of Outbound Load balancer for Secure Cluster Connectivity (No Public IP) workspace. | -| [`location`](#parameter-location) | string | Location for all Resources. 
| -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedResourceGroupResourceId`](#parameter-managedresourcegroupresourceid) | string | The managed resource group ID. It is created by the module as per the to-be resource ID you provide. | -| [`natGatewayName`](#parameter-natgatewayname) | string | Name of the NAT gateway for Secure Cluster Connectivity (No Public IP) workspace subnets. | -| [`prepareEncryption`](#parameter-prepareencryption) | bool | Prepare the workspace for encryption. Enables the Managed Identity for managed storage account. | -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`publicIpName`](#parameter-publicipname) | string | Name of the Public IP for No Public IP workspace with managed vNet. | -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | The network access type for accessing workspace. Set value to disabled to access workspace only via private link. | -| [`requiredNsgRules`](#parameter-requirednsgrules) | string | Gets or sets a value indicating whether data plane (clusters) to control plane communication happen over private endpoint. | -| [`requireInfrastructureEncryption`](#parameter-requireinfrastructureencryption) | bool | A boolean indicating whether or not the DBFS root file system will be enabled with secondary layer of encryption with platform managed keys for data at rest. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`skuName`](#parameter-skuname) | string | The pricing tier of workspace. | -| [`storageAccountName`](#parameter-storageaccountname) | string | Default DBFS storage account name. | -| [`storageAccountSkuName`](#parameter-storageaccountskuname) | string | Storage account SKU name. | -| [`tags`](#parameter-tags) | object | Tags of the resource. 
| -| [`vnetAddressPrefix`](#parameter-vnetaddressprefix) | string | Address prefix for Managed virtual network. | - -### Parameter: `name` - -The name of the Azure Databricks workspace to create. - -- Required: Yes -- Type: string - -### Parameter: `amlWorkspaceResourceId` - -The resource ID of a Azure Machine Learning workspace to link with Databricks workspace. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `customerManagedKey` - -The customer managed key definition to use for the managed service. - -- Required: No -- Type: object - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. | -| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | -| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | - -### Parameter: `customerManagedKey.keyName` - -The name of the customer managed key to use for encryption. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKey.keyVaultResourceId` - -The resource ID of a key vault to reference a customer managed key for encryption from. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKey.keyVersion` - -The version of the customer managed key to reference for encryption. If not provided, using 'latest'. 
- -- Required: No -- Type: string - -### Parameter: `customerManagedKey.userAssignedIdentityResourceId` - -User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. - -- Required: No -- Type: string - -### Parameter: `customerManagedKeyManagedDisk` - -The customer managed key definition to use for the managed disk. - -- Required: No -- Type: object - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyName`](#parameter-customermanagedkeymanageddiskkeyname) | string | The name of the customer managed key to use for encryption. | -| [`keyVaultResourceId`](#parameter-customermanagedkeymanageddiskkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyVersion`](#parameter-customermanagedkeymanageddiskkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | -| [`rotationToLatestKeyVersionEnabled`](#parameter-customermanagedkeymanageddiskrotationtolatestkeyversionenabled) | bool | Indicate whether the latest key version should be automatically used for Managed Disk Encryption. Enabled by default. | -| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeymanageddiskuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | - -### Parameter: `customerManagedKeyManagedDisk.keyName` - -The name of the customer managed key to use for encryption. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKeyManagedDisk.keyVaultResourceId` - -The resource ID of a key vault to reference a customer managed key for encryption from. 
- -- Required: Yes -- Type: string - -### Parameter: `customerManagedKeyManagedDisk.keyVersion` - -The version of the customer managed key to reference for encryption. If not provided, using 'latest'. - -- Required: No -- Type: string - -### Parameter: `customerManagedKeyManagedDisk.rotationToLatestKeyVersionEnabled` - -Indicate whether the latest key version should be automatically used for Managed Disk Encryption. Enabled by default. - -- Required: No -- Type: bool - -### Parameter: `customerManagedKeyManagedDisk.userAssignedIdentityResourceId` - -User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. - -- Required: No -- Type: string - -### Parameter: `customPrivateSubnetName` - -The name of the Private Subnet within the Virtual Network. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `customPublicSubnetName` - -The name of a Public Subnet within the Virtual Network. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `customVirtualNetworkResourceId` - -The resource ID of a Virtual Network where this Databricks Cluster should be created. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `disablePublicIp` - -Disable Public IP. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). 
- -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `loadBalancerBackendPoolName` - -Name of the outbound Load Balancer Backend Pool for Secure Cluster Connectivity (No Public IP). - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `loadBalancerResourceId` - -Resource URI of Outbound Load balancer for Secure Cluster Connectivity (No Public IP) workspace. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `location` - -Location for all Resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedResourceGroupResourceId` - -The managed resource group ID. It is created by the module as per the to-be resource ID you provide. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `natGatewayName` - -Name of the NAT gateway for Secure Cluster Connectivity (No Public IP) workspace subnets. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `prepareEncryption` - -Prepare the workspace for encryption. Enables the Managed Identity for managed storage account. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `privateEndpoints` - -Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. 
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. 
A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.subnetResourceId` - -Resource ID of the subnet where the endpoint needs to be created. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Application security groups in which the private endpoint IP configuration is included. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customDnsConfigs` - -Custom DNS configurations. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customNetworkInterfaceName` - -The custom name of the network interface attached to the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.enableTelemetry` - -Enable/Disable usage telemetry for module. - -- Required: No -- Type: bool - -### Parameter: `privateEndpoints.ipConfigurations` - -A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.location` - -The location to deploy the private endpoint to. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.lock` - -Specify the type of lock. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | -| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. 
| - -### Parameter: `privateEndpoints.lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `privateEndpoints.lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` - -Manual PrivateLink Service Connections. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.name` - -The name of the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneGroupName` - -The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` - -The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `privateEndpoints.roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. 
- -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `privateEndpoints.service` - -The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.tags` - -Tags to be applied on all resources/resource groups in this deployment. - -- Required: No -- Type: object - -### Parameter: `publicIpName` - -Name of the Public IP for No Public IP workspace with managed vNet. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `publicNetworkAccess` - - The network access type for accessing workspace. Set value to disabled to access workspace only via private link. - -- Required: No -- Type: string -- Default: `'Enabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `requiredNsgRules` - -Gets or sets a value indicating whether data plane (clusters) to control plane communication happen over private endpoint. - -- Required: No -- Type: string -- Default: `'AllRules'` -- Allowed: - ```Bicep - [ - 'AllRules' - 'NoAzureDatabricksRules' - ] - ``` - -### Parameter: `requireInfrastructureEncryption` - -A boolean indicating whether or not the DBFS root file system will be enabled with secondary layer of encryption with platform managed keys for data at rest. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `roleAssignments` - -Array of role assignments to create. 
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
- -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `skuName` - -The pricing tier of workspace. - -- Required: No -- Type: string -- Default: `'premium'` -- Allowed: - ```Bicep - [ - 'premium' - 'standard' - 'trial' - ] - ``` - -### Parameter: `storageAccountName` - -Default DBFS storage account name. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `storageAccountSkuName` - -Storage account SKU name. - -- Required: No -- Type: string -- Default: `'Standard_GRS'` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `vnetAddressPrefix` - -Address prefix for Managed virtual network. - -- Required: No -- Type: string -- Default: `'10.139'` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed databricks workspace. 
| -| `resourceGroupName` | string | The resource group of the deployed databricks workspace. | -| `resourceId` | string | The resource ID of the deployed databricks workspace. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `modules/network/private-endpoint` | Local reference | - -## Notes - -### Parameter Usage: `customPublicSubnetName` and `customPrivateSubnetName` - -- Require Network Security Groups attached to the subnets (Note: Rule don't have to be set, they are set through the deployment) - -- The two subnets also need the delegation to service `Microsoft.Databricks/workspaces` - -### Parameter Usage: `parameters` - -- Include only those elements (e.g. amlWorkspaceId) as object if specified, otherwise remove it. - -

- -Parameter JSON format - -```json -"parameters": { - "value": { - "amlWorkspaceId": { - "value": "/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.MachineLearningServices/workspaces/xxx" - }, - "customVirtualNetworkId": { - "value": "/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Network/virtualNetworks/xxx" - }, - "customPublicSubnetName": { - "value": "xxx" - }, - "customPrivateSubnetName": { - "value": "xxx" - }, - "enableNoPublicIp": { - "value": true - } - } -} -``` - -
- -
- -Bicep format - -```bicep -parameters: { - amlWorkspaceId: { - value: '/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.MachineLearningServices/workspaces/xxx' - } - customVirtualNetworkId: { - value: '/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Network/virtualNetworks/xxx' - } - customPublicSubnetName: { - value: 'xxx' - } - customPrivateSubnetName: { - value: 'xxx' - } - enableNoPublicIp: { - value: true - } -} -``` - -
-

+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/databricks/workspace/main.bicep b/modules/databricks/workspace/main.bicep
deleted file mode 100644
index 0d7e6cdb19..0000000000
--- a/modules/databricks/workspace/main.bicep
+++ /dev/null
@@ -1,487 +0,0 @@
-metadata name = 'Azure Databricks Workspaces'
-metadata description = 'This module deploys an Azure Databricks Workspace.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the Azure Databricks workspace to create.')
-param name string
-
-@description('Optional. The managed resource group ID. It is created by the module as per the to-be resource ID you provide.')
-param managedResourceGroupResourceId string = ''
-
-@description('Optional. The pricing tier of workspace.')
-@allowed([
- 'trial'
- 'standard'
- 'premium'
-])
-param skuName string = 'premium'
-
-@description('Optional. Location for all Resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. The resource ID of a Virtual Network where this Databricks Cluster should be created.')
-param customVirtualNetworkResourceId string = ''
-
-@description('Optional. The resource ID of a Azure Machine Learning workspace to link with Databricks workspace.')
-param amlWorkspaceResourceId string = ''
-
-@description('Optional. The name of the Private Subnet within the Virtual Network.')
-param customPrivateSubnetName string = ''
-
-@description('Optional. The name of a Public Subnet within the Virtual Network.')
-param customPublicSubnetName string = ''
-
-@description('Optional. Disable Public IP.')
-param disablePublicIp bool = false
-
-@description('Optional. The customer managed key definition to use for the managed service.')
-param customerManagedKey customerManagedKeyType
-
-@description('Optional. The customer managed key definition to use for the managed disk.')
-param customerManagedKeyManagedDisk customerManagedKeyManagedDiskType
-
-@description('Optional. Name of the outbound Load Balancer Backend Pool for Secure Cluster Connectivity (No Public IP).')
-param loadBalancerBackendPoolName string = ''
-
-@description('Optional. Resource URI of Outbound Load balancer for Secure Cluster Connectivity (No Public IP) workspace.')
-param loadBalancerResourceId string = ''
-
-@description('Optional. Name of the NAT gateway for Secure Cluster Connectivity (No Public IP) workspace subnets.')
-param natGatewayName string = ''
-
-@description('Optional. Prepare the workspace for encryption. Enables the Managed Identity for managed storage account.')
-param prepareEncryption bool = false
-
-@description('Optional. Name of the Public IP for No Public IP workspace with managed vNet.')
-param publicIpName string = ''
-
-@description('Optional. A boolean indicating whether or not the DBFS root file system will be enabled with secondary layer of encryption with platform managed keys for data at rest.')
-param requireInfrastructureEncryption bool = false
-
-@description('Optional. Default DBFS storage account name.')
-param storageAccountName string = ''
-
-@description('Optional. Storage account SKU name.')
-param storageAccountSkuName string = 'Standard_GRS'
-
-@description('Optional. Address prefix for Managed virtual network.')
-param vnetAddressPrefix string = '10.139'
-
-@description('Optional. The network access type for accessing workspace. Set value to disabled to access workspace only via private link.')
-@allowed([
- 'Disabled'
- 'Enabled'
-])
-param publicNetworkAccess string = 'Enabled'
-
-@description('Optional. Gets or sets a value indicating whether data plane (clusters) to control plane communication happen over private endpoint.')
-@allowed([
- 'AllRules'
- 'NoAzureDatabricksRules'
-])
-param requiredNsgRules string = 'AllRules'
-
-@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints privateEndpointType
-
-var enableReferencedModulesTelemetry = false
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) {
- name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/'))
- scope: resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4])
-
- resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) {
- name: customerManagedKey.?keyName ?? 'dummyKey'
- }
-}
-
-resource cMKManagedDiskKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKeyManagedDisk.?keyVaultResourceId)) {
- name: last(split((customerManagedKeyManagedDisk.?keyVaultResourceId ?? 'dummyVault'), '/'))
- scope: resourceGroup(split((customerManagedKeyManagedDisk.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKeyManagedDisk.?keyVaultResourceId ?? '////'), '/')[4])
-
- resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKeyManagedDisk.?keyVaultResourceId) && !empty(customerManagedKeyManagedDisk.?keyName)) {
- name: customerManagedKeyManagedDisk.?keyName ?? 'dummyKey'
- }
-}
-
-resource workspace 'Microsoft.Databricks/workspaces@2023-02-01' = {
- name: name
- location: location
- tags: tags
- sku: {
- name: skuName
- }
- properties: {
- managedResourceGroupId: !empty(managedResourceGroupResourceId) ? managedResourceGroupResourceId : '${subscription().id}/resourceGroups/${name}-rg'
- parameters: union(
- // Always added parameters
- {
- enableNoPublicIp: {
- value: disablePublicIp
- }
- prepareEncryption: {
- value: prepareEncryption
- }
- vnetAddressPrefix: {
- value: vnetAddressPrefix
- }
- requireInfrastructureEncryption: {
- value: requireInfrastructureEncryption
- }
- },
- // Parameters only added if not empty
- !empty(customVirtualNetworkResourceId) ? {
- customVirtualNetworkId: {
- value: customVirtualNetworkResourceId
- }
- } : {},
- !empty(amlWorkspaceResourceId) ? {
- amlWorkspaceId: {
- value: amlWorkspaceResourceId
- }
- } : {},
- !empty(customPrivateSubnetName) ? {
- customPrivateSubnetName: {
- value: customPrivateSubnetName
- }
- } : {},
- !empty(customPublicSubnetName) ? {
- customPublicSubnetName: {
- value: customPublicSubnetName
- }
- } : {},
- !empty(loadBalancerBackendPoolName) ? {
- loadBalancerBackendPoolName: {
- value: loadBalancerBackendPoolName
- }
- } : {},
- !empty(loadBalancerResourceId) ? {
- loadBalancerId: {
- value: loadBalancerResourceId
- }
- } : {},
- !empty(natGatewayName) ? {
- natGatewayName: {
- value: natGatewayName
- }
- } : {},
- !empty(publicIpName) ? {
- publicIpName: {
- value: publicIpName
- }
- } : {},
- !empty(storageAccountName) ? {
- storageAccountName: {
- value: storageAccountName
- }
- } : {},
- !empty(storageAccountSkuName) ? {
- storageAccountSkuName: {
- value: storageAccountSkuName
- }
- } : {})
- publicNetworkAccess: publicNetworkAccess
- requiredNsgRules: requiredNsgRules
- encryption: !empty(customerManagedKey) || !empty(customerManagedKeyManagedDisk) ? {
- entities: {
- managedServices: !empty(customerManagedKey) ? {
- keySource: 'Microsoft.Keyvault'
- keyVaultProperties: {
- keyVaultUri: cMKKeyVault.properties.vaultUri
- keyName: customerManagedKey!.keyName
- keyVersion: !empty(customerManagedKey.?keyVersion ?? '') ? customerManagedKey!.keyVersion : last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/'))
- }
- } : null
- managedDisk: !empty(customerManagedKeyManagedDisk) ? {
- keySource: 'Microsoft.Keyvault'
- keyVaultProperties: {
- keyVaultUri: cMKManagedDiskKeyVault.properties.vaultUri
- keyName: customerManagedKeyManagedDisk!.keyName
- keyVersion: !empty(customerManagedKeyManagedDisk.?keyVersion ?? '') ? customerManagedKeyManagedDisk!.keyVersion : last(split(cMKManagedDiskKeyVault::cMKKey.properties.keyUriWithVersion, '/'))
- }
- rotationToLatestKeyVersionEnabled: customerManagedKeyManagedDisk.?rotationToLatestKeyVersionEnabled ?? true
- } : null
- }
- } : null
- }
-}
-
-resource workspace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: workspace
-}
-
-// Note: Diagnostic Settings are only supported by the premium tier
-resource workspace_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: workspace
-}]
-
-resource workspace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(workspace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: workspace
-}]
-
-module workspace_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
- name: '${uniqueString(deployment().name, location)}-workspace-PrivateEndpoint-${index}'
- params: {
- groupIds: [
- privateEndpoint.?service ?? 'databricks_ui_api'
- ]
- name: privateEndpoint.?name ?? 'pep-${last(split(workspace.id, '/'))}-${privateEndpoint.?service ?? 'databricks_ui_api'}-${index}'
- serviceResourceId: workspace.id
- subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
- location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
- privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
- roleAssignments: privateEndpoint.?roleAssignments
- tags: privateEndpoint.?tags ?? tags
- manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
- customDnsConfigs: privateEndpoint.?customDnsConfigs
- ipConfigurations: privateEndpoint.?ipConfigurations
- applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
- customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
- }
-}]
-
-@description('The name of the deployed databricks workspace.')
-output name string = workspace.name
-
-@description('The resource ID of the deployed databricks workspace.')
-output resourceId string = workspace.id
-
-@description('The resource group of the deployed databricks workspace.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = workspace.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type privateEndpointType = {
- @description('Optional. The name of the private endpoint.')
- name: string?
-
- @description('Optional. The location to deploy the private endpoint to.')
- location: string?
-
- @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
- service: string?
-
- @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
- subnetResourceId: string
-
- @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
- privateDnsZoneGroupName: string?
-
- @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
- privateDnsZoneResourceIds: string[]?
-
- @description('Optional. Custom DNS configurations.')
- customDnsConfigs: {
- @description('Required. Fqdn that resolves to private endpoint ip address.')
- fqdn: string?
-
- @description('Required. A list of private ip addresses of the private endpoint.')
- ipAddresses: string[]
- }[]?
-
- @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
- ipConfigurations: {
- @description('Required. The name of the resource that is unique within a resource group.')
- name: string
-
- @description('Required. Properties of private endpoint IP configurations.')
- properties: {
- @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
- groupId: string
-
- @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
- memberName: string
-
- @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
- privateIPAddress: string
- }
- }[]?
-
- @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
- applicationSecurityGroupResourceIds: string[]?
-
- @description('Optional. The custom name of the network interface attached to the private endpoint.')
- customNetworkInterfaceName: string?
-
- @description('Optional. Specify the type of lock.')
- lock: lockType
-
- @description('Optional. Array of role assignments to create.')
- roleAssignments: roleAssignmentType
-
- @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
- tags: object?
-
- @description('Optional. Manual PrivateLink Service Connections.')
- manualPrivateLinkServiceConnections: array?
-
- @description('Optional. Enable/Disable usage telemetry for module.')
- enableTelemetry: bool?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
-
-type customerManagedKeyType = {
- @description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.')
- keyVaultResourceId: string
-
- @description('Required. The name of the customer managed key to use for encryption.')
- keyName: string
-
- @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.')
- keyVersion: string?
-
- @description('Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use.')
- userAssignedIdentityResourceId: string?
-}?
-
-type customerManagedKeyManagedDiskType = {
- @description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.')
- keyVaultResourceId: string
-
- @description('Required. The name of the customer managed key to use for encryption.')
- keyName: string
-
- @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.')
- keyVersion: string?
-
- @description('Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use.')
- userAssignedIdentityResourceId: string?
-
- @description('Optional. Indicate whether the latest key version should be automatically used for Managed Disk Encryption. Enabled by default.')
- rotationToLatestKeyVersionEnabled: bool?
-}?
diff --git a/modules/databricks/workspace/main.json b/modules/databricks/workspace/main.json
deleted file mode 100644
index 47a19aa465..0000000000
--- a/modules/databricks/workspace/main.json
+++ /dev/null
@@ -1,1439 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17678709403904494263" - }, - "name": "Azure Databricks Workspaces", - "description": "This module deploys an Azure Databricks Workspace.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. 
A DNS zone group can support up to 5 DNS zones." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. 
Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." 
- } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." 
- } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - }, - "customerManagedKeyType": { - "type": "object", - "properties": { - "keyVaultResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." - } - }, - "keyName": { - "type": "string", - "metadata": { - "description": "Required. The name of the customer managed key to use for encryption." - } - }, - "keyVersion": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." - } - }, - "userAssignedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use." - } - } - }, - "nullable": true - }, - "customerManagedKeyManagedDiskType": { - "type": "object", - "properties": { - "keyVaultResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." - } - }, - "keyName": { - "type": "string", - "metadata": { - "description": "Required. The name of the customer managed key to use for encryption." - } - }, - "keyVersion": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." - } - }, - "userAssignedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use." - } - }, - "rotationToLatestKeyVersionEnabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Indicate whether the latest key version should be automatically used for Managed Disk Encryption. Enabled by default." - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Azure Databricks workspace to create." - } - }, - "managedResourceGroupResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The managed resource group ID. It is created by the module as per the to-be resource ID you provide." - } - }, - "skuName": { - "type": "string", - "defaultValue": "premium", - "allowedValues": [ - "trial", - "standard", - "premium" - ], - "metadata": { - "description": "Optional. The pricing tier of workspace." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - }, - "customVirtualNetworkResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of a Virtual Network where this Databricks Cluster should be created." - } - }, - "amlWorkspaceResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of a Azure Machine Learning workspace to link with Databricks workspace." - } - }, - "customPrivateSubnetName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the Private Subnet within the Virtual Network." - } - }, - "customPublicSubnetName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of a Public Subnet within the Virtual Network." - } - }, - "disablePublicIp": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Disable Public IP." - } - }, - "customerManagedKey": { - "$ref": "#/definitions/customerManagedKeyType", - "metadata": { - "description": "Optional. The customer managed key definition to use for the managed service." - } - }, - "customerManagedKeyManagedDisk": { - "$ref": "#/definitions/customerManagedKeyManagedDiskType", - "metadata": { - "description": "Optional. The customer managed key definition to use for the managed disk." - } - }, - "loadBalancerBackendPoolName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the outbound Load Balancer Backend Pool for Secure Cluster Connectivity (No Public IP)." - } - }, - "loadBalancerResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource URI of Outbound Load balancer for Secure Cluster Connectivity (No Public IP) workspace." - } - }, - "natGatewayName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
Name of the NAT gateway for Secure Cluster Connectivity (No Public IP) workspace subnets." - } - }, - "prepareEncryption": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Prepare the workspace for encryption. Enables the Managed Identity for managed storage account." - } - }, - "publicIpName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the Public IP for No Public IP workspace with managed vNet." - } - }, - "requireInfrastructureEncryption": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. A boolean indicating whether or not the DBFS root file system will be enabled with secondary layer of encryption with platform managed keys for data at rest." - } - }, - "storageAccountName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Default DBFS storage account name." - } - }, - "storageAccountSkuName": { - "type": "string", - "defaultValue": "Standard_GRS", - "metadata": { - "description": "Optional. Storage account SKU name." - } - }, - "vnetAddressPrefix": { - "type": "string", - "defaultValue": "10.139", - "metadata": { - "description": "Optional. Address prefix for Managed virtual network." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. \tThe network access type for accessing workspace. Set value to disabled to access workspace only via private link." - } - }, - "requiredNsgRules": { - "type": "string", - "defaultValue": "AllRules", - "allowedValues": [ - "AllRules", - "NoAzureDatabricksRules" - ], - "metadata": { - "description": "Optional. Gets or sets a value indicating whether data plane (clusters) to control plane communication happen over private endpoint." 
- } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "cMKKeyVault::cMKKey": { - "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults/keys", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", - "dependsOn": [ - "cMKKeyVault" - ] - }, - "cMKManagedDiskKeyVault::cMKKey": { - "condition": 
"[and(not(empty(tryGet(parameters('customerManagedKeyManagedDisk'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKeyManagedDisk'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKeyManagedDisk'), 'keyName')))))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults/keys", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKeyManagedDisk'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKeyManagedDisk'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKeyManagedDisk'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKeyManagedDisk'), 'keyName'), 'dummyKey'))]", - "dependsOn": [ - "cMKManagedDiskKeyVault" - ] - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "cMKKeyVault": { - "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" - }, - 
"cMKManagedDiskKeyVault": { - "condition": "[not(empty(tryGet(parameters('customerManagedKeyManagedDisk'), 'keyVaultResourceId')))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKeyManagedDisk'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKeyManagedDisk'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKeyManagedDisk'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" - }, - "workspace": { - "type": "Microsoft.Databricks/workspaces", - "apiVersion": "2023-02-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "name": "[parameters('skuName')]" - }, - "properties": { - "managedResourceGroupId": "[if(not(empty(parameters('managedResourceGroupResourceId'))), parameters('managedResourceGroupResourceId'), format('{0}/resourceGroups/{1}-rg', subscription().id, parameters('name')))]", - "parameters": "[union(createObject('enableNoPublicIp', createObject('value', parameters('disablePublicIp')), 'prepareEncryption', createObject('value', parameters('prepareEncryption')), 'vnetAddressPrefix', createObject('value', parameters('vnetAddressPrefix')), 'requireInfrastructureEncryption', createObject('value', parameters('requireInfrastructureEncryption'))), if(not(empty(parameters('customVirtualNetworkResourceId'))), createObject('customVirtualNetworkId', createObject('value', parameters('customVirtualNetworkResourceId'))), createObject()), if(not(empty(parameters('amlWorkspaceResourceId'))), createObject('amlWorkspaceId', createObject('value', parameters('amlWorkspaceResourceId'))), createObject()), if(not(empty(parameters('customPrivateSubnetName'))), createObject('customPrivateSubnetName', createObject('value', parameters('customPrivateSubnetName'))), 
createObject()), if(not(empty(parameters('customPublicSubnetName'))), createObject('customPublicSubnetName', createObject('value', parameters('customPublicSubnetName'))), createObject()), if(not(empty(parameters('loadBalancerBackendPoolName'))), createObject('loadBalancerBackendPoolName', createObject('value', parameters('loadBalancerBackendPoolName'))), createObject()), if(not(empty(parameters('loadBalancerResourceId'))), createObject('loadBalancerId', createObject('value', parameters('loadBalancerResourceId'))), createObject()), if(not(empty(parameters('natGatewayName'))), createObject('natGatewayName', createObject('value', parameters('natGatewayName'))), createObject()), if(not(empty(parameters('publicIpName'))), createObject('publicIpName', createObject('value', parameters('publicIpName'))), createObject()), if(not(empty(parameters('storageAccountName'))), createObject('storageAccountName', createObject('value', parameters('storageAccountName'))), createObject()), if(not(empty(parameters('storageAccountSkuName'))), createObject('storageAccountSkuName', createObject('value', parameters('storageAccountSkuName'))), createObject()))]", - "publicNetworkAccess": "[parameters('publicNetworkAccess')]", - "requiredNsgRules": "[parameters('requiredNsgRules')]", - "encryption": "[if(or(not(empty(parameters('customerManagedKey'))), not(empty(parameters('customerManagedKeyManagedDisk')))), createObject('entities', createObject('managedServices', if(not(empty(parameters('customerManagedKey'))), createObject('keySource', 'Microsoft.Keyvault', 'keyVaultProperties', createObject('keyVaultUri', reference('cMKKeyVault').vaultUri, 'keyName', parameters('customerManagedKey').keyName, 'keyVersion', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), parameters('customerManagedKey').keyVersion, last(split(reference('cMKKeyVault::cMKKey').keyUriWithVersion, '/'))))), null()), 'managedDisk', if(not(empty(parameters('customerManagedKeyManagedDisk'))), 
createObject('keySource', 'Microsoft.Keyvault', 'keyVaultProperties', createObject('keyVaultUri', reference('cMKManagedDiskKeyVault').vaultUri, 'keyName', parameters('customerManagedKeyManagedDisk').keyName, 'keyVersion', if(not(empty(coalesce(tryGet(parameters('customerManagedKeyManagedDisk'), 'keyVersion'), ''))), parameters('customerManagedKeyManagedDisk').keyVersion, last(split(reference('cMKManagedDiskKeyVault::cMKKey').keyUriWithVersion, '/')))), 'rotationToLatestKeyVersionEnabled', coalesce(tryGet(parameters('customerManagedKeyManagedDisk'), 'rotationToLatestKeyVersionEnabled'), true())), null()))), null())]" - }, - "dependsOn": [ - "cMKKeyVault", - "cMKManagedDiskKeyVault" - ] - }, - "workspace_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Databricks/workspaces/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "workspace" - ] - }, - "workspace_diagnosticSettings": { - "copy": { - "name": "workspace_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Databricks/workspaces/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "workspace" - ] - }, - "workspace_roleAssignments": { - "copy": { - "name": "workspace_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Databricks/workspaces/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Databricks/workspaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "workspace" - ] - }, - "workspace_privateEndpoints": { - "copy": { - "name": "workspace_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-workspace-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'databricks_ui_api')]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), 
createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Databricks/workspaces', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'databricks_ui_api'), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.Databricks/workspaces', parameters('name'))]" - }, - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": 
"[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. 
A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. 
The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. 
Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - 
"contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - "groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - 
"privateEndpoint_roleAssignments": { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": 
"[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "workspace" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed databricks workspace." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed databricks workspace." - }, - "value": "[resourceId('Microsoft.Databricks/workspaces', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed databricks workspace." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('workspace', '2023-02-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/databricks/workspace/tests/e2e/defaults/main.test.bicep b/modules/databricks/workspace/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 8c3002937e..0000000000 
--- a/modules/databricks/workspace/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-databricks.workspaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dwmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/databricks/workspace/tests/e2e/max/dependencies.bicep b/modules/databricks/workspace/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 4c074d6ae8..0000000000
--- a/modules/databricks/workspace/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,368 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -@description('Required. The name of the Key Vault to create.') -param keyVaultName string - -@description('Required. The name of the Key Vault for Disk Encryption to create.') -param keyVaultDiskName string - -@description('Required. The name of the Azure Machine Learning Workspace to create.') -param amlWorkspaceName string - -@description('Required. The name of the Load Balancer to create.') -param loadBalancerName string - -@description('Required. The name of the Network Security Group to create.') -param networkSecurityGroupName string - -@description('Required. The name of the Storage Account to create.') -param storageAccountName string - -@description('Required. The name of the Application Insights Instanec to create.') -param applicationInsightsName string - -@description('Required. 
The name of the Virtual Network to create.') -param virtualNetworkName string - -var addressPrefix = '10.0.0.0/16' - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { - name: keyVaultName - location: location - properties: { - sku: { - family: 'A' - name: 'standard' - } - tenantId: tenant().tenantId - enablePurgeProtection: true // Required by batch account - softDeleteRetentionInDays: 7 - enabledForTemplateDeployment: true - enabledForDiskEncryption: true - enabledForDeployment: true - enableRbacAuthorization: true - accessPolicies: [] - } - - resource key 'keys@2022-07-01' = { - name: 'keyEncryptionKey' - properties: { - kty: 'RSA' - } - } -} - -resource keyVaultDisk 'Microsoft.KeyVault/vaults@2022-07-01' = { - name: keyVaultDiskName - location: location - properties: { - sku: { - family: 'A' - name: 'standard' - } - tenantId: tenant().tenantId - enablePurgeProtection: true // Required by batch account - softDeleteRetentionInDays: 7 - enabledForTemplateDeployment: true - enabledForDiskEncryption: true - enabledForDeployment: true - enableRbacAuthorization: true - accessPolicies: [] - } - - resource key 'keys@2022-07-01' = { - name: 'keyEncryptionKeyDisk' - properties: { - kty: 'RSA' - } - } -} - -resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Key-Vault-Crypto-User-RoleAssignment') - scope: keyVault::key - properties: { - principalId: '5167ea7a-355a-466f-ae8b-8ea60f718b35' // AzureDatabricks Enterprise Application Object Id - roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User - principalType: 'ServicePrincipal' - } -} - -resource amlPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - 
name: guid('msi-${keyVault.id}-${location}-${managedIdentity.id}-Key-Vault-Contributor') - scope: keyVault - properties: { - principalId: managedIdentity.properties.principalId - roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor - principalType: 'ServicePrincipal' - } -} - -resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = { - name: storageAccountName - location: location - sku: { - name: 'Standard_ZRS' - } - kind: 'StorageV2' - properties: {} -} - -resource applicationInsights 'Microsoft.Insights/components@2020-02-02' = { - name: applicationInsightsName - location: location - kind: 'web' - properties: { - Application_Type: 'web' - } -} - -resource machineLearningWorkspace 'Microsoft.MachineLearningServices/workspaces@2023-04-01' = { - name: amlWorkspaceName - location: location - identity: { - type: 'UserAssigned' - userAssignedIdentities: { - '${managedIdentity.id}': {} - } - } - properties: { - storageAccount: storageAccount.id - keyVault: keyVault.id - applicationInsights: applicationInsights.id - primaryUserAssignedIdentity: managedIdentity.id - } -} - -resource loadBalancer 'Microsoft.Network/loadBalancers@2023-04-01' = { - name: loadBalancerName - location: location - properties: { - backendAddressPools: [ - { - name: 'default' - } - ] - frontendIPConfigurations: [ - { - name: 'privateIPConfig1' - properties: { - subnet: { - id: virtualNetwork.properties.subnets[0].id - } - } - } - ] - } -} - -resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = { - name: networkSecurityGroupName - location: location - properties: { - securityRules: [ - { - name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-inbound' - properties: { - description: 'Required for worker nodes communication within a cluster.' 
- protocol: '*' - sourcePortRange: '*' - destinationPortRange: '*' - sourceAddressPrefix: 'VirtualNetwork' - destinationAddressPrefix: 'VirtualNetwork' - access: 'Allow' - priority: 100 - direction: 'Inbound' - } - } - { - name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-databricks-webapp' - properties: { - description: 'Required for workers communication with Databricks Webapp.' - protocol: 'Tcp' - sourcePortRange: '*' - destinationPortRange: '443' - sourceAddressPrefix: 'VirtualNetwork' - destinationAddressPrefix: 'AzureDatabricks' - access: 'Allow' - priority: 100 - direction: 'Outbound' - } - } - { - name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql' - properties: { - description: 'Required for workers communication with Azure SQL services.' - protocol: 'Tcp' - sourcePortRange: '*' - destinationPortRange: '3306' - sourceAddressPrefix: 'VirtualNetwork' - destinationAddressPrefix: 'Sql' - access: 'Allow' - priority: 101 - direction: 'Outbound' - } - } - { - name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage' - properties: { - description: 'Required for workers communication with Azure Storage services.' - protocol: 'Tcp' - sourcePortRange: '*' - destinationPortRange: '443' - sourceAddressPrefix: 'VirtualNetwork' - destinationAddressPrefix: 'Storage' - access: 'Allow' - priority: 102 - direction: 'Outbound' - } - } - { - name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound' - properties: { - description: 'Required for worker nodes communication within a cluster.' - protocol: '*' - sourcePortRange: '*' - destinationPortRange: '*' - sourceAddressPrefix: 'VirtualNetwork' - destinationAddressPrefix: 'VirtualNetwork' - access: 'Allow' - priority: 103 - direction: 'Outbound' - } - } - { - name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub' - properties: { - description: 'Required for worker communication with Azure Eventhub services.' 
- protocol: 'Tcp' - sourcePortRange: '*' - destinationPortRange: '9093' - sourceAddressPrefix: 'VirtualNetwork' - destinationAddressPrefix: 'EventHub' - access: 'Allow' - priority: 104 - direction: 'Outbound' - } - } - ] - } -} - -resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = { - name: virtualNetworkName - location: location - properties: { - addressSpace: { - addressPrefixes: [ - addressPrefix - ] - } - subnets: [ - { - name: 'defaultSubnet' - properties: { - addressPrefix: cidrSubnet(addressPrefix, 20, 0) - } - } - { - name: 'custom-public-subnet' - properties: { - addressPrefix: cidrSubnet(addressPrefix, 20, 1) - networkSecurityGroup: { - id: networkSecurityGroup.id - } - delegations: [ - { - name: 'databricksDelegation' - properties: { - serviceName: 'Microsoft.Databricks/workspaces' - } - } - ] - } - } - { - name: 'custom-private-subnet' - properties: { - addressPrefix: cidrSubnet(addressPrefix, 20, 2) - networkSecurityGroup: { - id: networkSecurityGroup.id - } - delegations: [ - { - name: 'databricksDelegation' - properties: { - serviceName: 'Microsoft.Databricks/workspaces' - } - } - ] - } - } - ] - } -} - -resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { - name: 'privatelink.azuredatabricks.net' - location: 'global' - - resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { - name: '${virtualNetwork.name}-vnetlink' - location: 'global' - properties: { - virtualNetwork: { - id: virtualNetwork.id - } - registrationEnabled: false - } - } -} - -@description('The resource ID of the created Virtual Network Default Subnet.') -output defaultSubnetResourceId string = virtualNetwork.properties.subnets[0].id - -@description('The name of the created Virtual Network Public Subnet.') -output customPublicSubnetName string = virtualNetwork.properties.subnets[1].name - -@description('The name of the created Virtual Network Private Subnet.') -output customPrivateSubnetName string = 
virtualNetwork.properties.subnets[2].name - -@description('The resource ID of the created Virtual Network.') -output virtualNetworkResourceId string = virtualNetwork.id - -@description('The resource ID of the created Private DNS Zone.') -output privateDNSZoneResourceId string = privateDNSZone.id - -@description('The resource ID of the created Azure Machine Learning Workspace.') -output machineLearningWorkspaceResourceId string = machineLearningWorkspace.id - -@description('The resource ID of the created Key Vault.') -output keyVaultResourceId string = keyVault.id - -@description('The resource ID of the created Disk Key Vault.') -output keyVaultDiskResourceId string = keyVaultDisk.id - -@description('The resource ID of the created Load Balancer.') -output loadBalancerResourceId string = loadBalancer.id - -@description('The name of the created Load Balancer Backend Pool.') -output loadBalancerBackendPoolName string = loadBalancer.properties.backendAddressPools[0].name - -@description('The name of the created Key Vault encryption key.') -output keyVaultKeyName string = keyVault::key.name - -@description('The name of the created Key Vault Disk encryption key.') -output keyVaultDiskKeyName string = keyVaultDisk::key.name - -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/databricks/workspace/tests/e2e/max/main.test.bicep b/modules/databricks/workspace/tests/e2e/max/main.test.bicep deleted file mode 100644 index 5656e772da..0000000000 --- a/modules/databricks/workspace/tests/e2e/max/main.test.bicep +++ /dev/null 
@@ -1,167 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-databricks.workspaces-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dwmax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Generated. Used as a basis for unique resource names.') -param baseTime string = utcNow('u') - -@description('Optional. 
A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - amlWorkspaceName: 'dep-${namePrefix}-aml-${serviceShort}' - applicationInsightsName: 'dep-${namePrefix}-appi-${serviceShort}' - loadBalancerName: 'dep-${namePrefix}-lb-${serviceShort}' - storageAccountName: 'dep${namePrefix}sa${serviceShort}' - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - networkSecurityGroupName: 'dep-${namePrefix}-nsg-${serviceShort}' - // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' - keyVaultDiskName: 'dep-${namePrefix}-kve-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: 
resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - diagnosticSettings: [ - { - name: 'customSetting' - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - logCategoriesAndGroups: [ - { - category: 'jobs' - } - { - category: 'notebook' - - } - ] - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - customerManagedKey: { - keyName: nestedDependencies.outputs.keyVaultKeyName - keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - } - customerManagedKeyManagedDisk: { - keyName: nestedDependencies.outputs.keyVaultDiskKeyName - keyVaultResourceId: nestedDependencies.outputs.keyVaultDiskResourceId - rotationToLatestKeyVersionEnabled: true - } - storageAccountName: 'sa${namePrefix}${serviceShort}001' - storageAccountSkuName: 'Standard_ZRS' - publicIpName: 'nat-gw-public-ip' - 
natGatewayName: 'nat-gateway' - prepareEncryption: true - requiredNsgRules: 'NoAzureDatabricksRules' - skuName: 'premium' - amlWorkspaceResourceId: nestedDependencies.outputs.machineLearningWorkspaceResourceId - customPrivateSubnetName: nestedDependencies.outputs.customPrivateSubnetName - customPublicSubnetName: nestedDependencies.outputs.customPublicSubnetName - publicNetworkAccess: 'Disabled' - disablePublicIp: true - loadBalancerResourceId: nestedDependencies.outputs.loadBalancerResourceId - loadBalancerBackendPoolName: nestedDependencies.outputs.loadBalancerBackendPoolName - customVirtualNetworkResourceId: nestedDependencies.outputs.virtualNetworkResourceId - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - subnetResourceId: nestedDependencies.outputs.defaultSubnetResourceId - tags: { - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - managedResourceGroupResourceId: '${subscription().id}/resourceGroups/rg-${resourceGroupName}-managed' - requireInfrastructureEncryption: true - vnetAddressPrefix: '10.100' - location: resourceGroup.location - } -}] diff --git a/modules/databricks/workspace/tests/e2e/waf-aligned/dependencies.bicep b/modules/databricks/workspace/tests/e2e/waf-aligned/dependencies.bicep deleted file mode 100644 index 4c074d6ae8..0000000000 --- a/modules/databricks/workspace/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null 
@@ -1,368 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -@description('Required. The name of the Key Vault to create.') -param keyVaultName string - -@description('Required. The name of the Key Vault for Disk Encryption to create.') -param keyVaultDiskName string - -@description('Required. The name of the Azure Machine Learning Workspace to create.') -param amlWorkspaceName string - -@description('Required. The name of the Load Balancer to create.') -param loadBalancerName string - -@description('Required. The name of the Network Security Group to create.') -param networkSecurityGroupName string - -@description('Required. The name of the Storage Account to create.') -param storageAccountName string - -@description('Required. The name of the Application Insights Instanec to create.') -param applicationInsightsName string - -@description('Required. 
The name of the Virtual Network to create.') -param virtualNetworkName string - -var addressPrefix = '10.0.0.0/16' - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { - name: keyVaultName - location: location - properties: { - sku: { - family: 'A' - name: 'standard' - } - tenantId: tenant().tenantId - enablePurgeProtection: true // Required by batch account - softDeleteRetentionInDays: 7 - enabledForTemplateDeployment: true - enabledForDiskEncryption: true - enabledForDeployment: true - enableRbacAuthorization: true - accessPolicies: [] - } - - resource key 'keys@2022-07-01' = { - name: 'keyEncryptionKey' - properties: { - kty: 'RSA' - } - } -} - -resource keyVaultDisk 'Microsoft.KeyVault/vaults@2022-07-01' = { - name: keyVaultDiskName - location: location - properties: { - sku: { - family: 'A' - name: 'standard' - } - tenantId: tenant().tenantId - enablePurgeProtection: true // Required by batch account - softDeleteRetentionInDays: 7 - enabledForTemplateDeployment: true - enabledForDiskEncryption: true - enabledForDeployment: true - enableRbacAuthorization: true - accessPolicies: [] - } - - resource key 'keys@2022-07-01' = { - name: 'keyEncryptionKeyDisk' - properties: { - kty: 'RSA' - } - } -} - -resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Key-Vault-Crypto-User-RoleAssignment') - scope: keyVault::key - properties: { - principalId: '5167ea7a-355a-466f-ae8b-8ea60f718b35' // AzureDatabricks Enterprise Application Object Id - roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User - principalType: 'ServicePrincipal' - } -} - -resource amlPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - 
name: guid('msi-${keyVault.id}-${location}-${managedIdentity.id}-Key-Vault-Contributor') - scope: keyVault - properties: { - principalId: managedIdentity.properties.principalId - roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor - principalType: 'ServicePrincipal' - } -} - -resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = { - name: storageAccountName - location: location - sku: { - name: 'Standard_ZRS' - } - kind: 'StorageV2' - properties: {} -} - -resource applicationInsights 'Microsoft.Insights/components@2020-02-02' = { - name: applicationInsightsName - location: location - kind: 'web' - properties: { - Application_Type: 'web' - } -} - -resource machineLearningWorkspace 'Microsoft.MachineLearningServices/workspaces@2023-04-01' = { - name: amlWorkspaceName - location: location - identity: { - type: 'UserAssigned' - userAssignedIdentities: { - '${managedIdentity.id}': {} - } - } - properties: { - storageAccount: storageAccount.id - keyVault: keyVault.id - applicationInsights: applicationInsights.id - primaryUserAssignedIdentity: managedIdentity.id - } -} - -resource loadBalancer 'Microsoft.Network/loadBalancers@2023-04-01' = { - name: loadBalancerName - location: location - properties: { - backendAddressPools: [ - { - name: 'default' - } - ] - frontendIPConfigurations: [ - { - name: 'privateIPConfig1' - properties: { - subnet: { - id: virtualNetwork.properties.subnets[0].id - } - } - } - ] - } -} - -resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = { - name: networkSecurityGroupName - location: location - properties: { - securityRules: [ - { - name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-inbound' - properties: { - description: 'Required for worker nodes communication within a cluster.' 
- protocol: '*' - sourcePortRange: '*' - destinationPortRange: '*' - sourceAddressPrefix: 'VirtualNetwork' - destinationAddressPrefix: 'VirtualNetwork' - access: 'Allow' - priority: 100 - direction: 'Inbound' - } - } - { - name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-databricks-webapp' - properties: { - description: 'Required for workers communication with Databricks Webapp.' - protocol: 'Tcp' - sourcePortRange: '*' - destinationPortRange: '443' - sourceAddressPrefix: 'VirtualNetwork' - destinationAddressPrefix: 'AzureDatabricks' - access: 'Allow' - priority: 100 - direction: 'Outbound' - } - } - { - name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql' - properties: { - description: 'Required for workers communication with Azure SQL services.' - protocol: 'Tcp' - sourcePortRange: '*' - destinationPortRange: '3306' - sourceAddressPrefix: 'VirtualNetwork' - destinationAddressPrefix: 'Sql' - access: 'Allow' - priority: 101 - direction: 'Outbound' - } - } - { - name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage' - properties: { - description: 'Required for workers communication with Azure Storage services.' - protocol: 'Tcp' - sourcePortRange: '*' - destinationPortRange: '443' - sourceAddressPrefix: 'VirtualNetwork' - destinationAddressPrefix: 'Storage' - access: 'Allow' - priority: 102 - direction: 'Outbound' - } - } - { - name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound' - properties: { - description: 'Required for worker nodes communication within a cluster.' - protocol: '*' - sourcePortRange: '*' - destinationPortRange: '*' - sourceAddressPrefix: 'VirtualNetwork' - destinationAddressPrefix: 'VirtualNetwork' - access: 'Allow' - priority: 103 - direction: 'Outbound' - } - } - { - name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub' - properties: { - description: 'Required for worker communication with Azure Eventhub services.' 
- protocol: 'Tcp'
- sourcePortRange: '*'
- destinationPortRange: '9093'
- sourceAddressPrefix: 'VirtualNetwork'
- destinationAddressPrefix: 'EventHub'
- access: 'Allow'
- priority: 104
- direction: 'Outbound'
- }
- }
- ]
- }
-}
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 20, 0)
- }
- }
- {
- name: 'custom-public-subnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 20, 1)
- networkSecurityGroup: {
- id: networkSecurityGroup.id
- }
- delegations: [
- {
- name: 'databricksDelegation'
- properties: {
- serviceName: 'Microsoft.Databricks/workspaces'
- }
- }
- ]
- }
- }
- {
- name: 'custom-private-subnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 20, 2)
- networkSecurityGroup: {
- id: networkSecurityGroup.id
- }
- delegations: [
- {
- name: 'databricksDelegation'
- properties: {
- serviceName: 'Microsoft.Databricks/workspaces'
- }
- }
- ]
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.azuredatabricks.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-@description('The resource ID of the created Virtual Network Default Subnet.')
-output defaultSubnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The name of the created Virtual Network Public Subnet.')
-output customPublicSubnetName string = virtualNetwork.properties.subnets[1].name
-
-@description('The name of the created Virtual Network Private Subnet.')
-output customPrivateSubnetName string = 
virtualNetwork.properties.subnets[2].name
-
-@description('The resource ID of the created Virtual Network.')
-output virtualNetworkResourceId string = virtualNetwork.id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
-
-@description('The resource ID of the created Azure Machine Learning Workspace.')
-output machineLearningWorkspaceResourceId string = machineLearningWorkspace.id
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
-
-@description('The resource ID of the created Disk Key Vault.')
-output keyVaultDiskResourceId string = keyVaultDisk.id
-
-@description('The resource ID of the created Load Balancer.')
-output loadBalancerResourceId string = loadBalancer.id
-
-@description('The name of the created Load Balancer Backend Pool.')
-output loadBalancerBackendPoolName string = loadBalancer.properties.backendAddressPools[0].name
-
-@description('The name of the created Key Vault encryption key.')
-output keyVaultKeyName string = keyVault::key.name
-
-@description('The name of the created Key Vault Disk encryption key.')
-output keyVaultDiskKeyName string = keyVaultDisk::key.name
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 66928e1121..0000000000
--- a/modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,150 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-databricks.workspaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dwwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Generated. Used as a basis for unique resource names.')
-param baseTime string = utcNow('u')
-
-@description('Optional. 
A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- amlWorkspaceName: 'dep-${namePrefix}-aml-${serviceShort}'
- applicationInsightsName: 'dep-${namePrefix}-appi-${serviceShort}'
- loadBalancerName: 'dep-${namePrefix}-lb-${serviceShort}'
- storageAccountName: 'dep${namePrefix}sa${serviceShort}'
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- networkSecurityGroupName: 'dep-${namePrefix}-nsg-${serviceShort}'
- // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}'
- keyVaultDiskName: 'dep-${namePrefix}-kve-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: 
resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- diagnosticSettings: [
- {
- name: 'customSetting'
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- logCategoriesAndGroups: [
- {
- category: 'jobs'
- }
- {
- category: 'notebook'
-
- }
- ]
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- customerManagedKey: {
- keyName: nestedDependencies.outputs.keyVaultKeyName
- keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- }
- customerManagedKeyManagedDisk: {
- keyName: nestedDependencies.outputs.keyVaultDiskKeyName
- keyVaultResourceId: nestedDependencies.outputs.keyVaultDiskResourceId
- rotationToLatestKeyVersionEnabled: true
- }
- storageAccountName: 'sa${namePrefix}${serviceShort}001'
- storageAccountSkuName: 'Standard_ZRS'
- publicIpName: 'nat-gw-public-ip'
- natGatewayName: 'nat-gateway'
- prepareEncryption: true
- requiredNsgRules: 'NoAzureDatabricksRules'
- skuName: 'premium'
- amlWorkspaceResourceId: nestedDependencies.outputs.machineLearningWorkspaceResourceId
- customPrivateSubnetName: nestedDependencies.outputs.customPrivateSubnetName
- customPublicSubnetName: nestedDependencies.outputs.customPublicSubnetName
- publicNetworkAccess: 'Disabled'
- disablePublicIp: true
- loadBalancerResourceId: nestedDependencies.outputs.loadBalancerResourceId
- loadBalancerBackendPoolName: nestedDependencies.outputs.loadBalancerBackendPoolName
- customVirtualNetworkResourceId: nestedDependencies.outputs.virtualNetworkResourceId
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- subnetResourceId: nestedDependencies.outputs.defaultSubnetResourceId
- tags: {
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- managedResourceGroupResourceId: '${subscription().id}/resourceGroups/rg-${resourceGroupName}-managed'
- requireInfrastructureEncryption: true
- vnetAddressPrefix: '10.100'
- location: resourceGroup.location
- }
-}]
diff --git a/modules/databricks/workspace/version.json b/modules/databricks/workspace/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/databricks/workspace/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/db-for-my-sql/flexible-server/MOVED-TO-AVM.md b/modules/db-for-my-sql/flexible-server/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/db-for-my-sql/flexible-server/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/db-for-my-sql/flexible-server/README.md b/modules/db-for-my-sql/flexible-server/README.md
index db86ab4811..e07b9d744a 100644
--- a/modules/db-for-my-sql/flexible-server/README.md
+++ b/modules/db-for-my-sql/flexible-server/README.md
@@ -1,1288 +1,7 @@
-# DBforMySQL Flexible Servers `[Microsoft.DBforMySQL/flexibleServers]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/db-for-my-sql/flexible-server](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/db-for-my-sql/flexible-server).** -This module deploys a DBforMySQL Flexible Server. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/db-for-my-sql/flexible-server). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.DBforMySQL/flexibleServers` | [2022-09-30-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DBforMySQL/2022-09-30-preview/flexibleServers) | -| `Microsoft.DBforMySQL/flexibleServers/administrators` | [2022-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DBforMySQL/2022-01-01/flexibleServers/administrators) | -| `Microsoft.DBforMySQL/flexibleServers/databases` | [2022-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DBforMySQL/2022-01-01/flexibleServers/databases) | -| `Microsoft.DBforMySQL/flexibleServers/firewallRules` | 
[2022-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DBforMySQL/2022-01-01/flexibleServers/firewallRules) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/db-for-my-sql.flexible-server:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Private](#example-2-private) -- [Public](#example-3-public) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dfmsfsmin' - params: { - // Required parameters - name: 'dfmsfsmin001' - skuName: 'Standard_B1ms' - tier: 'Burstable' - // Non-required parameters - administratorLogin: 'adminUserName' - administratorLoginPassword: '' - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dfmsfsmin001" - }, - "skuName": { - "value": "Standard_B1ms" - }, - "tier": { - "value": "Burstable" - }, - // Non-required parameters - "administratorLogin": { - "value": "adminUserName" - }, - "administratorLoginPassword": { - "value": "" - }, - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Private_ - -

- -via Bicep module - -```bicep -module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dfmsfspvt' - params: { - // Required parameters - name: 'dfmsfspvt001' - skuName: 'Standard_D2ds_v4' - tier: 'GeneralPurpose' - // Non-required parameters - administratorLogin: 'adminUserName' - administratorLoginPassword: '' - administrators: [ - { - identityResourceId: '' - login: '' - sid: '' - } - ] - backupRetentionDays: 10 - databases: [ - { - name: 'testdb1' - } - ] - delegatedSubnetResourceId: '' - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - highAvailability: 'SameZone' - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - privateDnsZoneResourceId: '' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - storageAutoGrow: 'Enabled' - storageAutoIoScaling: 'Enabled' - storageIOPS: 400 - storageSizeGB: 64 - tags: { - 'hidden-title': 'This is visible in the resource name' - resourceType: 'MySQL Flexible Server' - serverName: 'dfmsfspvt001' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dfmsfspvt001" - }, - "skuName": { - "value": "Standard_D2ds_v4" - }, - "tier": { - "value": "GeneralPurpose" - }, - // Non-required parameters - "administratorLogin": { - "value": "adminUserName" - }, - "administratorLoginPassword": { - "value": "" - }, - "administrators": { - "value": [ - { - "identityResourceId": "", - "login": "", - "sid": "" - } - ] - }, - "backupRetentionDays": { - "value": 10 - }, - "databases": { - "value": [ - { - "name": "testdb1" - } - ] - }, - "delegatedSubnetResourceId": { - "value": "" - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "highAvailability": { - "value": "SameZone" - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "privateDnsZoneResourceId": { - "value": "" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "storageAutoGrow": { - "value": "Enabled" - }, - "storageAutoIoScaling": { - "value": "Enabled" - }, - "storageIOPS": { - "value": 400 - }, - "storageSizeGB": { - "value": 64 - }, - "tags": { - "value": { - 
"hidden-title": "This is visible in the resource name", - "resourceType": "MySQL Flexible Server", - "serverName": "dfmsfspvt001" - } - } - } -} -``` - -
-

- -### Example 3: _Public_ - -

- -via Bicep module - -```bicep -module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dfmsfsp' - params: { - // Required parameters - name: 'dfmsfsp001' - skuName: 'Standard_D2ds_v4' - tier: 'GeneralPurpose' - // Non-required parameters - administratorLogin: 'adminUserName' - administratorLoginPassword: '' - availabilityZone: '1' - backupRetentionDays: 20 - customerManagedKey: { - keyName: '' - keyVaultResourceId: '' - userAssignedIdentityResourceId: '' - } - customerManagedKeyGeo: { - keyName: '' - keyVaultResourceId: '' - userAssignedIdentityResourceId: '' - } - databases: [ - { - name: 'testdb1' - } - { - charset: 'ascii' - collation: 'ascii_general_ci' - name: 'testdb2' - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - firewallRules: [ - { - endIpAddress: '0.0.0.0' - name: 'AllowAllWindowsAzureIps' - startIpAddress: '0.0.0.0' - } - { - endIpAddress: '10.10.10.10' - name: 'test-rule1' - startIpAddress: '10.10.10.1' - } - { - endIpAddress: '100.100.100.10' - name: 'test-rule2' - startIpAddress: '100.100.100.1' - } - ] - geoRedundantBackup: 'Enabled' - highAvailability: 'SameZone' - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - userAssignedResourceIds: [ - '' - '' - ] - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - storageAutoGrow: 'Enabled' - storageAutoIoScaling: 'Enabled' - storageIOPS: 400 - storageSizeGB: 32 - tags: { - 'hidden-title': 'This is visible in the resource name' - resourceType: 'MySQL Flexible Server' - serverName: 'dfmsfsp001' - } - version: '8.0.21' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dfmsfsp001" - }, - "skuName": { - "value": "Standard_D2ds_v4" - }, - "tier": { - "value": "GeneralPurpose" - }, - // Non-required parameters - "administratorLogin": { - "value": "adminUserName" - }, - "administratorLoginPassword": { - "value": "" - }, - "availabilityZone": { - "value": "1" - }, - "backupRetentionDays": { - "value": 20 - }, - "customerManagedKey": { - "value": { - "keyName": "", - "keyVaultResourceId": "", - "userAssignedIdentityResourceId": "" - } - }, - "customerManagedKeyGeo": { - "value": { - "keyName": "", - "keyVaultResourceId": "", - "userAssignedIdentityResourceId": "" - } - }, - "databases": { - "value": [ - { - "name": "testdb1" - }, - { - "charset": "ascii", - "collation": "ascii_general_ci", - "name": "testdb2" - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "firewallRules": { - "value": [ - { - "endIpAddress": "0.0.0.0", - "name": "AllowAllWindowsAzureIps", - "startIpAddress": "0.0.0.0" - }, - { - "endIpAddress": "10.10.10.10", - "name": "test-rule1", - "startIpAddress": "10.10.10.1" - }, - { - "endIpAddress": "100.100.100.10", - "name": "test-rule2", - "startIpAddress": "100.100.100.1" - } - ] - }, - "geoRedundantBackup": { - "value": "Enabled" - }, - "highAvailability": { - "value": "SameZone" - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "", - "" - ] - } - }, - 
"roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "storageAutoGrow": { - "value": "Enabled" - }, - "storageAutoIoScaling": { - "value": "Enabled" - }, - "storageIOPS": { - "value": 400 - }, - "storageSizeGB": { - "value": 32 - }, - "tags": { - "value": { - "hidden-title": "This is visible in the resource name", - "resourceType": "MySQL Flexible Server", - "serverName": "dfmsfsp001" - } - }, - "version": { - "value": "8.0.21" - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the MySQL flexible server. | -| [`skuName`](#parameter-skuname) | string | The name of the sku, typically, tier + family + cores, e.g. Standard_D4s_v3. | -| [`tier`](#parameter-tier) | string | The tier of the particular SKU. Tier must align with the "skuName" property. Example, tier cannot be "Burstable" if skuName is "Standard_D4s_v3". | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. Required if 'customerManagedKey' is not empty. | -| [`privateDnsZoneResourceId`](#parameter-privatednszoneresourceid) | string | Private dns zone arm resource ID. Used when the desired connectivity mode is "Private Access". Required if "delegatedSubnetResourceId" is used and the Private DNS Zone name must end with mysql.database.azure.com in order to be linked to the MySQL Flexible Server. | -| [`restorePointInTime`](#parameter-restorepointintime) | string | Restore point creation time (ISO8601 format), specifying the time to restore from. Required if "createMode" is set to "PointInTimeRestore". | -| [`sourceServerResourceId`](#parameter-sourceserverresourceid) | string | The source MySQL server ID. Required if "createMode" is set to "PointInTimeRestore". | -| [`storageAutoGrow`](#parameter-storageautogrow) | string | Enable Storage Auto Grow or not. Storage auto-growth prevents a server from running out of storage and becoming read-only. Required if "highAvailability" is not "Disabled". | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`administratorLogin`](#parameter-administratorlogin) | string | The administrator login name of a server. Can only be specified when the MySQL server is being created. 
| -| [`administratorLoginPassword`](#parameter-administratorloginpassword) | securestring | The administrator login password. | -| [`administrators`](#parameter-administrators) | array | The Azure AD administrators when AAD authentication enabled. | -| [`availabilityZone`](#parameter-availabilityzone) | string | Availability zone information of the server. Default will have no preference set. | -| [`backupRetentionDays`](#parameter-backupretentiondays) | int | Backup retention days for the server. | -| [`createMode`](#parameter-createmode) | string | The mode to create a new MySQL server. | -| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition to use for the managed service. | -| [`customerManagedKeyGeo`](#parameter-customermanagedkeygeo) | object | The customer managed key definition to use when geoRedundantBackup is "Enabled". | -| [`databases`](#parameter-databases) | array | The databases to create in the server. | -| [`delegatedSubnetResourceId`](#parameter-delegatedsubnetresourceid) | string | Delegated subnet arm resource ID. Used when the desired connectivity mode is "Private Access" - virtual network integration. Delegation must be enabled on the subnet for MySQL Flexible Servers and subnet CIDR size is /29. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`firewallRules`](#parameter-firewallrules) | array | The firewall rules to create in the MySQL flexible server. | -| [`geoRedundantBackup`](#parameter-georedundantbackup) | string | A value indicating whether Geo-Redundant backup is enabled on the server. If "Enabled" and "cMKKeyName" is not empty, then "geoBackupCMKKeyVaultResourceId" and "cMKUserAssignedIdentityResourceId" are also required. 
| -| [`highAvailability`](#parameter-highavailability) | string | The mode for High Availability (HA). It is not supported for the Burstable pricing tier and Zone redundant HA can only be set during server provisioning. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`maintenanceWindow`](#parameter-maintenancewindow) | object | Properties for the maintenence window. If provided, "customWindow" property must exist and set to "Enabled". | -| [`replicationRole`](#parameter-replicationrole) | string | The replication role. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the "roleDefinitionIdOrName" and "principalId" to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11". | -| [`storageAutoIoScaling`](#parameter-storageautoioscaling) | string | Enable IO Auto Scaling or not. The server scales IOPs up or down automatically depending on your workload needs. | -| [`storageIOPS`](#parameter-storageiops) | int | Storage IOPS for a server. Max IOPS are determined by compute size. | -| [`storageSizeGB`](#parameter-storagesizegb) | int | Max storage allowed for a server. In all compute tiers, the minimum storage supported is 20 GiB and maximum is 16 TiB. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`version`](#parameter-version) | string | MySQL Server version. | - -### Parameter: `name` - -The name of the MySQL flexible server. - -- Required: Yes -- Type: string - -### Parameter: `skuName` - -The name of the sku, typically, tier + family + cores, e.g. Standard_D4s_v3. 
- -- Required: Yes -- Type: string - -### Parameter: `tier` - -The tier of the particular SKU. Tier must align with the "skuName" property. Example, tier cannot be "Burstable" if skuName is "Standard_D4s_v3". - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Burstable' - 'GeneralPurpose' - 'MemoryOptimized' - ] - ``` - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. Required if 'customerManagedKey' is not empty. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: Yes -- Type: array - -### Parameter: `privateDnsZoneResourceId` - -Private dns zone arm resource ID. Used when the desired connectivity mode is "Private Access". Required if "delegatedSubnetResourceId" is used and the Private DNS Zone name must end with mysql.database.azure.com in order to be linked to the MySQL Flexible Server. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `restorePointInTime` - -Restore point creation time (ISO8601 format), specifying the time to restore from. Required if "createMode" is set to "PointInTimeRestore". - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `sourceServerResourceId` - -The source MySQL server ID. Required if "createMode" is set to "PointInTimeRestore". - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `storageAutoGrow` - -Enable Storage Auto Grow or not. Storage auto-growth prevents a server from running out of storage and becoming read-only. Required if "highAvailability" is not "Disabled". 
- -- Required: No -- Type: string -- Default: `'Disabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `administratorLogin` - -The administrator login name of a server. Can only be specified when the MySQL server is being created. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `administratorLoginPassword` - -The administrator login password. - -- Required: No -- Type: securestring -- Default: `''` - -### Parameter: `administrators` - -The Azure AD administrators when AAD authentication enabled. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `availabilityZone` - -Availability zone information of the server. Default will have no preference set. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - '1' - '2' - '3' - ] - ``` - -### Parameter: `backupRetentionDays` - -Backup retention days for the server. - -- Required: No -- Type: int -- Default: `7` - -### Parameter: `createMode` - -The mode to create a new MySQL server. - -- Required: No -- Type: string -- Default: `'Default'` -- Allowed: - ```Bicep - [ - 'Default' - 'GeoRestore' - 'PointInTimeRestore' - 'Replica' - ] - ``` - -### Parameter: `customerManagedKey` - -The customer managed key definition to use for the managed service. - -- Required: No -- Type: object - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. | -| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | -| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. 
| - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | - -### Parameter: `customerManagedKey.keyName` - -The name of the customer managed key to use for encryption. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKey.keyVaultResourceId` - -The resource ID of a key vault to reference a customer managed key for encryption from. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKey.userAssignedIdentityResourceId` - -User assigned identity to use when fetching the customer managed key. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKey.keyVersion` - -The version of the customer managed key to reference for encryption. If not provided, using 'latest'. - -- Required: No -- Type: string - -### Parameter: `customerManagedKeyGeo` - -The customer managed key definition to use when geoRedundantBackup is "Enabled". - -- Required: No -- Type: object - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyName`](#parameter-customermanagedkeygeokeyname) | string | The name of the customer managed key to use for encryption. | -| [`keyVaultResourceId`](#parameter-customermanagedkeygeokeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | -| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeygeouserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyVersion`](#parameter-customermanagedkeygeokeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. 
| - -### Parameter: `customerManagedKeyGeo.keyName` - -The name of the customer managed key to use for encryption. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKeyGeo.keyVaultResourceId` - -The resource ID of a key vault to reference a customer managed key for encryption from. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKeyGeo.userAssignedIdentityResourceId` - -User assigned identity to use when fetching the customer managed key. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKeyGeo.keyVersion` - -The version of the customer managed key to reference for encryption. If not provided, using 'latest'. - -- Required: No -- Type: string - -### Parameter: `databases` - -The databases to create in the server. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `delegatedSubnetResourceId` - -Delegated subnet arm resource ID. Used when the desired connectivity mode is "Private Access" - virtual network integration. Delegation must be enabled on the subnet for MySQL Flexible Servers and subnet CIDR size is /29. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
| -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `firewallRules` - -The firewall rules to create in the MySQL flexible server. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `geoRedundantBackup` - -A value indicating whether Geo-Redundant backup is enabled on the server. If "Enabled" and "cMKKeyName" is not empty, then "geoBackupCMKKeyVaultResourceId" and "cMKUserAssignedIdentityResourceId" are also required. - -- Required: No -- Type: string -- Default: `'Disabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `highAvailability` - -The mode for High Availability (HA). It is not supported for the Burstable pricing tier and Zone redundant HA can only be set during server provisioning. - -- Required: No -- Type: string -- Default: `'Disabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'SameZone' - 'ZoneRedundant' - ] - ``` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `maintenanceWindow` - -Properties for the maintenence window. If provided, "customWindow" property must exist and set to "Enabled". 
- -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `replicationRole` - -The replication role. - -- Required: No -- Type: string -- Default: `'None'` -- Allowed: - ```Bicep - [ - 'None' - 'Replica' - 'Source' - ] - ``` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the "roleDefinitionIdOrName" and "principalId" to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11". - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. 
| -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `storageAutoIoScaling` - -Enable IO Auto Scaling or not. The server scales IOPs up or down automatically depending on your workload needs. 
- -- Required: No -- Type: string -- Default: `'Disabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `storageIOPS` - -Storage IOPS for a server. Max IOPS are determined by compute size. - -- Required: No -- Type: int -- Default: `1000` - -### Parameter: `storageSizeGB` - -Max storage allowed for a server. In all compute tiers, the minimum storage supported is 20 GiB and maximum is 16 TiB. - -- Required: No -- Type: int -- Default: `64` -- Allowed: - ```Bicep - [ - 20 - 32 - 64 - 128 - 256 - 512 - 1024 - 2048 - 4096 - 8192 - 16384 - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `version` - -MySQL Server version. - -- Required: No -- Type: string -- Default: `'5.7'` -- Allowed: - ```Bicep - [ - '5.7' - '8.0.21' - ] - ``` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed MySQL Flexible server. | -| `resourceGroupName` | string | The resource group of the deployed MySQL Flexible server. | -| `resourceId` | string | The resource ID of the deployed MySQL Flexible server. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/db-for-my-sql/flexible-server/administrator/README.md b/modules/db-for-my-sql/flexible-server/administrator/README.md deleted file mode 100644 index 827b434ef7..0000000000 --- a/modules/db-for-my-sql/flexible-server/administrator/README.md +++ /dev/null 
@@ -1,105 +0,0 @@
-# DBforMySQL Flexible Server Administrators `[Microsoft.DBforMySQL/flexibleServers/administrators]`
-
-This module deploys a DBforMySQL Flexible Server Administrator.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.DBforMySQL/flexibleServers/administrators` | [2022-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DBforMySQL/2022-01-01/flexibleServers/administrators) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`identityResourceId`](#parameter-identityresourceid) | string | The resource ID of the identity used for AAD Authentication. |
-| [`login`](#parameter-login) | string | Login name of the server administrator. |
-| [`sid`](#parameter-sid) | string | SID (object ID) of the server administrator. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`flexibleServerName`](#parameter-flexibleservername) | string | The name of the parent DBforMySQL flexible server. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`location`](#parameter-location) | string | Location for all resources. |
-| [`tenantId`](#parameter-tenantid) | string | The tenantId of the Active Directory administrator. |
-
-### Parameter: `identityResourceId`
-
-The resource ID of the identity used for AAD Authentication.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `login`
-
-Login name of the server administrator.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `sid`
-
-SID (object ID) of the server administrator.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `flexibleServerName`
-
-The name of the parent DBforMySQL flexible server. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `location`
-
-Location for all resources.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-### Parameter: `tenantId`
-
-The tenantId of the Active Directory administrator.
-
-- Required: No
-- Type: string
-- Default: `[tenant().tenantId]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed administrator. |
-| `resourceGroupName` | string | The resource group of the deployed administrator. |
-| `resourceId` | string | The resource ID of the deployed administrator. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/db-for-my-sql/flexible-server/administrator/main.bicep b/modules/db-for-my-sql/flexible-server/administrator/main.bicep
deleted file mode 100644
index c5442f24ea..0000000000
--- a/modules/db-for-my-sql/flexible-server/administrator/main.bicep
+++ /dev/null
@@ -1,61 +0,0 @@
-metadata name = 'DBforMySQL Flexible Server Administrators'
-metadata description = 'This module deploys a DBforMySQL Flexible Server Administrator.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent DBforMySQL flexible server. Required if the template is used in a standalone deployment.')
-param flexibleServerName string
-
-@description('Required. SID (object ID) of the server administrator.')
-param sid string
-
-@description('Required. The resource ID of the identity used for AAD Authentication.')
-param identityResourceId string
-
-@description('Required. Login name of the server administrator.')
-param login string
-
-@description('Optional. The tenantId of the Active Directory administrator.')
-param tenantId string = tenant().tenantId
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource flexibleServer 'Microsoft.DBforMySQL/flexibleServers@2022-01-01' existing = {
- name: flexibleServerName
-}
-
-resource administrator 'Microsoft.DBforMySQL/flexibleServers/administrators@2022-01-01' = {
- name: 'ActiveDirectory'
- parent: flexibleServer
- properties: {
- administratorType: 'ActiveDirectory'
- identityResourceId: identityResourceId
- login: login
- sid: sid
- tenantId: tenantId
- }
-}
-
-@description('The name of the deployed administrator.')
-output name string = administrator.name
-
-@description('The resource ID of the deployed administrator.')
-output resourceId string = administrator.id
-
-@description('The resource group of the deployed administrator.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/db-for-my-sql/flexible-server/administrator/main.json b/modules/db-for-my-sql/flexible-server/administrator/main.json
deleted file mode 100644
index 347c0a171f..0000000000
--- a/modules/db-for-my-sql/flexible-server/administrator/main.json
+++ /dev/null
@@ -1,112 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "8863151548145849170" - }, - "name": "DBforMySQL Flexible Server Administrators", - "description": "This module deploys a DBforMySQL Flexible Server Administrator.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "flexibleServerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent DBforMySQL flexible server. Required if the template is used in a standalone deployment." - } - }, - "sid": { - "type": "string", - "metadata": { - "description": "Required. SID (object ID) of the server administrator." - } - }, - "identityResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the identity used for AAD Authentication." - } - }, - "login": { - "type": "string", - "metadata": { - "description": "Required. Login name of the server administrator." - } - }, - "tenantId": { - "type": "string", - "defaultValue": "[tenant().tenantId]", - "metadata": { - "description": "Optional. The tenantId of the Active Directory administrator." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DBforMySQL/flexibleServers/administrators", - "apiVersion": "2022-01-01", - "name": "[format('{0}/{1}', parameters('flexibleServerName'), 'ActiveDirectory')]", - "properties": { - "administratorType": "ActiveDirectory", - "identityResourceId": "[parameters('identityResourceId')]", - "login": "[parameters('login')]", - "sid": "[parameters('sid')]", - "tenantId": "[parameters('tenantId')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed administrator." - }, - "value": "ActiveDirectory" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed administrator." - }, - "value": "[resourceId('Microsoft.DBforMySQL/flexibleServers/administrators', parameters('flexibleServerName'), 'ActiveDirectory')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed administrator." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/db-for-my-sql/flexible-server/administrator/version.json b/modules/db-for-my-sql/flexible-server/administrator/version.json deleted file mode 100644 index 7fa401bdf7..0000000000 --- a/modules/db-for-my-sql/flexible-server/administrator/version.json +++ /dev/null 
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.1",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/db-for-my-sql/flexible-server/database/README.md b/modules/db-for-my-sql/flexible-server/database/README.md
deleted file mode 100644
index 4bcb034a0b..0000000000
--- a/modules/db-for-my-sql/flexible-server/database/README.md
+++ /dev/null
@@ -1,98 +0,0 @@
-# DBforMySQL Flexible Server Databases `[Microsoft.DBforMySQL/flexibleServers/databases]`
-
-This module deploys a DBforMySQL Flexible Server Database.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.DBforMySQL/flexibleServers/databases` | [2022-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DBforMySQL/2022-01-01/flexibleServers/databases) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the database. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`flexibleServerName`](#parameter-flexibleservername) | string | The name of the parent MySQL flexible server. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`charset`](#parameter-charset) | string | The charset of the database. |
-| [`collation`](#parameter-collation) | string | The collation of the database. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`location`](#parameter-location) | string | Location for all resources. |
-
-### Parameter: `name`
-
-The name of the database.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `flexibleServerName`
-
-The name of the parent MySQL flexible server. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `charset`
-
-The charset of the database.
-
-- Required: No
-- Type: string
-- Default: `'utf8_general_ci'`
-
-### Parameter: `collation`
-
-The collation of the database.
-
-- Required: No
-- Type: string
-- Default: `'utf8'`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `location`
-
-Location for all resources.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed database. |
-| `resourceGroupName` | string | The resource group of the deployed database. |
-| `resourceId` | string | The resource ID of the deployed database. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/db-for-my-sql/flexible-server/database/main.bicep b/modules/db-for-my-sql/flexible-server/database/main.bicep
deleted file mode 100644
index 2c4fd62547..0000000000
--- a/modules/db-for-my-sql/flexible-server/database/main.bicep
+++ /dev/null
@@ -1,55 +0,0 @@
-metadata name = 'DBforMySQL Flexible Server Databases'
-metadata description = 'This module deploys a DBforMySQL Flexible Server Database.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the database.')
-param name string
-
-@description('Conditional. The name of the parent MySQL flexible server. Required if the template is used in a standalone deployment.')
-param flexibleServerName string
-
-@description('Optional. The collation of the database.')
-param collation string = 'utf8'
-
-@description('Optional. The charset of the database.')
-param charset string = 'utf8_general_ci'
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource flexibleServer 'Microsoft.DBforMySQL/flexibleServers@2022-09-30-preview' existing = {
- name: flexibleServerName
-}
-
-resource database 'Microsoft.DBforMySQL/flexibleServers/databases@2022-01-01' = {
- name: name
- parent: flexibleServer
- properties: {
- collation: !empty(collation) ? collation : null
- charset: !empty(charset) ? charset : null
- }
-}
-
-@description('The name of the deployed database.')
-output name string = database.name
-
-@description('The resource ID of the deployed database.')
-output resourceId string = database.id
-
-@description('The resource group of the deployed database.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/db-for-my-sql/flexible-server/database/main.json b/modules/db-for-my-sql/flexible-server/database/main.json
deleted file mode 100644
index c7747c6684..0000000000
--- a/modules/db-for-my-sql/flexible-server/database/main.json
+++ /dev/null
@@ -1,104 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "7585808247826533259" - }, - "name": "DBforMySQL Flexible Server Databases", - "description": "This module deploys a DBforMySQL Flexible Server Database.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the database." - } - }, - "flexibleServerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent MySQL flexible server. Required if the template is used in a standalone deployment." - } - }, - "collation": { - "type": "string", - "defaultValue": "utf8", - "metadata": { - "description": "Optional. The collation of the database." - } - }, - "charset": { - "type": "string", - "defaultValue": "utf8_general_ci", - "metadata": { - "description": "Optional. The charset of the database." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DBforMySQL/flexibleServers/databases", - "apiVersion": "2022-01-01", - "name": "[format('{0}/{1}', parameters('flexibleServerName'), parameters('name'))]", - "properties": { - "collation": "[if(not(empty(parameters('collation'))), parameters('collation'), null())]", - "charset": "[if(not(empty(parameters('charset'))), parameters('charset'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed database." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed database." - }, - "value": "[resourceId('Microsoft.DBforMySQL/flexibleServers/databases', parameters('flexibleServerName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed database." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/db-for-my-sql/flexible-server/database/version.json b/modules/db-for-my-sql/flexible-server/database/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/db-for-my-sql/flexible-server/database/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/db-for-my-sql/flexible-server/firewall-rule/README.md b/modules/db-for-my-sql/flexible-server/firewall-rule/README.md
deleted file mode 100644
index 593969aa25..0000000000
--- a/modules/db-for-my-sql/flexible-server/firewall-rule/README.md
+++ /dev/null
@@ -1,87 +0,0 @@
-# DBforMySQL Flexible Server Firewall Rules `[Microsoft.DBforMySQL/flexibleServers/firewallRules]`
-
-This module deploys a DBforMySQL Flexible Server Firewall Rule.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.DBforMySQL/flexibleServers/firewallRules` | [2022-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DBforMySQL/2022-01-01/flexibleServers/firewallRules) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`endIpAddress`](#parameter-endipaddress) | string | The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value '0.0.0.0' for all Azure-internal IP addresses. |
-| [`name`](#parameter-name) | string | The name of the MySQL flexible server Firewall Rule. |
-| [`startIpAddress`](#parameter-startipaddress) | string | The start IP address of the firewall rule. Must be IPv4 format. Use value '0.0.0.0' for all Azure-internal IP addresses. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`flexibleServerName`](#parameter-flexibleservername) | string | The name of the parent MySQL flexible server. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-
-### Parameter: `endIpAddress`
-
-The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value '0.0.0.0' for all Azure-internal IP addresses.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `name`
-
-The name of the MySQL flexible server Firewall Rule.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `startIpAddress`
-
-The start IP address of the firewall rule. Must be IPv4 format. Use value '0.0.0.0' for all Azure-internal IP addresses.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `flexibleServerName`
-
-The name of the parent MySQL flexible server. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed firewall rule. |
-| `resourceGroupName` | string | The resource group of the deployed firewall rule. |
-| `resourceId` | string | The resource ID of the deployed firewall rule. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/db-for-my-sql/flexible-server/firewall-rule/main.bicep b/modules/db-for-my-sql/flexible-server/firewall-rule/main.bicep
deleted file mode 100644
index cba30a70e3..0000000000
--- a/modules/db-for-my-sql/flexible-server/firewall-rule/main.bicep
+++ /dev/null
@@ -1,52 +0,0 @@
-metadata name = 'DBforMySQL Flexible Server Firewall Rules'
-metadata description = 'This module deploys a DBforMySQL Flexible Server Firewall Rule.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the MySQL flexible server Firewall Rule.')
-param name string
-
-@description('Required. The start IP address of the firewall rule. Must be IPv4 format. Use value \'0.0.0.0\' for all Azure-internal IP addresses.')
-param startIpAddress string
-
-@description('Required. The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value \'0.0.0.0\' for all Azure-internal IP addresses.')
-param endIpAddress string
-
-@description('Conditional. The name of the parent MySQL flexible server. Required if the template is used in a standalone deployment.')
-param flexibleServerName string
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource flexibleServer 'Microsoft.DBforMySQL/flexibleServers@2022-09-30-preview' existing = {
- name: flexibleServerName
-}
-
-resource firewallRule 'Microsoft.DBforMySQL/flexibleServers/firewallRules@2022-01-01' = {
- name: name
- parent: flexibleServer
- properties: {
- endIpAddress: endIpAddress
- startIpAddress: startIpAddress
- }
-}
-
-@description('The name of the deployed firewall rule.')
-output name string = firewallRule.name
-
-@description('The resource ID of the deployed firewall rule.')
-output resourceId string = firewallRule.id
-
-@description('The resource group of the deployed firewall rule.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/db-for-my-sql/flexible-server/firewall-rule/main.json b/modules/db-for-my-sql/flexible-server/firewall-rule/main.json
deleted file mode 100644
index c86c3c1a46..0000000000
--- a/modules/db-for-my-sql/flexible-server/firewall-rule/main.json
+++ /dev/null
@@ -1,95 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9889972221731602451" - }, - "name": "DBforMySQL Flexible Server Firewall Rules", - "description": "This module deploys a DBforMySQL Flexible Server Firewall Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the MySQL flexible server Firewall Rule." - } - }, - "startIpAddress": { - "type": "string", - "metadata": { - "description": "Required. The start IP address of the firewall rule. Must be IPv4 format. Use value '0.0.0.0' for all Azure-internal IP addresses." - } - }, - "endIpAddress": { - "type": "string", - "metadata": { - "description": "Required. The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value '0.0.0.0' for all Azure-internal IP addresses." - } - }, - "flexibleServerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent MySQL flexible server. Required if the template is used in a standalone deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DBforMySQL/flexibleServers/firewallRules", - "apiVersion": "2022-01-01", - "name": "[format('{0}/{1}', parameters('flexibleServerName'), parameters('name'))]", - "properties": { - "endIpAddress": "[parameters('endIpAddress')]", - "startIpAddress": "[parameters('startIpAddress')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed firewall rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed firewall rule." - }, - "value": "[resourceId('Microsoft.DBforMySQL/flexibleServers/firewallRules', parameters('flexibleServerName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed firewall rule." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/db-for-my-sql/flexible-server/firewall-rule/version.json b/modules/db-for-my-sql/flexible-server/firewall-rule/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/db-for-my-sql/flexible-server/firewall-rule/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/db-for-my-sql/flexible-server/main.bicep b/modules/db-for-my-sql/flexible-server/main.bicep
deleted file mode 100644
index d89c29094a..0000000000
--- a/modules/db-for-my-sql/flexible-server/main.bicep
+++ /dev/null
@@ -1,459 +0,0 @@
-metadata name = 'DBforMySQL Flexible Servers'
-metadata description = 'This module deploys a DBforMySQL Flexible Server.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the MySQL flexible server.')
-param name string
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. The administrator login name of a server. Can only be specified when the MySQL server is being created.')
-param administratorLogin string = ''
-
-@description('Optional. The administrator login password.')
-@secure()
-param administratorLoginPassword string = ''
-
-@description('Optional. The Azure AD administrators when AAD authentication enabled.')
-param administrators array = []
-
-@description('Required. The name of the sku, typically, tier + family + cores, e.g. Standard_D4s_v3.')
-param skuName string
-
-@allowed([
- 'GeneralPurpose'
- 'Burstable'
- 'MemoryOptimized'
-])
-@description('Required. The tier of the particular SKU. Tier must align with the "skuName" property. Example, tier cannot be "Burstable" if skuName is "Standard_D4s_v3".')
-param tier string
-
-@allowed([
- ''
- '1'
- '2'
- '3'
-])
-@description('Optional. Availability zone information of the server. Default will have no preference set.')
-param availabilityZone string = ''
-
-@minValue(1)
-@maxValue(35)
-@description('Optional. Backup retention days for the server.')
-param backupRetentionDays int = 7
-
-@allowed([
- 'Disabled'
- 'Enabled'
-])
-@description('Optional. A value indicating whether Geo-Redundant backup is enabled on the server. If "Enabled" and "cMKKeyName" is not empty, then "geoBackupCMKKeyVaultResourceId" and "cMKUserAssignedIdentityResourceId" are also required.')
-param geoRedundantBackup string = 'Disabled'
-
-@allowed([
- 'Default'
- 'GeoRestore'
- 'PointInTimeRestore'
- 'Replica'
-])
-@description('Optional. The mode to create a new MySQL server.')
-param createMode string = 'Default'
-
-@description('Conditional. The managed identity definition for this resource. Required if \'customerManagedKey\' is not empty.')
-param managedIdentities managedIdentitiesType
-
-@description('Optional. The customer managed key definition to use for the managed service.')
-param customerManagedKey customerManagedKeyType
-
-@description('Optional. The customer managed key definition to use when geoRedundantBackup is "Enabled".')
-param customerManagedKeyGeo customerManagedKeyType
-
-@allowed([
- 'Disabled'
- 'SameZone'
- 'ZoneRedundant'
-])
-@description('Optional. The mode for High Availability (HA). It is not supported for the Burstable pricing tier and Zone redundant HA can only be set during server provisioning.')
-param highAvailability string = 'Disabled'
-
-@description('Optional. Properties for the maintenence window. If provided, "customWindow" property must exist and set to "Enabled".')
-param maintenanceWindow object = {}
-
-@description('Optional. Delegated subnet arm resource ID. Used when the desired connectivity mode is "Private Access" - virtual network integration. Delegation must be enabled on the subnet for MySQL Flexible Servers and subnet CIDR size is /29.')
-param delegatedSubnetResourceId string = ''
-
-@description('Conditional. Private dns zone arm resource ID. Used when the desired connectivity mode is "Private Access". Required if "delegatedSubnetResourceId" is used and the Private DNS Zone name must end with mysql.database.azure.com in order to be linked to the MySQL Flexible Server.')
-param privateDnsZoneResourceId string = ''
-
-@description('Conditional. Restore point creation time (ISO8601 format), specifying the time to restore from. Required if "createMode" is set to "PointInTimeRestore".')
-param restorePointInTime string = ''
-
-@allowed([
- 'None'
- 'Replica'
- 'Source'
-])
-@description('Optional. The replication role.')
-param replicationRole string = 'None'
-
-@description('Conditional. The source MySQL server ID. Required if "createMode" is set to "PointInTimeRestore".')
-param sourceServerResourceId string = ''
-
-@allowed([
- 'Disabled'
- 'Enabled'
-])
-@description('Conditional. Enable Storage Auto Grow or not. Storage auto-growth prevents a server from running out of storage and becoming read-only. Required if "highAvailability" is not "Disabled".')
-param storageAutoGrow string = 'Disabled'
-
-@allowed([
- 'Disabled'
- 'Enabled'
-])
-@description('Optional. Enable IO Auto Scaling or not. The server scales IOPs up or down automatically depending on your workload needs.')
-param storageAutoIoScaling string = 'Disabled'
-
-@minValue(360)
-@maxValue(48000)
-@description('Optional. Storage IOPS for a server. Max IOPS are determined by compute size.')
-param storageIOPS int = 1000
-
-@allowed([
- 20
- 32
- 64
- 128
- 256
- 512
- 1024
- 2048
- 4096
- 8192
- 16384
-])
-@description('Optional. Max storage allowed for a server. In all compute tiers, the minimum storage supported is 20 GiB and maximum is 16 TiB.')
-param storageSizeGB int = 64
-
-@allowed([
- '5.7'
- '8.0.21'
-])
-@description('Optional. MySQL Server version.')
-param version string = '5.7'
-
-@description('Optional. The databases to create in the server.')
-param databases array = []
-
-@description('Optional. The firewall rules to create in the MySQL flexible server.')
-param firewallRules array = []
-
-@description('Optional. Array of role assignment objects that contain the "roleDefinitionIdOrName" and "principalId" to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11".')
-param roleAssignments roleAssignmentType
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-
-var identity = !empty(managedIdentities) ? {
- type: !empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null
- userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
-} : null
-
-var enableReferencedModulesTelemetry = false
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'MySQL Backup And Export Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd18ad5f3-1baf-4119-b49b-d944edb1f9d0')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) {
- name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/'))
- scope: resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4])
-
- resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) {
- name: customerManagedKey.?keyName ?? 'dummyKey'
- }
-}
-
-resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) {
- name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 'dummyMsi', '/'))
- scope: resourceGroup(split((customerManagedKey.?userAssignedIdentityResourceId ?? '//'), '/')[2], split((customerManagedKey.?userAssignedIdentityResourceId ?? '////'), '/')[4])
-}
-
-resource cMKGeoKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKeyGeo.?keyVaultResourceId)) {
- name: last(split((customerManagedKeyGeo.?keyVaultResourceId ?? 'dummyVault'), '/'))
- scope: resourceGroup(split((customerManagedKeyGeo.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKeyGeo.?keyVaultResourceId ?? '////'), '/')[4])
-
- resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKeyGeo.?keyVaultResourceId) && !empty(customerManagedKeyGeo.?keyName)) {
- name: customerManagedKeyGeo.?keyName ?? 'dummyKey'
- }
-}
-
-resource cMKGeoUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(customerManagedKeyGeo.?userAssignedIdentityResourceId)) {
- name: last(split(customerManagedKeyGeo.?userAssignedIdentityResourceId ?? 'dummyMsi', '/'))
- scope: resourceGroup(split((customerManagedKeyGeo.?userAssignedIdentityResourceId ?? '//'), '/')[2], split((customerManagedKeyGeo.?userAssignedIdentityResourceId ?? '////'), '/')[4])
-}
-
-resource flexibleServer 'Microsoft.DBforMySQL/flexibleServers@2022-09-30-preview' = {
- name: name
- location: location
- tags: tags
- sku: {
- name: skuName
- tier: tier
- }
- identity: identity
- properties: {
- administratorLogin: !empty(administratorLogin) ? administratorLogin : null
- administratorLoginPassword: !empty(administratorLoginPassword) ? administratorLoginPassword : null
- availabilityZone: availabilityZone
- backup: {
- backupRetentionDays: backupRetentionDays
- geoRedundantBackup: geoRedundantBackup
- }
- createMode: createMode
- dataEncryption: !empty(customerManagedKey) ? {
- type: 'AzureKeyVault'
- geoBackupKeyURI: geoRedundantBackup == 'Enabled' ? (!empty(customerManagedKeyGeo.?keyVersion ?? '') ? '${cMKGeoKeyVault::cMKKey.properties.keyUri}/${customerManagedKeyGeo!.keyVersion}' : cMKGeoKeyVault::cMKKey.properties.keyUriWithVersion) : null
- geoBackupUserAssignedIdentityId: geoRedundantBackup == 'Enabled' ? cMKGeoUserAssignedIdentity.id : null
- primaryKeyURI: !empty(customerManagedKey.?keyVersion ?? '') ? '${cMKKeyVault::cMKKey.properties.keyUri}/${customerManagedKey!.keyVersion}' : cMKKeyVault::cMKKey.properties.keyUriWithVersion
- primaryUserAssignedIdentityId: cMKUserAssignedIdentity.id
- } : null
- highAvailability: {
- mode: highAvailability
- standbyAvailabilityZone: highAvailability == 'SameZone' ? availabilityZone : null
- }
- maintenanceWindow: !empty(maintenanceWindow) ? {
- customWindow: maintenanceWindow.customWindow
- dayOfWeek: maintenanceWindow.customWindow == 'Enabled' ? maintenanceWindow.dayOfWeek : 0
- startHour: maintenanceWindow.customWindow == 'Enabled' ? maintenanceWindow.startHour : 0
- startMinute: maintenanceWindow.customWindow == 'Enabled' ? maintenanceWindow.startMinute : 0
- } : null
- network: !empty(delegatedSubnetResourceId) && empty(firewallRules) ? {
- delegatedSubnetResourceId: delegatedSubnetResourceId
- privateDnsZoneResourceId: privateDnsZoneResourceId
- } : null
- replicationRole: replicationRole
- restorePointInTime: restorePointInTime
- sourceServerResourceId: !empty(sourceServerResourceId) ? sourceServerResourceId : null
- storage: {
- autoGrow: storageAutoGrow
- autoIoScaling: storageAutoIoScaling
- iops: storageIOPS
- storageSizeGB: storageSizeGB
- }
- version: version
- }
-}
-
-resource flexibleServer_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: flexibleServer
-}
-
-resource flexibleServer_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(flexibleServer.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: flexibleServer
-}]
-
-module flexibleServer_databases 'database/main.bicep' = [for (database, index) in databases: {
- name: '${uniqueString(deployment().name, location)}-MySQL-DB-${index}'
- params: {
- name: database.name
- flexibleServerName: flexibleServer.name
- collation: contains(database, 'collation') ? database.collation : ''
- charset: contains(database, 'charset') ? database.charset : ''
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module flexibleServer_firewallRules 'firewall-rule/main.bicep' = [for (firewallRule, index) in firewallRules: {
- name: '${uniqueString(deployment().name, location)}-MySQL-FirewallRules-${index}'
- params: {
- name: firewallRule.name
- flexibleServerName: flexibleServer.name
- startIpAddress: firewallRule.startIpAddress
- endIpAddress: firewallRule.endIpAddress
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module flexibleServer_administrators 'administrator/main.bicep' = [for (administrator, index) in administrators: {
- name: '${uniqueString(deployment().name, location)}-MySQL-Administrators-${index}'
- params: {
- flexibleServerName: flexibleServer.name
- login: administrator.login
- sid: administrator.sid
- identityResourceId: administrator.identityResourceId
- tenantId: contains(administrator, 'tenantId') ? administrator.tenantId : tenant().tenantId
- }
-}]
-
-resource flexibleServer_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: flexibleServer
-}]
-
-@description('The name of the deployed MySQL Flexible server.')
-output name string = flexibleServer.name
-
-@description('The resource ID of the deployed MySQL Flexible server.')
-output resourceId string = flexibleServer.id
-
-@description('The resource group of the deployed MySQL Flexible server.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = flexibleServer.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
-
-type customerManagedKeyType = {
- @description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.')
- keyVaultResourceId: string
-
- @description('Required. The name of the customer managed key to use for encryption.')
- keyName: string
-
- @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.')
- keyVersion: string?
-
- @description('Required. User assigned identity to use when fetching the customer managed key.')
- userAssignedIdentityResourceId: string
-}?
diff --git a/modules/db-for-my-sql/flexible-server/main.json b/modules/db-for-my-sql/flexible-server/main.json
deleted file mode 100644
index 5d63ee48ca..0000000000
--- a/modules/db-for-my-sql/flexible-server/main.json
+++ /dev/null
@@ -1,1177 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13509958318011769977" - }, - "name": "DBforMySQL Flexible Servers", - "description": "This module deploys a DBforMySQL Flexible Server.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. 
The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." 
- } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - }, - "customerManagedKeyType": { - "type": "object", - "properties": { - "keyVaultResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." - } - }, - "keyName": { - "type": "string", - "metadata": { - "description": "Required. The name of the customer managed key to use for encryption." - } - }, - "keyVersion": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." - } - }, - "userAssignedIdentityResourceId": { - "type": "string", - "metadata": { - "description": "Required. User assigned identity to use when fetching the customer managed key." - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the MySQL flexible server." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "administratorLogin": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
The administrator login name of a server. Can only be specified when the MySQL server is being created." - } - }, - "administratorLoginPassword": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. The administrator login password." - } - }, - "administrators": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The Azure AD administrators when AAD authentication enabled." - } - }, - "skuName": { - "type": "string", - "metadata": { - "description": "Required. The name of the sku, typically, tier + family + cores, e.g. Standard_D4s_v3." - } - }, - "tier": { - "type": "string", - "allowedValues": [ - "GeneralPurpose", - "Burstable", - "MemoryOptimized" - ], - "metadata": { - "description": "Required. The tier of the particular SKU. Tier must align with the \"skuName\" property. Example, tier cannot be \"Burstable\" if skuName is \"Standard_D4s_v3\"." - } - }, - "availabilityZone": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "1", - "2", - "3" - ], - "metadata": { - "description": "Optional. Availability zone information of the server. Default will have no preference set." - } - }, - "backupRetentionDays": { - "type": "int", - "defaultValue": 7, - "minValue": 1, - "maxValue": 35, - "metadata": { - "description": "Optional. Backup retention days for the server." - } - }, - "geoRedundantBackup": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. A value indicating whether Geo-Redundant backup is enabled on the server. If \"Enabled\" and \"cMKKeyName\" is not empty, then \"geoBackupCMKKeyVaultResourceId\" and \"cMKUserAssignedIdentityResourceId\" are also required." - } - }, - "createMode": { - "type": "string", - "defaultValue": "Default", - "allowedValues": [ - "Default", - "GeoRestore", - "PointInTimeRestore", - "Replica" - ], - "metadata": { - "description": "Optional. 
The mode to create a new MySQL server." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Conditional. The managed identity definition for this resource. Required if 'customerManagedKey' is not empty." - } - }, - "customerManagedKey": { - "$ref": "#/definitions/customerManagedKeyType", - "metadata": { - "description": "Optional. The customer managed key definition to use for the managed service." - } - }, - "customerManagedKeyGeo": { - "$ref": "#/definitions/customerManagedKeyType", - "metadata": { - "description": "Optional. The customer managed key definition to use when geoRedundantBackup is \"Enabled\"." - } - }, - "highAvailability": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "SameZone", - "ZoneRedundant" - ], - "metadata": { - "description": "Optional. The mode for High Availability (HA). It is not supported for the Burstable pricing tier and Zone redundant HA can only be set during server provisioning." - } - }, - "maintenanceWindow": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Properties for the maintenence window. If provided, \"customWindow\" property must exist and set to \"Enabled\"." - } - }, - "delegatedSubnetResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Delegated subnet arm resource ID. Used when the desired connectivity mode is \"Private Access\" - virtual network integration. Delegation must be enabled on the subnet for MySQL Flexible Servers and subnet CIDR size is /29." - } - }, - "privateDnsZoneResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. Private dns zone arm resource ID. Used when the desired connectivity mode is \"Private Access\". 
Required if \"delegatedSubnetResourceId\" is used and the Private DNS Zone name must end with mysql.database.azure.com in order to be linked to the MySQL Flexible Server." - } - }, - "restorePointInTime": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. Restore point creation time (ISO8601 format), specifying the time to restore from. Required if \"createMode\" is set to \"PointInTimeRestore\"." - } - }, - "replicationRole": { - "type": "string", - "defaultValue": "None", - "allowedValues": [ - "None", - "Replica", - "Source" - ], - "metadata": { - "description": "Optional. The replication role." - } - }, - "sourceServerResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The source MySQL server ID. Required if \"createMode\" is set to \"PointInTimeRestore\"." - } - }, - "storageAutoGrow": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Conditional. Enable Storage Auto Grow or not. Storage auto-growth prevents a server from running out of storage and becoming read-only. Required if \"highAvailability\" is not \"Disabled\"." - } - }, - "storageAutoIoScaling": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Enable IO Auto Scaling or not. The server scales IOPs up or down automatically depending on your workload needs." - } - }, - "storageIOPS": { - "type": "int", - "defaultValue": 1000, - "minValue": 360, - "maxValue": 48000, - "metadata": { - "description": "Optional. Storage IOPS for a server. Max IOPS are determined by compute size." - } - }, - "storageSizeGB": { - "type": "int", - "defaultValue": 64, - "allowedValues": [ - 20, - 32, - 64, - 128, - 256, - 512, - 1024, - 2048, - 4096, - 8192, - 16384 - ], - "metadata": { - "description": "Optional. Max storage allowed for a server. 
In all compute tiers, the minimum storage supported is 20 GiB and maximum is 16 TiB." - } - }, - "version": { - "type": "string", - "defaultValue": "5.7", - "allowedValues": [ - "5.7", - "8.0.21" - ], - "metadata": { - "description": "Optional. MySQL Server version." - } - }, - "databases": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The databases to create in the server." - } - }, - "firewallRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The firewall rules to create in the MySQL flexible server." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the \"roleDefinitionIdOrName\" and \"principalId\" to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \"/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\"." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null()), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "MySQL Backup And Export Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd18ad5f3-1baf-4119-b49b-d944edb1f9d0')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "cMKKeyVault::cMKKey": { - "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults/keys", - 
"apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", - "dependsOn": [ - "cMKKeyVault" - ] - }, - "cMKGeoKeyVault::cMKKey": { - "condition": "[and(not(empty(tryGet(parameters('customerManagedKeyGeo'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKeyGeo'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKeyGeo'), 'keyName')))))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults/keys", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKeyGeo'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKeyGeo'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKeyGeo'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKeyGeo'), 'keyName'), 'dummyKey'))]", - "dependsOn": [ - "cMKGeoKeyVault" - ] - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "cMKKeyVault": { - "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 
'keyVaultResourceId')))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" - }, - "cMKUserAssignedIdentity": { - "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')))]", - "existing": true, - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2023-01-31", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" - }, - "cMKGeoKeyVault": { - "condition": "[not(empty(tryGet(parameters('customerManagedKeyGeo'), 'keyVaultResourceId')))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKeyGeo'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKeyGeo'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKeyGeo'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" - }, - "cMKGeoUserAssignedIdentity": { - "condition": "[not(empty(tryGet(parameters('customerManagedKeyGeo'), 'userAssignedIdentityResourceId')))]", - "existing": true, - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2023-01-31", - "subscriptionId": 
"[split(coalesce(tryGet(parameters('customerManagedKeyGeo'), 'userAssignedIdentityResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKeyGeo'), 'userAssignedIdentityResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKeyGeo'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" - }, - "flexibleServer": { - "type": "Microsoft.DBforMySQL/flexibleServers", - "apiVersion": "2022-09-30-preview", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "name": "[parameters('skuName')]", - "tier": "[parameters('tier')]" - }, - "identity": "[variables('identity')]", - "properties": { - "administratorLogin": "[if(not(empty(parameters('administratorLogin'))), parameters('administratorLogin'), null())]", - "administratorLoginPassword": "[if(not(empty(parameters('administratorLoginPassword'))), parameters('administratorLoginPassword'), null())]", - "availabilityZone": "[parameters('availabilityZone')]", - "backup": { - "backupRetentionDays": "[parameters('backupRetentionDays')]", - "geoRedundantBackup": "[parameters('geoRedundantBackup')]" - }, - "createMode": "[parameters('createMode')]", - "dataEncryption": "[if(not(empty(parameters('customerManagedKey'))), createObject('type', 'AzureKeyVault', 'geoBackupKeyURI', if(equals(parameters('geoRedundantBackup'), 'Enabled'), if(not(empty(coalesce(tryGet(parameters('customerManagedKeyGeo'), 'keyVersion'), ''))), format('{0}/{1}', reference('cMKGeoKeyVault::cMKKey').keyUri, parameters('customerManagedKeyGeo').keyVersion), reference('cMKGeoKeyVault::cMKKey').keyUriWithVersion), null()), 'geoBackupUserAssignedIdentityId', if(equals(parameters('geoRedundantBackup'), 'Enabled'), extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKeyGeo'), 'userAssignedIdentityResourceId'), '//'), '/')[2], 
split(coalesce(tryGet(parameters('customerManagedKeyGeo'), 'userAssignedIdentityResourceId'), '////'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(coalesce(tryGet(parameters('customerManagedKeyGeo'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))), null()), 'primaryKeyURI', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), format('{0}/{1}', reference('cMKKeyVault::cMKKey').keyUri, parameters('customerManagedKey').keyVersion), reference('cMKKeyVault::cMKKey').keyUriWithVersion), 'primaryUserAssignedIdentityId', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/')))), null())]", - "highAvailability": { - "mode": "[parameters('highAvailability')]", - "standbyAvailabilityZone": "[if(equals(parameters('highAvailability'), 'SameZone'), parameters('availabilityZone'), null())]" - }, - "maintenanceWindow": "[if(not(empty(parameters('maintenanceWindow'))), createObject('customWindow', parameters('maintenanceWindow').customWindow, 'dayOfWeek', if(equals(parameters('maintenanceWindow').customWindow, 'Enabled'), parameters('maintenanceWindow').dayOfWeek, 0), 'startHour', if(equals(parameters('maintenanceWindow').customWindow, 'Enabled'), parameters('maintenanceWindow').startHour, 0), 'startMinute', if(equals(parameters('maintenanceWindow').customWindow, 'Enabled'), parameters('maintenanceWindow').startMinute, 0)), null())]", - "network": "[if(and(not(empty(parameters('delegatedSubnetResourceId'))), empty(parameters('firewallRules'))), createObject('delegatedSubnetResourceId', parameters('delegatedSubnetResourceId'), 
'privateDnsZoneResourceId', parameters('privateDnsZoneResourceId')), null())]", - "replicationRole": "[parameters('replicationRole')]", - "restorePointInTime": "[parameters('restorePointInTime')]", - "sourceServerResourceId": "[if(not(empty(parameters('sourceServerResourceId'))), parameters('sourceServerResourceId'), null())]", - "storage": { - "autoGrow": "[parameters('storageAutoGrow')]", - "autoIoScaling": "[parameters('storageAutoIoScaling')]", - "iops": "[parameters('storageIOPS')]", - "storageSizeGB": "[parameters('storageSizeGB')]" - }, - "version": "[parameters('version')]" - }, - "dependsOn": [ - "cMKGeoKeyVault", - "cMKGeoUserAssignedIdentity", - "cMKKeyVault", - "cMKUserAssignedIdentity" - ] - }, - "flexibleServer_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.DBforMySQL/flexibleServers/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "flexibleServer" - ] - }, - "flexibleServer_roleAssignments": { - "copy": { - "name": "flexibleServer_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.DBforMySQL/flexibleServers/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.DBforMySQL/flexibleServers', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "flexibleServer" - ] - }, - "flexibleServer_diagnosticSettings": { - "copy": { - "name": "flexibleServer_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": 
"[format('Microsoft.DBforMySQL/flexibleServers/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "flexibleServer" - ] - }, - "flexibleServer_databases": { - "copy": { - "name": "flexibleServer_databases", - "count": "[length(parameters('databases'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-MySQL-DB-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - 
"name": { - "value": "[parameters('databases')[copyIndex()].name]" - }, - "flexibleServerName": { - "value": "[parameters('name')]" - }, - "collation": "[if(contains(parameters('databases')[copyIndex()], 'collation'), createObject('value', parameters('databases')[copyIndex()].collation), createObject('value', ''))]", - "charset": "[if(contains(parameters('databases')[copyIndex()], 'charset'), createObject('value', parameters('databases')[copyIndex()].charset), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "7585808247826533259" - }, - "name": "DBforMySQL Flexible Server Databases", - "description": "This module deploys a DBforMySQL Flexible Server Database.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the database." - } - }, - "flexibleServerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent MySQL flexible server. Required if the template is used in a standalone deployment." - } - }, - "collation": { - "type": "string", - "defaultValue": "utf8", - "metadata": { - "description": "Optional. The collation of the database." - } - }, - "charset": { - "type": "string", - "defaultValue": "utf8_general_ci", - "metadata": { - "description": "Optional. The charset of the database." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. 
Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DBforMySQL/flexibleServers/databases", - "apiVersion": "2022-01-01", - "name": "[format('{0}/{1}', parameters('flexibleServerName'), parameters('name'))]", - "properties": { - "collation": "[if(not(empty(parameters('collation'))), parameters('collation'), null())]", - "charset": "[if(not(empty(parameters('charset'))), parameters('charset'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed database." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed database." - }, - "value": "[resourceId('Microsoft.DBforMySQL/flexibleServers/databases', parameters('flexibleServerName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed database." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "flexibleServer" - ] - }, - "flexibleServer_firewallRules": { - "copy": { - "name": "flexibleServer_firewallRules", - "count": "[length(parameters('firewallRules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-MySQL-FirewallRules-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('firewallRules')[copyIndex()].name]" - }, - "flexibleServerName": { - "value": "[parameters('name')]" - }, - "startIpAddress": { - "value": "[parameters('firewallRules')[copyIndex()].startIpAddress]" - }, - "endIpAddress": { - "value": "[parameters('firewallRules')[copyIndex()].endIpAddress]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9889972221731602451" - }, - "name": "DBforMySQL Flexible Server Firewall Rules", - "description": "This module deploys a DBforMySQL Flexible Server Firewall Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the MySQL flexible server Firewall Rule." - } - }, - "startIpAddress": { - "type": "string", - "metadata": { - "description": "Required. The start IP address of the firewall rule. Must be IPv4 format. Use value '0.0.0.0' for all Azure-internal IP addresses." - } - }, - "endIpAddress": { - "type": "string", - "metadata": { - "description": "Required. The end IP address of the firewall rule. Must be IPv4 format. 
Must be greater than or equal to startIpAddress. Use value '0.0.0.0' for all Azure-internal IP addresses." - } - }, - "flexibleServerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent MySQL flexible server. Required if the template is used in a standalone deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DBforMySQL/flexibleServers/firewallRules", - "apiVersion": "2022-01-01", - "name": "[format('{0}/{1}', parameters('flexibleServerName'), parameters('name'))]", - "properties": { - "endIpAddress": "[parameters('endIpAddress')]", - "startIpAddress": "[parameters('startIpAddress')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed firewall rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed firewall rule." - }, - "value": "[resourceId('Microsoft.DBforMySQL/flexibleServers/firewallRules', parameters('flexibleServerName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed firewall rule." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "flexibleServer" - ] - }, - "flexibleServer_administrators": { - "copy": { - "name": "flexibleServer_administrators", - "count": "[length(parameters('administrators'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-MySQL-Administrators-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "flexibleServerName": { - "value": "[parameters('name')]" - }, - "login": { - "value": "[parameters('administrators')[copyIndex()].login]" - }, - "sid": { - "value": "[parameters('administrators')[copyIndex()].sid]" - }, - "identityResourceId": { - "value": "[parameters('administrators')[copyIndex()].identityResourceId]" - }, - "tenantId": "[if(contains(parameters('administrators')[copyIndex()], 'tenantId'), createObject('value', parameters('administrators')[copyIndex()].tenantId), createObject('value', tenant().tenantId))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "8863151548145849170" - }, - "name": "DBforMySQL Flexible Server Administrators", - "description": "This module deploys a DBforMySQL Flexible Server Administrator.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "flexibleServerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent DBforMySQL flexible server. Required if the template is used in a standalone deployment." - } - }, - "sid": { - "type": "string", - "metadata": { - "description": "Required. SID (object ID) of the server administrator." 
- } - }, - "identityResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the identity used for AAD Authentication." - } - }, - "login": { - "type": "string", - "metadata": { - "description": "Required. Login name of the server administrator." - } - }, - "tenantId": { - "type": "string", - "defaultValue": "[tenant().tenantId]", - "metadata": { - "description": "Optional. The tenantId of the Active Directory administrator." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DBforMySQL/flexibleServers/administrators", - "apiVersion": "2022-01-01", - "name": "[format('{0}/{1}', parameters('flexibleServerName'), 'ActiveDirectory')]", - "properties": { - "administratorType": "ActiveDirectory", - "identityResourceId": "[parameters('identityResourceId')]", - "login": "[parameters('login')]", - "sid": "[parameters('sid')]", - "tenantId": "[parameters('tenantId')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed administrator." 
- }, - "value": "ActiveDirectory" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed administrator." - }, - "value": "[resourceId('Microsoft.DBforMySQL/flexibleServers/administrators', parameters('flexibleServerName'), 'ActiveDirectory')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed administrator." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "flexibleServer" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed MySQL Flexible server." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed MySQL Flexible server." - }, - "value": "[resourceId('Microsoft.DBforMySQL/flexibleServers', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed MySQL Flexible server." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('flexibleServer', '2022-09-30-preview', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/db-for-my-sql/flexible-server/tests/e2e/defaults/main.test.bicep b/modules/db-for-my-sql/flexible-server/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 60b6289226..0000000000 --- a/modules/db-for-my-sql/flexible-server/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,57 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-dbformysql.flexibleservers-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dfmsfsmin'
-
-@description('Optional. The password to leverage for the login.')
-@secure()
-param password string = newGuid()
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- administratorLogin: 'adminUserName'
- administratorLoginPassword: password
- skuName: 'Standard_B1ms'
- tier: 'Burstable'
- }
-}]
diff --git a/modules/db-for-my-sql/flexible-server/tests/e2e/private/dependencies.bicep b/modules/db-for-my-sql/flexible-server/tests/e2e/private/dependencies.bicep
deleted file mode 100644
index ca3c6ceec6..0000000000
--- a/modules/db-for-my-sql/flexible-server/tests/e2e/private/dependencies.bicep
+++ /dev/null
@@ -1,74 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- delegations: [
- {
- name: 'Microsoft.DBforMySQL.flexibleServers'
- properties: {
- serviceName: 'Microsoft.DBforMySQL/flexibleServers'
- }
- }
- ]
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'private.mysql.database.azure.com'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
-
-@description('The name of the created Managed Identity.')
-output managedIdentityName string = managedIdentity.name
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/db-for-my-sql/flexible-server/tests/e2e/private/main.test.bicep b/modules/db-for-my-sql/flexible-server/tests/e2e/private/main.test.bicep
deleted file mode 100644
index 46a67b9445..0000000000
--- a/modules/db-for-my-sql/flexible-server/tests/e2e/private/main.test.bicep
+++ /dev/null
@@ -1,144 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-dbformysql.flexibleservers-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dfmsfspvt'
-
-@description('Optional. The password to leverage for the login.')
-@secure()
-param password string = newGuid()
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- location: resourceGroup.location
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- resourceType: 'MySQL Flexible Server'
- serverName: '${namePrefix}${serviceShort}001'
- }
- administratorLogin: 'adminUserName'
- administratorLoginPassword: password
- skuName: 'Standard_D2ds_v4'
- tier: 'GeneralPurpose'
- delegatedSubnetResourceId: nestedDependencies.outputs.subnetResourceId
- privateDnsZoneResourceId: nestedDependencies.outputs.privateDNSZoneResourceId
- storageAutoIoScaling: 'Enabled'
- storageSizeGB: 64
- storageIOPS: 400
- backupRetentionDays: 10
- databases: [
- {
-
- name: 'testdb1'
- }
- ]
- highAvailability: 'SameZone'
- storageAutoGrow: 'Enabled'
- managedIdentities: {
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- administrators: [
- {
- identityResourceId: nestedDependencies.outputs.managedIdentityResourceId
- login: nestedDependencies.outputs.managedIdentityName
- sid: nestedDependencies.outputs.managedIdentityPrincipalId
- }
- ]
- }
-}]
diff --git a/modules/db-for-my-sql/flexible-server/tests/e2e/public/dependencies1.bicep b/modules/db-for-my-sql/flexible-server/tests/e2e/public/dependencies1.bicep
deleted file mode 100644
index 82fbab799d..0000000000
--- a/modules/db-for-my-sql/flexible-server/tests/e2e/public/dependencies1.bicep
+++ /dev/null
@@ -1,46 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Deployment Script to create to get the paired region name.')
-param pairedRegionScriptName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
- name: managedIdentityName
- location: location
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${location}-${managedIdentity.id}-Reader-RoleAssignment')
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') // Reader
- principalType: 'ServicePrincipal'
- }
-}
-
-resource getPairedRegionScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
- name: pairedRegionScriptName
- location: location
- kind: 'AzurePowerShell'
- identity: {
- type: 'UserAssigned'
- userAssignedIdentities: {
- '${managedIdentity.id}': {}
- }
- }
- properties: {
- azPowerShellVersion: '8.0'
- retentionInterval: 'P1D'
- arguments: '-Location \\"${location}\\"'
- scriptContent: loadTextContent('../../../../../.shared/.scripts/Get-PairedRegion.ps1')
- }
- dependsOn: [
- roleAssignment
- ]
-}
-
-@description('The name of the paired region.')
-output pairedRegionName string = getPairedRegionScript.properties.outputs.pairedRegionName
diff --git a/modules/db-for-my-sql/flexible-server/tests/e2e/public/dependencies2.bicep b/modules/db-for-my-sql/flexible-server/tests/e2e/public/dependencies2.bicep
deleted file mode 100644
index 258d087ade..0000000000
--- a/modules/db-for-my-sql/flexible-server/tests/e2e/public/dependencies2.bicep
+++ /dev/null
@@ -1,120 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the geo backup Key Vault to create.')
-param geoBackupKeyVaultName string
-
-@description('Required. The name of the geo backup Managed Identity to create.')
-param geoBackupManagedIdentityName string
-
-@description('Required. The location to deploy geo backup resources to.')
-param geoBackupLocation string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
- name: managedIdentityName
- location: location
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: true
- softDeleteRetentionInDays: 90
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-
- resource key 'keys@2023-02-01' = {
- name: 'keyEncryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-}
-
-resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment')
- scope: keyVault::key
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User
- principalType: 'ServicePrincipal'
- }
-}
-
-resource geoBackupManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
- name: geoBackupManagedIdentityName
- location: geoBackupLocation
-}
-
-resource geoBackupKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' = {
- name: geoBackupKeyVaultName
- location: geoBackupLocation
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: true
- softDeleteRetentionInDays: 90
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-
- resource key 'keys@2023-02-01' = {
- name: 'keyEncryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-}
-
-resource geoBackupKeyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${geoBackupKeyVault::key.id}-${geoBackupLocation}-${geoBackupManagedIdentity.id}-Key-Reader-RoleAssignment')
- scope: geoBackupKeyVault::key
- properties: {
- principalId: geoBackupManagedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User
- principalType: 'ServicePrincipal'
- }
-}
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
-
-@description('The name of the created encryption key.')
-output keyName string = keyVault::key.name
-
-@description('The resource ID of the created geo backup Managed Identity.')
-output geoBackupManagedIdentityResourceId string = geoBackupManagedIdentity.id
-
-@description('The resource ID of the created geo backup Key Vault.')
-output geoBackupKeyVaultResourceId string = geoBackupKeyVault.id
-
-@description('The name of the created geo backup encryption key.')
-output geoBackupKeyName string = geoBackupKeyVault::key.name
diff --git a/modules/db-for-my-sql/flexible-server/tests/e2e/public/main.test.bicep b/modules/db-for-my-sql/flexible-server/tests/e2e/public/main.test.bicep
deleted file mode 100644
index 7f522933c1..0000000000
--- a/modules/db-for-my-sql/flexible-server/tests/e2e/public/main.test.bicep
+++ /dev/null
@@ -1,179 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-dbformysql.flexibleservers-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dfmsfsp' - -@description('Optional. The password to leverage for the login.') -@secure() -param password string = newGuid() - -@description('Generated. Used as a basis for unique resource names.') -param baseTime string = utcNow('u') - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies1 'dependencies1.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies1' - params: { - // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) - location: location - managedIdentityName: 'dep-${namePrefix}-msi-ds-${serviceShort}' - pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' - } -} - -module nestedDependencies2 'dependencies2.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies2' - params: { - // Adding base time to make the name unique as purge 
protection must be enabled (but may not be longer than 24 characters total) - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - geoBackupKeyVaultName: 'dep-${namePrefix}-kvp-${serviceShort}-${substring(uniqueString(baseTime), 0, 2)}' - geoBackupManagedIdentityName: 'dep-${namePrefix}-msip-${serviceShort}' - geoBackupLocation: nestedDependencies1.outputs.pairedRegionName - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - location: resourceGroup.location - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies2.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - resourceType: 'MySQL Flexible Server' - serverName: '${namePrefix}${serviceShort}001' - } - administratorLogin: 'adminUserName' - administratorLoginPassword: password - skuName: 'Standard_D2ds_v4' - tier: 'GeneralPurpose' - 
storageAutoIoScaling: 'Enabled' - storageSizeGB: 32 - storageIOPS: 400 - backupRetentionDays: 20 - availabilityZone: '1' - databases: [ - { - - name: 'testdb1' - } - { - name: 'testdb2' - charset: 'ascii' - collation: 'ascii_general_ci' - } - ] - firewallRules: [ - { - endIpAddress: '0.0.0.0' - name: 'AllowAllWindowsAzureIps' - startIpAddress: '0.0.0.0' - } - { - endIpAddress: '10.10.10.10' - name: 'test-rule1' - startIpAddress: '10.10.10.1' - } - { - endIpAddress: '100.100.100.10' - name: 'test-rule2' - startIpAddress: '100.100.100.1' - } - ] - highAvailability: 'SameZone' - storageAutoGrow: 'Enabled' - version: '8.0.21' - customerManagedKey: { - keyName: nestedDependencies2.outputs.keyName - keyVaultResourceId: nestedDependencies2.outputs.keyVaultResourceId - userAssignedIdentityResourceId: nestedDependencies2.outputs.managedIdentityResourceId - } - geoRedundantBackup: 'Enabled' - customerManagedKeyGeo: { - keyName: nestedDependencies2.outputs.geoBackupKeyName - keyVaultResourceId: nestedDependencies2.outputs.geoBackupKeyVaultResourceId - userAssignedIdentityResourceId: nestedDependencies2.outputs.geoBackupManagedIdentityResourceId - } - managedIdentities: { - userAssignedResourceIds: [ - nestedDependencies2.outputs.managedIdentityResourceId - nestedDependencies2.outputs.geoBackupManagedIdentityResourceId - ] - } - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - } -}] diff --git a/modules/db-for-my-sql/flexible-server/version.json b/modules/db-for-my-sql/flexible-server/version.json deleted file mode 100644 index 96236a61ba..0000000000 
--- a/modules/db-for-my-sql/flexible-server/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/db-for-postgre-sql/flexible-server/MOVED-TO-AVM.md b/modules/db-for-postgre-sql/flexible-server/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/db-for-postgre-sql/flexible-server/MOVED-TO-AVM.md +++ /dev/null @@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/db-for-postgre-sql/flexible-server/README.md b/modules/db-for-postgre-sql/flexible-server/README.md index 9fd7665d16..03646bb4cb 100644 --- a/modules/db-for-postgre-sql/flexible-server/README.md +++ b/modules/db-for-postgre-sql/flexible-server/README.md @@ -1,1143 +1,7 @@ -# DBforPostgreSQL Flexible Servers `[Microsoft.DBforPostgreSQL/flexibleServers]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/db-for-postgre-sql/flexible-server](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/db-for-postgre-sql/flexible-server).** -This module deploys a DBforPostgreSQL Flexible Server. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/db-for-postgre-sql/flexible-server). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.DBforPostgreSQL/flexibleServers` | [2022-12-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DBforPostgreSQL/2022-12-01/flexibleServers) | -| `Microsoft.DBforPostgreSQL/flexibleServers/administrators` | [2022-12-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DBforPostgreSQL/2022-12-01/flexibleServers/administrators) | -| `Microsoft.DBforPostgreSQL/flexibleServers/configurations` | [2022-12-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DBforPostgreSQL/2022-12-01/flexibleServers/configurations) | -| 
`Microsoft.DBforPostgreSQL/flexibleServers/databases` | [2022-12-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DBforPostgreSQL/2022-12-01/flexibleServers/databases) | -| `Microsoft.DBforPostgreSQL/flexibleServers/firewallRules` | [2022-12-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DBforPostgreSQL/2022-12-01/flexibleServers/firewallRules) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/db-for-postgre-sql.flexible-server:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Private](#example-2-private) -- [Public](#example-3-public) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module flexibleServer 'br:bicep/modules/db-for-postgre-sql.flexible-server:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dfpsfsmin' - params: { - // Required parameters - name: 'dfpsfsmin001' - skuName: 'Standard_B2s' - tier: 'Burstable' - // Non-required parameters - administratorLogin: 'adminUserName' - administratorLoginPassword: '' - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dfpsfsmin001" - }, - "skuName": { - "value": "Standard_B2s" - }, - "tier": { - "value": "Burstable" - }, - // Non-required parameters - "administratorLogin": { - "value": "adminUserName" - }, - "administratorLoginPassword": { - "value": "" - }, - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Private_ - -

- -via Bicep module - -```bicep -module flexibleServer 'br:bicep/modules/db-for-postgre-sql.flexible-server:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dfpsfspvt' - params: { - // Required parameters - name: 'dfpsfspvt001' - skuName: 'Standard_D2s_v3' - tier: 'GeneralPurpose' - // Non-required parameters - administratorLogin: 'adminUserName' - administratorLoginPassword: '' - configurations: [ - { - name: 'log_min_messages' - source: 'user-override' - value: 'INFO' - } - { - name: 'autovacuum_naptime' - source: 'user-override' - value: '80' - } - ] - databases: [ - { - charset: 'UTF8' - collation: 'en_US.utf8' - name: 'testdb1' - } - { - name: 'testdb2' - } - ] - delegatedSubnetResourceId: '' - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - geoRedundantBackup: 'Enabled' - privateDnsZoneArmResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dfpsfspvt001" - }, - "skuName": { - "value": "Standard_D2s_v3" - }, - "tier": { - "value": "GeneralPurpose" - }, - // Non-required parameters - "administratorLogin": { - "value": "adminUserName" - }, - "administratorLoginPassword": { - "value": "" - }, - "configurations": { - "value": [ - { - "name": "log_min_messages", - "source": "user-override", - "value": "INFO" - }, - { - "name": "autovacuum_naptime", - "source": "user-override", - "value": "80" - } - ] - }, - "databases": { - "value": [ - { - "charset": "UTF8", - "collation": "en_US.utf8", - "name": "testdb1" - }, - { - "name": "testdb2" - } - ] - }, - "delegatedSubnetResourceId": { - "value": "" - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "geoRedundantBackup": { - "value": "Enabled" - }, - "privateDnsZoneArmResourceId": { - "value": "" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _Public_ - -

- -via Bicep module - -```bicep -module flexibleServer 'br:bicep/modules/db-for-postgre-sql.flexible-server:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dfpsfsp' - params: { - // Required parameters - name: 'dfpsfsp001' - skuName: 'Standard_D2s_v3' - tier: 'GeneralPurpose' - // Non-required parameters - administrators: [ - { - objectId: '' - principalName: '' - principalType: 'ServicePrincipal' - } - ] - availabilityZone: '1' - backupRetentionDays: 20 - configurations: [ - { - name: 'log_min_messages' - source: 'user-override' - value: 'INFO' - } - ] - customerManagedKey: { - keyName: '' - keyVaultResourceId: '' - userAssignedIdentityResourceId: '' - } - databases: [ - { - charset: 'UTF8' - collation: 'en_US.utf8' - name: 'testdb1' - } - { - name: 'testdb2' - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - firewallRules: [ - { - endIpAddress: '0.0.0.0' - name: 'AllowAllWindowsAzureIps' - startIpAddress: '0.0.0.0' - } - { - endIpAddress: '10.10.10.10' - name: 'test-rule1' - startIpAddress: '10.10.10.1' - } - { - endIpAddress: '100.100.100.10' - name: 'test-rule2' - startIpAddress: '100.100.100.1' - } - ] - geoRedundantBackup: 'Disabled' - highAvailability: 'SameZone' - location: '' - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - storageSizeGB: 1024 - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - version: '14' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dfpsfsp001" - }, - "skuName": { - "value": "Standard_D2s_v3" - }, - "tier": { - "value": "GeneralPurpose" - }, - // Non-required parameters - "administrators": { - "value": [ - { - "objectId": "", - "principalName": "", - "principalType": "ServicePrincipal" - } - ] - }, - "availabilityZone": { - "value": "1" - }, - "backupRetentionDays": { - "value": 20 - }, - "configurations": { - "value": [ - { - "name": "log_min_messages", - "source": "user-override", - "value": "INFO" - } - ] - }, - "customerManagedKey": { - "value": { - "keyName": "", - "keyVaultResourceId": "", - "userAssignedIdentityResourceId": "" - } - }, - "databases": { - "value": [ - { - "charset": "UTF8", - "collation": "en_US.utf8", - "name": "testdb1" - }, - { - "name": "testdb2" - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "firewallRules": { - "value": [ - { - "endIpAddress": "0.0.0.0", - "name": "AllowAllWindowsAzureIps", - "startIpAddress": "0.0.0.0" - }, - { - "endIpAddress": "10.10.10.10", - "name": "test-rule1", - "startIpAddress": "10.10.10.1" - }, - { - "endIpAddress": "100.100.100.10", - "name": "test-rule2", - "startIpAddress": "100.100.100.1" - } - ] - }, - "geoRedundantBackup": { - "value": "Disabled" - }, - "highAvailability": { - "value": "SameZone" - }, - "location": { - "value": "" - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "storageSizeGB": { - "value": 1024 - }, - "tags": { - "value": { - "Environment": 
"Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "version": { - "value": "14" - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the PostgreSQL flexible server. | -| [`skuName`](#parameter-skuname) | string | The name of the sku, typically, tier + family + cores, e.g. Standard_D4s_v3. | -| [`tier`](#parameter-tier) | string | The tier of the particular SKU. Tier must align with the "skuName" property. Example, tier cannot be "Burstable" if skuName is "Standard_D4s_v3". | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. Required if 'cMKKeyName' is not empty. | -| [`pointInTimeUTC`](#parameter-pointintimeutc) | string | Required if "createMode" is set to "PointInTimeRestore". | -| [`sourceServerResourceId`](#parameter-sourceserverresourceid) | string | Required if "createMode" is set to "PointInTimeRestore". | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`activeDirectoryAuth`](#parameter-activedirectoryauth) | string | If Enabled, Azure Active Directory authentication is enabled. | -| [`administratorLogin`](#parameter-administratorlogin) | string | The administrator login name of a server. Can only be specified when the PostgreSQL server is being created. | -| [`administratorLoginPassword`](#parameter-administratorloginpassword) | securestring | The administrator login password. | -| [`administrators`](#parameter-administrators) | array | The Azure AD administrators when AAD authentication enabled. | -| [`availabilityZone`](#parameter-availabilityzone) | string | Availability zone information of the server. Default will have no preference set. | -| [`backupRetentionDays`](#parameter-backupretentiondays) | int | Backup retention days for the server. 
| -| [`configurations`](#parameter-configurations) | array | The configurations to create in the server. | -| [`createMode`](#parameter-createmode) | string | The mode to create a new PostgreSQL server. | -| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition. | -| [`databases`](#parameter-databases) | array | The databases to create in the server. | -| [`delegatedSubnetResourceId`](#parameter-delegatedsubnetresourceid) | string | Delegated subnet arm resource ID. Used when the desired connectivity mode is "Private Access" - virtual network integration. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`firewallRules`](#parameter-firewallrules) | array | The firewall rules to create in the PostgreSQL flexible server. | -| [`geoRedundantBackup`](#parameter-georedundantbackup) | string | A value indicating whether Geo-Redundant backup is enabled on the server. Should be left disabled if 'cMKKeyName' is not empty. | -| [`highAvailability`](#parameter-highavailability) | string | The mode for high availability. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`maintenanceWindow`](#parameter-maintenancewindow) | object | Properties for the maintenence window. If provided, "customWindow" property must exist and set to "Enabled". | -| [`passwordAuth`](#parameter-passwordauth) | string | If Enabled, password authentication is enabled. | -| [`privateDnsZoneArmResourceId`](#parameter-privatednszonearmresourceid) | string | Private dns zone arm resource ID. Used when the desired connectivity mode is "Private Access" and required when "delegatedSubnetResourceId" is used. 
The Private DNS Zone must be lined to the Virtual Network referenced in "delegatedSubnetResourceId". | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`storageSizeGB`](#parameter-storagesizegb) | int | Max storage allowed for a server. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`tenantId`](#parameter-tenantid) | string | Tenant id of the server. | -| [`version`](#parameter-version) | string | PostgreSQL Server version. | - -### Parameter: `name` - -The name of the PostgreSQL flexible server. - -- Required: Yes -- Type: string - -### Parameter: `skuName` - -The name of the sku, typically, tier + family + cores, e.g. Standard_D4s_v3. - -- Required: Yes -- Type: string - -### Parameter: `tier` - -The tier of the particular SKU. Tier must align with the "skuName" property. Example, tier cannot be "Burstable" if skuName is "Standard_D4s_v3". - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Burstable' - 'GeneralPurpose' - 'MemoryOptimized' - ] - ``` - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. Required if 'cMKKeyName' is not empty. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: Yes -- Type: array - -### Parameter: `pointInTimeUTC` - -Required if "createMode" is set to "PointInTimeRestore". - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `sourceServerResourceId` - -Required if "createMode" is set to "PointInTimeRestore". - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `activeDirectoryAuth` - -If Enabled, Azure Active Directory authentication is enabled. 
- -- Required: No -- Type: string -- Default: `'Enabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `administratorLogin` - -The administrator login name of a server. Can only be specified when the PostgreSQL server is being created. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `administratorLoginPassword` - -The administrator login password. - -- Required: No -- Type: securestring -- Default: `''` - -### Parameter: `administrators` - -The Azure AD administrators when AAD authentication enabled. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `availabilityZone` - -Availability zone information of the server. Default will have no preference set. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - '1' - '2' - '3' - ] - ``` - -### Parameter: `backupRetentionDays` - -Backup retention days for the server. - -- Required: No -- Type: int -- Default: `7` - -### Parameter: `configurations` - -The configurations to create in the server. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `createMode` - -The mode to create a new PostgreSQL server. - -- Required: No -- Type: string -- Default: `'Default'` -- Allowed: - ```Bicep - [ - 'Create' - 'Default' - 'PointInTimeRestore' - 'Update' - ] - ``` - -### Parameter: `customerManagedKey` - -The customer managed key definition. - -- Required: No -- Type: object - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. | -| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. 
| -| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | - -### Parameter: `customerManagedKey.keyName` - -The name of the customer managed key to use for encryption. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKey.keyVaultResourceId` - -The resource ID of a key vault to reference a customer managed key for encryption from. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKey.userAssignedIdentityResourceId` - -User assigned identity to use when fetching the customer managed key. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKey.keyVersion` - -The version of the customer managed key to reference for encryption. If not provided, using 'latest'. - -- Required: No -- Type: string - -### Parameter: `databases` - -The databases to create in the server. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `delegatedSubnetResourceId` - -Delegated subnet arm resource ID. Used when the desired connectivity mode is "Private Access" - virtual network integration. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
| -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
| - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `firewallRules` - -The firewall rules to create in the PostgreSQL flexible server. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `geoRedundantBackup` - -A value indicating whether Geo-Redundant backup is enabled on the server. Should be left disabled if 'cMKKeyName' is not empty. - -- Required: No -- Type: string -- Default: `'Disabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `highAvailability` - -The mode for high availability. - -- Required: No -- Type: string -- Default: `'Disabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'SameZone' - 'ZoneRedundant' - ] - ``` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `maintenanceWindow` - -Properties for the maintenence window. 
If provided, "customWindow" property must exist and set to "Enabled". - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `passwordAuth` - -If Enabled, password authentication is enabled. - -- Required: No -- Type: string -- Default: `'Disabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `privateDnsZoneArmResourceId` - -Private dns zone arm resource ID. Used when the desired connectivity mode is "Private Access" and required when "delegatedSubnetResourceId" is used. The Private DNS Zone must be lined to the Virtual Network referenced in "delegatedSubnetResourceId". - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. 
| -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `storageSizeGB` - -Max storage allowed for a server. - -- Required: No -- Type: int -- Default: `32` -- Allowed: - ```Bicep - [ - 32 - 64 - 128 - 256 - 512 - 1024 - 2048 - 4096 - 8192 - 16384 - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `tenantId` - -Tenant id of the server. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `version` - -PostgreSQL Server version. - -- Required: No -- Type: string -- Default: `'15'` -- Allowed: - ```Bicep - [ - '11' - '12' - '13' - '14' - '15' - ] - ``` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed PostgreSQL Flexible server. | -| `resourceGroupName` | string | The resource group of the deployed PostgreSQL Flexible server. | -| `resourceId` | string | The resource ID of the deployed PostgreSQL Flexible server. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/db-for-postgre-sql/flexible-server/administrator/README.md b/modules/db-for-postgre-sql/flexible-server/administrator/README.md deleted file mode 100644 index c0f2f4352f..0000000000 --- a/modules/db-for-postgre-sql/flexible-server/administrator/README.md +++ /dev/null 
@@ -1,114 +0,0 @@
-# DBforPostgreSQL Flexible Server Administrators `[Microsoft.DBforPostgreSQL/flexibleServers/administrators]`
-
-This module deploys a DBforPostgreSQL Flexible Server Administrator.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.DBforPostgreSQL/flexibleServers/administrators` | [2022-12-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DBforPostgreSQL/2022-12-01/flexibleServers/administrators) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`objectId`](#parameter-objectid) | string | The objectId of the Active Directory administrator. |
-| [`principalName`](#parameter-principalname) | string | Active Directory administrator principal name. |
-| [`principalType`](#parameter-principaltype) | string | The principal type used to represent the type of Active Directory Administrator. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`flexibleServerName`](#parameter-flexibleservername) | string | The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`location`](#parameter-location) | string | Location for all resources. |
-| [`tenantId`](#parameter-tenantid) | string | The tenantId of the Active Directory administrator. |
-
-### Parameter: `objectId`
-
-The objectId of the Active Directory administrator.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `principalName`
-
-Active Directory administrator principal name.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `principalType`
-
-The principal type used to represent the type of Active Directory Administrator.
-
-- Required: Yes
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Group'
- 'ServicePrincipal'
- 'Unknown'
- 'User'
- ]
- ```
-
-### Parameter: `flexibleServerName`
-
-The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `location`
-
-Location for all resources.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-### Parameter: `tenantId`
-
-The tenantId of the Active Directory administrator.
-
-- Required: No
-- Type: string
-- Default: `[tenant().tenantId]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed administrator. |
-| `resourceGroupName` | string | The resource group of the deployed administrator. |
-| `resourceId` | string | The resource ID of the deployed administrator. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/db-for-postgre-sql/flexible-server/administrator/main.bicep b/modules/db-for-postgre-sql/flexible-server/administrator/main.bicep
deleted file mode 100644
index 5e4b8a19f7..0000000000
--- a/modules/db-for-postgre-sql/flexible-server/administrator/main.bicep
+++ /dev/null
@@ -1,65 +0,0 @@
-metadata name = 'DBforPostgreSQL Flexible Server Administrators'
-metadata description = 'This module deploys a DBforPostgreSQL Flexible Server Administrator.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment.')
-param flexibleServerName string
-
-@description('Required. The objectId of the Active Directory administrator.')
-param objectId string
-
-@description('Required. Active Directory administrator principal name.')
-param principalName string
-
-@allowed([
- 'Group'
- 'ServicePrincipal'
- 'Unknown'
- 'User'
-])
-@description('Required. The principal type used to represent the type of Active Directory Administrator.')
-param principalType string
-
-@description('Optional. The tenantId of the Active Directory administrator.')
-param tenantId string = tenant().tenantId
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource flexibleServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' existing = {
- name: flexibleServerName
-}
-
-resource administrator 'Microsoft.DBforPostgreSQL/flexibleServers/administrators@2022-12-01' = {
- name: objectId
- parent: flexibleServer
- properties: {
- principalName: principalName
- principalType: principalType
- tenantId: tenantId
- }
-}
-
-@description('The name of the deployed administrator.')
-output name string = administrator.name
-
-@description('The resource ID of the deployed administrator.')
-output resourceId string = administrator.id
-
-@description('The resource group of the deployed administrator.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/db-for-postgre-sql/flexible-server/administrator/main.json b/modules/db-for-postgre-sql/flexible-server/administrator/main.json
deleted file mode 100644
index b44df7bf9d..0000000000
--- a/modules/db-for-postgre-sql/flexible-server/administrator/main.json
+++ /dev/null
@@ -1,116 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13863840477045657155" - }, - "name": "DBforPostgreSQL Flexible Server Administrators", - "description": "This module deploys a DBforPostgreSQL Flexible Server Administrator.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "flexibleServerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment." - } - }, - "objectId": { - "type": "string", - "metadata": { - "description": "Required. The objectId of the Active Directory administrator." - } - }, - "principalName": { - "type": "string", - "metadata": { - "description": "Required. Active Directory administrator principal name." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Group", - "ServicePrincipal", - "Unknown", - "User" - ], - "metadata": { - "description": "Required. The principal type used to represent the type of Active Directory Administrator." - } - }, - "tenantId": { - "type": "string", - "defaultValue": "[tenant().tenantId]", - "metadata": { - "description": "Optional. The tenantId of the Active Directory administrator." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DBforPostgreSQL/flexibleServers/administrators", - "apiVersion": "2022-12-01", - "name": "[format('{0}/{1}', parameters('flexibleServerName'), parameters('objectId'))]", - "properties": { - "principalName": "[parameters('principalName')]", - "principalType": "[parameters('principalType')]", - "tenantId": "[parameters('tenantId')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed administrator." - }, - "value": "[parameters('objectId')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed administrator." - }, - "value": "[resourceId('Microsoft.DBforPostgreSQL/flexibleServers/administrators', parameters('flexibleServerName'), parameters('objectId'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed administrator." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/db-for-postgre-sql/flexible-server/administrator/version.json b/modules/db-for-postgre-sql/flexible-server/administrator/version.json deleted file mode 100644 index 7fa401bdf7..0000000000 --- a/modules/db-for-postgre-sql/flexible-server/administrator/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.1", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/db-for-postgre-sql/flexible-server/configuration/README.md b/modules/db-for-postgre-sql/flexible-server/configuration/README.md
deleted file mode 100644
index fc940f2120..0000000000
--- a/modules/db-for-postgre-sql/flexible-server/configuration/README.md
+++ /dev/null
@@ -1,98 +0,0 @@
-# DBforPostgreSQL Flexible Server Configurations `[Microsoft.DBforPostgreSQL/flexibleServers/configurations]`
-
-This module deploys a DBforPostgreSQL Flexible Server Configuration.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.DBforPostgreSQL/flexibleServers/configurations` | [2022-12-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DBforPostgreSQL/2022-12-01/flexibleServers/configurations) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the configuration. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`flexibleServerName`](#parameter-flexibleservername) | string | The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`location`](#parameter-location) | string | Location for all resources. |
-| [`source`](#parameter-source) | string | Source of the configuration. |
-| [`value`](#parameter-value) | string | Value of the configuration. |
-
-### Parameter: `name`
-
-The name of the configuration.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `flexibleServerName`
-
-The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `location`
-
-Location for all resources.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-### Parameter: `source`
-
-Source of the configuration.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `value`
-
-Value of the configuration.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed configuration. |
-| `resourceGroupName` | string | The resource group of the deployed configuration. |
-| `resourceId` | string | The resource ID of the deployed configuration. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/db-for-postgre-sql/flexible-server/configuration/main.bicep b/modules/db-for-postgre-sql/flexible-server/configuration/main.bicep
deleted file mode 100644
index b85020fcf8..0000000000
--- a/modules/db-for-postgre-sql/flexible-server/configuration/main.bicep
+++ /dev/null
@@ -1,55 +0,0 @@
-metadata name = 'DBforPostgreSQL Flexible Server Configurations'
-metadata description = 'This module deploys a DBforPostgreSQL Flexible Server Configuration.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the configuration.')
-param name string
-
-@description('Conditional. The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment.')
-param flexibleServerName string
-
-@description('Optional. Source of the configuration.')
-param source string = ''
-
-@description('Optional. Value of the configuration.')
-param value string = ''
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource flexibleServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' existing = {
- name: flexibleServerName
-}
-
-resource configuration 'Microsoft.DBforPostgreSQL/flexibleServers/configurations@2022-12-01' = {
- name: name
- parent: flexibleServer
- properties: {
- source: !empty(source) ? source : null
- value: !empty(value) ? value : null
- }
-}
-
-@description('The name of the deployed configuration.')
-output name string = configuration.name
-
-@description('The resource ID of the deployed configuration.')
-output resourceId string = configuration.id
-
-@description('The resource group of the deployed configuration.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/db-for-postgre-sql/flexible-server/configuration/main.json b/modules/db-for-postgre-sql/flexible-server/configuration/main.json
deleted file mode 100644
index a928b33bd9..0000000000
--- a/modules/db-for-postgre-sql/flexible-server/configuration/main.json
+++ /dev/null
@@ -1,104 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16469307943232243904" - }, - "name": "DBforPostgreSQL Flexible Server Configurations", - "description": "This module deploys a DBforPostgreSQL Flexible Server Configuration.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the configuration." - } - }, - "flexibleServerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment." - } - }, - "source": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Source of the configuration." - } - }, - "value": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Value of the configuration." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DBforPostgreSQL/flexibleServers/configurations", - "apiVersion": "2022-12-01", - "name": "[format('{0}/{1}', parameters('flexibleServerName'), parameters('name'))]", - "properties": { - "source": "[if(not(empty(parameters('source'))), parameters('source'), null())]", - "value": "[if(not(empty(parameters('value'))), parameters('value'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed configuration." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed configuration." - }, - "value": "[resourceId('Microsoft.DBforPostgreSQL/flexibleServers/configurations', parameters('flexibleServerName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed configuration." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/db-for-postgre-sql/flexible-server/configuration/version.json b/modules/db-for-postgre-sql/flexible-server/configuration/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/db-for-postgre-sql/flexible-server/configuration/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/db-for-postgre-sql/flexible-server/database/README.md b/modules/db-for-postgre-sql/flexible-server/database/README.md
deleted file mode 100644
index 7e2b9c3c0d..0000000000
--- a/modules/db-for-postgre-sql/flexible-server/database/README.md
+++ /dev/null
@@ -1,98 +0,0 @@
-# DBforPostgreSQL Flexible Server Databases `[Microsoft.DBforPostgreSQL/flexibleServers/databases]`
-
-This module deploys a DBforPostgreSQL Flexible Server Database.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.DBforPostgreSQL/flexibleServers/databases` | [2022-12-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DBforPostgreSQL/2022-12-01/flexibleServers/databases) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the database. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`flexibleServerName`](#parameter-flexibleservername) | string | The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`charset`](#parameter-charset) | string | The charset of the database. |
-| [`collation`](#parameter-collation) | string | The collation of the database. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`location`](#parameter-location) | string | Location for all resources. |
-
-### Parameter: `name`
-
-The name of the database.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `flexibleServerName`
-
-The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `charset`
-
-The charset of the database.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `collation`
-
-The collation of the database.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `location`
-
-Location for all resources.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed database. |
-| `resourceGroupName` | string | The resource group of the deployed database. |
-| `resourceId` | string | The resource ID of the deployed database. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/db-for-postgre-sql/flexible-server/database/main.bicep b/modules/db-for-postgre-sql/flexible-server/database/main.bicep
deleted file mode 100644
index ec2c185504..0000000000
--- a/modules/db-for-postgre-sql/flexible-server/database/main.bicep
+++ /dev/null
@@ -1,55 +0,0 @@
-metadata name = 'DBforPostgreSQL Flexible Server Databases'
-metadata description = 'This module deploys a DBforPostgreSQL Flexible Server Database.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the database.')
-param name string
-
-@description('Conditional. The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment.')
-param flexibleServerName string
-
-@description('Optional. The collation of the database.')
-param collation string = ''
-
-@description('Optional. The charset of the database.')
-param charset string = ''
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource flexibleServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' existing = {
- name: flexibleServerName
-}
-
-resource database 'Microsoft.DBforPostgreSQL/flexibleServers/databases@2022-12-01' = {
- name: name
- parent: flexibleServer
- properties: {
- collation: !empty(collation) ? collation : null
- charset: !empty(charset) ? charset : null
- }
-}
-
-@description('The name of the deployed database.')
-output name string = database.name
-
-@description('The resource ID of the deployed database.')
-output resourceId string = database.id
-
-@description('The resource group of the deployed database.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/db-for-postgre-sql/flexible-server/database/main.json b/modules/db-for-postgre-sql/flexible-server/database/main.json
deleted file mode 100644
index b65e7e4697..0000000000
--- a/modules/db-for-postgre-sql/flexible-server/database/main.json
+++ /dev/null
@@ -1,104 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16111012435403700897" - }, - "name": "DBforPostgreSQL Flexible Server Databases", - "description": "This module deploys a DBforPostgreSQL Flexible Server Database.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the database." - } - }, - "flexibleServerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment." - } - }, - "collation": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The collation of the database." - } - }, - "charset": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The charset of the database." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DBforPostgreSQL/flexibleServers/databases", - "apiVersion": "2022-12-01", - "name": "[format('{0}/{1}', parameters('flexibleServerName'), parameters('name'))]", - "properties": { - "collation": "[if(not(empty(parameters('collation'))), parameters('collation'), null())]", - "charset": "[if(not(empty(parameters('charset'))), parameters('charset'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed database." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed database." - }, - "value": "[resourceId('Microsoft.DBforPostgreSQL/flexibleServers/databases', parameters('flexibleServerName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed database." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/db-for-postgre-sql/flexible-server/database/version.json b/modules/db-for-postgre-sql/flexible-server/database/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/db-for-postgre-sql/flexible-server/database/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/db-for-postgre-sql/flexible-server/firewall-rule/README.md b/modules/db-for-postgre-sql/flexible-server/firewall-rule/README.md
deleted file mode 100644
index db3b0df266..0000000000
--- a/modules/db-for-postgre-sql/flexible-server/firewall-rule/README.md
+++ /dev/null
@@ -1,87 +0,0 @@
-# DBforPostgreSQL Flexible Server Firewall Rules `[Microsoft.DBforPostgreSQL/flexibleServers/firewallRules]`
-
-This module deploys a DBforPostgreSQL Flexible Server Firewall Rule.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.DBforPostgreSQL/flexibleServers/firewallRules` | [2022-12-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DBforPostgreSQL/2022-12-01/flexibleServers/firewallRules) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`endIpAddress`](#parameter-endipaddress) | string | The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value '0.0.0.0' for all Azure-internal IP addresses. |
-| [`name`](#parameter-name) | string | The name of the PostgreSQL flexible server Firewall Rule. |
-| [`startIpAddress`](#parameter-startipaddress) | string | The start IP address of the firewall rule. Must be IPv4 format. Use value '0.0.0.0' for all Azure-internal IP addresses. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`flexibleServerName`](#parameter-flexibleservername) | string | The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-
-### Parameter: `endIpAddress`
-
-The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value '0.0.0.0' for all Azure-internal IP addresses.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `name`
-
-The name of the PostgreSQL flexible server Firewall Rule.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `startIpAddress`
-
-The start IP address of the firewall rule. Must be IPv4 format. Use value '0.0.0.0' for all Azure-internal IP addresses.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `flexibleServerName`
-
-The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed firewall rule. |
-| `resourceGroupName` | string | The resource group of the deployed firewall rule. |
-| `resourceId` | string | The resource ID of the deployed firewall rule. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/db-for-postgre-sql/flexible-server/firewall-rule/main.bicep b/modules/db-for-postgre-sql/flexible-server/firewall-rule/main.bicep
deleted file mode 100644
index 5618c9d038..0000000000
--- a/modules/db-for-postgre-sql/flexible-server/firewall-rule/main.bicep
+++ /dev/null
@@ -1,52 +0,0 @@
-metadata name = 'DBforPostgreSQL Flexible Server Firewall Rules'
-metadata description = 'This module deploys a DBforPostgreSQL Flexible Server Firewall Rule.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the PostgreSQL flexible server Firewall Rule.')
-param name string
-
-@description('Required. The start IP address of the firewall rule. Must be IPv4 format. Use value \'0.0.0.0\' for all Azure-internal IP addresses.')
-param startIpAddress string
-
-@description('Required. The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value \'0.0.0.0\' for all Azure-internal IP addresses.')
-param endIpAddress string
-
-@description('Conditional. The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment.')
-param flexibleServerName string
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource flexibleServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' existing = {
- name: flexibleServerName
-}
-
-resource firewallRule 'Microsoft.DBforPostgreSQL/flexibleServers/firewallRules@2022-12-01' = {
- name: name
- parent: flexibleServer
- properties: {
- endIpAddress: endIpAddress
- startIpAddress: startIpAddress
- }
-}
-
-@description('The name of the deployed firewall rule.')
-output name string = firewallRule.name
-
-@description('The resource ID of the deployed firewall rule.')
-output resourceId string = firewallRule.id
-
-@description('The resource group of the deployed firewall rule.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/db-for-postgre-sql/flexible-server/firewall-rule/main.json b/modules/db-for-postgre-sql/flexible-server/firewall-rule/main.json
deleted file mode 100644
index 81090c398e..0000000000
--- a/modules/db-for-postgre-sql/flexible-server/firewall-rule/main.json
+++ /dev/null
@@ -1,95 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "12680201884935036782" - }, - "name": "DBforPostgreSQL Flexible Server Firewall Rules", - "description": "This module deploys a DBforPostgreSQL Flexible Server Firewall Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the PostgreSQL flexible server Firewall Rule." - } - }, - "startIpAddress": { - "type": "string", - "metadata": { - "description": "Required. The start IP address of the firewall rule. Must be IPv4 format. Use value '0.0.0.0' for all Azure-internal IP addresses." - } - }, - "endIpAddress": { - "type": "string", - "metadata": { - "description": "Required. The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value '0.0.0.0' for all Azure-internal IP addresses." - } - }, - "flexibleServerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DBforPostgreSQL/flexibleServers/firewallRules", - "apiVersion": "2022-12-01", - "name": "[format('{0}/{1}', parameters('flexibleServerName'), parameters('name'))]", - "properties": { - "endIpAddress": "[parameters('endIpAddress')]", - "startIpAddress": "[parameters('startIpAddress')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed firewall rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed firewall rule." - }, - "value": "[resourceId('Microsoft.DBforPostgreSQL/flexibleServers/firewallRules', parameters('flexibleServerName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed firewall rule." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/db-for-postgre-sql/flexible-server/firewall-rule/version.json b/modules/db-for-postgre-sql/flexible-server/firewall-rule/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/db-for-postgre-sql/flexible-server/firewall-rule/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/db-for-postgre-sql/flexible-server/main.bicep b/modules/db-for-postgre-sql/flexible-server/main.bicep
deleted file mode 100644
index c6d1b75d5c..0000000000
--- a/modules/db-for-postgre-sql/flexible-server/main.bicep
+++ /dev/null
@@ -1,454 +0,0 @@ -metadata name = 'DBforPostgreSQL Flexible Servers' -metadata description = 'This module deploys a DBforPostgreSQL Flexible Server.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. The name of the PostgreSQL flexible server.') -param name string - -@description('Optional. The administrator login name of a server. Can only be specified when the PostgreSQL server is being created.') -param administratorLogin string = '' - -@description('Optional. The administrator login password.') -@secure() -param administratorLoginPassword string = '' - -@allowed([ - 'Disabled' - 'Enabled' -]) -@description('Optional. If Enabled, Azure Active Directory authentication is enabled.') -param activeDirectoryAuth string = 'Enabled' - -@allowed([ - 'Disabled' - 'Enabled' -]) -@description('Optional. If Enabled, password authentication is enabled.') -#disable-next-line secure-secrets-in-params -param passwordAuth string = 'Disabled' - -@description('Optional. Tenant id of the server.') -param tenantId string = '' - -@description('Optional. The Azure AD administrators when AAD authentication enabled.') -param administrators array = [] - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Required. The name of the sku, typically, tier + family + cores, e.g. Standard_D4s_v3.') -param skuName string - -@allowed([ - 'GeneralPurpose' - 'Burstable' - 'MemoryOptimized' -]) -@description('Required. The tier of the particular SKU. Tier must align with the "skuName" property. Example, tier cannot be "Burstable" if skuName is "Standard_D4s_v3".') -param tier string - -@allowed([ - '' - '1' - '2' - '3' -]) -@description('Optional. Availability zone information of the server. Default will have no preference set.') -param availabilityZone string = '' - -@minValue(7) -@maxValue(35) -@description('Optional. 
Backup retention days for the server.') -param backupRetentionDays int = 7 - -@allowed([ - 'Disabled' - 'Enabled' -]) -@description('Optional. A value indicating whether Geo-Redundant backup is enabled on the server. Should be left disabled if \'cMKKeyName\' is not empty.') -param geoRedundantBackup string = 'Disabled' - -@allowed([ - 32 - 64 - 128 - 256 - 512 - 1024 - 2048 - 4096 - 8192 - 16384 -]) -@description('Optional. Max storage allowed for a server.') -param storageSizeGB int = 32 - -@allowed([ - '11' - '12' - '13' - '14' - '15' -]) -@description('Optional. PostgreSQL Server version.') -param version string = '15' - -@allowed([ - 'Disabled' - 'SameZone' - 'ZoneRedundant' -]) -@description('Optional. The mode for high availability.') -param highAvailability string = 'Disabled' - -@allowed([ - 'Create' - 'Default' - 'PointInTimeRestore' - 'Update' -]) -@description('Optional. The mode to create a new PostgreSQL server.') -param createMode string = 'Default' - -@description('Conditional. The managed identity definition for this resource. Required if \'cMKKeyName\' is not empty.') -param managedIdentities managedIdentitiesType - -@description('Optional. The customer managed key definition.') -param customerManagedKey customerManagedKeyType - -@description('Optional. Properties for the maintenence window. If provided, "customWindow" property must exist and set to "Enabled".') -param maintenanceWindow object = {} - -@description('Conditional. Required if "createMode" is set to "PointInTimeRestore".') -param pointInTimeUTC string = '' - -@description('Conditional. Required if "createMode" is set to "PointInTimeRestore".') -param sourceServerResourceId string = '' - -@description('Optional. Delegated subnet arm resource ID. Used when the desired connectivity mode is "Private Access" - virtual network integration.') -param delegatedSubnetResourceId string = '' - -@description('Optional. Private dns zone arm resource ID. 
Used when the desired connectivity mode is "Private Access" and required when "delegatedSubnetResourceId" is used. The Private DNS Zone must be lined to the Virtual Network referenced in "delegatedSubnetResourceId".') -param privateDnsZoneArmResourceId string = '' - -@description('Optional. The firewall rules to create in the PostgreSQL flexible server.') -param firewallRules array = [] - -@description('Optional. The databases to create in the server.') -param databases array = [] - -@description('Optional. The configurations to create in the server.') -param configurations array = [] - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. Tags of the resource.') -param tags object? - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. The diagnostic settings of the service.') -param diagnosticSettings diagnosticSettingType - -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } - -var identity = !empty(managedIdentities) ? { - type: !empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null - userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? 
formattedUserAssignedIdentities : null -} : null - -var enableReferencedModulesTelemetry = false - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) { - name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/')) - scope: resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4]) - - resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) { - name: customerManagedKey.?keyName ?? 'dummyKey' - } -} - -resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) { - name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 
'dummyMsi', '/')) - scope: resourceGroup(split((customerManagedKey.?userAssignedIdentityResourceId ?? '//'), '/')[2], split((customerManagedKey.?userAssignedIdentityResourceId ?? '////'), '/')[4]) -} - -resource flexibleServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = { - name: name - location: location - tags: tags - sku: { - name: skuName - tier: tier - } - identity: identity - properties: { - administratorLogin: !empty(administratorLogin) ? administratorLogin : null - administratorLoginPassword: !empty(administratorLoginPassword) ? administratorLoginPassword : null - authConfig: { - activeDirectoryAuth: activeDirectoryAuth - passwordAuth: passwordAuth - tenantId: !empty(tenantId) ? tenantId : null - } - availabilityZone: availabilityZone - backup: { - backupRetentionDays: backupRetentionDays - geoRedundantBackup: geoRedundantBackup - } - createMode: createMode - dataEncryption: !empty(customerManagedKey) ? { - primaryKeyURI: !empty(customerManagedKey.?keyVersion ?? '') ? '${cMKKeyVault::cMKKey.properties.keyUri}/${customerManagedKey!.keyVersion}' : cMKKeyVault::cMKKey.properties.keyUriWithVersion - primaryUserAssignedIdentityId: cMKUserAssignedIdentity.id - type: 'AzureKeyVault' - } : null - highAvailability: { - mode: highAvailability - standbyAvailabilityZone: highAvailability == 'SameZone' ? availabilityZone : null - } - maintenanceWindow: !empty(maintenanceWindow) ? { - customWindow: maintenanceWindow.customWindow - dayOfWeek: maintenanceWindow.customWindow == 'Enabled' ? maintenanceWindow.dayOfWeek : 0 - startHour: maintenanceWindow.customWindow == 'Enabled' ? maintenanceWindow.startHour : 0 - startMinute: maintenanceWindow.customWindow == 'Enabled' ? maintenanceWindow.startMinute : 0 - } : null - network: !empty(delegatedSubnetResourceId) && empty(firewallRules) ? 
{ - delegatedSubnetResourceId: delegatedSubnetResourceId - privateDnsZoneArmResourceId: privateDnsZoneArmResourceId - } : null - pointInTimeUTC: createMode == 'PointInTimeRestore' ? pointInTimeUTC : null - sourceServerResourceId: createMode == 'PointInTimeRestore' ? sourceServerResourceId : null - storage: { - storageSizeGB: storageSizeGB - } - version: version - } -} - -resource flexibleServer_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' - } - scope: flexibleServer -} - -resource flexibleServer_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(flexibleServer.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? 
'2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: flexibleServer -}] - -module flexibleServer_databases 'database/main.bicep' = [for (database, index) in databases: { - name: '${uniqueString(deployment().name, location)}-PostgreSQL-DB-${index}' - params: { - name: database.name - flexibleServerName: flexibleServer.name - collation: contains(database, 'collation') ? database.collation : '' - charset: contains(database, 'charset') ? database.charset : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -module flexibleServer_firewallRules 'firewall-rule/main.bicep' = [for (firewallRule, index) in firewallRules: { - name: '${uniqueString(deployment().name, location)}-PostgreSQL-FirewallRules-${index}' - params: { - name: firewallRule.name - flexibleServerName: flexibleServer.name - startIpAddress: firewallRule.startIpAddress - endIpAddress: firewallRule.endIpAddress - enableDefaultTelemetry: enableReferencedModulesTelemetry - } - dependsOn: [ - flexibleServer_databases - ] -}] - -@batchSize(1) -module flexibleServer_configurations 'configuration/main.bicep' = [for (configuration, index) in configurations: { - name: '${uniqueString(deployment().name, location)}-PostgreSQL-Configurations-${index}' - params: { - name: configuration.name - flexibleServerName: flexibleServer.name - source: contains(configuration, 'source') ? configuration.source : '' - value: contains(configuration, 'value') ? 
configuration.value : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry - } - dependsOn: [ - flexibleServer_firewallRules - ] -}] - -module flexibleServer_administrators 'administrator/main.bicep' = [for (administrator, index) in administrators: { - name: '${uniqueString(deployment().name, location)}-PostgreSQL-Administrators-${index}' - params: { - flexibleServerName: flexibleServer.name - objectId: administrator.objectId - principalName: administrator.principalName - principalType: administrator.principalType - tenantId: contains(administrator, 'tenantId') ? administrator.tenantId : tenant().tenantId - } -}] - -resource flexibleServer_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { - name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' - properties: { - storageAccountId: diagnosticSetting.?storageAccountResourceId - workspaceId: diagnosticSetting.?workspaceResourceId - eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId - eventHubName: diagnosticSetting.?eventHubName - metrics: diagnosticSetting.?metricCategories ?? [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - } - ] - logs: diagnosticSetting.?logCategoriesAndGroups ?? 
[ - { - categoryGroup: 'AllLogs' - enabled: true - } - ] - marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId - logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType - } - scope: flexibleServer -}] - -@description('The name of the deployed PostgreSQL Flexible server.') -output name string = flexibleServer.name - -@description('The resource ID of the deployed PostgreSQL Flexible server.') -output resourceId string = flexibleServer.id - -@description('The resource group of the deployed PostgreSQL Flexible server.') -output resourceGroupName string = resourceGroup().name - -@description('The location the resource was deployed into.') -output location string = flexibleServer.location - -// =============== // -// Definitions // -// =============== // - -type managedIdentitiesType = { - @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourceIds: string[] -}? - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? - -type diagnosticSettingType = { - @description('Optional. The name of diagnostic setting.') - name: string? - - @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') - logCategoriesAndGroups: { - @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') - category: string? - - @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') - categoryGroup: string? - }[]? - - @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') - metricCategories: { - @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') - category: string - }[]? - - @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? - - @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - workspaceResourceId: string? - - @description('Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - storageAccountResourceId: string? - - @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') - eventHubAuthorizationRuleResourceId: string? - - @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - eventHubName: string? - - @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') - marketplacePartnerResourceId: string? -}[]? - -type customerManagedKeyType = { - @description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.') - keyVaultResourceId: string - - @description('Required. The name of the customer managed key to use for encryption.') - keyName: string - - @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.') - keyVersion: string? - - @description('Required. User assigned identity to use when fetching the customer managed key.') - userAssignedIdentityResourceId: string -}? diff --git a/modules/db-for-postgre-sql/flexible-server/main.json b/modules/db-for-postgre-sql/flexible-server/main.json deleted file mode 100644 index 25dcb199a2..0000000000 --- a/modules/db-for-postgre-sql/flexible-server/main.json +++ /dev/null 
@@ -1,1277 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10058986332950368920" - }, - "name": "DBforPostgreSQL Flexible Servers", - "description": "This module deploys a DBforPostgreSQL Flexible Server.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." 
- } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - }, - "customerManagedKeyType": { - "type": "object", - "properties": { - "keyVaultResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." - } - }, - "keyName": { - "type": "string", - "metadata": { - "description": "Required. The name of the customer managed key to use for encryption." - } - }, - "keyVersion": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." - } - }, - "userAssignedIdentityResourceId": { - "type": "string", - "metadata": { - "description": "Required. User assigned identity to use when fetching the customer managed key." - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the PostgreSQL flexible server." - } - }, - "administratorLogin": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The administrator login name of a server. 
Can only be specified when the PostgreSQL server is being created." - } - }, - "administratorLoginPassword": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. The administrator login password." - } - }, - "activeDirectoryAuth": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. If Enabled, Azure Active Directory authentication is enabled." - } - }, - "passwordAuth": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. If Enabled, password authentication is enabled." - } - }, - "tenantId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Tenant id of the server." - } - }, - "administrators": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The Azure AD administrators when AAD authentication enabled." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "skuName": { - "type": "string", - "metadata": { - "description": "Required. The name of the sku, typically, tier + family + cores, e.g. Standard_D4s_v3." - } - }, - "tier": { - "type": "string", - "allowedValues": [ - "GeneralPurpose", - "Burstable", - "MemoryOptimized" - ], - "metadata": { - "description": "Required. The tier of the particular SKU. Tier must align with the \"skuName\" property. Example, tier cannot be \"Burstable\" if skuName is \"Standard_D4s_v3\"." - } - }, - "availabilityZone": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "1", - "2", - "3" - ], - "metadata": { - "description": "Optional. Availability zone information of the server. Default will have no preference set." 
- } - }, - "backupRetentionDays": { - "type": "int", - "defaultValue": 7, - "minValue": 7, - "maxValue": 35, - "metadata": { - "description": "Optional. Backup retention days for the server." - } - }, - "geoRedundantBackup": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. A value indicating whether Geo-Redundant backup is enabled on the server. Should be left disabled if 'cMKKeyName' is not empty." - } - }, - "storageSizeGB": { - "type": "int", - "defaultValue": 32, - "allowedValues": [ - 32, - 64, - 128, - 256, - 512, - 1024, - 2048, - 4096, - 8192, - 16384 - ], - "metadata": { - "description": "Optional. Max storage allowed for a server." - } - }, - "version": { - "type": "string", - "defaultValue": "15", - "allowedValues": [ - "11", - "12", - "13", - "14", - "15" - ], - "metadata": { - "description": "Optional. PostgreSQL Server version." - } - }, - "highAvailability": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "SameZone", - "ZoneRedundant" - ], - "metadata": { - "description": "Optional. The mode for high availability." - } - }, - "createMode": { - "type": "string", - "defaultValue": "Default", - "allowedValues": [ - "Create", - "Default", - "PointInTimeRestore", - "Update" - ], - "metadata": { - "description": "Optional. The mode to create a new PostgreSQL server." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Conditional. The managed identity definition for this resource. Required if 'cMKKeyName' is not empty." - } - }, - "customerManagedKey": { - "$ref": "#/definitions/customerManagedKeyType", - "metadata": { - "description": "Optional. The customer managed key definition." - } - }, - "maintenanceWindow": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Properties for the maintenence window. 
If provided, \"customWindow\" property must exist and set to \"Enabled\"." - } - }, - "pointInTimeUTC": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. Required if \"createMode\" is set to \"PointInTimeRestore\"." - } - }, - "sourceServerResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. Required if \"createMode\" is set to \"PointInTimeRestore\"." - } - }, - "delegatedSubnetResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Delegated subnet arm resource ID. Used when the desired connectivity mode is \"Private Access\" - virtual network integration." - } - }, - "privateDnsZoneArmResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Private dns zone arm resource ID. Used when the desired connectivity mode is \"Private Access\" and required when \"delegatedSubnetResourceId\" is used. The Private DNS Zone must be lined to the Virtual Network referenced in \"delegatedSubnetResourceId\"." - } - }, - "firewallRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The firewall rules to create in the PostgreSQL flexible server." - } - }, - "databases": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The databases to create in the server." - } - }, - "configurations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The configurations to create in the server." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. 
Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - } - }, - "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null()), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "cMKKeyVault::cMKKey": { - "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 
'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults/keys", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", - "dependsOn": [ - "cMKKeyVault" - ] - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "cMKKeyVault": { - "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" - }, - "cMKUserAssignedIdentity": { - "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')))]", - "existing": true, - "type": 
"Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2023-01-31", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" - }, - "flexibleServer": { - "type": "Microsoft.DBforPostgreSQL/flexibleServers", - "apiVersion": "2022-12-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "name": "[parameters('skuName')]", - "tier": "[parameters('tier')]" - }, - "identity": "[variables('identity')]", - "properties": { - "administratorLogin": "[if(not(empty(parameters('administratorLogin'))), parameters('administratorLogin'), null())]", - "administratorLoginPassword": "[if(not(empty(parameters('administratorLoginPassword'))), parameters('administratorLoginPassword'), null())]", - "authConfig": { - "activeDirectoryAuth": "[parameters('activeDirectoryAuth')]", - "passwordAuth": "[parameters('passwordAuth')]", - "tenantId": "[if(not(empty(parameters('tenantId'))), parameters('tenantId'), null())]" - }, - "availabilityZone": "[parameters('availabilityZone')]", - "backup": { - "backupRetentionDays": "[parameters('backupRetentionDays')]", - "geoRedundantBackup": "[parameters('geoRedundantBackup')]" - }, - "createMode": "[parameters('createMode')]", - "dataEncryption": "[if(not(empty(parameters('customerManagedKey'))), createObject('primaryKeyURI', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), format('{0}/{1}', reference('cMKKeyVault::cMKKey').keyUri, parameters('customerManagedKey').keyVersion), reference('cMKKeyVault::cMKKey').keyUriWithVersion), 'primaryUserAssignedIdentityId', 
extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))), 'type', 'AzureKeyVault'), null())]", - "highAvailability": { - "mode": "[parameters('highAvailability')]", - "standbyAvailabilityZone": "[if(equals(parameters('highAvailability'), 'SameZone'), parameters('availabilityZone'), null())]" - }, - "maintenanceWindow": "[if(not(empty(parameters('maintenanceWindow'))), createObject('customWindow', parameters('maintenanceWindow').customWindow, 'dayOfWeek', if(equals(parameters('maintenanceWindow').customWindow, 'Enabled'), parameters('maintenanceWindow').dayOfWeek, 0), 'startHour', if(equals(parameters('maintenanceWindow').customWindow, 'Enabled'), parameters('maintenanceWindow').startHour, 0), 'startMinute', if(equals(parameters('maintenanceWindow').customWindow, 'Enabled'), parameters('maintenanceWindow').startMinute, 0)), null())]", - "network": "[if(and(not(empty(parameters('delegatedSubnetResourceId'))), empty(parameters('firewallRules'))), createObject('delegatedSubnetResourceId', parameters('delegatedSubnetResourceId'), 'privateDnsZoneArmResourceId', parameters('privateDnsZoneArmResourceId')), null())]", - "pointInTimeUTC": "[if(equals(parameters('createMode'), 'PointInTimeRestore'), parameters('pointInTimeUTC'), null())]", - "sourceServerResourceId": "[if(equals(parameters('createMode'), 'PointInTimeRestore'), parameters('sourceServerResourceId'), null())]", - "storage": { - "storageSizeGB": "[parameters('storageSizeGB')]" - }, - "version": "[parameters('version')]" - }, - "dependsOn": [ - "cMKKeyVault", - "cMKUserAssignedIdentity" - ] - }, - "flexibleServer_lock": { - 
"condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.DBforPostgreSQL/flexibleServers/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "flexibleServer" - ] - }, - "flexibleServer_roleAssignments": { - "copy": { - "name": "flexibleServer_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.DBforPostgreSQL/flexibleServers/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.DBforPostgreSQL/flexibleServers', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "flexibleServer" - ] - }, - "flexibleServer_diagnosticSettings": { - "copy": { - "name": "flexibleServer_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.DBforPostgreSQL/flexibleServers/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), 
createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "flexibleServer" - ] - }, - "flexibleServer_databases": { - "copy": { - "name": "flexibleServer_databases", - "count": "[length(parameters('databases'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PostgreSQL-DB-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('databases')[copyIndex()].name]" - }, - "flexibleServerName": { - "value": "[parameters('name')]" - }, - "collation": "[if(contains(parameters('databases')[copyIndex()], 'collation'), createObject('value', parameters('databases')[copyIndex()].collation), createObject('value', ''))]", - "charset": "[if(contains(parameters('databases')[copyIndex()], 'charset'), createObject('value', parameters('databases')[copyIndex()].charset), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - 
"metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16111012435403700897" - }, - "name": "DBforPostgreSQL Flexible Server Databases", - "description": "This module deploys a DBforPostgreSQL Flexible Server Database.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the database." - } - }, - "flexibleServerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment." - } - }, - "collation": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The collation of the database." - } - }, - "charset": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The charset of the database." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DBforPostgreSQL/flexibleServers/databases", - "apiVersion": "2022-12-01", - "name": "[format('{0}/{1}', parameters('flexibleServerName'), parameters('name'))]", - "properties": { - "collation": "[if(not(empty(parameters('collation'))), parameters('collation'), null())]", - "charset": "[if(not(empty(parameters('charset'))), parameters('charset'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed database." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed database." - }, - "value": "[resourceId('Microsoft.DBforPostgreSQL/flexibleServers/databases', parameters('flexibleServerName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed database." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "flexibleServer" - ] - }, - "flexibleServer_firewallRules": { - "copy": { - "name": "flexibleServer_firewallRules", - "count": "[length(parameters('firewallRules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PostgreSQL-FirewallRules-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('firewallRules')[copyIndex()].name]" - }, - "flexibleServerName": { - "value": "[parameters('name')]" - }, - "startIpAddress": { - "value": "[parameters('firewallRules')[copyIndex()].startIpAddress]" - }, - "endIpAddress": { - "value": "[parameters('firewallRules')[copyIndex()].endIpAddress]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "12680201884935036782" - }, - "name": "DBforPostgreSQL Flexible Server Firewall Rules", - "description": "This module deploys a DBforPostgreSQL Flexible Server Firewall Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the PostgreSQL flexible server Firewall Rule." - } - }, - "startIpAddress": { - "type": "string", - "metadata": { - "description": "Required. The start IP address of the firewall rule. Must be IPv4 format. Use value '0.0.0.0' for all Azure-internal IP addresses." - } - }, - "endIpAddress": { - "type": "string", - "metadata": { - "description": "Required. The end IP address of the firewall rule. Must be IPv4 format. 
Must be greater than or equal to startIpAddress. Use value '0.0.0.0' for all Azure-internal IP addresses." - } - }, - "flexibleServerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DBforPostgreSQL/flexibleServers/firewallRules", - "apiVersion": "2022-12-01", - "name": "[format('{0}/{1}', parameters('flexibleServerName'), parameters('name'))]", - "properties": { - "endIpAddress": "[parameters('endIpAddress')]", - "startIpAddress": "[parameters('startIpAddress')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed firewall rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed firewall rule." - }, - "value": "[resourceId('Microsoft.DBforPostgreSQL/flexibleServers/firewallRules', parameters('flexibleServerName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed firewall rule." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "flexibleServer", - "flexibleServer_databases" - ] - }, - "flexibleServer_configurations": { - "copy": { - "name": "flexibleServer_configurations", - "count": "[length(parameters('configurations'))]", - "mode": "serial", - "batchSize": 1 - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PostgreSQL-Configurations-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('configurations')[copyIndex()].name]" - }, - "flexibleServerName": { - "value": "[parameters('name')]" - }, - "source": "[if(contains(parameters('configurations')[copyIndex()], 'source'), createObject('value', parameters('configurations')[copyIndex()].source), createObject('value', ''))]", - "value": "[if(contains(parameters('configurations')[copyIndex()], 'value'), createObject('value', parameters('configurations')[copyIndex()].value), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16469307943232243904" - }, - "name": "DBforPostgreSQL Flexible Server Configurations", - "description": "This module deploys a DBforPostgreSQL Flexible Server Configuration.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the configuration." - } - }, - "flexibleServerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent PostgreSQL flexible server. 
Required if the template is used in a standalone deployment." - } - }, - "source": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Source of the configuration." - } - }, - "value": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Value of the configuration." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DBforPostgreSQL/flexibleServers/configurations", - "apiVersion": "2022-12-01", - "name": "[format('{0}/{1}', parameters('flexibleServerName'), parameters('name'))]", - "properties": { - "source": "[if(not(empty(parameters('source'))), parameters('source'), null())]", - "value": "[if(not(empty(parameters('value'))), parameters('value'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed configuration." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed configuration." 
- }, - "value": "[resourceId('Microsoft.DBforPostgreSQL/flexibleServers/configurations', parameters('flexibleServerName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed configuration." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "flexibleServer", - "flexibleServer_firewallRules" - ] - }, - "flexibleServer_administrators": { - "copy": { - "name": "flexibleServer_administrators", - "count": "[length(parameters('administrators'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PostgreSQL-Administrators-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "flexibleServerName": { - "value": "[parameters('name')]" - }, - "objectId": { - "value": "[parameters('administrators')[copyIndex()].objectId]" - }, - "principalName": { - "value": "[parameters('administrators')[copyIndex()].principalName]" - }, - "principalType": { - "value": "[parameters('administrators')[copyIndex()].principalType]" - }, - "tenantId": "[if(contains(parameters('administrators')[copyIndex()], 'tenantId'), createObject('value', parameters('administrators')[copyIndex()].tenantId), createObject('value', tenant().tenantId))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13863840477045657155" - }, - "name": "DBforPostgreSQL Flexible Server Administrators", - "description": "This module deploys a DBforPostgreSQL Flexible Server Administrator.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "flexibleServerName": { - "type": "string", - "metadata": { - 
"description": "Conditional. The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment." - } - }, - "objectId": { - "type": "string", - "metadata": { - "description": "Required. The objectId of the Active Directory administrator." - } - }, - "principalName": { - "type": "string", - "metadata": { - "description": "Required. Active Directory administrator principal name." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Group", - "ServicePrincipal", - "Unknown", - "User" - ], - "metadata": { - "description": "Required. The principal type used to represent the type of Active Directory Administrator." - } - }, - "tenantId": { - "type": "string", - "defaultValue": "[tenant().tenantId]", - "metadata": { - "description": "Optional. The tenantId of the Active Directory administrator." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DBforPostgreSQL/flexibleServers/administrators", - "apiVersion": "2022-12-01", - "name": "[format('{0}/{1}', parameters('flexibleServerName'), parameters('objectId'))]", - "properties": { - "principalName": "[parameters('principalName')]", - "principalType": "[parameters('principalType')]", - "tenantId": "[parameters('tenantId')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed administrator." - }, - "value": "[parameters('objectId')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed administrator." - }, - "value": "[resourceId('Microsoft.DBforPostgreSQL/flexibleServers/administrators', parameters('flexibleServerName'), parameters('objectId'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed administrator." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "flexibleServer" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed PostgreSQL Flexible server." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed PostgreSQL Flexible server." 
- }, - "value": "[resourceId('Microsoft.DBforPostgreSQL/flexibleServers', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed PostgreSQL Flexible server." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('flexibleServer', '2022-12-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/db-for-postgre-sql/flexible-server/tests/e2e/defaults/main.test.bicep b/modules/db-for-postgre-sql/flexible-server/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index f3177dd795..0000000000 --- a/modules/db-for-postgre-sql/flexible-server/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,57 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-dbforpostgresql.flexibleservers-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dfpsfsmin'
-
-@description('Optional. The password to leverage for the login.')
-@secure()
-param password string = newGuid()
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- administratorLogin: 'adminUserName'
- administratorLoginPassword: password
- skuName: 'Standard_B2s'
- tier: 'Burstable'
- }
-}]
diff --git a/modules/db-for-postgre-sql/flexible-server/tests/e2e/private/dependencies.bicep b/modules/db-for-postgre-sql/flexible-server/tests/e2e/private/dependencies.bicep
deleted file mode 100644
index 45875179d8..0000000000
--- a/modules/db-for-postgre-sql/flexible-server/tests/e2e/private/dependencies.bicep
+++ /dev/null
@@ -1,68 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- delegations: [
- {
- name: 'Microsoft.DBforPostgreSQL.flexibleServers'
- properties: {
- serviceName: 'Microsoft.DBforPostgreSQL/flexibleServers'
- }
- }
- ]
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: '${split(virtualNetworkName, '-')[1]}.postgres.database.azure.com'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/db-for-postgre-sql/flexible-server/tests/e2e/private/main.test.bicep b/modules/db-for-postgre-sql/flexible-server/tests/e2e/private/main.test.bicep
deleted file mode 100644
index fcc65d67d8..0000000000
--- a/modules/db-for-postgre-sql/flexible-server/tests/e2e/private/main.test.bicep
+++ /dev/null
@@ -1,121 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-dbforpostgresql.flexibleservers-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dfpsfspvt' - -@description('Optional. The password to leverage for the login.') -@secure() -param password string = newGuid() - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 
'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - administratorLogin: 'adminUserName' - administratorLoginPassword: password - skuName: 'Standard_D2s_v3' - tier: 'GeneralPurpose' - configurations: [ - { - name: 'log_min_messages' - source: 'user-override' - value: 'INFO' - } - { - name: 'autovacuum_naptime' - source: 'user-override' - value: '80' - } - ] - databases: [ - { - charset: 'UTF8' - collation: 'en_US.utf8' - name: 'testdb1' - } - { - name: 'testdb2' - } - ] - delegatedSubnetResourceId: nestedDependencies.outputs.subnetResourceId - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - geoRedundantBackup: 'Enabled' - privateDnsZoneArmResourceId: nestedDependencies.outputs.privateDNSZoneResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/db-for-postgre-sql/flexible-server/tests/e2e/public/dependencies.bicep b/modules/db-for-postgre-sql/flexible-server/tests/e2e/public/dependencies.bicep deleted file mode 100644 index e54b2767fc..0000000000 --- a/modules/db-for-postgre-sql/flexible-server/tests/e2e/public/dependencies.bicep +++ /dev/null 
@@ -1,64 +0,0 @@ -@description('Optional. The location to deploy resources to.') -param location string = resourceGroup().location - -@description('Required. The name of the Key Vault to create.') -param keyVaultName string - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { - name: keyVaultName - location: location - properties: { - sku: { - family: 'A' - name: 'standard' - } - tenantId: tenant().tenantId - enablePurgeProtection: true - softDeleteRetentionInDays: 7 - enabledForTemplateDeployment: true - enabledForDiskEncryption: true - enabledForDeployment: true - enableRbacAuthorization: true - accessPolicies: [] - } - - resource key 'keys@2022-07-01' = { - name: 'keyEncryptionKey' - properties: { - kty: 'RSA' - } - } -} - -resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment') - scope: keyVault::key - properties: { - principalId: managedIdentity.properties.principalId - roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User - principalType: 'ServicePrincipal' - } -} - -@description('The resource ID of the created Managed Identity.') -output managedIdentityResourceId string = managedIdentity.id - -@description('The client ID of the created Managed Identity.') -output managedIdentityClientId string = managedIdentity.properties.clientId - -@description('The name of the created Managed Identity.') -output managedIdentityName string = managedIdentity.name - -@description('The resource ID of the created Key Vault.') -output keyVaultResourceId string = keyVault.id - -@description('The name of 
the created encryption key.') -output keyName string = keyVault::key.name diff --git a/modules/db-for-postgre-sql/flexible-server/tests/e2e/public/main.test.bicep b/modules/db-for-postgre-sql/flexible-server/tests/e2e/public/main.test.bicep deleted file mode 100644 index 26bda3bd05..0000000000 --- a/modules/db-for-postgre-sql/flexible-server/tests/e2e/public/main.test.bicep +++ /dev/null 
@@ -1,152 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-dbforpostgresql.flexibleservers-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dfpsfsp' - -@description('Generated. Used as a basis for unique resource names.') -param baseTime string = utcNow('u') - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - 
logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - administrators: [ - { - objectId: nestedDependencies.outputs.managedIdentityClientId - principalName: nestedDependencies.outputs.managedIdentityName - principalType: 'ServicePrincipal' - } - ] - skuName: 'Standard_D2s_v3' - tier: 'GeneralPurpose' - availabilityZone: '1' - backupRetentionDays: 20 - configurations: [ - { - name: 'log_min_messages' - source: 'user-override' - value: 'INFO' - } - ] - databases: [ - { - charset: 'UTF8' - collation: 'en_US.utf8' - name: 'testdb1' - } - { - name: 'testdb2' - } - ] - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - firewallRules: [ - { - endIpAddress: '0.0.0.0' - name: 'AllowAllWindowsAzureIps' - startIpAddress: '0.0.0.0' - } - { - endIpAddress: '10.10.10.10' - name: 'test-rule1' - startIpAddress: '10.10.10.1' - } - { - endIpAddress: '100.100.100.10' - name: 'test-rule2' - startIpAddress: '100.100.100.1' - } - ] - geoRedundantBackup: 'Disabled' - highAvailability: 'SameZone' - location: location - 
storageSizeGB: 1024 - version: '14' - customerManagedKey: { - keyName: nestedDependencies.outputs.keyName - keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - userAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId - } - managedIdentities: { - userAssignedResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/db-for-postgre-sql/flexible-server/version.json b/modules/db-for-postgre-sql/flexible-server/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/db-for-postgre-sql/flexible-server/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/desktop-virtualization/application-group/MOVED-TO-AVM.md b/modules/desktop-virtualization/application-group/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/desktop-virtualization/application-group/MOVED-TO-AVM.md +++ /dev/null @@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/desktop-virtualization/application-group/README.md b/modules/desktop-virtualization/application-group/README.md index 4447cc5e3b..a9870f4842 100644 --- a/modules/desktop-virtualization/application-group/README.md +++ b/modules/desktop-virtualization/application-group/README.md @@ -1,745 +1,7 @@ -# Azure Virtual Desktop (AVD) Application Groups `[Microsoft.DesktopVirtualization/applicationGroups]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/desktop-virtualization/application-group](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/desktop-virtualization/application-group).** -This module deploys an Azure Virtual Desktop (AVD) Application Group. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/desktop-virtualization/application-group). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.DesktopVirtualization/applicationGroups` | [2022-09-09](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DesktopVirtualization/2022-09-09/applicationGroups) | -| `Microsoft.DesktopVirtualization/applicationGroups/applications` | [2022-09-09](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DesktopVirtualization/2022-09-09/applicationGroups/applications) | -| `Microsoft.Insights/diagnosticSettings` | 
[2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/desktop-virtualization.application-group:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module applicationGroup 'br:bicep/modules/desktop-virtualization.application-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dvagmin' - params: { - // Required parameters - applicationGroupType: 'RemoteApp' - hostpoolName: '' - name: 'dvagmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "applicationGroupType": { - "value": "RemoteApp" - }, - "hostpoolName": { - "value": "" - }, - "name": { - "value": "dvagmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module applicationGroup 'br:bicep/modules/desktop-virtualization.application-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dvagmax' - params: { - // Required parameters - applicationGroupType: 'RemoteApp' - hostpoolName: '' - name: 'dvagmax001' - // Non-required parameters - applications: [ - { - commandLineArguments: '' - commandLineSetting: 'DoNotAllow' - description: 'Notepad by ARM template' - filePath: 'C:\\Windows\\System32\\notepad.exe' - friendlyName: 'Notepad' - iconIndex: 0 - iconPath: 'C:\\Windows\\System32\\notepad.exe' - name: 'notepad' - showInPortal: true - } - { - filePath: 'C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe' - friendlyName: 'Wordpad' - name: 'wordpad' - } - ] - description: 'This is my first Remote Applications bundle' - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - friendlyName: 'Remote Applications 1' - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "applicationGroupType": { - "value": "RemoteApp" - }, - "hostpoolName": { - "value": "" - }, - "name": { - "value": "dvagmax001" - }, - // Non-required parameters - "applications": { - "value": [ - { - "commandLineArguments": "", - "commandLineSetting": "DoNotAllow", - "description": "Notepad by ARM template", - "filePath": "C:\\Windows\\System32\\notepad.exe", - "friendlyName": "Notepad", - "iconIndex": 0, - "iconPath": "C:\\Windows\\System32\\notepad.exe", - "name": "notepad", - "showInPortal": true - }, - { - "filePath": "C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe", - "friendlyName": "Wordpad", - "name": "wordpad" - } - ] - }, - "description": { - "value": "This is my first Remote Applications bundle" - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "friendlyName": { - "value": "Remote Applications 1" - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module applicationGroup 'br:bicep/modules/desktop-virtualization.application-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dvagwaf' - params: { - // Required parameters - applicationGroupType: 'RemoteApp' - hostpoolName: '' - name: 'dvagwaf001' - // Non-required parameters - applications: [ - { - commandLineArguments: '' - commandLineSetting: 'DoNotAllow' - description: 'Notepad by ARM template' - filePath: 'C:\\Windows\\System32\\notepad.exe' - friendlyName: 'Notepad' - iconIndex: 0 - iconPath: 'C:\\Windows\\System32\\notepad.exe' - name: 'notepad' - showInPortal: true - } - { - filePath: 'C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe' - friendlyName: 'Wordpad' - name: 'wordpad' - } - ] - description: 'This is my first Remote Applications bundle' - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - friendlyName: 'Remote Applications 1' - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "applicationGroupType": { - "value": "RemoteApp" - }, - "hostpoolName": { - "value": "" - }, - "name": { - "value": "dvagwaf001" - }, - // Non-required parameters - "applications": { - "value": [ - { - "commandLineArguments": "", - "commandLineSetting": "DoNotAllow", - "description": "Notepad by ARM template", - "filePath": "C:\\Windows\\System32\\notepad.exe", - "friendlyName": "Notepad", - "iconIndex": 0, - "iconPath": "C:\\Windows\\System32\\notepad.exe", - "name": "notepad", - "showInPortal": true - }, - { - "filePath": "C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe", - "friendlyName": "Wordpad", - "name": "wordpad" - } - ] - }, - "description": { - "value": "This is my first Remote Applications bundle" - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "friendlyName": { - "value": "Remote Applications 1" - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationGroupType`](#parameter-applicationgrouptype) | string | The type of the Application Group to be created. Allowed values: RemoteApp or Desktop. | -| [`hostpoolName`](#parameter-hostpoolname) | string | Name of the Host Pool to be linked to this Application Group. | -| [`name`](#parameter-name) | string | Name of the Application Group to create this application in. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applications`](#parameter-applications) | array | List of applications to be created in the Application Group. | -| [`description`](#parameter-description) | string | The description of the Application Group to be created. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`friendlyName`](#parameter-friendlyname) | string | The friendly name of the Application Group to be created. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `applicationGroupType` - -The type of the Application Group to be created. Allowed values: RemoteApp or Desktop. 
- -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Desktop' - 'RemoteApp' - ] - ``` - -### Parameter: `hostpoolName` - -Name of the Host Pool to be linked to this Application Group. - -- Required: Yes -- Type: string - -### Parameter: `name` - -Name of the Application Group to create this application in. - -- Required: Yes -- Type: string - -### Parameter: `applications` - -List of applications to be created in the Application Group. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `description` - -The description of the Application Group to be created. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `friendlyName` - -The friendly name of the Application Group to be created. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. 
| - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the AVD application group. | -| `resourceGroupName` | string | The resource group the AVD application group was deployed into. | -| `resourceId` | string | The resource ID of the AVD application group. 
| - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/desktop-virtualization/application-group/application/README.md b/modules/desktop-virtualization/application-group/application/README.md deleted file mode 100644 index 816f676251..0000000000 --- a/modules/desktop-virtualization/application-group/application/README.md +++ /dev/null 
@@ -1,149 +0,0 @@ -# Azure Virtual Desktop (AVD) Application Group Applications `[Microsoft.DesktopVirtualization/applicationGroups/applications]` - -This module deploys an Azure Virtual Desktop (AVD) Application Group Application. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.DesktopVirtualization/applicationGroups/applications` | [2022-09-09](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DesktopVirtualization/2022-09-09/applicationGroups/applications) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`filePath`](#parameter-filepath) | string | Specifies a path for the executable file for the application. | -| [`friendlyName`](#parameter-friendlyname) | string | Friendly name of Application.. | -| [`name`](#parameter-name) | string | Name of the Application to be created in the Application Group. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`appGroupName`](#parameter-appgroupname) | string | The name of the parent Application Group to create the application(s) in. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`commandLineArguments`](#parameter-commandlinearguments) | string | Command-Line Arguments for Application. | -| [`commandLineSetting`](#parameter-commandlinesetting) | string | Specifies whether this published application can be launched with command-line arguments provided by the client, command-line arguments specified at publish time, or no command-line arguments at all. | -| [`description`](#parameter-description) | string | Description of Application.. 
| -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`iconIndex`](#parameter-iconindex) | int | Index of the icon. | -| [`iconPath`](#parameter-iconpath) | string | Path to icon. | -| [`showInPortal`](#parameter-showinportal) | bool | Specifies whether to show the RemoteApp program in the RD Web Access server. | - -### Parameter: `filePath` - -Specifies a path for the executable file for the application. - -- Required: Yes -- Type: string - -### Parameter: `friendlyName` - -Friendly name of Application.. - -- Required: Yes -- Type: string - -### Parameter: `name` - -Name of the Application to be created in the Application Group. - -- Required: Yes -- Type: string - -### Parameter: `appGroupName` - -The name of the parent Application Group to create the application(s) in. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `commandLineArguments` - -Command-Line Arguments for Application. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `commandLineSetting` - -Specifies whether this published application can be launched with command-line arguments provided by the client, command-line arguments specified at publish time, or no command-line arguments at all. - -- Required: No -- Type: string -- Default: `'DoNotAllow'` -- Allowed: - ```Bicep - [ - 'Allow' - 'DoNotAllow' - 'Require' - ] - ``` - -### Parameter: `description` - -Description of Application.. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `iconIndex` - -Index of the icon. - -- Required: No -- Type: int -- Default: `0` - -### Parameter: `iconPath` - -Path to icon. 
- -- Required: No -- Type: string -- Default: `''` - -### Parameter: `showInPortal` - -Specifies whether to show the RemoteApp program in the RD Web Access server. - -- Required: No -- Type: bool -- Default: `False` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The Name of the Application Group to register the Application in. | -| `resourceGroupName` | string | The name of the Resource Group the AVD Application was created in. | -| `resourceId` | string | The resource ID of the deployed Application. | - -## Cross-referenced modules - -_None_ diff --git a/modules/desktop-virtualization/application-group/application/main.bicep b/modules/desktop-virtualization/application-group/application/main.bicep deleted file mode 100644 index 92b4c090d2..0000000000 --- a/modules/desktop-virtualization/application-group/application/main.bicep +++ /dev/null 
@@ -1,81 +0,0 @@
-metadata name = 'Azure Virtual Desktop (AVD) Application Group Applications'
-metadata description = 'This module deploys an Azure Virtual Desktop (AVD) Application Group Application.'
-metadata owner = 'Azure/module-maintainers'
-
-@sys.description('Conditional. The name of the parent Application Group to create the application(s) in. Required if the template is used in a standalone deployment.')
-param appGroupName string
-
-@sys.description('Required. Name of the Application to be created in the Application Group.')
-param name string
-
-@sys.description('Optional. Description of Application..')
-param description string = ''
-
-@sys.description('Required. Friendly name of Application..')
-param friendlyName string
-
-@sys.description('Required. Specifies a path for the executable file for the application.')
-param filePath string
-
-@allowed([
- 'Allow'
- 'DoNotAllow'
- 'Require'
-])
-@sys.description('Optional. Specifies whether this published application can be launched with command-line arguments provided by the client, command-line arguments specified at publish time, or no command-line arguments at all.')
-param commandLineSetting string = 'DoNotAllow'
-
-@sys.description('Optional. Command-Line Arguments for Application.')
-param commandLineArguments string = ''
-
-@sys.description('Optional. Specifies whether to show the RemoteApp program in the RD Web Access server.')
-param showInPortal bool = false
-
-@sys.description('Optional. Path to icon.')
-param iconPath string = ''
-
-@sys.description('Optional. Index of the icon.')
-param iconIndex int = 0
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource applicationGroup 'Microsoft.DesktopVirtualization/applicationGroups@2022-09-09' existing = {
- name: appGroupName
-}
-
-resource application 'Microsoft.DesktopVirtualization/applicationGroups/applications@2022-09-09' = {
- name: name
- parent: applicationGroup
- properties: {
- description: description
- friendlyName: friendlyName
- filePath: filePath
- commandLineSetting: commandLineSetting
- commandLineArguments: commandLineArguments
- showInPortal: showInPortal
- iconPath: iconPath
- iconIndex: iconIndex
- }
-}
-
-@sys.description('The resource ID of the deployed Application.')
-output resourceId string = application.id
-
-@sys.description('The name of the Resource Group the AVD Application was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@sys.description('The Name of the Application Group to register the Application in.')
-output name string = appGroupName
diff --git a/modules/desktop-virtualization/application-group/application/main.json b/modules/desktop-virtualization/application-group/application/main.json
deleted file mode 100644
index d71d7dc90c..0000000000
--- a/modules/desktop-virtualization/application-group/application/main.json
+++ /dev/null
@@ -1,148 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "7589932805110524859" - }, - "name": "Azure Virtual Desktop (AVD) Application Group Applications", - "description": "This module deploys an Azure Virtual Desktop (AVD) Application Group Application.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "appGroupName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Application Group to create the application(s) in. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Application to be created in the Application Group." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Description of Application.." - } - }, - "friendlyName": { - "type": "string", - "metadata": { - "description": "Required. Friendly name of Application.." - } - }, - "filePath": { - "type": "string", - "metadata": { - "description": "Required. Specifies a path for the executable file for the application." - } - }, - "commandLineSetting": { - "type": "string", - "defaultValue": "DoNotAllow", - "allowedValues": [ - "Allow", - "DoNotAllow", - "Require" - ], - "metadata": { - "description": "Optional. Specifies whether this published application can be launched with command-line arguments provided by the client, command-line arguments specified at publish time, or no command-line arguments at all." - } - }, - "commandLineArguments": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Command-Line Arguments for Application." - } - }, - "showInPortal": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. 
Specifies whether to show the RemoteApp program in the RD Web Access server." - } - }, - "iconPath": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Path to icon." - } - }, - "iconIndex": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. Index of the icon." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DesktopVirtualization/applicationGroups/applications", - "apiVersion": "2022-09-09", - "name": "[format('{0}/{1}', parameters('appGroupName'), parameters('name'))]", - "properties": { - "description": "[parameters('description')]", - "friendlyName": "[parameters('friendlyName')]", - "filePath": "[parameters('filePath')]", - "commandLineSetting": "[parameters('commandLineSetting')]", - "commandLineArguments": "[parameters('commandLineArguments')]", - "showInPortal": "[parameters('showInPortal')]", - "iconPath": "[parameters('iconPath')]", - "iconIndex": "[parameters('iconIndex')]" - } - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed Application." 
- }, - "value": "[resourceId('Microsoft.DesktopVirtualization/applicationGroups/applications', parameters('appGroupName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the AVD Application was created in." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The Name of the Application Group to register the Application in." - }, - "value": "[parameters('appGroupName')]" - } - } -} \ No newline at end of file diff --git a/modules/desktop-virtualization/application-group/application/version.json b/modules/desktop-virtualization/application-group/application/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/desktop-virtualization/application-group/application/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/desktop-virtualization/application-group/main.bicep b/modules/desktop-virtualization/application-group/main.bicep deleted file mode 100644 index 55bd2d0ee3..0000000000 --- a/modules/desktop-virtualization/application-group/main.bicep +++ /dev/null 
@@ -1,234 +0,0 @@
-metadata name = 'Azure Virtual Desktop (AVD) Application Groups'
-metadata description = 'This module deploys an Azure Virtual Desktop (AVD) Application Group.'
-metadata owner = 'Azure/module-maintainers'
-
-@sys.description('Required. Name of the Application Group to create this application in.')
-@minLength(1)
-param name string
-
-@sys.description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@sys.description('Required. The type of the Application Group to be created. Allowed values: RemoteApp or Desktop.')
-@allowed([
- 'RemoteApp'
- 'Desktop'
-])
-param applicationGroupType string
-
-@sys.description('Required. Name of the Host Pool to be linked to this Application Group.')
-param hostpoolName string
-
-@sys.description('Optional. The friendly name of the Application Group to be created.')
-param friendlyName string = ''
-
-@sys.description('Optional. The description of the Application Group to be created.')
-param description string = ''
-
-@sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalIds\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@sys.description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@sys.description('Optional. The lock settings of the service.')
-param lock lockType
-
-@sys.description('Optional. Tags of the resource.')
-param tags object?
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@sys.description('Optional. List of applications to be created in the Application Group.')
-param applications array = []
-
-var enableReferencedModulesTelemetry = false
-
-var builtInRoleNames = {
- 'Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Desktop Virtualization Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8')
- 'Desktop Virtualization Application Group Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')
- 'Desktop Virtualization Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')
- 'Desktop Virtualization Host Pool Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc')
- 'Desktop Virtualization Host Pool Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822')
- 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')
- 'Desktop Virtualization Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868')
- 'Desktop Virtualization Session Host Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408')
- 'Desktop Virtualization User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')
- 'Desktop Virtualization User Session Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')
- 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')
- 'Desktop Virtualization Workspace Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')
- 'Desktop Virtualization Workspace Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource appGroup_hostpool 'Microsoft.DesktopVirtualization/hostPools@2022-09-09' existing = {
- name: hostpoolName
-}
-
-resource appGroup 'Microsoft.DesktopVirtualization/applicationGroups@2022-09-09' = {
- name: name
- location: location
- tags: tags
- properties: {
- hostPoolArmPath: appGroup_hostpool.id
- friendlyName: friendlyName
- description: description
- applicationGroupType: applicationGroupType
- }
-}
-
-resource appGroup_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: appGroup
-}
-
-resource appGroup_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: appGroup
-}]
-
-module appGroup_applications 'application/main.bicep' = [for (application, index) in applications: {
- name: '${uniqueString(deployment().name, location)}-AppGroup-App-${index}'
- params: {
- name: application.name
- appGroupName: appGroup.name
- description: contains(application, 'description') ? application.description : ''
- friendlyName: contains(application, 'friendlyName') ? application.friendlyName : appGroup.name
- filePath: application.filePath
- commandLineSetting: contains(application, 'commandLineSetting') ? application.commandLineSetting : 'DoNotAllow'
- commandLineArguments: contains(application, 'commandLineArguments') ? application.commandLineArguments : ''
- showInPortal: contains(application, 'showInPortal') ? application.showInPortal : false
- iconPath: contains(application, 'iconPath') ? application.iconPath : application.filePath
- iconIndex: contains(application, 'iconIndex') ? application.iconIndex : 0
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-resource appGroup_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(appGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: appGroup
-}]
-
-@sys.description('The resource ID of the AVD application group.')
-output resourceId string = appGroup.id
-
-@sys.description('The resource group the AVD application group was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@sys.description('The name of the AVD application group.')
-output name string = appGroup.name
-
-@sys.description('The location the resource was deployed into.')
-output location string = appGroup.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @sys.description('Optional. Specify the name of lock.')
- name: string?
-
- @sys.description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @sys.description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @sys.description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @sys.description('Optional. The description of the role assignment.')
- description: string?
-
- @sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @sys.description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @sys.description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type diagnosticSettingType = {
- @sys.description('Optional. The name of diagnostic setting.')
- name: string?
-
- @sys.description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @sys.description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @sys.description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @sys.description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @sys.description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @sys.description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @sys.description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @sys.description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @sys.description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/desktop-virtualization/application-group/main.json b/modules/desktop-virtualization/application-group/main.json
deleted file mode 100644
index 8f821d9242..0000000000
--- a/modules/desktop-virtualization/application-group/main.json
+++ /dev/null
@@ -1,618 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "17909877610324536400" - }, - "name": "Azure Virtual Desktop (AVD) Application Groups", - "description": "This module deploys an Azure Virtual Desktop (AVD) Application Group.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
- } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "minLength": 1, - "metadata": { - "description": "Required. Name of the Application Group to create this application in." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." 
- } - }, - "applicationGroupType": { - "type": "string", - "allowedValues": [ - "RemoteApp", - "Desktop" - ], - "metadata": { - "description": "Required. The type of the Application Group to be created. Allowed values: RemoteApp or Desktop." - } - }, - "hostpoolName": { - "type": "string", - "metadata": { - "description": "Required. Name of the Host Pool to be linked to this Application Group." - } - }, - "friendlyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The friendly name of the Application Group to be created." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the Application Group to be created." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "applications": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. 
List of applications to be created in the Application Group." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Desktop Virtualization Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8')]", - "Desktop Virtualization Application Group Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')]", - "Desktop Virtualization Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')]", - "Desktop Virtualization Host Pool Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc')]", - "Desktop Virtualization Host Pool Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822')]", - "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868')]", - "Desktop Virtualization Session Host Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408')]", - "Desktop Virtualization User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", - "Desktop Virtualization User Session Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "Desktop Virtualization Workspace Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')]", - "Desktop Virtualization Workspace Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "appGroup_hostpool": { - "existing": true, - "type": "Microsoft.DesktopVirtualization/hostPools", - "apiVersion": "2022-09-09", - "name": "[parameters('hostpoolName')]" - }, - "appGroup": { - "type": "Microsoft.DesktopVirtualization/applicationGroups", - "apiVersion": "2022-09-09", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", 
- "properties": { - "hostPoolArmPath": "[resourceId('Microsoft.DesktopVirtualization/hostPools', parameters('hostpoolName'))]", - "friendlyName": "[parameters('friendlyName')]", - "description": "[parameters('description')]", - "applicationGroupType": "[parameters('applicationGroupType')]" - }, - "dependsOn": [ - "appGroup_hostpool" - ] - }, - "appGroup_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.DesktopVirtualization/applicationGroups/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "appGroup" - ] - }, - "appGroup_diagnosticSettings": { - "copy": { - "name": "appGroup_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.DesktopVirtualization/applicationGroups/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), 
createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "appGroup" - ] - }, - "appGroup_roleAssignments": { - "copy": { - "name": "appGroup_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.DesktopVirtualization/applicationGroups/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.DesktopVirtualization/applicationGroups', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "appGroup" - ] - }, - "appGroup_applications": { - "copy": { - "name": "appGroup_applications", - "count": "[length(parameters('applications'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AppGroup-App-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('applications')[copyIndex()].name]" - }, - "appGroupName": { - "value": "[parameters('name')]" - }, - "description": "[if(contains(parameters('applications')[copyIndex()], 'description'), createObject('value', parameters('applications')[copyIndex()].description), createObject('value', ''))]", - "friendlyName": "[if(contains(parameters('applications')[copyIndex()], 'friendlyName'), createObject('value', parameters('applications')[copyIndex()].friendlyName), createObject('value', parameters('name')))]", - "filePath": { - 
"value": "[parameters('applications')[copyIndex()].filePath]" - }, - "commandLineSetting": "[if(contains(parameters('applications')[copyIndex()], 'commandLineSetting'), createObject('value', parameters('applications')[copyIndex()].commandLineSetting), createObject('value', 'DoNotAllow'))]", - "commandLineArguments": "[if(contains(parameters('applications')[copyIndex()], 'commandLineArguments'), createObject('value', parameters('applications')[copyIndex()].commandLineArguments), createObject('value', ''))]", - "showInPortal": "[if(contains(parameters('applications')[copyIndex()], 'showInPortal'), createObject('value', parameters('applications')[copyIndex()].showInPortal), createObject('value', false()))]", - "iconPath": "[if(contains(parameters('applications')[copyIndex()], 'iconPath'), createObject('value', parameters('applications')[copyIndex()].iconPath), createObject('value', parameters('applications')[copyIndex()].filePath))]", - "iconIndex": "[if(contains(parameters('applications')[copyIndex()], 'iconIndex'), createObject('value', parameters('applications')[copyIndex()].iconIndex), createObject('value', 0))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "7589932805110524859" - }, - "name": "Azure Virtual Desktop (AVD) Application Group Applications", - "description": "This module deploys an Azure Virtual Desktop (AVD) Application Group Application.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "appGroupName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Application Group to create the application(s) in. Required if the template is used in a standalone deployment." 
- } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Application to be created in the Application Group." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Description of Application.." - } - }, - "friendlyName": { - "type": "string", - "metadata": { - "description": "Required. Friendly name of Application.." - } - }, - "filePath": { - "type": "string", - "metadata": { - "description": "Required. Specifies a path for the executable file for the application." - } - }, - "commandLineSetting": { - "type": "string", - "defaultValue": "DoNotAllow", - "allowedValues": [ - "Allow", - "DoNotAllow", - "Require" - ], - "metadata": { - "description": "Optional. Specifies whether this published application can be launched with command-line arguments provided by the client, command-line arguments specified at publish time, or no command-line arguments at all." - } - }, - "commandLineArguments": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Command-Line Arguments for Application." - } - }, - "showInPortal": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether to show the RemoteApp program in the RD Web Access server." - } - }, - "iconPath": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Path to icon." - } - }, - "iconIndex": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. Index of the icon." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DesktopVirtualization/applicationGroups/applications", - "apiVersion": "2022-09-09", - "name": "[format('{0}/{1}', parameters('appGroupName'), parameters('name'))]", - "properties": { - "description": "[parameters('description')]", - "friendlyName": "[parameters('friendlyName')]", - "filePath": "[parameters('filePath')]", - "commandLineSetting": "[parameters('commandLineSetting')]", - "commandLineArguments": "[parameters('commandLineArguments')]", - "showInPortal": "[parameters('showInPortal')]", - "iconPath": "[parameters('iconPath')]", - "iconIndex": "[parameters('iconIndex')]" - } - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed Application." - }, - "value": "[resourceId('Microsoft.DesktopVirtualization/applicationGroups/applications', parameters('appGroupName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the AVD Application was created in." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The Name of the Application Group to register the Application in." - }, - "value": "[parameters('appGroupName')]" - } - } - } - }, - "dependsOn": [ - "appGroup" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the AVD application group." 
- }, - "value": "[resourceId('Microsoft.DesktopVirtualization/applicationGroups', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the AVD application group was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the AVD application group." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('appGroup', '2022-09-09', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/desktop-virtualization/application-group/tests/e2e/defaults/dependencies.bicep b/modules/desktop-virtualization/application-group/tests/e2e/defaults/dependencies.bicep deleted file mode 100644 index c97eeab034..0000000000 --- a/modules/desktop-virtualization/application-group/tests/e2e/defaults/dependencies.bicep +++ /dev/null @@ -1,18 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Host Pool to create.') -param hostPoolName string - -resource hostPool 'Microsoft.DesktopVirtualization/hostPools@2022-09-09' = { - name: hostPoolName - location: location - properties: { - hostPoolType: 'Pooled' - loadBalancerType: 'BreadthFirst' - preferredAppGroupType: 'Desktop' - } -} - -@description('The name of the created Host Pool.') -output hostPoolName string = hostPool.name diff --git a/modules/desktop-virtualization/application-group/tests/e2e/defaults/main.test.bicep b/modules/desktop-virtualization/application-group/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 54746b0764..0000000000 --- a/modules/desktop-virtualization/application-group/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,59 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.applicationgroups-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dvagmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- hostPoolName: 'dep-${namePrefix}-hp-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- applicationGroupType: 'RemoteApp'
- hostpoolName: nestedDependencies.outputs.hostPoolName
- }
-}]
diff --git a/modules/desktop-virtualization/application-group/tests/e2e/max/dependencies.bicep b/modules/desktop-virtualization/application-group/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 41ca94022b..0000000000
--- a/modules/desktop-virtualization/application-group/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,29 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Host Pool to create.')
-param hostPoolName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource hostPool 'Microsoft.DesktopVirtualization/hostPools@2022-09-09' = {
- name: hostPoolName
- location: location
- properties: {
- hostPoolType: 'Pooled'
- loadBalancerType: 'BreadthFirst'
- preferredAppGroupType: 'Desktop'
- }
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The name of the created Host Pool.')
-output hostPoolName string = hostPool.name
diff --git a/modules/desktop-virtualization/application-group/tests/e2e/max/main.test.bicep b/modules/desktop-virtualization/application-group/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 3529748317..0000000000
--- a/modules/desktop-virtualization/application-group/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,130 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.applicationgroups-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dvagmax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - hostPoolName: 'dep-${namePrefix}-hp-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - 
eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - applicationGroupType: 'RemoteApp' - hostpoolName: nestedDependencies.outputs.hostPoolName - applications: [ - { - commandLineArguments: '' - commandLineSetting: 'DoNotAllow' - description: 'Notepad by ARM template' - filePath: 'C:\\Windows\\System32\\notepad.exe' - friendlyName: 'Notepad' - iconIndex: 0 - iconPath: 'C:\\Windows\\System32\\notepad.exe' - name: 'notepad' - showInPortal: true - } - { - filePath: 'C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe' - friendlyName: 'Wordpad' - name: 'wordpad' - } - ] - description: 'This is my first Remote Applications bundle' - diagnosticSettings: [ - { - name: 'customSetting' - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - friendlyName: 'Remote Applications 1' - location: location - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/dependencies.bicep b/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/dependencies.bicep deleted file mode 100644 index 41ca94022b..0000000000 --- a/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null @@ -1,29 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -@description('Required. The name of the Host Pool to create.') -param hostPoolName string - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -resource hostPool 'Microsoft.DesktopVirtualization/hostPools@2022-09-09' = { - name: hostPoolName - location: location - properties: { - hostPoolType: 'Pooled' - loadBalancerType: 'BreadthFirst' - preferredAppGroupType: 'Desktop' - } -} - -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId - -@description('The name of the created Host Pool.') -output hostPoolName string = hostPool.name diff --git a/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep deleted file mode 100644 index 8bfb658ff8..0000000000 
--- a/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep +++ /dev/null 
@@ -1,113 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.applicationgroups-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dvagwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - hostPoolName: 'dep-${namePrefix}-hp-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 
'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - applicationGroupType: 'RemoteApp' - hostpoolName: nestedDependencies.outputs.hostPoolName - applications: [ - { - commandLineArguments: '' - commandLineSetting: 'DoNotAllow' - description: 'Notepad by ARM template' - filePath: 'C:\\Windows\\System32\\notepad.exe' - friendlyName: 'Notepad' - iconIndex: 0 - iconPath: 'C:\\Windows\\System32\\notepad.exe' - name: 'notepad' - showInPortal: true - } - { - filePath: 'C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe' - friendlyName: 'Wordpad' - name: 'wordpad' - } - ] - description: 'This is my first Remote Applications bundle' - diagnosticSettings: [ - { - name: 'customSetting' - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - friendlyName: 'Remote Applications 1' - location: location - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/desktop-virtualization/application-group/version.json b/modules/desktop-virtualization/application-group/version.json deleted file mode 100644 index 96236a61ba..0000000000 
--- a/modules/desktop-virtualization/application-group/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/desktop-virtualization/host-pool/MOVED-TO-AVM.md b/modules/desktop-virtualization/host-pool/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/desktop-virtualization/host-pool/MOVED-TO-AVM.md +++ /dev/null @@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/desktop-virtualization/host-pool/README.md b/modules/desktop-virtualization/host-pool/README.md index de8e9bb52b..18d08b6806 100644 --- a/modules/desktop-virtualization/host-pool/README.md +++ b/modules/desktop-virtualization/host-pool/README.md @@ -1,1077 +1,7 @@ -# Azure Virtual Desktop (AVD) Host Pools `[Microsoft.DesktopVirtualization/hostPools]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/desktop-virtualization/host-pool](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/desktop-virtualization/host-pool).** -This module deploys an Azure Virtual Desktop (AVD) Host Pool. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/desktop-virtualization/host-pool). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.DesktopVirtualization/hostPools` | [2022-09-09](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DesktopVirtualization/2022-09-09/hostPools) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. 
- ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/desktop-virtualization.host-pool:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dvhpmin' - params: { - // Required parameters - name: 'dvhpmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dvhpmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dvhpmax' - params: { - // Required parameters - name: 'dvhpmax001' - // Non-required parameters - agentUpdate: { - maintenanceWindows: [ - { - dayOfWeek: 'Friday' - hour: 7 - } - { - dayOfWeek: 'Saturday' - hour: 8 - } - ] - maintenanceWindowTimeZone: 'Alaskan Standard Time' - type: 'Scheduled' - useSessionHostLocalTime: false - } - customRdpProperty: 'audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;' - description: 'My first AVD Host Pool' - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - friendlyName: 'AVDv2' - loadBalancerType: 'BreadthFirst' - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - maxSessionLimit: 99999 - personalDesktopAssignmentType: 'Automatic' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - type: 'Pooled' - vmTemplate: { - customImageId: '' - domain: 'domainname.onmicrosoft.com' - galleryImageOffer: 'office-365' - galleryImagePublisher: 'microsoftwindowsdesktop' - galleryImageSKU: '20h1-evd-o365pp' - imageType: 'Gallery' - imageUri: '' - namePrefix: 'avdv2' - osDiskType: 'StandardSSD_LRS' - useManagedDisks: true - vmSize: { - cores: 2 - id: 'Standard_D2s_v3' - ram: 8 - } 
- } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dvhpmax001" - }, - // Non-required parameters - "agentUpdate": { - "value": { - "maintenanceWindows": [ - { - "dayOfWeek": "Friday", - "hour": 7 - }, - { - "dayOfWeek": "Saturday", - "hour": 8 - } - ], - "maintenanceWindowTimeZone": "Alaskan Standard Time", - "type": "Scheduled", - "useSessionHostLocalTime": false - } - }, - "customRdpProperty": { - "value": "audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;" - }, - "description": { - "value": "My first AVD Host Pool" - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "friendlyName": { - "value": "AVDv2" - }, - "loadBalancerType": { - "value": "BreadthFirst" - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "maxSessionLimit": { - "value": 99999 - }, - "personalDesktopAssignmentType": { - "value": "Automatic" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "type": { - "value": "Pooled" - }, - 
"vmTemplate": { - "value": { - "customImageId": "", - "domain": "domainname.onmicrosoft.com", - "galleryImageOffer": "office-365", - "galleryImagePublisher": "microsoftwindowsdesktop", - "galleryImageSKU": "20h1-evd-o365pp", - "imageType": "Gallery", - "imageUri": "", - "namePrefix": "avdv2", - "osDiskType": "StandardSSD_LRS", - "useManagedDisks": true, - "vmSize": { - "cores": 2, - "id": "Standard_D2s_v3", - "ram": 8 - } - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dvhpwaf' - params: { - // Required parameters - name: 'dvhpwaf001' - // Non-required parameters - agentUpdate: { - maintenanceWindows: [ - { - dayOfWeek: 'Friday' - hour: 7 - } - { - dayOfWeek: 'Saturday' - hour: 8 - } - ] - maintenanceWindowTimeZone: 'Alaskan Standard Time' - type: 'Scheduled' - useSessionHostLocalTime: false - } - customRdpProperty: 'audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;' - description: 'My first AVD Host Pool' - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - friendlyName: 'AVDv2' - loadBalancerType: 'BreadthFirst' - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - maxSessionLimit: 99999 - personalDesktopAssignmentType: 'Automatic' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - type: 'Pooled' - vmTemplate: { - customImageId: '' - domain: 'domainname.onmicrosoft.com' - galleryImageOffer: 'office-365' - galleryImagePublisher: 'microsoftwindowsdesktop' - galleryImageSKU: '20h1-evd-o365pp' - imageType: 'Gallery' - imageUri: '' - namePrefix: 'avdv2' - osDiskType: 'StandardSSD_LRS' - useManagedDisks: true - vmSize: { - cores: 2 - id: 'Standard_D2s_v3' - ram: 8 - } - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dvhpwaf001" - }, - // Non-required parameters - "agentUpdate": { - "value": { - "maintenanceWindows": [ - { - "dayOfWeek": "Friday", - "hour": 7 - }, - { - "dayOfWeek": "Saturday", - "hour": 8 - } - ], - "maintenanceWindowTimeZone": "Alaskan Standard Time", - "type": "Scheduled", - "useSessionHostLocalTime": false - } - }, - "customRdpProperty": { - "value": "audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;" - }, - "description": { - "value": "My first AVD Host Pool" - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "friendlyName": { - "value": "AVDv2" - }, - "loadBalancerType": { - "value": "BreadthFirst" - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "maxSessionLimit": { - "value": 99999 - }, - "personalDesktopAssignmentType": { - "value": "Automatic" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "type": { - "value": "Pooled" - }, - "vmTemplate": { - "value": { - "customImageId": "", - "domain": "domainname.onmicrosoft.com", - "galleryImageOffer": "office-365", - "galleryImagePublisher": "microsoftwindowsdesktop", - "galleryImageSKU": "20h1-evd-o365pp", - "imageType": "Gallery", - "imageUri": "", - "namePrefix": "avdv2", - "osDiskType": "StandardSSD_LRS", - "useManagedDisks": true, - "vmSize": { - "cores": 2, - 
"id": "Standard_D2s_v3", - "ram": 8 - } - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Host Pool. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`agentUpdate`](#parameter-agentupdate) | object | The session host configuration for updating agent, monitoring agent, and stack component. | -| [`agentUpdateMaintenanceWindowDayOfWeek`](#parameter-agentupdatemaintenancewindowdayofweek) | string | Update day for scheduled agent updates. | -| [`agentUpdateMaintenanceWindowHour`](#parameter-agentupdatemaintenancewindowhour) | int | Update hour for scheduled agent updates. | -| [`agentUpdateMaintenanceWindows`](#parameter-agentupdatemaintenancewindows) | array | List of maintenance windows for scheduled agent updates. | -| [`agentUpdateMaintenanceWindowTimeZone`](#parameter-agentupdatemaintenancewindowtimezone) | string | Time zone for scheduled agent updates. | -| [`agentUpdateType`](#parameter-agentupdatetype) | string | Enable scheduled agent updates, Default means agent updates will automatically be installed by AVD when they become available. | -| [`agentUpdateUseSessionHostLocalTime`](#parameter-agentupdateusesessionhostlocaltime) | bool | Whether to use localTime of the virtual machine for scheduled agent updates. | -| [`customRdpProperty`](#parameter-customrdpproperty) | string | Host Pool RDP properties. | -| [`description`](#parameter-description) | string | The description of the Host Pool to be created. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`friendlyName`](#parameter-friendlyname) | string | The friendly name of the Host Pool to be created. | -| [`loadBalancerType`](#parameter-loadbalancertype) | string | Type of load balancer algorithm. 
| -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`maxSessionLimit`](#parameter-maxsessionlimit) | int | Maximum number of sessions. | -| [`personalDesktopAssignmentType`](#parameter-personaldesktopassignmenttype) | string | Set the type of assignment for a Personal Host Pool type. | -| [`preferredAppGroupType`](#parameter-preferredappgrouptype) | string | The type of preferred application group type, default to Desktop Application Group. | -| [`ring`](#parameter-ring) | int | The ring number of HostPool. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`ssoadfsAuthority`](#parameter-ssoadfsauthority) | string | URL to customer ADFS server for signing WVD SSO certificates. | -| [`ssoClientId`](#parameter-ssoclientid) | string | ClientId for the registered Relying Party used to issue WVD SSO certificates. | -| [`ssoClientSecretKeyVaultPath`](#parameter-ssoclientsecretkeyvaultpath) | string | Path to Azure KeyVault storing the secret used for communication to ADFS. | -| [`ssoSecretType`](#parameter-ssosecrettype) | string | The type of single sign on Secret Type. | -| [`startVMOnConnect`](#parameter-startvmonconnect) | bool | Enable Start VM on connect to allow users to start the virtual machine from a deallocated state. Important: Custom RBAC role required to power manage VMs. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`tokenValidityLength`](#parameter-tokenvaliditylength) | string | Host Pool token validity length. 
Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the token will be valid for 8 hours. | -| [`type`](#parameter-type) | string | Set this parameter to Personal if you would like to enable Persistent Desktop experience. Defaults to Pooled. | -| [`validationEnvironment`](#parameter-validationenvironment) | bool | Validation host pools allows you to test service changes before they are deployed to production. When set to true, the Host Pool will be deployed in a validation 'ring' (environment) that receives all the new features (might be less stable). Defaults to false that stands for the stable, production-ready environment. | -| [`vmTemplate`](#parameter-vmtemplate) | object | The necessary information for adding more VMs to this Host Pool. The object is converted to an in-line string when handed over to the resource deployment, since that only takes strings. | - -**Generated parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`baseTime`](#parameter-basetime) | string | Do not provide a value! This date value is used to generate a registration token. | - -### Parameter: `name` - -Name of the Host Pool. - -- Required: Yes -- Type: string - -### Parameter: `agentUpdate` - -The session host configuration for updating agent, monitoring agent, and stack component. - -- Required: No -- Type: object -- Default: - ```Bicep - { - maintenanceWindows: '[parameters(\'agentUpdateMaintenanceWindows\')]' - maintenanceWindowTimeZone: '[parameters(\'agentUpdateMaintenanceWindowTimeZone\')]' - type: '[parameters(\'agentUpdateType\')]' - useSessionHostLocalTime: '[parameters(\'agentUpdateUseSessionHostLocalTime\')]' - } - ``` - -### Parameter: `agentUpdateMaintenanceWindowDayOfWeek` - -Update day for scheduled agent updates. 
- -- Required: No -- Type: string -- Default: `'Sunday'` -- Allowed: - ```Bicep - [ - 'Friday' - 'Monday' - 'Saturday' - 'Sunday' - 'Thursday' - 'Tuesday' - 'Wednesday' - ] - ``` - -### Parameter: `agentUpdateMaintenanceWindowHour` - -Update hour for scheduled agent updates. - -- Required: No -- Type: int -- Default: `22` - -### Parameter: `agentUpdateMaintenanceWindows` - -List of maintenance windows for scheduled agent updates. - -- Required: No -- Type: array -- Default: - ```Bicep - [ - { - dayOfWeek: '[parameters(\'agentUpdateMaintenanceWindowDayOfWeek\')]' - hour: '[parameters(\'agentUpdateMaintenanceWindowHour\')]' - } - ] - ``` - -### Parameter: `agentUpdateMaintenanceWindowTimeZone` - -Time zone for scheduled agent updates. - -- Required: No -- Type: string -- Default: `'Central Standard Time'` - -### Parameter: `agentUpdateType` - -Enable scheduled agent updates, Default means agent updates will automatically be installed by AVD when they become available. - -- Required: No -- Type: string -- Default: `'Default'` -- Allowed: - ```Bicep - [ - 'Default' - 'Scheduled' - ] - ``` - -### Parameter: `agentUpdateUseSessionHostLocalTime` - -Whether to use localTime of the virtual machine for scheduled agent updates. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `customRdpProperty` - -Host Pool RDP properties. - -- Required: No -- Type: string -- Default: `'audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;'` - -### Parameter: `description` - -The description of the Host Pool to be created. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. 
- -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `friendlyName` - -The friendly name of the Host Pool to be created. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `loadBalancerType` - -Type of load balancer algorithm. - -- Required: No -- Type: string -- Default: `'BreadthFirst'` -- Allowed: - ```Bicep - [ - 'BreadthFirst' - 'DepthFirst' - 'Persistent' - ] - ``` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `maxSessionLimit` - -Maximum number of sessions. - -- Required: No -- Type: int -- Default: `99999` - -### Parameter: `personalDesktopAssignmentType` - -Set the type of assignment for a Personal Host Pool type. 
- -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Automatic' - 'Direct' - ] - ``` - -### Parameter: `preferredAppGroupType` - -The type of preferred application group type, default to Desktop Application Group. - -- Required: No -- Type: string -- Default: `'Desktop'` -- Allowed: - ```Bicep - [ - 'Desktop' - 'None' - 'RailApplications' - ] - ``` - -### Parameter: `ring` - -The ring number of HostPool. - -- Required: No -- Type: int -- Default: `-1` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. 
| -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `ssoadfsAuthority` - -URL to customer ADFS server for signing WVD SSO certificates. 
- -- Required: No -- Type: string -- Default: `''` - -### Parameter: `ssoClientId` - -ClientId for the registered Relying Party used to issue WVD SSO certificates. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `ssoClientSecretKeyVaultPath` - -Path to Azure KeyVault storing the secret used for communication to ADFS. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `ssoSecretType` - -The type of single sign on Secret Type. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Certificate' - 'CertificateInKeyVault' - 'SharedKey' - 'SharedKeyInKeyVault' - ] - ``` - -### Parameter: `startVMOnConnect` - -Enable Start VM on connect to allow users to start the virtual machine from a deallocated state. Important: Custom RBAC role required to power manage VMs. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `tokenValidityLength` - -Host Pool token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the token will be valid for 8 hours. - -- Required: No -- Type: string -- Default: `'PT8H'` - -### Parameter: `type` - -Set this parameter to Personal if you would like to enable Persistent Desktop experience. Defaults to Pooled. - -- Required: No -- Type: string -- Default: `'Pooled'` -- Allowed: - ```Bicep - [ - 'Personal' - 'Pooled' - ] - ``` - -### Parameter: `validationEnvironment` - -Validation host pools allows you to test service changes before they are deployed to production. When set to true, the Host Pool will be deployed in a validation 'ring' (environment) that receives all the new features (might be less stable). Defaults to false that stands for the stable, production-ready environment. 
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `vmTemplate`
-
-The necessary information for adding more VMs to this Host Pool. The object is converted to an in-line string when handed over to the resource deployment, since that only takes strings.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `baseTime`
-
-Do not provide a value! This date value is used to generate a registration token.
-
-- Required: No
-- Type: string
-- Default: `[utcNow('u')]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the AVD host pool. |
-| `resourceGroupName` | string | The resource group the AVD host pool was deployed into. |
-| `resourceId` | string | The resource ID of the AVD host pool. |
-| `tokenExpirationTime` | string | The expiration time for the registration token. |
-
-## Cross-referenced modules
-
-_None_
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/desktop-virtualization/host-pool/main.bicep b/modules/desktop-virtualization/host-pool/main.bicep
deleted file mode 100644
index 1af44b1e15..0000000000
--- a/modules/desktop-virtualization/host-pool/main.bicep
+++ /dev/null
@@ -1,343 +0,0 @@ -metadata name = 'Azure Virtual Desktop (AVD) Host Pools' -metadata description = 'This module deploys an Azure Virtual Desktop (AVD) Host Pool.' -metadata owner = 'Azure/module-maintainers' - -@sys.description('Required. Name of the Host Pool.') -@minLength(1) -param name string - -@sys.description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@sys.description('Optional. The friendly name of the Host Pool to be created.') -param friendlyName string = '' - -@sys.description('Optional. The description of the Host Pool to be created.') -param description string = '' - -@sys.description('Optional. Set this parameter to Personal if you would like to enable Persistent Desktop experience. Defaults to Pooled.') -@allowed([ - 'Personal' - 'Pooled' -]) -param type string = 'Pooled' - -@sys.description('Optional. Set the type of assignment for a Personal Host Pool type.') -@allowed([ - 'Automatic' - 'Direct' - '' -]) -param personalDesktopAssignmentType string = '' - -@sys.description('Optional. Type of load balancer algorithm.') -@allowed([ - 'BreadthFirst' - 'DepthFirst' - 'Persistent' -]) -param loadBalancerType string = 'BreadthFirst' - -@sys.description('Optional. Maximum number of sessions.') -param maxSessionLimit int = 99999 - -@sys.description('Optional. Host Pool RDP properties.') -param customRdpProperty string = 'audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;' - -@sys.description('Optional. Validation host pools allows you to test service changes before they are deployed to production. When set to true, the Host Pool will be deployed in a validation \'ring\' (environment) that receives all the new features (might be less stable). Defaults to false that stands for the stable, production-ready environment.') -param validationEnvironment bool = false - -@sys.description('Optional. 
The necessary information for adding more VMs to this Host Pool. The object is converted to an in-line string when handed over to the resource deployment, since that only takes strings.') -param vmTemplate object = {} - -@sys.description('Optional. Host Pool token validity length. Usage: \'PT8H\' - valid for 8 hours; \'P5D\' - valid for 5 days; \'P1Y\' - valid for 1 year. When not provided, the token will be valid for 8 hours.') -param tokenValidityLength string = 'PT8H' - -@sys.description('Generated. Do not provide a value! This date value is used to generate a registration token.') -param baseTime string = utcNow('u') - -@sys.description('Optional. The diagnostic settings of the service.') -param diagnosticSettings diagnosticSettingType - -@sys.description('Optional. The lock settings of the service.') -param lock lockType - -@sys.description('Optional. Tags of the resource.') -param tags object? - -@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@sys.description('Optional. The type of preferred application group type, default to Desktop Application Group.') -@allowed([ - 'Desktop' - 'None' - 'RailApplications' -]) -param preferredAppGroupType string = 'Desktop' - -@sys.description('Optional. Enable Start VM on connect to allow users to start the virtual machine from a deallocated state. Important: Custom RBAC role required to power manage VMs.') -param startVMOnConnect bool = false - -@sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalIds\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments roleAssignmentType - -@sys.description('Optional. 
Enable scheduled agent updates, Default means agent updates will automatically be installed by AVD when they become available.') -@allowed([ - 'Default' - 'Scheduled' -]) -param agentUpdateType string = 'Default' - -@sys.description('Optional. Update hour for scheduled agent updates.') -@minValue(1) -@maxValue(23) -param agentUpdateMaintenanceWindowHour int = 22 - -@sys.description('Optional. Update day for scheduled agent updates.') -@allowed([ - 'Sunday' - 'Monday' - 'Tuesday' - 'Wednesday' - 'Thursday' - 'Friday' - 'Saturday' -]) -param agentUpdateMaintenanceWindowDayOfWeek string = 'Sunday' - -@sys.description('Optional. List of maintenance windows for scheduled agent updates.') -param agentUpdateMaintenanceWindows array = [ - { - hour: agentUpdateMaintenanceWindowHour - dayOfWeek: agentUpdateMaintenanceWindowDayOfWeek - } -] - -@sys.description('Optional. Time zone for scheduled agent updates.') -param agentUpdateMaintenanceWindowTimeZone string = 'Central Standard Time' - -@sys.description('Optional. Whether to use localTime of the virtual machine for scheduled agent updates.') -param agentUpdateUseSessionHostLocalTime bool = false - -@sys.description('Optional. The session host configuration for updating agent, monitoring agent, and stack component.') -param agentUpdate object = { - type: agentUpdateType - maintenanceWindows: agentUpdateMaintenanceWindows - maintenanceWindowTimeZone: agentUpdateMaintenanceWindowTimeZone - useSessionHostLocalTime: agentUpdateUseSessionHostLocalTime -} - -@sys.description('Optional. The ring number of HostPool.') -param ring int = -1 - -@sys.description('Optional. URL to customer ADFS server for signing WVD SSO certificates.') -param ssoadfsAuthority string = '' - -@sys.description('Optional. ClientId for the registered Relying Party used to issue WVD SSO certificates.') -param ssoClientId string = '' - -@sys.description('Optional. 
Path to Azure KeyVault storing the secret used for communication to ADFS.') -#disable-next-line secure-secrets-in-params -param ssoClientSecretKeyVaultPath string = '' - -@sys.description('Optional. The type of single sign on Secret Type.') -@allowed([ - '' - 'Certificate' - 'CertificateInKeyVault' - 'SharedKey' - 'SharedKeyInKeyVault' -]) -#disable-next-line secure-secrets-in-params -param ssoSecretType string = '' - -var tokenExpirationTime = dateTimeAdd(baseTime, tokenValidityLength) - -var builtInRoleNames = { - 'Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Desktop Virtualization Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8') - 'Desktop Virtualization Application Group Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55') - 'Desktop Virtualization Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387') - 'Desktop Virtualization Host Pool Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc') - 'Desktop Virtualization Host Pool Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822') - 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e') - 'Desktop Virtualization Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868') - 'Desktop Virtualization Session Host Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'2ad6aaab-ead9-4eaa-8ac5-da422f562408') - 'Desktop Virtualization User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63') - 'Desktop Virtualization User Session Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'Desktop Virtualization Workspace Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b') - 'Desktop Virtualization Workspace Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource hostPool 'Microsoft.DesktopVirtualization/hostPools@2022-09-09' = { - name: name - location: location - tags: tags - properties: { - friendlyName: friendlyName - description: description - hostPoolType: type - customRdpProperty: customRdpProperty 
- personalDesktopAssignmentType: any(personalDesktopAssignmentType)
- preferredAppGroupType: preferredAppGroupType
- maxSessionLimit: maxSessionLimit
- loadBalancerType: loadBalancerType
- startVMOnConnect: startVMOnConnect
- validationEnvironment: validationEnvironment
- registrationInfo: {
- expirationTime: tokenExpirationTime
- token: null
- registrationTokenOperation: 'Update'
- }
- vmTemplate: ((!empty(vmTemplate)) ? null : string(vmTemplate))
- agentUpdate: (agentUpdateType == 'Scheduled') ? agentUpdate : null
- ring: ring != -1 ? ring : null
- ssoadfsAuthority: ssoadfsAuthority
- ssoClientId: ssoClientId
- ssoClientSecretKeyVaultPath: ssoClientSecretKeyVaultPath
- ssoSecretType: !empty(ssoSecretType) ? ssoSecretType : null
- }
-}
-
-resource hostPool_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: hostPool
-}
-
-resource hostPool_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: hostPool
-}]
-
-resource hostPool_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(hostPool.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: hostPool
-}]
-
-@sys.description('The resource ID of the AVD host pool.')
-output resourceId string = hostPool.id
-
-@sys.description('The resource group the AVD host pool was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@sys.description('The name of the AVD host pool.')
-output name string = hostPool.name
-
-@sys.description('The expiration time for the registration token.')
-output tokenExpirationTime string = dateTimeAdd(baseTime, tokenValidityLength)
-
-@sys.description('The location the resource was deployed into.')
-output location string = hostPool.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @sys.description('Optional. Specify the name of lock.')
- name: string?
-
- @sys.description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @sys.description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @sys.description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @sys.description('Optional. The description of the role assignment.')
- description: string?
-
- @sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @sys.description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @sys.description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type diagnosticSettingType = {
- @sys.description('Optional. The name of diagnostic setting.')
- name: string?
-
- @sys.description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @sys.description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @sys.description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @sys.description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @sys.description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @sys.description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @sys.description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @sys.description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @sys.description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/desktop-virtualization/host-pool/main.json b/modules/desktop-virtualization/host-pool/main.json
deleted file mode 100644
index 47c3a09ecc..0000000000
--- a/modules/desktop-virtualization/host-pool/main.json
+++ /dev/null
@@ -1,636 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "14527076707665890247" - }, - "name": "Azure Virtual Desktop (AVD) Host Pools", - "description": "This module deploys an Azure Virtual Desktop (AVD) Host Pool.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
- } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "minLength": 1, - "metadata": { - "description": "Required. Name of the Host Pool." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." 
- } - }, - "friendlyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The friendly name of the Host Pool to be created." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the Host Pool to be created." - } - }, - "type": { - "type": "string", - "defaultValue": "Pooled", - "allowedValues": [ - "Personal", - "Pooled" - ], - "metadata": { - "description": "Optional. Set this parameter to Personal if you would like to enable Persistent Desktop experience. Defaults to Pooled." - } - }, - "personalDesktopAssignmentType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "Automatic", - "Direct", - "" - ], - "metadata": { - "description": "Optional. Set the type of assignment for a Personal Host Pool type." - } - }, - "loadBalancerType": { - "type": "string", - "defaultValue": "BreadthFirst", - "allowedValues": [ - "BreadthFirst", - "DepthFirst", - "Persistent" - ], - "metadata": { - "description": "Optional. Type of load balancer algorithm." - } - }, - "maxSessionLimit": { - "type": "int", - "defaultValue": 99999, - "metadata": { - "description": "Optional. Maximum number of sessions." - } - }, - "customRdpProperty": { - "type": "string", - "defaultValue": "audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;", - "metadata": { - "description": "Optional. Host Pool RDP properties." - } - }, - "validationEnvironment": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Validation host pools allows you to test service changes before they are deployed to production. When set to true, the Host Pool will be deployed in a validation 'ring' (environment) that receives all the new features (might be less stable). Defaults to false that stands for the stable, production-ready environment." 
- } - }, - "vmTemplate": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The necessary information for adding more VMs to this Host Pool. The object is converted to an in-line string when handed over to the resource deployment, since that only takes strings." - } - }, - "tokenValidityLength": { - "type": "string", - "defaultValue": "PT8H", - "metadata": { - "description": "Optional. Host Pool token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the token will be valid for 8 hours." - } - }, - "baseTime": { - "type": "string", - "defaultValue": "[utcNow('u')]", - "metadata": { - "description": "Generated. Do not provide a value! This date value is used to generate a registration token." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "preferredAppGroupType": { - "type": "string", - "defaultValue": "Desktop", - "allowedValues": [ - "Desktop", - "None", - "RailApplications" - ], - "metadata": { - "description": "Optional. The type of preferred application group type, default to Desktop Application Group." - } - }, - "startVMOnConnect": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enable Start VM on connect to allow users to start the virtual machine from a deallocated state. Important: Custom RBAC role required to power manage VMs." 
- } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "agentUpdateType": { - "type": "string", - "defaultValue": "Default", - "allowedValues": [ - "Default", - "Scheduled" - ], - "metadata": { - "description": "Optional. Enable scheduled agent updates, Default means agent updates will automatically be installed by AVD when they become available." - } - }, - "agentUpdateMaintenanceWindowHour": { - "type": "int", - "defaultValue": 22, - "minValue": 1, - "maxValue": 23, - "metadata": { - "description": "Optional. Update hour for scheduled agent updates." - } - }, - "agentUpdateMaintenanceWindowDayOfWeek": { - "type": "string", - "defaultValue": "Sunday", - "allowedValues": [ - "Sunday", - "Monday", - "Tuesday", - "Wednesday", - "Thursday", - "Friday", - "Saturday" - ], - "metadata": { - "description": "Optional. Update day for scheduled agent updates." - } - }, - "agentUpdateMaintenanceWindows": { - "type": "array", - "defaultValue": [ - { - "hour": "[parameters('agentUpdateMaintenanceWindowHour')]", - "dayOfWeek": "[parameters('agentUpdateMaintenanceWindowDayOfWeek')]" - } - ], - "metadata": { - "description": "Optional. List of maintenance windows for scheduled agent updates." - } - }, - "agentUpdateMaintenanceWindowTimeZone": { - "type": "string", - "defaultValue": "Central Standard Time", - "metadata": { - "description": "Optional. Time zone for scheduled agent updates." 
- } - }, - "agentUpdateUseSessionHostLocalTime": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether to use localTime of the virtual machine for scheduled agent updates." - } - }, - "agentUpdate": { - "type": "object", - "defaultValue": { - "type": "[parameters('agentUpdateType')]", - "maintenanceWindows": "[parameters('agentUpdateMaintenanceWindows')]", - "maintenanceWindowTimeZone": "[parameters('agentUpdateMaintenanceWindowTimeZone')]", - "useSessionHostLocalTime": "[parameters('agentUpdateUseSessionHostLocalTime')]" - }, - "metadata": { - "description": "Optional. The session host configuration for updating agent, monitoring agent, and stack component." - } - }, - "ring": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. The ring number of HostPool." - } - }, - "ssoadfsAuthority": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. URL to customer ADFS server for signing WVD SSO certificates." - } - }, - "ssoClientId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. ClientId for the registered Relying Party used to issue WVD SSO certificates." - } - }, - "ssoClientSecretKeyVaultPath": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Path to Azure KeyVault storing the secret used for communication to ADFS." - } - }, - "ssoSecretType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Certificate", - "CertificateInKeyVault", - "SharedKey", - "SharedKeyInKeyVault" - ], - "metadata": { - "description": "Optional. The type of single sign on Secret Type." 
- } - } - }, - "variables": { - "tokenExpirationTime": "[dateTimeAdd(parameters('baseTime'), parameters('tokenValidityLength'))]", - "builtInRoleNames": { - "Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Desktop Virtualization Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8')]", - "Desktop Virtualization Application Group Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')]", - "Desktop Virtualization Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')]", - "Desktop Virtualization Host Pool Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc')]", - "Desktop Virtualization Host Pool Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822')]", - "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868')]", - "Desktop Virtualization Session Host Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408')]", - "Desktop Virtualization User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", - "Desktop Virtualization User Session Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "Desktop Virtualization Workspace Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')]", - "Desktop Virtualization Workspace Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "hostPool": { - "type": "Microsoft.DesktopVirtualization/hostPools", - "apiVersion": "2022-09-09", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "friendlyName": "[parameters('friendlyName')]", - "description": "[parameters('description')]", - "hostPoolType": "[parameters('type')]", - "customRdpProperty": 
"[parameters('customRdpProperty')]", - "personalDesktopAssignmentType": "[parameters('personalDesktopAssignmentType')]", - "preferredAppGroupType": "[parameters('preferredAppGroupType')]", - "maxSessionLimit": "[parameters('maxSessionLimit')]", - "loadBalancerType": "[parameters('loadBalancerType')]", - "startVMOnConnect": "[parameters('startVMOnConnect')]", - "validationEnvironment": "[parameters('validationEnvironment')]", - "registrationInfo": { - "expirationTime": "[variables('tokenExpirationTime')]", - "token": null, - "registrationTokenOperation": "Update" - }, - "vmTemplate": "[if(not(empty(parameters('vmTemplate'))), null(), string(parameters('vmTemplate')))]", - "agentUpdate": "[if(equals(parameters('agentUpdateType'), 'Scheduled'), parameters('agentUpdate'), null())]", - "ring": "[if(not(equals(parameters('ring'), -1)), parameters('ring'), null())]", - "ssoadfsAuthority": "[parameters('ssoadfsAuthority')]", - "ssoClientId": "[parameters('ssoClientId')]", - "ssoClientSecretKeyVaultPath": "[parameters('ssoClientSecretKeyVaultPath')]", - "ssoSecretType": "[if(not(empty(parameters('ssoSecretType'))), parameters('ssoSecretType'), null())]" - } - }, - "hostPool_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.DesktopVirtualization/hostPools/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "hostPool" - ] - }, - "hostPool_diagnosticSettings": { - "copy": { - "name": "hostPool_diagnosticSettings", - 
"count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.DesktopVirtualization/hostPools/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "hostPool" - ] - }, - "hostPool_roleAssignments": { - "copy": { - "name": "hostPool_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.DesktopVirtualization/hostPools/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.DesktopVirtualization/hostPools', parameters('name')), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "hostPool" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the AVD host pool." 
- }, - "value": "[resourceId('Microsoft.DesktopVirtualization/hostPools', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the AVD host pool was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the AVD host pool." - }, - "value": "[parameters('name')]" - }, - "tokenExpirationTime": { - "type": "string", - "metadata": { - "description": "The expiration time for the registration token." - }, - "value": "[dateTimeAdd(parameters('baseTime'), parameters('tokenValidityLength'))]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('hostPool', '2022-09-09', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/desktop-virtualization/host-pool/tests/e2e/defaults/main.test.bicep b/modules/desktop-virtualization/host-pool/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index fc3402a8a1..0000000000 --- a/modules/desktop-virtualization/host-pool/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.hostpools-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dvhpmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/desktop-virtualization/host-pool/tests/e2e/max/dependencies.bicep b/modules/desktop-virtualization/host-pool/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/desktop-virtualization/host-pool/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/desktop-virtualization/host-pool/tests/e2e/max/main.test.bicep b/modules/desktop-virtualization/host-pool/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 07996d49e3..0000000000
--- a/modules/desktop-virtualization/host-pool/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,146 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.hostpools-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dvhpmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- customRdpProperty: 'audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;'
- diagnosticSettings: [
- {
- name: 'customSetting'
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- description: 'My first AVD Host Pool'
- friendlyName: 'AVDv2'
- type: 'Pooled'
- loadBalancerType: 'BreadthFirst'
- location: location
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- maxSessionLimit: 99999
- personalDesktopAssignmentType: 'Automatic'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- vmTemplate: {
- customImageId: null
- domain: 'domainname.onmicrosoft.com'
- galleryImageOffer: 'office-365'
- galleryImagePublisher: 'microsoftwindowsdesktop'
- galleryImageSKU: '20h1-evd-o365pp'
- imageType: 'Gallery'
- imageUri: null
- namePrefix: 'avdv2'
- osDiskType: 'StandardSSD_LRS'
- useManagedDisks: true
- vmSize: {
- cores: 2
- id: 'Standard_D2s_v3'
- ram: 8
- }
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- agentUpdate: {
- type: 'Scheduled'
- useSessionHostLocalTime: false
- maintenanceWindowTimeZone: 'Alaskan Standard Time'
- maintenanceWindows: [
- {
- hour: 7
- dayOfWeek: 'Friday'
- }
- {
- hour: 8
- dayOfWeek: 'Saturday'
- }
- ]
- }
- }
-}]
diff --git a/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/dependencies.bicep b/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 05123d5d47..0000000000
--- a/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,129 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.hostpools-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dvhpwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- customRdpProperty: 'audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;'
- diagnosticSettings: [
- {
- name: 'customSetting'
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- description: 'My first AVD Host Pool'
- friendlyName: 'AVDv2'
- type: 'Pooled'
- loadBalancerType: 'BreadthFirst'
- location: location
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- maxSessionLimit: 99999
- personalDesktopAssignmentType: 'Automatic'
- vmTemplate: {
- customImageId: null
- domain: 'domainname.onmicrosoft.com'
- galleryImageOffer: 'office-365'
- galleryImagePublisher: 'microsoftwindowsdesktop'
- galleryImageSKU: '20h1-evd-o365pp'
- imageType: 'Gallery'
- imageUri: null
- namePrefix: 'avdv2'
- osDiskType: 'StandardSSD_LRS'
- useManagedDisks: true
- vmSize: {
- cores: 2
- id: 'Standard_D2s_v3'
- ram: 8
- }
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- agentUpdate: {
- type: 'Scheduled'
- useSessionHostLocalTime: false
- maintenanceWindowTimeZone: 'Alaskan Standard Time'
- maintenanceWindows: [
- {
- hour: 7
- dayOfWeek: 'Friday'
- }
- {
- hour: 8
- dayOfWeek: 'Saturday'
- }
- ]
- }
- }
-}]
diff --git a/modules/desktop-virtualization/host-pool/version.json b/modules/desktop-virtualization/host-pool/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/desktop-virtualization/host-pool/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/desktop-virtualization/scaling-plan/MOVED-TO-AVM.md b/modules/desktop-virtualization/scaling-plan/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/desktop-virtualization/scaling-plan/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/desktop-virtualization/scaling-plan/README.md b/modules/desktop-virtualization/scaling-plan/README.md
index 62be6687cf..4bc70d39c2 100644
--- a/modules/desktop-virtualization/scaling-plan/README.md
+++ b/modules/desktop-virtualization/scaling-plan/README.md
@@ -1,811 +1,7 @@
-# Azure Virtual Desktop (AVD) Scaling Plans `[Microsoft.DesktopVirtualization/scalingPlans]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/desktop-virtualization/scaling-plan](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/desktop-virtualization/scaling-plan).** -This module deploys an Azure Virtual Desktop (AVD) Scaling Plan. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/desktop-virtualization/scaling-plan). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.DesktopVirtualization/scalingPlans` | [2022-09-09](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DesktopVirtualization/2022-09-09/scalingPlans) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
- ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module scalingPlan 'br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dvspmin' - params: { - // Required parameters - name: 'dvspmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dvspmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module scalingPlan 'br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dvspmax' - params: { - // Required parameters - name: 'dvspmax001' - // Non-required parameters - description: 'My Scaling Plan Description' - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - friendlyName: 'My Scaling Plan' - hostPoolType: 'Pooled' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - schedules: [ - { - daysOfWeek: [ - 'Friday' - 'Monday' - 'Thursday' - 'Tuesday' - 'Wednesday' - ] - name: 'weekdays_schedule' - offPeakLoadBalancingAlgorithm: 'DepthFirst' - offPeakStartTime: { - hour: 20 - minute: 0 - } - peakLoadBalancingAlgorithm: 'DepthFirst' - peakStartTime: { - hour: 9 - minute: 0 - } - rampDownCapacityThresholdPct: 90 - rampDownForceLogoffUsers: true - rampDownLoadBalancingAlgorithm: 'DepthFirst' - rampDownMinimumHostsPct: 10 - rampDownNotificationMessage: 'You will be logged off in 30 min. Make sure to save your work.' - rampDownStartTime: { - hour: 18 - minute: 0 - } - rampDownStopHostsWhen: 'ZeroSessions' - rampDownWaitTimeMinutes: 30 - rampUpCapacityThresholdPct: 60 - rampUpLoadBalancingAlgorithm: 'DepthFirst' - rampUpMinimumHostsPct: 20 - rampUpStartTime: { - hour: 7 - minute: 0 - } - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dvspmax001" - }, - // Non-required parameters - "description": { - "value": "My Scaling Plan Description" - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "friendlyName": { - "value": "My Scaling Plan" - }, - "hostPoolType": { - "value": "Pooled" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "schedules": { - "value": [ - { - "daysOfWeek": [ - "Friday", - "Monday", - "Thursday", - "Tuesday", - "Wednesday" - ], - "name": "weekdays_schedule", - "offPeakLoadBalancingAlgorithm": "DepthFirst", - "offPeakStartTime": { - "hour": 20, - "minute": 0 - }, - "peakLoadBalancingAlgorithm": "DepthFirst", - "peakStartTime": { - "hour": 9, - "minute": 0 - }, - "rampDownCapacityThresholdPct": 90, - "rampDownForceLogoffUsers": true, - "rampDownLoadBalancingAlgorithm": "DepthFirst", - "rampDownMinimumHostsPct": 10, - "rampDownNotificationMessage": "You will be logged off in 30 min. 
Make sure to save your work.", - "rampDownStartTime": { - "hour": 18, - "minute": 0 - }, - "rampDownStopHostsWhen": "ZeroSessions", - "rampDownWaitTimeMinutes": 30, - "rampUpCapacityThresholdPct": 60, - "rampUpLoadBalancingAlgorithm": "DepthFirst", - "rampUpMinimumHostsPct": 20, - "rampUpStartTime": { - "hour": 7, - "minute": 0 - } - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module scalingPlan 'br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dvspwaf' - params: { - // Required parameters - name: 'dvspwaf001' - // Non-required parameters - description: 'My Scaling Plan Description' - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - friendlyName: 'My Scaling Plan' - hostPoolType: 'Pooled' - schedules: [ - { - daysOfWeek: [ - 'Friday' - 'Monday' - 'Thursday' - 'Tuesday' - 'Wednesday' - ] - name: 'weekdays_schedule' - offPeakLoadBalancingAlgorithm: 'DepthFirst' - offPeakStartTime: { - hour: 20 - minute: 0 - } - peakLoadBalancingAlgorithm: 'DepthFirst' - peakStartTime: { - hour: 9 - minute: 0 - } - rampDownCapacityThresholdPct: 90 - rampDownForceLogoffUsers: true - rampDownLoadBalancingAlgorithm: 'DepthFirst' - rampDownMinimumHostsPct: 10 - rampDownNotificationMessage: 'You will be logged off in 30 min. Make sure to save your work.' - rampDownStartTime: { - hour: 18 - minute: 0 - } - rampDownStopHostsWhen: 'ZeroSessions' - rampDownWaitTimeMinutes: 30 - rampUpCapacityThresholdPct: 60 - rampUpLoadBalancingAlgorithm: 'DepthFirst' - rampUpMinimumHostsPct: 20 - rampUpStartTime: { - hour: 7 - minute: 0 - } - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dvspwaf001" - }, - // Non-required parameters - "description": { - "value": "My Scaling Plan Description" - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "friendlyName": { - "value": "My Scaling Plan" - }, - "hostPoolType": { - "value": "Pooled" - }, - "schedules": { - "value": [ - { - "daysOfWeek": [ - "Friday", - "Monday", - "Thursday", - "Tuesday", - "Wednesday" - ], - "name": "weekdays_schedule", - "offPeakLoadBalancingAlgorithm": "DepthFirst", - "offPeakStartTime": { - "hour": 20, - "minute": 0 - }, - "peakLoadBalancingAlgorithm": "DepthFirst", - "peakStartTime": { - "hour": 9, - "minute": 0 - }, - "rampDownCapacityThresholdPct": 90, - "rampDownForceLogoffUsers": true, - "rampDownLoadBalancingAlgorithm": "DepthFirst", - "rampDownMinimumHostsPct": 10, - "rampDownNotificationMessage": "You will be logged off in 30 min. Make sure to save your work.", - "rampDownStartTime": { - "hour": 18, - "minute": 0 - }, - "rampDownStopHostsWhen": "ZeroSessions", - "rampDownWaitTimeMinutes": 30, - "rampUpCapacityThresholdPct": 60, - "rampUpLoadBalancingAlgorithm": "DepthFirst", - "rampUpMinimumHostsPct": 20, - "rampUpStartTime": { - "hour": 7, - "minute": 0 - } - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the scaling plan. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`description`](#parameter-description) | string | Description of the scaling plan. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`exclusionTag`](#parameter-exclusiontag) | string | Provide a tag to be used for hosts that should not be affected by the scaling plan. | -| [`friendlyName`](#parameter-friendlyname) | string | Friendly Name of the scaling plan. | -| [`hostPoolReferences`](#parameter-hostpoolreferences) | array | An array of references to hostpools. | -| [`hostPoolType`](#parameter-hostpooltype) | string | The type of hostpool where this scaling plan should be applied. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`schedules`](#parameter-schedules) | array | The schedules related to this scaling plan. If no value is provided a default schedule will be provided. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`timeZone`](#parameter-timezone) | string | Timezone to be used for the scaling plan. | - -### Parameter: `name` - -Name of the scaling plan. 
- -- Required: Yes -- Type: string - -### Parameter: `description` - -Description of the scaling plan. - -- Required: No -- Type: string -- Default: `[parameters('name')]` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. 
- -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `exclusionTag` - -Provide a tag to be used for hosts that should not be affected by the scaling plan. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `friendlyName` - -Friendly Name of the scaling plan. - -- Required: No -- Type: string -- Default: `[parameters('name')]` - -### Parameter: `hostPoolReferences` - -An array of references to hostpools. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `hostPoolType` - -The type of hostpool where this scaling plan should be applied. - -- Required: No -- Type: string -- Default: `'Pooled'` -- Allowed: - ```Bicep - [ - 'Pooled' - ] - ``` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `schedules` - -The schedules related to this scaling plan. If no value is provided a default schedule will be provided. - -- Required: No -- Type: array -- Default: - ```Bicep - [ - { - daysOfWeek: [ - 'Friday' - 'Monday' - 'Thursday' - 'Tuesday' - 'Wednesday' - ] - name: 'weekdays_schedule' - offPeakLoadBalancingAlgorithm: 'DepthFirst' - offPeakStartTime: { - hour: 20 - minute: 0 - } - peakLoadBalancingAlgorithm: 'DepthFirst' - peakStartTime: { - hour: 9 - minute: 0 - } - rampDownCapacityThresholdPct: 90 - rampDownForceLogoffUsers: true - rampDownLoadBalancingAlgorithm: 'DepthFirst' - rampDownMinimumHostsPct: 10 - rampDownNotificationMessage: 'You will be logged off in 30 min. Make sure to save your work.' - rampDownStartTime: { - hour: 18 - minute: 0 - } - rampDownStopHostsWhen: 'ZeroSessions' - rampDownWaitTimeMinutes: 30 - rampUpCapacityThresholdPct: 60 - rampUpLoadBalancingAlgorithm: 'DepthFirst' - rampUpMinimumHostsPct: 20 - rampUpStartTime: { - hour: 7 - minute: 0 - } - } - ] - ``` - -### Parameter: `tags` - -Tags of the resource. 
- -- Required: No -- Type: object - -### Parameter: `timeZone` - -Timezone to be used for the scaling plan. - -- Required: No -- Type: string -- Default: `'W. Europe Standard Time'` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the AVD scaling plan. | -| `resourceGroupName` | string | The resource group the AVD scaling plan was deployed into. | -| `resourceId` | string | The resource ID of the AVD scaling plan. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/desktop-virtualization/scaling-plan/main.bicep b/modules/desktop-virtualization/scaling-plan/main.bicep deleted file mode 100644 index 69551d44a8..0000000000 --- a/modules/desktop-virtualization/scaling-plan/main.bicep +++ /dev/null 
@@ -1,237 +0,0 @@ -metadata name = 'Azure Virtual Desktop (AVD) Scaling Plans' -metadata description = 'This module deploys an Azure Virtual Desktop (AVD) Scaling Plan.' -metadata owner = 'Azure/module-maintainers' - -@sys.description('Required. Name of the scaling plan.') -@minLength(1) -param name string - -@sys.description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@sys.description('Optional. Friendly Name of the scaling plan.') -param friendlyName string = name - -@sys.description('Optional. Description of the scaling plan.') -param description string = name - -@sys.description('Optional. Timezone to be used for the scaling plan.') -param timeZone string = 'W. Europe Standard Time' - -@allowed([ - 'Pooled' -]) -@sys.description('Optional. The type of hostpool where this scaling plan should be applied.') -param hostPoolType string = 'Pooled' - -@sys.description('Optional. Provide a tag to be used for hosts that should not be affected by the scaling plan.') -param exclusionTag string = '' - -@sys.description('Optional. The schedules related to this scaling plan. If no value is provided a default schedule will be provided.') -param schedules array = [ - { - rampUpStartTime: { - hour: 7 - minute: 0 - } - peakStartTime: { - hour: 9 - minute: 0 - } - rampDownStartTime: { - hour: 18 - minute: 0 - } - offPeakStartTime: { - hour: 20 - minute: 0 - } - name: 'weekdays_schedule' - daysOfWeek: [ - 'Monday' - 'Tuesday' - 'Wednesday' - 'Thursday' - 'Friday' - ] - rampUpLoadBalancingAlgorithm: 'DepthFirst' - rampUpMinimumHostsPct: 20 - rampUpCapacityThresholdPct: 60 - peakLoadBalancingAlgorithm: 'DepthFirst' - rampDownLoadBalancingAlgorithm: 'DepthFirst' - rampDownMinimumHostsPct: 10 - rampDownCapacityThresholdPct: 90 - rampDownForceLogoffUsers: true - rampDownWaitTimeMinutes: 30 - rampDownNotificationMessage: 'You will be logged off in 30 min. Make sure to save your work.' 
- rampDownStopHostsWhen: 'ZeroSessions' - offPeakLoadBalancingAlgorithm: 'DepthFirst' - } -] - -@sys.description('Optional. An array of references to hostpools.') -param hostPoolReferences array = [] - -@sys.description('Optional. Tags of the resource.') -param tags object? - -@sys.description('Optional. The diagnostic settings of the service.') -param diagnosticSettings diagnosticSettingType - -@sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalIds\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments roleAssignmentType - -@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var builtInRoleNames = { - 'Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Desktop Virtualization Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8') - 'Desktop Virtualization Application Group Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55') - 'Desktop Virtualization Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387') - 'Desktop Virtualization Host Pool Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc') - 'Desktop Virtualization Host Pool Reader': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822') - 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e') - 'Desktop Virtualization Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868') - 'Desktop Virtualization Session Host Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408') - 'Desktop Virtualization User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63') - 'Desktop Virtualization User Session Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'Desktop Virtualization Workspace Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b') - 'Desktop Virtualization Workspace Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 
'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource scalingPlan 'Microsoft.DesktopVirtualization/scalingPlans@2022-09-09' = { - name: name - location: location - tags: tags - properties: { - friendlyName: friendlyName - timeZone: timeZone - hostPoolType: hostPoolType - exclusionTag: exclusionTag - schedules: schedules - hostPoolReferences: hostPoolReferences - description: description - } -} - -resource scalingPlan_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { - name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' - properties: { - storageAccountId: diagnosticSetting.?storageAccountResourceId - workspaceId: diagnosticSetting.?workspaceResourceId - eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId - eventHubName: diagnosticSetting.?eventHubName - logs: diagnosticSetting.?logCategoriesAndGroups ?? [ - { - categoryGroup: 'AllLogs' - enabled: true - } - ] - marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId - logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType - } - scope: scalingPlan -}] - -resource scalingplan_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(scalingPlan.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? 
roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: scalingPlan -}] - -@sys.description('The resource ID of the AVD scaling plan.') -output resourceId string = scalingPlan.id - -@sys.description('The resource group the AVD scaling plan was deployed into.') -output resourceGroupName string = resourceGroup().name - -@sys.description('The name of the AVD scaling plan.') -output name string = scalingPlan.name - -@sys.description('The location the resource was deployed into.') -output location string = scalingPlan.location -// =============== // -// Definitions // -// =============== // - -type roleAssignmentType = { - @sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') - roleDefinitionIdOrName: string - - @sys.description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @sys.description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @sys.description('Optional. The description of the role assignment.') - description: string? - - @sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? 
- - @sys.description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @sys.description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? - -type diagnosticSettingType = { - @sys.description('Optional. The name of diagnostic setting.') - name: string? - - @sys.description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') - logCategoriesAndGroups: { - @sys.description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') - category: string? - - @sys.description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') - categoryGroup: string? - }[]? - - @sys.description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? - - @sys.description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - workspaceResourceId: string? - - @sys.description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - storageAccountResourceId: string? - - @sys.description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') - eventHubAuthorizationRuleResourceId: string? - - @sys.description('Optional. 
Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - eventHubName: string? - - @sys.description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') - marketplacePartnerResourceId: string? -}[]? diff --git a/modules/desktop-virtualization/scaling-plan/main.json b/modules/desktop-virtualization/scaling-plan/main.json deleted file mode 100644 index de65badeec..0000000000 --- a/modules/desktop-virtualization/scaling-plan/main.json +++ /dev/null 
@@ -1,433 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "6071506913049441518" - }, - "name": "Azure Virtual Desktop (AVD) Scaling Plans", - "description": "This module deploys an Azure Virtual Desktop (AVD) Scaling Plan.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." 
- } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "minLength": 1, - "metadata": { - "description": "Required. Name of the scaling plan." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "friendlyName": { - "type": "string", - "defaultValue": "[parameters('name')]", - "metadata": { - "description": "Optional. Friendly Name of the scaling plan." - } - }, - "description": { - "type": "string", - "defaultValue": "[parameters('name')]", - "metadata": { - "description": "Optional. Description of the scaling plan." - } - }, - "timeZone": { - "type": "string", - "defaultValue": "W. 
Europe Standard Time", - "metadata": { - "description": "Optional. Timezone to be used for the scaling plan." - } - }, - "hostPoolType": { - "type": "string", - "defaultValue": "Pooled", - "allowedValues": [ - "Pooled" - ], - "metadata": { - "description": "Optional. The type of hostpool where this scaling plan should be applied." - } - }, - "exclusionTag": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Provide a tag to be used for hosts that should not be affected by the scaling plan." - } - }, - "schedules": { - "type": "array", - "defaultValue": [ - { - "rampUpStartTime": { - "hour": 7, - "minute": 0 - }, - "peakStartTime": { - "hour": 9, - "minute": 0 - }, - "rampDownStartTime": { - "hour": 18, - "minute": 0 - }, - "offPeakStartTime": { - "hour": 20, - "minute": 0 - }, - "name": "weekdays_schedule", - "daysOfWeek": [ - "Monday", - "Tuesday", - "Wednesday", - "Thursday", - "Friday" - ], - "rampUpLoadBalancingAlgorithm": "DepthFirst", - "rampUpMinimumHostsPct": 20, - "rampUpCapacityThresholdPct": 60, - "peakLoadBalancingAlgorithm": "DepthFirst", - "rampDownLoadBalancingAlgorithm": "DepthFirst", - "rampDownMinimumHostsPct": 10, - "rampDownCapacityThresholdPct": 90, - "rampDownForceLogoffUsers": true, - "rampDownWaitTimeMinutes": 30, - "rampDownNotificationMessage": "You will be logged off in 30 min. Make sure to save your work.", - "rampDownStopHostsWhen": "ZeroSessions", - "offPeakLoadBalancingAlgorithm": "DepthFirst" - } - ], - "metadata": { - "description": "Optional. The schedules related to this scaling plan. If no value is provided a default schedule will be provided." - } - }, - "hostPoolReferences": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An array of references to hostpools." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." 
- } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "builtInRoleNames": { - "Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Desktop Virtualization Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8')]", - "Desktop Virtualization Application Group Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')]", - "Desktop Virtualization Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')]", - "Desktop Virtualization Host Pool Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc')]", - "Desktop Virtualization Host Pool Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822')]", - 
"Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868')]", - "Desktop Virtualization Session Host Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408')]", - "Desktop Virtualization User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", - "Desktop Virtualization User Session Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "Desktop Virtualization Workspace Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')]", - "Desktop Virtualization Workspace Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - 
"name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "scalingPlan": { - "type": "Microsoft.DesktopVirtualization/scalingPlans", - "apiVersion": "2022-09-09", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "friendlyName": "[parameters('friendlyName')]", - "timeZone": "[parameters('timeZone')]", - "hostPoolType": "[parameters('hostPoolType')]", - "exclusionTag": "[parameters('exclusionTag')]", - "schedules": "[parameters('schedules')]", - "hostPoolReferences": "[parameters('hostPoolReferences')]", - "description": "[parameters('description')]" - } - }, - "scalingPlan_diagnosticSettings": { - "copy": { - "name": "scalingPlan_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.DesktopVirtualization/scalingPlans/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubName')]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "scalingPlan" - ] - }, - "scalingplan_roleAssignments": { - "copy": { - "name": "scalingplan_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.DesktopVirtualization/scalingPlans/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.DesktopVirtualization/scalingPlans', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", 
- "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "scalingPlan" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the AVD scaling plan." - }, - "value": "[resourceId('Microsoft.DesktopVirtualization/scalingPlans', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the AVD scaling plan was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the AVD scaling plan." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('scalingPlan', '2022-09-09', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/desktop-virtualization/scaling-plan/tests/e2e/defaults/main.test.bicep b/modules/desktop-virtualization/scaling-plan/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 160a5f13a3..0000000000 --- a/modules/desktop-virtualization/scaling-plan/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.scalingplans-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dvspmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/desktop-virtualization/scaling-plan/tests/e2e/max/dependencies.bicep b/modules/desktop-virtualization/scaling-plan/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/desktop-virtualization/scaling-plan/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/desktop-virtualization/scaling-plan/tests/e2e/max/main.test.bicep b/modules/desktop-virtualization/scaling-plan/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 73f13bcc7f..0000000000
--- a/modules/desktop-virtualization/scaling-plan/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,144 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.scalingplans-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dvspmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- hostPoolType: 'Pooled'
- friendlyName: 'My Scaling Plan'
- description: 'My Scaling Plan Description'
- schedules: [ {
- rampUpStartTime: {
- hour: 7
- minute: 0
- }
- peakStartTime: {
- hour: 9
- minute: 0
- }
- rampDownStartTime: {
- hour: 18
- minute: 0
- }
- offPeakStartTime: {
- hour: 20
- minute: 0
- }
- name: 'weekdays_schedule'
- daysOfWeek: [
- 'Monday'
- 'Tuesday'
- 'Wednesday'
- 'Thursday'
- 'Friday'
- ]
- rampUpLoadBalancingAlgorithm: 'DepthFirst'
- rampUpMinimumHostsPct: 20
- rampUpCapacityThresholdPct: 60
- peakLoadBalancingAlgorithm: 'DepthFirst'
- rampDownLoadBalancingAlgorithm: 'DepthFirst'
- rampDownMinimumHostsPct: 10
- rampDownCapacityThresholdPct: 90
- rampDownForceLogoffUsers: true
- rampDownWaitTimeMinutes: 30
- rampDownNotificationMessage: 'You will be logged off in 30 min. Make sure to save your work.'
- rampDownStopHostsWhen: 'ZeroSessions'
- offPeakLoadBalancingAlgorithm: 'DepthFirst'
- }
- ]
- }
-}]
diff --git a/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/dependencies.bicep b/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 5eedc422fe..0000000000
--- a/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,127 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.scalingplans-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dvspwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- diagnosticSettings: [
- {
- name: 'customSetting'
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- hostPoolType: 'Pooled'
- friendlyName: 'My Scaling Plan'
- description: 'My Scaling Plan Description'
- schedules: [ {
- rampUpStartTime: {
- hour: 7
- minute: 0
- }
- peakStartTime: {
- hour: 9
- minute: 0
- }
- rampDownStartTime: {
- hour: 18
- minute: 0
- }
- offPeakStartTime: {
- hour: 20
- minute: 0
- }
- name: 'weekdays_schedule'
- daysOfWeek: [
- 'Monday'
- 'Tuesday'
- 'Wednesday'
- 'Thursday'
- 'Friday'
- ]
- rampUpLoadBalancingAlgorithm: 'DepthFirst'
- rampUpMinimumHostsPct: 20
- rampUpCapacityThresholdPct: 60
- peakLoadBalancingAlgorithm: 'DepthFirst'
- rampDownLoadBalancingAlgorithm: 'DepthFirst'
- rampDownMinimumHostsPct: 10
- rampDownCapacityThresholdPct: 90
- rampDownForceLogoffUsers: true
- rampDownWaitTimeMinutes: 30
- rampDownNotificationMessage: 'You will be logged off in 30 min. Make sure to save your work.'
- rampDownStopHostsWhen: 'ZeroSessions'
- offPeakLoadBalancingAlgorithm: 'DepthFirst'
- }
- ]
- }
-}]
diff --git a/modules/desktop-virtualization/scaling-plan/version.json b/modules/desktop-virtualization/scaling-plan/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/desktop-virtualization/scaling-plan/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/desktop-virtualization/workspace/MOVED-TO-AVM.md b/modules/desktop-virtualization/workspace/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/desktop-virtualization/workspace/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/desktop-virtualization/workspace/README.md b/modules/desktop-virtualization/workspace/README.md
index 7e560d64b1..60a90e780f 100644
--- a/modules/desktop-virtualization/workspace/README.md
+++ b/modules/desktop-virtualization/workspace/README.md
@@ -1,637 +1,7 @@
-# Azure Virtual Desktop (AVD) Workspaces `[Microsoft.DesktopVirtualization/workspaces]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/desktop-virtualization/workspace](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/desktop-virtualization/workspace).** -This module deploys an Azure Virtual Desktop (AVD) Workspace. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/desktop-virtualization/workspace). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.DesktopVirtualization/workspaces` | [2022-09-09](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DesktopVirtualization/2022-09-09/workspaces) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. 
- ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/desktop-virtualization.workspace:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dvwmin' - params: { - // Required parameters - name: 'dvwmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dvwmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dvwmax' - params: { - // Required parameters - name: 'dvwmax001' - // Non-required parameters - appGroupResourceIds: [ - '' - ] - description: 'This is my first AVD Workspace' - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - friendlyName: 'My first AVD Workspace' - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dvwmax001" - }, - // Non-required parameters - "appGroupResourceIds": { - "value": [ - "" - ] - }, - "description": { - "value": "This is my first AVD Workspace" - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "friendlyName": { - "value": "My first AVD Workspace" - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dvwwaf' - params: { - // Required parameters - name: 'dvwwaf001' - // Non-required parameters - appGroupResourceIds: [ - '' - ] - description: 'This is my first AVD Workspace' - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - friendlyName: 'My first AVD Workspace' - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dvwwaf001" - }, - // Non-required parameters - "appGroupResourceIds": { - "value": [ - "" - ] - }, - "description": { - "value": "This is my first AVD Workspace" - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "friendlyName": { - "value": "My first AVD Workspace" - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the workspace to be attach to new Application Group. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`appGroupResourceIds`](#parameter-appgroupresourceids) | array | Resource IDs for the existing Application groups this workspace will group together. | -| [`description`](#parameter-description) | string | The description of the Workspace to be created. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`friendlyName`](#parameter-friendlyname) | string | The friendly name of the Workspace to be created. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `name` - -The name of the workspace to be attach to new Application Group. - -- Required: Yes -- Type: string - -### Parameter: `appGroupResourceIds` - -Resource IDs for the existing Application groups this workspace will group together. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `description` - -The description of the Workspace to be created. 
- -- Required: No -- Type: string -- Default: `''` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
| -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `friendlyName` - -The friendly name of the Workspace to be created. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the AVD workspace. | -| `resourceGroupName` | string | The resource group the AVD workspace was deployed into. | -| `resourceId` | string | The resource ID of the AVD workspace. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/desktop-virtualization/workspace/main.bicep b/modules/desktop-virtualization/workspace/main.bicep deleted file mode 100644 index 418a5c72d4..0000000000 --- a/modules/desktop-virtualization/workspace/main.bicep +++ /dev/null 
@@ -1,199 +0,0 @@
-metadata name = 'Azure Virtual Desktop (AVD) Workspaces'
-metadata description = 'This module deploys an Azure Virtual Desktop (AVD) Workspace.'
-metadata owner = 'Azure/module-maintainers'
-
-@sys.description('Required. The name of the workspace to be attach to new Application Group.')
-param name string
-
-@sys.description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@sys.description('Optional. Resource IDs for the existing Application groups this workspace will group together.')
-param appGroupResourceIds array = []
-
-@sys.description('Optional. The friendly name of the Workspace to be created.')
-param friendlyName string = ''
-
-@sys.description('Optional. The description of the Workspace to be created.')
-param description string = ''
-
-@sys.description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@sys.description('Optional. The lock settings of the service.')
-param lock lockType
-
-@sys.description('Optional. Tags of the resource.')
-param tags object?
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalIds\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-var builtInRoleNames = {
- 'Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Desktop Virtualization Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8')
- 'Desktop Virtualization Application Group Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')
- 'Desktop Virtualization Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')
- 'Desktop Virtualization Host Pool Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc')
- 'Desktop Virtualization Host Pool Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822')
- 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')
- 'Desktop Virtualization Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868')
- 'Desktop Virtualization Session Host Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408')
- 'Desktop Virtualization User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')
- 'Desktop Virtualization User Session Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')
- 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')
- 'Desktop Virtualization Workspace Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')
- 'Desktop Virtualization Workspace Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource workspace 'Microsoft.DesktopVirtualization/workspaces@2022-09-09' = {
- name: name
- location: location
- tags: tags
- properties: {
- applicationGroupReferences: appGroupResourceIds
- description: description
- friendlyName: friendlyName
- }
-}
-
-resource workspace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: workspace
-}
-
-resource workspace_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: workspace
-}]
-
-resource workspace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(workspace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: workspace
-}]
-
-@sys.description('The resource ID of the AVD workspace.')
-output resourceId string = workspace.id
-
-@sys.description('The resource group the AVD workspace was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@sys.description('The name of the AVD workspace.')
-output name string = workspace.name
-
-@sys.description('The location the resource was deployed into.')
-output location string = workspace.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @sys.description('Optional. Specify the name of lock.')
- name: string?
-
- @sys.description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @sys.description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @sys.description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @sys.description('Optional. The description of the role assignment.')
- description: string?
-
- @sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @sys.description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @sys.description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type diagnosticSettingType = {
- @sys.description('Optional. The name of diagnostic setting.')
- name: string?
-
- @sys.description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @sys.description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @sys.description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @sys.description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @sys.description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @sys.description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @sys.description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @sys.description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @sys.description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/desktop-virtualization/workspace/main.json b/modules/desktop-virtualization/workspace/main.json
deleted file mode 100644
index b8d4cd7c89..0000000000
--- a/modules/desktop-virtualization/workspace/main.json
+++ /dev/null
@@ -1,403 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "5531356624680815860" - }, - "name": "Azure Virtual Desktop (AVD) Workspaces", - "description": "This module deploys an Azure Virtual Desktop (AVD) Workspace.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
- } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the workspace to be attach to new Application Group." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." 
- } - }, - "appGroupResourceIds": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Resource IDs for the existing Application groups this workspace will group together." - } - }, - "friendlyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The friendly name of the Workspace to be created." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the Workspace to be created." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Desktop Virtualization Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8')]", - "Desktop Virtualization Application Group Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')]", - "Desktop Virtualization Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')]", - "Desktop Virtualization Host Pool Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc')]", - "Desktop Virtualization Host Pool Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822')]", - "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868')]", - "Desktop Virtualization Session Host Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408')]", - "Desktop Virtualization User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", - "Desktop Virtualization User Session Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')]", - "Desktop Virtualization Virtual Machine Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "Desktop Virtualization Workspace Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')]", - "Desktop Virtualization Workspace Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "workspace": { - "type": "Microsoft.DesktopVirtualization/workspaces", - "apiVersion": "2022-09-09", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "applicationGroupReferences": "[parameters('appGroupResourceIds')]", - "description": "[parameters('description')]", - "friendlyName": "[parameters('friendlyName')]" - } - }, - "workspace_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), 
createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.DesktopVirtualization/workspaces/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "workspace" - ] - }, - "workspace_diagnosticSettings": { - "copy": { - "name": "workspace_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.DesktopVirtualization/workspaces/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "workspace" - ] - }, - "workspace_roleAssignments": { - "copy": { - "name": "workspace_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.DesktopVirtualization/workspaces/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.DesktopVirtualization/workspaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "workspace" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the AVD workspace." - }, - "value": "[resourceId('Microsoft.DesktopVirtualization/workspaces', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the AVD workspace was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the AVD workspace." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('workspace', '2022-09-09', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/desktop-virtualization/workspace/tests/e2e/defaults/main.test.bicep b/modules/desktop-virtualization/workspace/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 3eb2840ed1..0000000000 --- a/modules/desktop-virtualization/workspace/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.workspaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dvwmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/desktop-virtualization/workspace/tests/e2e/max/dependencies.bicep b/modules/desktop-virtualization/workspace/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 8e753087b2..0000000000
--- a/modules/desktop-virtualization/workspace/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,41 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Application Group to create.')
-param applicationGroupName string
-
-@description('Required. The name of the Host Pool to create.')
-param hostPoolName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource hostPool 'Microsoft.DesktopVirtualization/hostPools@2022-09-09' = {
- name: hostPoolName
- location: location
- properties: {
- hostPoolType: 'Pooled'
- loadBalancerType: 'BreadthFirst'
- preferredAppGroupType: 'Desktop'
- }
-}
-
-resource applicationGroup 'Microsoft.DesktopVirtualization/applicationGroups@2022-09-09' = {
- name: applicationGroupName
- location: location
- properties: {
- applicationGroupType: 'Desktop'
- hostPoolArmPath: hostPool.id
- }
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Application Group.')
-output applicationGroupResourceId string = applicationGroup.id
diff --git a/modules/desktop-virtualization/workspace/tests/e2e/max/main.test.bicep b/modules/desktop-virtualization/workspace/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 7e08439b65..0000000000
--- a/modules/desktop-virtualization/workspace/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,114 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.workspaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dvwmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- applicationGroupName: 'dep-${namePrefix}-appGroup-${serviceShort}'
- hostPoolName: 'dep-${namePrefix}-hp-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- appGroupResourceIds: [
- nestedDependencies.outputs.applicationGroupResourceId
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- location: location
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- description: 'This is my first AVD Workspace'
- friendlyName: 'My first AVD Workspace'
- }
-}]
diff --git a/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/dependencies.bicep b/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 8e753087b2..0000000000
--- a/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,41 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Application Group to create.')
-param applicationGroupName string
-
-@description('Required. The name of the Host Pool to create.')
-param hostPoolName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource hostPool 'Microsoft.DesktopVirtualization/hostPools@2022-09-09' = {
- name: hostPoolName
- location: location
- properties: {
- hostPoolType: 'Pooled'
- loadBalancerType: 'BreadthFirst'
- preferredAppGroupType: 'Desktop'
- }
-}
-
-resource applicationGroup 'Microsoft.DesktopVirtualization/applicationGroups@2022-09-09' = {
- name: applicationGroupName
- location: location
- properties: {
- applicationGroupType: 'Desktop'
- hostPoolArmPath: hostPool.id
- }
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Application Group.')
-output applicationGroupResourceId string = applicationGroup.id
diff --git a/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 78a62c1b38..0000000000
--- a/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,97 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.workspaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dvwwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- applicationGroupName: 'dep-${namePrefix}-appGroup-${serviceShort}'
- hostPoolName: 'dep-${namePrefix}-hp-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- appGroupResourceIds: [
- nestedDependencies.outputs.applicationGroupResourceId
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- location: location
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- description: 'This is my first AVD Workspace'
- friendlyName: 'My first AVD Workspace'
- }
-}]
diff --git a/modules/desktop-virtualization/workspace/version.json b/modules/desktop-virtualization/workspace/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/desktop-virtualization/workspace/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/dev-test-lab/lab/MOVED-TO-AVM.md b/modules/dev-test-lab/lab/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/dev-test-lab/lab/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/dev-test-lab/lab/README.md b/modules/dev-test-lab/lab/README.md
index bf4dcbf1e3..7780d26c04 100644
--- a/modules/dev-test-lab/lab/README.md
+++ b/modules/dev-test-lab/lab/README.md
@@ -1,1632 +1,7 @@
-# DevTest Labs `[Microsoft.DevTestLab/labs]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/dev-test-lab/lab](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/dev-test-lab/lab).** -This module deploys a DevTest Lab. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/dev-test-lab/lab). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.DevTestLab/labs` | [2018-10-15-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DevTestLab/labs) | -| `Microsoft.DevTestLab/labs/artifactsources` | [2018-09-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DevTestLab/2018-09-15/labs/artifactsources) | -| `Microsoft.DevTestLab/labs/costs` | [2018-09-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DevTestLab/2018-09-15/labs/costs) | -| `Microsoft.DevTestLab/labs/notificationchannels` | [2018-09-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DevTestLab/2018-09-15/labs/notificationchannels) | -| 
`Microsoft.DevTestLab/labs/policysets/policies` | [2018-09-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DevTestLab/2018-09-15/labs/policysets/policies) | -| `Microsoft.DevTestLab/labs/schedules` | [2018-09-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DevTestLab/2018-09-15/labs/schedules) | -| `Microsoft.DevTestLab/labs/virtualnetworks` | [2018-09-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DevTestLab/2018-09-15/labs/virtualnetworks) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/dev-test-lab.lab:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dtllmin' - params: { - // Required parameters - name: 'dtllmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dtllmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dtllmax' - params: { - // Required parameters - name: 'dtllmax001' - // Non-required parameters - announcement: { - enabled: 'Enabled' - expirationDate: '2025-12-30T13:00:00Z' - markdown: 'DevTest Lab announcement text.
New line. It also supports Markdown' - title: 'DevTest announcement title' - } - artifactsources: [ - { - branchRef: 'master' - displayName: 'Public Artifact Repo' - folderPath: '/Artifacts' - name: 'Public Repo' - sourceType: 'GitHub' - status: 'Disabled' - uri: 'https://github.com/Azure/azure-devtestlab.git' - } - { - armTemplateFolderPath: '/Environments' - branchRef: 'master' - displayName: 'Public Environment Repo' - name: 'Public Environment Repo' - sourceType: 'GitHub' - status: 'Disabled' - uri: 'https://github.com/Azure/azure-devtestlab.git' - } - ] - artifactsStorageAccount: '' - browserConnect: 'Enabled' - costs: { - cycleType: 'CalendarMonth' - status: 'Enabled' - target: 450 - thresholdValue100DisplayOnChart: 'Enabled' - thresholdValue100SendNotificationWhenExceeded: 'Enabled' - } - disableAutoUpgradeCseMinorVersion: true - enableDefaultTelemetry: '' - encryptionDiskEncryptionSetId: '' - encryptionType: 'EncryptionAtRestWithCustomerKey' - environmentPermission: 'Contributor' - extendedProperties: { - RdpConnectionType: '7' - } - isolateLabResources: 'Enabled' - labStorageType: 'Premium' - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - managementIdentitiesResourceIds: [ - '' - ] - notificationchannels: [ - { - description: 'Integration configured for auto-shutdown' - emailRecipient: 'mail@contosodtlmail.com' - events: [ - { - eventName: 'AutoShutdown' - } - ] - name: 'autoShutdown' - notificationLocale: 'en' - webHookUrl: 'https://webhook.contosotest.com' - } - { - events: [ - { - eventName: 'Cost' - } - ] - name: 'costThreshold' - webHookUrl: 'https://webhook.contosotest.com' - } - ] - policies: [ - { - evaluatorType: 'MaxValuePolicy' - factData: '' - factName: 'UserOwnedLabVmCountInSubnet' - name: '' - threshold: '1' - } - { - evaluatorType: 'MaxValuePolicy' - factName: 'UserOwnedLabVmCount' - name: 'MaxVmsAllowedPerUser' - threshold: '2' - } - { - 
evaluatorType: 'MaxValuePolicy' - factName: 'UserOwnedLabPremiumVmCount' - name: 'MaxPremiumVmsAllowedPerUser' - status: 'Disabled' - threshold: '1' - } - { - evaluatorType: 'MaxValuePolicy' - factName: 'LabVmCount' - name: 'MaxVmsAllowedPerLab' - threshold: '3' - } - { - evaluatorType: 'MaxValuePolicy' - factName: 'LabPremiumVmCount' - name: 'MaxPremiumVmsAllowedPerLab' - threshold: '2' - } - { - evaluatorType: 'AllowedValuesPolicy' - factData: '' - factName: 'LabVmSize' - name: 'AllowedVmSizesInLab' - status: 'Enabled' - threshold: '' - } - { - evaluatorType: 'AllowedValuesPolicy' - factName: 'ScheduleEditPermission' - name: 'ScheduleEditPermission' - threshold: '' - } - { - evaluatorType: 'AllowedValuesPolicy' - factName: 'GalleryImage' - name: 'GalleryImage' - threshold: '' - } - { - description: 'Public Environment Policy' - evaluatorType: 'AllowedValuesPolicy' - factName: 'EnvironmentTemplate' - name: 'EnvironmentTemplate' - threshold: '' - } - ] - premiumDataDisks: 'Enabled' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - schedules: [ - { - dailyRecurrence: { - time: '0000' - } - name: 'LabVmsShutdown' - notificationSettingsStatus: 'Enabled' - notificationSettingsTimeInMinutes: 30 - status: 'Enabled' - taskType: 'LabVmsShutdownTask' - timeZoneId: 'AUS Eastern Standard Time' - } - { - name: 'LabVmAutoStart' - status: 'Enabled' - taskType: 'LabVmsStartupTask' - timeZoneId: 'AUS Eastern Standard Time' - weeklyRecurrence: { - time: '0700' - weekdays: [ - 'Friday' - 'Monday' - 'Thursday' - 'Tuesday' - 'Wednesday' - ] - } - } - ] - support: { - enabled: 'Enabled' - markdown: 'DevTest Lab support text.
New line. It also supports Markdown' - } - tags: { - 'hidden-title': 'This is visible in the resource name' - labName: 'dtllmax001' - resourceType: 'DevTest Lab' - } - virtualnetworks: [ - { - allowedSubnets: [ - { - allowPublicIp: 'Allow' - labSubnetName: '' - resourceId: '' - } - ] - description: 'lab virtual network description' - externalProviderResourceId: '' - name: '' - subnetOverrides: [ - { - labSubnetName: '' - resourceId: '' - sharedPublicIpAddressConfiguration: { - allowedPorts: [ - { - backendPort: 3389 - transportProtocol: 'Tcp' - } - { - backendPort: 22 - transportProtocol: 'Tcp' - } - ] - } - useInVmCreationPermission: 'Allow' - usePublicIpAddressPermission: 'Allow' - } - ] - } - ] - vmCreationResourceGroupId: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dtllmax001" - }, - // Non-required parameters - "announcement": { - "value": { - "enabled": "Enabled", - "expirationDate": "2025-12-30T13:00:00Z", - "markdown": "DevTest Lab announcement text.
New line. It also supports Markdown", - "title": "DevTest announcement title" - } - }, - "artifactsources": { - "value": [ - { - "branchRef": "master", - "displayName": "Public Artifact Repo", - "folderPath": "/Artifacts", - "name": "Public Repo", - "sourceType": "GitHub", - "status": "Disabled", - "uri": "https://github.com/Azure/azure-devtestlab.git" - }, - { - "armTemplateFolderPath": "/Environments", - "branchRef": "master", - "displayName": "Public Environment Repo", - "name": "Public Environment Repo", - "sourceType": "GitHub", - "status": "Disabled", - "uri": "https://github.com/Azure/azure-devtestlab.git" - } - ] - }, - "artifactsStorageAccount": { - "value": "" - }, - "browserConnect": { - "value": "Enabled" - }, - "costs": { - "value": { - "cycleType": "CalendarMonth", - "status": "Enabled", - "target": 450, - "thresholdValue100DisplayOnChart": "Enabled", - "thresholdValue100SendNotificationWhenExceeded": "Enabled" - } - }, - "disableAutoUpgradeCseMinorVersion": { - "value": true - }, - "enableDefaultTelemetry": { - "value": "" - }, - "encryptionDiskEncryptionSetId": { - "value": "" - }, - "encryptionType": { - "value": "EncryptionAtRestWithCustomerKey" - }, - "environmentPermission": { - "value": "Contributor" - }, - "extendedProperties": { - "value": { - "RdpConnectionType": "7" - } - }, - "isolateLabResources": { - "value": "Enabled" - }, - "labStorageType": { - "value": "Premium" - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "managementIdentitiesResourceIds": { - "value": [ - "" - ] - }, - "notificationchannels": { - "value": [ - { - "description": "Integration configured for auto-shutdown", - "emailRecipient": "mail@contosodtlmail.com", - "events": [ - { - "eventName": "AutoShutdown" - } - ], - "name": "autoShutdown", - "notificationLocale": "en", - "webHookUrl": 
"https://webhook.contosotest.com" - }, - { - "events": [ - { - "eventName": "Cost" - } - ], - "name": "costThreshold", - "webHookUrl": "https://webhook.contosotest.com" - } - ] - }, - "policies": { - "value": [ - { - "evaluatorType": "MaxValuePolicy", - "factData": "", - "factName": "UserOwnedLabVmCountInSubnet", - "name": "", - "threshold": "1" - }, - { - "evaluatorType": "MaxValuePolicy", - "factName": "UserOwnedLabVmCount", - "name": "MaxVmsAllowedPerUser", - "threshold": "2" - }, - { - "evaluatorType": "MaxValuePolicy", - "factName": "UserOwnedLabPremiumVmCount", - "name": "MaxPremiumVmsAllowedPerUser", - "status": "Disabled", - "threshold": "1" - }, - { - "evaluatorType": "MaxValuePolicy", - "factName": "LabVmCount", - "name": "MaxVmsAllowedPerLab", - "threshold": "3" - }, - { - "evaluatorType": "MaxValuePolicy", - "factName": "LabPremiumVmCount", - "name": "MaxPremiumVmsAllowedPerLab", - "threshold": "2" - }, - { - "evaluatorType": "AllowedValuesPolicy", - "factData": "", - "factName": "LabVmSize", - "name": "AllowedVmSizesInLab", - "status": "Enabled", - "threshold": "" - }, - { - "evaluatorType": "AllowedValuesPolicy", - "factName": "ScheduleEditPermission", - "name": "ScheduleEditPermission", - "threshold": "" - }, - { - "evaluatorType": "AllowedValuesPolicy", - "factName": "GalleryImage", - "name": "GalleryImage", - "threshold": "" - }, - { - "description": "Public Environment Policy", - "evaluatorType": "AllowedValuesPolicy", - "factName": "EnvironmentTemplate", - "name": "EnvironmentTemplate", - "threshold": "" - } - ] - }, - "premiumDataDisks": { - "value": "Enabled" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - 
"schedules": { - "value": [ - { - "dailyRecurrence": { - "time": "0000" - }, - "name": "LabVmsShutdown", - "notificationSettingsStatus": "Enabled", - "notificationSettingsTimeInMinutes": 30, - "status": "Enabled", - "taskType": "LabVmsShutdownTask", - "timeZoneId": "AUS Eastern Standard Time" - }, - { - "name": "LabVmAutoStart", - "status": "Enabled", - "taskType": "LabVmsStartupTask", - "timeZoneId": "AUS Eastern Standard Time", - "weeklyRecurrence": { - "time": "0700", - "weekdays": [ - "Friday", - "Monday", - "Thursday", - "Tuesday", - "Wednesday" - ] - } - } - ] - }, - "support": { - "value": { - "enabled": "Enabled", - "markdown": "DevTest Lab support text.
New line. It also supports Markdown" - } - }, - "tags": { - "value": { - "hidden-title": "This is visible in the resource name", - "labName": "dtllmax001", - "resourceType": "DevTest Lab" - } - }, - "virtualnetworks": { - "value": [ - { - "allowedSubnets": [ - { - "allowPublicIp": "Allow", - "labSubnetName": "", - "resourceId": "" - } - ], - "description": "lab virtual network description", - "externalProviderResourceId": "", - "name": "", - "subnetOverrides": [ - { - "labSubnetName": "", - "resourceId": "", - "sharedPublicIpAddressConfiguration": { - "allowedPorts": [ - { - "backendPort": 3389, - "transportProtocol": "Tcp" - }, - { - "backendPort": 22, - "transportProtocol": "Tcp" - } - ] - }, - "useInVmCreationPermission": "Allow", - "usePublicIpAddressPermission": "Allow" - } - ] - } - ] - }, - "vmCreationResourceGroupId": { - "value": "" - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dtllwaf' - params: { - // Required parameters - name: 'dtllwaf001' - // Non-required parameters - announcement: { - enabled: 'Enabled' - expirationDate: '2025-12-30T13:00:00Z' - markdown: 'DevTest Lab announcement text.
New line. It also supports Markdown' - title: 'DevTest announcement title' - } - artifactsources: [ - { - branchRef: 'master' - displayName: 'Public Artifact Repo' - folderPath: '/Artifacts' - name: 'Public Repo' - sourceType: 'GitHub' - status: 'Disabled' - uri: 'https://github.com/Azure/azure-devtestlab.git' - } - { - armTemplateFolderPath: '/Environments' - branchRef: 'master' - displayName: 'Public Environment Repo' - name: 'Public Environment Repo' - sourceType: 'GitHub' - status: 'Disabled' - uri: 'https://github.com/Azure/azure-devtestlab.git' - } - ] - artifactsStorageAccount: '' - browserConnect: 'Enabled' - costs: { - cycleType: 'CalendarMonth' - status: 'Enabled' - target: 450 - thresholdValue100DisplayOnChart: 'Enabled' - thresholdValue100SendNotificationWhenExceeded: 'Enabled' - } - disableAutoUpgradeCseMinorVersion: true - enableDefaultTelemetry: '' - encryptionDiskEncryptionSetId: '' - encryptionType: 'EncryptionAtRestWithCustomerKey' - environmentPermission: 'Contributor' - extendedProperties: { - RdpConnectionType: '7' - } - isolateLabResources: 'Enabled' - labStorageType: 'Premium' - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - managementIdentitiesResourceIds: [ - '' - ] - notificationchannels: [ - { - description: 'Integration configured for auto-shutdown' - emailRecipient: 'mail@contosodtlmail.com' - events: [ - { - eventName: 'AutoShutdown' - } - ] - name: 'autoShutdown' - notificationLocale: 'en' - webHookUrl: 'https://webhook.contosotest.com' - } - { - events: [ - { - eventName: 'Cost' - } - ] - name: 'costThreshold' - webHookUrl: 'https://webhook.contosotest.com' - } - ] - policies: [ - { - evaluatorType: 'MaxValuePolicy' - factData: '' - factName: 'UserOwnedLabVmCountInSubnet' - name: '' - threshold: '1' - } - { - evaluatorType: 'MaxValuePolicy' - factName: 'UserOwnedLabVmCount' - name: 'MaxVmsAllowedPerUser' - threshold: '2' - } - { - 
evaluatorType: 'MaxValuePolicy' - factName: 'UserOwnedLabPremiumVmCount' - name: 'MaxPremiumVmsAllowedPerUser' - status: 'Disabled' - threshold: '1' - } - { - evaluatorType: 'MaxValuePolicy' - factName: 'LabVmCount' - name: 'MaxVmsAllowedPerLab' - threshold: '3' - } - { - evaluatorType: 'MaxValuePolicy' - factName: 'LabPremiumVmCount' - name: 'MaxPremiumVmsAllowedPerLab' - threshold: '2' - } - { - evaluatorType: 'AllowedValuesPolicy' - factData: '' - factName: 'LabVmSize' - name: 'AllowedVmSizesInLab' - status: 'Enabled' - threshold: '' - } - { - evaluatorType: 'AllowedValuesPolicy' - factName: 'ScheduleEditPermission' - name: 'ScheduleEditPermission' - threshold: '' - } - { - evaluatorType: 'AllowedValuesPolicy' - factName: 'GalleryImage' - name: 'GalleryImage' - threshold: '' - } - { - description: 'Public Environment Policy' - evaluatorType: 'AllowedValuesPolicy' - factName: 'EnvironmentTemplate' - name: 'EnvironmentTemplate' - threshold: '' - } - ] - premiumDataDisks: 'Enabled' - schedules: [ - { - dailyRecurrence: { - time: '0000' - } - name: 'LabVmsShutdown' - notificationSettingsStatus: 'Enabled' - notificationSettingsTimeInMinutes: 30 - status: 'Enabled' - taskType: 'LabVmsShutdownTask' - timeZoneId: 'AUS Eastern Standard Time' - } - { - name: 'LabVmAutoStart' - status: 'Enabled' - taskType: 'LabVmsStartupTask' - timeZoneId: 'AUS Eastern Standard Time' - weeklyRecurrence: { - time: '0700' - weekdays: [ - 'Friday' - 'Monday' - 'Thursday' - 'Tuesday' - 'Wednesday' - ] - } - } - ] - support: { - enabled: 'Enabled' - markdown: 'DevTest Lab support text.
New line. It also supports Markdown' - } - tags: { - 'hidden-title': 'This is visible in the resource name' - labName: 'dtllwaf001' - resourceType: 'DevTest Lab' - } - virtualnetworks: [ - { - allowedSubnets: [ - { - allowPublicIp: 'Allow' - labSubnetName: '' - resourceId: '' - } - ] - description: 'lab virtual network description' - externalProviderResourceId: '' - name: '' - subnetOverrides: [ - { - labSubnetName: '' - resourceId: '' - sharedPublicIpAddressConfiguration: { - allowedPorts: [ - { - backendPort: 3389 - transportProtocol: 'Tcp' - } - { - backendPort: 22 - transportProtocol: 'Tcp' - } - ] - } - useInVmCreationPermission: 'Allow' - usePublicIpAddressPermission: 'Allow' - } - ] - } - ] - vmCreationResourceGroupId: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dtllwaf001" - }, - // Non-required parameters - "announcement": { - "value": { - "enabled": "Enabled", - "expirationDate": "2025-12-30T13:00:00Z", - "markdown": "DevTest Lab announcement text.
New line. It also supports Markdown", - "title": "DevTest announcement title" - } - }, - "artifactsources": { - "value": [ - { - "branchRef": "master", - "displayName": "Public Artifact Repo", - "folderPath": "/Artifacts", - "name": "Public Repo", - "sourceType": "GitHub", - "status": "Disabled", - "uri": "https://github.com/Azure/azure-devtestlab.git" - }, - { - "armTemplateFolderPath": "/Environments", - "branchRef": "master", - "displayName": "Public Environment Repo", - "name": "Public Environment Repo", - "sourceType": "GitHub", - "status": "Disabled", - "uri": "https://github.com/Azure/azure-devtestlab.git" - } - ] - }, - "artifactsStorageAccount": { - "value": "" - }, - "browserConnect": { - "value": "Enabled" - }, - "costs": { - "value": { - "cycleType": "CalendarMonth", - "status": "Enabled", - "target": 450, - "thresholdValue100DisplayOnChart": "Enabled", - "thresholdValue100SendNotificationWhenExceeded": "Enabled" - } - }, - "disableAutoUpgradeCseMinorVersion": { - "value": true - }, - "enableDefaultTelemetry": { - "value": "" - }, - "encryptionDiskEncryptionSetId": { - "value": "" - }, - "encryptionType": { - "value": "EncryptionAtRestWithCustomerKey" - }, - "environmentPermission": { - "value": "Contributor" - }, - "extendedProperties": { - "value": { - "RdpConnectionType": "7" - } - }, - "isolateLabResources": { - "value": "Enabled" - }, - "labStorageType": { - "value": "Premium" - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "managementIdentitiesResourceIds": { - "value": [ - "" - ] - }, - "notificationchannels": { - "value": [ - { - "description": "Integration configured for auto-shutdown", - "emailRecipient": "mail@contosodtlmail.com", - "events": [ - { - "eventName": "AutoShutdown" - } - ], - "name": "autoShutdown", - "notificationLocale": "en", - "webHookUrl": 
"https://webhook.contosotest.com" - }, - { - "events": [ - { - "eventName": "Cost" - } - ], - "name": "costThreshold", - "webHookUrl": "https://webhook.contosotest.com" - } - ] - }, - "policies": { - "value": [ - { - "evaluatorType": "MaxValuePolicy", - "factData": "", - "factName": "UserOwnedLabVmCountInSubnet", - "name": "", - "threshold": "1" - }, - { - "evaluatorType": "MaxValuePolicy", - "factName": "UserOwnedLabVmCount", - "name": "MaxVmsAllowedPerUser", - "threshold": "2" - }, - { - "evaluatorType": "MaxValuePolicy", - "factName": "UserOwnedLabPremiumVmCount", - "name": "MaxPremiumVmsAllowedPerUser", - "status": "Disabled", - "threshold": "1" - }, - { - "evaluatorType": "MaxValuePolicy", - "factName": "LabVmCount", - "name": "MaxVmsAllowedPerLab", - "threshold": "3" - }, - { - "evaluatorType": "MaxValuePolicy", - "factName": "LabPremiumVmCount", - "name": "MaxPremiumVmsAllowedPerLab", - "threshold": "2" - }, - { - "evaluatorType": "AllowedValuesPolicy", - "factData": "", - "factName": "LabVmSize", - "name": "AllowedVmSizesInLab", - "status": "Enabled", - "threshold": "" - }, - { - "evaluatorType": "AllowedValuesPolicy", - "factName": "ScheduleEditPermission", - "name": "ScheduleEditPermission", - "threshold": "" - }, - { - "evaluatorType": "AllowedValuesPolicy", - "factName": "GalleryImage", - "name": "GalleryImage", - "threshold": "" - }, - { - "description": "Public Environment Policy", - "evaluatorType": "AllowedValuesPolicy", - "factName": "EnvironmentTemplate", - "name": "EnvironmentTemplate", - "threshold": "" - } - ] - }, - "premiumDataDisks": { - "value": "Enabled" - }, - "schedules": { - "value": [ - { - "dailyRecurrence": { - "time": "0000" - }, - "name": "LabVmsShutdown", - "notificationSettingsStatus": "Enabled", - "notificationSettingsTimeInMinutes": 30, - "status": "Enabled", - "taskType": "LabVmsShutdownTask", - "timeZoneId": "AUS Eastern Standard Time" - }, - { - "name": "LabVmAutoStart", - "status": "Enabled", - "taskType": 
"LabVmsStartupTask", - "timeZoneId": "AUS Eastern Standard Time", - "weeklyRecurrence": { - "time": "0700", - "weekdays": [ - "Friday", - "Monday", - "Thursday", - "Tuesday", - "Wednesday" - ] - } - } - ] - }, - "support": { - "value": { - "enabled": "Enabled", - "markdown": "DevTest Lab support text.
New line. It also supports Markdown" - } - }, - "tags": { - "value": { - "hidden-title": "This is visible in the resource name", - "labName": "dtllwaf001", - "resourceType": "DevTest Lab" - } - }, - "virtualnetworks": { - "value": [ - { - "allowedSubnets": [ - { - "allowPublicIp": "Allow", - "labSubnetName": "", - "resourceId": "" - } - ], - "description": "lab virtual network description", - "externalProviderResourceId": "", - "name": "", - "subnetOverrides": [ - { - "labSubnetName": "", - "resourceId": "", - "sharedPublicIpAddressConfiguration": { - "allowedPorts": [ - { - "backendPort": 3389, - "transportProtocol": "Tcp" - }, - { - "backendPort": 22, - "transportProtocol": "Tcp" - } - ] - }, - "useInVmCreationPermission": "Allow", - "usePublicIpAddressPermission": "Allow" - } - ] - } - ] - }, - "vmCreationResourceGroupId": { - "value": "" - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the lab. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`encryptionDiskEncryptionSetId`](#parameter-encryptiondiskencryptionsetid) | string | The Disk Encryption Set Resource ID used to encrypt OS and data disks created as part of the the lab. Required if encryptionType is set to "EncryptionAtRestWithCustomerKey". | -| [`notificationchannels`](#parameter-notificationchannels) | array | Notification Channels to create for the lab. Required if the schedules property "notificationSettingsStatus" is set to "Enabled. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`announcement`](#parameter-announcement) | object | The properties of any lab announcement associated with this lab. | -| [`artifactsources`](#parameter-artifactsources) | array | Artifact sources to create for the lab. | -| [`artifactsStorageAccount`](#parameter-artifactsstorageaccount) | string | The resource ID of the storage account used to store artifacts and images by the lab. Also used for defaultStorageAccount, defaultPremiumStorageAccount and premiumDataDiskStorageAccount properties. If left empty, a default storage account will be created by the lab and used. | -| [`browserConnect`](#parameter-browserconnect) | string | Enable browser connect on virtual machines if the lab's VNETs have configured Azure Bastion. | -| [`costs`](#parameter-costs) | object | Costs to create for the lab. | -| [`disableAutoUpgradeCseMinorVersion`](#parameter-disableautoupgradecseminorversion) | bool | Disable auto upgrade custom script extension minor version. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). 
| -| [`encryptionType`](#parameter-encryptiontype) | string | Specify how OS and data disks created as part of the lab are encrypted. | -| [`environmentPermission`](#parameter-environmentpermission) | string | The access rights to be granted to the user when provisioning an environment. | -| [`extendedProperties`](#parameter-extendedproperties) | object | Extended properties of the lab used for experimental features. | -| [`isolateLabResources`](#parameter-isolatelabresources) | string | Enable lab resources isolation from the public internet. | -| [`labStorageType`](#parameter-labstoragetype) | string | Type of storage used by the lab. It can be either Premium or Standard. | -| [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`managementIdentitiesResourceIds`](#parameter-managementidentitiesresourceids) | array | The resource ID(s) to assign to the virtual machines associated with this lab. | -| [`mandatoryArtifactsResourceIdsLinux`](#parameter-mandatoryartifactsresourceidslinux) | array | The ordered list of artifact resource IDs that should be applied on all Linux VM creations by default, prior to the artifacts specified by the user. | -| [`mandatoryArtifactsResourceIdsWindows`](#parameter-mandatoryartifactsresourceidswindows) | array | The ordered list of artifact resource IDs that should be applied on all Windows VM creations by default, prior to the artifacts specified by the user. | -| [`policies`](#parameter-policies) | array | Policies to create for the lab. | -| [`premiumDataDisks`](#parameter-premiumdatadisks) | string | The setting to enable usage of premium data disks. When its value is "Enabled", creation of standard or premium data disks is allowed. When its value is "Disabled", only creation of standard data disks is allowed. 
Default is "Disabled". | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`schedules`](#parameter-schedules) | array | Schedules to create for the lab. | -| [`support`](#parameter-support) | object | The properties of any lab support message associated with this lab. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`virtualnetworks`](#parameter-virtualnetworks) | array | Virtual networks to create for the lab. | -| [`vmCreationResourceGroupId`](#parameter-vmcreationresourcegroupid) | string | Resource Group allocation for virtual machines. If left empty, virtual machines will be deployed in their own Resource Groups. Default is the same Resource Group for DevTest Lab. | - -### Parameter: `name` - -The name of the lab. - -- Required: Yes -- Type: string - -### Parameter: `encryptionDiskEncryptionSetId` - -The Disk Encryption Set Resource ID used to encrypt OS and data disks created as part of the the lab. Required if encryptionType is set to "EncryptionAtRestWithCustomerKey". - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `notificationchannels` - -Notification Channels to create for the lab. Required if the schedules property "notificationSettingsStatus" is set to "Enabled. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `announcement` - -The properties of any lab announcement associated with this lab. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `artifactsources` - -Artifact sources to create for the lab. 
- -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `artifactsStorageAccount` - -The resource ID of the storage account used to store artifacts and images by the lab. Also used for defaultStorageAccount, defaultPremiumStorageAccount and premiumDataDiskStorageAccount properties. If left empty, a default storage account will be created by the lab and used. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `browserConnect` - -Enable browser connect on virtual machines if the lab's VNETs have configured Azure Bastion. - -- Required: No -- Type: string -- Default: `'Disabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `costs` - -Costs to create for the lab. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `disableAutoUpgradeCseMinorVersion` - -Disable auto upgrade custom script extension minor version. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `encryptionType` - -Specify how OS and data disks created as part of the lab are encrypted. - -- Required: No -- Type: string -- Default: `'EncryptionAtRestWithPlatformKey'` -- Allowed: - ```Bicep - [ - 'EncryptionAtRestWithCustomerKey' - 'EncryptionAtRestWithPlatformKey' - ] - ``` - -### Parameter: `environmentPermission` - -The access rights to be granted to the user when provisioning an environment. - -- Required: No -- Type: string -- Default: `'Reader'` -- Allowed: - ```Bicep - [ - 'Contributor' - 'Reader' - ] - ``` - -### Parameter: `extendedProperties` - -Extended properties of the lab used for experimental features. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `isolateLabResources` - -Enable lab resources isolation from the public internet. 
- -- Required: No -- Type: string -- Default: `'Enabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `labStorageType` - -Type of storage used by the lab. It can be either Premium or Standard. - -- Required: No -- Type: string -- Default: `'Premium'` -- Allowed: - ```Bicep - [ - 'Premium' - 'Standard' - 'StandardSSD' - ] - ``` - -### Parameter: `location` - -Location for all Resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: Yes -- Type: array - -### Parameter: `managementIdentitiesResourceIds` - -The resource ID(s) to assign to the virtual machines associated with this lab. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `mandatoryArtifactsResourceIdsLinux` - -The ordered list of artifact resource IDs that should be applied on all Linux VM creations by default, prior to the artifacts specified by the user. 
- -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `mandatoryArtifactsResourceIdsWindows` - -The ordered list of artifact resource IDs that should be applied on all Windows VM creations by default, prior to the artifacts specified by the user. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `policies` - -Policies to create for the lab. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `premiumDataDisks` - -The setting to enable usage of premium data disks. When its value is "Enabled", creation of standard or premium data disks is allowed. When its value is "Disabled", only creation of standard data disks is allowed. Default is "Disabled". - -- Required: No -- Type: string -- Default: `'Disabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `schedules` - -Schedules to create for the lab. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `support` - -The properties of any lab support message associated with this lab. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `virtualnetworks` - -Virtual networks to create for the lab. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `vmCreationResourceGroupId` - -Resource Group allocation for virtual machines. If left empty, virtual machines will be deployed in their own Resource Groups. Default is the same Resource Group for DevTest Lab. - -- Required: No -- Type: string -- Default: `[resourceGroup().id]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the lab. | -| `resourceGroupName` | string | The resource group the lab was deployed into. | -| `resourceId` | string | The resource ID of the lab. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | -| `uniqueIdentifier` | string | The unique identifier for the lab. Used to track tags that the lab applies to each resource that it creates. 
|
-
-## Cross-referenced modules
-
-_None_
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/dev-test-lab/lab/artifactsource/README.md b/modules/dev-test-lab/lab/artifactsource/README.md
deleted file mode 100644
index 0a5d74362c..0000000000
--- a/modules/dev-test-lab/lab/artifactsource/README.md
+++ /dev/null
@@ -1,168 +0,0 @@
-# DevTest Lab Artifact Sources `[Microsoft.DevTestLab/labs/artifactsources]`
-
-This module deploys a DevTest Lab Artifact Source.
-
-An artifact source allows you to create custom artifacts for the VMs in the lab, or use Azure Resource Manager templates to create a custom test environment. You must add a private Git repository for the artifacts or Resource Manager templates that your team creates. The repository can be hosted on GitHub or on Azure DevOps Services.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.DevTestLab/labs/artifactsources` | [2018-09-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DevTestLab/2018-09-15/labs/artifactsources) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the artifact source. |
-| [`uri`](#parameter-uri) | string | The artifact source's URI. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`armTemplateFolderPath`](#parameter-armtemplatefolderpath) | string | The folder containing Azure Resource Manager templates. Required if "folderPath" is empty. |
-| [`folderPath`](#parameter-folderpath) | string | The folder containing artifacts. At least one folder path is required. Required if "armTemplateFolderPath" is empty. |
-| [`labName`](#parameter-labname) | string | The name of the parent lab. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`branchRef`](#parameter-branchref) | string | The artifact source's branch reference (e.g. main or master). |
-| [`displayName`](#parameter-displayname) | string | The artifact source's display name. Default is the name of the artifact source. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`securityToken`](#parameter-securitytoken) | securestring | The security token to authenticate to the artifact source. |
-| [`sourceType`](#parameter-sourcetype) | string | The artifact source's type. |
-| [`status`](#parameter-status) | string | Indicates if the artifact source is enabled (values: Enabled, Disabled). Default is "Enabled". |
-| [`tags`](#parameter-tags) | object | Tags of the resource. |
-
-### Parameter: `name`
-
-The name of the artifact source.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `uri`
-
-The artifact source's URI.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `armTemplateFolderPath`
-
-The folder containing Azure Resource Manager templates. Required if "folderPath" is empty.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `folderPath`
-
-The folder containing artifacts. At least one folder path is required. Required if "armTemplateFolderPath" is empty.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `labName`
-
-The name of the parent lab. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `branchRef`
-
-The artifact source's branch reference (e.g. main or master).
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `displayName`
-
-The artifact source's display name. Default is the name of the artifact source.
-
-- Required: No
-- Type: string
-- Default: `[parameters('name')]`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `securityToken`
-
-The security token to authenticate to the artifact source.
-
-- Required: No
-- Type: securestring
-- Default: `''`
-
-### Parameter: `sourceType`
-
-The artifact source's type.
-
-- Required: No
-- Type: string
-- Default: `''`
-- Allowed:
- ```Bicep
- [
- ''
- 'GitHub'
- 'StorageAccount'
- 'VsoGit'
- ]
- ```
-
-### Parameter: `status`
-
-Indicates if the artifact source is enabled (values: Enabled, Disabled). Default is "Enabled".
-
-- Required: No
-- Type: string
-- Default: `'Enabled'`
-- Allowed:
- ```Bicep
- [
- 'Disabled'
- 'Enabled'
- ]
- ```
-
-### Parameter: `tags`
-
-Tags of the resource.
-
-- Required: No
-- Type: object
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the artifact source. |
-| `resourceGroupName` | string | The name of the resource group the artifact source was created in. |
-| `resourceId` | string | The resource ID of the artifact source. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/dev-test-lab/lab/artifactsource/main.bicep b/modules/dev-test-lab/lab/artifactsource/main.bicep
deleted file mode 100644
index e2c5e2f540..0000000000
--- a/modules/dev-test-lab/lab/artifactsource/main.bicep
+++ /dev/null
@@ -1,93 +0,0 @@
-metadata name = 'DevTest Lab Artifact Sources'
-metadata description = '''This module deploys a DevTest Lab Artifact Source.
-
-An artifact source allows you to create custom artifacts for the VMs in the lab, or use Azure Resource Manager templates to create a custom test environment. You must add a private Git repository for the artifacts or Resource Manager templates that your team creates. The repository can be hosted on GitHub or on Azure DevOps Services.'''
-metadata owner = 'Azure/module-maintainers'
-
-@sys.description('Conditional. The name of the parent lab. Required if the template is used in a standalone deployment.')
-param labName string
-
-@sys.description('Required. The name of the artifact source.')
-param name string
-
-@sys.description('Optional. Tags of the resource.')
-param tags object?
-
-@sys.description('Optional. The artifact source\'s display name. Default is the name of the artifact source.')
-param displayName string = name
-
-@sys.description('Optional. The artifact source\'s branch reference (e.g. main or master).')
-param branchRef string = ''
-
-@sys.description('Conditional. The folder containing artifacts. At least one folder path is required. Required if "armTemplateFolderPath" is empty.')
-param folderPath string = ''
-
-@sys.description('Conditional. The folder containing Azure Resource Manager templates. Required if "folderPath" is empty.')
-param armTemplateFolderPath string = ''
-
-@sys.description('Optional. The security token to authenticate to the artifact source.')
-@secure()
-param securityToken string = ''
-
-@allowed([
- ''
- 'GitHub'
- 'StorageAccount'
- 'VsoGit'
-])
-@sys.description('Optional. The artifact source\'s type.')
-param sourceType string = ''
-
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-@sys.description('Optional. Indicates if the artifact source is enabled (values: Enabled, Disabled). Default is "Enabled".')
-param status string = 'Enabled'
-
-@sys.description('Required. The artifact source\'s URI.')
-param uri string
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource lab 'Microsoft.DevTestLab/labs@2018-09-15' existing = {
- name: labName
-}
-
-resource artifactsource 'Microsoft.DevTestLab/labs/artifactsources@2018-09-15' = {
- name: name
- parent: lab
- tags: tags
- properties: {
- displayName: displayName
- branchRef: !empty(branchRef) ? branchRef : null
- folderPath: !empty(folderPath) ? folderPath : null
- armTemplateFolderPath: !empty(armTemplateFolderPath) ? armTemplateFolderPath : null
- securityToken: !empty(securityToken) ? securityToken : null
- sourceType: !empty(sourceType) ? sourceType : null
- status: status
- uri: uri
- }
-}
-
-@sys.description('The name of the artifact source.')
-output name string = artifactsource.name
-
-@sys.description('The resource ID of the artifact source.')
-output resourceId string = artifactsource.id
-
-@sys.description('The name of the resource group the artifact source was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/dev-test-lab/lab/artifactsource/main.json b/modules/dev-test-lab/lab/artifactsource/main.json
deleted file mode 100644
index 040a35cf33..0000000000
--- a/modules/dev-test-lab/lab/artifactsource/main.json
+++ /dev/null
@@ -1,172 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "17690202847641097971" - }, - "name": "DevTest Lab Artifact Sources", - "description": "This module deploys a DevTest Lab Artifact Source.\r\n\r\nAn artifact source allows you to create custom artifacts for the VMs in the lab, or use Azure Resource Manager templates to create a custom test environment. You must add a private Git repository for the artifacts or Resource Manager templates that your team creates. The repository can be hosted on GitHub or on Azure DevOps Services.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "labName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent lab. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the artifact source." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "displayName": { - "type": "string", - "defaultValue": "[parameters('name')]", - "metadata": { - "description": "Optional. The artifact source's display name. Default is the name of the artifact source." - } - }, - "branchRef": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The artifact source's branch reference (e.g. main or master)." - } - }, - "folderPath": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The folder containing artifacts. At least one folder path is required. Required if \"armTemplateFolderPath\" is empty." - } - }, - "armTemplateFolderPath": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. 
The folder containing Azure Resource Manager templates. Required if \"folderPath\" is empty." - } - }, - "securityToken": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. The security token to authenticate to the artifact source." - } - }, - "sourceType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "GitHub", - "StorageAccount", - "VsoGit" - ], - "metadata": { - "description": "Optional. The artifact source's type." - } - }, - "status": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Indicates if the artifact source is enabled (values: Enabled, Disabled). Default is \"Enabled\"." - } - }, - "uri": { - "type": "string", - "metadata": { - "description": "Required. The artifact source's URI." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "lab": { - "existing": true, - "type": "Microsoft.DevTestLab/labs", - "apiVersion": "2018-09-15", - "name": "[parameters('labName')]" - }, - "artifactsource": { - "type": "Microsoft.DevTestLab/labs/artifactsources", - "apiVersion": "2018-09-15", - "name": "[format('{0}/{1}', parameters('labName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "displayName": "[parameters('displayName')]", - "branchRef": "[if(not(empty(parameters('branchRef'))), parameters('branchRef'), null())]", - "folderPath": "[if(not(empty(parameters('folderPath'))), parameters('folderPath'), null())]", - "armTemplateFolderPath": "[if(not(empty(parameters('armTemplateFolderPath'))), parameters('armTemplateFolderPath'), null())]", - "securityToken": "[if(not(empty(parameters('securityToken'))), parameters('securityToken'), null())]", - "sourceType": "[if(not(empty(parameters('sourceType'))), parameters('sourceType'), null())]", - "status": "[parameters('status')]", - "uri": "[parameters('uri')]" - }, - "dependsOn": [ - "lab" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the artifact source." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the artifact source." 
- }, - "value": "[resourceId('Microsoft.DevTestLab/labs/artifactsources', parameters('labName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the artifact source was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/dev-test-lab/lab/artifactsource/version.json b/modules/dev-test-lab/lab/artifactsource/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/dev-test-lab/lab/artifactsource/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/dev-test-lab/lab/cost/README.md b/modules/dev-test-lab/lab/cost/README.md deleted file mode 100644 index d2950dda2b..0000000000 --- a/modules/dev-test-lab/lab/cost/README.md +++ /dev/null 
@@ -1,300 +0,0 @@
-# DevTest Lab Costs `[Microsoft.DevTestLab/labs/costs]`
-
-This module deploys a DevTest Lab Cost.
-
-Manage lab costs by setting a spending target that can be viewed in the Monthly Estimated Cost Trend chart. DevTest Labs can send a notification when spending reaches the specified target threshold.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.DevTestLab/labs/costs` | [2018-09-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DevTestLab/2018-09-15/labs/costs) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`cycleType`](#parameter-cycletype) | string | Reporting cycle type. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`cycleEndDateTime`](#parameter-cycleenddatetime) | string | Reporting cycle end date in the zulu time format (e.g. 2023-12-01T00:00:00.000Z). Required if cycleType is set to "Custom". |
-| [`cycleStartDateTime`](#parameter-cyclestartdatetime) | string | Reporting cycle start date in the zulu time format (e.g. 2023-12-01T00:00:00.000Z). Required if cycleType is set to "Custom". |
-| [`labName`](#parameter-labname) | string | The name of the parent lab. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`currencyCode`](#parameter-currencycode) | string | The currency code of the cost. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`status`](#parameter-status) | string | Target cost status. |
-| [`tags`](#parameter-tags) | object | Tags of the resource. |
-| [`target`](#parameter-target) | int | Lab target cost (e.g. 100). The target cost will appear in the "Cost trend" chart to allow tracking lab spending relative to the target cost for the current reporting cycleSetting the target cost to 0 will disable all thresholds. |
-| [`thresholdValue100DisplayOnChart`](#parameter-thresholdvalue100displayonchart) | string | Target Cost threshold at 100% display on chart. Indicates whether this threshold will be displayed on cost charts. |
-| [`thresholdValue100SendNotificationWhenExceeded`](#parameter-thresholdvalue100sendnotificationwhenexceeded) | string | Target cost threshold at 100% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded. |
-| [`thresholdValue125DisplayOnChart`](#parameter-thresholdvalue125displayonchart) | string | Target Cost threshold at 125% display on chart. Indicates whether this threshold will be displayed on cost charts. |
-| [`thresholdValue125SendNotificationWhenExceeded`](#parameter-thresholdvalue125sendnotificationwhenexceeded) | string | Target cost threshold at 125% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded. |
-| [`thresholdValue25DisplayOnChart`](#parameter-thresholdvalue25displayonchart) | string | Target Cost threshold at 25% display on chart. Indicates whether this threshold will be displayed on cost charts. |
-| [`thresholdValue25SendNotificationWhenExceeded`](#parameter-thresholdvalue25sendnotificationwhenexceeded) | string | Target cost threshold at 25% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded. |
-| [`thresholdValue50DisplayOnChart`](#parameter-thresholdvalue50displayonchart) | string | Target Cost threshold at 50% display on chart. Indicates whether this threshold will be displayed on cost charts. |
-| [`thresholdValue50SendNotificationWhenExceeded`](#parameter-thresholdvalue50sendnotificationwhenexceeded) | string | Target cost threshold at 50% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded. |
-| [`thresholdValue75DisplayOnChart`](#parameter-thresholdvalue75displayonchart) | string | Target Cost threshold at 75% display on chart. Indicates whether this threshold will be displayed on cost charts. |
-| [`thresholdValue75SendNotificationWhenExceeded`](#parameter-thresholdvalue75sendnotificationwhenexceeded) | string | Target cost threshold at 75% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded. |
-
-### Parameter: `cycleType`
-
-Reporting cycle type.
-
-- Required: Yes
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'CalendarMonth'
- 'Custom'
- ]
- ```
-
-### Parameter: `cycleEndDateTime`
-
-Reporting cycle end date in the zulu time format (e.g. 2023-12-01T00:00:00.000Z). Required if cycleType is set to "Custom".
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `cycleStartDateTime`
-
-Reporting cycle start date in the zulu time format (e.g. 2023-12-01T00:00:00.000Z). Required if cycleType is set to "Custom".
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `labName`
-
-The name of the parent lab. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `currencyCode`
-
-The currency code of the cost.
-
-- Required: No
-- Type: string
-- Default: `'USD'`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `status`
-
-Target cost status.
-
-- Required: No
-- Type: string
-- Default: `'Enabled'`
-- Allowed:
- ```Bicep
- [
- 'Disabled'
- 'Enabled'
- ]
- ```
-
-### Parameter: `tags`
-
-Tags of the resource.
-
-- Required: No
-- Type: object
-
-### Parameter: `target`
-
-Lab target cost (e.g. 100). The target cost will appear in the "Cost trend" chart to allow tracking lab spending relative to the target cost for the current reporting cycleSetting the target cost to 0 will disable all thresholds.
-
-- Required: No
-- Type: int
-- Default: `0`
-
-### Parameter: `thresholdValue100DisplayOnChart`
-
-Target Cost threshold at 100% display on chart. Indicates whether this threshold will be displayed on cost charts.
-
-- Required: No
-- Type: string
-- Default: `'Disabled'`
-- Allowed:
- ```Bicep
- [
- 'Disabled'
- 'Enabled'
- ]
- ```
-
-### Parameter: `thresholdValue100SendNotificationWhenExceeded`
-
-Target cost threshold at 100% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded.
-
-- Required: No
-- Type: string
-- Default: `'Disabled'`
-- Allowed:
- ```Bicep
- [
- 'Disabled'
- 'Enabled'
- ]
- ```
-
-### Parameter: `thresholdValue125DisplayOnChart`
-
-Target Cost threshold at 125% display on chart. Indicates whether this threshold will be displayed on cost charts.
-
-- Required: No
-- Type: string
-- Default: `'Disabled'`
-- Allowed:
- ```Bicep
- [
- 'Disabled'
- 'Enabled'
- ]
- ```
-
-### Parameter: `thresholdValue125SendNotificationWhenExceeded`
-
-Target cost threshold at 125% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded.
-
-- Required: No
-- Type: string
-- Default: `'Disabled'`
-- Allowed:
- ```Bicep
- [
- 'Disabled'
- 'Enabled'
- ]
- ```
-
-### Parameter: `thresholdValue25DisplayOnChart`
-
-Target Cost threshold at 25% display on chart. Indicates whether this threshold will be displayed on cost charts.
-
-- Required: No
-- Type: string
-- Default: `'Disabled'`
-- Allowed:
- ```Bicep
- [
- 'Disabled'
- 'Enabled'
- ]
- ```
-
-### Parameter: `thresholdValue25SendNotificationWhenExceeded`
-
-Target cost threshold at 25% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded.
-
-- Required: No
-- Type: string
-- Default: `'Disabled'`
-- Allowed:
- ```Bicep
- [
- 'Disabled'
- 'Enabled'
- ]
- ```
-
-### Parameter: `thresholdValue50DisplayOnChart`
-
-Target Cost threshold at 50% display on chart. Indicates whether this threshold will be displayed on cost charts.
-
-- Required: No
-- Type: string
-- Default: `'Disabled'`
-- Allowed:
- ```Bicep
- [
- 'Disabled'
- 'Enabled'
- ]
- ```
-
-### Parameter: `thresholdValue50SendNotificationWhenExceeded`
-
-Target cost threshold at 50% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded.
-
-- Required: No
-- Type: string
-- Default: `'Disabled'`
-- Allowed:
- ```Bicep
- [
- 'Disabled'
- 'Enabled'
- ]
- ```
-
-### Parameter: `thresholdValue75DisplayOnChart`
-
-Target Cost threshold at 75% display on chart. Indicates whether this threshold will be displayed on cost charts.
-
-- Required: No
-- Type: string
-- Default: `'Disabled'`
-- Allowed:
- ```Bicep
- [
- 'Disabled'
- 'Enabled'
- ]
- ```
-
-### Parameter: `thresholdValue75SendNotificationWhenExceeded`
-
-Target cost threshold at 75% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded.
-
-- Required: No
-- Type: string
-- Default: `'Disabled'`
-- Allowed:
- ```Bicep
- [
- 'Disabled'
- 'Enabled'
- ]
- ```
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the cost. |
-| `resourceGroupName` | string | The name of the resource group the cost was created in. |
-| `resourceId` | string | The resource ID of the cost. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/dev-test-lab/lab/cost/main.bicep b/modules/dev-test-lab/lab/cost/main.bicep
deleted file mode 100644
index c0e7f7cb18..0000000000
--- a/modules/dev-test-lab/lab/cost/main.bicep
+++ /dev/null
@@ -1,195 +0,0 @@
-metadata name = 'DevTest Lab Costs'
-metadata description = '''This module deploys a DevTest Lab Cost.
-
-Manage lab costs by setting a spending target that can be viewed in the Monthly Estimated Cost Trend chart. DevTest Labs can send a notification when spending reaches the specified target threshold.'''
-metadata owner = 'Azure/module-maintainers'
-
-@sys.description('Conditional. The name of the parent lab. Required if the template is used in a standalone deployment.')
-param labName string
-
-@allowed([
- 'Custom'
- 'CalendarMonth'
-])
-@sys.description('Required. Reporting cycle type.')
-param cycleType string
-
-@sys.description('Optional. Tags of the resource.')
-param tags object?
-
-@sys.description('Conditional. Reporting cycle start date in the zulu time format (e.g. 2023-12-01T00:00:00.000Z). Required if cycleType is set to "Custom".')
-param cycleStartDateTime string = ''
-
-@sys.description('Conditional. Reporting cycle end date in the zulu time format (e.g. 2023-12-01T00:00:00.000Z). Required if cycleType is set to "Custom".')
-param cycleEndDateTime string = ''
-
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-@sys.description('Optional. Target cost status.')
-param status string = 'Enabled'
-
-@sys.description('Optional. Lab target cost (e.g. 100). The target cost will appear in the "Cost trend" chart to allow tracking lab spending relative to the target cost for the current reporting cycleSetting the target cost to 0 will disable all thresholds.')
-param target int = 0
-
-@sys.description('Optional. The currency code of the cost.')
-param currencyCode string = 'USD'
-
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-@sys.description('Optional. Target Cost threshold at 25% display on chart. Indicates whether this threshold will be displayed on cost charts.')
-param thresholdValue25DisplayOnChart string = 'Disabled'
-
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-@sys.description('Optional. Target cost threshold at 25% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded.')
-param thresholdValue25SendNotificationWhenExceeded string = 'Disabled'
-
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-@sys.description('Optional. Target Cost threshold at 50% display on chart. Indicates whether this threshold will be displayed on cost charts.')
-param thresholdValue50DisplayOnChart string = 'Disabled'
-
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-@sys.description('Optional. Target cost threshold at 50% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded.')
-param thresholdValue50SendNotificationWhenExceeded string = 'Disabled'
-
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-@sys.description('Optional. Target Cost threshold at 75% display on chart. Indicates whether this threshold will be displayed on cost charts.')
-param thresholdValue75DisplayOnChart string = 'Disabled'
-
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-@sys.description('Optional. Target cost threshold at 75% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded.')
-param thresholdValue75SendNotificationWhenExceeded string = 'Disabled'
-
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-@sys.description('Optional. Target Cost threshold at 100% display on chart. Indicates whether this threshold will be displayed on cost charts.')
-param thresholdValue100DisplayOnChart string = 'Disabled'
-
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-@sys.description('Optional. Target cost threshold at 100% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded.')
-param thresholdValue100SendNotificationWhenExceeded string = 'Disabled'
-
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-@sys.description('Optional. Target Cost threshold at 125% display on chart. Indicates whether this threshold will be displayed on cost charts.')
-param thresholdValue125DisplayOnChart string = 'Disabled'
-
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-@sys.description('Optional. Target cost threshold at 125% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded.')
-param thresholdValue125SendNotificationWhenExceeded string = 'Disabled'
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource lab 'Microsoft.DevTestLab/labs@2018-09-15' existing = {
- name: labName
-}
-
-resource cost 'Microsoft.DevTestLab/labs/costs@2018-09-15' = {
- name: 'targetCost'
- parent: lab
- tags: tags
- properties: {
- currencyCode: currencyCode
- startDateTime: cycleStartDateTime
- endDateTime: cycleEndDateTime
- targetCost: {
- target: target
- cycleStartDateTime: cycleStartDateTime
- cycleEndDateTime: cycleEndDateTime
- cycleType: cycleType
- status: status
- costThresholds: [
- {
- thresholdId: '00000000-0000-0000-0000-000000000001'
- percentageThreshold: {
- thresholdValue: 25
- }
- displayOnChart: thresholdValue25DisplayOnChart
- sendNotificationWhenExceeded: thresholdValue25SendNotificationWhenExceeded
- }
- {
- thresholdId: '00000000-0000-0000-0000-000000000002'
- percentageThreshold: {
- thresholdValue: 50
- }
- displayOnChart: thresholdValue50DisplayOnChart
- sendNotificationWhenExceeded: thresholdValue50SendNotificationWhenExceeded
- }
- {
- thresholdId: '00000000-0000-0000-0000-000000000003'
- percentageThreshold: {
- thresholdValue: 75
- }
- displayOnChart: thresholdValue75DisplayOnChart
- sendNotificationWhenExceeded: thresholdValue75SendNotificationWhenExceeded
- }
- {
- thresholdId: '00000000-0000-0000-0000-000000000004'
- percentageThreshold: {
- thresholdValue: 100
- }
- displayOnChart: thresholdValue100DisplayOnChart
- sendNotificationWhenExceeded: thresholdValue100SendNotificationWhenExceeded
- }
- {
- thresholdId: '00000000-0000-0000-0000-000000000005'
- percentageThreshold: {
- thresholdValue: 125
- }
- displayOnChart: thresholdValue125DisplayOnChart
- sendNotificationWhenExceeded: thresholdValue125SendNotificationWhenExceeded
- }
- ]
- }
- }
-}
-
-@sys.description('The name of the cost.')
-output name string = cost.name
-
-@sys.description('The resource ID of the cost.')
-output resourceId string = cost.id
-
-@sys.description('The name of the resource group the cost was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/dev-test-lab/lab/cost/main.json b/modules/dev-test-lab/lab/cost/main.json
deleted file mode 100644
index e6a82e360b..0000000000
--- a/modules/dev-test-lab/lab/cost/main.json
+++ /dev/null
@@ -1,304 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "2616589937060104878" - }, - "name": "DevTest Lab Costs", - "description": "This module deploys a DevTest Lab Cost.\r\n\r\nManage lab costs by setting a spending target that can be viewed in the Monthly Estimated Cost Trend chart. DevTest Labs can send a notification when spending reaches the specified target threshold.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "labName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent lab. Required if the template is used in a standalone deployment." - } - }, - "cycleType": { - "type": "string", - "allowedValues": [ - "Custom", - "CalendarMonth" - ], - "metadata": { - "description": "Required. Reporting cycle type." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "cycleStartDateTime": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. Reporting cycle start date in the zulu time format (e.g. 2023-12-01T00:00:00.000Z). Required if cycleType is set to \"Custom\"." - } - }, - "cycleEndDateTime": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. Reporting cycle end date in the zulu time format (e.g. 2023-12-01T00:00:00.000Z). Required if cycleType is set to \"Custom\"." - } - }, - "status": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Target cost status." - } - }, - "target": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. Lab target cost (e.g. 100). 
The target cost will appear in the \"Cost trend\" chart to allow tracking lab spending relative to the target cost for the current reporting cycleSetting the target cost to 0 will disable all thresholds." - } - }, - "currencyCode": { - "type": "string", - "defaultValue": "USD", - "metadata": { - "description": "Optional. The currency code of the cost." - } - }, - "thresholdValue25DisplayOnChart": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Target Cost threshold at 25% display on chart. Indicates whether this threshold will be displayed on cost charts." - } - }, - "thresholdValue25SendNotificationWhenExceeded": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Target cost threshold at 25% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded." - } - }, - "thresholdValue50DisplayOnChart": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Target Cost threshold at 50% display on chart. Indicates whether this threshold will be displayed on cost charts." - } - }, - "thresholdValue50SendNotificationWhenExceeded": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Target cost threshold at 50% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded." - } - }, - "thresholdValue75DisplayOnChart": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Target Cost threshold at 75% display on chart. Indicates whether this threshold will be displayed on cost charts." 
- } - }, - "thresholdValue75SendNotificationWhenExceeded": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Target cost threshold at 75% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded." - } - }, - "thresholdValue100DisplayOnChart": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Target Cost threshold at 100% display on chart. Indicates whether this threshold will be displayed on cost charts." - } - }, - "thresholdValue100SendNotificationWhenExceeded": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Target cost threshold at 100% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded." - } - }, - "thresholdValue125DisplayOnChart": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Target Cost threshold at 125% display on chart. Indicates whether this threshold will be displayed on cost charts." - } - }, - "thresholdValue125SendNotificationWhenExceeded": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Target cost threshold at 125% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "lab": { - "existing": true, - "type": "Microsoft.DevTestLab/labs", - "apiVersion": "2018-09-15", - "name": "[parameters('labName')]" - }, - "cost": { - "type": "Microsoft.DevTestLab/labs/costs", - "apiVersion": "2018-09-15", - "name": "[format('{0}/{1}', parameters('labName'), 'targetCost')]", - "tags": "[parameters('tags')]", - "properties": { - "currencyCode": "[parameters('currencyCode')]", - "startDateTime": "[parameters('cycleStartDateTime')]", - "endDateTime": "[parameters('cycleEndDateTime')]", - "targetCost": { - "target": "[parameters('target')]", - "cycleStartDateTime": "[parameters('cycleStartDateTime')]", - "cycleEndDateTime": "[parameters('cycleEndDateTime')]", - "cycleType": "[parameters('cycleType')]", - "status": "[parameters('status')]", - "costThresholds": [ - { - "thresholdId": "00000000-0000-0000-0000-000000000001", - "percentageThreshold": { - "thresholdValue": 25 - }, - "displayOnChart": "[parameters('thresholdValue25DisplayOnChart')]", - "sendNotificationWhenExceeded": "[parameters('thresholdValue25SendNotificationWhenExceeded')]" - }, - { - "thresholdId": "00000000-0000-0000-0000-000000000002", - "percentageThreshold": { - "thresholdValue": 50 - }, - "displayOnChart": "[parameters('thresholdValue50DisplayOnChart')]", - "sendNotificationWhenExceeded": "[parameters('thresholdValue50SendNotificationWhenExceeded')]" - }, - { - "thresholdId": "00000000-0000-0000-0000-000000000003", - "percentageThreshold": { - "thresholdValue": 75 - }, - 
"displayOnChart": "[parameters('thresholdValue75DisplayOnChart')]", - "sendNotificationWhenExceeded": "[parameters('thresholdValue75SendNotificationWhenExceeded')]" - }, - { - "thresholdId": "00000000-0000-0000-0000-000000000004", - "percentageThreshold": { - "thresholdValue": 100 - }, - "displayOnChart": "[parameters('thresholdValue100DisplayOnChart')]", - "sendNotificationWhenExceeded": "[parameters('thresholdValue100SendNotificationWhenExceeded')]" - }, - { - "thresholdId": "00000000-0000-0000-0000-000000000005", - "percentageThreshold": { - "thresholdValue": 125 - }, - "displayOnChart": "[parameters('thresholdValue125DisplayOnChart')]", - "sendNotificationWhenExceeded": "[parameters('thresholdValue125SendNotificationWhenExceeded')]" - } - ] - } - }, - "dependsOn": [ - "lab" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the cost." - }, - "value": "targetCost" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the cost." - }, - "value": "[resourceId('Microsoft.DevTestLab/labs/costs', parameters('labName'), 'targetCost')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the cost was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/dev-test-lab/lab/cost/version.json b/modules/dev-test-lab/lab/cost/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/dev-test-lab/lab/cost/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/dev-test-lab/lab/main.bicep b/modules/dev-test-lab/lab/main.bicep deleted file mode 100644 index 75e9e340d9..0000000000 --- a/modules/dev-test-lab/lab/main.bicep +++ /dev/null 
@@ -1,362 +0,0 @@
-metadata name = 'DevTest Labs'
-metadata description = 'This module deploys a DevTest Lab.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the lab.')
-param name string
-
-@description('Optional. Location for all Resources.')
-param location string = resourceGroup().location
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalIds\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. The properties of any lab announcement associated with this lab.')
-param announcement object = {}
-
-@allowed([
- 'Contributor'
- 'Reader'
-])
-@description('Optional. The access rights to be granted to the user when provisioning an environment.')
-param environmentPermission string = 'Reader'
-
-@description('Optional. Extended properties of the lab used for experimental features.')
-param extendedProperties object = {}
-
-@allowed([
- 'Standard'
- 'StandardSSD'
- 'Premium'
-])
-@description('Optional. Type of storage used by the lab. It can be either Premium or Standard.')
-param labStorageType string = 'Premium'
-
-@description('Optional. The resource ID of the storage account used to store artifacts and images by the lab. Also used for defaultStorageAccount, defaultPremiumStorageAccount and premiumDataDiskStorageAccount properties. If left empty, a default storage account will be created by the lab and used.')
-param artifactsStorageAccount string = ''
-
-@description('Optional. The ordered list of artifact resource IDs that should be applied on all Linux VM creations by default, prior to the artifacts specified by the user.')
-param mandatoryArtifactsResourceIdsLinux array = []
-
-@description('Optional. The ordered list of artifact resource IDs that should be applied on all Windows VM creations by default, prior to the artifacts specified by the user.')
-param mandatoryArtifactsResourceIdsWindows array = []
-
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-@description('Optional. The setting to enable usage of premium data disks. When its value is "Enabled", creation of standard or premium data disks is allowed. When its value is "Disabled", only creation of standard data disks is allowed. Default is "Disabled".')
-param premiumDataDisks string = 'Disabled'
-
-@description('Optional. The properties of any lab support message associated with this lab.')
-param support object = {}
-
-@description('Optional. The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
-
-@description('Optional. The resource ID(s) to assign to the virtual machines associated with this lab.')
-param managementIdentitiesResourceIds string[] = []
-
-@description('Optional. Resource Group allocation for virtual machines. If left empty, virtual machines will be deployed in their own Resource Groups. Default is the same Resource Group for DevTest Lab.')
-param vmCreationResourceGroupId string = resourceGroup().id
-
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-@description('Optional. Enable browser connect on virtual machines if the lab\'s VNETs have configured Azure Bastion.')
-param browserConnect string = 'Disabled'
-
-@description('Optional. Disable auto upgrade custom script extension minor version.')
-param disableAutoUpgradeCseMinorVersion bool = false
-
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-@description('Optional. Enable lab resources isolation from the public internet.')
-param isolateLabResources string = 'Enabled'
-
-@allowed([
- 'EncryptionAtRestWithPlatformKey'
- 'EncryptionAtRestWithCustomerKey'
-])
-@description('Optional. Specify how OS and data disks created as part of the lab are encrypted.')
-param encryptionType string = 'EncryptionAtRestWithPlatformKey'
-
-@description('Conditional. The Disk Encryption Set Resource ID used to encrypt OS and data disks created as part of the the lab. Required if encryptionType is set to "EncryptionAtRestWithCustomerKey".')
-param encryptionDiskEncryptionSetId string = ''
-
-@description('Optional. Virtual networks to create for the lab.')
-param virtualnetworks array = []
-
-@description('Optional. Policies to create for the lab.')
-param policies array = []
-
-@description('Optional. Schedules to create for the lab.')
-param schedules array = []
-
-@description('Conditional. Notification Channels to create for the lab. Required if the schedules property "notificationSettingsStatus" is set to "Enabled.')
-param notificationchannels array = []
-
-@description('Optional. Artifact sources to create for the lab.')
-param artifactsources array = []
-
-@description('Optional. Costs to create for the lab.')
-param costs object = {}
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-
-var identity = !empty(managedIdentities) ? {
- type: !empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned'
- userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
-} : any(null)
-
-var formattedManagementIdentities = !empty(managementIdentitiesResourceIds) ? reduce(map((managementIdentitiesResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) : {} // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
- 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource lab 'Microsoft.DevTestLab/labs@2018-10-15-preview' = {
- name: name
- location: location
- tags: tags
- identity: identity
- properties: {
- artifactsStorageAccount: artifactsStorageAccount
- announcement: announcement
- environmentPermission: environmentPermission
- extendedProperties: extendedProperties
- labStorageType: labStorageType
- mandatoryArtifactsResourceIdsLinux: mandatoryArtifactsResourceIdsLinux
- mandatoryArtifactsResourceIdsWindows: mandatoryArtifactsResourceIdsWindows
- premiumDataDisks: premiumDataDisks
- support: support
- managementIdentities: formattedManagementIdentities
- vmCreationResourceGroupId: vmCreationResourceGroupId
- browserConnect: browserConnect
- disableAutoUpgradeCseMinorVersion: disableAutoUpgradeCseMinorVersion
- isolateLabResources: isolateLabResources
- encryption: {
- type: encryptionType
- diskEncryptionSetId: !empty(encryptionDiskEncryptionSetId) ? encryptionDiskEncryptionSetId : null
- }
- }
-}
-
-resource lab_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: lab
-}
-
-module lab_virtualNetworks 'virtualnetwork/main.bicep' = [for (virtualNetwork, index) in virtualnetworks: {
- name: '${uniqueString(deployment().name, location)}-Lab-VirtualNetwork-${index}'
- params: {
- labName: lab.name
- name: virtualNetwork.name
- tags: virtualNetwork.?tags ?? tags
- externalProviderResourceId: virtualNetwork.externalProviderResourceId
- description: contains(virtualNetwork, 'description') ? virtualNetwork.description : ''
- allowedSubnets: contains(virtualNetwork, 'allowedSubnets') ? virtualNetwork.allowedSubnets : []
- subnetOverrides: contains(virtualNetwork, 'subnetOverrides') ? virtualNetwork.subnetOverrides : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module lab_policies 'policyset/policy/main.bicep' = [for (policy, index) in policies: {
- name: '${uniqueString(deployment().name, location)}-Lab-PolicySets-Policy-${index}'
- params: {
- labName: lab.name
- name: policy.name
- tags: policy.?tags ?? tags
- description: contains(policy, 'description') ? policy.description : ''
- evaluatorType: policy.evaluatorType
- factData: contains(policy, 'factData') ? policy.factData : ''
- factName: policy.factName
- status: contains(policy, 'status') ? policy.status : 'Enabled'
- threshold: policy.threshold
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module lab_schedules 'schedule/main.bicep' = [for (schedule, index) in schedules: {
- name: '${uniqueString(deployment().name, location)}-Lab-Schedules-${index}'
- params: {
- labName: lab.name
- name: schedule.name
- tags: schedule.?tags ?? tags
- taskType: schedule.taskType
- dailyRecurrence: contains(schedule, 'dailyRecurrence') ? schedule.dailyRecurrence : {}
- hourlyRecurrence: contains(schedule, 'hourlyRecurrence') ? schedule.hourlyRecurrence : {}
- weeklyRecurrence: contains(schedule, 'weeklyRecurrence') ? schedule.weeklyRecurrence : {}
- status: contains(schedule, 'status') ? schedule.status : 'Enabled'
- targetResourceId: contains(schedule, 'targetResourceId') ? schedule.targetResourceId : ''
- timeZoneId: contains(schedule, 'timeZoneId') ? schedule.timeZoneId : 'Pacific Standard time'
- notificationSettingsStatus: contains(schedule, 'notificationSettingsStatus') ? schedule.notificationSettingsStatus : 'Disabled'
- notificationSettingsTimeInMinutes: contains(schedule, 'notificationSettingsTimeInMinutes') ? schedule.notificationSettingsTimeInMinutes : 30
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module lab_notificationChannels 'notificationchannel/main.bicep' = [for (notificationChannel, index) in notificationchannels: {
- name: '${uniqueString(deployment().name, location)}-Lab-NotificationChannels-${index}'
- params: {
- labName: lab.name
- name: notificationChannel.name
- tags: notificationChannel.?tags ?? tags
- description: contains(notificationChannel, 'description') ? notificationChannel.description : ''
- events: notificationChannel.events
- emailRecipient: contains(notificationChannel, 'emailRecipient') ? notificationChannel.emailRecipient : ''
- webHookUrl: contains(notificationChannel, 'webhookUrl') ? notificationChannel.webhookUrl : ''
- notificationLocale: contains(notificationChannel, 'notificationLocale') ? notificationChannel.notificationLocale : 'en'
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module lab_artifactSources 'artifactsource/main.bicep' = [for (artifactSource, index) in artifactsources: {
- name: '${uniqueString(deployment().name, location)}-Lab-ArtifactSources-${index}'
- params: {
- labName: lab.name
- name: artifactSource.name
- tags: artifactSource.?tags ?? tags
- displayName: contains(artifactSource, 'displayName') ? artifactSource.displayName : artifactSource.name
- branchRef: contains(artifactSource, 'branchRef') ? artifactSource.branchRef : ''
- folderPath: contains(artifactSource, 'folderPath') ? artifactSource.folderPath : ''
- armTemplateFolderPath: contains(artifactSource, 'armTemplateFolderPath') ? artifactSource.armTemplateFolderPath : ''
- sourceType: contains(artifactSource, 'sourceType') ? artifactSource.sourceType : ''
- status: contains(artifactSource, 'status') ? artifactSource.status : 'Enabled'
- uri: artifactSource.uri
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module lab_costs 'cost/main.bicep' = if (!empty(costs)) {
- name: '${uniqueString(deployment().name, location)}-Lab-Costs'
- params: {
- labName: lab.name
- tags: costs.?tags ?? tags
- currencyCode: contains(costs, 'currencyCode') ? costs.currencyCode : 'USD'
- cycleType: costs.cycleType
- cycleStartDateTime: contains(costs, 'cycleStartDateTime') ? costs.cycleStartDateTime : ''
- cycleEndDateTime: contains(costs, 'cycleEndDateTime') ? costs.cycleEndDateTime : ''
- status: contains(costs, 'status') ? costs.status : 'Enabled'
- target: contains(costs, 'target') ? costs.target : 0
- thresholdValue25DisplayOnChart: contains(costs, 'thresholdValue25DisplayOnChart') ? costs.thresholdValue25DisplayOnChart : 'Disabled'
- thresholdValue25SendNotificationWhenExceeded: contains(costs, 'thresholdValue25SendNotificationWhenExceeded') ? costs.thresholdValue25SendNotificationWhenExceeded : 'Disabled'
- thresholdValue50DisplayOnChart: contains(costs, 'thresholdValue50DisplayOnChart') ? costs.thresholdValue50DisplayOnChart : 'Disabled'
- thresholdValue50SendNotificationWhenExceeded: contains(costs, 'thresholdValue50SendNotificationWhenExceeded') ? costs.thresholdValue50SendNotificationWhenExceeded : 'Disabled'
- thresholdValue75DisplayOnChart: contains(costs, 'thresholdValue75DisplayOnChart') ? costs.thresholdValue75DisplayOnChart : 'Disabled'
- thresholdValue75SendNotificationWhenExceeded: contains(costs, 'thresholdValue75SendNotificationWhenExceeded') ? costs.thresholdValue75SendNotificationWhenExceeded : 'Disabled'
- thresholdValue100DisplayOnChart: contains(costs, 'thresholdValue100DisplayOnChart') ? costs.thresholdValue100DisplayOnChart : 'Disabled'
- thresholdValue100SendNotificationWhenExceeded: contains(costs, 'thresholdValue100SendNotificationWhenExceeded') ? costs.thresholdValue100SendNotificationWhenExceeded : 'Disabled'
- thresholdValue125DisplayOnChart: contains(costs, 'thresholdValue125DisplayOnChart') ? costs.thresholdValue125DisplayOnChart : 'Disabled'
- thresholdValue125SendNotificationWhenExceeded: contains(costs, 'thresholdValue125SendNotificationWhenExceeded') ? costs.thresholdValue125SendNotificationWhenExceeded : 'Disabled'
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-resource lab_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(lab.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: lab
-}]
-
-@description('The unique identifier for the lab. Used to track tags that the lab applies to each resource that it creates.')
-output uniqueIdentifier string = lab.properties.uniqueIdentifier
-
-@description('The resource group the lab was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The resource ID of the lab.')
-output resourceId string = lab.id
-
-@description('The name of the lab.')
-output name string = lab.name
-
-@description('The principal ID of the system assigned identity.')
-output systemAssignedMIPrincipalId string = contains(lab.identity, 'principalId') ? lab.identity.principalId : ''
-
-@description('The location the resource was deployed into.')
-output location string = lab.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/dev-test-lab/lab/main.json b/modules/dev-test-lab/lab/main.json
deleted file mode 100644
index 488287e3d8..0000000000
--- a/modules/dev-test-lab/lab/main.json
+++ /dev/null
@@ -1,1835 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "45252262805377154" - }, - "name": "DevTest Labs", - "description": "This module deploys a DevTest Lab.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. 
The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the lab." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. 
Tags of the resource." - } - }, - "announcement": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The properties of any lab announcement associated with this lab." - } - }, - "environmentPermission": { - "type": "string", - "defaultValue": "Reader", - "allowedValues": [ - "Contributor", - "Reader" - ], - "metadata": { - "description": "Optional. The access rights to be granted to the user when provisioning an environment." - } - }, - "extendedProperties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Extended properties of the lab used for experimental features." - } - }, - "labStorageType": { - "type": "string", - "defaultValue": "Premium", - "allowedValues": [ - "Standard", - "StandardSSD", - "Premium" - ], - "metadata": { - "description": "Optional. Type of storage used by the lab. It can be either Premium or Standard." - } - }, - "artifactsStorageAccount": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of the storage account used to store artifacts and images by the lab. Also used for defaultStorageAccount, defaultPremiumStorageAccount and premiumDataDiskStorageAccount properties. If left empty, a default storage account will be created by the lab and used." - } - }, - "mandatoryArtifactsResourceIdsLinux": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The ordered list of artifact resource IDs that should be applied on all Linux VM creations by default, prior to the artifacts specified by the user." - } - }, - "mandatoryArtifactsResourceIdsWindows": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The ordered list of artifact resource IDs that should be applied on all Windows VM creations by default, prior to the artifacts specified by the user." 
- } - }, - "premiumDataDisks": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. The setting to enable usage of premium data disks. When its value is \"Enabled\", creation of standard or premium data disks is allowed. When its value is \"Disabled\", only creation of standard data disks is allowed. Default is \"Disabled\"." - } - }, - "support": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The properties of any lab support message associated with this lab." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "managementIdentitiesResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "defaultValue": [], - "metadata": { - "description": "Optional. The resource ID(s) to assign to the virtual machines associated with this lab." - } - }, - "vmCreationResourceGroupId": { - "type": "string", - "defaultValue": "[resourceGroup().id]", - "metadata": { - "description": "Optional. Resource Group allocation for virtual machines. If left empty, virtual machines will be deployed in their own Resource Groups. Default is the same Resource Group for DevTest Lab." - } - }, - "browserConnect": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Enable browser connect on virtual machines if the lab's VNETs have configured Azure Bastion." - } - }, - "disableAutoUpgradeCseMinorVersion": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Disable auto upgrade custom script extension minor version." 
- } - }, - "isolateLabResources": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Enable lab resources isolation from the public internet." - } - }, - "encryptionType": { - "type": "string", - "defaultValue": "EncryptionAtRestWithPlatformKey", - "allowedValues": [ - "EncryptionAtRestWithPlatformKey", - "EncryptionAtRestWithCustomerKey" - ], - "metadata": { - "description": "Optional. Specify how OS and data disks created as part of the lab are encrypted." - } - }, - "encryptionDiskEncryptionSetId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The Disk Encryption Set Resource ID used to encrypt OS and data disks created as part of the the lab. Required if encryptionType is set to \"EncryptionAtRestWithCustomerKey\"." - } - }, - "virtualnetworks": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Virtual networks to create for the lab." - } - }, - "policies": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Policies to create for the lab." - } - }, - "schedules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Schedules to create for the lab." - } - }, - "notificationchannels": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Conditional. Notification Channels to create for the lab. Required if the schedules property \"notificationSettingsStatus\" is set to \"Enabled." - } - }, - "artifactsources": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Artifact sources to create for the lab." - } - }, - "costs": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Costs to create for the lab." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. 
Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "formattedManagementIdentities": "[if(not(empty(parameters('managementIdentitiesResourceIds'))), reduce(map(coalesce(parameters('managementIdentitiesResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next')))), createObject())]", - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "lab": { - "type": "Microsoft.DevTestLab/labs", - "apiVersion": "2018-10-15-preview", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "properties": { - "artifactsStorageAccount": "[parameters('artifactsStorageAccount')]", - "announcement": "[parameters('announcement')]", - "environmentPermission": "[parameters('environmentPermission')]", - "extendedProperties": "[parameters('extendedProperties')]", - "labStorageType": "[parameters('labStorageType')]", - "mandatoryArtifactsResourceIdsLinux": "[parameters('mandatoryArtifactsResourceIdsLinux')]", - "mandatoryArtifactsResourceIdsWindows": "[parameters('mandatoryArtifactsResourceIdsWindows')]", - "premiumDataDisks": "[parameters('premiumDataDisks')]", - "support": "[parameters('support')]", - "managementIdentities": "[variables('formattedManagementIdentities')]", - "vmCreationResourceGroupId": "[parameters('vmCreationResourceGroupId')]", - "browserConnect": "[parameters('browserConnect')]", - "disableAutoUpgradeCseMinorVersion": "[parameters('disableAutoUpgradeCseMinorVersion')]", - "isolateLabResources": "[parameters('isolateLabResources')]", - 
"encryption": { - "type": "[parameters('encryptionType')]", - "diskEncryptionSetId": "[if(not(empty(parameters('encryptionDiskEncryptionSetId'))), parameters('encryptionDiskEncryptionSetId'), null())]" - } - } - }, - "lab_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.DevTestLab/labs/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "lab" - ] - }, - "lab_roleAssignments": { - "copy": { - "name": "lab_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.DevTestLab/labs/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.DevTestLab/labs', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "lab" - ] - }, - "lab_virtualNetworks": { - "copy": { - "name": "lab_virtualNetworks", - "count": "[length(parameters('virtualnetworks'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Lab-VirtualNetwork-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "labName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('virtualnetworks')[copyIndex()].name]" - }, - "tags": { - "value": "[coalesce(tryGet(parameters('virtualnetworks')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "externalProviderResourceId": { - "value": "[parameters('virtualnetworks')[copyIndex()].externalProviderResourceId]" - }, - "description": 
"[if(contains(parameters('virtualnetworks')[copyIndex()], 'description'), createObject('value', parameters('virtualnetworks')[copyIndex()].description), createObject('value', ''))]", - "allowedSubnets": "[if(contains(parameters('virtualnetworks')[copyIndex()], 'allowedSubnets'), createObject('value', parameters('virtualnetworks')[copyIndex()].allowedSubnets), createObject('value', createArray()))]", - "subnetOverrides": "[if(contains(parameters('virtualnetworks')[copyIndex()], 'subnetOverrides'), createObject('value', parameters('virtualnetworks')[copyIndex()].subnetOverrides), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "3411178791169282273" - }, - "name": "DevTest Lab Virtual Networks", - "description": "This module deploys a DevTest Lab Virtual Network.\r\n\r\nLab virtual machines must be deployed into a virtual network. This resource type allows configuring the virtual network and subnet settings used for the lab virtual machines.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "labName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent lab. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the virtual network." - } - }, - "externalProviderResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the virtual network." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." 
- } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the virtual network." - } - }, - "allowedSubnets": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The allowed subnets of the virtual network." - } - }, - "subnetOverrides": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The subnet overrides of the virtual network." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "lab": { - "existing": true, - "type": "Microsoft.DevTestLab/labs", - "apiVersion": "2018-09-15", - "name": "[parameters('labName')]" - }, - "virtualNetwork": { - "type": "Microsoft.DevTestLab/labs/virtualnetworks", - "apiVersion": "2018-09-15", - "name": "[format('{0}/{1}', parameters('labName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "description": "[parameters('description')]", - "externalProviderResourceId": "[parameters('externalProviderResourceId')]", - "allowedSubnets": "[parameters('allowedSubnets')]", - "subnetOverrides": "[parameters('subnetOverrides')]" - }, - "dependsOn": [ - "lab" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the lab virtual network." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the lab virtual network." - }, - "value": "[resourceId('Microsoft.DevTestLab/labs/virtualnetworks', parameters('labName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the lab virtual network was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "lab" - ] - }, - "lab_policies": { - "copy": { - "name": "lab_policies", - "count": "[length(parameters('policies'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Lab-PolicySets-Policy-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "labName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('policies')[copyIndex()].name]" - }, - "tags": { - "value": "[coalesce(tryGet(parameters('policies')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "description": "[if(contains(parameters('policies')[copyIndex()], 'description'), createObject('value', parameters('policies')[copyIndex()].description), createObject('value', ''))]", - "evaluatorType": { - "value": "[parameters('policies')[copyIndex()].evaluatorType]" - }, - "factData": "[if(contains(parameters('policies')[copyIndex()], 'factData'), createObject('value', parameters('policies')[copyIndex()].factData), createObject('value', ''))]", - "factName": { - "value": "[parameters('policies')[copyIndex()].factName]" - }, - "status": "[if(contains(parameters('policies')[copyIndex()], 'status'), createObject('value', parameters('policies')[copyIndex()].status), createObject('value', 'Enabled'))]", - "threshold": { - "value": "[parameters('policies')[copyIndex()].threshold]" - }, - 
"enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "4051108641883246191" - }, - "name": "DevTest Lab Policy Sets Policies", - "description": "This module deploys a DevTest Lab Policy Sets Policy.\r\n\r\nDevTest lab policies are used to modify the lab settings such as only allowing certain VM Size SKUs, marketplace image types, number of VMs allowed per user and other settings.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "labName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent lab. Required if the template is used in a standalone deployment." - } - }, - "policySetName": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the parent policy set." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the policy." - } - }, - "tags": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the policy." - } - }, - "evaluatorType": { - "type": "string", - "allowedValues": [ - "AllowedValuesPolicy", - "MaxValuePolicy" - ], - "metadata": { - "description": "Required. The evaluator type of the policy (i.e. AllowedValuesPolicy, MaxValuePolicy)." - } - }, - "factData": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The fact data of the policy." 
- } - }, - "factName": { - "type": "string", - "allowedValues": [ - "EnvironmentTemplate", - "GalleryImage", - "LabPremiumVmCount", - "LabTargetCost", - "LabVmCount", - "LabVmSize", - "ScheduleEditPermission", - "UserOwnedLabPremiumVmCount", - "UserOwnedLabVmCount", - "UserOwnedLabVmCountInSubnet" - ], - "metadata": { - "description": "Required. The fact name of the policy." - } - }, - "status": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. The status of the policy." - } - }, - "threshold": { - "type": "string", - "metadata": { - "description": "Required. The threshold of the policy (i.e. a number for MaxValuePolicy, and a JSON array of values for AllowedValuesPolicy)." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DevTestLab/labs/policysets/policies", - "apiVersion": "2018-09-15", - "name": "[format('{0}/{1}/{2}', parameters('labName'), parameters('policySetName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "description": "[parameters('description')]", - "evaluatorType": "[parameters('evaluatorType')]", - "factData": "[parameters('factData')]", - "factName": "[parameters('factName')]", - "status": "[parameters('status')]", - "threshold": "[parameters('threshold')]" - } - } - ], - "outputs": { - 
"name": { - "type": "string", - "metadata": { - "description": "The name of the policy." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the policy." - }, - "value": "[resourceId('Microsoft.DevTestLab/labs/policysets/policies', parameters('labName'), parameters('policySetName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the policy was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "lab" - ] - }, - "lab_schedules": { - "copy": { - "name": "lab_schedules", - "count": "[length(parameters('schedules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Lab-Schedules-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "labName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('schedules')[copyIndex()].name]" - }, - "tags": { - "value": "[coalesce(tryGet(parameters('schedules')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "taskType": { - "value": "[parameters('schedules')[copyIndex()].taskType]" - }, - "dailyRecurrence": "[if(contains(parameters('schedules')[copyIndex()], 'dailyRecurrence'), createObject('value', parameters('schedules')[copyIndex()].dailyRecurrence), createObject('value', createObject()))]", - "hourlyRecurrence": "[if(contains(parameters('schedules')[copyIndex()], 'hourlyRecurrence'), createObject('value', parameters('schedules')[copyIndex()].hourlyRecurrence), createObject('value', createObject()))]", - "weeklyRecurrence": "[if(contains(parameters('schedules')[copyIndex()], 'weeklyRecurrence'), createObject('value', parameters('schedules')[copyIndex()].weeklyRecurrence), createObject('value', 
createObject()))]", - "status": "[if(contains(parameters('schedules')[copyIndex()], 'status'), createObject('value', parameters('schedules')[copyIndex()].status), createObject('value', 'Enabled'))]", - "targetResourceId": "[if(contains(parameters('schedules')[copyIndex()], 'targetResourceId'), createObject('value', parameters('schedules')[copyIndex()].targetResourceId), createObject('value', ''))]", - "timeZoneId": "[if(contains(parameters('schedules')[copyIndex()], 'timeZoneId'), createObject('value', parameters('schedules')[copyIndex()].timeZoneId), createObject('value', 'Pacific Standard time'))]", - "notificationSettingsStatus": "[if(contains(parameters('schedules')[copyIndex()], 'notificationSettingsStatus'), createObject('value', parameters('schedules')[copyIndex()].notificationSettingsStatus), createObject('value', 'Disabled'))]", - "notificationSettingsTimeInMinutes": "[if(contains(parameters('schedules')[copyIndex()], 'notificationSettingsTimeInMinutes'), createObject('value', parameters('schedules')[copyIndex()].notificationSettingsTimeInMinutes), createObject('value', 30))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "6869247020147801213" - }, - "name": "DevTest Lab Schedules", - "description": "This module deploys a DevTest Lab Schedule.\r\n\r\nLab schedules are used to modify the settings for auto-shutdown, auto-start for lab virtual machines.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "labName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent lab. Required if the template is used in a standalone deployment." 
- } - }, - "name": { - "type": "string", - "allowedValues": [ - "LabVmsShutdown", - "LabVmAutoStart" - ], - "metadata": { - "description": "Required. The name of the schedule." - } - }, - "taskType": { - "type": "string", - "allowedValues": [ - "LabVmsShutdownTask", - "LabVmsStartupTask" - ], - "metadata": { - "description": "Required. The task type of the schedule (e.g. LabVmsShutdownTask, LabVmsStartupTask)." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "dailyRecurrence": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. If the schedule will occur once each day of the week, specify the daily recurrence." - } - }, - "hourlyRecurrence": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. If the schedule will occur multiple times a day, specify the hourly recurrence." - } - }, - "weeklyRecurrence": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. If the schedule will occur only some days of the week, specify the weekly recurrence." - } - }, - "status": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. The status of the schedule (i.e. Enabled, Disabled)." - } - }, - "targetResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID to which the schedule belongs." - } - }, - "timeZoneId": { - "type": "string", - "defaultValue": "Pacific Standard time", - "metadata": { - "description": "Optional. The time zone ID (e.g. Pacific Standard time)." - } - }, - "notificationSettingsStatus": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. If notifications are enabled for this schedule (i.e. Enabled, Disabled)." 
- } - }, - "notificationSettingsTimeInMinutes": { - "type": "int", - "defaultValue": 30, - "metadata": { - "description": "Optional. Time in minutes before event at which notification will be sent. Optional if \"notificationSettingsStatus\" is set to \"Enabled\". Default is 30 minutes." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "lab": { - "existing": true, - "type": "Microsoft.DevTestLab/labs", - "apiVersion": "2018-09-15", - "name": "[parameters('labName')]" - }, - "schedule": { - "type": "Microsoft.DevTestLab/labs/schedules", - "apiVersion": "2018-09-15", - "name": "[format('{0}/{1}', parameters('labName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "taskType": "[parameters('taskType')]", - "dailyRecurrence": "[if(not(empty(parameters('dailyRecurrence'))), parameters('dailyRecurrence'), null())]", - "hourlyRecurrence": "[if(not(empty(parameters('hourlyRecurrence'))), parameters('hourlyRecurrence'), null())]", - "weeklyRecurrence": "[if(not(empty(parameters('weeklyRecurrence'))), parameters('weeklyRecurrence'), null())]", - "status": "[parameters('status')]", - "targetResourceId": "[if(not(empty(parameters('targetResourceId'))), parameters('targetResourceId'), null())]", - "timeZoneId": "[parameters('timeZoneId')]", - "notificationSettings": 
"[if(equals(parameters('notificationSettingsStatus'), 'Enabled'), createObject('status', parameters('notificationSettingsStatus'), 'timeInMinutes', parameters('notificationSettingsTimeInMinutes')), createObject())]" - }, - "dependsOn": [ - "lab" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the schedule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the schedule." - }, - "value": "[resourceId('Microsoft.DevTestLab/labs/schedules', parameters('labName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the schedule was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "lab" - ] - }, - "lab_notificationChannels": { - "copy": { - "name": "lab_notificationChannels", - "count": "[length(parameters('notificationchannels'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Lab-NotificationChannels-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "labName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('notificationchannels')[copyIndex()].name]" - }, - "tags": { - "value": "[coalesce(tryGet(parameters('notificationchannels')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "description": "[if(contains(parameters('notificationchannels')[copyIndex()], 'description'), createObject('value', parameters('notificationchannels')[copyIndex()].description), createObject('value', ''))]", - "events": { - "value": "[parameters('notificationchannels')[copyIndex()].events]" - }, - "emailRecipient": "[if(contains(parameters('notificationchannels')[copyIndex()], 
'emailRecipient'), createObject('value', parameters('notificationchannels')[copyIndex()].emailRecipient), createObject('value', ''))]", - "webHookUrl": "[if(contains(parameters('notificationchannels')[copyIndex()], 'webhookUrl'), createObject('value', parameters('notificationchannels')[copyIndex()].webhookUrl), createObject('value', ''))]", - "notificationLocale": "[if(contains(parameters('notificationchannels')[copyIndex()], 'notificationLocale'), createObject('value', parameters('notificationchannels')[copyIndex()].notificationLocale), createObject('value', 'en'))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "13273709159138475693" - }, - "name": "DevTest Lab Notification Channels", - "description": "This module deploys a DevTest Lab Notification Channel.\r\n\r\nNotification channels are used by the schedule resource type in order to send notifications or events to email addresses and/or webhooks.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "labName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent lab. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "allowedValues": [ - "autoShutdown", - "costThreshold" - ], - "metadata": { - "description": "Required. The name of the notification channel." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Description of notification." 
- } - }, - "events": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Required. The list of event for which this notification is enabled." - } - }, - "emailRecipient": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The email recipient to send notifications to (can be a list of semi-colon separated email addresses). Required if \"webHookUrl\" is empty." - } - }, - "webHookUrl": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The webhook URL to which the notification will be sent. Required if \"emailRecipient\" is empty." - } - }, - "notificationLocale": { - "type": "string", - "defaultValue": "en", - "metadata": { - "description": "Optional. The locale to use when sending a notification (fallback for unsupported languages is EN)." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "lab": { - "existing": true, - "type": "Microsoft.DevTestLab/labs", - "apiVersion": "2018-09-15", - "name": "[parameters('labName')]" - }, - "notificationChannel": { - "type": "Microsoft.DevTestLab/labs/notificationchannels", - "apiVersion": "2018-09-15", - "name": "[format('{0}/{1}', parameters('labName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "description": "[parameters('description')]", - "events": "[parameters('events')]", - "emailRecipient": "[parameters('emailRecipient')]", - "webHookUrl": "[parameters('webHookUrl')]", - "notificationLocale": "[parameters('notificationLocale')]" - }, - "dependsOn": [ - "lab" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the notification channel." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the notification channel." - }, - "value": "[resourceId('Microsoft.DevTestLab/labs/notificationchannels', parameters('labName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the notification channel was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "lab" - ] - }, - "lab_artifactSources": { - "copy": { - "name": "lab_artifactSources", - "count": "[length(parameters('artifactsources'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Lab-ArtifactSources-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "labName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('artifactsources')[copyIndex()].name]" - }, - "tags": { - "value": "[coalesce(tryGet(parameters('artifactsources')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "displayName": "[if(contains(parameters('artifactsources')[copyIndex()], 'displayName'), createObject('value', parameters('artifactsources')[copyIndex()].displayName), createObject('value', parameters('artifactsources')[copyIndex()].name))]", - "branchRef": "[if(contains(parameters('artifactsources')[copyIndex()], 'branchRef'), createObject('value', parameters('artifactsources')[copyIndex()].branchRef), createObject('value', ''))]", - "folderPath": "[if(contains(parameters('artifactsources')[copyIndex()], 'folderPath'), createObject('value', parameters('artifactsources')[copyIndex()].folderPath), createObject('value', ''))]", - "armTemplateFolderPath": "[if(contains(parameters('artifactsources')[copyIndex()], 'armTemplateFolderPath'), createObject('value', parameters('artifactsources')[copyIndex()].armTemplateFolderPath), createObject('value', ''))]", - "sourceType": "[if(contains(parameters('artifactsources')[copyIndex()], 'sourceType'), createObject('value', parameters('artifactsources')[copyIndex()].sourceType), createObject('value', ''))]", - "status": "[if(contains(parameters('artifactsources')[copyIndex()], 'status'), createObject('value', 
parameters('artifactsources')[copyIndex()].status), createObject('value', 'Enabled'))]", - "uri": { - "value": "[parameters('artifactsources')[copyIndex()].uri]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "17690202847641097971" - }, - "name": "DevTest Lab Artifact Sources", - "description": "This module deploys a DevTest Lab Artifact Source.\r\n\r\nAn artifact source allows you to create custom artifacts for the VMs in the lab, or use Azure Resource Manager templates to create a custom test environment. You must add a private Git repository for the artifacts or Resource Manager templates that your team creates. The repository can be hosted on GitHub or on Azure DevOps Services.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "labName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent lab. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the artifact source." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "displayName": { - "type": "string", - "defaultValue": "[parameters('name')]", - "metadata": { - "description": "Optional. The artifact source's display name. Default is the name of the artifact source." - } - }, - "branchRef": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The artifact source's branch reference (e.g. main or master)." 
- } - }, - "folderPath": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The folder containing artifacts. At least one folder path is required. Required if \"armTemplateFolderPath\" is empty." - } - }, - "armTemplateFolderPath": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The folder containing Azure Resource Manager templates. Required if \"folderPath\" is empty." - } - }, - "securityToken": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. The security token to authenticate to the artifact source." - } - }, - "sourceType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "GitHub", - "StorageAccount", - "VsoGit" - ], - "metadata": { - "description": "Optional. The artifact source's type." - } - }, - "status": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Indicates if the artifact source is enabled (values: Enabled, Disabled). Default is \"Enabled\"." - } - }, - "uri": { - "type": "string", - "metadata": { - "description": "Required. The artifact source's URI." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "lab": { - "existing": true, - "type": "Microsoft.DevTestLab/labs", - "apiVersion": "2018-09-15", - "name": "[parameters('labName')]" - }, - "artifactsource": { - "type": "Microsoft.DevTestLab/labs/artifactsources", - "apiVersion": "2018-09-15", - "name": "[format('{0}/{1}', parameters('labName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "displayName": "[parameters('displayName')]", - "branchRef": "[if(not(empty(parameters('branchRef'))), parameters('branchRef'), null())]", - "folderPath": "[if(not(empty(parameters('folderPath'))), parameters('folderPath'), null())]", - "armTemplateFolderPath": "[if(not(empty(parameters('armTemplateFolderPath'))), parameters('armTemplateFolderPath'), null())]", - "securityToken": "[if(not(empty(parameters('securityToken'))), parameters('securityToken'), null())]", - "sourceType": "[if(not(empty(parameters('sourceType'))), parameters('sourceType'), null())]", - "status": "[parameters('status')]", - "uri": "[parameters('uri')]" - }, - "dependsOn": [ - "lab" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the artifact source." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the artifact source." 
- }, - "value": "[resourceId('Microsoft.DevTestLab/labs/artifactsources', parameters('labName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the artifact source was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "lab" - ] - }, - "lab_costs": { - "condition": "[not(empty(parameters('costs')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Lab-Costs', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "labName": { - "value": "[parameters('name')]" - }, - "tags": { - "value": "[coalesce(tryGet(parameters('costs'), 'tags'), parameters('tags'))]" - }, - "currencyCode": "[if(contains(parameters('costs'), 'currencyCode'), createObject('value', parameters('costs').currencyCode), createObject('value', 'USD'))]", - "cycleType": { - "value": "[parameters('costs').cycleType]" - }, - "cycleStartDateTime": "[if(contains(parameters('costs'), 'cycleStartDateTime'), createObject('value', parameters('costs').cycleStartDateTime), createObject('value', ''))]", - "cycleEndDateTime": "[if(contains(parameters('costs'), 'cycleEndDateTime'), createObject('value', parameters('costs').cycleEndDateTime), createObject('value', ''))]", - "status": "[if(contains(parameters('costs'), 'status'), createObject('value', parameters('costs').status), createObject('value', 'Enabled'))]", - "target": "[if(contains(parameters('costs'), 'target'), createObject('value', parameters('costs').target), createObject('value', 0))]", - "thresholdValue25DisplayOnChart": "[if(contains(parameters('costs'), 'thresholdValue25DisplayOnChart'), createObject('value', parameters('costs').thresholdValue25DisplayOnChart), createObject('value', 'Disabled'))]", - "thresholdValue25SendNotificationWhenExceeded": 
"[if(contains(parameters('costs'), 'thresholdValue25SendNotificationWhenExceeded'), createObject('value', parameters('costs').thresholdValue25SendNotificationWhenExceeded), createObject('value', 'Disabled'))]", - "thresholdValue50DisplayOnChart": "[if(contains(parameters('costs'), 'thresholdValue50DisplayOnChart'), createObject('value', parameters('costs').thresholdValue50DisplayOnChart), createObject('value', 'Disabled'))]", - "thresholdValue50SendNotificationWhenExceeded": "[if(contains(parameters('costs'), 'thresholdValue50SendNotificationWhenExceeded'), createObject('value', parameters('costs').thresholdValue50SendNotificationWhenExceeded), createObject('value', 'Disabled'))]", - "thresholdValue75DisplayOnChart": "[if(contains(parameters('costs'), 'thresholdValue75DisplayOnChart'), createObject('value', parameters('costs').thresholdValue75DisplayOnChart), createObject('value', 'Disabled'))]", - "thresholdValue75SendNotificationWhenExceeded": "[if(contains(parameters('costs'), 'thresholdValue75SendNotificationWhenExceeded'), createObject('value', parameters('costs').thresholdValue75SendNotificationWhenExceeded), createObject('value', 'Disabled'))]", - "thresholdValue100DisplayOnChart": "[if(contains(parameters('costs'), 'thresholdValue100DisplayOnChart'), createObject('value', parameters('costs').thresholdValue100DisplayOnChart), createObject('value', 'Disabled'))]", - "thresholdValue100SendNotificationWhenExceeded": "[if(contains(parameters('costs'), 'thresholdValue100SendNotificationWhenExceeded'), createObject('value', parameters('costs').thresholdValue100SendNotificationWhenExceeded), createObject('value', 'Disabled'))]", - "thresholdValue125DisplayOnChart": "[if(contains(parameters('costs'), 'thresholdValue125DisplayOnChart'), createObject('value', parameters('costs').thresholdValue125DisplayOnChart), createObject('value', 'Disabled'))]", - "thresholdValue125SendNotificationWhenExceeded": "[if(contains(parameters('costs'), 
'thresholdValue125SendNotificationWhenExceeded'), createObject('value', parameters('costs').thresholdValue125SendNotificationWhenExceeded), createObject('value', 'Disabled'))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "2616589937060104878" - }, - "name": "DevTest Lab Costs", - "description": "This module deploys a DevTest Lab Cost.\r\n\r\nManage lab costs by setting a spending target that can be viewed in the Monthly Estimated Cost Trend chart. DevTest Labs can send a notification when spending reaches the specified target threshold.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "labName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent lab. Required if the template is used in a standalone deployment." - } - }, - "cycleType": { - "type": "string", - "allowedValues": [ - "Custom", - "CalendarMonth" - ], - "metadata": { - "description": "Required. Reporting cycle type." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "cycleStartDateTime": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. Reporting cycle start date in the zulu time format (e.g. 2023-12-01T00:00:00.000Z). Required if cycleType is set to \"Custom\"." - } - }, - "cycleEndDateTime": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. Reporting cycle end date in the zulu time format (e.g. 2023-12-01T00:00:00.000Z). Required if cycleType is set to \"Custom\"." 
- } - }, - "status": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Target cost status." - } - }, - "target": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. Lab target cost (e.g. 100). The target cost will appear in the \"Cost trend\" chart to allow tracking lab spending relative to the target cost for the current reporting cycleSetting the target cost to 0 will disable all thresholds." - } - }, - "currencyCode": { - "type": "string", - "defaultValue": "USD", - "metadata": { - "description": "Optional. The currency code of the cost." - } - }, - "thresholdValue25DisplayOnChart": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Target Cost threshold at 25% display on chart. Indicates whether this threshold will be displayed on cost charts." - } - }, - "thresholdValue25SendNotificationWhenExceeded": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Target cost threshold at 25% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded." - } - }, - "thresholdValue50DisplayOnChart": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Target Cost threshold at 50% display on chart. Indicates whether this threshold will be displayed on cost charts." - } - }, - "thresholdValue50SendNotificationWhenExceeded": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Target cost threshold at 50% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded." 
- } - }, - "thresholdValue75DisplayOnChart": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Target Cost threshold at 75% display on chart. Indicates whether this threshold will be displayed on cost charts." - } - }, - "thresholdValue75SendNotificationWhenExceeded": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Target cost threshold at 75% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded." - } - }, - "thresholdValue100DisplayOnChart": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Target Cost threshold at 100% display on chart. Indicates whether this threshold will be displayed on cost charts." - } - }, - "thresholdValue100SendNotificationWhenExceeded": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Target cost threshold at 100% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded." - } - }, - "thresholdValue125DisplayOnChart": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Target Cost threshold at 125% display on chart. Indicates whether this threshold will be displayed on cost charts." - } - }, - "thresholdValue125SendNotificationWhenExceeded": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Target cost threshold at 125% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "lab": { - "existing": true, - "type": "Microsoft.DevTestLab/labs", - "apiVersion": "2018-09-15", - "name": "[parameters('labName')]" - }, - "cost": { - "type": "Microsoft.DevTestLab/labs/costs", - "apiVersion": "2018-09-15", - "name": "[format('{0}/{1}', parameters('labName'), 'targetCost')]", - "tags": "[parameters('tags')]", - "properties": { - "currencyCode": "[parameters('currencyCode')]", - "startDateTime": "[parameters('cycleStartDateTime')]", - "endDateTime": "[parameters('cycleEndDateTime')]", - "targetCost": { - "target": "[parameters('target')]", - "cycleStartDateTime": "[parameters('cycleStartDateTime')]", - "cycleEndDateTime": "[parameters('cycleEndDateTime')]", - "cycleType": "[parameters('cycleType')]", - "status": "[parameters('status')]", - "costThresholds": [ - { - "thresholdId": "00000000-0000-0000-0000-000000000001", - "percentageThreshold": { - "thresholdValue": 25 - }, - "displayOnChart": "[parameters('thresholdValue25DisplayOnChart')]", - "sendNotificationWhenExceeded": "[parameters('thresholdValue25SendNotificationWhenExceeded')]" - }, - { - "thresholdId": "00000000-0000-0000-0000-000000000002", - "percentageThreshold": { - "thresholdValue": 50 - }, - "displayOnChart": "[parameters('thresholdValue50DisplayOnChart')]", - "sendNotificationWhenExceeded": 
"[parameters('thresholdValue50SendNotificationWhenExceeded')]" - }, - { - "thresholdId": "00000000-0000-0000-0000-000000000003", - "percentageThreshold": { - "thresholdValue": 75 - }, - "displayOnChart": "[parameters('thresholdValue75DisplayOnChart')]", - "sendNotificationWhenExceeded": "[parameters('thresholdValue75SendNotificationWhenExceeded')]" - }, - { - "thresholdId": "00000000-0000-0000-0000-000000000004", - "percentageThreshold": { - "thresholdValue": 100 - }, - "displayOnChart": "[parameters('thresholdValue100DisplayOnChart')]", - "sendNotificationWhenExceeded": "[parameters('thresholdValue100SendNotificationWhenExceeded')]" - }, - { - "thresholdId": "00000000-0000-0000-0000-000000000005", - "percentageThreshold": { - "thresholdValue": 125 - }, - "displayOnChart": "[parameters('thresholdValue125DisplayOnChart')]", - "sendNotificationWhenExceeded": "[parameters('thresholdValue125SendNotificationWhenExceeded')]" - } - ] - } - }, - "dependsOn": [ - "lab" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the cost." - }, - "value": "targetCost" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the cost." - }, - "value": "[resourceId('Microsoft.DevTestLab/labs/costs', parameters('labName'), 'targetCost')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the cost was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "lab" - ] - } - }, - "outputs": { - "uniqueIdentifier": { - "type": "string", - "metadata": { - "description": "The unique identifier for the lab. Used to track tags that the lab applies to each resource that it creates." - }, - "value": "[reference('lab').uniqueIdentifier]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the lab was deployed into." 
- }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the lab." - }, - "value": "[resourceId('Microsoft.DevTestLab/labs', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the lab." - }, - "value": "[parameters('name')]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(contains(reference('lab', '2018-10-15-preview', 'full').identity, 'principalId'), reference('lab', '2018-10-15-preview', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('lab', '2018-10-15-preview', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/dev-test-lab/lab/notificationchannel/README.md b/modules/dev-test-lab/lab/notificationchannel/README.md deleted file mode 100644 index fa378b420e..0000000000 --- a/modules/dev-test-lab/lab/notificationchannel/README.md +++ /dev/null 
@@ -1,133 +0,0 @@ -# DevTest Lab Notification Channels `[Microsoft.DevTestLab/labs/notificationchannels]` - -This module deploys a DevTest Lab Notification Channel. - -Notification channels are used by the schedule resource type in order to send notifications or events to email addresses and/or webhooks. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.DevTestLab/labs/notificationchannels` | [2018-09-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DevTestLab/2018-09-15/labs/notificationchannels) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`events`](#parameter-events) | array | The list of event for which this notification is enabled. | -| [`name`](#parameter-name) | string | The name of the notification channel. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`emailRecipient`](#parameter-emailrecipient) | string | The email recipient to send notifications to (can be a list of semi-colon separated email addresses). Required if "webHookUrl" is empty. | -| [`labName`](#parameter-labname) | string | The name of the parent lab. Required if the template is used in a standalone deployment. | -| [`webHookUrl`](#parameter-webhookurl) | string | The webhook URL to which the notification will be sent. Required if "emailRecipient" is empty. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`description`](#parameter-description) | string | Description of notification. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). 
| -| [`notificationLocale`](#parameter-notificationlocale) | string | The locale to use when sending a notification (fallback for unsupported languages is EN). | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `events` - -The list of event for which this notification is enabled. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `name` - -The name of the notification channel. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'autoShutdown' - 'costThreshold' - ] - ``` - -### Parameter: `emailRecipient` - -The email recipient to send notifications to (can be a list of semi-colon separated email addresses). Required if "webHookUrl" is empty. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `labName` - -The name of the parent lab. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `webHookUrl` - -The webhook URL to which the notification will be sent. Required if "emailRecipient" is empty. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `description` - -Description of notification. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `notificationLocale` - -The locale to use when sending a notification (fallback for unsupported languages is EN). - -- Required: No -- Type: string -- Default: `'en'` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the notification channel. | -| `resourceGroupName` | string | The name of the resource group the notification channel was created in. | -| `resourceId` | string | The resource ID of the notification channel. | - -## Cross-referenced modules - -_None_ 
diff --git a/modules/dev-test-lab/lab/notificationchannel/main.bicep b/modules/dev-test-lab/lab/notificationchannel/main.bicep
deleted file mode 100644
index cae5615737..0000000000
--- a/modules/dev-test-lab/lab/notificationchannel/main.bicep
+++ /dev/null
@@ -1,74 +0,0 @@ -metadata name = 'DevTest Lab Notification Channels' -metadata description = '''This module deploys a DevTest Lab Notification Channel. - -Notification channels are used by the schedule resource type in order to send notifications or events to email addresses and/or webhooks.''' -metadata owner = 'Azure/module-maintainers' - -@sys.description('Conditional. The name of the parent lab. Required if the template is used in a standalone deployment.') -param labName string - -@allowed([ - 'autoShutdown' - 'costThreshold' -]) -@sys.description('Required. The name of the notification channel.') -param name string - -@sys.description('Optional. Tags of the resource.') -param tags object? - -@sys.description('Optional. Description of notification.') -param description string = '' - -@sys.description('Required. The list of event for which this notification is enabled.') -param events array = [] - -@sys.description('Conditional. The email recipient to send notifications to (can be a list of semi-colon separated email addresses). Required if "webHookUrl" is empty.') -param emailRecipient string = '' - -@sys.description('Conditional. The webhook URL to which the notification will be sent. Required if "emailRecipient" is empty.') -param webHookUrl string = '' - -@sys.description('Optional. The locale to use when sending a notification (fallback for unsupported languages is EN).') -param notificationLocale string = 'en' - -@sys.description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource lab 'Microsoft.DevTestLab/labs@2018-09-15' existing = { - name: labName -} - -resource notificationChannel 'Microsoft.DevTestLab/labs/notificationchannels@2018-09-15' = { - name: name - parent: lab - tags: tags - properties: { - description: description - events: events - emailRecipient: emailRecipient - webHookUrl: webHookUrl - notificationLocale: notificationLocale - } -} - -@sys.description('The name of the notification channel.') -output name string = notificationChannel.name - -@sys.description('The resource ID of the notification channel.') -output resourceId string = notificationChannel.id - -@sys.description('The name of the resource group the notification channel was created in.') -output resourceGroupName string = resourceGroup().name diff --git a/modules/dev-test-lab/lab/notificationchannel/main.json b/modules/dev-test-lab/lab/notificationchannel/main.json deleted file mode 100644 index 29a8487fda..0000000000 --- a/modules/dev-test-lab/lab/notificationchannel/main.json +++ /dev/null 
@@ -1,143 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "13273709159138475693" - }, - "name": "DevTest Lab Notification Channels", - "description": "This module deploys a DevTest Lab Notification Channel.\r\n\r\nNotification channels are used by the schedule resource type in order to send notifications or events to email addresses and/or webhooks.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "labName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent lab. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "allowedValues": [ - "autoShutdown", - "costThreshold" - ], - "metadata": { - "description": "Required. The name of the notification channel." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Description of notification." - } - }, - "events": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Required. The list of event for which this notification is enabled." - } - }, - "emailRecipient": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The email recipient to send notifications to (can be a list of semi-colon separated email addresses). Required if \"webHookUrl\" is empty." - } - }, - "webHookUrl": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The webhook URL to which the notification will be sent. Required if \"emailRecipient\" is empty." 
- } - }, - "notificationLocale": { - "type": "string", - "defaultValue": "en", - "metadata": { - "description": "Optional. The locale to use when sending a notification (fallback for unsupported languages is EN)." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "lab": { - "existing": true, - "type": "Microsoft.DevTestLab/labs", - "apiVersion": "2018-09-15", - "name": "[parameters('labName')]" - }, - "notificationChannel": { - "type": "Microsoft.DevTestLab/labs/notificationchannels", - "apiVersion": "2018-09-15", - "name": "[format('{0}/{1}', parameters('labName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "description": "[parameters('description')]", - "events": "[parameters('events')]", - "emailRecipient": "[parameters('emailRecipient')]", - "webHookUrl": "[parameters('webHookUrl')]", - "notificationLocale": "[parameters('notificationLocale')]" - }, - "dependsOn": [ - "lab" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the notification channel." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the notification channel." 
- }, - "value": "[resourceId('Microsoft.DevTestLab/labs/notificationchannels', parameters('labName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the notification channel was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/dev-test-lab/lab/notificationchannel/version.json b/modules/dev-test-lab/lab/notificationchannel/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/dev-test-lab/lab/notificationchannel/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/dev-test-lab/lab/policyset/policy/README.md b/modules/dev-test-lab/lab/policyset/policy/README.md deleted file mode 100644 index 0cc9ece256..0000000000 --- a/modules/dev-test-lab/lab/policyset/policy/README.md +++ /dev/null 
@@ -1,171 +0,0 @@ -# DevTest Lab Policy Sets Policies `[Microsoft.DevTestLab/labs/policysets/policies]` - -This module deploys a DevTest Lab Policy Sets Policy. - -DevTest lab policies are used to modify the lab settings such as only allowing certain VM Size SKUs, marketplace image types, number of VMs allowed per user and other settings. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.DevTestLab/labs/policysets/policies` | [2018-09-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DevTestLab/2018-09-15/labs/policysets/policies) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`evaluatorType`](#parameter-evaluatortype) | string | The evaluator type of the policy (i.e. AllowedValuesPolicy, MaxValuePolicy). | -| [`factName`](#parameter-factname) | string | The fact name of the policy. | -| [`name`](#parameter-name) | string | The name of the policy. | -| [`threshold`](#parameter-threshold) | string | The threshold of the policy (i.e. a number for MaxValuePolicy, and a JSON array of values for AllowedValuesPolicy). | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`labName`](#parameter-labname) | string | The name of the parent lab. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`description`](#parameter-description) | string | The description of the policy. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`factData`](#parameter-factdata) | string | The fact data of the policy. 
| -| [`policySetName`](#parameter-policysetname) | string | The name of the parent policy set. | -| [`status`](#parameter-status) | string | The status of the policy. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `evaluatorType` - -The evaluator type of the policy (i.e. AllowedValuesPolicy, MaxValuePolicy). - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'AllowedValuesPolicy' - 'MaxValuePolicy' - ] - ``` - -### Parameter: `factName` - -The fact name of the policy. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'EnvironmentTemplate' - 'GalleryImage' - 'LabPremiumVmCount' - 'LabTargetCost' - 'LabVmCount' - 'LabVmSize' - 'ScheduleEditPermission' - 'UserOwnedLabPremiumVmCount' - 'UserOwnedLabVmCount' - 'UserOwnedLabVmCountInSubnet' - ] - ``` - -### Parameter: `name` - -The name of the policy. - -- Required: Yes -- Type: string - -### Parameter: `threshold` - -The threshold of the policy (i.e. a number for MaxValuePolicy, and a JSON array of values for AllowedValuesPolicy). - -- Required: Yes -- Type: string - -### Parameter: `labName` - -The name of the parent lab. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `description` - -The description of the policy. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `factData` - -The fact data of the policy. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `policySetName` - -The name of the parent policy set. - -- Required: No -- Type: string -- Default: `'default'` - -### Parameter: `status` - -The status of the policy. - -- Required: No -- Type: string -- Default: `'Enabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. 
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the policy. |
-| `resourceGroupName` | string | The name of the resource group the policy was created in. |
-| `resourceId` | string | The resource ID of the policy. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/dev-test-lab/lab/policyset/policy/main.bicep b/modules/dev-test-lab/lab/policyset/policy/main.bicep
deleted file mode 100644
index e76ee76f9b..0000000000
--- a/modules/dev-test-lab/lab/policyset/policy/main.bicep
+++ /dev/null
@@ -1,101 +0,0 @@ -metadata name = 'DevTest Lab Policy Sets Policies' -metadata description = '''This module deploys a DevTest Lab Policy Sets Policy. - -DevTest lab policies are used to modify the lab settings such as only allowing certain VM Size SKUs, marketplace image types, number of VMs allowed per user and other settings.''' -metadata owner = 'Azure/module-maintainers' - -@sys.description('Conditional. The name of the parent lab. Required if the template is used in a standalone deployment.') -param labName string - -@sys.description('Optional. The name of the parent policy set.') -param policySetName string = 'default' - -@sys.description('Required. The name of the policy.') -param name string - -@sys.description('Optional. Tags of the resource.') -param tags object = {} - -@sys.description('Optional. The description of the policy.') -param description string = '' - -@allowed([ - 'AllowedValuesPolicy' - 'MaxValuePolicy' -]) -@sys.description('Required. The evaluator type of the policy (i.e. AllowedValuesPolicy, MaxValuePolicy).') -param evaluatorType string - -@sys.description('Optional. The fact data of the policy.') -param factData string = '' - -@allowed([ - 'EnvironmentTemplate' - 'GalleryImage' - 'LabPremiumVmCount' - 'LabTargetCost' - 'LabVmCount' - 'LabVmSize' - 'ScheduleEditPermission' - 'UserOwnedLabPremiumVmCount' - 'UserOwnedLabVmCount' - 'UserOwnedLabVmCountInSubnet' -]) -@sys.description('Required. The fact name of the policy.') -param factName string - -@allowed([ - 'Disabled' - 'Enabled' -]) -@sys.description('Optional. The status of the policy.') -param status string = 'Enabled' - -@sys.description('Required. The threshold of the policy (i.e. a number for MaxValuePolicy, and a JSON array of values for AllowedValuesPolicy).') -param threshold string - -@sys.description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource lab 'Microsoft.DevTestLab/labs@2018-09-15' existing = { - name: labName - - resource policySets 'policysets@2018-09-15' existing = { - name: policySetName - } -} - -resource policy 'Microsoft.DevTestLab/labs/policysets/policies@2018-09-15' = { - name: name - parent: lab::policySets - tags: tags - properties: { - description: description - evaluatorType: evaluatorType - factData: factData - factName: factName - status: status - threshold: threshold - } -} - -@sys.description('The name of the policy.') -output name string = policy.name - -@sys.description('The resource ID of the policy.') -output resourceId string = policy.id - -@sys.description('The name of the resource group the policy was created in.') -output resourceGroupName string = resourceGroup().name diff --git a/modules/dev-test-lab/lab/policyset/policy/main.json b/modules/dev-test-lab/lab/policyset/policy/main.json deleted file mode 100644 index efe9fbb853..0000000000 --- a/modules/dev-test-lab/lab/policyset/policy/main.json +++ /dev/null 
@@ -1,161 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "4051108641883246191" - }, - "name": "DevTest Lab Policy Sets Policies", - "description": "This module deploys a DevTest Lab Policy Sets Policy.\r\n\r\nDevTest lab policies are used to modify the lab settings such as only allowing certain VM Size SKUs, marketplace image types, number of VMs allowed per user and other settings.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "labName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent lab. Required if the template is used in a standalone deployment." - } - }, - "policySetName": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the parent policy set." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the policy." - } - }, - "tags": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the policy." - } - }, - "evaluatorType": { - "type": "string", - "allowedValues": [ - "AllowedValuesPolicy", - "MaxValuePolicy" - ], - "metadata": { - "description": "Required. The evaluator type of the policy (i.e. AllowedValuesPolicy, MaxValuePolicy)." - } - }, - "factData": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The fact data of the policy." 
- } - }, - "factName": { - "type": "string", - "allowedValues": [ - "EnvironmentTemplate", - "GalleryImage", - "LabPremiumVmCount", - "LabTargetCost", - "LabVmCount", - "LabVmSize", - "ScheduleEditPermission", - "UserOwnedLabPremiumVmCount", - "UserOwnedLabVmCount", - "UserOwnedLabVmCountInSubnet" - ], - "metadata": { - "description": "Required. The fact name of the policy." - } - }, - "status": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. The status of the policy." - } - }, - "threshold": { - "type": "string", - "metadata": { - "description": "Required. The threshold of the policy (i.e. a number for MaxValuePolicy, and a JSON array of values for AllowedValuesPolicy)." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DevTestLab/labs/policysets/policies", - "apiVersion": "2018-09-15", - "name": "[format('{0}/{1}/{2}', parameters('labName'), parameters('policySetName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "description": "[parameters('description')]", - "evaluatorType": "[parameters('evaluatorType')]", - "factData": "[parameters('factData')]", - "factName": "[parameters('factName')]", - "status": "[parameters('status')]", - "threshold": "[parameters('threshold')]" - } - } - ], - "outputs": { - 
"name": { - "type": "string", - "metadata": { - "description": "The name of the policy." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the policy." - }, - "value": "[resourceId('Microsoft.DevTestLab/labs/policysets/policies', parameters('labName'), parameters('policySetName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the policy was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/dev-test-lab/lab/policyset/policy/version.json b/modules/dev-test-lab/lab/policyset/policy/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/dev-test-lab/lab/policyset/policy/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/dev-test-lab/lab/schedule/README.md b/modules/dev-test-lab/lab/schedule/README.md deleted file mode 100644 index ba6b6479ba..0000000000 --- a/modules/dev-test-lab/lab/schedule/README.md +++ /dev/null 
@@ -1,189 +0,0 @@ -# DevTest Lab Schedules `[Microsoft.DevTestLab/labs/schedules]` - -This module deploys a DevTest Lab Schedule. - -Lab schedules are used to modify the settings for auto-shutdown, auto-start for lab virtual machines. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.DevTestLab/labs/schedules` | [2018-09-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DevTestLab/2018-09-15/labs/schedules) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the schedule. | -| [`taskType`](#parameter-tasktype) | string | The task type of the schedule (e.g. LabVmsShutdownTask, LabVmsStartupTask). | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`labName`](#parameter-labname) | string | The name of the parent lab. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`dailyRecurrence`](#parameter-dailyrecurrence) | object | If the schedule will occur once each day of the week, specify the daily recurrence. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`hourlyRecurrence`](#parameter-hourlyrecurrence) | object | If the schedule will occur multiple times a day, specify the hourly recurrence. | -| [`notificationSettingsStatus`](#parameter-notificationsettingsstatus) | string | If notifications are enabled for this schedule (i.e. Enabled, Disabled). | -| [`notificationSettingsTimeInMinutes`](#parameter-notificationsettingstimeinminutes) | int | Time in minutes before event at which notification will be sent. 
Optional if "notificationSettingsStatus" is set to "Enabled". Default is 30 minutes. | -| [`status`](#parameter-status) | string | The status of the schedule (i.e. Enabled, Disabled). | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`targetResourceId`](#parameter-targetresourceid) | string | The resource ID to which the schedule belongs. | -| [`timeZoneId`](#parameter-timezoneid) | string | The time zone ID (e.g. Pacific Standard time). | -| [`weeklyRecurrence`](#parameter-weeklyrecurrence) | object | If the schedule will occur only some days of the week, specify the weekly recurrence. | - -### Parameter: `name` - -The name of the schedule. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'LabVmAutoStart' - 'LabVmsShutdown' - ] - ``` - -### Parameter: `taskType` - -The task type of the schedule (e.g. LabVmsShutdownTask, LabVmsStartupTask). - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'LabVmsShutdownTask' - 'LabVmsStartupTask' - ] - ``` - -### Parameter: `labName` - -The name of the parent lab. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `dailyRecurrence` - -If the schedule will occur once each day of the week, specify the daily recurrence. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `hourlyRecurrence` - -If the schedule will occur multiple times a day, specify the hourly recurrence. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `notificationSettingsStatus` - -If notifications are enabled for this schedule (i.e. Enabled, Disabled). 
-
-- Required: No
-- Type: string
-- Default: `'Disabled'`
-- Allowed:
- ```Bicep
- [
- 'Disabled'
- 'Enabled'
- ]
- ```
-
-### Parameter: `notificationSettingsTimeInMinutes`
-
-Time in minutes before event at which notification will be sent. Optional if "notificationSettingsStatus" is set to "Enabled". Default is 30 minutes.
-
-- Required: No
-- Type: int
-- Default: `30`
-
-### Parameter: `status`
-
-The status of the schedule (i.e. Enabled, Disabled).
-
-- Required: No
-- Type: string
-- Default: `'Enabled'`
-- Allowed:
- ```Bicep
- [
- 'Disabled'
- 'Enabled'
- ]
- ```
-
-### Parameter: `tags`
-
-Tags of the resource.
-
-- Required: No
-- Type: object
-
-### Parameter: `targetResourceId`
-
-The resource ID to which the schedule belongs.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `timeZoneId`
-
-The time zone ID (e.g. Pacific Standard time).
-
-- Required: No
-- Type: string
-- Default: `'Pacific Standard time'`
-
-### Parameter: `weeklyRecurrence`
-
-If the schedule will occur only some days of the week, specify the weekly recurrence.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the schedule. |
-| `resourceGroupName` | string | The name of the resource group the schedule was created in. |
-| `resourceId` | string | The resource ID of the schedule. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/dev-test-lab/lab/schedule/main.bicep b/modules/dev-test-lab/lab/schedule/main.bicep
deleted file mode 100644
index 7b4df85c7b..0000000000
--- a/modules/dev-test-lab/lab/schedule/main.bicep
+++ /dev/null
@@ -1,104 +0,0 @@ -metadata name = 'DevTest Lab Schedules' -metadata description = '''This module deploys a DevTest Lab Schedule. - -Lab schedules are used to modify the settings for auto-shutdown, auto-start for lab virtual machines.''' -metadata owner = 'Azure/module-maintainers' - -@sys.description('Conditional. The name of the parent lab. Required if the template is used in a standalone deployment.') -param labName string - -@allowed([ - 'LabVmsShutdown' - 'LabVmAutoStart' -]) -@sys.description('Required. The name of the schedule.') -param name string - -@allowed([ - 'LabVmsShutdownTask' - 'LabVmsStartupTask' -]) -@sys.description('Required. The task type of the schedule (e.g. LabVmsShutdownTask, LabVmsStartupTask).') -param taskType string - -@sys.description('Optional. Tags of the resource.') -param tags object? - -@sys.description('Optional. If the schedule will occur once each day of the week, specify the daily recurrence.') -param dailyRecurrence object = {} - -@sys.description('Optional. If the schedule will occur multiple times a day, specify the hourly recurrence.') -param hourlyRecurrence object = {} - -@sys.description('Optional. If the schedule will occur only some days of the week, specify the weekly recurrence.') -param weeklyRecurrence object = {} - -@allowed([ - 'Enabled' - 'Disabled' -]) -@sys.description('Optional. The status of the schedule (i.e. Enabled, Disabled).') -param status string = 'Enabled' - -@sys.description('Optional. The resource ID to which the schedule belongs.') -param targetResourceId string = '' - -@sys.description('Optional. The time zone ID (e.g. Pacific Standard time).') -param timeZoneId string = 'Pacific Standard time' - -@allowed([ - 'Enabled' - 'Disabled' -]) -@sys.description('Optional. If notifications are enabled for this schedule (i.e. Enabled, Disabled).') -param notificationSettingsStatus string = 'Disabled' - -@sys.description('Optional. Time in minutes before event at which notification will be sent. 
Optional if "notificationSettingsStatus" is set to "Enabled". Default is 30 minutes.') -param notificationSettingsTimeInMinutes int = 30 - -@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource lab 'Microsoft.DevTestLab/labs@2018-09-15' existing = { - name: labName -} - -resource schedule 'Microsoft.DevTestLab/labs/schedules@2018-09-15' = { - name: name - parent: lab - tags: tags - properties: { - taskType: taskType - dailyRecurrence: !empty(dailyRecurrence) ? dailyRecurrence : null - hourlyRecurrence: !empty(hourlyRecurrence) ? hourlyRecurrence : null - weeklyRecurrence: !empty(weeklyRecurrence) ? weeklyRecurrence : null - status: status - targetResourceId: !empty(targetResourceId) ? targetResourceId : null - timeZoneId: timeZoneId - notificationSettings: notificationSettingsStatus == 'Enabled' ? { - status: notificationSettingsStatus - timeInMinutes: notificationSettingsTimeInMinutes - } : {} - } -} - -@sys.description('The name of the schedule.') -output name string = schedule.name - -@sys.description('The resource ID of the schedule.') -output resourceId string = schedule.id - -@sys.description('The name of the resource group the schedule was created in.') -output resourceGroupName string = resourceGroup().name diff --git a/modules/dev-test-lab/lab/schedule/main.json b/modules/dev-test-lab/lab/schedule/main.json deleted file mode 100644 index 02888fdced..0000000000 --- a/modules/dev-test-lab/lab/schedule/main.json +++ /dev/null 
@@ -1,185 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "6869247020147801213" - }, - "name": "DevTest Lab Schedules", - "description": "This module deploys a DevTest Lab Schedule.\r\n\r\nLab schedules are used to modify the settings for auto-shutdown, auto-start for lab virtual machines.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "labName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent lab. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "allowedValues": [ - "LabVmsShutdown", - "LabVmAutoStart" - ], - "metadata": { - "description": "Required. The name of the schedule." - } - }, - "taskType": { - "type": "string", - "allowedValues": [ - "LabVmsShutdownTask", - "LabVmsStartupTask" - ], - "metadata": { - "description": "Required. The task type of the schedule (e.g. LabVmsShutdownTask, LabVmsStartupTask)." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "dailyRecurrence": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. If the schedule will occur once each day of the week, specify the daily recurrence." - } - }, - "hourlyRecurrence": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. If the schedule will occur multiple times a day, specify the hourly recurrence." - } - }, - "weeklyRecurrence": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. If the schedule will occur only some days of the week, specify the weekly recurrence." 
- } - }, - "status": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. The status of the schedule (i.e. Enabled, Disabled)." - } - }, - "targetResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID to which the schedule belongs." - } - }, - "timeZoneId": { - "type": "string", - "defaultValue": "Pacific Standard time", - "metadata": { - "description": "Optional. The time zone ID (e.g. Pacific Standard time)." - } - }, - "notificationSettingsStatus": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. If notifications are enabled for this schedule (i.e. Enabled, Disabled)." - } - }, - "notificationSettingsTimeInMinutes": { - "type": "int", - "defaultValue": 30, - "metadata": { - "description": "Optional. Time in minutes before event at which notification will be sent. Optional if \"notificationSettingsStatus\" is set to \"Enabled\". Default is 30 minutes." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "lab": { - "existing": true, - "type": "Microsoft.DevTestLab/labs", - "apiVersion": "2018-09-15", - "name": "[parameters('labName')]" - }, - "schedule": { - "type": "Microsoft.DevTestLab/labs/schedules", - "apiVersion": "2018-09-15", - "name": "[format('{0}/{1}', parameters('labName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "taskType": "[parameters('taskType')]", - "dailyRecurrence": "[if(not(empty(parameters('dailyRecurrence'))), parameters('dailyRecurrence'), null())]", - "hourlyRecurrence": "[if(not(empty(parameters('hourlyRecurrence'))), parameters('hourlyRecurrence'), null())]", - "weeklyRecurrence": "[if(not(empty(parameters('weeklyRecurrence'))), parameters('weeklyRecurrence'), null())]", - "status": "[parameters('status')]", - "targetResourceId": "[if(not(empty(parameters('targetResourceId'))), parameters('targetResourceId'), null())]", - "timeZoneId": "[parameters('timeZoneId')]", - "notificationSettings": "[if(equals(parameters('notificationSettingsStatus'), 'Enabled'), createObject('status', parameters('notificationSettingsStatus'), 'timeInMinutes', parameters('notificationSettingsTimeInMinutes')), createObject())]" - }, - "dependsOn": [ - "lab" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the schedule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the schedule." 
- }, - "value": "[resourceId('Microsoft.DevTestLab/labs/schedules', parameters('labName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the schedule was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/dev-test-lab/lab/schedule/version.json b/modules/dev-test-lab/lab/schedule/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/dev-test-lab/lab/schedule/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/dev-test-lab/lab/tests/e2e/defaults/main.test.bicep b/modules/dev-test-lab/lab/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 9a583e7a24..0000000000 --- a/modules/dev-test-lab/lab/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-devtestlab.labs-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dtllmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- name: '${namePrefix}${serviceShort}001'
- enableDefaultTelemetry: enableDefaultTelemetry
- }
-}]
diff --git a/modules/dev-test-lab/lab/tests/e2e/max/dependencies.bicep b/modules/dev-test-lab/lab/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 10d28c8ae6..0000000000
--- a/modules/dev-test-lab/lab/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,134 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Disk Encryption Set to create.')
-param diskEncryptionSetName string
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: true // Required for encrption to work
- softDeleteRetentionInDays: 7
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-
- resource key 'keys@2022-07-01' = {
- name: 'encryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-}
-
-resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2021-04-01' = {
- name: diskEncryptionSetName
- location: location
- identity: {
- type: 'SystemAssigned'
- }
- properties: {
- activeKey: {
- sourceVault: {
- id: keyVault.id
- }
- keyUrl: keyVault::key.properties.keyUriWithVersion
- }
- encryptionType: 'EncryptionAtRestWithCustomerKey'
- }
-}
-
-resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault.id}-${location}-${diskEncryptionSet.id}-KeyVault-Key-Read-RoleAssignment')
- scope: keyVault
- properties: {
- principalId: diskEncryptionSet.identity.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User
- principalType: 'ServicePrincipal'
- }
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
- name: storageAccountName
- location: location
- kind: 'StorageV2'
- sku: {
- name: 'Standard_LRS'
- }
- properties: {
- allowBlobPublicAccess: false
- publicNetworkAccess: 'Disabled'
- }
-}
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-@description('The name of the created Virtual Network.')
-output virtualNetworkName string = virtualNetwork.name
-
-@description('The resource ID of the created Virtual Network.')
-output virtualNetworkResourceId string = virtualNetwork.id
-
-@description('The name of the created Virtual Network Subnet.')
-output subnetName string = virtualNetwork.properties.subnets[0].name
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Disk Encryption Set.')
-output diskEncryptionSetResourceId string = diskEncryptionSet.id
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
diff --git a/modules/dev-test-lab/lab/tests/e2e/max/main.test.bicep b/modules/dev-test-lab/lab/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 21a1faa4f9..0000000000
--- a/modules/dev-test-lab/lab/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,297 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-devtestlab.labs-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dtllmax' - -@description('Generated. Used as a basis for unique resource names.') -param baseTime string = utcNow('u') - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. 
A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' - diskEncryptionSetName: 'dep-${namePrefix}-des-${serviceShort}' - storageAccountName: 'dep${namePrefix}sa${serviceShort}' - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - location: resourceGroup.location - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: 
nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - resourceType: 'DevTest Lab' - labName: '${namePrefix}${serviceShort}001' - } - announcement: { - enabled: 'Enabled' - expirationDate: '2025-12-30T13:00:00.000Z' - markdown: 'DevTest Lab announcement text.
New line. It also supports Markdown' - title: 'DevTest announcement title' - } - environmentPermission: 'Contributor' - extendedProperties: { - RdpConnectionType: '7' - } - labStorageType: 'Premium' - artifactsStorageAccount: nestedDependencies.outputs.storageAccountResourceId - premiumDataDisks: 'Enabled' - support: { - enabled: 'Enabled' - markdown: 'DevTest Lab support text.
New line. It also supports Markdown' - } - managedIdentities: { - userAssignedResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - } - managementIdentitiesResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - vmCreationResourceGroupId: resourceGroup.id - browserConnect: 'Enabled' - disableAutoUpgradeCseMinorVersion: true - isolateLabResources: 'Enabled' - encryptionType: 'EncryptionAtRestWithCustomerKey' - encryptionDiskEncryptionSetId: nestedDependencies.outputs.diskEncryptionSetResourceId - virtualnetworks: [ - { - name: nestedDependencies.outputs.virtualNetworkName - externalProviderResourceId: nestedDependencies.outputs.virtualNetworkResourceId - description: 'lab virtual network description' - allowedSubnets: [ - { - labSubnetName: nestedDependencies.outputs.subnetName - resourceId: nestedDependencies.outputs.subnetResourceId - allowPublicIp: 'Allow' - } - ] - subnetOverrides: [ - { - labSubnetName: nestedDependencies.outputs.subnetName - resourceId: nestedDependencies.outputs.subnetResourceId - useInVmCreationPermission: 'Allow' - usePublicIpAddressPermission: 'Allow' - sharedPublicIpAddressConfiguration: { - allowedPorts: [ - { - transportProtocol: 'Tcp' - backendPort: 3389 - } - { - transportProtocol: 'Tcp' - backendPort: 22 - } - ] - } - } - ] - } - ] - policies: [ - { - name: nestedDependencies.outputs.subnetName - evaluatorType: 'MaxValuePolicy' - factData: nestedDependencies.outputs.subnetResourceId - factName: 'UserOwnedLabVmCountInSubnet' - threshold: '1' - } - { - name: 'MaxVmsAllowedPerUser' - evaluatorType: 'MaxValuePolicy' - factName: 'UserOwnedLabVmCount' - threshold: '2' - } - { - name: 'MaxPremiumVmsAllowedPerUser' - evaluatorType: 'MaxValuePolicy' - factName: 'UserOwnedLabPremiumVmCount' - status: 'Disabled' - threshold: '1' - } - { - name: 'MaxVmsAllowedPerLab' - evaluatorType: 'MaxValuePolicy' - factName: 'LabVmCount' - threshold: '3' - } - { - name: 'MaxPremiumVmsAllowedPerLab' - evaluatorType: 
'MaxValuePolicy' - factName: 'LabPremiumVmCount' - threshold: '2' - } - { - name: 'AllowedVmSizesInLab' - evaluatorType: 'AllowedValuesPolicy' - factData: '' - factName: 'LabVmSize' - threshold: ' ${string('["Basic_A0","Basic_A1"]')}' - status: 'Enabled' - } - { - name: 'ScheduleEditPermission' - evaluatorType: 'AllowedValuesPolicy' - factName: 'ScheduleEditPermission' - threshold: ' ${string('["None","Modify"]')}' - } - { - name: 'GalleryImage' - evaluatorType: 'AllowedValuesPolicy' - factName: 'GalleryImage' - threshold: ' ${string('["{\\"offer\\":\\"WindowsServer\\",\\"publisher\\":\\"MicrosoftWindowsServer\\",\\"sku\\":\\"2019-Datacenter-smalldisk\\",\\"osType\\":\\"Windows\\",\\"version\\":\\"latest\\"}","{\\"offer\\":\\"WindowsServer\\",\\"publisher\\":\\"MicrosoftWindowsServer\\",\\"sku\\":\\"2022-datacenter-smalldisk\\",\\"osType\\":\\"Windows\\",\\"version\\":\\"latest\\"}"]')}' - } - { - name: 'EnvironmentTemplate' - description: 'Public Environment Policy' - evaluatorType: 'AllowedValuesPolicy' - factName: 'EnvironmentTemplate' - threshold: ' ${string('[""]')}' - } - ] - schedules: [ - { - name: 'LabVmsShutdown' - taskType: 'LabVmsShutdownTask' - status: 'Enabled' - timeZoneId: 'AUS Eastern Standard Time' - dailyRecurrence: { - time: '0000' - } - notificationSettingsStatus: 'Enabled' - notificationSettingsTimeInMinutes: 30 - } - { - name: 'LabVmAutoStart' - taskType: 'LabVmsStartupTask' - status: 'Enabled' - timeZoneId: 'AUS Eastern Standard Time' - weeklyRecurrence: { - time: '0700' - weekdays: [ - 'Monday' - 'Tuesday' - 'Wednesday' - 'Thursday' - 'Friday' - ] - } - } - ] - notificationchannels: [ - { - name: 'autoShutdown' - description: 'Integration configured for auto-shutdown' - events: [ - { - eventName: 'AutoShutdown' - } - ] - emailRecipient: 'mail@contosodtlmail.com' - webHookUrl: 'https://webhook.contosotest.com' - notificationLocale: 'en' - } - { - name: 'costThreshold' - events: [ - { - eventName: 'Cost' - } - ] - webHookUrl: 
'https://webhook.contosotest.com' - } - ] - artifactsources: [ - { - name: 'Public Repo' - displayName: 'Public Artifact Repo' - status: 'Disabled' - uri: 'https://github.com/Azure/azure-devtestlab.git' - sourceType: 'GitHub' - branchRef: 'master' - folderPath: '/Artifacts' - } - { - name: 'Public Environment Repo' - displayName: 'Public Environment Repo' - status: 'Disabled' - uri: 'https://github.com/Azure/azure-devtestlab.git' - sourceType: 'GitHub' - branchRef: 'master' - armTemplateFolderPath: '/Environments' - } - ] - costs: { - status: 'Enabled' - cycleType: 'CalendarMonth' - target: 450 - thresholdValue100DisplayOnChart: 'Enabled' - thresholdValue100SendNotificationWhenExceeded: 'Enabled' - } - } -}] diff --git a/modules/dev-test-lab/lab/tests/e2e/waf-aligned/dependencies.bicep b/modules/dev-test-lab/lab/tests/e2e/waf-aligned/dependencies.bicep deleted file mode 100644 index 10d28c8ae6..0000000000 --- a/modules/dev-test-lab/lab/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null 
@@ -1,134 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Disk Encryption Set to create.')
-param diskEncryptionSetName string
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: true // Required for encrption to work
- softDeleteRetentionInDays: 7
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-
- resource key 'keys@2022-07-01' = {
- name: 'encryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-}
-
-resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2021-04-01' = {
- name: diskEncryptionSetName
- location: location
- identity: {
- type: 'SystemAssigned'
- }
- properties: {
- activeKey: {
- sourceVault: {
- id: keyVault.id
- }
- keyUrl: keyVault::key.properties.keyUriWithVersion
- }
- encryptionType: 'EncryptionAtRestWithCustomerKey'
- }
-}
-
-resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault.id}-${location}-${diskEncryptionSet.id}-KeyVault-Key-Read-RoleAssignment')
- scope: keyVault
- properties: {
- principalId: diskEncryptionSet.identity.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User
- principalType: 'ServicePrincipal'
- }
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
- name: storageAccountName
- location: location
- kind: 'StorageV2'
- sku: {
- name: 'Standard_LRS'
- }
- properties: {
- allowBlobPublicAccess: false
- publicNetworkAccess: 'Disabled'
- }
-}
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-@description('The name of the created Virtual Network.')
-output virtualNetworkName string = virtualNetwork.name
-
-@description('The resource ID of the created Virtual Network.')
-output virtualNetworkResourceId string = virtualNetwork.id
-
-@description('The name of the created Virtual Network Subnet.')
-output subnetName string = virtualNetwork.properties.subnets[0].name
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Disk Encryption Set.')
-output diskEncryptionSetResourceId string = diskEncryptionSet.id
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
diff --git a/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep b/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index fb32ba4ed3..0000000000
--- a/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,280 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-devtestlab.labs-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dtllwaf' - -@description('Generated. Used as a basis for unique resource names.') -param baseTime string = utcNow('u') - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. 
A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' - diskEncryptionSetName: 'dep-${namePrefix}-des-${serviceShort}' - storageAccountName: 'dep${namePrefix}sa${serviceShort}' - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - location: resourceGroup.location - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - 'hidden-title': 'This is visible in the resource name' - resourceType: 'DevTest Lab' - labName: '${namePrefix}${serviceShort}001' - } - announcement: { - enabled: 'Enabled' - expirationDate: '2025-12-30T13:00:00.000Z' - markdown: 'DevTest Lab announcement text.
New line. It also supports Markdown' - title: 'DevTest announcement title' - } - environmentPermission: 'Contributor' - extendedProperties: { - RdpConnectionType: '7' - } - labStorageType: 'Premium' - artifactsStorageAccount: nestedDependencies.outputs.storageAccountResourceId - premiumDataDisks: 'Enabled' - support: { - enabled: 'Enabled' - markdown: 'DevTest Lab support text.
New line. It also supports Markdown' - } - managedIdentities: { - userAssignedResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - } - managementIdentitiesResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - vmCreationResourceGroupId: resourceGroup.id - browserConnect: 'Enabled' - disableAutoUpgradeCseMinorVersion: true - isolateLabResources: 'Enabled' - encryptionType: 'EncryptionAtRestWithCustomerKey' - encryptionDiskEncryptionSetId: nestedDependencies.outputs.diskEncryptionSetResourceId - virtualnetworks: [ - { - name: nestedDependencies.outputs.virtualNetworkName - externalProviderResourceId: nestedDependencies.outputs.virtualNetworkResourceId - description: 'lab virtual network description' - allowedSubnets: [ - { - labSubnetName: nestedDependencies.outputs.subnetName - resourceId: nestedDependencies.outputs.subnetResourceId - allowPublicIp: 'Allow' - } - ] - subnetOverrides: [ - { - labSubnetName: nestedDependencies.outputs.subnetName - resourceId: nestedDependencies.outputs.subnetResourceId - useInVmCreationPermission: 'Allow' - usePublicIpAddressPermission: 'Allow' - sharedPublicIpAddressConfiguration: { - allowedPorts: [ - { - transportProtocol: 'Tcp' - backendPort: 3389 - } - { - transportProtocol: 'Tcp' - backendPort: 22 - } - ] - } - } - ] - } - ] - policies: [ - { - name: nestedDependencies.outputs.subnetName - evaluatorType: 'MaxValuePolicy' - factData: nestedDependencies.outputs.subnetResourceId - factName: 'UserOwnedLabVmCountInSubnet' - threshold: '1' - } - { - name: 'MaxVmsAllowedPerUser' - evaluatorType: 'MaxValuePolicy' - factName: 'UserOwnedLabVmCount' - threshold: '2' - } - { - name: 'MaxPremiumVmsAllowedPerUser' - evaluatorType: 'MaxValuePolicy' - factName: 'UserOwnedLabPremiumVmCount' - status: 'Disabled' - threshold: '1' - } - { - name: 'MaxVmsAllowedPerLab' - evaluatorType: 'MaxValuePolicy' - factName: 'LabVmCount' - threshold: '3' - } - { - name: 'MaxPremiumVmsAllowedPerLab' - evaluatorType: 
'MaxValuePolicy' - factName: 'LabPremiumVmCount' - threshold: '2' - } - { - name: 'AllowedVmSizesInLab' - evaluatorType: 'AllowedValuesPolicy' - factData: '' - factName: 'LabVmSize' - threshold: ' ${string('["Basic_A0","Basic_A1"]')}' - status: 'Enabled' - } - { - name: 'ScheduleEditPermission' - evaluatorType: 'AllowedValuesPolicy' - factName: 'ScheduleEditPermission' - threshold: ' ${string('["None","Modify"]')}' - } - { - name: 'GalleryImage' - evaluatorType: 'AllowedValuesPolicy' - factName: 'GalleryImage' - threshold: ' ${string('["{\\"offer\\":\\"WindowsServer\\",\\"publisher\\":\\"MicrosoftWindowsServer\\",\\"sku\\":\\"2019-Datacenter-smalldisk\\",\\"osType\\":\\"Windows\\",\\"version\\":\\"latest\\"}","{\\"offer\\":\\"WindowsServer\\",\\"publisher\\":\\"MicrosoftWindowsServer\\",\\"sku\\":\\"2022-datacenter-smalldisk\\",\\"osType\\":\\"Windows\\",\\"version\\":\\"latest\\"}"]')}' - } - { - name: 'EnvironmentTemplate' - description: 'Public Environment Policy' - evaluatorType: 'AllowedValuesPolicy' - factName: 'EnvironmentTemplate' - threshold: ' ${string('[""]')}' - } - ] - schedules: [ - { - name: 'LabVmsShutdown' - taskType: 'LabVmsShutdownTask' - status: 'Enabled' - timeZoneId: 'AUS Eastern Standard Time' - dailyRecurrence: { - time: '0000' - } - notificationSettingsStatus: 'Enabled' - notificationSettingsTimeInMinutes: 30 - } - { - name: 'LabVmAutoStart' - taskType: 'LabVmsStartupTask' - status: 'Enabled' - timeZoneId: 'AUS Eastern Standard Time' - weeklyRecurrence: { - time: '0700' - weekdays: [ - 'Monday' - 'Tuesday' - 'Wednesday' - 'Thursday' - 'Friday' - ] - } - } - ] - notificationchannels: [ - { - name: 'autoShutdown' - description: 'Integration configured for auto-shutdown' - events: [ - { - eventName: 'AutoShutdown' - } - ] - emailRecipient: 'mail@contosodtlmail.com' - webHookUrl: 'https://webhook.contosotest.com' - notificationLocale: 'en' - } - { - name: 'costThreshold' - events: [ - { - eventName: 'Cost' - } - ] - webHookUrl: 
'https://webhook.contosotest.com' - } - ] - artifactsources: [ - { - name: 'Public Repo' - displayName: 'Public Artifact Repo' - status: 'Disabled' - uri: 'https://github.com/Azure/azure-devtestlab.git' - sourceType: 'GitHub' - branchRef: 'master' - folderPath: '/Artifacts' - } - { - name: 'Public Environment Repo' - displayName: 'Public Environment Repo' - status: 'Disabled' - uri: 'https://github.com/Azure/azure-devtestlab.git' - sourceType: 'GitHub' - branchRef: 'master' - armTemplateFolderPath: '/Environments' - } - ] - costs: { - status: 'Enabled' - cycleType: 'CalendarMonth' - target: 450 - thresholdValue100DisplayOnChart: 'Enabled' - thresholdValue100SendNotificationWhenExceeded: 'Enabled' - } - } -}] diff --git a/modules/dev-test-lab/lab/version.json b/modules/dev-test-lab/lab/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/dev-test-lab/lab/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/dev-test-lab/lab/virtualnetwork/README.md b/modules/dev-test-lab/lab/virtualnetwork/README.md deleted file mode 100644 index 365a071731..0000000000 --- a/modules/dev-test-lab/lab/virtualnetwork/README.md +++ /dev/null 
@@ -1,116 +0,0 @@
-# DevTest Lab Virtual Networks `[Microsoft.DevTestLab/labs/virtualnetworks]`
-
-This module deploys a DevTest Lab Virtual Network.
-
-Lab virtual machines must be deployed into a virtual network. This resource type allows configuring the virtual network and subnet settings used for the lab virtual machines.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.DevTestLab/labs/virtualnetworks` | [2018-09-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DevTestLab/2018-09-15/labs/virtualnetworks) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`externalProviderResourceId`](#parameter-externalproviderresourceid) | string | The resource ID of the virtual network. |
-| [`name`](#parameter-name) | string | The name of the virtual network. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`labName`](#parameter-labname) | string | The name of the parent lab. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`allowedSubnets`](#parameter-allowedsubnets) | array | The allowed subnets of the virtual network. |
-| [`description`](#parameter-description) | string | The description of the virtual network. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`subnetOverrides`](#parameter-subnetoverrides) | array | The subnet overrides of the virtual network. |
-| [`tags`](#parameter-tags) | object | Tags of the resource. |
-
-### Parameter: `externalProviderResourceId`
-
-The resource ID of the virtual network.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `name`
-
-The name of the virtual network.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `labName`
-
-The name of the parent lab. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `allowedSubnets`
-
-The allowed subnets of the virtual network.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `description`
-
-The description of the virtual network.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `subnetOverrides`
-
-The subnet overrides of the virtual network.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `tags`
-
-Tags of the resource.
-
-- Required: No
-- Type: object
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the lab virtual network. |
-| `resourceGroupName` | string | The name of the resource group the lab virtual network was created in. |
-| `resourceId` | string | The resource ID of the lab virtual network. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/dev-test-lab/lab/virtualnetwork/main.bicep b/modules/dev-test-lab/lab/virtualnetwork/main.bicep
deleted file mode 100644
index c4076627d9..0000000000
--- a/modules/dev-test-lab/lab/virtualnetwork/main.bicep
+++ /dev/null
@@ -1,66 +0,0 @@
-metadata name = 'DevTest Lab Virtual Networks'
-metadata description = '''This module deploys a DevTest Lab Virtual Network.
-
-Lab virtual machines must be deployed into a virtual network. This resource type allows configuring the virtual network and subnet settings used for the lab virtual machines.'''
-metadata owner = 'Azure/module-maintainers'
-
-@sys.description('Conditional. The name of the parent lab. Required if the template is used in a standalone deployment.')
-param labName string
-
-@sys.description('Required. The name of the virtual network.')
-param name string
-
-@sys.description('Required. The resource ID of the virtual network.')
-param externalProviderResourceId string
-
-@sys.description('Optional. Tags of the resource.')
-param tags object?
-
-@sys.description('Optional. The description of the virtual network.')
-param description string = ''
-
-@sys.description('Optional. The allowed subnets of the virtual network.')
-param allowedSubnets array = []
-
-@sys.description('Optional. The subnet overrides of the virtual network.')
-param subnetOverrides array = []
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource lab 'Microsoft.DevTestLab/labs@2018-09-15' existing = {
- name: labName
-}
-
-resource virtualNetwork 'Microsoft.DevTestLab/labs/virtualnetworks@2018-09-15' = {
- name: name
- parent: lab
- tags: tags
- properties: {
- description: description
- externalProviderResourceId: externalProviderResourceId
- allowedSubnets: allowedSubnets
- subnetOverrides: subnetOverrides
- }
-}
-
-@sys.description('The name of the lab virtual network.')
-output name string = virtualNetwork.name
-
-@sys.description('The resource ID of the lab virtual network.')
-output resourceId string = virtualNetwork.id
-
-@sys.description('The name of the resource group the lab virtual network was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/dev-test-lab/lab/virtualnetwork/main.json b/modules/dev-test-lab/lab/virtualnetwork/main.json
deleted file mode 100644
index ac70650e0d..0000000000
--- a/modules/dev-test-lab/lab/virtualnetwork/main.json
+++ /dev/null
@@ -1,130 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "3411178791169282273" - }, - "name": "DevTest Lab Virtual Networks", - "description": "This module deploys a DevTest Lab Virtual Network.\r\n\r\nLab virtual machines must be deployed into a virtual network. This resource type allows configuring the virtual network and subnet settings used for the lab virtual machines.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "labName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent lab. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the virtual network." - } - }, - "externalProviderResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the virtual network." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the virtual network." - } - }, - "allowedSubnets": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The allowed subnets of the virtual network." - } - }, - "subnetOverrides": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The subnet overrides of the virtual network." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "lab": { - "existing": true, - "type": "Microsoft.DevTestLab/labs", - "apiVersion": "2018-09-15", - "name": "[parameters('labName')]" - }, - "virtualNetwork": { - "type": "Microsoft.DevTestLab/labs/virtualnetworks", - "apiVersion": "2018-09-15", - "name": "[format('{0}/{1}', parameters('labName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "description": "[parameters('description')]", - "externalProviderResourceId": "[parameters('externalProviderResourceId')]", - "allowedSubnets": "[parameters('allowedSubnets')]", - "subnetOverrides": "[parameters('subnetOverrides')]" - }, - "dependsOn": [ - "lab" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the lab virtual network." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the lab virtual network." - }, - "value": "[resourceId('Microsoft.DevTestLab/labs/virtualnetworks', parameters('labName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the lab virtual network was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/dev-test-lab/lab/virtualnetwork/version.json b/modules/dev-test-lab/lab/virtualnetwork/version.json deleted file mode 100644 index 96236a61ba..0000000000 
--- a/modules/dev-test-lab/lab/virtualnetwork/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/digital-twins/digital-twins-instance/README.md b/modules/digital-twins/digital-twins-instance/README.md
index 6e6d82d64a..ff98ac6161 100644
--- a/modules/digital-twins/digital-twins-instance/README.md
+++ b/modules/digital-twins/digital-twins-instance/README.md
@@ -1,1077 +1,7 @@
-# Digital Twins Instances `[Microsoft.DigitalTwins/digitalTwinsInstances]`
+

⚠️ Moved to AVM ⚠️

-This module deploys an Azure Digital Twins Instance. +**This module has been evolved into the following AVM module: [avm/res/digital-twins/digital-twins-instance](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/digital-twins/digital-twins-instance).** -## Navigation +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/digital-twins/digital-twins-instance). -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.DigitalTwins/digitalTwinsInstances` | [2023-01-31](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DigitalTwins/2023-01-31/digitalTwinsInstances) | -| `Microsoft.DigitalTwins/digitalTwinsInstances/endpoints` | [2023-01-31](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DigitalTwins/2023-01-31/digitalTwinsInstances/endpoints) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 
[2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/digital-twins.digital-twins-instance:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instance:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dtdtimin' - params: { - // Required parameters - name: 'dtdtimin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dtdtimin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instance:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dtdtimax' - params: { - // Required parameters - name: 'dtdtimax001' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - eventGridEndpoint: { - eventGridDomainId: '' - topicEndpoint: '' - } - eventHubEndpoint: { - authenticationType: 'IdentityBased' - endpointUri: '' - entityPath: '' - managedIdentities: { - userAssignedResourceId: '' - } - } - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - serviceBusEndpoint: { - authenticationType: 'IdentityBased' - endpointUri: '' - entityPath: '' - managedIdentities: { - userAssignedResourceId: '' - } - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dtdtimax001" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "eventGridEndpoint": { - "value": { - "eventGridDomainId": "", - "topicEndpoint": "" - } - }, - "eventHubEndpoint": { - "value": { - "authenticationType": "IdentityBased", - "endpointUri": "", - "entityPath": "", - "managedIdentities": { - "userAssignedResourceId": "" - } - } - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "" - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "serviceBusEndpoint": { - "value": { - "authenticationType": "IdentityBased", - "endpointUri": "", - "entityPath": "", - "managedIdentities": { - "userAssignedResourceId": "" - } - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instance:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dtdtiwaf' - params: { - // Required parameters - name: 'dtdtiwaf001' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - eventGridEndpoint: { - eventGridDomainId: '' - topicEndpoint: '' - } - eventHubEndpoint: { - authenticationType: 'IdentityBased' - endpointUri: '' - entityPath: '' - managedIdentities: { - userAssignedResourceId: '' - } - } - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - serviceBusEndpoint: { - authenticationType: 'IdentityBased' - endpointUri: '' - entityPath: '' - managedIdentities: { - userAssignedResourceId: '' - } - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dtdtiwaf001" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "eventGridEndpoint": { - "value": { - "eventGridDomainId": "", - "topicEndpoint": "" - } - }, - "eventHubEndpoint": { - "value": { - "authenticationType": "IdentityBased", - "endpointUri": "", - "entityPath": "", - "managedIdentities": { - "userAssignedResourceId": "" - } - } - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "" - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "serviceBusEndpoint": { - "value": { - "authenticationType": "IdentityBased", - "endpointUri": "", - "entityPath": "", - "managedIdentities": { - "userAssignedResourceId": "" - } - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the Digital Twin Instance. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| [`eventGridEndpoint`](#parameter-eventgridendpoint) | object | Event Grid Endpoint. | -| [`eventHubEndpoint`](#parameter-eventhubendpoint) | object | Event Hub Endpoint. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`serviceBusEndpoint`](#parameter-servicebusendpoint) | object | Service Bus Endpoint. 
| -| [`tags`](#parameter-tags) | object | Resource tags. | - -### Parameter: `name` - -The name of the Digital Twin Instance. - -- Required: Yes -- Type: string - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. 
| -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
- -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via the Customer Usage Attribution ID (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `eventGridEndpoint` - -Event Grid Endpoint. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `eventHubEndpoint` - -Event Hub Endpoint. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints` - -Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. 
| -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.subnetResourceId` - -Resource ID of the subnet where the endpoint needs to be created. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Application security groups in which the private endpoint IP configuration is included. 
- -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customDnsConfigs` - -Custom DNS configurations. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customNetworkInterfaceName` - -The custom name of the network interface attached to the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.enableTelemetry` - -Enable/Disable usage telemetry for module. - -- Required: No -- Type: bool - -### Parameter: `privateEndpoints.ipConfigurations` - -A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.location` - -The location to deploy the private endpoint to. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.lock` - -Specify the type of lock. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | -| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | - -### Parameter: `privateEndpoints.lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `privateEndpoints.lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` - -Manual PrivateLink Service Connections. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.name` - -The name of the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneGroupName` - -The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
- -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` - -The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. 
| - -### Parameter: `privateEndpoints.roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `privateEndpoints.service` - -The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.tags` - -Tags to be applied on all resources/resource groups in this deployment. 
- -- Required: No -- Type: object - -### Parameter: `publicNetworkAccess` - -Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. 
| -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `serviceBusEndpoint` - -Service Bus Endpoint. 
- -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `tags` - -Resource tags. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `hostname` | string | The hostname of the Digital Twins Instance. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the Digital Twins Instance. | -| `resourceGroupName` | string | The name of the resource group the resource was created in. | -| `resourceId` | string | The resource ID of the Digital Twins Instance. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `modules/network/private-endpoint` | Local reference | +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/digital-twins/digital-twins-instance/endpoint--event-grid/README.md b/modules/digital-twins/digital-twins-instance/endpoint--event-grid/README.md deleted file mode 100644 index 7c0b4fd0a5..0000000000 --- a/modules/digital-twins/digital-twins-instance/endpoint--event-grid/README.md +++ /dev/null 
@@ -1,106 +0,0 @@
-# Digital Twins Instance Event Grid Endpoints `[Microsoft.DigitalTwins/digitalTwinsInstances/endpoints]`
-
-This module deploys a Digital Twins Instance Event Grid Endpoint.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.DigitalTwins/digitalTwinsInstances/endpoints` | [2023-01-31](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DigitalTwins/2023-01-31/digitalTwinsInstances/endpoints) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`eventGridDomainResourceId`](#parameter-eventgriddomainresourceid) | string | The resource ID of the Event Grid to get access keys from. |
-| [`topicEndpoint`](#parameter-topicendpoint) | string | EventGrid Topic Endpoint. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`digitalTwinInstanceName`](#parameter-digitaltwininstancename) | string | The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`deadLetterSecret`](#parameter-deadlettersecret) | securestring | Dead letter storage secret for key-based authentication. Will be obfuscated during read. |
-| [`deadLetterUri`](#parameter-deadletteruri) | string | Dead letter storage URL for identity-based authentication. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). |
-| [`name`](#parameter-name) | string | The name of the Digital Twin Endpoint. |
-
-### Parameter: `eventGridDomainResourceId`
-
-The resource ID of the Event Grid to get access keys from.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `topicEndpoint`
-
-EventGrid Topic Endpoint.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `digitalTwinInstanceName`
-
-The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `deadLetterSecret`
-
-Dead letter storage secret for key-based authentication. Will be obfuscated during read.
-
-- Required: No
-- Type: securestring
-- Default: `''`
-
-### Parameter: `deadLetterUri`
-
-Dead letter storage URL for identity-based authentication.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via the Customer Usage Attribution ID (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `name`
-
-The name of the Digital Twin Endpoint.
-
-- Required: No
-- Type: string
-- Default: `'EventGridEndpoint'`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the Endpoint. |
-| `resourceGroupName` | string | The name of the resource group the resource was created in. |
-| `resourceId` | string | The resource ID of the Endpoint. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/digital-twins/digital-twins-instance/endpoint--event-grid/main.bicep b/modules/digital-twins/digital-twins-instance/endpoint--event-grid/main.bicep
deleted file mode 100644
index 454d2e5525..0000000000
--- a/modules/digital-twins/digital-twins-instance/endpoint--event-grid/main.bicep
+++ /dev/null
@@ -1,64 +0,0 @@ -metadata name = 'Digital Twins Instance Event Grid Endpoints' -metadata description = 'This module deploys a Digital Twins Instance Event Grid Endpoint.' -metadata owner = 'Azure/module-maintainers' - -@description('Optional. The name of the Digital Twin Endpoint.') -param name string = 'EventGridEndpoint' - -@description('Conditional. The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment.') -param digitalTwinInstanceName string - -@description('Required. EventGrid Topic Endpoint.') -param topicEndpoint string - -@description('Required. The resource ID of the Event Grid to get access keys from.') -param eventGridDomainResourceId string - -@description('Optional. Dead letter storage secret for key-based authentication. Will be obfuscated during read.') -@secure() -param deadLetterSecret string = '' - -@description('Optional. Dead letter storage URL for identity-based authentication.') -param deadLetterUri string = '' - -@description('Optional. 
Enable telemetry via the Customer Usage Attribution ID (GUID).') -param enableDefaultTelemetry bool = true - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource digitalTwinsInstance 'Microsoft.DigitalTwins/digitalTwinsInstances@2023-01-31' existing = { - name: digitalTwinInstanceName -} - -resource endpoint 'Microsoft.DigitalTwins/digitalTwinsInstances/endpoints@2023-01-31' = { - name: name - parent: digitalTwinsInstance - properties: { - endpointType: 'EventGrid' - authenticationType: 'KeyBased' - TopicEndpoint: topicEndpoint - accessKey1: listkeys(eventGridDomainResourceId, '2022-06-15').key1 - accessKey2: listkeys(eventGridDomainResourceId, '2022-06-15').key2 - deadLetterSecret: deadLetterSecret - deadLetterUri: deadLetterUri - } -} - -@description('The resource ID of the Endpoint.') -output resourceId string = endpoint.id - -@description('The name of the resource group the resource was created in.') -output resourceGroupName string = resourceGroup().name - -@description('The name of the Endpoint.') -output name string = endpoint.name diff --git a/modules/digital-twins/digital-twins-instance/endpoint--event-grid/main.json b/modules/digital-twins/digital-twins-instance/endpoint--event-grid/main.json deleted file mode 100644 index 8490ff9e8a..0000000000 --- a/modules/digital-twins/digital-twins-instance/endpoint--event-grid/main.json +++ /dev/null 
@@ -1,115 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17503518990299492663" - }, - "name": "Digital Twins Instance Event Grid Endpoints", - "description": "This module deploys a Digital Twins Instance Event Grid Endpoint.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "defaultValue": "EventGridEndpoint", - "metadata": { - "description": "Optional. The name of the Digital Twin Endpoint." - } - }, - "digitalTwinInstanceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment." - } - }, - "topicEndpoint": { - "type": "string", - "metadata": { - "description": "Required. EventGrid Topic Endpoint." - } - }, - "eventGridDomainResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the Event Grid to get access keys from." - } - }, - "deadLetterSecret": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. Dead letter storage secret for key-based authentication. Will be obfuscated during read." - } - }, - "deadLetterUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Dead letter storage URL for identity-based authentication." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DigitalTwins/digitalTwinsInstances/endpoints", - "apiVersion": "2023-01-31", - "name": "[format('{0}/{1}', parameters('digitalTwinInstanceName'), parameters('name'))]", - "properties": { - "endpointType": "EventGrid", - "authenticationType": "KeyBased", - "TopicEndpoint": "[parameters('topicEndpoint')]", - "accessKey1": "[listkeys(parameters('eventGridDomainResourceId'), '2022-06-15').key1]", - "accessKey2": "[listkeys(parameters('eventGridDomainResourceId'), '2022-06-15').key2]", - "deadLetterSecret": "[parameters('deadLetterSecret')]", - "deadLetterUri": "[parameters('deadLetterUri')]" - } - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Endpoint." - }, - "value": "[resourceId('Microsoft.DigitalTwins/digitalTwinsInstances/endpoints', parameters('digitalTwinInstanceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the resource was created in." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the Endpoint." - }, - "value": "[parameters('name')]" - } - } -} \ No newline at end of file diff --git a/modules/digital-twins/digital-twins-instance/endpoint--event-grid/version.json b/modules/digital-twins/digital-twins-instance/endpoint--event-grid/version.json deleted file mode 100644 index 96236a61ba..0000000000 
--- a/modules/digital-twins/digital-twins-instance/endpoint--event-grid/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/README.md b/modules/digital-twins/digital-twins-instance/endpoint--event-hub/README.md
deleted file mode 100644
index ee717d8aa1..0000000000
--- a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/README.md
+++ /dev/null
@@ -1,166 +0,0 @@ -# Digital Twins Instance EventHub Endpoint `[Microsoft.DigitalTwins/digitalTwinsInstances/endpoints]` - -This module deploys a Digital Twins Instance EventHub Endpoint. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.DigitalTwins/digitalTwinsInstances/endpoints` | [2023-01-31](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DigitalTwins/2023-01-31/digitalTwinsInstances/endpoints) | - -## Parameters - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`connectionStringPrimaryKey`](#parameter-connectionstringprimarykey) | securestring | PrimaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Required if the `authenticationType` is "KeyBased". | -| [`digitalTwinInstanceName`](#parameter-digitaltwininstancename) | string | The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`authenticationType`](#parameter-authenticationtype) | string | Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is selected, the endpointUri and entityPath properties must be specified. | -| [`connectionStringSecondaryKey`](#parameter-connectionstringsecondarykey) | securestring | SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is "KeyBased". | -| [`deadLetterSecret`](#parameter-deadlettersecret) | securestring | Dead letter storage secret for key-based authentication. 
Will be obfuscated during read. | -| [`deadLetterUri`](#parameter-deadletteruri) | string | Dead letter storage URL for identity-based authentication. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| [`endpointUri`](#parameter-endpointuri) | string | The URL of the EventHub namespace for identity-based authentication. It must include the protocol 'sb://' (i.e. sb://xyz.servicebus.windows.net). | -| [`entityPath`](#parameter-entitypath) | string | The EventHub name in the EventHub namespace for identity-based authentication. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`name`](#parameter-name) | string | The name of the Digital Twin Endpoint. | - -### Parameter: `connectionStringPrimaryKey` - -PrimaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Required if the `authenticationType` is "KeyBased". - -- Required: No -- Type: securestring -- Default: `''` - -### Parameter: `digitalTwinInstanceName` - -The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `authenticationType` - -Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is selected, the endpointUri and entityPath properties must be specified. - -- Required: No -- Type: string -- Default: `'IdentityBased'` -- Allowed: - ```Bicep - [ - 'IdentityBased' - 'KeyBased' - ] - ``` - -### Parameter: `connectionStringSecondaryKey` - -SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is "KeyBased". 
- -- Required: No -- Type: securestring -- Default: `''` - -### Parameter: `deadLetterSecret` - -Dead letter storage secret for key-based authentication. Will be obfuscated during read. - -- Required: No -- Type: securestring -- Default: `''` - -### Parameter: `deadLetterUri` - -Dead letter storage URL for identity-based authentication. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via the Customer Usage Attribution ID (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `endpointUri` - -The URL of the EventHub namespace for identity-based authentication. It must include the protocol 'sb://' (i.e. sb://xyz.servicebus.windows.net). - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `entityPath` - -The EventHub name in the EventHub namespace for identity-based authentication. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceId`](#parameter-managedidentitiesuserassignedresourceid) | string | The resource ID to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceId` - -The resource ID to assign to the resource. - -- Required: No -- Type: string - -### Parameter: `name` - -The name of the Digital Twin Endpoint. - -- Required: No -- Type: string -- Default: `'EventHubEndpoint'` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the Endpoint. 
| -| `resourceGroupName` | string | The name of the resource group the resource was created in. | -| `resourceId` | string | The resource ID of the Endpoint. | - -## Cross-referenced modules - -_None_ diff --git a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.bicep b/modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.bicep deleted file mode 100644 index 44a269cc2b..0000000000 --- a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.bicep +++ /dev/null 
@@ -1,101 +0,0 @@ -metadata name = 'Digital Twins Instance EventHub Endpoint' -metadata description = 'This module deploys a Digital Twins Instance EventHub Endpoint.' -metadata owner = 'Azure/module-maintainers' - -@description('Optional. The name of the Digital Twin Endpoint.') -param name string = 'EventHubEndpoint' - -@description('Conditional. The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment.') -param digitalTwinInstanceName string - -@allowed([ - 'IdentityBased' - 'KeyBased' -]) -@description('Optional. Specifies the authentication type being used for connecting to the endpoint. If \'KeyBased\' is selected, a connection string must be specified (at least the primary connection string). If \'IdentityBased\' is selected, the endpointUri and entityPath properties must be specified.') -param authenticationType string = 'IdentityBased' - -@description('Optional. Dead letter storage secret for key-based authentication. Will be obfuscated during read.') -@secure() -param deadLetterSecret string = '' - -@description('Optional. Dead letter storage URL for identity-based authentication.') -param deadLetterUri string = '' - -@description('Conditional. PrimaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Required if the `authenticationType` is "KeyBased".') -@secure() -param connectionStringPrimaryKey string = '' - -@description('Optional. SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is "KeyBased".') -@secure() -param connectionStringSecondaryKey string = '' - -@description('Optional. The EventHub name in the EventHub namespace for identity-based authentication.') -param entityPath string = '' - -@description('Optional. The URL of the EventHub namespace for identity-based authentication. It must include the protocol \'sb://\' (i.e. 
sb://xyz.servicebus.windows.net).') -param endpointUri string = '' - -@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. The managed identity definition for this resource.') -param managedIdentities managedIdentitiesType - -var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceId ?? '') ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceId ?? '') ? 'UserAssigned' : null) - userAssignedIdentity: !empty(managedIdentities.?userAssignedResourceId) ? managedIdentities.?userAssignedResourceId : null -} : null - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource digitalTwinsInstance 'Microsoft.DigitalTwins/digitalTwinsInstances@2023-01-31' existing = { - name: digitalTwinInstanceName -} - -resource endpoint 'Microsoft.DigitalTwins/digitalTwinsInstances/endpoints@2023-01-31' = { - name: name - parent: digitalTwinsInstance - properties: { - endpointType: 'EventHub' - authenticationType: authenticationType - connectionStringPrimaryKey: connectionStringPrimaryKey - connectionStringSecondaryKey: connectionStringSecondaryKey - deadLetterSecret: deadLetterSecret - deadLetterUri: deadLetterUri - endpointUri: endpointUri - entityPath: entityPath - identity: identity - } -} - -@description('The resource ID of the Endpoint.') -output resourceId string = endpoint.id - -@description('The name of the resource group the resource was created in.') -output resourceGroupName string = 
resourceGroup().name - -@description('The name of the Endpoint.') -output name string = endpoint.name - -// =============== // -// Definitions // -// =============== // - -type managedIdentitiesType = { - @description('Optional. Enables system assigned managed identity on the resource.') - systemAssigned: bool? - - @description('Optional. The resource ID to assign to the resource.') - userAssignedResourceId: string? -}? diff --git a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.json b/modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.json deleted file mode 100644 index d0299e46f1..0000000000 --- a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.json +++ /dev/null 
@@ -1,185 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "3646158227862088931" - }, - "name": "Digital Twins Instance EventHub Endpoint", - "description": "This module deploys a Digital Twins Instance EventHub Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The resource ID to assign to the resource." - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "defaultValue": "EventHubEndpoint", - "metadata": { - "description": "Optional. The name of the Digital Twin Endpoint." - } - }, - "digitalTwinInstanceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment." - } - }, - "authenticationType": { - "type": "string", - "defaultValue": "IdentityBased", - "allowedValues": [ - "IdentityBased", - "KeyBased" - ], - "metadata": { - "description": "Optional. Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is selected, the endpointUri and entityPath properties must be specified." - } - }, - "deadLetterSecret": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. Dead letter storage secret for key-based authentication. 
Will be obfuscated during read." - } - }, - "deadLetterUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Dead letter storage URL for identity-based authentication." - } - }, - "connectionStringPrimaryKey": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Conditional. PrimaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Required if the `authenticationType` is \"KeyBased\"." - } - }, - "connectionStringSecondaryKey": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is \"KeyBased\"." - } - }, - "entityPath": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The EventHub name in the EventHub namespace for identity-based authentication." - } - }, - "endpointUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The URL of the EventHub namespace for identity-based authentication. It must include the protocol 'sb://' (i.e. sb://xyz.servicebus.windows.net)." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." 
- } - } - }, - "variables": { - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), ''))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), ''))), 'UserAssigned', null())), 'userAssignedIdentity', if(not(empty(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'))), tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), null())), null())]" - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "digitalTwinsInstance": { - "existing": true, - "type": "Microsoft.DigitalTwins/digitalTwinsInstances", - "apiVersion": "2023-01-31", - "name": "[parameters('digitalTwinInstanceName')]" - }, - "endpoint": { - "type": "Microsoft.DigitalTwins/digitalTwinsInstances/endpoints", - "apiVersion": "2023-01-31", - "name": "[format('{0}/{1}', parameters('digitalTwinInstanceName'), parameters('name'))]", - "properties": { - "endpointType": "EventHub", - "authenticationType": "[parameters('authenticationType')]", - "connectionStringPrimaryKey": "[parameters('connectionStringPrimaryKey')]", - "connectionStringSecondaryKey": "[parameters('connectionStringSecondaryKey')]", - "deadLetterSecret": "[parameters('deadLetterSecret')]", - "deadLetterUri": "[parameters('deadLetterUri')]", - "endpointUri": "[parameters('endpointUri')]", - "entityPath": 
"[parameters('entityPath')]", - "identity": "[variables('identity')]" - }, - "dependsOn": [ - "digitalTwinsInstance" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Endpoint." - }, - "value": "[resourceId('Microsoft.DigitalTwins/digitalTwinsInstances/endpoints', parameters('digitalTwinInstanceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the resource was created in." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the Endpoint." - }, - "value": "[parameters('name')]" - } - } -} \ No newline at end of file diff --git a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/version.json b/modules/digital-twins/digital-twins-instance/endpoint--event-hub/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/README.md b/modules/digital-twins/digital-twins-instance/endpoint--service-bus/README.md deleted file mode 100644 index 040d68825a..0000000000 --- a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/README.md +++ /dev/null 
@@ -1,166 +0,0 @@
-# Digital Twins Instance ServiceBus Endpoint `[Microsoft.DigitalTwins/digitalTwinsInstances/endpoints]`
-
-This module deploys a Digital Twins Instance ServiceBus Endpoint.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.DigitalTwins/digitalTwinsInstances/endpoints` | [2023-01-31](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DigitalTwins/2023-01-31/digitalTwinsInstances/endpoints) |
-
-## Parameters
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`digitalTwinInstanceName`](#parameter-digitaltwininstancename) | string | The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment. |
-| [`primaryConnectionString`](#parameter-primaryconnectionstring) | securestring | PrimaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Required if the `authenticationType` is "KeyBased". |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`authenticationType`](#parameter-authenticationtype) | string | Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is selected, the endpointUri and entityPath properties must be specified. |
-| [`deadLetterSecret`](#parameter-deadlettersecret) | securestring | Dead letter storage secret for key-based authentication. Will be obfuscated during read. |
-| [`deadLetterUri`](#parameter-deadletteruri) | string | Dead letter storage URL for identity-based authentication. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). |
-| [`endpointUri`](#parameter-endpointuri) | string | The URL of the ServiceBus namespace for identity-based authentication. It must include the protocol 'sb://' (e.g. sb://xyz.servicebus.windows.net). |
-| [`entityPath`](#parameter-entitypath) | string | The ServiceBus Topic name for identity-based authentication. |
-| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. |
-| [`name`](#parameter-name) | string | The name of the Digital Twin Endpoint. |
-| [`secondaryConnectionString`](#parameter-secondaryconnectionstring) | securestring | SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is "KeyBased". |
-
-### Parameter: `digitalTwinInstanceName`
-
-The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `primaryConnectionString`
-
-PrimaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Required if the `authenticationType` is "KeyBased".
-
-- Required: No
-- Type: securestring
-- Default: `''`
-
-### Parameter: `authenticationType`
-
-Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is selected, the endpointUri and entityPath properties must be specified.
-
-- Required: No
-- Type: string
-- Default: `'IdentityBased'`
-- Allowed:
- ```Bicep
- [
- 'IdentityBased'
- 'KeyBased'
- ]
- ```
-
-### Parameter: `deadLetterSecret`
-
-Dead letter storage secret for key-based authentication. Will be obfuscated during read.
-
-- Required: No
-- Type: securestring
-- Default: `''`
-
-### Parameter: `deadLetterUri`
-
-Dead letter storage URL for identity-based authentication.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via the Customer Usage Attribution ID (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `endpointUri`
-
-The URL of the ServiceBus namespace for identity-based authentication. It must include the protocol 'sb://' (e.g. sb://xyz.servicebus.windows.net).
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `entityPath`
-
-The ServiceBus Topic name for identity-based authentication.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `managedIdentities`
-
-The managed identity definition for this resource.
-
-- Required: No
-- Type: object
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. |
-| [`userAssignedResourceId`](#parameter-managedidentitiesuserassignedresourceid) | string | The resource ID to assign to the resource. |
-
-### Parameter: `managedIdentities.systemAssigned`
-
-Enables system assigned managed identity on the resource.
-
-- Required: No
-- Type: bool
-
-### Parameter: `managedIdentities.userAssignedResourceId`
-
-The resource ID to assign to the resource.
-
-- Required: No
-- Type: string
-
-### Parameter: `name`
-
-The name of the Digital Twin Endpoint.
-
-- Required: No
-- Type: string
-- Default: `'ServiceBusEndpoint'`
-
-### Parameter: `secondaryConnectionString`
-
-SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is "KeyBased".
-
-- Required: No
-- Type: securestring
-- Default: `''`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the Endpoint. |
-| `resourceGroupName` | string | The name of the resource group the resource was created in. |
-| `resourceId` | string | The resource ID of the Endpoint. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.bicep b/modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.bicep
deleted file mode 100644
index 633cc7ec3d..0000000000
--- a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.bicep
+++ /dev/null
@@ -1,101 +0,0 @@
-metadata name = 'Digital Twins Instance ServiceBus Endpoint'
-metadata description = 'This module deploys a Digital Twins Instance ServiceBus Endpoint.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Optional. The name of the Digital Twin Endpoint.')
-param name string = 'ServiceBusEndpoint'
-
-@description('Conditional. The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment.')
-param digitalTwinInstanceName string
-
-@allowed([
- 'IdentityBased'
- 'KeyBased'
-])
-@description('Optional. Specifies the authentication type being used for connecting to the endpoint. If \'KeyBased\' is selected, a connection string must be specified (at least the primary connection string). If \'IdentityBased\' is selected, the endpointUri and entityPath properties must be specified.')
-param authenticationType string = 'IdentityBased'
-
-@description('Optional. Dead letter storage secret for key-based authentication. Will be obfuscated during read.')
-@secure()
-param deadLetterSecret string = ''
-
-@description('Optional. Dead letter storage URL for identity-based authentication.')
-param deadLetterUri string = ''
-
-@description('Optional. The URL of the ServiceBus namespace for identity-based authentication. It must include the protocol \'sb://\' (e.g. sb://xyz.servicebus.windows.net).')
-param endpointUri string = ''
-
-@description('Optional. The ServiceBus Topic name for identity-based authentication.')
-param entityPath string = ''
-
-@description('Conditional. PrimaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Required if the `authenticationType` is "KeyBased".')
-@secure()
-param primaryConnectionString string = ''
-
-@description('Optional. SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is "KeyBased".')
-@secure()
-param secondaryConnectionString string = ''
-
-@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
-
-var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceId ?? '') ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceId ?? '') ? 'UserAssigned' : null)
- userAssignedIdentity: !empty(managedIdentities.?userAssignedResourceId) ? managedIdentities.?userAssignedResourceId : null
-} : null
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource digitalTwinsInstance 'Microsoft.DigitalTwins/digitalTwinsInstances@2023-01-31' existing = {
- name: digitalTwinInstanceName
-}
-
-resource endpoint 'Microsoft.DigitalTwins/digitalTwinsInstances/endpoints@2023-01-31' = {
- name: name
- parent: digitalTwinsInstance
- properties: {
- endpointType: 'ServiceBus'
- authenticationType: authenticationType
- deadLetterSecret: deadLetterSecret
- deadLetterUri: deadLetterUri
- endpointUri: endpointUri
- entityPath: entityPath
- primaryConnectionString: primaryConnectionString
- secondaryConnectionString: secondaryConnectionString
- identity: identity
- }
-}
-
-@description('The resource ID of the Endpoint.')
-output resourceId string = endpoint.id
-
-@description('The name of the resource group the resource was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the Endpoint.')
-output name string = endpoint.name
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @description('Optional. The resource ID to assign to the resource.')
- userAssignedResourceId: string?
-}?
diff --git a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.json b/modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.json
deleted file mode 100644
index 6cd452bec3..0000000000
--- a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.json
+++ /dev/null
@@ -1,185 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13121115050219114278" - }, - "name": "Digital Twins Instance ServiceBus Endpoint", - "description": "This module deploys a Digital Twins Instance ServiceBus Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The resource ID to assign to the resource." - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "defaultValue": "ServiceBusEndpoint", - "metadata": { - "description": "Optional. The name of the Digital Twin Endpoint." - } - }, - "digitalTwinInstanceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment." - } - }, - "authenticationType": { - "type": "string", - "defaultValue": "IdentityBased", - "allowedValues": [ - "IdentityBased", - "KeyBased" - ], - "metadata": { - "description": "Optional. Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is selected, the endpointUri and entityPath properties must be specified." - } - }, - "deadLetterSecret": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. Dead letter storage secret for key-based authentication. 
Will be obfuscated during read." - } - }, - "deadLetterUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Dead letter storage URL for identity-based authentication." - } - }, - "endpointUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The URL of the ServiceBus namespace for identity-based authentication. It must include the protocol 'sb://' (e.g. sb://xyz.servicebus.windows.net)." - } - }, - "entityPath": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The ServiceBus Topic name for identity-based authentication." - } - }, - "primaryConnectionString": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Conditional. PrimaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Required if the `authenticationType` is \"KeyBased\"." - } - }, - "secondaryConnectionString": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is \"KeyBased\"." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." 
- } - } - }, - "variables": { - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), ''))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), ''))), 'UserAssigned', null())), 'userAssignedIdentity', if(not(empty(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'))), tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), null())), null())]" - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "digitalTwinsInstance": { - "existing": true, - "type": "Microsoft.DigitalTwins/digitalTwinsInstances", - "apiVersion": "2023-01-31", - "name": "[parameters('digitalTwinInstanceName')]" - }, - "endpoint": { - "type": "Microsoft.DigitalTwins/digitalTwinsInstances/endpoints", - "apiVersion": "2023-01-31", - "name": "[format('{0}/{1}', parameters('digitalTwinInstanceName'), parameters('name'))]", - "properties": { - "endpointType": "ServiceBus", - "authenticationType": "[parameters('authenticationType')]", - "deadLetterSecret": "[parameters('deadLetterSecret')]", - "deadLetterUri": "[parameters('deadLetterUri')]", - "endpointUri": "[parameters('endpointUri')]", - "entityPath": "[parameters('entityPath')]", - "primaryConnectionString": "[parameters('primaryConnectionString')]", - "secondaryConnectionString": 
"[parameters('secondaryConnectionString')]", - "identity": "[variables('identity')]" - }, - "dependsOn": [ - "digitalTwinsInstance" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Endpoint." - }, - "value": "[resourceId('Microsoft.DigitalTwins/digitalTwinsInstances/endpoints', parameters('digitalTwinInstanceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the resource was created in." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the Endpoint." - }, - "value": "[parameters('name')]" - } - } -} \ No newline at end of file diff --git a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/version.json b/modules/digital-twins/digital-twins-instance/endpoint--service-bus/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/digital-twins/digital-twins-instance/main.bicep b/modules/digital-twins/digital-twins-instance/main.bicep deleted file mode 100644 index d70d7c7c03..0000000000 --- a/modules/digital-twins/digital-twins-instance/main.bicep +++ /dev/null 
@@ -1,377 +0,0 @@ -metadata name = 'Digital Twins Instances' -metadata description = 'This module deploys an Azure Digital Twins Instance.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. The name of the Digital Twin Instance.') -@minLength(3) -@maxLength(63) -param name string - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. Resource tags.') -param tags object? - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. The managed identity definition for this resource.') -param managedIdentities managedIdentitiesType - -@description('Optional. Event Hub Endpoint.') -param eventHubEndpoint object = {} - -@description('Optional. Event Grid Endpoint.') -param eventGridEndpoint object = {} - -@description('Optional. Service Bus Endpoint.') -param serviceBusEndpoint object = {} - -@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') -param privateEndpoints privateEndpointType - -@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.') -@allowed([ - '' - 'Enabled' - 'Disabled' -]) -param publicNetworkAccess string = '' - -@description('Optional. The diagnostic settings of the service.') -param diagnosticSettings diagnosticSettingType - -@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalIds\' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments roleAssignmentType - -var enableReferencedModulesTelemetry = false - -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } - -var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) - userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null -} : null - -var builtInRoleNames = { - 'Azure Digital Twins Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe') - 'Azure Digital Twins Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 
'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource digitalTwinsInstance 'Microsoft.DigitalTwins/digitalTwinsInstances@2023-01-31' = { - name: name - location: location - identity: identity - tags: tags - properties: { - publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : 'Enabled') - } -} - -module digitalTwinsInstance_eventHubEndpoint 'endpoint--event-hub/main.bicep' = if (!empty(eventHubEndpoint)) { - name: '${uniqueString(deployment().name, location)}-DigitalTwinsInstance-Endpoints-EventHub' - params: { - digitalTwinInstanceName: digitalTwinsInstance.name - name: contains(eventHubEndpoint, 'name') ? eventHubEndpoint.name : 'EventHubEndpoint' - authenticationType: contains(eventHubEndpoint, 'authenticationType') ? eventHubEndpoint.authenticationType : 'KeyBased' - connectionStringPrimaryKey: contains(eventHubEndpoint, 'connectionStringPrimaryKey') ? eventHubEndpoint.connectionStringPrimaryKey : '' - connectionStringSecondaryKey: contains(eventHubEndpoint, 'connectionStringSecondaryKey') ? eventHubEndpoint.connectionStringSecondaryKey : '' - deadLetterSecret: contains(eventHubEndpoint, 'deadLetterSecret') ? eventHubEndpoint.deadLetterSecret : '' - deadLetterUri: contains(eventHubEndpoint, 'deadLetterUri') ? eventHubEndpoint.deadLetterUri : '' - endpointUri: contains(eventHubEndpoint, 'endpointUri') ? eventHubEndpoint.endpointUri : '' - entityPath: contains(eventHubEndpoint, 'entityPath') ? eventHubEndpoint.entityPath : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry - managedIdentities: contains(eventHubEndpoint, 'managedIdentities') ? 
eventHubEndpoint.managedIdentities : {} - } -} - -module digitalTwinsInstance_eventGridEndpoint 'endpoint--event-grid/main.bicep' = if (!empty(eventGridEndpoint)) { - name: '${uniqueString(deployment().name, location)}-DigitalTwinsInstance-Endpoints-EventGrid' - params: { - digitalTwinInstanceName: digitalTwinsInstance.name - name: contains(eventGridEndpoint, 'name') ? eventGridEndpoint.name : 'EventGridEndpoint' - topicEndpoint: contains(eventGridEndpoint, 'topicEndpoint') ? eventGridEndpoint.topicEndpoint : '' - deadLetterSecret: contains(eventGridEndpoint, 'deadLetterSecret') ? eventGridEndpoint.deadLetterSecret : '' - deadLetterUri: contains(eventGridEndpoint, 'deadLetterUri') ? eventGridEndpoint.deadLetterUri : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry - eventGridDomainResourceId: contains(eventGridEndpoint, 'eventGridDomainId') ? eventGridEndpoint.eventGridDomainId : '' - } -} - -module digitalTwinsInstance_serviceBusEndpoint 'endpoint--service-bus/main.bicep' = if (!empty(serviceBusEndpoint)) { - name: '${uniqueString(deployment().name, location)}-DigitalTwinsInstance-Endpoints-ServiceBus' - params: { - digitalTwinInstanceName: digitalTwinsInstance.name - name: contains(serviceBusEndpoint, 'name') ? serviceBusEndpoint.name : 'ServiceBusEndpoint' - authenticationType: contains(serviceBusEndpoint, 'authenticationType') ? serviceBusEndpoint.authenticationType : '' - deadLetterSecret: contains(serviceBusEndpoint, 'deadLetterSecret') ? serviceBusEndpoint.deadLetterSecret : '' - deadLetterUri: contains(serviceBusEndpoint, 'deadLetterUri') ? serviceBusEndpoint.deadLetterUri : '' - endpointUri: contains(serviceBusEndpoint, 'endpointUri') ? serviceBusEndpoint.endpointUri : '' - entityPath: contains(serviceBusEndpoint, 'entityPath') ? serviceBusEndpoint.entityPath : '' - primaryConnectionString: contains(serviceBusEndpoint, 'primaryConnectionString') ? 
serviceBusEndpoint.primaryConnectionString : '' - secondaryConnectionString: contains(serviceBusEndpoint, 'secondaryConnectionString') ? serviceBusEndpoint.secondaryConnectionString : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry - managedIdentities: contains(serviceBusEndpoint, 'managedIdentities') ? serviceBusEndpoint.managedIdentities : {} - } -} - -module digitalTwinsInstance_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): { - name: '${uniqueString(deployment().name, location)}-digitalTwinsInstance-PrivateEndpoint-${index}' - params: { - groupIds: [ - privateEndpoint.?service ?? 'API' - ] - name: privateEndpoint.?name ?? 'pep-${last(split(digitalTwinsInstance.id, '/'))}-${privateEndpoint.?service ?? 'API'}-${index}' - serviceResourceId: digitalTwinsInstance.id - subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry - location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: privateEndpoint.?lock ?? lock - privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName - privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds - roleAssignments: privateEndpoint.?roleAssignments - tags: privateEndpoint.?tags ?? tags - manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections - customDnsConfigs: privateEndpoint.?customDnsConfigs - ipConfigurations: privateEndpoint.?ipConfigurations - applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds - customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName - } -}] - -resource digitalTwinsInstance_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 
'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' - } - scope: digitalTwinsInstance -} - -resource digitalTwinsInstance_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { - name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' - properties: { - storageAccountId: diagnosticSetting.?storageAccountResourceId - workspaceId: diagnosticSetting.?workspaceResourceId - eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId - eventHubName: diagnosticSetting.?eventHubName - metrics: diagnosticSetting.?metricCategories ?? [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - } - ] - logs: diagnosticSetting.?logCategoriesAndGroups ?? [ - { - categoryGroup: 'AllLogs' - enabled: true - } - ] - marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId - logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType - } - scope: digitalTwinsInstance -}] - -resource digitalTwinsInstance_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(digitalTwinsInstance.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? 
roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: digitalTwinsInstance
-}]
-
-@description('The resource ID of the Digital Twins Instance.')
-output resourceId string = digitalTwinsInstance.id
-
-@description('The name of the resource group the resource was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the Digital Twins Instance.')
-output name string = digitalTwinsInstance.name
-
-@description('The hostname of the Digital Twins Instance.')
-output hostname string = digitalTwinsInstance.properties.hostName
-
-@description('The location the resource was deployed into.')
-output location string = digitalTwinsInstance.location
-
-@description('The principal ID of the system assigned identity.')
-output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(digitalTwinsInstance.identity, 'principalId') ? digitalTwinsInstance.identity.principalId : ''
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]?
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type privateEndpointType = {
- @description('Optional. The name of the private endpoint.')
- name: string?
-
- @description('Optional. The location to deploy the private endpoint to.')
- location: string?
-
- @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
- service: string?
-
- @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
- subnetResourceId: string
-
- @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
- privateDnsZoneGroupName: string?
-
- @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
- privateDnsZoneResourceIds: string[]?
-
- @description('Optional. Custom DNS configurations.')
- customDnsConfigs: {
- @description('Required. Fqdn that resolves to private endpoint ip address.')
- fqdn: string?
-
- @description('Required. A list of private ip addresses of the private endpoint.')
- ipAddresses: string[]
- }[]?
-
- @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
- ipConfigurations: {
- @description('Required. The name of the resource that is unique within a resource group.')
- name: string
-
- @description('Required. Properties of private endpoint IP configurations.')
- properties: {
- @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
- groupId: string
-
- @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
- memberName: string
-
- @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
- privateIPAddress: string
- }
- }[]?
-
- @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
- applicationSecurityGroupResourceIds: string[]?
-
- @description('Optional. The custom name of the network interface attached to the private endpoint.')
- customNetworkInterfaceName: string?
-
- @description('Optional. Specify the type of lock.')
- lock: lockType
-
- @description('Optional. Array of role assignments to create.')
- roleAssignments: roleAssignmentType
-
- @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
- tags: object?
-
- @description('Optional. Manual PrivateLink Service Connections.')
- manualPrivateLinkServiceConnections: array?
-
- @description('Optional. Enable/Disable usage telemetry for module.')
- enableTelemetry: bool?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/digital-twins/digital-twins-instance/main.json b/modules/digital-twins/digital-twins-instance/main.json
deleted file mode 100644
index 418e025eaf..0000000000
--- a/modules/digital-twins/digital-twins-instance/main.json
+++ /dev/null
@@ -1,1843 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10882496143186980105" - }, - "name": "Digital Twins Instances", - "description": "This module deploys an Azure Digital Twins Instance.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." 
- } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. 
Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "minLength": 3, - "maxLength": 63, - "metadata": { - "description": "Required. The name of the Digital Twin Instance." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Resource tags." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "eventHubEndpoint": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. 
Event Hub Endpoint." - } - }, - "eventGridEndpoint": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Event Grid Endpoint." - } - }, - "serviceBusEndpoint": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Service Bus Endpoint." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "builtInRoleNames": { - "Azure Digital Twins Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", - "Azure Digital Twins Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "digitalTwinsInstance": { - "type": "Microsoft.DigitalTwins/digitalTwinsInstances", - "apiVersion": "2023-01-31", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "identity": "[variables('identity')]", - "tags": "[parameters('tags')]", - "properties": { - "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), if(not(empty(parameters('privateEndpoints'))), 'Disabled', 'Enabled'))]" - } - }, - "digitalTwinsInstance_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.DigitalTwins/digitalTwinsInstances/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "digitalTwinsInstance" - ] - }, - "digitalTwinsInstance_diagnosticSettings": { - "copy": { - "name": "digitalTwinsInstance_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), 
createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.DigitalTwins/digitalTwinsInstances/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "digitalTwinsInstance" - ] - }, - "digitalTwinsInstance_roleAssignments": { - "copy": { - "name": "digitalTwinsInstance_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": 
"[format('Microsoft.DigitalTwins/digitalTwinsInstances/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.DigitalTwins/digitalTwinsInstances', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "digitalTwinsInstance" - ] - }, - 
"digitalTwinsInstance_eventHubEndpoint": { - "condition": "[not(empty(parameters('eventHubEndpoint')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DigitalTwinsInstance-Endpoints-EventHub', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "digitalTwinInstanceName": { - "value": "[parameters('name')]" - }, - "name": "[if(contains(parameters('eventHubEndpoint'), 'name'), createObject('value', parameters('eventHubEndpoint').name), createObject('value', 'EventHubEndpoint'))]", - "authenticationType": "[if(contains(parameters('eventHubEndpoint'), 'authenticationType'), createObject('value', parameters('eventHubEndpoint').authenticationType), createObject('value', 'KeyBased'))]", - "connectionStringPrimaryKey": "[if(contains(parameters('eventHubEndpoint'), 'connectionStringPrimaryKey'), createObject('value', parameters('eventHubEndpoint').connectionStringPrimaryKey), createObject('value', ''))]", - "connectionStringSecondaryKey": "[if(contains(parameters('eventHubEndpoint'), 'connectionStringSecondaryKey'), createObject('value', parameters('eventHubEndpoint').connectionStringSecondaryKey), createObject('value', ''))]", - "deadLetterSecret": "[if(contains(parameters('eventHubEndpoint'), 'deadLetterSecret'), createObject('value', parameters('eventHubEndpoint').deadLetterSecret), createObject('value', ''))]", - "deadLetterUri": "[if(contains(parameters('eventHubEndpoint'), 'deadLetterUri'), createObject('value', parameters('eventHubEndpoint').deadLetterUri), createObject('value', ''))]", - "endpointUri": "[if(contains(parameters('eventHubEndpoint'), 'endpointUri'), createObject('value', parameters('eventHubEndpoint').endpointUri), createObject('value', ''))]", - "entityPath": "[if(contains(parameters('eventHubEndpoint'), 'entityPath'), createObject('value', 
parameters('eventHubEndpoint').entityPath), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "managedIdentities": "[if(contains(parameters('eventHubEndpoint'), 'managedIdentities'), createObject('value', parameters('eventHubEndpoint').managedIdentities), createObject('value', createObject()))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "3646158227862088931" - }, - "name": "Digital Twins Instance EventHub Endpoint", - "description": "This module deploys a Digital Twins Instance EventHub Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The resource ID to assign to the resource." - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "defaultValue": "EventHubEndpoint", - "metadata": { - "description": "Optional. The name of the Digital Twin Endpoint." - } - }, - "digitalTwinInstanceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment." - } - }, - "authenticationType": { - "type": "string", - "defaultValue": "IdentityBased", - "allowedValues": [ - "IdentityBased", - "KeyBased" - ], - "metadata": { - "description": "Optional. Specifies the authentication type being used for connecting to the endpoint. 
If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is selected, the endpointUri and entityPath properties must be specified." - } - }, - "deadLetterSecret": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. Dead letter storage secret for key-based authentication. Will be obfuscated during read." - } - }, - "deadLetterUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Dead letter storage URL for identity-based authentication." - } - }, - "connectionStringPrimaryKey": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Conditional. PrimaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Required if the `authenticationType` is \"KeyBased\"." - } - }, - "connectionStringSecondaryKey": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is \"KeyBased\"." - } - }, - "entityPath": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The EventHub name in the EventHub namespace for identity-based authentication." - } - }, - "endpointUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The URL of the EventHub namespace for identity-based authentication. It must include the protocol 'sb://' (i.e. sb://xyz.servicebus.windows.net)." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. 
The managed identity definition for this resource." - } - } - }, - "variables": { - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), ''))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), ''))), 'UserAssigned', null())), 'userAssignedIdentity', if(not(empty(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'))), tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), null())), null())]" - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "digitalTwinsInstance": { - "existing": true, - "type": "Microsoft.DigitalTwins/digitalTwinsInstances", - "apiVersion": "2023-01-31", - "name": "[parameters('digitalTwinInstanceName')]" - }, - "endpoint": { - "type": "Microsoft.DigitalTwins/digitalTwinsInstances/endpoints", - "apiVersion": "2023-01-31", - "name": "[format('{0}/{1}', parameters('digitalTwinInstanceName'), parameters('name'))]", - "properties": { - "endpointType": "EventHub", - "authenticationType": "[parameters('authenticationType')]", - "connectionStringPrimaryKey": "[parameters('connectionStringPrimaryKey')]", - "connectionStringSecondaryKey": "[parameters('connectionStringSecondaryKey')]", - "deadLetterSecret": "[parameters('deadLetterSecret')]", - "deadLetterUri": "[parameters('deadLetterUri')]", - 
"endpointUri": "[parameters('endpointUri')]", - "entityPath": "[parameters('entityPath')]", - "identity": "[variables('identity')]" - }, - "dependsOn": [ - "digitalTwinsInstance" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Endpoint." - }, - "value": "[resourceId('Microsoft.DigitalTwins/digitalTwinsInstances/endpoints', parameters('digitalTwinInstanceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the resource was created in." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the Endpoint." - }, - "value": "[parameters('name')]" - } - } - } - }, - "dependsOn": [ - "digitalTwinsInstance" - ] - }, - "digitalTwinsInstance_eventGridEndpoint": { - "condition": "[not(empty(parameters('eventGridEndpoint')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DigitalTwinsInstance-Endpoints-EventGrid', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "digitalTwinInstanceName": { - "value": "[parameters('name')]" - }, - "name": "[if(contains(parameters('eventGridEndpoint'), 'name'), createObject('value', parameters('eventGridEndpoint').name), createObject('value', 'EventGridEndpoint'))]", - "topicEndpoint": "[if(contains(parameters('eventGridEndpoint'), 'topicEndpoint'), createObject('value', parameters('eventGridEndpoint').topicEndpoint), createObject('value', ''))]", - "deadLetterSecret": "[if(contains(parameters('eventGridEndpoint'), 'deadLetterSecret'), createObject('value', parameters('eventGridEndpoint').deadLetterSecret), createObject('value', ''))]", - "deadLetterUri": "[if(contains(parameters('eventGridEndpoint'), 'deadLetterUri'), 
createObject('value', parameters('eventGridEndpoint').deadLetterUri), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "eventGridDomainResourceId": "[if(contains(parameters('eventGridEndpoint'), 'eventGridDomainId'), createObject('value', parameters('eventGridEndpoint').eventGridDomainId), createObject('value', ''))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17503518990299492663" - }, - "name": "Digital Twins Instance Event Grid Endpoints", - "description": "This module deploys a Digital Twins Instance Event Grid Endpoint.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "defaultValue": "EventGridEndpoint", - "metadata": { - "description": "Optional. The name of the Digital Twin Endpoint." - } - }, - "digitalTwinInstanceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment." - } - }, - "topicEndpoint": { - "type": "string", - "metadata": { - "description": "Required. EventGrid Topic Endpoint." - } - }, - "eventGridDomainResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the Event Grid to get access keys from." - } - }, - "deadLetterSecret": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. Dead letter storage secret for key-based authentication. Will be obfuscated during read." - } - }, - "deadLetterUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Dead letter storage URL for identity-based authentication." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DigitalTwins/digitalTwinsInstances/endpoints", - "apiVersion": "2023-01-31", - "name": "[format('{0}/{1}', parameters('digitalTwinInstanceName'), parameters('name'))]", - "properties": { - "endpointType": "EventGrid", - "authenticationType": "KeyBased", - "TopicEndpoint": "[parameters('topicEndpoint')]", - "accessKey1": "[listkeys(parameters('eventGridDomainResourceId'), '2022-06-15').key1]", - "accessKey2": "[listkeys(parameters('eventGridDomainResourceId'), '2022-06-15').key2]", - "deadLetterSecret": "[parameters('deadLetterSecret')]", - "deadLetterUri": "[parameters('deadLetterUri')]" - } - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Endpoint." - }, - "value": "[resourceId('Microsoft.DigitalTwins/digitalTwinsInstances/endpoints', parameters('digitalTwinInstanceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the resource was created in." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the Endpoint." 
- }, - "value": "[parameters('name')]" - } - } - } - }, - "dependsOn": [ - "digitalTwinsInstance" - ] - }, - "digitalTwinsInstance_serviceBusEndpoint": { - "condition": "[not(empty(parameters('serviceBusEndpoint')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DigitalTwinsInstance-Endpoints-ServiceBus', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "digitalTwinInstanceName": { - "value": "[parameters('name')]" - }, - "name": "[if(contains(parameters('serviceBusEndpoint'), 'name'), createObject('value', parameters('serviceBusEndpoint').name), createObject('value', 'ServiceBusEndpoint'))]", - "authenticationType": "[if(contains(parameters('serviceBusEndpoint'), 'authenticationType'), createObject('value', parameters('serviceBusEndpoint').authenticationType), createObject('value', ''))]", - "deadLetterSecret": "[if(contains(parameters('serviceBusEndpoint'), 'deadLetterSecret'), createObject('value', parameters('serviceBusEndpoint').deadLetterSecret), createObject('value', ''))]", - "deadLetterUri": "[if(contains(parameters('serviceBusEndpoint'), 'deadLetterUri'), createObject('value', parameters('serviceBusEndpoint').deadLetterUri), createObject('value', ''))]", - "endpointUri": "[if(contains(parameters('serviceBusEndpoint'), 'endpointUri'), createObject('value', parameters('serviceBusEndpoint').endpointUri), createObject('value', ''))]", - "entityPath": "[if(contains(parameters('serviceBusEndpoint'), 'entityPath'), createObject('value', parameters('serviceBusEndpoint').entityPath), createObject('value', ''))]", - "primaryConnectionString": "[if(contains(parameters('serviceBusEndpoint'), 'primaryConnectionString'), createObject('value', parameters('serviceBusEndpoint').primaryConnectionString), createObject('value', ''))]", - "secondaryConnectionString": 
"[if(contains(parameters('serviceBusEndpoint'), 'secondaryConnectionString'), createObject('value', parameters('serviceBusEndpoint').secondaryConnectionString), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "managedIdentities": "[if(contains(parameters('serviceBusEndpoint'), 'managedIdentities'), createObject('value', parameters('serviceBusEndpoint').managedIdentities), createObject('value', createObject()))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13121115050219114278" - }, - "name": "Digital Twins Instance ServiceBus Endpoint", - "description": "This module deploys a Digital Twins Instance ServiceBus Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The resource ID to assign to the resource." - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "defaultValue": "ServiceBusEndpoint", - "metadata": { - "description": "Optional. The name of the Digital Twin Endpoint." - } - }, - "digitalTwinInstanceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment." 
- } - }, - "authenticationType": { - "type": "string", - "defaultValue": "IdentityBased", - "allowedValues": [ - "IdentityBased", - "KeyBased" - ], - "metadata": { - "description": "Optional. Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is selected, the endpointUri and entityPath properties must be specified." - } - }, - "deadLetterSecret": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. Dead letter storage secret for key-based authentication. Will be obfuscated during read." - } - }, - "deadLetterUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Dead letter storage URL for identity-based authentication." - } - }, - "endpointUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The URL of the ServiceBus namespace for identity-based authentication. It must include the protocol 'sb://' (e.g. sb://xyz.servicebus.windows.net)." - } - }, - "entityPath": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The ServiceBus Topic name for identity-based authentication." - } - }, - "primaryConnectionString": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Conditional. PrimaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Required if the `authenticationType` is \"KeyBased\"." - } - }, - "secondaryConnectionString": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is \"KeyBased\"." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - } - }, - "variables": { - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), ''))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), ''))), 'UserAssigned', null())), 'userAssignedIdentity', if(not(empty(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'))), tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), null())), null())]" - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "digitalTwinsInstance": { - "existing": true, - "type": "Microsoft.DigitalTwins/digitalTwinsInstances", - "apiVersion": "2023-01-31", - "name": "[parameters('digitalTwinInstanceName')]" - }, - "endpoint": { - "type": "Microsoft.DigitalTwins/digitalTwinsInstances/endpoints", - "apiVersion": "2023-01-31", - "name": "[format('{0}/{1}', parameters('digitalTwinInstanceName'), parameters('name'))]", - "properties": { - "endpointType": "ServiceBus", - "authenticationType": 
"[parameters('authenticationType')]", - "deadLetterSecret": "[parameters('deadLetterSecret')]", - "deadLetterUri": "[parameters('deadLetterUri')]", - "endpointUri": "[parameters('endpointUri')]", - "entityPath": "[parameters('entityPath')]", - "primaryConnectionString": "[parameters('primaryConnectionString')]", - "secondaryConnectionString": "[parameters('secondaryConnectionString')]", - "identity": "[variables('identity')]" - }, - "dependsOn": [ - "digitalTwinsInstance" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Endpoint." - }, - "value": "[resourceId('Microsoft.DigitalTwins/digitalTwinsInstances/endpoints', parameters('digitalTwinInstanceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the resource was created in." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the Endpoint." 
- }, - "value": "[parameters('name')]" - } - } - } - }, - "dependsOn": [ - "digitalTwinsInstance" - ] - }, - "digitalTwinsInstance_privateEndpoints": { - "copy": { - "name": "digitalTwinsInstance_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-digitalTwinsInstance-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'API')]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.DigitalTwins/digitalTwinsInstances', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'API'), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.DigitalTwins/digitalTwinsInstances', parameters('name'))]" - }, - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), 
createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", 
- "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." 
- } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." 
- } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private 
DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - 
"groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": 
"Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": 
"string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "digitalTwinsInstance" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Digital Twins Instance." - }, - "value": "[resourceId('Microsoft.DigitalTwins/digitalTwinsInstances', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the resource was created in." 
- }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the Digital Twins Instance." - }, - "value": "[parameters('name')]" - }, - "hostname": { - "type": "string", - "metadata": { - "description": "The hostname of the Digital Twins Instance." - }, - "value": "[reference('digitalTwinsInstance').hostName]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('digitalTwinsInstance', '2023-01-31', 'full').location]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('digitalTwinsInstance', '2023-01-31', 'full').identity, 'principalId')), reference('digitalTwinsInstance', '2023-01-31', 'full').identity.principalId, '')]" - } - } -} \ No newline at end of file diff --git a/modules/digital-twins/digital-twins-instance/tests/e2e/defaults/main.test.bicep b/modules/digital-twins/digital-twins-instance/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index e62a489683..0000000000 --- a/modules/digital-twins/digital-twins-instance/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-digitaltwins.digitaltwinsinstances-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dtdtimin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/digital-twins/digital-twins-instance/tests/e2e/max/dependencies.bicep b/modules/digital-twins/digital-twins-instance/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 87c0cf8a6f..0000000000
--- a/modules/digital-twins/digital-twins-instance/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,162 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Event Hub Namespace to create.')
-param eventHubNamespaceName string
-
-@description('Required. The name of the Event Hub to create.')
-param eventHubName string
-
-@description('Required. Service Bus name')
-param serviceBusName string
-
-@description('Required. Event Grid Domain name.')
-param eventGridDomainName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- serviceEndpoints: [
- {
- service: 'Microsoft.KeyVault'
- }
- ]
- }
- }
- ]
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.digitaltwins.azure.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource eventHubNamespace 'Microsoft.EventHub/namespaces@2022-10-01-preview' = {
- name: eventHubNamespaceName
- location: location
- properties: {
- zoneRedundant: false
- isAutoInflateEnabled: false
- maximumThroughputUnits: 0
- }
-
- resource eventHub 'eventhubs@2022-10-01-preview' = {
- name: eventHubName
- }
-}
-
-resource serviceBus 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = {
- name: serviceBusName
- location: location
- properties: {
- zoneRedundant: false
- }
-
- resource topic 'topics@2022-10-01-preview' = {
- name: 'topic'
- }
-}
-
-resource eventGridDomain 'Microsoft.EventGrid/domains@2022-06-15' = {
- name: eventGridDomainName
- location: location
- properties: {
- disableLocalAuth: false
- }
-
- resource topic 'topics@2022-06-15' = {
- name: 'topic'
- }
-}
-
-resource eventHubNamespaceRbacAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(managedIdentity.id, 'evhrbacAssignment')
- scope: eventHubNamespace
- properties: {
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2b629674-e913-4c01-ae53-ef4638d8f975') //Azure Event Hubs Data Sender
- principalId: managedIdentity.properties.principalId
- principalType: 'ServicePrincipal'
- }
-}
-
-resource serviceBusRbacAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(managedIdentity.id, 'sbrbacAssignment')
- scope: serviceBus
- properties: {
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39') //Azure Service Bus Data Sender
- principalId: managedIdentity.properties.principalId
- principalType: 'ServicePrincipal'
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalResourceId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
-
-@description('The name of the Event Hub Namespace.')
-output eventhubNamespaceName string = eventHubNamespace.name
-
-@description('The resource ID of the created Event Hub Namespace.')
-output eventHubResourceId string = eventHubNamespace::eventHub.id
-
-@description('The name of the Event Hub.')
-output eventhubName string = eventHubNamespace::eventHub.name
-
-@description('The name of the Service Bus Namespace.')
-output serviceBusName string = serviceBus.name
-
-@description('The name of the Service Bus Topic.')
-output serviceBusTopicName string = serviceBus::topic.name
-
-@description('The Event Grid endpoint uri.')
-output eventGridEndpoint string = eventGridDomain.properties.endpoint
-
-@description('The resource ID of the created Event Grid Topic.')
-output eventGridTopicResourceId string = eventGridDomain::topic.id
-
-@description('The resource ID of the created Event Grid Domain.')
-output eventGridDomainResourceId string = eventGridDomain.id
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
diff --git a/modules/digital-twins/digital-twins-instance/tests/e2e/max/main.test.bicep b/modules/digital-twins/digital-twins-instance/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 1b35dd6068..0000000000
--- a/modules/digital-twins/digital-twins-instance/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,140 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-digitaltwins.digitaltwinsinstances-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dtdtimax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- eventHubName: 'dt-${uniqueString(serviceShort)}-evh-01'
- eventHubNamespaceName: 'dt-${uniqueString(serviceShort)}-evhns-01'
- serviceBusName: 'dt-${uniqueString(serviceShort)}-sb-01'
- eventGridDomainName: 'dt-${uniqueString(serviceShort)}-evg-01'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}03'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${uniqueString(serviceShort)}-evh-01'
- eventHubNamespaceName: 'dep-${uniqueString(serviceShort)}-evh-01'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- eventHubEndpoint: {
- authenticationType: 'IdentityBased'
- endpointUri: 'sb://${nestedDependencies.outputs.eventhubNamespaceName}.servicebus.windows.net/'
- entityPath: nestedDependencies.outputs.eventhubName
- managedIdentities: {
- userAssignedResourceId: nestedDependencies.outputs.managedIdentityResourceId
- }
- }
- serviceBusEndpoint: {
- authenticationType: 'IdentityBased'
- endpointUri: 'sb://${nestedDependencies.outputs.serviceBusName}.servicebus.windows.net/'
- entityPath: nestedDependencies.outputs.serviceBusTopicName
- managedIdentities: {
- userAssignedResourceId: nestedDependencies.outputs.managedIdentityResourceId
- }
- }
- eventGridEndpoint: {
- eventGridDomainId: nestedDependencies.outputs.eventGridDomainResourceId
- topicEndpoint: nestedDependencies.outputs.eventGridEndpoint
- }
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalResourceId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/dependencies.bicep b/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 87c0cf8a6f..0000000000
--- a/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,162 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Event Hub Namespace to create.')
-param eventHubNamespaceName string
-
-@description('Required. The name of the Event Hub to create.')
-param eventHubName string
-
-@description('Required. Service Bus name')
-param serviceBusName string
-
-@description('Required. Event Grid Domain name.')
-param eventGridDomainName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- serviceEndpoints: [
- {
- service: 'Microsoft.KeyVault'
- }
- ]
- }
- }
- ]
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.digitaltwins.azure.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource eventHubNamespace 'Microsoft.EventHub/namespaces@2022-10-01-preview' = {
- name: eventHubNamespaceName
- location: location
- properties: {
- zoneRedundant: false
- isAutoInflateEnabled: false
- maximumThroughputUnits: 0
- }
-
- resource eventHub 'eventhubs@2022-10-01-preview' = {
- name: eventHubName
- }
-}
-
-resource serviceBus 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = {
- name: serviceBusName
- location: location
- properties: {
- zoneRedundant: false
- }
-
- resource topic 'topics@2022-10-01-preview' = {
- name: 'topic'
- }
-}
-
-resource eventGridDomain 'Microsoft.EventGrid/domains@2022-06-15' = {
- name: eventGridDomainName
- location: location
- properties: {
- disableLocalAuth: false
- }
-
- resource topic 'topics@2022-06-15' = {
- name: 'topic'
- }
-}
-
-resource eventHubNamespaceRbacAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(managedIdentity.id, 'evhrbacAssignment')
- scope: eventHubNamespace
- properties: {
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2b629674-e913-4c01-ae53-ef4638d8f975') //Azure Event Hubs Data Sender
- principalId: managedIdentity.properties.principalId
- principalType: 'ServicePrincipal'
- }
-}
-
-resource serviceBusRbacAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(managedIdentity.id, 'sbrbacAssignment')
- scope: serviceBus
- properties: {
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39') //Azure Service Bus Data Sender
- principalId: managedIdentity.properties.principalId
- principalType: 'ServicePrincipal'
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalResourceId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
-
-@description('The name of the Event Hub Namespace.')
-output eventhubNamespaceName string = eventHubNamespace.name
-
-@description('The resource ID of the created Event Hub Namespace.')
-output eventHubResourceId string = eventHubNamespace::eventHub.id
-
-@description('The name of the Event Hub.')
-output eventhubName string = eventHubNamespace::eventHub.name
-
-@description('The name of the Service Bus Namespace.')
-output serviceBusName string = serviceBus.name
-
-@description('The name of the Service Bus Topic.')
-output serviceBusTopicName string = serviceBus::topic.name
-
-@description('The Event Grid endpoint uri.')
-output eventGridEndpoint string = eventGridDomain.properties.endpoint
-
-@description('The resource ID of the created Event Grid Topic.')
-output eventGridTopicResourceId string = eventGridDomain::topic.id
-
-@description('The resource ID of the created Event Grid Domain.')
-output eventGridDomainResourceId string = eventGridDomain.id
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
diff --git a/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep b/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 98f7a003e8..0000000000
--- a/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,139 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-digitaltwins.digitaltwinsinstances-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dtdtiwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- eventHubName: 'dt-${uniqueString(serviceShort)}-evh-01'
- eventHubNamespaceName: 'dt-${uniqueString(serviceShort)}-evhns-01'
- serviceBusName: 'dt-${uniqueString(serviceShort)}-sb-01'
- eventGridDomainName: 'dt-${uniqueString(serviceShort)}-evg-01'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}03'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${uniqueString(serviceShort)}-evh-01'
- eventHubNamespaceName: 'dep-${uniqueString(serviceShort)}-evh-01'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- eventHubEndpoint: {
- authenticationType: 'IdentityBased'
- endpointUri: 'sb://${nestedDependencies.outputs.eventhubNamespaceName}.servicebus.windows.net/'
- entityPath: nestedDependencies.outputs.eventhubName
- managedIdentities: {
- userAssignedResourceId: nestedDependencies.outputs.managedIdentityResourceId
- }
- }
- serviceBusEndpoint: {
- authenticationType: 'IdentityBased'
- endpointUri: 'sb://${nestedDependencies.outputs.serviceBusName}.servicebus.windows.net/'
- entityPath: nestedDependencies.outputs.serviceBusTopicName
- managedIdentities: {
- userAssignedResourceId: nestedDependencies.outputs.managedIdentityResourceId
- }
- }
- eventGridEndpoint: {
- eventGridDomainId: nestedDependencies.outputs.eventGridDomainResourceId
- topicEndpoint: nestedDependencies.outputs.eventGridEndpoint
- }
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- managedIdentities: {
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalResourceId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/digital-twins/digital-twins-instance/version.json b/modules/digital-twins/digital-twins-instance/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/digital-twins/digital-twins-instance/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/document-db/database-account/MOVED-TO-AVM.md b/modules/document-db/database-account/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/document-db/database-account/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/document-db/database-account/README.md b/modules/document-db/database-account/README.md
index f7db7befdd..0877ff74bd 100644
--- a/modules/document-db/database-account/README.md
+++ b/modules/document-db/database-account/README.md
@@ -1,2122 +1,7 @@
-# DocumentDB Database Accounts `[Microsoft.DocumentDB/databaseAccounts]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/document-db/database-account](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/document-db/database-account).** -This module deploys a DocumentDB Database Account. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/document-db/database-account). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.DocumentDB/databaseAccounts` | [2023-04-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DocumentDB/2023-04-15/databaseAccounts) | -| `Microsoft.DocumentDB/databaseAccounts/gremlinDatabases` | [2023-04-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DocumentDB/2023-04-15/databaseAccounts/gremlinDatabases) | -| `Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs` | [2023-04-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DocumentDB/2023-04-15/databaseAccounts/gremlinDatabases/graphs) | -| 
`Microsoft.DocumentDB/databaseAccounts/mongodbDatabases` | [2023-04-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DocumentDB/2023-04-15/databaseAccounts/mongodbDatabases) | -| `Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections` | [2023-04-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DocumentDB/2023-04-15/databaseAccounts/mongodbDatabases/collections) | -| `Microsoft.DocumentDB/databaseAccounts/sqlDatabases` | [2023-04-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DocumentDB/2023-04-15/databaseAccounts/sqlDatabases) | -| `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers` | [2023-04-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DocumentDB/2023-04-15/databaseAccounts/sqlDatabases/containers) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/document-db.database-account:1.0.0`. - -- [Gremlindb](#example-1-gremlindb) -- [Mongodb](#example-2-mongodb) -- [Plain](#example-3-plain) -- [Sqldb](#example-4-sqldb) - -### Example 1: _Gremlindb_ - -
- -via Bicep module - -```bicep -module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dddagrm' - params: { - // Required parameters - locations: [ - { - failoverPriority: 0 - isZoneRedundant: false - locationName: '' - } - { - failoverPriority: 1 - isZoneRedundant: false - locationName: '' - } - ] - name: 'dddagrm002' - // Non-required parameters - capabilitiesToAdd: [ - 'EnableGremlin' - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - gremlinDatabases: [ - { - graphs: [ - { - indexingPolicy: { - automatic: true - } - name: 'car_collection' - partitionKeyPaths: [ - '/car_id' - ] - } - { - indexingPolicy: { - automatic: true - } - name: 'truck_collection' - partitionKeyPaths: [ - '/truck_id' - ] - } - ] - name: 'gdb-dddagrm-001' - } - { - collections: [ - { - indexingPolicy: { - automatic: true - } - name: 'bike_collection' - partitionKeyPaths: [ - '/bike_id' - ] - } - { - indexingPolicy: { - automatic: true - } - name: 'bicycle_collection' - partitionKeyPaths: [ - '/bicycle_id' - ] - } - ] - name: 'gdb-dddagrm-002' - } - ] - location: '' - managedIdentities: { - systemAssigned: true - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "locations": { - "value": [ - { - "failoverPriority": 0, - "isZoneRedundant": false, - "locationName": "" - }, - { - "failoverPriority": 1, - "isZoneRedundant": false, - "locationName": "" - } - ] - }, - "name": { - "value": "dddagrm002" - }, - // Non-required parameters - "capabilitiesToAdd": { - "value": [ - "EnableGremlin" - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "gremlinDatabases": { - "value": [ - { - "graphs": [ - { - "indexingPolicy": { - "automatic": true - }, - "name": "car_collection", - "partitionKeyPaths": [ - "/car_id" - ] - }, - { - "indexingPolicy": { - "automatic": true - }, - "name": "truck_collection", - "partitionKeyPaths": [ - "/truck_id" - ] - } - ], - "name": "gdb-dddagrm-001" - }, - { - "collections": [ - { - "indexingPolicy": { - "automatic": true - }, - "name": "bike_collection", - "partitionKeyPaths": [ - "/bike_id" - ] - }, - { - "indexingPolicy": { - "automatic": true - }, - "name": "bicycle_collection", - "partitionKeyPaths": [ - "/bicycle_id" - ] - } - ], - "name": "gdb-dddagrm-002" - } - ] - }, - "location": { - "value": "" - }, - "managedIdentities": { - "value": { - "systemAssigned": true - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", 
- "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 2: _Mongodb_ - -

- -via Bicep module - -```bicep -module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dddamng' - params: { - // Required parameters - locations: [ - { - failoverPriority: 0 - isZoneRedundant: false - locationName: '' - } - { - failoverPriority: 1 - isZoneRedundant: false - locationName: '' - } - ] - name: 'dddamng001' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - location: '' - managedIdentities: { - systemAssigned: true - } - mongodbDatabases: [ - { - collections: [ - { - indexes: [ - { - key: { - keys: [ - '_id' - ] - } - } - { - key: { - keys: [ - '$**' - ] - } - } - { - key: { - keys: [ - 'car_id' - 'car_model' - ] - } - options: { - unique: true - } - } - { - key: { - keys: [ - '_ts' - ] - } - options: { - expireAfterSeconds: 2629746 - } - } - ] - name: 'car_collection' - shardKey: { - car_id: 'Hash' - } - } - { - indexes: [ - { - key: { - keys: [ - '_id' - ] - } - } - { - key: { - keys: [ - '$**' - ] - } - } - { - key: { - keys: [ - 'truck_id' - 'truck_model' - ] - } - options: { - unique: true - } - } - { - key: { - keys: [ - '_ts' - ] - } - options: { - expireAfterSeconds: 2629746 - } - } - ] - name: 'truck_collection' - shardKey: { - truck_id: 'Hash' - } - } - ] - name: 'mdb-dddamng-001' - } - { - collections: [ - { - indexes: [ - { - key: { - keys: [ - '_id' - ] - } - } - { - key: { - keys: [ - '$**' - ] - } - } - { - key: { - keys: [ - 'bike_id' - 'bike_model' - ] - } - options: { - unique: true - } - } - { - key: { - keys: [ - '_ts' - ] - } - options: { - expireAfterSeconds: 2629746 - } - } - ] - name: 'bike_collection' - shardKey: { - bike_id: 'Hash' - } - } - { - indexes: [ - { - key: { - keys: [ - '_id' - ] - } - } - { 
- key: { - keys: [ - '$**' - ] - } - } - { - key: { - keys: [ - 'bicycle_id' - 'bicycle_model' - ] - } - options: { - unique: true - } - } - { - key: { - keys: [ - '_ts' - ] - } - options: { - expireAfterSeconds: 2629746 - } - } - ] - name: 'bicycle_collection' - shardKey: { - bicycle_id: 'Hash' - } - } - ] - name: 'mdb-dddamng-002' - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "locations": { - "value": [ - { - "failoverPriority": 0, - "isZoneRedundant": false, - "locationName": "" - }, - { - "failoverPriority": 1, - "isZoneRedundant": false, - "locationName": "" - } - ] - }, - "name": { - "value": "dddamng001" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "location": { - "value": "" - }, - "managedIdentities": { - "value": { - "systemAssigned": true - } - }, - "mongodbDatabases": { - "value": [ - { - "collections": [ - { - "indexes": [ - { - "key": { - "keys": [ - "_id" - ] - } - }, - { - "key": { - "keys": [ - "$**" - ] - } - }, - { - "key": { - "keys": [ - "car_id", - "car_model" - ] - }, - "options": { - "unique": true - } - }, - { - "key": { - "keys": [ - "_ts" - ] - }, - "options": { - "expireAfterSeconds": 2629746 - } - } - ], - "name": "car_collection", - "shardKey": { - "car_id": "Hash" - } - }, - { - "indexes": [ - { - "key": { - "keys": [ - "_id" - ] - } - }, - { - "key": { - "keys": [ - "$**" - ] - } - }, - { - "key": { - "keys": [ - "truck_id", - "truck_model" - ] - }, - "options": { - "unique": true - } - }, - { - "key": { - "keys": [ - "_ts" - ] - }, - "options": { - "expireAfterSeconds": 2629746 - } - } - ], - "name": "truck_collection", - "shardKey": { - "truck_id": "Hash" - } - } - ], - "name": "mdb-dddamng-001" - }, - { - "collections": [ - { - "indexes": [ - { - "key": { - "keys": [ - "_id" - ] - } - }, - { - "key": { - "keys": [ - "$**" - ] - } - }, - { - "key": { - "keys": [ - "bike_id", - 
"bike_model" - ] - }, - "options": { - "unique": true - } - }, - { - "key": { - "keys": [ - "_ts" - ] - }, - "options": { - "expireAfterSeconds": 2629746 - } - } - ], - "name": "bike_collection", - "shardKey": { - "bike_id": "Hash" - } - }, - { - "indexes": [ - { - "key": { - "keys": [ - "_id" - ] - } - }, - { - "key": { - "keys": [ - "$**" - ] - } - }, - { - "key": { - "keys": [ - "bicycle_id", - "bicycle_model" - ] - }, - "options": { - "unique": true - } - }, - { - "key": { - "keys": [ - "_ts" - ] - }, - "options": { - "expireAfterSeconds": 2629746 - } - } - ], - "name": "bicycle_collection", - "shardKey": { - "bicycle_id": "Hash" - } - } - ], - "name": "mdb-dddamng-002" - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _Plain_ - -

- -via Bicep module - -```bicep -module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dddapln' - params: { - // Required parameters - locations: [ - { - failoverPriority: 0 - isZoneRedundant: false - locationName: '' - } - { - failoverPriority: 1 - isZoneRedundant: false - locationName: '' - } - ] - name: 'dddapln001' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "locations": { - "value": [ - { - "failoverPriority": 0, - "isZoneRedundant": false, - "locationName": "" - }, - { - "failoverPriority": 1, - "isZoneRedundant": false, - "locationName": "" - } - ] - }, - "name": { - "value": "dddapln001" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 4: _Sqldb_ - -

- -via Bicep module - -```bicep -module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dddasql' - params: { - // Required parameters - locations: [ - { - failoverPriority: 0 - isZoneRedundant: false - locationName: '' - } - { - failoverPriority: 1 - isZoneRedundant: false - locationName: '' - } - ] - name: 'dddasql001' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - location: '' - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'Sql' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - sqlDatabases: [ - { - containers: [ - { - analyticalStorageTtl: 0 - conflictResolutionPolicy: { - conflictResolutionPath: '/myCustomId' - mode: 'LastWriterWins' - } - defaultTtl: 1000 - indexingPolicy: { - automatic: true - } - kind: 'Hash' - name: 'container-001' - paths: [ - '/myPartitionKey' - ] - throughput: 600 - uniqueKeyPolicyKeys: [ - { - paths: [ - '/firstName' - ] - } - { - paths: [ - '/lastName' - ] - } - ] - } - ] - name: 'sql-dddasql-001' - throughput: 1000 - } - { - containers: [] - name: 'sql-dddasql-002' - } - { - autoscaleSettingsMaxThroughput: 1000 - containers: [ - { - analyticalStorageTtl: 0 - 
autoscaleSettingsMaxThroughput: 1000 - conflictResolutionPolicy: { - conflictResolutionPath: '/myCustomId' - mode: 'LastWriterWins' - } - defaultTtl: 1000 - indexingPolicy: { - automatic: true - } - kind: 'Hash' - name: 'container-003' - paths: [ - '/myPartitionKey' - ] - uniqueKeyPolicyKeys: [ - { - paths: [ - '/firstName' - ] - } - { - paths: [ - '/lastName' - ] - } - ] - } - ] - name: 'sql-dddasql-003' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "locations": { - "value": [ - { - "failoverPriority": 0, - "isZoneRedundant": false, - "locationName": "" - }, - { - "failoverPriority": 1, - "isZoneRedundant": false, - "locationName": "" - } - ] - }, - "name": { - "value": "dddasql001" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "location": { - "value": "" - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "Sql", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "sqlDatabases": { - "value": [ - { - "containers": [ - { - "analyticalStorageTtl": 0, - "conflictResolutionPolicy": { - "conflictResolutionPath": "/myCustomId", - "mode": "LastWriterWins" - }, - "defaultTtl": 1000, - "indexingPolicy": { - "automatic": true - }, - "kind": "Hash", - "name": "container-001", - "paths": [ - "/myPartitionKey" - ], - "throughput": 600, - "uniqueKeyPolicyKeys": [ - { - 
"paths": [ - "/firstName" - ] - }, - { - "paths": [ - "/lastName" - ] - } - ] - } - ], - "name": "sql-dddasql-001", - "throughput": 1000 - }, - { - "containers": [], - "name": "sql-dddasql-002" - }, - { - "autoscaleSettingsMaxThroughput": 1000, - "containers": [ - { - "analyticalStorageTtl": 0, - "autoscaleSettingsMaxThroughput": 1000, - "conflictResolutionPolicy": { - "conflictResolutionPath": "/myCustomId", - "mode": "LastWriterWins" - }, - "defaultTtl": 1000, - "indexingPolicy": { - "automatic": true - }, - "kind": "Hash", - "name": "container-003", - "paths": [ - "/myPartitionKey" - ], - "uniqueKeyPolicyKeys": [ - { - "paths": [ - "/firstName" - ] - }, - { - "paths": [ - "/lastName" - ] - } - ] - } - ], - "name": "sql-dddasql-003" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`locations`](#parameter-locations) | array | Locations enabled for the Cosmos DB account. | -| [`name`](#parameter-name) | string | Name of the Database Account. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`automaticFailover`](#parameter-automaticfailover) | bool | Enable automatic failover for regions. | -| [`backupIntervalInMinutes`](#parameter-backupintervalinminutes) | int | An integer representing the interval in minutes between two backups. Only applies to periodic backup type. | -| [`backupPolicyContinuousTier`](#parameter-backuppolicycontinuoustier) | string | Configuration values for continuous mode backup. | -| [`backupPolicyType`](#parameter-backuppolicytype) | string | Describes the mode of backups. | -| [`backupRetentionIntervalInHours`](#parameter-backupretentionintervalinhours) | int | An integer representing the time (in hours) that each backup is retained. Only applies to periodic backup type. | -| [`backupStorageRedundancy`](#parameter-backupstorageredundancy) | string | Enum to indicate type of backup residency. Only applies to periodic backup type. | -| [`capabilitiesToAdd`](#parameter-capabilitiestoadd) | array | List of Cosmos DB capabilities for the account. | -| [`databaseAccountOfferType`](#parameter-databaseaccountoffertype) | string | The offer type for the Cosmos DB database account. | -| [`defaultConsistencyLevel`](#parameter-defaultconsistencylevel) | string | The default consistency level of the Cosmos DB account. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`enableFreeTier`](#parameter-enablefreetier) | bool | Flag to indicate whether Free Tier is enabled. 
| -| [`gremlinDatabases`](#parameter-gremlindatabases) | array | Gremlin Databases configurations. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`maxIntervalInSeconds`](#parameter-maxintervalinseconds) | int | Max lag time (minutes). Required for BoundedStaleness. Valid ranges, Single Region: 5 to 84600. Multi Region: 300 to 86400. | -| [`maxStalenessPrefix`](#parameter-maxstalenessprefix) | int | Max stale requests. Required for BoundedStaleness. Valid ranges, Single Region: 10 to 1000000. Multi Region: 100000 to 1000000. | -| [`mongodbDatabases`](#parameter-mongodbdatabases) | array | MongoDB Databases configurations. | -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`serverVersion`](#parameter-serverversion) | string | Specifies the MongoDB server version to use. | -| [`sqlDatabases`](#parameter-sqldatabases) | array | SQL Databases configurations. | -| [`tags`](#parameter-tags) | object | Tags of the Database Account resource. | - -### Parameter: `locations` - -Locations enabled for the Cosmos DB account. - -- Required: Yes -- Type: array - -### Parameter: `name` - -Name of the Database Account. 
- -- Required: Yes -- Type: string - -### Parameter: `automaticFailover` - -Enable automatic failover for regions. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `backupIntervalInMinutes` - -An integer representing the interval in minutes between two backups. Only applies to periodic backup type. - -- Required: No -- Type: int -- Default: `240` - -### Parameter: `backupPolicyContinuousTier` - -Configuration values for continuous mode backup. - -- Required: No -- Type: string -- Default: `'Continuous30Days'` -- Allowed: - ```Bicep - [ - 'Continuous30Days' - 'Continuous7Days' - ] - ``` - -### Parameter: `backupPolicyType` - -Describes the mode of backups. - -- Required: No -- Type: string -- Default: `'Continuous'` -- Allowed: - ```Bicep - [ - 'Continuous' - 'Periodic' - ] - ``` - -### Parameter: `backupRetentionIntervalInHours` - -An integer representing the time (in hours) that each backup is retained. Only applies to periodic backup type. - -- Required: No -- Type: int -- Default: `8` - -### Parameter: `backupStorageRedundancy` - -Enum to indicate type of backup residency. Only applies to periodic backup type. - -- Required: No -- Type: string -- Default: `'Local'` -- Allowed: - ```Bicep - [ - 'Geo' - 'Local' - 'Zone' - ] - ``` - -### Parameter: `capabilitiesToAdd` - -List of Cosmos DB capabilities for the account. - -- Required: No -- Type: array -- Default: `[]` -- Allowed: - ```Bicep - [ - 'DisableRateLimitingResponses' - 'EnableCassandra' - 'EnableGremlin' - 'EnableMongo' - 'EnableServerless' - 'EnableTable' - ] - ``` - -### Parameter: `databaseAccountOfferType` - -The offer type for the Cosmos DB database account. - -- Required: No -- Type: string -- Default: `'Standard'` -- Allowed: - ```Bicep - [ - 'Standard' - ] - ``` - -### Parameter: `defaultConsistencyLevel` - -The default consistency level of the Cosmos DB account. 
- -- Required: No -- Type: string -- Default: `'Session'` -- Allowed: - ```Bicep - [ - 'BoundedStaleness' - 'ConsistentPrefix' - 'Eventual' - 'Session' - 'Strong' - ] - ``` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. 
| -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
- -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableFreeTier` - -Flag to indicate whether Free Tier is enabled. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `gremlinDatabases` - -Gremlin Databases configurations. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: No -- Type: array - -### Parameter: `maxIntervalInSeconds` - -Max lag time (minutes). Required for BoundedStaleness. Valid ranges, Single Region: 5 to 84600. Multi Region: 300 to 86400. - -- Required: No -- Type: int -- Default: `300` - -### Parameter: `maxStalenessPrefix` - -Max stale requests. Required for BoundedStaleness. Valid ranges, Single Region: 10 to 1000000. Multi Region: 100000 to 1000000. - -- Required: No -- Type: int -- Default: `100000` - -### Parameter: `mongodbDatabases` - -MongoDB Databases configurations. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `privateEndpoints` - -Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". 
| -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. 
| -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.service` - -The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.subnetResourceId` - -Resource ID of the subnet where the endpoint needs to be created. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Application security groups in which the private endpoint IP configuration is included. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customDnsConfigs` - -Custom DNS configurations. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customNetworkInterfaceName` - -The custom name of the network interface attached to the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.enableTelemetry` - -Enable/Disable usage telemetry for module. - -- Required: No -- Type: bool - -### Parameter: `privateEndpoints.ipConfigurations` - -A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.location` - -The location to deploy the private endpoint to. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.lock` - -Specify the type of lock. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | -| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | - -### Parameter: `privateEndpoints.lock.kind` - -Specify the type of lock. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `privateEndpoints.lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` - -Manual PrivateLink Service Connections. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.name` - -The name of the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneGroupName` - -The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` - -The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `privateEndpoints.roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. 
- -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `privateEndpoints.tags` - -Tags to be applied on all resources/resource groups in this deployment. - -- Required: No -- Type: object - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. 
- -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `serverVersion` - -Specifies the MongoDB server version to use. - -- Required: No -- Type: string -- Default: `'4.2'` -- Allowed: - ```Bicep - [ - '3.2' - '3.6' - '4.0' - '4.2' - ] - ``` - -### Parameter: `sqlDatabases` - -SQL Databases configurations. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `tags` - -Tags of the Database Account resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the database account. | -| `resourceGroupName` | string | The name of the resource group the database account was created in. | -| `resourceId` | string | The resource ID of the database account. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `modules/network/private-endpoint` | Local reference | +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/document-db/database-account/gremlin-database/README.md b/modules/document-db/database-account/gremlin-database/README.md deleted file mode 100644 index df1136e3f0..0000000000 
--- a/modules/document-db/database-account/gremlin-database/README.md
+++ /dev/null
@@ -1,166 +0,0 @@ -# DocumentDB Database Account Gremlin Databases `[Microsoft.DocumentDB/databaseAccounts/gremlinDatabases]` - -This module deploys a Gremlin Database within a CosmosDB Account. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.DocumentDB/databaseAccounts/gremlinDatabases` | [2023-04-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DocumentDB/2023-04-15/databaseAccounts/gremlinDatabases) | -| `Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs` | [2023-04-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DocumentDB/2023-04-15/databaseAccounts/gremlinDatabases/graphs) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Gremlin database. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`databaseAccountName`](#parameter-databaseaccountname) | string | The name of the parent Gremlin database. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`graphs`](#parameter-graphs) | array | Array of graphs to deploy in the Gremlin database. | -| [`maxThroughput`](#parameter-maxthroughput) | int | Represents maximum throughput, the resource can scale up to. Cannot be set together with `throughput`. If `throughput` is set to something else than -1, this autoscale setting is ignored. | -| [`tags`](#parameter-tags) | object | Tags of the Gremlin database resource. 
| -| [`throughput`](#parameter-throughput) | int | Request Units per second (for example 10000). Cannot be set together with `maxThroughput`. | - -### Parameter: `name` - -Name of the Gremlin database. - -- Required: Yes -- Type: string - -### Parameter: `databaseAccountName` - -The name of the parent Gremlin database. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `graphs` - -Array of graphs to deploy in the Gremlin database. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `maxThroughput` - -Represents maximum throughput, the resource can scale up to. Cannot be set together with `throughput`. If `throughput` is set to something else than -1, this autoscale setting is ignored. - -- Required: No -- Type: int -- Default: `4000` - -### Parameter: `tags` - -Tags of the Gremlin database resource. - -- Required: No -- Type: object - -### Parameter: `throughput` - -Request Units per second (for example 10000). Cannot be set together with `maxThroughput`. - -- Required: No -- Type: int -- Default: `-1` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the Gremlin database. | -| `resourceGroupName` | string | The name of the resource group the Gremlin database was created in. | -| `resourceId` | string | The resource ID of the Gremlin database. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `graphs` - -List of graph databaseAccounts. - -

- -Parameter JSON format - -```json -"graphs": { - "value": [ - { - "name": "graph01", - "automaticIndexing": true, - "partitionKeyPaths": [ - "/name" - ] - }, - { - "name": "graph02", - "automaticIndexing": true, - "partitionKeyPaths": [ - "/name" - ] - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -graphs: [ - { - name: 'graph01' - automaticIndexing: true - partitionKeyPaths: [ - '/name' - ] - } - { - name: 'graph02' - automaticIndexing: true - partitionKeyPaths: [ - '/name' - ] - } -] -``` - -
diff --git a/modules/document-db/database-account/gremlin-database/graph/README.md b/modules/document-db/database-account/gremlin-database/graph/README.md
deleted file mode 100644
index 3127f1d371..0000000000
--- a/modules/document-db/database-account/gremlin-database/graph/README.md
+++ /dev/null
@@ -1,139 +0,0 @@ -# DocumentDB Database Accounts Gremlin Databases Graphs `[Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs]` - -This module deploys a DocumentDB Database Accounts Gremlin Database Graph. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs` | [2023-04-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DocumentDB/2023-04-15/databaseAccounts/gremlinDatabases/graphs) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the graph. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`databaseAccountName`](#parameter-databaseaccountname) | string | The name of the parent Database Account. Required if the template is used in a standalone deployment. | -| [`gremlinDatabaseName`](#parameter-gremlindatabasename) | string | The name of the parent Gremlin Database. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`indexingPolicy`](#parameter-indexingpolicy) | object | Indexing policy of the graph. | -| [`partitionKeyPaths`](#parameter-partitionkeypaths) | array | List of paths using which data within the container can be partitioned. | -| [`tags`](#parameter-tags) | object | Tags of the Gremlin graph resource. | - -### Parameter: `name` - -Name of the graph. - -- Required: Yes -- Type: string - -### Parameter: `databaseAccountName` - -The name of the parent Database Account. 
Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `gremlinDatabaseName` - -The name of the parent Gremlin Database. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `indexingPolicy` - -Indexing policy of the graph. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `partitionKeyPaths` - -List of paths using which data within the container can be partitioned. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `tags` - -Tags of the Gremlin graph resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the graph. | -| `resourceGroupName` | string | The name of the resource group the graph was created in. | -| `resourceId` | string | The resource ID of the graph. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `partitionKeyPaths`, `uniqueKeyPaths` - -Different kinds of paths can be provided as array of strings: - -
- -Bicep format - -```bicep -graphs: [ - { - name: 'graph01' - automaticIndexing: true - partitionKeyPaths: [ - '/name' - ], - - } - { - name: 'graph02' - automaticIndexing: true - partitionKeyPaths: [ - '/address' - ] - } -] -``` - -
-

diff --git a/modules/document-db/database-account/gremlin-database/graph/main.bicep b/modules/document-db/database-account/gremlin-database/graph/main.bicep
deleted file mode 100644
index 2aa31f8ffb..0000000000
--- a/modules/document-db/database-account/gremlin-database/graph/main.bicep
+++ /dev/null
@@ -1,68 +0,0 @@ -metadata name = 'DocumentDB Database Accounts Gremlin Databases Graphs' -metadata description = 'This module deploys a DocumentDB Database Accounts Gremlin Database Graph.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. Name of the graph.') -param name string - -@description('Optional. Tags of the Gremlin graph resource.') -param tags object? - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Conditional. The name of the parent Database Account. Required if the template is used in a standalone deployment.') -param databaseAccountName string - -@description('Conditional. The name of the parent Gremlin Database. Required if the template is used in a standalone deployment.') -param gremlinDatabaseName string - -@description('Optional. Indexing policy of the graph.') -param indexingPolicy object = {} - -@description('Optional. List of paths using which data within the container can be partitioned.') -param partitionKeyPaths array = [] - -resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource databaseAccount 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' existing = { - name: databaseAccountName - - resource gremlinDatabase 'gremlinDatabases@2023-04-15' existing = { - name: gremlinDatabaseName - } -} - -resource gremlinGraph 'Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs@2023-04-15' = { - name: name - tags: tags - parent: databaseAccount::gremlinDatabase - properties: { - resource: { - id: name - indexingPolicy: !empty(indexingPolicy) ? 
indexingPolicy : null - partitionKey: { - paths: !empty(partitionKeyPaths) ? partitionKeyPaths : null - } - } - } -} - -@description('The name of the graph.') -output name string = gremlinGraph.name - -@description('The resource ID of the graph.') -output resourceId string = gremlinGraph.id - -@description('The name of the resource group the graph was created in.') -output resourceGroupName string = resourceGroup().name diff --git a/modules/document-db/database-account/gremlin-database/graph/main.json b/modules/document-db/database-account/gremlin-database/graph/main.json deleted file mode 100644 index 8d22d62b8c..0000000000 --- a/modules/document-db/database-account/gremlin-database/graph/main.json +++ /dev/null 
@@ -1,135 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4035784770059836359" - }, - "name": "DocumentDB Database Accounts Gremlin Databases Graphs", - "description": "This module deploys a DocumentDB Database Accounts Gremlin Database Graph.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the graph." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the Gremlin graph resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "databaseAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Database Account. Required if the template is used in a standalone deployment." - } - }, - "gremlinDatabaseName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Gremlin Database. Required if the template is used in a standalone deployment." - } - }, - "indexingPolicy": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Indexing policy of the graph." - } - }, - "partitionKeyPaths": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of paths using which data within the container can be partitioned." 
- } - } - }, - "resources": { - "databaseAccount::gremlinDatabase": { - "existing": true, - "type": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases", - "apiVersion": "2023-04-15", - "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('gremlinDatabaseName'))]", - "dependsOn": [ - "databaseAccount" - ] - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "databaseAccount": { - "existing": true, - "type": "Microsoft.DocumentDB/databaseAccounts", - "apiVersion": "2023-04-15", - "name": "[parameters('databaseAccountName')]" - }, - "gremlinGraph": { - "type": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs", - "apiVersion": "2023-04-15", - "name": "[format('{0}/{1}/{2}', parameters('databaseAccountName'), parameters('gremlinDatabaseName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "resource": { - "id": "[parameters('name')]", - "indexingPolicy": "[if(not(empty(parameters('indexingPolicy'))), parameters('indexingPolicy'), null())]", - "partitionKey": { - "paths": "[if(not(empty(parameters('partitionKeyPaths'))), parameters('partitionKeyPaths'), null())]" - } - } - }, - "dependsOn": [ - "databaseAccount::gremlinDatabase" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the graph." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the graph." 
- }, - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs', parameters('databaseAccountName'), parameters('gremlinDatabaseName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the graph was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/document-db/database-account/gremlin-database/graph/version.json b/modules/document-db/database-account/gremlin-database/graph/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/document-db/database-account/gremlin-database/graph/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/document-db/database-account/gremlin-database/main.bicep b/modules/document-db/database-account/gremlin-database/main.bicep deleted file mode 100644 index 98cbbdb001..0000000000 --- a/modules/document-db/database-account/gremlin-database/main.bicep +++ /dev/null 
@@ -1,94 +0,0 @@
-metadata name = 'DocumentDB Database Account Gremlin Databases'
-metadata description = 'This module deploys a Gremlin Database within a CosmosDB Account.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the Gremlin database.')
-param name string
-
-@description('Optional. Tags of the Gremlin database resource.')
-param tags object?
-
-@description('Conditional. The name of the parent Gremlin database. Required if the template is used in a standalone deployment.')
-param databaseAccountName string
-
-@description('Optional. Array of graphs to deploy in the Gremlin database.')
-param graphs array = []
-
-@description('Optional. Represents maximum throughput, the resource can scale up to. Cannot be set together with `throughput`. If `throughput` is set to something else than -1, this autoscale setting is ignored.')
-param maxThroughput int = 4000
-
-@description('Optional. Request Units per second (for example 10000). Cannot be set together with `maxThroughput`.')
-param throughput int = -1
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource databaseAccount 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' existing = {
- name: databaseAccountName
-}
-
-var databaseOptions = contains(databaseAccount.properties.capabilities, { name: 'EnableServerless' }) ? {} : {
- autoscaleSettings: throughput == -1 ? {
- maxThroughput: maxThroughput
- } : null
- throughput: throughput != -1 ? throughput : null
-}
-
-resource gremlinDatabase 'Microsoft.DocumentDB/databaseAccounts/gremlinDatabases@2023-04-15' = {
- name: name
- tags: tags
- parent: databaseAccount
- properties: {
- options: databaseOptions
- resource: {
- id: name
- }
- }
-}
-
-module gremlinDatabase_gremlinGraphs 'graph/main.bicep' = [for graph in graphs: {
- name: '${uniqueString(deployment().name, gremlinDatabase.name)}-gremlindb-${graph.name}'
- params: {
- name: graph.name
- gremlinDatabaseName: name
- databaseAccountName: databaseAccountName
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- indexingPolicy: contains(graph, 'indexingPolicy') ? graph.indexingPolicy : true
- partitionKeyPaths: !empty(graph.partitionKeyPaths) ? graph.partitionKeyPaths : []
- }
-}]
-
-@description('The name of the Gremlin database.')
-output name string = gremlinDatabase.name
-
-@description('The resource ID of the Gremlin database.')
-output resourceId string = gremlinDatabase.id
-
-@description('The name of the resource group the Gremlin database was created in.')
-output resourceGroupName string = resourceGroup().name
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]?
-}?
diff --git a/modules/document-db/database-account/gremlin-database/main.json b/modules/document-db/database-account/gremlin-database/main.json
deleted file mode 100644
index 7d63c31282..0000000000
--- a/modules/document-db/database-account/gremlin-database/main.json
+++ /dev/null
@@ -1,321 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "8314710518368415809" - }, - "name": "DocumentDB Database Account Gremlin Databases", - "description": "This module deploys a Gremlin Database within a CosmosDB Account.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Gremlin database." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the Gremlin database resource." - } - }, - "databaseAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Gremlin database. Required if the template is used in a standalone deployment." - } - }, - "graphs": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of graphs to deploy in the Gremlin database." - } - }, - "maxThroughput": { - "type": "int", - "defaultValue": 4000, - "metadata": { - "description": "Optional. Represents maximum throughput, the resource can scale up to. Cannot be set together with `throughput`. If `throughput` is set to something else than -1, this autoscale setting is ignored." 
- } - }, - "throughput": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Request Units per second (for example 10000). Cannot be set together with `maxThroughput`." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "databaseAccount": { - "existing": true, - "type": "Microsoft.DocumentDB/databaseAccounts", - "apiVersion": "2023-04-15", - "name": "[parameters('databaseAccountName')]" - }, - "gremlinDatabase": { - "type": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases", - "apiVersion": "2023-04-15", - "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "options": "[if(contains(reference('databaseAccount').capabilities, createObject('name', 'EnableServerless')), createObject(), createObject('autoscaleSettings', if(equals(parameters('throughput'), -1), createObject('maxThroughput', parameters('maxThroughput')), null()), 'throughput', if(not(equals(parameters('throughput'), -1)), parameters('throughput'), null())))]", - "resource": { - "id": "[parameters('name')]" - } - }, - "dependsOn": [ - "databaseAccount" - ] - }, - "gremlinDatabase_gremlinGraphs": { - "copy": { - "name": "gremlinDatabase_gremlinGraphs", - "count": 
"[length(parameters('graphs'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-gremlindb-{1}', uniqueString(deployment().name, parameters('name')), parameters('graphs')[copyIndex()].name)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('graphs')[copyIndex()].name]" - }, - "gremlinDatabaseName": { - "value": "[parameters('name')]" - }, - "databaseAccountName": { - "value": "[parameters('databaseAccountName')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "indexingPolicy": "[if(contains(parameters('graphs')[copyIndex()], 'indexingPolicy'), createObject('value', parameters('graphs')[copyIndex()].indexingPolicy), createObject('value', true()))]", - "partitionKeyPaths": "[if(not(empty(parameters('graphs')[copyIndex()].partitionKeyPaths)), createObject('value', parameters('graphs')[copyIndex()].partitionKeyPaths), createObject('value', createArray()))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4035784770059836359" - }, - "name": "DocumentDB Database Accounts Gremlin Databases Graphs", - "description": "This module deploys a DocumentDB Database Accounts Gremlin Database Graph.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the graph." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the Gremlin graph resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. 
Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "databaseAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Database Account. Required if the template is used in a standalone deployment." - } - }, - "gremlinDatabaseName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Gremlin Database. Required if the template is used in a standalone deployment." - } - }, - "indexingPolicy": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Indexing policy of the graph." - } - }, - "partitionKeyPaths": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of paths using which data within the container can be partitioned." - } - } - }, - "resources": { - "databaseAccount::gremlinDatabase": { - "existing": true, - "type": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases", - "apiVersion": "2023-04-15", - "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('gremlinDatabaseName'))]", - "dependsOn": [ - "databaseAccount" - ] - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "databaseAccount": { - "existing": true, - "type": "Microsoft.DocumentDB/databaseAccounts", - "apiVersion": "2023-04-15", - "name": "[parameters('databaseAccountName')]" - }, - "gremlinGraph": { - "type": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs", - "apiVersion": "2023-04-15", - "name": "[format('{0}/{1}/{2}', parameters('databaseAccountName'), 
parameters('gremlinDatabaseName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "resource": { - "id": "[parameters('name')]", - "indexingPolicy": "[if(not(empty(parameters('indexingPolicy'))), parameters('indexingPolicy'), null())]", - "partitionKey": { - "paths": "[if(not(empty(parameters('partitionKeyPaths'))), parameters('partitionKeyPaths'), null())]" - } - } - }, - "dependsOn": [ - "databaseAccount::gremlinDatabase" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the graph." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the graph." - }, - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs', parameters('databaseAccountName'), parameters('gremlinDatabaseName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the graph was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "gremlinDatabase" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the Gremlin database." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Gremlin database." - }, - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/gremlinDatabases', parameters('databaseAccountName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the Gremlin database was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file 
diff --git a/modules/document-db/database-account/gremlin-database/version.json b/modules/document-db/database-account/gremlin-database/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/document-db/database-account/gremlin-database/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/document-db/database-account/main.bicep b/modules/document-db/database-account/main.bicep
deleted file mode 100644
index 728a5b2274..0000000000
--- a/modules/document-db/database-account/main.bicep
+++ /dev/null
@@ -1,503 +0,0 @@ -metadata name = 'DocumentDB Database Accounts' -metadata description = 'This module deploys a DocumentDB Database Account.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. Name of the Database Account.') -param name string - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. Tags of the Database Account resource.') -param tags object? - -@description('Optional. The managed identity definition for this resource.') -param managedIdentities managedIdentitiesType - -@description('Optional. The offer type for the Cosmos DB database account.') -@allowed([ - 'Standard' -]) -param databaseAccountOfferType string = 'Standard' - -@description('Required. Locations enabled for the Cosmos DB account.') -param locations array - -@allowed([ - 'Eventual' - 'ConsistentPrefix' - 'Session' - 'BoundedStaleness' - 'Strong' -]) -@description('Optional. The default consistency level of the Cosmos DB account.') -param defaultConsistencyLevel string = 'Session' - -@description('Optional. Enable automatic failover for regions.') -param automaticFailover bool = true - -@description('Optional. Flag to indicate whether Free Tier is enabled.') -param enableFreeTier bool = false - -@minValue(10) -@maxValue(2147483647) -@description('Optional. Max stale requests. Required for BoundedStaleness. Valid ranges, Single Region: 10 to 1000000. Multi Region: 100000 to 1000000.') -param maxStalenessPrefix int = 100000 - -@minValue(5) -@maxValue(86400) -@description('Optional. Max lag time (minutes). Required for BoundedStaleness. Valid ranges, Single Region: 5 to 84600. Multi Region: 300 to 86400.') -param maxIntervalInSeconds int = 300 - -@description('Optional. Specifies the MongoDB server version to use.') -@allowed([ - '3.2' - '3.6' - '4.0' - '4.2' -]) -param serverVersion string = '4.2' - -@description('Optional. 
SQL Databases configurations.') -param sqlDatabases array = [] - -@description('Optional. MongoDB Databases configurations.') -param mongodbDatabases array = [] - -@description('Optional. Gremlin Databases configurations.') -param gremlinDatabases array = [] - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalIds\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments roleAssignmentType - -@description('Optional. The diagnostic settings of the service.') -param diagnosticSettings diagnosticSettingType - -@allowed([ - 'EnableCassandra' - 'EnableTable' - 'EnableGremlin' - 'EnableMongo' - 'DisableRateLimitingResponses' - 'EnableServerless' -]) -@description('Optional. List of Cosmos DB capabilities for the account.') -param capabilitiesToAdd array = [] - -@allowed([ - 'Periodic' - 'Continuous' -]) -@description('Optional. Describes the mode of backups.') -param backupPolicyType string = 'Continuous' - -@allowed([ - 'Continuous30Days' - 'Continuous7Days' -]) -@description('Optional. Configuration values for continuous mode backup.') -param backupPolicyContinuousTier string = 'Continuous30Days' - -@minValue(60) -@maxValue(1440) -@description('Optional. An integer representing the interval in minutes between two backups. Only applies to periodic backup type.') -param backupIntervalInMinutes int = 240 - -@minValue(2) -@maxValue(720) -@description('Optional. An integer representing the time (in hours) that each backup is retained. 
Only applies to periodic backup type.') -param backupRetentionIntervalInHours int = 8 - -@allowed([ - 'Geo' - 'Local' - 'Zone' -]) -@description('Optional. Enum to indicate type of backup residency. Only applies to periodic backup type.') -param backupStorageRedundancy string = 'Local' - -@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') -param privateEndpoints privateEndpointType - -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } - -var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) - userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null -} : null - -var consistencyPolicy = { - Eventual: { - defaultConsistencyLevel: 'Eventual' - } - ConsistentPrefix: { - defaultConsistencyLevel: 'ConsistentPrefix' - } - Session: { - defaultConsistencyLevel: 'Session' - } - BoundedStaleness: { - defaultConsistencyLevel: 'BoundedStaleness' - maxStalenessPrefix: maxStalenessPrefix - maxIntervalInSeconds: maxIntervalInSeconds - } - Strong: { - defaultConsistencyLevel: 'Strong' - } -} - -var databaseAccount_locations = [for location in locations: { - failoverPriority: location.failoverPriority - isZoneRedundant: location.isZoneRedundant - locationName: location.locationName -}] - -var kind = !empty(sqlDatabases) || !empty(gremlinDatabases) ? 'GlobalDocumentDB' : (!empty(mongodbDatabases) ? 
'MongoDB' : 'Parse') - -var enableReferencedModulesTelemetry = false - -var capabilities = [for capability in capabilitiesToAdd: { - name: capability -}] - -var backupPolicy = backupPolicyType == 'Continuous' ? { - type: backupPolicyType - continuousModeProperties: { - tier: backupPolicyContinuousTier - } -} : { - type: backupPolicyType - periodicModeProperties: { - backupIntervalInMinutes: backupIntervalInMinutes - backupRetentionIntervalInHours: backupRetentionIntervalInHours - backupStorageRedundancy: backupStorageRedundancy - } -} - -var databaseAccount_properties = union({ - databaseAccountOfferType: databaseAccountOfferType - }, ((!empty(sqlDatabases) || !empty(mongodbDatabases) || !empty(gremlinDatabases)) ? { - // Common properties - consistencyPolicy: consistencyPolicy[defaultConsistencyLevel] - locations: databaseAccount_locations - capabilities: capabilities - enableFreeTier: enableFreeTier - backupPolicy: backupPolicy - } : {}), (!empty(sqlDatabases) ? { - // SQLDB properties - enableAutomaticFailover: automaticFailover - } : {}), (!empty(mongodbDatabases) ? 
{ - // MongoDb properties - apiProperties: { - serverVersion: serverVersion - } - } : {})) - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Account Reader Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - CosmosBackupOperator: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb') - CosmosRestoreOperator: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5432c526-bc82-444a-b7ba-57c5b0b5b34f') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource databaseAccount 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' = { - name: name - location: location - tags: tags - identity: 
identity - kind: kind - properties: databaseAccount_properties -} - -resource databaseAccount_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' - } - scope: databaseAccount -} - -resource databaseAccount_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { - name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' - properties: { - storageAccountId: diagnosticSetting.?storageAccountResourceId - workspaceId: diagnosticSetting.?workspaceResourceId - eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId - eventHubName: diagnosticSetting.?eventHubName - metrics: diagnosticSetting.?metricCategories ?? [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - } - ] - logs: diagnosticSetting.?logCategoriesAndGroups ?? [ - { - categoryGroup: 'AllLogs' - enabled: true - } - ] - marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId - logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType - } - scope: databaseAccount -}] - -resource databaseAccount_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(databaseAccount.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? 
roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: databaseAccount -}] - -module databaseAccount_sqlDatabases 'sql-database/main.bicep' = [for sqlDatabase in sqlDatabases: { - name: '${uniqueString(deployment().name, location)}-sqldb-${sqlDatabase.name}' - params: { - databaseAccountName: databaseAccount.name - name: sqlDatabase.name - containers: contains(sqlDatabase, 'containers') ? sqlDatabase.containers : [] - throughput: contains(sqlDatabase, 'throughput') ? sqlDatabase.throughput : 400 - autoscaleSettingsMaxThroughput: contains(sqlDatabase, 'autoscaleSettingsMaxThroughput') ? sqlDatabase.autoscaleSettingsMaxThroughput : -1 - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -module databaseAccount_mongodbDatabases 'mongodb-database/main.bicep' = [for mongodbDatabase in mongodbDatabases: { - name: '${uniqueString(deployment().name, location)}-mongodb-${mongodbDatabase.name}' - params: { - databaseAccountName: databaseAccount.name - name: mongodbDatabase.name - collections: contains(mongodbDatabase, 'collections') ? 
mongodbDatabase.collections : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -module databaseAccount_gremlinDatabases 'gremlin-database/main.bicep' = [for gremlinDatabase in gremlinDatabases: { - name: '${uniqueString(deployment().name, location)}-gremlin-${gremlinDatabase.name}' - params: { - databaseAccountName: databaseAccount.name - name: gremlinDatabase.name - graphs: contains(gremlinDatabase, 'graphs') ? gremlinDatabase.graphs : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -module databaseAccount_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): { - name: '${uniqueString(deployment().name, location)}-databaseAccount-PrivateEndpoint-${index}' - params: { - groupIds: [ - privateEndpoint.service - ] - name: privateEndpoint.?name ?? 'pep-${last(split(databaseAccount.id, '/'))}-${privateEndpoint.?service ?? privateEndpoint.service}-${index}' - serviceResourceId: databaseAccount.id - subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry - location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: privateEndpoint.?lock ?? lock - privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName - privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds - roleAssignments: privateEndpoint.?roleAssignments - tags: privateEndpoint.?tags ?? 
tags - manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections - customDnsConfigs: privateEndpoint.?customDnsConfigs - ipConfigurations: privateEndpoint.?ipConfigurations - applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds - customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName - } -}] - -@description('The name of the database account.') -output name string = databaseAccount.name - -@description('The resource ID of the database account.') -output resourceId string = databaseAccount.id - -@description('The name of the resource group the database account was created in.') -output resourceGroupName string = resourceGroup().name - -@description('The principal ID of the system assigned identity.') -output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(databaseAccount.identity, 'principalId') ? databaseAccount.identity.principalId : '' - -@description('The location the resource was deployed into.') -output location string = databaseAccount.location - -// =============== // -// Definitions // -// =============== // - -type managedIdentitiesType = { - @description('Optional. Enables system assigned managed identity on the resource.') - systemAssigned: bool? - - @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourceIds: string[]? -}? - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. 
The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type privateEndpointType = {
- @description('Optional. The name of the private endpoint.')
- name: string?
-
- @description('Optional. The location to deploy the private endpoint to.')
- location: string?
-
- @description('Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
- service: string
-
- @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
- subnetResourceId: string
-
- @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
- privateDnsZoneGroupName: string?
-
- @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
- privateDnsZoneResourceIds: string[]?
-
- @description('Optional. Custom DNS configurations.')
- customDnsConfigs: {
- @description('Required. Fqdn that resolves to private endpoint ip address.')
- fqdn: string?
-
- @description('Required. A list of private ip addresses of the private endpoint.')
- ipAddresses: string[]
- }[]?
-
- @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
- ipConfigurations: {
- @description('Required. The name of the resource that is unique within a resource group.')
- name: string
-
- @description('Required. Properties of private endpoint IP configurations.')
- properties: {
- @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
- groupId: string
-
- @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
- memberName: string
-
- @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
- privateIPAddress: string
- }
- }[]?
-
- @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
- applicationSecurityGroupResourceIds: string[]?
-
- @description('Optional. The custom name of the network interface attached to the private endpoint.')
- customNetworkInterfaceName: string?
-
- @description('Optional. Specify the type of lock.')
- lock: lockType
-
- @description('Optional. Array of role assignments to create.')
- roleAssignments: roleAssignmentType
-
- @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
- tags: object?
-
- @description('Optional. Manual PrivateLink Service Connections.')
- manualPrivateLinkServiceConnections: array?
-
- @description('Optional. Enable/Disable usage telemetry for module.')
- enableTelemetry: bool?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/document-db/database-account/main.json b/modules/document-db/database-account/main.json
deleted file mode 100644
index 2b2a72a670..0000000000
--- a/modules/document-db/database-account/main.json
+++ /dev/null
@@ -1,2477 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17655203248795781813" - }, - "name": "DocumentDB Database Accounts", - "description": "This module deploys a DocumentDB Database Account.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "metadata": { - "description": "Required. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." 
- } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. 
Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Database Account." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the Database Account resource." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "databaseAccountOfferType": { - "type": "string", - "defaultValue": "Standard", - "allowedValues": [ - "Standard" - ], - "metadata": { - "description": "Optional. The offer type for the Cosmos DB database account." 
- } - }, - "locations": { - "type": "array", - "metadata": { - "description": "Required. Locations enabled for the Cosmos DB account." - } - }, - "defaultConsistencyLevel": { - "type": "string", - "defaultValue": "Session", - "allowedValues": [ - "Eventual", - "ConsistentPrefix", - "Session", - "BoundedStaleness", - "Strong" - ], - "metadata": { - "description": "Optional. The default consistency level of the Cosmos DB account." - } - }, - "automaticFailover": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable automatic failover for regions." - } - }, - "enableFreeTier": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Flag to indicate whether Free Tier is enabled." - } - }, - "maxStalenessPrefix": { - "type": "int", - "defaultValue": 100000, - "minValue": 10, - "maxValue": 2147483647, - "metadata": { - "description": "Optional. Max stale requests. Required for BoundedStaleness. Valid ranges, Single Region: 10 to 1000000. Multi Region: 100000 to 1000000." - } - }, - "maxIntervalInSeconds": { - "type": "int", - "defaultValue": 300, - "minValue": 5, - "maxValue": 86400, - "metadata": { - "description": "Optional. Max lag time (minutes). Required for BoundedStaleness. Valid ranges, Single Region: 5 to 84600. Multi Region: 300 to 86400." - } - }, - "serverVersion": { - "type": "string", - "defaultValue": "4.2", - "allowedValues": [ - "3.2", - "3.6", - "4.0", - "4.2" - ], - "metadata": { - "description": "Optional. Specifies the MongoDB server version to use." - } - }, - "sqlDatabases": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. SQL Databases configurations." - } - }, - "mongodbDatabases": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. MongoDB Databases configurations." - } - }, - "gremlinDatabases": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. 
Gremlin Databases configurations." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "capabilitiesToAdd": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "EnableCassandra", - "EnableTable", - "EnableGremlin", - "EnableMongo", - "DisableRateLimitingResponses", - "EnableServerless" - ], - "metadata": { - "description": "Optional. List of Cosmos DB capabilities for the account." - } - }, - "backupPolicyType": { - "type": "string", - "defaultValue": "Continuous", - "allowedValues": [ - "Periodic", - "Continuous" - ], - "metadata": { - "description": "Optional. Describes the mode of backups." - } - }, - "backupPolicyContinuousTier": { - "type": "string", - "defaultValue": "Continuous30Days", - "allowedValues": [ - "Continuous30Days", - "Continuous7Days" - ], - "metadata": { - "description": "Optional. Configuration values for continuous mode backup." 
- } - }, - "backupIntervalInMinutes": { - "type": "int", - "defaultValue": 240, - "minValue": 60, - "maxValue": 1440, - "metadata": { - "description": "Optional. An integer representing the interval in minutes between two backups. Only applies to periodic backup type." - } - }, - "backupRetentionIntervalInHours": { - "type": "int", - "defaultValue": 8, - "minValue": 2, - "maxValue": 720, - "metadata": { - "description": "Optional. An integer representing the time (in hours) that each backup is retained. Only applies to periodic backup type." - } - }, - "backupStorageRedundancy": { - "type": "string", - "defaultValue": "Local", - "allowedValues": [ - "Geo", - "Local", - "Zone" - ], - "metadata": { - "description": "Optional. Enum to indicate type of backup residency. Only applies to periodic backup type." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "databaseAccount_locations", - "count": "[length(parameters('locations'))]", - "input": { - "failoverPriority": "[parameters('locations')[copyIndex('databaseAccount_locations')].failoverPriority]", - "isZoneRedundant": "[parameters('locations')[copyIndex('databaseAccount_locations')].isZoneRedundant]", - "locationName": "[parameters('locations')[copyIndex('databaseAccount_locations')].locationName]" - } - }, - { - "name": "capabilities", - "count": "[length(parameters('capabilitiesToAdd'))]", - "input": { - "name": "[parameters('capabilitiesToAdd')[copyIndex('capabilities')]]" - } - } - ], - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "consistencyPolicy": { - "Eventual": { - "defaultConsistencyLevel": "Eventual" - }, - "ConsistentPrefix": { - "defaultConsistencyLevel": "ConsistentPrefix" - }, - "Session": { - "defaultConsistencyLevel": "Session" - }, - "BoundedStaleness": { - "defaultConsistencyLevel": "BoundedStaleness", - "maxStalenessPrefix": "[parameters('maxStalenessPrefix')]", - "maxIntervalInSeconds": 
"[parameters('maxIntervalInSeconds')]" - }, - "Strong": { - "defaultConsistencyLevel": "Strong" - } - }, - "kind": "[if(or(not(empty(parameters('sqlDatabases'))), not(empty(parameters('gremlinDatabases')))), 'GlobalDocumentDB', if(not(empty(parameters('mongodbDatabases'))), 'MongoDB', 'Parse'))]", - "enableReferencedModulesTelemetry": false, - "backupPolicy": "[if(equals(parameters('backupPolicyType'), 'Continuous'), createObject('type', parameters('backupPolicyType'), 'continuousModeProperties', createObject('tier', parameters('backupPolicyContinuousTier'))), createObject('type', parameters('backupPolicyType'), 'periodicModeProperties', createObject('backupIntervalInMinutes', parameters('backupIntervalInMinutes'), 'backupRetentionIntervalInHours', parameters('backupRetentionIntervalInHours'), 'backupStorageRedundancy', parameters('backupStorageRedundancy'))))]", - "databaseAccount_properties": "[union(createObject('databaseAccountOfferType', parameters('databaseAccountOfferType')), if(or(or(not(empty(parameters('sqlDatabases'))), not(empty(parameters('mongodbDatabases')))), not(empty(parameters('gremlinDatabases')))), createObject('consistencyPolicy', variables('consistencyPolicy')[parameters('defaultConsistencyLevel')], 'locations', variables('databaseAccount_locations'), 'capabilities', variables('capabilities'), 'enableFreeTier', parameters('enableFreeTier'), 'backupPolicy', variables('backupPolicy')), createObject()), if(not(empty(parameters('sqlDatabases'))), createObject('enableAutomaticFailover', parameters('automaticFailover')), createObject()), if(not(empty(parameters('mongodbDatabases'))), createObject('apiProperties', createObject('serverVersion', parameters('serverVersion'))), createObject()))]", - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Account Reader Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "CosmosBackupOperator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", - "CosmosRestoreOperator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5432c526-bc82-444a-b7ba-57c5b0b5b34f')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "databaseAccount": { - "type": "Microsoft.DocumentDB/databaseAccounts", - "apiVersion": "2023-04-15", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "kind": "[variables('kind')]", - "properties": 
"[variables('databaseAccount_properties')]" - }, - "databaseAccount_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.DocumentDB/databaseAccounts/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "databaseAccount" - ] - }, - "databaseAccount_diagnosticSettings": { - "copy": { - "name": "databaseAccount_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.DocumentDB/databaseAccounts/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), 
createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "databaseAccount" - ] - }, - "databaseAccount_roleAssignments": { - "copy": { - "name": "databaseAccount_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.DocumentDB/databaseAccounts/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": 
"[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "databaseAccount" - ] - }, - "databaseAccount_sqlDatabases": { - "copy": { - "name": "databaseAccount_sqlDatabases", - "count": "[length(parameters('sqlDatabases'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-sqldb-{1}', uniqueString(deployment().name, parameters('location')), parameters('sqlDatabases')[copyIndex()].name)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "databaseAccountName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('sqlDatabases')[copyIndex()].name]" - }, - "containers": "[if(contains(parameters('sqlDatabases')[copyIndex()], 'containers'), createObject('value', parameters('sqlDatabases')[copyIndex()].containers), createObject('value', createArray()))]", - "throughput": "[if(contains(parameters('sqlDatabases')[copyIndex()], 'throughput'), createObject('value', parameters('sqlDatabases')[copyIndex()].throughput), createObject('value', 400))]", - "autoscaleSettingsMaxThroughput": "[if(contains(parameters('sqlDatabases')[copyIndex()], 
'autoscaleSettingsMaxThroughput'), createObject('value', parameters('sqlDatabases')[copyIndex()].autoscaleSettingsMaxThroughput), createObject('value', -1))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5236608683863945170" - }, - "name": "DocumentDB Database Account SQL Databases", - "description": "This module deploys a SQL Database in a CosmosDB Account.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "databaseAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Database Account. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the SQL database ." - } - }, - "containers": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of containers to deploy in the SQL database." - } - }, - "throughput": { - "type": "int", - "defaultValue": 400, - "metadata": { - "description": "Optional. Request units per second. Will be set to null if autoscaleSettingsMaxThroughput is used." - } - }, - "autoscaleSettingsMaxThroughput": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Specifies the Autoscale settings and represents maximum throughput, the resource can scale up to. The autoscale throughput should have valid throughput values between 1000 and 1000000 inclusive in increments of 1000. If value is set to -1, then the property will be set to null and autoscale will be disabled." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. 
Tags of the SQL database resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "databaseAccount": { - "existing": true, - "type": "Microsoft.DocumentDB/databaseAccounts", - "apiVersion": "2023-04-15", - "name": "[parameters('databaseAccountName')]" - }, - "sqlDatabase": { - "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases", - "apiVersion": "2023-04-15", - "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "resource": { - "id": "[parameters('name')]" - }, - "options": "[if(contains(reference('databaseAccount').capabilities, createObject('name', 'EnableServerless')), null(), createObject('throughput', if(equals(parameters('autoscaleSettingsMaxThroughput'), -1), parameters('throughput'), null()), 'autoscaleSettings', if(not(equals(parameters('autoscaleSettingsMaxThroughput'), -1)), createObject('maxThroughput', parameters('autoscaleSettingsMaxThroughput')), null())))]" - }, - "dependsOn": [ - "databaseAccount" - ] - }, - "container": { - "copy": { - "name": "container", - "count": "[length(parameters('containers'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-sqldb-{1}', uniqueString(deployment().name, 
parameters('name')), parameters('containers')[copyIndex()].name)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "databaseAccountName": { - "value": "[parameters('databaseAccountName')]" - }, - "sqlDatabaseName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('containers')[copyIndex()].name]" - }, - "analyticalStorageTtl": "[if(contains(parameters('containers')[copyIndex()], 'analyticalStorageTtl'), createObject('value', parameters('containers')[copyIndex()].analyticalStorageTtl), createObject('value', 0))]", - "autoscaleSettingsMaxThroughput": "[if(contains(parameters('containers')[copyIndex()], 'autoscaleSettingsMaxThroughput'), createObject('value', parameters('containers')[copyIndex()].autoscaleSettingsMaxThroughput), createObject('value', -1))]", - "conflictResolutionPolicy": "[if(contains(parameters('containers')[copyIndex()], 'conflictResolutionPolicy'), createObject('value', parameters('containers')[copyIndex()].conflictResolutionPolicy), createObject('value', createObject()))]", - "defaultTtl": "[if(contains(parameters('containers')[copyIndex()], 'defaultTtl'), createObject('value', parameters('containers')[copyIndex()].defaultTtl), createObject('value', -1))]", - "indexingPolicy": "[if(contains(parameters('containers')[copyIndex()], 'indexingPolicy'), createObject('value', parameters('containers')[copyIndex()].indexingPolicy), createObject('value', createObject()))]", - "kind": "[if(contains(parameters('containers')[copyIndex()], 'kind'), createObject('value', parameters('containers')[copyIndex()].kind), createObject('value', 'Hash'))]", - "paths": "[if(contains(parameters('containers')[copyIndex()], 'paths'), createObject('value', parameters('containers')[copyIndex()].paths), createObject('value', createArray()))]", - "throughput": "[if(contains(parameters('containers')[copyIndex()], 'throughput'), createObject('value', 
parameters('containers')[copyIndex()].throughput), createObject('value', 400))]", - "uniqueKeyPolicyKeys": "[if(contains(parameters('containers')[copyIndex()], 'uniqueKeyPolicyKeys'), createObject('value', parameters('containers')[copyIndex()].uniqueKeyPolicyKeys), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "7712060799698135624" - }, - "name": "DocumentDB Database Account SQL Database Containers", - "description": "This module deploys a SQL Database Container in a CosmosDB Account.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "databaseAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Database Account. Required if the template is used in a standalone deployment." - } - }, - "sqlDatabaseName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL Database. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the container." - } - }, - "analyticalStorageTtl": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. Indicates how long data should be retained in the analytical store, for a container. Analytical store is enabled when ATTL is set with a value other than 0. If the value is set to -1, the analytical store retains all historical data, irrespective of the retention of the data in the transactional store." - } - }, - "conflictResolutionPolicy": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. 
The conflict resolution policy for the container. Conflicts and conflict resolution policies are applicable if the Azure Cosmos DB account is configured with multiple write regions." - } - }, - "defaultTtl": { - "type": "int", - "defaultValue": -1, - "minValue": -1, - "maxValue": 2147483647, - "metadata": { - "description": "Optional. Default time to live (in seconds). With Time to Live or TTL, Azure Cosmos DB provides the ability to delete items automatically from a container after a certain time period. If the value is set to \"-1\", it is equal to infinity, and items dont expire by default." - } - }, - "throughput": { - "type": "int", - "defaultValue": 400, - "metadata": { - "description": "Optional. Request Units per second. Will be set to null if autoscaleSettingsMaxThroughput is used." - } - }, - "autoscaleSettingsMaxThroughput": { - "type": "int", - "defaultValue": -1, - "maxValue": 1000000, - "metadata": { - "description": "Optional. Specifies the Autoscale settings and represents maximum throughput, the resource can scale up to. The autoscale throughput should have valid throughput values between 1000 and 1000000 inclusive in increments of 1000. If value is set to -1, then the property will be set to null and autoscale will be disabled." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the SQL Database resource." - } - }, - "paths": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of paths using which data within the container can be partitioned." - } - }, - "indexingPolicy": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Indexing policy of the container." - } - }, - "uniqueKeyPolicyKeys": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. 
The unique key policy configuration containing a list of unique keys that enforces uniqueness constraint on documents in the collection in the Azure Cosmos DB service." - } - }, - "kind": { - "type": "string", - "defaultValue": "Hash", - "allowedValues": [ - "Hash", - "MultiHash", - "Range" - ], - "metadata": { - "description": "Optional. Indicates the kind of algorithm used for partitioning." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": { - "databaseAccount::sqlDatabase": { - "existing": true, - "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases", - "apiVersion": "2023-04-15", - "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('sqlDatabaseName'))]", - "dependsOn": [ - "databaseAccount" - ] - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "databaseAccount": { - "existing": true, - "type": "Microsoft.DocumentDB/databaseAccounts", - "apiVersion": "2023-04-15", - "name": "[parameters('databaseAccountName')]" - }, - "container": { - "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers", - "apiVersion": "2023-04-15", - "name": "[format('{0}/{1}/{2}', parameters('databaseAccountName'), parameters('sqlDatabaseName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "resource": { - "analyticalStorageTtl": "[parameters('analyticalStorageTtl')]", - "conflictResolutionPolicy": 
"[parameters('conflictResolutionPolicy')]", - "defaultTtl": "[parameters('defaultTtl')]", - "id": "[parameters('name')]", - "indexingPolicy": "[if(not(empty(parameters('indexingPolicy'))), parameters('indexingPolicy'), null())]", - "partitionKey": { - "paths": "[parameters('paths')]", - "kind": "[parameters('kind')]" - }, - "uniqueKeyPolicy": "[if(not(empty(parameters('uniqueKeyPolicyKeys'))), createObject('uniqueKeys', parameters('uniqueKeyPolicyKeys')), null())]" - }, - "options": "[if(contains(reference('databaseAccount').capabilities, createObject('name', 'EnableServerless')), null(), createObject('throughput', if(equals(parameters('autoscaleSettingsMaxThroughput'), -1), parameters('throughput'), null()), 'autoscaleSettings', if(not(equals(parameters('autoscaleSettingsMaxThroughput'), -1)), createObject('maxThroughput', parameters('autoscaleSettingsMaxThroughput')), null())))]" - }, - "dependsOn": [ - "databaseAccount::sqlDatabase" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the container." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the container." - }, - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers', parameters('databaseAccountName'), parameters('sqlDatabaseName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the container was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "sqlDatabase" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the SQL database." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the SQL database." 
- }, - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the SQL database was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "databaseAccount" - ] - }, - "databaseAccount_mongodbDatabases": { - "copy": { - "name": "databaseAccount_mongodbDatabases", - "count": "[length(parameters('mongodbDatabases'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-mongodb-{1}', uniqueString(deployment().name, parameters('location')), parameters('mongodbDatabases')[copyIndex()].name)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "databaseAccountName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('mongodbDatabases')[copyIndex()].name]" - }, - "collections": "[if(contains(parameters('mongodbDatabases')[copyIndex()], 'collections'), createObject('value', parameters('mongodbDatabases')[copyIndex()].collections), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10909630292111406683" - }, - "name": "DocumentDB Database Account MongoDB Databases", - "description": "This module deploys a MongoDB Database within a CosmosDB Account.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "databaseAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. 
The name of the parent Cosmos DB database account. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the mongodb database." - } - }, - "throughput": { - "type": "int", - "defaultValue": 400, - "metadata": { - "description": "Optional. Name of the mongodb database." - } - }, - "collections": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Collections in the mongodb database." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "databaseAccount": { - "existing": true, - "type": "Microsoft.DocumentDB/databaseAccounts", - "apiVersion": "2023-04-15", - "name": "[parameters('databaseAccountName')]" - }, - "mongodbDatabase": { - "type": "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases", - "apiVersion": "2023-04-15", - "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "resource": { - "id": "[parameters('name')]" - }, - "options": "[if(contains(reference('databaseAccount').capabilities, createObject('name', 
'EnableServerless')), null(), createObject('throughput', parameters('throughput')))]" - }, - "dependsOn": [ - "databaseAccount" - ] - }, - "mongodbDatabase_collections": { - "copy": { - "name": "mongodbDatabase_collections", - "count": "[length(parameters('collections'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-collection-{1}', uniqueString(deployment().name, parameters('name')), parameters('collections')[copyIndex()].name)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "databaseAccountName": { - "value": "[parameters('databaseAccountName')]" - }, - "mongodbDatabaseName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('collections')[copyIndex()].name]" - }, - "indexes": { - "value": "[parameters('collections')[copyIndex()].indexes]" - }, - "shardKey": { - "value": "[parameters('collections')[copyIndex()].shardKey]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2460347721734751381" - }, - "name": "DocumentDB Database Account MongoDB Database Collections", - "description": "This module deploys a MongoDB Database Collection.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "databaseAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Cosmos DB database account. Required if the template is used in a standalone deployment." - } - }, - "mongodbDatabaseName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent mongodb database. Required if the template is used in a standalone deployment." 
- } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the collection." - } - }, - "throughput": { - "type": "int", - "defaultValue": 400, - "metadata": { - "description": "Optional. Name of the mongodb database." - } - }, - "indexes": { - "type": "array", - "metadata": { - "description": "Required. Indexes for the collection." - } - }, - "shardKey": { - "type": "object", - "metadata": { - "description": "Required. ShardKey for the collection." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections", - "apiVersion": "2023-04-15", - "name": "[format('{0}/{1}/{2}', parameters('databaseAccountName'), parameters('mongodbDatabaseName'), parameters('name'))]", - "properties": { - "options": "[if(contains(reference(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), '2023-04-15').capabilities, createObject('name', 'EnableServerless')), null(), createObject('throughput', parameters('throughput')))]", - "resource": { - "id": "[parameters('name')]", - "indexes": "[parameters('indexes')]", - "shardKey": "[parameters('shardKey')]" - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the mongodb database." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the mongodb database." - }, - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections', parameters('databaseAccountName'), parameters('mongodbDatabaseName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the mongodb database was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "mongodbDatabase" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the mongodb database." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the mongodb database." - }, - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/mongodbDatabases', parameters('databaseAccountName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the mongodb database was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "databaseAccount" - ] - }, - "databaseAccount_gremlinDatabases": { - "copy": { - "name": "databaseAccount_gremlinDatabases", - "count": "[length(parameters('gremlinDatabases'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-gremlin-{1}', uniqueString(deployment().name, parameters('location')), parameters('gremlinDatabases')[copyIndex()].name)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "databaseAccountName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('gremlinDatabases')[copyIndex()].name]" - }, - "graphs": "[if(contains(parameters('gremlinDatabases')[copyIndex()], 'graphs'), createObject('value', parameters('gremlinDatabases')[copyIndex()].graphs), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "8314710518368415809" - }, - "name": "DocumentDB Database Account Gremlin Databases", - "description": "This module deploys a Gremlin Database within a CosmosDB Account.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." 
- } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Gremlin database." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the Gremlin database resource." - } - }, - "databaseAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Gremlin database. Required if the template is used in a standalone deployment." - } - }, - "graphs": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of graphs to deploy in the Gremlin database." - } - }, - "maxThroughput": { - "type": "int", - "defaultValue": 4000, - "metadata": { - "description": "Optional. Represents maximum throughput, the resource can scale up to. Cannot be set together with `throughput`. If `throughput` is set to something else than -1, this autoscale setting is ignored." - } - }, - "throughput": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Request Units per second (for example 10000). Cannot be set together with `maxThroughput`." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "databaseAccount": { - "existing": true, - "type": "Microsoft.DocumentDB/databaseAccounts", - "apiVersion": "2023-04-15", - "name": "[parameters('databaseAccountName')]" - }, - "gremlinDatabase": { - "type": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases", - "apiVersion": "2023-04-15", - "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "options": "[if(contains(reference('databaseAccount').capabilities, createObject('name', 'EnableServerless')), createObject(), createObject('autoscaleSettings', if(equals(parameters('throughput'), -1), createObject('maxThroughput', parameters('maxThroughput')), null()), 'throughput', if(not(equals(parameters('throughput'), -1)), parameters('throughput'), null())))]", - "resource": { - "id": "[parameters('name')]" - } - }, - "dependsOn": [ - "databaseAccount" - ] - }, - "gremlinDatabase_gremlinGraphs": { - "copy": { - "name": "gremlinDatabase_gremlinGraphs", - "count": "[length(parameters('graphs'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-gremlindb-{1}', uniqueString(deployment().name, parameters('name')), parameters('graphs')[copyIndex()].name)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": 
"[parameters('graphs')[copyIndex()].name]" - }, - "gremlinDatabaseName": { - "value": "[parameters('name')]" - }, - "databaseAccountName": { - "value": "[parameters('databaseAccountName')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "indexingPolicy": "[if(contains(parameters('graphs')[copyIndex()], 'indexingPolicy'), createObject('value', parameters('graphs')[copyIndex()].indexingPolicy), createObject('value', true()))]", - "partitionKeyPaths": "[if(not(empty(parameters('graphs')[copyIndex()].partitionKeyPaths)), createObject('value', parameters('graphs')[copyIndex()].partitionKeyPaths), createObject('value', createArray()))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4035784770059836359" - }, - "name": "DocumentDB Database Accounts Gremlin Databases Graphs", - "description": "This module deploys a DocumentDB Database Accounts Gremlin Database Graph.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the graph." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the Gremlin graph resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "databaseAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Database Account. Required if the template is used in a standalone deployment." - } - }, - "gremlinDatabaseName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Gremlin Database. 
Required if the template is used in a standalone deployment." - } - }, - "indexingPolicy": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Indexing policy of the graph." - } - }, - "partitionKeyPaths": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of paths using which data within the container can be partitioned." - } - } - }, - "resources": { - "databaseAccount::gremlinDatabase": { - "existing": true, - "type": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases", - "apiVersion": "2023-04-15", - "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('gremlinDatabaseName'))]", - "dependsOn": [ - "databaseAccount" - ] - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "databaseAccount": { - "existing": true, - "type": "Microsoft.DocumentDB/databaseAccounts", - "apiVersion": "2023-04-15", - "name": "[parameters('databaseAccountName')]" - }, - "gremlinGraph": { - "type": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs", - "apiVersion": "2023-04-15", - "name": "[format('{0}/{1}/{2}', parameters('databaseAccountName'), parameters('gremlinDatabaseName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "resource": { - "id": "[parameters('name')]", - "indexingPolicy": "[if(not(empty(parameters('indexingPolicy'))), parameters('indexingPolicy'), null())]", - "partitionKey": { - "paths": "[if(not(empty(parameters('partitionKeyPaths'))), parameters('partitionKeyPaths'), null())]" - } - } - }, - 
"dependsOn": [ - "databaseAccount::gremlinDatabase" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the graph." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the graph." - }, - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs', parameters('databaseAccountName'), parameters('gremlinDatabaseName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the graph was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "gremlinDatabase" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the Gremlin database." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Gremlin database." - }, - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/gremlinDatabases', parameters('databaseAccountName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the Gremlin database was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "databaseAccount" - ] - }, - "databaseAccount_privateEndpoints": { - "copy": { - "name": "databaseAccount_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-databaseAccount-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name'))]" - }, - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), 
createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", 
- "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." 
- } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." 
- } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private 
DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - 
"groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": 
"Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": 
"string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "databaseAccount" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the database account." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the database account." 
- }, - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the database account was created in." - }, - "value": "[resourceGroup().name]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('databaseAccount', '2023-04-15', 'full').identity, 'principalId')), reference('databaseAccount', '2023-04-15', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('databaseAccount', '2023-04-15', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/document-db/database-account/mongodb-database/README.md b/modules/document-db/database-account/mongodb-database/README.md deleted file mode 100644 index b20e184e59..0000000000 --- a/modules/document-db/database-account/mongodb-database/README.md +++ /dev/null 
@@ -1,98 +0,0 @@
-# DocumentDB Database Account MongoDB Databases `[Microsoft.DocumentDB/databaseAccounts/mongodbDatabases]`
-
-This module deploys a MongoDB Database within a CosmosDB Account.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.DocumentDB/databaseAccounts/mongodbDatabases` | [2023-04-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DocumentDB/2023-04-15/databaseAccounts/mongodbDatabases) |
-| `Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections` | [2023-04-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DocumentDB/2023-04-15/databaseAccounts/mongodbDatabases/collections) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | Name of the mongodb database. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`databaseAccountName`](#parameter-databaseaccountname) | string | The name of the parent Cosmos DB database account. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`collections`](#parameter-collections) | array | Collections in the mongodb database. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`tags`](#parameter-tags) | object | Tags of the resource. |
-| [`throughput`](#parameter-throughput) | int | Name of the mongodb database. |
-
-### Parameter: `name`
-
-Name of the mongodb database.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `databaseAccountName`
-
-The name of the parent Cosmos DB database account. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `collections`
-
-Collections in the mongodb database.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `tags`
-
-Tags of the resource.
-
-- Required: No
-- Type: object
-
-### Parameter: `throughput`
-
-Name of the mongodb database.
-
-- Required: No
-- Type: int
-- Default: `400`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the mongodb database. |
-| `resourceGroupName` | string | The name of the resource group the mongodb database was created in. |
-| `resourceId` | string | The resource ID of the mongodb database. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/document-db/database-account/mongodb-database/collection/README.md b/modules/document-db/database-account/mongodb-database/collection/README.md
deleted file mode 100644
index da1fc38cd2..0000000000
--- a/modules/document-db/database-account/mongodb-database/collection/README.md
+++ /dev/null
@@ -1,237 +0,0 @@ -# DocumentDB Database Account MongoDB Database Collections `[Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections]` - -This module deploys a MongoDB Database Collection. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections` | [2023-04-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DocumentDB/2023-04-15/databaseAccounts/mongodbDatabases/collections) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`indexes`](#parameter-indexes) | array | Indexes for the collection. | -| [`name`](#parameter-name) | string | Name of the collection. | -| [`shardKey`](#parameter-shardkey) | object | ShardKey for the collection. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`databaseAccountName`](#parameter-databaseaccountname) | string | The name of the parent Cosmos DB database account. Required if the template is used in a standalone deployment. | -| [`mongodbDatabaseName`](#parameter-mongodbdatabasename) | string | The name of the parent mongodb database. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`throughput`](#parameter-throughput) | int | Name of the mongodb database. | - -### Parameter: `indexes` - -Indexes for the collection. - -- Required: Yes -- Type: array - -### Parameter: `name` - -Name of the collection. - -- Required: Yes -- Type: string - -### Parameter: `shardKey` - -ShardKey for the collection. 
- -- Required: Yes -- Type: object - -### Parameter: `databaseAccountName` - -The name of the parent Cosmos DB database account. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `mongodbDatabaseName` - -The name of the parent mongodb database. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `throughput` - -Name of the mongodb database. - -- Required: No -- Type: int -- Default: `400` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the mongodb database. | -| `resourceGroupName` | string | The name of the resource group the mongodb database was created in. | -| `resourceId` | string | The resource ID of the mongodb database. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `indexes` - -Array of index keys as MongoIndex. The array contains keys for each MongoDB collection in the Azure Cosmos DB service with a collection resource object (as `key`) and collection index options (as `options`). - -

- -Parameter JSON format - -```json -"indexes": { - "value": [ - { - "key": { - "keys": [ - "_id" - ] - } - }, - { - "key": { - "keys": [ - "$**" - ] - } - }, - { - "key": { - "keys": [ - "estate_id", - "estate_address" - ] - }, - "options": { - "unique": true - } - }, - { - "key": { - "keys": [ - "_ts" - ] - }, - "options": { - "expireAfterSeconds": 2629746 - } - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -indexes: [ - { - key: { - keys: [ - '_id' - ] - } - } - { - key: { - keys: [ - '$**' - ] - } - } - { - key: { - keys: [ - 'estate_id' - 'estate_address' - ] - } - options: { - unique: true - } - } - { - key: { - keys: [ - '_ts' - ] - } - options: { - expireAfterSeconds: 2629746 - } - } -] -``` - -
-

- -### Parameter Usage: `shardKey` - -The shard key and partition kind pair, only support "Hash" partition kind. - -

- -Parameter JSON format - -```json -"shardKey": { - "value": { - "estate_id": "Hash" - } -} -``` - -
- -
- -Bicep format - -```bicep -shardKey: { - estate_id: 'Hash' -} -``` - -
-

diff --git a/modules/document-db/database-account/mongodb-database/collection/main.bicep b/modules/document-db/database-account/mongodb-database/collection/main.bicep
deleted file mode 100644
index 2c4da8e886..0000000000
--- a/modules/document-db/database-account/mongodb-database/collection/main.bicep
+++ /dev/null
@@ -1,68 +0,0 @@
-metadata name = 'DocumentDB Database Account MongoDB Database Collections'
-metadata description = 'This module deploys a MongoDB Database Collection.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Cosmos DB database account. Required if the template is used in a standalone deployment.')
-param databaseAccountName string
-
-@description('Conditional. The name of the parent mongodb database. Required if the template is used in a standalone deployment.')
-param mongodbDatabaseName string
-
-@description('Required. Name of the collection.')
-param name string
-
-@description('Optional. Name of the mongodb database.')
-param throughput int = 400
-
-@description('Required. Indexes for the collection.')
-param indexes array
-
-@description('Required. ShardKey for the collection.')
-param shardKey object
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource databaseAccount 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' existing = {
- name: databaseAccountName
-
- resource mongodbDatabase 'mongodbDatabases@2023-04-15' existing = {
- name: mongodbDatabaseName
- }
-}
-
-resource collection 'Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections@2023-04-15' = {
- name: name
- parent: databaseAccount::mongodbDatabase
- properties: {
- options: contains(databaseAccount.properties.capabilities, { name: 'EnableServerless' }) ? null : {
- throughput: throughput
- }
- resource: {
- id: name
- indexes: indexes
- shardKey: shardKey
- }
- }
-}
-
-@description('The name of the mongodb database.')
-output name string = collection.name
-
-@description('The resource ID of the mongodb database.')
-output resourceId string = collection.id
-
-@description('The name of the resource group the mongodb database was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/document-db/database-account/mongodb-database/collection/main.json b/modules/document-db/database-account/mongodb-database/collection/main.json
deleted file mode 100644
index 85cb3ee998..0000000000
--- a/modules/document-db/database-account/mongodb-database/collection/main.json
+++ /dev/null
@@ -1,112 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2460347721734751381" - }, - "name": "DocumentDB Database Account MongoDB Database Collections", - "description": "This module deploys a MongoDB Database Collection.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "databaseAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Cosmos DB database account. Required if the template is used in a standalone deployment." - } - }, - "mongodbDatabaseName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent mongodb database. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the collection." - } - }, - "throughput": { - "type": "int", - "defaultValue": 400, - "metadata": { - "description": "Optional. Name of the mongodb database." - } - }, - "indexes": { - "type": "array", - "metadata": { - "description": "Required. Indexes for the collection." - } - }, - "shardKey": { - "type": "object", - "metadata": { - "description": "Required. ShardKey for the collection." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections", - "apiVersion": "2023-04-15", - "name": "[format('{0}/{1}/{2}', parameters('databaseAccountName'), parameters('mongodbDatabaseName'), parameters('name'))]", - "properties": { - "options": "[if(contains(reference(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), '2023-04-15').capabilities, createObject('name', 'EnableServerless')), null(), createObject('throughput', parameters('throughput')))]", - "resource": { - "id": "[parameters('name')]", - "indexes": "[parameters('indexes')]", - "shardKey": "[parameters('shardKey')]" - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the mongodb database." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the mongodb database." - }, - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections', parameters('databaseAccountName'), parameters('mongodbDatabaseName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the mongodb database was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file 
diff --git a/modules/document-db/database-account/mongodb-database/collection/version.json b/modules/document-db/database-account/mongodb-database/collection/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/document-db/database-account/mongodb-database/collection/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/document-db/database-account/mongodb-database/main.bicep b/modules/document-db/database-account/mongodb-database/main.bicep
deleted file mode 100644
index a66e001038..0000000000
--- a/modules/document-db/database-account/mongodb-database/main.bicep
+++ /dev/null
@@ -1,74 +0,0 @@ -metadata name = 'DocumentDB Database Account MongoDB Databases' -metadata description = 'This module deploys a MongoDB Database within a CosmosDB Account.' -metadata owner = 'Azure/module-maintainers' - -@description('Conditional. The name of the parent Cosmos DB database account. Required if the template is used in a standalone deployment.') -param databaseAccountName string - -@description('Required. Name of the mongodb database.') -param name string - -@description('Optional. Name of the mongodb database.') -param throughput int = 400 - -@description('Optional. Collections in the mongodb database.') -param collections array = [] - -@description('Optional. Tags of the resource.') -param tags object? - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var enableReferencedModulesTelemetry = false - -resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource databaseAccount 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' existing = { - name: databaseAccountName -} - -resource mongodbDatabase 'Microsoft.DocumentDB/databaseAccounts/mongodbDatabases@2023-04-15' = { - name: name - parent: databaseAccount - tags: tags - properties: { - resource: { - id: name - } - options: contains(databaseAccount.properties.capabilities, { name: 'EnableServerless' }) ? 
null : {
- throughput: throughput
- }
- }
-}
-
-module mongodbDatabase_collections 'collection/main.bicep' = [for collection in collections: {
- name: '${uniqueString(deployment().name, mongodbDatabase.name)}-collection-${collection.name}'
- params: {
- databaseAccountName: databaseAccountName
- mongodbDatabaseName: name
- name: collection.name
- indexes: collection.indexes
- shardKey: collection.shardKey
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-@description('The name of the mongodb database.')
-output name string = mongodbDatabase.name
-
-@description('The resource ID of the mongodb database.')
-output resourceId string = mongodbDatabase.id
-
-@description('The name of the resource group the mongodb database was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/document-db/database-account/mongodb-database/main.json b/modules/document-db/database-account/mongodb-database/main.json
deleted file mode 100644
index 5c79b10a6c..0000000000
--- a/modules/document-db/database-account/mongodb-database/main.json
+++ /dev/null
@@ -1,270 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10909630292111406683" - }, - "name": "DocumentDB Database Account MongoDB Databases", - "description": "This module deploys a MongoDB Database within a CosmosDB Account.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "databaseAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Cosmos DB database account. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the mongodb database." - } - }, - "throughput": { - "type": "int", - "defaultValue": 400, - "metadata": { - "description": "Optional. Name of the mongodb database." - } - }, - "collections": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Collections in the mongodb database." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "databaseAccount": { - "existing": true, - "type": "Microsoft.DocumentDB/databaseAccounts", - "apiVersion": "2023-04-15", - "name": "[parameters('databaseAccountName')]" - }, - "mongodbDatabase": { - "type": "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases", - "apiVersion": "2023-04-15", - "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "resource": { - "id": "[parameters('name')]" - }, - "options": "[if(contains(reference('databaseAccount').capabilities, createObject('name', 'EnableServerless')), null(), createObject('throughput', parameters('throughput')))]" - }, - "dependsOn": [ - "databaseAccount" - ] - }, - "mongodbDatabase_collections": { - "copy": { - "name": "mongodbDatabase_collections", - "count": "[length(parameters('collections'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-collection-{1}', uniqueString(deployment().name, parameters('name')), parameters('collections')[copyIndex()].name)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "databaseAccountName": { - "value": "[parameters('databaseAccountName')]" - }, - "mongodbDatabaseName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('collections')[copyIndex()].name]" - }, - 
"indexes": { - "value": "[parameters('collections')[copyIndex()].indexes]" - }, - "shardKey": { - "value": "[parameters('collections')[copyIndex()].shardKey]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2460347721734751381" - }, - "name": "DocumentDB Database Account MongoDB Database Collections", - "description": "This module deploys a MongoDB Database Collection.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "databaseAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Cosmos DB database account. Required if the template is used in a standalone deployment." - } - }, - "mongodbDatabaseName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent mongodb database. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the collection." - } - }, - "throughput": { - "type": "int", - "defaultValue": 400, - "metadata": { - "description": "Optional. Name of the mongodb database." - } - }, - "indexes": { - "type": "array", - "metadata": { - "description": "Required. Indexes for the collection." - } - }, - "shardKey": { - "type": "object", - "metadata": { - "description": "Required. ShardKey for the collection." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections", - "apiVersion": "2023-04-15", - "name": "[format('{0}/{1}/{2}', parameters('databaseAccountName'), parameters('mongodbDatabaseName'), parameters('name'))]", - "properties": { - "options": "[if(contains(reference(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), '2023-04-15').capabilities, createObject('name', 'EnableServerless')), null(), createObject('throughput', parameters('throughput')))]", - "resource": { - "id": "[parameters('name')]", - "indexes": "[parameters('indexes')]", - "shardKey": "[parameters('shardKey')]" - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the mongodb database." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the mongodb database." - }, - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections', parameters('databaseAccountName'), parameters('mongodbDatabaseName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the mongodb database was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "mongodbDatabase" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the mongodb database." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the mongodb database." - }, - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/mongodbDatabases', parameters('databaseAccountName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the mongodb database was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/document-db/database-account/mongodb-database/version.json b/modules/document-db/database-account/mongodb-database/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/document-db/database-account/mongodb-database/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/document-db/database-account/sql-database/README.md b/modules/document-db/database-account/sql-database/README.md deleted file mode 100644 index 96ae778d2c..0000000000 --- a/modules/document-db/database-account/sql-database/README.md +++ /dev/null 
@@ -1,107 +0,0 @@ -# DocumentDB Database Account SQL Databases `[Microsoft.DocumentDB/databaseAccounts/sqlDatabases]` - -This module deploys a SQL Database in a CosmosDB Account. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.DocumentDB/databaseAccounts/sqlDatabases` | [2023-04-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DocumentDB/2023-04-15/databaseAccounts/sqlDatabases) | -| `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers` | [2023-04-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DocumentDB/2023-04-15/databaseAccounts/sqlDatabases/containers) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the SQL database . | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`databaseAccountName`](#parameter-databaseaccountname) | string | The name of the parent Database Account. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`autoscaleSettingsMaxThroughput`](#parameter-autoscalesettingsmaxthroughput) | int | Specifies the Autoscale settings and represents maximum throughput, the resource can scale up to. The autoscale throughput should have valid throughput values between 1000 and 1000000 inclusive in increments of 1000. If value is set to -1, then the property will be set to null and autoscale will be disabled. | -| [`containers`](#parameter-containers) | array | Array of containers to deploy in the SQL database. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). 
| -| [`tags`](#parameter-tags) | object | Tags of the SQL database resource. | -| [`throughput`](#parameter-throughput) | int | Request units per second. Will be set to null if autoscaleSettingsMaxThroughput is used. | - -### Parameter: `name` - -Name of the SQL database . - -- Required: Yes -- Type: string - -### Parameter: `databaseAccountName` - -The name of the parent Database Account. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `autoscaleSettingsMaxThroughput` - -Specifies the Autoscale settings and represents maximum throughput, the resource can scale up to. The autoscale throughput should have valid throughput values between 1000 and 1000000 inclusive in increments of 1000. If value is set to -1, then the property will be set to null and autoscale will be disabled. - -- Required: No -- Type: int -- Default: `-1` - -### Parameter: `containers` - -Array of containers to deploy in the SQL database. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `tags` - -Tags of the SQL database resource. - -- Required: No -- Type: object - -### Parameter: `throughput` - -Request units per second. Will be set to null if autoscaleSettingsMaxThroughput is used. - -- Required: No -- Type: int -- Default: `400` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the SQL database. | -| `resourceGroupName` | string | The name of the resource group the SQL database was created in. | -| `resourceId` | string | The resource ID of the SQL database. | - -## Cross-referenced modules - -_None_ 
diff --git a/modules/document-db/database-account/sql-database/container/README.md b/modules/document-db/database-account/sql-database/container/README.md
deleted file mode 100644
index 8876592f85..0000000000
--- a/modules/document-db/database-account/sql-database/container/README.md
+++ /dev/null
@@ -1,221 +0,0 @@ -# DocumentDB Database Account SQL Database Containers `[Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers]` - -This module deploys a SQL Database Container in a CosmosDB Account. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers` | [2023-04-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DocumentDB/2023-04-15/databaseAccounts/sqlDatabases/containers) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the container. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`databaseAccountName`](#parameter-databaseaccountname) | string | The name of the parent Database Account. Required if the template is used in a standalone deployment. | -| [`sqlDatabaseName`](#parameter-sqldatabasename) | string | The name of the parent SQL Database. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`analyticalStorageTtl`](#parameter-analyticalstoragettl) | int | Indicates how long data should be retained in the analytical store, for a container. Analytical store is enabled when ATTL is set with a value other than 0. If the value is set to -1, the analytical store retains all historical data, irrespective of the retention of the data in the transactional store. | -| [`autoscaleSettingsMaxThroughput`](#parameter-autoscalesettingsmaxthroughput) | int | Specifies the Autoscale settings and represents maximum throughput, the resource can scale up to. 
The autoscale throughput should have valid throughput values between 1000 and 1000000 inclusive in increments of 1000. If value is set to -1, then the property will be set to null and autoscale will be disabled. | -| [`conflictResolutionPolicy`](#parameter-conflictresolutionpolicy) | object | The conflict resolution policy for the container. Conflicts and conflict resolution policies are applicable if the Azure Cosmos DB account is configured with multiple write regions. | -| [`defaultTtl`](#parameter-defaultttl) | int | Default time to live (in seconds). With Time to Live or TTL, Azure Cosmos DB provides the ability to delete items automatically from a container after a certain time period. If the value is set to "-1", it is equal to infinity, and items dont expire by default. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`indexingPolicy`](#parameter-indexingpolicy) | object | Indexing policy of the container. | -| [`kind`](#parameter-kind) | string | Indicates the kind of algorithm used for partitioning. | -| [`paths`](#parameter-paths) | array | List of paths using which data within the container can be partitioned. | -| [`tags`](#parameter-tags) | object | Tags of the SQL Database resource. | -| [`throughput`](#parameter-throughput) | int | Request Units per second. Will be set to null if autoscaleSettingsMaxThroughput is used. | -| [`uniqueKeyPolicyKeys`](#parameter-uniquekeypolicykeys) | array | The unique key policy configuration containing a list of unique keys that enforces uniqueness constraint on documents in the collection in the Azure Cosmos DB service. | - -### Parameter: `name` - -Name of the container. - -- Required: Yes -- Type: string - -### Parameter: `databaseAccountName` - -The name of the parent Database Account. Required if the template is used in a standalone deployment. 
- -- Required: Yes -- Type: string - -### Parameter: `sqlDatabaseName` - -The name of the parent SQL Database. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `analyticalStorageTtl` - -Indicates how long data should be retained in the analytical store, for a container. Analytical store is enabled when ATTL is set with a value other than 0. If the value is set to -1, the analytical store retains all historical data, irrespective of the retention of the data in the transactional store. - -- Required: No -- Type: int -- Default: `0` - -### Parameter: `autoscaleSettingsMaxThroughput` - -Specifies the Autoscale settings and represents maximum throughput, the resource can scale up to. The autoscale throughput should have valid throughput values between 1000 and 1000000 inclusive in increments of 1000. If value is set to -1, then the property will be set to null and autoscale will be disabled. - -- Required: No -- Type: int -- Default: `-1` - -### Parameter: `conflictResolutionPolicy` - -The conflict resolution policy for the container. Conflicts and conflict resolution policies are applicable if the Azure Cosmos DB account is configured with multiple write regions. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `defaultTtl` - -Default time to live (in seconds). With Time to Live or TTL, Azure Cosmos DB provides the ability to delete items automatically from a container after a certain time period. If the value is set to "-1", it is equal to infinity, and items dont expire by default. - -- Required: No -- Type: int -- Default: `-1` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `indexingPolicy` - -Indexing policy of the container. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `kind` - -Indicates the kind of algorithm used for partitioning. 
- -- Required: No -- Type: string -- Default: `'Hash'` -- Allowed: - ```Bicep - [ - 'Hash' - 'MultiHash' - 'Range' - ] - ``` - -### Parameter: `paths` - -List of paths using which data within the container can be partitioned. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `tags` - -Tags of the SQL Database resource. - -- Required: No -- Type: object - -### Parameter: `throughput` - -Request Units per second. Will be set to null if autoscaleSettingsMaxThroughput is used. - -- Required: No -- Type: int -- Default: `400` - -### Parameter: `uniqueKeyPolicyKeys` - -The unique key policy configuration containing a list of unique keys that enforces uniqueness constraint on documents in the collection in the Azure Cosmos DB service. - -- Required: No -- Type: array -- Default: `[]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the container. | -| `resourceGroupName` | string | The name of the resource group the container was created in. | -| `resourceId` | string | The resource ID of the container. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `indexingPolicy` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"indexingPolicy": { - "indexingMode": "consistent", - "includedPaths": [ - { - "path": "/*" - } - ], - "excludedPaths": [ - ] -} -``` - -
- -
- -Bicep format - -```bicep -indexingPolicy: { - indexingMode: 'consistent' - includedPaths: [ - { - path: '/*' - } - ] - excludedPaths: [] -} -``` - -
-

diff --git a/modules/document-db/database-account/sql-database/container/main.bicep b/modules/document-db/database-account/sql-database/container/main.bicep
deleted file mode 100644
index 003b8dc007..0000000000
--- a/modules/document-db/database-account/sql-database/container/main.bicep
+++ /dev/null
@@ -1,110 +0,0 @@ -metadata name = 'DocumentDB Database Account SQL Database Containers' -metadata description = 'This module deploys a SQL Database Container in a CosmosDB Account.' -metadata owner = 'Azure/module-maintainers' - -@description('Conditional. The name of the parent Database Account. Required if the template is used in a standalone deployment.') -param databaseAccountName string - -@description('Conditional. The name of the parent SQL Database. Required if the template is used in a standalone deployment.') -param sqlDatabaseName string - -@description('Required. Name of the container.') -param name string - -@description('Optional. Indicates how long data should be retained in the analytical store, for a container. Analytical store is enabled when ATTL is set with a value other than 0. If the value is set to -1, the analytical store retains all historical data, irrespective of the retention of the data in the transactional store.') -param analyticalStorageTtl int = 0 - -@description('Optional. The conflict resolution policy for the container. Conflicts and conflict resolution policies are applicable if the Azure Cosmos DB account is configured with multiple write regions.') -param conflictResolutionPolicy object = {} - -@maxValue(2147483647) -@minValue(-1) -@description('Optional. Default time to live (in seconds). With Time to Live or TTL, Azure Cosmos DB provides the ability to delete items automatically from a container after a certain time period. If the value is set to "-1", it is equal to infinity, and items dont expire by default.') -param defaultTtl int = -1 - -@description('Optional. Request Units per second. Will be set to null if autoscaleSettingsMaxThroughput is used.') -param throughput int = 400 - -@maxValue(1000000) -@description('Optional. Specifies the Autoscale settings and represents maximum throughput, the resource can scale up to. 
The autoscale throughput should have valid throughput values between 1000 and 1000000 inclusive in increments of 1000. If value is set to -1, then the property will be set to null and autoscale will be disabled.') -param autoscaleSettingsMaxThroughput int = -1 - -@description('Optional. Tags of the SQL Database resource.') -param tags object? - -@description('Optional. List of paths using which data within the container can be partitioned.') -param paths array = [] - -@description('Optional. Indexing policy of the container.') -param indexingPolicy object = {} - -@description('Optional. The unique key policy configuration containing a list of unique keys that enforces uniqueness constraint on documents in the collection in the Azure Cosmos DB service.') -param uniqueKeyPolicyKeys array = [] - -@description('Optional. Indicates the kind of algorithm used for partitioning.') -@allowed([ - 'Hash' - 'MultiHash' - 'Range' -]) -param kind string = 'Hash' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource databaseAccount 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' existing = { - name: databaseAccountName - - resource sqlDatabase 'sqlDatabases@2023-04-15' existing = { - name: sqlDatabaseName - } -} - -resource container 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers@2023-04-15' = { - name: name - parent: databaseAccount::sqlDatabase - tags: tags - properties: { - resource: { - analyticalStorageTtl: analyticalStorageTtl - conflictResolutionPolicy: conflictResolutionPolicy - 
defaultTtl: defaultTtl - id: name - indexingPolicy: !empty(indexingPolicy) ? indexingPolicy : null - partitionKey: { - paths: paths - kind: kind - } - uniqueKeyPolicy: !empty(uniqueKeyPolicyKeys) ? { - uniqueKeys: uniqueKeyPolicyKeys - } : null - } - options: contains(databaseAccount.properties.capabilities, { name: 'EnableServerless' }) ? null : { - throughput: autoscaleSettingsMaxThroughput == -1 ? throughput : null - autoscaleSettings: autoscaleSettingsMaxThroughput != -1 ? { - maxThroughput: autoscaleSettingsMaxThroughput - } : null - } - } -} - -@description('The name of the container.') -output name string = container.name - -@description('The resource ID of the container.') -output resourceId string = container.id - -@description('The name of the resource group the container was created in.') -output resourceGroupName string = resourceGroup().name diff --git a/modules/document-db/database-account/sql-database/container/main.json b/modules/document-db/database-account/sql-database/container/main.json deleted file mode 100644 index 9166dbfa7a..0000000000 --- a/modules/document-db/database-account/sql-database/container/main.json +++ /dev/null 
@@ -1,198 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "7712060799698135624" - }, - "name": "DocumentDB Database Account SQL Database Containers", - "description": "This module deploys a SQL Database Container in a CosmosDB Account.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "databaseAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Database Account. Required if the template is used in a standalone deployment." - } - }, - "sqlDatabaseName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL Database. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the container." - } - }, - "analyticalStorageTtl": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. Indicates how long data should be retained in the analytical store, for a container. Analytical store is enabled when ATTL is set with a value other than 0. If the value is set to -1, the analytical store retains all historical data, irrespective of the retention of the data in the transactional store." - } - }, - "conflictResolutionPolicy": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The conflict resolution policy for the container. Conflicts and conflict resolution policies are applicable if the Azure Cosmos DB account is configured with multiple write regions." - } - }, - "defaultTtl": { - "type": "int", - "defaultValue": -1, - "minValue": -1, - "maxValue": 2147483647, - "metadata": { - "description": "Optional. Default time to live (in seconds). 
With Time to Live or TTL, Azure Cosmos DB provides the ability to delete items automatically from a container after a certain time period. If the value is set to \"-1\", it is equal to infinity, and items dont expire by default." - } - }, - "throughput": { - "type": "int", - "defaultValue": 400, - "metadata": { - "description": "Optional. Request Units per second. Will be set to null if autoscaleSettingsMaxThroughput is used." - } - }, - "autoscaleSettingsMaxThroughput": { - "type": "int", - "defaultValue": -1, - "maxValue": 1000000, - "metadata": { - "description": "Optional. Specifies the Autoscale settings and represents maximum throughput, the resource can scale up to. The autoscale throughput should have valid throughput values between 1000 and 1000000 inclusive in increments of 1000. If value is set to -1, then the property will be set to null and autoscale will be disabled." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the SQL Database resource." - } - }, - "paths": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of paths using which data within the container can be partitioned." - } - }, - "indexingPolicy": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Indexing policy of the container." - } - }, - "uniqueKeyPolicyKeys": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The unique key policy configuration containing a list of unique keys that enforces uniqueness constraint on documents in the collection in the Azure Cosmos DB service." - } - }, - "kind": { - "type": "string", - "defaultValue": "Hash", - "allowedValues": [ - "Hash", - "MultiHash", - "Range" - ], - "metadata": { - "description": "Optional. Indicates the kind of algorithm used for partitioning." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": { - "databaseAccount::sqlDatabase": { - "existing": true, - "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases", - "apiVersion": "2023-04-15", - "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('sqlDatabaseName'))]", - "dependsOn": [ - "databaseAccount" - ] - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "databaseAccount": { - "existing": true, - "type": "Microsoft.DocumentDB/databaseAccounts", - "apiVersion": "2023-04-15", - "name": "[parameters('databaseAccountName')]" - }, - "container": { - "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers", - "apiVersion": "2023-04-15", - "name": "[format('{0}/{1}/{2}', parameters('databaseAccountName'), parameters('sqlDatabaseName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "resource": { - "analyticalStorageTtl": "[parameters('analyticalStorageTtl')]", - "conflictResolutionPolicy": "[parameters('conflictResolutionPolicy')]", - "defaultTtl": "[parameters('defaultTtl')]", - "id": "[parameters('name')]", - "indexingPolicy": "[if(not(empty(parameters('indexingPolicy'))), parameters('indexingPolicy'), null())]", - "partitionKey": { - "paths": "[parameters('paths')]", - "kind": "[parameters('kind')]" - }, - "uniqueKeyPolicy": "[if(not(empty(parameters('uniqueKeyPolicyKeys'))), createObject('uniqueKeys', 
parameters('uniqueKeyPolicyKeys')), null())]" - }, - "options": "[if(contains(reference('databaseAccount').capabilities, createObject('name', 'EnableServerless')), null(), createObject('throughput', if(equals(parameters('autoscaleSettingsMaxThroughput'), -1), parameters('throughput'), null()), 'autoscaleSettings', if(not(equals(parameters('autoscaleSettingsMaxThroughput'), -1)), createObject('maxThroughput', parameters('autoscaleSettingsMaxThroughput')), null())))]" - }, - "dependsOn": [ - "databaseAccount::sqlDatabase" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the container." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the container." - }, - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers', parameters('databaseAccountName'), parameters('sqlDatabaseName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the container was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/document-db/database-account/sql-database/container/version.json b/modules/document-db/database-account/sql-database/container/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/document-db/database-account/sql-database/container/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/document-db/database-account/sql-database/main.bicep b/modules/document-db/database-account/sql-database/main.bicep deleted file mode 100644 index 1d931a726b..0000000000 --- a/modules/document-db/database-account/sql-database/main.bicep +++ /dev/null 
@@ -1,87 +0,0 @@
-metadata name = 'DocumentDB Database Account SQL Databases'
-metadata description = 'This module deploys a SQL Database in a CosmosDB Account.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Database Account. Required if the template is used in a standalone deployment.')
-param databaseAccountName string
-
-@description('Required. Name of the SQL database .')
-param name string
-
-@description('Optional. Array of containers to deploy in the SQL database.')
-param containers array = []
-
-@description('Optional. Request units per second. Will be set to null if autoscaleSettingsMaxThroughput is used.')
-param throughput int = 400
-
-@description('Optional. Specifies the Autoscale settings and represents maximum throughput, the resource can scale up to. The autoscale throughput should have valid throughput values between 1000 and 1000000 inclusive in increments of 1000. If value is set to -1, then the property will be set to null and autoscale will be disabled.')
-param autoscaleSettingsMaxThroughput int = -1
-
-@description('Optional. Tags of the SQL database resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource databaseAccount 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' existing = {
- name: databaseAccountName
-}
-
-resource sqlDatabase 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases@2023-04-15' = {
- name: name
- parent: databaseAccount
- tags: tags
- properties: {
- resource: {
- id: name
- }
- options: contains(databaseAccount.properties.capabilities, { name: 'EnableServerless' }) ? null : {
- throughput: autoscaleSettingsMaxThroughput == -1 ? throughput : null
- autoscaleSettings: autoscaleSettingsMaxThroughput != -1 ? {
- maxThroughput: autoscaleSettingsMaxThroughput
- } : null
- }
- }
-}
-
-module container 'container/main.bicep' = [for container in containers: {
- name: '${uniqueString(deployment().name, sqlDatabase.name)}-sqldb-${container.name}'
- params: {
- databaseAccountName: databaseAccountName
- sqlDatabaseName: name
- name: container.name
- analyticalStorageTtl: contains(container, 'analyticalStorageTtl') ? container.analyticalStorageTtl : 0
- autoscaleSettingsMaxThroughput: contains(container, 'autoscaleSettingsMaxThroughput') ? container.autoscaleSettingsMaxThroughput : -1
- conflictResolutionPolicy: contains(container, 'conflictResolutionPolicy') ? container.conflictResolutionPolicy : {}
- defaultTtl: contains(container, 'defaultTtl') ? container.defaultTtl : -1
- indexingPolicy: contains(container, 'indexingPolicy') ? container.indexingPolicy : {}
- kind: contains(container, 'kind') ? container.kind : 'Hash'
- paths: contains(container, 'paths') ? container.paths : []
- throughput: contains(container, 'throughput') ? container.throughput : 400
- uniqueKeyPolicyKeys: contains(container, 'uniqueKeyPolicyKeys') ? container.uniqueKeyPolicyKeys : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-@description('The name of the SQL database.')
-output name string = sqlDatabase.name
-
-@description('The resource ID of the SQL database.')
-output resourceId string = sqlDatabase.id
-
-@description('The name of the resource group the SQL database was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/document-db/database-account/sql-database/main.json b/modules/document-db/database-account/sql-database/main.json
deleted file mode 100644
index bc17eea062..0000000000
--- a/modules/document-db/database-account/sql-database/main.json
+++ /dev/null
@@ -1,366 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5236608683863945170" - }, - "name": "DocumentDB Database Account SQL Databases", - "description": "This module deploys a SQL Database in a CosmosDB Account.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "databaseAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Database Account. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the SQL database ." - } - }, - "containers": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of containers to deploy in the SQL database." - } - }, - "throughput": { - "type": "int", - "defaultValue": 400, - "metadata": { - "description": "Optional. Request units per second. Will be set to null if autoscaleSettingsMaxThroughput is used." - } - }, - "autoscaleSettingsMaxThroughput": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Specifies the Autoscale settings and represents maximum throughput, the resource can scale up to. The autoscale throughput should have valid throughput values between 1000 and 1000000 inclusive in increments of 1000. If value is set to -1, then the property will be set to null and autoscale will be disabled." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the SQL database resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "databaseAccount": { - "existing": true, - "type": "Microsoft.DocumentDB/databaseAccounts", - "apiVersion": "2023-04-15", - "name": "[parameters('databaseAccountName')]" - }, - "sqlDatabase": { - "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases", - "apiVersion": "2023-04-15", - "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "resource": { - "id": "[parameters('name')]" - }, - "options": "[if(contains(reference('databaseAccount').capabilities, createObject('name', 'EnableServerless')), null(), createObject('throughput', if(equals(parameters('autoscaleSettingsMaxThroughput'), -1), parameters('throughput'), null()), 'autoscaleSettings', if(not(equals(parameters('autoscaleSettingsMaxThroughput'), -1)), createObject('maxThroughput', parameters('autoscaleSettingsMaxThroughput')), null())))]" - }, - "dependsOn": [ - "databaseAccount" - ] - }, - "container": { - "copy": { - "name": "container", - "count": "[length(parameters('containers'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-sqldb-{1}', uniqueString(deployment().name, parameters('name')), parameters('containers')[copyIndex()].name)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "databaseAccountName": { - "value": 
"[parameters('databaseAccountName')]" - }, - "sqlDatabaseName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('containers')[copyIndex()].name]" - }, - "analyticalStorageTtl": "[if(contains(parameters('containers')[copyIndex()], 'analyticalStorageTtl'), createObject('value', parameters('containers')[copyIndex()].analyticalStorageTtl), createObject('value', 0))]", - "autoscaleSettingsMaxThroughput": "[if(contains(parameters('containers')[copyIndex()], 'autoscaleSettingsMaxThroughput'), createObject('value', parameters('containers')[copyIndex()].autoscaleSettingsMaxThroughput), createObject('value', -1))]", - "conflictResolutionPolicy": "[if(contains(parameters('containers')[copyIndex()], 'conflictResolutionPolicy'), createObject('value', parameters('containers')[copyIndex()].conflictResolutionPolicy), createObject('value', createObject()))]", - "defaultTtl": "[if(contains(parameters('containers')[copyIndex()], 'defaultTtl'), createObject('value', parameters('containers')[copyIndex()].defaultTtl), createObject('value', -1))]", - "indexingPolicy": "[if(contains(parameters('containers')[copyIndex()], 'indexingPolicy'), createObject('value', parameters('containers')[copyIndex()].indexingPolicy), createObject('value', createObject()))]", - "kind": "[if(contains(parameters('containers')[copyIndex()], 'kind'), createObject('value', parameters('containers')[copyIndex()].kind), createObject('value', 'Hash'))]", - "paths": "[if(contains(parameters('containers')[copyIndex()], 'paths'), createObject('value', parameters('containers')[copyIndex()].paths), createObject('value', createArray()))]", - "throughput": "[if(contains(parameters('containers')[copyIndex()], 'throughput'), createObject('value', parameters('containers')[copyIndex()].throughput), createObject('value', 400))]", - "uniqueKeyPolicyKeys": "[if(contains(parameters('containers')[copyIndex()], 'uniqueKeyPolicyKeys'), createObject('value', 
parameters('containers')[copyIndex()].uniqueKeyPolicyKeys), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "7712060799698135624" - }, - "name": "DocumentDB Database Account SQL Database Containers", - "description": "This module deploys a SQL Database Container in a CosmosDB Account.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "databaseAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Database Account. Required if the template is used in a standalone deployment." - } - }, - "sqlDatabaseName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL Database. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the container." - } - }, - "analyticalStorageTtl": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. Indicates how long data should be retained in the analytical store, for a container. Analytical store is enabled when ATTL is set with a value other than 0. If the value is set to -1, the analytical store retains all historical data, irrespective of the retention of the data in the transactional store." - } - }, - "conflictResolutionPolicy": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The conflict resolution policy for the container. Conflicts and conflict resolution policies are applicable if the Azure Cosmos DB account is configured with multiple write regions." 
- } - }, - "defaultTtl": { - "type": "int", - "defaultValue": -1, - "minValue": -1, - "maxValue": 2147483647, - "metadata": { - "description": "Optional. Default time to live (in seconds). With Time to Live or TTL, Azure Cosmos DB provides the ability to delete items automatically from a container after a certain time period. If the value is set to \"-1\", it is equal to infinity, and items dont expire by default." - } - }, - "throughput": { - "type": "int", - "defaultValue": 400, - "metadata": { - "description": "Optional. Request Units per second. Will be set to null if autoscaleSettingsMaxThroughput is used." - } - }, - "autoscaleSettingsMaxThroughput": { - "type": "int", - "defaultValue": -1, - "maxValue": 1000000, - "metadata": { - "description": "Optional. Specifies the Autoscale settings and represents maximum throughput, the resource can scale up to. The autoscale throughput should have valid throughput values between 1000 and 1000000 inclusive in increments of 1000. If value is set to -1, then the property will be set to null and autoscale will be disabled." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the SQL Database resource." - } - }, - "paths": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of paths using which data within the container can be partitioned." - } - }, - "indexingPolicy": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Indexing policy of the container." - } - }, - "uniqueKeyPolicyKeys": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The unique key policy configuration containing a list of unique keys that enforces uniqueness constraint on documents in the collection in the Azure Cosmos DB service." 
- } - }, - "kind": { - "type": "string", - "defaultValue": "Hash", - "allowedValues": [ - "Hash", - "MultiHash", - "Range" - ], - "metadata": { - "description": "Optional. Indicates the kind of algorithm used for partitioning." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": { - "databaseAccount::sqlDatabase": { - "existing": true, - "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases", - "apiVersion": "2023-04-15", - "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('sqlDatabaseName'))]", - "dependsOn": [ - "databaseAccount" - ] - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "databaseAccount": { - "existing": true, - "type": "Microsoft.DocumentDB/databaseAccounts", - "apiVersion": "2023-04-15", - "name": "[parameters('databaseAccountName')]" - }, - "container": { - "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers", - "apiVersion": "2023-04-15", - "name": "[format('{0}/{1}/{2}', parameters('databaseAccountName'), parameters('sqlDatabaseName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "resource": { - "analyticalStorageTtl": "[parameters('analyticalStorageTtl')]", - "conflictResolutionPolicy": "[parameters('conflictResolutionPolicy')]", - "defaultTtl": "[parameters('defaultTtl')]", - "id": "[parameters('name')]", - "indexingPolicy": "[if(not(empty(parameters('indexingPolicy'))), 
parameters('indexingPolicy'), null())]", - "partitionKey": { - "paths": "[parameters('paths')]", - "kind": "[parameters('kind')]" - }, - "uniqueKeyPolicy": "[if(not(empty(parameters('uniqueKeyPolicyKeys'))), createObject('uniqueKeys', parameters('uniqueKeyPolicyKeys')), null())]" - }, - "options": "[if(contains(reference('databaseAccount').capabilities, createObject('name', 'EnableServerless')), null(), createObject('throughput', if(equals(parameters('autoscaleSettingsMaxThroughput'), -1), parameters('throughput'), null()), 'autoscaleSettings', if(not(equals(parameters('autoscaleSettingsMaxThroughput'), -1)), createObject('maxThroughput', parameters('autoscaleSettingsMaxThroughput')), null())))]" - }, - "dependsOn": [ - "databaseAccount::sqlDatabase" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the container." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the container." - }, - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers', parameters('databaseAccountName'), parameters('sqlDatabaseName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the container was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "sqlDatabase" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the SQL database." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the SQL database." 
- }, - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the SQL database was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/document-db/database-account/sql-database/version.json b/modules/document-db/database-account/sql-database/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/document-db/database-account/sql-database/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/document-db/database-account/tests/e2e/gremlindb/dependencies.bicep b/modules/document-db/database-account/tests/e2e/gremlindb/dependencies.bicep deleted file mode 100644 index f92185e3e8..0000000000 --- a/modules/document-db/database-account/tests/e2e/gremlindb/dependencies.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Deployment Script to create to get the paired region name.')
-param pairedRegionScriptName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
- name: managedIdentityName
- location: location
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${location}-${managedIdentity.id}-Reader-RoleAssignment')
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') // Reader
- principalType: 'ServicePrincipal'
- }
-}
-
-resource getPairedRegionScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
- name: pairedRegionScriptName
- location: location
- kind: 'AzurePowerShell'
- identity: {
- type: 'UserAssigned'
- userAssignedIdentities: {
- '${managedIdentity.id}': {}
- }
- }
- properties: {
- azPowerShellVersion: '8.0'
- retentionInterval: 'P1D'
- arguments: '-Location \\"${location}\\"'
- scriptContent: loadTextContent('../../../../../.shared/.scripts/Get-PairedRegion.ps1')
- }
- dependsOn: [
- roleAssignment
- ]
-}
-
-@description('The name of the paired region.')
-output pairedRegionName string = getPairedRegionScript.properties.outputs.pairedRegionName
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/document-db/database-account/tests/e2e/gremlindb/main.test.bicep b/modules/document-db/database-account/tests/e2e/gremlindb/main.test.bicep
deleted file mode 100644
index 49de1571cd..0000000000
--- a/modules/document-db/database-account/tests/e2e/gremlindb/main.test.bicep
+++ /dev/null
@@ -1,171 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-documentdb.databaseaccounts-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dddagrm'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}002'
- locations: [
- {
- failoverPriority: 0
- isZoneRedundant: false
- locationName: location
- }
- {
- failoverPriority: 1
- isZoneRedundant: false
- locationName: nestedDependencies.outputs.pairedRegionName
- }
- ]
- capabilitiesToAdd: [
- 'EnableGremlin'
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- gremlinDatabases: [
- {
- graphs: [
- {
- indexingPolicy: {
- automatic: true
- }
- name: 'car_collection'
- partitionKeyPaths: [
- '/car_id'
- ]
- }
- {
- indexingPolicy: {
- automatic: true
- }
- name: 'truck_collection'
- partitionKeyPaths: [
- '/truck_id'
- ]
- }
- ]
- name: '${namePrefix}-gdb-${serviceShort}-001'
- }
- {
- collections: [
- {
- indexingPolicy: {
- automatic: true
- }
- name: 'bike_collection'
- partitionKeyPaths: [
- '/bike_id'
- ]
- }
- {
- indexingPolicy: {
- automatic: true
- }
- name: 'bicycle_collection'
- partitionKeyPaths: [
- '/bicycle_id'
- ]
- }
- ]
- name: '${namePrefix}-gdb-${serviceShort}-002'
- }
- ]
- location: location
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- managedIdentities: {
- systemAssigned: true
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
diff --git a/modules/document-db/database-account/tests/e2e/mongodb/dependencies.bicep b/modules/document-db/database-account/tests/e2e/mongodb/dependencies.bicep
deleted file mode 100644
index f92185e3e8..0000000000
--- a/modules/document-db/database-account/tests/e2e/mongodb/dependencies.bicep
+++ /dev/null
@@ -1,49 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Deployment Script to create to get the paired region name.')
-param pairedRegionScriptName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
- name: managedIdentityName
- location: location
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${location}-${managedIdentity.id}-Reader-RoleAssignment')
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') // Reader
- principalType: 'ServicePrincipal'
- }
-}
-
-resource getPairedRegionScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
- name: pairedRegionScriptName
- location: location
- kind: 'AzurePowerShell'
- identity: {
- type: 'UserAssigned'
- userAssignedIdentities: {
- '${managedIdentity.id}': {}
- }
- }
- properties: {
- azPowerShellVersion: '8.0'
- retentionInterval: 'P1D'
- arguments: '-Location \\"${location}\\"'
- scriptContent: loadTextContent('../../../../../.shared/.scripts/Get-PairedRegion.ps1')
- }
- dependsOn: [
- roleAssignment
- ]
-}
-
-@description('The name of the paired region.')
-output pairedRegionName string = getPairedRegionScript.properties.outputs.pairedRegionName
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/document-db/database-account/tests/e2e/mongodb/main.test.bicep b/modules/document-db/database-account/tests/e2e/mongodb/main.test.bicep
deleted file mode 100644
index 6acaad1ecb..0000000000
--- a/modules/document-db/database-account/tests/e2e/mongodb/main.test.bicep
+++ /dev/null
@@ -1,304 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-documentdb.databaseaccounts-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dddamng' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// 
============== // - -module testDeployment '../../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - locations: [ - { - failoverPriority: 0 - isZoneRedundant: false - locationName: location - } - { - failoverPriority: 1 - isZoneRedundant: false - locationName: nestedDependencies.outputs.pairedRegionName - } - ] - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - location: location - mongodbDatabases: [ - { - collections: [ - { - indexes: [ - { - key: { - keys: [ - '_id' - ] - } - } - { - key: { - keys: [ - '$**' - ] - } - } - { - key: { - keys: [ - 'car_id' - 'car_model' - ] - } - options: { - unique: true - } - } - { - key: { - keys: [ - '_ts' - ] - } - options: { - expireAfterSeconds: 2629746 - } - } - ] - name: 'car_collection' - shardKey: { - car_id: 'Hash' - } - } - { - indexes: [ - { - key: { - keys: [ - '_id' - ] - } - } - { - key: { - keys: [ - '$**' - ] - } - } - { - key: { - keys: [ - 'truck_id' - 'truck_model' - ] - } - options: { - unique: true - } - } - { - key: { - keys: [ - '_ts' - ] - } - options: { - expireAfterSeconds: 2629746 - } - } - ] - name: 'truck_collection' - shardKey: { - truck_id: 'Hash' - } - } - ] - name: '${namePrefix}-mdb-${serviceShort}-001' - } - { - collections: [ - { - indexes: [ - { - key: { - keys: [ - '_id' - ] - } - } - { - key: { - keys: [ - '$**' - ] - } - } - { - key: { - keys: [ - 'bike_id' - 'bike_model' - ] - } - options: { - unique: true - } - 
} - { - key: { - keys: [ - '_ts' - ] - } - options: { - expireAfterSeconds: 2629746 - } - } - ] - name: 'bike_collection' - shardKey: { - bike_id: 'Hash' - } - } - { - indexes: [ - { - key: { - keys: [ - '_id' - ] - } - } - { - key: { - keys: [ - '$**' - ] - } - } - { - key: { - keys: [ - 'bicycle_id' - 'bicycle_model' - ] - } - options: { - unique: true - } - } - { - key: { - keys: [ - '_ts' - ] - } - options: { - expireAfterSeconds: 2629746 - } - } - ] - name: 'bicycle_collection' - shardKey: { - bicycle_id: 'Hash' - } - } - ] - name: '${namePrefix}-mdb-${serviceShort}-002' - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - managedIdentities: { - systemAssigned: true - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} diff --git a/modules/document-db/database-account/tests/e2e/plain/dependencies.bicep b/modules/document-db/database-account/tests/e2e/plain/dependencies.bicep deleted file mode 100644 index f92185e3e8..0000000000 --- a/modules/document-db/database-account/tests/e2e/plain/dependencies.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Deployment Script to create to get the paired region name.')
-param pairedRegionScriptName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
- name: managedIdentityName
- location: location
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${location}-${managedIdentity.id}-Reader-RoleAssignment')
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') // Reader
- principalType: 'ServicePrincipal'
- }
-}
-
-resource getPairedRegionScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
- name: pairedRegionScriptName
- location: location
- kind: 'AzurePowerShell'
- identity: {
- type: 'UserAssigned'
- userAssignedIdentities: {
- '${managedIdentity.id}': {}
- }
- }
- properties: {
- azPowerShellVersion: '8.0'
- retentionInterval: 'P1D'
- arguments: '-Location \\"${location}\\"'
- scriptContent: loadTextContent('../../../../../.shared/.scripts/Get-PairedRegion.ps1')
- }
- dependsOn: [
- roleAssignment
- ]
-}
-
-@description('The name of the paired region.')
-output pairedRegionName string = getPairedRegionScript.properties.outputs.pairedRegionName
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/document-db/database-account/tests/e2e/plain/main.test.bicep b/modules/document-db/database-account/tests/e2e/plain/main.test.bicep
deleted file mode 100644
index 2b71669ee2..0000000000
--- a/modules/document-db/database-account/tests/e2e/plain/main.test.bicep
+++ /dev/null
@@ -1,120 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-documentdb.databaseaccounts-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dddapln'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- locations: [
- {
- failoverPriority: 0
- isZoneRedundant: false
- locationName: location
- }
- {
- failoverPriority: 1
- isZoneRedundant: false
- locationName: nestedDependencies.outputs.pairedRegionName
- }
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
diff --git a/modules/document-db/database-account/tests/e2e/sqldb/dependencies.bicep b/modules/document-db/database-account/tests/e2e/sqldb/dependencies.bicep
deleted file mode 100644
index 61dec739a6..0000000000
--- a/modules/document-db/database-account/tests/e2e/sqldb/dependencies.bicep
+++ /dev/null
@@ -1,99 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Deployment Script to create to get the paired region name.')
-param pairedRegionScriptName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
- name: managedIdentityName
- location: location
-}
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.documents.azure.com'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${location}-${managedIdentity.id}-Reader-RoleAssignment')
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') // Reader
- principalType: 'ServicePrincipal'
- }
-}
-
-resource getPairedRegionScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
- name: pairedRegionScriptName
- location: location
- kind: 'AzurePowerShell'
- identity: {
- type: 'UserAssigned'
- userAssignedIdentities: {
- '${managedIdentity.id}': {}
- }
- }
- properties: {
- azPowerShellVersion: '8.0'
- retentionInterval: 'P1D'
- arguments: '-Location \\"${location}\\"'
- scriptContent: loadTextContent('../../../../../.shared/.scripts/Get-PairedRegion.ps1')
- }
- dependsOn: [
- roleAssignment
- ]
-}
-
-@description('The name of the paired region.')
-output pairedRegionName string = getPairedRegionScript.properties.outputs.pairedRegionName
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/document-db/database-account/tests/e2e/sqldb/main.test.bicep b/modules/document-db/database-account/tests/e2e/sqldb/main.test.bicep
deleted file mode 100644
index 843e9e6afe..0000000000
--- a/modules/document-db/database-account/tests/e2e/sqldb/main.test.bicep
+++ /dev/null
@@ -1,213 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-documentdb.databaseaccounts-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dddasql' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location 
- } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - locations: [ - { - failoverPriority: 0 - isZoneRedundant: false - locationName: location - } - { - failoverPriority: 1 - isZoneRedundant: false - locationName: nestedDependencies.outputs.pairedRegionName - } - ] - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - location: location - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - service: 'Sql' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - sqlDatabases: [ - { - containers: [ - { - 
kind: 'Hash' - name: 'container-001' - indexingPolicy: { - automatic: true - } - paths: [ - '/myPartitionKey' - ] - analyticalStorageTtl: 0 - conflictResolutionPolicy: { - conflictResolutionPath: '/myCustomId' - mode: 'LastWriterWins' - } - defaultTtl: 1000 - uniqueKeyPolicyKeys: [ - { - paths: [ - '/firstName' - ] - } - { - paths: [ - '/lastName' - ] - } - ] - throughput: 600 - } - ] - name: '${namePrefix}-sql-${serviceShort}-001' - throughput: 1000 - } - { - containers: [] - name: '${namePrefix}-sql-${serviceShort}-002' - } - { - containers: [ - { - kind: 'Hash' - name: 'container-003' - autoscaleSettingsMaxThroughput: 1000 - indexingPolicy: { - automatic: true - } - paths: [ - '/myPartitionKey' - ] - analyticalStorageTtl: 0 - conflictResolutionPolicy: { - conflictResolutionPath: '/myCustomId' - mode: 'LastWriterWins' - } - defaultTtl: 1000 - uniqueKeyPolicyKeys: [ - { - paths: [ - '/firstName' - ] - } - { - paths: [ - '/lastName' - ] - } - ] - } - ] - name: '${namePrefix}-sql-${serviceShort}-003' - autoscaleSettingsMaxThroughput: 1000 - } - ] - managedIdentities: { - userAssignedResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} diff --git a/modules/document-db/database-account/version.json b/modules/document-db/database-account/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/document-db/database-account/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/event-grid/domain/MOVED-TO-AVM.md b/modules/event-grid/domain/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/event-grid/domain/MOVED-TO-AVM.md +++ /dev/null 
@@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/event-grid/domain/README.md b/modules/event-grid/domain/README.md index b38969fef0..ce6f40b5e3 100644 --- a/modules/event-grid/domain/README.md +++ b/modules/event-grid/domain/README.md @@ -1,1093 +1,7 @@ -# Event Grid Domains `[Microsoft.EventGrid/domains]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/event-grid/domain](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/event-grid/domain).** -This module deploys an Event Grid Domain. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/event-grid/domain). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.EventGrid/domains` | [2022-06-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventGrid/2022-06-15/domains) | -| `Microsoft.EventGrid/domains/topics` | [2022-06-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventGrid/2022-06-15/domains/topics) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| 
`Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/event-grid.domain:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [Pe](#example-3-pe) -- [WAF-aligned](#example-4-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module domain 'br:bicep/modules/event-grid.domain:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-egdmin' - params: { - // Required parameters - name: 'egdmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "egdmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module domain 'br:bicep/modules/event-grid.domain:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-egdmax' - params: { - // Required parameters - name: 'egdmax001' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - inboundIpRules: [ - { - action: 'Allow' - ipMask: '40.74.28.0/23' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'domain' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - topics: [ - 'topic-egdmax001' - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "egdmax001" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "inboundIpRules": { - "value": [ - { - "action": "Allow", - "ipMask": "40.74.28.0/23" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "domain", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "topics": { - "value": [ - "topic-egdmax001" - ] - } - } -} -``` - -
-

- -### Example 3: _Pe_ - -

- -via Bicep module - -```bicep -module domain 'br:bicep/modules/event-grid.domain:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-egdpe' - params: { - // Required parameters - name: 'egdpe001' - // Non-required parameters - enableDefaultTelemetry: '' - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "egdpe001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 4: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module domain 'br:bicep/modules/event-grid.domain:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-egdwaf' - params: { - // Required parameters - name: 'egdwaf001' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - inboundIpRules: [ - { - action: 'Allow' - ipMask: '40.74.28.0/23' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'domain' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - topics: [ - 'topic-egdwaf001' - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "egdwaf001" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "inboundIpRules": { - "value": [ - { - "action": "Allow", - "ipMask": "40.74.28.0/23" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "domain", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "topics": { - "value": [ - "topic-egdwaf001" - ] - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the Event Grid Domain. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`autoCreateTopicWithFirstSubscription`](#parameter-autocreatetopicwithfirstsubscription) | bool | Location for all Resources. | -| [`autoDeleteTopicWithLastSubscription`](#parameter-autodeletetopicwithlastsubscription) | bool | Location for all Resources. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`inboundIpRules`](#parameter-inboundiprules) | array | This can be used to restrict traffic from specific IPs instead of all IPs. Note: These are considered only if PublicNetworkAccess is enabled. | -| [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and inboundIpRules are not set. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`topics`](#parameter-topics) | array | The topic names which are associated with the domain. | - -### Parameter: `name` - -The name of the Event Grid Domain. - -- Required: Yes -- Type: string - -### Parameter: `autoCreateTopicWithFirstSubscription` - -Location for all Resources. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `autoDeleteTopicWithLastSubscription` - -Location for all Resources. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. 
| -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `inboundIpRules` - -This can be used to restrict traffic from specific IPs instead of all IPs. 
Note: These are considered only if PublicNetworkAccess is enabled. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all Resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints` - -Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. 
| -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.subnetResourceId` - -Resource ID of the subnet where the endpoint needs to be created. 
- -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Application security groups in which the private endpoint IP configuration is included. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customDnsConfigs` - -Custom DNS configurations. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customNetworkInterfaceName` - -The custom name of the network interface attached to the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.enableTelemetry` - -Enable/Disable usage telemetry for module. - -- Required: No -- Type: bool - -### Parameter: `privateEndpoints.ipConfigurations` - -A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.location` - -The location to deploy the private endpoint to. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.lock` - -Specify the type of lock. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | -| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | - -### Parameter: `privateEndpoints.lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `privateEndpoints.lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` - -Manual PrivateLink Service Connections. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.name` - -The name of the private endpoint. 
- -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneGroupName` - -The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` - -The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. 
| -| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `privateEndpoints.roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.principalType` - -The principal type of the assigned principal ID. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `privateEndpoints.service` - -The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.tags` - -Tags to be applied on all resources/resource groups in this deployment. - -- Required: No -- Type: object - -### Parameter: `publicNetworkAccess` - -Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and inboundIpRules are not set. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. 
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Device'
- 'ForeignGroup'
- 'Group'
- 'ServicePrincipal'
- 'User'
- ]
- ```
-
-### Parameter: `tags`
-
-Tags of the resource.
-
-- Required: No
-- Type: object
-
-### Parameter: `topics`
-
-The topic names which are associated with the domain.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the event grid domain. |
-| `resourceGroupName` | string | The name of the resource group the event grid domain was deployed into. |
-| `resourceId` | string | The resource ID of the event grid domain. |
-
-## Cross-referenced modules
-
-This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
-
-| Reference | Type |
-| :-- | :-- |
-| `modules/network/private-endpoint` | Local reference |
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/event-grid/domain/main.bicep b/modules/event-grid/domain/main.bicep
deleted file mode 100644
index 5177d56cf2..0000000000
--- a/modules/event-grid/domain/main.bicep
+++ /dev/null
@@ -1,321 +0,0 @@ -metadata name = 'Event Grid Domains' -metadata description = 'This module deploys an Event Grid Domain.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. The name of the Event Grid Domain.') -param name string - -@description('Optional. Location for all Resources.') -param location string = resourceGroup().location - -@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and inboundIpRules are not set.') -@allowed([ - '' - 'Enabled' - 'Disabled' -]) -param publicNetworkAccess string = '' - -@description('Optional. Location for all Resources.') -param autoCreateTopicWithFirstSubscription bool = true - -@description('Optional. Location for all Resources.') -param autoDeleteTopicWithLastSubscription bool = true - -@description('Optional. This can be used to restrict traffic from specific IPs instead of all IPs. Note: These are considered only if PublicNetworkAccess is enabled.') -param inboundIpRules array = [] - -@description('Optional. The diagnostic settings of the service.') -param diagnosticSettings diagnosticSettingType - -@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') -param privateEndpoints privateEndpointType - -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments roleAssignmentType - -@description('Optional. 
The lock settings of the service.') -param lock lockType - -@description('Optional. Tags of the resource.') -param tags object? - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. The topic names which are associated with the domain.') -param topics array = [] - -var enableReferencedModulesTelemetry = false - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'EventGrid Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de') - 'EventGrid Data Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7') - 'EventGrid EventSubscription Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443') - 'EventGrid EventSubscription Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2414bbcf-6497-4faf-8c65-045460748405') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 
'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource domain 'Microsoft.EventGrid/domains@2022-06-15' = { - name: name - location: location - tags: tags - properties: { - publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) && empty(inboundIpRules) ? 'Disabled' : null) - inboundIpRules: !empty(inboundIpRules) ? inboundIpRules : null - autoCreateTopicWithFirstSubscription: autoCreateTopicWithFirstSubscription - autoDeleteTopicWithLastSubscription: autoDeleteTopicWithLastSubscription - } -} - -module domain_topics 'topic/main.bicep' = [for (topic, index) in topics: { - name: '${uniqueString(deployment().name, location)}-topics-${index}' - params: { - domainName: domain.name - name: topic - location: location - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -resource domain_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' - } - scope: domain -} - -resource domain_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { - name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' - properties: { - storageAccountId: diagnosticSetting.?storageAccountResourceId - workspaceId: diagnosticSetting.?workspaceResourceId - eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId - eventHubName: diagnosticSetting.?eventHubName - metrics: diagnosticSetting.?metricCategories ?? [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - } - ] - logs: diagnosticSetting.?logCategoriesAndGroups ?? 
[ - { - categoryGroup: 'AllLogs' - enabled: true - } - ] - marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId - logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType - } - scope: domain -}] - -module domain_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): { - name: '${uniqueString(deployment().name, location)}-domain-PrivateEndpoint-${index}' - params: { - groupIds: [ - privateEndpoint.?service ?? 'domain' - ] - name: privateEndpoint.?name ?? 'pep-${last(split(domain.id, '/'))}-${privateEndpoint.?service ?? 'domain'}-${index}' - serviceResourceId: domain.id - subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry - location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: privateEndpoint.?lock ?? lock - privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName - privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds - roleAssignments: privateEndpoint.?roleAssignments - tags: privateEndpoint.?tags ?? tags - manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections - customDnsConfigs: privateEndpoint.?customDnsConfigs - ipConfigurations: privateEndpoint.?ipConfigurations - applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds - customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName - } -}] - -resource domain_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(domain.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? 
builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: domain -}] - -@description('The name of the event grid domain.') -output name string = domain.name - -@description('The resource ID of the event grid domain.') -output resourceId string = domain.id - -@description('The name of the resource group the event grid domain was deployed into.') -output resourceGroupName string = resourceGroup().name - -@description('The location the resource was deployed into.') -output location string = domain.location - -// =============== // -// Definitions // -// =============== // - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? - -type privateEndpointType = { - @description('Optional. The name of the private endpoint.') - name: string? - - @description('Optional. The location to deploy the private endpoint to.') - location: string? - - @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".') - service: string? - - @description('Required. Resource ID of the subnet where the endpoint needs to be created.') - subnetResourceId: string - - @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.') - privateDnsZoneGroupName: string? - - @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.') - privateDnsZoneResourceIds: string[]? - - @description('Optional. Custom DNS configurations.') - customDnsConfigs: { - @description('Required. Fqdn that resolves to private endpoint ip address.') - fqdn: string? - - @description('Required. A list of private ip addresses of the private endpoint.') - ipAddresses: string[] - }[]? - - @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') - ipConfigurations: { - @description('Required. The name of the resource that is unique within a resource group.') - name: string - - @description('Required. Properties of private endpoint IP configurations.') - properties: { - @description('Required. 
The ID of a group obtained from the remote resource that this private endpoint should connect to.') - groupId: string - - @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') - memberName: string - - @description('Required. A private ip address obtained from the private endpoint\'s subnet.') - privateIPAddress: string - } - }[]? - - @description('Optional. Application security groups in which the private endpoint IP configuration is included.') - applicationSecurityGroupResourceIds: string[]? - - @description('Optional. The custom name of the network interface attached to the private endpoint.') - customNetworkInterfaceName: string? - - @description('Optional. Specify the type of lock.') - lock: lockType - - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleAssignments: roleAssignmentType - - @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') - tags: object? - - @description('Optional. Manual PrivateLink Service Connections.') - manualPrivateLinkServiceConnections: array? - - @description('Optional. Enable/Disable usage telemetry for module.') - enableTelemetry: bool? -}[]? - -type diagnosticSettingType = { - @description('Optional. The name of diagnostic setting.') - name: string? - - @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') - logCategoriesAndGroups: { - @description('Optional. 
Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') - category: string? - - @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') - categoryGroup: string? - }[]? - - @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') - metricCategories: { - @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') - category: string - }[]? - - @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? - - @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - workspaceResourceId: string? - - @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - storageAccountResourceId: string? - - @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') - eventHubAuthorizationRuleResourceId: string? - - @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/event-grid/domain/main.json b/modules/event-grid/domain/main.json
deleted file mode 100644
index 3ad0a4b95a..0000000000
--- a/modules/event-grid/domain/main.json
+++ /dev/null
@@ -1,1348 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "12691133216908716098" - }, - "name": "Event Grid Domains", - "description": "This module deploys an Event Grid Domain.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." 
- } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." 
- } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." 
- } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." 
- } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Event Grid Domain." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and inboundIpRules are not set." - } - }, - "autoCreateTopicWithFirstSubscription": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "autoDeleteTopicWithLastSubscription": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Location for all Resources." 
- } - }, - "inboundIpRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. This can be used to restrict traffic from specific IPs instead of all IPs. Note: These are considered only if PublicNetworkAccess is enabled." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "topics": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The topic names which are associated with the domain." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "EventGrid Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')]", - "EventGrid Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7')]", - "EventGrid EventSubscription Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", - "EventGrid EventSubscription Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2414bbcf-6497-4faf-8c65-045460748405')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "domain": { - "type": "Microsoft.EventGrid/domains", - "apiVersion": "2022-06-15", - "name": 
"[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), if(and(not(empty(parameters('privateEndpoints'))), empty(parameters('inboundIpRules'))), 'Disabled', null()))]", - "inboundIpRules": "[if(not(empty(parameters('inboundIpRules'))), parameters('inboundIpRules'), null())]", - "autoCreateTopicWithFirstSubscription": "[parameters('autoCreateTopicWithFirstSubscription')]", - "autoDeleteTopicWithLastSubscription": "[parameters('autoDeleteTopicWithLastSubscription')]" - } - }, - "domain_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.EventGrid/domains/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "domain" - ] - }, - "domain_diagnosticSettings": { - "copy": { - "name": "domain_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.EventGrid/domains/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "domain" - ] - }, - "domain_roleAssignments": { - "copy": { - "name": "domain_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.EventGrid/domains/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.EventGrid/domains', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), 
variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "domain" - ] - }, - "domain_topics": { - "copy": { - "name": "domain_topics", - "count": "[length(parameters('topics'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-topics-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "domainName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('topics')[copyIndex()]]" - }, - "location": { - "value": "[parameters('location')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": 
"bicep", - "version": "0.23.1.45101", - "templateHash": "13344838042263797685" - }, - "name": "Event Grid Domain Topics", - "description": "This module deploys an Event Grid Domain Topic.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Event Grid Domain Topic." - } - }, - "domainName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Event Grid Domain. Required if the template is used in a standalone deployment." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.EventGrid/domains/topics", - "apiVersion": "2022-06-15", - "name": "[format('{0}/{1}', parameters('domainName'), parameters('name'))]" - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the event grid topic." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the event grid topic." 
- }, - "value": "[resourceId('Microsoft.EventGrid/domains/topics', parameters('domainName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the event grid topic was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "domain" - ] - }, - "domain_privateEndpoints": { - "copy": { - "name": "domain_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-domain-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'domain')]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.EventGrid/domains', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'domain'), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.EventGrid/domains', parameters('name'))]" - }, - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), 
createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": 
"This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." 
- } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." 
- } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. 
Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } 
- }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - "groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": 
"privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": 
"Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "domain" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the event grid domain." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the event grid domain." - }, - "value": "[resourceId('Microsoft.EventGrid/domains', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the event grid domain was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('domain', '2022-06-15', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/event-grid/domain/tests/e2e/defaults/main.test.bicep b/modules/event-grid/domain/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 69015ce3e4..0000000000 --- a/modules/event-grid/domain/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-eventgrid.domains-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'egdmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/event-grid/domain/tests/e2e/max/dependencies.bicep b/modules/event-grid/domain/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 8ba0c35f61..0000000000
--- a/modules/event-grid/domain/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,60 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.eventgrid.azure.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/event-grid/domain/tests/e2e/max/main.test.bicep b/modules/event-grid/domain/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 3be06cfaf7..0000000000
--- a/modules/event-grid/domain/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,125 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-eventgrid.domains-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'egdmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- inboundIpRules: [
- {
- action: 'Allow'
- ipMask: '40.74.28.0/23'
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- service: 'domain'
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- topics: [
- '${namePrefix}-topic-${serviceShort}001'
- ]
- }
-}]
diff --git a/modules/event-grid/domain/tests/e2e/pe/dependencies.bicep b/modules/event-grid/domain/tests/e2e/pe/dependencies.bicep
deleted file mode 100644
index 4d31fc9282..0000000000
--- a/modules/event-grid/domain/tests/e2e/pe/dependencies.bicep
+++ /dev/null
@@ -1,49 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.eventgrid.azure.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/event-grid/domain/tests/e2e/pe/main.test.bicep b/modules/event-grid/domain/tests/e2e/pe/main.test.bicep
deleted file mode 100644
index 98d8709f03..0000000000
--- a/modules/event-grid/domain/tests/e2e/pe/main.test.bicep
+++ /dev/null
@@ -1,72 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-eventgrid.domains-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'egdpe'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/event-grid/domain/tests/e2e/waf-aligned/dependencies.bicep b/modules/event-grid/domain/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 8ba0c35f61..0000000000
--- a/modules/event-grid/domain/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,60 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.eventgrid.azure.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/event-grid/domain/tests/e2e/waf-aligned/main.test.bicep b/modules/event-grid/domain/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index d65df56405..0000000000
--- a/modules/event-grid/domain/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,125 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-eventgrid.domains-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'egdwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- inboundIpRules: [
- {
- action: 'Allow'
- ipMask: '40.74.28.0/23'
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- service: 'domain'
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- topics: [
- '${namePrefix}-topic-${serviceShort}001'
- ]
- }
-}]
diff --git a/modules/event-grid/domain/topic/README.md b/modules/event-grid/domain/topic/README.md
deleted file mode 100644
index 6dc88f87ef..0000000000
--- a/modules/event-grid/domain/topic/README.md
+++ /dev/null
@@ -1,80 +0,0 @@
-# Event Grid Domain Topics `[Microsoft.EventGrid/domains/topics]`
-
-This module deploys an Event Grid Domain Topic.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.EventGrid/domains/topics` | [2022-06-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventGrid/2022-06-15/domains/topics) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the Event Grid Domain Topic. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`domainName`](#parameter-domainname) | string | The name of the parent Event Grid Domain. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`location`](#parameter-location) | string | Location for all Resources. |
-
-### Parameter: `name`
-
-The name of the Event Grid Domain Topic.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `domainName`
-
-The name of the parent Event Grid Domain. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `location`
-
-Location for all Resources.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the event grid topic. |
-| `resourceGroupName` | string | The name of the resource group the event grid topic was deployed into. |
-| `resourceId` | string | The resource ID of the event grid topic. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/event-grid/domain/topic/main.bicep b/modules/event-grid/domain/topic/main.bicep
deleted file mode 100644
index 5cc3efa25b..0000000000
--- a/modules/event-grid/domain/topic/main.bicep
+++ /dev/null
@@ -1,45 +0,0 @@
-metadata name = 'Event Grid Domain Topics'
-metadata description = 'This module deploys an Event Grid Domain Topic.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the Event Grid Domain Topic.')
-param name string
-
-@description('Conditional. The name of the parent Event Grid Domain. Required if the template is used in a standalone deployment.')
-param domainName string
-
-@description('Optional. Location for all Resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource domain 'Microsoft.EventGrid/domains@2022-06-15' existing = {
- name: domainName
-}
-
-resource topic 'Microsoft.EventGrid/domains/topics@2022-06-15' = {
- name: name
- parent: domain
-}
-
-@description('The name of the event grid topic.')
-output name string = topic.name
-
-@description('The resource ID of the event grid topic.')
-output resourceId string = topic.id
-
-@description('The name of the resource group the event grid topic was deployed into.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/event-grid/domain/topic/main.json b/modules/event-grid/domain/topic/main.json
deleted file mode 100644
index db8189344c..0000000000
--- a/modules/event-grid/domain/topic/main.json
+++ /dev/null
@@ -1,86 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13344838042263797685" - }, - "name": "Event Grid Domain Topics", - "description": "This module deploys an Event Grid Domain Topic.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Event Grid Domain Topic." - } - }, - "domainName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Event Grid Domain. Required if the template is used in a standalone deployment." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.EventGrid/domains/topics", - "apiVersion": "2022-06-15", - "name": "[format('{0}/{1}', parameters('domainName'), parameters('name'))]" - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the event grid topic." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the event grid topic." - }, - "value": "[resourceId('Microsoft.EventGrid/domains/topics', parameters('domainName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the event grid topic was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/event-grid/domain/topic/version.json b/modules/event-grid/domain/topic/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/event-grid/domain/topic/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/event-grid/domain/version.json b/modules/event-grid/domain/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/event-grid/domain/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/event-grid/system-topic/MOVED-TO-AVM.md b/modules/event-grid/system-topic/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/event-grid/system-topic/MOVED-TO-AVM.md +++ /dev/null @@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/event-grid/system-topic/README.md b/modules/event-grid/system-topic/README.md index 5c5801dfe9..65afaf30f5 100644 --- a/modules/event-grid/system-topic/README.md +++ b/modules/event-grid/system-topic/README.md 
@@ -1,790 +1,7 @@ -# Event Grid System Topics `[Microsoft.EventGrid/systemTopics]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/event-grid/system-topic](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/event-grid/system-topic).** -This module deploys an Event Grid System Topic. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/event-grid/system-topic). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.EventGrid/systemTopics` | [2021-12-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventGrid/2021-12-01/systemTopics) | -| `Microsoft.EventGrid/systemTopics/eventSubscriptions` | [2022-06-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventGrid/2022-06-15/systemTopics/eventSubscriptions) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and 
deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/event-grid.system-topic:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module systemTopic 'br:bicep/modules/event-grid.system-topic:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-egstmin' - params: { - // Required parameters - name: 'egstmin001' - source: '' - topicType: 'Microsoft.Storage.StorageAccounts' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "egstmin001" - }, - "source": { - "value": "" - }, - "topicType": { - "value": "Microsoft.Storage.StorageAccounts" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module systemTopic 'br:bicep/modules/event-grid.system-topic:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-egstmax' - params: { - // Required parameters - name: 'egstmax001' - source: '' - topicType: 'Microsoft.Storage.StorageAccounts' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - eventSubscriptions: [ - { - destination: { - endpointType: 'StorageQueue' - properties: { - queueMessageTimeToLiveInSeconds: 86400 - queueName: '' - resourceId: '' - } - } - enableDefaultTelemetry: '' - eventDeliverySchema: 'CloudEventSchemaV1_0' - expirationTimeUtc: '2099-01-01T11:00:21.715Z' - filter: { - enableAdvancedFilteringOnArrays: true - isSubjectCaseSensitive: false - } - name: 'egstmax001' - retryPolicy: { - eventTimeToLive: '120' - maxDeliveryAttempts: 10 - } - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "egstmax001" - }, - "source": { - "value": "" - }, - "topicType": { - "value": "Microsoft.Storage.StorageAccounts" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "eventSubscriptions": { - "value": [ - { - "destination": { - "endpointType": "StorageQueue", - "properties": { - "queueMessageTimeToLiveInSeconds": 86400, - "queueName": "", - "resourceId": "" - } - }, - "enableDefaultTelemetry": "", - "eventDeliverySchema": "CloudEventSchemaV1_0", - "expirationTimeUtc": "2099-01-01T11:00:21.715Z", - "filter": { - "enableAdvancedFilteringOnArrays": true, - "isSubjectCaseSensitive": false - }, - "name": "egstmax001", - "retryPolicy": { - "eventTimeToLive": "120", - "maxDeliveryAttempts": 10 - } - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module systemTopic 'br:bicep/modules/event-grid.system-topic:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-egstwaf' - params: { - // Required parameters - name: 'egstwaf001' - source: '' - topicType: 'Microsoft.Storage.StorageAccounts' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - eventSubscriptions: [ - { - destination: { - endpointType: 'StorageQueue' - properties: { - queueMessageTimeToLiveInSeconds: 86400 - queueName: '' - resourceId: '' - } - } - enableDefaultTelemetry: '' - eventDeliverySchema: 'CloudEventSchemaV1_0' - expirationTimeUtc: '2099-01-01T11:00:21.715Z' - filter: { - enableAdvancedFilteringOnArrays: true - isSubjectCaseSensitive: false - } - name: 'egstwaf001' - retryPolicy: { - eventTimeToLive: '120' - maxDeliveryAttempts: 10 - } - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "egstwaf001" - }, - "source": { - "value": "" - }, - "topicType": { - "value": "Microsoft.Storage.StorageAccounts" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "eventSubscriptions": { - "value": [ - { - "destination": { - "endpointType": "StorageQueue", - "properties": { - "queueMessageTimeToLiveInSeconds": 86400, - "queueName": "", - "resourceId": "" - } - }, - "enableDefaultTelemetry": "", - "eventDeliverySchema": "CloudEventSchemaV1_0", - "expirationTimeUtc": "2099-01-01T11:00:21.715Z", - "filter": { - "enableAdvancedFilteringOnArrays": true, - "isSubjectCaseSensitive": false - }, - "name": "egstwaf001", - "retryPolicy": { - "eventTimeToLive": "120", - "maxDeliveryAttempts": 10 - } - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the Event Grid Topic. | -| [`source`](#parameter-source) | string | Source for the system topic. | -| [`topicType`](#parameter-topictype) | string | TopicType for the system topic. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`eventSubscriptions`](#parameter-eventsubscriptions) | array | Event subscriptions to deploy. | -| [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `name` - -The name of the Event Grid Topic. - -- Required: Yes -- Type: string - -### Parameter: `source` - -Source for the system topic. - -- Required: Yes -- Type: string - -### Parameter: `topicType` - -TopicType for the system topic. - -- Required: Yes -- Type: string - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. 
- -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. 
Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `eventSubscriptions` - -Event subscriptions to deploy. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all Resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. 
- -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: No -- Type: array - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the event grid system topic. | -| `resourceGroupName` | string | The name of the resource group the event grid system topic was deployed into. | -| `resourceId` | string | The resource ID of the event grid system topic. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/event-grid/system-topic/event-subscription/README.md b/modules/event-grid/system-topic/event-subscription/README.md deleted file mode 100644 index 397b1c50a7..0000000000 --- a/modules/event-grid/system-topic/event-subscription/README.md +++ /dev/null 
@@ -1,165 +0,0 @@
-# Event Grid System Topic Event Subscriptions `[Microsoft.EventGrid/systemTopics/eventSubscriptions]`
-
-This module deploys an Event Grid System Topic Event Subscription.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.EventGrid/systemTopics/eventSubscriptions` | [2022-06-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventGrid/2022-06-15/systemTopics/eventSubscriptions) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`destination`](#parameter-destination) | object | The destination for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptiondestination-objects for more information). |
-| [`name`](#parameter-name) | string | The name of the Event Subscription. |
-| [`systemTopicName`](#parameter-systemtopicname) | string | Name of the Event Grid System Topic. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`deadLetterDestination`](#parameter-deadletterdestination) | object | Dead Letter Destination. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterdestination-objects for more information). |
-| [`deadLetterWithResourceIdentity`](#parameter-deadletterwithresourceidentity) | object | Dead Letter with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterwithresourceidentity-objects for more information). |
-| [`deliveryWithResourceIdentity`](#parameter-deliverywithresourceidentity) | object | Delivery with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deliverywithresourceidentity-objects for more information). |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`eventDeliverySchema`](#parameter-eventdeliveryschema) | string | The event delivery schema for the event subscription. |
-| [`expirationTimeUtc`](#parameter-expirationtimeutc) | string | The expiration time for the event subscription. Format is ISO-8601 (yyyy-MM-ddTHH:mm:ssZ). |
-| [`filter`](#parameter-filter) | object | The filter for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptionfilter for more information). |
-| [`labels`](#parameter-labels) | array | The list of user defined labels. |
-| [`location`](#parameter-location) | string | Location for all Resources. |
-| [`retryPolicy`](#parameter-retrypolicy) | object | The retry policy for events. This can be used to configure the TTL and maximum number of delivery attempts and time to live for events. |
-
-### Parameter: `destination`
-
-The destination for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptiondestination-objects for more information).
-
-- Required: Yes
-- Type: object
-
-### Parameter: `name`
-
-The name of the Event Subscription.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `systemTopicName`
-
-Name of the Event Grid System Topic.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `deadLetterDestination`
-
-Dead Letter Destination. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterdestination-objects for more information).
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `deadLetterWithResourceIdentity`
-
-Dead Letter with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterwithresourceidentity-objects for more information).
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `deliveryWithResourceIdentity`
-
-Delivery with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deliverywithresourceidentity-objects for more information).
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `eventDeliverySchema`
-
-The event delivery schema for the event subscription.
-
-- Required: No
-- Type: string
-- Default: `'EventGridSchema'`
-- Allowed:
- ```Bicep
- [
- 'CloudEventSchemaV1_0'
- 'CustomInputSchema'
- 'EventGridEvent'
- 'EventGridSchema'
- ]
- ```
-
-### Parameter: `expirationTimeUtc`
-
-The expiration time for the event subscription. Format is ISO-8601 (yyyy-MM-ddTHH:mm:ssZ).
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `filter`
-
-The filter for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptionfilter for more information).
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `labels`
-
-The list of user defined labels.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `location`
-
-Location for all Resources.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-### Parameter: `retryPolicy`
-
-The retry policy for events. This can be used to configure the TTL and maximum number of delivery attempts and time to live for events.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the event subscription. |
-| `resourceGroupName` | string | The name of the resource group the event subscription was deployed into. |
-| `resourceId` | string | The resource ID of the event subscription. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/event-grid/system-topic/event-subscription/main.bicep b/modules/event-grid/system-topic/event-subscription/main.bicep
deleted file mode 100644
index 7daa026c4b..0000000000
--- a/modules/event-grid/system-topic/event-subscription/main.bicep
+++ /dev/null
@@ -1,94 +0,0 @@
-metadata name = 'Event Grid System Topic Event Subscriptions'
-metadata description = 'This module deploys an Event Grid System Topic Event Subscription.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the Event Subscription.')
-param name string
-
-@description('Optional. Location for all Resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Required. Name of the Event Grid System Topic.')
-param systemTopicName string
-
-@description('Optional. Dead Letter Destination. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterdestination-objects for more information).')
-param deadLetterDestination object = {}
-
-@description('Optional. Dead Letter with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterwithresourceidentity-objects for more information).')
-param deadLetterWithResourceIdentity object = {}
-
-@description('Optional. Delivery with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deliverywithresourceidentity-objects for more information).')
-param deliveryWithResourceIdentity object = {}
-
-@description('Required. The destination for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptiondestination-objects for more information).')
-param destination object
-
-@description('Optional. The event delivery schema for the event subscription.')
-@allowed(
- [
- 'CloudEventSchemaV1_0'
- 'CustomInputSchema'
- 'EventGridSchema'
- 'EventGridEvent'
- ]
-)
-param eventDeliverySchema string = 'EventGridSchema'
-
-@description('Optional. The expiration time for the event subscription. Format is ISO-8601 (yyyy-MM-ddTHH:mm:ssZ).')
-param expirationTimeUtc string = ''
-
-@description('Optional. The filter for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptionfilter for more information).')
-param filter object = {}
-
-@description('Optional. The list of user defined labels.')
-param labels array = []
-
-@description('Optional. The retry policy for events. This can be used to configure the TTL and maximum number of delivery attempts and time to live for events.')
-param retryPolicy object = {}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource systemTopic 'Microsoft.EventGrid/systemTopics@2022-06-15' existing = {
- name: systemTopicName
-}
-
-resource eventSubscription 'Microsoft.EventGrid/systemTopics/eventSubscriptions@2022-06-15' = {
- name: name
- parent: systemTopic
- properties: {
- deadLetterDestination: !empty(deadLetterDestination) ? deadLetterDestination : null
- deadLetterWithResourceIdentity: !empty(deadLetterWithResourceIdentity) ? deadLetterWithResourceIdentity : null
- deliveryWithResourceIdentity: !empty(deliveryWithResourceIdentity) ? deliveryWithResourceIdentity : null
- destination: destination
- eventDeliverySchema: eventDeliverySchema
- expirationTimeUtc: !empty(expirationTimeUtc) ? expirationTimeUtc : ''
- filter: !empty(filter) ? filter : {}
- labels: !empty(labels) ? labels : []
- retryPolicy: !empty(retryPolicy) ? retryPolicy : null
- }
-}
-
-@description('The name of the event subscription.')
-output name string = eventSubscription.name
-
-@description('The resource ID of the event subscription.')
-output resourceId string = eventSubscription.id
-
-@description('The name of the resource group the event subscription was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = systemTopic.location
diff --git a/modules/event-grid/system-topic/event-subscription/main.json b/modules/event-grid/system-topic/event-subscription/main.json
deleted file mode 100644
index fc756da09d..0000000000
--- a/modules/event-grid/system-topic/event-subscription/main.json
+++ /dev/null
@@ -1,172 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15173790856574805238" - }, - "name": "Event Grid System Topic Event Subscriptions", - "description": "This module deploys an Event Grid System Topic Event Subscription.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Event Subscription." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "systemTopicName": { - "type": "string", - "metadata": { - "description": "Required. Name of the Event Grid System Topic." - } - }, - "deadLetterDestination": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Dead Letter Destination. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterdestination-objects for more information)." - } - }, - "deadLetterWithResourceIdentity": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Dead Letter with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterwithresourceidentity-objects for more information)." - } - }, - "deliveryWithResourceIdentity": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Delivery with Resource Identity Configuration. 
(See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deliverywithresourceidentity-objects for more information)." - } - }, - "destination": { - "type": "object", - "metadata": { - "description": "Required. The destination for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptiondestination-objects for more information)." - } - }, - "eventDeliverySchema": { - "type": "string", - "defaultValue": "EventGridSchema", - "allowedValues": [ - "CloudEventSchemaV1_0", - "CustomInputSchema", - "EventGridSchema", - "EventGridEvent" - ], - "metadata": { - "description": "Optional. The event delivery schema for the event subscription." - } - }, - "expirationTimeUtc": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The expiration time for the event subscription. Format is ISO-8601 (yyyy-MM-ddTHH:mm:ssZ)." - } - }, - "filter": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The filter for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptionfilter for more information)." - } - }, - "labels": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of user defined labels." - } - }, - "retryPolicy": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The retry policy for events. This can be used to configure the TTL and maximum number of delivery attempts and time to live for events." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.EventGrid/systemTopics/eventSubscriptions", - "apiVersion": "2022-06-15", - "name": "[format('{0}/{1}', parameters('systemTopicName'), parameters('name'))]", - "properties": { - "deadLetterDestination": "[if(not(empty(parameters('deadLetterDestination'))), parameters('deadLetterDestination'), null())]", - "deadLetterWithResourceIdentity": "[if(not(empty(parameters('deadLetterWithResourceIdentity'))), parameters('deadLetterWithResourceIdentity'), null())]", - "deliveryWithResourceIdentity": "[if(not(empty(parameters('deliveryWithResourceIdentity'))), parameters('deliveryWithResourceIdentity'), null())]", - "destination": "[parameters('destination')]", - "eventDeliverySchema": "[parameters('eventDeliverySchema')]", - "expirationTimeUtc": "[if(not(empty(parameters('expirationTimeUtc'))), parameters('expirationTimeUtc'), '')]", - "filter": "[if(not(empty(parameters('filter'))), parameters('filter'), createObject())]", - "labels": "[if(not(empty(parameters('labels'))), parameters('labels'), createArray())]", - "retryPolicy": "[if(not(empty(parameters('retryPolicy'))), parameters('retryPolicy'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the event subscription." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the event subscription." 
- }, - "value": "[resourceId('Microsoft.EventGrid/systemTopics/eventSubscriptions', parameters('systemTopicName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the event subscription was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference(resourceId('Microsoft.EventGrid/systemTopics', parameters('systemTopicName')), '2022-06-15', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/event-grid/system-topic/event-subscription/version.json b/modules/event-grid/system-topic/event-subscription/version.json deleted file mode 100644 index 7fa401bdf7..0000000000 --- a/modules/event-grid/system-topic/event-subscription/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.1", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/event-grid/system-topic/main.bicep b/modules/event-grid/system-topic/main.bicep deleted file mode 100644 index 97b33065d9..0000000000 --- a/modules/event-grid/system-topic/main.bicep +++ /dev/null 
@@ -1,243 +0,0 @@
-metadata name = 'Event Grid System Topics'
-metadata description = 'This module deploys an Event Grid System Topic.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the Event Grid Topic.')
-param name string
-
-@description('Optional. Location for all Resources.')
-param location string = resourceGroup().location
-
-@description('Required. Source for the system topic.')
-param source string
-
-@description('Required. TopicType for the system topic.')
-param topicType string
-
-@description('Optional. Event subscriptions to deploy.')
-param eventSubscriptions array = []
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-
-var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
- userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
-} : null
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'EventGrid Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')
- 'EventGrid Data Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7')
- 'EventGrid EventSubscription Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')
- 'EventGrid EventSubscription Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2414bbcf-6497-4faf-8c65-045460748405')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource systemTopic 'Microsoft.EventGrid/systemTopics@2021-12-01' = {
- name: name
- location: location
- identity: identity
- tags: tags
- properties: {
- source: source
- topicType: topicType
- }
-}
-
-// Event subscriptions
-module systemTopics_eventSubscriptions 'event-subscription/main.bicep' = [for (eventSubscription, index) in eventSubscriptions: {
- name: '${uniqueString(deployment().name, location)}-EventGrid-SystemTopics-EventSubscriptions-${index}'
- params: {
- destination: eventSubscription.destination
- systemTopicName: systemTopic.name
- name: eventSubscription.name
- deadLetterDestination: contains(eventSubscription, 'deadLetterDestination') ? eventSubscription.deadLetterDestination : {}
- deadLetterWithResourceIdentity: contains(eventSubscription, 'deadLetterWithResourceIdentity') ? eventSubscription.deadLetterWithResourceIdentity : {}
- deliveryWithResourceIdentity: contains(eventSubscription, 'deliveryWithResourceIdentity') ? eventSubscription.deliveryWithResourceIdentity : {}
- enableDefaultTelemetry: contains(eventSubscription, 'enableDefaultTelemetry') ? eventSubscription.enableDefaultTelemetry : true
- eventDeliverySchema: contains(eventSubscription, 'eventDeliverySchema') ? eventSubscription.eventDeliverySchema : 'EventGridSchema'
- expirationTimeUtc: contains(eventSubscription, 'expirationTimeUtc') ? eventSubscription.expirationTimeUtc : ''
- filter: contains(eventSubscription, 'filter') ? eventSubscription.filter : {}
- labels: contains(eventSubscription, 'labels') ? eventSubscription.labels : []
- location: contains(eventSubscription, 'location') ? eventSubscription.location : systemTopic.location
- retryPolicy: contains(eventSubscription, 'retryPolicy') ? eventSubscription.retryPolicy : {}
- }
-}]
-
-resource systemTopic_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: systemTopic
-}
-
-resource systemTopic_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: systemTopic
-}]
-
-resource systemTopic_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(systemTopic.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: systemTopic
-}]
-
-@description('The name of the event grid system topic.')
-output name string = systemTopic.name
-
-@description('The resource ID of the event grid system topic.')
-output resourceId string = systemTopic.id
-
-@description('The name of the resource group the event grid system topic was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The principal ID of the system assigned identity.')
-output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(systemTopic.identity, 'principalId') ? systemTopic.identity.principalId : ''
-
-@description('The location the resource was deployed into.')
-output location string = systemTopic.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]?
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/event-grid/system-topic/main.json b/modules/event-grid/system-topic/main.json
deleted file mode 100644
index 9983061e2e..0000000000
--- a/modules/event-grid/system-topic/main.json
+++ /dev/null
@@ -1,659 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "1660436981093999896" - }, - "name": "Event Grid System Topics", - "description": "This module deploys an Event Grid System Topic.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." 
- } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Event Grid Topic." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "source": { - "type": "string", - "metadata": { - "description": "Required. Source for the system topic." - } - }, - "topicType": { - "type": "string", - "metadata": { - "description": "Required. TopicType for the system topic." - } - }, - "eventSubscriptions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Event subscriptions to deploy." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - 
"EventGrid Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')]", - "EventGrid Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7')]", - "EventGrid EventSubscription Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", - "EventGrid EventSubscription Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2414bbcf-6497-4faf-8c65-045460748405')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "systemTopic": { - "type": "Microsoft.EventGrid/systemTopics", - "apiVersion": "2021-12-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "identity": "[variables('identity')]", - "tags": "[parameters('tags')]", - "properties": { - "source": "[parameters('source')]", - "topicType": 
"[parameters('topicType')]" - } - }, - "systemTopic_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.EventGrid/systemTopics/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "systemTopic" - ] - }, - "systemTopic_diagnosticSettings": { - "copy": { - "name": "systemTopic_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.EventGrid/systemTopics/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 
'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "systemTopic" - ] - }, - "systemTopic_roleAssignments": { - "copy": { - "name": "systemTopic_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.EventGrid/systemTopics/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.EventGrid/systemTopics', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "systemTopic" - ] - }, - "systemTopics_eventSubscriptions": { - "copy": { - "name": "systemTopics_eventSubscriptions", - "count": "[length(parameters('eventSubscriptions'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-EventGrid-SystemTopics-EventSubscriptions-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "destination": { - "value": "[parameters('eventSubscriptions')[copyIndex()].destination]" - }, - "systemTopicName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('eventSubscriptions')[copyIndex()].name]" - }, - "deadLetterDestination": "[if(contains(parameters('eventSubscriptions')[copyIndex()], 'deadLetterDestination'), createObject('value', parameters('eventSubscriptions')[copyIndex()].deadLetterDestination), createObject('value', createObject()))]", - "deadLetterWithResourceIdentity": "[if(contains(parameters('eventSubscriptions')[copyIndex()], 'deadLetterWithResourceIdentity'), createObject('value', parameters('eventSubscriptions')[copyIndex()].deadLetterWithResourceIdentity), createObject('value', createObject()))]", - "deliveryWithResourceIdentity": "[if(contains(parameters('eventSubscriptions')[copyIndex()], 'deliveryWithResourceIdentity'), createObject('value', parameters('eventSubscriptions')[copyIndex()].deliveryWithResourceIdentity), 
createObject('value', createObject()))]", - "enableDefaultTelemetry": "[if(contains(parameters('eventSubscriptions')[copyIndex()], 'enableDefaultTelemetry'), createObject('value', parameters('eventSubscriptions')[copyIndex()].enableDefaultTelemetry), createObject('value', true()))]", - "eventDeliverySchema": "[if(contains(parameters('eventSubscriptions')[copyIndex()], 'eventDeliverySchema'), createObject('value', parameters('eventSubscriptions')[copyIndex()].eventDeliverySchema), createObject('value', 'EventGridSchema'))]", - "expirationTimeUtc": "[if(contains(parameters('eventSubscriptions')[copyIndex()], 'expirationTimeUtc'), createObject('value', parameters('eventSubscriptions')[copyIndex()].expirationTimeUtc), createObject('value', ''))]", - "filter": "[if(contains(parameters('eventSubscriptions')[copyIndex()], 'filter'), createObject('value', parameters('eventSubscriptions')[copyIndex()].filter), createObject('value', createObject()))]", - "labels": "[if(contains(parameters('eventSubscriptions')[copyIndex()], 'labels'), createObject('value', parameters('eventSubscriptions')[copyIndex()].labels), createObject('value', createArray()))]", - "location": "[if(contains(parameters('eventSubscriptions')[copyIndex()], 'location'), createObject('value', parameters('eventSubscriptions')[copyIndex()].location), createObject('value', reference('systemTopic', '2021-12-01', 'full').location))]", - "retryPolicy": "[if(contains(parameters('eventSubscriptions')[copyIndex()], 'retryPolicy'), createObject('value', parameters('eventSubscriptions')[copyIndex()].retryPolicy), createObject('value', createObject()))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15173790856574805238" - }, - "name": "Event Grid System Topic Event Subscriptions", - "description": "This module deploys an 
Event Grid System Topic Event Subscription.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Event Subscription." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "systemTopicName": { - "type": "string", - "metadata": { - "description": "Required. Name of the Event Grid System Topic." - } - }, - "deadLetterDestination": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Dead Letter Destination. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterdestination-objects for more information)." - } - }, - "deadLetterWithResourceIdentity": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Dead Letter with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterwithresourceidentity-objects for more information)." - } - }, - "deliveryWithResourceIdentity": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Delivery with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deliverywithresourceidentity-objects for more information)." - } - }, - "destination": { - "type": "object", - "metadata": { - "description": "Required. The destination for the event subscription. 
(See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptiondestination-objects for more information)." - } - }, - "eventDeliverySchema": { - "type": "string", - "defaultValue": "EventGridSchema", - "allowedValues": [ - "CloudEventSchemaV1_0", - "CustomInputSchema", - "EventGridSchema", - "EventGridEvent" - ], - "metadata": { - "description": "Optional. The event delivery schema for the event subscription." - } - }, - "expirationTimeUtc": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The expiration time for the event subscription. Format is ISO-8601 (yyyy-MM-ddTHH:mm:ssZ)." - } - }, - "filter": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The filter for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptionfilter for more information)." - } - }, - "labels": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of user defined labels." - } - }, - "retryPolicy": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The retry policy for events. This can be used to configure the TTL and maximum number of delivery attempts and time to live for events." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.EventGrid/systemTopics/eventSubscriptions", - "apiVersion": "2022-06-15", - "name": "[format('{0}/{1}', parameters('systemTopicName'), parameters('name'))]", - "properties": { - "deadLetterDestination": "[if(not(empty(parameters('deadLetterDestination'))), parameters('deadLetterDestination'), null())]", - "deadLetterWithResourceIdentity": "[if(not(empty(parameters('deadLetterWithResourceIdentity'))), parameters('deadLetterWithResourceIdentity'), null())]", - "deliveryWithResourceIdentity": "[if(not(empty(parameters('deliveryWithResourceIdentity'))), parameters('deliveryWithResourceIdentity'), null())]", - "destination": "[parameters('destination')]", - "eventDeliverySchema": "[parameters('eventDeliverySchema')]", - "expirationTimeUtc": "[if(not(empty(parameters('expirationTimeUtc'))), parameters('expirationTimeUtc'), '')]", - "filter": "[if(not(empty(parameters('filter'))), parameters('filter'), createObject())]", - "labels": "[if(not(empty(parameters('labels'))), parameters('labels'), createArray())]", - "retryPolicy": "[if(not(empty(parameters('retryPolicy'))), parameters('retryPolicy'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the event subscription." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the event subscription." 
- }, - "value": "[resourceId('Microsoft.EventGrid/systemTopics/eventSubscriptions', parameters('systemTopicName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the event subscription was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference(resourceId('Microsoft.EventGrid/systemTopics', parameters('systemTopicName')), '2022-06-15', 'full').location]" - } - } - } - }, - "dependsOn": [ - "systemTopic" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the event grid system topic." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the event grid system topic." - }, - "value": "[resourceId('Microsoft.EventGrid/systemTopics', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the event grid system topic was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('systemTopic', '2021-12-01', 'full').identity, 'principalId')), reference('systemTopic', '2021-12-01', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('systemTopic', '2021-12-01', 'full').location]" - } - } -} \ No newline at end of file 
diff --git a/modules/event-grid/system-topic/tests/e2e/defaults/dependencies.bicep b/modules/event-grid/system-topic/tests/e2e/defaults/dependencies.bicep
deleted file mode 100644
index 61ebc54d90..0000000000
--- a/modules/event-grid/system-topic/tests/e2e/defaults/dependencies.bicep
+++ /dev/null
@@ -1,17 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
-}
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
diff --git a/modules/event-grid/system-topic/tests/e2e/defaults/main.test.bicep b/modules/event-grid/system-topic/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index ab3814500c..0000000000
--- a/modules/event-grid/system-topic/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,73 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-eventgrid.systemtopics-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'egstmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}sa${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- source: nestedDependencies.outputs.storageAccountResourceId
- topicType: 'Microsoft.Storage.StorageAccounts'
- }
-}]
diff --git a/modules/event-grid/system-topic/tests/e2e/max/dependencies.bicep b/modules/event-grid/system-topic/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 9b192272d4..0000000000
--- a/modules/event-grid/system-topic/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,42 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-@description('Required. The name of the Storage Queue to create.')
-param storageQueueName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
-
- resource queueService 'queueServices@2022-09-01' = {
- name: 'default'
-
- resource queue 'queues@2022-09-01' = {
- name: storageQueueName
- }
- }
-}
-
-@description('The name of the created Storage Account Queue.')
-output queueName string = storageAccount::queueService::queue.name
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
diff --git a/modules/event-grid/system-topic/tests/e2e/max/main.test.bicep b/modules/event-grid/system-topic/tests/e2e/max/main.test.bicep
deleted file mode 100644
index cdcc6727cb..0000000000
--- a/modules/event-grid/system-topic/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,130 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-eventgrid.systemtopics-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'egstmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- storageAccountName: 'dep${namePrefix}sa${serviceShort}'
- storageQueueName: 'dep${namePrefix}sq${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- source: nestedDependencies.outputs.storageAccountResourceId
- topicType: 'Microsoft.Storage.StorageAccounts'
- eventSubscriptions: [ {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- expirationTimeUtc: '2099-01-01T11:00:21.715Z'
- filter: {
- isSubjectCaseSensitive: false
- enableAdvancedFilteringOnArrays: true
- }
- retryPolicy: {
- maxDeliveryAttempts: 10
- eventTimeToLive: '120'
- }
- eventDeliverySchema: 'CloudEventSchemaV1_0'
- destination: {
- endpointType: 'StorageQueue'
- properties: {
- resourceId: nestedDependencies.outputs.storageAccountResourceId
- queueMessageTimeToLiveInSeconds: 86400
- queueName: nestedDependencies.outputs.queueName
- }
- }
- } ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- managedIdentities: {
- systemAssigned: true
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/event-grid/system-topic/tests/e2e/waf-aligned/dependencies.bicep b/modules/event-grid/system-topic/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 9b192272d4..0000000000
--- a/modules/event-grid/system-topic/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,42 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-@description('Required. The name of the Storage Queue to create.')
-param storageQueueName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
-
- resource queueService 'queueServices@2022-09-01' = {
- name: 'default'
-
- resource queue 'queues@2022-09-01' = {
- name: storageQueueName
- }
- }
-}
-
-@description('The name of the created Storage Account Queue.')
-output queueName string = storageAccount::queueService::queue.name
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
diff --git a/modules/event-grid/system-topic/tests/e2e/waf-aligned/main.test.bicep b/modules/event-grid/system-topic/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 943ee3a929..0000000000
--- a/modules/event-grid/system-topic/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,130 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-eventgrid.systemtopics-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'egstwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- storageAccountName: 'dep${namePrefix}sa${serviceShort}'
- storageQueueName: 'dep${namePrefix}sq${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- source: nestedDependencies.outputs.storageAccountResourceId
- topicType: 'Microsoft.Storage.StorageAccounts'
- eventSubscriptions: [ {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- expirationTimeUtc: '2099-01-01T11:00:21.715Z'
- filter: {
- isSubjectCaseSensitive: false
- enableAdvancedFilteringOnArrays: true
- }
- retryPolicy: {
- maxDeliveryAttempts: 10
- eventTimeToLive: '120'
- }
- eventDeliverySchema: 'CloudEventSchemaV1_0'
- destination: {
- endpointType: 'StorageQueue'
- properties: {
- resourceId: nestedDependencies.outputs.storageAccountResourceId
- queueMessageTimeToLiveInSeconds: 86400
- queueName: nestedDependencies.outputs.queueName
- }
- }
- } ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- managedIdentities: {
- systemAssigned: true
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/event-grid/system-topic/version.json b/modules/event-grid/system-topic/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/event-grid/system-topic/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/event-grid/topic/MOVED-TO-AVM.md b/modules/event-grid/topic/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/event-grid/topic/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/event-grid/topic/README.md b/modules/event-grid/topic/README.md
index 6fd7b92f69..e8bb3dcd9d 100644
--- a/modules/event-grid/topic/README.md
+++ b/modules/event-grid/topic/README.md
@@ -1,1159 +1,7 @@
-# Event Grid Topics `[Microsoft.EventGrid/topics]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/event-grid/topic](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/event-grid/topic).** -This module deploys an Event Grid Topic. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/event-grid/topic). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.EventGrid/topics` | [2020-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventGrid/2020-06-01/topics) | -| `Microsoft.EventGrid/topics/eventSubscriptions` | [2022-06-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventGrid/2022-06-15/topics/eventSubscriptions) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| 
`Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/event-grid.topic:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [Pe](#example-3-pe) -- [WAF-aligned](#example-4-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module topic 'br:bicep/modules/event-grid.topic:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-egtmin' - params: { - // Required parameters - name: 'egtmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "egtmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module topic 'br:bicep/modules/event-grid.topic:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-egtmax' - params: { - // Required parameters - name: 'egtmax001' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - eventSubscriptions: [ - { - destination: { - endpointType: 'StorageQueue' - properties: { - queueMessageTimeToLiveInSeconds: 86400 - queueName: '' - resourceId: '' - } - } - enableDefaultTelemetry: '' - eventDeliverySchema: 'CloudEventSchemaV1_0' - expirationTimeUtc: '2099-01-01T11:00:21.715Z' - filter: { - enableAdvancedFilteringOnArrays: true - isSubjectCaseSensitive: false - } - name: 'egtmax001' - retryPolicy: { - eventTimeToLive: '120' - maxDeliveryAttempts: 10 - } - } - ] - inboundIpRules: [ - { - action: 'Allow' - ipMask: '40.74.28.0/23' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'topic' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "egtmax001" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "eventSubscriptions": { - "value": [ - { - "destination": { - "endpointType": "StorageQueue", - "properties": { - "queueMessageTimeToLiveInSeconds": 86400, - "queueName": "", - "resourceId": "" - } - }, - "enableDefaultTelemetry": "", - "eventDeliverySchema": "CloudEventSchemaV1_0", - "expirationTimeUtc": "2099-01-01T11:00:21.715Z", - "filter": { - "enableAdvancedFilteringOnArrays": true, - "isSubjectCaseSensitive": false - }, - "name": "egtmax001", - "retryPolicy": { - "eventTimeToLive": "120", - "maxDeliveryAttempts": 10 - } - } - ] - }, - "inboundIpRules": { - "value": [ - { - "action": "Allow", - "ipMask": "40.74.28.0/23" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "topic", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _Pe_ - -

- -via Bicep module - -```bicep -module topic 'br:bicep/modules/event-grid.topic:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-egtpe' - params: { - // Required parameters - name: 'egtpe001' - // Non-required parameters - enableDefaultTelemetry: '' - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "egtpe001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 4: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module topic 'br:bicep/modules/event-grid.topic:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-egtwaf' - params: { - // Required parameters - name: 'egtwaf001' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - eventSubscriptions: [ - { - destination: { - endpointType: 'StorageQueue' - properties: { - queueMessageTimeToLiveInSeconds: 86400 - queueName: '' - resourceId: '' - } - } - enableDefaultTelemetry: '' - eventDeliverySchema: 'CloudEventSchemaV1_0' - expirationTimeUtc: '2099-01-01T11:00:21.715Z' - filter: { - enableAdvancedFilteringOnArrays: true - isSubjectCaseSensitive: false - } - name: 'egtwaf001' - retryPolicy: { - eventTimeToLive: '120' - maxDeliveryAttempts: 10 - } - } - ] - inboundIpRules: [ - { - action: 'Allow' - ipMask: '40.74.28.0/23' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'topic' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "egtwaf001" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "eventSubscriptions": { - "value": [ - { - "destination": { - "endpointType": "StorageQueue", - "properties": { - "queueMessageTimeToLiveInSeconds": 86400, - "queueName": "", - "resourceId": "" - } - }, - "enableDefaultTelemetry": "", - "eventDeliverySchema": "CloudEventSchemaV1_0", - "expirationTimeUtc": "2099-01-01T11:00:21.715Z", - "filter": { - "enableAdvancedFilteringOnArrays": true, - "isSubjectCaseSensitive": false - }, - "name": "egtwaf001", - "retryPolicy": { - "eventTimeToLive": "120", - "maxDeliveryAttempts": 10 - } - } - ] - }, - "inboundIpRules": { - "value": [ - { - "action": "Allow", - "ipMask": "40.74.28.0/23" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "topic", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the Event Grid Topic. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`eventSubscriptions`](#parameter-eventsubscriptions) | array | Event subscriptions to deploy. | -| [`inboundIpRules`](#parameter-inboundiprules) | array | This can be used to restrict traffic from specific IPs instead of all IPs. Note: These are considered only if PublicNetworkAccess is enabled. | -| [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and inboundIpRules are not set. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`tags`](#parameter-tags) | object | Tags of the resource. 
| - -### Parameter: `name` - -The name of the Event Grid Topic. - -- Required: Yes -- Type: string - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. 
| -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
- -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `eventSubscriptions` - -Event subscriptions to deploy. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `inboundIpRules` - -This can be used to restrict traffic from specific IPs instead of all IPs. Note: These are considered only if PublicNetworkAccess is enabled. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all Resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints` - -Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. 
| -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.subnetResourceId` - -Resource ID of the subnet where the endpoint needs to be created. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Application security groups in which the private endpoint IP configuration is included. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customDnsConfigs` - -Custom DNS configurations. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customNetworkInterfaceName` - -The custom name of the network interface attached to the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.enableTelemetry` - -Enable/Disable usage telemetry for module. 
- -- Required: No -- Type: bool - -### Parameter: `privateEndpoints.ipConfigurations` - -A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.location` - -The location to deploy the private endpoint to. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.lock` - -Specify the type of lock. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | -| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | - -### Parameter: `privateEndpoints.lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `privateEndpoints.lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` - -Manual PrivateLink Service Connections. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.name` - -The name of the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneGroupName` - -The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` - -The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `privateEndpoints.roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. 
- -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `privateEndpoints.service` - -The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.tags` - -Tags to be applied on all resources/resource groups in this deployment. - -- Required: No -- Type: object - -### Parameter: `publicNetworkAccess` - -Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and inboundIpRules are not set. 
- -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. 
| - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the event grid topic. | -| `resourceGroupName` | string | The name of the resource group the event grid topic was deployed into. | -| `resourceId` | string | The resource ID of the event grid topic. 
| - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `modules/network/private-endpoint` | Local reference | +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/event-grid/topic/event-subscription/README.md b/modules/event-grid/topic/event-subscription/README.md deleted file mode 100644 index aa6ab314d5..0000000000 --- a/modules/event-grid/topic/event-subscription/README.md +++ /dev/null 
@@ -1,165 +0,0 @@ -# EventGrid Topic Event Subscriptions `[Microsoft.EventGrid/topics/eventSubscriptions]` - -This module deploys an Event Grid Topic Event Subscription. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.EventGrid/topics/eventSubscriptions` | [2022-06-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventGrid/2022-06-15/topics/eventSubscriptions) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`destination`](#parameter-destination) | object | The destination for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptiondestination-objects for more information). | -| [`name`](#parameter-name) | string | The name of the Event Subscription. | -| [`topicName`](#parameter-topicname) | string | Name of the Event Grid Topic. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`deadLetterDestination`](#parameter-deadletterdestination) | object | Dead Letter Destination. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterdestination-objects for more information). | -| [`deadLetterWithResourceIdentity`](#parameter-deadletterwithresourceidentity) | object | Dead Letter with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterwithresourceidentity-objects for more information). | -| [`deliveryWithResourceIdentity`](#parameter-deliverywithresourceidentity) | object | Delivery with Resource Identity Configuration. 
(See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deliverywithresourceidentity-objects for more information). | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`eventDeliverySchema`](#parameter-eventdeliveryschema) | string | The event delivery schema for the event subscription. | -| [`expirationTimeUtc`](#parameter-expirationtimeutc) | string | The expiration time for the event subscription. Format is ISO-8601 (yyyy-MM-ddTHH:mm:ssZ). | -| [`filter`](#parameter-filter) | object | The filter for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptionfilter for more information). | -| [`labels`](#parameter-labels) | array | The list of user defined labels. | -| [`location`](#parameter-location) | string | Location for all Resources. | -| [`retryPolicy`](#parameter-retrypolicy) | object | The retry policy for events. This can be used to configure the TTL and maximum number of delivery attempts and time to live for events. | - -### Parameter: `destination` - -The destination for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptiondestination-objects for more information). - -- Required: Yes -- Type: object - -### Parameter: `name` - -The name of the Event Subscription. - -- Required: Yes -- Type: string - -### Parameter: `topicName` - -Name of the Event Grid Topic. - -- Required: Yes -- Type: string - -### Parameter: `deadLetterDestination` - -Dead Letter Destination. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterdestination-objects for more information). 
- -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `deadLetterWithResourceIdentity` - -Dead Letter with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterwithresourceidentity-objects for more information). - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `deliveryWithResourceIdentity` - -Delivery with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deliverywithresourceidentity-objects for more information). - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `eventDeliverySchema` - -The event delivery schema for the event subscription. - -- Required: No -- Type: string -- Default: `'EventGridSchema'` -- Allowed: - ```Bicep - [ - 'CloudEventSchemaV1_0' - 'CustomInputSchema' - 'EventGridEvent' - 'EventGridSchema' - ] - ``` - -### Parameter: `expirationTimeUtc` - -The expiration time for the event subscription. Format is ISO-8601 (yyyy-MM-ddTHH:mm:ssZ). - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `filter` - -The filter for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptionfilter for more information). - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `labels` - -The list of user defined labels. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all Resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `retryPolicy` - -The retry policy for events. 
This can be used to configure the TTL and maximum number of delivery attempts and time to live for events. - -- Required: No -- Type: object -- Default: `{}` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the event subscription. | -| `resourceGroupName` | string | The name of the resource group the event subscription was deployed into. | -| `resourceId` | string | The resource ID of the event subscription. | - -## Cross-referenced modules - -_None_ diff --git a/modules/event-grid/topic/event-subscription/main.bicep b/modules/event-grid/topic/event-subscription/main.bicep deleted file mode 100644 index 216d233a71..0000000000 --- a/modules/event-grid/topic/event-subscription/main.bicep +++ /dev/null 
@@ -1,94 +0,0 @@
-metadata name = 'EventGrid Topic Event Subscriptions'
-metadata description = 'This module deploys an Event Grid Topic Event Subscription.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the Event Subscription.')
-param name string
-
-@description('Optional. Location for all Resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Required. Name of the Event Grid Topic.')
-param topicName string
-
-@description('Optional. Dead Letter Destination. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterdestination-objects for more information).')
-param deadLetterDestination object = {}
-
-@description('Optional. Dead Letter with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterwithresourceidentity-objects for more information).')
-param deadLetterWithResourceIdentity object = {}
-
-@description('Optional. Delivery with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deliverywithresourceidentity-objects for more information).')
-param deliveryWithResourceIdentity object = {}
-
-@description('Required. The destination for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptiondestination-objects for more information).')
-param destination object
-
-@description('Optional. 
The event delivery schema for the event subscription.') -@allowed( - [ - 'CloudEventSchemaV1_0' - 'CustomInputSchema' - 'EventGridSchema' - 'EventGridEvent' - ] -) -param eventDeliverySchema string = 'EventGridSchema' - -@description('Optional. The expiration time for the event subscription. Format is ISO-8601 (yyyy-MM-ddTHH:mm:ssZ).') -param expirationTimeUtc string = '' - -@description('Optional. The filter for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptionfilter for more information).') -param filter object = {} - -@description('Optional. The list of user defined labels.') -param labels array = [] - -@description('Optional. The retry policy for events. This can be used to configure the TTL and maximum number of delivery attempts and time to live for events.') -param retryPolicy object = {} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource topic 'Microsoft.EventGrid/topics@2022-06-15' existing = { - name: topicName -} - -resource eventSubscription 'Microsoft.EventGrid/topics/eventSubscriptions@2022-06-15' = { - name: name - parent: topic - properties: { - deadLetterDestination: !empty(deadLetterDestination) ? deadLetterDestination : null - deadLetterWithResourceIdentity: !empty(deadLetterWithResourceIdentity) ? deadLetterWithResourceIdentity : null - deliveryWithResourceIdentity: !empty(deliveryWithResourceIdentity) ? deliveryWithResourceIdentity : null - destination: destination - eventDeliverySchema: eventDeliverySchema - expirationTimeUtc: !empty(expirationTimeUtc) ? 
expirationTimeUtc : '' - filter: !empty(filter) ? filter : {} - labels: !empty(labels) ? labels : [] - retryPolicy: !empty(retryPolicy) ? retryPolicy : null - } -} - -@description('The name of the event subscription.') -output name string = eventSubscription.name - -@description('The resource ID of the event subscription.') -output resourceId string = eventSubscription.id - -@description('The name of the resource group the event subscription was deployed into.') -output resourceGroupName string = resourceGroup().name - -@description('The location the resource was deployed into.') -output location string = topic.location diff --git a/modules/event-grid/topic/event-subscription/main.json b/modules/event-grid/topic/event-subscription/main.json deleted file mode 100644 index 3d5fcc0124..0000000000 --- a/modules/event-grid/topic/event-subscription/main.json +++ /dev/null 
@@ -1,172 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "19673224192591950" - }, - "name": "EventGrid Topic Event Subscriptions", - "description": "This module deploys an Event Grid Topic Event Subscription.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Event Subscription." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "topicName": { - "type": "string", - "metadata": { - "description": "Required. Name of the Event Grid Topic." - } - }, - "deadLetterDestination": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Dead Letter Destination. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterdestination-objects for more information)." - } - }, - "deadLetterWithResourceIdentity": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Dead Letter with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterwithresourceidentity-objects for more information)." - } - }, - "deliveryWithResourceIdentity": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Delivery with Resource Identity Configuration. 
(See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deliverywithresourceidentity-objects for more information)." - } - }, - "destination": { - "type": "object", - "metadata": { - "description": "Required. The destination for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptiondestination-objects for more information)." - } - }, - "eventDeliverySchema": { - "type": "string", - "defaultValue": "EventGridSchema", - "allowedValues": [ - "CloudEventSchemaV1_0", - "CustomInputSchema", - "EventGridSchema", - "EventGridEvent" - ], - "metadata": { - "description": "Optional. The event delivery schema for the event subscription." - } - }, - "expirationTimeUtc": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The expiration time for the event subscription. Format is ISO-8601 (yyyy-MM-ddTHH:mm:ssZ)." - } - }, - "filter": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The filter for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptionfilter for more information)." - } - }, - "labels": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of user defined labels." - } - }, - "retryPolicy": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The retry policy for events. This can be used to configure the TTL and maximum number of delivery attempts and time to live for events." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.EventGrid/topics/eventSubscriptions", - "apiVersion": "2022-06-15", - "name": "[format('{0}/{1}', parameters('topicName'), parameters('name'))]", - "properties": { - "deadLetterDestination": "[if(not(empty(parameters('deadLetterDestination'))), parameters('deadLetterDestination'), null())]", - "deadLetterWithResourceIdentity": "[if(not(empty(parameters('deadLetterWithResourceIdentity'))), parameters('deadLetterWithResourceIdentity'), null())]", - "deliveryWithResourceIdentity": "[if(not(empty(parameters('deliveryWithResourceIdentity'))), parameters('deliveryWithResourceIdentity'), null())]", - "destination": "[parameters('destination')]", - "eventDeliverySchema": "[parameters('eventDeliverySchema')]", - "expirationTimeUtc": "[if(not(empty(parameters('expirationTimeUtc'))), parameters('expirationTimeUtc'), '')]", - "filter": "[if(not(empty(parameters('filter'))), parameters('filter'), createObject())]", - "labels": "[if(not(empty(parameters('labels'))), parameters('labels'), createArray())]", - "retryPolicy": "[if(not(empty(parameters('retryPolicy'))), parameters('retryPolicy'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the event subscription." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the event subscription." 
- }, - "value": "[resourceId('Microsoft.EventGrid/topics/eventSubscriptions', parameters('topicName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the event subscription was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference(resourceId('Microsoft.EventGrid/topics', parameters('topicName')), '2022-06-15', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/event-grid/topic/event-subscription/version.json b/modules/event-grid/topic/event-subscription/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/event-grid/topic/event-subscription/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/event-grid/topic/main.bicep b/modules/event-grid/topic/main.bicep deleted file mode 100644 index 440efefed8..0000000000 --- a/modules/event-grid/topic/main.bicep +++ /dev/null 
@@ -1,323 +0,0 @@
-metadata name = 'Event Grid Topics'
-metadata description = 'This module deploys an Event Grid Topic.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the Event Grid Topic.')
-param name string
-
-@description('Optional. Location for all Resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and inboundIpRules are not set.')
-@allowed([
- ''
- 'Enabled'
- 'Disabled'
-])
-param publicNetworkAccess string = ''
-
-@description('Optional. This can be used to restrict traffic from specific IPs instead of all IPs. Note: These are considered only if PublicNetworkAccess is enabled.')
-param inboundIpRules array = []
-
-@description('Optional. Event subscriptions to deploy.')
-param eventSubscriptions array = []
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints privateEndpointType
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'EventGrid Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')
- 'EventGrid Data Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7')
- 'EventGrid EventSubscription Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')
- 'EventGrid EventSubscription Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2414bbcf-6497-4faf-8c65-045460748405')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource topic 'Microsoft.EventGrid/topics@2020-06-01' = {
- name: name
- location: location
- tags: tags
- properties: {
- publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) && empty(inboundIpRules) ? 'Disabled' : null)
- inboundIpRules: (empty(inboundIpRules) ? null : inboundIpRules)
- }
-}
-
-// Event subscriptions
-module topics_eventSubscriptions 'event-subscription/main.bicep' = [for (eventSubscription, index) in eventSubscriptions: {
- name: '${uniqueString(deployment().name, location)}-EventGrid-Topics-EventSubscriptions-${index}'
- params: {
- destination: eventSubscription.destination
- topicName: topic.name
- name: eventSubscription.name
- deadLetterDestination: contains(eventSubscriptions, 'deadLetterDestination') ? eventSubscription.deadLetterDestination : {}
- deadLetterWithResourceIdentity: contains(eventSubscriptions, 'deadLetterWithResourceIdentity') ? eventSubscription.deadLetterWithResourceIdentity : {}
- deliveryWithResourceIdentity: contains(eventSubscriptions, 'deliveryWithResourceIdentity') ? eventSubscription.deliveryWithResourceIdentity : {}
- enableDefaultTelemetry: contains(eventSubscriptions, 'enableDefaultTelemetry') ? eventSubscription.enableDefaultTelemetry : true
- eventDeliverySchema: contains(eventSubscriptions, 'eventDeliverySchema') ? eventSubscription.eventDeliverySchema : 'EventGridSchema'
- expirationTimeUtc: contains(eventSubscriptions, 'expirationTimeUtc') ? eventSubscription.expirationTimeUtc : ''
- filter: contains(eventSubscriptions, 'filter') ? eventSubscription.filter : {}
- labels: contains(eventSubscriptions, 'labels') ? eventSubscription.labels : []
- location: contains(eventSubscriptions, 'location') ? eventSubscription.location : topic.location
- retryPolicy: contains(eventSubscriptions, 'retryPolicy') ? eventSubscription.retryPolicy : {}
- }
-}]
-
-resource topic_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: topic
-}
-
-resource topic_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: topic
-}]
-
-module topic_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
- name: '${uniqueString(deployment().name, location)}-topic-PrivateEndpoint-${index}'
- params: {
- groupIds: [
- privateEndpoint.?service ?? 'topic'
- ]
- name: privateEndpoint.?name ?? 'pep-${last(split(topic.id, '/'))}-${privateEndpoint.?service ?? 'topic'}-${index}'
- serviceResourceId: topic.id
- subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
- location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
- privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
- roleAssignments: privateEndpoint.?roleAssignments
- tags: privateEndpoint.?tags ?? tags
- manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
- customDnsConfigs: privateEndpoint.?customDnsConfigs
- ipConfigurations: privateEndpoint.?ipConfigurations
- applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
- customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
- }
-}]
-
-resource topic_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(topic.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: topic
-}]
-
-@description('The name of the event grid topic.')
-output name string = topic.name
-
-@description('The resource ID of the event grid topic.')
-output resourceId string = topic.id
-
-@description('The name of the resource group the event grid topic was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = topic.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type privateEndpointType = {
- @description('Optional. The name of the private endpoint.')
- name: string?
-
- @description('Optional. The location to deploy the private endpoint to.')
- location: string?
-
- @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
- service: string?
-
- @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
- subnetResourceId: string
-
- @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
- privateDnsZoneGroupName: string?
-
- @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
- privateDnsZoneResourceIds: string[]?
-
- @description('Optional. Custom DNS configurations.')
- customDnsConfigs: {
- @description('Required. Fqdn that resolves to private endpoint ip address.')
- fqdn: string?
-
- @description('Required. A list of private ip addresses of the private endpoint.')
- ipAddresses: string[]
- }[]?
-
- @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
- ipConfigurations: {
- @description('Required. The name of the resource that is unique within a resource group.')
- name: string
-
- @description('Required. Properties of private endpoint IP configurations.')
- properties: {
- @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
- groupId: string
-
- @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
- memberName: string
-
- @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
- privateIPAddress: string
- }
- }[]?
-
- @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
- applicationSecurityGroupResourceIds: string[]?
-
- @description('Optional. The custom name of the network interface attached to the private endpoint.')
- customNetworkInterfaceName: string?
-
- @description('Optional. Specify the type of lock.')
- lock: lockType
-
- @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleAssignments: roleAssignmentType
-
- @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
- tags: object?
-
- @description('Optional. Manual PrivateLink Service Connections.')
- manualPrivateLinkServiceConnections: array?
-
- @description('Optional. Enable/Disable usage telemetry for module.')
- enableTelemetry: bool?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/event-grid/topic/main.json b/modules/event-grid/topic/main.json
deleted file mode 100644
index 2b5559ee2a..0000000000
--- a/modules/event-grid/topic/main.json
+++ /dev/null
@@ -1,1425 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "12820080478660459397" - }, - "name": "Event Grid Topics", - "description": "This module deploys an Event Grid Topic.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." 
- } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." 
- } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." 
- } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." 
- } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Event Grid Topic." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and inboundIpRules are not set." - } - }, - "inboundIpRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. This can be used to restrict traffic from specific IPs instead of all IPs. Note: These are considered only if PublicNetworkAccess is enabled." 
- } - }, - "eventSubscriptions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Event subscriptions to deploy." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "EventGrid Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')]", - "EventGrid Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7')]", - "EventGrid EventSubscription Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", - "EventGrid EventSubscription Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2414bbcf-6497-4faf-8c65-045460748405')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "topic": { - "type": "Microsoft.EventGrid/topics", - "apiVersion": "2020-06-01", - "name": 
"[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), if(and(not(empty(parameters('privateEndpoints'))), empty(parameters('inboundIpRules'))), 'Disabled', null()))]", - "inboundIpRules": "[if(empty(parameters('inboundIpRules')), null(), parameters('inboundIpRules'))]" - } - }, - "topic_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.EventGrid/topics/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "topic" - ] - }, - "topic_diagnosticSettings": { - "copy": { - "name": "topic_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.EventGrid/topics/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "topic" - ] - }, - "topic_roleAssignments": { - "copy": { - "name": "topic_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.EventGrid/topics/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.EventGrid/topics', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": 
"[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "topic" - ] - }, - "topics_eventSubscriptions": { - "copy": { - "name": "topics_eventSubscriptions", - "count": "[length(parameters('eventSubscriptions'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-EventGrid-Topics-EventSubscriptions-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "destination": { - "value": "[parameters('eventSubscriptions')[copyIndex()].destination]" - }, - "topicName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('eventSubscriptions')[copyIndex()].name]" - }, - "deadLetterDestination": "[if(contains(parameters('eventSubscriptions'), 'deadLetterDestination'), createObject('value', parameters('eventSubscriptions')[copyIndex()].deadLetterDestination), createObject('value', createObject()))]", - "deadLetterWithResourceIdentity": "[if(contains(parameters('eventSubscriptions'), 'deadLetterWithResourceIdentity'), createObject('value', 
parameters('eventSubscriptions')[copyIndex()].deadLetterWithResourceIdentity), createObject('value', createObject()))]", - "deliveryWithResourceIdentity": "[if(contains(parameters('eventSubscriptions'), 'deliveryWithResourceIdentity'), createObject('value', parameters('eventSubscriptions')[copyIndex()].deliveryWithResourceIdentity), createObject('value', createObject()))]", - "enableDefaultTelemetry": "[if(contains(parameters('eventSubscriptions'), 'enableDefaultTelemetry'), createObject('value', parameters('eventSubscriptions')[copyIndex()].enableDefaultTelemetry), createObject('value', true()))]", - "eventDeliverySchema": "[if(contains(parameters('eventSubscriptions'), 'eventDeliverySchema'), createObject('value', parameters('eventSubscriptions')[copyIndex()].eventDeliverySchema), createObject('value', 'EventGridSchema'))]", - "expirationTimeUtc": "[if(contains(parameters('eventSubscriptions'), 'expirationTimeUtc'), createObject('value', parameters('eventSubscriptions')[copyIndex()].expirationTimeUtc), createObject('value', ''))]", - "filter": "[if(contains(parameters('eventSubscriptions'), 'filter'), createObject('value', parameters('eventSubscriptions')[copyIndex()].filter), createObject('value', createObject()))]", - "labels": "[if(contains(parameters('eventSubscriptions'), 'labels'), createObject('value', parameters('eventSubscriptions')[copyIndex()].labels), createObject('value', createArray()))]", - "location": "[if(contains(parameters('eventSubscriptions'), 'location'), createObject('value', parameters('eventSubscriptions')[copyIndex()].location), createObject('value', reference('topic', '2020-06-01', 'full').location))]", - "retryPolicy": "[if(contains(parameters('eventSubscriptions'), 'retryPolicy'), createObject('value', parameters('eventSubscriptions')[copyIndex()].retryPolicy), createObject('value', createObject()))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - 
"contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "19673224192591950" - }, - "name": "EventGrid Topic Event Subscriptions", - "description": "This module deploys an Event Grid Topic Event Subscription.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Event Subscription." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "topicName": { - "type": "string", - "metadata": { - "description": "Required. Name of the Event Grid Topic." - } - }, - "deadLetterDestination": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Dead Letter Destination. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterdestination-objects for more information)." - } - }, - "deadLetterWithResourceIdentity": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Dead Letter with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterwithresourceidentity-objects for more information)." - } - }, - "deliveryWithResourceIdentity": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Delivery with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deliverywithresourceidentity-objects for more information)." 
- } - }, - "destination": { - "type": "object", - "metadata": { - "description": "Required. The destination for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptiondestination-objects for more information)." - } - }, - "eventDeliverySchema": { - "type": "string", - "defaultValue": "EventGridSchema", - "allowedValues": [ - "CloudEventSchemaV1_0", - "CustomInputSchema", - "EventGridSchema", - "EventGridEvent" - ], - "metadata": { - "description": "Optional. The event delivery schema for the event subscription." - } - }, - "expirationTimeUtc": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The expiration time for the event subscription. Format is ISO-8601 (yyyy-MM-ddTHH:mm:ssZ)." - } - }, - "filter": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The filter for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptionfilter for more information)." - } - }, - "labels": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of user defined labels." - } - }, - "retryPolicy": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The retry policy for events. This can be used to configure the TTL and maximum number of delivery attempts and time to live for events." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.EventGrid/topics/eventSubscriptions", - "apiVersion": "2022-06-15", - "name": "[format('{0}/{1}', parameters('topicName'), parameters('name'))]", - "properties": { - "deadLetterDestination": "[if(not(empty(parameters('deadLetterDestination'))), parameters('deadLetterDestination'), null())]", - "deadLetterWithResourceIdentity": "[if(not(empty(parameters('deadLetterWithResourceIdentity'))), parameters('deadLetterWithResourceIdentity'), null())]", - "deliveryWithResourceIdentity": "[if(not(empty(parameters('deliveryWithResourceIdentity'))), parameters('deliveryWithResourceIdentity'), null())]", - "destination": "[parameters('destination')]", - "eventDeliverySchema": "[parameters('eventDeliverySchema')]", - "expirationTimeUtc": "[if(not(empty(parameters('expirationTimeUtc'))), parameters('expirationTimeUtc'), '')]", - "filter": "[if(not(empty(parameters('filter'))), parameters('filter'), createObject())]", - "labels": "[if(not(empty(parameters('labels'))), parameters('labels'), createArray())]", - "retryPolicy": "[if(not(empty(parameters('retryPolicy'))), parameters('retryPolicy'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the event subscription." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the event subscription." 
- }, - "value": "[resourceId('Microsoft.EventGrid/topics/eventSubscriptions', parameters('topicName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the event subscription was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference(resourceId('Microsoft.EventGrid/topics', parameters('topicName')), '2022-06-15', 'full').location]" - } - } - } - }, - "dependsOn": [ - "topic" - ] - }, - "topic_privateEndpoints": { - "copy": { - "name": "topic_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-topic-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'topic')]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.EventGrid/topics', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'topic'), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.EventGrid/topics', parameters('name'))]" - }, - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 
'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." 
- } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." 
- } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } 
- }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - "groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": 
"privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": 
"Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "topic" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the event grid topic." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the event grid topic." - }, - "value": "[resourceId('Microsoft.EventGrid/topics', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the event grid topic was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('topic', '2020-06-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/event-grid/topic/tests/e2e/defaults/main.test.bicep b/modules/event-grid/topic/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 29f7356f10..0000000000 --- a/modules/event-grid/topic/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-eventgrid.topics-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'egtmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/event-grid/topic/tests/e2e/max/dependencies.bicep b/modules/event-grid/topic/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 448380e27d..0000000000
--- a/modules/event-grid/topic/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,89 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-@description('Required. The name of the Storage Queue to create.')
-param storageQueueName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.eventgrid.azure.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
-
- resource queueService 'queueServices@2022-09-01' = {
- name: 'default'
-
- resource queue 'queues@2022-09-01' = {
- name: storageQueueName
- }
- }
-}
-
-@description('The name of the created Storage Account Queue.')
-output queueName string = storageAccount::queueService::queue.name
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId
string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
diff --git a/modules/event-grid/topic/tests/e2e/max/main.test.bicep b/modules/event-grid/topic/tests/e2e/max/main.test.bicep
deleted file mode 100644
index bba0f24999..0000000000
--- a/modules/event-grid/topic/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,146 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-eventgrid.topics-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'egtmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- storageAccountName: 'dep${namePrefix}sa${serviceShort}'
- storageQueueName: 'dep${namePrefix}sq${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName:
'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- eventSubscriptions: [ {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- expirationTimeUtc: '2099-01-01T11:00:21.715Z'
- filter: {
- isSubjectCaseSensitive: false
- enableAdvancedFilteringOnArrays: true
- }
- retryPolicy: {
- maxDeliveryAttempts: 10
- eventTimeToLive: '120'
- }
- eventDeliverySchema: 'CloudEventSchemaV1_0'
- destination: {
- endpointType: 'StorageQueue'
- properties: {
- resourceId: nestedDependencies.outputs.storageAccountResourceId
- queueMessageTimeToLiveInSeconds: 86400
- queueName: nestedDependencies.outputs.queueName
- }
- }
- } ]
- inboundIpRules: [
- {
- action: 'Allow'
- ipMask: '40.74.28.0/23'
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- service: 'topic'
- subnetResourceId:
nestedDependencies.outputs.subnetResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/event-grid/topic/tests/e2e/pe/dependencies.bicep b/modules/event-grid/topic/tests/e2e/pe/dependencies.bicep
deleted file mode 100644
index 4d31fc9282..0000000000
--- a/modules/event-grid/topic/tests/e2e/pe/dependencies.bicep
+++ /dev/null
@@ -1,49 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.eventgrid.azure.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/event-grid/topic/tests/e2e/pe/main.test.bicep b/modules/event-grid/topic/tests/e2e/pe/main.test.bicep
deleted file mode 100644
index e2244c60d7..0000000000
--- a/modules/event-grid/topic/tests/e2e/pe/main.test.bicep
+++ /dev/null
@@ -1,72 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-eventgrid.topics-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'egtpe'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role:
'DeploymentValidation'
- }
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/event-grid/topic/tests/e2e/waf-aligned/dependencies.bicep b/modules/event-grid/topic/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 448380e27d..0000000000
--- a/modules/event-grid/topic/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,89 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-@description('Required. The name of the Storage Queue to create.')
-param storageQueueName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.eventgrid.azure.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
-
- resource queueService 'queueServices@2022-09-01' = {
- name: 'default'
-
- resource queue 'queues@2022-09-01' = {
- name: storageQueueName
- }
- }
-}
-
-@description('The name of the created Storage Account Queue.')
-output queueName string = storageAccount::queueService::queue.name
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId
string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
diff --git a/modules/event-grid/topic/tests/e2e/waf-aligned/main.test.bicep b/modules/event-grid/topic/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 10a11dab1b..0000000000
--- a/modules/event-grid/topic/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,146 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-eventgrid.topics-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'egtwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - storageAccountName: 'dep${namePrefix}sa${serviceShort}' - storageQueueName: 'dep${namePrefix}sq${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - 
logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - eventSubscriptions: [ { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - expirationTimeUtc: '2099-01-01T11:00:21.715Z' - filter: { - isSubjectCaseSensitive: false - enableAdvancedFilteringOnArrays: true - } - retryPolicy: { - maxDeliveryAttempts: 10 - eventTimeToLive: '120' - } - eventDeliverySchema: 'CloudEventSchemaV1_0' - destination: { - endpointType: 'StorageQueue' - properties: { - resourceId: nestedDependencies.outputs.storageAccountResourceId - queueMessageTimeToLiveInSeconds: 86400 - queueName: nestedDependencies.outputs.queueName - } - } - } ] - inboundIpRules: [ - { - action: 'Allow' - ipMask: '40.74.28.0/23' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - service: 'topic' - subnetResourceId: 
nestedDependencies.outputs.subnetResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/event-grid/topic/version.json b/modules/event-grid/topic/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/event-grid/topic/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/event-hub/namespace/README.md b/modules/event-hub/namespace/README.md index 0a0cbfd8da..d6c72005d5 100644 --- a/modules/event-hub/namespace/README.md +++ b/modules/event-hub/namespace/README.md @@ -1,1856 +1,7 @@ -# Event Hub Namespaces `[Microsoft.EventHub/namespaces]` +

⚠️ Moved to AVM ⚠️

-This module deploys an Event Hub Namespace. +**This module has been evolved into the following AVM module: [avm/res/event-hub/namespace](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/event-hub/namespace).** -## Navigation +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/event-hub/namespace). -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.EventHub/namespaces` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-10-01-preview/namespaces) | -| `Microsoft.EventHub/namespaces/authorizationRules` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-10-01-preview/namespaces/authorizationRules) | -| `Microsoft.EventHub/namespaces/disasterRecoveryConfigs` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-10-01-preview/namespaces/disasterRecoveryConfigs) | -| `Microsoft.EventHub/namespaces/eventhubs` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-10-01-preview/namespaces/eventhubs) | -| `Microsoft.EventHub/namespaces/eventhubs/authorizationRules` | 
[2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-10-01-preview/namespaces/eventhubs/authorizationRules) | -| `Microsoft.EventHub/namespaces/eventhubs/consumergroups` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-10-01-preview/namespaces/eventhubs/consumergroups) | -| `Microsoft.EventHub/namespaces/networkRuleSets` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-10-01-preview/namespaces/networkRuleSets) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/event-hub.namespace:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Encr](#example-2-encr) -- [Using large parameter set](#example-3-using-large-parameter-set) -- [Pe](#example-4-pe) -- [WAF-aligned](#example-5-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ehnmin' - params: { - // Required parameters - name: 'ehnmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ehnmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Encr_ - -

- -via Bicep module - -```bicep -module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ehnenc' - params: { - // Required parameters - name: 'ehnenc001' - // Non-required parameters - customerManagedKey: { - keyName: '' - keyVaultResourceId: '' - userAssignedIdentityResourceId: '' - } - enableDefaultTelemetry: '' - managedIdentities: { - systemAssigned: false - userAssignedResourceIds: [ - '' - ] - } - publicNetworkAccess: 'SecuredByPerimeter' - requireInfrastructureEncryption: true - skuName: 'Premium' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ehnenc001" - }, - // Non-required parameters - "customerManagedKey": { - "value": { - "keyName": "", - "keyVaultResourceId": "", - "userAssignedIdentityResourceId": "" - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "managedIdentities": { - "value": { - "systemAssigned": false, - "userAssignedResourceIds": [ - "" - ] - } - }, - "publicNetworkAccess": { - "value": "SecuredByPerimeter" - }, - "requireInfrastructureEncryption": { - "value": true - }, - "skuName": { - "value": "Premium" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ehnmax' - params: { - // Required parameters - name: 'ehnmax001' - // Non-required parameters - authorizationRules: [ - { - name: 'RootManageSharedAccessKey' - rights: [ - 'Listen' - 'Manage' - 'Send' - ] - } - { - name: 'SendListenAccess' - rights: [ - 'Listen' - 'Send' - ] - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - disableLocalAuth: true - enableDefaultTelemetry: '' - eventhubs: [ - { - name: 'az-evh-x-001' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - } - { - authorizationRules: [ - { - name: 'RootManageSharedAccessKey' - rights: [ - 'Listen' - 'Manage' - 'Send' - ] - } - { - name: 'SendListenAccess' - rights: [ - 'Listen' - 'Send' - ] - } - ] - captureDescriptionDestinationArchiveNameFormat: '{Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}' - captureDescriptionDestinationBlobContainer: 'eventhub' - captureDescriptionDestinationName: 'EventHubArchive.AzureBlockBlob' - captureDescriptionDestinationStorageAccountResourceId: '' - captureDescriptionEnabled: true - captureDescriptionEncoding: 'Avro' - captureDescriptionIntervalInSeconds: 300 - captureDescriptionSizeLimitInBytes: 314572800 - captureDescriptionSkipEmptyArchives: true - consumergroups: [ - { - name: 'custom' - userMetadata: 'customMetadata' - } - ] - messageRetentionInDays: 1 - name: 'az-evh-x-002' - partitionCount: 2 - retentionDescriptionCleanupPolicy: 'Delete' - retentionDescriptionRetentionTimeInHours: 3 - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - status: 
'Active' - } - { - name: 'az-evh-x-003' - retentionDescriptionCleanupPolicy: 'Compact' - retentionDescriptionTombstoneRetentionTimeInHours: 24 - } - ] - isAutoInflateEnabled: true - kafkaEnabled: true - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - maximumThroughputUnits: 4 - minimumTlsVersion: '1.2' - networkRuleSets: { - defaultAction: 'Deny' - ipRules: [ - { - action: 'Allow' - ipMask: '10.10.10.10' - } - ] - publicNetworkAccess: 'Disabled' - trustedServiceAccessEnabled: false - virtualNetworkRules: [ - { - ignoreMissingVnetServiceEndpoint: true - subnetResourceId: '' - } - ] - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'namespace' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - publicNetworkAccess: 'Disabled' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - skuCapacity: 2 - skuName: 'Standard' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - zoneRedundant: true - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ehnmax001" - }, - // Non-required parameters - "authorizationRules": { - "value": [ - { - "name": "RootManageSharedAccessKey", - "rights": [ - "Listen", - "Manage", - "Send" - ] - }, - { - "name": "SendListenAccess", - "rights": [ - "Listen", - "Send" - ] - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "disableLocalAuth": { - "value": true - }, - "enableDefaultTelemetry": { - "value": "" - }, - "eventhubs": { - "value": [ - { - "name": "az-evh-x-001", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - { - "authorizationRules": [ - { - "name": "RootManageSharedAccessKey", - "rights": [ - "Listen", - "Manage", - "Send" - ] - }, - { - "name": "SendListenAccess", - "rights": [ - "Listen", - "Send" - ] - } - ], - "captureDescriptionDestinationArchiveNameFormat": "{Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}", - "captureDescriptionDestinationBlobContainer": "eventhub", - "captureDescriptionDestinationName": "EventHubArchive.AzureBlockBlob", - "captureDescriptionDestinationStorageAccountResourceId": "", - "captureDescriptionEnabled": true, - "captureDescriptionEncoding": "Avro", - "captureDescriptionIntervalInSeconds": 300, - "captureDescriptionSizeLimitInBytes": 314572800, - "captureDescriptionSkipEmptyArchives": true, - "consumergroups": [ - { - "name": "custom", - "userMetadata": "customMetadata" - } - ], - "messageRetentionInDays": 1, - "name": "az-evh-x-002", - 
"partitionCount": 2, - "retentionDescriptionCleanupPolicy": "Delete", - "retentionDescriptionRetentionTimeInHours": 3, - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "status": "Active" - }, - { - "name": "az-evh-x-003", - "retentionDescriptionCleanupPolicy": "Compact", - "retentionDescriptionTombstoneRetentionTimeInHours": 24 - } - ] - }, - "isAutoInflateEnabled": { - "value": true - }, - "kafkaEnabled": { - "value": true - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "maximumThroughputUnits": { - "value": 4 - }, - "minimumTlsVersion": { - "value": "1.2" - }, - "networkRuleSets": { - "value": { - "defaultAction": "Deny", - "ipRules": [ - { - "action": "Allow", - "ipMask": "10.10.10.10" - } - ], - "publicNetworkAccess": "Disabled", - "trustedServiceAccessEnabled": false, - "virtualNetworkRules": [ - { - "ignoreMissingVnetServiceEndpoint": true, - "subnetResourceId": "" - } - ] - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "namespace", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "publicNetworkAccess": { - "value": "Disabled" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "skuCapacity": { - "value": 2 - }, - "skuName": { - "value": "Standard" - }, - "tags": { - "value": { - "Environment": 
"Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "zoneRedundant": { - "value": true - } - } -} -``` - -
-

- -### Example 4: _Pe_ - -

- -via Bicep module - -```bicep -module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ehnpe' - params: { - // Required parameters - name: 'ehnpe001' - // Non-required parameters - enableDefaultTelemetry: '' - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - skuCapacity: 2 - skuName: 'Premium' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - zoneRedundant: true - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ehnpe001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "skuCapacity": { - "value": 2 - }, - "skuName": { - "value": "Premium" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "zoneRedundant": { - "value": true - } - } -} -``` - -
-

- -### Example 5: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ehnwaf' - params: { - // Required parameters - name: 'ehnwaf001' - // Non-required parameters - authorizationRules: [ - { - name: 'RootManageSharedAccessKey' - rights: [ - 'Listen' - 'Manage' - 'Send' - ] - } - { - name: 'SendListenAccess' - rights: [ - 'Listen' - 'Send' - ] - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - disableLocalAuth: true - enableDefaultTelemetry: '' - eventhubs: [ - { - name: 'az-evh-x-001' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - } - { - authorizationRules: [ - { - name: 'RootManageSharedAccessKey' - rights: [ - 'Listen' - 'Manage' - 'Send' - ] - } - { - name: 'SendListenAccess' - rights: [ - 'Listen' - 'Send' - ] - } - ] - captureDescriptionDestinationArchiveNameFormat: '{Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}' - captureDescriptionDestinationBlobContainer: 'eventhub' - captureDescriptionDestinationName: 'EventHubArchive.AzureBlockBlob' - captureDescriptionDestinationStorageAccountResourceId: '' - captureDescriptionEnabled: true - captureDescriptionEncoding: 'Avro' - captureDescriptionIntervalInSeconds: 300 - captureDescriptionSizeLimitInBytes: 314572800 - captureDescriptionSkipEmptyArchives: true - consumergroups: [ - { - name: 'custom' - userMetadata: 'customMetadata' - } - ] - messageRetentionInDays: 1 - name: 'az-evh-x-002' - partitionCount: 2 - retentionDescriptionCleanupPolicy: 'Delete' - retentionDescriptionRetentionTimeInHours: 3 - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - status: 
'Active' - } - { - name: 'az-evh-x-003' - retentionDescriptionCleanupPolicy: 'Compact' - retentionDescriptionTombstoneRetentionTimeInHours: 24 - } - ] - isAutoInflateEnabled: true - kafkaEnabled: true - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - maximumThroughputUnits: 4 - minimumTlsVersion: '1.2' - networkRuleSets: { - defaultAction: 'Deny' - ipRules: [ - { - action: 'Allow' - ipMask: '10.10.10.10' - } - ] - trustedServiceAccessEnabled: false - virtualNetworkRules: [ - { - ignoreMissingVnetServiceEndpoint: true - subnetResourceId: '' - } - ] - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'namespace' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - publicNetworkAccess: 'Disabled' - skuCapacity: 2 - skuName: 'Standard' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - zoneRedundant: true - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ehnwaf001" - }, - // Non-required parameters - "authorizationRules": { - "value": [ - { - "name": "RootManageSharedAccessKey", - "rights": [ - "Listen", - "Manage", - "Send" - ] - }, - { - "name": "SendListenAccess", - "rights": [ - "Listen", - "Send" - ] - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "disableLocalAuth": { - "value": true - }, - "enableDefaultTelemetry": { - "value": "" - }, - "eventhubs": { - "value": [ - { - "name": "az-evh-x-001", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - { - "authorizationRules": [ - { - "name": "RootManageSharedAccessKey", - "rights": [ - "Listen", - "Manage", - "Send" - ] - }, - { - "name": "SendListenAccess", - "rights": [ - "Listen", - "Send" - ] - } - ], - "captureDescriptionDestinationArchiveNameFormat": "{Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}", - "captureDescriptionDestinationBlobContainer": "eventhub", - "captureDescriptionDestinationName": "EventHubArchive.AzureBlockBlob", - "captureDescriptionDestinationStorageAccountResourceId": "", - "captureDescriptionEnabled": true, - "captureDescriptionEncoding": "Avro", - "captureDescriptionIntervalInSeconds": 300, - "captureDescriptionSizeLimitInBytes": 314572800, - "captureDescriptionSkipEmptyArchives": true, - "consumergroups": [ - { - "name": "custom", - "userMetadata": "customMetadata" - } - ], - "messageRetentionInDays": 1, - "name": "az-evh-x-002", - 
"partitionCount": 2, - "retentionDescriptionCleanupPolicy": "Delete", - "retentionDescriptionRetentionTimeInHours": 3, - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "status": "Active" - }, - { - "name": "az-evh-x-003", - "retentionDescriptionCleanupPolicy": "Compact", - "retentionDescriptionTombstoneRetentionTimeInHours": 24 - } - ] - }, - "isAutoInflateEnabled": { - "value": true - }, - "kafkaEnabled": { - "value": true - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "maximumThroughputUnits": { - "value": 4 - }, - "minimumTlsVersion": { - "value": "1.2" - }, - "networkRuleSets": { - "value": { - "defaultAction": "Deny", - "ipRules": [ - { - "action": "Allow", - "ipMask": "10.10.10.10" - } - ], - "trustedServiceAccessEnabled": false, - "virtualNetworkRules": [ - { - "ignoreMissingVnetServiceEndpoint": true, - "subnetResourceId": "" - } - ] - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "namespace", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "publicNetworkAccess": { - "value": "Disabled" - }, - "skuCapacity": { - "value": 2 - }, - "skuName": { - "value": "Standard" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "zoneRedundant": { - "value": true - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the event hub namespace. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`authorizationRules`](#parameter-authorizationrules) | array | Authorization Rules for the Event Hub namespace. | -| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`disableLocalAuth`](#parameter-disablelocalauth) | bool | This property disables SAS authentication for the Event Hubs namespace. | -| [`disasterRecoveryConfig`](#parameter-disasterrecoveryconfig) | object | The disaster recovery config for this namespace. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`eventhubs`](#parameter-eventhubs) | array | The event hubs to deploy into this namespace. | -| [`isAutoInflateEnabled`](#parameter-isautoinflateenabled) | bool | Switch to enable the Auto Inflate feature of Event Hub. Auto Inflate is not supported in Premium SKU EventHub. | -| [`kafkaEnabled`](#parameter-kafkaenabled) | bool | Value that indicates whether Kafka is enabled for Event Hubs Namespace. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`maximumThroughputUnits`](#parameter-maximumthroughputunits) | int | Upper limit of throughput units when AutoInflate is enabled, value should be within 0 to 20 throughput units. | -| [`minimumTlsVersion`](#parameter-minimumtlsversion) | string | The minimum TLS version for the cluster to support. 
| -| [`networkRuleSets`](#parameter-networkrulesets) | object | Configure networking options. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. | -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | -| [`requireInfrastructureEncryption`](#parameter-requireinfrastructureencryption) | bool | Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`skuCapacity`](#parameter-skucapacity) | int | The Event Hub's throughput units for Basic or Standard tiers, where value should be 0 to 20 throughput units. The Event Hubs premium units for Premium tier, where value should be 0 to 10 premium units. | -| [`skuName`](#parameter-skuname) | string | event hub plan SKU name. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`zoneRedundant`](#parameter-zoneredundant) | bool | Switch to make the Event Hub Namespace zone redundant. | - -### Parameter: `name` - -The name of the event hub namespace. - -- Required: Yes -- Type: string - -### Parameter: `authorizationRules` - -Authorization Rules for the Event Hub namespace. 
- -- Required: No -- Type: array -- Default: - ```Bicep - [ - { - name: 'RootManageSharedAccessKey' - rights: [ - 'Listen' - 'Manage' - 'Send' - ] - } - ] - ``` - -### Parameter: `customerManagedKey` - -The customer managed key definition. - -- Required: No -- Type: object - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. | -| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | -| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | - -### Parameter: `customerManagedKey.keyName` - -The name of the customer managed key to use for encryption. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKey.keyVaultResourceId` - -The resource ID of a key vault to reference a customer managed key for encryption from. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKey.keyVersion` - -The version of the customer managed key to reference for encryption. If not provided, using 'latest'. - -- Required: No -- Type: string - -### Parameter: `customerManagedKey.userAssignedIdentityResourceId` - -User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. 
- -- Required: No -- Type: string - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. 
| -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
- -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `disableLocalAuth` - -This property disables SAS authentication for the Event Hubs namespace. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `disasterRecoveryConfig` - -The disaster recovery config for this namespace. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `eventhubs` - -The event hubs to deploy into this namespace. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `isAutoInflateEnabled` - -Switch to enable the Auto Inflate feature of Event Hub. Auto Inflate is not supported in Premium SKU EventHub. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `kafkaEnabled` - -Value that indicates whether Kafka is enabled for Event Hubs Namespace. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `location` - -Location for all resources. 
- -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: No -- Type: array - -### Parameter: `maximumThroughputUnits` - -Upper limit of throughput units when AutoInflate is enabled, value should be within 0 to 20 throughput units. - -- Required: No -- Type: int -- Default: `1` - -### Parameter: `minimumTlsVersion` - -The minimum TLS version for the cluster to support. - -- Required: No -- Type: string -- Default: `'1.2'` -- Allowed: - ```Bicep - [ - '1.0' - '1.1' - '1.2' - ] - ``` - -### Parameter: `networkRuleSets` - -Configure networking options. 
This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `privateEndpoints` - -Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. 
| -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.subnetResourceId` - -Resource ID of the subnet where the endpoint needs to be created. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Application security groups in which the private endpoint IP configuration is included. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customDnsConfigs` - -Custom DNS configurations. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customNetworkInterfaceName` - -The custom name of the network interface attached to the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.enableTelemetry` - -Enable/Disable usage telemetry for module. - -- Required: No -- Type: bool - -### Parameter: `privateEndpoints.ipConfigurations` - -A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.location` - -The location to deploy the private endpoint to. 
- -- Required: No -- Type: string - -### Parameter: `privateEndpoints.lock` - -Specify the type of lock. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | -| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | - -### Parameter: `privateEndpoints.lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `privateEndpoints.lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` - -Manual PrivateLink Service Connections. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.name` - -The name of the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneGroupName` - -The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` - -The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `privateEndpoints.roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `privateEndpoints.service` - -The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.tags` - -Tags to be applied on all resources/resource groups in this deployment. - -- Required: No -- Type: object - -### Parameter: `publicNetworkAccess` - -Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Disabled' - 'Enabled' - 'SecuredByPerimeter' - ] - ``` - -### Parameter: `requireInfrastructureEncryption` - -Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `roleAssignments` - -Array of role assignments to create. 
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
- -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `skuCapacity` - -The Event Hub's throughput units for Basic or Standard tiers, where value should be 0 to 20 throughput units. The Event Hubs premium units for Premium tier, where value should be 0 to 10 premium units. - -- Required: No -- Type: int -- Default: `1` - -### Parameter: `skuName` - -event hub plan SKU name. - -- Required: No -- Type: string -- Default: `'Standard'` -- Allowed: - ```Bicep - [ - 'Basic' - 'Premium' - 'Standard' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `zoneRedundant` - -Switch to make the Event Hub Namespace zone redundant. - -- Required: No -- Type: bool -- Default: `False` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the eventspace. 
|
-| `resourceGroupName` | string | The resource group where the namespace is deployed. |
-| `resourceId` | string | The resource ID of the eventspace. |
-| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. |
-
-## Cross-referenced modules
-
-This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
-
-| Reference | Type |
-| :-- | :-- |
-| `modules/network/private-endpoint` | Local reference |
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/event-hub/namespace/authorization-rule/README.md b/modules/event-hub/namespace/authorization-rule/README.md
deleted file mode 100644
index 430a336800..0000000000
--- a/modules/event-hub/namespace/authorization-rule/README.md
+++ /dev/null
@@ -1,88 +0,0 @@
-# Event Hub Namespace Authorization Rule `[Microsoft.EventHub/namespaces/authorizationRules]`
-
-This module deploys an Event Hub Namespace Authorization Rule.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.EventHub/namespaces/authorizationRules` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-10-01-preview/namespaces/authorizationRules) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the authorization rule. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`namespaceName`](#parameter-namespacename) | string | The name of the parent event hub namespace. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`rights`](#parameter-rights) | array | The rights associated with the rule. |
-
-### Parameter: `name`
-
-The name of the authorization rule.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `namespaceName`
-
-The name of the parent event hub namespace. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `rights`
-
-The rights associated with the rule.
-
-- Required: No
-- Type: array
-- Default: `[]`
-- Allowed:
- ```Bicep
- [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- ```
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the authorization rule. |
-| `resourceGroupName` | string | The name of the resource group the authorization rule was created in. |
-| `resourceId` | string | The resource ID of the authorization rule. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/event-hub/namespace/authorization-rule/main.bicep b/modules/event-hub/namespace/authorization-rule/main.bicep
deleted file mode 100644
index 18c7df3449..0000000000
--- a/modules/event-hub/namespace/authorization-rule/main.bicep
+++ /dev/null
@@ -1,53 +0,0 @@
-metadata name = 'Event Hub Namespace Authorization Rule'
-metadata description = 'This module deploys an Event Hub Namespace Authorization Rule.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent event hub namespace. Required if the template is used in a standalone deployment.')
-param namespaceName string
-
-@description('Required. The name of the authorization rule.')
-param name string
-
-@description('Optional. The rights associated with the rule.')
-@allowed([
- 'Listen'
- 'Manage'
- 'Send'
-])
-param rights array = []
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource namespace 'Microsoft.EventHub/namespaces@2022-10-01-preview' existing = {
- name: namespaceName
-}
-
-resource authorizationRule 'Microsoft.EventHub/namespaces/authorizationRules@2022-10-01-preview' = {
- name: name
- parent: namespace
- properties: {
- rights: rights
- }
-}
-
-@description('The name of the authorization rule.')
-output name string = authorizationRule.name
-
-@description('The resource ID of the authorization rule.')
-output resourceId string = authorizationRule.id
-
-@description('The name of the resource group the authorization rule was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/event-hub/namespace/authorization-rule/main.json b/modules/event-hub/namespace/authorization-rule/main.json
deleted file mode 100644
index 90eefef91d..0000000000
--- a/modules/event-hub/namespace/authorization-rule/main.json
+++ /dev/null
@@ -1,94 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "3454130656900257881" - }, - "name": "Event Hub Namespace Authorization Rule", - "description": "This module deploys an Event Hub Namespace Authorization Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "namespaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent event hub namespace. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the authorization rule." - } - }, - "rights": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "Listen", - "Manage", - "Send" - ], - "metadata": { - "description": "Optional. The rights associated with the rule." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.EventHub/namespaces/authorizationRules", - "apiVersion": "2022-10-01-preview", - "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", - "properties": { - "rights": "[parameters('rights')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the authorization rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the authorization rule." - }, - "value": "[resourceId('Microsoft.EventHub/namespaces/authorizationRules', parameters('namespaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the authorization rule was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/event-hub/namespace/authorization-rule/version.json b/modules/event-hub/namespace/authorization-rule/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/event-hub/namespace/authorization-rule/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/event-hub/namespace/disaster-recovery-config/README.md b/modules/event-hub/namespace/disaster-recovery-config/README.md
deleted file mode 100644
index 5587dbcbd0..0000000000
--- a/modules/event-hub/namespace/disaster-recovery-config/README.md
+++ /dev/null
@@ -1,80 +0,0 @@
-# Event Hub Namespace Disaster Recovery Configs `[Microsoft.EventHub/namespaces/disasterRecoveryConfigs]`
-
-This module deploys an Event Hub Namespace Disaster Recovery Config.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.EventHub/namespaces/disasterRecoveryConfigs` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-10-01-preview/namespaces/disasterRecoveryConfigs) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the disaster recovery config. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`namespaceName`](#parameter-namespacename) | string | The name of the parent event hub namespace. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`partnerNamespaceId`](#parameter-partnernamespaceid) | string | Resource ID of the Primary/Secondary event hub namespace name, which is part of GEO DR pairing. |
-
-### Parameter: `name`
-
-The name of the disaster recovery config.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `namespaceName`
-
-The name of the parent event hub namespace. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `partnerNamespaceId`
-
-Resource ID of the Primary/Secondary event hub namespace name, which is part of GEO DR pairing.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the disaster recovery config. |
-| `resourceGroupName` | string | The name of the resource group the disaster recovery config was created in. |
-| `resourceId` | string | The resource ID of the disaster recovery config. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/event-hub/namespace/disaster-recovery-config/main.bicep b/modules/event-hub/namespace/disaster-recovery-config/main.bicep
deleted file mode 100644
index 1cc93c8e67..0000000000
--- a/modules/event-hub/namespace/disaster-recovery-config/main.bicep
+++ /dev/null
@@ -1,48 +0,0 @@
-metadata name = 'Event Hub Namespace Disaster Recovery Configs'
-metadata description = 'This module deploys an Event Hub Namespace Disaster Recovery Config.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent event hub namespace. Required if the template is used in a standalone deployment.')
-param namespaceName string
-
-@description('Required. The name of the disaster recovery config.')
-param name string
-
-@description('Optional. Resource ID of the Primary/Secondary event hub namespace name, which is part of GEO DR pairing.')
-param partnerNamespaceId string = ''
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource namespace 'Microsoft.EventHub/namespaces@2022-10-01-preview' existing = {
- name: namespaceName
-}
-
-resource disasterRecoveryConfig 'Microsoft.EventHub/namespaces/disasterRecoveryConfigs@2022-10-01-preview' = {
- name: name
- parent: namespace
- properties: {
- partnerNamespace: partnerNamespaceId
- }
-}
-
-@description('The name of the disaster recovery config.')
-output name string = disasterRecoveryConfig.name
-
-@description('The resource ID of the disaster recovery config.')
-output resourceId string = disasterRecoveryConfig.id
-
-@description('The name of the resource group the disaster recovery config was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/event-hub/namespace/disaster-recovery-config/main.json b/modules/event-hub/namespace/disaster-recovery-config/main.json
deleted file mode 100644
index dd8315fd47..0000000000
--- a/modules/event-hub/namespace/disaster-recovery-config/main.json
+++ /dev/null
@@ -1,89 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "16561098614039073875" - }, - "name": "Event Hub Namespace Disaster Recovery Configs", - "description": "This module deploys an Event Hub Namespace Disaster Recovery Config.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "namespaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent event hub namespace. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the disaster recovery config." - } - }, - "partnerNamespaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the Primary/Secondary event hub namespace name, which is part of GEO DR pairing." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.EventHub/namespaces/disasterRecoveryConfigs", - "apiVersion": "2022-10-01-preview", - "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", - "properties": { - "partnerNamespace": "[parameters('partnerNamespaceId')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the disaster recovery config." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the disaster recovery config." - }, - "value": "[resourceId('Microsoft.EventHub/namespaces/disasterRecoveryConfigs', parameters('namespaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the disaster recovery config was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/event-hub/namespace/disaster-recovery-config/version.json b/modules/event-hub/namespace/disaster-recovery-config/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/event-hub/namespace/disaster-recovery-config/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/event-hub/namespace/eventhub/README.md b/modules/event-hub/namespace/eventhub/README.md
deleted file mode 100644
index cd1f41f928..0000000000
--- a/modules/event-hub/namespace/eventhub/README.md
+++ /dev/null
@@ -1,403 +0,0 @@ -# Event Hub Namespace Event Hubs `[Microsoft.EventHub/namespaces/eventhubs]` - -This module deploys an Event Hub Namespace Event Hub. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.EventHub/namespaces/eventhubs` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-10-01-preview/namespaces/eventhubs) | -| `Microsoft.EventHub/namespaces/eventhubs/authorizationRules` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-10-01-preview/namespaces/eventhubs/authorizationRules) | -| `Microsoft.EventHub/namespaces/eventhubs/consumergroups` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-10-01-preview/namespaces/eventhubs/consumergroups) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the event hub. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`namespaceName`](#parameter-namespacename) | string | The name of the parent event hub namespace. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`authorizationRules`](#parameter-authorizationrules) | array | Authorization Rules for the event hub. 
| -| [`captureDescriptionDestinationArchiveNameFormat`](#parameter-capturedescriptiondestinationarchivenameformat) | string | Blob naming convention for archive, e.g. {Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}. Here all the parameters (Namespace,EventHub .. etc) are mandatory irrespective of order. | -| [`captureDescriptionDestinationBlobContainer`](#parameter-capturedescriptiondestinationblobcontainer) | string | Blob container Name. | -| [`captureDescriptionDestinationName`](#parameter-capturedescriptiondestinationname) | string | Name for capture destination. | -| [`captureDescriptionDestinationStorageAccountResourceId`](#parameter-capturedescriptiondestinationstorageaccountresourceid) | string | Resource ID of the storage account to be used to create the blobs. | -| [`captureDescriptionEnabled`](#parameter-capturedescriptionenabled) | bool | A value that indicates whether capture description is enabled. | -| [`captureDescriptionEncoding`](#parameter-capturedescriptionencoding) | string | Enumerates the possible values for the encoding format of capture description. Note: "AvroDeflate" will be deprecated in New API Version. | -| [`captureDescriptionIntervalInSeconds`](#parameter-capturedescriptionintervalinseconds) | int | The time window allows you to set the frequency with which the capture to Azure Blobs will happen. | -| [`captureDescriptionSizeLimitInBytes`](#parameter-capturedescriptionsizelimitinbytes) | int | The size window defines the amount of data built up in your Event Hub before an capture operation. | -| [`captureDescriptionSkipEmptyArchives`](#parameter-capturedescriptionskipemptyarchives) | bool | A value that indicates whether to Skip Empty Archives. | -| [`consumergroups`](#parameter-consumergroups) | array | The consumer groups to create in this event hub instance. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). 
| -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`messageRetentionInDays`](#parameter-messageretentionindays) | int | Number of days to retain the events for this Event Hub, value should be 1 to 7 days. Will be automatically set to infinite retention if cleanup policy is set to "Compact". | -| [`partitionCount`](#parameter-partitioncount) | int | Number of partitions created for the Event Hub, allowed values are from 1 to 32 partitions. | -| [`retentionDescriptionCleanupPolicy`](#parameter-retentiondescriptioncleanuppolicy) | string | Retention cleanup policy. Enumerates the possible values for cleanup policy. | -| [`retentionDescriptionRetentionTimeInHours`](#parameter-retentiondescriptionretentiontimeinhours) | int | Retention time in hours. Number of hours to retain the events for this Event Hub. This value is only used when cleanupPolicy is Delete. If cleanupPolicy is Compact the returned value of this property is Long.MaxValue. | -| [`retentionDescriptionTombstoneRetentionTimeInHours`](#parameter-retentiondescriptiontombstoneretentiontimeinhours) | int | Retention cleanup policy. Number of hours to retain the tombstone markers of a compacted Event Hub. This value is only used when cleanupPolicy is Compact. Consumer must complete reading the tombstone marker within this specified amount of time if consumer begins from starting offset to ensure they get a valid snapshot for the specific key described by the tombstone marker within the compacted Event Hub. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`status`](#parameter-status) | string | Enumerates the possible values for the status of the Event Hub. | - -### Parameter: `name` - -The name of the event hub. - -- Required: Yes -- Type: string - -### Parameter: `namespaceName` - -The name of the parent event hub namespace. Required if the template is used in a standalone deployment. 
- -- Required: Yes -- Type: string - -### Parameter: `authorizationRules` - -Authorization Rules for the event hub. - -- Required: No -- Type: array -- Default: - ```Bicep - [ - { - name: 'RootManageSharedAccessKey' - rights: [ - 'Listen' - 'Manage' - 'Send' - ] - } - ] - ``` - -### Parameter: `captureDescriptionDestinationArchiveNameFormat` - -Blob naming convention for archive, e.g. {Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}. Here all the parameters (Namespace,EventHub .. etc) are mandatory irrespective of order. - -- Required: No -- Type: string -- Default: `'{Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}'` - -### Parameter: `captureDescriptionDestinationBlobContainer` - -Blob container Name. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `captureDescriptionDestinationName` - -Name for capture destination. - -- Required: No -- Type: string -- Default: `'EventHubArchive.AzureBlockBlob'` - -### Parameter: `captureDescriptionDestinationStorageAccountResourceId` - -Resource ID of the storage account to be used to create the blobs. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `captureDescriptionEnabled` - -A value that indicates whether capture description is enabled. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `captureDescriptionEncoding` - -Enumerates the possible values for the encoding format of capture description. Note: "AvroDeflate" will be deprecated in New API Version. - -- Required: No -- Type: string -- Default: `'Avro'` -- Allowed: - ```Bicep - [ - 'Avro' - 'AvroDeflate' - ] - ``` - -### Parameter: `captureDescriptionIntervalInSeconds` - -The time window allows you to set the frequency with which the capture to Azure Blobs will happen. 
- -- Required: No -- Type: int -- Default: `300` - -### Parameter: `captureDescriptionSizeLimitInBytes` - -The size window defines the amount of data built up in your Event Hub before an capture operation. - -- Required: No -- Type: int -- Default: `314572800` - -### Parameter: `captureDescriptionSkipEmptyArchives` - -A value that indicates whether to Skip Empty Archives. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `consumergroups` - -The consumer groups to create in this event hub instance. - -- Required: No -- Type: array -- Default: - ```Bicep - [ - { - name: '$Default' - } - ] - ``` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `messageRetentionInDays` - -Number of days to retain the events for this Event Hub, value should be 1 to 7 days. Will be automatically set to infinite retention if cleanup policy is set to "Compact". - -- Required: No -- Type: int -- Default: `1` - -### Parameter: `partitionCount` - -Number of partitions created for the Event Hub, allowed values are from 1 to 32 partitions. - -- Required: No -- Type: int -- Default: `2` - -### Parameter: `retentionDescriptionCleanupPolicy` - -Retention cleanup policy. Enumerates the possible values for cleanup policy. 
- -- Required: No -- Type: string -- Default: `'Delete'` -- Allowed: - ```Bicep - [ - 'Compact' - 'Delete' - ] - ``` - -### Parameter: `retentionDescriptionRetentionTimeInHours` - -Retention time in hours. Number of hours to retain the events for this Event Hub. This value is only used when cleanupPolicy is Delete. If cleanupPolicy is Compact the returned value of this property is Long.MaxValue. - -- Required: No -- Type: int -- Default: `1` - -### Parameter: `retentionDescriptionTombstoneRetentionTimeInHours` - -Retention cleanup policy. Number of hours to retain the tombstone markers of a compacted Event Hub. This value is only used when cleanupPolicy is Compact. Consumer must complete reading the tombstone marker within this specified amount of time if consumer begins from starting offset to ensure they get a valid snapshot for the specific key described by the tombstone marker within the compacted Event Hub. - -- Required: No -- Type: int -- Default: `1` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. 
- -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `status` - -Enumerates the possible values for the status of the Event Hub. - -- Required: No -- Type: string -- Default: `'Active'` -- Allowed: - ```Bicep - [ - 'Active' - 'Creating' - 'Deleting' - 'Disabled' - 'ReceiveDisabled' - 'Renaming' - 'Restoring' - 'SendDisabled' - 'Unknown' - ] - ``` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `eventHubId` | string | The resource ID of the event hub. | -| `name` | string | The name of the event hub. | -| `resourceGroupName` | string | The resource group the event hub was deployed into. | -| `resourceId` | string | The authentication rule resource ID of the event hub. | - -## Cross-referenced modules - -_None_ diff --git a/modules/event-hub/namespace/eventhub/authorization-rule/README.md b/modules/event-hub/namespace/eventhub/authorization-rule/README.md deleted file mode 100644 index f0679730be..0000000000 --- a/modules/event-hub/namespace/eventhub/authorization-rule/README.md +++ /dev/null 
@@ -1,96 +0,0 @@
-# Event Hub Namespace Event Hub Authorization Rules `[Microsoft.EventHub/namespaces/eventhubs/authorizationRules]`
-
-This module deploys an Event Hub Namespace Event Hub Authorization Rule.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.EventHub/namespaces/eventhubs/authorizationRules` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-10-01-preview/namespaces/eventhubs/authorizationRules) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the authorization rule. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`eventHubName`](#parameter-eventhubname) | string | The name of the parent event hub namespace event hub. Required if the template is used in a standalone deployment. |
-| [`namespaceName`](#parameter-namespacename) | string | The name of the parent event hub namespace. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`rights`](#parameter-rights) | array | The rights associated with the rule. |
-
-### Parameter: `name`
-
-The name of the authorization rule.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `eventHubName`
-
-The name of the parent event hub namespace event hub. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `namespaceName`
-
-The name of the parent event hub namespace. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `rights`
-
-The rights associated with the rule.
-
-- Required: No
-- Type: array
-- Default: `[]`
-- Allowed:
- ```Bicep
- [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- ```
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the authorization rule. |
-| `resourceGroupName` | string | The name of the resource group the authorization rule was created in. |
-| `resourceId` | string | The resource ID of the authorization rule. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/event-hub/namespace/eventhub/authorization-rule/main.bicep b/modules/event-hub/namespace/eventhub/authorization-rule/main.bicep
deleted file mode 100644
index 81c703399c..0000000000
--- a/modules/event-hub/namespace/eventhub/authorization-rule/main.bicep
+++ /dev/null
@@ -1,60 +0,0 @@
-metadata name = 'Event Hub Namespace Event Hub Authorization Rules'
-metadata description = 'This module deploys an Event Hub Namespace Event Hub Authorization Rule.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent event hub namespace. Required if the template is used in a standalone deployment.')
-param namespaceName string
-
-@description('Conditional. The name of the parent event hub namespace event hub. Required if the template is used in a standalone deployment.')
-param eventHubName string
-
-@description('Required. The name of the authorization rule.')
-param name string
-
-@description('Optional. The rights associated with the rule.')
-@allowed([
- 'Listen'
- 'Manage'
- 'Send'
-])
-param rights array = []
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource namespace 'Microsoft.EventHub/namespaces@2022-10-01-preview' existing = {
- name: namespaceName
-
- resource eventhub 'eventhubs@2022-10-01-preview' existing = {
- name: eventHubName
- }
-}
-
-resource authorizationRule 'Microsoft.EventHub/namespaces/eventhubs/authorizationRules@2022-10-01-preview' = {
- name: name
- parent: namespace::eventhub
- properties: {
- rights: rights
- }
-}
-
-@description('The name of the authorization rule.')
-output name string = authorizationRule.name
-
-@description('The resource ID of the authorization rule.')
-output resourceId string = authorizationRule.id
-
-@description('The name of the resource group the authorization rule was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/event-hub/namespace/eventhub/authorization-rule/main.json b/modules/event-hub/namespace/eventhub/authorization-rule/main.json
deleted file mode 100644
index e660b56d74..0000000000
--- a/modules/event-hub/namespace/eventhub/authorization-rule/main.json
+++ /dev/null
@@ -1,100 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "14602222687176746114" - }, - "name": "Event Hub Namespace Event Hub Authorization Rules", - "description": "This module deploys an Event Hub Namespace Event Hub Authorization Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "namespaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent event hub namespace. Required if the template is used in a standalone deployment." - } - }, - "eventHubName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent event hub namespace event hub. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the authorization rule." - } - }, - "rights": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "Listen", - "Manage", - "Send" - ], - "metadata": { - "description": "Optional. The rights associated with the rule." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.EventHub/namespaces/eventhubs/authorizationRules", - "apiVersion": "2022-10-01-preview", - "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('eventHubName'), parameters('name'))]", - "properties": { - "rights": "[parameters('rights')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the authorization rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the authorization rule." - }, - "value": "[resourceId('Microsoft.EventHub/namespaces/eventhubs/authorizationRules', parameters('namespaceName'), parameters('eventHubName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the authorization rule was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/event-hub/namespace/eventhub/authorization-rule/version.json b/modules/event-hub/namespace/eventhub/authorization-rule/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/event-hub/namespace/eventhub/authorization-rule/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/event-hub/namespace/eventhub/consumergroup/README.md b/modules/event-hub/namespace/eventhub/consumergroup/README.md
deleted file mode 100644
index 7a0da60dee..0000000000
--- a/modules/event-hub/namespace/eventhub/consumergroup/README.md
+++ /dev/null
@@ -1,88 +0,0 @@
-# Event Hub Namespace Event Hub Consumer Groups `[Microsoft.EventHub/namespaces/eventhubs/consumergroups]`
-
-This module deploys an Event Hub Namespace Event Hub Consumer Group.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.EventHub/namespaces/eventhubs/consumergroups` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-10-01-preview/namespaces/eventhubs/consumergroups) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the consumer group. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`eventHubName`](#parameter-eventhubname) | string | The name of the parent event hub namespace event hub. Required if the template is used in a standalone deployment. |
-| [`namespaceName`](#parameter-namespacename) | string | The name of the parent event hub namespace. Required if the template is used in a standalone deployment.s. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`userMetadata`](#parameter-usermetadata) | string | User Metadata is a placeholder to store user-defined string data with maximum length 1024. e.g. it can be used to store descriptive data, such as list of teams and their contact information also user-defined configuration settings can be stored. |
-
-### Parameter: `name`
-
-The name of the consumer group.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `eventHubName`
-
-The name of the parent event hub namespace event hub. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `namespaceName`
-
-The name of the parent event hub namespace. Required if the template is used in a standalone deployment.s.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `userMetadata`
-
-User Metadata is a placeholder to store user-defined string data with maximum length 1024. e.g. it can be used to store descriptive data, such as list of teams and their contact information also user-defined configuration settings can be stored.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the consumer group. |
-| `resourceGroupName` | string | The name of the resource group the consumer group was created in. |
-| `resourceId` | string | The resource ID of the consumer group. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/event-hub/namespace/eventhub/consumergroup/main.bicep b/modules/event-hub/namespace/eventhub/consumergroup/main.bicep
deleted file mode 100644
index debfe0b56d..0000000000
--- a/modules/event-hub/namespace/eventhub/consumergroup/main.bicep
+++ /dev/null
@@ -1,55 +0,0 @@
-metadata name = 'Event Hub Namespace Event Hub Consumer Groups'
-metadata description = 'This module deploys an Event Hub Namespace Event Hub Consumer Group.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent event hub namespace. Required if the template is used in a standalone deployment.s.')
-param namespaceName string
-
-@description('Conditional. The name of the parent event hub namespace event hub. Required if the template is used in a standalone deployment.')
-param eventHubName string
-
-@description('Required. The name of the consumer group.')
-param name string
-
-@description('Optional. User Metadata is a placeholder to store user-defined string data with maximum length 1024. e.g. it can be used to store descriptive data, such as list of teams and their contact information also user-defined configuration settings can be stored.')
-param userMetadata string = ''
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource namespace 'Microsoft.EventHub/namespaces@2022-10-01-preview' existing = {
- name: namespaceName
-
- resource eventhub 'eventhubs@2022-10-01-preview' existing = {
- name: eventHubName
- }
-}
-
-resource consumerGroup 'Microsoft.EventHub/namespaces/eventhubs/consumergroups@2022-10-01-preview' = {
- name: name
- parent: namespace::eventhub
- properties: {
- userMetadata: !empty(userMetadata) ? userMetadata : null
- }
-}
-
-@description('The name of the consumer group.')
-output name string = consumerGroup.name
-
-@description('The resource ID of the consumer group.')
-output resourceId string = consumerGroup.id
-
-@description('The name of the resource group the consumer group was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/event-hub/namespace/eventhub/consumergroup/main.json b/modules/event-hub/namespace/eventhub/consumergroup/main.json
deleted file mode 100644
index 1412965f0d..0000000000
--- a/modules/event-hub/namespace/eventhub/consumergroup/main.json
+++ /dev/null
@@ -1,95 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "1238713274798294217" - }, - "name": "Event Hub Namespace Event Hub Consumer Groups", - "description": "This module deploys an Event Hub Namespace Event Hub Consumer Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "namespaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent event hub namespace. Required if the template is used in a standalone deployment.s." - } - }, - "eventHubName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent event hub namespace event hub. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the consumer group." - } - }, - "userMetadata": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. User Metadata is a placeholder to store user-defined string data with maximum length 1024. e.g. it can be used to store descriptive data, such as list of teams and their contact information also user-defined configuration settings can be stored." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.EventHub/namespaces/eventhubs/consumergroups", - "apiVersion": "2022-10-01-preview", - "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('eventHubName'), parameters('name'))]", - "properties": { - "userMetadata": "[if(not(empty(parameters('userMetadata'))), parameters('userMetadata'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the consumer group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the consumer group." - }, - "value": "[resourceId('Microsoft.EventHub/namespaces/eventhubs/consumergroups', parameters('namespaceName'), parameters('eventHubName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the consumer group was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/event-hub/namespace/eventhub/consumergroup/version.json b/modules/event-hub/namespace/eventhub/consumergroup/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/event-hub/namespace/eventhub/consumergroup/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/event-hub/namespace/eventhub/main.bicep b/modules/event-hub/namespace/eventhub/main.bicep
deleted file mode 100644
index 1a7b842fb7..0000000000
--- a/modules/event-hub/namespace/eventhub/main.bicep
+++ /dev/null
@@ -1,269 +0,0 @@
-metadata name = 'Event Hub Namespace Event Hubs'
-metadata description = 'This module deploys an Event Hub Namespace Event Hub.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent event hub namespace. Required if the template is used in a standalone deployment.')
-param namespaceName string
-
-@description('Required. The name of the event hub.')
-param name string
-
-@description('Optional. Authorization Rules for the event hub.')
-param authorizationRules array = [
- {
- name: 'RootManageSharedAccessKey'
- rights: [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- }
-]
-
-@description('Optional. Number of days to retain the events for this Event Hub, value should be 1 to 7 days. Will be automatically set to infinite retention if cleanup policy is set to "Compact".')
-@minValue(1)
-@maxValue(7)
-param messageRetentionInDays int = 1
-
-@description('Optional. Number of partitions created for the Event Hub, allowed values are from 1 to 32 partitions.')
-@minValue(1)
-@maxValue(32)
-param partitionCount int = 2
-
-@description('Optional. Enumerates the possible values for the status of the Event Hub.')
-@allowed([
- 'Active'
- 'Creating'
- 'Deleting'
- 'Disabled'
- 'ReceiveDisabled'
- 'Renaming'
- 'Restoring'
- 'SendDisabled'
- 'Unknown'
-])
-param status string = 'Active'
-
-@description('Optional. The consumer groups to create in this event hub instance.')
-param consumergroups array = [
- {
- name: '$Default'
- }
-]
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Name for capture destination.')
-param captureDescriptionDestinationName string = 'EventHubArchive.AzureBlockBlob'
-
-@description('Optional. Blob naming convention for archive, e.g. {Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}. Here all the parameters (Namespace,EventHub .. etc) are mandatory irrespective of order.')
-param captureDescriptionDestinationArchiveNameFormat string = '{Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}'
-
-@description('Optional. Blob container Name.')
-param captureDescriptionDestinationBlobContainer string = ''
-
-@description('Optional. Resource ID of the storage account to be used to create the blobs.')
-param captureDescriptionDestinationStorageAccountResourceId string = ''
-
-@description('Optional. A value that indicates whether capture description is enabled.')
-param captureDescriptionEnabled bool = false
-
-@description('Optional. Enumerates the possible values for the encoding format of capture description. Note: "AvroDeflate" will be deprecated in New API Version.')
-@allowed([
- 'Avro'
- 'AvroDeflate'
-])
-param captureDescriptionEncoding string = 'Avro'
-
-@description('Optional. The time window allows you to set the frequency with which the capture to Azure Blobs will happen.')
-@minValue(60)
-@maxValue(900)
-param captureDescriptionIntervalInSeconds int = 300
-
-@description('Optional. The size window defines the amount of data built up in your Event Hub before an capture operation.')
-@minValue(10485760)
-@maxValue(524288000)
-param captureDescriptionSizeLimitInBytes int = 314572800
-
-@description('Optional. A value that indicates whether to Skip Empty Archives.')
-param captureDescriptionSkipEmptyArchives bool = false
-
-@allowed([
- 'Compact'
- 'Delete'
-])
-@description('Optional. Retention cleanup policy. Enumerates the possible values for cleanup policy.')
-param retentionDescriptionCleanupPolicy string = 'Delete'
-
-@minValue(1)
-@maxValue(168)
-@description('Optional. Retention time in hours. Number of hours to retain the events for this Event Hub. This value is only used when cleanupPolicy is Delete. If cleanupPolicy is Compact the returned value of this property is Long.MaxValue.')
-param retentionDescriptionRetentionTimeInHours int = 1
-
-@minValue(1)
-@maxValue(168)
-@description('Optional. Retention cleanup policy. Number of hours to retain the tombstone markers of a compacted Event Hub. This value is only used when cleanupPolicy is Compact. Consumer must complete reading the tombstone marker within this specified amount of time if consumer begins from starting offset to ensure they get a valid snapshot for the specific key described by the tombstone marker within the compacted Event Hub.')
-param retentionDescriptionTombstoneRetentionTimeInHours int = 1
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-var eventHubProperties = {
- messageRetentionInDays: messageRetentionInDays
- partitionCount: partitionCount
- status: status
- retentionDescription: {
- cleanupPolicy: retentionDescriptionCleanupPolicy
- retentionTimeInHours: retentionDescriptionCleanupPolicy == 'Delete' ? retentionDescriptionRetentionTimeInHours : null
- tombstoneRetentionTimeInHours: retentionDescriptionCleanupPolicy == 'Compact' ? retentionDescriptionTombstoneRetentionTimeInHours : null
- }
-}
-
-var eventHubPropertiesCapture = {
- captureDescription: {
- destination: {
- name: captureDescriptionDestinationName
- properties: {
- archiveNameFormat: captureDescriptionDestinationArchiveNameFormat
- blobContainer: captureDescriptionDestinationBlobContainer
- storageAccountResourceId: captureDescriptionDestinationStorageAccountResourceId
- }
- }
- enabled: captureDescriptionEnabled
- encoding: captureDescriptionEncoding
- intervalInSeconds: captureDescriptionIntervalInSeconds
- sizeLimitInBytes: captureDescriptionSizeLimitInBytes
- skipEmptyArchives: captureDescriptionSkipEmptyArchives
- }
-}
-
-var builtInRoleNames = {
- 'Azure Event Hubs Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f526a384-b230-433a-b45c-95f59c4a2dec')
- 'Azure Event Hubs Data Receiver': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')
- 'Azure Event Hubs Data Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2b629674-e913-4c01-ae53-ef4638d8f975')
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource namespace 'Microsoft.EventHub/namespaces@2022-10-01-preview' existing = {
- name: namespaceName
-}
-
-resource eventHub 'Microsoft.EventHub/namespaces/eventhubs@2022-10-01-preview' = {
- name: name
- parent: namespace
- properties: captureDescriptionEnabled ? union(eventHubProperties, eventHubPropertiesCapture) : eventHubProperties
-}
-
-resource eventHub_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: eventHub
-}
-
-module eventHub_consumergroups 'consumergroup/main.bicep' = [for (consumerGroup, index) in consumergroups: {
- name: '${deployment().name}-ConsumerGroup-${index}'
- params: {
- namespaceName: namespaceName
- eventHubName: eventHub.name
- name: consumerGroup.name
- userMetadata: contains(consumerGroup, 'userMetadata') ? consumerGroup.userMetadata : ''
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module eventHub_authorizationRules 'authorization-rule/main.bicep' = [for (authorizationRule, index) in authorizationRules: {
- name: '${deployment().name}-AuthRule-${index}'
- params: {
- namespaceName: namespaceName
- eventHubName: eventHub.name
- name: authorizationRule.name
- rights: contains(authorizationRule, 'rights') ? authorizationRule.rights : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-resource eventHub_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(eventHub.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: eventHub
-}]
-
-@description('The name of the event hub.')
-output name string = eventHub.name
-
-@description('The resource ID of the event hub.')
-output eventHubId string = eventHub.id
-
-@description('The resource group the event hub was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The authentication rule resource ID of the event hub.')
-output resourceId string = az.resourceId('Microsoft.EventHub/namespaces/authorizationRules', namespaceName, 'RootManageSharedAccessKey')
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/event-hub/namespace/eventhub/main.json b/modules/event-hub/namespace/eventhub/main.json
deleted file mode 100644
index fe75c77b08..0000000000
--- a/modules/event-hub/namespace/eventhub/main.json
+++ /dev/null
@@ -1,702 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "3029831252290713160" - }, - "name": "Event Hub Namespace Event Hubs", - "description": "This module deploys an Event Hub Namespace Event Hub.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "namespaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent event hub namespace. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the event hub." - } - }, - "authorizationRules": { - "type": "array", - "defaultValue": [ - { - "name": "RootManageSharedAccessKey", - "rights": [ - "Listen", - "Manage", - "Send" - ] - } - ], - "metadata": { - "description": "Optional. Authorization Rules for the event hub." - } - }, - "messageRetentionInDays": { - "type": "int", - "defaultValue": 1, - "minValue": 1, - "maxValue": 7, - "metadata": { - "description": "Optional. Number of days to retain the events for this Event Hub, value should be 1 to 7 days. Will be automatically set to infinite retention if cleanup policy is set to \"Compact\"." - } - }, - "partitionCount": { - "type": "int", - "defaultValue": 2, - "minValue": 1, - "maxValue": 32, - "metadata": { - "description": "Optional. Number of partitions created for the Event Hub, allowed values are from 1 to 32 partitions." 
- } - }, - "status": { - "type": "string", - "defaultValue": "Active", - "allowedValues": [ - "Active", - "Creating", - "Deleting", - "Disabled", - "ReceiveDisabled", - "Renaming", - "Restoring", - "SendDisabled", - "Unknown" - ], - "metadata": { - "description": "Optional. Enumerates the possible values for the status of the Event Hub." - } - }, - "consumergroups": { - "type": "array", - "defaultValue": [ - { - "name": "$Default" - } - ], - "metadata": { - "description": "Optional. The consumer groups to create in this event hub instance." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "captureDescriptionDestinationName": { - "type": "string", - "defaultValue": "EventHubArchive.AzureBlockBlob", - "metadata": { - "description": "Optional. Name for capture destination." - } - }, - "captureDescriptionDestinationArchiveNameFormat": { - "type": "string", - "defaultValue": "{Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}", - "metadata": { - "description": "Optional. Blob naming convention for archive, e.g. {Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}. Here all the parameters (Namespace,EventHub .. etc) are mandatory irrespective of order." - } - }, - "captureDescriptionDestinationBlobContainer": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Blob container Name." - } - }, - "captureDescriptionDestinationStorageAccountResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the storage account to be used to create the blobs." 
- } - }, - "captureDescriptionEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. A value that indicates whether capture description is enabled." - } - }, - "captureDescriptionEncoding": { - "type": "string", - "defaultValue": "Avro", - "allowedValues": [ - "Avro", - "AvroDeflate" - ], - "metadata": { - "description": "Optional. Enumerates the possible values for the encoding format of capture description. Note: \"AvroDeflate\" will be deprecated in New API Version." - } - }, - "captureDescriptionIntervalInSeconds": { - "type": "int", - "defaultValue": 300, - "minValue": 60, - "maxValue": 900, - "metadata": { - "description": "Optional. The time window allows you to set the frequency with which the capture to Azure Blobs will happen." - } - }, - "captureDescriptionSizeLimitInBytes": { - "type": "int", - "defaultValue": 314572800, - "minValue": 10485760, - "maxValue": 524288000, - "metadata": { - "description": "Optional. The size window defines the amount of data built up in your Event Hub before an capture operation." - } - }, - "captureDescriptionSkipEmptyArchives": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. A value that indicates whether to Skip Empty Archives." - } - }, - "retentionDescriptionCleanupPolicy": { - "type": "string", - "defaultValue": "Delete", - "allowedValues": [ - "Compact", - "Delete" - ], - "metadata": { - "description": "Optional. Retention cleanup policy. Enumerates the possible values for cleanup policy." - } - }, - "retentionDescriptionRetentionTimeInHours": { - "type": "int", - "defaultValue": 1, - "minValue": 1, - "maxValue": 168, - "metadata": { - "description": "Optional. Retention time in hours. Number of hours to retain the events for this Event Hub. This value is only used when cleanupPolicy is Delete. If cleanupPolicy is Compact the returned value of this property is Long.MaxValue." 
- } - }, - "retentionDescriptionTombstoneRetentionTimeInHours": { - "type": "int", - "defaultValue": 1, - "minValue": 1, - "maxValue": 168, - "metadata": { - "description": "Optional. Retention cleanup policy. Number of hours to retain the tombstone markers of a compacted Event Hub. This value is only used when cleanupPolicy is Compact. Consumer must complete reading the tombstone marker within this specified amount of time if consumer begins from starting offset to ensure they get a valid snapshot for the specific key described by the tombstone marker within the compacted Event Hub." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "eventHubProperties": { - "messageRetentionInDays": "[parameters('messageRetentionInDays')]", - "partitionCount": "[parameters('partitionCount')]", - "status": "[parameters('status')]", - "retentionDescription": { - "cleanupPolicy": "[parameters('retentionDescriptionCleanupPolicy')]", - "retentionTimeInHours": "[if(equals(parameters('retentionDescriptionCleanupPolicy'), 'Delete'), parameters('retentionDescriptionRetentionTimeInHours'), null())]", - "tombstoneRetentionTimeInHours": "[if(equals(parameters('retentionDescriptionCleanupPolicy'), 'Compact'), parameters('retentionDescriptionTombstoneRetentionTimeInHours'), null())]" - } - }, - "eventHubPropertiesCapture": { - "captureDescription": { - "destination": { - "name": "[parameters('captureDescriptionDestinationName')]", - "properties": { - "archiveNameFormat": "[parameters('captureDescriptionDestinationArchiveNameFormat')]", - "blobContainer": "[parameters('captureDescriptionDestinationBlobContainer')]", - "storageAccountResourceId": "[parameters('captureDescriptionDestinationStorageAccountResourceId')]" - } - }, - "enabled": "[parameters('captureDescriptionEnabled')]", - 
"encoding": "[parameters('captureDescriptionEncoding')]", - "intervalInSeconds": "[parameters('captureDescriptionIntervalInSeconds')]", - "sizeLimitInBytes": "[parameters('captureDescriptionSizeLimitInBytes')]", - "skipEmptyArchives": "[parameters('captureDescriptionSkipEmptyArchives')]" - } - }, - "builtInRoleNames": { - "Azure Event Hubs Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", - "Azure Event Hubs Data Receiver": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", - "Azure Event Hubs Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2b629674-e913-4c01-ae53-ef4638d8f975')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "namespace": { - "existing": true, - "type": 
"Microsoft.EventHub/namespaces", - "apiVersion": "2022-10-01-preview", - "name": "[parameters('namespaceName')]" - }, - "eventHub": { - "type": "Microsoft.EventHub/namespaces/eventhubs", - "apiVersion": "2022-10-01-preview", - "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", - "properties": "[if(parameters('captureDescriptionEnabled'), union(variables('eventHubProperties'), variables('eventHubPropertiesCapture')), variables('eventHubProperties'))]", - "dependsOn": [ - "namespace" - ] - }, - "eventHub_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.EventHub/namespaces/{0}/eventhubs/{1}', parameters('namespaceName'), parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "eventHub" - ] - }, - "eventHub_roleAssignments": { - "copy": { - "name": "eventHub_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.EventHub/namespaces/{0}/eventhubs/{1}', parameters('namespaceName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": 
"[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "eventHub" - ] - }, - "eventHub_consumergroups": { - "copy": { - "name": "eventHub_consumergroups", - "count": "[length(parameters('consumergroups'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-ConsumerGroup-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - 
"namespaceName": { - "value": "[parameters('namespaceName')]" - }, - "eventHubName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('consumergroups')[copyIndex()].name]" - }, - "userMetadata": "[if(contains(parameters('consumergroups')[copyIndex()], 'userMetadata'), createObject('value', parameters('consumergroups')[copyIndex()].userMetadata), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "1238713274798294217" - }, - "name": "Event Hub Namespace Event Hub Consumer Groups", - "description": "This module deploys an Event Hub Namespace Event Hub Consumer Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "namespaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent event hub namespace. Required if the template is used in a standalone deployment.s." - } - }, - "eventHubName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent event hub namespace event hub. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the consumer group." - } - }, - "userMetadata": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. User Metadata is a placeholder to store user-defined string data with maximum length 1024. e.g. it can be used to store descriptive data, such as list of teams and their contact information also user-defined configuration settings can be stored." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. 
Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.EventHub/namespaces/eventhubs/consumergroups", - "apiVersion": "2022-10-01-preview", - "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('eventHubName'), parameters('name'))]", - "properties": { - "userMetadata": "[if(not(empty(parameters('userMetadata'))), parameters('userMetadata'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the consumer group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the consumer group." - }, - "value": "[resourceId('Microsoft.EventHub/namespaces/eventhubs/consumergroups', parameters('namespaceName'), parameters('eventHubName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the consumer group was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "eventHub" - ] - }, - "eventHub_authorizationRules": { - "copy": { - "name": "eventHub_authorizationRules", - "count": "[length(parameters('authorizationRules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AuthRule-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "namespaceName": { - "value": "[parameters('namespaceName')]" - }, - "eventHubName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('authorizationRules')[copyIndex()].name]" - }, - "rights": "[if(contains(parameters('authorizationRules')[copyIndex()], 'rights'), createObject('value', parameters('authorizationRules')[copyIndex()].rights), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "14602222687176746114" - }, - "name": "Event Hub Namespace Event Hub Authorization Rules", - "description": "This module deploys an Event Hub Namespace Event Hub Authorization Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "namespaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent event hub namespace. Required if the template is used in a standalone deployment." - } - }, - "eventHubName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent event hub namespace event hub. Required if the template is used in a standalone deployment." 
- } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the authorization rule." - } - }, - "rights": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "Listen", - "Manage", - "Send" - ], - "metadata": { - "description": "Optional. The rights associated with the rule." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.EventHub/namespaces/eventhubs/authorizationRules", - "apiVersion": "2022-10-01-preview", - "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('eventHubName'), parameters('name'))]", - "properties": { - "rights": "[parameters('rights')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the authorization rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the authorization rule." - }, - "value": "[resourceId('Microsoft.EventHub/namespaces/eventhubs/authorizationRules', parameters('namespaceName'), parameters('eventHubName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the authorization rule was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "eventHub" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the event hub." - }, - "value": "[parameters('name')]" - }, - "eventHubId": { - "type": "string", - "metadata": { - "description": "The resource ID of the event hub." - }, - "value": "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('namespaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the event hub was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The authentication rule resource ID of the event hub." - }, - "value": "[resourceId('Microsoft.EventHub/namespaces/authorizationRules', parameters('namespaceName'), 'RootManageSharedAccessKey')]" - } - } -} \ No newline at end of file diff --git a/modules/event-hub/namespace/eventhub/version.json b/modules/event-hub/namespace/eventhub/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/event-hub/namespace/eventhub/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/event-hub/namespace/main.bicep b/modules/event-hub/namespace/main.bicep deleted file mode 100644 index 96924140f6..0000000000 --- a/modules/event-hub/namespace/main.bicep +++ /dev/null 
@@ -1,509 +0,0 @@
-metadata name = 'Event Hub Namespaces'
-metadata description = 'This module deploys an Event Hub Namespace.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the event hub namespace.')
-@maxLength(50)
-param name string
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. event hub plan SKU name.')
-@allowed([
- 'Basic'
- 'Standard'
- 'Premium'
-])
-param skuName string = 'Standard'
-
-@description('Optional. The Event Hub\'s throughput units for Basic or Standard tiers, where value should be 0 to 20 throughput units. The Event Hubs premium units for Premium tier, where value should be 0 to 10 premium units.')
-@minValue(1)
-@maxValue(20)
-param skuCapacity int = 1
-
-@description('Optional. Switch to make the Event Hub Namespace zone redundant.')
-param zoneRedundant bool = false
-
-@description('Optional. Switch to enable the Auto Inflate feature of Event Hub. Auto Inflate is not supported in Premium SKU EventHub.')
-param isAutoInflateEnabled bool = false
-
-@description('Optional. Upper limit of throughput units when AutoInflate is enabled, value should be within 0 to 20 throughput units.')
-@minValue(0)
-@maxValue(20)
-param maximumThroughputUnits int = 1
-
-@description('Optional. Authorization Rules for the Event Hub namespace.')
-param authorizationRules array = [
- {
- name: 'RootManageSharedAccessKey'
- rights: [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- }
-]
-
-@description('Optional. This property disables SAS authentication for the Event Hubs namespace.')
-param disableLocalAuth bool = true
-
-@description('Optional. Value that indicates whether Kafka is enabled for Event Hubs Namespace.')
-param kafkaEnabled bool = false
-
-@allowed([
- '1.0'
- '1.1'
- '1.2'
-])
-@description('Optional. The minimum TLS version for the cluster to support.')
-param minimumTlsVersion string = '1.2'
-
-@description('Optional.
Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.')
-@allowed([
- ''
- 'Disabled'
- 'Enabled'
- 'SecuredByPerimeter'
-])
-param publicNetworkAccess string = ''
-
-@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints privateEndpointType
-
-@description('Optional. Configure networking options. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace.')
-param networkRuleSets object = {}
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
-
-@description('Optional. The customer managed key definition.')
-param customerManagedKey customerManagedKeyType
-
-@description('Optional. Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters.')
-param requireInfrastructureEncryption bool = false
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. The event hubs to deploy into this namespace.')
-param eventhubs array = []
-
-@description('Optional.
The disaster recovery config for this namespace.')
-param disasterRecoveryConfig object = {}
-
-var maximumThroughputUnitsVar = !isAutoInflateEnabled ? 0 : maximumThroughputUnits
-
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-
-var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
- userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
-} : null
-
-var enableReferencedModulesTelemetry = false
-
-var builtInRoleNames = {
- 'Azure Event Hubs Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f526a384-b230-433a-b45c-95f59c4a2dec')
- 'Azure Event Hubs Data Receiver': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')
- 'Azure Event Hubs Data Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2b629674-e913-4c01-ae53-ef4638d8f975')
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource
cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) {
- name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/'))
- scope: resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4])
-
- resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) {
- name: customerManagedKey.?keyName ?? 'dummyKey'
- }
-}
-
-resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) {
- name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 'dummyMsi', '/'))
- scope: resourceGroup(split((customerManagedKey.?userAssignedIdentityResourceId ?? '//'), '/')[2], split((customerManagedKey.?userAssignedIdentityResourceId ?? '////'), '/')[4])
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource eventHubNamespace 'Microsoft.EventHub/namespaces@2022-10-01-preview' = {
- name: name
- location: location
- tags: tags
- identity: identity
- sku: {
- name: skuName
- tier: skuName
- capacity: skuCapacity
- }
- properties: {
- disableLocalAuth: disableLocalAuth
- encryption: !empty(customerManagedKey) ? {
- keySource: 'Microsoft.KeyVault'
- keyVaultProperties: [
- {
- identity: !empty(customerManagedKey.?userAssignedIdentityResourceId) ?
{
- userAssignedIdentity: cMKUserAssignedIdentity.id
- } : null
- keyName: customerManagedKey!.keyName
- keyVaultUri: cMKKeyVault.properties.vaultUri
- keyVersion: !empty(customerManagedKey.?keyVersion ?? '') ? customerManagedKey!.keyVersion : last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/'))
- }
- ]
- requireInfrastructureEncryption: requireInfrastructureEncryption
- } : null
- isAutoInflateEnabled: isAutoInflateEnabled
- kafkaEnabled: kafkaEnabled
- maximumThroughputUnits: maximumThroughputUnitsVar
- minimumTlsVersion: minimumTlsVersion
- publicNetworkAccess: contains(networkRuleSets, 'publicNetworkAccess') ? networkRuleSets.publicNetworkAccess : (!empty(privateEndpoints) && empty(networkRuleSets) ? 'Disabled' : publicNetworkAccess)
- zoneRedundant: zoneRedundant
- }
-}
-
-module eventHubNamespace_authorizationRules 'authorization-rule/main.bicep' = [for (authorizationRule, index) in authorizationRules: {
- name: '${uniqueString(deployment().name, location)}-EvhbNamespace-AuthRule-${index}'
- params: {
- namespaceName: eventHubNamespace.name
- name: authorizationRule.name
- rights: contains(authorizationRule, 'rights') ? authorizationRule.rights : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module eventHubNamespace_disasterRecoveryConfig 'disaster-recovery-config/main.bicep' = if (!empty(disasterRecoveryConfig)) {
- name: '${uniqueString(deployment().name, location)}-EvhbNamespace-DisRecConfig'
- params: {
- namespaceName: eventHubNamespace.name
- name: disasterRecoveryConfig.name
- partnerNamespaceId: contains(disasterRecoveryConfig, 'partnerNamespaceId') ?
disasterRecoveryConfig.partnerNamespaceId : ''
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module eventHubNamespace_eventhubs 'eventhub/main.bicep' = [for (eventHub, index) in eventhubs: {
- name: '${uniqueString(deployment().name, location)}-EvhbNamespace-EventHub-${index}'
- params: {
- namespaceName: eventHubNamespace.name
- name: eventHub.name
- authorizationRules: contains(eventHub, 'authorizationRules') ? eventHub.authorizationRules : [
- {
- name: 'RootManageSharedAccessKey'
- rights: [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- }
- ]
- captureDescriptionDestinationArchiveNameFormat: contains(eventHub, 'captureDescriptionDestinationArchiveNameFormat') ? eventHub.captureDescriptionDestinationArchiveNameFormat : '{Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}'
- captureDescriptionDestinationBlobContainer: contains(eventHub, 'captureDescriptionDestinationBlobContainer') ? eventHub.captureDescriptionDestinationBlobContainer : ''
- captureDescriptionDestinationName: contains(eventHub, 'captureDescriptionDestinationName') ? eventHub.captureDescriptionDestinationName : 'EventHubArchive.AzureBlockBlob'
- captureDescriptionDestinationStorageAccountResourceId: contains(eventHub, 'captureDescriptionDestinationStorageAccountResourceId') ? eventHub.captureDescriptionDestinationStorageAccountResourceId : ''
- captureDescriptionEnabled: contains(eventHub, 'captureDescriptionEnabled') ? eventHub.captureDescriptionEnabled : false
- captureDescriptionEncoding: contains(eventHub, 'captureDescriptionEncoding') ? eventHub.captureDescriptionEncoding : 'Avro'
- captureDescriptionIntervalInSeconds: contains(eventHub, 'captureDescriptionIntervalInSeconds') ? eventHub.captureDescriptionIntervalInSeconds : 300
- captureDescriptionSizeLimitInBytes: contains(eventHub, 'captureDescriptionSizeLimitInBytes') ?
eventHub.captureDescriptionSizeLimitInBytes : 314572800
- captureDescriptionSkipEmptyArchives: contains(eventHub, 'captureDescriptionSkipEmptyArchives') ? eventHub.captureDescriptionSkipEmptyArchives : false
- consumergroups: contains(eventHub, 'consumergroups') ? eventHub.consumergroups : []
- lock: eventHub.?lock ?? lock
- messageRetentionInDays: contains(eventHub, 'messageRetentionInDays') ? eventHub.messageRetentionInDays : 1
- partitionCount: contains(eventHub, 'partitionCount') ? eventHub.partitionCount : 2
- roleAssignments: contains(eventHub, 'roleAssignments') ? eventHub.roleAssignments : []
- status: contains(eventHub, 'status') ? eventHub.status : 'Active'
- retentionDescriptionCleanupPolicy: contains(eventHub, 'retentionDescriptionCleanupPolicy') ? eventHub.retentionDescriptionCleanupPolicy : 'Delete'
- retentionDescriptionRetentionTimeInHours: contains(eventHub, 'retentionDescriptionRetentionTimeInHours') ? eventHub.retentionDescriptionRetentionTimeInHours : 1
- retentionDescriptionTombstoneRetentionTimeInHours: contains(eventHub, 'retentionDescriptionTombstoneRetentionTimeInHours') ? eventHub.retentionDescriptionTombstoneRetentionTimeInHours : 1
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module eventHubNamespace_networkRuleSet 'network-rule-set/main.bicep' = if (!empty(networkRuleSets) || !empty(privateEndpoints)) {
- name: '${uniqueString(deployment().name, location)}-EvhbNamespace-NetworkRuleSet'
- params: {
- namespaceName: eventHubNamespace.name
- publicNetworkAccess: contains(networkRuleSets, 'publicNetworkAccess') ? networkRuleSets.publicNetworkAccess : (!empty(privateEndpoints) && empty(networkRuleSets) ? 'Disabled' : 'Enabled')
- defaultAction: contains(networkRuleSets, 'defaultAction') ? networkRuleSets.defaultAction : 'Allow'
- trustedServiceAccessEnabled: networkRuleSets.?trustedServiceAccessEnabled
- ipRules: contains(networkRuleSets, 'ipRules') ?
networkRuleSets.ipRules : []
- virtualNetworkRules: contains(networkRuleSets, 'virtualNetworkRules') ? networkRuleSets.virtualNetworkRules : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module eventHubNamespace_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
- name: '${uniqueString(deployment().name, location)}-eventHubNamespace-PrivateEndpoint-${index}'
- params: {
- groupIds: [
- privateEndpoint.?service ?? 'namespace'
- ]
- name: privateEndpoint.?name ?? 'pep-${last(split(eventHubNamespace.id, '/'))}-${privateEndpoint.?service ?? 'namespace'}-${index}'
- serviceResourceId: eventHubNamespace.id
- subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
- location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
- privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
- roleAssignments: privateEndpoint.?roleAssignments
- tags: privateEndpoint.?tags ?? tags
- manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
- customDnsConfigs: privateEndpoint.?customDnsConfigs
- ipConfigurations: privateEndpoint.?ipConfigurations
- applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
- customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
- }
-}]
-
-resource eventHubNamespace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ??
[]): {
- name: guid(eventHubNamespace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: eventHubNamespace
-}]
-
-resource eventHubNamespace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: eventHubNamespace
-}
-
-resource eventHubNamespace_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ??
[
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: eventHubNamespace
-}]
-
-@description('The name of the eventspace.')
-output name string = eventHubNamespace.name
-
-@description('The resource ID of the eventspace.')
-output resourceId string = eventHubNamespace.id
-
-@description('The resource group where the namespace is deployed.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The principal ID of the system assigned identity.')
-output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(eventHubNamespace.identity, 'principalId') ? eventHubNamespace.identity.principalId : ''
-
-@description('The location the resource was deployed into.')
-output location string = eventHubNamespace.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]?
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required.
The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type privateEndpointType = {
- @description('Optional. The name of the private endpoint.')
- name: string?
-
- @description('Optional. The location to deploy the private endpoint to.')
- location: string?
-
- @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
- service: string?
-
- @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
- subnetResourceId: string
-
- @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
- privateDnsZoneGroupName: string?
-
- @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
- privateDnsZoneResourceIds: string[]?
-
- @description('Optional. Custom DNS configurations.')
- customDnsConfigs: {
- @description('Required. Fqdn that resolves to private endpoint ip address.')
- fqdn: string?
-
- @description('Required. A list of private ip addresses of the private endpoint.')
- ipAddresses: string[]
- }[]?
-
- @description('Optional.
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
- ipConfigurations: {
- @description('Required. The name of the resource that is unique within a resource group.')
- name: string
-
- @description('Required. Properties of private endpoint IP configurations.')
- properties: {
- @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
- groupId: string
-
- @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
- memberName: string
-
- @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
- privateIPAddress: string
- }
- }[]?
-
- @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
- applicationSecurityGroupResourceIds: string[]?
-
- @description('Optional. The custom name of the network interface attached to the private endpoint.')
- customNetworkInterfaceName: string?
-
- @description('Optional. Specify the type of lock.')
- lock: lockType
-
- @description('Optional. Array of role assignments to create.')
- roleAssignments: roleAssignmentType
-
- @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
- tags: object?
-
- @description('Optional. Manual PrivateLink Service Connections.')
- manualPrivateLinkServiceConnections: array?
-
- @description('Optional. Enable/Disable usage telemetry for module.')
- enableTelemetry: bool?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional.
Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
-
-type customerManagedKeyType = {
- @description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.')
- keyVaultResourceId: string
-
- @description('Required. The name of the customer managed key to use for encryption.')
- keyName: string
-
- @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.')
- keyVersion: string?
-
- @description('Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use.')
- userAssignedIdentityResourceId: string?
-}?
diff --git a/modules/event-hub/namespace/main.json b/modules/event-hub/namespace/main.json
deleted file mode 100644
index 9d00a5e788..0000000000
--- a/modules/event-hub/namespace/main.json
+++ /dev/null
@@ -1,2595 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "16520792819194375091" - }, - "name": "Event Hub Namespaces", - "description": "This module deploys an Event Hub Namespace.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." 
- } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. 
Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - }, - "customerManagedKeyType": { - "type": "object", - "properties": { - "keyVaultResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." - } - }, - "keyName": { - "type": "string", - "metadata": { - "description": "Required. The name of the customer managed key to use for encryption." - } - }, - "keyVersion": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." - } - }, - "userAssignedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use." 
- } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 50, - "metadata": { - "description": "Required. The name of the event hub namespace." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "skuName": { - "type": "string", - "defaultValue": "Standard", - "allowedValues": [ - "Basic", - "Standard", - "Premium" - ], - "metadata": { - "description": "Optional. event hub plan SKU name." - } - }, - "skuCapacity": { - "type": "int", - "defaultValue": 1, - "minValue": 1, - "maxValue": 20, - "metadata": { - "description": "Optional. The Event Hub's throughput units for Basic or Standard tiers, where value should be 0 to 20 throughput units. The Event Hubs premium units for Premium tier, where value should be 0 to 10 premium units." - } - }, - "zoneRedundant": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Switch to make the Event Hub Namespace zone redundant." - } - }, - "isAutoInflateEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Switch to enable the Auto Inflate feature of Event Hub. Auto Inflate is not supported in Premium SKU EventHub." - } - }, - "maximumThroughputUnits": { - "type": "int", - "defaultValue": 1, - "minValue": 0, - "maxValue": 20, - "metadata": { - "description": "Optional. Upper limit of throughput units when AutoInflate is enabled, value should be within 0 to 20 throughput units." - } - }, - "authorizationRules": { - "type": "array", - "defaultValue": [ - { - "name": "RootManageSharedAccessKey", - "rights": [ - "Listen", - "Manage", - "Send" - ] - } - ], - "metadata": { - "description": "Optional. Authorization Rules for the Event Hub namespace." - } - }, - "disableLocalAuth": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. 
This property disables SAS authentication for the Event Hubs namespace." - } - }, - "kafkaEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Value that indicates whether Kafka is enabled for Event Hubs Namespace." - } - }, - "minimumTlsVersion": { - "type": "string", - "defaultValue": "1.2", - "allowedValues": [ - "1.0", - "1.1", - "1.2" - ], - "metadata": { - "description": "Optional. The minimum TLS version for the cluster to support." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Disabled", - "Enabled", - "SecuredByPerimeter" - ], - "metadata": { - "description": "Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." - } - }, - "networkRuleSets": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Configure networking options. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." 
- } - }, - "customerManagedKey": { - "$ref": "#/definitions/customerManagedKeyType", - "metadata": { - "description": "Optional. The customer managed key definition." - } - }, - "requireInfrastructureEncryption": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "eventhubs": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The event hubs to deploy into this namespace." - } - }, - "disasterRecoveryConfig": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The disaster recovery config for this namespace." 
- } - } - }, - "variables": { - "maximumThroughputUnitsVar": "[if(not(parameters('isAutoInflateEnabled')), 0, parameters('maximumThroughputUnits'))]", - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Azure Event Hubs Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", - "Azure Event Hubs Data Receiver": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", - "Azure Event Hubs Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2b629674-e913-4c01-ae53-ef4638d8f975')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control 
Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "cMKKeyVault::cMKKey": { - "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults/keys", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", - "dependsOn": [ - "cMKKeyVault" - ] - }, - "cMKKeyVault": { - "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" - }, - "cMKUserAssignedIdentity": { - "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')))]", - "existing": true, - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2023-01-31", - 
"subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "eventHubNamespace": { - "type": "Microsoft.EventHub/namespaces", - "apiVersion": "2022-10-01-preview", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "sku": { - "name": "[parameters('skuName')]", - "tier": "[parameters('skuName')]", - "capacity": "[parameters('skuCapacity')]" - }, - "properties": { - "disableLocalAuth": "[parameters('disableLocalAuth')]", - "encryption": "[if(not(empty(parameters('customerManagedKey'))), createObject('keySource', 'Microsoft.KeyVault', 'keyVaultProperties', createArray(createObject('identity', if(not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'))), createObject('userAssignedIdentity', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]), 
'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/')))), null()), 'keyName', parameters('customerManagedKey').keyName, 'keyVaultUri', reference('cMKKeyVault').vaultUri, 'keyVersion', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), parameters('customerManagedKey').keyVersion, last(split(reference('cMKKeyVault::cMKKey').keyUriWithVersion, '/'))))), 'requireInfrastructureEncryption', parameters('requireInfrastructureEncryption')), null())]", - "isAutoInflateEnabled": "[parameters('isAutoInflateEnabled')]", - "kafkaEnabled": "[parameters('kafkaEnabled')]", - "maximumThroughputUnits": "[variables('maximumThroughputUnitsVar')]", - "minimumTlsVersion": "[parameters('minimumTlsVersion')]", - "publicNetworkAccess": "[if(contains(parameters('networkRuleSets'), 'publicNetworkAccess'), parameters('networkRuleSets').publicNetworkAccess, if(and(not(empty(parameters('privateEndpoints'))), empty(parameters('networkRuleSets'))), 'Disabled', parameters('publicNetworkAccess')))]", - "zoneRedundant": "[parameters('zoneRedundant')]" - }, - "dependsOn": [ - "cMKKeyVault", - "cMKUserAssignedIdentity" - ] - }, - "eventHubNamespace_roleAssignments": { - "copy": { - "name": "eventHubNamespace_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.EventHub/namespaces/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.EventHub/namespaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "eventHubNamespace" - ] - }, - "eventHubNamespace_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.EventHub/namespaces/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), 
'')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "eventHubNamespace" - ] - }, - "eventHubNamespace_diagnosticSettings": { - "copy": { - "name": "eventHubNamespace_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.EventHub/namespaces/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), 
createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "eventHubNamespace" - ] - }, - "eventHubNamespace_authorizationRules": { - "copy": { - "name": "eventHubNamespace_authorizationRules", - "count": "[length(parameters('authorizationRules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-EvhbNamespace-AuthRule-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "namespaceName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('authorizationRules')[copyIndex()].name]" - }, - "rights": "[if(contains(parameters('authorizationRules')[copyIndex()], 'rights'), createObject('value', parameters('authorizationRules')[copyIndex()].rights), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "3454130656900257881" - }, - "name": "Event Hub Namespace Authorization Rule", - "description": "This module deploys an Event Hub Namespace Authorization Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "namespaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent event hub namespace. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the authorization rule." - } - }, - "rights": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "Listen", - "Manage", - "Send" - ], - "metadata": { - "description": "Optional. 
The rights associated with the rule." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.EventHub/namespaces/authorizationRules", - "apiVersion": "2022-10-01-preview", - "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", - "properties": { - "rights": "[parameters('rights')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the authorization rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the authorization rule." - }, - "value": "[resourceId('Microsoft.EventHub/namespaces/authorizationRules', parameters('namespaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the authorization rule was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "eventHubNamespace" - ] - }, - "eventHubNamespace_disasterRecoveryConfig": { - "condition": "[not(empty(parameters('disasterRecoveryConfig')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-EvhbNamespace-DisRecConfig', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "namespaceName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('disasterRecoveryConfig').name]" - }, - "partnerNamespaceId": "[if(contains(parameters('disasterRecoveryConfig'), 'partnerNamespaceId'), createObject('value', parameters('disasterRecoveryConfig').partnerNamespaceId), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "16561098614039073875" - }, - "name": "Event Hub Namespace Disaster Recovery Configs", - "description": "This module deploys an Event Hub Namespace Disaster Recovery Config.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "namespaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent event hub namespace. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the disaster recovery config." - } - }, - "partnerNamespaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the Primary/Secondary event hub namespace name, which is part of GEO DR pairing." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.EventHub/namespaces/disasterRecoveryConfigs", - "apiVersion": "2022-10-01-preview", - "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", - "properties": { - "partnerNamespace": "[parameters('partnerNamespaceId')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the disaster recovery config." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the disaster recovery config." - }, - "value": "[resourceId('Microsoft.EventHub/namespaces/disasterRecoveryConfigs', parameters('namespaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the disaster recovery config was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "eventHubNamespace" - ] - }, - "eventHubNamespace_eventhubs": { - "copy": { - "name": "eventHubNamespace_eventhubs", - "count": "[length(parameters('eventhubs'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-EvhbNamespace-EventHub-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "namespaceName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('eventhubs')[copyIndex()].name]" - }, - "authorizationRules": "[if(contains(parameters('eventhubs')[copyIndex()], 'authorizationRules'), createObject('value', parameters('eventhubs')[copyIndex()].authorizationRules), createObject('value', createArray(createObject('name', 'RootManageSharedAccessKey', 'rights', createArray('Listen', 'Manage', 'Send')))))]", - "captureDescriptionDestinationArchiveNameFormat": "[if(contains(parameters('eventhubs')[copyIndex()], 'captureDescriptionDestinationArchiveNameFormat'), createObject('value', parameters('eventhubs')[copyIndex()].captureDescriptionDestinationArchiveNameFormat), createObject('value', '{Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}'))]", - "captureDescriptionDestinationBlobContainer": "[if(contains(parameters('eventhubs')[copyIndex()], 'captureDescriptionDestinationBlobContainer'), createObject('value', parameters('eventhubs')[copyIndex()].captureDescriptionDestinationBlobContainer), createObject('value', ''))]", - "captureDescriptionDestinationName": "[if(contains(parameters('eventhubs')[copyIndex()], 'captureDescriptionDestinationName'), createObject('value', parameters('eventhubs')[copyIndex()].captureDescriptionDestinationName), createObject('value', 'EventHubArchive.AzureBlockBlob'))]", - 
"captureDescriptionDestinationStorageAccountResourceId": "[if(contains(parameters('eventhubs')[copyIndex()], 'captureDescriptionDestinationStorageAccountResourceId'), createObject('value', parameters('eventhubs')[copyIndex()].captureDescriptionDestinationStorageAccountResourceId), createObject('value', ''))]", - "captureDescriptionEnabled": "[if(contains(parameters('eventhubs')[copyIndex()], 'captureDescriptionEnabled'), createObject('value', parameters('eventhubs')[copyIndex()].captureDescriptionEnabled), createObject('value', false()))]", - "captureDescriptionEncoding": "[if(contains(parameters('eventhubs')[copyIndex()], 'captureDescriptionEncoding'), createObject('value', parameters('eventhubs')[copyIndex()].captureDescriptionEncoding), createObject('value', 'Avro'))]", - "captureDescriptionIntervalInSeconds": "[if(contains(parameters('eventhubs')[copyIndex()], 'captureDescriptionIntervalInSeconds'), createObject('value', parameters('eventhubs')[copyIndex()].captureDescriptionIntervalInSeconds), createObject('value', 300))]", - "captureDescriptionSizeLimitInBytes": "[if(contains(parameters('eventhubs')[copyIndex()], 'captureDescriptionSizeLimitInBytes'), createObject('value', parameters('eventhubs')[copyIndex()].captureDescriptionSizeLimitInBytes), createObject('value', 314572800))]", - "captureDescriptionSkipEmptyArchives": "[if(contains(parameters('eventhubs')[copyIndex()], 'captureDescriptionSkipEmptyArchives'), createObject('value', parameters('eventhubs')[copyIndex()].captureDescriptionSkipEmptyArchives), createObject('value', false()))]", - "consumergroups": "[if(contains(parameters('eventhubs')[copyIndex()], 'consumergroups'), createObject('value', parameters('eventhubs')[copyIndex()].consumergroups), createObject('value', createArray()))]", - "lock": { - "value": "[coalesce(tryGet(parameters('eventhubs')[copyIndex()], 'lock'), parameters('lock'))]" - }, - "messageRetentionInDays": "[if(contains(parameters('eventhubs')[copyIndex()], 
'messageRetentionInDays'), createObject('value', parameters('eventhubs')[copyIndex()].messageRetentionInDays), createObject('value', 1))]", - "partitionCount": "[if(contains(parameters('eventhubs')[copyIndex()], 'partitionCount'), createObject('value', parameters('eventhubs')[copyIndex()].partitionCount), createObject('value', 2))]", - "roleAssignments": "[if(contains(parameters('eventhubs')[copyIndex()], 'roleAssignments'), createObject('value', parameters('eventhubs')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "status": "[if(contains(parameters('eventhubs')[copyIndex()], 'status'), createObject('value', parameters('eventhubs')[copyIndex()].status), createObject('value', 'Active'))]", - "retentionDescriptionCleanupPolicy": "[if(contains(parameters('eventhubs')[copyIndex()], 'retentionDescriptionCleanupPolicy'), createObject('value', parameters('eventhubs')[copyIndex()].retentionDescriptionCleanupPolicy), createObject('value', 'Delete'))]", - "retentionDescriptionRetentionTimeInHours": "[if(contains(parameters('eventhubs')[copyIndex()], 'retentionDescriptionRetentionTimeInHours'), createObject('value', parameters('eventhubs')[copyIndex()].retentionDescriptionRetentionTimeInHours), createObject('value', 1))]", - "retentionDescriptionTombstoneRetentionTimeInHours": "[if(contains(parameters('eventhubs')[copyIndex()], 'retentionDescriptionTombstoneRetentionTimeInHours'), createObject('value', parameters('eventhubs')[copyIndex()].retentionDescriptionTombstoneRetentionTimeInHours), createObject('value', 1))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "3029831252290713160" - }, - "name": "Event Hub Namespace Event 
Hubs", - "description": "This module deploys an Event Hub Namespace Event Hub.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "namespaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent event hub namespace. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the event hub." - } - }, - "authorizationRules": { - "type": "array", - "defaultValue": [ - { - "name": "RootManageSharedAccessKey", - "rights": [ - "Listen", - "Manage", - "Send" - ] - } - ], - "metadata": { - "description": "Optional. Authorization Rules for the event hub." - } - }, - "messageRetentionInDays": { - "type": "int", - "defaultValue": 1, - "minValue": 1, - "maxValue": 7, - "metadata": { - "description": "Optional. Number of days to retain the events for this Event Hub, value should be 1 to 7 days. Will be automatically set to infinite retention if cleanup policy is set to \"Compact\"." - } - }, - "partitionCount": { - "type": "int", - "defaultValue": 2, - "minValue": 1, - "maxValue": 32, - "metadata": { - "description": "Optional. Number of partitions created for the Event Hub, allowed values are from 1 to 32 partitions." - } - }, - "status": { - "type": "string", - "defaultValue": "Active", - "allowedValues": [ - "Active", - "Creating", - "Deleting", - "Disabled", - "ReceiveDisabled", - "Renaming", - "Restoring", - "SendDisabled", - "Unknown" - ], - "metadata": { - "description": "Optional. 
Enumerates the possible values for the status of the Event Hub." - } - }, - "consumergroups": { - "type": "array", - "defaultValue": [ - { - "name": "$Default" - } - ], - "metadata": { - "description": "Optional. The consumer groups to create in this event hub instance." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "captureDescriptionDestinationName": { - "type": "string", - "defaultValue": "EventHubArchive.AzureBlockBlob", - "metadata": { - "description": "Optional. Name for capture destination." - } - }, - "captureDescriptionDestinationArchiveNameFormat": { - "type": "string", - "defaultValue": "{Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}", - "metadata": { - "description": "Optional. Blob naming convention for archive, e.g. {Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}. Here all the parameters (Namespace,EventHub .. etc) are mandatory irrespective of order." - } - }, - "captureDescriptionDestinationBlobContainer": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Blob container Name." - } - }, - "captureDescriptionDestinationStorageAccountResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the storage account to be used to create the blobs." - } - }, - "captureDescriptionEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. A value that indicates whether capture description is enabled." - } - }, - "captureDescriptionEncoding": { - "type": "string", - "defaultValue": "Avro", - "allowedValues": [ - "Avro", - "AvroDeflate" - ], - "metadata": { - "description": "Optional. 
Enumerates the possible values for the encoding format of capture description. Note: \"AvroDeflate\" will be deprecated in New API Version." - } - }, - "captureDescriptionIntervalInSeconds": { - "type": "int", - "defaultValue": 300, - "minValue": 60, - "maxValue": 900, - "metadata": { - "description": "Optional. The time window allows you to set the frequency with which the capture to Azure Blobs will happen." - } - }, - "captureDescriptionSizeLimitInBytes": { - "type": "int", - "defaultValue": 314572800, - "minValue": 10485760, - "maxValue": 524288000, - "metadata": { - "description": "Optional. The size window defines the amount of data built up in your Event Hub before an capture operation." - } - }, - "captureDescriptionSkipEmptyArchives": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. A value that indicates whether to Skip Empty Archives." - } - }, - "retentionDescriptionCleanupPolicy": { - "type": "string", - "defaultValue": "Delete", - "allowedValues": [ - "Compact", - "Delete" - ], - "metadata": { - "description": "Optional. Retention cleanup policy. Enumerates the possible values for cleanup policy." - } - }, - "retentionDescriptionRetentionTimeInHours": { - "type": "int", - "defaultValue": 1, - "minValue": 1, - "maxValue": 168, - "metadata": { - "description": "Optional. Retention time in hours. Number of hours to retain the events for this Event Hub. This value is only used when cleanupPolicy is Delete. If cleanupPolicy is Compact the returned value of this property is Long.MaxValue." - } - }, - "retentionDescriptionTombstoneRetentionTimeInHours": { - "type": "int", - "defaultValue": 1, - "minValue": 1, - "maxValue": 168, - "metadata": { - "description": "Optional. Retention cleanup policy. Number of hours to retain the tombstone markers of a compacted Event Hub. This value is only used when cleanupPolicy is Compact. 
Consumer must complete reading the tombstone marker within this specified amount of time if consumer begins from starting offset to ensure they get a valid snapshot for the specific key described by the tombstone marker within the compacted Event Hub." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "eventHubProperties": { - "messageRetentionInDays": "[parameters('messageRetentionInDays')]", - "partitionCount": "[parameters('partitionCount')]", - "status": "[parameters('status')]", - "retentionDescription": { - "cleanupPolicy": "[parameters('retentionDescriptionCleanupPolicy')]", - "retentionTimeInHours": "[if(equals(parameters('retentionDescriptionCleanupPolicy'), 'Delete'), parameters('retentionDescriptionRetentionTimeInHours'), null())]", - "tombstoneRetentionTimeInHours": "[if(equals(parameters('retentionDescriptionCleanupPolicy'), 'Compact'), parameters('retentionDescriptionTombstoneRetentionTimeInHours'), null())]" - } - }, - "eventHubPropertiesCapture": { - "captureDescription": { - "destination": { - "name": "[parameters('captureDescriptionDestinationName')]", - "properties": { - "archiveNameFormat": "[parameters('captureDescriptionDestinationArchiveNameFormat')]", - "blobContainer": "[parameters('captureDescriptionDestinationBlobContainer')]", - "storageAccountResourceId": "[parameters('captureDescriptionDestinationStorageAccountResourceId')]" - } - }, - "enabled": "[parameters('captureDescriptionEnabled')]", - "encoding": "[parameters('captureDescriptionEncoding')]", - "intervalInSeconds": "[parameters('captureDescriptionIntervalInSeconds')]", - "sizeLimitInBytes": "[parameters('captureDescriptionSizeLimitInBytes')]", - "skipEmptyArchives": "[parameters('captureDescriptionSkipEmptyArchives')]" - } - }, - "builtInRoleNames": { - "Azure Event Hubs 
Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", - "Azure Event Hubs Data Receiver": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", - "Azure Event Hubs Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2b629674-e913-4c01-ae53-ef4638d8f975')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "namespace": { - "existing": true, - "type": "Microsoft.EventHub/namespaces", - "apiVersion": "2022-10-01-preview", - "name": "[parameters('namespaceName')]" - }, - "eventHub": { - "type": "Microsoft.EventHub/namespaces/eventhubs", - "apiVersion": "2022-10-01-preview", - "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", - "properties": 
"[if(parameters('captureDescriptionEnabled'), union(variables('eventHubProperties'), variables('eventHubPropertiesCapture')), variables('eventHubProperties'))]", - "dependsOn": [ - "namespace" - ] - }, - "eventHub_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.EventHub/namespaces/{0}/eventhubs/{1}', parameters('namespaceName'), parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "eventHub" - ] - }, - "eventHub_roleAssignments": { - "copy": { - "name": "eventHub_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.EventHub/namespaces/{0}/eventhubs/{1}', parameters('namespaceName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "eventHub" - ] - }, - "eventHub_consumergroups": { - "copy": { - "name": "eventHub_consumergroups", - "count": "[length(parameters('consumergroups'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-ConsumerGroup-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "namespaceName": { - "value": "[parameters('namespaceName')]" - }, - "eventHubName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('consumergroups')[copyIndex()].name]" - }, - "userMetadata": "[if(contains(parameters('consumergroups')[copyIndex()], 'userMetadata'), createObject('value', 
parameters('consumergroups')[copyIndex()].userMetadata), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "1238713274798294217" - }, - "name": "Event Hub Namespace Event Hub Consumer Groups", - "description": "This module deploys an Event Hub Namespace Event Hub Consumer Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "namespaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent event hub namespace. Required if the template is used in a standalone deployment.s." - } - }, - "eventHubName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent event hub namespace event hub. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the consumer group." - } - }, - "userMetadata": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. User Metadata is a placeholder to store user-defined string data with maximum length 1024. e.g. it can be used to store descriptive data, such as list of teams and their contact information also user-defined configuration settings can be stored." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.EventHub/namespaces/eventhubs/consumergroups", - "apiVersion": "2022-10-01-preview", - "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('eventHubName'), parameters('name'))]", - "properties": { - "userMetadata": "[if(not(empty(parameters('userMetadata'))), parameters('userMetadata'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the consumer group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the consumer group." - }, - "value": "[resourceId('Microsoft.EventHub/namespaces/eventhubs/consumergroups', parameters('namespaceName'), parameters('eventHubName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the consumer group was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "eventHub" - ] - }, - "eventHub_authorizationRules": { - "copy": { - "name": "eventHub_authorizationRules", - "count": "[length(parameters('authorizationRules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AuthRule-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "namespaceName": { - "value": "[parameters('namespaceName')]" - }, - "eventHubName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('authorizationRules')[copyIndex()].name]" - }, - "rights": "[if(contains(parameters('authorizationRules')[copyIndex()], 'rights'), createObject('value', parameters('authorizationRules')[copyIndex()].rights), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "14602222687176746114" - }, - "name": "Event Hub Namespace Event Hub Authorization Rules", - "description": "This module deploys an Event Hub Namespace Event Hub Authorization Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "namespaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent event hub namespace. Required if the template is used in a standalone deployment." - } - }, - "eventHubName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent event hub namespace event hub. Required if the template is used in a standalone deployment." 
- } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the authorization rule." - } - }, - "rights": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "Listen", - "Manage", - "Send" - ], - "metadata": { - "description": "Optional. The rights associated with the rule." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.EventHub/namespaces/eventhubs/authorizationRules", - "apiVersion": "2022-10-01-preview", - "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('eventHubName'), parameters('name'))]", - "properties": { - "rights": "[parameters('rights')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the authorization rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the authorization rule." - }, - "value": "[resourceId('Microsoft.EventHub/namespaces/eventhubs/authorizationRules', parameters('namespaceName'), parameters('eventHubName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the authorization rule was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "eventHub" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the event hub." - }, - "value": "[parameters('name')]" - }, - "eventHubId": { - "type": "string", - "metadata": { - "description": "The resource ID of the event hub." - }, - "value": "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('namespaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the event hub was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The authentication rule resource ID of the event hub." - }, - "value": "[resourceId('Microsoft.EventHub/namespaces/authorizationRules', parameters('namespaceName'), 'RootManageSharedAccessKey')]" - } - } - } - }, - "dependsOn": [ - "eventHubNamespace" - ] - }, - "eventHubNamespace_networkRuleSet": { - "condition": "[or(not(empty(parameters('networkRuleSets'))), not(empty(parameters('privateEndpoints'))))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-EvhbNamespace-NetworkRuleSet', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "namespaceName": { - "value": "[parameters('name')]" - }, - "publicNetworkAccess": "[if(contains(parameters('networkRuleSets'), 'publicNetworkAccess'), createObject('value', parameters('networkRuleSets').publicNetworkAccess), if(and(not(empty(parameters('privateEndpoints'))), empty(parameters('networkRuleSets'))), createObject('value', 'Disabled'), createObject('value', 'Enabled')))]", - "defaultAction": "[if(contains(parameters('networkRuleSets'), 'defaultAction'), createObject('value', 
parameters('networkRuleSets').defaultAction), createObject('value', 'Allow'))]", - "trustedServiceAccessEnabled": { - "value": "[tryGet(parameters('networkRuleSets'), 'trustedServiceAccessEnabled')]" - }, - "ipRules": "[if(contains(parameters('networkRuleSets'), 'ipRules'), createObject('value', parameters('networkRuleSets').ipRules), createObject('value', createArray()))]", - "virtualNetworkRules": "[if(contains(parameters('networkRuleSets'), 'virtualNetworkRules'), createObject('value', parameters('networkRuleSets').virtualNetworkRules), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "7604418407731554463" - }, - "name": "Event Hub Namespace Network Rule Sets", - "description": "This module deploys an Event Hub Namespace Network Rule Set.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "namespaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent event hub namespace. Required if the template is used in a standalone deployment." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. This determines if traffic is allowed over public network. Default is \"Enabled\". If set to \"Disabled\", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied." - } - }, - "defaultAction": { - "type": "string", - "defaultValue": "Allow", - "allowedValues": [ - "Allow", - "Deny" - ], - "metadata": { - "description": "Optional. Default Action for Network Rule Set. Default is \"Allow\". 
It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, it will be set to \"Deny\" if ipRules or virtualNetworkRules are being used." - } - }, - "trustedServiceAccessEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Value that indicates whether Trusted Service Access is enabled or not." - } - }, - "virtualNetworkRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An array of subnet resource ID objects that this Event Hub Namespace is exposed to via Service Endpoints. You can enable the `ignoreMissingVnetServiceEndpoint` if you wish to add this virtual network to Event Hub Namespace but do not have an existing service endpoint. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"." - } - }, - "ipRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An array of objects for the public IP ranges you want to allow via the Event Hub Namespace firewall. Supports IPv4 address or CIDR. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "networkRules", - "count": "[length(parameters('virtualNetworkRules'))]", - "input": { - "ignoreMissingVnetServiceEndpoint": "[if(contains(parameters('virtualNetworkRules')[copyIndex('networkRules')], 'ignoreMissingVnetServiceEndpoint'), parameters('virtualNetworkRules')[copyIndex('networkRules')].ignoreMissingVnetServiceEndpoint, null())]", - "subnet": "[if(contains(parameters('virtualNetworkRules')[copyIndex('networkRules')], 'subnetResourceId'), createObject('id', parameters('virtualNetworkRules')[copyIndex('networkRules')].subnetResourceId), null())]" - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.EventHub/namespaces/networkRuleSets", - "apiVersion": "2022-10-01-preview", - "name": "[format('{0}/{1}', parameters('namespaceName'), 'default')]", - "properties": { - "publicNetworkAccess": "[parameters('publicNetworkAccess')]", - "defaultAction": "[if(equals(parameters('publicNetworkAccess'), 'Disabled'), null(), if(or(not(empty(parameters('ipRules'))), not(empty(parameters('virtualNetworkRules')))), 'Deny', parameters('defaultAction')))]", - "trustedServiceAccessEnabled": "[parameters('trustedServiceAccessEnabled')]", - "ipRules": "[if(equals(parameters('publicNetworkAccess'), 'Disabled'), null(), parameters('ipRules'))]", - "virtualNetworkRules": "[if(equals(parameters('publicNetworkAccess'), 'Disabled'), null(), variables('networkRules'))]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the 
network rule set." - }, - "value": "default" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the network rule set." - }, - "value": "[resourceId('Microsoft.EventHub/namespaces/networkRuleSets', parameters('namespaceName'), 'default')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the network rule set was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "eventHubNamespace" - ] - }, - "eventHubNamespace_privateEndpoints": { - "copy": { - "name": "eventHubNamespace_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-eventHubNamespace-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'namespace')]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.EventHub/namespaces', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'namespace'), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.EventHub/namespaces', parameters('name'))]" - }, - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), 
variables('enableReferencedModulesTelemetry'))]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "11154909986774213690" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." 
- } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." 
- } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } 
- }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - "groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": 
"privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": 
"Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "6129461321051281170" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "eventHubNamespace" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the eventspace." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the eventspace." - }, - "value": "[resourceId('Microsoft.EventHub/namespaces', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group where the namespace is deployed." - }, - "value": "[resourceGroup().name]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." 
- }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('eventHubNamespace', '2022-10-01-preview', 'full').identity, 'principalId')), reference('eventHubNamespace', '2022-10-01-preview', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('eventHubNamespace', '2022-10-01-preview', 'full').location]" - } - } -}
\ No newline at end of file
diff --git a/modules/event-hub/namespace/network-rule-set/README.md b/modules/event-hub/namespace/network-rule-set/README.md
deleted file mode 100644
index 6dfa4d8311..0000000000
--- a/modules/event-hub/namespace/network-rule-set/README.md
+++ /dev/null
@@ -1,117 +0,0 @@
-# Event Hub Namespace Network Rule Sets `[Microsoft.EventHub/namespaces/networkRuleSets]`
-
-This module deploys an Event Hub Namespace Network Rule Set.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.EventHub/namespaces/networkRuleSets` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-10-01-preview/namespaces/networkRuleSets) |
-
-## Parameters
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`namespaceName`](#parameter-namespacename) | string | The name of the parent event hub namespace. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`defaultAction`](#parameter-defaultaction) | string | Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`ipRules`](#parameter-iprules) | array | An array of objects for the public IP ranges you want to allow via the Event Hub Namespace firewall. Supports IPv4 address or CIDR. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". |
-| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied. |
-| [`trustedServiceAccessEnabled`](#parameter-trustedserviceaccessenabled) | bool | Value that indicates whether Trusted Service Access is enabled or not. |
-| [`virtualNetworkRules`](#parameter-virtualnetworkrules) | array | An array of subnet resource ID objects that this Event Hub Namespace is exposed to via Service Endpoints. You can enable the `ignoreMissingVnetServiceEndpoint` if you wish to add this virtual network to Event Hub Namespace but do not have an existing service endpoint. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". |
-
-### Parameter: `namespaceName`
-
-The name of the parent event hub namespace. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `defaultAction`
-
-Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used.
-
-- Required: No
-- Type: string
-- Default: `'Allow'`
-- Allowed:
- ```Bicep
- [
- 'Allow'
- 'Deny'
- ]
- ```
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `ipRules`
-
-An array of objects for the public IP ranges you want to allow via the Event Hub Namespace firewall. Supports IPv4 address or CIDR. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny".
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `publicNetworkAccess`
-
-This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied.
-
-- Required: No
-- Type: string
-- Default: `'Enabled'`
-- Allowed:
- ```Bicep
- [
- 'Disabled'
- 'Enabled'
- ]
- ```
-
-### Parameter: `trustedServiceAccessEnabled`
-
-Value that indicates whether Trusted Service Access is enabled or not.
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `virtualNetworkRules`
-
-An array of subnet resource ID objects that this Event Hub Namespace is exposed to via Service Endpoints. You can enable the `ignoreMissingVnetServiceEndpoint` if you wish to add this virtual network to Event Hub Namespace but do not have an existing service endpoint. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny".
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the network rule set. |
-| `resourceGroupName` | string | The name of the resource group the network rule set was created in. |
-| `resourceId` | string | The resource ID of the network rule set. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/event-hub/namespace/network-rule-set/main.bicep b/modules/event-hub/namespace/network-rule-set/main.bicep
deleted file mode 100644
index a9bef191b4..0000000000
--- a/modules/event-hub/namespace/network-rule-set/main.bicep
+++ /dev/null
@@ -1,76 +0,0 @@
-metadata name = 'Event Hub Namespace Network Rule Sets'
-metadata description = 'This module deploys an Event Hub Namespace Network Rule Set.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent event hub namespace. Required if the template is used in a standalone deployment.')
-param namespaceName string
-
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-@description('Optional. This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied.')
-param publicNetworkAccess string = 'Enabled'
-
-@allowed([
- 'Allow'
- 'Deny'
-])
-@description('Optional. Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used.')
-param defaultAction string = 'Allow'
-
-@description('Optional. Value that indicates whether Trusted Service Access is enabled or not.')
-param trustedServiceAccessEnabled bool = true
-
-@description('Optional. An array of subnet resource ID objects that this Event Hub Namespace is exposed to via Service Endpoints. You can enable the `ignoreMissingVnetServiceEndpoint` if you wish to add this virtual network to Event Hub Namespace but do not have an existing service endpoint. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny".')
-param virtualNetworkRules array = []
-
-@description('Optional. An array of objects for the public IP ranges you want to allow via the Event Hub Namespace firewall. Supports IPv4 address or CIDR. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny".')
-param ipRules array = []
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var networkRules = [for (virtualNetworkRule, index) in virtualNetworkRules: {
- ignoreMissingVnetServiceEndpoint: contains(virtualNetworkRule, 'ignoreMissingVnetServiceEndpoint') ? virtualNetworkRule.ignoreMissingVnetServiceEndpoint : null
- subnet: contains(virtualNetworkRule, 'subnetResourceId') ? {
- id: virtualNetworkRule.subnetResourceId
- } : null
-}]
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource namespace 'Microsoft.EventHub/namespaces@2022-10-01-preview' existing = {
- name: namespaceName
-}
-
-resource networkRuleSet 'Microsoft.EventHub/namespaces/networkRuleSets@2022-10-01-preview' = {
- name: 'default'
- parent: namespace
- properties: {
- publicNetworkAccess: publicNetworkAccess
- defaultAction: publicNetworkAccess == 'Disabled' ? null : (!empty(ipRules) || !empty(virtualNetworkRules) ? 'Deny' : defaultAction)
- trustedServiceAccessEnabled: trustedServiceAccessEnabled
- ipRules: publicNetworkAccess == 'Disabled' ? null : ipRules
- virtualNetworkRules: publicNetworkAccess == 'Disabled' ? null : networkRules
- }
-}
-
-@description('The name of the network rule set.')
-output name string = networkRuleSet.name
-
-@description('The resource ID of the network rule set.')
-output resourceId string = networkRuleSet.id
-
-@description('The name of the resource group the network rule set was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/event-hub/namespace/network-rule-set/main.json b/modules/event-hub/namespace/network-rule-set/main.json
deleted file mode 100644
index e2e06dbf01..0000000000
--- a/modules/event-hub/namespace/network-rule-set/main.json
+++ /dev/null
@@ -1,135 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "7604418407731554463" - }, - "name": "Event Hub Namespace Network Rule Sets", - "description": "This module deploys an Event Hub Namespace Network Rule Set.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "namespaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent event hub namespace. Required if the template is used in a standalone deployment." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. This determines if traffic is allowed over public network. Default is \"Enabled\". If set to \"Disabled\", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied." - } - }, - "defaultAction": { - "type": "string", - "defaultValue": "Allow", - "allowedValues": [ - "Allow", - "Deny" - ], - "metadata": { - "description": "Optional. Default Action for Network Rule Set. Default is \"Allow\". It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, it will be set to \"Deny\" if ipRules or virtualNetworkRules are being used." - } - }, - "trustedServiceAccessEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Value that indicates whether Trusted Service Access is enabled or not." - } - }, - "virtualNetworkRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An array of subnet resource ID objects that this Event Hub Namespace is exposed to via Service Endpoints. 
You can enable the `ignoreMissingVnetServiceEndpoint` if you wish to add this virtual network to Event Hub Namespace but do not have an existing service endpoint. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"." - } - }, - "ipRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An array of objects for the public IP ranges you want to allow via the Event Hub Namespace firewall. Supports IPv4 address or CIDR. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "copy": [ - { - "name": "networkRules", - "count": "[length(parameters('virtualNetworkRules'))]", - "input": { - "ignoreMissingVnetServiceEndpoint": "[if(contains(parameters('virtualNetworkRules')[copyIndex('networkRules')], 'ignoreMissingVnetServiceEndpoint'), parameters('virtualNetworkRules')[copyIndex('networkRules')].ignoreMissingVnetServiceEndpoint, null())]", - "subnet": "[if(contains(parameters('virtualNetworkRules')[copyIndex('networkRules')], 'subnetResourceId'), createObject('id', parameters('virtualNetworkRules')[copyIndex('networkRules')].subnetResourceId), null())]" - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": 
"Microsoft.EventHub/namespaces/networkRuleSets", - "apiVersion": "2022-10-01-preview", - "name": "[format('{0}/{1}', parameters('namespaceName'), 'default')]", - "properties": { - "publicNetworkAccess": "[parameters('publicNetworkAccess')]", - "defaultAction": "[if(equals(parameters('publicNetworkAccess'), 'Disabled'), null(), if(or(not(empty(parameters('ipRules'))), not(empty(parameters('virtualNetworkRules')))), 'Deny', parameters('defaultAction')))]", - "trustedServiceAccessEnabled": "[parameters('trustedServiceAccessEnabled')]", - "ipRules": "[if(equals(parameters('publicNetworkAccess'), 'Disabled'), null(), parameters('ipRules'))]", - "virtualNetworkRules": "[if(equals(parameters('publicNetworkAccess'), 'Disabled'), null(), variables('networkRules'))]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the network rule set." - }, - "value": "default" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the network rule set." - }, - "value": "[resourceId('Microsoft.EventHub/namespaces/networkRuleSets', parameters('namespaceName'), 'default')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the network rule set was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/event-hub/namespace/network-rule-set/version.json b/modules/event-hub/namespace/network-rule-set/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/event-hub/namespace/network-rule-set/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/event-hub/namespace/tests/e2e/defaults/main.test.bicep b/modules/event-hub/namespace/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index 424ca90ffe..0000000000
--- a/modules/event-hub/namespace/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,48 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-eventhub.namespaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ehnmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}
diff --git a/modules/event-hub/namespace/tests/e2e/encr/dependencies.bicep b/modules/event-hub/namespace/tests/e2e/encr/dependencies.bicep
deleted file mode 100644
index dab158fd15..0000000000
--- a/modules/event-hub/namespace/tests/e2e/encr/dependencies.bicep
+++ /dev/null
@@ -1,90 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: true // Required by event hub namespace
- softDeleteRetentionInDays: 7
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-
- resource key 'keys@2022-07-01' = {
- name: 'keyEncryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-}
-
-resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment')
- scope: keyVault::key
- properties: {
- principalId: managedIdentity.properties.principalId
- // Key Vault Crypto User
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')
- principalType: 'ServicePrincipal'
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
-
-@description('The name of the created encryption key.')
-output keyName string = keyVault::key.name
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
diff --git a/modules/event-hub/namespace/tests/e2e/encr/main.test.bicep b/modules/event-hub/namespace/tests/e2e/encr/main.test.bicep
deleted file mode 100644
index 56749b440d..0000000000
--- a/modules/event-hub/namespace/tests/e2e/encr/main.test.bicep
+++ /dev/null
@@ -1,78 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-eventhub.namespaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ehnenc'
-
-@description('Generated. Used as a basis for unique resource names.')
-param baseTime string = utcNow('u')
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- publicNetworkAccess: 'SecuredByPerimeter'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- skuName: 'Premium'
- managedIdentities: {
- systemAssigned: false
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- customerManagedKey: {
- keyName: nestedDependencies.outputs.keyName
- keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- userAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId
- }
- requireInfrastructureEncryption: true
- }
-}
diff --git a/modules/event-hub/namespace/tests/e2e/max/dependencies.bicep b/modules/event-hub/namespace/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 6bc7e40df9..0000000000
--- a/modules/event-hub/namespace/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,83 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- serviceEndpoints: [
- {
- service: 'Microsoft.EventHub'
- }
- ]
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.servicebus.windows.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
diff --git a/modules/event-hub/namespace/tests/e2e/max/main.test.bicep b/modules/event-hub/namespace/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 5224046f19..0000000000
--- a/modules/event-hub/namespace/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,239 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-eventhub.namespaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ehnmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- storageAccountName: 'dep${namePrefix}sa${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- zoneRedundant: true
- skuName: 'Standard'
- skuCapacity: 2
- authorizationRules: [
- {
- name: 'RootManageSharedAccessKey'
- rights: [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- }
- {
- name: 'SendListenAccess'
- rights: [
- 'Listen'
- 'Send'
- ]
- }
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- eventhubs: [
- {
- name: '${namePrefix}-az-evh-x-001'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- }
- {
- name: '${namePrefix}-az-evh-x-002'
- authorizationRules: [
- {
- name: 'RootManageSharedAccessKey'
- rights: [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- }
- {
- name: 'SendListenAccess'
- rights: [
- 'Listen'
- 'Send'
- ]
- }
- ]
- captureDescriptionDestinationArchiveNameFormat: '{Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}'
- captureDescriptionDestinationBlobContainer: 'eventhub'
- captureDescriptionDestinationName: 'EventHubArchive.AzureBlockBlob'
- captureDescriptionDestinationStorageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
- captureDescriptionEnabled: true
- captureDescriptionEncoding: 'Avro'
- captureDescriptionIntervalInSeconds: 300
- captureDescriptionSizeLimitInBytes: 314572800
- captureDescriptionSkipEmptyArchives: true
- consumergroups: [
- {
- name: 'custom'
- userMetadata: 'customMetadata'
- }
- ]
- messageRetentionInDays: 1
- partitionCount: 2
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- status: 'Active'
- retentionDescriptionCleanupPolicy: 'Delete'
- retentionDescriptionRetentionTimeInHours: 3
- }
- {
- name: '${namePrefix}-az-evh-x-003'
- retentionDescriptionCleanupPolicy: 'Compact'
- retentionDescriptionTombstoneRetentionTimeInHours: 24
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- networkRuleSets: {
- defaultAction: 'Deny'
- ipRules: [
- {
- action: 'Allow'
- ipMask: '10.10.10.10'
- }
- ]
- trustedServiceAccessEnabled: false
- publicNetworkAccess: 'Disabled'
- virtualNetworkRules: [
- {
- ignoreMissingVnetServiceEndpoint: true
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- }
- ]
- }
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- service: 'namespace'
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- kafkaEnabled: true
- disableLocalAuth: true
- isAutoInflateEnabled: true
- minimumTlsVersion: '1.2'
- maximumThroughputUnits: 4
- publicNetworkAccess: 'Disabled'
- }
-}
diff --git a/modules/event-hub/namespace/tests/e2e/pe/dependencies.bicep b/modules/event-hub/namespace/tests/e2e/pe/dependencies.bicep
deleted file mode 100644
index a1124e6d21..0000000000
--- a/modules/event-hub/namespace/tests/e2e/pe/dependencies.bicep
+++ /dev/null
@@ -1,54 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- serviceEndpoints: [
- {
- service: 'Microsoft.EventHub'
- }
- ]
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.servicebus.windows.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/event-hub/namespace/tests/e2e/pe/main.test.bicep b/modules/event-hub/namespace/tests/e2e/pe/main.test.bicep
deleted file mode 100644
index e55e3faf2f..0000000000
--- a/modules/event-hub/namespace/tests/e2e/pe/main.test.bicep
+++ /dev/null
@@ -1,74 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-eventhub.namespaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ehnpe'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- skuName: 'Premium'
- skuCapacity: 2
- zoneRedundant: true
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
diff --git a/modules/event-hub/namespace/tests/e2e/waf-aligned/dependencies.bicep b/modules/event-hub/namespace/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 6bc7e40df9..0000000000
--- a/modules/event-hub/namespace/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,83 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- serviceEndpoints: [
- {
- service: 'Microsoft.EventHub'
- }
- ]
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.servicebus.windows.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
diff --git a/modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep b/modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index c00b8c1668..0000000000
--- a/modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,221 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-eventhub.namespaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ehnwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- storageAccountName: 'dep${namePrefix}sa${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- zoneRedundant: true
- skuName: 'Standard'
- skuCapacity: 2
- authorizationRules: [
- {
- name: 'RootManageSharedAccessKey'
- rights: [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- }
- {
- name: 'SendListenAccess'
- rights: [
- 'Listen'
- 'Send'
- ]
- }
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- eventhubs: [
- {
- name: '${namePrefix}-az-evh-x-001'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- }
- {
- name: '${namePrefix}-az-evh-x-002'
- authorizationRules: [
- {
- name: 'RootManageSharedAccessKey'
- rights: [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- }
- {
- name: 'SendListenAccess'
- rights: [
- 'Listen'
- 'Send'
- ]
- }
- ]
- captureDescriptionDestinationArchiveNameFormat: '{Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}'
- captureDescriptionDestinationBlobContainer: 'eventhub'
- captureDescriptionDestinationName: 'EventHubArchive.AzureBlockBlob'
- captureDescriptionDestinationStorageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
- captureDescriptionEnabled: true
- captureDescriptionEncoding: 'Avro'
- captureDescriptionIntervalInSeconds: 300
- captureDescriptionSizeLimitInBytes: 314572800
- captureDescriptionSkipEmptyArchives: true
- consumergroups: [
- {
- name: 'custom'
- userMetadata: 'customMetadata'
- }
- ]
- messageRetentionInDays: 1
- partitionCount: 2
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- status: 'Active'
- retentionDescriptionCleanupPolicy: 'Delete'
- retentionDescriptionRetentionTimeInHours: 3
- }
- {
- name: '${namePrefix}-az-evh-x-003'
- retentionDescriptionCleanupPolicy: 'Compact'
- retentionDescriptionTombstoneRetentionTimeInHours: 24
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- networkRuleSets: {
- defaultAction: 'Deny'
- ipRules: [
- {
- action: 'Allow'
- ipMask: '10.10.10.10'
- }
- ]
- trustedServiceAccessEnabled: false
- virtualNetworkRules: [
- {
- ignoreMissingVnetServiceEndpoint: true
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- }
- ]
- }
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- service: 'namespace'
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- kafkaEnabled: true
- disableLocalAuth: true
- isAutoInflateEnabled: true
- minimumTlsVersion: '1.2'
- maximumThroughputUnits: 4
- publicNetworkAccess: 'Disabled'
- }
-}
diff --git a/modules/event-hub/namespace/version.json b/modules/event-hub/namespace/version.json
deleted file mode 100644
index 04a0dd1a80..0000000000
--- a/modules/event-hub/namespace/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.5",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/health-bot/health-bot/MOVED-TO-AVM.md b/modules/health-bot/health-bot/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/health-bot/health-bot/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/health-bot/health-bot/README.md b/modules/health-bot/health-bot/README.md
index 5a48c03307..3bba9a0a1e 100644
--- a/modules/health-bot/health-bot/README.md
+++ b/modules/health-bot/health-bot/README.md
@@ -1,518 +1,7 @@
-# Azure Health Bots `[Microsoft.HealthBot/healthBots]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/health-bot/health-bot](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/health-bot/health-bot).** -This module deploys an Azure Health Bot. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/health-bot/health-bot). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.HealthBot/healthBots` | [2022-08-08](https://learn.microsoft.com/en-us/azure/templates/Microsoft.HealthBot/2022-08-08/healthBots) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/health-bot.health-bot:1.0.0`. 
- -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-hbhbmin' - params: { - // Required parameters - name: 'hbhbmin001' - sku: 'F0' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "hbhbmin001" - }, - "sku": { - "value": "F0" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-hbhbmax' - params: { - // Required parameters - name: 'hbhbmax001' - sku: 'F0' - // Non-required parameters - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "hbhbmax001" - }, - "sku": { - "value": "F0" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-hbhbwaf' - params: { - // Required parameters - name: 'hbhbwaf001' - sku: 'F0' - // Non-required parameters - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "hbhbwaf001" - }, - "sku": { - "value": "F0" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the resource. | -| [`sku`](#parameter-sku) | string | The name of the Azure Health Bot SKU. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `name` - -Name of the resource. - -- Required: Yes -- Type: string - -### Parameter: `sku` - -The name of the Azure Health Bot SKU. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'C0' - 'F0' - 'S1' - ] - ``` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. 
- -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: Yes -- Type: array - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. 
| -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the health bot. 
| -| `resourceGroupName` | string | The resource group the health bot was deployed into. | -| `resourceId` | string | The resource ID of the health bot. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/health-bot/health-bot/main.bicep b/modules/health-bot/health-bot/main.bicep deleted file mode 100644 index bf0e08c90d..0000000000 --- a/modules/health-bot/health-bot/main.bicep +++ /dev/null 
@@ -1,145 +0,0 @@
-metadata name = 'Azure Health Bots'
-metadata description = 'This module deploys an Azure Health Bot.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the resource.')
-param name string
-
-@allowed([
- 'C0'
- 'F0'
- 'S1'
-])
-@description('Required. The name of the Azure Health Bot SKU.')
-param sku string
-
-@description('Optional. The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-
-var identity = !empty(managedIdentities) ? {
- type: !empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null
- userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
-} : null
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource healthBot 'Microsoft.HealthBot/healthBots@2022-08-08' = {
- name: name
- location: location
- tags: tags
- identity: identity
- sku: {
- name: sku
- }
- properties: {}
-}
-
-resource healthBot_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: healthBot
-}
-
-resource healthBot_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(healthBot.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: healthBot
-}]
-
-@description('The resource group the health bot was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the health bot.')
-output name string = healthBot.name
-
-@description('The resource ID of the health bot.')
-output resourceId string = healthBot.id
-
-@description('The location the resource was deployed into.')
-output location string = healthBot.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/health-bot/health-bot/main.json b/modules/health-bot/health-bot/main.json
deleted file mode 100644
index 538d2d760a..0000000000
--- a/modules/health-bot/health-bot/main.json
+++ /dev/null
@@ -1,286 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "582765600236650029" - }, - "name": "Azure Health Bots", - "description": "This module deploys an Azure Health Bot.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. 
The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the resource." - } - }, - "sku": { - "type": "string", - "allowedValues": [ - "C0", - "F0", - "S1" - ], - "metadata": { - "description": "Required. The name of the Azure Health Bot SKU." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. 
Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null()), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - 
"template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "healthBot": { - "type": "Microsoft.HealthBot/healthBots", - "apiVersion": "2022-08-08", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "sku": { - "name": "[parameters('sku')]" - }, - "properties": {} - }, - "healthBot_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.HealthBot/healthBots/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "healthBot" - ] - }, - "healthBot_roleAssignments": { - "copy": { - "name": "healthBot_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.HealthBot/healthBots/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.HealthBot/healthBots', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), 
variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "healthBot" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the health bot was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the health bot." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the health bot." 
- }, - "value": "[resourceId('Microsoft.HealthBot/healthBots', parameters('name'))]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('healthBot', '2022-08-08', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/health-bot/health-bot/tests/e2e/defaults/main.test.bicep b/modules/health-bot/health-bot/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index f2b46c90a3..0000000000 --- a/modules/health-bot/health-bot/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,50 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-healthbot.healthbots-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'hbhbmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- sku: 'F0'
- }
-}]
diff --git a/modules/health-bot/health-bot/tests/e2e/max/dependencies.bicep b/modules/health-bot/health-bot/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 539240be2b..0000000000
--- a/modules/health-bot/health-bot/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,16 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/health-bot/health-bot/tests/e2e/max/main.test.bicep b/modules/health-bot/health-bot/tests/e2e/max/main.test.bicep
deleted file mode 100644
index d5e7889ab8..0000000000
--- a/modules/health-bot/health-bot/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,89 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-healthbot.healthbots-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'hbhbmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId:
nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- sku: 'F0'
- managedIdentities: {
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- }
-}]
diff --git a/modules/health-bot/health-bot/tests/e2e/waf-aligned/dependencies.bicep b/modules/health-bot/health-bot/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 539240be2b..0000000000
--- a/modules/health-bot/health-bot/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,16 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep b/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 4e5cb79986..0000000000
--- a/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,72 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-healthbot.healthbots-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'hbhbwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- tags: {
- 'hidden-title': 'This is visible in the
resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- sku: 'F0'
- managedIdentities: {
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- }
-}]
diff --git a/modules/health-bot/health-bot/version.json b/modules/health-bot/health-bot/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/health-bot/health-bot/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/healthcare-apis/workspace/MOVED-TO-AVM.md b/modules/healthcare-apis/workspace/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/healthcare-apis/workspace/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/healthcare-apis/workspace/README.md b/modules/healthcare-apis/workspace/README.md
index 41a48290aa..32b5f47802 100644
--- a/modules/healthcare-apis/workspace/README.md
+++ b/modules/healthcare-apis/workspace/README.md
@@ -1,977 +1,7 @@
-# Healthcare API Workspaces `[Microsoft.HealthcareApis/workspaces]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/healthcare-apis/workspace](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/healthcare-apis/workspace).** -This module deploys a Healthcare API Workspace. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/healthcare-apis/workspace). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.HealthcareApis/workspaces` | [2022-06-01](https://learn.microsoft.com/en-us/azure/templates) | -| `Microsoft.HealthcareApis/workspaces/dicomservices` | [2022-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.HealthcareApis/workspaces) | -| `Microsoft.HealthcareApis/workspaces/fhirservices` | [2022-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.HealthcareApis/workspaces) | -| `Microsoft.HealthcareApis/workspaces/iotconnectors` | [2022-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.HealthcareApis/workspaces) | -| 
`Microsoft.HealthcareApis/workspaces/iotconnectors/fhirdestinations` | [2022-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.HealthcareApis/workspaces) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/healthcare-apis.workspace:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-hawmin' - params: { - // Required parameters - name: 'hawmin001' - // Non-required parameters - enableDefaultTelemetry: '' - location: '' - publicNetworkAccess: 'Enabled' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "hawmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "location": { - "value": "" - }, - "publicNetworkAccess": { - "value": "Enabled" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-hawmax' - params: { - // Required parameters - name: 'hawmax001' - // Non-required parameters - dicomservices: [ - { - corsAllowCredentials: false - corsHeaders: [ - '*' - ] - corsMaxAge: 600 - corsMethods: [ - 'GET' - ] - corsOrigins: [ - '*' - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - location: '' - managedIdentities: { - systemAssigned: false - userAssignedResourceIds: [ - '' - ] - } - name: 'az-dicom-x-001' - publicNetworkAccess: 'Enabled' - workspaceName: 'hawmax001' - } - ] - enableDefaultTelemetry: '' - fhirservices: [ - { - corsAllowCredentials: false - corsHeaders: [ - '*' - ] - corsMaxAge: 600 - corsMethods: [ - 'GET' - ] - corsOrigins: [ - '*' - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - importEnabled: false - initialImportMode: false - kind: 'fhir-R4' - location: '' - managedIdentities: { - systemAssigned: false - userAssignedResourceIds: [ - '' - ] - } - name: 'az-fhir-x-001' - publicNetworkAccess: 'Enabled' - resourceVersionPolicy: 'versioned' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - smartProxyEnabled: false - workspaceName: 'hawmax001' - } - ] - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - publicNetworkAccess: 'Enabled' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - 
principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "hawmax001" - }, - // Non-required parameters - "dicomservices": { - "value": [ - { - "corsAllowCredentials": false, - "corsHeaders": [ - "*" - ], - "corsMaxAge": 600, - "corsMethods": [ - "GET" - ], - "corsOrigins": [ - "*" - ], - "diagnosticSettings": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ], - "enableDefaultTelemetry": "", - "location": "", - "managedIdentities": { - "systemAssigned": false, - "userAssignedResourceIds": [ - "" - ] - }, - "name": "az-dicom-x-001", - "publicNetworkAccess": "Enabled", - "workspaceName": "hawmax001" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "fhirservices": { - "value": [ - { - "corsAllowCredentials": false, - "corsHeaders": [ - "*" - ], - "corsMaxAge": 600, - "corsMethods": [ - "GET" - ], - "corsOrigins": [ - "*" - ], - "diagnosticSettings": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ], - "enableDefaultTelemetry": "", - "importEnabled": false, - "initialImportMode": false, - "kind": "fhir-R4", - "location": "", - "managedIdentities": { - "systemAssigned": false, - "userAssignedResourceIds": [ - "" - ] - }, - "name": "az-fhir-x-001", - "publicNetworkAccess": "Enabled", - "resourceVersionPolicy": "versioned", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ], - "smartProxyEnabled": false, - "workspaceName": "hawmax001" - } - ] - }, 
- "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "publicNetworkAccess": { - "value": "Enabled" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-hawwaf' - params: { - // Required parameters - name: 'hawwaf001' - // Non-required parameters - dicomservices: [ - { - corsAllowCredentials: false - corsHeaders: [ - '*' - ] - corsMaxAge: 600 - corsMethods: [ - 'GET' - ] - corsOrigins: [ - '*' - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - location: '' - managedIdentities: { - systemAssigned: false - userAssignedResourceIds: [ - '' - ] - } - name: 'az-dicom-x-001' - publicNetworkAccess: 'Enabled' - workspaceName: 'hawwaf001' - } - ] - enableDefaultTelemetry: '' - fhirservices: [ - { - corsAllowCredentials: false - corsHeaders: [ - '*' - ] - corsMaxAge: 600 - corsMethods: [ - 'GET' - ] - corsOrigins: [ - '*' - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - importEnabled: false - initialImportMode: false - kind: 'fhir-R4' - location: '' - managedIdentities: { - systemAssigned: false - userAssignedResourceIds: [ - '' - ] - } - name: 'az-fhir-x-001' - publicNetworkAccess: 'Enabled' - resourceVersionPolicy: 'versioned' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - smartProxyEnabled: false - workspaceName: 'hawwaf001' - } - ] - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - publicNetworkAccess: 'Enabled' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - 
} - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "hawwaf001" - }, - // Non-required parameters - "dicomservices": { - "value": [ - { - "corsAllowCredentials": false, - "corsHeaders": [ - "*" - ], - "corsMaxAge": 600, - "corsMethods": [ - "GET" - ], - "corsOrigins": [ - "*" - ], - "diagnosticSettings": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ], - "enableDefaultTelemetry": "", - "location": "", - "managedIdentities": { - "systemAssigned": false, - "userAssignedResourceIds": [ - "" - ] - }, - "name": "az-dicom-x-001", - "publicNetworkAccess": "Enabled", - "workspaceName": "hawwaf001" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "fhirservices": { - "value": [ - { - "corsAllowCredentials": false, - "corsHeaders": [ - "*" - ], - "corsMaxAge": 600, - "corsMethods": [ - "GET" - ], - "corsOrigins": [ - "*" - ], - "diagnosticSettings": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ], - "enableDefaultTelemetry": "", - "importEnabled": false, - "initialImportMode": false, - "kind": "fhir-R4", - "location": "", - "managedIdentities": { - "systemAssigned": false, - "userAssignedResourceIds": [ - "" - ] - }, - "name": "az-fhir-x-001", - "publicNetworkAccess": "Enabled", - "resourceVersionPolicy": "versioned", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ], - "smartProxyEnabled": false, - "workspaceName": "hawwaf001" - } - ] - }, 
- "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "publicNetworkAccess": { - "value": "Enabled" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the Health Data Services Workspace service. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`dicomservices`](#parameter-dicomservices) | array | Deploy DICOM services. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| [`fhirservices`](#parameter-fhirservices) | array | Deploy FHIR services. | -| [`iotconnectors`](#parameter-iotconnectors) | array | Deploy IOT connectors. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `name` - -The name of the Health Data Services Workspace service. - -- Required: Yes -- Type: string - -### Parameter: `dicomservices` - -Deploy DICOM services. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via the Customer Usage Attribution ID (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `fhirservices` - -Deploy FHIR services. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `iotconnectors` - -Deploy IOT connectors. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. 
- -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `publicNetworkAccess` - -Control permission for data plane traffic coming from public networks while private endpoint is enabled. - -- Required: No -- Type: string -- Default: `'Disabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. 
| -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. 
- -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the health data services workspace. | -| `resourceGroupName` | string | The resource group where the workspace is deployed. | -| `resourceId` | string | The resource ID of the health data services workspace. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `iotconnectors` - -Create an IOT Connector (MedTech) service with the workspace. - -

- -Parameter JSON format - -```json -"iotConnectors": { - "value": [ - { - "name": "[[namePrefix]]-az-iomt-x-001", - "workspaceName": "[[namePrefix]]001", - "corsOrigins": [ "*" ], - "corsHeaders": [ "*" ], - "corsMethods": [ "GET" ], - "corsMaxAge": 600, - "corsAllowCredentials": false, - "location": "[[location]]", - "diagnosticStorageAccountId": "[[storageAccountResourceId]]", - "diagnosticWorkspaceId": "[[logAnalyticsWorkspaceResourceId]]", - "diagnosticEventHubAuthorizationRuleId": "[[eventHubAuthorizationRuleId]]", - "diagnosticEventHubName": "[[eventHubNamespaceEventHubName]]", - "publicNetworkAccess": "Enabled", - "enableDefaultTelemetry": false, - "systemAssignedIdentity": true, - "userAssignedIdentities": { - "[[managedIdentityResourceId]]": {} - }, - "eventHubName": "[[eventHubName]]", - "consumerGroup": "[[consumerGroup]]", - "eventHubNamespaceName": "[[eventHubNamespaceName]]", - "deviceMapping": "[[deviceMapping]]", - "destinationMapping": "[[destinationMapping]]", - "fhirServiceResourceId": "[[fhirServiceResourceId]]", - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -iotConnectors: [ - { - name: '[[namePrefix]]-az-iomt-x-001' - workspaceName: '[[namePrefix]]001' - corsOrigins: [ '*' ] - corsHeaders: [ '*' ] - corsMethods: [ 'GET' ] - corsMaxAge: 600 - corsAllowCredentials: false - location: location - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - publicNetworkAccess: 'Enabled' - enableDefaultTelemetry: enableDefaultTelemetry - systemAssignedIdentity: true - userAssignedIdentities: { - '${resourceGroupResources.outputs.managedIdentityResourceId}': {} - } - eventHubName: '[[eventHubName]]' - consumerGroup: '[[consumerGroup]]' - eventHubNamespaceName: '[[eventHubNamespaceName]]' - deviceMapping: '[[deviceMapping]]' - destinationMapping: '[[destinationMapping]]' - fhirServiceResourceId: '[[fhirServiceResourceId]]' - } -] -``` - -
-

+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/healthcare-apis/workspace/dicomservice/README.md b/modules/healthcare-apis/workspace/dicomservice/README.md
deleted file mode 100644
index 454ed418e7..0000000000
--- a/modules/healthcare-apis/workspace/dicomservice/README.md
+++ /dev/null
@@ -1,322 +0,0 @@ -# Healthcare API Workspace DICOM Services `[Microsoft.HealthcareApis/workspaces/dicomservices]` - -This module deploys a Healthcare API Workspace DICOM Service. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.HealthcareApis/workspaces/dicomservices` | [2022-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.HealthcareApis/workspaces) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the DICOM service. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`workspaceName`](#parameter-workspacename) | string | The name of the parent health data services workspace. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`corsAllowCredentials`](#parameter-corsallowcredentials) | bool | Use this setting to indicate that cookies should be included in CORS requests. | -| [`corsHeaders`](#parameter-corsheaders) | array | Specify HTTP headers which can be used during the request. Use "*" for any header. | -| [`corsMaxAge`](#parameter-corsmaxage) | int | Specify how long a result from a request can be cached in seconds. Example: 600 means 10 minutes. | -| [`corsMethods`](#parameter-corsmethods) | array | Specify the allowed HTTP methods. 
| -| [`corsOrigins`](#parameter-corsorigins) | array | Specify URLs of origin sites that can access this API, or use "*" to allow access from any site. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `name` - -The name of the DICOM service. - -- Required: Yes -- Type: string - -### Parameter: `workspaceName` - -The name of the parent health data services workspace. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `corsAllowCredentials` - -Use this setting to indicate that cookies should be included in CORS requests. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `corsHeaders` - -Specify HTTP headers which can be used during the request. Use "*" for any header. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `corsMaxAge` - -Specify how long a result from a request can be cached in seconds. Example: 600 means 10 minutes. - -- Required: No -- Type: int -- Default: `-1` - -### Parameter: `corsMethods` - -Specify the allowed HTTP methods. 
- -- Required: No -- Type: array -- Default: `[]` -- Allowed: - ```Bicep - [ - 'DELETE' - 'GET' - 'OPTIONS' - 'PATCH' - 'POST' - 'PUT' - ] - ``` - -### Parameter: `corsOrigins` - -Specify URLs of origin sites that can access this API, or use "*" to allow access from any site. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
- -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via the Customer Usage Attribution ID (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: No -- Type: array - -### Parameter: `publicNetworkAccess` - -Control permission for data plane traffic coming from public networks while private endpoint is enabled. - -- Required: No -- Type: string -- Default: `'Disabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the dicom service. | -| `resourceGroupName` | string | The resource group where the namespace is deployed. | -| `resourceId` | string | The resource ID of the dicom service. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -_None_ 
diff --git a/modules/healthcare-apis/workspace/dicomservice/main.bicep b/modules/healthcare-apis/workspace/dicomservice/main.bicep
deleted file mode 100644
index ab6af14e3d..0000000000
--- a/modules/healthcare-apis/workspace/dicomservice/main.bicep
+++ /dev/null
@@ -1,210 +0,0 @@
-metadata name = 'Healthcare API Workspace DICOM Services'
-metadata description = 'This module deploys a Healthcare API Workspace DICOM Service.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the DICOM service.')
-@maxLength(50)
-param name string
-
-@description('Conditional. The name of the parent health data services workspace. Required if the template is used in a standalone deployment.')
-param workspaceName string
-
-@description('Optional. Specify URLs of origin sites that can access this API, or use "*" to allow access from any site.')
-param corsOrigins array = []
-
-@description('Optional. Specify HTTP headers which can be used during the request. Use "*" for any header.')
-param corsHeaders array = []
-
-@allowed([
- 'DELETE'
- 'GET'
- 'OPTIONS'
- 'PATCH'
- 'POST'
- 'PUT'
-])
-@description('Optional. Specify the allowed HTTP methods.')
-param corsMethods array = []
-
-@description('Optional. Specify how long a result from a request can be cached in seconds. Example: 600 means 10 minutes.')
-param corsMaxAge int = -1
-
-@description('Optional. Use this setting to indicate that cookies should be included in CORS requests.')
-param corsAllowCredentials bool = false
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@allowed([
- 'Disabled'
- 'Enabled'
-])
-@description('Optional. Control permission for data plane traffic coming from public networks while private endpoint is enabled.')
-param publicNetworkAccess string = 'Disabled'
-
-@description('Optional. The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
-param enableDefaultTelemetry bool = true
-
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-
-var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
- userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
-} : null
-
-// =========== //
-// Deployments //
-// =========== //
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource workspace 'Microsoft.HealthcareApis/workspaces@2022-06-01' existing = {
- name: workspaceName
-}
-
-resource dicom 'Microsoft.HealthcareApis/workspaces/dicomservices@2022-06-01' = {
- name: name
- location: location
- tags: tags
- parent: workspace
- identity: identity
- properties: {
- corsConfiguration: {
- allowCredentials: corsAllowCredentials
- headers: corsHeaders
- maxAge: corsMaxAge == -1 ? null : corsMaxAge
- methods: corsMethods
- origins: corsOrigins
- }
- publicNetworkAccess: publicNetworkAccess
- }
-}
-
-resource dicom_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ??
''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: dicom
-}
-
-resource dicom_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: dicom
-}]
-
-@description('The name of the dicom service.')
-output name string = dicom.name
-
-@description('The resource ID of the dicom service.')
-output resourceId string = dicom.id
-
-@description('The resource group where the namespace is deployed.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The principal ID of the system assigned identity.')
-output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(dicom.identity, 'principalId') ? dicom.identity.principalId : ''
-
-@description('The location the resource was deployed into.')
-output location string = dicom.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @description('Optional.
The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]?
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account.
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/healthcare-apis/workspace/dicomservice/main.json b/modules/healthcare-apis/workspace/dicomservice/main.json
deleted file mode 100644
index a2a2bbc78b..0000000000
--- a/modules/healthcare-apis/workspace/dicomservice/main.json
+++ /dev/null
@@ -1,400 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4829507560537153518" - }, - "name": "Healthcare API Workspace DICOM Services", - "description": "This module deploys a Healthcare API Workspace DICOM Service.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." 
- } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." 
- } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 50, - "metadata": { - "description": "Required. The name of the DICOM service." - } - }, - "workspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent health data services workspace. Required if the template is used in a standalone deployment." - } - }, - "corsOrigins": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specify URLs of origin sites that can access this API, or use \"*\" to allow access from any site." - } - }, - "corsHeaders": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specify HTTP headers which can be used during the request. Use \"*\" for any header." - } - }, - "corsMethods": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "DELETE", - "GET", - "OPTIONS", - "PATCH", - "POST", - "PUT" - ], - "metadata": { - "description": "Optional. Specify the allowed HTTP methods." 
- } - }, - "corsMaxAge": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Specify how long a result from a request can be cached in seconds. Example: 600 means 10 minutes." - } - }, - "corsAllowCredentials": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Use this setting to indicate that cookies should be included in CORS requests." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Control permission for data plane traffic coming from public networks while private endpoint is enabled." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." 
- } - } - }, - "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]" - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "workspace": { - "existing": true, - "type": "Microsoft.HealthcareApis/workspaces", - "apiVersion": "2022-06-01", - "name": "[parameters('workspaceName')]" - }, - "dicom": { - "type": "Microsoft.HealthcareApis/workspaces/dicomservices", - "apiVersion": "2022-06-01", - "name": "[format('{0}/{1}', parameters('workspaceName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "properties": { - "corsConfiguration": { 
- "allowCredentials": "[parameters('corsAllowCredentials')]", - "headers": "[parameters('corsHeaders')]", - "maxAge": "[if(equals(parameters('corsMaxAge'), -1), null(), parameters('corsMaxAge'))]", - "methods": "[parameters('corsMethods')]", - "origins": "[parameters('corsOrigins')]" - }, - "publicNetworkAccess": "[parameters('publicNetworkAccess')]" - }, - "dependsOn": [ - "workspace" - ] - }, - "dicom_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/dicomservices/{1}', parameters('workspaceName'), parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "dicom" - ] - }, - "dicom_diagnosticSettings": { - "copy": { - "name": "dicom_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/dicomservices/{1}', parameters('workspaceName'), parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "dicom" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the dicom service." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the dicom service." - }, - "value": "[resourceId('Microsoft.HealthcareApis/workspaces/dicomservices', parameters('workspaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group where the namespace is deployed." - }, - "value": "[resourceGroup().name]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." 
- }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('dicom', '2022-06-01', 'full').identity, 'principalId')), reference('dicom', '2022-06-01', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('dicom', '2022-06-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/healthcare-apis/workspace/dicomservice/version.json b/modules/healthcare-apis/workspace/dicomservice/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/healthcare-apis/workspace/dicomservice/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/healthcare-apis/workspace/fhirservice/README.md b/modules/healthcare-apis/workspace/fhirservice/README.md deleted file mode 100644 index a5e3cad81d..0000000000 --- a/modules/healthcare-apis/workspace/fhirservice/README.md +++ /dev/null 
@@ -1,589 +0,0 @@ -# Healthcare API Workspace FHIR Services `[Microsoft.HealthcareApis/workspaces/fhirservices]` - -This module deploys a Healthcare API Workspace FHIR Service. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.HealthcareApis/workspaces/fhirservices` | [2022-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.HealthcareApis/workspaces) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the FHIR service. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`workspaceName`](#parameter-workspacename) | string | The name of the parent health data services workspace. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`accessPolicyObjectIds`](#parameter-accesspolicyobjectids) | array | List of Azure AD object IDs (User or Apps) that is allowed access to the FHIR service. | -| [`acrLoginServers`](#parameter-acrloginservers) | array | The list of the Azure container registry login servers. | -| [`acrOciArtifacts`](#parameter-acrociartifacts) | array | The list of Open Container Initiative (OCI) artifacts. 
| -| [`authenticationAudience`](#parameter-authenticationaudience) | string | The audience url for the service. | -| [`authenticationAuthority`](#parameter-authenticationauthority) | string | The authority url for the service. | -| [`corsAllowCredentials`](#parameter-corsallowcredentials) | bool | Use this setting to indicate that cookies should be included in CORS requests. | -| [`corsHeaders`](#parameter-corsheaders) | array | Specify HTTP headers which can be used during the request. Use "*" for any header. | -| [`corsMaxAge`](#parameter-corsmaxage) | int | Specify how long a result from a request can be cached in seconds. Example: 600 means 10 minutes. | -| [`corsMethods`](#parameter-corsmethods) | array | Specify the allowed HTTP methods. | -| [`corsOrigins`](#parameter-corsorigins) | array | Specify URLs of origin sites that can access this API, or use "*" to allow access from any site. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| [`exportStorageAccountName`](#parameter-exportstorageaccountname) | string | The name of the default export storage account. | -| [`importEnabled`](#parameter-importenabled) | bool | If the import operation is enabled. | -| [`importStorageAccountName`](#parameter-importstorageaccountname) | string | The name of the default integration storage account. | -| [`initialImportMode`](#parameter-initialimportmode) | bool | If the FHIR service is in InitialImportMode. | -| [`kind`](#parameter-kind) | string | The kind of the service. Defaults to R4. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. 
| -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | -| [`resourceVersionOverrides`](#parameter-resourceversionoverrides) | object | A list of FHIR Resources and their version policy overrides. | -| [`resourceVersionPolicy`](#parameter-resourceversionpolicy) | string | The default value for tracking history across all resources. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`smartProxyEnabled`](#parameter-smartproxyenabled) | bool | If the SMART on FHIR proxy is enabled. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `name` - -The name of the FHIR service. - -- Required: Yes -- Type: string - -### Parameter: `workspaceName` - -The name of the parent health data services workspace. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `accessPolicyObjectIds` - -List of Azure AD object IDs (User or Apps) that is allowed access to the FHIR service. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `acrLoginServers` - -The list of the Azure container registry login servers. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `acrOciArtifacts` - -The list of Open Container Initiative (OCI) artifacts. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `authenticationAudience` - -The audience url for the service. - -- Required: No -- Type: string -- Default: `[format('https://{0}-{1}.fhir.azurehealthcareapis.com', parameters('workspaceName'), parameters('name'))]` - -### Parameter: `authenticationAuthority` - -The authority url for the service. 
- -- Required: No -- Type: string -- Default: `[uri(environment().authentication.loginEndpoint, subscription().tenantId)]` - -### Parameter: `corsAllowCredentials` - -Use this setting to indicate that cookies should be included in CORS requests. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `corsHeaders` - -Specify HTTP headers which can be used during the request. Use "*" for any header. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `corsMaxAge` - -Specify how long a result from a request can be cached in seconds. Example: 600 means 10 minutes. - -- Required: No -- Type: int -- Default: `-1` - -### Parameter: `corsMethods` - -Specify the allowed HTTP methods. - -- Required: No -- Type: array -- Default: `[]` -- Allowed: - ```Bicep - [ - 'DELETE' - 'GET' - 'OPTIONS' - 'PATCH' - 'POST' - 'PUT' - ] - ``` - -### Parameter: `corsOrigins` - -Specify URLs of origin sites that can access this API, or use "*" to allow access from any site. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
| -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via the Customer Usage Attribution ID (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `exportStorageAccountName` - -The name of the default export storage account. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `importEnabled` - -If the import operation is enabled. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `importStorageAccountName` - -The name of the default integration storage account. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `initialImportMode` - -If the FHIR service is in InitialImportMode. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `kind` - -The kind of the service. Defaults to R4. - -- Required: No -- Type: string -- Default: `'fhir-R4'` -- Allowed: - ```Bicep - [ - 'fhir-R4' - 'fhir-Stu3' - ] - ``` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. 
- -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: No -- Type: array - -### Parameter: `publicNetworkAccess` - -Control permission for data plane traffic coming from public networks while private endpoint is enabled. - -- Required: No -- Type: string -- Default: `'Disabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `resourceVersionOverrides` - -A list of FHIR Resources and their version policy overrides. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `resourceVersionPolicy` - -The default value for tracking history across all resources. - -- Required: No -- Type: string -- Default: `'versioned'` -- Allowed: - ```Bicep - [ - 'no-version' - 'versioned' - 'versioned-update' - ] - ``` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `smartProxyEnabled` - -If the SMART on FHIR proxy is enabled. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the fhir service. | -| `resourceGroupName` | string | The resource group where the namespace is deployed. | -| `resourceId` | string | The resource ID of the fhir service. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | -| `workspaceName` | string | The name of the fhir workspace. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `acrOciArtifacts` - -You can specify multiple Azure Container OCI artifacts using the following format: - -

- -Parameter JSON format - -```json -"acrOciArtifacts": { - "value": { - [{ - "digest": "sha256:0a2e01852872580b2c2fea9380ff8d7b637d3928783c55beb3f21a6e58d5d108", - "imageName": "myimage:v1", - "loginServer": "myregistry.azurecr.io" - }] - } -} -``` - -
- -
- -Bicep format - -```bicep -acrOciArtifacts: [ - { - digest: 'sha256:0a2e01852872580b2c2fea9380ff8d7b637d3928783c55beb3f21a6e58d5d108' - imageName: 'myimage:v1' - loginServer: 'myregistry.azurecr.io' - } -] -``` - -
- -

diff --git a/modules/healthcare-apis/workspace/fhirservice/main.bicep b/modules/healthcare-apis/workspace/fhirservice/main.bicep
deleted file mode 100644
index b41f57a9b9..0000000000
--- a/modules/healthcare-apis/workspace/fhirservice/main.bicep
+++ /dev/null
@@ -1,347 +0,0 @@
-metadata name = 'Healthcare API Workspace FHIR Services'
-metadata description = 'This module deploys a Healthcare API Workspace FHIR Service.'
-metadata owner = 'Azure/module-maintainers'
-
-@maxLength(50)
-@description('Required. The name of the FHIR service.')
-param name string
-
-@allowed([
- 'fhir-R4'
- 'fhir-Stu3'
-])
-@description('Optional. The kind of the service. Defaults to R4.')
-param kind string = 'fhir-R4'
-
-@description('Conditional. The name of the parent health data services workspace. Required if the template is used in a standalone deployment.')
-param workspaceName string
-
-@description('Optional. List of Azure AD object IDs (User or Apps) that is allowed access to the FHIR service.')
-param accessPolicyObjectIds array = []
-
-@description('Optional. The list of the Azure container registry login servers.')
-param acrLoginServers array = []
-
-@description('Optional. The list of Open Container Initiative (OCI) artifacts.')
-param acrOciArtifacts array = []
-
-@description('Optional. The authority url for the service.')
-param authenticationAuthority string = uri(environment().authentication.loginEndpoint, subscription().tenantId)
-
-@description('Optional. The audience url for the service.')
-param authenticationAudience string = 'https://${workspaceName}-${name}.fhir.azurehealthcareapis.com'
-
-@description('Optional. Specify URLs of origin sites that can access this API, or use "*" to allow access from any site.')
-param corsOrigins array = []
-
-@description('Optional. Specify HTTP headers which can be used during the request. Use "*" for any header.')
-param corsHeaders array = []
-
-@allowed([
- 'DELETE'
- 'GET'
- 'OPTIONS'
- 'PATCH'
- 'POST'
- 'PUT'
-])
-@description('Optional. Specify the allowed HTTP methods.')
-param corsMethods array = []
-
-@description('Optional. Specify how long a result from a request can be cached in seconds. Example: 600 means 10 minutes.')
-param corsMaxAge int = -1
-
-@description('Optional. Use this setting to indicate that cookies should be included in CORS requests.')
-param corsAllowCredentials bool = false
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. The name of the default export storage account.')
-param exportStorageAccountName string = ''
-
-@description('Optional. The name of the default integration storage account.')
-param importStorageAccountName string = ''
-
-@description('Optional. If the import operation is enabled.')
-param importEnabled bool = false
-
-@description('Optional. If the FHIR service is in InitialImportMode.')
-param initialImportMode bool = false
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@allowed([
- 'Disabled'
- 'Enabled'
-])
-@description('Optional. Control permission for data plane traffic coming from public networks while private endpoint is enabled.')
-param publicNetworkAccess string = 'Disabled'
-
-@allowed([
- 'no-version'
- 'versioned'
- 'versioned-update'
-])
-@description('Optional. The default value for tracking history across all resources.')
-param resourceVersionPolicy string = 'versioned'
-
-@description('Optional. A list of FHIR Resources and their version policy overrides.')
-param resourceVersionOverrides object = {}
-
-@description('Optional. If the SMART on FHIR proxy is enabled.')
-param smartProxyEnabled bool = false
-
-@description('Optional. The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
-param enableDefaultTelemetry bool = true
-
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-
-var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
- userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
-} : null
-
-var accessPolicies = [for id in accessPolicyObjectIds: {
- objectId: id
-}]
-
-var exportConfiguration = {
- storageAccountName: exportStorageAccountName
-}
-
-// =========== //
-// Deployments //
-// =========== //
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'DICOM Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '58a3b984-7adf-4c20-983a-32417c86fbc8')
- 'DICOM Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a')
- 'FHIR Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5a1fc7df-4bf1-4951-a576-89034ee01acd')
- 'FHIR Data Converter': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a1705bd2-3a8f-45a5-8683-466fcfd5cc24')
- 'FHIR Data Exporter': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3db33094-8700-4567-8da5-1501d4e7e843')
- 'FHIR Data Importer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4465e953-8ced-4406-a58e-0f6e3f3b530b')
- 'FHIR Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')
- 'FHIR Data Writer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3f88fce4-5892-4214-ae73-ba5294559913')
- 'FHIR SMART User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4ba50f17-9666-485c-a643-ff00808643f0')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource workspace 'Microsoft.HealthcareApis/workspaces@2022-06-01' existing = {
- name: workspaceName
-}
-
-resource fhir 'Microsoft.HealthcareApis/workspaces/fhirservices@2022-06-01' = {
- name: name
- parent: workspace
- location: location
- kind: kind
- tags: tags
- identity: identity
- properties: {
- accessPolicies: accessPolicies
- authenticationConfiguration: {
- authority: authenticationAuthority
- audience: authenticationAudience
- smartProxyEnabled: smartProxyEnabled
- }
- corsConfiguration: {
- allowCredentials: corsAllowCredentials
- headers: corsHeaders
- maxAge: corsMaxAge == -1 ? null : corsMaxAge
- methods: corsMethods
- origins: corsOrigins
- }
- publicNetworkAccess: publicNetworkAccess
- exportConfiguration: exportStorageAccountName == '' ? {} : exportConfiguration
- importConfiguration: {
- enabled: importEnabled
- initialImportMode: initialImportMode
- integrationDataStore: importStorageAccountName == '' ? null : importStorageAccountName
- }
- resourceVersionPolicyConfiguration: {
- default: resourceVersionPolicy
- resourceTypeOverrides: empty(resourceVersionOverrides) ? null : resourceVersionOverrides
- }
- acrConfiguration: {
- loginServers: acrLoginServers
- ociArtifacts: empty(acrOciArtifacts) ? null : acrOciArtifacts
- }
- }
-}
-
-resource fhir_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: fhir
-}
-
-resource fhir_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: fhir
-}]
-
-resource fhir_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(fhir.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: fhir
-}]
-
-@description('The name of the fhir service.')
-output name string = fhir.name
-
-@description('The resource ID of the fhir service.')
-output resourceId string = fhir.id
-
-@description('The resource group where the namespace is deployed.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The principal ID of the system assigned identity.')
-output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(fhir.identity, 'principalId') ? fhir.identity.principalId : ''
-
-@description('The location the resource was deployed into.')
-output location string = fhir.location
-
-@description('The name of the fhir workspace.')
-output workspaceName string = workspace.name
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]?
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/healthcare-apis/workspace/fhirservice/main.json b/modules/healthcare-apis/workspace/fhirservice/main.json
deleted file mode 100644
index f02cfeeaed..0000000000
--- a/modules/healthcare-apis/workspace/fhirservice/main.json
+++ /dev/null
@@ -1,650 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13185908730981475512" - }, - "name": "Healthcare API Workspace FHIR Services", - "description": "This module deploys a Healthcare API Workspace FHIR Service.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. 
The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 50, - "metadata": { - "description": "Required. The name of the FHIR service." - } - }, - "kind": { - "type": "string", - "defaultValue": "fhir-R4", - "allowedValues": [ - "fhir-R4", - "fhir-Stu3" - ], - "metadata": { - "description": "Optional. The kind of the service. Defaults to R4." - } - }, - "workspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent health data services workspace. Required if the template is used in a standalone deployment." - } - }, - "accessPolicyObjectIds": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of Azure AD object IDs (User or Apps) that is allowed access to the FHIR service." - } - }, - "acrLoginServers": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of the Azure container registry login servers." - } - }, - "acrOciArtifacts": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of Open Container Initiative (OCI) artifacts." 
- } - }, - "authenticationAuthority": { - "type": "string", - "defaultValue": "[uri(environment().authentication.loginEndpoint, subscription().tenantId)]", - "metadata": { - "description": "Optional. The authority url for the service." - } - }, - "authenticationAudience": { - "type": "string", - "defaultValue": "[format('https://{0}-{1}.fhir.azurehealthcareapis.com', parameters('workspaceName'), parameters('name'))]", - "metadata": { - "description": "Optional. The audience url for the service." - } - }, - "corsOrigins": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specify URLs of origin sites that can access this API, or use \"*\" to allow access from any site." - } - }, - "corsHeaders": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specify HTTP headers which can be used during the request. Use \"*\" for any header." - } - }, - "corsMethods": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "DELETE", - "GET", - "OPTIONS", - "PATCH", - "POST", - "PUT" - ], - "metadata": { - "description": "Optional. Specify the allowed HTTP methods." - } - }, - "corsMaxAge": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Specify how long a result from a request can be cached in seconds. Example: 600 means 10 minutes." - } - }, - "corsAllowCredentials": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Use this setting to indicate that cookies should be included in CORS requests." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." 
- } - }, - "exportStorageAccountName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the default export storage account." - } - }, - "importStorageAccountName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the default integration storage account." - } - }, - "importEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. If the import operation is enabled." - } - }, - "initialImportMode": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. If the FHIR service is in InitialImportMode." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Control permission for data plane traffic coming from public networks while private endpoint is enabled." - } - }, - "resourceVersionPolicy": { - "type": "string", - "defaultValue": "versioned", - "allowedValues": [ - "no-version", - "versioned", - "versioned-update" - ], - "metadata": { - "description": "Optional. The default value for tracking history across all resources." - } - }, - "resourceVersionOverrides": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. A list of FHIR Resources and their version policy overrides." - } - }, - "smartProxyEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. If the SMART on FHIR proxy is enabled." 
- } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." - } - } - }, - "variables": { - "copy": [ - { - "name": "accessPolicies", - "count": "[length(parameters('accessPolicyObjectIds'))]", - "input": { - "objectId": "[parameters('accessPolicyObjectIds')[copyIndex('accessPolicies')]]" - } - } - ], - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "exportConfiguration": { - "storageAccountName": "[parameters('exportStorageAccountName')]" - }, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DICOM Data Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '58a3b984-7adf-4c20-983a-32417c86fbc8')]", - "DICOM Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a')]", - "FHIR Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", - "FHIR Data Converter": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a1705bd2-3a8f-45a5-8683-466fcfd5cc24')]", - "FHIR Data Exporter": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3db33094-8700-4567-8da5-1501d4e7e843')]", - "FHIR Data Importer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4465e953-8ced-4406-a58e-0f6e3f3b530b')]", - "FHIR Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", - "FHIR Data Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3f88fce4-5892-4214-ae73-ba5294559913')]", - "FHIR SMART User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4ba50f17-9666-485c-a643-ff00808643f0')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', 
uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "workspace": { - "existing": true, - "type": "Microsoft.HealthcareApis/workspaces", - "apiVersion": "2022-06-01", - "name": "[parameters('workspaceName')]" - }, - "fhir": { - "type": "Microsoft.HealthcareApis/workspaces/fhirservices", - "apiVersion": "2022-06-01", - "name": "[format('{0}/{1}', parameters('workspaceName'), parameters('name'))]", - "location": "[parameters('location')]", - "kind": "[parameters('kind')]", - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "properties": { - "accessPolicies": "[variables('accessPolicies')]", - "authenticationConfiguration": { - "authority": "[parameters('authenticationAuthority')]", - "audience": "[parameters('authenticationAudience')]", - "smartProxyEnabled": "[parameters('smartProxyEnabled')]" - }, - "corsConfiguration": { - "allowCredentials": "[parameters('corsAllowCredentials')]", - "headers": "[parameters('corsHeaders')]", - "maxAge": "[if(equals(parameters('corsMaxAge'), -1), null(), parameters('corsMaxAge'))]", - "methods": "[parameters('corsMethods')]", - "origins": "[parameters('corsOrigins')]" - }, - "publicNetworkAccess": "[parameters('publicNetworkAccess')]", - "exportConfiguration": "[if(equals(parameters('exportStorageAccountName'), ''), createObject(), variables('exportConfiguration'))]", - "importConfiguration": { - "enabled": "[parameters('importEnabled')]", - "initialImportMode": "[parameters('initialImportMode')]", - "integrationDataStore": "[if(equals(parameters('importStorageAccountName'), ''), null(), parameters('importStorageAccountName'))]" - }, - "resourceVersionPolicyConfiguration": { - "default": "[parameters('resourceVersionPolicy')]", - "resourceTypeOverrides": 
"[if(empty(parameters('resourceVersionOverrides')), null(), parameters('resourceVersionOverrides'))]" - }, - "acrConfiguration": { - "loginServers": "[parameters('acrLoginServers')]", - "ociArtifacts": "[if(empty(parameters('acrOciArtifacts')), null(), parameters('acrOciArtifacts'))]" - } - }, - "dependsOn": [ - "workspace" - ] - }, - "fhir_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/fhirservices/{1}', parameters('workspaceName'), parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "fhir" - ] - }, - "fhir_diagnosticSettings": { - "copy": { - "name": "fhir_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/fhirservices/{1}', parameters('workspaceName'), parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "fhir" - ] - }, - "fhir_roleAssignments": { - "copy": { - "name": "fhir_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/fhirservices/{1}', parameters('workspaceName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.HealthcareApis/workspaces/fhirservices', parameters('workspaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], 
if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "fhir" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the fhir service." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the fhir service." - }, - "value": "[resourceId('Microsoft.HealthcareApis/workspaces/fhirservices', parameters('workspaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group where the namespace is deployed." 
- }, - "value": "[resourceGroup().name]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('fhir', '2022-06-01', 'full').identity, 'principalId')), reference('fhir', '2022-06-01', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('fhir', '2022-06-01', 'full').location]" - }, - "workspaceName": { - "type": "string", - "metadata": { - "description": "The name of the fhir workspace." - }, - "value": "[parameters('workspaceName')]" - } - } -} \ No newline at end of file diff --git a/modules/healthcare-apis/workspace/fhirservice/version.json b/modules/healthcare-apis/workspace/fhirservice/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/healthcare-apis/workspace/fhirservice/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/healthcare-apis/workspace/iotconnector/README.md b/modules/healthcare-apis/workspace/iotconnector/README.md deleted file mode 100644 index 72dff50dec..0000000000 --- a/modules/healthcare-apis/workspace/iotconnector/README.md +++ /dev/null 
@@ -1,441 +0,0 @@ -# Healthcare API Workspace IoT Connectors `[Microsoft.HealthcareApis/workspaces/iotconnectors]` - -This module deploys a Healthcare API Workspace IoT Connector. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.HealthcareApis/workspaces/iotconnectors` | [2022-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.HealthcareApis/workspaces) | -| `Microsoft.HealthcareApis/workspaces/iotconnectors/fhirdestinations` | [2022-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.HealthcareApis/workspaces) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`deviceMapping`](#parameter-devicemapping) | object | The mapping JSON that determines how incoming device data is normalized. | -| [`eventHubName`](#parameter-eventhubname) | string | Event Hub name to connect to. | -| [`eventHubNamespaceName`](#parameter-eventhubnamespacename) | string | Namespace of the Event Hub to connect to. | -| [`name`](#parameter-name) | string | The name of the MedTech service. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`workspaceName`](#parameter-workspacename) | string | The name of the parent health data services workspace. Required if the template is used in a standalone deployment. 
| - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`consumerGroup`](#parameter-consumergroup) | string | Consumer group of the event hub to connected to. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| [`fhirdestination`](#parameter-fhirdestination) | object | FHIR Destination. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `deviceMapping` - -The mapping JSON that determines how incoming device data is normalized. - -- Required: No -- Type: object -- Default: - ```Bicep - { - template: [] - templateType: 'CollectionContent' - } - ``` - -### Parameter: `eventHubName` - -Event Hub name to connect to. - -- Required: Yes -- Type: string - -### Parameter: `eventHubNamespaceName` - -Namespace of the Event Hub to connect to. - -- Required: Yes -- Type: string - -### Parameter: `name` - -The name of the MedTech service. - -- Required: Yes -- Type: string - -### Parameter: `workspaceName` - -The name of the parent health data services workspace. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `consumerGroup` - -Consumer group of the event hub to connected to. - -- Required: No -- Type: string -- Default: `[parameters('name')]` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. 
- -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. 
Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via the Customer Usage Attribution ID (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `fhirdestination` - -FHIR Destination. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. 
- -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: No -- Type: array - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the medtech service. | -| `resourceGroupName` | string | The resource group where the namespace is deployed. | -| `resourceId` | string | The resource ID of the medtech service. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | -| `workspaceName` | string | The name of the medtech workspace. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `deviceMapping` - -You can specify a collection of device mapping using the following format: - -> NOTE: More detailed information on device mappings can be found [here](https://learn.microsoft.com/en-us/azure/healthcare-apis/iot/how-to-use-device-mappings). - -

- -Parameter JSON format - -```json -"deviceMapping": { - "value": { - "templateType": "CollectionContent", - "template": [ - { - "templateType": "JsonPathContent", - "template": { - "typeName": "heartrate", - "typeMatchExpression": "$..[?(@heartRate)]", - "deviceIdExpression": "$.deviceId", - "timestampExpression": "$.endDate", - "values": [ - { - "required": "true", - "valueExpression": "$.heartRate", - "valueName": "hr" - } - ] - } - } - ] - } -} -``` - -
- -
- -Bicep format - -```bicep -deviceMapping: { - templateType: 'CollectionContent' - template: [ - { - templateType: 'JsonPathContent' - template: { - typeName: 'heartrate' - typeMatchExpression: '$..[?(@heartRate)]' - deviceIdExpression: '$.deviceId' - timestampExpression: '$.endDate' - values: [ - { - required: 'true' - valueExpression: '$.heartRat' - valueName: 'hr' - } - ] - } - }] -} -``` - -
- -

- -### Parameter Usage: `destinationMapping` - -You can specify a collection of destination mapping using the following format: - -> NOTE: More detailed information on destination mappings can be found [here](https://learn.microsoft.com/en-us/azure/healthcare-apis/iot/how-to-use-fhir-mappings). - -

- -Parameter JSON format - -```json -"destinationMapping": { - "value": { - "templateType": "CodeValueFhir", - "template": { - "codes": [ - { - "code": "8867-4", - "system": "http://loinc.org", - "display": "Heart rate" - } - ], - "periodInterval": 60, - "typeName": "heartrate", - "value": { - "defaultPeriod": 5000, - "unit": "count/min", - "valueName": "hr", - "valueType": "SampledData" - } - } - } -} -``` - -
- -
- -Bicep format - -```bicep -destinationMapping: { - templateType: 'CodeValueFhir' - template: { - codes: [ - { - code: '8867-4' - system: 'http://loinc.org' - display: 'Heart rate' - } - ], - periodInterval: 60, - typeName: 'heartrate' - value: { - defaultPeriod: 5000 - unit: 'count/min' - valueName: 'hr' - valueType: 'SampledData' - } - } -} -``` - -
- -

diff --git a/modules/healthcare-apis/workspace/iotconnector/fhirdestination/README.md b/modules/healthcare-apis/workspace/iotconnector/fhirdestination/README.md
deleted file mode 100644
index 2b4f0ee464..0000000000
--- a/modules/healthcare-apis/workspace/iotconnector/fhirdestination/README.md
+++ /dev/null
@@ -1,198 +0,0 @@ -# Healthcare API Workspace IoT Connector FHIR Destinations `[Microsoft.HealthcareApis/workspaces/iotconnectors/fhirdestinations]` - -This module deploys a Healthcare API Workspace IoT Connector FHIR Destination. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.HealthcareApis/workspaces/iotconnectors/fhirdestinations` | [2022-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.HealthcareApis/workspaces) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`destinationMapping`](#parameter-destinationmapping) | object | The mapping JSON that determines how normalized data is converted to FHIR Observations. | -| [`fhirServiceResourceId`](#parameter-fhirserviceresourceid) | string | The resource identifier of the FHIR Service to connect to. | -| [`name`](#parameter-name) | string | The name of the FHIR destination. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`iotConnectorName`](#parameter-iotconnectorname) | string | The name of the MedTech service to add this destination to. Required if the template is used in a standalone deployment. | -| [`workspaceName`](#parameter-workspacename) | string | The name of the parent health data services workspace. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| [`location`](#parameter-location) | string | Location for all resources. 
| -| [`resourceIdentityResolutionType`](#parameter-resourceidentityresolutiontype) | string | Determines how resource identity is resolved on the destination. | - -### Parameter: `destinationMapping` - -The mapping JSON that determines how normalized data is converted to FHIR Observations. - -- Required: No -- Type: object -- Default: - ```Bicep - { - template: [] - templateType: 'CollectionFhir' - } - ``` - -### Parameter: `fhirServiceResourceId` - -The resource identifier of the FHIR Service to connect to. - -- Required: Yes -- Type: string - -### Parameter: `name` - -The name of the FHIR destination. - -- Required: Yes -- Type: string - -### Parameter: `iotConnectorName` - -The name of the MedTech service to add this destination to. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `workspaceName` - -The name of the parent health data services workspace. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via the Customer Usage Attribution ID (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `resourceIdentityResolutionType` - -Determines how resource identity is resolved on the destination. - -- Required: No -- Type: string -- Default: `'Lookup'` -- Allowed: - ```Bicep - [ - 'Create' - 'Lookup' - ] - ``` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `iotConnectorName` | string | The name of the medtech service. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the FHIR destination. | -| `resourceGroupName` | string | The resource group where the namespace is deployed. | -| `resourceId` | string | The resource ID of the FHIR destination. 
| - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `destinationMapping` - -You can specify a collection of destination mapping using the following format: - -> NOTE: More detailed information on destination mappings can be found [here](https://learn.microsoft.com/en-us/azure/healthcare-apis/iot/how-to-use-fhir-mappings). - -

- -Parameter JSON format - -```json -"destinationMapping": { - "value": { - "templateType": "CodeValueFhir", - "template": { - "codes": [ - { - "code": "8867-4", - "system": "http://loinc.org", - "display": "Heart rate" - } - ], - "periodInterval": 60, - "typeName": "heartrate", - "value": { - "defaultPeriod": 5000, - "unit": "count/min", - "valueName": "hr", - "valueType": "SampledData" - } - } - } -} -``` - -
- -
- -Bicep format - -```bicep -destinationMapping: { - templateType: 'CodeValueFhir' - template: { - codes: [ - { - code: '8867-4' - system: 'http://loinc.org' - display: 'Heart rate' - } - ], - periodInterval: 60, - typeName: 'heartrate' - value: { - defaultPeriod: 5000 - unit: 'count/min' - valueName: 'hr' - valueType: 'SampledData' - } - } -} -``` - -
diff --git a/modules/healthcare-apis/workspace/iotconnector/fhirdestination/main.bicep b/modules/healthcare-apis/workspace/iotconnector/fhirdestination/main.bicep
deleted file mode 100644
index 476b7e3ef4..0000000000
--- a/modules/healthcare-apis/workspace/iotconnector/fhirdestination/main.bicep
+++ /dev/null
@@ -1,86 +0,0 @@ -metadata name = 'Healthcare API Workspace IoT Connector FHIR Destinations' -metadata description = 'This module deploys a Healthcare API Workspace IoT Connector FHIR Destination.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. The name of the FHIR destination.') -@maxLength(24) -param name string - -@description('Required. The mapping JSON that determines how normalized data is converted to FHIR Observations.') -param destinationMapping object = { - templateType: 'CollectionFhir' - template: [] -} - -@description('Conditional. The name of the MedTech service to add this destination to. Required if the template is used in a standalone deployment.') -param iotConnectorName string - -@description('Conditional. The name of the parent health data services workspace. Required if the template is used in a standalone deployment.') -param workspaceName string - -@description('Required. The resource identifier of the FHIR Service to connect to.') -param fhirServiceResourceId string - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') -param enableDefaultTelemetry bool = true - -@allowed([ - 'Create' - 'Lookup' -]) -@description('Optional. 
Determines how resource identity is resolved on the destination.') -param resourceIdentityResolutionType string = 'Lookup' - -// =========== // -// Deployments // -// =========== // -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource workspace 'Microsoft.HealthcareApis/workspaces@2022-06-01' existing = { - name: workspaceName - - resource iotConnector 'iotconnectors@2022-06-01' existing = { - name: iotConnectorName - } -} - -resource fhirDestination 'Microsoft.HealthcareApis/workspaces/iotconnectors/fhirdestinations@2022-06-01' = { - name: name - parent: workspace::iotConnector - location: location - properties: { - resourceIdentityResolutionType: resourceIdentityResolutionType - fhirServiceResourceId: fhirServiceResourceId - fhirMapping: { - content: destinationMapping - } - } -} - -@description('The name of the FHIR destination.') -output name string = fhirDestination.name - -@description('The resource ID of the FHIR destination.') -output resourceId string = fhirDestination.id - -@description('The resource group where the namespace is deployed.') -output resourceGroupName string = resourceGroup().name - -@description('The location the resource was deployed into.') -output location string = fhirDestination.location - -@description('The name of the medtech service.') -output iotConnectorName string = workspace::iotConnector.name diff --git a/modules/healthcare-apis/workspace/iotconnector/fhirdestination/main.json b/modules/healthcare-apis/workspace/iotconnector/fhirdestination/main.json deleted file mode 100644 index 04779d95b0..0000000000 
--- a/modules/healthcare-apis/workspace/iotconnector/fhirdestination/main.json
+++ /dev/null
@@ -1,142 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6245123463457389463" - }, - "name": "Healthcare API Workspace IoT Connector FHIR Destinations", - "description": "This module deploys a Healthcare API Workspace IoT Connector FHIR Destination.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Required. The name of the FHIR destination." - } - }, - "destinationMapping": { - "type": "object", - "defaultValue": { - "templateType": "CollectionFhir", - "template": [] - }, - "metadata": { - "description": "Required. The mapping JSON that determines how normalized data is converted to FHIR Observations." - } - }, - "iotConnectorName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the MedTech service to add this destination to. Required if the template is used in a standalone deployment." - } - }, - "workspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent health data services workspace. Required if the template is used in a standalone deployment." - } - }, - "fhirServiceResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource identifier of the FHIR Service to connect to." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." 
- } - }, - "resourceIdentityResolutionType": { - "type": "string", - "defaultValue": "Lookup", - "allowedValues": [ - "Create", - "Lookup" - ], - "metadata": { - "description": "Optional. Determines how resource identity is resolved on the destination." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.HealthcareApis/workspaces/iotconnectors/fhirdestinations", - "apiVersion": "2022-06-01", - "name": "[format('{0}/{1}/{2}', parameters('workspaceName'), parameters('iotConnectorName'), parameters('name'))]", - "location": "[parameters('location')]", - "properties": { - "resourceIdentityResolutionType": "[parameters('resourceIdentityResolutionType')]", - "fhirServiceResourceId": "[parameters('fhirServiceResourceId')]", - "fhirMapping": { - "content": "[parameters('destinationMapping')]" - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the FHIR destination." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the FHIR destination." - }, - "value": "[resourceId('Microsoft.HealthcareApis/workspaces/iotconnectors/fhirdestinations', parameters('workspaceName'), parameters('iotConnectorName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group where the namespace is deployed." 
- }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference(resourceId('Microsoft.HealthcareApis/workspaces/iotconnectors/fhirdestinations', parameters('workspaceName'), parameters('iotConnectorName'), parameters('name')), '2022-06-01', 'full').location]" - }, - "iotConnectorName": { - "type": "string", - "metadata": { - "description": "The name of the medtech service." - }, - "value": "[parameters('iotConnectorName')]" - } - } -} \ No newline at end of file diff --git a/modules/healthcare-apis/workspace/iotconnector/fhirdestination/version.json b/modules/healthcare-apis/workspace/iotconnector/fhirdestination/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/healthcare-apis/workspace/iotconnector/fhirdestination/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/healthcare-apis/workspace/iotconnector/main.bicep b/modules/healthcare-apis/workspace/iotconnector/main.bicep deleted file mode 100644 index f4f3e8cb8f..0000000000 --- a/modules/healthcare-apis/workspace/iotconnector/main.bicep +++ /dev/null 
@@ -1,220 +0,0 @@
-metadata name = 'Healthcare API Workspace IoT Connectors'
-metadata description = 'This module deploys a Healthcare API Workspace IoT Connector.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the MedTech service.')
-@maxLength(50)
-param name string
-
-@description('Conditional. The name of the parent health data services workspace. Required if the template is used in a standalone deployment.')
-param workspaceName string
-
-@description('Required. Event Hub name to connect to.')
-param eventHubName string
-
-@description('Optional. Consumer group of the event hub to connected to.')
-param consumerGroup string = name
-
-@description('Required. Namespace of the Event Hub to connect to.')
-param eventHubNamespaceName string
-
-@description('Required. The mapping JSON that determines how incoming device data is normalized.')
-param deviceMapping object = {
- templateType: 'CollectionContent'
- template: []
-}
-
-@description('Optional. FHIR Destination.')
-param fhirdestination object = {}
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
-param enableDefaultTelemetry bool = true
-
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-
-var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
- userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
-} : null
-
-var enableReferencedModulesTelemetry = false
-
-// =========== //
-// Deployments //
-// =========== //
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource workspace 'Microsoft.HealthcareApis/workspaces@2022-06-01' existing = {
- name: workspaceName
-}
-
-resource iotConnector 'Microsoft.HealthcareApis/workspaces/iotconnectors@2022-06-01' = {
- name: name
- parent: workspace
- location: location
- tags: tags
- identity: identity
- properties: {
- ingestionEndpointConfiguration: {
- eventHubName: eventHubName
- consumerGroup: consumerGroup
- fullyQualifiedEventHubNamespace: '${eventHubNamespaceName}.servicebus.windows.net'
- }
- deviceMapping: {
- content: deviceMapping
- }
- }
-}
-
-resource iotConnector_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: iotConnector
-}
-
-resource iotConnector_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: iotConnector
-}]
-
-module fhir_destination 'fhirdestination/main.bicep' = if (!empty(fhirdestination)) {
- name: '${deployment().name}-FhirDestination'
- params: {
- name: '${uniqueString(workspaceName, iotConnector.name)}-map'
- iotConnectorName: iotConnector.name
- resourceIdentityResolutionType: contains(fhirdestination, 'resourceIdentityResolutionType') ? fhirdestination.resourceIdentityResolutionType : 'Lookup'
- fhirServiceResourceId: fhirdestination.fhirServiceResourceId
- destinationMapping: contains(fhirdestination, 'destinationMapping') ? fhirdestination.destinationMapping : {
- templateType: 'CollectionFhir'
- template: []
- }
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- location: location
- workspaceName: workspaceName
- }
-}
-
-@description('The name of the medtech service.')
-output name string = iotConnector.name
-
-@description('The resource ID of the medtech service.')
-output resourceId string = iotConnector.id
-
-@description('The resource group where the namespace is deployed.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The principal ID of the system assigned identity.')
-output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(iotConnector.identity, 'principalId') ? iotConnector.identity.principalId : ''
-
-@description('The location the resource was deployed into.')
-output location string = iotConnector.location
-
-@description('The name of the medtech workspace.')
-output workspaceName string = workspace.name
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]?
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/healthcare-apis/workspace/iotconnector/main.json b/modules/healthcare-apis/workspace/iotconnector/main.json
deleted file mode 100644
index 62c864b848..0000000000
--- a/modules/healthcare-apis/workspace/iotconnector/main.json
+++ /dev/null
@@ -1,569 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15635348365399723785" - }, - "name": "Healthcare API Workspace IoT Connectors", - "description": "This module deploys a Healthcare API Workspace IoT Connector.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." 
- } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." 
- } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 50, - "metadata": { - "description": "Required. The name of the MedTech service." - } - }, - "workspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent health data services workspace. Required if the template is used in a standalone deployment." - } - }, - "eventHubName": { - "type": "string", - "metadata": { - "description": "Required. Event Hub name to connect to." - } - }, - "consumerGroup": { - "type": "string", - "defaultValue": "[parameters('name')]", - "metadata": { - "description": "Optional. Consumer group of the event hub to connected to." - } - }, - "eventHubNamespaceName": { - "type": "string", - "metadata": { - "description": "Required. Namespace of the Event Hub to connect to." - } - }, - "deviceMapping": { - "type": "object", - "defaultValue": { - "templateType": "CollectionContent", - "template": [] - }, - "metadata": { - "description": "Required. 
The mapping JSON that determines how incoming device data is normalized." - } - }, - "fhirdestination": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. FHIR Destination." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." 
- } - } - }, - "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "workspace": { - "existing": true, - "type": "Microsoft.HealthcareApis/workspaces", - "apiVersion": "2022-06-01", - "name": "[parameters('workspaceName')]" - }, - "iotConnector": { - "type": "Microsoft.HealthcareApis/workspaces/iotconnectors", - "apiVersion": "2022-06-01", - "name": "[format('{0}/{1}', parameters('workspaceName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "identity": 
"[variables('identity')]", - "properties": { - "ingestionEndpointConfiguration": { - "eventHubName": "[parameters('eventHubName')]", - "consumerGroup": "[parameters('consumerGroup')]", - "fullyQualifiedEventHubNamespace": "[format('{0}.servicebus.windows.net', parameters('eventHubNamespaceName'))]" - }, - "deviceMapping": { - "content": "[parameters('deviceMapping')]" - } - }, - "dependsOn": [ - "workspace" - ] - }, - "iotConnector_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/iotconnectors/{1}', parameters('workspaceName'), parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "iotConnector" - ] - }, - "iotConnector_diagnosticSettings": { - "copy": { - "name": "iotConnector_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/iotconnectors/{1}', parameters('workspaceName'), parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), 
createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "iotConnector" - ] - }, - "fhir_destination": { - "condition": "[not(empty(parameters('fhirdestination')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-FhirDestination', deployment().name)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[format('{0}-map', uniqueString(parameters('workspaceName'), parameters('name')))]" - }, - "iotConnectorName": { - "value": "[parameters('name')]" - }, - "resourceIdentityResolutionType": "[if(contains(parameters('fhirdestination'), 'resourceIdentityResolutionType'), createObject('value', parameters('fhirdestination').resourceIdentityResolutionType), createObject('value', 'Lookup'))]", - "fhirServiceResourceId": { - "value": "[parameters('fhirdestination').fhirServiceResourceId]" - }, - "destinationMapping": 
"[if(contains(parameters('fhirdestination'), 'destinationMapping'), createObject('value', parameters('fhirdestination').destinationMapping), createObject('value', createObject('templateType', 'CollectionFhir', 'template', createArray())))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "workspaceName": { - "value": "[parameters('workspaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6245123463457389463" - }, - "name": "Healthcare API Workspace IoT Connector FHIR Destinations", - "description": "This module deploys a Healthcare API Workspace IoT Connector FHIR Destination.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Required. The name of the FHIR destination." - } - }, - "destinationMapping": { - "type": "object", - "defaultValue": { - "templateType": "CollectionFhir", - "template": [] - }, - "metadata": { - "description": "Required. The mapping JSON that determines how normalized data is converted to FHIR Observations." - } - }, - "iotConnectorName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the MedTech service to add this destination to. Required if the template is used in a standalone deployment." - } - }, - "workspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent health data services workspace. Required if the template is used in a standalone deployment." - } - }, - "fhirServiceResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource identifier of the FHIR Service to connect to." 
- } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." - } - }, - "resourceIdentityResolutionType": { - "type": "string", - "defaultValue": "Lookup", - "allowedValues": [ - "Create", - "Lookup" - ], - "metadata": { - "description": "Optional. Determines how resource identity is resolved on the destination." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.HealthcareApis/workspaces/iotconnectors/fhirdestinations", - "apiVersion": "2022-06-01", - "name": "[format('{0}/{1}/{2}', parameters('workspaceName'), parameters('iotConnectorName'), parameters('name'))]", - "location": "[parameters('location')]", - "properties": { - "resourceIdentityResolutionType": "[parameters('resourceIdentityResolutionType')]", - "fhirServiceResourceId": "[parameters('fhirServiceResourceId')]", - "fhirMapping": { - "content": "[parameters('destinationMapping')]" - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the FHIR destination." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the FHIR destination." 
- }, - "value": "[resourceId('Microsoft.HealthcareApis/workspaces/iotconnectors/fhirdestinations', parameters('workspaceName'), parameters('iotConnectorName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group where the namespace is deployed." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference(resourceId('Microsoft.HealthcareApis/workspaces/iotconnectors/fhirdestinations', parameters('workspaceName'), parameters('iotConnectorName'), parameters('name')), '2022-06-01', 'full').location]" - }, - "iotConnectorName": { - "type": "string", - "metadata": { - "description": "The name of the medtech service." - }, - "value": "[parameters('iotConnectorName')]" - } - } - } - }, - "dependsOn": [ - "iotConnector" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the medtech service." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the medtech service." - }, - "value": "[resourceId('Microsoft.HealthcareApis/workspaces/iotconnectors', parameters('workspaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group where the namespace is deployed." - }, - "value": "[resourceGroup().name]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." 
- }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('iotConnector', '2022-06-01', 'full').identity, 'principalId')), reference('iotConnector', '2022-06-01', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('iotConnector', '2022-06-01', 'full').location]" - }, - "workspaceName": { - "type": "string", - "metadata": { - "description": "The name of the medtech workspace." - }, - "value": "[parameters('workspaceName')]" - } - } -} \ No newline at end of file diff --git a/modules/healthcare-apis/workspace/iotconnector/version.json b/modules/healthcare-apis/workspace/iotconnector/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/healthcare-apis/workspace/iotconnector/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/healthcare-apis/workspace/main.bicep b/modules/healthcare-apis/workspace/main.bicep deleted file mode 100644 index dfc7fa3888..0000000000 --- a/modules/healthcare-apis/workspace/main.bicep +++ /dev/null 
@@ -1,227 +0,0 @@
-metadata name = 'Healthcare API Workspaces'
-metadata description = 'This module deploys a Healthcare API Workspace.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the Health Data Services Workspace service.')
-@maxLength(50)
-param name string
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@allowed([
- 'Disabled'
- 'Enabled'
-])
-@description('Optional. Control permission for data plane traffic coming from public networks while private endpoint is enabled.')
-param publicNetworkAccess string = 'Disabled'
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. Deploy DICOM services.')
-param dicomservices array = []
-
-@description('Optional. Deploy FHIR services.')
-param fhirservices array = []
-
-@description('Optional. Deploy IOT connectors.')
-param iotconnectors array = []
-
-var enableReferencedModulesTelemetry = false
-
-// =========== //
-// Deployments //
-// =========== //
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'DICOM Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '58a3b984-7adf-4c20-983a-32417c86fbc8')
- 'DICOM Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a')
- 'FHIR Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5a1fc7df-4bf1-4951-a576-89034ee01acd')
- 'FHIR Data Converter': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a1705bd2-3a8f-45a5-8683-466fcfd5cc24')
- 'FHIR Data Exporter': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3db33094-8700-4567-8da5-1501d4e7e843')
- 'FHIR Data Importer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4465e953-8ced-4406-a58e-0f6e3f3b530b')
- 'FHIR Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')
- 'FHIR Data Writer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3f88fce4-5892-4214-ae73-ba5294559913')
- 'FHIR SMART User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4ba50f17-9666-485c-a643-ff00808643f0')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource workspace 'Microsoft.HealthcareApis/workspaces@2022-06-01' = {
- name: name
- location: location
- tags: tags
- properties: {
- publicNetworkAccess: publicNetworkAccess
- }
-}
-
-resource workspace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: workspace
-}
-
-resource workspace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(workspace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: workspace
-}]
-
-module workspace_fhirservices 'fhirservice/main.bicep' = [for (fhir, index) in fhirservices: {
- name: '${uniqueString(deployment().name, location)}-Health-FHIR-${index}'
- params: {
- name: fhir.name
- location: location
- workspaceName: workspace.name
- kind: fhir.kind
- tags: fhir.?tags ?? tags
- publicNetworkAccess: contains(fhir, 'publicNetworkAccess') ? fhir.publicNetworkAccess : 'Disabled'
- managedIdentities: contains(fhir, 'managedIdentities') ? fhir.managedIdentities : null
- roleAssignments: contains(fhir, 'roleAssignments') ? fhir.roleAssignments : []
- accessPolicyObjectIds: contains(fhir, 'accessPolicyObjectIds') ? fhir.accessPolicyObjectIds : []
- acrLoginServers: contains(fhir, 'acrLoginServers') ? fhir.acrLoginServers : []
- acrOciArtifacts: contains(fhir, 'acrOciArtifacts') ? fhir.acrOciArtifacts : []
- authenticationAuthority: contains(fhir, 'authenticationAuthority') ? fhir.authenticationAuthority : uri(environment().authentication.loginEndpoint, subscription().tenantId)
- authenticationAudience: contains(fhir, 'authenticationAudience') ? fhir.authenticationAudience : 'https://${workspace.name}-${fhir.name}.fhir.azurehealthcareapis.com'
- corsOrigins: contains(fhir, 'corsOrigins') ? fhir.corsOrigins : []
- corsHeaders: contains(fhir, 'corsHeaders') ? fhir.corsHeaders : []
- corsMethods: contains(fhir, 'corsMethods') ? fhir.corsMethods : []
- corsMaxAge: contains(fhir, 'corsMaxAge') ? fhir.corsMaxAge : -1
- corsAllowCredentials: contains(fhir, 'corsAllowCredentials') ? fhir.corsAllowCredentials : false
- diagnosticSettings: fhir.?diagnosticSettings
- exportStorageAccountName: contains(fhir, 'exportStorageAccountName') ? fhir.exportStorageAccountName : ''
- importStorageAccountName: contains(fhir, 'importStorageAccountName') ? fhir.importStorageAccountName : ''
- importEnabled: contains(fhir, 'importEnabled') ? fhir.importEnabled : false
- initialImportMode: contains(fhir, 'initialImportMode') ? fhir.initialImportMode : false
- lock: fhir.?lock ?? lock
- resourceVersionPolicy: contains(fhir, 'resourceVersionPolicy') ? fhir.resourceVersionPolicy : 'versioned'
- resourceVersionOverrides: contains(fhir, 'resourceVersionOverrides') ? fhir.resourceVersionOverrides : {}
- smartProxyEnabled: contains(fhir, 'smartProxyEnabled') ? fhir.smartProxyEnabled : false
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module workspace_dicomservices 'dicomservice/main.bicep' = [for (dicom, index) in dicomservices: {
- name: '${uniqueString(deployment().name, location)}-Health-DICOM-${index}'
- params: {
- name: dicom.name
- location: location
- workspaceName: workspace.name
- tags: dicom.?tags ?? tags
- publicNetworkAccess: contains(dicom, 'publicNetworkAccess') ? dicom.publicNetworkAccess : 'Disabled'
- managedIdentities: contains(dicom, 'managedIdentities') ? dicom.managedIdentities : null
- corsOrigins: contains(dicom, 'corsOrigins') ? dicom.corsOrigins : []
- corsHeaders: contains(dicom, 'corsHeaders') ? dicom.corsHeaders : []
- corsMethods: contains(dicom, 'corsMethods') ? dicom.corsMethods : []
- corsMaxAge: contains(dicom, 'corsMaxAge') ? dicom.corsMaxAge : -1
- corsAllowCredentials: contains(dicom, 'corsAllowCredentials') ? dicom.corsAllowCredentials : false
- diagnosticSettings: dicom.?diagnosticSettings
- lock: dicom.?lock ?? lock
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module workspace_iotconnector 'iotconnector/main.bicep' = [for (iotConnector, index) in iotconnectors: {
- name: '${uniqueString(deployment().name, location)}-Health-IOMT-${index}'
- params: {
- name: iotConnector.name
- location: location
- workspaceName: workspace.name
- tags: iotConnector.?tags ?? tags
- eventHubName: iotConnector.eventHubName
- eventHubNamespaceName: iotConnector.eventHubNamespaceName
- deviceMapping: contains(iotConnector, 'deviceMapping') ? iotConnector.deviceMapping : {
- templateType: 'CollectionContent'
- template: []
- }
- fhirdestination: contains(iotConnector, 'fhirdestination') ? iotConnector.fhirdestination : {}
- consumerGroup: contains(iotConnector, 'consumerGroup') ? iotConnector.consumerGroup : iotConnector.name
- managedIdentities: contains(iotConnector, 'managedIdentities') ? iotConnector.managedIdentities : null
- diagnosticSettings: iotConnector.?diagnosticSettings
- lock: iotConnector.?lock ?? lock
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-@description('The name of the health data services workspace.')
-output name string = workspace.name
-
-@description('The resource ID of the health data services workspace.')
-output resourceId string = workspace.id
-
-@description('The resource group where the workspace is deployed.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = workspace.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/healthcare-apis/workspace/main.json b/modules/healthcare-apis/workspace/main.json
deleted file mode 100644
index 919958fc5a..0000000000
--- a/modules/healthcare-apis/workspace/main.json
+++ /dev/null
@@ -1,2075 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16618408806092022062" - }, - "name": "Healthcare API Workspaces", - "description": "This module deploys a Healthcare API Workspace.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 50, - "metadata": { - "description": "Required. The name of the Health Data Services Workspace service." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Control permission for data plane traffic coming from public networks while private endpoint is enabled." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." 
- } - }, - "dicomservices": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Deploy DICOM services." - } - }, - "fhirservices": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Deploy FHIR services." - } - }, - "iotconnectors": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Deploy IOT connectors." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DICOM Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '58a3b984-7adf-4c20-983a-32417c86fbc8')]", - "DICOM Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a')]", - "FHIR Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", - "FHIR Data Converter": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a1705bd2-3a8f-45a5-8683-466fcfd5cc24')]", - "FHIR Data Exporter": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3db33094-8700-4567-8da5-1501d4e7e843')]", - "FHIR Data Importer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4465e953-8ced-4406-a58e-0f6e3f3b530b')]", - "FHIR Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", - "FHIR Data Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3f88fce4-5892-4214-ae73-ba5294559913')]", - "FHIR SMART User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4ba50f17-9666-485c-a643-ff00808643f0')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "workspace": { - "type": "Microsoft.HealthcareApis/workspaces", - "apiVersion": "2022-06-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "publicNetworkAccess": "[parameters('publicNetworkAccess')]" - } - }, - "workspace_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "workspace" - ] - }, - 
"workspace_roleAssignments": { - "copy": { - "name": "workspace_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.HealthcareApis/workspaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), 
null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "workspace" - ] - }, - "workspace_fhirservices": { - "copy": { - "name": "workspace_fhirservices", - "count": "[length(parameters('fhirservices'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Health-FHIR-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('fhirservices')[copyIndex()].name]" - }, - "location": { - "value": "[parameters('location')]" - }, - "workspaceName": { - "value": "[parameters('name')]" - }, - "kind": { - "value": "[parameters('fhirservices')[copyIndex()].kind]" - }, - "tags": { - "value": "[coalesce(tryGet(parameters('fhirservices')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "publicNetworkAccess": "[if(contains(parameters('fhirservices')[copyIndex()], 'publicNetworkAccess'), createObject('value', parameters('fhirservices')[copyIndex()].publicNetworkAccess), createObject('value', 'Disabled'))]", - "managedIdentities": "[if(contains(parameters('fhirservices')[copyIndex()], 'managedIdentities'), createObject('value', parameters('fhirservices')[copyIndex()].managedIdentities), createObject('value', null()))]", - "roleAssignments": "[if(contains(parameters('fhirservices')[copyIndex()], 'roleAssignments'), createObject('value', parameters('fhirservices')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "accessPolicyObjectIds": "[if(contains(parameters('fhirservices')[copyIndex()], 'accessPolicyObjectIds'), createObject('value', parameters('fhirservices')[copyIndex()].accessPolicyObjectIds), createObject('value', createArray()))]", - "acrLoginServers": 
"[if(contains(parameters('fhirservices')[copyIndex()], 'acrLoginServers'), createObject('value', parameters('fhirservices')[copyIndex()].acrLoginServers), createObject('value', createArray()))]", - "acrOciArtifacts": "[if(contains(parameters('fhirservices')[copyIndex()], 'acrOciArtifacts'), createObject('value', parameters('fhirservices')[copyIndex()].acrOciArtifacts), createObject('value', createArray()))]", - "authenticationAuthority": "[if(contains(parameters('fhirservices')[copyIndex()], 'authenticationAuthority'), createObject('value', parameters('fhirservices')[copyIndex()].authenticationAuthority), createObject('value', uri(environment().authentication.loginEndpoint, subscription().tenantId)))]", - "authenticationAudience": "[if(contains(parameters('fhirservices')[copyIndex()], 'authenticationAudience'), createObject('value', parameters('fhirservices')[copyIndex()].authenticationAudience), createObject('value', format('https://{0}-{1}.fhir.azurehealthcareapis.com', parameters('name'), parameters('fhirservices')[copyIndex()].name)))]", - "corsOrigins": "[if(contains(parameters('fhirservices')[copyIndex()], 'corsOrigins'), createObject('value', parameters('fhirservices')[copyIndex()].corsOrigins), createObject('value', createArray()))]", - "corsHeaders": "[if(contains(parameters('fhirservices')[copyIndex()], 'corsHeaders'), createObject('value', parameters('fhirservices')[copyIndex()].corsHeaders), createObject('value', createArray()))]", - "corsMethods": "[if(contains(parameters('fhirservices')[copyIndex()], 'corsMethods'), createObject('value', parameters('fhirservices')[copyIndex()].corsMethods), createObject('value', createArray()))]", - "corsMaxAge": "[if(contains(parameters('fhirservices')[copyIndex()], 'corsMaxAge'), createObject('value', parameters('fhirservices')[copyIndex()].corsMaxAge), createObject('value', -1))]", - "corsAllowCredentials": "[if(contains(parameters('fhirservices')[copyIndex()], 'corsAllowCredentials'), createObject('value', 
parameters('fhirservices')[copyIndex()].corsAllowCredentials), createObject('value', false()))]", - "diagnosticSettings": { - "value": "[tryGet(parameters('fhirservices')[copyIndex()], 'diagnosticSettings')]" - }, - "exportStorageAccountName": "[if(contains(parameters('fhirservices')[copyIndex()], 'exportStorageAccountName'), createObject('value', parameters('fhirservices')[copyIndex()].exportStorageAccountName), createObject('value', ''))]", - "importStorageAccountName": "[if(contains(parameters('fhirservices')[copyIndex()], 'importStorageAccountName'), createObject('value', parameters('fhirservices')[copyIndex()].importStorageAccountName), createObject('value', ''))]", - "importEnabled": "[if(contains(parameters('fhirservices')[copyIndex()], 'importEnabled'), createObject('value', parameters('fhirservices')[copyIndex()].importEnabled), createObject('value', false()))]", - "initialImportMode": "[if(contains(parameters('fhirservices')[copyIndex()], 'initialImportMode'), createObject('value', parameters('fhirservices')[copyIndex()].initialImportMode), createObject('value', false()))]", - "lock": { - "value": "[coalesce(tryGet(parameters('fhirservices')[copyIndex()], 'lock'), parameters('lock'))]" - }, - "resourceVersionPolicy": "[if(contains(parameters('fhirservices')[copyIndex()], 'resourceVersionPolicy'), createObject('value', parameters('fhirservices')[copyIndex()].resourceVersionPolicy), createObject('value', 'versioned'))]", - "resourceVersionOverrides": "[if(contains(parameters('fhirservices')[copyIndex()], 'resourceVersionOverrides'), createObject('value', parameters('fhirservices')[copyIndex()].resourceVersionOverrides), createObject('value', createObject()))]", - "smartProxyEnabled": "[if(contains(parameters('fhirservices')[copyIndex()], 'smartProxyEnabled'), createObject('value', parameters('fhirservices')[copyIndex()].smartProxyEnabled), createObject('value', false()))]", - "enableDefaultTelemetry": { - "value": 
"[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13185908730981475512" - }, - "name": "Healthcare API Workspace FHIR Services", - "description": "This module deploys a Healthcare API Workspace FHIR Service.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. 
The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 50, - "metadata": { - "description": "Required. The name of the FHIR service." - } - }, - "kind": { - "type": "string", - "defaultValue": "fhir-R4", - "allowedValues": [ - "fhir-R4", - "fhir-Stu3" - ], - "metadata": { - "description": "Optional. The kind of the service. Defaults to R4." - } - }, - "workspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent health data services workspace. Required if the template is used in a standalone deployment." - } - }, - "accessPolicyObjectIds": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of Azure AD object IDs (User or Apps) that is allowed access to the FHIR service." - } - }, - "acrLoginServers": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of the Azure container registry login servers." - } - }, - "acrOciArtifacts": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of Open Container Initiative (OCI) artifacts." 
- } - }, - "authenticationAuthority": { - "type": "string", - "defaultValue": "[uri(environment().authentication.loginEndpoint, subscription().tenantId)]", - "metadata": { - "description": "Optional. The authority url for the service." - } - }, - "authenticationAudience": { - "type": "string", - "defaultValue": "[format('https://{0}-{1}.fhir.azurehealthcareapis.com', parameters('workspaceName'), parameters('name'))]", - "metadata": { - "description": "Optional. The audience url for the service." - } - }, - "corsOrigins": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specify URLs of origin sites that can access this API, or use \"*\" to allow access from any site." - } - }, - "corsHeaders": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specify HTTP headers which can be used during the request. Use \"*\" for any header." - } - }, - "corsMethods": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "DELETE", - "GET", - "OPTIONS", - "PATCH", - "POST", - "PUT" - ], - "metadata": { - "description": "Optional. Specify the allowed HTTP methods." - } - }, - "corsMaxAge": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Specify how long a result from a request can be cached in seconds. Example: 600 means 10 minutes." - } - }, - "corsAllowCredentials": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Use this setting to indicate that cookies should be included in CORS requests." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." 
- } - }, - "exportStorageAccountName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the default export storage account." - } - }, - "importStorageAccountName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the default integration storage account." - } - }, - "importEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. If the import operation is enabled." - } - }, - "initialImportMode": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. If the FHIR service is in InitialImportMode." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Control permission for data plane traffic coming from public networks while private endpoint is enabled." - } - }, - "resourceVersionPolicy": { - "type": "string", - "defaultValue": "versioned", - "allowedValues": [ - "no-version", - "versioned", - "versioned-update" - ], - "metadata": { - "description": "Optional. The default value for tracking history across all resources." - } - }, - "resourceVersionOverrides": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. A list of FHIR Resources and their version policy overrides." - } - }, - "smartProxyEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. If the SMART on FHIR proxy is enabled." 
- } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." - } - } - }, - "variables": { - "copy": [ - { - "name": "accessPolicies", - "count": "[length(parameters('accessPolicyObjectIds'))]", - "input": { - "objectId": "[parameters('accessPolicyObjectIds')[copyIndex('accessPolicies')]]" - } - } - ], - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "exportConfiguration": { - "storageAccountName": "[parameters('exportStorageAccountName')]" - }, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DICOM Data Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '58a3b984-7adf-4c20-983a-32417c86fbc8')]", - "DICOM Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a')]", - "FHIR Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", - "FHIR Data Converter": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a1705bd2-3a8f-45a5-8683-466fcfd5cc24')]", - "FHIR Data Exporter": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3db33094-8700-4567-8da5-1501d4e7e843')]", - "FHIR Data Importer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4465e953-8ced-4406-a58e-0f6e3f3b530b')]", - "FHIR Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", - "FHIR Data Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3f88fce4-5892-4214-ae73-ba5294559913')]", - "FHIR SMART User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4ba50f17-9666-485c-a643-ff00808643f0')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', 
uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "workspace": { - "existing": true, - "type": "Microsoft.HealthcareApis/workspaces", - "apiVersion": "2022-06-01", - "name": "[parameters('workspaceName')]" - }, - "fhir": { - "type": "Microsoft.HealthcareApis/workspaces/fhirservices", - "apiVersion": "2022-06-01", - "name": "[format('{0}/{1}', parameters('workspaceName'), parameters('name'))]", - "location": "[parameters('location')]", - "kind": "[parameters('kind')]", - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "properties": { - "accessPolicies": "[variables('accessPolicies')]", - "authenticationConfiguration": { - "authority": "[parameters('authenticationAuthority')]", - "audience": "[parameters('authenticationAudience')]", - "smartProxyEnabled": "[parameters('smartProxyEnabled')]" - }, - "corsConfiguration": { - "allowCredentials": "[parameters('corsAllowCredentials')]", - "headers": "[parameters('corsHeaders')]", - "maxAge": "[if(equals(parameters('corsMaxAge'), -1), null(), parameters('corsMaxAge'))]", - "methods": "[parameters('corsMethods')]", - "origins": "[parameters('corsOrigins')]" - }, - "publicNetworkAccess": "[parameters('publicNetworkAccess')]", - "exportConfiguration": "[if(equals(parameters('exportStorageAccountName'), ''), createObject(), variables('exportConfiguration'))]", - "importConfiguration": { - "enabled": "[parameters('importEnabled')]", - "initialImportMode": "[parameters('initialImportMode')]", - "integrationDataStore": "[if(equals(parameters('importStorageAccountName'), ''), null(), parameters('importStorageAccountName'))]" - }, - "resourceVersionPolicyConfiguration": { - "default": "[parameters('resourceVersionPolicy')]", - "resourceTypeOverrides": 
"[if(empty(parameters('resourceVersionOverrides')), null(), parameters('resourceVersionOverrides'))]" - }, - "acrConfiguration": { - "loginServers": "[parameters('acrLoginServers')]", - "ociArtifacts": "[if(empty(parameters('acrOciArtifacts')), null(), parameters('acrOciArtifacts'))]" - } - }, - "dependsOn": [ - "workspace" - ] - }, - "fhir_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/fhirservices/{1}', parameters('workspaceName'), parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "fhir" - ] - }, - "fhir_diagnosticSettings": { - "copy": { - "name": "fhir_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/fhirservices/{1}', parameters('workspaceName'), parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "fhir" - ] - }, - "fhir_roleAssignments": { - "copy": { - "name": "fhir_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/fhirservices/{1}', parameters('workspaceName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.HealthcareApis/workspaces/fhirservices', parameters('workspaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], 
if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "fhir" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the fhir service." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the fhir service." - }, - "value": "[resourceId('Microsoft.HealthcareApis/workspaces/fhirservices', parameters('workspaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group where the namespace is deployed." 
- }, - "value": "[resourceGroup().name]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('fhir', '2022-06-01', 'full').identity, 'principalId')), reference('fhir', '2022-06-01', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('fhir', '2022-06-01', 'full').location]" - }, - "workspaceName": { - "type": "string", - "metadata": { - "description": "The name of the fhir workspace." - }, - "value": "[parameters('workspaceName')]" - } - } - } - }, - "dependsOn": [ - "workspace" - ] - }, - "workspace_dicomservices": { - "copy": { - "name": "workspace_dicomservices", - "count": "[length(parameters('dicomservices'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Health-DICOM-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('dicomservices')[copyIndex()].name]" - }, - "location": { - "value": "[parameters('location')]" - }, - "workspaceName": { - "value": "[parameters('name')]" - }, - "tags": { - "value": "[coalesce(tryGet(parameters('dicomservices')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "publicNetworkAccess": "[if(contains(parameters('dicomservices')[copyIndex()], 'publicNetworkAccess'), createObject('value', parameters('dicomservices')[copyIndex()].publicNetworkAccess), createObject('value', 'Disabled'))]", - "managedIdentities": "[if(contains(parameters('dicomservices')[copyIndex()], 'managedIdentities'), createObject('value', 
parameters('dicomservices')[copyIndex()].managedIdentities), createObject('value', null()))]", - "corsOrigins": "[if(contains(parameters('dicomservices')[copyIndex()], 'corsOrigins'), createObject('value', parameters('dicomservices')[copyIndex()].corsOrigins), createObject('value', createArray()))]", - "corsHeaders": "[if(contains(parameters('dicomservices')[copyIndex()], 'corsHeaders'), createObject('value', parameters('dicomservices')[copyIndex()].corsHeaders), createObject('value', createArray()))]", - "corsMethods": "[if(contains(parameters('dicomservices')[copyIndex()], 'corsMethods'), createObject('value', parameters('dicomservices')[copyIndex()].corsMethods), createObject('value', createArray()))]", - "corsMaxAge": "[if(contains(parameters('dicomservices')[copyIndex()], 'corsMaxAge'), createObject('value', parameters('dicomservices')[copyIndex()].corsMaxAge), createObject('value', -1))]", - "corsAllowCredentials": "[if(contains(parameters('dicomservices')[copyIndex()], 'corsAllowCredentials'), createObject('value', parameters('dicomservices')[copyIndex()].corsAllowCredentials), createObject('value', false()))]", - "diagnosticSettings": { - "value": "[tryGet(parameters('dicomservices')[copyIndex()], 'diagnosticSettings')]" - }, - "lock": { - "value": "[coalesce(tryGet(parameters('dicomservices')[copyIndex()], 'lock'), parameters('lock'))]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4829507560537153518" - }, - "name": "Healthcare API Workspace DICOM Services", - "description": "This module deploys a Healthcare API Workspace DICOM Service.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - 
"type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." 
- } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 50, - "metadata": { - "description": "Required. The name of the DICOM service." - } - }, - "workspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent health data services workspace. Required if the template is used in a standalone deployment." - } - }, - "corsOrigins": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specify URLs of origin sites that can access this API, or use \"*\" to allow access from any site." - } - }, - "corsHeaders": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specify HTTP headers which can be used during the request. Use \"*\" for any header." - } - }, - "corsMethods": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "DELETE", - "GET", - "OPTIONS", - "PATCH", - "POST", - "PUT" - ], - "metadata": { - "description": "Optional. Specify the allowed HTTP methods." - } - }, - "corsMaxAge": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Specify how long a result from a request can be cached in seconds. Example: 600 means 10 minutes." - } - }, - "corsAllowCredentials": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Use this setting to indicate that cookies should be included in CORS requests." 
- } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Control permission for data plane traffic coming from public networks while private endpoint is enabled." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." 
- } - } - }, - "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]" - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "workspace": { - "existing": true, - "type": "Microsoft.HealthcareApis/workspaces", - "apiVersion": "2022-06-01", - "name": "[parameters('workspaceName')]" - }, - "dicom": { - "type": "Microsoft.HealthcareApis/workspaces/dicomservices", - "apiVersion": "2022-06-01", - "name": "[format('{0}/{1}', parameters('workspaceName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "properties": { - "corsConfiguration": { 
- "allowCredentials": "[parameters('corsAllowCredentials')]", - "headers": "[parameters('corsHeaders')]", - "maxAge": "[if(equals(parameters('corsMaxAge'), -1), null(), parameters('corsMaxAge'))]", - "methods": "[parameters('corsMethods')]", - "origins": "[parameters('corsOrigins')]" - }, - "publicNetworkAccess": "[parameters('publicNetworkAccess')]" - }, - "dependsOn": [ - "workspace" - ] - }, - "dicom_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/dicomservices/{1}', parameters('workspaceName'), parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "dicom" - ] - }, - "dicom_diagnosticSettings": { - "copy": { - "name": "dicom_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/dicomservices/{1}', parameters('workspaceName'), parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "dicom" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the dicom service." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the dicom service." - }, - "value": "[resourceId('Microsoft.HealthcareApis/workspaces/dicomservices', parameters('workspaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group where the namespace is deployed." - }, - "value": "[resourceGroup().name]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." 
- }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('dicom', '2022-06-01', 'full').identity, 'principalId')), reference('dicom', '2022-06-01', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('dicom', '2022-06-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "workspace" - ] - }, - "workspace_iotconnector": { - "copy": { - "name": "workspace_iotconnector", - "count": "[length(parameters('iotconnectors'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Health-IOMT-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('iotconnectors')[copyIndex()].name]" - }, - "location": { - "value": "[parameters('location')]" - }, - "workspaceName": { - "value": "[parameters('name')]" - }, - "tags": { - "value": "[coalesce(tryGet(parameters('iotconnectors')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "eventHubName": { - "value": "[parameters('iotconnectors')[copyIndex()].eventHubName]" - }, - "eventHubNamespaceName": { - "value": "[parameters('iotconnectors')[copyIndex()].eventHubNamespaceName]" - }, - "deviceMapping": "[if(contains(parameters('iotconnectors')[copyIndex()], 'deviceMapping'), createObject('value', parameters('iotconnectors')[copyIndex()].deviceMapping), createObject('value', createObject('templateType', 'CollectionContent', 'template', createArray())))]", - "fhirdestination": "[if(contains(parameters('iotconnectors')[copyIndex()], 'fhirdestination'), createObject('value', parameters('iotconnectors')[copyIndex()].fhirdestination), createObject('value', createObject()))]", - "consumerGroup": 
"[if(contains(parameters('iotconnectors')[copyIndex()], 'consumerGroup'), createObject('value', parameters('iotconnectors')[copyIndex()].consumerGroup), createObject('value', parameters('iotconnectors')[copyIndex()].name))]", - "managedIdentities": "[if(contains(parameters('iotconnectors')[copyIndex()], 'managedIdentities'), createObject('value', parameters('iotconnectors')[copyIndex()].managedIdentities), createObject('value', null()))]", - "diagnosticSettings": { - "value": "[tryGet(parameters('iotconnectors')[copyIndex()], 'diagnosticSettings')]" - }, - "lock": { - "value": "[coalesce(tryGet(parameters('iotconnectors')[copyIndex()], 'lock'), parameters('lock'))]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15635348365399723785" - }, - "name": "Healthcare API Workspace IoT Connectors", - "description": "This module deploys a Healthcare API Workspace IoT Connector.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." 
- } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. 
A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 50, - "metadata": { - "description": "Required. The name of the MedTech service." - } - }, - "workspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. 
The name of the parent health data services workspace. Required if the template is used in a standalone deployment." - } - }, - "eventHubName": { - "type": "string", - "metadata": { - "description": "Required. Event Hub name to connect to." - } - }, - "consumerGroup": { - "type": "string", - "defaultValue": "[parameters('name')]", - "metadata": { - "description": "Optional. Consumer group of the event hub to connected to." - } - }, - "eventHubNamespaceName": { - "type": "string", - "metadata": { - "description": "Required. Namespace of the Event Hub to connect to." - } - }, - "deviceMapping": { - "type": "object", - "defaultValue": { - "templateType": "CollectionContent", - "template": [] - }, - "metadata": { - "description": "Required. The mapping JSON that determines how incoming device data is normalized." - } - }, - "fhirdestination": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. FHIR Destination." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." 
- } - } - }, - "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "workspace": { - "existing": true, - "type": "Microsoft.HealthcareApis/workspaces", - "apiVersion": "2022-06-01", - "name": "[parameters('workspaceName')]" - }, - "iotConnector": { - "type": "Microsoft.HealthcareApis/workspaces/iotconnectors", - "apiVersion": "2022-06-01", - "name": "[format('{0}/{1}', parameters('workspaceName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "identity": 
"[variables('identity')]", - "properties": { - "ingestionEndpointConfiguration": { - "eventHubName": "[parameters('eventHubName')]", - "consumerGroup": "[parameters('consumerGroup')]", - "fullyQualifiedEventHubNamespace": "[format('{0}.servicebus.windows.net', parameters('eventHubNamespaceName'))]" - }, - "deviceMapping": { - "content": "[parameters('deviceMapping')]" - } - }, - "dependsOn": [ - "workspace" - ] - }, - "iotConnector_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/iotconnectors/{1}', parameters('workspaceName'), parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "iotConnector" - ] - }, - "iotConnector_diagnosticSettings": { - "copy": { - "name": "iotConnector_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/iotconnectors/{1}', parameters('workspaceName'), parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), 
createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "iotConnector" - ] - }, - "fhir_destination": { - "condition": "[not(empty(parameters('fhirdestination')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-FhirDestination', deployment().name)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[format('{0}-map', uniqueString(parameters('workspaceName'), parameters('name')))]" - }, - "iotConnectorName": { - "value": "[parameters('name')]" - }, - "resourceIdentityResolutionType": "[if(contains(parameters('fhirdestination'), 'resourceIdentityResolutionType'), createObject('value', parameters('fhirdestination').resourceIdentityResolutionType), createObject('value', 'Lookup'))]", - "fhirServiceResourceId": { - "value": "[parameters('fhirdestination').fhirServiceResourceId]" - }, - "destinationMapping": 
"[if(contains(parameters('fhirdestination'), 'destinationMapping'), createObject('value', parameters('fhirdestination').destinationMapping), createObject('value', createObject('templateType', 'CollectionFhir', 'template', createArray())))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "workspaceName": { - "value": "[parameters('workspaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6245123463457389463" - }, - "name": "Healthcare API Workspace IoT Connector FHIR Destinations", - "description": "This module deploys a Healthcare API Workspace IoT Connector FHIR Destination.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Required. The name of the FHIR destination." - } - }, - "destinationMapping": { - "type": "object", - "defaultValue": { - "templateType": "CollectionFhir", - "template": [] - }, - "metadata": { - "description": "Required. The mapping JSON that determines how normalized data is converted to FHIR Observations." - } - }, - "iotConnectorName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the MedTech service to add this destination to. Required if the template is used in a standalone deployment." - } - }, - "workspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent health data services workspace. Required if the template is used in a standalone deployment." - } - }, - "fhirServiceResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource identifier of the FHIR Service to connect to." 
- } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." - } - }, - "resourceIdentityResolutionType": { - "type": "string", - "defaultValue": "Lookup", - "allowedValues": [ - "Create", - "Lookup" - ], - "metadata": { - "description": "Optional. Determines how resource identity is resolved on the destination." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.HealthcareApis/workspaces/iotconnectors/fhirdestinations", - "apiVersion": "2022-06-01", - "name": "[format('{0}/{1}/{2}', parameters('workspaceName'), parameters('iotConnectorName'), parameters('name'))]", - "location": "[parameters('location')]", - "properties": { - "resourceIdentityResolutionType": "[parameters('resourceIdentityResolutionType')]", - "fhirServiceResourceId": "[parameters('fhirServiceResourceId')]", - "fhirMapping": { - "content": "[parameters('destinationMapping')]" - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the FHIR destination." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the FHIR destination." 
- }, - "value": "[resourceId('Microsoft.HealthcareApis/workspaces/iotconnectors/fhirdestinations', parameters('workspaceName'), parameters('iotConnectorName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group where the namespace is deployed." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference(resourceId('Microsoft.HealthcareApis/workspaces/iotconnectors/fhirdestinations', parameters('workspaceName'), parameters('iotConnectorName'), parameters('name')), '2022-06-01', 'full').location]" - }, - "iotConnectorName": { - "type": "string", - "metadata": { - "description": "The name of the medtech service." - }, - "value": "[parameters('iotConnectorName')]" - } - } - } - }, - "dependsOn": [ - "iotConnector" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the medtech service." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the medtech service." - }, - "value": "[resourceId('Microsoft.HealthcareApis/workspaces/iotconnectors', parameters('workspaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group where the namespace is deployed." - }, - "value": "[resourceGroup().name]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." 
- }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('iotConnector', '2022-06-01', 'full').identity, 'principalId')), reference('iotConnector', '2022-06-01', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('iotConnector', '2022-06-01', 'full').location]" - }, - "workspaceName": { - "type": "string", - "metadata": { - "description": "The name of the medtech workspace." - }, - "value": "[parameters('workspaceName')]" - } - } - } - }, - "dependsOn": [ - "workspace" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the health data services workspace." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the health data services workspace." - }, - "value": "[resourceId('Microsoft.HealthcareApis/workspaces', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group where the workspace is deployed." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('workspace', '2022-06-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/healthcare-apis/workspace/tests/e2e/defaults/main.test.bicep b/modules/healthcare-apis/workspace/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 4eb6a8dc85..0000000000 --- a/modules/healthcare-apis/workspace/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-healthcareapis.workspaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'hawmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// =========== //
-// Deployments //
-// =========== //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- location: location
- publicNetworkAccess: 'Enabled'
- }
-}
diff --git a/modules/healthcare-apis/workspace/tests/e2e/max/dependencies.bicep b/modules/healthcare-apis/workspace/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 96f9aff771..0000000000
--- a/modules/healthcare-apis/workspace/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,74 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Event Hub Namespace to create.')
-param eventHubNamespaceName string
-
-@description('Required. The name of the Event Hub consumer group to create.')
-param eventHubConsumerGroupName string
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
-}
-
-resource ehns 'Microsoft.EventHub/namespaces@2022-01-01-preview' = {
- name: eventHubNamespaceName
- location: location
- sku: {
- name: 'Standard'
- tier: 'Standard'
- capacity: 1
- }
- properties: {
- zoneRedundant: false
- isAutoInflateEnabled: false
- }
-
- resource eventhub 'eventhubs@2022-01-01-preview' = {
- name: '${eventHubNamespaceName}-hub'
- properties: {
- messageRetentionInDays: 1
- partitionCount: 1
- }
-
- resource consumergroup 'consumergroups@2022-01-01-preview' = {
- name: eventHubConsumerGroupName
- }
- }
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
-
-@description('The resource ID of the created Event Hub Namespace.')
-output eventHubNamespaceResourceId string = ehns.id
-
-@description('The name of the created Event Hub Namespace.')
-output eventHubNamespaceName string = ehns.name
-
-@description('The resource ID of the created Event Hub.')
-output eventHubResourceId string = ehns::eventhub.id
-
-@description('The name of the created Event Hub.')
-output eventHubName string = ehns::eventhub.name
diff --git a/modules/healthcare-apis/workspace/tests/e2e/max/main.test.bicep b/modules/healthcare-apis/workspace/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 3d1bf48e56..0000000000
--- a/modules/healthcare-apis/workspace/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,179 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-healthcareapis.workspaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'hawmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// =========== //
-// Deployments //
-// =========== //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-paramNested'
- params: {
- eventHubConsumerGroupName: '${namePrefix}-az-iomt-x-001'
- eventHubNamespaceName: 'dep-${namePrefix}-ehns-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- storageAccountName: 'dep${namePrefix}sa${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- location: location
- publicNetworkAccess: 'Enabled'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- fhirservices: [
- {
- name: '${namePrefix}-az-fhir-x-001'
- kind: 'fhir-R4'
- workspaceName: '${namePrefix}${serviceShort}001'
- corsOrigins: [ '*' ]
- corsHeaders: [ '*' ]
- corsMethods: [ 'GET' ]
- corsMaxAge: 600
- corsAllowCredentials: false
- location: location
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- publicNetworkAccess: 'Enabled'
- resourceVersionPolicy: 'versioned'
- smartProxyEnabled: false
- enableDefaultTelemetry: enableDefaultTelemetry
- managedIdentities: {
- systemAssigned: false
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- importEnabled: false
- initialImportMode: false
- roleAssignments: [
- {
- roleDefinitionIdOrName: resourceId('Microsoft.Authorization/roleDefinitions', '5a1fc7df-4bf1-4951-a576-89034ee01acd')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- }
- ]
- dicomservices: [
- {
- name: '${namePrefix}-az-dicom-x-001'
- workspaceName: '${namePrefix}${serviceShort}001'
- corsOrigins: [ '*' ]
- corsHeaders: [ '*' ]
- corsMethods: [ 'GET' ]
- corsMaxAge: 600
- corsAllowCredentials: false
- location: location
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- publicNetworkAccess: 'Enabled'
- enableDefaultTelemetry: enableDefaultTelemetry
- managedIdentities: {
- systemAssigned: false
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- } }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
diff --git a/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/dependencies.bicep b/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 96f9aff771..0000000000
--- a/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,74 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Event Hub Namespace to create.')
-param eventHubNamespaceName string
-
-@description('Required. The name of the Event Hub consumer group to create.')
-param eventHubConsumerGroupName string
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
-}
-
-resource ehns 'Microsoft.EventHub/namespaces@2022-01-01-preview' = {
- name: eventHubNamespaceName
- location: location
- sku: {
- name: 'Standard'
- tier: 'Standard'
- capacity: 1
- }
- properties: {
- zoneRedundant: false
- isAutoInflateEnabled: false
- }
-
- resource eventhub 'eventhubs@2022-01-01-preview' = {
- name: '${eventHubNamespaceName}-hub'
- properties: {
- messageRetentionInDays: 1
- partitionCount: 1
- }
-
- resource consumergroup 'consumergroups@2022-01-01-preview' = {
- name: eventHubConsumerGroupName
- }
- }
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
-
-@description('The resource ID of the created Event Hub Namespace.')
-output eventHubNamespaceResourceId string = ehns.id
-
-@description('The name of the created Event Hub Namespace.')
-output eventHubNamespaceName string = ehns.name
-
-@description('The resource ID of the created Event Hub.')
-output eventHubResourceId string = ehns::eventhub.id
-
-@description('The name of the created Event Hub.')
-output eventHubName string = ehns::eventhub.name
diff --git a/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index bc4990b2d3..0000000000
--- a/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,162 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-healthcareapis.workspaces-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'hawwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// =========== // -// Deployments // -// =========== // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-paramNested' - params: { - eventHubConsumerGroupName: '${namePrefix}-az-iomt-x-001' - eventHubNamespaceName: 'dep-${namePrefix}-ehns-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - storageAccountName: 'dep${namePrefix}sa${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - 
logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - location: location - publicNetworkAccess: 'Enabled' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - fhirservices: [ - { - name: '${namePrefix}-az-fhir-x-001' - kind: 'fhir-R4' - workspaceName: '${namePrefix}${serviceShort}001' - corsOrigins: [ '*' ] - corsHeaders: [ '*' ] - corsMethods: [ 'GET' ] - corsMaxAge: 600 - corsAllowCredentials: false - location: location - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - publicNetworkAccess: 'Enabled' - resourceVersionPolicy: 'versioned' - smartProxyEnabled: false - enableDefaultTelemetry: enableDefaultTelemetry - managedIdentities: { - systemAssigned: false - userAssignedResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - } - importEnabled: false - initialImportMode: false - roleAssignments: [ - { - roleDefinitionIdOrName: resourceId('Microsoft.Authorization/roleDefinitions', '5a1fc7df-4bf1-4951-a576-89034ee01acd') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - } - ] - 
dicomservices: [ - { - name: '${namePrefix}-az-dicom-x-001' - workspaceName: '${namePrefix}${serviceShort}001' - corsOrigins: [ '*' ] - corsHeaders: [ '*' ] - corsMethods: [ 'GET' ] - corsMaxAge: 600 - corsAllowCredentials: false - location: location - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - publicNetworkAccess: 'Enabled' - enableDefaultTelemetry: enableDefaultTelemetry - managedIdentities: { - systemAssigned: false - userAssignedResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - } } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} diff --git a/modules/healthcare-apis/workspace/version.json b/modules/healthcare-apis/workspace/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/healthcare-apis/workspace/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/insights/action-group/MOVED-TO-AVM.md b/modules/insights/action-group/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/insights/action-group/MOVED-TO-AVM.md +++ /dev/null @@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). 
diff --git a/modules/insights/action-group/README.md b/modules/insights/action-group/README.md index c5087c691b..62d9f4e04e 100644 --- a/modules/insights/action-group/README.md +++ b/modules/insights/action-group/README.md @@ -1,600 +1,7 @@ -# Action Groups `[Microsoft.Insights/actionGroups]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/insights/action-group](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/insights/action-group).** -This module deploys an Action Group. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/insights/action-group). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/actionGroups` | [2023-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2023-01-01/actionGroups) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.action-group:1.0.0`. 
- -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module actionGroup 'br:bicep/modules/insights.action-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-iagmin' - params: { - // Required parameters - groupShortName: 'agiagmin001' - name: 'iagmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "groupShortName": { - "value": "agiagmin001" - }, - "name": { - "value": "iagmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module actionGroup 'br:bicep/modules/insights.action-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-iagmax' - params: { - // Required parameters - groupShortName: 'agiagmax001' - name: 'iagmax001' - // Non-required parameters - emailReceivers: [ - { - emailAddress: 'test.user@testcompany.com' - name: 'TestUser_-EmailAction-' - useCommonAlertSchema: true - } - { - emailAddress: 'test.user2@testcompany.com' - name: 'TestUser2' - useCommonAlertSchema: true - } - ] - enableDefaultTelemetry: '' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - smsReceivers: [ - { - countryCode: '1' - name: 'TestUser_-SMSAction-' - phoneNumber: '2345678901' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "groupShortName": { - "value": "agiagmax001" - }, - "name": { - "value": "iagmax001" - }, - // Non-required parameters - "emailReceivers": { - "value": [ - { - "emailAddress": "test.user@testcompany.com", - "name": "TestUser_-EmailAction-", - "useCommonAlertSchema": true - }, - { - "emailAddress": "test.user2@testcompany.com", - "name": "TestUser2", - "useCommonAlertSchema": true - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "smsReceivers": { - "value": [ - { - "countryCode": "1", - "name": "TestUser_-SMSAction-", - "phoneNumber": "2345678901" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module actionGroup 'br:bicep/modules/insights.action-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-iagwaf' - params: { - // Required parameters - groupShortName: 'agiagwaf001' - name: 'iagwaf001' - // Non-required parameters - emailReceivers: [ - { - emailAddress: 'test.user@testcompany.com' - name: 'TestUser_-EmailAction-' - useCommonAlertSchema: true - } - { - emailAddress: 'test.user2@testcompany.com' - name: 'TestUser2' - useCommonAlertSchema: true - } - ] - enableDefaultTelemetry: '' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - smsReceivers: [ - { - countryCode: '1' - name: 'TestUser_-SMSAction-' - phoneNumber: '2345678901' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "groupShortName": { - "value": "agiagwaf001" - }, - "name": { - "value": "iagwaf001" - }, - // Non-required parameters - "emailReceivers": { - "value": [ - { - "emailAddress": "test.user@testcompany.com", - "name": "TestUser_-EmailAction-", - "useCommonAlertSchema": true - }, - { - "emailAddress": "test.user2@testcompany.com", - "name": "TestUser2", - "useCommonAlertSchema": true - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "smsReceivers": { - "value": [ - { - "countryCode": "1", - "name": "TestUser_-SMSAction-", - "phoneNumber": "2345678901" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`groupShortName`](#parameter-groupshortname) | string | The short name of the action group. | -| [`name`](#parameter-name) | string | The name of the action group. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`armRoleReceivers`](#parameter-armrolereceivers) | array | The list of ARM role receivers that are part of this action group. Roles are Azure RBAC roles and only built-in roles are supported. | -| [`automationRunbookReceivers`](#parameter-automationrunbookreceivers) | array | The list of AutomationRunbook receivers that are part of this action group. | -| [`azureAppPushReceivers`](#parameter-azureapppushreceivers) | array | The list of AzureAppPush receivers that are part of this action group. | -| [`azureFunctionReceivers`](#parameter-azurefunctionreceivers) | array | The list of function receivers that are part of this action group. | -| [`emailReceivers`](#parameter-emailreceivers) | array | The list of email receivers that are part of this action group. | -| [`enabled`](#parameter-enabled) | bool | Indicates whether this action group is enabled. If an action group is not enabled, then none of its receivers will receive communications. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`itsmReceivers`](#parameter-itsmreceivers) | array | The list of ITSM receivers that are part of this action group. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`logicAppReceivers`](#parameter-logicappreceivers) | array | The list of logic app receivers that are part of this action group. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`smsReceivers`](#parameter-smsreceivers) | array | The list of SMS receivers that are part of this action group. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`voiceReceivers`](#parameter-voicereceivers) | array | The list of voice receivers that are part of this action group. | -| [`webhookReceivers`](#parameter-webhookreceivers) | array | The list of webhook receivers that are part of this action group. | - -### Parameter: `groupShortName` - -The short name of the action group. - -- Required: Yes -- Type: string - -### Parameter: `name` - -The name of the action group. - -- Required: Yes -- Type: string - -### Parameter: `armRoleReceivers` - -The list of ARM role receivers that are part of this action group. Roles are Azure RBAC roles and only built-in roles are supported. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `automationRunbookReceivers` - -The list of AutomationRunbook receivers that are part of this action group. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `azureAppPushReceivers` - -The list of AzureAppPush receivers that are part of this action group. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `azureFunctionReceivers` - -The list of function receivers that are part of this action group. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `emailReceivers` - -The list of email receivers that are part of this action group. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `enabled` - -Indicates whether this action group is enabled. If an action group is not enabled, then none of its receivers will receive communications. 
- -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `itsmReceivers` - -The list of ITSM receivers that are part of this action group. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `'global'` - -### Parameter: `logicAppReceivers` - -The list of logic app receivers that are part of this action group. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `smsReceivers` - -The list of SMS receivers that are part of this action group. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `voiceReceivers` - -The list of voice receivers that are part of this action group. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `webhookReceivers` - -The list of webhook receivers that are part of this action group. - -- Required: No -- Type: array -- Default: `[]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the action group . | -| `resourceGroupName` | string | The resource group the action group was deployed into. | -| `resourceId` | string | The resource ID of the action group . | - -## Cross-referenced modules - -_None_ - -## Notes - -- Receiver name must be unique across the ActionGroup. -- Email, SMS, Azure App push and Voice can be grouped in the same Action. To do so, the `name` field of the receivers must be in the `RecName_-ActionType-` format where: - - _RecName_ is the name you want to give to the Action - - _ActionType_ is one of the action types that can be grouped together. Possible values are: - - EmailAction - - SMSAction - - AzureAppAction - - VoiceAction - -- To understand the impact of the `useCommonAlertSchema` field, see [documentation](https://learn.microsoft.com/en-us/azure/azure-monitor/platform/alerts-common-schema). +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). 
diff --git a/modules/insights/action-group/main.bicep b/modules/insights/action-group/main.bicep
deleted file mode 100644
index bca49be2f7..0000000000
--- a/modules/insights/action-group/main.bicep
+++ /dev/null
@@ -1,146 +0,0 @@
-metadata name = 'Action Groups'
-metadata description = 'This module deploys an Action Group.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the action group.')
-param name string
-
-@description('Required. The short name of the action group.')
-param groupShortName string
-
-@description('Optional. Indicates whether this action group is enabled. If an action group is not enabled, then none of its receivers will receive communications.')
-param enabled bool = true
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. The list of email receivers that are part of this action group.')
-param emailReceivers array = []
-
-@description('Optional. The list of SMS receivers that are part of this action group.')
-param smsReceivers array = []
-
-@description('Optional. The list of webhook receivers that are part of this action group.')
-param webhookReceivers array = []
-
-@description('Optional. The list of ITSM receivers that are part of this action group.')
-param itsmReceivers array = []
-
-@description('Optional. The list of AzureAppPush receivers that are part of this action group.')
-param azureAppPushReceivers array = []
-
-@description('Optional. The list of AutomationRunbook receivers that are part of this action group.')
-param automationRunbookReceivers array = []
-
-@description('Optional. The list of voice receivers that are part of this action group.')
-param voiceReceivers array = []
-
-@description('Optional. The list of logic app receivers that are part of this action group.')
-param logicAppReceivers array = []
-
-@description('Optional. The list of function receivers that are part of this action group.')
-param azureFunctionReceivers array = []
-
-@description('Optional. The list of ARM role receivers that are part of this action group. Roles are Azure RBAC roles and only built-in roles are supported.')
-param armRoleReceivers array = []
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. Location for all resources.')
-param location string = 'global'
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource actionGroup 'Microsoft.Insights/actionGroups@2023-01-01' = {
- name: name
- location: location
- tags: tags
- properties: {
- groupShortName: groupShortName
- enabled: enabled
- emailReceivers: (empty(emailReceivers) ? null : emailReceivers)
- smsReceivers: (empty(smsReceivers) ? null : smsReceivers)
- webhookReceivers: (empty(webhookReceivers) ? null : webhookReceivers)
- itsmReceivers: (empty(itsmReceivers) ? null : itsmReceivers)
- azureAppPushReceivers: (empty(azureAppPushReceivers) ? null : azureAppPushReceivers)
- automationRunbookReceivers: (empty(automationRunbookReceivers) ? null : automationRunbookReceivers)
- voiceReceivers: (empty(voiceReceivers) ? null : voiceReceivers)
- logicAppReceivers: (empty(logicAppReceivers) ? null : logicAppReceivers)
- azureFunctionReceivers: (empty(azureFunctionReceivers) ? null : azureFunctionReceivers)
- armRoleReceivers: (empty(armRoleReceivers) ? null : armRoleReceivers)
- }
-}
-
-resource actionGroup_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(actionGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: actionGroup
-}]
-
-@description('The resource group the action group was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the action group .')
-output name string = actionGroup.name
-
-@description('The resource ID of the action group .')
-output resourceId string = actionGroup.id
-
-@description('The location the resource was deployed into.')
-output location string = actionGroup.location
-// =============== //
-// Definitions //
-// =============== //
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/insights/action-group/main.json b/modules/insights/action-group/main.json
deleted file mode 100644
index ac749fc55c..0000000000
--- a/modules/insights/action-group/main.json
+++ /dev/null
@@ -1,299 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17468299355631227280" - }, - "name": "Action Groups", - "description": "This module deploys an Action Group.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the action group." - } - }, - "groupShortName": { - "type": "string", - "metadata": { - "description": "Required. The short name of the action group." - } - }, - "enabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Indicates whether this action group is enabled. If an action group is not enabled, then none of its receivers will receive communications." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "emailReceivers": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of email receivers that are part of this action group." - } - }, - "smsReceivers": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of SMS receivers that are part of this action group." - } - }, - "webhookReceivers": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of webhook receivers that are part of this action group." - } - }, - "itsmReceivers": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of ITSM receivers that are part of this action group." - } - }, - "azureAppPushReceivers": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. 
The list of AzureAppPush receivers that are part of this action group." - } - }, - "automationRunbookReceivers": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of AutomationRunbook receivers that are part of this action group." - } - }, - "voiceReceivers": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of voice receivers that are part of this action group." - } - }, - "logicAppReceivers": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of logic app receivers that are part of this action group." - } - }, - "azureFunctionReceivers": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of function receivers that are part of this action group." - } - }, - "armRoleReceivers": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of ARM role receivers that are part of this action group. Roles are Azure RBAC roles and only built-in roles are supported." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "location": { - "type": "string", - "defaultValue": "global", - "metadata": { - "description": "Optional. Location for all resources." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "actionGroup": { - "type": "Microsoft.Insights/actionGroups", - "apiVersion": "2023-01-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "groupShortName": "[parameters('groupShortName')]", - "enabled": "[parameters('enabled')]", - "emailReceivers": "[if(empty(parameters('emailReceivers')), null(), parameters('emailReceivers'))]", - "smsReceivers": "[if(empty(parameters('smsReceivers')), null(), parameters('smsReceivers'))]", - "webhookReceivers": "[if(empty(parameters('webhookReceivers')), null(), parameters('webhookReceivers'))]", - "itsmReceivers": "[if(empty(parameters('itsmReceivers')), null(), parameters('itsmReceivers'))]", - 
"azureAppPushReceivers": "[if(empty(parameters('azureAppPushReceivers')), null(), parameters('azureAppPushReceivers'))]", - "automationRunbookReceivers": "[if(empty(parameters('automationRunbookReceivers')), null(), parameters('automationRunbookReceivers'))]", - "voiceReceivers": "[if(empty(parameters('voiceReceivers')), null(), parameters('voiceReceivers'))]", - "logicAppReceivers": "[if(empty(parameters('logicAppReceivers')), null(), parameters('logicAppReceivers'))]", - "azureFunctionReceivers": "[if(empty(parameters('azureFunctionReceivers')), null(), parameters('azureFunctionReceivers'))]", - "armRoleReceivers": "[if(empty(parameters('armRoleReceivers')), null(), parameters('armRoleReceivers'))]" - } - }, - "actionGroup_roleAssignments": { - "copy": { - "name": "actionGroup_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Insights/actionGroups/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Insights/actionGroups', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "actionGroup" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the action group was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the action group ." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the action group ." - }, - "value": "[resourceId('Microsoft.Insights/actionGroups', parameters('name'))]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('actionGroup', '2023-01-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/insights/action-group/tests/e2e/defaults/main.test.bicep b/modules/insights/action-group/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 019b31bb3b..0000000000 --- a/modules/insights/action-group/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,50 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-insights.actiongroups-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'iagmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- groupShortName: 'ag${serviceShort}001'
- }
-}]
diff --git a/modules/insights/action-group/tests/e2e/max/dependencies.bicep b/modules/insights/action-group/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/insights/action-group/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/insights/action-group/tests/e2e/max/main.test.bicep b/modules/insights/action-group/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 55291588f1..0000000000
--- a/modules/insights/action-group/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,89 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-insights.actiongroups-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'iagmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- groupShortName: 'ag${serviceShort}001'
- emailReceivers: [
- {
- emailAddress: 'test.user@testcompany.com'
- name: 'TestUser_-EmailAction-'
- useCommonAlertSchema: true
- }
- {
- emailAddress: 'test.user2@testcompany.com'
- name: 'TestUser2'
- useCommonAlertSchema: true
- }
- ]
- smsReceivers: [
- {
- countryCode: '1'
- name: 'TestUser_-SMSAction-'
- phoneNumber: '2345678901'
- }
- ]
- roleAssignments: [
- {
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- roleDefinitionIdOrName: 'Reader'
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/insights/action-group/tests/e2e/waf-aligned/dependencies.bicep b/modules/insights/action-group/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/insights/action-group/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/insights/action-group/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/action-group/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 33b5630927..0000000000
--- a/modules/insights/action-group/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,89 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-insights.actiongroups-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'iagwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- groupShortName: 'ag${serviceShort}001'
- emailReceivers: [
- {
- emailAddress: 'test.user@testcompany.com'
- name: 'TestUser_-EmailAction-'
- useCommonAlertSchema: true
- }
- {
- emailAddress: 'test.user2@testcompany.com'
- name: 'TestUser2'
- useCommonAlertSchema: true
- }
- ]
- smsReceivers: [
- {
- countryCode: '1'
- name: 'TestUser_-SMSAction-'
- phoneNumber: '2345678901'
- }
- ]
- roleAssignments: [
- {
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- roleDefinitionIdOrName: 'Reader'
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/insights/action-group/version.json b/modules/insights/action-group/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/insights/action-group/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/insights/activity-log-alert/MOVED-TO-AVM.md b/modules/insights/activity-log-alert/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/insights/activity-log-alert/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/insights/activity-log-alert/README.md b/modules/insights/activity-log-alert/README.md
index 02ded7facf..16025f553f 100644
--- a/modules/insights/activity-log-alert/README.md
+++ b/modules/insights/activity-log-alert/README.md
@@ -1,559 +1,7 @@ -# Activity Log Alerts `[Microsoft.Insights/activityLogAlerts]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/insights/activity-log-alert](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/insights/activity-log-alert).** -This module deploys an Activity Log Alert. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/insights/activity-log-alert). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/activityLogAlerts` | [2020-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2020-10-01/activityLogAlerts) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.activity-log-alert:1.0.0`. 
- -- [Using large parameter set](#example-1-using-large-parameter-set) -- [WAF-aligned](#example-2-waf-aligned) - -### Example 1: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -
- -via Bicep module - -```bicep -module activityLogAlert 'br:bicep/modules/insights.activity-log-alert:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ialamax' - params: { - // Required parameters - conditions: [ - { - equals: 'ServiceHealth' - field: 'category' - } - { - anyOf: [ - { - equals: 'Incident' - field: 'properties.incidentType' - } - { - equals: 'Maintenance' - field: 'properties.incidentType' - } - ] - } - { - containsAny: [ - 'Action Groups' - 'Activity Logs & Alerts' - ] - field: 'properties.impactedServices[*].ServiceName' - } - { - containsAny: [ - 'Global' - 'West Europe' - ] - field: 'properties.impactedServices[*].ImpactedRegions[*].RegionName' - } - ] - name: 'ialamax001' - // Non-required parameters - actions: [ - { - actionGroupId: '' - } - ] - enableDefaultTelemetry: '' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - scopes: [ - '' - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "conditions": { - "value": [ - { - "equals": "ServiceHealth", - "field": "category" - }, - { - "anyOf": [ - { - "equals": "Incident", - "field": "properties.incidentType" - }, - { - "equals": "Maintenance", - "field": "properties.incidentType" - } - ] - }, - { - "containsAny": [ - "Action Groups", - "Activity Logs & Alerts" - ], - "field": "properties.impactedServices[*].ServiceName" - }, - { - "containsAny": [ - "Global", - "West Europe" - ], - "field": "properties.impactedServices[*].ImpactedRegions[*].RegionName" - } - ] - }, - "name": { - "value": "ialamax001" - }, - // Non-required parameters - "actions": { - "value": [ - { - "actionGroupId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "scopes": { - "value": [ - "" - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 2: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module activityLogAlert 'br:bicep/modules/insights.activity-log-alert:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ialawaf' - params: { - // Required parameters - conditions: [ - { - equals: 'ServiceHealth' - field: 'category' - } - { - anyOf: [ - { - equals: 'Incident' - field: 'properties.incidentType' - } - { - equals: 'Maintenance' - field: 'properties.incidentType' - } - ] - } - { - containsAny: [ - 'Action Groups' - 'Activity Logs & Alerts' - ] - field: 'properties.impactedServices[*].ServiceName' - } - { - containsAny: [ - 'Global' - 'West Europe' - ] - field: 'properties.impactedServices[*].ImpactedRegions[*].RegionName' - } - ] - name: 'ialawaf001' - // Non-required parameters - actions: [ - { - actionGroupId: '' - } - ] - enableDefaultTelemetry: '' - scopes: [ - '' - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "conditions": { - "value": [ - { - "equals": "ServiceHealth", - "field": "category" - }, - { - "anyOf": [ - { - "equals": "Incident", - "field": "properties.incidentType" - }, - { - "equals": "Maintenance", - "field": "properties.incidentType" - } - ] - }, - { - "containsAny": [ - "Action Groups", - "Activity Logs & Alerts" - ], - "field": "properties.impactedServices[*].ServiceName" - }, - { - "containsAny": [ - "Global", - "West Europe" - ], - "field": "properties.impactedServices[*].ImpactedRegions[*].RegionName" - } - ] - }, - "name": { - "value": "ialawaf001" - }, - // Non-required parameters - "actions": { - "value": [ - { - "actionGroupId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "scopes": { - "value": [ - "" - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`conditions`](#parameter-conditions) | array | An Array of objects containing conditions that will cause this alert to activate. Conditions can also be combined with logical operators `allOf` and `anyOf`. Each condition can specify only one field between `equals` and `containsAny`. An alert rule condition must have exactly one category (Administrative, ServiceHealth, ResourceHealth, Alert, Autoscale, Recommendation, Security, or Policy). | -| [`name`](#parameter-name) | string | The name of the alert. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`actions`](#parameter-actions) | array | The list of actions to take when alert triggers. | -| [`alertDescription`](#parameter-alertdescription) | string | Description of the alert. | -| [`enabled`](#parameter-enabled) | bool | Indicates whether this alert is enabled. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`scopes`](#parameter-scopes) | array | The list of resource IDs that this Activity Log Alert is scoped to. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `conditions` - -An Array of objects containing conditions that will cause this alert to activate. Conditions can also be combined with logical operators `allOf` and `anyOf`. Each condition can specify only one field between `equals` and `containsAny`. An alert rule condition must have exactly one category (Administrative, ServiceHealth, ResourceHealth, Alert, Autoscale, Recommendation, Security, or Policy). - -- Required: Yes -- Type: array - -### Parameter: `name` - -The name of the alert. 
- -- Required: Yes -- Type: string - -### Parameter: `actions` - -The list of actions to take when alert triggers. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `alertDescription` - -Description of the alert. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enabled` - -Indicates whether this alert is enabled. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `'global'` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. 
| -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `scopes` - -The list of resource IDs that this Activity Log Alert is scoped to. - -- Required: No -- Type: array -- Default: - ```Bicep - [ - '[subscription().id]' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the activity log alert. | -| `resourceGroupName` | string | The resource group the activity log alert was deployed into. | -| `resourceId` | string | The resource ID of the activity log alert. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/insights/activity-log-alert/main.bicep b/modules/insights/activity-log-alert/main.bicep deleted file mode 100644 index 86c5717716..0000000000 --- a/modules/insights/activity-log-alert/main.bicep +++ /dev/null 
@@ -1,129 +0,0 @@ -metadata name = 'Activity Log Alerts' -metadata description = 'This module deploys an Activity Log Alert.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. The name of the alert.') -param name string - -@description('Optional. Description of the alert.') -param alertDescription string = '' - -@description('Optional. Location for all resources.') -param location string = 'global' - -@description('Optional. Indicates whether this alert is enabled.') -param enabled bool = true - -@description('Optional. The list of resource IDs that this Activity Log Alert is scoped to.') -param scopes array = [ - subscription().id -] - -@description('Optional. The list of actions to take when alert triggers.') -param actions array = [] - -@description('Required. An Array of objects containing conditions that will cause this alert to activate. Conditions can also be combined with logical operators `allOf` and `anyOf`. Each condition can specify only one field between `equals` and `containsAny`. An alert rule condition must have exactly one category (Administrative, ServiceHealth, ResourceHealth, Alert, Autoscale, Recommendation, Security, or Policy).') -param conditions array - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. Tags of the resource.') -param tags object? - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var actionGroups = [for action in actions: { - actionGroupId: contains(action, 'actionGroupId') ? action.actionGroupId : action - webhookProperties: contains(action, 'webhookProperties') ? 
action.webhookProperties : null -}] - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource activityLogAlert 'Microsoft.Insights/activityLogAlerts@2020-10-01' = { - name: name - location: location - tags: tags - properties: { - scopes: scopes - condition: { - allOf: conditions - } - actions: { - actionGroups: actionGroups - } - enabled: enabled - description: alertDescription - } -} - -resource activityLogAlert_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(activityLogAlert.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? 
roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: activityLogAlert -}] - -@description('The name of the activity log alert.') -output name string = activityLogAlert.name - -@description('The resource ID of the activity log alert.') -output resourceId string = activityLogAlert.id - -@description('The resource group the activity log alert was deployed into.') -output resourceGroupName string = resourceGroup().name - -@description('The location the resource was deployed into.') -output location string = activityLogAlert.location -// =============== // -// Definitions // -// =============== // - -type roleAssignmentType = { - @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? diff --git a/modules/insights/activity-log-alert/main.json b/modules/insights/activity-log-alert/main.json deleted file mode 100644 index 404dcfedae..0000000000 --- a/modules/insights/activity-log-alert/main.json +++ /dev/null 
@@ -1,259 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10623125824018281845" - }, - "name": "Activity Log Alerts", - "description": "This module deploys an Activity Log Alert.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. 
Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the alert." - } - }, - "alertDescription": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Description of the alert." - } - }, - "location": { - "type": "string", - "defaultValue": "global", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "enabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Indicates whether this alert is enabled." - } - }, - "scopes": { - "type": "array", - "defaultValue": [ - "[subscription().id]" - ], - "metadata": { - "description": "Optional. The list of resource IDs that this Activity Log Alert is scoped to." - } - }, - "actions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of actions to take when alert triggers." - } - }, - "conditions": { - "type": "array", - "metadata": { - "description": "Required. An Array of objects containing conditions that will cause this alert to activate. Conditions can also be combined with logical operators `allOf` and `anyOf`. Each condition can specify only one field between `equals` and `containsAny`. An alert rule condition must have exactly one category (Administrative, ServiceHealth, ResourceHealth, Alert, Autoscale, Recommendation, Security, or Policy)." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "copy": [ - { - "name": "actionGroups", - "count": "[length(parameters('actions'))]", - "input": { - "actionGroupId": "[if(contains(parameters('actions')[copyIndex('actionGroups')], 'actionGroupId'), parameters('actions')[copyIndex('actionGroups')].actionGroupId, parameters('actions')[copyIndex('actionGroups')])]", - "webhookProperties": "[if(contains(parameters('actions')[copyIndex('actionGroups')], 'webhookProperties'), parameters('actions')[copyIndex('actionGroups')].webhookProperties, null())]" - } - } - ], - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "activityLogAlert": { - "type": 
"Microsoft.Insights/activityLogAlerts", - "apiVersion": "2020-10-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "scopes": "[parameters('scopes')]", - "condition": { - "allOf": "[parameters('conditions')]" - }, - "actions": { - "actionGroups": "[variables('actionGroups')]" - }, - "enabled": "[parameters('enabled')]", - "description": "[parameters('alertDescription')]" - } - }, - "activityLogAlert_roleAssignments": { - "copy": { - "name": "activityLogAlert_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Insights/activityLogAlerts/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Insights/activityLogAlerts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 
'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "activityLogAlert" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the activity log alert." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the activity log alert." - }, - "value": "[resourceId('Microsoft.Insights/activityLogAlerts', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the activity log alert was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('activityLogAlert', '2020-10-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/insights/activity-log-alert/tests/e2e/max/dependencies.bicep b/modules/insights/activity-log-alert/tests/e2e/max/dependencies.bicep deleted file mode 100644 index f031089363..0000000000 --- a/modules/insights/activity-log-alert/tests/e2e/max/dependencies.bicep +++ /dev/null 
@@ -1,28 +0,0 @@
-@description('Required. The name of the Action Group to create.')
-param actionGroupName string
-
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource actionGroup 'Microsoft.Insights/actionGroups@2022-06-01' = {
- name: actionGroupName
- location: 'global'
- properties: {
- groupShortName: substring(replace(actionGroupName, '-', ''), 0, 11)
- enabled: true
- }
-}
-
-@description('The resource ID of the created Action Group.')
-output actionGroupResourceId string = actionGroup.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/insights/activity-log-alert/tests/e2e/max/main.test.bicep b/modules/insights/activity-log-alert/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 09f337ec7c..0000000000
--- a/modules/insights/activity-log-alert/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,120 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-insights.activityLogAlerts-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'ialamax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - actionGroupName: 'dep-${namePrefix}-ag-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - conditions: [ - { - field: 'category' - equals: 'ServiceHealth' - } - { - anyOf: 
[ - { - field: 'properties.incidentType' - equals: 'Incident' - } - { - field: 'properties.incidentType' - equals: 'Maintenance' - } - ] - } - { - field: 'properties.impactedServices[*].ServiceName' - containsAny: [ - 'Action Groups' - 'Activity Logs & Alerts' - ] - } - { - field: 'properties.impactedServices[*].ImpactedRegions[*].RegionName' - containsAny: [ - 'West Europe' - 'Global' - ] - } - ] - actions: [ - { - actionGroupId: nestedDependencies.outputs.actionGroupResourceId - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - scopes: [ - subscription().id - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/insights/activity-log-alert/tests/e2e/waf-aligned/dependencies.bicep b/modules/insights/activity-log-alert/tests/e2e/waf-aligned/dependencies.bicep deleted file mode 100644 index f031089363..0000000000 --- a/modules/insights/activity-log-alert/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null 
@@ -1,28 +0,0 @@
-@description('Required. The name of the Action Group to create.')
-param actionGroupName string
-
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource actionGroup 'Microsoft.Insights/actionGroups@2022-06-01' = {
- name: actionGroupName
- location: 'global'
- properties: {
- groupShortName: substring(replace(actionGroupName, '-', ''), 0, 11)
- enabled: true
- }
-}
-
-@description('The resource ID of the created Action Group.')
-output actionGroupResourceId string = actionGroup.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 4efeddccfe..0000000000
--- a/modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,103 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-insights.activityLogAlerts-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'ialawaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - actionGroupName: 'dep-${namePrefix}-ag-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - conditions: [ - { - field: 'category' - equals: 
'ServiceHealth'
- }
- {
- anyOf: [
- {
- field: 'properties.incidentType'
- equals: 'Incident'
- }
- {
- field: 'properties.incidentType'
- equals: 'Maintenance'
- }
- ]
- }
- {
- field: 'properties.impactedServices[*].ServiceName'
- containsAny: [
- 'Action Groups'
- 'Activity Logs & Alerts'
- ]
- }
- {
- field: 'properties.impactedServices[*].ImpactedRegions[*].RegionName'
- containsAny: [
- 'West Europe'
- 'Global'
- ]
- }
- ]
- actions: [
- {
- actionGroupId: nestedDependencies.outputs.actionGroupResourceId
- }
- ]
- scopes: [
- subscription().id
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/insights/activity-log-alert/version.json b/modules/insights/activity-log-alert/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/insights/activity-log-alert/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/insights/component/MOVED-TO-AVM.md b/modules/insights/component/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/insights/component/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/insights/component/README.md b/modules/insights/component/README.md
index 71509c45e5..ae617029d2 100644
--- a/modules/insights/component/README.md
+++ b/modules/insights/component/README.md
@@ -1,647 +1,7 @@
-# Application Insights `[Microsoft.Insights/components]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/insights/component](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/insights/component).** -This component deploys an Application Insights instance. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/insights/component). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/components` | [2020-02-02](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2020-02-02/components) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
- ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.component:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module component 'br:bicep/modules/insights.component:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-icmin' - params: { - // Required parameters - name: 'icmin001' - workspaceResourceId: '' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "icmin001" - }, - "workspaceResourceId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module component 'br:bicep/modules/insights.component:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-icmax' - params: { - // Required parameters - name: 'icmax001' - workspaceResourceId: '' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "icmax001" - }, - "workspaceResourceId": { - "value": "" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module component 'br:bicep/modules/insights.component:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-icwaf' - params: { - // Required parameters - name: 'icwaf001' - workspaceResourceId: '' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "icwaf001" - }, - "workspaceResourceId": { - "value": "" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Application Insights. | -| [`workspaceResourceId`](#parameter-workspaceresourceid) | string | Resource ID of the log analytics workspace which the data will be ingested to. This property is required to create an application with this API version. Applications from older versions will not have this property. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationType`](#parameter-applicationtype) | string | Application type. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`kind`](#parameter-kind) | string | The kind of application that this component refers to, used to customize UI. This value is a freeform string, values should typically be one of the following: web, ios, other, store, java, phone. | -| [`location`](#parameter-location) | string | Location for all Resources. | -| [`publicNetworkAccessForIngestion`](#parameter-publicnetworkaccessforingestion) | string | The network access type for accessing Application Insights ingestion. - Enabled or Disabled. | -| [`publicNetworkAccessForQuery`](#parameter-publicnetworkaccessforquery) | string | The network access type for accessing Application Insights query. - Enabled or Disabled. | -| [`retentionInDays`](#parameter-retentionindays) | int | Retention period in days. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`samplingPercentage`](#parameter-samplingpercentage) | int | Percentage of the data produced by the application being monitored that is being sampled for Application Insights telemetry. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `name` - -Name of the Application Insights. - -- Required: Yes -- Type: string - -### Parameter: `workspaceResourceId` - -Resource ID of the log analytics workspace which the data will be ingested to. This property is required to create an application with this API version. Applications from older versions will not have this property. - -- Required: Yes -- Type: string - -### Parameter: `applicationType` - -Application type. - -- Required: No -- Type: string -- Default: `'web'` -- Allowed: - ```Bicep - [ - 'other' - 'web' - ] - ``` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
| -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `kind` - -The kind of application that this component refers to, used to customize UI. This value is a freeform string, values should typically be one of the following: web, ios, other, store, java, phone. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `location` - -Location for all Resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `publicNetworkAccessForIngestion` - -The network access type for accessing Application Insights ingestion. - Enabled or Disabled. - -- Required: No -- Type: string -- Default: `'Enabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `publicNetworkAccessForQuery` - -The network access type for accessing Application Insights query. - Enabled or Disabled. - -- Required: No -- Type: string -- Default: `'Enabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `retentionInDays` - -Retention period in days. - -- Required: No -- Type: int -- Default: `365` -- Allowed: - ```Bicep - [ - 30 - 60 - 90 - 120 - 180 - 270 - 365 - 550 - 730 - ] - ``` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `samplingPercentage` - -Percentage of the data produced by the application being monitored that is being sampled for Application Insights telemetry. - -- Required: No -- Type: int -- Default: `100` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `applicationId` | string | The application ID of the application insights component. | -| `instrumentationKey` | string | Application Insights Instrumentation key. A read-only value that applications can use to identify the destination for all telemetry sent to Azure Application Insights. This value will be supplied upon construction of each new Application Insights component. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the application insights component. | -| `resourceGroupName` | string | The resource group the application insights component was deployed into. | -| `resourceId` | string | The resource ID of the application insights component. 
|
-
-## Cross-referenced modules
-
-_None_
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/insights/component/main.bicep b/modules/insights/component/main.bicep
deleted file mode 100644
index 801e9eb20a..0000000000
--- a/modules/insights/component/main.bicep
+++ /dev/null
@@ -1,223 +0,0 @@ -metadata name = 'Application Insights' -metadata description = 'This component deploys an Application Insights instance.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. Name of the Application Insights.') -param name string - -@description('Optional. Application type.') -@allowed([ - 'web' - 'other' -]) -param applicationType string = 'web' - -@description('Required. Resource ID of the log analytics workspace which the data will be ingested to. This property is required to create an application with this API version. Applications from older versions will not have this property.') -param workspaceResourceId string - -@description('Optional. The network access type for accessing Application Insights ingestion. - Enabled or Disabled.') -@allowed([ - 'Enabled' - 'Disabled' -]) -param publicNetworkAccessForIngestion string = 'Enabled' - -@description('Optional. The network access type for accessing Application Insights query. - Enabled or Disabled.') -@allowed([ - 'Enabled' - 'Disabled' -]) -param publicNetworkAccessForQuery string = 'Enabled' - -@description('Optional. Retention period in days.') -@allowed([ - 30 - 60 - 90 - 120 - 180 - 270 - 365 - 550 - 730 -]) -param retentionInDays int = 365 - -@description('Optional. Percentage of the data produced by the application being monitored that is being sampled for Application Insights telemetry.') -@minValue(0) -@maxValue(100) -param samplingPercentage int = 100 - -@description('Optional. The kind of application that this component refers to, used to customize UI. This value is a freeform string, values should typically be one of the following: web, ios, other, store, java, phone.') -param kind string = '' - -@description('Optional. Location for all Resources.') -param location string = resourceGroup().location - -@description('Optional. 
Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource appInsights 'Microsoft.Insights/components@2020-02-02' = {
- name: name
- location: location
- tags: tags
- kind: kind
- properties: {
-
Application_Type: applicationType - WorkspaceResourceId: workspaceResourceId - publicNetworkAccessForIngestion: publicNetworkAccessForIngestion - publicNetworkAccessForQuery: publicNetworkAccessForQuery - RetentionInDays: retentionInDays - SamplingPercentage: samplingPercentage - } -} - -resource appInsights_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(appInsights.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: appInsights -}] - -resource appInsights_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { - name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' - properties: { - storageAccountId: diagnosticSetting.?storageAccountResourceId - workspaceId: diagnosticSetting.?workspaceResourceId - eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId - eventHubName: diagnosticSetting.?eventHubName - metrics: diagnosticSetting.?metricCategories ?? [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - } - ] - logs: diagnosticSetting.?logCategoriesAndGroups ?? 
[ - { - categoryGroup: 'AllLogs' - enabled: true - } - ] - marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId - logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType - } - scope: appInsights -}] -@description('The name of the application insights component.') -output name string = appInsights.name - -@description('The resource ID of the application insights component.') -output resourceId string = appInsights.id - -@description('The resource group the application insights component was deployed into.') -output resourceGroupName string = resourceGroup().name - -@description('The application ID of the application insights component.') -output applicationId string = appInsights.properties.AppId - -@description('The location the resource was deployed into.') -output location string = appInsights.location - -@description('Application Insights Instrumentation key. A read-only value that applications can use to identify the destination for all telemetry sent to Azure Application Insights. This value will be supplied upon construction of each new Application Insights component.') -output instrumentationKey string = appInsights.properties.InstrumentationKey -// =============== // -// Definitions // -// =============== // - -type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? - -type diagnosticSettingType = { - @description('Optional. The name of diagnostic setting.') - name: string? - - @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') - logCategoriesAndGroups: { - @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') - category: string? - - @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') - categoryGroup: string? - }[]? - - @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') - metricCategories: { - @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') - category: string - }[]? - - @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? - - @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - workspaceResourceId: string? - - @description('Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/insights/component/main.json b/modules/insights/component/main.json
deleted file mode 100644
index 8e8789fea1..0000000000
--- a/modules/insights/component/main.json
+++ /dev/null
@@ -1,433 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16117162182230487170" - }, - "name": "Application Insights", - "description": "This component deploys an Application Insights instance.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. 
A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Application Insights." 
- } - }, - "applicationType": { - "type": "string", - "defaultValue": "web", - "allowedValues": [ - "web", - "other" - ], - "metadata": { - "description": "Optional. Application type." - } - }, - "workspaceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the log analytics workspace which the data will be ingested to. This property is required to create an application with this API version. Applications from older versions will not have this property." - } - }, - "publicNetworkAccessForIngestion": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. The network access type for accessing Application Insights ingestion. - Enabled or Disabled." - } - }, - "publicNetworkAccessForQuery": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. The network access type for accessing Application Insights query. - Enabled or Disabled." - } - }, - "retentionInDays": { - "type": "int", - "defaultValue": 365, - "allowedValues": [ - 30, - 60, - 90, - 120, - 180, - 270, - 365, - 550, - 730 - ], - "metadata": { - "description": "Optional. Retention period in days." - } - }, - "samplingPercentage": { - "type": "int", - "defaultValue": 100, - "minValue": 0, - "maxValue": 100, - "metadata": { - "description": "Optional. Percentage of the data produced by the application being monitored that is being sampled for Application Insights telemetry." - } - }, - "kind": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The kind of application that this component refers to, used to customize UI. This value is a freeform string, values should typically be one of the following: web, ios, other, store, java, phone." 
- } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "appInsights": { - "type": "Microsoft.Insights/components", - "apiVersion": "2020-02-02", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "kind": "[parameters('kind')]", - "properties": { - "Application_Type": "[parameters('applicationType')]", - "WorkspaceResourceId": "[parameters('workspaceResourceId')]", - "publicNetworkAccessForIngestion": "[parameters('publicNetworkAccessForIngestion')]", - "publicNetworkAccessForQuery": "[parameters('publicNetworkAccessForQuery')]", - "RetentionInDays": "[parameters('retentionInDays')]", - "SamplingPercentage": "[parameters('samplingPercentage')]" - } - }, - "appInsights_roleAssignments": { - "copy": { - "name": 
"appInsights_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Insights/components/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Insights/components', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "appInsights" - ] - }, - "appInsights_diagnosticSettings": { - "copy": { - "name": "appInsights_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), 
createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Insights/components/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "appInsights" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the application insights component." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the application insights component." 
- }, - "value": "[resourceId('Microsoft.Insights/components', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the application insights component was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "applicationId": { - "type": "string", - "metadata": { - "description": "The application ID of the application insights component." - }, - "value": "[reference('appInsights').AppId]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('appInsights', '2020-02-02', 'full').location]" - }, - "instrumentationKey": { - "type": "string", - "metadata": { - "description": "Application Insights Instrumentation key. A read-only value that applications can use to identify the destination for all telemetry sent to Azure Application Insights. This value will be supplied upon construction of each new Application Insights component." - }, - "value": "[reference('appInsights').InstrumentationKey]" - } - } -} \ No newline at end of file diff --git a/modules/insights/component/tests/e2e/defaults/dependencies.bicep b/modules/insights/component/tests/e2e/defaults/dependencies.bicep deleted file mode 100644 index cc24476629..0000000000 --- a/modules/insights/component/tests/e2e/defaults/dependencies.bicep +++ /dev/null @@ -1,13 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Log Analytics Workspace to create.') -param logAnalyticsWorkspaceName string - -resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' = { - name: logAnalyticsWorkspaceName - location: location -} - -@description('The resource ID of the created Log Analytics Workspace.') -output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.id 
diff --git a/modules/insights/component/tests/e2e/defaults/main.test.bicep b/modules/insights/component/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index 2c505a853f..0000000000
--- a/modules/insights/component/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,58 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-insights.components-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'icmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- workspaceResourceId: nestedDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
-}]
diff --git a/modules/insights/component/tests/e2e/max/dependencies.bicep b/modules/insights/component/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/insights/component/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/insights/component/tests/e2e/max/main.test.bicep b/modules/insights/component/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 69e8998fab..0000000000
--- a/modules/insights/component/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,98 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-insights.components-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'icmax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: 
location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/insights/component/tests/e2e/waf-aligned/dependencies.bicep b/modules/insights/component/tests/e2e/waf-aligned/dependencies.bicep deleted file mode 100644 index a7f42aee7b..0000000000 --- a/modules/insights/component/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null 
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/insights/component/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/component/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index e1940171ae..0000000000
--- a/modules/insights/component/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,98 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-insights.components-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'icwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 
'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/insights/component/version.json b/modules/insights/component/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/insights/component/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/insights/data-collection-endpoint/MOVED-TO-AVM.md b/modules/insights/data-collection-endpoint/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/insights/data-collection-endpoint/MOVED-TO-AVM.md +++ /dev/null 
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/insights/data-collection-endpoint/README.md b/modules/insights/data-collection-endpoint/README.md
index 48b0cc4d25..ad2d3249d0 100644
--- a/modules/insights/data-collection-endpoint/README.md
+++ b/modules/insights/data-collection-endpoint/README.md
@@ -1,489 +1,7 @@
-# Data Collection Endpoints `[Microsoft.Insights/dataCollectionEndpoints]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/insights/data-collection-endpoint](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/insights/data-collection-endpoint).** -This module deploys a Data Collection Endpoint. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/insights/data-collection-endpoint). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/dataCollectionEndpoints` | [2021-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-04-01/dataCollectionEndpoints) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
- ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.data-collection-endpoint:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module dataCollectionEndpoint 'br:bicep/modules/insights.data-collection-endpoint:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-idcemin' - params: { - // Required parameters - name: 'idcemin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "idcemin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module dataCollectionEndpoint 'br:bicep/modules/insights.data-collection-endpoint:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-idcemax' - params: { - // Required parameters - name: 'idcemax001' - // Non-required parameters - enableDefaultTelemetry: '' - kind: 'Windows' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - publicNetworkAccess: 'Enabled' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - kind: 'Windows' - resourceType: 'Data Collection Rules' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "idcemax001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "kind": { - "value": "Windows" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "publicNetworkAccess": { - "value": "Enabled" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "hidden-title": "This is visible in the resource name", - "kind": "Windows", - "resourceType": "Data Collection Rules" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module dataCollectionEndpoint 'br:bicep/modules/insights.data-collection-endpoint:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-idcewaf' - params: { - // Required parameters - name: 'idcewaf001' - // Non-required parameters - enableDefaultTelemetry: '' - kind: 'Windows' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - publicNetworkAccess: 'Enabled' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - kind: 'Windows' - resourceType: 'Data Collection Rules' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "idcewaf001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "kind": { - "value": "Windows" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "publicNetworkAccess": { - "value": "Enabled" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "hidden-title": "This is visible in the resource name", - "kind": "Windows", - "resourceType": "Data Collection Rules" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the data collection endpoint. The name is case insensitive. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| [`kind`](#parameter-kind) | string | The kind of the resource. | -| [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | The configuration to set whether network access from public internet to the endpoints are allowed. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`tags`](#parameter-tags) | object | Resource tags. | - -### Parameter: `name` - -The name of the data collection endpoint. The name is case insensitive. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via the Customer Usage Attribution ID (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `kind` - -The kind of the resource. - -- Required: No -- Type: string -- Default: `'Linux'` -- Allowed: - ```Bicep - [ - 'Linux' - 'Windows' - ] - ``` - -### Parameter: `location` - -Location for all Resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `publicNetworkAccess` - -The configuration to set whether network access from public internet to the endpoints are allowed. - -- Required: No -- Type: string -- Default: `'Disabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. 
| -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Resource tags. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the dataCollectionEndpoint. 
| -| `resourceGroupName` | string | The name of the resource group the dataCollectionEndpoint was created in. | -| `resourceId` | string | The resource ID of the dataCollectionEndpoint. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/insights/data-collection-endpoint/main.bicep b/modules/insights/data-collection-endpoint/main.bicep deleted file mode 100644 index b4f4003adb..0000000000 --- a/modules/insights/data-collection-endpoint/main.bicep +++ /dev/null 
@@ -1,149 +0,0 @@
-metadata name = 'Data Collection Endpoints'
-metadata description = 'This module deploys a Data Collection Endpoint.'
-metadata owner = 'Azure/module-maintainers'
-
-// ============== //
-// Parameters //
-// ============== //
-
-@description('Required. The name of the data collection endpoint. The name is case insensitive.')
-param name string
-
-@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. The kind of the resource.')
-@allowed([
- 'Linux'
- 'Windows'
-])
-param kind string = 'Linux'
-
-@description('Optional. Location for all Resources.')
-param location string = resourceGroup().location
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. The configuration to set whether network access from public internet to the endpoints are allowed.')
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-param publicNetworkAccess string = 'Disabled'
-
-@description('Optional. Resource tags.')
-param tags object?
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-// =============== //
-// Deployments //
-// =============== //
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource dataCollectionEndpoint 'Microsoft.Insights/dataCollectionEndpoints@2021-04-01' = {
- kind: kind
- location: location
- name: name
- tags: tags
- properties: {
- networkAcls: {
- publicNetworkAccess: publicNetworkAccess
- }
- }
-}
-
-resource dataCollectionEndpoint_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: dataCollectionEndpoint
-}
-
-resource dataCollectionEndpoint_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(dataCollectionEndpoint.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: dataCollectionEndpoint
-}]
-
-// =========== //
-// Outputs //
-// =========== //
-
-@description('The name of the dataCollectionEndpoint.')
-output name string = dataCollectionEndpoint.name
-
-@description('The resource ID of the dataCollectionEndpoint.')
-output resourceId string = dataCollectionEndpoint.id
-
-@description('The name of the resource group the dataCollectionEndpoint was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = dataCollectionEndpoint.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/insights/data-collection-endpoint/main.json b/modules/insights/data-collection-endpoint/main.json
deleted file mode 100644
index fbababc42e..0000000000
--- a/modules/insights/data-collection-endpoint/main.json
+++ /dev/null
@@ -1,275 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15918286561058568413" - }, - "name": "Data Collection Endpoints", - "description": "This module deploys a Data Collection Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the data collection endpoint. The name is case insensitive." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." - } - }, - "kind": { - "type": "string", - "defaultValue": "Linux", - "allowedValues": [ - "Linux", - "Windows" - ], - "metadata": { - "description": "Optional. The kind of the resource." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. 
The configuration to set whether network access from public internet to the endpoints are allowed." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Resource tags." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "dataCollectionEndpoint": { - "type": "Microsoft.Insights/dataCollectionEndpoints", - "apiVersion": "2021-04-01", - "name": "[parameters('name')]", - "kind": "[parameters('kind')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "networkAcls": { - "publicNetworkAccess": "[parameters('publicNetworkAccess')]" - } - } - }, - "dataCollectionEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), 
not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Insights/dataCollectionEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "dataCollectionEndpoint" - ] - }, - "dataCollectionEndpoint_roleAssignments": { - "copy": { - "name": "dataCollectionEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Insights/dataCollectionEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Insights/dataCollectionEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "dataCollectionEndpoint" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the dataCollectionEndpoint." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the dataCollectionEndpoint." - }, - "value": "[resourceId('Microsoft.Insights/dataCollectionEndpoints', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the dataCollectionEndpoint was created in." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('dataCollectionEndpoint', '2021-04-01', 'full').location]" - } - } -} \ No newline at end of file 
diff --git a/modules/insights/data-collection-endpoint/tests/e2e/defaults/main.test.bicep b/modules/insights/data-collection-endpoint/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index 9d0759239d..0000000000
--- a/modules/insights/data-collection-endpoint/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,48 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-insights.dataCollectionEndpoints-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'idcemin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// =========== //
-// Deployments //
-// =========== //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/insights/data-collection-endpoint/tests/e2e/max/dependencies.bicep b/modules/insights/data-collection-endpoint/tests/e2e/max/dependencies.bicep deleted file mode 100644 index d16e1031b1..0000000000 --- a/modules/insights/data-collection-endpoint/tests/e2e/max/dependencies.bicep +++ /dev/null @@ -1,13 +0,0 @@ -@description('Optional. The location to deploy resources to.') -param location string = resourceGroup().location - -@description('Required. The name of the managed identity to create.') -param managedIdentityName string - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -@description('The principal ID of the created managed identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/insights/data-collection-endpoint/tests/e2e/max/main.test.bicep b/modules/insights/data-collection-endpoint/tests/e2e/max/main.test.bicep deleted file mode 100644 index 3cc4c9c606..0000000000 --- a/modules/insights/data-collection-endpoint/tests/e2e/max/main.test.bicep +++ /dev/null 
@@ -1,75 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-insights.dataCollectionEndpoints-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'idcemax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// =========== // -// Deployments // -// =========== // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module resourceGroupResources 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-paramNested' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - publicNetworkAccess: 'Enabled' - kind: 'Windows' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - 
roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: resourceGroupResources.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - resourceType: 'Data Collection Rules' - kind: 'Windows' - } - } -}] diff --git a/modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/dependencies.bicep b/modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/dependencies.bicep deleted file mode 100644 index d16e1031b1..0000000000 --- a/modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null @@ -1,13 +0,0 @@ -@description('Optional. The location to deploy resources to.') -param location string = resourceGroup().location - -@description('Required. The name of the managed identity to create.') -param managedIdentityName string - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -@description('The principal ID of the created managed identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/main.test.bicep deleted file mode 100644 index db4a6e31a0..0000000000 --- a/modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/main.test.bicep +++ /dev/null 
@@ -1,75 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-insights.dataCollectionEndpoints-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'idcewaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// =========== //
-// Deployments //
-// =========== //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module resourceGroupResources 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-paramNested'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- publicNetworkAccess: 'Enabled'
- kind: 'Windows'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: resourceGroupResources.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- resourceType: 'Data Collection Rules'
- kind: 'Windows'
- }
- }
-}]
diff --git a/modules/insights/data-collection-endpoint/version.json b/modules/insights/data-collection-endpoint/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/insights/data-collection-endpoint/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/insights/data-collection-rule/MOVED-TO-AVM.md b/modules/insights/data-collection-rule/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/insights/data-collection-rule/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/insights/data-collection-rule/README.md b/modules/insights/data-collection-rule/README.md
index 886394f71a..11a1247e80 100644
--- a/modules/insights/data-collection-rule/README.md
+++ b/modules/insights/data-collection-rule/README.md
@@ -1,1736 +1,7 @@
-# Data Collection Rules `[Microsoft.Insights/dataCollectionRules]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/insights/data-collection-rule](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/insights/data-collection-rule).** -This module deploys a Data Collection Rule. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/insights/data-collection-rule). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/dataCollectionRules` | [2021-09-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-09-01-preview/dataCollectionRules) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
- ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.data-collection-rule:1.0.0`. - -- [Customadv](#example-1-customadv) -- [Custombasic](#example-2-custombasic) -- [Customiis](#example-3-customiis) -- [Using only defaults](#example-4-using-only-defaults) -- [Linux](#example-5-linux) -- [Windows](#example-6-windows) - -### Example 1: _Customadv_ - -
- -via Bicep module - -```bicep -module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-idcrcusadv' - params: { - // Required parameters - dataFlows: [ - { - destinations: [ - '' - ] - outputStream: 'Custom-CustomTableAdvanced_CL' - streams: [ - 'Custom-CustomTableAdvanced_CL' - ] - transformKql: 'source | extend LogFields = split(RawData, \',\') | extend EventTime = todatetime(LogFields[0]) | extend EventLevel = tostring(LogFields[1]) | extend EventCode = toint(LogFields[2]) | extend Message = tostring(LogFields[3]) | project TimeGenerated, EventTime, EventLevel, EventCode, Message' - } - ] - dataSources: { - logFiles: [ - { - filePatterns: [ - 'C:\\TestLogsAdvanced\\TestLog*.log' - ] - format: 'text' - name: 'CustomTableAdvanced_CL' - samplingFrequencyInSeconds: 60 - settings: { - text: { - recordStartTimestampFormat: 'ISO 8601' - } - } - streams: [ - 'Custom-CustomTableAdvanced_CL' - ] - } - ] - } - destinations: { - logAnalytics: [ - { - name: '' - workspaceResourceId: '' - } - ] - } - name: 'idcrcusadv001' - // Non-required parameters - dataCollectionEndpointId: '' - description: 'Collecting custom text logs with ingestion-time transformation to columns. 
Expected format of a log line (comma separated values): \',,,\', for example: \'2023-01-25T20:15:05Z,ERROR,404,Page not found\'' - enableDefaultTelemetry: '' - kind: 'Windows' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - streamDeclarations: { - 'Custom-CustomTableAdvanced_CL': { - columns: [ - { - name: 'TimeGenerated' - type: 'datetime' - } - { - name: 'EventTime' - type: 'datetime' - } - { - name: 'EventLevel' - type: 'string' - } - { - name: 'EventCode' - type: 'int' - } - { - name: 'Message' - type: 'string' - } - { - name: 'RawData' - type: 'string' - } - ] - } - } - tags: { - 'hidden-title': 'This is visible in the resource name' - kind: 'Windows' - resourceType: 'Data Collection Rules' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "dataFlows": { - "value": [ - { - "destinations": [ - "" - ], - "outputStream": "Custom-CustomTableAdvanced_CL", - "streams": [ - "Custom-CustomTableAdvanced_CL" - ], - "transformKql": "source | extend LogFields = split(RawData, \",\") | extend EventTime = todatetime(LogFields[0]) | extend EventLevel = tostring(LogFields[1]) | extend EventCode = toint(LogFields[2]) | extend Message = tostring(LogFields[3]) | project TimeGenerated, EventTime, EventLevel, EventCode, Message" - } - ] - }, - "dataSources": { - "value": { - "logFiles": [ - { - "filePatterns": [ - "C:\\TestLogsAdvanced\\TestLog*.log" - ], - "format": "text", - "name": "CustomTableAdvanced_CL", - "samplingFrequencyInSeconds": 60, - "settings": { - "text": { - "recordStartTimestampFormat": "ISO 8601" - } - }, - "streams": [ - "Custom-CustomTableAdvanced_CL" - ] - } - ] - } - }, - "destinations": { - "value": { - "logAnalytics": [ - { - "name": "", - "workspaceResourceId": "" - } - ] - } - }, - "name": { - "value": "idcrcusadv001" - }, - // Non-required parameters - "dataCollectionEndpointId": { - "value": "" - }, - "description": { - "value": "Collecting custom text logs with ingestion-time transformation to columns. 
Expected format of a log line (comma separated values): \",,,\", for example: \"2023-01-25T20:15:05Z,ERROR,404,Page not found\"" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "kind": { - "value": "Windows" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "streamDeclarations": { - "value": { - "Custom-CustomTableAdvanced_CL": { - "columns": [ - { - "name": "TimeGenerated", - "type": "datetime" - }, - { - "name": "EventTime", - "type": "datetime" - }, - { - "name": "EventLevel", - "type": "string" - }, - { - "name": "EventCode", - "type": "int" - }, - { - "name": "Message", - "type": "string" - }, - { - "name": "RawData", - "type": "string" - } - ] - } - } - }, - "tags": { - "value": { - "hidden-title": "This is visible in the resource name", - "kind": "Windows", - "resourceType": "Data Collection Rules" - } - } - } -} -``` - -
-

- -### Example 2: _Custombasic_ - -

- -via Bicep module - -```bicep -module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-idcrcusbas' - params: { - // Required parameters - dataFlows: [ - { - destinations: [ - '' - ] - outputStream: 'Custom-CustomTableBasic_CL' - streams: [ - 'Custom-CustomTableBasic_CL' - ] - transformKql: 'source' - } - ] - dataSources: { - logFiles: [ - { - filePatterns: [ - 'C:\\TestLogsBasic\\TestLog*.log' - ] - format: 'text' - name: 'CustomTableBasic_CL' - samplingFrequencyInSeconds: 60 - settings: { - text: { - recordStartTimestampFormat: 'ISO 8601' - } - } - streams: [ - 'Custom-CustomTableBasic_CL' - ] - } - ] - } - destinations: { - logAnalytics: [ - { - name: '' - workspaceResourceId: '' - } - ] - } - name: 'idcrcusbas001' - // Non-required parameters - dataCollectionEndpointId: '' - description: 'Collecting custom text logs without ingestion-time transformation.' - enableDefaultTelemetry: '' - kind: 'Windows' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - streamDeclarations: { - 'Custom-CustomTableBasic_CL': { - columns: [ - { - name: 'TimeGenerated' - type: 'datetime' - } - { - name: 'RawData' - type: 'string' - } - ] - } - } - tags: { - 'hidden-title': 'This is visible in the resource name' - kind: 'Windows' - resourceType: 'Data Collection Rules' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "dataFlows": { - "value": [ - { - "destinations": [ - "" - ], - "outputStream": "Custom-CustomTableBasic_CL", - "streams": [ - "Custom-CustomTableBasic_CL" - ], - "transformKql": "source" - } - ] - }, - "dataSources": { - "value": { - "logFiles": [ - { - "filePatterns": [ - "C:\\TestLogsBasic\\TestLog*.log" - ], - "format": "text", - "name": "CustomTableBasic_CL", - "samplingFrequencyInSeconds": 60, - "settings": { - "text": { - "recordStartTimestampFormat": "ISO 8601" - } - }, - "streams": [ - "Custom-CustomTableBasic_CL" - ] - } - ] - } - }, - "destinations": { - "value": { - "logAnalytics": [ - { - "name": "", - "workspaceResourceId": "" - } - ] - } - }, - "name": { - "value": "idcrcusbas001" - }, - // Non-required parameters - "dataCollectionEndpointId": { - "value": "" - }, - "description": { - "value": "Collecting custom text logs without ingestion-time transformation." - }, - "enableDefaultTelemetry": { - "value": "" - }, - "kind": { - "value": "Windows" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "streamDeclarations": { - "value": { - "Custom-CustomTableBasic_CL": { - "columns": [ - { - "name": "TimeGenerated", - "type": "datetime" - }, - { - "name": "RawData", - "type": "string" - } - ] - } - } - }, - "tags": { - "value": { - "hidden-title": "This is visible in the resource name", - "kind": "Windows", - "resourceType": "Data Collection Rules" - } - } - } -} -``` - -
-

- -### Example 3: _Customiis_ - -

- -via Bicep module - -```bicep -module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-idcrcusiis' - params: { - // Required parameters - dataFlows: [ - { - destinations: [ - '' - ] - outputStream: 'Microsoft-W3CIISLog' - streams: [ - 'Microsoft-W3CIISLog' - ] - transformKql: 'source' - } - ] - dataSources: { - iisLogs: [ - { - logDirectories: [ - 'C:\\inetpub\\logs\\LogFiles\\W3SVC1' - ] - name: 'iisLogsDataSource' - streams: [ - 'Microsoft-W3CIISLog' - ] - } - ] - } - destinations: { - logAnalytics: [ - { - name: '' - workspaceResourceId: '' - } - ] - } - name: 'idcrcusiis001' - // Non-required parameters - dataCollectionEndpointId: '' - description: 'Collecting IIS logs.' - enableDefaultTelemetry: '' - kind: 'Windows' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - kind: 'Windows' - resourceType: 'Data Collection Rules' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "dataFlows": { - "value": [ - { - "destinations": [ - "" - ], - "outputStream": "Microsoft-W3CIISLog", - "streams": [ - "Microsoft-W3CIISLog" - ], - "transformKql": "source" - } - ] - }, - "dataSources": { - "value": { - "iisLogs": [ - { - "logDirectories": [ - "C:\\inetpub\\logs\\LogFiles\\W3SVC1" - ], - "name": "iisLogsDataSource", - "streams": [ - "Microsoft-W3CIISLog" - ] - } - ] - } - }, - "destinations": { - "value": { - "logAnalytics": [ - { - "name": "", - "workspaceResourceId": "" - } - ] - } - }, - "name": { - "value": "idcrcusiis001" - }, - // Non-required parameters - "dataCollectionEndpointId": { - "value": "" - }, - "description": { - "value": "Collecting IIS logs." - }, - "enableDefaultTelemetry": { - "value": "" - }, - "kind": { - "value": "Windows" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "hidden-title": "This is visible in the resource name", - "kind": "Windows", - "resourceType": "Data Collection Rules" - } - } - } -} -``` - -
-

- -### Example 4: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-idcrmin' - params: { - // Required parameters - dataFlows: [ - { - destinations: [ - 'azureMonitorMetrics-default' - ] - streams: [ - 'Microsoft-InsightsMetrics' - ] - } - ] - dataSources: { - performanceCounters: [ - { - counterSpecifiers: [ - '\\Process(_Total)\\Handle Count' - '\\Process(_Total)\\Thread Count' - '\\Processor Information(_Total)\\% Privileged Time' - '\\Processor Information(_Total)\\% Processor Time' - '\\Processor Information(_Total)\\% User Time' - '\\Processor Information(_Total)\\Processor Frequency' - '\\System\\Context Switches/sec' - '\\System\\Processes' - '\\System\\Processor Queue Length' - '\\System\\System Up Time' - ] - name: 'perfCounterDataSource60' - samplingFrequencyInSeconds: 60 - streams: [ - 'Microsoft-InsightsMetrics' - ] - } - ] - } - destinations: { - azureMonitorMetrics: { - name: 'azureMonitorMetrics-default' - } - } - name: 'idcrmin001' - // Non-required parameters - enableDefaultTelemetry: '' - kind: 'Windows' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "dataFlows": { - "value": [ - { - "destinations": [ - "azureMonitorMetrics-default" - ], - "streams": [ - "Microsoft-InsightsMetrics" - ] - } - ] - }, - "dataSources": { - "value": { - "performanceCounters": [ - { - "counterSpecifiers": [ - "\\Process(_Total)\\Handle Count", - "\\Process(_Total)\\Thread Count", - "\\Processor Information(_Total)\\% Privileged Time", - "\\Processor Information(_Total)\\% Processor Time", - "\\Processor Information(_Total)\\% User Time", - "\\Processor Information(_Total)\\Processor Frequency", - "\\System\\Context Switches/sec", - "\\System\\Processes", - "\\System\\Processor Queue Length", - "\\System\\System Up Time" - ], - "name": "perfCounterDataSource60", - "samplingFrequencyInSeconds": 60, - "streams": [ - "Microsoft-InsightsMetrics" - ] - } - ] - } - }, - "destinations": { - "value": { - "azureMonitorMetrics": { - "name": "azureMonitorMetrics-default" - } - } - }, - "name": { - "value": "idcrmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "kind": { - "value": "Windows" - } - } -} -``` - -
-

- -### Example 5: _Linux_ - -

- -via Bicep module - -```bicep -module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-idcrlin' - params: { - // Required parameters - dataFlows: [ - { - destinations: [ - 'azureMonitorMetrics-default' - ] - streams: [ - 'Microsoft-InsightsMetrics' - ] - } - { - destinations: [ - '' - ] - streams: [ - 'Microsoft-Syslog' - ] - } - ] - dataSources: { - performanceCounters: [ - { - counterSpecifiers: [ - 'Logical Disk(*)\\% Free Inodes' - 'Logical Disk(*)\\% Free Space' - 'Logical Disk(*)\\% Used Inodes' - 'Logical Disk(*)\\% Used Space' - 'Logical Disk(*)\\Disk Read Bytes/sec' - 'Logical Disk(*)\\Disk Reads/sec' - 'Logical Disk(*)\\Disk Transfers/sec' - 'Logical Disk(*)\\Disk Write Bytes/sec' - 'Logical Disk(*)\\Disk Writes/sec' - 'Logical Disk(*)\\Free Megabytes' - 'Logical Disk(*)\\Logical Disk Bytes/sec' - 'Memory(*)\\% Available Memory' - 'Memory(*)\\% Available Swap Space' - 'Memory(*)\\% Used Memory' - 'Memory(*)\\% Used Swap Space' - 'Memory(*)\\Available MBytes Memory' - 'Memory(*)\\Available MBytes Swap' - 'Memory(*)\\Page Reads/sec' - 'Memory(*)\\Page Writes/sec' - 'Memory(*)\\Pages/sec' - 'Memory(*)\\Used MBytes Swap Space' - 'Memory(*)\\Used Memory MBytes' - 'Network(*)\\Total Bytes' - 'Network(*)\\Total Bytes Received' - 'Network(*)\\Total Bytes Transmitted' - 'Network(*)\\Total Collisions' - 'Network(*)\\Total Packets Received' - 'Network(*)\\Total Packets Transmitted' - 'Network(*)\\Total Rx Errors' - 'Network(*)\\Total Tx Errors' - 'Processor(*)\\% DPC Time' - 'Processor(*)\\% Idle Time' - 'Processor(*)\\% Interrupt Time' - 'Processor(*)\\% IO Wait Time' - 'Processor(*)\\% Nice Time' - 'Processor(*)\\% Privileged Time' - 'Processor(*)\\% Processor Time' - 'Processor(*)\\% User Time' - ] - name: 'perfCounterDataSource60' - samplingFrequencyInSeconds: 60 - streams: [ - 'Microsoft-InsightsMetrics' - ] - } - ] - syslog: [ - { - facilityNames: [ - 'auth' - 'authpriv' 
- ] - logLevels: [ - 'Alert' - 'Critical' - 'Debug' - 'Emergency' - 'Error' - 'Info' - 'Notice' - 'Warning' - ] - name: 'sysLogsDataSource-debugLevel' - streams: [ - 'Microsoft-Syslog' - ] - } - { - facilityNames: [ - 'cron' - 'daemon' - 'kern' - 'local0' - 'mark' - ] - logLevels: [ - 'Alert' - 'Critical' - 'Emergency' - 'Error' - 'Warning' - ] - name: 'sysLogsDataSource-warningLevel' - streams: [ - 'Microsoft-Syslog' - ] - } - { - facilityNames: [ - 'local1' - 'local2' - 'local3' - 'local4' - 'local5' - 'local6' - 'local7' - 'lpr' - 'mail' - 'news' - 'syslog' - ] - logLevels: [ - 'Alert' - 'Critical' - 'Emergency' - 'Error' - ] - name: 'sysLogsDataSource-errLevel' - streams: [ - 'Microsoft-Syslog' - ] - } - ] - } - destinations: { - azureMonitorMetrics: { - name: 'azureMonitorMetrics-default' - } - logAnalytics: [ - { - name: '' - workspaceResourceId: '' - } - ] - } - name: 'idcrlin001' - // Non-required parameters - description: 'Collecting Linux-specific performance counters and Linux Syslog' - enableDefaultTelemetry: '' - kind: 'Linux' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - kind: 'Linux' - resourceType: 'Data Collection Rules' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "dataFlows": { - "value": [ - { - "destinations": [ - "azureMonitorMetrics-default" - ], - "streams": [ - "Microsoft-InsightsMetrics" - ] - }, - { - "destinations": [ - "" - ], - "streams": [ - "Microsoft-Syslog" - ] - } - ] - }, - "dataSources": { - "value": { - "performanceCounters": [ - { - "counterSpecifiers": [ - "Logical Disk(*)\\% Free Inodes", - "Logical Disk(*)\\% Free Space", - "Logical Disk(*)\\% Used Inodes", - "Logical Disk(*)\\% Used Space", - "Logical Disk(*)\\Disk Read Bytes/sec", - "Logical Disk(*)\\Disk Reads/sec", - "Logical Disk(*)\\Disk Transfers/sec", - "Logical Disk(*)\\Disk Write Bytes/sec", - "Logical Disk(*)\\Disk Writes/sec", - "Logical Disk(*)\\Free Megabytes", - "Logical Disk(*)\\Logical Disk Bytes/sec", - "Memory(*)\\% Available Memory", - "Memory(*)\\% Available Swap Space", - "Memory(*)\\% Used Memory", - "Memory(*)\\% Used Swap Space", - "Memory(*)\\Available MBytes Memory", - "Memory(*)\\Available MBytes Swap", - "Memory(*)\\Page Reads/sec", - "Memory(*)\\Page Writes/sec", - "Memory(*)\\Pages/sec", - "Memory(*)\\Used MBytes Swap Space", - "Memory(*)\\Used Memory MBytes", - "Network(*)\\Total Bytes", - "Network(*)\\Total Bytes Received", - "Network(*)\\Total Bytes Transmitted", - "Network(*)\\Total Collisions", - "Network(*)\\Total Packets Received", - "Network(*)\\Total Packets Transmitted", - "Network(*)\\Total Rx Errors", - "Network(*)\\Total Tx Errors", - "Processor(*)\\% DPC Time", - "Processor(*)\\% Idle Time", - "Processor(*)\\% Interrupt Time", - "Processor(*)\\% IO Wait Time", - "Processor(*)\\% Nice Time", - "Processor(*)\\% Privileged Time", - "Processor(*)\\% Processor Time", - "Processor(*)\\% User Time" - ], - "name": "perfCounterDataSource60", - "samplingFrequencyInSeconds": 60, - "streams": [ - 
"Microsoft-InsightsMetrics" - ] - } - ], - "syslog": [ - { - "facilityNames": [ - "auth", - "authpriv" - ], - "logLevels": [ - "Alert", - "Critical", - "Debug", - "Emergency", - "Error", - "Info", - "Notice", - "Warning" - ], - "name": "sysLogsDataSource-debugLevel", - "streams": [ - "Microsoft-Syslog" - ] - }, - { - "facilityNames": [ - "cron", - "daemon", - "kern", - "local0", - "mark" - ], - "logLevels": [ - "Alert", - "Critical", - "Emergency", - "Error", - "Warning" - ], - "name": "sysLogsDataSource-warningLevel", - "streams": [ - "Microsoft-Syslog" - ] - }, - { - "facilityNames": [ - "local1", - "local2", - "local3", - "local4", - "local5", - "local6", - "local7", - "lpr", - "mail", - "news", - "syslog" - ], - "logLevels": [ - "Alert", - "Critical", - "Emergency", - "Error" - ], - "name": "sysLogsDataSource-errLevel", - "streams": [ - "Microsoft-Syslog" - ] - } - ] - } - }, - "destinations": { - "value": { - "azureMonitorMetrics": { - "name": "azureMonitorMetrics-default" - }, - "logAnalytics": [ - { - "name": "", - "workspaceResourceId": "" - } - ] - } - }, - "name": { - "value": "idcrlin001" - }, - // Non-required parameters - "description": { - "value": "Collecting Linux-specific performance counters and Linux Syslog" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "kind": { - "value": "Linux" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "hidden-title": "This is visible in the resource name", - "kind": "Linux", - "resourceType": "Data Collection Rules" - } - } - } -} -``` - -
-

- -### Example 6: _Windows_ - -

- -via Bicep module - -```bicep -module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-idcrwin' - params: { - // Required parameters - dataFlows: [ - { - destinations: [ - 'azureMonitorMetrics-default' - ] - streams: [ - 'Microsoft-InsightsMetrics' - ] - } - { - destinations: [ - '' - ] - streams: [ - 'Microsoft-Event' - ] - } - ] - dataSources: { - performanceCounters: [ - { - counterSpecifiers: [ - '\\LogicalDisk(_Total)\\% Disk Read Time' - '\\LogicalDisk(_Total)\\% Disk Time' - '\\LogicalDisk(_Total)\\% Disk Write Time' - '\\LogicalDisk(_Total)\\% Free Space' - '\\LogicalDisk(_Total)\\% Idle Time' - '\\LogicalDisk(_Total)\\Avg. Disk Queue Length' - '\\LogicalDisk(_Total)\\Avg. Disk Read Queue Length' - '\\LogicalDisk(_Total)\\Avg. Disk sec/Read' - '\\LogicalDisk(_Total)\\Avg. Disk sec/Transfer' - '\\LogicalDisk(_Total)\\Avg. Disk sec/Write' - '\\LogicalDisk(_Total)\\Avg. Disk Write Queue Length' - '\\LogicalDisk(_Total)\\Disk Bytes/sec' - '\\LogicalDisk(_Total)\\Disk Read Bytes/sec' - '\\LogicalDisk(_Total)\\Disk Reads/sec' - '\\LogicalDisk(_Total)\\Disk Transfers/sec' - '\\LogicalDisk(_Total)\\Disk Write Bytes/sec' - '\\LogicalDisk(_Total)\\Disk Writes/sec' - '\\LogicalDisk(_Total)\\Free Megabytes' - '\\Memory\\% Committed Bytes In Use' - '\\Memory\\Available Bytes' - '\\Memory\\Cache Bytes' - '\\Memory\\Committed Bytes' - '\\Memory\\Page Faults/sec' - '\\Memory\\Pages/sec' - '\\Memory\\Pool Nonpaged Bytes' - '\\Memory\\Pool Paged Bytes' - '\\Network Interface(*)\\Bytes Received/sec' - '\\Network Interface(*)\\Bytes Sent/sec' - '\\Network Interface(*)\\Bytes Total/sec' - '\\Network Interface(*)\\Packets Outbound Errors' - '\\Network Interface(*)\\Packets Received Errors' - '\\Network Interface(*)\\Packets Received/sec' - '\\Network Interface(*)\\Packets Sent/sec' - '\\Network Interface(*)\\Packets/sec' - '\\Process(_Total)\\Handle Count' - '\\Process(_Total)\\Thread 
Count' - '\\Process(_Total)\\Working Set' - '\\Process(_Total)\\Working Set - Private' - '\\Processor Information(_Total)\\% Privileged Time' - '\\Processor Information(_Total)\\% Processor Time' - '\\Processor Information(_Total)\\% User Time' - '\\Processor Information(_Total)\\Processor Frequency' - '\\System\\Context Switches/sec' - '\\System\\Processes' - '\\System\\Processor Queue Length' - '\\System\\System Up Time' - ] - name: 'perfCounterDataSource60' - samplingFrequencyInSeconds: 60 - streams: [ - 'Microsoft-InsightsMetrics' - ] - } - ] - windowsEventLogs: [ - { - name: 'eventLogsDataSource' - streams: [ - 'Microsoft-Event' - ] - xPathQueries: [ - 'Application!*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]' - 'Security!*[System[(band(Keywords,13510798882111488))]]' - 'System!*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]' - ] - } - ] - } - destinations: { - azureMonitorMetrics: { - name: 'azureMonitorMetrics-default' - } - logAnalytics: [ - { - name: '' - workspaceResourceId: '' - } - ] - } - name: 'idcrwin001' - // Non-required parameters - description: 'Collecting Windows-specific performance counters and Windows Event Logs' - enableDefaultTelemetry: '' - kind: 'Windows' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - kind: 'Windows' - resourceType: 'Data Collection Rules' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "dataFlows": { - "value": [ - { - "destinations": [ - "azureMonitorMetrics-default" - ], - "streams": [ - "Microsoft-InsightsMetrics" - ] - }, - { - "destinations": [ - "" - ], - "streams": [ - "Microsoft-Event" - ] - } - ] - }, - "dataSources": { - "value": { - "performanceCounters": [ - { - "counterSpecifiers": [ - "\\LogicalDisk(_Total)\\% Disk Read Time", - "\\LogicalDisk(_Total)\\% Disk Time", - "\\LogicalDisk(_Total)\\% Disk Write Time", - "\\LogicalDisk(_Total)\\% Free Space", - "\\LogicalDisk(_Total)\\% Idle Time", - "\\LogicalDisk(_Total)\\Avg. Disk Queue Length", - "\\LogicalDisk(_Total)\\Avg. Disk Read Queue Length", - "\\LogicalDisk(_Total)\\Avg. Disk sec/Read", - "\\LogicalDisk(_Total)\\Avg. Disk sec/Transfer", - "\\LogicalDisk(_Total)\\Avg. Disk sec/Write", - "\\LogicalDisk(_Total)\\Avg. 
Disk Write Queue Length", - "\\LogicalDisk(_Total)\\Disk Bytes/sec", - "\\LogicalDisk(_Total)\\Disk Read Bytes/sec", - "\\LogicalDisk(_Total)\\Disk Reads/sec", - "\\LogicalDisk(_Total)\\Disk Transfers/sec", - "\\LogicalDisk(_Total)\\Disk Write Bytes/sec", - "\\LogicalDisk(_Total)\\Disk Writes/sec", - "\\LogicalDisk(_Total)\\Free Megabytes", - "\\Memory\\% Committed Bytes In Use", - "\\Memory\\Available Bytes", - "\\Memory\\Cache Bytes", - "\\Memory\\Committed Bytes", - "\\Memory\\Page Faults/sec", - "\\Memory\\Pages/sec", - "\\Memory\\Pool Nonpaged Bytes", - "\\Memory\\Pool Paged Bytes", - "\\Network Interface(*)\\Bytes Received/sec", - "\\Network Interface(*)\\Bytes Sent/sec", - "\\Network Interface(*)\\Bytes Total/sec", - "\\Network Interface(*)\\Packets Outbound Errors", - "\\Network Interface(*)\\Packets Received Errors", - "\\Network Interface(*)\\Packets Received/sec", - "\\Network Interface(*)\\Packets Sent/sec", - "\\Network Interface(*)\\Packets/sec", - "\\Process(_Total)\\Handle Count", - "\\Process(_Total)\\Thread Count", - "\\Process(_Total)\\Working Set", - "\\Process(_Total)\\Working Set - Private", - "\\Processor Information(_Total)\\% Privileged Time", - "\\Processor Information(_Total)\\% Processor Time", - "\\Processor Information(_Total)\\% User Time", - "\\Processor Information(_Total)\\Processor Frequency", - "\\System\\Context Switches/sec", - "\\System\\Processes", - "\\System\\Processor Queue Length", - "\\System\\System Up Time" - ], - "name": "perfCounterDataSource60", - "samplingFrequencyInSeconds": 60, - "streams": [ - "Microsoft-InsightsMetrics" - ] - } - ], - "windowsEventLogs": [ - { - "name": "eventLogsDataSource", - "streams": [ - "Microsoft-Event" - ], - "xPathQueries": [ - "Application!*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]", - "Security!*[System[(band(Keywords,13510798882111488))]]", - "System!*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]" - ] - } - ] - } - }, - 
"destinations": { - "value": { - "azureMonitorMetrics": { - "name": "azureMonitorMetrics-default" - }, - "logAnalytics": [ - { - "name": "", - "workspaceResourceId": "" - } - ] - } - }, - "name": { - "value": "idcrwin001" - }, - // Non-required parameters - "description": { - "value": "Collecting Windows-specific performance counters and Windows Event Logs" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "kind": { - "value": "Windows" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "hidden-title": "This is visible in the resource name", - "kind": "Windows", - "resourceType": "Data Collection Rules" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`dataFlows`](#parameter-dataflows) | array | The specification of data flows. | -| [`dataSources`](#parameter-datasources) | object | Specification of data sources that will be collected. | -| [`destinations`](#parameter-destinations) | object | Specification of destinations that can be used in data flows. | -| [`name`](#parameter-name) | string | The name of the data collection rule. The name is case insensitive. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`dataCollectionEndpointId`](#parameter-datacollectionendpointid) | string | The resource ID of the data collection endpoint that this rule can be used with. | -| [`description`](#parameter-description) | string | Description of the data collection rule. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| [`kind`](#parameter-kind) | string | The kind of the resource. | -| [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`streamDeclarations`](#parameter-streamdeclarations) | object | Declaration of custom streams used in this rule. | -| [`tags`](#parameter-tags) | object | Resource tags. | - -### Parameter: `dataFlows` - -The specification of data flows. 
- -- Required: Yes -- Type: array - -### Parameter: `dataSources` - -Specification of data sources that will be collected. - -- Required: Yes -- Type: object - -### Parameter: `destinations` - -Specification of destinations that can be used in data flows. - -- Required: Yes -- Type: object - -### Parameter: `name` - -The name of the data collection rule. The name is case insensitive. - -- Required: Yes -- Type: string - -### Parameter: `dataCollectionEndpointId` - -The resource ID of the data collection endpoint that this rule can be used with. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `description` - -Description of the data collection rule. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via the Customer Usage Attribution ID (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `kind` - -The kind of the resource. - -- Required: No -- Type: string -- Default: `'Linux'` -- Allowed: - ```Bicep - [ - 'Linux' - 'Windows' - ] - ``` - -### Parameter: `location` - -Location for all Resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
- -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `streamDeclarations` - -Declaration of custom streams used in this rule. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `tags` - -Resource tags. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the dataCollectionRule. | -| `resourceGroupName` | string | The name of the resource group the dataCollectionRule was created in. | -| `resourceId` | string | The resource ID of the dataCollectionRule. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). 
diff --git a/modules/insights/data-collection-rule/main.bicep b/modules/insights/data-collection-rule/main.bicep
deleted file mode 100644
index e5086019f1..0000000000
--- a/modules/insights/data-collection-rule/main.bicep
+++ /dev/null
@@ -1,163 +0,0 @@
-metadata name = 'Data Collection Rules'
-metadata description = 'This module deploys a Data Collection Rule.'
-metadata owner = 'Azure/module-maintainers'
-
-// ============== //
-// Parameters //
-// ============== //
-
-@sys.description('Required. The name of the data collection rule. The name is case insensitive.')
-param name string
-
-@sys.description('Optional. The resource ID of the data collection endpoint that this rule can be used with.')
-param dataCollectionEndpointId string = ''
-
-@sys.description('Required. The specification of data flows.')
-param dataFlows array
-
-@sys.description('Required. Specification of data sources that will be collected.')
-param dataSources object
-
-@sys.description('Optional. Description of the data collection rule.')
-param description string = ''
-
-@sys.description('Required. Specification of destinations that can be used in data flows.')
-param destinations object
-
-@sys.description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
-param enableDefaultTelemetry bool = true
-
-@sys.description('Optional. The kind of the resource.')
-@allowed([
- 'Linux'
- 'Windows'
-])
-param kind string = 'Linux'
-
-@sys.description('Optional. Location for all Resources.')
-param location string = resourceGroup().location
-
-@sys.description('Optional. The lock settings of the service.')
-param lock lockType
-
-@sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@sys.description('Optional. Declaration of custom streams used in this rule.')
-param streamDeclarations object = {}
-
-@sys.description('Optional. Resource tags.')
-param tags object?
-
-// =============== //
-// Deployments //
-// =============== //
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource dataCollectionRule 'Microsoft.Insights/dataCollectionRules@2021-09-01-preview' = {
- kind: kind
- location: location
- name: name
- tags: tags
- properties: {
- dataSources: dataSources
- destinations: destinations
- dataFlows: dataFlows
- dataCollectionEndpointId: !empty(dataCollectionEndpointId) ? dataCollectionEndpointId : null
- streamDeclarations: !empty(streamDeclarations) ? streamDeclarations : null
- description: !empty(description) ? description : null
- }
-}
-
-resource dataCollectionRule_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: dataCollectionRule
-}
-
-resource dataCollectionRule_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(dataCollectionRule.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: dataCollectionRule
-}]
-
-// =========== //
-// Outputs //
-// =========== //
-
-@sys.description('The name of the dataCollectionRule.')
-output name string = dataCollectionRule.name
-
-@sys.description('The resource ID of the dataCollectionRule.')
-output resourceId string = dataCollectionRule.id
-
-@sys.description('The name of the resource group the dataCollectionRule was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@sys.description('The location the resource was deployed into.')
-output location string = dataCollectionRule.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @sys.description('Optional. Specify the name of lock.')
- name: string?
-
- @sys.description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @sys.description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @sys.description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @sys.description('Optional. The description of the role assignment.')
- description: string?
-
- @sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @sys.description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @sys.description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/insights/data-collection-rule/main.json b/modules/insights/data-collection-rule/main.json
deleted file mode 100644
index f35574da13..0000000000
--- a/modules/insights/data-collection-rule/main.json
+++ /dev/null
@@ -1,306 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10935624485627515874" - }, - "name": "Data Collection Rules", - "description": "This module deploys a Data Collection Rule.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the data collection rule. The name is case insensitive." - } - }, - "dataCollectionEndpointId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of the data collection endpoint that this rule can be used with." - } - }, - "dataFlows": { - "type": "array", - "metadata": { - "description": "Required. The specification of data flows." - } - }, - "dataSources": { - "type": "object", - "metadata": { - "description": "Required. Specification of data sources that will be collected." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Description of the data collection rule." - } - }, - "destinations": { - "type": "object", - "metadata": { - "description": "Required. Specification of destinations that can be used in data flows." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." - } - }, - "kind": { - "type": "string", - "defaultValue": "Linux", - "allowedValues": [ - "Linux", - "Windows" - ], - "metadata": { - "description": "Optional. The kind of the resource." 
- } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "streamDeclarations": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Declaration of custom streams used in this rule." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Resource tags." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "dataCollectionRule": { - "type": "Microsoft.Insights/dataCollectionRules", - "apiVersion": "2021-09-01-preview", - "name": "[parameters('name')]", - "kind": "[parameters('kind')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "dataSources": "[parameters('dataSources')]", - "destinations": "[parameters('destinations')]", - "dataFlows": "[parameters('dataFlows')]", - "dataCollectionEndpointId": "[if(not(empty(parameters('dataCollectionEndpointId'))), parameters('dataCollectionEndpointId'), null())]", - "streamDeclarations": "[if(not(empty(parameters('streamDeclarations'))), parameters('streamDeclarations'), null())]", - "description": "[if(not(empty(parameters('description'))), 
parameters('description'), null())]" - } - }, - "dataCollectionRule_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Insights/dataCollectionRules/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "dataCollectionRule" - ] - }, - "dataCollectionRule_roleAssignments": { - "copy": { - "name": "dataCollectionRule_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Insights/dataCollectionRules/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Insights/dataCollectionRules', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "dataCollectionRule" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the dataCollectionRule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the dataCollectionRule." - }, - "value": "[resourceId('Microsoft.Insights/dataCollectionRules', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the dataCollectionRule was created in." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('dataCollectionRule', '2021-09-01-preview', 'full').location]" - } - } -} \ No newline at end of file 
diff --git a/modules/insights/data-collection-rule/tests/e2e/customadv/dependencies.bicep b/modules/insights/data-collection-rule/tests/e2e/customadv/dependencies.bicep
deleted file mode 100644
index e31386a910..0000000000
--- a/modules/insights/data-collection-rule/tests/e2e/customadv/dependencies.bicep
+++ /dev/null
@@ -1,79 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the data collection endpoint to create.')
-param dataCollectionEndpointName string
-
-@description('Required. The name of the log analytics workspace to create.')
-param logAnalyticsWorkspaceName string
-
-@description('Required. The name of the managed identity to create.')
-param managedIdentityName string
-
-resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
- name: logAnalyticsWorkspaceName
- location: location
-
- resource customTableAdvanced 'tables@2022-10-01' = {
- name: 'CustomTableAdvanced_CL'
- properties: {
- schema: {
- name: 'CustomTableAdvanced_CL'
- columns: [
- {
- name: 'TimeGenerated'
- type: 'DateTime'
- }
- {
- name: 'EventTime'
- type: 'DateTime'
- }
- {
- name: 'EventLevel'
- type: 'String'
- }
- {
- name: 'EventCode'
- type: 'Int'
- }
- {
- name: 'Message'
- type: 'String'
- }
- {
- name: 'RawData'
- type: 'String'
- }
- ]
- }
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource dataCollectionEndpoint 'Microsoft.Insights/dataCollectionEndpoints@2021-04-01' = {
- kind: 'Windows'
- location: location
- name: dataCollectionEndpointName
- properties: {
- networkAcls: {
- publicNetworkAccess: 'Enabled'
- }
- }
-}
-
-@description('The resource ID of the created Log Analytics Workspace.')
-output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.id
-
-@description('The name of the deployed log analytics workspace.')
-output logAnalyticsWorkspaceName string = logAnalyticsWorkspace.name
-
-@description('The principal ID of the created managed identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Data Collection Endpoint.')
-output dataCollectionEndpointResourceId string = dataCollectionEndpoint.id
diff --git a/modules/insights/data-collection-rule/tests/e2e/customadv/main.test.bicep b/modules/insights/data-collection-rule/tests/e2e/customadv/main.test.bicep
deleted file mode 100644
index df94e99d0e..0000000000
--- a/modules/insights/data-collection-rule/tests/e2e/customadv/main.test.bicep
+++ /dev/null
@@ -1,145 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-insights.dataCollectionRules-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'idcrcusadv'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// =========== //
-// Deployments //
-// =========== //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module resourceGroupResources 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-paramNested'
- params: {
- dataCollectionEndpointName: 'dep-${namePrefix}-dce-${serviceShort}'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- name: '${namePrefix}${serviceShort}001'
- dataCollectionEndpointId: resourceGroupResources.outputs.dataCollectionEndpointResourceId
- description: 'Collecting custom text logs with ingestion-time transformation to columns. Expected format of a log line (comma separated values): ",,,", for example: "2023-01-25T20:15:05Z,ERROR,404,Page not found"'
- dataFlows: [
- {
- streams: [
- 'Custom-CustomTableAdvanced_CL'
- ]
- destinations: [
- resourceGroupResources.outputs.logAnalyticsWorkspaceName
- ]
- transformKql: 'source | extend LogFields = split(RawData, ",") | extend EventTime = todatetime(LogFields[0]) | extend EventLevel = tostring(LogFields[1]) | extend EventCode = toint(LogFields[2]) | extend Message = tostring(LogFields[3]) | project TimeGenerated, EventTime, EventLevel, EventCode, Message'
- outputStream: 'Custom-CustomTableAdvanced_CL'
- }
- ]
- dataSources: {
- logFiles: [
- {
- name: 'CustomTableAdvanced_CL'
- samplingFrequencyInSeconds: 60
- streams: [
- 'Custom-CustomTableAdvanced_CL'
- ]
- filePatterns: [
- 'C:\\TestLogsAdvanced\\TestLog*.log'
- ]
- format: 'text'
- settings: {
- text: {
- recordStartTimestampFormat: 'ISO 8601'
- }
- }
- }
- ]
- }
- destinations: {
- logAnalytics: [
- {
- workspaceResourceId: resourceGroupResources.outputs.logAnalyticsWorkspaceResourceId
- name: resourceGroupResources.outputs.logAnalyticsWorkspaceName
- }
- ]
- }
- streamDeclarations: {
- 'Custom-CustomTableAdvanced_CL': {
- columns: [
- {
- name: 'TimeGenerated'
- type: 'datetime'
- }
- {
- name: 'EventTime'
- type: 'datetime'
- }
- {
- name: 'EventLevel'
- type: 'string'
- }
- {
- name: 'EventCode'
- type: 'int'
- }
- {
- name: 'Message'
- type: 'string'
- }
- {
- name: 'RawData'
- type: 'string'
- }
- ]
- }
- }
- enableDefaultTelemetry: enableDefaultTelemetry
- kind: 'Windows'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: resourceGroupResources.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- resourceType: 'Data Collection Rules'
- kind: 'Windows'
- }
- }
-}]
diff --git a/modules/insights/data-collection-rule/tests/e2e/custombasic/dependencies.bicep b/modules/insights/data-collection-rule/tests/e2e/custombasic/dependencies.bicep
deleted file mode 100644
index f1804cde92..0000000000
--- a/modules/insights/data-collection-rule/tests/e2e/custombasic/dependencies.bicep
+++ /dev/null
@@ -1,63 +0,0 @@ -@description('Optional. The location to deploy resources to.') -param location string = resourceGroup().location - -@description('Required. The name of the data collection endpoint to create.') -param dataCollectionEndpointName string - -@description('Required. The name of the log analytics workspace to create.') -param logAnalyticsWorkspaceName string - -@description('Required. The name of the managed identity to create.') -param managedIdentityName string - -resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = { - name: logAnalyticsWorkspaceName - location: location - - resource customTableBasic 'tables@2022-10-01' = { - name: 'CustomTableBasic_CL' - properties: { - schema: { - name: 'CustomTableBasic_CL' - columns: [ - { - name: 'TimeGenerated' - type: 'DateTime' - } - { - name: 'RawData' - type: 'String' - } - ] - } - } - } -} - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -resource dataCollectionEndpoint 'Microsoft.Insights/dataCollectionEndpoints@2021-04-01' = { - kind: 'Windows' - location: location - name: dataCollectionEndpointName - properties: { - networkAcls: { - publicNetworkAccess: 'Enabled' - } - } -} - -@description('The resource ID of the created Log Analytics Workspace.') -output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.id - -@description('The name of the deployed log analytics workspace.') -output logAnalyticsWorkspaceName string = logAnalyticsWorkspace.name - -@description('The principal ID of the created managed identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId - -@description('The resource ID of the created Data Collection Endpoint.') -output dataCollectionEndpointResourceId string = dataCollectionEndpoint.id 
diff --git a/modules/insights/data-collection-rule/tests/e2e/custombasic/main.test.bicep b/modules/insights/data-collection-rule/tests/e2e/custombasic/main.test.bicep
deleted file mode 100644
index b044a95732..0000000000
--- a/modules/insights/data-collection-rule/tests/e2e/custombasic/main.test.bicep
+++ /dev/null
@@ -1,129 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-insights.dataCollectionRules-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'idcrcusbas' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// =========== // -// Deployments // -// =========== // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module resourceGroupResources 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-paramNested' - params: { - dataCollectionEndpointName: 'dep-${namePrefix}-dce-${serviceShort}' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - name: '${namePrefix}${serviceShort}001' - dataCollectionEndpointId: resourceGroupResources.outputs.dataCollectionEndpointResourceId - description: 'Collecting custom text logs without ingestion-time 
transformation.' - dataFlows: [ - { - streams: [ - 'Custom-CustomTableBasic_CL' - ] - destinations: [ - resourceGroupResources.outputs.logAnalyticsWorkspaceName - ] - transformKql: 'source' - outputStream: 'Custom-CustomTableBasic_CL' - } - ] - dataSources: { - logFiles: [ - { - name: 'CustomTableBasic_CL' - samplingFrequencyInSeconds: 60 - streams: [ - 'Custom-CustomTableBasic_CL' - ] - filePatterns: [ - 'C:\\TestLogsBasic\\TestLog*.log' - ] - format: 'text' - settings: { - text: { - recordStartTimestampFormat: 'ISO 8601' - } - } - } - ] - } - destinations: { - logAnalytics: [ - { - workspaceResourceId: resourceGroupResources.outputs.logAnalyticsWorkspaceResourceId - name: resourceGroupResources.outputs.logAnalyticsWorkspaceName - } - ] - } - streamDeclarations: { - 'Custom-CustomTableBasic_CL': { - columns: [ - { - name: 'TimeGenerated' - type: 'datetime' - } - { - name: 'RawData' - type: 'string' - } - ] - } - } - enableDefaultTelemetry: enableDefaultTelemetry - kind: 'Windows' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: resourceGroupResources.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - resourceType: 'Data Collection Rules' - kind: 'Windows' - } - } -}] diff --git a/modules/insights/data-collection-rule/tests/e2e/customiis/dependencies.bicep b/modules/insights/data-collection-rule/tests/e2e/customiis/dependencies.bicep deleted file mode 100644 index 3da1691963..0000000000 --- a/modules/insights/data-collection-rule/tests/e2e/customiis/dependencies.bicep +++ /dev/null 
@@ -1,44 +0,0 @@ -@description('Optional. The location to deploy resources to.') -param location string = resourceGroup().location - -@description('Required. The name of the data collection endpoint to create.') -param dataCollectionEndpointName string - -@description('Required. The name of the log analytics workspace to create.') -param logAnalyticsWorkspaceName string - -@description('Required. The name of the managed identity to create.') -param managedIdentityName string - -resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = { - name: logAnalyticsWorkspaceName - location: location -} - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -resource dataCollectionEndpoint 'Microsoft.Insights/dataCollectionEndpoints@2021-04-01' = { - kind: 'Windows' - location: location - name: dataCollectionEndpointName - properties: { - networkAcls: { - publicNetworkAccess: 'Enabled' - } - } -} - -@description('The resource ID of the created Log Analytics Workspace.') -output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.id - -@description('The name of the deployed log analytics workspace.') -output logAnalyticsWorkspaceName string = logAnalyticsWorkspace.name - -@description('The principal ID of the created managed identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId - -@description('The resource ID of the created Data Collection Endpoint.') -output dataCollectionEndpointResourceId string = dataCollectionEndpoint.id diff --git a/modules/insights/data-collection-rule/tests/e2e/customiis/main.test.bicep b/modules/insights/data-collection-rule/tests/e2e/customiis/main.test.bicep deleted file mode 100644 index 16bc3e3382..0000000000 --- a/modules/insights/data-collection-rule/tests/e2e/customiis/main.test.bicep +++ /dev/null 
@@ -1,108 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-insights.dataCollectionRules-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'idcrcusiis' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// =========== // -// Deployments // -// =========== // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module resourceGroupResources 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-paramNested' - params: { - dataCollectionEndpointName: 'dep-${namePrefix}-dce-${serviceShort}' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - name: '${namePrefix}${serviceShort}001' - dataCollectionEndpointId: resourceGroupResources.outputs.dataCollectionEndpointResourceId - description: 'Collecting IIS logs.' 
- dataFlows: [ - { - streams: [ - 'Microsoft-W3CIISLog' - ] - destinations: [ - resourceGroupResources.outputs.logAnalyticsWorkspaceName - ] - transformKql: 'source' - outputStream: 'Microsoft-W3CIISLog' - } - ] - dataSources: { - iisLogs: [ - { - name: 'iisLogsDataSource' - streams: [ - 'Microsoft-W3CIISLog' - ] - logDirectories: [ - 'C:\\inetpub\\logs\\LogFiles\\W3SVC1' - ] - } - ] - } - destinations: { - logAnalytics: [ - { - workspaceResourceId: resourceGroupResources.outputs.logAnalyticsWorkspaceResourceId - name: resourceGroupResources.outputs.logAnalyticsWorkspaceName - } - ] - } - enableDefaultTelemetry: enableDefaultTelemetry - kind: 'Windows' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: resourceGroupResources.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - resourceType: 'Data Collection Rules' - kind: 'Windows' - } - } -}] diff --git a/modules/insights/data-collection-rule/tests/e2e/defaults/main.test.bicep b/modules/insights/data-collection-rule/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 0328438f44..0000000000 --- a/modules/insights/data-collection-rule/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,87 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using only defaults' -metadata description = 'This instance deploys the module with the minimum set of required parameters.' - -// ========== // -// Parameters // -// ========== // -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-insights.dataCollectionRules-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'idcrmin' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// =========== // -// Deployments // -// =========== // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - name: '${namePrefix}${serviceShort}001' - dataSources: { - performanceCounters: [ - { - name: 'perfCounterDataSource60' - samplingFrequencyInSeconds: 60 - streams: [ - 'Microsoft-InsightsMetrics' - ] - counterSpecifiers: [ - '\\Processor Information(_Total)\\% Processor Time' - '\\Processor Information(_Total)\\% Privileged Time' - '\\Processor Information(_Total)\\% User Time' - '\\Processor Information(_Total)\\Processor Frequency' - '\\System\\Processes' - 
'\\Process(_Total)\\Thread Count' - '\\Process(_Total)\\Handle Count' - '\\System\\System Up Time' - '\\System\\Context Switches/sec' - '\\System\\Processor Queue Length' - ] - } - ] - } - destinations: { - azureMonitorMetrics: { - name: 'azureMonitorMetrics-default' - } - } - dataFlows: [ - { - streams: [ - 'Microsoft-InsightsMetrics' - ] - destinations: [ - 'azureMonitorMetrics-default' - ] - } - ] - enableDefaultTelemetry: enableDefaultTelemetry - kind: 'Windows' - } -}] diff --git a/modules/insights/data-collection-rule/tests/e2e/linux/dependencies.bicep b/modules/insights/data-collection-rule/tests/e2e/linux/dependencies.bicep deleted file mode 100644 index 24938ae9b5..0000000000 --- a/modules/insights/data-collection-rule/tests/e2e/linux/dependencies.bicep +++ /dev/null @@ -1,27 +0,0 @@ -@description('Optional. The location to deploy resources to.') -param location string = resourceGroup().location - -@description('Required. The name of the log analytics workspace to create.') -param logAnalyticsWorkspaceName string - -@description('Required. The name of the managed identity to create.') -param managedIdentityName string - -resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = { - name: logAnalyticsWorkspaceName - location: location -} - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -@description('The resource ID of the created Log Analytics Workspace.') -output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.id - -@description('The name of the deployed log analytics workspace.') -output logAnalyticsWorkspaceName string = logAnalyticsWorkspace.name - -@description('The principal ID of the created managed identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId 
diff --git a/modules/insights/data-collection-rule/tests/e2e/linux/main.test.bicep b/modules/insights/data-collection-rule/tests/e2e/linux/main.test.bicep
deleted file mode 100644
index 8a213a0651..0000000000
--- a/modules/insights/data-collection-rule/tests/e2e/linux/main.test.bicep
+++ /dev/null
@@ -1,221 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-insights.dataCollectionRules-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'idcrlin' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// =========== // -// Deployments // -// =========== // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module resourceGroupResources 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-paramNested' - params: { - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - name: '${namePrefix}${serviceShort}001' - description: 'Collecting Linux-specific performance counters and Linux Syslog' - dataSources: { - performanceCounters: [ - { - name: 'perfCounterDataSource60' - samplingFrequencyInSeconds: 60 - streams: [ - 'Microsoft-InsightsMetrics' - ] - 
counterSpecifiers: [ - 'Processor(*)\\% Processor Time' - 'Processor(*)\\% Idle Time' - 'Processor(*)\\% User Time' - 'Processor(*)\\% Nice Time' - 'Processor(*)\\% Privileged Time' - 'Processor(*)\\% IO Wait Time' - 'Processor(*)\\% Interrupt Time' - 'Processor(*)\\% DPC Time' - 'Memory(*)\\Available MBytes Memory' - 'Memory(*)\\% Available Memory' - 'Memory(*)\\Used Memory MBytes' - 'Memory(*)\\% Used Memory' - 'Memory(*)\\Pages/sec' - 'Memory(*)\\Page Reads/sec' - 'Memory(*)\\Page Writes/sec' - 'Memory(*)\\Available MBytes Swap' - 'Memory(*)\\% Available Swap Space' - 'Memory(*)\\Used MBytes Swap Space' - 'Memory(*)\\% Used Swap Space' - 'Logical Disk(*)\\% Free Inodes' - 'Logical Disk(*)\\% Used Inodes' - 'Logical Disk(*)\\Free Megabytes' - 'Logical Disk(*)\\% Free Space' - 'Logical Disk(*)\\% Used Space' - 'Logical Disk(*)\\Logical Disk Bytes/sec' - 'Logical Disk(*)\\Disk Read Bytes/sec' - 'Logical Disk(*)\\Disk Write Bytes/sec' - 'Logical Disk(*)\\Disk Transfers/sec' - 'Logical Disk(*)\\Disk Reads/sec' - 'Logical Disk(*)\\Disk Writes/sec' - 'Network(*)\\Total Bytes Transmitted' - 'Network(*)\\Total Bytes Received' - 'Network(*)\\Total Bytes' - 'Network(*)\\Total Packets Transmitted' - 'Network(*)\\Total Packets Received' - 'Network(*)\\Total Rx Errors' - 'Network(*)\\Total Tx Errors' - 'Network(*)\\Total Collisions' - ] - } - ] - syslog: [ - { - name: 'sysLogsDataSource-debugLevel' - streams: [ - 'Microsoft-Syslog' - ] - facilityNames: [ - 'auth' - 'authpriv' - ] - logLevels: [ - 'Debug' - 'Info' - 'Notice' - 'Warning' - 'Error' - 'Critical' - 'Alert' - 'Emergency' - ] - } - { - name: 'sysLogsDataSource-warningLevel' - streams: [ - 'Microsoft-Syslog' - ] - facilityNames: [ - 'cron' - 'daemon' - 'mark' - 'kern' - 'local0' - ] - logLevels: [ - 'Warning' - 'Error' - 'Critical' - 'Alert' - 'Emergency' - ] - } - { - name: 'sysLogsDataSource-errLevel' - streams: [ - 'Microsoft-Syslog' - ] - facilityNames: [ - 'local1' - 'local2' - 'local3' - 'local4' - 'local5' - 
'local6' - 'local7' - 'lpr' - 'mail' - 'news' - 'syslog' - ] - logLevels: [ - 'Error' - 'Critical' - 'Alert' - 'Emergency' - ] - } - ] - } - destinations: { - azureMonitorMetrics: { - name: 'azureMonitorMetrics-default' - } - logAnalytics: [ - { - workspaceResourceId: resourceGroupResources.outputs.logAnalyticsWorkspaceResourceId - name: resourceGroupResources.outputs.logAnalyticsWorkspaceName - } - ] - } - dataFlows: [ - { - streams: [ - 'Microsoft-InsightsMetrics' - ] - destinations: [ - 'azureMonitorMetrics-default' - ] - } - { - streams: [ - 'Microsoft-Syslog' - ] - destinations: [ - resourceGroupResources.outputs.logAnalyticsWorkspaceName - ] - } - - ] - enableDefaultTelemetry: enableDefaultTelemetry - kind: 'Linux' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: resourceGroupResources.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - resourceType: 'Data Collection Rules' - kind: 'Linux' - } - } -}] diff --git a/modules/insights/data-collection-rule/tests/e2e/windows/dependencies.bicep b/modules/insights/data-collection-rule/tests/e2e/windows/dependencies.bicep deleted file mode 100644 index 24938ae9b5..0000000000 --- a/modules/insights/data-collection-rule/tests/e2e/windows/dependencies.bicep +++ /dev/null 
@@ -1,27 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the log analytics workspace to create.')
-param logAnalyticsWorkspaceName string
-
-@description('Required. The name of the managed identity to create.')
-param managedIdentityName string
-
-resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
- name: logAnalyticsWorkspaceName
- location: location
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Log Analytics Workspace.')
-output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.id
-
-@description('The name of the deployed log analytics workspace.')
-output logAnalyticsWorkspaceName string = logAnalyticsWorkspace.name
-
-@description('The principal ID of the created managed identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/insights/data-collection-rule/tests/e2e/windows/main.test.bicep b/modules/insights/data-collection-rule/tests/e2e/windows/main.test.bicep
deleted file mode 100644
index 5831e1db12..0000000000
--- a/modules/insights/data-collection-rule/tests/e2e/windows/main.test.bicep
+++ /dev/null
@@ -1,175 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-insights.dataCollectionRules-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'idcrwin' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// =========== // -// Deployments // -// =========== // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module resourceGroupResources 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-paramNested' - params: { - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - name: '${namePrefix}${serviceShort}001' - description: 'Collecting Windows-specific performance counters and Windows Event Logs' - dataSources: { - performanceCounters: [ - { - name: 'perfCounterDataSource60' - samplingFrequencyInSeconds: 60 - streams: [ - 'Microsoft-InsightsMetrics' - 
] - counterSpecifiers: [ - '\\Processor Information(_Total)\\% Processor Time' - '\\Processor Information(_Total)\\% Privileged Time' - '\\Processor Information(_Total)\\% User Time' - '\\Processor Information(_Total)\\Processor Frequency' - '\\System\\Processes' - '\\Process(_Total)\\Thread Count' - '\\Process(_Total)\\Handle Count' - '\\System\\System Up Time' - '\\System\\Context Switches/sec' - '\\System\\Processor Queue Length' - '\\Memory\\% Committed Bytes In Use' - '\\Memory\\Available Bytes' - '\\Memory\\Committed Bytes' - '\\Memory\\Cache Bytes' - '\\Memory\\Pool Paged Bytes' - '\\Memory\\Pool Nonpaged Bytes' - '\\Memory\\Pages/sec' - '\\Memory\\Page Faults/sec' - '\\Process(_Total)\\Working Set' - '\\Process(_Total)\\Working Set - Private' - '\\LogicalDisk(_Total)\\% Disk Time' - '\\LogicalDisk(_Total)\\% Disk Read Time' - '\\LogicalDisk(_Total)\\% Disk Write Time' - '\\LogicalDisk(_Total)\\% Idle Time' - '\\LogicalDisk(_Total)\\Disk Bytes/sec' - '\\LogicalDisk(_Total)\\Disk Read Bytes/sec' - '\\LogicalDisk(_Total)\\Disk Write Bytes/sec' - '\\LogicalDisk(_Total)\\Disk Transfers/sec' - '\\LogicalDisk(_Total)\\Disk Reads/sec' - '\\LogicalDisk(_Total)\\Disk Writes/sec' - '\\LogicalDisk(_Total)\\Avg. Disk sec/Transfer' - '\\LogicalDisk(_Total)\\Avg. Disk sec/Read' - '\\LogicalDisk(_Total)\\Avg. Disk sec/Write' - '\\LogicalDisk(_Total)\\Avg. Disk Queue Length' - '\\LogicalDisk(_Total)\\Avg. Disk Read Queue Length' - '\\LogicalDisk(_Total)\\Avg. 
Disk Write Queue Length' - '\\LogicalDisk(_Total)\\% Free Space' - '\\LogicalDisk(_Total)\\Free Megabytes' - '\\Network Interface(*)\\Bytes Total/sec' - '\\Network Interface(*)\\Bytes Sent/sec' - '\\Network Interface(*)\\Bytes Received/sec' - '\\Network Interface(*)\\Packets/sec' - '\\Network Interface(*)\\Packets Sent/sec' - '\\Network Interface(*)\\Packets Received/sec' - '\\Network Interface(*)\\Packets Outbound Errors' - '\\Network Interface(*)\\Packets Received Errors' - ] - } - ] - windowsEventLogs: [ - { - name: 'eventLogsDataSource' - streams: [ - 'Microsoft-Event' - ] - xPathQueries: [ - 'Application!*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]' - 'Security!*[System[(band(Keywords,13510798882111488))]]' - 'System!*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]' - ] - } - ] - } - destinations: { - azureMonitorMetrics: { - name: 'azureMonitorMetrics-default' - } - logAnalytics: [ - { - workspaceResourceId: resourceGroupResources.outputs.logAnalyticsWorkspaceResourceId - name: resourceGroupResources.outputs.logAnalyticsWorkspaceName - } - ] - } - dataFlows: [ - { - streams: [ - 'Microsoft-InsightsMetrics' - ] - destinations: [ - 'azureMonitorMetrics-default' - ] - } - { - streams: [ - 'Microsoft-Event' - ] - destinations: [ - resourceGroupResources.outputs.logAnalyticsWorkspaceName - ] - } - - ] - enableDefaultTelemetry: enableDefaultTelemetry - kind: 'Windows' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: resourceGroupResources.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - resourceType: 'Data Collection Rules' - kind: 'Windows' - } - } -}] diff --git a/modules/insights/data-collection-rule/version.json b/modules/insights/data-collection-rule/version.json deleted file mode 100644 index 96236a61ba..0000000000 
--- a/modules/insights/data-collection-rule/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/insights/diagnostic-setting/MOVED-TO-AVM.md b/modules/insights/diagnostic-setting/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/insights/diagnostic-setting/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/insights/diagnostic-setting/README.md b/modules/insights/diagnostic-setting/README.md
index 35e68f7f10..fe4a886959 100644
--- a/modules/insights/diagnostic-setting/README.md
+++ b/modules/insights/diagnostic-setting/README.md
@@ -1,329 +1,7 @@
-# Diagnostic Settings (Activity Logs) for Azure Subscriptions `[Microsoft.Insights/diagnosticSettings]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/insights/diagnostic-setting](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/insights/diagnostic-setting).** -This module deploys a Subscription wide export of the Activity Log. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/insights/diagnostic-setting). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.diagnostic-setting:1.0.0`. - -- [Using large parameter set](#example-1-using-large-parameter-set) -- [WAF-aligned](#example-2-waf-aligned) - -### Example 1: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -
- -via Bicep module - -```bicep -module diagnosticSetting 'br:bicep/modules/insights.diagnostic-setting:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-idsmax' - params: { - enableDefaultTelemetry: '' - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'idsmax001' - storageAccountResourceId: '' - workspaceResourceId: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "enableDefaultTelemetry": { - "value": "" - }, - "eventHubAuthorizationRuleResourceId": { - "value": "" - }, - "eventHubName": { - "value": "" - }, - "metricCategories": { - "value": [ - { - "category": "AllMetrics" - } - ] - }, - "name": { - "value": "idsmax001" - }, - "storageAccountResourceId": { - "value": "" - }, - "workspaceResourceId": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module diagnosticSetting 'br:bicep/modules/insights.diagnostic-setting:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-idswaf' - params: { - enableDefaultTelemetry: '' - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'idswaf001' - storageAccountResourceId: '' - workspaceResourceId: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "enableDefaultTelemetry": { - "value": "" - }, - "eventHubAuthorizationRuleResourceId": { - "value": "" - }, - "eventHubName": { - "value": "" - }, - "metricCategories": { - "value": [ - { - "category": "AllMetrics" - } - ] - }, - "name": { - "value": "idswaf001" - }, - "storageAccountResourceId": { - "value": "" - }, - "workspaceResourceId": { - "value": "" - } - } -} -``` - -
-

- - -## Parameters - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`eventHubAuthorizationRuleResourceId`](#parameter-eventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-eventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`location`](#parameter-location) | string | Location deployment metadata. | -| [`logAnalyticsDestinationType`](#parameter-loganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-logcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-marketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-metriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-name) | string | Name of the Diagnostic settings. | -| [`storageAccountResourceId`](#parameter-storageaccountresourceid) | string | Resource ID of the diagnostic storage account. | -| [`workspaceResourceId`](#parameter-workspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. 
| - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - -- Required: No -- Type: string - -### Parameter: `location` - -Location deployment metadata. - -- Required: No -- Type: string -- Default: `[deployment().location]` - -### Parameter: `logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`category`](#parameter-logcategoriesandgroupscategory) | string | Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-logcategoriesandgroupscategorygroup) | string | Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `logCategoriesAndGroups.category` - -Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. 
- -- Required: No -- Type: string - -### Parameter: `logCategoriesAndGroups.categoryGroup` - -Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - -### Parameter: `marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`category`](#parameter-metriccategoriescategory) | string | Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `metricCategories.category` - -Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - -### Parameter: `name` - -Name of the Diagnostic settings. - -- Required: No -- Type: string -- Default: `[format('{0}-diagnosticSettings', uniqueString(subscription().id))]` - -### Parameter: `storageAccountResourceId` - -Resource ID of the diagnostic storage account. - -- Required: No -- Type: string - -### Parameter: `workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. - -- Required: No -- Type: string - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the diagnostic settings. | -| `resourceId` | string | The resource ID of the diagnostic settings. | -| `subscriptionName` | string | The name of the subscription to deploy into. 
|
-
-## Cross-referenced modules
-
-_None_
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/insights/diagnostic-setting/main.bicep b/modules/insights/diagnostic-setting/main.bicep
deleted file mode 100644
index 1022dca764..0000000000
--- a/modules/insights/diagnostic-setting/main.bicep
+++ /dev/null
@@ -1,111 +0,0 @@
-metadata name = 'Diagnostic Settings (Activity Logs) for Azure Subscriptions'
-metadata description = 'This module deploys a Subscription wide export of the Activity Log.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'subscription'
-
-@description('Optional. Name of the Diagnostic settings.')
-@minLength(1)
-@maxLength(260)
-param name string = '${uniqueString(subscription().id)}-diagnosticSettings'
-
-@description('Optional. Resource ID of the diagnostic storage account.')
-param storageAccountResourceId string?
-
-@description('Optional. Resource ID of the diagnostic log analytics workspace.')
-param workspaceResourceId string?
-
-@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-param eventHubAuthorizationRuleResourceId string?
-
-@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
-param eventHubName string?
-
-@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
-param logCategoriesAndGroups logCategoriesAndGroupsType
-
-@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
-param metricCategories metricCategoriesType?
-
-@description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
-@allowed([
- ''
- 'Dedicated'
- 'AzureDiagnostics'
-])
-param logAnalyticsDestinationType string = ''
-
-@description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
-param marketplacePartnerResourceId string?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. Location deployment metadata.')
-param location string = deployment().location
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- location: location
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource diagnosticSetting 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
- name: name
- properties: {
- storageAccountId: storageAccountResourceId
- workspaceId: workspaceResourceId
- eventHubAuthorizationRuleId: eventHubAuthorizationRuleResourceId
- eventHubName: eventHubName
- logAnalyticsDestinationType: !empty(logAnalyticsDestinationType) ? logAnalyticsDestinationType : null
- marketplacePartnerId: marketplacePartnerResourceId
- logs: logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- metrics: metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- }
-}
-
-@description('The name of the diagnostic settings.')
-output name string = diagnosticSetting.name
-
-@description('The resource ID of the diagnostic settings.')
-output resourceId string = diagnosticSetting.id
-
-@description('The name of the subscription to deploy into.')
-output subscriptionName string = subscription().displayName
-
-// =============== //
-// Definitions //
-// =============== //
-
-@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
-type logCategoriesAndGroupsType = {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
-}[]?
-
-@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
-type metricCategoriesType = {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
-}[]?
diff --git a/modules/insights/diagnostic-setting/main.json b/modules/insights/diagnostic-setting/main.json
deleted file mode 100644
index 15e8e5876f..0000000000
--- a/modules/insights/diagnostic-setting/main.json
+++ /dev/null
@@ -1,201 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "14463307770250978710" - }, - "name": "Diagnostic Settings (Activity Logs) for Azure Subscriptions", - "description": "This module deploys a Subscription wide export of the Activity Log.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "logCategoriesAndGroupsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategoriesType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." 
- } - } - }, - "parameters": { - "name": { - "type": "string", - "defaultValue": "[format('{0}-diagnosticSettings', uniqueString(subscription().id))]", - "minLength": 1, - "maxLength": 260, - "metadata": { - "description": "Optional. Name of the Diagnostic settings." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." - } - }, - "logCategoriesAndGroups": { - "$ref": "#/definitions/logCategoriesAndGroupsType", - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "$ref": "#/definitions/metricCategoriesType", - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Dedicated", - "AzureDiagnostics" - ], - "metadata": { - "description": "Optional. 
A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "diagnosticSetting": { - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "name": "[parameters('name')]", - "properties": { - "storageAccountId": "[parameters('storageAccountResourceId')]", - "workspaceId": "[parameters('workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[parameters('eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[parameters('eventHubName')]", - "logAnalyticsDestinationType": "[if(not(empty(parameters('logAnalyticsDestinationType'))), parameters('logAnalyticsDestinationType'), null())]", - "marketplacePartnerId": "[parameters('marketplacePartnerResourceId')]", - "logs": 
"[coalesce(parameters('logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "metrics": "[coalesce(parameters('metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]" - } - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the diagnostic settings." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the diagnostic settings." - }, - "value": "[subscriptionResourceId('Microsoft.Insights/diagnosticSettings', parameters('name'))]" - }, - "subscriptionName": { - "type": "string", - "metadata": { - "description": "The name of the subscription to deploy into." - }, - "value": "[subscription().displayName]" - } - } -} \ No newline at end of file diff --git a/modules/insights/diagnostic-setting/tests/e2e/max/main.test.bicep b/modules/insights/diagnostic-setting/tests/e2e/max/main.test.bicep deleted file mode 100644 index 82001d753f..0000000000 --- a/modules/insights/diagnostic-setting/tests/e2e/max/main.test.bicep +++ /dev/null 
@@ -1,71 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-insights.diagnosticsettings-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'idsmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
-}]
diff --git a/modules/insights/diagnostic-setting/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/diagnostic-setting/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index a84b3f82bc..0000000000
--- a/modules/insights/diagnostic-setting/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,71 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-insights.diagnosticsettings-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'idswaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
-}]
diff --git a/modules/insights/diagnostic-setting/version.json b/modules/insights/diagnostic-setting/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/insights/diagnostic-setting/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/insights/metric-alert/MOVED-TO-AVM.md b/modules/insights/metric-alert/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/insights/metric-alert/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/insights/metric-alert/README.md b/modules/insights/metric-alert/README.md
index e519eb367e..0985b6e3cd 100644
--- a/modules/insights/metric-alert/README.md
+++ b/modules/insights/metric-alert/README.md
@@ -1,592 +1,7 @@
-# Metric Alerts `[Microsoft.Insights/metricAlerts]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/insights/metric-alert](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/insights/metric-alert).** -This module deploys a Metric Alert. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/insights/metric-alert). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/metricAlerts` | [2018-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2018-03-01/metricAlerts) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.metric-alert:1.0.0`. 
- -- [Using large parameter set](#example-1-using-large-parameter-set) -- [WAF-aligned](#example-2-waf-aligned) - -### Example 1: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -
- -via Bicep module - -```bicep -module metricAlert 'br:bicep/modules/insights.metric-alert:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-imamax' - params: { - // Required parameters - criterias: [ - { - criterionType: 'StaticThresholdCriterion' - metricName: 'Percentage CPU' - metricNamespace: 'microsoft.compute/virtualmachines' - name: 'HighCPU' - operator: 'GreaterThan' - threshold: '90' - timeAggregation: 'Average' - } - ] - name: 'imamax001' - // Non-required parameters - actions: [ - '' - ] - alertCriteriaType: 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria' - enableDefaultTelemetry: '' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - targetResourceRegion: 'westeurope' - targetResourceType: 'microsoft.compute/virtualmachines' - windowSize: 'PT15M' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "criterias": { - "value": [ - { - "criterionType": "StaticThresholdCriterion", - "metricName": "Percentage CPU", - "metricNamespace": "microsoft.compute/virtualmachines", - "name": "HighCPU", - "operator": "GreaterThan", - "threshold": "90", - "timeAggregation": "Average" - } - ] - }, - "name": { - "value": "imamax001" - }, - // Non-required parameters - "actions": { - "value": [ - "" - ] - }, - "alertCriteriaType": { - "value": "Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "targetResourceRegion": { - "value": "westeurope" - }, - "targetResourceType": { - "value": "microsoft.compute/virtualmachines" - }, - "windowSize": { - "value": "PT15M" - } - } -} -``` - -
-

- -### Example 2: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module metricAlert 'br:bicep/modules/insights.metric-alert:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-imawaf' - params: { - // Required parameters - criterias: [ - { - criterionType: 'StaticThresholdCriterion' - metricName: 'Percentage CPU' - metricNamespace: 'microsoft.compute/virtualmachines' - name: 'HighCPU' - operator: 'GreaterThan' - threshold: '90' - timeAggregation: 'Average' - } - ] - name: 'imawaf001' - // Non-required parameters - actions: [ - '' - ] - alertCriteriaType: 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria' - enableDefaultTelemetry: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - targetResourceRegion: 'westeurope' - targetResourceType: 'microsoft.compute/virtualmachines' - windowSize: 'PT15M' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "criterias": { - "value": [ - { - "criterionType": "StaticThresholdCriterion", - "metricName": "Percentage CPU", - "metricNamespace": "microsoft.compute/virtualmachines", - "name": "HighCPU", - "operator": "GreaterThan", - "threshold": "90", - "timeAggregation": "Average" - } - ] - }, - "name": { - "value": "imawaf001" - }, - // Non-required parameters - "actions": { - "value": [ - "" - ] - }, - "alertCriteriaType": { - "value": "Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "targetResourceRegion": { - "value": "westeurope" - }, - "targetResourceType": { - "value": "microsoft.compute/virtualmachines" - }, - "windowSize": { - "value": "PT15M" - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`criterias`](#parameter-criterias) | array | Criterias to trigger the alert. Array of 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria' or 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria' objects. When using MultipleResourceMultipleMetricCriteria criteria type, some parameters becomes mandatory. It is not possible to convert from SingleResourceMultipleMetricCriteria to MultipleResourceMultipleMetricCriteria. The alert must be deleted and recreated. | -| [`name`](#parameter-name) | string | The name of the alert. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`targetResourceRegion`](#parameter-targetresourceregion) | string | The region of the target resource(s) on which the alert is created/updated. Required if alertCriteriaType is MultipleResourceMultipleMetricCriteria. | -| [`targetResourceType`](#parameter-targetresourcetype) | string | The resource type of the target resource(s) on which the alert is created/updated. Required if alertCriteriaType is MultipleResourceMultipleMetricCriteria. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`actions`](#parameter-actions) | array | The list of actions to take when alert triggers. | -| [`alertCriteriaType`](#parameter-alertcriteriatype) | string | Maps to the 'odata.type' field. Specifies the type of the alert criteria. | -| [`alertDescription`](#parameter-alertdescription) | string | Description of the alert. | -| [`autoMitigate`](#parameter-automitigate) | bool | The flag that indicates whether the alert should be auto resolved or not. | -| [`enabled`](#parameter-enabled) | bool | Indicates whether this alert is enabled. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). 
| -| [`evaluationFrequency`](#parameter-evaluationfrequency) | string | how often the metric alert is evaluated represented in ISO 8601 duration format. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`scopes`](#parameter-scopes) | array | the list of resource IDs that this metric alert is scoped to. | -| [`severity`](#parameter-severity) | int | The severity of the alert. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`windowSize`](#parameter-windowsize) | string | the period of time (in ISO 8601 duration format) that is used to monitor alert activity based on the threshold. | - -### Parameter: `criterias` - -Criterias to trigger the alert. Array of 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria' or 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria' objects. When using MultipleResourceMultipleMetricCriteria criteria type, some parameters becomes mandatory. It is not possible to convert from SingleResourceMultipleMetricCriteria to MultipleResourceMultipleMetricCriteria. The alert must be deleted and recreated. - -- Required: Yes -- Type: array - -### Parameter: `name` - -The name of the alert. - -- Required: Yes -- Type: string - -### Parameter: `targetResourceRegion` - -The region of the target resource(s) on which the alert is created/updated. Required if alertCriteriaType is MultipleResourceMultipleMetricCriteria. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `targetResourceType` - -The resource type of the target resource(s) on which the alert is created/updated. Required if alertCriteriaType is MultipleResourceMultipleMetricCriteria. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `actions` - -The list of actions to take when alert triggers. 
- -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `alertCriteriaType` - -Maps to the 'odata.type' field. Specifies the type of the alert criteria. - -- Required: No -- Type: string -- Default: `'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria'` -- Allowed: - ```Bicep - [ - 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria' - 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria' - 'Microsoft.Azure.Monitor.WebtestLocationAvailabilityCriteria' - ] - ``` - -### Parameter: `alertDescription` - -Description of the alert. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `autoMitigate` - -The flag that indicates whether the alert should be auto resolved or not. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enabled` - -Indicates whether this alert is enabled. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `evaluationFrequency` - -how often the metric alert is evaluated represented in ISO 8601 duration format. - -- Required: No -- Type: string -- Default: `'PT5M'` -- Allowed: - ```Bicep - [ - 'PT15M' - 'PT1H' - 'PT1M' - 'PT30M' - 'PT5M' - ] - ``` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `'global'` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `scopes` - -the list of resource IDs that this metric alert is scoped to. - -- Required: No -- Type: array -- Default: - ```Bicep - [ - '[subscription().id]' - ] - ``` - -### Parameter: `severity` - -The severity of the alert. - -- Required: No -- Type: int -- Default: `3` -- Allowed: - ```Bicep - [ - 0 - 1 - 2 - 3 - 4 - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `windowSize` - -the period of time (in ISO 8601 duration format) that is used to monitor alert activity based on the threshold. - -- Required: No -- Type: string -- Default: `'PT15M'` -- Allowed: - ```Bicep - [ - 'P1D' - 'PT12H' - 'PT15M' - 'PT1H' - 'PT1M' - 'PT30M' - 'PT5M' - 'PT6H' - ] - ``` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the metric alert. | -| `resourceGroupName` | string | The resource group the metric alert was deployed into. | -| `resourceId` | string | The resource ID of the metric alert. 
|
-
-## Cross-referenced modules
-
-_None_
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/insights/metric-alert/main.bicep b/modules/insights/metric-alert/main.bicep
deleted file mode 100644
index 9ac5667d66..0000000000
--- a/modules/insights/metric-alert/main.bicep
+++ /dev/null
@@ -1,184 +0,0 @@
-metadata name = 'Metric Alerts'
-metadata description = 'This module deploys a Metric Alert.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the alert.')
-param name string
-
-@description('Optional. Description of the alert.')
-param alertDescription string = ''
-
-@description('Optional. Location for all resources.')
-param location string = 'global'
-
-@description('Optional. Indicates whether this alert is enabled.')
-param enabled bool = true
-
-@description('Optional. The severity of the alert.')
-@allowed([
- 0
- 1
- 2
- 3
- 4
-])
-param severity int = 3
-
-@description('Optional. how often the metric alert is evaluated represented in ISO 8601 duration format.')
-@allowed([
- 'PT1M'
- 'PT5M'
- 'PT15M'
- 'PT30M'
- 'PT1H'
-])
-param evaluationFrequency string = 'PT5M'
-
-@description('Optional. the period of time (in ISO 8601 duration format) that is used to monitor alert activity based on the threshold.')
-@allowed([
- 'PT1M'
- 'PT5M'
- 'PT15M'
- 'PT30M'
- 'PT1H'
- 'PT6H'
- 'PT12H'
- 'P1D'
-])
-param windowSize string = 'PT15M'
-
-@description('Optional. the list of resource IDs that this metric alert is scoped to.')
-param scopes array = [
- subscription().id
-]
-
-@description('Conditional. The resource type of the target resource(s) on which the alert is created/updated. Required if alertCriteriaType is MultipleResourceMultipleMetricCriteria.')
-param targetResourceType string = ''
-
-@description('Conditional. The region of the target resource(s) on which the alert is created/updated. Required if alertCriteriaType is MultipleResourceMultipleMetricCriteria.')
-param targetResourceRegion string = ''
-
-@description('Optional. The flag that indicates whether the alert should be auto resolved or not.')
-param autoMitigate bool = true
-
-@description('Optional. The list of actions to take when alert triggers.')
-param actions array = []
-
-@description('Optional. Maps to the \'odata.type\' field. Specifies the type of the alert criteria.')
-@allowed([
- 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria'
- 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria'
- 'Microsoft.Azure.Monitor.WebtestLocationAvailabilityCriteria'
-])
-param alertCriteriaType string = 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria'
-
-@description('Required. Criterias to trigger the alert. Array of \'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria\' or \'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria\' objects. When using MultipleResourceMultipleMetricCriteria criteria type, some parameters becomes mandatory. It is not possible to convert from SingleResourceMultipleMetricCriteria to MultipleResourceMultipleMetricCriteria. The alert must be deleted and recreated.')
-param criterias array
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var actionGroups = [for action in actions: {
- actionGroupId: contains(action, 'actionGroupId') ? action.actionGroupId : action
- webHookProperties: contains(action, 'webHookProperties') ? action.webHookProperties : null
-}]
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource metricAlert 'Microsoft.Insights/metricAlerts@2018-03-01' = {
- name: name
- location: location
- tags: tags
- properties: {
- description: alertDescription
- severity: severity
- enabled: enabled
- scopes: scopes
- evaluationFrequency: evaluationFrequency
- windowSize: windowSize
- targetResourceType: targetResourceType
- targetResourceRegion: targetResourceRegion
- criteria: {
- 'odata.type': any(alertCriteriaType)
- allOf: criterias
- }
- autoMitigate: autoMitigate
- actions: actionGroups
- }
-}
-
-resource metricAlert_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(metricAlert.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: metricAlert
-}]
-
-@description('The resource group the metric alert was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the metric alert.')
-output name string = metricAlert.name
-
-@description('The resource ID of the metric alert.')
-output resourceId string = metricAlert.id
-
-@description('The location the resource was deployed into.')
-output location string = metricAlert.location
-// =============== //
-// Definitions //
-// =============== //
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/insights/metric-alert/main.json b/modules/insights/metric-alert/main.json
deleted file mode 100644
index bb99105f80..0000000000
--- a/modules/insights/metric-alert/main.json
+++ /dev/null
@@ -1,342 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "3497356791031567888" - }, - "name": "Metric Alerts", - "description": "This module deploys a Metric Alert.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the alert." - } - }, - "alertDescription": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Description of the alert." - } - }, - "location": { - "type": "string", - "defaultValue": "global", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "enabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Indicates whether this alert is enabled." - } - }, - "severity": { - "type": "int", - "defaultValue": 3, - "allowedValues": [ - 0, - 1, - 2, - 3, - 4 - ], - "metadata": { - "description": "Optional. The severity of the alert." - } - }, - "evaluationFrequency": { - "type": "string", - "defaultValue": "PT5M", - "allowedValues": [ - "PT1M", - "PT5M", - "PT15M", - "PT30M", - "PT1H" - ], - "metadata": { - "description": "Optional. how often the metric alert is evaluated represented in ISO 8601 duration format." - } - }, - "windowSize": { - "type": "string", - "defaultValue": "PT15M", - "allowedValues": [ - "PT1M", - "PT5M", - "PT15M", - "PT30M", - "PT1H", - "PT6H", - "PT12H", - "P1D" - ], - "metadata": { - "description": "Optional. the period of time (in ISO 8601 duration format) that is used to monitor alert activity based on the threshold." - } - }, - "scopes": { - "type": "array", - "defaultValue": [ - "[subscription().id]" - ], - "metadata": { - "description": "Optional. the list of resource IDs that this metric alert is scoped to." - } - }, - "targetResourceType": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. 
The resource type of the target resource(s) on which the alert is created/updated. Required if alertCriteriaType is MultipleResourceMultipleMetricCriteria." - } - }, - "targetResourceRegion": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The region of the target resource(s) on which the alert is created/updated. Required if alertCriteriaType is MultipleResourceMultipleMetricCriteria." - } - }, - "autoMitigate": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. The flag that indicates whether the alert should be auto resolved or not." - } - }, - "actions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of actions to take when alert triggers." - } - }, - "alertCriteriaType": { - "type": "string", - "defaultValue": "Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria", - "allowedValues": [ - "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria", - "Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria", - "Microsoft.Azure.Monitor.WebtestLocationAvailabilityCriteria" - ], - "metadata": { - "description": "Optional. Maps to the 'odata.type' field. Specifies the type of the alert criteria." - } - }, - "criterias": { - "type": "array", - "metadata": { - "description": "Required. Criterias to trigger the alert. Array of 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria' or 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria' objects. When using MultipleResourceMultipleMetricCriteria criteria type, some parameters becomes mandatory. It is not possible to convert from SingleResourceMultipleMetricCriteria to MultipleResourceMultipleMetricCriteria. The alert must be deleted and recreated." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." 
- } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "copy": [ - { - "name": "actionGroups", - "count": "[length(parameters('actions'))]", - "input": { - "actionGroupId": "[if(contains(parameters('actions')[copyIndex('actionGroups')], 'actionGroupId'), parameters('actions')[copyIndex('actionGroups')].actionGroupId, parameters('actions')[copyIndex('actionGroups')])]", - "webHookProperties": "[if(contains(parameters('actions')[copyIndex('actionGroups')], 'webHookProperties'), parameters('actions')[copyIndex('actionGroups')].webHookProperties, null())]" - } - } - ], - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "metricAlert": { - "type": "Microsoft.Insights/metricAlerts", - "apiVersion": "2018-03-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "description": "[parameters('alertDescription')]", - "severity": "[parameters('severity')]", - "enabled": "[parameters('enabled')]", - "scopes": "[parameters('scopes')]", - "evaluationFrequency": "[parameters('evaluationFrequency')]", - "windowSize": "[parameters('windowSize')]", - "targetResourceType": "[parameters('targetResourceType')]", - "targetResourceRegion": "[parameters('targetResourceRegion')]", - "criteria": { - "odata.type": "[parameters('alertCriteriaType')]", - "allOf": "[parameters('criterias')]" - }, - "autoMitigate": "[parameters('autoMitigate')]", - "actions": "[variables('actionGroups')]" - } - }, - "metricAlert_roleAssignments": { - "copy": { - "name": "metricAlert_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Insights/metricAlerts/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Insights/metricAlerts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, 
'/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "metricAlert" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the metric alert was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the metric alert." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the metric alert." - }, - "value": "[resourceId('Microsoft.Insights/metricAlerts', parameters('name'))]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('metricAlert', '2018-03-01', 'full').location]" - } - } -} \ No newline at end of file 
diff --git a/modules/insights/metric-alert/tests/e2e/max/dependencies.bicep b/modules/insights/metric-alert/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index eb23eca835..0000000000
--- a/modules/insights/metric-alert/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,29 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Action Group to create.')
-param actionGroupName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource actionGroup 'Microsoft.Insights/actionGroups@2022-06-01' = {
- name: actionGroupName
- location: 'global'
-
- properties: {
- enabled: true
- groupShortName: substring(actionGroupName, 0, 11)
- }
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Action Group.')
-output actionGroupResourceId string = actionGroup.id
diff --git a/modules/insights/metric-alert/tests/e2e/max/main.test.bicep b/modules/insights/metric-alert/tests/e2e/max/main.test.bicep
deleted file mode 100644
index ef36753b63..0000000000
--- a/modules/insights/metric-alert/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,98 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-insights.metricalerts-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'imamax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- actionGroupName: 'dep-${namePrefix}-ag-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- criterias: [
- {
- criterionType: 'StaticThresholdCriterion'
- metricName: 'Percentage CPU'
- metricNamespace: 'microsoft.compute/virtualmachines'
- name: 'HighCPU'
- operator: 'GreaterThan'
- threshold: '90'
- timeAggregation: 'Average'
- }
- ]
- actions: [
- nestedDependencies.outputs.actionGroupResourceId
- ]
- alertCriteriaType: 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- targetResourceRegion: 'westeurope'
- targetResourceType: 'microsoft.compute/virtualmachines'
- windowSize: 'PT15M'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/insights/metric-alert/tests/e2e/waf-aligned/dependencies.bicep b/modules/insights/metric-alert/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index eb23eca835..0000000000
--- a/modules/insights/metric-alert/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,29 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Action Group to create.')
-param actionGroupName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource actionGroup 'Microsoft.Insights/actionGroups@2022-06-01' = {
- name: actionGroupName
- location: 'global'
-
- properties: {
- enabled: true
- groupShortName: substring(actionGroupName, 0, 11)
- }
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Action Group.')
-output actionGroupResourceId string = actionGroup.id
diff --git a/modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 8af9b43124..0000000000
--- a/modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,81 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-insights.metricalerts-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'imawaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- actionGroupName: 'dep-${namePrefix}-ag-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- criterias: [
- {
- criterionType: 'StaticThresholdCriterion'
- metricName: 'Percentage CPU'
- metricNamespace: 'microsoft.compute/virtualmachines'
- name: 'HighCPU'
- operator: 'GreaterThan'
- threshold: '90'
- timeAggregation: 'Average'
- }
- ]
- actions: [
- nestedDependencies.outputs.actionGroupResourceId
- ]
- alertCriteriaType: 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria'
- targetResourceRegion: 'westeurope'
- targetResourceType: 'microsoft.compute/virtualmachines'
- windowSize: 'PT15M'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/insights/metric-alert/version.json b/modules/insights/metric-alert/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/insights/metric-alert/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/insights/private-link-scope/MOVED-TO-AVM.md b/modules/insights/private-link-scope/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/insights/private-link-scope/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/insights/private-link-scope/README.md b/modules/insights/private-link-scope/README.md
index 70ad8a003c..290b03cfbc 100644
--- a/modules/insights/private-link-scope/README.md
+++ b/modules/insights/private-link-scope/README.md
@@ -1,895 +1,7 @@
-# Azure Monitor Private Link Scopes `[microsoft.insights/privateLinkScopes]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/insights/private-link-scope](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/insights/private-link-scope).** -This module deploys an Azure Monitor Private Link Scope. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/insights/private-link-scope). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `microsoft.insights/privateLinkScopes` | [2021-07-01-preview](https://learn.microsoft.com/en-us/azure/templates/microsoft.insights/2021-07-01-preview/privateLinkScopes) | -| `Microsoft.Insights/privateLinkScopes/scopedResources` | [2021-07-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-07-01-preview/privateLinkScopes/scopedResources) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 
[2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.private-link-scope:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep - name: '${uniqueString(deployment().name, location)}-test-iplsmin' - params: { - // Required parameters - name: 'iplsmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "iplsmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep - name: '${uniqueString(deployment().name, location)}-test-iplsmax' - params: { - // Required parameters - name: 'iplsmax001' - // Non-required parameters - accessModeSettings: { - exclusions: [ - { - ingestionAccessMode: 'PrivateOnly' - privateEndpointConnectionName: 'thisisatest' - queryAccessMode: 'PrivateOnly' - } - ] - ingestionAccessMode: 'Open' - queryAccessMode: 'Open' - } - enableDefaultTelemetry: '' - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - scopedResources: [ - { - linkedResourceId: '' - name: 'scoped1' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "iplsmax001" - }, - // Non-required parameters - "accessModeSettings": { - "value": { - "exclusions": [ - { - "ingestionAccessMode": "PrivateOnly", - "privateEndpointConnectionName": "thisisatest", - "queryAccessMode": "PrivateOnly" - } - ], - "ingestionAccessMode": "Open", - "queryAccessMode": "Open" - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "scopedResources": { - "value": [ - { - "linkedResourceId": "", - "name": "scoped1" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep - name: '${uniqueString(deployment().name, location)}-test-iplswaf' - params: { - // Required parameters - name: 'iplswaf001' - // Non-required parameters - accessModeSettings: { - exclusions: [ - { - ingestionAccessMode: 'PrivateOnly' - privateEndpointConnectionName: 'thisisatest' - queryAccessMode: 'PrivateOnly' - } - ] - ingestionAccessMode: 'Open' - queryAccessMode: 'Open' - } - enableDefaultTelemetry: '' - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - scopedResources: [ - { - linkedResourceId: '' - name: 'scoped1' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "iplswaf001" - }, - // Non-required parameters - "accessModeSettings": { - "value": { - "exclusions": [ - { - "ingestionAccessMode": "PrivateOnly", - "privateEndpointConnectionName": "thisisatest", - "queryAccessMode": "PrivateOnly" - } - ], - "ingestionAccessMode": "Open", - "queryAccessMode": "Open" - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "scopedResources": { - "value": [ - { - "linkedResourceId": "", - "name": "scoped1" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the private link scope. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`accessModeSettings`](#parameter-accessmodesettings) | object | Specifies the access mode of ingestion or queries through associated private endpoints in scope. For security reasons, it is recommended to use PrivateOnly whenever possible to avoid data exfiltration.

* Private Only - This mode allows the connected virtual network to reach only Private Link resources. It is the most secure mode and is set as the default when the `privateEndpoints` parameter is configured.

* Open - Allows the connected virtual network to reach both Private Link resources and the resources not in the AMPLS resource. Data exfiltration cannot be prevented in this mode. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | The location of the private link scope. Should be global. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`scopedResources`](#parameter-scopedresources) | array | Configuration details for Azure Monitor Resources. | -| [`tags`](#parameter-tags) | object | Resource tags. | - -### Parameter: `name` - -Name of the private link scope. - -- Required: Yes -- Type: string - -### Parameter: `accessModeSettings` - -Specifies the access mode of ingestion or queries through associated private endpoints in scope. For security reasons, it is recommended to use PrivateOnly whenever possible to avoid data exfiltration.

* Private Only - This mode allows the connected virtual network to reach only Private Link resources. It is the most secure mode and is set as the default when the `privateEndpoints` parameter is configured.

* Open - Allows the connected virtual network to reach both Private Link resources and the resources not in the AMPLS resource. Data exfiltration cannot be prevented in this mode. - -- Required: No -- Type: object - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`ingestionAccessMode`](#parameter-accessmodesettingsingestionaccessmode) | string | Specifies the default access mode of ingestion through associated private endpoints in scope. | -| [`queryAccessMode`](#parameter-accessmodesettingsqueryaccessmode) | string | Specifies the default access mode of queries through associated private endpoints in scope. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`exclusions`](#parameter-accessmodesettingsexclusions) | array | List of exclusions that override the default access mode settings for specific private endpoint connections. Exclusions for the current created Private endpoints can only be applied post initial provisioning. | - -### Parameter: `accessModeSettings.ingestionAccessMode` - -Specifies the default access mode of ingestion through associated private endpoints in scope. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Open' - 'PrivateOnly' - ] - ``` - -### Parameter: `accessModeSettings.queryAccessMode` - -Specifies the default access mode of queries through associated private endpoints in scope. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Open' - 'PrivateOnly' - ] - ``` - -### Parameter: `accessModeSettings.exclusions` - -List of exclusions that override the default access mode settings for specific private endpoint connections. Exclusions for the current created Private endpoints can only be applied post initial provisioning. - -- Required: No -- Type: array - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). 
- -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -The location of the private link scope. Should be global. - -- Required: No -- Type: string -- Default: `'global'` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints` - -Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. 
| -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.subnetResourceId` - -Resource ID of the subnet where the endpoint needs to be created. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Application security groups in which the private endpoint IP configuration is included. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customDnsConfigs` - -Custom DNS configurations. 
- -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customNetworkInterfaceName` - -The custom name of the network interface attached to the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.enableTelemetry` - -Enable/Disable usage telemetry for module. - -- Required: No -- Type: bool - -### Parameter: `privateEndpoints.ipConfigurations` - -A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.location` - -The location to deploy the private endpoint to. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.lock` - -Specify the type of lock. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | -| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | - -### Parameter: `privateEndpoints.lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `privateEndpoints.lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` - -Manual PrivateLink Service Connections. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.name` - -The name of the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneGroupName` - -The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` - -The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. 
- -- Required: No -- Type: array - -### Parameter: `privateEndpoints.roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `privateEndpoints.roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. 
- -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `privateEndpoints.service` - -The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.tags` - -Tags to be applied on all resources/resource groups in this deployment. - -- Required: No -- Type: object - -### Parameter: `roleAssignments` - -Array of role assignments to create. 
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
- -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `scopedResources` - -Configuration details for Azure Monitor Resources. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`linkedResourceId`](#parameter-scopedresourceslinkedresourceid) | string | The resource ID of the scoped Azure monitor resource. | -| [`name`](#parameter-scopedresourcesname) | string | Name of the private link scoped resource. | - -### Parameter: `scopedResources.linkedResourceId` - -The resource ID of the scoped Azure monitor resource. - -- Required: Yes -- Type: string - -### Parameter: `scopedResources.name` - -Name of the private link scoped resource. - -- Required: Yes -- Type: string - -### Parameter: `tags` - -Resource tags. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. 
| -| `name` | string | The name of the private link scope. | -| `resourceGroupName` | string | The resource group the private link scope was deployed into. | -| `resourceId` | string | The resource ID of the private link scope. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `modules/network/private-endpoint` | Local reference | +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/insights/private-link-scope/main.bicep b/modules/insights/private-link-scope/main.bicep deleted file mode 100644 index 66fc5d5273..0000000000 --- a/modules/insights/private-link-scope/main.bicep +++ /dev/null 
@@ -1,268 +0,0 @@
-metadata name = 'Azure Monitor Private Link Scopes'
-metadata description = 'This module deploys an Azure Monitor Private Link Scope.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the private link scope.')
-@minLength(1)
-param name string
-
-@description('''Optional. Specifies the access mode of ingestion or queries through associated private endpoints in scope. For security reasons, it is recommended to use PrivateOnly whenever possible to avoid data exfiltration.
-
- * Private Only - This mode allows the connected virtual network to reach only Private Link resources. It is the most secure mode and is set as the default when the `privateEndpoints` parameter is configured.
- * Open - Allows the connected virtual network to reach both Private Link resources and the resources not in the AMPLS resource. Data exfiltration cannot be prevented in this mode.''')
-param accessModeSettings accessModeType
-
-@description('Optional. The location of the private link scope. Should be global.')
-param location string = 'global'
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Configuration details for Azure Monitor Resources.')
-param scopedResources scopedResourceType
-
-@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints privateEndpointType
-
-@description('Optional. Resource tags.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource privateLinkScope 'microsoft.insights/privateLinkScopes@2021-07-01-preview' = {
- name: name
- location: location
- tags: tags
- properties: {
- accessModeSettings: accessModeSettings ?? {
- ingestionAccessMode: empty(privateEndpoints) ? 'Open' : 'PrivateOnly'
- queryAccessMode: empty(privateEndpoints) ? 'Open' : 'PrivateOnly'
- }
- }
-}
-
-module privateLinkScope_scopedResource 'scoped-resource/main.bicep' = [for (scopedResource, index) in (scopedResources ?? []): {
- name: '${uniqueString(deployment().name, location)}-PvtLinkScope-ScopedRes-${index}'
- params: {
- name: scopedResource.name
- privateLinkScopeName: privateLinkScope.name
- linkedResourceId: scopedResource.linkedResourceId
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-resource privateLinkScope_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: privateLinkScope
-}
-
-module privateLinkScope_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
- name: '${uniqueString(deployment().name, location)}-privateLinkScope-PrivateEndpoint-${index}'
- params: {
- groupIds: [
- privateEndpoint.?service ?? 'azuremonitor'
- ]
- name: privateEndpoint.?name ?? 'pep-${last(split(privateLinkScope.id, '/'))}-${privateEndpoint.?service ?? 'azuremonitor'}-${index}'
- serviceResourceId: privateLinkScope.id
- subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
- location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
- privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
- roleAssignments: privateEndpoint.?roleAssignments
- tags: privateEndpoint.?tags ?? tags
- manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
- customDnsConfigs: privateEndpoint.?customDnsConfigs
- ipConfigurations: privateEndpoint.?ipConfigurations
- applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
- customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
- }
-}]
-
-resource privateLinkScope_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(privateLinkScope.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: privateLinkScope
-}]
-
-@description('The name of the private link scope.')
-output name string = privateLinkScope.name
-
-@description('The resource ID of the private link scope.')
-output resourceId string = privateLinkScope.id
-
-@description('The resource group the private link scope was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = privateLinkScope.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type privateEndpointType = {
- @description('Optional. The name of the private endpoint.')
- name: string?
-
- @description('Optional. The location to deploy the private endpoint to.')
- location: string?
-
- @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
- service: string?
-
- @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
- subnetResourceId: string
-
- @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
- privateDnsZoneGroupName: string?
-
- @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
- privateDnsZoneResourceIds: string[]?
-
- @description('Optional. Custom DNS configurations.')
- customDnsConfigs: {
- @description('Required. Fqdn that resolves to private endpoint ip address.')
- fqdn: string?
-
- @description('Required. A list of private ip addresses of the private endpoint.')
- ipAddresses: string[]
- }[]?
-
- @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
- ipConfigurations: {
- @description('Required. The name of the resource that is unique within a resource group.')
- name: string
-
- @description('Required. Properties of private endpoint IP configurations.')
- properties: {
- @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
- groupId: string
-
- @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
- memberName: string
-
- @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
- privateIPAddress: string
- }
- }[]?
-
- @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
- applicationSecurityGroupResourceIds: string[]?
-
- @description('Optional. The custom name of the network interface attached to the private endpoint.')
- customNetworkInterfaceName: string?
-
- @description('Optional. Specify the type of lock.')
- lock: lockType
-
- @description('Optional. Array of role assignments to create.')
- roleAssignments: roleAssignmentType
-
- @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
- tags: object?
-
- @description('Optional. Manual PrivateLink Service Connections.')
- manualPrivateLinkServiceConnections: array?
-
- @description('Optional. Enable/Disable usage telemetry for module.')
- enableTelemetry: bool?
-}[]?
-
-type scopedResourceType = {
- @description('Required. Name of the private link scoped resource.')
- name: string
-
- @description('Required. The resource ID of the scoped Azure monitor resource.')
- linkedResourceId: string
-}[]?
-
-type accessModeType = {
- @description('Optional. List of exclusions that override the default access mode settings for specific private endpoint connections. Exclusions for the current created Private endpoints can only be applied post initial provisioning.')
- exclusions: {
- @description('Required. The private endpoint connection name associated to the private endpoint on which we want to apply the specific access mode settings.')
- privateEndpointConnectionName: string
-
- @description('Required. Specifies the access mode of ingestion through the specified private endpoint connection in the exclusion.')
- ingestionAccessMode: 'Open' | 'PrivateOnly'
-
- @description('Required. Specifies the access mode of queries through the specified private endpoint connection in the exclusion.')
- queryAccessMode: 'Open' | 'PrivateOnly'
- }[]?
-
- @description('Required. Specifies the default access mode of ingestion through associated private endpoints in scope.')
- ingestionAccessMode: 'Open' | 'PrivateOnly'
-
- @description('Required. Specifies the default access mode of queries through associated private endpoints in scope.')
- queryAccessMode: 'Open' | 'PrivateOnly'
-}?
diff --git a/modules/insights/private-link-scope/main.json b/modules/insights/private-link-scope/main.json
deleted file mode 100644
index a969091d94..0000000000
--- a/modules/insights/private-link-scope/main.json
+++ /dev/null
@@ -1,1268 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "4014545030296978209" - }, - "name": "Azure Monitor Private Link Scopes", - "description": "This module deploys an Azure Monitor Private Link Scope.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. 
A DNS zone group can support up to 5 DNS zones." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. 
Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - } - }, - "nullable": true - }, - "scopedResourceType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private link scoped resource." - } - }, - "linkedResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the scoped Azure monitor resource." - } - } - } - }, - "nullable": true - }, - "accessModeType": { - "type": "object", - "properties": { - "exclusions": { - "type": "array", - "items": { - "type": "object", - "properties": { - "privateEndpointConnectionName": { - "type": "string", - "metadata": { - "description": "Required. The private endpoint connection name associated to the private endpoint on which we want to apply the specific access mode settings." 
- } - }, - "ingestionAccessMode": { - "type": "string", - "allowedValues": [ - "Open", - "PrivateOnly" - ], - "metadata": { - "description": "Required. Specifies the access mode of ingestion through the specified private endpoint connection in the exclusion." - } - }, - "queryAccessMode": { - "type": "string", - "allowedValues": [ - "Open", - "PrivateOnly" - ], - "metadata": { - "description": "Required. Specifies the access mode of queries through the specified private endpoint connection in the exclusion." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. List of exclusions that override the default access mode settings for specific private endpoint connections. Exclusions for the current created Private endpoints can only be applied post initial provisioning." - } - }, - "ingestionAccessMode": { - "type": "string", - "allowedValues": [ - "Open", - "PrivateOnly" - ], - "metadata": { - "description": "Required. Specifies the default access mode of ingestion through associated private endpoints in scope." - } - }, - "queryAccessMode": { - "type": "string", - "allowedValues": [ - "Open", - "PrivateOnly" - ], - "metadata": { - "description": "Required. Specifies the default access mode of queries through associated private endpoints in scope." - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "minLength": 1, - "metadata": { - "description": "Required. Name of the private link scope." - } - }, - "accessModeSettings": { - "$ref": "#/definitions/accessModeType", - "metadata": { - "description": "Optional. Specifies the access mode of ingestion or queries through associated private endpoints in scope. For security reasons, it is recommended to use PrivateOnly whenever possible to avoid data exfiltration.\r\n\r\n * Private Only - This mode allows the connected virtual network to reach only Private Link resources. 
It is the most secure mode and is set as the default when the `privateEndpoints` parameter is configured.\r\n * Open - Allows the connected virtual network to reach both Private Link resources and the resources not in the AMPLS resource. Data exfiltration cannot be prevented in this mode." - } - }, - "location": { - "type": "string", - "defaultValue": "global", - "metadata": { - "description": "Optional. The location of the private link scope. Should be global." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "scopedResources": { - "$ref": "#/definitions/scopedResourceType", - "metadata": { - "description": "Optional. Configuration details for Azure Monitor Resources." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Resource tags." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateLinkScope": { - "type": "microsoft.insights/privateLinkScopes", - "apiVersion": "2021-07-01-preview", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "accessModeSettings": "[coalesce(parameters('accessModeSettings'), createObject('ingestionAccessMode', if(empty(parameters('privateEndpoints')), 'Open', 'PrivateOnly'), 'queryAccessMode', if(empty(parameters('privateEndpoints')), 'Open', 'PrivateOnly')))]" - } - }, - "privateLinkScope_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": 
"Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('microsoft.insights/privateLinkScopes/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateLinkScope" - ] - }, - "privateLinkScope_roleAssignments": { - "copy": { - "name": "privateLinkScope_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('microsoft.insights/privateLinkScopes/{0}', parameters('name'))]", - "name": "[guid(resourceId('microsoft.insights/privateLinkScopes', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateLinkScope" - ] - }, - "privateLinkScope_scopedResource": { - "copy": { - "name": "privateLinkScope_scopedResource", - "count": "[length(coalesce(parameters('scopedResources'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PvtLinkScope-ScopedRes-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('scopedResources'), createArray())[copyIndex()].name]" - }, - "privateLinkScopeName": { - "value": "[parameters('name')]" - }, - "linkedResourceId": { - "value": "[coalesce(parameters('scopedResources'), createArray())[copyIndex()].linkedResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": 
"590222292996782879" - }, - "name": "Private Link Scope Scoped Resources", - "description": "This module deploys a Private Link Scope Scoped Resource.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "minLength": 1, - "metadata": { - "description": "Required. Name of the private link scoped resource." - } - }, - "privateLinkScopeName": { - "type": "string", - "minLength": 1, - "metadata": { - "description": "Conditional. The name of the parent private link scope. Required if the template is used in a standalone deployment." - } - }, - "linkedResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the scoped Azure monitor resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Insights/privateLinkScopes/scopedResources", - "apiVersion": "2021-07-01-preview", - "name": "[format('{0}/{1}', parameters('privateLinkScopeName'), parameters('name'))]", - "properties": { - "linkedResourceId": "[parameters('linkedResourceId')]" - } - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group where the resource has been deployed." 
- }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed scopedResource." - }, - "value": "[resourceId('Microsoft.Insights/privateLinkScopes/scopedResources', parameters('privateLinkScopeName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The full name of the deployed Scoped Resource." - }, - "value": "[parameters('name')]" - } - } - } - }, - "dependsOn": [ - "privateLinkScope" - ] - }, - "privateLinkScope_privateEndpoints": { - "copy": { - "name": "privateLinkScope_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-privateLinkScope-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'azuremonitor')]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('microsoft.insights/privateLinkScopes', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'azuremonitor'), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('microsoft.insights/privateLinkScopes', parameters('name'))]" - }, - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), 
variables('enableReferencedModulesTelemetry'))]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "11154909986774213690" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." 
- } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." 
- } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } 
- }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - "groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": 
"privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": 
"Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "6129461321051281170" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "privateLinkScope" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private link scope." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private link scope." - }, - "value": "[resourceId('microsoft.insights/privateLinkScopes', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private link scope was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateLinkScope', '2021-07-01-preview', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/insights/private-link-scope/scoped-resource/README.md b/modules/insights/private-link-scope/scoped-resource/README.md deleted file mode 100644 index 5946a32116..0000000000 
--- a/modules/insights/private-link-scope/scoped-resource/README.md
+++ /dev/null
@@ -1,79 +0,0 @@
-# Private Link Scope Scoped Resources `[Microsoft.Insights/privateLinkScopes/scopedResources]`
-
-This module deploys a Private Link Scope Scoped Resource.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Insights/privateLinkScopes/scopedResources` | [2021-07-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-07-01-preview/privateLinkScopes/scopedResources) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`linkedResourceId`](#parameter-linkedresourceid) | string | The resource ID of the scoped Azure monitor resource. |
-| [`name`](#parameter-name) | string | Name of the private link scoped resource. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`privateLinkScopeName`](#parameter-privatelinkscopename) | string | The name of the parent private link scope. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-
-### Parameter: `linkedResourceId`
-
-The resource ID of the scoped Azure monitor resource.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `name`
-
-Name of the private link scoped resource.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `privateLinkScopeName`
-
-The name of the parent private link scope. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The full name of the deployed Scoped Resource. |
-| `resourceGroupName` | string | The name of the resource group where the resource has been deployed. |
-| `resourceId` | string | The resource ID of the deployed scopedResource. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/insights/private-link-scope/scoped-resource/main.bicep b/modules/insights/private-link-scope/scoped-resource/main.bicep
deleted file mode 100644
index 0c42825f72..0000000000
--- a/modules/insights/private-link-scope/scoped-resource/main.bicep
+++ /dev/null
@@ -1,50 +0,0 @@
-metadata name = 'Private Link Scope Scoped Resources'
-metadata description = 'This module deploys a Private Link Scope Scoped Resource.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the private link scoped resource.')
-@minLength(1)
-param name string
-
-@description('Conditional. The name of the parent private link scope. Required if the template is used in a standalone deployment.')
-@minLength(1)
-param privateLinkScopeName string
-
-@description('Required. The resource ID of the scoped Azure monitor resource.')
-param linkedResourceId string
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource privateLinkScope 'Microsoft.Insights/privateLinkScopes@2021-07-01-preview' existing = {
- name: privateLinkScopeName
-}
-
-resource scopedResource 'Microsoft.Insights/privateLinkScopes/scopedResources@2021-07-01-preview' = {
- name: name
- parent: privateLinkScope
- properties: {
- linkedResourceId: linkedResourceId
- }
-}
-
-@description('The name of the resource group where the resource has been deployed.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The resource ID of the deployed scopedResource.')
-output resourceId string = scopedResource.id
-
-@description('The full name of the deployed Scoped Resource.')
-output name string = scopedResource.name
diff --git a/modules/insights/private-link-scope/scoped-resource/main.json b/modules/insights/private-link-scope/scoped-resource/main.json
deleted file mode 100644
index 72ff632731..0000000000
--- a/modules/insights/private-link-scope/scoped-resource/main.json
+++ /dev/null
@@ -1,90 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "590222292996782879" - }, - "name": "Private Link Scope Scoped Resources", - "description": "This module deploys a Private Link Scope Scoped Resource.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "minLength": 1, - "metadata": { - "description": "Required. Name of the private link scoped resource." - } - }, - "privateLinkScopeName": { - "type": "string", - "minLength": 1, - "metadata": { - "description": "Conditional. The name of the parent private link scope. Required if the template is used in a standalone deployment." - } - }, - "linkedResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the scoped Azure monitor resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Insights/privateLinkScopes/scopedResources", - "apiVersion": "2021-07-01-preview", - "name": "[format('{0}/{1}', parameters('privateLinkScopeName'), parameters('name'))]", - "properties": { - "linkedResourceId": "[parameters('linkedResourceId')]" - } - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group where the resource has been deployed." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed scopedResource." - }, - "value": "[resourceId('Microsoft.Insights/privateLinkScopes/scopedResources', parameters('privateLinkScopeName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The full name of the deployed Scoped Resource." - }, - "value": "[parameters('name')]" - } - } -} \ No newline at end of file diff --git a/modules/insights/private-link-scope/scoped-resource/version.json b/modules/insights/private-link-scope/scoped-resource/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/insights/private-link-scope/scoped-resource/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/insights/private-link-scope/tests/e2e/defaults/main.test.bicep b/modules/insights/private-link-scope/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index 33740e555d..0000000000
--- a/modules/insights/private-link-scope/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-insights.privatelinkscopes-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'iplsmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/insights/private-link-scope/tests/e2e/max/dependencies.bicep b/modules/insights/private-link-scope/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index e09c9b5a0c..0000000000
--- a/modules/insights/private-link-scope/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,71 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Log Analytics Workspace to create.')
-param logAnalyticsWorkspaceName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.monitor.azure.com'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
- name: logAnalyticsWorkspaceName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
-
-@description('The resource ID of the created Log Analytics Workspace.')
-output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.id
diff --git a/modules/insights/private-link-scope/tests/e2e/max/main.test.bicep b/modules/insights/private-link-scope/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 651acc7941..0000000000
--- a/modules/insights/private-link-scope/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,111 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-insights.privatelinkscopes-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'iplsmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-la-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- accessModeSettings: {
- exclusions: [
- {
- ingestionAccessMode: 'PrivateOnly'
- queryAccessMode: 'PrivateOnly'
- privateEndpointConnectionName: 'thisisatest'
- }
- ]
- ingestionAccessMode: 'Open'
- queryAccessMode: 'Open'
- }
- scopedResources: [
- {
- name: 'scoped1'
- linkedResourceId: nestedDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/insights/private-link-scope/tests/e2e/waf-aligned/dependencies.bicep b/modules/insights/private-link-scope/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index e09c9b5a0c..0000000000
--- a/modules/insights/private-link-scope/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,71 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Log Analytics Workspace to create.')
-param logAnalyticsWorkspaceName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.monitor.azure.com'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
- name: logAnalyticsWorkspaceName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
-
-@description('The resource ID of the created Log Analytics Workspace.')
-output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.id
diff --git a/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index fc7a863664..0000000000
--- a/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,94 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-insights.privatelinkscopes-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'iplswaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-la-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- accessModeSettings: {
- exclusions: [
- {
- ingestionAccessMode: 'PrivateOnly'
- queryAccessMode: 'PrivateOnly'
- privateEndpointConnectionName: 'thisisatest'
- }
- ]
- ingestionAccessMode: 'Open'
- queryAccessMode: 'Open'
- }
- scopedResources: [
- {
- name: 'scoped1'
- linkedResourceId: nestedDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/insights/private-link-scope/version.json b/modules/insights/private-link-scope/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/insights/private-link-scope/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/insights/scheduled-query-rule/MOVED-TO-AVM.md b/modules/insights/scheduled-query-rule/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/insights/scheduled-query-rule/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/insights/scheduled-query-rule/README.md b/modules/insights/scheduled-query-rule/README.md
index be3ba88d2d..af0014cf91 100644
--- a/modules/insights/scheduled-query-rule/README.md
+++ b/modules/insights/scheduled-query-rule/README.md @@ -1,655 +1,7 @@ -# Scheduled Query Rules `[Microsoft.Insights/scheduledQueryRules]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/insights/scheduled-query-rule](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/insights/scheduled-query-rule).** -This module deploys a Scheduled Query Rule. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/insights/scheduled-query-rule). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/scheduledQueryRules` | [2021-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-02-01-preview/scheduledQueryRules) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.scheduled-query-rule:1.0.0`. 
- -- [Using large parameter set](#example-1-using-large-parameter-set) -- [WAF-aligned](#example-2-waf-aligned) - -### Example 1: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -
- -via Bicep module - -```bicep -module scheduledQueryRule 'br:bicep/modules/insights.scheduled-query-rule:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-isqrmax' - params: { - // Required parameters - criterias: { - allOf: [ - { - dimensions: [ - { - name: 'Computer' - operator: 'Include' - values: [ - '*' - ] - } - { - name: 'InstanceName' - operator: 'Include' - values: [ - '*' - ] - } - ] - metricMeasureColumn: 'AggregatedValue' - operator: 'GreaterThan' - query: 'Perf | where ObjectName == \'LogicalDisk\' | where CounterName == \'% Free Space\' | where InstanceName <> \'HarddiskVolume1\' and InstanceName <> \'_Total\' | summarize AggregatedValue = min(CounterValue) by Computer, InstanceName, bin(TimeGenerated,5m)' - threshold: 0 - timeAggregation: 'Average' - } - ] - } - name: 'isqrmax001' - scopes: [ - '' - ] - // Non-required parameters - alertDescription: 'My sample Alert' - autoMitigate: false - enableDefaultTelemetry: '' - evaluationFrequency: 'PT5M' - queryTimeRange: 'PT5M' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - suppressForMinutes: 'PT5M' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - windowSize: 'PT5M' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "criterias": { - "value": { - "allOf": [ - { - "dimensions": [ - { - "name": "Computer", - "operator": "Include", - "values": [ - "*" - ] - }, - { - "name": "InstanceName", - "operator": "Include", - "values": [ - "*" - ] - } - ], - "metricMeasureColumn": "AggregatedValue", - "operator": "GreaterThan", - "query": "Perf | where ObjectName == \"LogicalDisk\" | where CounterName == \"% Free Space\" | where InstanceName <> \"HarddiskVolume1\" and InstanceName <> \"_Total\" | summarize AggregatedValue = min(CounterValue) by Computer, InstanceName, bin(TimeGenerated,5m)", - "threshold": 0, - "timeAggregation": "Average" - } - ] - } - }, - "name": { - "value": "isqrmax001" - }, - "scopes": { - "value": [ - "" - ] - }, - // Non-required parameters - "alertDescription": { - "value": "My sample Alert" - }, - "autoMitigate": { - "value": false - }, - "enableDefaultTelemetry": { - "value": "" - }, - "evaluationFrequency": { - "value": "PT5M" - }, - "queryTimeRange": { - "value": "PT5M" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "suppressForMinutes": { - "value": "PT5M" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "windowSize": { - "value": "PT5M" - } - } -} -``` - -
-

- -### Example 2: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module scheduledQueryRule 'br:bicep/modules/insights.scheduled-query-rule:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-isqrwaf' - params: { - // Required parameters - criterias: { - allOf: [ - { - dimensions: [ - { - name: 'Computer' - operator: 'Include' - values: [ - '*' - ] - } - { - name: 'InstanceName' - operator: 'Include' - values: [ - '*' - ] - } - ] - metricMeasureColumn: 'AggregatedValue' - operator: 'GreaterThan' - query: 'Perf | where ObjectName == \'LogicalDisk\' | where CounterName == \'% Free Space\' | where InstanceName <> \'HarddiskVolume1\' and InstanceName <> \'_Total\' | summarize AggregatedValue = min(CounterValue) by Computer, InstanceName, bin(TimeGenerated,5m)' - threshold: 0 - timeAggregation: 'Average' - } - ] - } - name: 'isqrwaf001' - scopes: [ - '' - ] - // Non-required parameters - alertDescription: 'My sample Alert' - autoMitigate: false - enableDefaultTelemetry: '' - evaluationFrequency: 'PT5M' - queryTimeRange: 'PT5M' - suppressForMinutes: 'PT5M' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - windowSize: 'PT5M' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "criterias": { - "value": { - "allOf": [ - { - "dimensions": [ - { - "name": "Computer", - "operator": "Include", - "values": [ - "*" - ] - }, - { - "name": "InstanceName", - "operator": "Include", - "values": [ - "*" - ] - } - ], - "metricMeasureColumn": "AggregatedValue", - "operator": "GreaterThan", - "query": "Perf | where ObjectName == \"LogicalDisk\" | where CounterName == \"% Free Space\" | where InstanceName <> \"HarddiskVolume1\" and InstanceName <> \"_Total\" | summarize AggregatedValue = min(CounterValue) by Computer, InstanceName, bin(TimeGenerated,5m)", - "threshold": 0, - "timeAggregation": "Average" - } - ] - } - }, - "name": { - "value": "isqrwaf001" - }, - "scopes": { - "value": [ - "" - ] - }, - // Non-required parameters - "alertDescription": { - "value": "My sample Alert" - }, - "autoMitigate": { - "value": false - }, - "enableDefaultTelemetry": { - "value": "" - }, - "evaluationFrequency": { - "value": "PT5M" - }, - "queryTimeRange": { - "value": "PT5M" - }, - "suppressForMinutes": { - "value": "PT5M" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "windowSize": { - "value": "PT5M" - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`criterias`](#parameter-criterias) | object | The rule criteria that defines the conditions of the scheduled query rule. | -| [`name`](#parameter-name) | string | The name of the Alert. | -| [`scopes`](#parameter-scopes) | array | The list of resource IDs that this scheduled query rule is scoped to. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`actions`](#parameter-actions) | array | Actions to invoke when the alert fires. | -| [`alertDescription`](#parameter-alertdescription) | string | The description of the scheduled query rule. | -| [`autoMitigate`](#parameter-automitigate) | bool | The flag that indicates whether the alert should be automatically resolved or not. Relevant only for rules of the kind LogAlert. | -| [`enabled`](#parameter-enabled) | bool | The flag which indicates whether this scheduled query rule is enabled. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`evaluationFrequency`](#parameter-evaluationfrequency) | string | How often the scheduled query rule is evaluated represented in ISO 8601 duration format. Relevant and required only for rules of the kind LogAlert. | -| [`kind`](#parameter-kind) | string | Indicates the type of scheduled query rule. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`queryTimeRange`](#parameter-querytimerange) | string | If specified (in ISO 8601 duration format) then overrides the query time range. Relevant only for rules of the kind LogAlert. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`severity`](#parameter-severity) | int | Severity of the alert. Should be an integer between [0-4]. Value of 0 is severest. Relevant and required only for rules of the kind LogAlert. 
| -| [`skipQueryValidation`](#parameter-skipqueryvalidation) | bool | The flag which indicates whether the provided query should be validated or not. Relevant only for rules of the kind LogAlert. | -| [`suppressForMinutes`](#parameter-suppressforminutes) | string | Mute actions for the chosen period of time (in ISO 8601 duration format) after the alert is fired. If set, autoMitigate must be disabled.Relevant only for rules of the kind LogAlert. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`targetResourceTypes`](#parameter-targetresourcetypes) | array | List of resource type of the target resource(s) on which the alert is created/updated. For example if the scope is a resource group and targetResourceTypes is Microsoft.Compute/virtualMachines, then a different alert will be fired for each virtual machine in the resource group which meet the alert criteria. Relevant only for rules of the kind LogAlert. | -| [`windowSize`](#parameter-windowsize) | string | The period of time (in ISO 8601 duration format) on which the Alert query will be executed (bin size). Relevant and required only for rules of the kind LogAlert. | - -### Parameter: `criterias` - -The rule criteria that defines the conditions of the scheduled query rule. - -- Required: Yes -- Type: object - -### Parameter: `name` - -The name of the Alert. - -- Required: Yes -- Type: string - -### Parameter: `scopes` - -The list of resource IDs that this scheduled query rule is scoped to. - -- Required: Yes -- Type: array - -### Parameter: `actions` - -Actions to invoke when the alert fires. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `alertDescription` - -The description of the scheduled query rule. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `autoMitigate` - -The flag that indicates whether the alert should be automatically resolved or not. Relevant only for rules of the kind LogAlert. 
- -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enabled` - -The flag which indicates whether this scheduled query rule is enabled. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `evaluationFrequency` - -How often the scheduled query rule is evaluated represented in ISO 8601 duration format. Relevant and required only for rules of the kind LogAlert. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `kind` - -Indicates the type of scheduled query rule. - -- Required: No -- Type: string -- Default: `'LogAlert'` -- Allowed: - ```Bicep - [ - 'LogAlert' - 'LogToMetric' - ] - ``` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `queryTimeRange` - -If specified (in ISO 8601 duration format) then overrides the query time range. Relevant only for rules of the kind LogAlert. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `severity` - -Severity of the alert. Should be an integer between [0-4]. Value of 0 is severest. Relevant and required only for rules of the kind LogAlert. - -- Required: No -- Type: int -- Default: `3` -- Allowed: - ```Bicep - [ - 0 - 1 - 2 - 3 - 4 - ] - ``` - -### Parameter: `skipQueryValidation` - -The flag which indicates whether the provided query should be validated or not. Relevant only for rules of the kind LogAlert. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `suppressForMinutes` - -Mute actions for the chosen period of time (in ISO 8601 duration format) after the alert is fired. If set, autoMitigate must be disabled.Relevant only for rules of the kind LogAlert. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `targetResourceTypes` - -List of resource type of the target resource(s) on which the alert is created/updated. For example if the scope is a resource group and targetResourceTypes is Microsoft.Compute/virtualMachines, then a different alert will be fired for each virtual machine in the resource group which meet the alert criteria. Relevant only for rules of the kind LogAlert. 
- -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `windowSize` - -The period of time (in ISO 8601 duration format) on which the Alert query will be executed (bin size). Relevant and required only for rules of the kind LogAlert. - -- Required: No -- Type: string -- Default: `''` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The Name of the created query rule. | -| `resourceGroupName` | string | The Resource Group of the created query rule. | -| `resourceId` | string | The resource ID of the created query rule. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/insights/scheduled-query-rule/main.bicep b/modules/insights/scheduled-query-rule/main.bicep deleted file mode 100644 index 5a205cd495..0000000000 --- a/modules/insights/scheduled-query-rule/main.bicep +++ /dev/null 
@@ -1,169 +0,0 @@
-metadata name = 'Scheduled Query Rules'
-metadata description = 'This module deploys a Scheduled Query Rule.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the Alert.')
-param name string
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. The description of the scheduled query rule.')
-param alertDescription string = ''
-
-@description('Optional. The flag which indicates whether this scheduled query rule is enabled.')
-param enabled bool = true
-
-@description('Optional. Indicates the type of scheduled query rule.')
-@allowed([
- 'LogAlert'
- 'LogToMetric'
-])
-param kind string = 'LogAlert'
-
-@description('Optional. The flag that indicates whether the alert should be automatically resolved or not. Relevant only for rules of the kind LogAlert.')
-param autoMitigate bool = true
-
-@description('Optional. If specified (in ISO 8601 duration format) then overrides the query time range. Relevant only for rules of the kind LogAlert.')
-param queryTimeRange string = ''
-
-@description('Optional. The flag which indicates whether the provided query should be validated or not. Relevant only for rules of the kind LogAlert.')
-param skipQueryValidation bool = false
-
-@description('Optional. List of resource type of the target resource(s) on which the alert is created/updated. For example if the scope is a resource group and targetResourceTypes is Microsoft.Compute/virtualMachines, then a different alert will be fired for each virtual machine in the resource group which meet the alert criteria. Relevant only for rules of the kind LogAlert.')
-param targetResourceTypes array = []
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Required. The list of resource IDs that this scheduled query rule is scoped to.')
-param scopes array
-
-@description('Optional. Severity of the alert. Should be an integer between [0-4]. Value of 0 is severest. Relevant and required only for rules of the kind LogAlert.')
-@allowed([
- 0
- 1
- 2
- 3
- 4
-])
-param severity int = 3
-
-@description('Optional. How often the scheduled query rule is evaluated represented in ISO 8601 duration format. Relevant and required only for rules of the kind LogAlert.')
-param evaluationFrequency string = ''
-
-@description('Optional. The period of time (in ISO 8601 duration format) on which the Alert query will be executed (bin size). Relevant and required only for rules of the kind LogAlert.')
-param windowSize string = ''
-
-@description('Optional. Actions to invoke when the alert fires.')
-param actions array = []
-
-@description('Required. The rule criteria that defines the conditions of the scheduled query rule.')
-param criterias object
-
-@description('Optional. Mute actions for the chosen period of time (in ISO 8601 duration format) after the alert is fired. If set, autoMitigate must be disabled.Relevant only for rules of the kind LogAlert.')
-param suppressForMinutes string = ''
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource queryRule 'Microsoft.Insights/scheduledQueryRules@2021-02-01-preview' = {
- name: name
- location: location
- tags: tags
- kind: kind
- properties: {
- actions: {
- actionGroups: actions
- customProperties: {}
- }
- autoMitigate: (kind == 'LogAlert') ? autoMitigate : null
- criteria: criterias
- description: alertDescription
- displayName: name
- enabled: enabled
- evaluationFrequency: (kind == 'LogAlert' && !empty(evaluationFrequency)) ? evaluationFrequency : null
- muteActionsDuration: (kind == 'LogAlert' && !empty(suppressForMinutes)) ? suppressForMinutes : null
- overrideQueryTimeRange: (kind == 'LogAlert' && !empty(queryTimeRange)) ? queryTimeRange : null
- scopes: scopes
- severity: (kind == 'LogAlert') ? severity : null
- skipQueryValidation: (kind == 'LogAlert') ? skipQueryValidation : null
- targetResourceTypes: (kind == 'LogAlert') ? targetResourceTypes : null
- windowSize: (kind == 'LogAlert' && !empty(windowSize)) ? windowSize : null
- }
-}
-
-resource queryRule_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(queryRule.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: queryRule
-}]
-
-@description('The Name of the created query rule.')
-output name string = queryRule.name
-
-@description('The resource ID of the created query rule.')
-output resourceId string = queryRule.id
-
-@description('The Resource Group of the created query rule.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = queryRule.location
-// =============== //
-// Definitions //
-// =============== //
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/insights/scheduled-query-rule/main.json b/modules/insights/scheduled-query-rule/main.json
deleted file mode 100644
index 87d5b4cd95..0000000000
--- a/modules/insights/scheduled-query-rule/main.json
+++ /dev/null
@@ -1,329 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "12406976097155234839" - }, - "name": "Scheduled Query Rules", - "description": "This module deploys a Scheduled Query Rule.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. 
Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Alert." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "alertDescription": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the scheduled query rule." - } - }, - "enabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. The flag which indicates whether this scheduled query rule is enabled." - } - }, - "kind": { - "type": "string", - "defaultValue": "LogAlert", - "allowedValues": [ - "LogAlert", - "LogToMetric" - ], - "metadata": { - "description": "Optional. Indicates the type of scheduled query rule." - } - }, - "autoMitigate": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. The flag that indicates whether the alert should be automatically resolved or not. Relevant only for rules of the kind LogAlert." - } - }, - "queryTimeRange": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. If specified (in ISO 8601 duration format) then overrides the query time range. Relevant only for rules of the kind LogAlert." - } - }, - "skipQueryValidation": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. The flag which indicates whether the provided query should be validated or not. Relevant only for rules of the kind LogAlert." - } - }, - "targetResourceTypes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. 
List of resource type of the target resource(s) on which the alert is created/updated. For example if the scope is a resource group and targetResourceTypes is Microsoft.Compute/virtualMachines, then a different alert will be fired for each virtual machine in the resource group which meet the alert criteria. Relevant only for rules of the kind LogAlert." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "scopes": { - "type": "array", - "metadata": { - "description": "Required. The list of resource IDs that this scheduled query rule is scoped to." - } - }, - "severity": { - "type": "int", - "defaultValue": 3, - "allowedValues": [ - 0, - 1, - 2, - 3, - 4 - ], - "metadata": { - "description": "Optional. Severity of the alert. Should be an integer between [0-4]. Value of 0 is severest. Relevant and required only for rules of the kind LogAlert." - } - }, - "evaluationFrequency": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. How often the scheduled query rule is evaluated represented in ISO 8601 duration format. Relevant and required only for rules of the kind LogAlert." - } - }, - "windowSize": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The period of time (in ISO 8601 duration format) on which the Alert query will be executed (bin size). Relevant and required only for rules of the kind LogAlert." - } - }, - "actions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Actions to invoke when the alert fires." - } - }, - "criterias": { - "type": "object", - "metadata": { - "description": "Required. The rule criteria that defines the conditions of the scheduled query rule." - } - }, - "suppressForMinutes": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
Mute actions for the chosen period of time (in ISO 8601 duration format) after the alert is fired. If set, autoMitigate must be disabled.Relevant only for rules of the kind LogAlert." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "queryRule": { - "type": "Microsoft.Insights/scheduledQueryRules", - "apiVersion": "2021-02-01-preview", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "kind": 
"[parameters('kind')]", - "properties": { - "actions": { - "actionGroups": "[parameters('actions')]", - "customProperties": {} - }, - "autoMitigate": "[if(equals(parameters('kind'), 'LogAlert'), parameters('autoMitigate'), null())]", - "criteria": "[parameters('criterias')]", - "description": "[parameters('alertDescription')]", - "displayName": "[parameters('name')]", - "enabled": "[parameters('enabled')]", - "evaluationFrequency": "[if(and(equals(parameters('kind'), 'LogAlert'), not(empty(parameters('evaluationFrequency')))), parameters('evaluationFrequency'), null())]", - "muteActionsDuration": "[if(and(equals(parameters('kind'), 'LogAlert'), not(empty(parameters('suppressForMinutes')))), parameters('suppressForMinutes'), null())]", - "overrideQueryTimeRange": "[if(and(equals(parameters('kind'), 'LogAlert'), not(empty(parameters('queryTimeRange')))), parameters('queryTimeRange'), null())]", - "scopes": "[parameters('scopes')]", - "severity": "[if(equals(parameters('kind'), 'LogAlert'), parameters('severity'), null())]", - "skipQueryValidation": "[if(equals(parameters('kind'), 'LogAlert'), parameters('skipQueryValidation'), null())]", - "targetResourceTypes": "[if(equals(parameters('kind'), 'LogAlert'), parameters('targetResourceTypes'), null())]", - "windowSize": "[if(and(equals(parameters('kind'), 'LogAlert'), not(empty(parameters('windowSize')))), parameters('windowSize'), null())]" - } - }, - "queryRule_roleAssignments": { - "copy": { - "name": "queryRule_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Insights/scheduledQueryRules/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Insights/scheduledQueryRules', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "queryRule" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The Name of the created query rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the created query rule." 
- }, - "value": "[resourceId('Microsoft.Insights/scheduledQueryRules', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The Resource Group of the created query rule." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('queryRule', '2021-02-01-preview', 'full').location]" - } - } -}
\ No newline at end of file
diff --git a/modules/insights/scheduled-query-rule/tests/e2e/max/dependencies.bicep b/modules/insights/scheduled-query-rule/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 9e9a8f2510..0000000000
--- a/modules/insights/scheduled-query-rule/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,24 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Log Analytics Workspace to create.')
-param logAnalyticsWorkspaceName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' = {
- name: logAnalyticsWorkspaceName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Log Analytics Workspace.')
-output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.id
diff --git a/modules/insights/scheduled-query-rule/tests/e2e/max/main.test.bicep b/modules/insights/scheduled-query-rule/tests/e2e/max/main.test.bicep
deleted file mode 100644
index b6aa16ced8..0000000000
--- a/modules/insights/scheduled-query-rule/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,116 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-insights.scheduledqueryrules-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'isqrmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- alertDescription: 'My sample Alert'
- autoMitigate: false
- criterias: {
- allOf: [
- {
- dimensions: [
- {
- name: 'Computer'
- operator: 'Include'
- values: [
- '*'
- ]
- }
- {
- name: 'InstanceName'
- operator: 'Include'
- values: [
- '*'
- ]
- }
- ]
- metricMeasureColumn: 'AggregatedValue'
- operator: 'GreaterThan'
- query: 'Perf | where ObjectName == "LogicalDisk" | where CounterName == "% Free Space" | where InstanceName <> "HarddiskVolume1" and InstanceName <> "_Total" | summarize AggregatedValue = min(CounterValue) by Computer, InstanceName, bin(TimeGenerated,5m)'
- threshold: 0
- timeAggregation: 'Average'
- }
- ]
- }
- evaluationFrequency: 'PT5M'
- queryTimeRange: 'PT5M'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- scopes: [
- nestedDependencies.outputs.logAnalyticsWorkspaceResourceId
- ]
- suppressForMinutes: 'PT5M'
- windowSize: 'PT5M'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/dependencies.bicep b/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 9e9a8f2510..0000000000
--- a/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,24 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Log Analytics Workspace to create.')
-param logAnalyticsWorkspaceName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' = {
- name: logAnalyticsWorkspaceName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Log Analytics Workspace.')
-output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.id
diff --git a/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 3504694196..0000000000
--- a/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,99 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-insights.scheduledqueryrules-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'isqrwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- alertDescription: 'My sample Alert'
- autoMitigate: false
- criterias: {
- allOf: [
- {
- dimensions: [
- {
- name: 'Computer'
- operator: 'Include'
- values: [
- '*'
- ]
- }
- {
- name: 'InstanceName'
- operator: 'Include'
- values: [
- '*'
- ]
- }
- ]
- metricMeasureColumn: 'AggregatedValue'
- operator: 'GreaterThan'
- query: 'Perf | where ObjectName == "LogicalDisk" | where CounterName == "% Free Space" | where InstanceName <> "HarddiskVolume1" and InstanceName <> "_Total" | summarize AggregatedValue = min(CounterValue) by Computer, InstanceName, bin(TimeGenerated,5m)'
- threshold: 0
- timeAggregation: 'Average'
- }
- ]
- }
- evaluationFrequency: 'PT5M'
- queryTimeRange: 'PT5M'
- scopes: [
- nestedDependencies.outputs.logAnalyticsWorkspaceResourceId
- ]
- suppressForMinutes: 'PT5M'
- windowSize: 'PT5M'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/insights/scheduled-query-rule/version.json b/modules/insights/scheduled-query-rule/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/insights/scheduled-query-rule/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/insights/webtest/MOVED-TO-AVM.md b/modules/insights/webtest/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/insights/webtest/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/insights/webtest/README.md b/modules/insights/webtest/README.md
index 4fbcb8642c..0d96dc1ca3 100644
--- a/modules/insights/webtest/README.md
+++ b/modules/insights/webtest/README.md @@ -1,622 +1,7 @@ -# Web Tests `[Microsoft.Insights/webtests]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/insights/webtest](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/insights/webtest).** -This module deploys a Web Test. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/insights/webtest). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/webtests` | [2022-06-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2022-06-15/webtests) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.webtest:1.0.0`. 
- -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module webtest 'br:bicep/modules/insights.webtest:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-iwtmin' - params: { - // Required parameters - name: 'iwtmin001' - request: { - HttpVerb: 'GET' - RequestUrl: 'https://learn.microsoft.com/en-us/' - } - tags: { - 'hidden-link:${nestedDependencies.outputs.appInsightResourceId}': 'Resource' - 'hidden-title': 'This is visible in the resource name' - } - webTestName: 'wt$iwtmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "iwtmin001" - }, - "request": { - "value": { - "HttpVerb": "GET", - "RequestUrl": "https://learn.microsoft.com/en-us/" - } - }, - "tags": { - "value": { - "hidden-link:${nestedDependencies.outputs.appInsightResourceId}": "Resource", - "hidden-title": "This is visible in the resource name" - } - }, - "webTestName": { - "value": "wt$iwtmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module webtest 'br:bicep/modules/insights.webtest:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-iwtmax' - params: { - // Required parameters - name: 'iwtmax001' - request: { - HttpVerb: 'GET' - RequestUrl: 'https://learn.microsoft.com/en-us/' - } - tags: { - 'hidden-link:${nestedDependencies.outputs.appInsightResourceId}': 'Resource' - 'hidden-title': 'This is visible in the resource name' - } - webTestName: 'wt$iwtmax001' - // Non-required parameters - enableDefaultTelemetry: '' - locations: [ - { - Id: 'emea-nl-ams-azr' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - syntheticMonitorId: 'iwtmax001' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "iwtmax001" - }, - "request": { - "value": { - "HttpVerb": "GET", - "RequestUrl": "https://learn.microsoft.com/en-us/" - } - }, - "tags": { - "value": { - "hidden-link:${nestedDependencies.outputs.appInsightResourceId}": "Resource", - "hidden-title": "This is visible in the resource name" - } - }, - "webTestName": { - "value": "wt$iwtmax001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "locations": { - "value": [ - { - "Id": "emea-nl-ams-azr" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "syntheticMonitorId": { - "value": "iwtmax001" - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module webtest 'br:bicep/modules/insights.webtest:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-iwtwaf' - params: { - // Required parameters - name: 'iwtwaf001' - request: { - HttpVerb: 'GET' - RequestUrl: 'https://learn.microsoft.com/en-us/' - } - tags: { - 'hidden-link:${nestedDependencies.outputs.appInsightResourceId}': 'Resource' - 'hidden-title': 'This is visible in the resource name' - } - webTestName: 'wt$iwtwaf001' - // Non-required parameters - enableDefaultTelemetry: '' - locations: [ - { - Id: 'emea-nl-ams-azr' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - syntheticMonitorId: 'iwtwaf001' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "iwtwaf001" - }, - "request": { - "value": { - "HttpVerb": "GET", - "RequestUrl": "https://learn.microsoft.com/en-us/" - } - }, - "tags": { - "value": { - "hidden-link:${nestedDependencies.outputs.appInsightResourceId}": "Resource", - "hidden-title": "This is visible in the resource name" - } - }, - "webTestName": { - "value": "wt$iwtwaf001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "locations": { - "value": [ - { - "Id": "emea-nl-ams-azr" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "syntheticMonitorId": { - "value": "iwtwaf001" - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the webtest. | -| [`request`](#parameter-request) | object | The collection of request properties. | -| [`tags`](#parameter-tags) | object | A single hidden-link tag pointing to an existing AI component is required. | -| [`webTestName`](#parameter-webtestname) | string | User defined name if this WebTest. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`configuration`](#parameter-configuration) | object | An XML configuration specification for a WebTest. | -| [`description`](#parameter-description) | string | User defined description for this WebTest. | -| [`enabled`](#parameter-enabled) | bool | Is the test actively being monitored. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`frequency`](#parameter-frequency) | int | Interval in seconds between test runs for this WebTest. | -| [`kind`](#parameter-kind) | string | The kind of WebTest that this web test watches. | -| [`location`](#parameter-location) | string | Location for all Resources. | -| [`locations`](#parameter-locations) | array | List of where to physically run the tests from to give global coverage for accessibility of your application. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`retryEnabled`](#parameter-retryenabled) | bool | Allow for retries should this WebTest fail. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`syntheticMonitorId`](#parameter-syntheticmonitorid) | string | Unique ID of this WebTest. | -| [`timeout`](#parameter-timeout) | int | Seconds until this WebTest will timeout and fail. | -| [`validationRules`](#parameter-validationrules) | object | The collection of validation rule properties. | - -### Parameter: `name` - -Name of the webtest. - -- Required: Yes -- Type: string - -### Parameter: `request` - -The collection of request properties. - -- Required: Yes -- Type: object - -### Parameter: `tags` - -A single hidden-link tag pointing to an existing AI component is required. - -- Required: Yes -- Type: object - -### Parameter: `webTestName` - -User defined name if this WebTest. - -- Required: Yes -- Type: string - -### Parameter: `configuration` - -An XML configuration specification for a WebTest. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `description` - -User defined description for this WebTest. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enabled` - -Is the test actively being monitored. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `frequency` - -Interval in seconds between test runs for this WebTest. - -- Required: No -- Type: int -- Default: `300` - -### Parameter: `kind` - -The kind of WebTest that this web test watches. - -- Required: No -- Type: string -- Default: `'standard'` -- Allowed: - ```Bicep - [ - 'multistep' - 'ping' - 'standard' - ] - ``` - -### Parameter: `location` - -Location for all Resources. 
- -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `locations` - -List of where to physically run the tests from to give global coverage for accessibility of your application. - -- Required: No -- Type: array -- Default: - ```Bicep - [ - { - Id: 'us-il-ch1-azr' - } - { - Id: 'us-fl-mia-edge' - } - { - Id: 'latam-br-gru-edge' - } - { - Id: 'apac-sg-sin-azr' - } - { - Id: 'emea-nl-ams-azr' - } - ] - ``` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `retryEnabled` - -Allow for retries should this WebTest fail. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. 
If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. 
- -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `syntheticMonitorId` - -Unique ID of this WebTest. - -- Required: No -- Type: string -- Default: `[parameters('name')]` - -### Parameter: `timeout` - -Seconds until this WebTest will timeout and fail. - -- Required: No -- Type: int -- Default: `30` - -### Parameter: `validationRules` - -The collection of validation rule properties. - -- Required: No -- Type: object -- Default: `{}` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the webtest. | -| `resourceGroupName` | string | The resource group the resource was deployed into. | -| `resourceId` | string | The resource ID of the webtest. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/insights/webtest/main.bicep b/modules/insights/webtest/main.bicep deleted file mode 100644 index b5d72e8b02..0000000000 --- a/modules/insights/webtest/main.bicep +++ /dev/null 
@@ -1,188 +0,0 @@ -metadata name = 'Web Tests' -metadata description = 'This module deploys a Web Test.' -metadata owner = 'Azure/module-maintainers' - -@sys.description('Required. Name of the webtest.') -param name string - -@sys.description('Required. User defined name if this WebTest.') -param webTestName string - -@sys.description('Required. A single hidden-link tag pointing to an existing AI component is required.') -param tags object - -@sys.description('Required. The collection of request properties.') -param request object - -@sys.description('Optional. Location for all Resources.') -param location string = resourceGroup().location - -@sys.description('Optional. User defined description for this WebTest.') -param description string = '' - -@sys.description('Optional. Unique ID of this WebTest.') -param syntheticMonitorId string = name - -@sys.description('Optional. The kind of WebTest that this web test watches.') -@allowed([ - 'multistep' - 'ping' - 'standard' -]) -param kind string = 'standard' - -@sys.description('Optional. List of where to physically run the tests from to give global coverage for accessibility of your application.') -param locations array = [ - { - Id: 'us-il-ch1-azr' - } - { - Id: 'us-fl-mia-edge' - } - { - Id: 'latam-br-gru-edge' - } - { - Id: 'apac-sg-sin-azr' - } - { - Id: 'emea-nl-ams-azr' - } -] - -@sys.description('Optional. Is the test actively being monitored.') -param enabled bool = true - -@sys.description('Optional. Interval in seconds between test runs for this WebTest.') -param frequency int = 300 - -@sys.description('Optional. Seconds until this WebTest will timeout and fail.') -param timeout int = 30 - -@sys.description('Optional. Allow for retries should this WebTest fail.') -param retryEnabled bool = true - -@sys.description('Optional. The collection of validation rule properties.') -param validationRules object = {} - -@sys.description('Optional. 
An XML configuration specification for a WebTest.') -param configuration object = {} - -@sys.description('Optional. The lock settings of the service.') -param lock lockType - -@sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments roleAssignmentType - -@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource webtest 'Microsoft.Insights/webtests@2022-06-15' = { - name: name - location: location - tags: tags - properties: { - Kind: 
kind - Locations: locations - Name: webTestName - Description: description - SyntheticMonitorId: syntheticMonitorId - Enabled: enabled - Frequency: frequency - Timeout: timeout - RetryEnabled: retryEnabled - Request: request - ValidationRules: validationRules - Configuration: configuration - } -} - -resource webtest_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' - } - scope: webtest -} - -resource webtest_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(webtest.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? 
'2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: webtest -}] - -@sys.description('The name of the webtest.') -output name string = webtest.name - -@sys.description('The resource ID of the webtest.') -output resourceId string = webtest.id - -@sys.description('The resource group the resource was deployed into.') -output resourceGroupName string = resourceGroup().name - -@sys.description('The location the resource was deployed into.') -output location string = webtest.location - -// =============== // -// Definitions // -// =============== // - -type lockType = { - @sys.description('Optional. Specify the name of lock.') - name: string? - - @sys.description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') - roleDefinitionIdOrName: string - - @sys.description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @sys.description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @sys.description('Optional. The description of the role assignment.') - description: string? - - @sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @sys.description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @sys.description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? 
diff --git a/modules/insights/webtest/main.json b/modules/insights/webtest/main.json
deleted file mode 100644
index 5275b0e4c2..0000000000
--- a/modules/insights/webtest/main.json
+++ /dev/null
@@ -1,363 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "1408808004644515116" - }, - "name": "Web Tests", - "description": "This module deploys a Web Test.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the webtest." - } - }, - "webTestName": { - "type": "string", - "metadata": { - "description": "Required. User defined name if this WebTest." - } - }, - "tags": { - "type": "object", - "metadata": { - "description": "Required. A single hidden-link tag pointing to an existing AI component is required." - } - }, - "request": { - "type": "object", - "metadata": { - "description": "Required. The collection of request properties." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. User defined description for this WebTest." - } - }, - "syntheticMonitorId": { - "type": "string", - "defaultValue": "[parameters('name')]", - "metadata": { - "description": "Optional. Unique ID of this WebTest." - } - }, - "kind": { - "type": "string", - "defaultValue": "standard", - "allowedValues": [ - "multistep", - "ping", - "standard" - ], - "metadata": { - "description": "Optional. The kind of WebTest that this web test watches." 
- } - }, - "locations": { - "type": "array", - "defaultValue": [ - { - "Id": "us-il-ch1-azr" - }, - { - "Id": "us-fl-mia-edge" - }, - { - "Id": "latam-br-gru-edge" - }, - { - "Id": "apac-sg-sin-azr" - }, - { - "Id": "emea-nl-ams-azr" - } - ], - "metadata": { - "description": "Optional. List of where to physically run the tests from to give global coverage for accessibility of your application." - } - }, - "enabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Is the test actively being monitored." - } - }, - "frequency": { - "type": "int", - "defaultValue": 300, - "metadata": { - "description": "Optional. Interval in seconds between test runs for this WebTest." - } - }, - "timeout": { - "type": "int", - "defaultValue": 30, - "metadata": { - "description": "Optional. Seconds until this WebTest will timeout and fail." - } - }, - "retryEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Allow for retries should this WebTest fail." - } - }, - "validationRules": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The collection of validation rule properties." - } - }, - "configuration": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. An XML configuration specification for a WebTest." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "webtest": { - "type": "Microsoft.Insights/webtests", - "apiVersion": "2022-06-15", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "Kind": "[parameters('kind')]", - "Locations": "[parameters('locations')]", - "Name": 
"[parameters('webTestName')]", - "Description": "[parameters('description')]", - "SyntheticMonitorId": "[parameters('syntheticMonitorId')]", - "Enabled": "[parameters('enabled')]", - "Frequency": "[parameters('frequency')]", - "Timeout": "[parameters('timeout')]", - "RetryEnabled": "[parameters('retryEnabled')]", - "Request": "[parameters('request')]", - "ValidationRules": "[parameters('validationRules')]", - "Configuration": "[parameters('configuration')]" - } - }, - "webtest_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Insights/webtests/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "webtest" - ] - }, - "webtest_roleAssignments": { - "copy": { - "name": "webtest_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Insights/webtests/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Insights/webtests', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), 
variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "webtest" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the webtest." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the webtest." - }, - "value": "[resourceId('Microsoft.Insights/webtests', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the resource was deployed into." 
- }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('webtest', '2022-06-15', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/insights/webtest/tests/e2e/defaults/dependencies.bicep b/modules/insights/webtest/tests/e2e/defaults/dependencies.bicep deleted file mode 100644 index 79e003515d..0000000000 --- a/modules/insights/webtest/tests/e2e/defaults/dependencies.bicep +++ /dev/null @@ -1,26 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Log Analytics Workspace to create.') -param appInsightName string - -@description('Required. The name of the Log Analytics Workspace to create.') -param logAnalyticsWorkspaceName string - -resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' = { - name: logAnalyticsWorkspaceName - location: location -} - -resource appInsight 'Microsoft.Insights/components@2020-02-02' = { - name: appInsightName - location: location - kind: 'web' - properties: { - Application_Type: 'web' - WorkspaceResourceId: logAnalyticsWorkspace.id - } -} - -@description('The resource ID of the created Log Analytics Workspace.') -output appInsightResourceId string = appInsight.id diff --git a/modules/insights/webtest/tests/e2e/defaults/main.test.bicep b/modules/insights/webtest/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index a8c77a7505..0000000000 --- a/modules/insights/webtest/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,68 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-insights.webtests-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'iwtmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- appInsightName: 'dep-${namePrefix}-appi-${serviceShort}'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- name: '${namePrefix}${serviceShort}001'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- 'hidden-link:${nestedDependencies.outputs.appInsightResourceId}': 'Resource'
- }
- enableDefaultTelemetry: enableDefaultTelemetry
- webTestName: 'wt${namePrefix}$${serviceShort}001'
- request: {
- RequestUrl: 'https://learn.microsoft.com/en-us/'
- HttpVerb: 'GET'
- }
- }
-}]
diff --git a/modules/insights/webtest/tests/e2e/max/dependencies.bicep b/modules/insights/webtest/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 79e003515d..0000000000
--- a/modules/insights/webtest/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,26 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Log Analytics Workspace to create.')
-param appInsightName string
-
-@description('Required. The name of the Log Analytics Workspace to create.')
-param logAnalyticsWorkspaceName string
-
-resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' = {
- name: logAnalyticsWorkspaceName
- location: location
-}
-
-resource appInsight 'Microsoft.Insights/components@2020-02-02' = {
- name: appInsightName
- location: location
- kind: 'web'
- properties: {
- Application_Type: 'web'
- WorkspaceResourceId: logAnalyticsWorkspace.id
- }
-}
-
-@description('The resource ID of the created Log Analytics Workspace.')
-output appInsightResourceId string = appInsight.id
diff --git a/modules/insights/webtest/tests/e2e/max/main.test.bicep b/modules/insights/webtest/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 6821002ea8..0000000000
--- a/modules/insights/webtest/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,78 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-insights.webtests-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'iwtmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- appInsightName: 'dep-${namePrefix}-appi-${serviceShort}'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- name: '${namePrefix}${serviceShort}001'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- 'hidden-link:${nestedDependencies.outputs.appInsightResourceId}': 'Resource'
- }
- enableDefaultTelemetry: enableDefaultTelemetry
- webTestName: 'wt${namePrefix}$${serviceShort}001'
- syntheticMonitorId: '${namePrefix}${serviceShort}001'
- locations: [
- {
- Id: 'emea-nl-ams-azr'
- }
- ]
- request: {
- RequestUrl: 'https://learn.microsoft.com/en-us/'
- HttpVerb: 'GET'
- }
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- }
-}]
diff --git a/modules/insights/webtest/tests/e2e/waf-aligned/dependencies.bicep b/modules/insights/webtest/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 79e003515d..0000000000
--- a/modules/insights/webtest/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,26 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Log Analytics Workspace to create.')
-param appInsightName string
-
-@description('Required. The name of the Log Analytics Workspace to create.')
-param logAnalyticsWorkspaceName string
-
-resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' = {
- name: logAnalyticsWorkspaceName
- location: location
-}
-
-resource appInsight 'Microsoft.Insights/components@2020-02-02' = {
- name: appInsightName
- location: location
- kind: 'web'
- properties: {
- Application_Type: 'web'
- WorkspaceResourceId: logAnalyticsWorkspace.id
- }
-}
-
-@description('The resource ID of the created Log Analytics Workspace.')
-output appInsightResourceId string = appInsight.id
diff --git a/modules/insights/webtest/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/webtest/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 8674910b4f..0000000000
--- a/modules/insights/webtest/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,78 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-insights.webtests-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'iwtwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- appInsightName: 'dep-${namePrefix}-appi-${serviceShort}'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- name: '${namePrefix}${serviceShort}001'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- 'hidden-link:${nestedDependencies.outputs.appInsightResourceId}': 'Resource'
- }
- enableDefaultTelemetry: enableDefaultTelemetry
- webTestName: 'wt${namePrefix}$${serviceShort}001'
- syntheticMonitorId: '${namePrefix}${serviceShort}001'
- locations: [
- {
- Id: 'emea-nl-ams-azr'
- }
- ]
- request: {
- RequestUrl: 'https://learn.microsoft.com/en-us/'
- HttpVerb: 'GET'
- }
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- }
-}]
diff --git a/modules/insights/webtest/version.json b/modules/insights/webtest/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/insights/webtest/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/key-vault/vault/MOVED-TO-AVM.md b/modules/key-vault/vault/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/key-vault/vault/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/key-vault/vault/README.md b/modules/key-vault/vault/README.md
index d78189962a..78c9ee539b 100644
--- a/modules/key-vault/vault/README.md
+++ b/modules/key-vault/vault/README.md
@@ -1,1754 +1,7 @@
-# Key Vaults `[Microsoft.KeyVault/vaults]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/key-vault/vault](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/key-vault/vault).** -This module deploys a Key Vault. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/key-vault/vault). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.KeyVault/vaults` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2022-07-01/vaults) | -| `Microsoft.KeyVault/vaults/accessPolicies` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2022-07-01/vaults/accessPolicies) | -| `Microsoft.KeyVault/vaults/keys` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2022-07-01/vaults/keys) | -| `Microsoft.KeyVault/vaults/secrets` | 
[2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2022-07-01/vaults/secrets) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/key-vault.vault:1.0.0`. - -- [Accesspolicies](#example-1-accesspolicies) -- [Using only defaults](#example-2-using-only-defaults) -- [Using large parameter set](#example-3-using-large-parameter-set) -- [Pe](#example-4-pe) -- [WAF-aligned](#example-5-waf-aligned) - -### Example 1: _Accesspolicies_ - -
- -via Bicep module - -```bicep -module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-kvvap' - params: { - // Required parameters - name: 'kvvap002' - // Non-required parameters - accessPolicies: [ - { - objectId: '' - permissions: { - keys: [ - 'get' - 'list' - 'update' - ] - secrets: [ - 'get' - 'list' - ] - } - tenantId: '' - } - { - objectId: '' - permissions: { - certificates: [ - 'backup' - 'create' - 'delete' - ] - secrets: [ - 'get' - 'list' - ] - } - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - enablePurgeProtection: false - networkAcls: { - bypass: 'AzureServices' - defaultAction: 'Deny' - ipRules: [ - { - value: '40.74.28.0/23' - } - ] - virtualNetworkRules: [ - { - id: '' - ignoreMissingVnetServiceEndpoint: false - } - ] - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "kvvap002" - }, - // Non-required parameters - "accessPolicies": { - "value": [ - { - "objectId": "", - "permissions": { - "keys": [ - "get", - "list", - "update" - ], - "secrets": [ - "get", - "list" - ] - }, - "tenantId": "" - }, - { - "objectId": "", - "permissions": { - "certificates": [ - "backup", - "create", - "delete" - ], - "secrets": [ - "get", - "list" - ] - } - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "enablePurgeProtection": { - "value": false - }, - "networkAcls": { - "value": { - "bypass": "AzureServices", - "defaultAction": "Deny", - "ipRules": [ - { - "value": "40.74.28.0/23" - } - ], - "virtualNetworkRules": [ - { - "id": "", - "ignoreMissingVnetServiceEndpoint": false - } - ] - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-kvvmin' - params: { - // Required parameters - name: 'kvvmin002' - // Non-required parameters - enableDefaultTelemetry: '' - enablePurgeProtection: false - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "kvvmin002" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "enablePurgeProtection": { - "value": false - } - } -} -``` - -
-

- -### Example 3: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-kvvmax' - params: { - // Required parameters - name: 'kvvmax002' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - enablePurgeProtection: false - enableRbacAuthorization: true - keys: [ - { - attributesExp: 1725109032 - attributesNbf: 10000 - name: 'keyName' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - rotationPolicy: { - attributes: { - expiryTime: 'P2Y' - } - lifetimeActions: [ - { - action: { - type: 'Rotate' - } - trigger: { - timeBeforeExpiry: 'P2M' - } - } - { - action: { - type: 'Notify' - } - trigger: { - timeBeforeExpiry: 'P30D' - } - } - ] - } - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - networkAcls: { - bypass: 'AzureServices' - defaultAction: 'Deny' - ipRules: [ - { - value: '40.74.28.0/23' - } - ] - virtualNetworkRules: [ - { - id: '' - ignoreMissingVnetServiceEndpoint: false - } - ] - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'vault' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - secrets: { - secureList: [ - { - attributesExp: 1702648632 - attributesNbf: 10000 - contentType: 'Something' - name: 'secretName' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - value: 'secretValue' - } - ] - } - 
softDeleteRetentionInDays: 7 - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "kvvmax002" - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "enablePurgeProtection": { - "value": false - }, - "enableRbacAuthorization": { - "value": true - }, - "keys": { - "value": [ - { - "attributesExp": 1725109032, - "attributesNbf": 10000, - "name": "keyName", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "rotationPolicy": { - "attributes": { - "expiryTime": "P2Y" - }, - "lifetimeActions": [ - { - "action": { - "type": "Rotate" - }, - "trigger": { - "timeBeforeExpiry": "P2M" - } - }, - { - "action": { - "type": "Notify" - }, - "trigger": { - "timeBeforeExpiry": "P30D" - } - } - ] - } - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "networkAcls": { - "value": { - "bypass": "AzureServices", - "defaultAction": "Deny", - "ipRules": [ - { - "value": "40.74.28.0/23" - } - ], - "virtualNetworkRules": [ - { - "id": "", - "ignoreMissingVnetServiceEndpoint": false - } - ] - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "vault", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "secrets": { - "value": { - 
"secureList": [ - { - "attributesExp": 1702648632, - "attributesNbf": 10000, - "contentType": "Something", - "name": "secretName", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "value": "secretValue" - } - ] - } - }, - "softDeleteRetentionInDays": { - "value": 7 - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 4: _Pe_ - -

- -via Bicep module - -```bicep -module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-kvvpe' - params: { - // Required parameters - name: 'kvvpe001' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - enablePurgeProtection: false - enableRbacAuthorization: true - networkAcls: { - bypass: 'AzureServices' - defaultAction: 'Deny' - ipRules: [ - { - value: '40.74.28.0/23' - } - ] - virtualNetworkRules: [ - { - id: '' - ignoreMissingVnetServiceEndpoint: false - } - ] - } - privateEndpoints: [ - { - customDnsConfigs: [ - { - fqdn: 'abc.keyvault.com' - ipAddresses: [ - '10.0.0.10' - ] - } - ] - ipConfigurations: [ - { - name: 'myIPconfig' - properties: { - groupId: 'vault' - memberName: 'default' - privateIPAddress: '10.0.0.10' - } - } - ] - name: 'dep-pe-kvvpe' - privateDnsZoneResourceIds: [ - '' - ] - service: 'vault' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "kvvpe001" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "enablePurgeProtection": { - "value": false - }, - "enableRbacAuthorization": { - "value": true - }, - "networkAcls": { - "value": { - "bypass": "AzureServices", - "defaultAction": "Deny", - "ipRules": [ - { - "value": "40.74.28.0/23" - } - ], - "virtualNetworkRules": [ - { - "id": "", - "ignoreMissingVnetServiceEndpoint": false - } - ] - } - }, - "privateEndpoints": { - "value": [ - { - "customDnsConfigs": [ - { - "fqdn": "abc.keyvault.com", - "ipAddresses": [ - "10.0.0.10" - ] - } - ], - "ipConfigurations": [ - { - "name": "myIPconfig", - "properties": { - "groupId": "vault", - "memberName": "default", - "privateIPAddress": "10.0.0.10" - } - } - ], - "name": "dep-pe-kvvpe", - "privateDnsZoneResourceIds": [ - "" - ], - "service": "vault", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 5: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-kvvwaf' - params: { - // Required parameters - name: 'kvvwaf002' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - enablePurgeProtection: false - enableRbacAuthorization: true - keys: [ - { - attributesExp: 1725109032 - attributesNbf: 10000 - name: 'keyName' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - rotationPolicy: { - attributes: { - expiryTime: 'P2Y' - } - lifetimeActions: [ - { - action: { - type: 'Rotate' - } - trigger: { - timeBeforeExpiry: 'P2M' - } - } - { - action: { - type: 'Notify' - } - trigger: { - timeBeforeExpiry: 'P30D' - } - } - ] - } - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - networkAcls: { - bypass: 'AzureServices' - defaultAction: 'Deny' - ipRules: [ - { - value: '40.74.28.0/23' - } - ] - virtualNetworkRules: [ - { - id: '' - ignoreMissingVnetServiceEndpoint: false - } - ] - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'vault' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - secrets: { - secureList: [ - { - attributesExp: 1702648632 - attributesNbf: 10000 - contentType: 'Something' - name: 'secretName' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - value: 'secretValue' - } - ] - } - 
softDeleteRetentionInDays: 7 - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "kvvwaf002" - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "enablePurgeProtection": { - "value": false - }, - "enableRbacAuthorization": { - "value": true - }, - "keys": { - "value": [ - { - "attributesExp": 1725109032, - "attributesNbf": 10000, - "name": "keyName", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "rotationPolicy": { - "attributes": { - "expiryTime": "P2Y" - }, - "lifetimeActions": [ - { - "action": { - "type": "Rotate" - }, - "trigger": { - "timeBeforeExpiry": "P2M" - } - }, - { - "action": { - "type": "Notify" - }, - "trigger": { - "timeBeforeExpiry": "P30D" - } - } - ] - } - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "networkAcls": { - "value": { - "bypass": "AzureServices", - "defaultAction": "Deny", - "ipRules": [ - { - "value": "40.74.28.0/23" - } - ], - "virtualNetworkRules": [ - { - "id": "", - "ignoreMissingVnetServiceEndpoint": false - } - ] - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "vault", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "secrets": { - "value": { - 
"secureList": [ - { - "attributesExp": 1702648632, - "attributesNbf": 10000, - "contentType": "Something", - "name": "secretName", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "value": "secretValue" - } - ] - } - }, - "softDeleteRetentionInDays": { - "value": 7 - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Key Vault. Must be globally unique. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`accessPolicies`](#parameter-accesspolicies) | array | All access policies to create. | -| [`createMode`](#parameter-createmode) | string | The vault's create mode to indicate whether the vault need to be recovered or not. - recover or default. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`enablePurgeProtection`](#parameter-enablepurgeprotection) | bool | Provide 'true' to enable Key Vault's purge protection feature. | -| [`enableRbacAuthorization`](#parameter-enablerbacauthorization) | bool | Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. Note that management actions are always authorized with RBAC. | -| [`enableSoftDelete`](#parameter-enablesoftdelete) | bool | Switch to enable/disable Key Vault's soft delete feature. | -| [`enableVaultForDeployment`](#parameter-enablevaultfordeployment) | bool | Specifies if the vault is enabled for deployment by script or compute. | -| [`enableVaultForDiskEncryption`](#parameter-enablevaultfordiskencryption) | bool | Specifies if the azure platform has access to the vault for enabling disk encryption scenarios. 
| -| [`enableVaultForTemplateDeployment`](#parameter-enablevaultfortemplatedeployment) | bool | Specifies if the vault is enabled for a template deployment. | -| [`keys`](#parameter-keys) | array | All keys to create. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`networkAcls`](#parameter-networkacls) | object | Service endpoint object information. For security reasons, it is recommended to set the DefaultAction Deny. | -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`secrets`](#parameter-secrets) | secureObject | All secrets to create. | -| [`softDeleteRetentionInDays`](#parameter-softdeleteretentionindays) | int | softDelete data retention days. It accepts >=7 and <=90. | -| [`tags`](#parameter-tags) | object | Resource tags. | -| [`vaultSku`](#parameter-vaultsku) | string | Specifies the SKU for the vault. | - -### Parameter: `name` - -Name of the Key Vault. Must be globally unique. 
- -- Required: Yes -- Type: string - -### Parameter: `accessPolicies` - -All access policies to create. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `createMode` - -The vault's create mode to indicate whether the vault need to be recovered or not. - recover or default. - -- Required: No -- Type: string -- Default: `'default'` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
- -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enablePurgeProtection` - -Provide 'true' to enable Key Vault's purge protection feature. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableRbacAuthorization` - -Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. Note that management actions are always authorized with RBAC. 
- -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableSoftDelete` - -Switch to enable/disable Key Vault's soft delete feature. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableVaultForDeployment` - -Specifies if the vault is enabled for deployment by script or compute. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableVaultForDiskEncryption` - -Specifies if the azure platform has access to the vault for enabling disk encryption scenarios. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableVaultForTemplateDeployment` - -Specifies if the vault is enabled for a template deployment. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `keys` - -All keys to create. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `networkAcls` - -Service endpoint object information. For security reasons, it is recommended to set the DefaultAction Deny. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `privateEndpoints` - -Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. 
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. 
A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.subnetResourceId` - -Resource ID of the subnet where the endpoint needs to be created. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Application security groups in which the private endpoint IP configuration is included. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customDnsConfigs` - -Custom DNS configurations. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customNetworkInterfaceName` - -The custom name of the network interface attached to the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.enableTelemetry` - -Enable/Disable usage telemetry for module. - -- Required: No -- Type: bool - -### Parameter: `privateEndpoints.ipConfigurations` - -A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.location` - -The location to deploy the private endpoint to. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.lock` - -Specify the type of lock. 
- -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | -| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | - -### Parameter: `privateEndpoints.lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `privateEndpoints.lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` - -Manual PrivateLink Service Connections. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.name` - -The name of the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneGroupName` - -The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` - -The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| -| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `privateEndpoints.roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `privateEndpoints.service` - -The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.tags` - -Tags to be applied on all resources/resource groups in this deployment. - -- Required: No -- Type: object - -### Parameter: `publicNetworkAccess` - -Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
- -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `secrets` - -All secrets to create. - -- Required: No -- Type: secureObject -- Default: `{}` - -### Parameter: `softDeleteRetentionInDays` - -softDelete data retention days. It accepts >=7 and <=90. - -- Required: No -- Type: int -- Default: `90` - -### Parameter: `tags` - -Resource tags. - -- Required: No -- Type: object - -### Parameter: `vaultSku` - -Specifies the SKU for the vault. - -- Required: No -- Type: string -- Default: `'premium'` -- Allowed: - ```Bicep - [ - 'premium' - 'standard' - ] - ``` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the key vault. | -| `resourceGroupName` | string | The name of the resource group the key vault was created in. | -| `resourceId` | string | The resource ID of the key vault. | -| `uri` | string | The URI of the key vault. 
| - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `modules/network/private-endpoint` | Local reference | +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/key-vault/vault/access-policy/README.md b/modules/key-vault/vault/access-policy/README.md deleted file mode 100644 index 4e417d6857..0000000000 --- a/modules/key-vault/vault/access-policy/README.md +++ /dev/null 
@@ -1,67 +0,0 @@
-# Key Vault Access Policies `[Microsoft.KeyVault/vaults/accessPolicies]`
-
-This module deploys a Key Vault Access Policy.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.KeyVault/vaults/accessPolicies` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2022-07-01/vaults/accessPolicies) |
-
-## Parameters
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`keyVaultName`](#parameter-keyvaultname) | string | The name of the parent key vault. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`accessPolicies`](#parameter-accesspolicies) | array | An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-
-### Parameter: `keyVaultName`
-
-The name of the parent key vault. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `accessPolicies`
-
-An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the access policies assignment. |
-| `resourceGroupName` | string | The name of the resource group the access policies assignment was created in. |
-| `resourceId` | string | The resource ID of the access policies assignment. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/key-vault/vault/access-policy/main.bicep b/modules/key-vault/vault/access-policy/main.bicep
deleted file mode 100644
index 6eeec78ae5..0000000000
--- a/modules/key-vault/vault/access-policy/main.bicep
+++ /dev/null
@@ -1,52 +0,0 @@
-metadata name = 'Key Vault Access Policies'
-metadata description = 'This module deploys a Key Vault Access Policy.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent key vault. Required if the template is used in a standalone deployment.')
-param keyVaultName string
-
-@description('Optional. An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault\'s tenant ID.')
-param accessPolicies array = []
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var formattedAccessPolicies = [for accessPolicy in accessPolicies: {
- applicationId: contains(accessPolicy, 'applicationId') ? accessPolicy.applicationId : ''
- objectId: contains(accessPolicy, 'objectId') ? accessPolicy.objectId : ''
- permissions: accessPolicy.permissions
- tenantId: contains(accessPolicy, 'tenantId') ? accessPolicy.tenantId : tenant().tenantId
-}]
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
- name: keyVaultName
-}
-
-resource policies 'Microsoft.KeyVault/vaults/accessPolicies@2022-07-01' = {
- name: 'add'
- parent: keyVault
- properties: {
- accessPolicies: formattedAccessPolicies
- }
-}
-
-@description('The name of the resource group the access policies assignment was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the access policies assignment.')
-output name string = policies.name
-
-@description('The resource ID of the access policies assignment.')
-output resourceId string = policies.id
diff --git a/modules/key-vault/vault/access-policy/main.json b/modules/key-vault/vault/access-policy/main.json
deleted file mode 100644
index a17b0dbe18..0000000000
--- a/modules/key-vault/vault/access-policy/main.json
+++ /dev/null
@@ -1,97 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5636934877550105255" - }, - "name": "Key Vault Access Policies", - "description": "This module deploys a Key Vault Access Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "keyVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent key vault. Required if the template is used in a standalone deployment." - } - }, - "accessPolicies": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "formattedAccessPolicies", - "count": "[length(parameters('accessPolicies'))]", - "input": { - "applicationId": "[if(contains(parameters('accessPolicies')[copyIndex('formattedAccessPolicies')], 'applicationId'), parameters('accessPolicies')[copyIndex('formattedAccessPolicies')].applicationId, '')]", - "objectId": "[if(contains(parameters('accessPolicies')[copyIndex('formattedAccessPolicies')], 'objectId'), parameters('accessPolicies')[copyIndex('formattedAccessPolicies')].objectId, '')]", - "permissions": "[parameters('accessPolicies')[copyIndex('formattedAccessPolicies')].permissions]", - "tenantId": "[if(contains(parameters('accessPolicies')[copyIndex('formattedAccessPolicies')], 'tenantId'), parameters('accessPolicies')[copyIndex('formattedAccessPolicies')].tenantId, tenant().tenantId)]" - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.KeyVault/vaults/accessPolicies", - "apiVersion": "2022-07-01", - "name": "[format('{0}/{1}', parameters('keyVaultName'), 'add')]", - "properties": { - "accessPolicies": "[variables('formattedAccessPolicies')]" - } - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the access policies assignment was created in." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the access policies assignment." 
- }, - "value": "add" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the access policies assignment." - }, - "value": "[resourceId('Microsoft.KeyVault/vaults/accessPolicies', parameters('keyVaultName'), 'add')]" - } - } -} \ No newline at end of file diff --git a/modules/key-vault/vault/access-policy/version.json b/modules/key-vault/vault/access-policy/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/key-vault/vault/access-policy/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/key-vault/vault/key/README.md b/modules/key-vault/vault/key/README.md deleted file mode 100644 index 56a60ada8c..0000000000 --- a/modules/key-vault/vault/key/README.md +++ /dev/null 
@@ -1,352 +0,0 @@ -# Key Vault Keys `[Microsoft.KeyVault/vaults/keys]` - -This module deploys a Key Vault Key. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.KeyVault/vaults/keys` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2022-07-01/vaults/keys) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the key. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyVaultName`](#parameter-keyvaultname) | string | The name of the parent key vault. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`attributesEnabled`](#parameter-attributesenabled) | bool | Determines whether the object is enabled. | -| [`attributesExp`](#parameter-attributesexp) | int | Expiry date in seconds since 1970-01-01T00:00:00Z. For security reasons, it is recommended to set an expiration date whenever possible. | -| [`attributesNbf`](#parameter-attributesnbf) | int | Not before date in seconds since 1970-01-01T00:00:00Z. | -| [`curveName`](#parameter-curvename) | string | The elliptic curve name. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`keyOps`](#parameter-keyops) | array | Array of JsonWebKeyOperation. | -| [`keySize`](#parameter-keysize) | int | The key size in bits. For example: 2048, 3072, or 4096 for RSA. 
| -| [`kty`](#parameter-kty) | string | The type of the key. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`rotationPolicy`](#parameter-rotationpolicy) | object | Key rotation policy properties object. | -| [`tags`](#parameter-tags) | object | Resource tags. | - -### Parameter: `name` - -The name of the key. - -- Required: Yes -- Type: string - -### Parameter: `keyVaultName` - -The name of the parent key vault. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `attributesEnabled` - -Determines whether the object is enabled. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `attributesExp` - -Expiry date in seconds since 1970-01-01T00:00:00Z. For security reasons, it is recommended to set an expiration date whenever possible. - -- Required: No -- Type: int -- Default: `-1` - -### Parameter: `attributesNbf` - -Not before date in seconds since 1970-01-01T00:00:00Z. - -- Required: No -- Type: int -- Default: `-1` - -### Parameter: `curveName` - -The elliptic curve name. - -- Required: No -- Type: string -- Default: `'P-256'` -- Allowed: - ```Bicep - [ - 'P-256' - 'P-256K' - 'P-384' - 'P-521' - ] - ``` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `keyOps` - -Array of JsonWebKeyOperation. 
- -- Required: No -- Type: array -- Default: `[]` -- Allowed: - ```Bicep - [ - 'decrypt' - 'encrypt' - 'import' - 'sign' - 'unwrapKey' - 'verify' - 'wrapKey' - ] - ``` - -### Parameter: `keySize` - -The key size in bits. For example: 2048, 3072, or 4096 for RSA. - -- Required: No -- Type: int -- Default: `-1` - -### Parameter: `kty` - -The type of the key. - -- Required: No -- Type: string -- Default: `'EC'` -- Allowed: - ```Bicep - [ - 'EC' - 'EC-HSM' - 'RSA' - 'RSA-HSM' - ] - ``` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. 
| -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `rotationPolicy` - -Key rotation policy properties object. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `tags` - -Resource tags. 
- -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the key. | -| `resourceGroupName` | string | The name of the resource group the key was created in. | -| `resourceId` | string | The resource ID of the key. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `rotationPolicy` - -Configures a [auto-rotation policy](https://learn.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation) for the key. -Remarks: - -- The times should use the ISO 8601 duration format, e.g. `P1Y` (1 year), `P2M`, (2 months), `P90D` (90 days). -- The `trigger` property of `lifetimeActions` can contain one of the following properties: - - `timeAfterCreate` - The time duration after key creation to rotate the key. It only applies to rotate. - - `timeBeforeExpiry` - The time duration before key expiring to rotate or notify. To use this, the key must have an expiration date configured. - -

- -Parameter JSON format - -```json -"rotationPolicy": { - "value": { - "attributes": { - "expiryTime": "P2Y" - }, - "lifetimeActions": [ - { - "trigger": { - "timeBeforeExpiry": "P2M" - }, - "action": { - "type": "Rotate" - } - }, - { - "trigger": { - "timeBeforeExpiry": "P30D" - }, - "action": { - "type": "Notify" - } - } - ] - } -} -``` - -
- -
- -Bicep format - -```bicep -rotationPolicy: { - attributes: { - expiryTime: 'P2Y' - } - lifetimeActions: [ - { - trigger: { - timeBeforeExpiry: 'P2M' - } - action: { - type: 'Rotate' - } - } - { - trigger: { - timeBeforeExpiry: 'P30D' - } - action: { - type: 'Notify' - } - } - ] -} -``` - -
-

diff --git a/modules/key-vault/vault/key/main.bicep b/modules/key-vault/vault/key/main.bicep
deleted file mode 100644
index 21a15d15f2..0000000000
--- a/modules/key-vault/vault/key/main.bicep
+++ /dev/null
@@ -1,163 +0,0 @@ -metadata name = 'Key Vault Keys' -metadata description = 'This module deploys a Key Vault Key.' -metadata owner = 'Azure/module-maintainers' - -@description('Conditional. The name of the parent key vault. Required if the template is used in a standalone deployment.') -param keyVaultName string - -@description('Required. The name of the key.') -param name string - -@description('Optional. Resource tags.') -param tags object? - -@description('Optional. Determines whether the object is enabled.') -param attributesEnabled bool = true - -@description('Optional. Expiry date in seconds since 1970-01-01T00:00:00Z. For security reasons, it is recommended to set an expiration date whenever possible.') -param attributesExp int = -1 - -@description('Optional. Not before date in seconds since 1970-01-01T00:00:00Z.') -param attributesNbf int = -1 - -@description('Optional. The elliptic curve name.') -@allowed([ - 'P-256' - 'P-256K' - 'P-384' - 'P-521' -]) -param curveName string = 'P-256' - -@description('Optional. Array of JsonWebKeyOperation.') -@allowed([ - 'decrypt' - 'encrypt' - 'import' - 'sign' - 'unwrapKey' - 'verify' - 'wrapKey' -]) -param keyOps array = [] - -@description('Optional. The key size in bits. For example: 2048, 3072, or 4096 for RSA.') -param keySize int = -1 - -@description('Optional. The type of the key.') -@allowed([ - 'EC' - 'EC-HSM' - 'RSA' - 'RSA-HSM' -]) -param kty string = 'EC' - -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments roleAssignmentType - -@description('Optional. 
Key rotation policy properties object.') -param rotationPolicy object = {} - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Key Vault Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') - 'Key Vault Certificates Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985') - 'Key Vault Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395') - 'Key Vault Crypto Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603') - 'Key Vault Crypto Service Encryption User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') - 'Key Vault Crypto User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') - 'Key Vault Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2') - 'Key Vault Secrets Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7') - 'Key Vault Secrets User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access 
Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = { - name: keyVaultName -} - -resource key 'Microsoft.KeyVault/vaults/keys@2022-07-01' = { - name: name - parent: keyVault - tags: tags - properties: { - attributes: { - enabled: attributesEnabled - exp: attributesExp != -1 ? attributesExp : null - nbf: attributesNbf != -1 ? attributesNbf : null - } - curveName: curveName - keyOps: keyOps - keySize: keySize != -1 ? keySize : null - kty: kty - rotationPolicy: !empty(rotationPolicy) ? rotationPolicy : null - } -} - -resource key_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(key.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? 
'2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: key -}] - -@description('The name of the key.') -output name string = key.name - -@description('The resource ID of the key.') -output resourceId string = key.id - -@description('The name of the resource group the key was created in.') -output resourceGroupName string = resourceGroup().name -// =============== // -// Definitions // -// =============== // - -type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? diff --git a/modules/key-vault/vault/key/main.json b/modules/key-vault/vault/key/main.json deleted file mode 100644 index 3b27f5a930..0000000000 --- a/modules/key-vault/vault/key/main.json +++ /dev/null 
@@ -1,300 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6556101606252284471" - }, - "name": "Key Vault Keys", - "description": "This module deploys a Key Vault Key.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "keyVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent key vault. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the key." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Resource tags." - } - }, - "attributesEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Determines whether the object is enabled." - } - }, - "attributesExp": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Expiry date in seconds since 1970-01-01T00:00:00Z. For security reasons, it is recommended to set an expiration date whenever possible." - } - }, - "attributesNbf": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Not before date in seconds since 1970-01-01T00:00:00Z." - } - }, - "curveName": { - "type": "string", - "defaultValue": "P-256", - "allowedValues": [ - "P-256", - "P-256K", - "P-384", - "P-521" - ], - "metadata": { - "description": "Optional. The elliptic curve name." - } - }, - "keyOps": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "decrypt", - "encrypt", - "import", - "sign", - "unwrapKey", - "verify", - "wrapKey" - ], - "metadata": { - "description": "Optional. Array of JsonWebKeyOperation." - } - }, - "keySize": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. The key size in bits. For example: 2048, 3072, or 4096 for RSA." - } - }, - "kty": { - "type": "string", - "defaultValue": "EC", - "allowedValues": [ - "EC", - "EC-HSM", - "RSA", - "RSA-HSM" - ], - "metadata": { - "description": "Optional. The type of the key." 
- } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "rotationPolicy": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Key rotation policy properties object." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Key Vault Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]", - "Key Vault Certificates Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')]", - "Key Vault Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", - "Key Vault Crypto Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')]", - "Key Vault Crypto Service Encryption User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')]", - "Key Vault Crypto User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')]", - "Key Vault Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'21090545-7ca7-4776-b22c-e363652d74d2')]", - "Key Vault Secrets Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]", - "Key Vault Secrets User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "keyVault": { - "existing": true, - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2022-07-01", - "name": "[parameters('keyVaultName')]" - }, - "key": { - "type": "Microsoft.KeyVault/vaults/keys", - "apiVersion": "2022-07-01", - "name": "[format('{0}/{1}', parameters('keyVaultName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "attributes": { - "enabled": "[parameters('attributesEnabled')]", - "exp": "[if(not(equals(parameters('attributesExp'), -1)), parameters('attributesExp'), null())]", - "nbf": "[if(not(equals(parameters('attributesNbf'), -1)), 
parameters('attributesNbf'), null())]" - }, - "curveName": "[parameters('curveName')]", - "keyOps": "[parameters('keyOps')]", - "keySize": "[if(not(equals(parameters('keySize'), -1)), parameters('keySize'), null())]", - "kty": "[parameters('kty')]", - "rotationPolicy": "[if(not(empty(parameters('rotationPolicy'))), parameters('rotationPolicy'), null())]" - }, - "dependsOn": [ - "keyVault" - ] - }, - "key_roleAssignments": { - "copy": { - "name": "key_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.KeyVault/vaults/{0}/keys/{1}', parameters('keyVaultName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.KeyVault/vaults/keys', parameters('keyVaultName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 
'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "key" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the key." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the key." - }, - "value": "[resourceId('Microsoft.KeyVault/vaults/keys', parameters('keyVaultName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the key was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/key-vault/vault/key/version.json b/modules/key-vault/vault/key/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/key-vault/vault/key/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/key-vault/vault/main.bicep b/modules/key-vault/vault/main.bicep deleted file mode 100644 index f26fb09a52..0000000000 --- a/modules/key-vault/vault/main.bicep +++ /dev/null 
@@ -1,435 +0,0 @@
-metadata name = 'Key Vaults'
-metadata description = 'This module deploys a Key Vault.'
-metadata owner = 'Azure/module-maintainers'
-
-// ================ //
-// Parameters //
-// ================ //
-@description('Required. Name of the Key Vault. Must be globally unique.')
-@maxLength(24)
-param name string
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. All access policies to create.')
-param accessPolicies array = []
-
-@description('Optional. All secrets to create.')
-@secure()
-param secrets object = {}
-
-@description('Optional. All keys to create.')
-param keys array = []
-
-@description('Optional. Specifies if the vault is enabled for deployment by script or compute.')
-param enableVaultForDeployment bool = true
-
-@description('Optional. Specifies if the vault is enabled for a template deployment.')
-param enableVaultForTemplateDeployment bool = true
-
-@description('Optional. Specifies if the azure platform has access to the vault for enabling disk encryption scenarios.')
-param enableVaultForDiskEncryption bool = true
-
-@description('Optional. Switch to enable/disable Key Vault\'s soft delete feature.')
-param enableSoftDelete bool = true
-
-@description('Optional. softDelete data retention days. It accepts >=7 and <=90.')
-param softDeleteRetentionInDays int = 90
-
-@description('Optional. Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. Note that management actions are always authorized with RBAC.')
-param enableRbacAuthorization bool = true
-
-@description('Optional.
The vault\'s create mode to indicate whether the vault need to be recovered or not. - recover or default.')
-param createMode string = 'default'
-
-@description('Optional. Provide \'true\' to enable Key Vault\'s purge protection feature.')
-param enablePurgeProtection bool = true
-
-@description('Optional. Specifies the SKU for the vault.')
-@allowed([
- 'premium'
- 'standard'
-])
-param vaultSku string = 'premium'
-
-@description('Optional. Service endpoint object information. For security reasons, it is recommended to set the DefaultAction Deny.')
-param networkAcls object = {}
-
-@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set.')
-@allowed([
- ''
- 'Enabled'
- 'Disabled'
-])
-param publicNetworkAccess string = ''
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints privateEndpointType
-
-@description('Optional. Resource tags.')
-param tags object?
-
-@description('Optional.
Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-// =========== //
-// Variables //
-// =========== //
-
-var formattedAccessPolicies = [for accessPolicy in accessPolicies: {
- applicationId: contains(accessPolicy, 'applicationId') ? accessPolicy.applicationId : ''
- objectId: contains(accessPolicy, 'objectId') ? accessPolicy.objectId : ''
- permissions: accessPolicy.permissions
- tenantId: contains(accessPolicy, 'tenantId') ? accessPolicy.tenantId : tenant().tenantId
-}]
-
-var secretList = !empty(secrets) ? secrets.secureList : []
-
-var enableReferencedModulesTelemetry = false
-
-// ============ //
-// Dependencies //
-// ============ //
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Key Vault Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')
- 'Key Vault Certificates Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')
- 'Key Vault Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')
- 'Key Vault Crypto Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')
- 'Key Vault Crypto Service Encryption User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')
- 'Key Vault Crypto User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')
- 'Key Vault Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2')
- 'Key Vault Secrets Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')
- 'Key Vault Secrets User':
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: name
- location: location
- tags: tags
- properties: {
- enabledForDeployment: enableVaultForDeployment
- enabledForTemplateDeployment: enableVaultForTemplateDeployment
- enabledForDiskEncryption: enableVaultForDiskEncryption
- enableSoftDelete: enableSoftDelete
- softDeleteRetentionInDays: softDeleteRetentionInDays
- enableRbacAuthorization: enableRbacAuthorization
- createMode: createMode
- enablePurgeProtection: enablePurgeProtection ? enablePurgeProtection : null
- tenantId: subscription().tenantId
- accessPolicies: formattedAccessPolicies
- sku: {
- name: vaultSku
- family: 'A'
- }
- networkAcls: !empty(networkAcls) ? {
- bypass: contains(networkAcls, 'bypass') ? networkAcls.bypass : null
- defaultAction: contains(networkAcls, 'defaultAction') ? networkAcls.defaultAction : null
- virtualNetworkRules: contains(networkAcls, 'virtualNetworkRules') ?
networkAcls.virtualNetworkRules : []
- ipRules: contains(networkAcls, 'ipRules') ? networkAcls.ipRules : []
- } : null
- publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) && empty(networkAcls) ? 'Disabled' : null)
- }
-}
-
-resource keyVault_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: keyVault
-}
-
-resource keyVault_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ??
[
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: keyVault
-}]
-
-module keyVault_accessPolicies 'access-policy/main.bicep' = if (!empty(accessPolicies)) {
- name: '${uniqueString(deployment().name, location)}-KeyVault-AccessPolicies'
- params: {
- keyVaultName: keyVault.name
- accessPolicies: formattedAccessPolicies
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module keyVault_secrets 'secret/main.bicep' = [for (secret, index) in secretList: {
- name: '${uniqueString(deployment().name, location)}-KeyVault-Secret-${index}'
- params: {
- name: secret.name
- value: secret.value
- keyVaultName: keyVault.name
- attributesEnabled: contains(secret, 'attributesEnabled') ? secret.attributesEnabled : true
- attributesExp: contains(secret, 'attributesExp') ? secret.attributesExp : -1
- attributesNbf: contains(secret, 'attributesNbf') ? secret.attributesNbf : -1
- contentType: contains(secret, 'contentType') ? secret.contentType : ''
- tags: secret.?tags ?? tags
- roleAssignments: contains(secret, 'roleAssignments') ? secret.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module keyVault_keys 'key/main.bicep' = [for (key, index) in keys: {
- name: '${uniqueString(deployment().name, location)}-KeyVault-Key-${index}'
- params: {
- name: key.name
- keyVaultName: keyVault.name
- attributesEnabled: contains(key, 'attributesEnabled') ? key.attributesEnabled : true
- attributesExp: contains(key, 'attributesExp') ? key.attributesExp : -1
- attributesNbf: contains(key, 'attributesNbf') ? key.attributesNbf : -1
- curveName: contains(key, 'curveName') ? key.curveName : 'P-256'
- keyOps: contains(key, 'keyOps') ? key.keyOps : []
- keySize: contains(key, 'keySize') ? key.keySize : -1
- kty: contains(key, 'kty') ? key.kty : 'EC'
- tags: key.?tags ??
tags
- roleAssignments: contains(key, 'roleAssignments') ? key.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- rotationPolicy: contains(key, 'rotationPolicy') ? key.rotationPolicy : {}
- }
-}]
-
-module keyVault_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
- name: '${uniqueString(deployment().name, location)}-keyVault-PrivateEndpoint-${index}'
- params: {
- groupIds: [
- privateEndpoint.?service ?? 'vault'
- ]
- name: privateEndpoint.?name ?? 'pep-${last(split(keyVault.id, '/'))}-${privateEndpoint.?service ?? 'vault'}-${index}'
- serviceResourceId: keyVault.id
- subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
- location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
- privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
- roleAssignments: privateEndpoint.?roleAssignments
- tags: privateEndpoint.?tags ?? tags
- manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
- customDnsConfigs: privateEndpoint.?customDnsConfigs
- ipConfigurations: privateEndpoint.?ipConfigurations
- applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
- customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
- }
-}]
-
-resource keyVault_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(keyVault.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ?
builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: keyVault
-}]
-
-// =========== //
-// Outputs //
-// =========== //
-@description('The resource ID of the key vault.')
-output resourceId string = keyVault.id
-
-@description('The name of the resource group the key vault was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the key vault.')
-output name string = keyVault.name
-
-@description('The URI of the key vault.')
-output uri string = keyVault.properties.vaultUri
-
-@description('The location the resource was deployed into.')
-output location string = keyVault.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional.
The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type privateEndpointType = {
- @description('Optional. The name of the private endpoint.')
- name: string?
-
- @description('Optional. The location to deploy the private endpoint to.')
- location: string?
-
- @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
- service: string?
-
- @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
- subnetResourceId: string
-
- @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
- privateDnsZoneGroupName: string?
-
- @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
- privateDnsZoneResourceIds: string[]?
-
- @description('Optional. Custom DNS configurations.')
- customDnsConfigs: {
- @description('Required. Fqdn that resolves to private endpoint ip address.')
- fqdn: string?
-
- @description('Required. A list of private ip addresses of the private endpoint.')
- ipAddresses: string[]
- }[]?
-
- @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
- ipConfigurations: {
- @description('Required. The name of the resource that is unique within a resource group.')
- name: string
-
- @description('Required. Properties of private endpoint IP configurations.')
- properties: {
- @description('Required.
The ID of a group obtained from the remote resource that this private endpoint should connect to.')
- groupId: string
-
- @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
- memberName: string
-
- @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
- privateIPAddress: string
- }
- }[]?
-
- @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
- applicationSecurityGroupResourceIds: string[]?
-
- @description('Optional. The custom name of the network interface attached to the private endpoint.')
- customNetworkInterfaceName: string?
-
- @description('Optional. Specify the type of lock.')
- lock: lockType
-
- @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleAssignments: roleAssignmentType
-
- @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
- tags: object?
-
- @description('Optional. Manual PrivateLink Service Connections.')
- manualPrivateLinkServiceConnections: array?
-
- @description('Optional. Enable/Disable usage telemetry for module.')
- enableTelemetry: bool?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional.
Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/key-vault/vault/main.json b/modules/key-vault/vault/main.json
deleted file mode 100644
index 49af2cfca8..0000000000
--- a/modules/key-vault/vault/main.json
+++ /dev/null
@@ -1,2093 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4234651984682220679" - }, - "name": "Key Vaults", - "description": "This module deploys a Key Vault.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." 
- } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." 
- } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." 
- } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." 
- } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Required. Name of the Key Vault. Must be globally unique." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "accessPolicies": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. All access policies to create." - } - }, - "secrets": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. All secrets to create." - } - }, - "keys": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. All keys to create." - } - }, - "enableVaultForDeployment": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Specifies if the vault is enabled for deployment by script or compute." 
- } - }, - "enableVaultForTemplateDeployment": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Specifies if the vault is enabled for a template deployment." - } - }, - "enableVaultForDiskEncryption": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Specifies if the azure platform has access to the vault for enabling disk encryption scenarios." - } - }, - "enableSoftDelete": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Switch to enable/disable Key Vault's soft delete feature." - } - }, - "softDeleteRetentionInDays": { - "type": "int", - "defaultValue": 90, - "metadata": { - "description": "Optional. softDelete data retention days. It accepts >=7 and <=90." - } - }, - "enableRbacAuthorization": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. Note that management actions are always authorized with RBAC." - } - }, - "createMode": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The vault's create mode to indicate whether the vault need to be recovered or not. - recover or default." - } - }, - "enablePurgeProtection": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Provide 'true' to enable Key Vault's purge protection feature." - } - }, - "vaultSku": { - "type": "string", - "defaultValue": "premium", - "allowedValues": [ - "premium", - "standard" - ], - "metadata": { - "description": "Optional. Specifies the SKU for the vault." 
- } - }, - "networkAcls": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Service endpoint object information. For security reasons, it is recommended to set the DefaultAction Deny." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Resource tags." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "formattedAccessPolicies", - "count": "[length(parameters('accessPolicies'))]", - "input": { - "applicationId": "[if(contains(parameters('accessPolicies')[copyIndex('formattedAccessPolicies')], 'applicationId'), parameters('accessPolicies')[copyIndex('formattedAccessPolicies')].applicationId, '')]", - "objectId": "[if(contains(parameters('accessPolicies')[copyIndex('formattedAccessPolicies')], 'objectId'), parameters('accessPolicies')[copyIndex('formattedAccessPolicies')].objectId, '')]", - "permissions": "[parameters('accessPolicies')[copyIndex('formattedAccessPolicies')].permissions]", - "tenantId": "[if(contains(parameters('accessPolicies')[copyIndex('formattedAccessPolicies')], 'tenantId'), parameters('accessPolicies')[copyIndex('formattedAccessPolicies')].tenantId, tenant().tenantId)]" - } - } - ], - "secretList": "[if(not(empty(parameters('secrets'))), parameters('secrets').secureList, createArray())]", - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Key Vault Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]", - "Key Vault Certificates Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')]", - "Key Vault Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", - "Key Vault Crypto Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')]", - "Key Vault Crypto Service Encryption User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')]", - "Key Vault Crypto User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'12338af0-0e69-4776-bea7-57ae8d297424')]", - "Key Vault Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2')]", - "Key Vault Secrets Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]", - "Key Vault Secrets User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "keyVault": { - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2022-07-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "enabledForDeployment": "[parameters('enableVaultForDeployment')]", - "enabledForTemplateDeployment": "[parameters('enableVaultForTemplateDeployment')]", - "enabledForDiskEncryption": "[parameters('enableVaultForDiskEncryption')]", - 
"enableSoftDelete": "[parameters('enableSoftDelete')]", - "softDeleteRetentionInDays": "[parameters('softDeleteRetentionInDays')]", - "enableRbacAuthorization": "[parameters('enableRbacAuthorization')]", - "createMode": "[parameters('createMode')]", - "enablePurgeProtection": "[if(parameters('enablePurgeProtection'), parameters('enablePurgeProtection'), null())]", - "tenantId": "[subscription().tenantId]", - "accessPolicies": "[variables('formattedAccessPolicies')]", - "sku": { - "name": "[parameters('vaultSku')]", - "family": "A" - }, - "networkAcls": "[if(not(empty(parameters('networkAcls'))), createObject('bypass', if(contains(parameters('networkAcls'), 'bypass'), parameters('networkAcls').bypass, null()), 'defaultAction', if(contains(parameters('networkAcls'), 'defaultAction'), parameters('networkAcls').defaultAction, null()), 'virtualNetworkRules', if(contains(parameters('networkAcls'), 'virtualNetworkRules'), parameters('networkAcls').virtualNetworkRules, createArray()), 'ipRules', if(contains(parameters('networkAcls'), 'ipRules'), parameters('networkAcls').ipRules, createArray())), null())]", - "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), if(and(not(empty(parameters('privateEndpoints'))), empty(parameters('networkAcls'))), 'Disabled', null()))]" - } - }, - "keyVault_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.KeyVault/vaults/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource 
or child resources.')]" - }, - "dependsOn": [ - "keyVault" - ] - }, - "keyVault_diagnosticSettings": { - "copy": { - "name": "keyVault_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.KeyVault/vaults/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "keyVault" - ] - }, - "keyVault_roleAssignments": { - "copy": { - "name": "keyVault_roleAssignments", - "count": 
"[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.KeyVault/vaults/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.KeyVault/vaults', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "keyVault" - ] - }, - "keyVault_accessPolicies": { - "condition": "[not(empty(parameters('accessPolicies')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-KeyVault-AccessPolicies', 
uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "keyVaultName": { - "value": "[parameters('name')]" - }, - "accessPolicies": { - "value": "[variables('formattedAccessPolicies')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5636934877550105255" - }, - "name": "Key Vault Access Policies", - "description": "This module deploys a Key Vault Access Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "keyVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent key vault. Required if the template is used in a standalone deployment." - } - }, - "accessPolicies": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "formattedAccessPolicies", - "count": "[length(parameters('accessPolicies'))]", - "input": { - "applicationId": "[if(contains(parameters('accessPolicies')[copyIndex('formattedAccessPolicies')], 'applicationId'), parameters('accessPolicies')[copyIndex('formattedAccessPolicies')].applicationId, '')]", - "objectId": "[if(contains(parameters('accessPolicies')[copyIndex('formattedAccessPolicies')], 'objectId'), parameters('accessPolicies')[copyIndex('formattedAccessPolicies')].objectId, '')]", - "permissions": "[parameters('accessPolicies')[copyIndex('formattedAccessPolicies')].permissions]", - "tenantId": "[if(contains(parameters('accessPolicies')[copyIndex('formattedAccessPolicies')], 'tenantId'), parameters('accessPolicies')[copyIndex('formattedAccessPolicies')].tenantId, tenant().tenantId)]" - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.KeyVault/vaults/accessPolicies", - "apiVersion": "2022-07-01", - "name": "[format('{0}/{1}', parameters('keyVaultName'), 'add')]", - "properties": { - "accessPolicies": "[variables('formattedAccessPolicies')]" - } - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the access policies assignment was created in." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the access policies assignment." 
- }, - "value": "add" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the access policies assignment." - }, - "value": "[resourceId('Microsoft.KeyVault/vaults/accessPolicies', parameters('keyVaultName'), 'add')]" - } - } - } - }, - "dependsOn": [ - "keyVault" - ] - }, - "keyVault_secrets": { - "copy": { - "name": "keyVault_secrets", - "count": "[length(variables('secretList'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-KeyVault-Secret-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[variables('secretList')[copyIndex()].name]" - }, - "value": { - "value": "[variables('secretList')[copyIndex()].value]" - }, - "keyVaultName": { - "value": "[parameters('name')]" - }, - "attributesEnabled": "[if(contains(variables('secretList')[copyIndex()], 'attributesEnabled'), createObject('value', variables('secretList')[copyIndex()].attributesEnabled), createObject('value', true()))]", - "attributesExp": "[if(contains(variables('secretList')[copyIndex()], 'attributesExp'), createObject('value', variables('secretList')[copyIndex()].attributesExp), createObject('value', -1))]", - "attributesNbf": "[if(contains(variables('secretList')[copyIndex()], 'attributesNbf'), createObject('value', variables('secretList')[copyIndex()].attributesNbf), createObject('value', -1))]", - "contentType": "[if(contains(variables('secretList')[copyIndex()], 'contentType'), createObject('value', variables('secretList')[copyIndex()].contentType), createObject('value', ''))]", - "tags": { - "value": "[coalesce(tryGet(variables('secretList')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "roleAssignments": "[if(contains(variables('secretList')[copyIndex()], 'roleAssignments'), createObject('value', 
variables('secretList')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "14408031654729406286" - }, - "name": "Key Vault Secrets", - "description": "This module deploys a Key Vault Secret.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "keyVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent key vault. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the secret." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Resource tags." - } - }, - "attributesEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Determines whether the object is enabled." - } - }, - "attributesExp": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Expiry date in seconds since 1970-01-01T00:00:00Z. For security reasons, it is recommended to set an expiration date whenever possible." - } - }, - "attributesNbf": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Not before date in seconds since 1970-01-01T00:00:00Z." - } - }, - "contentType": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. The content type of the secret." - } - }, - "value": { - "type": "securestring", - "metadata": { - "description": "Required. The value of the secret. NOTE: \"value\" will never be returned from the service, as APIs using this model are is intended for internal use in ARM deployments. 
Users should use the data-plane REST service for interaction with vault secrets." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Key Vault Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]", - "Key Vault Certificates Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')]", - "Key Vault Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", - "Key Vault Crypto Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')]", - "Key Vault Crypto Service Encryption User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')]", - "Key Vault Crypto User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')]", - "Key Vault Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2')]", - "Key Vault Secrets Officer": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]", - "Key Vault Secrets User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "keyVault": { - "existing": true, - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2022-07-01", - "name": "[parameters('keyVaultName')]" - }, - "secret": { - "type": "Microsoft.KeyVault/vaults/secrets", - "apiVersion": "2022-07-01", - "name": "[format('{0}/{1}', parameters('keyVaultName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "contentType": "[parameters('contentType')]", - "attributes": { - "enabled": "[parameters('attributesEnabled')]", - "exp": "[if(not(equals(parameters('attributesExp'), -1)), parameters('attributesExp'), null())]", - "nbf": "[if(not(equals(parameters('attributesNbf'), -1)), parameters('attributesNbf'), null())]" - }, 
- "value": "[parameters('value')]" - }, - "dependsOn": [ - "keyVault" - ] - }, - "secret_roleAssignments": { - "copy": { - "name": "secret_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.KeyVault/vaults/{0}/secrets/{1}', parameters('keyVaultName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ 
- "secret" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the secret." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the secret." - }, - "value": "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the secret was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "keyVault" - ] - }, - "keyVault_keys": { - "copy": { - "name": "keyVault_keys", - "count": "[length(parameters('keys'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-KeyVault-Key-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('keys')[copyIndex()].name]" - }, - "keyVaultName": { - "value": "[parameters('name')]" - }, - "attributesEnabled": "[if(contains(parameters('keys')[copyIndex()], 'attributesEnabled'), createObject('value', parameters('keys')[copyIndex()].attributesEnabled), createObject('value', true()))]", - "attributesExp": "[if(contains(parameters('keys')[copyIndex()], 'attributesExp'), createObject('value', parameters('keys')[copyIndex()].attributesExp), createObject('value', -1))]", - "attributesNbf": "[if(contains(parameters('keys')[copyIndex()], 'attributesNbf'), createObject('value', parameters('keys')[copyIndex()].attributesNbf), createObject('value', -1))]", - "curveName": "[if(contains(parameters('keys')[copyIndex()], 'curveName'), createObject('value', parameters('keys')[copyIndex()].curveName), createObject('value', 'P-256'))]", - "keyOps": "[if(contains(parameters('keys')[copyIndex()], 'keyOps'), 
createObject('value', parameters('keys')[copyIndex()].keyOps), createObject('value', createArray()))]", - "keySize": "[if(contains(parameters('keys')[copyIndex()], 'keySize'), createObject('value', parameters('keys')[copyIndex()].keySize), createObject('value', -1))]", - "kty": "[if(contains(parameters('keys')[copyIndex()], 'kty'), createObject('value', parameters('keys')[copyIndex()].kty), createObject('value', 'EC'))]", - "tags": { - "value": "[coalesce(tryGet(parameters('keys')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "roleAssignments": "[if(contains(parameters('keys')[copyIndex()], 'roleAssignments'), createObject('value', parameters('keys')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "rotationPolicy": "[if(contains(parameters('keys')[copyIndex()], 'rotationPolicy'), createObject('value', parameters('keys')[copyIndex()].rotationPolicy), createObject('value', createObject()))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6556101606252284471" - }, - "name": "Key Vault Keys", - "description": "This module deploys a Key Vault Key.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "keyVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent key vault. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the key." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Resource tags." - } - }, - "attributesEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Determines whether the object is enabled." - } - }, - "attributesExp": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Expiry date in seconds since 1970-01-01T00:00:00Z. 
For security reasons, it is recommended to set an expiration date whenever possible." - } - }, - "attributesNbf": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Not before date in seconds since 1970-01-01T00:00:00Z." - } - }, - "curveName": { - "type": "string", - "defaultValue": "P-256", - "allowedValues": [ - "P-256", - "P-256K", - "P-384", - "P-521" - ], - "metadata": { - "description": "Optional. The elliptic curve name." - } - }, - "keyOps": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "decrypt", - "encrypt", - "import", - "sign", - "unwrapKey", - "verify", - "wrapKey" - ], - "metadata": { - "description": "Optional. Array of JsonWebKeyOperation." - } - }, - "keySize": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. The key size in bits. For example: 2048, 3072, or 4096 for RSA." - } - }, - "kty": { - "type": "string", - "defaultValue": "EC", - "allowedValues": [ - "EC", - "EC-HSM", - "RSA", - "RSA-HSM" - ], - "metadata": { - "description": "Optional. The type of the key." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "rotationPolicy": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Key rotation policy properties object." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Key Vault Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]", - "Key Vault Certificates Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')]", - "Key Vault Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", - "Key Vault Crypto Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')]", - "Key Vault Crypto Service Encryption User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')]", - "Key Vault Crypto User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')]", - "Key Vault Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2')]", - "Key Vault Secrets Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]", - "Key Vault Secrets User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "keyVault": { - "existing": true, - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2022-07-01", - "name": "[parameters('keyVaultName')]" - }, - "key": { - "type": "Microsoft.KeyVault/vaults/keys", - "apiVersion": "2022-07-01", - "name": "[format('{0}/{1}', parameters('keyVaultName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "attributes": { - "enabled": "[parameters('attributesEnabled')]", - "exp": "[if(not(equals(parameters('attributesExp'), -1)), parameters('attributesExp'), null())]", - "nbf": "[if(not(equals(parameters('attributesNbf'), -1)), parameters('attributesNbf'), null())]" - }, - "curveName": "[parameters('curveName')]", - "keyOps": "[parameters('keyOps')]", - "keySize": "[if(not(equals(parameters('keySize'), -1)), parameters('keySize'), null())]", - "kty": "[parameters('kty')]", - "rotationPolicy": "[if(not(empty(parameters('rotationPolicy'))), parameters('rotationPolicy'), null())]" - }, - "dependsOn": [ - "keyVault" - ] - }, - "key_roleAssignments": { - "copy": { - "name": "key_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.KeyVault/vaults/{0}/keys/{1}', parameters('keyVaultName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.KeyVault/vaults/keys', parameters('keyVaultName'), 
parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "key" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the key." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the key." - }, - "value": "[resourceId('Microsoft.KeyVault/vaults/keys', parameters('keyVaultName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the key was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "keyVault" - ] - }, - "keyVault_privateEndpoints": { - "copy": { - "name": "keyVault_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-keyVault-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'vault')]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.KeyVault/vaults', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'vault'), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.KeyVault/vaults', parameters('name'))]" - }, - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - 
"privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", 
- "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." 
- } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." 
- } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private 
DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - 
"groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": 
"Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": 
"string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "keyVault" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the key vault." - }, - "value": "[resourceId('Microsoft.KeyVault/vaults', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the key vault was created in." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the key vault." 
- }, - "value": "[parameters('name')]" - }, - "uri": { - "type": "string", - "metadata": { - "description": "The URI of the key vault." - }, - "value": "[reference('keyVault').vaultUri]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('keyVault', '2022-07-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/key-vault/vault/secret/README.md b/modules/key-vault/vault/secret/README.md deleted file mode 100644 index 781351c2d8..0000000000 --- a/modules/key-vault/vault/secret/README.md +++ /dev/null 
@@ -1,214 +0,0 @@ -# Key Vault Secrets `[Microsoft.KeyVault/vaults/secrets]` - -This module deploys a Key Vault Secret. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.KeyVault/vaults/secrets` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2022-07-01/vaults/secrets) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the secret. | -| [`value`](#parameter-value) | securestring | The value of the secret. NOTE: "value" will never be returned from the service, as APIs using this model are is intended for internal use in ARM deployments. Users should use the data-plane REST service for interaction with vault secrets. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyVaultName`](#parameter-keyvaultname) | string | The name of the parent key vault. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`attributesEnabled`](#parameter-attributesenabled) | bool | Determines whether the object is enabled. | -| [`attributesExp`](#parameter-attributesexp) | int | Expiry date in seconds since 1970-01-01T00:00:00Z. For security reasons, it is recommended to set an expiration date whenever possible. | -| [`attributesNbf`](#parameter-attributesnbf) | int | Not before date in seconds since 1970-01-01T00:00:00Z. | -| [`contentType`](#parameter-contenttype) | securestring | The content type of the secret. 
| -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`tags`](#parameter-tags) | object | Resource tags. | - -### Parameter: `name` - -The name of the secret. - -- Required: Yes -- Type: string - -### Parameter: `value` - -The value of the secret. NOTE: "value" will never be returned from the service, as APIs using this model are is intended for internal use in ARM deployments. Users should use the data-plane REST service for interaction with vault secrets. - -- Required: Yes -- Type: securestring - -### Parameter: `keyVaultName` - -The name of the parent key vault. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `attributesEnabled` - -Determines whether the object is enabled. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `attributesExp` - -Expiry date in seconds since 1970-01-01T00:00:00Z. For security reasons, it is recommended to set an expiration date whenever possible. - -- Required: No -- Type: int -- Default: `-1` - -### Parameter: `attributesNbf` - -Not before date in seconds since 1970-01-01T00:00:00Z. - -- Required: No -- Type: int -- Default: `-1` - -### Parameter: `contentType` - -The content type of the secret. - -- Required: No -- Type: securestring -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). 
- -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. 
- -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Resource tags. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the secret. | -| `resourceGroupName` | string | The name of the resource group the secret was created in. | -| `resourceId` | string | The resource ID of the secret. | - -## Cross-referenced modules - -_None_ diff --git a/modules/key-vault/vault/secret/main.bicep b/modules/key-vault/vault/secret/main.bicep deleted file mode 100644 index c58f6f645b..0000000000 --- a/modules/key-vault/vault/secret/main.bicep +++ /dev/null 
@@ -1,133 +0,0 @@ -metadata name = 'Key Vault Secrets' -metadata description = 'This module deploys a Key Vault Secret.' -metadata owner = 'Azure/module-maintainers' - -@description('Conditional. The name of the parent key vault. Required if the template is used in a standalone deployment.') -param keyVaultName string - -@description('Required. The name of the secret.') -param name string - -@description('Optional. Resource tags.') -param tags object? - -@description('Optional. Determines whether the object is enabled.') -param attributesEnabled bool = true - -@description('Optional. Expiry date in seconds since 1970-01-01T00:00:00Z. For security reasons, it is recommended to set an expiration date whenever possible.') -param attributesExp int = -1 - -@description('Optional. Not before date in seconds since 1970-01-01T00:00:00Z.') -param attributesNbf int = -1 - -@description('Optional. The content type of the secret.') -@secure() -param contentType string = '' - -@description('Required. The value of the secret. NOTE: "value" will never be returned from the service, as APIs using this model are is intended for internal use in ARM deployments. Users should use the data-plane REST service for interaction with vault secrets.') -@secure() -param value string - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments roleAssignmentType - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Key Vault Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') - 'Key Vault Certificates Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985') - 'Key Vault Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395') - 'Key Vault Crypto Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603') - 'Key Vault Crypto Service Encryption User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') - 'Key Vault Crypto User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') - 'Key Vault Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2') - 'Key Vault Secrets Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7') - 'Key Vault Secrets User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = { - name: keyVaultName -} - -resource secret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = { - name: name - parent: keyVault - tags: tags - properties: { - contentType: contentType - attributes: { - enabled: attributesEnabled - exp: attributesExp != -1 ? attributesExp : null - nbf: attributesNbf != -1 ? attributesNbf : null - } - value: value - } -} - -resource secret_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(secret.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? 
'2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: secret -}] - -@description('The name of the secret.') -output name string = secret.name - -@description('The resource ID of the secret.') -output resourceId string = secret.id - -@description('The name of the resource group the secret was created in.') -output resourceGroupName string = resourceGroup().name - -// =============== // -// Definitions // -// =============== // - -type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? diff --git a/modules/key-vault/vault/secret/main.json b/modules/key-vault/vault/secret/main.json deleted file mode 100644 index 0c944e07e2..0000000000 --- a/modules/key-vault/vault/secret/main.json +++ /dev/null 
@@ -1,254 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "14408031654729406286" - }, - "name": "Key Vault Secrets", - "description": "This module deploys a Key Vault Secret.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "keyVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent key vault. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the secret." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Resource tags." - } - }, - "attributesEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Determines whether the object is enabled." - } - }, - "attributesExp": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Expiry date in seconds since 1970-01-01T00:00:00Z. For security reasons, it is recommended to set an expiration date whenever possible." - } - }, - "attributesNbf": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Not before date in seconds since 1970-01-01T00:00:00Z." - } - }, - "contentType": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. The content type of the secret." - } - }, - "value": { - "type": "securestring", - "metadata": { - "description": "Required. The value of the secret. NOTE: \"value\" will never be returned from the service, as APIs using this model are is intended for internal use in ARM deployments. Users should use the data-plane REST service for interaction with vault secrets." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. 
Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Key Vault Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]", - "Key Vault Certificates Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')]", - "Key Vault Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", - "Key Vault Crypto Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')]", - "Key Vault Crypto Service Encryption User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')]", - "Key Vault Crypto User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')]", - "Key Vault Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2')]", - "Key Vault Secrets Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]", - "Key Vault Secrets User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "keyVault": { - "existing": true, - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2022-07-01", - "name": "[parameters('keyVaultName')]" - }, - "secret": { - "type": "Microsoft.KeyVault/vaults/secrets", - "apiVersion": "2022-07-01", - "name": "[format('{0}/{1}', parameters('keyVaultName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "contentType": "[parameters('contentType')]", - "attributes": { - "enabled": "[parameters('attributesEnabled')]", - "exp": "[if(not(equals(parameters('attributesExp'), -1)), parameters('attributesExp'), null())]", - "nbf": "[if(not(equals(parameters('attributesNbf'), -1)), parameters('attributesNbf'), null())]" - }, - "value": "[parameters('value')]" - }, - "dependsOn": [ - "keyVault" - ] - }, - "secret_roleAssignments": { - "copy": { - "name": "secret_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": 
"[format('Microsoft.KeyVault/vaults/{0}/secrets/{1}', parameters('keyVaultName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "secret" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the secret." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the secret." 
- }, - "value": "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the secret was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/key-vault/vault/secret/version.json b/modules/key-vault/vault/secret/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/key-vault/vault/secret/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/key-vault/vault/tests/e2e/accesspolicies/dependencies.bicep b/modules/key-vault/vault/tests/e2e/accesspolicies/dependencies.bicep deleted file mode 100644 index 152b6bd1bb..0000000000 --- a/modules/key-vault/vault/tests/e2e/accesspolicies/dependencies.bicep +++ /dev/null 
@@ -1,46 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- serviceEndpoints: [
- {
- service: 'Microsoft.KeyVault'
- }
- ]
- }
- }
- ]
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/key-vault/vault/tests/e2e/accesspolicies/main.test.bicep b/modules/key-vault/vault/tests/e2e/accesspolicies/main.test.bicep
deleted file mode 100644
index 78e0646b07..0000000000
--- a/modules/key-vault/vault/tests/e2e/accesspolicies/main.test.bicep
+++ /dev/null
@@ -1,135 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-keyvault.vaults-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'kvvap'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}03'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}01'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}01'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}002'
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- enablePurgeProtection: false
- accessPolicies: [
- {
- objectId: nestedDependencies.outputs.managedIdentityPrincipalId
- permissions: {
- keys: [
- 'get'
- 'list'
- 'update'
- ]
- secrets: [
- 'get'
- 'list'
- ]
- }
- tenantId: tenant().tenantId
- }
- {
- objectId: nestedDependencies.outputs.managedIdentityPrincipalId
- permissions: {
- certificates: [
- 'backup'
- 'create'
- 'delete'
- ]
- secrets: [
- 'get'
- 'list'
- ]
- }
- }
- ]
- networkAcls: {
- bypass: 'AzureServices'
- defaultAction: 'Deny'
- ipRules: [
- {
- value: '40.74.28.0/23'
- }
- ]
- virtualNetworkRules: [
- {
- id: nestedDependencies.outputs.subnetResourceId
- ignoreMissingVnetServiceEndpoint: false
- }
- ]
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/key-vault/vault/tests/e2e/defaults/main.test.bicep b/modules/key-vault/vault/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index 05bd9adc84..0000000000
--- a/modules/key-vault/vault/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,51 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-keyvault.vaults-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'kvvmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}002'
- // Only for testing purposes
- enablePurgeProtection: false
- }
-}]
diff --git a/modules/key-vault/vault/tests/e2e/max/dependencies.bicep b/modules/key-vault/vault/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 6c3754d07f..0000000000
--- a/modules/key-vault/vault/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,65 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Virtual Network to create.') -param virtualNetworkName string - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -var addressPrefix = '10.0.0.0/16' - -resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { - name: virtualNetworkName - location: location - properties: { - addressSpace: { - addressPrefixes: [ - addressPrefix - ] - } - subnets: [ - { - name: 'defaultSubnet' - properties: { - addressPrefix: cidrSubnet(addressPrefix, 16, 0) - serviceEndpoints: [ - { - service: 'Microsoft.KeyVault' - } - ] - } - } - ] - } -} - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { - name: 'privatelink.vaultcore.azure.net' - location: 'global' - - resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { - name: '${virtualNetwork.name}-vnetlink' - location: 'global' - properties: { - virtualNetwork: { - id: virtualNetwork.id - } - registrationEnabled: false - } - } -} - -@description('The resource ID of the created Virtual Network Subnet.') -output subnetResourceId string = virtualNetwork.properties.subnets[0].id - -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId - -@description('The resource ID of the created Private DNS Zone.') -output privateDNSZoneResourceId string = privateDNSZone.id diff --git a/modules/key-vault/vault/tests/e2e/max/main.test.bicep b/modules/key-vault/vault/tests/e2e/max/main.test.bicep deleted file mode 100644 index e2df0ea2cd..0000000000 --- a/modules/key-vault/vault/tests/e2e/max/main.test.bicep +++ /dev/null 
@@ -1,190 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-keyvault.vaults-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'kvvmax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}03' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}01' - 
eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}01' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}002' - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - // Only for testing purposes - enablePurgeProtection: false - enableRbacAuthorization: true - keys: [ - { - attributesExp: 1725109032 - attributesNbf: 10000 - name: 'keyName' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - rotationPolicy: { - attributes: { - expiryTime: 'P2Y' - } - lifetimeActions: [ - { - trigger: { - timeBeforeExpiry: 'P2M' - } - action: { - type: 'Rotate' - } - } - { - trigger: { - timeBeforeExpiry: 'P30D' - } - action: { - type: 'Notify' - } - } - ] - } - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - networkAcls: { - bypass: 'AzureServices' - defaultAction: 'Deny' - ipRules: [ - { - value: '40.74.28.0/23' - } - ] - virtualNetworkRules: [ - { - id: nestedDependencies.outputs.subnetResourceId - ignoreMissingVnetServiceEndpoint: false - } - ] - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - 
service: 'vault' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - secrets: { - secureList: [ - { - attributesExp: 1702648632 - attributesNbf: 10000 - contentType: 'Something' - name: 'secretName' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - value: 'secretValue' - } - ] - } - softDeleteRetentionInDays: 7 - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/key-vault/vault/tests/e2e/pe/dependencies.bicep b/modules/key-vault/vault/tests/e2e/pe/dependencies.bicep deleted file mode 100644 index b796986047..0000000000 --- a/modules/key-vault/vault/tests/e2e/pe/dependencies.bicep +++ /dev/null 
@@ -1,54 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Virtual Network to create.') -param virtualNetworkName string - -var addressPrefix = '10.0.0.0/16' - -resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { - name: virtualNetworkName - location: location - properties: { - addressSpace: { - addressPrefixes: [ - addressPrefix - ] - } - subnets: [ - { - name: 'defaultSubnet' - properties: { - addressPrefix: cidrSubnet(addressPrefix, 16, 0) - serviceEndpoints: [ - { - service: 'Microsoft.KeyVault' - } - ] - } - } - ] - } -} - -resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { - name: 'privatelink.vaultcore.azure.net' - location: 'global' - - resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { - name: '${virtualNetwork.name}-vnetlink' - location: 'global' - properties: { - virtualNetwork: { - id: virtualNetwork.id - } - registrationEnabled: false - } - } -} - -@description('The resource ID of the created Virtual Network Subnet.') -output subnetResourceId string = virtualNetwork.properties.subnets[0].id - -@description('The resource ID of the created Private DNS Zone.') -output privateDNSZoneResourceId string = privateDNSZone.id diff --git a/modules/key-vault/vault/tests/e2e/pe/main.test.bicep b/modules/key-vault/vault/tests/e2e/pe/main.test.bicep deleted file mode 100644 index ec942371bb..0000000000 --- a/modules/key-vault/vault/tests/e2e/pe/main.test.bicep +++ /dev/null 
@@ -1,138 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-keyvault.vaults-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'kvvpe' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}03' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}01' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}01' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' 
= [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - // Only for testing purposes - enablePurgeProtection: false - enableRbacAuthorization: true - networkAcls: { - bypass: 'AzureServices' - defaultAction: 'Deny' - ipRules: [ - { - value: '40.74.28.0/23' - } - ] - virtualNetworkRules: [ - { - id: nestedDependencies.outputs.subnetResourceId - ignoreMissingVnetServiceEndpoint: false - } - ] - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - name: 'dep-${namePrefix}-pe-${serviceShort}' - service: 'vault' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - ipConfigurations: [ - { - name: 'myIPconfig' - properties: { - groupId: 'vault' - memberName: 'default' - privateIPAddress: '10.0.0.10' - } - } - ] - customDnsConfigs: [ - { - fqdn: 'abc.keyvault.com' - ipAddresses: [ - '10.0.0.10' - ] - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] 
diff --git a/modules/key-vault/vault/tests/e2e/waf-aligned/dependencies.bicep b/modules/key-vault/vault/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 6c3754d07f..0000000000
--- a/modules/key-vault/vault/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,65 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Virtual Network to create.') -param virtualNetworkName string - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -var addressPrefix = '10.0.0.0/16' - -resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { - name: virtualNetworkName - location: location - properties: { - addressSpace: { - addressPrefixes: [ - addressPrefix - ] - } - subnets: [ - { - name: 'defaultSubnet' - properties: { - addressPrefix: cidrSubnet(addressPrefix, 16, 0) - serviceEndpoints: [ - { - service: 'Microsoft.KeyVault' - } - ] - } - } - ] - } -} - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { - name: 'privatelink.vaultcore.azure.net' - location: 'global' - - resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { - name: '${virtualNetwork.name}-vnetlink' - location: 'global' - properties: { - virtualNetwork: { - id: virtualNetwork.id - } - registrationEnabled: false - } - } -} - -@description('The resource ID of the created Virtual Network Subnet.') -output subnetResourceId string = virtualNetwork.properties.subnets[0].id - -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId - -@description('The resource ID of the created Private DNS Zone.') -output privateDNSZoneResourceId string = privateDNSZone.id diff --git a/modules/key-vault/vault/tests/e2e/waf-aligned/main.test.bicep b/modules/key-vault/vault/tests/e2e/waf-aligned/main.test.bicep deleted file mode 100644 index 6e41928c3f..0000000000 --- a/modules/key-vault/vault/tests/e2e/waf-aligned/main.test.bicep +++ /dev/null 
@@ -1,190 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-keyvault.vaults-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'kvvwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}03' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 
'dep-${namePrefix}-evh-${serviceShort}01' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}01' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}002' - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - // Only for testing purposes - enablePurgeProtection: false - enableRbacAuthorization: true - keys: [ - { - attributesExp: 1725109032 - attributesNbf: 10000 - name: 'keyName' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - rotationPolicy: { - attributes: { - expiryTime: 'P2Y' - } - lifetimeActions: [ - { - trigger: { - timeBeforeExpiry: 'P2M' - } - action: { - type: 'Rotate' - } - } - { - trigger: { - timeBeforeExpiry: 'P30D' - } - action: { - type: 'Notify' - } - } - ] - } - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - networkAcls: { - bypass: 'AzureServices' - defaultAction: 'Deny' - ipRules: [ - { - value: '40.74.28.0/23' - } - ] - virtualNetworkRules: [ - { - id: nestedDependencies.outputs.subnetResourceId - ignoreMissingVnetServiceEndpoint: false - } - ] - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - 
nestedDependencies.outputs.privateDNSZoneResourceId - ] - service: 'vault' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - secrets: { - secureList: [ - { - attributesExp: 1702648632 - attributesNbf: 10000 - contentType: 'Something' - name: 'secretName' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - value: 'secretValue' - } - ] - } - softDeleteRetentionInDays: 7 - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/key-vault/vault/version.json b/modules/key-vault/vault/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/key-vault/vault/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/kubernetes-configuration/extension/MOVED-TO-AVM.md b/modules/kubernetes-configuration/extension/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/kubernetes-configuration/extension/MOVED-TO-AVM.md +++ /dev/null @@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). 
diff --git a/modules/kubernetes-configuration/extension/README.md b/modules/kubernetes-configuration/extension/README.md
index 638d8bb08c..f9afac145d 100644
--- a/modules/kubernetes-configuration/extension/README.md
+++ b/modules/kubernetes-configuration/extension/README.md
@@ -1,499 +1,7 @@
-# Kubernetes Configuration Extensions `[Microsoft.KubernetesConfiguration/extensions]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/kubernetes-configuration/extension](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/kubernetes-configuration/extension).** -This module deploys a Kubernetes Configuration Extension. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/kubernetes-configuration/extension). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.KubernetesConfiguration/extensions` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KubernetesConfiguration/2022-03-01/extensions) | -| `Microsoft.KubernetesConfiguration/fluxConfigurations` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KubernetesConfiguration/fluxConfigurations) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/kubernetes-configuration.extension:1.0.0`. 
- -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module extension 'br:bicep/modules/kubernetes-configuration.extension:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-kcemin' - params: { - // Required parameters - clusterName: '' - extensionType: 'microsoft.flux' - name: 'kcemin001' - // Non-required parameters - enableDefaultTelemetry: '' - releaseNamespace: 'flux-system' - releaseTrain: 'Stable' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "clusterName": { - "value": "" - }, - "extensionType": { - "value": "microsoft.flux" - }, - "name": { - "value": "kcemin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "releaseNamespace": { - "value": "flux-system" - }, - "releaseTrain": { - "value": "Stable" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module extension 'br:bicep/modules/kubernetes-configuration.extension:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-kcemax' - params: { - // Required parameters - clusterName: '' - extensionType: 'microsoft.flux' - name: 'kcemax001' - // Non-required parameters - configurationSettings: { - 'image-automation-controller.enabled': 'false' - 'image-reflector-controller.enabled': 'false' - 'kustomize-controller.enabled': 'true' - 'notification-controller.enabled': 'false' - 'source-controller.enabled': 'true' - } - enableDefaultTelemetry: '' - fluxConfigurations: [ - { - gitRepository: { - repositoryRef: { - branch: 'main' - } - sshKnownHosts: '' - syncIntervalInSeconds: 300 - timeoutInSeconds: 180 - url: 'https://github.com/mspnp/aks-baseline' - } - kustomizations: { - unified: { - dependsOn: [] - force: false - path: './cluster-manifests' - prune: true - syncIntervalInSeconds: 300 - timeoutInSeconds: 300 - } - } - namespace: 'flux-system' - } - ] - releaseNamespace: 'flux-system' - releaseTrain: 'Stable' - version: '0.5.2' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "clusterName": { - "value": "" - }, - "extensionType": { - "value": "microsoft.flux" - }, - "name": { - "value": "kcemax001" - }, - // Non-required parameters - "configurationSettings": { - "value": { - "image-automation-controller.enabled": "false", - "image-reflector-controller.enabled": "false", - "kustomize-controller.enabled": "true", - "notification-controller.enabled": "false", - "source-controller.enabled": "true" - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "fluxConfigurations": { - "value": [ - { - "gitRepository": { - "repositoryRef": { - "branch": "main" - }, - "sshKnownHosts": "", - "syncIntervalInSeconds": 300, - "timeoutInSeconds": 180, - "url": "https://github.com/mspnp/aks-baseline" - }, - "kustomizations": { - "unified": { - "dependsOn": [], - "force": false, - "path": "./cluster-manifests", - "prune": true, - "syncIntervalInSeconds": 300, - "timeoutInSeconds": 300 - } - }, - "namespace": "flux-system" - } - ] - }, - "releaseNamespace": { - "value": "flux-system" - }, - "releaseTrain": { - "value": "Stable" - }, - "version": { - "value": "0.5.2" - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module extension 'br:bicep/modules/kubernetes-configuration.extension:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-kcewaf' - params: { - // Required parameters - clusterName: '' - extensionType: 'microsoft.flux' - name: 'kcewaf001' - // Non-required parameters - configurationSettings: { - 'image-automation-controller.enabled': 'false' - 'image-reflector-controller.enabled': 'false' - 'kustomize-controller.enabled': 'true' - 'notification-controller.enabled': 'false' - 'source-controller.enabled': 'true' - } - enableDefaultTelemetry: '' - fluxConfigurations: [ - { - gitRepository: { - repositoryRef: { - branch: 'main' - } - sshKnownHosts: '' - syncIntervalInSeconds: 300 - timeoutInSeconds: 180 - url: 'https://github.com/mspnp/aks-baseline' - } - kustomizations: { - unified: { - dependsOn: [] - force: false - path: './cluster-manifests' - prune: true - syncIntervalInSeconds: 300 - timeoutInSeconds: 300 - } - } - namespace: 'flux-system' - } - ] - releaseNamespace: 'flux-system' - releaseTrain: 'Stable' - version: '0.5.2' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "clusterName": { - "value": "" - }, - "extensionType": { - "value": "microsoft.flux" - }, - "name": { - "value": "kcewaf001" - }, - // Non-required parameters - "configurationSettings": { - "value": { - "image-automation-controller.enabled": "false", - "image-reflector-controller.enabled": "false", - "kustomize-controller.enabled": "true", - "notification-controller.enabled": "false", - "source-controller.enabled": "true" - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "fluxConfigurations": { - "value": [ - { - "gitRepository": { - "repositoryRef": { - "branch": "main" - }, - "sshKnownHosts": "", - "syncIntervalInSeconds": 300, - "timeoutInSeconds": 180, - "url": "https://github.com/mspnp/aks-baseline" - }, - "kustomizations": { - "unified": { - "dependsOn": [], - "force": false, - "path": "./cluster-manifests", - "prune": true, - "syncIntervalInSeconds": 300, - "timeoutInSeconds": 300 - } - }, - "namespace": "flux-system" - } - ] - }, - "releaseNamespace": { - "value": "flux-system" - }, - "releaseTrain": { - "value": "Stable" - }, - "version": { - "value": "0.5.2" - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`clusterName`](#parameter-clustername) | string | The name of the AKS cluster that should be configured. | -| [`extensionType`](#parameter-extensiontype) | string | Type of the Extension, of which this resource is an instance of. It must be one of the Extension Types registered with Microsoft.KubernetesConfiguration by the Extension publisher. | -| [`name`](#parameter-name) | string | The name of the Flux Configuration. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`configurationProtectedSettings`](#parameter-configurationprotectedsettings) | secureObject | Configuration settings that are sensitive, as name-value pairs for configuring this extension. | -| [`configurationSettings`](#parameter-configurationsettings) | object | Configuration settings, as name-value pairs for configuring this extension. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`fluxConfigurations`](#parameter-fluxconfigurations) | array | A list of flux configuraitons. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`releaseNamespace`](#parameter-releasenamespace) | string | Namespace where the extension Release must be placed, for a Cluster scoped extension. If this namespace does not exist, it will be created. | -| [`releaseTrain`](#parameter-releasetrain) | string | ReleaseTrain this extension participates in for auto-upgrade (e.g. Stable, Preview, etc.) - only if autoUpgradeMinorVersion is "true". | -| [`targetNamespace`](#parameter-targetnamespace) | string | Namespace where the extension will be created for an Namespace scoped extension. If this namespace does not exist, it will be created. 
| -| [`version`](#parameter-version) | string | Version of the extension for this extension, if it is "pinned" to a specific version. | - -### Parameter: `clusterName` - -The name of the AKS cluster that should be configured. - -- Required: Yes -- Type: string - -### Parameter: `extensionType` - -Type of the Extension, of which this resource is an instance of. It must be one of the Extension Types registered with Microsoft.KubernetesConfiguration by the Extension publisher. - -- Required: Yes -- Type: string - -### Parameter: `name` - -The name of the Flux Configuration. - -- Required: Yes -- Type: string - -### Parameter: `configurationProtectedSettings` - -Configuration settings that are sensitive, as name-value pairs for configuring this extension. - -- Required: No -- Type: secureObject -- Default: `{}` - -### Parameter: `configurationSettings` - -Configuration settings, as name-value pairs for configuring this extension. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `fluxConfigurations` - -A list of flux configuraitons. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `releaseNamespace` - -Namespace where the extension Release must be placed, for a Cluster scoped extension. If this namespace does not exist, it will be created. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `releaseTrain` - -ReleaseTrain this extension participates in for auto-upgrade (e.g. Stable, Preview, etc.) - only if autoUpgradeMinorVersion is "true". - -- Required: No -- Type: string -- Default: `'Stable'` - -### Parameter: `targetNamespace` - -Namespace where the extension will be created for an Namespace scoped extension. 
If this namespace does not exist, it will be created. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `version` - -Version of the extension for this extension, if it is "pinned" to a specific version. - -- Required: No -- Type: string -- Default: `''` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the extension. | -| `resourceGroupName` | string | The name of the resource group the extension was deployed into. | -| `resourceId` | string | The resource ID of the extension. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `modules/kubernetes-configuration/flux-configuration` | Local reference | +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/kubernetes-configuration/extension/main.bicep b/modules/kubernetes-configuration/extension/main.bicep deleted file mode 100644 index 6ea377171d..0000000000 --- a/modules/kubernetes-configuration/extension/main.bicep +++ /dev/null 
@@ -1,106 +0,0 @@ -metadata name = 'Kubernetes Configuration Extensions' -metadata description = 'This module deploys a Kubernetes Configuration Extension.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. The name of the Flux Configuration.') -param name string - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Required. The name of the AKS cluster that should be configured.') -param clusterName string - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. Configuration settings that are sensitive, as name-value pairs for configuring this extension.') -@secure() -param configurationProtectedSettings object = {} - -@description('Optional. Configuration settings, as name-value pairs for configuring this extension.') -param configurationSettings object = {} - -@description('Required. Type of the Extension, of which this resource is an instance of. It must be one of the Extension Types registered with Microsoft.KubernetesConfiguration by the Extension publisher.') -param extensionType string - -@description('Optional. ReleaseTrain this extension participates in for auto-upgrade (e.g. Stable, Preview, etc.) - only if autoUpgradeMinorVersion is "true".') -param releaseTrain string = 'Stable' - -@description('Optional. Namespace where the extension Release must be placed, for a Cluster scoped extension. If this namespace does not exist, it will be created.') -param releaseNamespace string = '' - -@description('Optional. Namespace where the extension will be created for an Namespace scoped extension. If this namespace does not exist, it will be created.') -param targetNamespace string = '' - -@description('Optional. Version of the extension for this extension, if it is "pinned" to a specific version.') -param version string = '' - -@description('Optional. 
A list of flux configuraitons.') -param fluxConfigurations array = [] - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource managedCluster 'Microsoft.ContainerService/managedClusters@2022-07-01' existing = { - name: clusterName -} - -resource extension 'Microsoft.KubernetesConfiguration/extensions@2022-03-01' = { - name: name - scope: managedCluster - properties: { - autoUpgradeMinorVersion: !empty(version) ? false : true - configurationProtectedSettings: !empty(configurationProtectedSettings) ? configurationProtectedSettings : {} - configurationSettings: !empty(configurationSettings) ? configurationSettings : {} - extensionType: extensionType - releaseTrain: !empty(releaseTrain) ? releaseTrain : null - scope: { - cluster: !empty(releaseNamespace) ? { - releaseNamespace: releaseNamespace - } : null - namespace: !empty(targetNamespace) ? { - targetNamespace: targetNamespace - } : null - } - version: !empty(version) ? version : null - } -} - -module fluxConfiguration '../../kubernetes-configuration/flux-configuration/main.bicep' = [for (fluxConfiguration, index) in fluxConfigurations: { - name: '${uniqueString(deployment().name, location)}-ManagedCluster-FluxConfiguration${index}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - clusterName: managedCluster.name - scope: fluxConfiguration.scope - namespace: fluxConfiguration.namespace - sourceKind: contains(fluxConfiguration, 'gitRepository') ? 'GitRepository' : 'Bucket' - name: contains(fluxConfiguration, 'name') ? fluxConfiguration.name : toLower('${managedCluster.name}-fluxconfiguration${index}') - bucket: contains(fluxConfiguration, 'bucket') ? 
fluxConfiguration.bucket : {} - configurationProtectedSettings: contains(fluxConfiguration, 'configurationProtectedSettings') ? fluxConfiguration.configurationProtectedSettings : {} - gitRepository: contains(fluxConfiguration, 'gitRepository') ? fluxConfiguration.gitRepository : {} - kustomizations: contains(fluxConfiguration, 'kustomizations') ? fluxConfiguration.kustomizations : {} - suspend: contains(fluxConfiguration, 'suspend') ? fluxConfiguration.suspend : false - } - dependsOn: [ - extension - ] -}] - -@description('The name of the extension.') -output name string = extension.name - -@description('The resource ID of the extension.') -output resourceId string = extension.id - -@description('The name of the resource group the extension was deployed into.') -output resourceGroupName string = resourceGroup().name diff --git a/modules/kubernetes-configuration/extension/main.json b/modules/kubernetes-configuration/extension/main.json deleted file mode 100644 index 92daee7616..0000000000 --- a/modules/kubernetes-configuration/extension/main.json +++ /dev/null 
@@ -1,350 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "548642834195454661" - }, - "name": "Kubernetes Configuration Extensions", - "description": "This module deploys a Kubernetes Configuration Extension.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Flux Configuration." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "clusterName": { - "type": "string", - "metadata": { - "description": "Required. The name of the AKS cluster that should be configured." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "configurationProtectedSettings": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Configuration settings that are sensitive, as name-value pairs for configuring this extension." - } - }, - "configurationSettings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Configuration settings, as name-value pairs for configuring this extension." - } - }, - "extensionType": { - "type": "string", - "metadata": { - "description": "Required. Type of the Extension, of which this resource is an instance of. It must be one of the Extension Types registered with Microsoft.KubernetesConfiguration by the Extension publisher." - } - }, - "releaseTrain": { - "type": "string", - "defaultValue": "Stable", - "metadata": { - "description": "Optional. ReleaseTrain this extension participates in for auto-upgrade (e.g. Stable, Preview, etc.) 
- only if autoUpgradeMinorVersion is \"true\"." - } - }, - "releaseNamespace": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Namespace where the extension Release must be placed, for a Cluster scoped extension. If this namespace does not exist, it will be created." - } - }, - "targetNamespace": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Namespace where the extension will be created for an Namespace scoped extension. If this namespace does not exist, it will be created." - } - }, - "version": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Version of the extension for this extension, if it is \"pinned\" to a specific version." - } - }, - "fluxConfigurations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. A list of flux configuraitons." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.KubernetesConfiguration/extensions", - "apiVersion": "2022-03-01", - "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('clusterName'))]", - "name": "[parameters('name')]", - "properties": { - "autoUpgradeMinorVersion": "[if(not(empty(parameters('version'))), false(), true())]", - "configurationProtectedSettings": "[if(not(empty(parameters('configurationProtectedSettings'))), parameters('configurationProtectedSettings'), createObject())]", - "configurationSettings": 
"[if(not(empty(parameters('configurationSettings'))), parameters('configurationSettings'), createObject())]", - "extensionType": "[parameters('extensionType')]", - "releaseTrain": "[if(not(empty(parameters('releaseTrain'))), parameters('releaseTrain'), null())]", - "scope": { - "cluster": "[if(not(empty(parameters('releaseNamespace'))), createObject('releaseNamespace', parameters('releaseNamespace')), null())]", - "namespace": "[if(not(empty(parameters('targetNamespace'))), createObject('targetNamespace', parameters('targetNamespace')), null())]" - }, - "version": "[if(not(empty(parameters('version'))), parameters('version'), null())]" - } - }, - { - "copy": { - "name": "fluxConfiguration", - "count": "[length(parameters('fluxConfigurations'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-ManagedCluster-FluxConfiguration{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "enableDefaultTelemetry": { - "value": "[parameters('enableDefaultTelemetry')]" - }, - "clusterName": { - "value": "[parameters('clusterName')]" - }, - "scope": { - "value": "[parameters('fluxConfigurations')[copyIndex()].scope]" - }, - "namespace": { - "value": "[parameters('fluxConfigurations')[copyIndex()].namespace]" - }, - "sourceKind": "[if(contains(parameters('fluxConfigurations')[copyIndex()], 'gitRepository'), createObject('value', 'GitRepository'), createObject('value', 'Bucket'))]", - "name": "[if(contains(parameters('fluxConfigurations')[copyIndex()], 'name'), createObject('value', parameters('fluxConfigurations')[copyIndex()].name), createObject('value', toLower(format('{0}-fluxconfiguration{1}', parameters('clusterName'), copyIndex()))))]", - "bucket": "[if(contains(parameters('fluxConfigurations')[copyIndex()], 'bucket'), createObject('value', 
parameters('fluxConfigurations')[copyIndex()].bucket), createObject('value', createObject()))]", - "configurationProtectedSettings": "[if(contains(parameters('fluxConfigurations')[copyIndex()], 'configurationProtectedSettings'), createObject('value', parameters('fluxConfigurations')[copyIndex()].configurationProtectedSettings), createObject('value', createObject()))]", - "gitRepository": "[if(contains(parameters('fluxConfigurations')[copyIndex()], 'gitRepository'), createObject('value', parameters('fluxConfigurations')[copyIndex()].gitRepository), createObject('value', createObject()))]", - "kustomizations": "[if(contains(parameters('fluxConfigurations')[copyIndex()], 'kustomizations'), createObject('value', parameters('fluxConfigurations')[copyIndex()].kustomizations), createObject('value', createObject()))]", - "suspend": "[if(contains(parameters('fluxConfigurations')[copyIndex()], 'suspend'), createObject('value', parameters('fluxConfigurations')[copyIndex()].suspend), createObject('value', false()))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10031296768791737313" - }, - "name": "Kubernetes Configuration Flux Configurations", - "description": "This module deploys a Kubernetes Configuration Flux Configuration.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Flux Configuration." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "clusterName": { - "type": "string", - "metadata": { - "description": "Required. The name of the AKS cluster that should be configured." 
- } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "bucket": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Parameters to reconcile to the GitRepository source kind type." - } - }, - "configurationProtectedSettings": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Key-value pairs of protected configuration settings for the configuration." - } - }, - "gitRepository": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Parameters to reconcile to the GitRepository source kind type." - } - }, - "kustomizations": { - "type": "object", - "metadata": { - "description": "Required. Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster." - } - }, - "namespace": { - "type": "string", - "metadata": { - "description": "Required. The namespace to which this configuration is installed to. Maximum of 253 lower case alphanumeric characters, hyphen and period only." - } - }, - "scope": { - "type": "string", - "allowedValues": [ - "cluster", - "namespace" - ], - "metadata": { - "description": "Required. Scope at which the configuration will be installed." - } - }, - "sourceKind": { - "type": "string", - "allowedValues": [ - "Bucket", - "GitRepository" - ], - "metadata": { - "description": "Required. Source Kind to pull the configuration data from." - } - }, - "suspend": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether this configuration should suspend its reconciliation of its kustomizations and sources." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.KubernetesConfiguration/fluxConfigurations", - "apiVersion": "2023-05-01", - "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('clusterName'))]", - "name": "[parameters('name')]", - "properties": { - "bucket": "[if(not(empty(parameters('bucket'))), parameters('bucket'), null())]", - "configurationProtectedSettings": "[if(not(empty(parameters('configurationProtectedSettings'))), parameters('configurationProtectedSettings'), createObject())]", - "gitRepository": "[if(not(empty(parameters('gitRepository'))), parameters('gitRepository'), null())]", - "kustomizations": "[parameters('kustomizations')]", - "namespace": "[parameters('namespace')]", - "scope": "[parameters('scope')]", - "sourceKind": "[parameters('sourceKind')]", - "suspend": "[parameters('suspend')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the flux configuration." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the flux configuration." - }, - "value": "[extensionResourceId(resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName')), 'Microsoft.KubernetesConfiguration/fluxConfigurations', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the flux configuration was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName')), 'Microsoft.KubernetesConfiguration/extensions', parameters('name'))]" - ] - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the extension." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the extension." - }, - "value": "[extensionResourceId(resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName')), 'Microsoft.KubernetesConfiguration/extensions', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the extension was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/kubernetes-configuration/extension/tests/e2e/defaults/dependencies.bicep b/modules/kubernetes-configuration/extension/tests/e2e/defaults/dependencies.bicep deleted file mode 100644 index 0169763539..0000000000 --- a/modules/kubernetes-configuration/extension/tests/e2e/defaults/dependencies.bicep +++ /dev/null 
@@ -1,32 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the AKS cluster to create.')
-param clusterName string
-
-@description('Required. The name of the AKS cluster nodes resource group to create.')
-param clusterNodeResourceGroupName string
-
-resource cluster 'Microsoft.ContainerService/managedClusters@2022-07-01' = {
- name: clusterName
- location: location
- identity: {
- type: 'SystemAssigned'
- }
- properties: {
- dnsPrefix: clusterName
- nodeResourceGroup: clusterNodeResourceGroupName
- agentPoolProfiles: [
- {
- name: 'agentpool'
- count: 1
- vmSize: 'Standard_DS2_v2'
- osType: 'Linux'
- mode: 'System'
- }
- ]
- }
-}
-
-@description('The name of the created AKS cluster.')
-output clusterName string = cluster.name
diff --git a/modules/kubernetes-configuration/extension/tests/e2e/defaults/main.test.bicep b/modules/kubernetes-configuration/extension/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index 87d6cd850b..0000000000
--- a/modules/kubernetes-configuration/extension/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,62 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-kubernetesconfiguration.extensions-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'kcemin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- clusterName: 'dep-${namePrefix}-aks-${serviceShort}'
- clusterNodeResourceGroupName: 'nodes-${resourceGroupName}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- clusterName: nestedDependencies.outputs.clusterName
- extensionType:
'microsoft.flux'
- releaseNamespace: 'flux-system'
- releaseTrain: 'Stable'
- }
-}]
diff --git a/modules/kubernetes-configuration/extension/tests/e2e/max/dependencies.bicep b/modules/kubernetes-configuration/extension/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 0169763539..0000000000
--- a/modules/kubernetes-configuration/extension/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,32 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the AKS cluster to create.')
-param clusterName string
-
-@description('Required. The name of the AKS cluster nodes resource group to create.')
-param clusterNodeResourceGroupName string
-
-resource cluster 'Microsoft.ContainerService/managedClusters@2022-07-01' = {
- name: clusterName
- location: location
- identity: {
- type: 'SystemAssigned'
- }
- properties: {
- dnsPrefix: clusterName
- nodeResourceGroup: clusterNodeResourceGroupName
- agentPoolProfiles: [
- {
- name: 'agentpool'
- count: 1
- vmSize: 'Standard_DS2_v2'
- osType: 'Linux'
- mode: 'System'
- }
- ]
- }
-}
-
-@description('The name of the created AKS cluster.')
-output clusterName string = cluster.name
diff --git a/modules/kubernetes-configuration/extension/tests/e2e/max/main.test.bicep b/modules/kubernetes-configuration/extension/tests/e2e/max/main.test.bicep
deleted file mode 100644
index bed927f07f..0000000000
--- a/modules/kubernetes-configuration/extension/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,95 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-kubernetesconfiguration.extensions-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'kcemax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- clusterName: 'dep-${namePrefix}-aks-${serviceShort}'
- clusterNodeResourceGroupName: 'nodes-${resourceGroupName}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- clusterName: nestedDependencies.outputs.clusterName
- extensionType:
'microsoft.flux'
- configurationSettings: {
- 'image-automation-controller.enabled': 'false'
- 'image-reflector-controller.enabled': 'false'
- 'kustomize-controller.enabled': 'true'
- 'notification-controller.enabled': 'false'
- 'source-controller.enabled': 'true'
- }
- releaseNamespace: 'flux-system'
- releaseTrain: 'Stable'
- version: '0.5.2'
- fluxConfigurations: [
- {
- namespace: 'flux-system'
- scope: 'cluster'
- gitRepository: {
- repositoryRef: {
- branch: 'main'
- }
- sshKnownHosts: ''
- syncIntervalInSeconds: 300
- timeoutInSeconds: 180
- url: 'https://github.com/mspnp/aks-baseline'
- }
- kustomizations: {
- unified: {
- dependsOn: []
- force: false
- path: './cluster-manifests'
- prune: true
- syncIntervalInSeconds: 300
- timeoutInSeconds: 300
- }
- }
- }
- ]
- }
-}]
diff --git a/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/dependencies.bicep b/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 0169763539..0000000000
--- a/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,32 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the AKS cluster to create.')
-param clusterName string
-
-@description('Required. The name of the AKS cluster nodes resource group to create.')
-param clusterNodeResourceGroupName string
-
-resource cluster 'Microsoft.ContainerService/managedClusters@2022-07-01' = {
- name: clusterName
- location: location
- identity: {
- type: 'SystemAssigned'
- }
- properties: {
- dnsPrefix: clusterName
- nodeResourceGroup: clusterNodeResourceGroupName
- agentPoolProfiles: [
- {
- name: 'agentpool'
- count: 1
- vmSize: 'Standard_DS2_v2'
- osType: 'Linux'
- mode: 'System'
- }
- ]
- }
-}
-
-@description('The name of the created AKS cluster.')
-output clusterName string = cluster.name
diff --git a/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/main.test.bicep b/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 79318166b8..0000000000
--- a/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,95 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-kubernetesconfiguration.extensions-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'kcewaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- clusterName: 'dep-${namePrefix}-aks-${serviceShort}'
- clusterNodeResourceGroupName: 'nodes-${resourceGroupName}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- clusterName: nestedDependencies.outputs.clusterName
- extensionType: 'microsoft.flux'
- configurationSettings: {
- 'image-automation-controller.enabled': 'false'
- 'image-reflector-controller.enabled': 'false'
- 'kustomize-controller.enabled': 'true'
- 'notification-controller.enabled': 'false'
- 'source-controller.enabled': 'true'
- }
- releaseNamespace: 'flux-system'
- releaseTrain: 'Stable'
- version: '0.5.2'
- fluxConfigurations: [
- {
- namespace: 'flux-system'
- scope: 'cluster'
- gitRepository: {
- repositoryRef: {
- branch: 'main'
- }
- sshKnownHosts: ''
- syncIntervalInSeconds: 300
- timeoutInSeconds: 180
- url: 'https://github.com/mspnp/aks-baseline'
- }
- kustomizations: {
- unified: {
- dependsOn: []
- force: false
- path: './cluster-manifests'
- prune: true
- syncIntervalInSeconds: 300
- timeoutInSeconds: 300
- }
- }
- }
- ]
- }
-}]
diff --git a/modules/kubernetes-configuration/extension/version.json b/modules/kubernetes-configuration/extension/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/kubernetes-configuration/extension/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/kubernetes-configuration/flux-configuration/MOVED-TO-AVM.md b/modules/kubernetes-configuration/flux-configuration/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/kubernetes-configuration/flux-configuration/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/kubernetes-configuration/flux-configuration/README.md b/modules/kubernetes-configuration/flux-configuration/README.md
index 8f11c31731..efac5065e6 100644
--- a/modules/kubernetes-configuration/flux-configuration/README.md
+++ b/modules/kubernetes-configuration/flux-configuration/README.md
@@ -1,512 +1,7 @@
-# Kubernetes Configuration Flux Configurations `[Microsoft.KubernetesConfiguration/fluxConfigurations]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/kubernetes-configuration/flux-configuration](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/kubernetes-configuration/flux-configuration).** -This module deploys a Kubernetes Configuration Flux Configuration. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/kubernetes-configuration/flux-configuration). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.KubernetesConfiguration/fluxConfigurations` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KubernetesConfiguration/fluxConfigurations) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/kubernetes-configuration.flux-configuration:1.0.0`. 
- -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configuration:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-kcfcmin' - params: { - // Required parameters - clusterName: '' - kustomizations: { - unified: { - dependsOn: [] - force: false - path: './cluster-manifests' - postBuild: { - substitute: { - TEST_VAR1: 'foo' - TEST_VAR2: 'bar' - } - } - prune: true - syncIntervalInSeconds: 300 - timeoutInSeconds: 300 - } - } - name: 'kcfcmin001' - namespace: 'flux-system' - sourceKind: 'GitRepository' - // Non-required parameters - enableDefaultTelemetry: '' - gitRepository: { - repositoryRef: { - branch: 'main' - } - sshKnownHosts: '' - syncIntervalInSeconds: 300 - timeoutInSeconds: 180 - url: 'https://github.com/mspnp/aks-baseline' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "clusterName": { - "value": "" - }, - "kustomizations": { - "value": { - "unified": { - "dependsOn": [], - "force": false, - "path": "./cluster-manifests", - "postBuild": { - "substitute": { - "TEST_VAR1": "foo", - "TEST_VAR2": "bar" - } - }, - "prune": true, - "syncIntervalInSeconds": 300, - "timeoutInSeconds": 300 - } - } - }, - "name": { - "value": "kcfcmin001" - }, - "namespace": { - "value": "flux-system" - }, - "sourceKind": { - "value": "GitRepository" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "gitRepository": { - "value": { - "repositoryRef": { - "branch": "main" - }, - "sshKnownHosts": "", - "syncIntervalInSeconds": 300, - "timeoutInSeconds": 180, - "url": "https://github.com/mspnp/aks-baseline" - } - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configuration:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-kcfcmax' - params: { - // Required parameters - clusterName: '' - kustomizations: { - unified: { - dependsOn: [] - force: false - path: './cluster-manifests' - prune: true - syncIntervalInSeconds: 300 - timeoutInSeconds: 300 - } - } - name: 'kcfcmax001' - namespace: 'flux-system' - sourceKind: 'GitRepository' - // Non-required parameters - enableDefaultTelemetry: '' - gitRepository: { - repositoryRef: { - branch: 'main' - } - sshKnownHosts: '' - syncIntervalInSeconds: 300 - timeoutInSeconds: 180 - url: 'https://github.com/mspnp/aks-baseline' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "clusterName": { - "value": "" - }, - "kustomizations": { - "value": { - "unified": { - "dependsOn": [], - "force": false, - "path": "./cluster-manifests", - "prune": true, - "syncIntervalInSeconds": 300, - "timeoutInSeconds": 300 - } - } - }, - "name": { - "value": "kcfcmax001" - }, - "namespace": { - "value": "flux-system" - }, - "sourceKind": { - "value": "GitRepository" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "gitRepository": { - "value": { - "repositoryRef": { - "branch": "main" - }, - "sshKnownHosts": "", - "syncIntervalInSeconds": 300, - "timeoutInSeconds": 180, - "url": "https://github.com/mspnp/aks-baseline" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configuration:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-kcfcwaf' - params: { - // Required parameters - clusterName: '' - kustomizations: { - unified: { - dependsOn: [] - force: false - path: './cluster-manifests' - prune: true - syncIntervalInSeconds: 300 - timeoutInSeconds: 300 - } - } - name: 'kcfcwaf001' - namespace: 'flux-system' - sourceKind: 'GitRepository' - // Non-required parameters - enableDefaultTelemetry: '' - gitRepository: { - repositoryRef: { - branch: 'main' - } - sshKnownHosts: '' - syncIntervalInSeconds: 300 - timeoutInSeconds: 180 - url: 'https://github.com/mspnp/aks-baseline' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "clusterName": { - "value": "" - }, - "kustomizations": { - "value": { - "unified": { - "dependsOn": [], - "force": false, - "path": "./cluster-manifests", - "prune": true, - "syncIntervalInSeconds": 300, - "timeoutInSeconds": 300 - } - } - }, - "name": { - "value": "kcfcwaf001" - }, - "namespace": { - "value": "flux-system" - }, - "sourceKind": { - "value": "GitRepository" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "gitRepository": { - "value": { - "repositoryRef": { - "branch": "main" - }, - "sshKnownHosts": "", - "syncIntervalInSeconds": 300, - "timeoutInSeconds": 180, - "url": "https://github.com/mspnp/aks-baseline" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`clusterName`](#parameter-clustername) | string | The name of the AKS cluster that should be configured. | -| [`kustomizations`](#parameter-kustomizations) | object | Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster. | -| [`name`](#parameter-name) | string | The name of the Flux Configuration. | -| [`namespace`](#parameter-namespace) | string | The namespace to which this configuration is installed to. Maximum of 253 lower case alphanumeric characters, hyphen and period only. | -| [`scope`](#parameter-scope) | string | Scope at which the configuration will be installed. | -| [`sourceKind`](#parameter-sourcekind) | string | Source Kind to pull the configuration data from. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`bucket`](#parameter-bucket) | object | Parameters to reconcile to the GitRepository source kind type. | -| [`configurationProtectedSettings`](#parameter-configurationprotectedsettings) | secureObject | Key-value pairs of protected configuration settings for the configuration. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`gitRepository`](#parameter-gitrepository) | object | Parameters to reconcile to the GitRepository source kind type. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`suspend`](#parameter-suspend) | bool | Whether this configuration should suspend its reconciliation of its kustomizations and sources. | - -### Parameter: `clusterName` - -The name of the AKS cluster that should be configured. - -- Required: Yes -- Type: string - -### Parameter: `kustomizations` - -Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster. 
- -- Required: Yes -- Type: object - -### Parameter: `name` - -The name of the Flux Configuration. - -- Required: Yes -- Type: string - -### Parameter: `namespace` - -The namespace to which this configuration is installed to. Maximum of 253 lower case alphanumeric characters, hyphen and period only. - -- Required: Yes -- Type: string - -### Parameter: `scope` - -Scope at which the configuration will be installed. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'cluster' - 'namespace' - ] - ``` - -### Parameter: `sourceKind` - -Source Kind to pull the configuration data from. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Bucket' - 'GitRepository' - ] - ``` - -### Parameter: `bucket` - -Parameters to reconcile to the GitRepository source kind type. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `configurationProtectedSettings` - -Key-value pairs of protected configuration settings for the configuration. - -- Required: No -- Type: secureObject -- Default: `{}` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `gitRepository` - -Parameters to reconcile to the GitRepository source kind type. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `suspend` - -Whether this configuration should suspend its reconciliation of its kustomizations and sources. - -- Required: No -- Type: bool -- Default: `False` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the flux configuration. | -| `resourceGroupName` | string | The name of the resource group the flux configuration was deployed into. | -| `resourceId` | string | The resource ID of the flux configuration. 
| - -## Cross-referenced modules - -_None_ - -## Notes - -### Prerequisites - -Registration of your subscription with the AKS-ExtensionManager feature flag. Use the following command: - -```powershell -az feature register --namespace Microsoft.ContainerService --name AKS-ExtensionManager -``` - -Registration of the following Azure service providers. (It's OK to re-register an existing provider.) - -```powershell -az provider register --namespace Microsoft.Kubernetes -az provider register --namespace Microsoft.ContainerService -az provider register --namespace Microsoft.KubernetesConfiguration -``` - -For Details see [Prerequisites](https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/tutorial-use-gitops-flux2) +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/kubernetes-configuration/flux-configuration/main.bicep b/modules/kubernetes-configuration/flux-configuration/main.bicep deleted file mode 100644 index cc2a29c4d0..0000000000 --- a/modules/kubernetes-configuration/flux-configuration/main.bicep +++ /dev/null 
@@ -1,88 +0,0 @@ -metadata name = 'Kubernetes Configuration Flux Configurations' -metadata description = 'This module deploys a Kubernetes Configuration Flux Configuration.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. The name of the Flux Configuration.') -param name string - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Required. The name of the AKS cluster that should be configured.') -param clusterName string - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. Parameters to reconcile to the GitRepository source kind type.') -param bucket object = {} - -@description('Optional. Key-value pairs of protected configuration settings for the configuration.') -@secure() -param configurationProtectedSettings object = {} - -@description('Optional. Parameters to reconcile to the GitRepository source kind type.') -param gitRepository object = {} - -@description('Required. Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster.') -param kustomizations object - -@description('Required. The namespace to which this configuration is installed to. Maximum of 253 lower case alphanumeric characters, hyphen and period only.') -param namespace string - -@allowed([ - 'cluster' - 'namespace' -]) -@description('Required. Scope at which the configuration will be installed.') -param scope string - -@allowed([ - 'Bucket' - 'GitRepository' -]) -@description('Required. Source Kind to pull the configuration data from.') -param sourceKind string - -@description('Optional. 
Whether this configuration should suspend its reconciliation of its kustomizations and sources.') -param suspend bool = false - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource managedCluster 'Microsoft.ContainerService/managedClusters@2022-07-01' existing = { - name: clusterName -} - -resource fluxConfiguration 'Microsoft.KubernetesConfiguration/fluxConfigurations@2023-05-01' = { - name: name - scope: managedCluster - properties: { - bucket: !empty(bucket) ? bucket : null - configurationProtectedSettings: !empty(configurationProtectedSettings) ? configurationProtectedSettings : {} - gitRepository: !empty(gitRepository) ? gitRepository : null - kustomizations: kustomizations - namespace: namespace - scope: scope - sourceKind: sourceKind - suspend: suspend - } -} - -@description('The name of the flux configuration.') -output name string = fluxConfiguration.name - -@description('The resource ID of the flux configuration.') -output resourceId string = fluxConfiguration.id - -@description('The name of the resource group the flux configuration was deployed into.') -output resourceGroupName string = resourceGroup().name diff --git a/modules/kubernetes-configuration/flux-configuration/main.json b/modules/kubernetes-configuration/flux-configuration/main.json deleted file mode 100644 index e8e9b2bf1d..0000000000 --- a/modules/kubernetes-configuration/flux-configuration/main.json +++ /dev/null 
@@ -1,157 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10031296768791737313" - }, - "name": "Kubernetes Configuration Flux Configurations", - "description": "This module deploys a Kubernetes Configuration Flux Configuration.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Flux Configuration." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "clusterName": { - "type": "string", - "metadata": { - "description": "Required. The name of the AKS cluster that should be configured." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "bucket": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Parameters to reconcile to the GitRepository source kind type." - } - }, - "configurationProtectedSettings": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Key-value pairs of protected configuration settings for the configuration." - } - }, - "gitRepository": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Parameters to reconcile to the GitRepository source kind type." - } - }, - "kustomizations": { - "type": "object", - "metadata": { - "description": "Required. Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster." - } - }, - "namespace": { - "type": "string", - "metadata": { - "description": "Required. 
The namespace to which this configuration is installed to. Maximum of 253 lower case alphanumeric characters, hyphen and period only." - } - }, - "scope": { - "type": "string", - "allowedValues": [ - "cluster", - "namespace" - ], - "metadata": { - "description": "Required. Scope at which the configuration will be installed." - } - }, - "sourceKind": { - "type": "string", - "allowedValues": [ - "Bucket", - "GitRepository" - ], - "metadata": { - "description": "Required. Source Kind to pull the configuration data from." - } - }, - "suspend": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether this configuration should suspend its reconciliation of its kustomizations and sources." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.KubernetesConfiguration/fluxConfigurations", - "apiVersion": "2023-05-01", - "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('clusterName'))]", - "name": "[parameters('name')]", - "properties": { - "bucket": "[if(not(empty(parameters('bucket'))), parameters('bucket'), null())]", - "configurationProtectedSettings": "[if(not(empty(parameters('configurationProtectedSettings'))), parameters('configurationProtectedSettings'), createObject())]", - "gitRepository": "[if(not(empty(parameters('gitRepository'))), parameters('gitRepository'), null())]", - "kustomizations": "[parameters('kustomizations')]", - "namespace": "[parameters('namespace')]", - "scope": "[parameters('scope')]", - "sourceKind": 
"[parameters('sourceKind')]", - "suspend": "[parameters('suspend')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the flux configuration." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the flux configuration." - }, - "value": "[extensionResourceId(resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName')), 'Microsoft.KubernetesConfiguration/fluxConfigurations', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the flux configuration was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/kubernetes-configuration/flux-configuration/tests/e2e/defaults/dependencies.bicep b/modules/kubernetes-configuration/flux-configuration/tests/e2e/defaults/dependencies.bicep deleted file mode 100644 index 0bf942bbd1..0000000000 --- a/modules/kubernetes-configuration/flux-configuration/tests/e2e/defaults/dependencies.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the AKS cluster to create.')
-param clusterName string
-
-@description('Required. The name of the AKS cluster extension to create.')
-param clusterExtensionName string
-
-@description('Required. The name of the AKS cluster nodes resource group to create.')
-param clusterNodeResourceGroupName string
-
-resource cluster 'Microsoft.ContainerService/managedClusters@2022-07-01' = {
- name: clusterName
- location: location
- identity: {
- type: 'SystemAssigned'
- }
- properties: {
- dnsPrefix: clusterName
- nodeResourceGroup: clusterNodeResourceGroupName
- agentPoolProfiles: [
- {
- name: 'agentpool'
- count: 1
- vmSize: 'Standard_DS2_v2'
- osType: 'Linux'
- mode: 'System'
- }
- ]
- }
-}
-
-resource extension 'Microsoft.KubernetesConfiguration/extensions@2022-03-01' = {
- scope: cluster
- name: clusterExtensionName
- properties: {
- extensionType: 'microsoft.flux'
- releaseTrain: 'Stable'
- scope: {
- cluster: {
- releaseNamespace: 'flux-system'
- }
- }
- }
-}
-
-@description('The name of the created AKS cluster.')
-output clusterName string = cluster.name
diff --git a/modules/kubernetes-configuration/flux-configuration/tests/e2e/defaults/main.test.bicep b/modules/kubernetes-configuration/flux-configuration/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index 55fa46533f..0000000000
--- a/modules/kubernetes-configuration/flux-configuration/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,88 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using only defaults' -metadata description = 'This instance deploys the module with the minimum set of required parameters.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-kubernetesconfiguration.fluxconfigurations-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'kcfcmin' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - clusterName: 'dep-${namePrefix}-aks-${serviceShort}' - clusterExtensionName: '${namePrefix}${serviceShort}001' - clusterNodeResourceGroupName: 'nodes-${resourceGroupName}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - 
clusterName: nestedDependencies.outputs.clusterName - namespace: 'flux-system' - scope: 'cluster' - sourceKind: 'GitRepository' - gitRepository: { - repositoryRef: { - branch: 'main' - } - sshKnownHosts: '' - syncIntervalInSeconds: 300 - timeoutInSeconds: 180 - url: 'https://github.com/mspnp/aks-baseline' - } - kustomizations: { - unified: { - dependsOn: [] - force: false - path: './cluster-manifests' - prune: true - syncIntervalInSeconds: 300 - timeoutInSeconds: 300 - postBuild: { - substitute: { - TEST_VAR1: 'foo' - TEST_VAR2: 'bar' - } - } - } - } - } -}] diff --git a/modules/kubernetes-configuration/flux-configuration/tests/e2e/max/dependencies.bicep b/modules/kubernetes-configuration/flux-configuration/tests/e2e/max/dependencies.bicep deleted file mode 100644 index 0bf942bbd1..0000000000 --- a/modules/kubernetes-configuration/flux-configuration/tests/e2e/max/dependencies.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the AKS cluster to create.')
-param clusterName string
-
-@description('Required. The name of the AKS cluster extension to create.')
-param clusterExtensionName string
-
-@description('Required. The name of the AKS cluster nodes resource group to create.')
-param clusterNodeResourceGroupName string
-
-resource cluster 'Microsoft.ContainerService/managedClusters@2022-07-01' = {
- name: clusterName
- location: location
- identity: {
- type: 'SystemAssigned'
- }
- properties: {
- dnsPrefix: clusterName
- nodeResourceGroup: clusterNodeResourceGroupName
- agentPoolProfiles: [
- {
- name: 'agentpool'
- count: 1
- vmSize: 'Standard_DS2_v2'
- osType: 'Linux'
- mode: 'System'
- }
- ]
- }
-}
-
-resource extension 'Microsoft.KubernetesConfiguration/extensions@2022-03-01' = {
- scope: cluster
- name: clusterExtensionName
- properties: {
- extensionType: 'microsoft.flux'
- releaseTrain: 'Stable'
- scope: {
- cluster: {
- releaseNamespace: 'flux-system'
- }
- }
- }
-}
-
-@description('The name of the created AKS cluster.')
-output clusterName string = cluster.name
diff --git a/modules/kubernetes-configuration/flux-configuration/tests/e2e/max/main.test.bicep b/modules/kubernetes-configuration/flux-configuration/tests/e2e/max/main.test.bicep
deleted file mode 100644
index fbc4aa7069..0000000000
--- a/modules/kubernetes-configuration/flux-configuration/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,82 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-kubernetesconfiguration.fluxconfigurations-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'kcfcmax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - clusterName: 'dep-${namePrefix}-aks-${serviceShort}' - clusterExtensionName: '${namePrefix}${serviceShort}001' - clusterNodeResourceGroupName: 'nodes-${resourceGroupName}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - clusterName: 
nestedDependencies.outputs.clusterName - namespace: 'flux-system' - scope: 'cluster' - sourceKind: 'GitRepository' - gitRepository: { - repositoryRef: { - branch: 'main' - } - sshKnownHosts: '' - syncIntervalInSeconds: 300 - timeoutInSeconds: 180 - url: 'https://github.com/mspnp/aks-baseline' - } - kustomizations: { - unified: { - dependsOn: [] - force: false - path: './cluster-manifests' - prune: true - syncIntervalInSeconds: 300 - timeoutInSeconds: 300 - } - } - } -}] diff --git a/modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/dependencies.bicep b/modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/dependencies.bicep deleted file mode 100644 index 0bf942bbd1..0000000000 --- a/modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the AKS cluster to create.')
-param clusterName string
-
-@description('Required. The name of the AKS cluster extension to create.')
-param clusterExtensionName string
-
-@description('Required. The name of the AKS cluster nodes resource group to create.')
-param clusterNodeResourceGroupName string
-
-resource cluster 'Microsoft.ContainerService/managedClusters@2022-07-01' = {
- name: clusterName
- location: location
- identity: {
- type: 'SystemAssigned'
- }
- properties: {
- dnsPrefix: clusterName
- nodeResourceGroup: clusterNodeResourceGroupName
- agentPoolProfiles: [
- {
- name: 'agentpool'
- count: 1
- vmSize: 'Standard_DS2_v2'
- osType: 'Linux'
- mode: 'System'
- }
- ]
- }
-}
-
-resource extension 'Microsoft.KubernetesConfiguration/extensions@2022-03-01' = {
- scope: cluster
- name: clusterExtensionName
- properties: {
- extensionType: 'microsoft.flux'
- releaseTrain: 'Stable'
- scope: {
- cluster: {
- releaseNamespace: 'flux-system'
- }
- }
- }
-}
-
-@description('The name of the created AKS cluster.')
-output clusterName string = cluster.name
diff --git a/modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/main.test.bicep b/modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 858b74642f..0000000000
--- a/modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,82 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-kubernetesconfiguration.fluxconfigurations-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'kcfcwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- clusterName: 'dep-${namePrefix}-aks-${serviceShort}'
- clusterExtensionName: '${namePrefix}${serviceShort}001'
- clusterNodeResourceGroupName: 'nodes-${resourceGroupName}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: 
'${namePrefix}${serviceShort}001'
- clusterName: nestedDependencies.outputs.clusterName
- namespace: 'flux-system'
- scope: 'cluster'
- sourceKind: 'GitRepository'
- gitRepository: {
- repositoryRef: {
- branch: 'main'
- }
- sshKnownHosts: ''
- syncIntervalInSeconds: 300
- timeoutInSeconds: 180
- url: 'https://github.com/mspnp/aks-baseline'
- }
- kustomizations: {
- unified: {
- dependsOn: []
- force: false
- path: './cluster-manifests'
- prune: true
- syncIntervalInSeconds: 300
- timeoutInSeconds: 300
- }
- }
- }
-}]
diff --git a/modules/kubernetes-configuration/flux-configuration/version.json b/modules/kubernetes-configuration/flux-configuration/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/kubernetes-configuration/flux-configuration/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/logic/workflow/MOVED-TO-AVM.md b/modules/logic/workflow/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/logic/workflow/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/logic/workflow/README.md b/modules/logic/workflow/README.md
index a078f14601..774062f923 100644
--- a/modules/logic/workflow/README.md
+++ b/modules/logic/workflow/README.md
@@ -1,978 +1,7 @@
-# Logic Apps (Workflows) `[Microsoft.Logic/workflows]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/logic/workflow](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/logic/workflow).** -This module deploys a Logic App (Workflow). +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/logic/workflow). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Logic/workflows` | [2019-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Logic/2019-05-01/workflows) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. 
- ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/logic.workflow:1.0.0`. - -- [Using large parameter set](#example-1-using-large-parameter-set) -- [WAF-aligned](#example-2-waf-aligned) - -### Example 1: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -
- -via Bicep module - -```bicep -module workflow 'br:bicep/modules/logic.workflow:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-lwmax' - params: { - // Required parameters - name: 'lwmax001' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - workflowActions: { - HTTP: { - inputs: { - body: { - BeginPeakTime: '' - EndPeakTime: '' - HostPoolName: '' - LAWorkspaceName: '' - LimitSecondsToForceLogOffUser: '' - LogOffMessageBody: '' - LogOffMessageTitle: '' - MinimumNumberOfRDSH: 1 - ResourceGroupName: '' - SessionThresholdPerCPU: 1 - UtcOffset: '' - } - method: 'POST' - uri: 'https://testStringForValidation.com' - } - type: 'Http' - } - } - workflowTriggers: { - Recurrence: { - recurrence: { - frequency: 'Minute' - interval: 15 - } - type: 'Recurrence' - } - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "lwmax001" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "workflowActions": { - "value": { - "HTTP": { - "inputs": { - "body": { - "BeginPeakTime": "", - "EndPeakTime": "", - "HostPoolName": "", - "LAWorkspaceName": "", - "LimitSecondsToForceLogOffUser": "", - "LogOffMessageBody": "", - "LogOffMessageTitle": "", - "MinimumNumberOfRDSH": 1, - "ResourceGroupName": "", - "SessionThresholdPerCPU": 1, - "UtcOffset": "" - }, - "method": "POST", - "uri": "https://testStringForValidation.com" - }, - "type": "Http" - } - } - }, - "workflowTriggers": { - "value": { - "Recurrence": { - "recurrence": { - "frequency": "Minute", - "interval": 15 - }, - "type": "Recurrence" - } - } - } - } -} -``` - -
-

- -### Example 2: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module workflow 'br:bicep/modules/logic.workflow:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-lwwaf' - params: { - // Required parameters - name: 'lwwaf001' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - workflowActions: { - HTTP: { - inputs: { - body: { - BeginPeakTime: '' - EndPeakTime: '' - HostPoolName: '' - LAWorkspaceName: '' - LimitSecondsToForceLogOffUser: '' - LogOffMessageBody: '' - LogOffMessageTitle: '' - MinimumNumberOfRDSH: 1 - ResourceGroupName: '' - SessionThresholdPerCPU: 1 - UtcOffset: '' - } - method: 'POST' - uri: 'https://testStringForValidation.com' - } - type: 'Http' - } - } - workflowTriggers: { - Recurrence: { - recurrence: { - frequency: 'Minute' - interval: 15 - } - type: 'Recurrence' - } - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "lwwaf001" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "workflowActions": { - "value": { - "HTTP": { - "inputs": { - "body": { - "BeginPeakTime": "", - "EndPeakTime": "", - "HostPoolName": "", - "LAWorkspaceName": "", - "LimitSecondsToForceLogOffUser": "", - "LogOffMessageBody": "", - "LogOffMessageTitle": "", - "MinimumNumberOfRDSH": 1, - "ResourceGroupName": "", - "SessionThresholdPerCPU": 1, - "UtcOffset": "" - }, - "method": "POST", - "uri": "https://testStringForValidation.com" - }, - "type": "Http" - } - } - }, - "workflowTriggers": { - "value": { - "Recurrence": { - "recurrence": { - "frequency": "Minute", - "interval": 15 - }, - "type": "Recurrence" - } - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The logic app workflow name. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`actionsAccessControlConfiguration`](#parameter-actionsaccesscontrolconfiguration) | object | The access control configuration for workflow actions. | -| [`connectorEndpointsConfiguration`](#parameter-connectorendpointsconfiguration) | object | The endpoints configuration: Access endpoint and outgoing IP addresses for the connector. | -| [`contentsAccessControlConfiguration`](#parameter-contentsaccesscontrolconfiguration) | object | The access control configuration for accessing workflow run contents. | -| [`definitionParameters`](#parameter-definitionparameters) | object | Parameters for the definition template. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`integrationAccount`](#parameter-integrationaccount) | object | The integration account. | -| [`integrationServiceEnvironmentResourceId`](#parameter-integrationserviceenvironmentresourceid) | string | The integration service environment Id. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`state`](#parameter-state) | string | The state. - NotSpecified, Completed, Enabled, Disabled, Deleted, Suspended. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`triggersAccessControlConfiguration`](#parameter-triggersaccesscontrolconfiguration) | object | The access control configuration for invoking workflow triggers. | -| [`workflowActions`](#parameter-workflowactions) | object | The definitions for one or more actions to execute at workflow runtime. | -| [`workflowEndpointsConfiguration`](#parameter-workflowendpointsconfiguration) | object | The endpoints configuration: Access endpoint and outgoing IP addresses for the workflow. | -| [`workflowManagementAccessControlConfiguration`](#parameter-workflowmanagementaccesscontrolconfiguration) | object | The access control configuration for workflow management. | -| [`workflowOutputs`](#parameter-workflowoutputs) | object | The definitions for the outputs to return from a workflow run. | -| [`workflowParameters`](#parameter-workflowparameters) | object | The definitions for one or more parameters that pass the values to use at your logic app's runtime. | -| [`workflowStaticResults`](#parameter-workflowstaticresults) | object | The definitions for one or more static results returned by actions as mock outputs when static results are enabled on those actions. In each action definition, the runtimeConfiguration.staticResult.name attribute references the corresponding definition inside staticResults. | -| [`workflowTriggers`](#parameter-workflowtriggers) | object | The definitions for one or more triggers that instantiate your workflow. 
You can define more than one trigger, but only with the Workflow Definition Language, not visually through the Logic Apps Designer. | - -### Parameter: `name` - -The logic app workflow name. - -- Required: Yes -- Type: string - -### Parameter: `actionsAccessControlConfiguration` - -The access control configuration for workflow actions. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `connectorEndpointsConfiguration` - -The endpoints configuration: Access endpoint and outgoing IP addresses for the connector. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `contentsAccessControlConfiguration` - -The access control configuration for accessing workflow run contents. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `definitionParameters` - -Parameters for the definition template. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. 
| -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `integrationAccount` - -The integration account. 
- -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `integrationServiceEnvironmentResourceId` - -The integration service environment Id. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: No -- Type: array - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
- -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `state` - -The state. - NotSpecified, Completed, Enabled, Disabled, Deleted, Suspended. - -- Required: No -- Type: string -- Default: `'Enabled'` -- Allowed: - ```Bicep - [ - 'Completed' - 'Deleted' - 'Disabled' - 'Enabled' - 'NotSpecified' - 'Suspended' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `triggersAccessControlConfiguration` - -The access control configuration for invoking workflow triggers. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `workflowActions` - -The definitions for one or more actions to execute at workflow runtime. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `workflowEndpointsConfiguration` - -The endpoints configuration: Access endpoint and outgoing IP addresses for the workflow. 
- -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `workflowManagementAccessControlConfiguration` - -The access control configuration for workflow management. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `workflowOutputs` - -The definitions for the outputs to return from a workflow run. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `workflowParameters` - -The definitions for one or more parameters that pass the values to use at your logic app's runtime. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `workflowStaticResults` - -The definitions for one or more static results returned by actions as mock outputs when static results are enabled on those actions. In each action definition, the runtimeConfiguration.staticResult.name attribute references the corresponding definition inside staticResults. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `workflowTriggers` - -The definitions for one or more triggers that instantiate your workflow. You can define more than one trigger, but only with the Workflow Definition Language, not visually through the Logic Apps Designer. - -- Required: No -- Type: object -- Default: `{}` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the logic app. | -| `resourceGroupName` | string | The resource group the logic app was deployed into. | -| `resourceId` | string | The resource ID of the logic app. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage `AccessControlConfiguration` - -- `actionsAccessControlConfiguration` -- `contentsAccessControlConfiguration` -- `triggersAccessControlConfiguration` -- `workflowManagementAccessControlConfiguration` - -

- -Parameter JSON format - -```json -"AccessControlConfiguration": { - "value": { - "allowedCallerIpAddresses": [ - { - "addressRange": "string" - } - ], - "openAuthenticationPolicies": { - "policies": {} - } - } -} -``` - -
- -
- -Bicep format - -```bicep -'AccessControlConfiguration': { - allowedCallerIpAddresses: [ - { - addressRange: 'string' - } - ] - openAuthenticationPolicies: { - policies: {} - } -} -``` - -
-

- -### Parameter Usage `EndpointsConfiguration` - -- `connectorEndpointsConfiguration` -- `workflowEndpointsConfiguration` - -

- -Parameter JSON format - -```json -"EndpointsConfiguration": { - "value": { - "outgoingIpAddresses": [ - { - "address": "string" - } - ], - "accessEndpointIpAddresses": [ - { - "address": "string" - } - ] - } -} -``` - -
- -
- -Bicep format - -```bicep -'EndpointsConfiguration': { - outgoingIpAddresses: [ - { - address: 'string' - } - ] - accessEndpointIpAddresses: [ - { - address: 'string' - } - ] -} -``` - -
-

+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/logic/workflow/main.bicep b/modules/logic/workflow/main.bicep deleted file mode 100644 index 3dca15ac0c..0000000000 --- a/modules/logic/workflow/main.bicep +++ /dev/null 
@@ -1,289 +0,0 @@ -metadata name = 'Logic Apps (Workflows)' -metadata description = 'This module deploys a Logic App (Workflow).' -metadata owner = 'Azure/module-maintainers' - -@description('Required. The logic app workflow name.') -param name string - -@description('Optional. The access control configuration for workflow actions.') -param actionsAccessControlConfiguration object = {} - -@description('Optional. The endpoints configuration: Access endpoint and outgoing IP addresses for the connector.') -param connectorEndpointsConfiguration object = {} - -@description('Optional. The access control configuration for accessing workflow run contents.') -param contentsAccessControlConfiguration object = {} - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. Parameters for the definition template.') -param definitionParameters object = {} - -@description('Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both.') -param managedIdentities managedIdentitiesType - -@description('Optional. The integration account.') -param integrationAccount object = {} - -@description('Optional. The integration service environment Id.') -param integrationServiceEnvironmentResourceId string = '' - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. The diagnostic settings of the service.') -param diagnosticSettings diagnosticSettingType - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments roleAssignmentType - -@description('Optional. The state. - NotSpecified, Completed, Enabled, Disabled, Deleted, Suspended.') -@allowed([ - 'NotSpecified' - 'Completed' - 'Enabled' - 'Disabled' - 'Deleted' - 'Suspended' -]) -param state string = 'Enabled' - -@description('Optional. Tags of the resource.') -param tags object? - -@description('Optional. The access control configuration for invoking workflow triggers.') -param triggersAccessControlConfiguration object = {} - -@description('Optional. The definitions for one or more actions to execute at workflow runtime.') -param workflowActions object = {} - -@description('Optional. The endpoints configuration: Access endpoint and outgoing IP addresses for the workflow.') -param workflowEndpointsConfiguration object = {} - -@description('Optional. The access control configuration for workflow management.') -param workflowManagementAccessControlConfiguration object = {} - -@description('Optional. The definitions for the outputs to return from a workflow run.') -param workflowOutputs object = {} - -@description('Optional. The definitions for one or more parameters that pass the values to use at your logic app\'s runtime.') -param workflowParameters object = {} - -@description('Optional. The definitions for one or more static results returned by actions as mock outputs when static results are enabled on those actions. In each action definition, the runtimeConfiguration.staticResult.name attribute references the corresponding definition inside staticResults.') -param workflowStaticResults object = {} - -@description('Optional. The definitions for one or more triggers that instantiate your workflow. 
You can define more than one trigger, but only with the Workflow Definition Language, not visually through the Logic Apps Designer.') -param workflowTriggers object = {} - -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } - -var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? 'SystemAssigned' : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) - userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null -} : null - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Logic App Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e') - 'Logic App Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 
'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource logicApp 'Microsoft.Logic/workflows@2019-05-01' = { - name: name - location: location - tags: !empty(tags) ? tags : null - identity: identity - properties: { - state: state - endpointsConfiguration: { - workflow: workflowEndpointsConfiguration - connector: connectorEndpointsConfiguration - } - accessControl: { - triggers: !empty(triggersAccessControlConfiguration) ? triggersAccessControlConfiguration : null - contents: !empty(contentsAccessControlConfiguration) ? contentsAccessControlConfiguration : null - actions: !empty(actionsAccessControlConfiguration) ? actionsAccessControlConfiguration : null - workflowManagement: !empty(workflowManagementAccessControlConfiguration) ? workflowManagementAccessControlConfiguration : null - } - integrationAccount: !empty(integrationAccount) ? integrationAccount : null - integrationServiceEnvironment: !empty(integrationServiceEnvironmentResourceId) ? { - id: integrationServiceEnvironmentResourceId - } : null - - definition: { - '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#' - actions: workflowActions - contentVersion: '1.0.0.0' - outputs: workflowOutputs - parameters: workflowParameters - staticResults: workflowStaticResults - triggers: workflowTriggers - } - parameters: definitionParameters - } -} - -resource logicApp_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' 
- } - scope: logicApp -} - -resource logicApp_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { - name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' - properties: { - storageAccountId: diagnosticSetting.?storageAccountResourceId - workspaceId: diagnosticSetting.?workspaceResourceId - eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId - eventHubName: diagnosticSetting.?eventHubName - metrics: diagnosticSetting.?metricCategories ?? [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - } - ] - logs: diagnosticSetting.?logCategoriesAndGroups ?? [ - { - categoryGroup: 'AllLogs' - enabled: true - } - ] - marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId - logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType - } - scope: logicApp -}] - -resource logicApp_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(logicApp.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? 
'2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: logicApp -}] - -@description('The name of the logic app.') -output name string = logicApp.name - -@description('The resource group the logic app was deployed into.') -output resourceGroupName string = resourceGroup().name - -@description('The resource ID of the logic app.') -output resourceId string = logicApp.id - -@description('The principal ID of the system assigned identity.') -output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(logicApp.identity, 'principalId') ? logicApp.identity.principalId : '' - -@description('The location the resource was deployed into.') -output location string = logicApp.location - -// =============== // -// Definitions // -// =============== // - -type managedIdentitiesType = { - @description('Optional. Enables system assigned managed identity on the resource.') - systemAssigned: bool? - - @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourceIds: string[]? -}? - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? - -type diagnosticSettingType = { - @description('Optional. The name of diagnostic setting.') - name: string? - - @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') - logCategoriesAndGroups: { - @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') - category: string? - - @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') - categoryGroup: string? - }[]? - - @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') - metricCategories: { - @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') - category: string - }[]? - - @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? - - @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - workspaceResourceId: string? - - @description('Optional. 
Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - storageAccountResourceId: string? - - @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') - eventHubAuthorizationRuleResourceId: string? - - @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - eventHubName: string? - - @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') - marketplacePartnerResourceId: string? -}[]? diff --git a/modules/logic/workflow/main.json b/modules/logic/workflow/main.json deleted file mode 100644 index 6f34991d72..0000000000 --- a/modules/logic/workflow/main.json +++ /dev/null 
@@ -1,561 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "8579742468489559790" - }, - "name": "Logic Apps (Workflows)", - "description": "This module deploys a Logic App (Workflow).", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." 
- } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The logic app workflow name." - } - }, - "actionsAccessControlConfiguration": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The access control configuration for workflow actions." - } - }, - "connectorEndpointsConfiguration": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The endpoints configuration: Access endpoint and outgoing IP addresses for the connector." - } - }, - "contentsAccessControlConfiguration": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The access control configuration for accessing workflow run contents." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "definitionParameters": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Parameters for the definition template." 
- } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both." - } - }, - "integrationAccount": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The integration account." - } - }, - "integrationServiceEnvironmentResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The integration service environment Id." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "state": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "NotSpecified", - "Completed", - "Enabled", - "Disabled", - "Deleted", - "Suspended" - ], - "metadata": { - "description": "Optional. The state. - NotSpecified, Completed, Enabled, Disabled, Deleted, Suspended." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. 
Tags of the resource." - } - }, - "triggersAccessControlConfiguration": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The access control configuration for invoking workflow triggers." - } - }, - "workflowActions": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The definitions for one or more actions to execute at workflow runtime." - } - }, - "workflowEndpointsConfiguration": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The endpoints configuration: Access endpoint and outgoing IP addresses for the workflow." - } - }, - "workflowManagementAccessControlConfiguration": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The access control configuration for workflow management." - } - }, - "workflowOutputs": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The definitions for the outputs to return from a workflow run." - } - }, - "workflowParameters": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The definitions for one or more parameters that pass the values to use at your logic app's runtime." - } - }, - "workflowStaticResults": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The definitions for one or more static results returned by actions as mock outputs when static results are enabled on those actions. In each action definition, the runtimeConfiguration.staticResult.name attribute references the corresponding definition inside staticResults." - } - }, - "workflowTriggers": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The definitions for one or more triggers that instantiate your workflow. You can define more than one trigger, but only with the Workflow Definition Language, not visually through the Logic Apps Designer." 
- } - } - }, - "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Logic App Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Logic App Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": 
"[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "logicApp": { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2019-05-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[if(not(empty(parameters('tags'))), parameters('tags'), null())]", - "identity": "[variables('identity')]", - "properties": { - "state": "[parameters('state')]", - "endpointsConfiguration": { - "workflow": "[parameters('workflowEndpointsConfiguration')]", - "connector": "[parameters('connectorEndpointsConfiguration')]" - }, - "accessControl": { - "triggers": "[if(not(empty(parameters('triggersAccessControlConfiguration'))), parameters('triggersAccessControlConfiguration'), null())]", - "contents": "[if(not(empty(parameters('contentsAccessControlConfiguration'))), parameters('contentsAccessControlConfiguration'), null())]", - "actions": "[if(not(empty(parameters('actionsAccessControlConfiguration'))), parameters('actionsAccessControlConfiguration'), null())]", - "workflowManagement": "[if(not(empty(parameters('workflowManagementAccessControlConfiguration'))), parameters('workflowManagementAccessControlConfiguration'), null())]" - }, - "integrationAccount": "[if(not(empty(parameters('integrationAccount'))), parameters('integrationAccount'), null())]", - "integrationServiceEnvironment": "[if(not(empty(parameters('integrationServiceEnvironmentResourceId'))), createObject('id', parameters('integrationServiceEnvironmentResourceId')), null())]", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "actions": "[parameters('workflowActions')]", - "contentVersion": "1.0.0.0", - "outputs": 
"[parameters('workflowOutputs')]", - "parameters": "[parameters('workflowParameters')]", - "staticResults": "[parameters('workflowStaticResults')]", - "triggers": "[parameters('workflowTriggers')]" - }, - "parameters": "[parameters('definitionParameters')]" - } - }, - "logicApp_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Logic/workflows/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "logicApp" - ] - }, - "logicApp_diagnosticSettings": { - "copy": { - "name": "logicApp_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Logic/workflows/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), 
createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "logicApp" - ] - }, - "logicApp_roleAssignments": { - "copy": { - "name": "logicApp_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Logic/workflows/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Logic/workflows', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - 
"principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "logicApp" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the logic app." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the logic app was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the logic app." - }, - "value": "[resourceId('Microsoft.Logic/workflows', parameters('name'))]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('logicApp', '2019-05-01', 'full').identity, 'principalId')), reference('logicApp', '2019-05-01', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('logicApp', '2019-05-01', 'full').location]" - } - } -} \ No newline at end of file 
diff --git a/modules/logic/workflow/tests/e2e/max/dependencies.bicep b/modules/logic/workflow/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 0f0755a6f4..0000000000
--- a/modules/logic/workflow/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,16 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
diff --git a/modules/logic/workflow/tests/e2e/max/main.test.bicep b/modules/logic/workflow/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 108fd11c93..0000000000
--- a/modules/logic/workflow/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,137 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-logic.workflows-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'lwmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- managedIdentities: {
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- workflowActions: {
- HTTP: {
- inputs: {
- body: {
- BeginPeakTime: ''
- EndPeakTime: ''
- HostPoolName: ''
- LAWorkspaceName: ''
- LimitSecondsToForceLogOffUser: ''
- LogOffMessageBody: ''
- LogOffMessageTitle: ''
- MinimumNumberOfRDSH: 1
- ResourceGroupName: ''
- SessionThresholdPerCPU: 1
- UtcOffset: ''
- }
- method: 'POST'
- uri: 'https://testStringForValidation.com'
- }
- type: 'Http'
- }
- }
- workflowTriggers: {
- Recurrence: {
- recurrence: {
- frequency: 'Minute'
- interval: 15
- }
- type: 'Recurrence'
- }
- }
- }
-}]
diff --git a/modules/logic/workflow/tests/e2e/waf-aligned/dependencies.bicep b/modules/logic/workflow/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 0f0755a6f4..0000000000
--- a/modules/logic/workflow/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,16 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
diff --git a/modules/logic/workflow/tests/e2e/waf-aligned/main.test.bicep b/modules/logic/workflow/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 315241f110..0000000000
--- a/modules/logic/workflow/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,137 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-logic.workflows-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'lwwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- managedIdentities: {
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- workflowActions: {
- HTTP: {
- inputs: {
- body: {
- BeginPeakTime: ''
- EndPeakTime: ''
- HostPoolName: ''
- LAWorkspaceName: ''
- LimitSecondsToForceLogOffUser: ''
- LogOffMessageBody: ''
- LogOffMessageTitle: ''
- MinimumNumberOfRDSH: 1
- ResourceGroupName: ''
- SessionThresholdPerCPU: 1
- UtcOffset: ''
- }
- method: 'POST'
- uri: 'https://testStringForValidation.com'
- }
- type: 'Http'
- }
- }
- workflowTriggers: {
- Recurrence: {
- recurrence: {
- frequency: 'Minute'
- interval: 15
- }
- type: 'Recurrence'
- }
- }
- }
-}]
diff --git a/modules/logic/workflow/version.json b/modules/logic/workflow/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/logic/workflow/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/machine-learning-services/workspace/MOVED-TO-AVM.md b/modules/machine-learning-services/workspace/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/machine-learning-services/workspace/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/machine-learning-services/workspace/README.md b/modules/machine-learning-services/workspace/README.md
index 1473f76235..0a5f0aa204 100644
--- a/modules/machine-learning-services/workspace/README.md
+++ b/modules/machine-learning-services/workspace/README.md
@@ -1,1632 +1,7 @@
-# Machine Learning Services Workspaces `[Microsoft.MachineLearningServices/workspaces]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/machine-learning-services/workspace](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/machine-learning-services/workspace).** -This module deploys a Machine Learning Services Workspace. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/machine-learning-services/workspace). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.MachineLearningServices/workspaces` | [2022-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.MachineLearningServices/2022-10-01/workspaces) | -| `Microsoft.MachineLearningServices/workspaces/computes` | [2022-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.MachineLearningServices/2022-10-01/workspaces/computes) | -| 
`Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/machine-learning-services.workspace:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Encr](#example-2-encr) -- [Using large parameter set](#example-3-using-large-parameter-set) -- [WAF-aligned](#example-4-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-mlswmin' - params: { - // Required parameters - associatedApplicationInsightsResourceId: '' - associatedKeyVaultResourceId: '' - associatedStorageAccountResourceId: '' - name: 'mlswmin001' - sku: 'Basic' - // Non-required parameters - enableDefaultTelemetry: '' - managedIdentities: { - systemAssigned: true - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "associatedApplicationInsightsResourceId": { - "value": "" - }, - "associatedKeyVaultResourceId": { - "value": "" - }, - "associatedStorageAccountResourceId": { - "value": "" - }, - "name": { - "value": "mlswmin001" - }, - "sku": { - "value": "Basic" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "managedIdentities": { - "value": { - "systemAssigned": true - } - } - } -} -``` - -
-

- -### Example 2: _Encr_ - -

- -via Bicep module - -```bicep -module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-mlswecr' - params: { - // Required parameters - associatedApplicationInsightsResourceId: '' - associatedKeyVaultResourceId: '' - associatedStorageAccountResourceId: '' - name: 'mlswecr001' - sku: 'Basic' - // Non-required parameters - customerManagedKey: { - keyName: '' - keyVaultResourceId: '' - userAssignedIdentityResourceId: '' - } - enableDefaultTelemetry: '' - managedIdentities: { - systemAssigned: false - userAssignedResourceIds: [ - '' - ] - } - primaryUserAssignedIdentity: '' - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'amlworkspace' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "associatedApplicationInsightsResourceId": { - "value": "" - }, - "associatedKeyVaultResourceId": { - "value": "" - }, - "associatedStorageAccountResourceId": { - "value": "" - }, - "name": { - "value": "mlswecr001" - }, - "sku": { - "value": "Basic" - }, - // Non-required parameters - "customerManagedKey": { - "value": { - "keyName": "", - "keyVaultResourceId": "", - "userAssignedIdentityResourceId": "" - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "managedIdentities": { - "value": { - "systemAssigned": false, - "userAssignedResourceIds": [ - "" - ] - } - }, - "primaryUserAssignedIdentity": { - "value": "" - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "amlworkspace", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-mlswmax' - params: { - // Required parameters - associatedApplicationInsightsResourceId: '' - associatedKeyVaultResourceId: '' - associatedStorageAccountResourceId: '' - name: 'mlswmax001' - sku: 'Premium' - // Non-required parameters - computes: [ - { - computeLocation: 'westeurope' - computeType: 'AmlCompute' - description: 'Default CPU Cluster' - disableLocalAuth: false - location: 'westeurope' - managedIdentities: { - systemAssigned: false - userAssignedResourceIds: [ - '' - ] - } - name: 'DefaultCPU' - properties: { - enableNodePublicIp: true - isolatedNetwork: false - osType: 'Linux' - remoteLoginPortPublicAccess: 'Disabled' - scaleSettings: { - maxNodeCount: 3 - minNodeCount: 0 - nodeIdleTimeBeforeScaleDown: 'PT5M' - } - vmPriority: 'Dedicated' - vmSize: 'STANDARD_DS11_V2' - } - sku: 'Basic' - } - ] - description: 'The cake is a lie.' 
- diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - discoveryUrl: 'http://example.com' - enableDefaultTelemetry: '' - imageBuildCompute: 'testcompute' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: false - userAssignedResourceIds: [ - '' - ] - } - primaryUserAssignedIdentity: '' - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "associatedApplicationInsightsResourceId": { - "value": "" - }, - "associatedKeyVaultResourceId": { - "value": "" - }, - "associatedStorageAccountResourceId": { - "value": "" - }, - "name": { - "value": "mlswmax001" - }, - "sku": { - "value": "Premium" - }, - // Non-required parameters - "computes": { - "value": [ - { - "computeLocation": "westeurope", - "computeType": "AmlCompute", - "description": "Default CPU Cluster", - "disableLocalAuth": false, - "location": "westeurope", - "managedIdentities": { - "systemAssigned": false, - "userAssignedResourceIds": [ - "" - ] - }, - "name": "DefaultCPU", - "properties": { - "enableNodePublicIp": true, - "isolatedNetwork": false, - "osType": "Linux", - "remoteLoginPortPublicAccess": "Disabled", - "scaleSettings": { - "maxNodeCount": 3, - "minNodeCount": 0, - "nodeIdleTimeBeforeScaleDown": "PT5M" - }, - "vmPriority": "Dedicated", - "vmSize": "STANDARD_DS11_V2" - }, - "sku": "Basic" - } - ] - }, - "description": { - "value": "The cake is a lie." 
- }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "discoveryUrl": { - "value": "http://example.com" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "imageBuildCompute": { - "value": "testcompute" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": false, - "userAssignedResourceIds": [ - "" - ] - } - }, - "primaryUserAssignedIdentity": { - "value": "" - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 4: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-mlswwaf' - params: { - // Required parameters - associatedApplicationInsightsResourceId: '' - associatedKeyVaultResourceId: '' - associatedStorageAccountResourceId: '' - name: 'mlswwaf001' - sku: 'Premium' - // Non-required parameters - computes: [ - { - computeLocation: 'westeurope' - computeType: 'AmlCompute' - description: 'Default CPU Cluster' - disableLocalAuth: false - location: 'westeurope' - managedIdentities: { - systemAssigned: false - userAssignedResourceIds: [ - '' - ] - } - name: 'DefaultCPU' - properties: { - enableNodePublicIp: true - isolatedNetwork: false - osType: 'Linux' - remoteLoginPortPublicAccess: 'Disabled' - scaleSettings: { - maxNodeCount: 3 - minNodeCount: 0 - nodeIdleTimeBeforeScaleDown: 'PT5M' - } - vmPriority: 'Dedicated' - vmSize: 'STANDARD_DS11_V2' - } - sku: 'Basic' - } - ] - description: 'The cake is a lie.' - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - discoveryUrl: 'http://example.com' - enableDefaultTelemetry: '' - imageBuildCompute: 'testcompute' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: false - userAssignedResourceIds: [ - '' - ] - } - primaryUserAssignedIdentity: '' - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "associatedApplicationInsightsResourceId": { - "value": "" - }, - "associatedKeyVaultResourceId": { - "value": "" - }, - "associatedStorageAccountResourceId": { - "value": "" - }, - "name": { - "value": "mlswwaf001" - }, - "sku": { - "value": "Premium" - }, - // Non-required parameters - "computes": { - "value": [ - { - "computeLocation": "westeurope", - "computeType": "AmlCompute", - "description": "Default CPU Cluster", - "disableLocalAuth": false, - "location": "westeurope", - "managedIdentities": { - "systemAssigned": false, - "userAssignedResourceIds": [ - "" - ] - }, - "name": "DefaultCPU", - "properties": { - "enableNodePublicIp": true, - "isolatedNetwork": false, - "osType": "Linux", - "remoteLoginPortPublicAccess": "Disabled", - "scaleSettings": { - "maxNodeCount": 3, - "minNodeCount": 0, - "nodeIdleTimeBeforeScaleDown": "PT5M" - }, - "vmPriority": "Dedicated", - "vmSize": "STANDARD_DS11_V2" - }, - "sku": "Basic" - } - ] - }, - "description": { - "value": "The cake is a lie." 
- }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "discoveryUrl": { - "value": "http://example.com" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "imageBuildCompute": { - "value": "testcompute" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": false, - "userAssignedResourceIds": [ - "" - ] - } - }, - "primaryUserAssignedIdentity": { - "value": "" - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`associatedApplicationInsightsResourceId`](#parameter-associatedapplicationinsightsresourceid) | string | The resource ID of the associated Application Insights. | -| [`associatedKeyVaultResourceId`](#parameter-associatedkeyvaultresourceid) | string | The resource ID of the associated Key Vault. | -| [`associatedStorageAccountResourceId`](#parameter-associatedstorageaccountresourceid) | string | The resource ID of the associated Storage Account. | -| [`name`](#parameter-name) | string | The name of the machine learning workspace. | -| [`sku`](#parameter-sku) | string | Specifies the SKU, also referred as 'edition' of the Azure Machine Learning workspace. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`primaryUserAssignedIdentity`](#parameter-primaryuserassignedidentity) | string | The user assigned identity resource ID that represents the workspace identity. Required if 'userAssignedIdentities' is not empty and may not be used if 'systemAssignedIdentity' is enabled. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`allowPublicAccessWhenBehindVnet`](#parameter-allowpublicaccesswhenbehindvnet) | bool | The flag to indicate whether to allow public access when behind VNet. | -| [`associatedContainerRegistryResourceId`](#parameter-associatedcontainerregistryresourceid) | string | The resource ID of the associated Container Registry. | -| [`computes`](#parameter-computes) | array | Computes to create respectively attach to the workspace. | -| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition. | -| [`description`](#parameter-description) | string | The description of this workspace. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. 
| -| [`discoveryUrl`](#parameter-discoveryurl) | string | URL for the discovery service to identify regional endpoints for machine learning experimentation services. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`hbiWorkspace`](#parameter-hbiworkspace) | bool | The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service. | -| [`imageBuildCompute`](#parameter-imagebuildcompute) | string | The compute name for image build. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. At least one identity type is required. | -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`serviceManagedResourcesSettings`](#parameter-servicemanagedresourcessettings) | object | The service managed resource settings. 
| -| [`sharedPrivateLinkResources`](#parameter-sharedprivatelinkresources) | array | The list of shared private link resources in this workspace. | -| [`tags`](#parameter-tags) | object | Resource tags. | - -### Parameter: `associatedApplicationInsightsResourceId` - -The resource ID of the associated Application Insights. - -- Required: Yes -- Type: string - -### Parameter: `associatedKeyVaultResourceId` - -The resource ID of the associated Key Vault. - -- Required: Yes -- Type: string - -### Parameter: `associatedStorageAccountResourceId` - -The resource ID of the associated Storage Account. - -- Required: Yes -- Type: string - -### Parameter: `name` - -The name of the machine learning workspace. - -- Required: Yes -- Type: string - -### Parameter: `sku` - -Specifies the SKU, also referred as 'edition' of the Azure Machine Learning workspace. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Basic' - 'Free' - 'Premium' - 'Standard' - ] - ``` - -### Parameter: `primaryUserAssignedIdentity` - -The user assigned identity resource ID that represents the workspace identity. Required if 'userAssignedIdentities' is not empty and may not be used if 'systemAssignedIdentity' is enabled. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `allowPublicAccessWhenBehindVnet` - -The flag to indicate whether to allow public access when behind VNet. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `associatedContainerRegistryResourceId` - -The resource ID of the associated Container Registry. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `computes` - -Computes to create respectively attach to the workspace. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `customerManagedKey` - -The customer managed key definition. 
- -- Required: No -- Type: object - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. | -| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | -| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | - -### Parameter: `customerManagedKey.keyName` - -The name of the customer managed key to use for encryption. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKey.keyVaultResourceId` - -The resource ID of a key vault to reference a customer managed key for encryption from. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKey.keyVersion` - -The version of the customer managed key to reference for encryption. If not provided, using 'latest'. - -- Required: No -- Type: string - -### Parameter: `customerManagedKey.userAssignedIdentityResourceId` - -User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. - -- Required: No -- Type: string - -### Parameter: `description` - -The description of this workspace. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. 
- -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. 
Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `discoveryUrl` - -URL for the discovery service to identify regional endpoints for machine learning experimentation services. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `hbiWorkspace` - -The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `imageBuildCompute` - -The compute name for image build. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. At least one identity type is required. - -- Required: No -- Type: object -- Default: - ```Bicep - { - systemAssigned: true - } - ``` - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints` - -Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. 
| -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". 
| -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.subnetResourceId` - -Resource ID of the subnet where the endpoint needs to be created. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Application security groups in which the private endpoint IP configuration is included. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customDnsConfigs` - -Custom DNS configurations. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customNetworkInterfaceName` - -The custom name of the network interface attached to the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.enableTelemetry` - -Enable/Disable usage telemetry for module. - -- Required: No -- Type: bool - -### Parameter: `privateEndpoints.ipConfigurations` - -A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.location` - -The location to deploy the private endpoint to. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.lock` - -Specify the type of lock. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | -| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | - -### Parameter: `privateEndpoints.lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `privateEndpoints.lock.name` - -Specify the name of lock. 
- -- Required: No -- Type: string - -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` - -Manual PrivateLink Service Connections. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.name` - -The name of the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneGroupName` - -The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` - -The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `privateEndpoints.roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.description` - -The description of the role assignment. 
- -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `privateEndpoints.service` - -The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.tags` - -Tags to be applied on all resources/resource groups in this deployment. - -- Required: No -- Type: object - -### Parameter: `publicNetworkAccess` - -Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
| - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. 
- -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `serviceManagedResourcesSettings` - -The service managed resource settings. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `sharedPrivateLinkResources` - -The list of shared private link resources in this workspace. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `tags` - -Resource tags. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the machine learning service. | -| `resourceGroupName` | string | The resource group the machine learning service was deployed into. | -| `resourceId` | string | The resource ID of the machine learning service. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `modules/network/private-endpoint` | Local reference | - -## Notes - -### Parameter Usage: `computes` - -Array to specify the compute resources to create respectively attach. -In case you provide a resource ID, it will attach the resource and ignore "properties". In this case "computeLocation", "sku", "systemAssignedIdentity", "userAssignedIdentities" as well as "tags" don't need to be provided respectively are being ignored. 
-Attaching a compute is not idempotent and will fail in case you try to redeploy over an existing compute in AML. I.e. for the first run set "deploy" to true, and after successful deployment to false. -For more information see https://learn.microsoft.com/en-us/azure/templates/microsoft.machinelearningservices/workspaces/computes?tabs=bicep - -

- -Parameter JSON format - -```json -"computes": { - "value": [ - // Attach existing resources - { - "name": "DefaultAKS", - "location": "westeurope", - "description": "Default AKS Cluster", - "disableLocalAuth": false, - "deployCompute": true, - "computeType": "AKS", - "resourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.ContainerService/managedClusters/xxx" - }, - // Create new compute resource - { - "name": "DefaultCPU", - "location": "westeurope", - "computeLocation": "westeurope", - "sku": "Basic", - "systemAssignedIdentity": true, - "userAssignedIdentities": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-[[namePrefix]]-az-msi-x-001": {} - }, - "description": "Default CPU Cluster", - "disableLocalAuth": false, - "computeType": "AmlCompute", - "properties": { - "enableNodePublicIp": true, - "isolatedNetwork": false, - "osType": "Linux", - "remoteLoginPortPublicAccess": "Disabled", - "scaleSettings": { - "maxNodeCount": 3, - "minNodeCount": 0, - "nodeIdleTimeBeforeScaleDown": "PT5M" - }, - "vmPriority": "Dedicated", - "vmSize": "STANDARD_DS11_V2" - } - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -computes: [ - // Attach existing resources - { - name: 'DefaultAKS' - location: 'westeurope' - description: 'Default AKS Cluster' - disableLocalAuth: false - deployCompute: true - computeType: 'AKS' - resourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.ContainerService/managedClusters/xxx' - } - // Create new compute resource - { - name: 'DefaultCPU' - location: 'westeurope' - computeLocation: 'westeurope' - sku: 'Basic' - systemAssignedIdentity: true - userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-[[namePrefix]]-az-msi-x-001': {} - } - description: 'Default CPU Cluster' - disableLocalAuth: false - computeType: 'AmlCompute' - properties: { - enableNodePublicIp: true - isolatedNetwork: false - osType: 'Linux' - remoteLoginPortPublicAccess: 'Disabled' - scaleSettings: { - maxNodeCount: 3 - minNodeCount: 0 - nodeIdleTimeBeforeScaleDown: 'PT5M' - } - vmPriority: 'Dedicated' - vmSize: 'STANDARD_DS11_V2' - } - } -] -``` - -
-

+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/machine-learning-services/workspace/compute/README.md b/modules/machine-learning-services/workspace/compute/README.md
deleted file mode 100644
index 1eb2928cd4..0000000000
--- a/modules/machine-learning-services/workspace/compute/README.md
+++ /dev/null
@@ -1,217 +0,0 @@ -# Machine Learning Services Workspaces Computes `[Microsoft.MachineLearningServices/workspaces/computes]` - -This module deploys a Machine Learning Services Workspaces Compute. - -Attaching a compute is not idempotent and will fail in case you try to redeploy over an existing compute in AML (see parameter `deployCompute`). - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.MachineLearningServices/workspaces/computes` | [2022-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.MachineLearningServices/2022-10-01/workspaces/computes) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`computeType`](#parameter-computetype) | string | Set the object type. | -| [`name`](#parameter-name) | string | Name of the compute. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`machineLearningWorkspaceName`](#parameter-machinelearningworkspacename) | string | The name of the parent Machine Learning Workspace. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`computeLocation`](#parameter-computelocation) | string | Location for the underlying compute. Ignored when attaching a compute resource, i.e. when you provide a resource ID. | -| [`deployCompute`](#parameter-deploycompute) | bool | Flag to specify whether to deploy the compute. Required only for attach (i.e. providing a resource ID), as in this case the operation is not idempotent, i.e. a second deployment will fail. Therefore, this flag needs to be set to "false" as long as the compute resource exists. 
| -| [`description`](#parameter-description) | string | The description of the Machine Learning compute. | -| [`disableLocalAuth`](#parameter-disablelocalauth) | bool | Opt-out of local authentication and ensure customers can use only MSI and AAD exclusively for authentication. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Specifies the location of the resource. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`properties`](#parameter-properties) | object | The properties of the compute. Will be ignored in case "resourceId" is set. | -| [`resourceId`](#parameter-resourceid) | string | ARM resource ID of the underlying compute. | -| [`sku`](#parameter-sku) | string | Specifies the sku, also referred as "edition". Required for creating a compute resource. | -| [`tags`](#parameter-tags) | object | Contains resource tags defined as key-value pairs. Ignored when attaching a compute resource, i.e. when you provide a resource ID. | - -### Parameter: `computeType` - -Set the object type. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'AKS' - 'AmlCompute' - 'ComputeInstance' - 'Databricks' - 'DataFactory' - 'DataLakeAnalytics' - 'HDInsight' - 'Kubernetes' - 'SynapseSpark' - 'VirtualMachine' - ] - ``` - -### Parameter: `name` - -Name of the compute. - -- Required: Yes -- Type: string - -### Parameter: `machineLearningWorkspaceName` - -The name of the parent Machine Learning Workspace. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `computeLocation` - -Location for the underlying compute. Ignored when attaching a compute resource, i.e. when you provide a resource ID. 
- -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `deployCompute` - -Flag to specify whether to deploy the compute. Required only for attach (i.e. providing a resource ID), as in this case the operation is not idempotent, i.e. a second deployment will fail. Therefore, this flag needs to be set to "false" as long as the compute resource exists. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `description` - -The description of the Machine Learning compute. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `disableLocalAuth` - -Opt-out of local authentication and ensure customers can use only MSI and AAD exclusively for authentication. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Specifies the location of the resource. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: No -- Type: array - -### Parameter: `properties` - -The properties of the compute. Will be ignored in case "resourceId" is set. 
 - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `resourceId` - -ARM resource ID of the underlying compute. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `sku` - -Specifies the sku, also referred as "edition". Required for creating a compute resource. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Basic' - 'Free' - 'Premium' - 'Standard' - ] - ``` - -### Parameter: `tags` - -Contains resource tags defined as key-value pairs. Ignored when attaching a compute resource, i.e. when you provide a resource ID. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the compute. | -| `resourceGroupName` | string | The resource group the compute was deployed into. | -| `resourceId` | string | The resource ID of the compute. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -_None_
diff --git a/modules/machine-learning-services/workspace/compute/main.bicep b/modules/machine-learning-services/workspace/compute/main.bicep
deleted file mode 100644
index c59f29ba7c..0000000000
--- a/modules/machine-learning-services/workspace/compute/main.bicep
+++ /dev/null
@@ -1,158 +0,0 @@
-metadata name = 'Machine Learning Services Workspaces Computes'
-metadata description = '''This module deploys a Machine Learning Services Workspaces Compute.
-
-Attaching a compute is not idempotent and will fail in case you try to redeploy over an existing compute in AML (see parameter `deployCompute`).'''
-metadata owner = 'Azure/module-maintainers'
-
-// ================ //
-// Parameters //
-// ================ //
-
-@sys.description('Conditional. The name of the parent Machine Learning Workspace. Required if the template is used in a standalone deployment.')
-param machineLearningWorkspaceName string
-
-@sys.description('Required. Name of the compute.')
-@minLength(2)
-@maxLength(16)
-param name string
-
-@sys.description('Optional. Specifies the location of the resource.')
-param location string = resourceGroup().location
-
-@sys.description('Optional. Specifies the sku, also referred as "edition". Required for creating a compute resource.')
-@allowed([
- 'Basic'
- 'Free'
- 'Premium'
- 'Standard'
- ''
-])
-param sku string = ''
-
-@sys.description('Optional. Contains resource tags defined as key-value pairs. Ignored when attaching a compute resource, i.e. when you provide a resource ID.')
-param tags object?
-
-@sys.description('Optional. Flag to specify whether to deploy the compute. Required only for attach (i.e. providing a resource ID), as in this case the operation is not idempotent, i.e. a second deployment will fail. Therefore, this flag needs to be set to "false" as long as the compute resource exists.')
-param deployCompute bool = true
-
-@sys.description('Optional. Location for the underlying compute. Ignored when attaching a compute resource, i.e. when you provide a resource ID.')
-param computeLocation string = resourceGroup().location
-
-@sys.description('Optional. The description of the Machine Learning compute.')
-param description string = ''
-
-@sys.description('Optional.
Opt-out of local authentication and ensure customers can use only MSI and AAD exclusively for authentication.')
-param disableLocalAuth bool = false
-
-@sys.description('Optional. ARM resource ID of the underlying compute.')
-param resourceId string = ''
-
-@sys.description('Required. Set the object type.')
-@allowed([
- 'AKS'
- 'AmlCompute'
- 'ComputeInstance'
- 'Databricks'
- 'DataFactory'
- 'DataLakeAnalytics'
- 'HDInsight'
- 'Kubernetes'
- 'SynapseSpark'
- 'VirtualMachine'
-])
-param computeType string
-
-@sys.description('Optional. The properties of the compute. Will be ignored in case "resourceId" is set.')
-param properties object = {}
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@sys.description('Optional. The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
-
-// ================//
-// Variables //
-// ================//
-
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-
-var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
- userAssignedIdentities: !empty(formattedUserAssignedIdentities) ?
formattedUserAssignedIdentities : null
-} : null
-
-// ============================= //
-// Existing resources references //
-// ============================= //
-
-resource machineLearningWorkspace 'Microsoft.MachineLearningServices/workspaces@2022-10-01' existing = {
- name: machineLearningWorkspaceName
-}
-
-// ============ //
-// Dependencies //
-// ============ //
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource machineLearningWorkspaceCompute 'Microsoft.MachineLearningServices/workspaces/computes@2022-10-01' = if (deployCompute == true) {
- name: name
- location: location
- tags: empty(resourceId) ? tags : any(null)
- sku: empty(resourceId) ? {
- name: sku
- tier: sku
- } : any(null)
- parent: machineLearningWorkspace
- identity: empty(resourceId) ? identity : any(null)
- properties: union({
- description: description
- disableLocalAuth: disableLocalAuth
- computeType: computeType
- }, (!empty(resourceId) ? {
- resourceId: resourceId
- } : {
- computeLocation: computeLocation
- properties: properties
- }))
-}
-
-// =========== //
-// Outputs //
-// =========== //
-@sys.description('The name of the compute.')
-output name string = machineLearningWorkspaceCompute.name
-
-@sys.description('The resource ID of the compute.')
-output resourceId string = machineLearningWorkspaceCompute.id
-
-@sys.description('The resource group the compute was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@sys.description('The principal ID of the system assigned identity.')
-output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ??
false) && contains(machineLearningWorkspace.identity, 'principalId') ? machineLearningWorkspace.identity.principalId : ''
-
-@sys.description('The location the resource was deployed into.')
-output location string = machineLearningWorkspaceCompute.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @sys.description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @sys.description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]?
-}?
diff --git a/modules/machine-learning-services/workspace/compute/main.json b/modules/machine-learning-services/workspace/compute/main.json
deleted file mode 100644
index ec121697d2..0000000000
--- a/modules/machine-learning-services/workspace/compute/main.json
+++ /dev/null
@@ -1,234 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10790106014691997162" - }, - "name": "Machine Learning Services Workspaces Computes", - "description": "This module deploys a Machine Learning Services Workspaces Compute.\n\nAttaching a compute is not idempotent and will fail in case you try to redeploy over an existing compute in AML (see parameter `deployCompute`).", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - } - }, - "parameters": { - "machineLearningWorkspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Machine Learning Workspace. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "minLength": 2, - "maxLength": 16, - "metadata": { - "description": "Required. Name of the compute." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Specifies the location of the resource." - } - }, - "sku": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "Basic", - "Free", - "Premium", - "Standard", - "" - ], - "metadata": { - "description": "Optional. Specifies the sku, also referred as \"edition\". Required for creating a compute resource." 
- } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Contains resource tags defined as key-value pairs. Ignored when attaching a compute resource, i.e. when you provide a resource ID." - } - }, - "deployCompute": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Flag to specify whether to deploy the compute. Required only for attach (i.e. providing a resource ID), as in this case the operation is not idempotent, i.e. a second deployment will fail. Therefore, this flag needs to be set to \"false\" as long as the compute resource exists." - } - }, - "computeLocation": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for the underlying compute. Ignored when attaching a compute resource, i.e. when you provide a resource ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the Machine Learning compute." - } - }, - "disableLocalAuth": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Opt-out of local authentication and ensure customers can use only MSI and AAD exclusively for authentication." - } - }, - "resourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. ARM resource ID of the underlying compute." - } - }, - "computeType": { - "type": "string", - "allowedValues": [ - "AKS", - "AmlCompute", - "ComputeInstance", - "Databricks", - "DataFactory", - "DataLakeAnalytics", - "HDInsight", - "Kubernetes", - "SynapseSpark", - "VirtualMachine" - ], - "metadata": { - "description": "Required. Set the object type." - } - }, - "properties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The properties of the compute. Will be ignored in case \"resourceId\" is set." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - } - }, - "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]" - }, - "resources": { - "machineLearningWorkspace": { - "existing": true, - "type": "Microsoft.MachineLearningServices/workspaces", - "apiVersion": "2022-10-01", - "name": "[parameters('machineLearningWorkspaceName')]" - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", 
- "resources": [] - } - } - }, - "machineLearningWorkspaceCompute": { - "condition": "[equals(parameters('deployCompute'), true())]", - "type": "Microsoft.MachineLearningServices/workspaces/computes", - "apiVersion": "2022-10-01", - "name": "[format('{0}/{1}', parameters('machineLearningWorkspaceName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[if(empty(parameters('resourceId')), parameters('tags'), null())]", - "sku": "[if(empty(parameters('resourceId')), createObject('name', parameters('sku'), 'tier', parameters('sku')), null())]", - "identity": "[if(empty(parameters('resourceId')), variables('identity'), null())]", - "properties": "[union(createObject('description', parameters('description'), 'disableLocalAuth', parameters('disableLocalAuth'), 'computeType', parameters('computeType')), if(not(empty(parameters('resourceId'))), createObject('resourceId', parameters('resourceId')), createObject('computeLocation', parameters('computeLocation'), 'properties', parameters('properties'))))]", - "dependsOn": [ - "machineLearningWorkspace" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the compute." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the compute." - }, - "value": "[resourceId('Microsoft.MachineLearningServices/workspaces/computes', parameters('machineLearningWorkspaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the compute was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." 
- }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('machineLearningWorkspace', '2022-10-01', 'full').identity, 'principalId')), reference('machineLearningWorkspace', '2022-10-01', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('machineLearningWorkspaceCompute', '2022-10-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/machine-learning-services/workspace/compute/version.json b/modules/machine-learning-services/workspace/compute/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/machine-learning-services/workspace/compute/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/machine-learning-services/workspace/main.bicep b/modules/machine-learning-services/workspace/main.bicep deleted file mode 100644 index a80c313a99..0000000000 --- a/modules/machine-learning-services/workspace/main.bicep +++ /dev/null 
@@ -1,452 +0,0 @@
-metadata name = 'Machine Learning Services Workspaces'
-metadata description = 'This module deploys a Machine Learning Services Workspace.'
-metadata owner = 'Azure/module-maintainers'
-
-// ================ //
-// Parameters //
-// ================ //
-@sys.description('Required. The name of the machine learning workspace.')
-param name string
-
-@sys.description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@sys.description('Required. Specifies the SKU, also referred as \'edition\' of the Azure Machine Learning workspace.')
-@allowed([
- 'Free'
- 'Basic'
- 'Standard'
- 'Premium'
-])
-param sku string
-
-@sys.description('Required. The resource ID of the associated Storage Account.')
-param associatedStorageAccountResourceId string
-
-@sys.description('Required. The resource ID of the associated Key Vault.')
-param associatedKeyVaultResourceId string
-
-@sys.description('Required. The resource ID of the associated Application Insights.')
-param associatedApplicationInsightsResourceId string
-
-@sys.description('Optional. The resource ID of the associated Container Registry.')
-param associatedContainerRegistryResourceId string = ''
-
-@sys.description('Optional. The lock settings of the service.')
-param lock lockType
-
-@sys.description('Optional. The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service.')
-param hbiWorkspace bool = false
-
-@sys.description('Optional. The flag to indicate whether to allow public access when behind VNet.')
-param allowPublicAccessWhenBehindVnet bool = false
-
-@sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource.
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@sys.description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints privateEndpointType
-
-@sys.description('Optional. Computes to create respectively attach to the workspace.')
-param computes array = []
-
-@sys.description('Optional. Resource tags.')
-param tags object?
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@sys.description('Optional. The managed identity definition for this resource. At least one identity type is required.')
-param managedIdentities managedIdentitiesType = {
- systemAssigned: true
-}
-
-// Diagnostic Settings
-
-@sys.description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@sys.description('Optional. The description of this workspace.')
-param description string = ''
-
-@sys.description('Optional. URL for the discovery service to identify regional endpoints for machine learning experimentation services.')
-param discoveryUrl string = ''
-
-@sys.description('Optional. The customer managed key definition.')
-param customerManagedKey customerManagedKeyType
-
-@sys.description('Optional. The compute name for image build.')
-param imageBuildCompute string = ''
-
-@sys.description('Conditional. The user assigned identity resource ID that represents the workspace identity. Required if \'userAssignedIdentities\' is not empty and may not be used if \'systemAssignedIdentity\' is enabled.')
-param primaryUserAssignedIdentity string = ''
-
-@sys.description('Optional.
The service managed resource settings.')
-param serviceManagedResourcesSettings object = {}
-
-@sys.description('Optional. The list of shared private link resources in this workspace.')
-param sharedPrivateLinkResources array = []
-
-@sys.description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.')
-@allowed([
- ''
- 'Enabled'
- 'Disabled'
-])
-param publicNetworkAccess string = ''
-
-// ================//
-// Variables //
-// ================//
-var enableReferencedModulesTelemetry = false
-
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-
-var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
- userAssignedIdentities: !empty(formattedUserAssignedIdentities) ?
formattedUserAssignedIdentities : null
-} : null
-
-// ================//
-// Deployments //
-// ================//
-var builtInRoleNames = {
- 'AzureML Compute Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e503ece1-11d0-4e8e-8e2c-7a6c3bf38815')
- 'AzureML Data Scientist': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f6c7c914-8db3-469d-8ca1-694a8f32e121')
- 'AzureML Metrics Writer (preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '635dd51f-9968-44d3-b7fb-6d9a6bd613ae')
- 'AzureML Registry User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1823dd4f-9b8c-4ab6-ab4e-7397a3684615')
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) {
- name: last(split((customerManagedKey.?keyVaultResourceId ??
'dummyVault'), '/'))
- scope: resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4])
-
- resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) {
- name: customerManagedKey.?keyName ?? 'dummyKey'
- }
-}
-
-resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) {
- name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 'dummyMsi', '/'))
- scope: resourceGroup(split((customerManagedKey.?userAssignedIdentityResourceId ?? '//'), '/')[2], split((customerManagedKey.?userAssignedIdentityResourceId ?? '////'), '/')[4])
-}
-
-resource workspace 'Microsoft.MachineLearningServices/workspaces@2022-10-01' = {
- name: name
- location: location
- tags: tags
- sku: {
- name: sku
- tier: sku
- }
- identity: identity
- properties: {
- friendlyName: name
- storageAccount: associatedStorageAccountResourceId
- keyVault: associatedKeyVaultResourceId
- applicationInsights: associatedApplicationInsightsResourceId
- containerRegistry: !empty(associatedContainerRegistryResourceId) ? associatedContainerRegistryResourceId : null
- hbiWorkspace: hbiWorkspace
- allowPublicAccessWhenBehindVnet: allowPublicAccessWhenBehindVnet
- description: description
- discoveryUrl: discoveryUrl
- encryption: !empty(customerManagedKey) ? {
- status: 'Enabled'
- identity: !empty(customerManagedKey.?userAssignedIdentityResourceId) ? {
- userAssignedIdentity: cMKUserAssignedIdentity.id
- } : null
- keyVaultProperties: {
- keyVaultArmId: cMKKeyVault.id
- keyIdentifier: !empty(customerManagedKey.?keyVersion ?? '') ?
'${cMKKeyVault::cMKKey.properties.keyUri}/${customerManagedKey!.keyVersion}' : cMKKeyVault::cMKKey.properties.keyUriWithVersion
- }
- } : null
- imageBuildCompute: imageBuildCompute
- primaryUserAssignedIdentity: primaryUserAssignedIdentity
- publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : 'Enabled')
- serviceManagedResourcesSettings: serviceManagedResourcesSettings
- sharedPrivateLinkResources: sharedPrivateLinkResources // Note: This property is not idempotent. Neither with [] or `null`
- }
-}
-
-module workspace_computes 'compute/main.bicep' = [for compute in computes: {
- name: '${workspace.name}-${compute.name}-compute'
- params: {
- machineLearningWorkspaceName: workspace.name
- name: compute.name
- location: compute.location
- sku: contains(compute, 'sku') ? compute.sku : ''
- managedIdentities: contains(compute, 'managedIdentities') ? compute.managedIdentities : null
- tags: contains(compute, 'tags') ? compute.tags : {}
- deployCompute: contains(compute, 'deployCompute') ? compute.deployCompute : true
- computeLocation: contains(compute, 'computeLocation') ? compute.computeLocation : ''
- description: contains(compute, 'description') ? compute.description : ''
- disableLocalAuth: compute.disableLocalAuth
- resourceId: contains(compute, 'resourceId') ? compute.resourceId : ''
- computeType: compute.computeType
- properties: contains(compute, 'properties') ? compute.properties : {}
- }
- dependsOn: [
- workspace_privateEndpoints
- ]
-}]
-
-resource workspace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: workspace
-}
-
-resource workspace_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: workspace
-}]
-
-module workspace_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
- name: '${uniqueString(deployment().name, location)}-workspace-PrivateEndpoint-${index}'
- params: {
- groupIds: [
- privateEndpoint.?service ?? 'amlworkspace'
- ]
- name: privateEndpoint.?name ?? 'pep-${last(split(workspace.id, '/'))}-${privateEndpoint.?service ?? 'amlworkspace'}-${index}'
- serviceResourceId: workspace.id
- subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
- location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
- privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
- roleAssignments: privateEndpoint.?roleAssignments
- tags: privateEndpoint.?tags ??
tags
- manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
- customDnsConfigs: privateEndpoint.?customDnsConfigs
- ipConfigurations: privateEndpoint.?ipConfigurations
- applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
- customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
- }
-}]
-
-resource workspace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(workspace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ??
'2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: workspace
-}]
-
-// ================//
-// Outputs //
-// ================//
-
-@sys.description('The resource ID of the machine learning service.')
-output resourceId string = workspace.id
-
-@sys.description('The resource group the machine learning service was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@sys.description('The name of the machine learning service.')
-output name string = workspace.name
-
-@sys.description('The principal ID of the system assigned identity.')
-output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(workspace.identity, 'principalId') ? workspace.identity.principalId : ''
-
-@sys.description('The location the resource was deployed into.')
-output location string = workspace.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @sys.description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @sys.description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]?
-}
-
-type lockType = {
- @sys.description('Optional. Specify the name of lock.')
- name: string?
-
- @sys.description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @sys.description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @sys.description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @sys.description('Optional. The description of the role assignment.')
- description: string?
-
- @sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @sys.description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @sys.description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type privateEndpointType = {
- @sys.description('Optional. The name of the private endpoint.')
- name: string?
-
- @sys.description('Optional. The location to deploy the private endpoint to.')
- location: string?
-
- @sys.description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
- service: string?
-
- @sys.description('Required. Resource ID of the subnet where the endpoint needs to be created.')
- subnetResourceId: string
-
- @sys.description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
- privateDnsZoneGroupName: string?
-
- @sys.description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
- privateDnsZoneResourceIds: string[]?
-
- @sys.description('Optional. Custom DNS configurations.')
- customDnsConfigs: {
- fqdn: string?
- ipAddresses: string[]
- }[]?
-
- @sys.description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
- ipConfigurations: {
- name: string
- properties: {
- groupId: string
- memberName: string
- privateIPAddress: string
- }
- }[]?
-
- @sys.description('Optional.
Application security groups in which the private endpoint IP configuration is included.') - applicationSecurityGroupResourceIds: string[]? - - @sys.description('Optional. The custom name of the network interface attached to the private endpoint.') - customNetworkInterfaceName: string? - - @sys.description('Optional. Specify the type of lock.') - lock: lockType - - @sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleAssignments: roleAssignmentType - - @sys.description('Optional. Tags to be applied on all resources/resource groups in this deployment.') - tags: object? - - @sys.description('Optional. Manual PrivateLink Service Connections.') - manualPrivateLinkServiceConnections: array? - - @sys.description('Optional. Enable/Disable usage telemetry for module.') - enableTelemetry: bool? -}[]? - -type diagnosticSettingType = { - @sys.description('Optional. The name of diagnostic setting.') - name: string? - - @sys.description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') - logCategoriesAndGroups: { - @sys.description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') - category: string? - - @sys.description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') - categoryGroup: string? - }[]? - - @sys.description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. 
Set to \'\' to disable log collection.') - metricCategories: { - @sys.description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') - category: string - }[]? - - @sys.description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? - - @sys.description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - workspaceResourceId: string? - - @sys.description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - storageAccountResourceId: string? - - @sys.description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') - eventHubAuthorizationRuleResourceId: string? - - @sys.description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - eventHubName: string? - - @sys.description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') - marketplacePartnerResourceId: string? -}[]? - -type customerManagedKeyType = { - @sys.description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.') - keyVaultResourceId: string - - @sys.description('Required. 
The name of the customer managed key to use for encryption.') - keyName: string - - @sys.description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.') - keyVersion: string? - - @sys.description('Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use.') - userAssignedIdentityResourceId: string? -}? diff --git a/modules/machine-learning-services/workspace/main.json b/modules/machine-learning-services/workspace/main.json deleted file mode 100644 index 10c91f2d3c..0000000000 --- a/modules/machine-learning-services/workspace/main.json +++ /dev/null 
@@ -1,1687 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "262742885593710440" - }, - "name": "Machine Learning Services Workspaces", - "description": "This module deploys a Machine Learning Services Workspace.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - } - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." 
- } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string" - }, - "memberName": { - "type": "string" - }, - "privateIPAddress": { - "type": "string" - } - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." 
- } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. 
\"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - }, - "customerManagedKeyType": { - "type": "object", - "properties": { - "keyVaultResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." - } - }, - "keyName": { - "type": "string", - "metadata": { - "description": "Required. The name of the customer managed key to use for encryption." - } - }, - "keyVersion": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." - } - }, - "userAssignedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use." - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the machine learning workspace." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "sku": { - "type": "string", - "allowedValues": [ - "Free", - "Basic", - "Standard", - "Premium" - ], - "metadata": { - "description": "Required. 
Specifies the SKU, also referred as 'edition' of the Azure Machine Learning workspace." - } - }, - "associatedStorageAccountResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the associated Storage Account." - } - }, - "associatedKeyVaultResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the associated Key Vault." - } - }, - "associatedApplicationInsightsResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the associated Application Insights." - } - }, - "associatedContainerRegistryResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of the associated Container Registry." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "hbiWorkspace": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service." - } - }, - "allowPublicAccessWhenBehindVnet": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. The flag to indicate whether to allow public access when behind VNet." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. 
Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." - } - }, - "computes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Computes to create respectively attach to the workspace." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Resource tags." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "defaultValue": { - "systemAssigned": true - }, - "metadata": { - "description": "Optional. The managed identity definition for this resource. At least one identity type is required." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of this workspace." - } - }, - "discoveryUrl": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. URL for the discovery service to identify regional endpoints for machine learning experimentation services." - } - }, - "customerManagedKey": { - "$ref": "#/definitions/customerManagedKeyType", - "metadata": { - "description": "Optional. The customer managed key definition." - } - }, - "imageBuildCompute": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The compute name for image build." - } - }, - "primaryUserAssignedIdentity": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The user assigned identity resource ID that represents the workspace identity. 
Required if 'userAssignedIdentities' is not empty and may not be used if 'systemAssignedIdentity' is enabled." - } - }, - "serviceManagedResourcesSettings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The service managed resource settings." - } - }, - "sharedPrivateLinkResources": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of shared private link resources in this workspace." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "builtInRoleNames": { - "AzureML Compute Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'e503ece1-11d0-4e8e-8e2c-7a6c3bf38815')]", - "AzureML Data Scientist": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f6c7c914-8db3-469d-8ca1-694a8f32e121')]", - "AzureML Metrics Writer (preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '635dd51f-9968-44d3-b7fb-6d9a6bd613ae')]", - "AzureML Registry User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1823dd4f-9b8c-4ab6-ab4e-7397a3684615')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "cMKKeyVault::cMKKey": { - "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults/keys", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", - 
"dependsOn": [ - "cMKKeyVault" - ] - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "cMKKeyVault": { - "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" - }, - "cMKUserAssignedIdentity": { - "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')))]", - "existing": true, - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2023-01-31", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" - }, - "workspace": { - "type": "Microsoft.MachineLearningServices/workspaces", - "apiVersion": "2022-10-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "name": 
"[parameters('sku')]", - "tier": "[parameters('sku')]" - }, - "identity": "[variables('identity')]", - "properties": { - "friendlyName": "[parameters('name')]", - "storageAccount": "[parameters('associatedStorageAccountResourceId')]", - "keyVault": "[parameters('associatedKeyVaultResourceId')]", - "applicationInsights": "[parameters('associatedApplicationInsightsResourceId')]", - "containerRegistry": "[if(not(empty(parameters('associatedContainerRegistryResourceId'))), parameters('associatedContainerRegistryResourceId'), null())]", - "hbiWorkspace": "[parameters('hbiWorkspace')]", - "allowPublicAccessWhenBehindVnet": "[parameters('allowPublicAccessWhenBehindVnet')]", - "description": "[parameters('description')]", - "discoveryUrl": "[parameters('discoveryUrl')]", - "encryption": "[if(not(empty(parameters('customerManagedKey'))), createObject('status', 'Enabled', 'identity', if(not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'))), createObject('userAssignedIdentity', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/')))), null()), 'keyVaultProperties', createObject('keyVaultArmId', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]), 'Microsoft.KeyVault/vaults', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))), 'keyIdentifier', 
if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), format('{0}/{1}', reference('cMKKeyVault::cMKKey').keyUri, parameters('customerManagedKey').keyVersion), reference('cMKKeyVault::cMKKey').keyUriWithVersion))), null())]", - "imageBuildCompute": "[parameters('imageBuildCompute')]", - "primaryUserAssignedIdentity": "[parameters('primaryUserAssignedIdentity')]", - "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), if(not(empty(parameters('privateEndpoints'))), 'Disabled', 'Enabled'))]", - "serviceManagedResourcesSettings": "[parameters('serviceManagedResourcesSettings')]", - "sharedPrivateLinkResources": "[parameters('sharedPrivateLinkResources')]" - }, - "dependsOn": [ - "cMKKeyVault", - "cMKUserAssignedIdentity" - ] - }, - "workspace_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.MachineLearningServices/workspaces/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "workspace" - ] - }, - "workspace_diagnosticSettings": { - "copy": { - "name": "workspace_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.MachineLearningServices/workspaces/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), 
createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "workspace" - ] - }, - "workspace_roleAssignments": { - "copy": { - "name": "workspace_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.MachineLearningServices/workspaces/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.MachineLearningServices/workspaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "workspace" - ] - }, - "workspace_computes": { - "copy": { - "name": "workspace_computes", - "count": "[length(parameters('computes'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-{1}-compute', parameters('name'), parameters('computes')[copyIndex()].name)]", - "properties": { - 
"expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "machineLearningWorkspaceName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('computes')[copyIndex()].name]" - }, - "location": { - "value": "[parameters('computes')[copyIndex()].location]" - }, - "sku": "[if(contains(parameters('computes')[copyIndex()], 'sku'), createObject('value', parameters('computes')[copyIndex()].sku), createObject('value', ''))]", - "managedIdentities": "[if(contains(parameters('computes')[copyIndex()], 'managedIdentities'), createObject('value', parameters('computes')[copyIndex()].managedIdentities), createObject('value', null()))]", - "tags": "[if(contains(parameters('computes')[copyIndex()], 'tags'), createObject('value', parameters('computes')[copyIndex()].tags), createObject('value', createObject()))]", - "deployCompute": "[if(contains(parameters('computes')[copyIndex()], 'deployCompute'), createObject('value', parameters('computes')[copyIndex()].deployCompute), createObject('value', true()))]", - "computeLocation": "[if(contains(parameters('computes')[copyIndex()], 'computeLocation'), createObject('value', parameters('computes')[copyIndex()].computeLocation), createObject('value', ''))]", - "description": "[if(contains(parameters('computes')[copyIndex()], 'description'), createObject('value', parameters('computes')[copyIndex()].description), createObject('value', ''))]", - "disableLocalAuth": { - "value": "[parameters('computes')[copyIndex()].disableLocalAuth]" - }, - "resourceId": "[if(contains(parameters('computes')[copyIndex()], 'resourceId'), createObject('value', parameters('computes')[copyIndex()].resourceId), createObject('value', ''))]", - "computeType": { - "value": "[parameters('computes')[copyIndex()].computeType]" - }, - "properties": "[if(contains(parameters('computes')[copyIndex()], 'properties'), createObject('value', parameters('computes')[copyIndex()].properties), createObject('value', 
createObject()))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10790106014691997162" - }, - "name": "Machine Learning Services Workspaces Computes", - "description": "This module deploys a Machine Learning Services Workspaces Compute.\n\nAttaching a compute is not idempotent and will fail in case you try to redeploy over an existing compute in AML (see parameter `deployCompute`).", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - } - }, - "parameters": { - "machineLearningWorkspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Machine Learning Workspace. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "minLength": 2, - "maxLength": 16, - "metadata": { - "description": "Required. Name of the compute." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Specifies the location of the resource." - } - }, - "sku": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "Basic", - "Free", - "Premium", - "Standard", - "" - ], - "metadata": { - "description": "Optional. Specifies the sku, also referred as \"edition\". Required for creating a compute resource." 
- } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Contains resource tags defined as key-value pairs. Ignored when attaching a compute resource, i.e. when you provide a resource ID." - } - }, - "deployCompute": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Flag to specify whether to deploy the compute. Required only for attach (i.e. providing a resource ID), as in this case the operation is not idempotent, i.e. a second deployment will fail. Therefore, this flag needs to be set to \"false\" as long as the compute resource exists." - } - }, - "computeLocation": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for the underlying compute. Ignored when attaching a compute resource, i.e. when you provide a resource ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the Machine Learning compute." - } - }, - "disableLocalAuth": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Opt-out of local authentication and ensure customers can use only MSI and AAD exclusively for authentication." - } - }, - "resourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. ARM resource ID of the underlying compute." - } - }, - "computeType": { - "type": "string", - "allowedValues": [ - "AKS", - "AmlCompute", - "ComputeInstance", - "Databricks", - "DataFactory", - "DataLakeAnalytics", - "HDInsight", - "Kubernetes", - "SynapseSpark", - "VirtualMachine" - ], - "metadata": { - "description": "Required. Set the object type." - } - }, - "properties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The properties of the compute. Will be ignored in case \"resourceId\" is set." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - } - }, - "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]" - }, - "resources": { - "machineLearningWorkspace": { - "existing": true, - "type": "Microsoft.MachineLearningServices/workspaces", - "apiVersion": "2022-10-01", - "name": "[parameters('machineLearningWorkspaceName')]" - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", 
- "resources": [] - } - } - }, - "machineLearningWorkspaceCompute": { - "condition": "[equals(parameters('deployCompute'), true())]", - "type": "Microsoft.MachineLearningServices/workspaces/computes", - "apiVersion": "2022-10-01", - "name": "[format('{0}/{1}', parameters('machineLearningWorkspaceName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[if(empty(parameters('resourceId')), parameters('tags'), null())]", - "sku": "[if(empty(parameters('resourceId')), createObject('name', parameters('sku'), 'tier', parameters('sku')), null())]", - "identity": "[if(empty(parameters('resourceId')), variables('identity'), null())]", - "properties": "[union(createObject('description', parameters('description'), 'disableLocalAuth', parameters('disableLocalAuth'), 'computeType', parameters('computeType')), if(not(empty(parameters('resourceId'))), createObject('resourceId', parameters('resourceId')), createObject('computeLocation', parameters('computeLocation'), 'properties', parameters('properties'))))]", - "dependsOn": [ - "machineLearningWorkspace" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the compute." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the compute." - }, - "value": "[resourceId('Microsoft.MachineLearningServices/workspaces/computes', parameters('machineLearningWorkspaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the compute was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." 
- }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('machineLearningWorkspace', '2022-10-01', 'full').identity, 'principalId')), reference('machineLearningWorkspace', '2022-10-01', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('machineLearningWorkspaceCompute', '2022-10-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "workspace", - "workspace_privateEndpoints" - ] - }, - "workspace_privateEndpoints": { - "copy": { - "name": "workspace_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-workspace-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'amlworkspace')]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.MachineLearningServices/workspaces', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'amlworkspace'), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.MachineLearningServices/workspaces', parameters('name'))]" - }, - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), 
createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." 
- } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." 
- } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } 
- }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - "groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": 
"privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": 
"Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "workspace" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the machine learning service." - }, - "value": "[resourceId('Microsoft.MachineLearningServices/workspaces', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the machine learning service was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the machine learning service." - }, - "value": "[parameters('name')]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." 
- }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('workspace', '2022-10-01', 'full').identity, 'principalId')), reference('workspace', '2022-10-01', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('workspace', '2022-10-01', 'full').location]" - } - } -}
\ No newline at end of file
diff --git a/modules/machine-learning-services/workspace/tests/e2e/defaults/dependencies.bicep b/modules/machine-learning-services/workspace/tests/e2e/defaults/dependencies.bicep
deleted file mode 100644
index 950a61c9f9..0000000000
--- a/modules/machine-learning-services/workspace/tests/e2e/defaults/dependencies.bicep
+++ /dev/null
@@ -1,54 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Application Insights instance to create.')
-param applicationInsightsName string
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: null
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-}
-
-resource applicationInsights 'Microsoft.Insights/components@2020-02-02' = {
- name: applicationInsightsName
- location: location
- kind: ''
- properties: {}
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
-}
-
-@description('The resource ID of the created Application Insights instance.')
-output applicationInsightsResourceId string = applicationInsights.id
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
diff --git a/modules/machine-learning-services/workspace/tests/e2e/defaults/main.test.bicep b/modules/machine-learning-services/workspace/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index 4ad340de5c..0000000000
--- a/modules/machine-learning-services/workspace/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,65 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-machinelearningservices.workspaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'mlswmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}'
- applicationInsightsName: 'dep-${namePrefix}-appI-${serviceShort}'
- storageAccountName: 'dep${namePrefix}st${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- associatedApplicationInsightsResourceId: nestedDependencies.outputs.applicationInsightsResourceId
- associatedKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- associatedStorageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
- sku: 'Basic'
- managedIdentities: {
- systemAssigned: true
- }
- }
-}
diff --git a/modules/machine-learning-services/workspace/tests/e2e/encr/dependencies.bicep b/modules/machine-learning-services/workspace/tests/e2e/encr/dependencies.bicep
deleted file mode 100644
index b4446ffb5c..0000000000
--- a/modules/machine-learning-services/workspace/tests/e2e/encr/dependencies.bicep
+++ /dev/null
@@ -1,144 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Key Vault to create.')
-@minLength(3)
-@maxLength(24)
-param keyVaultName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Application Insights instance to create.')
-param applicationInsightsName string
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: true // Required by batch account
- softDeleteRetentionInDays: 7
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-
- resource key 'keys@2022-07-01' = {
- name: 'keyEncryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource keyVaultServicePermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault.id}-${location}-${managedIdentity.id}-KeyVault-Contributor-RoleAssignment')
- scope: keyVault
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor
- principalType: 'ServicePrincipal'
- }
-}
-resource keyVaultDataPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault.id}-${location}-${managedIdentity.id}-KeyVault-Data-Admin-RoleAssignment')
- scope: keyVault::key
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User
- principalType: 'ServicePrincipal'
- }
-}
-
-resource applicationInsights 'Microsoft.Insights/components@2020-02-02' = {
- name: applicationInsightsName
- location: location
- kind: ''
- properties: {}
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.api.azureml.ms'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Application Insights instance.')
-output applicationInsightsResourceId string = applicationInsights.id
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
-
-@description('The name of the Key Vault Encryption Key.')
-output keyVaultEncryptionKeyName string = keyVault::key.name
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/machine-learning-services/workspace/tests/e2e/encr/main.test.bicep b/modules/machine-learning-services/workspace/tests/e2e/encr/main.test.bicep
deleted file mode 100644
index 43af630b14..0000000000
--- a/modules/machine-learning-services/workspace/tests/e2e/encr/main.test.bicep
+++ /dev/null
@@ -1,97 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-machinelearningservices.workspaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'mlswecr'
-
-@description('Generated. Used as a basis for unique resource names.')
-param baseTime string = utcNow('u')
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- applicationInsightsName: 'dep-${namePrefix}-appI-${serviceShort}'
- storageAccountName: 'dep${namePrefix}st${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- associatedApplicationInsightsResourceId: nestedDependencies.outputs.applicationInsightsResourceId
- associatedKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- associatedStorageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
- sku: 'Basic'
- customerManagedKey: {
- keyName: nestedDependencies.outputs.keyVaultEncryptionKeyName
- keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- userAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId
- }
- primaryUserAssignedIdentity: nestedDependencies.outputs.managedIdentityResourceId
- privateEndpoints: [
- {
- service: 'amlworkspace'
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- // systemAssigned must be false if `primaryUserAssignedIdentity` is provided
- managedIdentities: {
- systemAssigned: false
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
diff --git a/modules/machine-learning-services/workspace/tests/e2e/max/dependencies.bicep b/modules/machine-learning-services/workspace/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 4f7b46494d..0000000000
--- a/modules/machine-learning-services/workspace/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,134 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Application Insights instance to create.')
-param applicationInsightsName string
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: null
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource keyVaultServicePermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault.id}-${location}-${managedIdentity.id}-KeyVault-Contributor-RoleAssignment')
- scope: keyVault
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor
- principalType: 'ServicePrincipal'
- }
-}
-resource keyVaultDataPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault.id}-${location}-${managedIdentity.id}-KeyVault-Data-Admin-RoleAssignment')
- scope: keyVault
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') // Key Vault Administrator
- principalType: 'ServicePrincipal'
- }
-}
-
-resource applicationInsights 'Microsoft.Insights/components@2020-02-02' = {
- name: applicationInsightsName
- location: location
- kind: ''
- properties: {}
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.api.azureml.ms'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Application Insights instance.')
-output applicationInsightsResourceId string = applicationInsights.id
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/machine-learning-services/workspace/tests/e2e/max/main.test.bicep b/modules/machine-learning-services/workspace/tests/e2e/max/main.test.bicep
deleted file mode 100644
index f09fb15a5c..0000000000
--- a/modules/machine-learning-services/workspace/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,172 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-machinelearningservices.workspaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'mlswmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}'
- applicationInsightsName: 'dep-${namePrefix}-appi-${serviceShort}'
- storageAccountName: 'dep${namePrefix}st${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- associatedApplicationInsightsResourceId: nestedDependencies.outputs.applicationInsightsResourceId
- associatedKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- associatedStorageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
- sku: 'Premium'
- computes: [
- {
- computeLocation: 'westeurope'
- computeType: 'AmlCompute'
- description: 'Default CPU Cluster'
- disableLocalAuth: false
- location: 'westeurope'
- name: 'DefaultCPU'
- properties: {
- enableNodePublicIp: true
- isolatedNetwork: false
- osType: 'Linux'
- remoteLoginPortPublicAccess: 'Disabled'
- scaleSettings: {
- maxNodeCount: 3
- minNodeCount: 0
- nodeIdleTimeBeforeScaleDown: 'PT5M'
- }
- vmPriority: 'Dedicated'
- vmSize: 'STANDARD_DS11_V2'
- }
- sku: 'Basic'
- // Must be false if `primaryUserAssignedIdentity` is provided
- managedIdentities: {
- systemAssigned: false
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- }
- ]
- description: 'The cake is a lie.'
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- discoveryUrl: 'http://example.com'
- imageBuildCompute: 'testcompute'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- primaryUserAssignedIdentity: nestedDependencies.outputs.managedIdentityResourceId
- privateEndpoints: [
- {
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- managedIdentities: {
- systemAssigned: false
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
diff --git a/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/dependencies.bicep b/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 4f7b46494d..0000000000
--- a/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,134 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Application Insights instance to create.')
-param applicationInsightsName string
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: null
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource keyVaultServicePermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault.id}-${location}-${managedIdentity.id}-KeyVault-Contributor-RoleAssignment')
- scope: keyVault
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor
- principalType: 'ServicePrincipal'
- }
-}
-resource keyVaultDataPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault.id}-${location}-${managedIdentity.id}-KeyVault-Data-Admin-RoleAssignment')
- scope: keyVault
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') // Key Vault Administrator
- principalType: 'ServicePrincipal'
- }
-}
-
-resource applicationInsights 'Microsoft.Insights/components@2020-02-02' = {
- name: applicationInsightsName
- location: location
- kind: ''
- properties: {}
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.api.azureml.ms'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Application Insights instance.')
-output applicationInsightsResourceId string = applicationInsights.id
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 416696a964..0000000000
--- a/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,155 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-machinelearningservices.workspaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'mlswwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}'
- applicationInsightsName: 'dep-${namePrefix}-appi-${serviceShort}'
- storageAccountName: 'dep${namePrefix}st${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- associatedApplicationInsightsResourceId: nestedDependencies.outputs.applicationInsightsResourceId
- associatedKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- associatedStorageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
- sku: 'Premium'
- computes: [
- {
- computeLocation: 'westeurope'
- computeType: 'AmlCompute'
- description: 'Default CPU Cluster'
- disableLocalAuth: false
- location: 'westeurope'
- name: 'DefaultCPU'
- properties: {
- enableNodePublicIp: true
- isolatedNetwork: false
- osType: 'Linux'
- remoteLoginPortPublicAccess: 'Disabled'
- scaleSettings: {
- maxNodeCount: 3
- minNodeCount: 0
- nodeIdleTimeBeforeScaleDown: 'PT5M'
- }
- vmPriority: 'Dedicated'
- vmSize: 'STANDARD_DS11_V2'
- }
- sku: 'Basic'
- // Must be false if `primaryUserAssignedIdentity` is provided
- managedIdentities: {
- systemAssigned: false
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- }
- ]
- description: 'The cake is a lie.'
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- discoveryUrl: 'http://example.com'
- imageBuildCompute: 'testcompute'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- primaryUserAssignedIdentity: nestedDependencies.outputs.managedIdentityResourceId
- privateEndpoints: [
- {
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- managedIdentities: {
- systemAssigned: false
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
diff --git a/modules/machine-learning-services/workspace/version.json b/modules/machine-learning-services/workspace/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/machine-learning-services/workspace/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/maintenance/maintenance-configuration/MOVED-TO-AVM.md b/modules/maintenance/maintenance-configuration/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/maintenance/maintenance-configuration/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/maintenance/maintenance-configuration/README.md b/modules/maintenance/maintenance-configuration/README.md index 3cd31f63f0..45e7ef044b 100644 --- a/modules/maintenance/maintenance-configuration/README.md +++ b/modules/maintenance/maintenance-configuration/README.md @@ -1,650 +1,7 @@ -# Maintenance Configurations `[Microsoft.Maintenance/maintenanceConfigurations]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/maintenance/maintenance-configuration](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/maintenance/maintenance-configuration).** -This module deploys a Maintenance Configuration. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/maintenance/maintenance-configuration). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Maintenance/maintenanceConfigurations` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Maintenance/2023-04-01/maintenanceConfigurations) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
- ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/maintenance.maintenance-configuration:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-configuration:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-mmcmin' - params: { - // Required parameters - name: 'mmcmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "mmcmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-configuration:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-mmcmax' - params: { - // Required parameters - name: 'mmcmax001' - // Non-required parameters - enableDefaultTelemetry: '' - extensionProperties: { - InGuestPatchMode: 'User' - } - installPatches: { - linuxParameters: { - classificationsToInclude: '' - packageNameMasksToExclude: '' - packageNameMasksToInclude: '' - } - rebootSetting: 'IfRequired' - windowsParameters: { - classificationsToInclude: [ - 'Critical' - 'Security' - ] - kbNumbersToExclude: '' - kbNumbersToInclude: '' - } - } - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - maintenanceWindow: { - duration: '03:00' - expirationDateTime: '9999-12-31 23:59:59' - recurEvery: 'Day' - startDateTime: '2022-12-31 13:00' - timeZone: 'W. Europe Standard Time' - } - namespace: 'mmcmaxns' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - visibility: 'Custom' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "mmcmax001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "extensionProperties": { - "value": { - "InGuestPatchMode": "User" - } - }, - "installPatches": { - "value": { - "linuxParameters": { - "classificationsToInclude": "", - "packageNameMasksToExclude": "", - "packageNameMasksToInclude": "" - }, - "rebootSetting": "IfRequired", - "windowsParameters": { - "classificationsToInclude": [ - "Critical", - "Security" - ], - "kbNumbersToExclude": "", - "kbNumbersToInclude": "" - } - } - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "maintenanceWindow": { - "value": { - "duration": "03:00", - "expirationDateTime": "9999-12-31 23:59:59", - "recurEvery": "Day", - "startDateTime": "2022-12-31 13:00", - "timeZone": "W. Europe Standard Time" - } - }, - "namespace": { - "value": "mmcmaxns" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "visibility": { - "value": "Custom" - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-configuration:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-mmcwaf' - params: { - // Required parameters - name: 'mmcwaf001' - // Non-required parameters - enableDefaultTelemetry: '' - extensionProperties: { - InGuestPatchMode: 'User' - } - installPatches: { - linuxParameters: { - classificationsToInclude: '' - packageNameMasksToExclude: '' - packageNameMasksToInclude: '' - } - rebootSetting: 'IfRequired' - windowsParameters: { - classificationsToInclude: [ - 'Critical' - 'Security' - ] - kbNumbersToExclude: '' - kbNumbersToInclude: '' - } - } - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - maintenanceWindow: { - duration: '03:00' - expirationDateTime: '9999-12-31 23:59:59' - recurEvery: 'Day' - startDateTime: '2022-12-31 13:00' - timeZone: 'W. Europe Standard Time' - } - namespace: 'mmcwafns' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - visibility: 'Custom' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "mmcwaf001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "extensionProperties": { - "value": { - "InGuestPatchMode": "User" - } - }, - "installPatches": { - "value": { - "linuxParameters": { - "classificationsToInclude": "", - "packageNameMasksToExclude": "", - "packageNameMasksToInclude": "" - }, - "rebootSetting": "IfRequired", - "windowsParameters": { - "classificationsToInclude": [ - "Critical", - "Security" - ], - "kbNumbersToExclude": "", - "kbNumbersToInclude": "" - } - } - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "maintenanceWindow": { - "value": { - "duration": "03:00", - "expirationDateTime": "9999-12-31 23:59:59", - "recurEvery": "Day", - "startDateTime": "2022-12-31 13:00", - "timeZone": "W. Europe Standard Time" - } - }, - "namespace": { - "value": "mmcwafns" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "visibility": { - "value": "Custom" - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Maintenance Configuration Name. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`extensionProperties`](#parameter-extensionproperties) | object | Gets or sets extensionProperties of the maintenanceConfiguration. | -| [`installPatches`](#parameter-installpatches) | object | Configuration settings for VM guest patching with Azure Update Manager. | -| [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`maintenanceScope`](#parameter-maintenancescope) | string | Gets or sets maintenanceScope of the configuration. | -| [`maintenanceWindow`](#parameter-maintenancewindow) | object | Definition of a MaintenanceWindow. | -| [`namespace`](#parameter-namespace) | string | Gets or sets namespace of the resource. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`tags`](#parameter-tags) | object | Gets or sets tags of the resource. | -| [`visibility`](#parameter-visibility) | string | Gets or sets the visibility of the configuration. The default value is 'Custom'. | - -### Parameter: `name` - -Maintenance Configuration Name. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `extensionProperties` - -Gets or sets extensionProperties of the maintenanceConfiguration. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `installPatches` - -Configuration settings for VM guest patching with Azure Update Manager. 
- -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `location` - -Location for all Resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `maintenanceScope` - -Gets or sets maintenanceScope of the configuration. - -- Required: No -- Type: string -- Default: `'Host'` -- Allowed: - ```Bicep - [ - 'Extension' - 'Host' - 'InGuestPatch' - 'OSImage' - 'SQLDB' - 'SQLManagedInstance' - ] - ``` - -### Parameter: `maintenanceWindow` - -Definition of a MaintenanceWindow. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `namespace` - -Gets or sets namespace of the resource. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Gets or sets tags of the resource. - -- Required: No -- Type: object - -### Parameter: `visibility` - -Gets or sets the visibility of the configuration. The default value is 'Custom'. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Custom' - 'Public' - ] - ``` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the Maintenance Configuration was created in. | -| `name` | string | The name of the Maintenance Configuration. | -| `resourceGroupName` | string | The name of the resource group the Maintenance Configuration was created in. | -| `resourceId` | string | The resource ID of the Maintenance Configuration. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/maintenance/maintenance-configuration/main.bicep b/modules/maintenance/maintenance-configuration/main.bicep deleted file mode 100644 index 8a885c291f..0000000000 --- a/modules/maintenance/maintenance-configuration/main.bicep +++ /dev/null 
@@ -1,169 +0,0 @@ -metadata name = 'Maintenance Configurations' -metadata description = 'This module deploys a Maintenance Configuration.' -metadata owner = 'Azure/module-maintainers' - -// ============== // -// Parameters // -// ============== // - -@description('Required. Maintenance Configuration Name.') -param name string - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. Gets or sets extensionProperties of the maintenanceConfiguration.') -param extensionProperties object = {} - -@description('Optional. Location for all Resources.') -param location string = resourceGroup().location - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. Gets or sets maintenanceScope of the configuration.') -@allowed([ - 'Host' - 'OSImage' - 'Extension' - 'InGuestPatch' - 'SQLDB' - 'SQLManagedInstance' -]) -param maintenanceScope string = 'Host' - -@description('Optional. Definition of a MaintenanceWindow.') -param maintenanceWindow object = {} - -@description('Optional. Gets or sets namespace of the resource.') -param namespace string = '' - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. Gets or sets tags of the resource.') -param tags object? - -@description('Optional. Gets or sets the visibility of the configuration. The default value is \'Custom\'.') -@allowed([ - '' - 'Custom' - 'Public' -]) -param visibility string = '' - -@description('Optional. 
Configuration settings for VM guest patching with Azure Update Manager.') -param installPatches object = {} - -// =============== // -// Deployments // -// =============== // - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Scheduled Patching Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'cd08ab90-6b14-449c-ad9a-8f8e549482c6') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource maintenanceConfiguration 'Microsoft.Maintenance/maintenanceConfigurations@2023-04-01' = { - location: location - name: name - tags: tags - properties: { - extensionProperties: extensionProperties - maintenanceScope: maintenanceScope - maintenanceWindow: maintenanceWindow - namespace: namespace - visibility: visibility - installPatches: (maintenanceScope == 'InGuestPatch') ? installPatches : null - } -} - -resource maintenanceConfiguration_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 
'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' - } - scope: maintenanceConfiguration -} - -resource maintenanceConfiguration_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(maintenanceConfiguration.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? 
'2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: maintenanceConfiguration -}] - -// =========== // -// Outputs // -// =========== // - -@description('The name of the Maintenance Configuration.') -output name string = maintenanceConfiguration.name - -@description('The resource ID of the Maintenance Configuration.') -output resourceId string = maintenanceConfiguration.id - -@description('The name of the resource group the Maintenance Configuration was created in.') -output resourceGroupName string = resourceGroup().name - -@description('The location the Maintenance Configuration was created in.') -output location string = maintenanceConfiguration.location - -// =============== // -// Definitions // -// =============== // - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? diff --git a/modules/maintenance/maintenance-configuration/main.json b/modules/maintenance/maintenance-configuration/main.json deleted file mode 100644 index 4876cc4f59..0000000000 --- a/modules/maintenance/maintenance-configuration/main.json +++ /dev/null 
@@ -1,311 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11566518301977789457" - }, - "name": "Maintenance Configurations", - "description": "This module deploys a Maintenance Configuration.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Maintenance Configuration Name." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "extensionProperties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Gets or sets extensionProperties of the maintenanceConfiguration." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "maintenanceScope": { - "type": "string", - "defaultValue": "Host", - "allowedValues": [ - "Host", - "OSImage", - "Extension", - "InGuestPatch", - "SQLDB", - "SQLManagedInstance" - ], - "metadata": { - "description": "Optional. Gets or sets maintenanceScope of the configuration." - } - }, - "maintenanceWindow": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. 
Definition of a MaintenanceWindow." - } - }, - "namespace": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Gets or sets namespace of the resource." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Gets or sets tags of the resource." - } - }, - "visibility": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Custom", - "Public" - ], - "metadata": { - "description": "Optional. Gets or sets the visibility of the configuration. The default value is 'Custom'." - } - }, - "installPatches": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Configuration settings for VM guest patching with Azure Update Manager." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Scheduled Patching Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'cd08ab90-6b14-449c-ad9a-8f8e549482c6')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - 
"name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "maintenanceConfiguration": { - "type": "Microsoft.Maintenance/maintenanceConfigurations", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "extensionProperties": "[parameters('extensionProperties')]", - "maintenanceScope": "[parameters('maintenanceScope')]", - "maintenanceWindow": "[parameters('maintenanceWindow')]", - "namespace": "[parameters('namespace')]", - "visibility": "[parameters('visibility')]", - "installPatches": "[if(equals(parameters('maintenanceScope'), 'InGuestPatch'), parameters('installPatches'), null())]" - } - }, - "maintenanceConfiguration_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Maintenance/maintenanceConfigurations/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "maintenanceConfiguration" - ] - }, - "maintenanceConfiguration_roleAssignments": { - "copy": { - "name": "maintenanceConfiguration_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": 
"Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Maintenance/maintenanceConfigurations/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Maintenance/maintenanceConfigurations', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 
'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "maintenanceConfiguration" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the Maintenance Configuration." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Maintenance Configuration." - }, - "value": "[resourceId('Microsoft.Maintenance/maintenanceConfigurations', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the Maintenance Configuration was created in." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the Maintenance Configuration was created in." - }, - "value": "[reference('maintenanceConfiguration', '2023-04-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/maintenance/maintenance-configuration/tests/e2e/defaults/main.test.bicep b/modules/maintenance/maintenance-configuration/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index b12067c411..0000000000 --- a/modules/maintenance/maintenance-configuration/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-maintenance.maintenanceconfigurations-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'mmcmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/maintenance/maintenance-configuration/tests/e2e/max/dependencies.bicep b/modules/maintenance/maintenance-configuration/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/maintenance/maintenance-configuration/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/maintenance/maintenance-configuration/tests/e2e/max/main.test.bicep b/modules/maintenance/maintenance-configuration/tests/e2e/max/main.test.bicep
deleted file mode 100644
index dc3d91a268..0000000000
--- a/modules/maintenance/maintenance-configuration/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,112 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-maintenance.maintenanceconfigurations-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'mmcmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- extensionProperties: {
- InGuestPatchMode: 'User'
- }
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- maintenanceScope: 'InGuestPatch'
- maintenanceWindow: {
- duration: '03:00'
- expirationDateTime: '9999-12-31 23:59:59'
- recurEvery: 'Day'
- startDateTime: '2022-12-31 13:00'
- timeZone: 'W. Europe Standard Time'
- }
- namespace: '${serviceShort}ns'
- visibility: 'Custom'
- installPatches: {
- linuxParameters: {
- classificationsToInclude: null
- packageNameMasksToExclude: null
- packageNameMasksToInclude: null
- }
- rebootSetting: 'IfRequired'
- windowsParameters: {
- classificationsToInclude: [
- 'Critical'
- 'Security'
- ]
- kbNumbersToExclude: null
- kbNumbersToInclude: null
- }
- }
- }
-}]
diff --git a/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/dependencies.bicep b/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep b/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 19697a964c..0000000000
--- a/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,95 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-maintenance.maintenanceconfigurations-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'mmcwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- extensionProperties: {
- InGuestPatchMode: 'User'
- }
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- maintenanceScope: 'InGuestPatch'
- maintenanceWindow: {
- duration: '03:00'
- expirationDateTime: '9999-12-31 23:59:59'
- recurEvery: 'Day'
- startDateTime: '2022-12-31 13:00'
- timeZone: 'W. Europe Standard Time'
- }
- namespace: '${serviceShort}ns'
- visibility: 'Custom'
- installPatches: {
- linuxParameters: {
- classificationsToInclude: null
- packageNameMasksToExclude: null
- packageNameMasksToInclude: null
- }
- rebootSetting: 'IfRequired'
- windowsParameters: {
- classificationsToInclude: [
- 'Critical'
- 'Security'
- ]
- kbNumbersToExclude: null
- kbNumbersToInclude: null
- }
- }
- }
-}]
diff --git a/modules/maintenance/maintenance-configuration/version.json b/modules/maintenance/maintenance-configuration/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/maintenance/maintenance-configuration/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/managed-identity/user-assigned-identity/MOVED-TO-AVM.md b/modules/managed-identity/user-assigned-identity/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/managed-identity/user-assigned-identity/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/managed-identity/user-assigned-identity/README.md b/modules/managed-identity/user-assigned-identity/README.md
index 0e9abdef58..54da259cdd 100644
--- a/modules/managed-identity/user-assigned-identity/README.md
+++ b/modules/managed-identity/user-assigned-identity/README.md @@ -1,481 +1,7 @@ -# User Assigned Identities `[Microsoft.ManagedIdentity/userAssignedIdentities]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/managed-identity/user-assigned-identity](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/managed-identity/user-assigned-identity).** -This module deploys a User Assigned Identity. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/managed-identity/user-assigned-identity). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.ManagedIdentity/userAssignedIdentities` | [2023-01-31](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ManagedIdentity/2023-01-31/userAssignedIdentities) | -| `Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials` | [2023-01-31](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ManagedIdentity/2023-01-31/userAssignedIdentities/federatedIdentityCredentials) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. 
For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/managed-identity.user-assigned-identity:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-identity:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-miuaimin' - params: { - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-identity:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-miuaimax' - params: { - enableDefaultTelemetry: '' - federatedIdentityCredentials: [ - { - audiences: [ - 'api://AzureADTokenExchange' - ] - issuer: '' - name: 'test-fed-cred-miuaimax-001' - subject: 'system:serviceaccount:default:workload-identity-sa' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - name: 'miuaimax001' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "enableDefaultTelemetry": { - "value": "" - }, - "federatedIdentityCredentials": { - "value": [ - { - "audiences": [ - "api://AzureADTokenExchange" - ], - "issuer": "", - "name": "test-fed-cred-miuaimax-001", - "subject": "system:serviceaccount:default:workload-identity-sa" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "name": { - "value": "miuaimax001" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-identity:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-miuaiwaf' - params: { - enableDefaultTelemetry: '' - federatedIdentityCredentials: [ - { - audiences: [ - 'api://AzureADTokenExchange' - ] - issuer: '' - name: 'test-fed-cred-miuaiwaf-001' - subject: 'system:serviceaccount:default:workload-identity-sa' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - name: 'miuaiwaf001' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "enableDefaultTelemetry": { - "value": "" - }, - "federatedIdentityCredentials": { - "value": [ - { - "audiences": [ - "api://AzureADTokenExchange" - ], - "issuer": "", - "name": "test-fed-cred-miuaiwaf-001", - "subject": "system:serviceaccount:default:workload-identity-sa" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "name": { - "value": "miuaiwaf001" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`federatedIdentityCredentials`](#parameter-federatedidentitycredentials) | array | The federated identity credentials list to indicate which token from the external IdP should be trusted by your application. Federated identity credentials are supported on applications only. A maximum of 20 federated identity credentials can be added per application object. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`name`](#parameter-name) | string | Name of the User Assigned Identity. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `federatedIdentityCredentials` - -The federated identity credentials list to indicate which token from the external IdP should be trusted by your application. Federated identity credentials are supported on applications only. A maximum of 20 federated identity credentials can be added per application object. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. 
| - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `name` - -Name of the User Assigned Identity. - -- Required: No -- Type: string -- Default: `[guid(resourceGroup().id)]` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. 
| - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `clientId` | string | The client ID (application ID) of the user assigned identity. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the user assigned identity. | -| `principalId` | string | The principal ID (object ID) of the user assigned identity. 
| -| `resourceGroupName` | string | The resource group the user assigned identity was deployed into. | -| `resourceId` | string | The resource ID of the user assigned identity. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/managed-identity/user-assigned-identity/federated-identity-credential/README.md b/modules/managed-identity/user-assigned-identity/federated-identity-credential/README.md deleted file mode 100644 index a9483eb2d7..0000000000 --- a/modules/managed-identity/user-assigned-identity/federated-identity-credential/README.md +++ /dev/null 
@@ -1,95 +0,0 @@ -# User Assigned Identity Federated Identity Credential `[Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials]` - -This module deploys a User Assigned Identity Federated Identity Credential. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials` | [2023-01-31](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ManagedIdentity/2023-01-31/userAssignedIdentities/federatedIdentityCredentials) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`audiences`](#parameter-audiences) | array | The list of audiences that can appear in the issued token. Should be set to api://AzureADTokenExchange for Azure AD. It says what Microsoft identity platform should accept in the aud claim in the incoming token. This value represents Azure AD in your external identity provider and has no fixed value across identity providers - you might need to create a new application registration in your IdP to serve as the audience of this token. | -| [`issuer`](#parameter-issuer) | string | The URL of the issuer to be trusted. Must match the issuer claim of the external token being exchanged. | -| [`name`](#parameter-name) | string | The name of the secret. | -| [`subject`](#parameter-subject) | string | The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format, as each IdP uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the sub claim within the token presented to Azure AD. 
| - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`userAssignedIdentityName`](#parameter-userassignedidentityname) | string | The name of the parent user assigned identity. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | - -### Parameter: `audiences` - -The list of audiences that can appear in the issued token. Should be set to api://AzureADTokenExchange for Azure AD. It says what Microsoft identity platform should accept in the aud claim in the incoming token. This value represents Azure AD in your external identity provider and has no fixed value across identity providers - you might need to create a new application registration in your IdP to serve as the audience of this token. - -- Required: Yes -- Type: array - -### Parameter: `issuer` - -The URL of the issuer to be trusted. Must match the issuer claim of the external token being exchanged. - -- Required: Yes -- Type: string - -### Parameter: `name` - -The name of the secret. - -- Required: Yes -- Type: string - -### Parameter: `subject` - -The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format, as each IdP uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the sub claim within the token presented to Azure AD. - -- Required: Yes -- Type: string - -### Parameter: `userAssignedIdentityName` - -The name of the parent user assigned identity. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). 
- -- Required: No -- Type: bool -- Default: `True` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the federated identity credential. | -| `resourceGroupName` | string | The name of the resource group the federated identity credential was created in. | -| `resourceId` | string | The resource ID of the federated identity credential. | - -## Cross-referenced modules - -_None_ diff --git a/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.bicep b/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.bicep deleted file mode 100644 index b1b0165c47..0000000000 --- a/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.bicep +++ /dev/null 
@@ -1,56 +0,0 @@ -metadata name = 'User Assigned Identity Federated Identity Credential' -metadata description = 'This module deploys a User Assigned Identity Federated Identity Credential.' -metadata owner = 'Azure/module-maintainers' - -@description('Conditional. The name of the parent user assigned identity. Required if the template is used in a standalone deployment.') -param userAssignedIdentityName string - -@description('Required. The name of the secret.') -param name string - -@description('Required. The list of audiences that can appear in the issued token. Should be set to api://AzureADTokenExchange for Azure AD. It says what Microsoft identity platform should accept in the aud claim in the incoming token. This value represents Azure AD in your external identity provider and has no fixed value across identity providers - you might need to create a new application registration in your IdP to serve as the audience of this token.') -param audiences array - -@description('Required. The URL of the issuer to be trusted. Must match the issuer claim of the external token being exchanged.') -param issuer string - -@description('Required. The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format, as each IdP uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the sub claim within the token presented to Azure AD.') -param subject string - -@description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = { - name: userAssignedIdentityName -} - -resource federatedIdentityCredential 'Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials@2023-01-31' = { - name: name - parent: userAssignedIdentity - properties: { - audiences: audiences - issuer: issuer - subject: subject - } -} - -@description('The name of the federated identity credential.') -output name string = federatedIdentityCredential.name - -@description('The resource ID of the federated identity credential.') -output resourceId string = federatedIdentityCredential.id - -@description('The name of the resource group the federated identity credential was created in.') -output resourceGroupName string = resourceGroup().name diff --git a/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.json b/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.json deleted file mode 100644 index ac48d00ac2..0000000000 --- a/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.json +++ /dev/null 
@@ -1,102 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16507829721467583096" - }, - "name": "User Assigned Identity Federated Identity Credential", - "description": "This module deploys a User Assigned Identity Federated Identity Credential.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "userAssignedIdentityName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent user assigned identity. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the secret." - } - }, - "audiences": { - "type": "array", - "metadata": { - "description": "Required. The list of audiences that can appear in the issued token. Should be set to api://AzureADTokenExchange for Azure AD. It says what Microsoft identity platform should accept in the aud claim in the incoming token. This value represents Azure AD in your external identity provider and has no fixed value across identity providers - you might need to create a new application registration in your IdP to serve as the audience of this token." - } - }, - "issuer": { - "type": "string", - "metadata": { - "description": "Required. The URL of the issuer to be trusted. Must match the issuer claim of the external token being exchanged." - } - }, - "subject": { - "type": "string", - "metadata": { - "description": "Required. The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format, as each IdP uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the sub claim within the token presented to Azure AD." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials", - "apiVersion": "2023-01-31", - "name": "[format('{0}/{1}', parameters('userAssignedIdentityName'), parameters('name'))]", - "properties": { - "audiences": "[parameters('audiences')]", - "issuer": "[parameters('issuer')]", - "subject": "[parameters('subject')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the federated identity credential." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the federated identity credential." - }, - "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials', parameters('userAssignedIdentityName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the federated identity credential was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file 
diff --git a/modules/managed-identity/user-assigned-identity/federated-identity-credential/version.json b/modules/managed-identity/user-assigned-identity/federated-identity-credential/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/managed-identity/user-assigned-identity/federated-identity-credential/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/managed-identity/user-assigned-identity/main.bicep b/modules/managed-identity/user-assigned-identity/main.bicep
deleted file mode 100644
index 19afb3549c..0000000000
--- a/modules/managed-identity/user-assigned-identity/main.bicep
+++ /dev/null
@@ -1,142 +0,0 @@ -metadata name = 'User Assigned Identities' -metadata description = 'This module deploys a User Assigned Identity.' -metadata owner = 'Azure/module-maintainers' - -@description('Optional. Name of the User Assigned Identity.') -param name string = guid(resourceGroup().id) - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. The federated identity credentials list to indicate which token from the external IdP should be trusted by your application. Federated identity credentials are supported on applications only. A maximum of 20 federated identity credentials can be added per application object.') -param federatedIdentityCredentials array = [] - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. Tags of the resource.') -param tags object? - -@description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var enableReferencedModulesTelemetry = false - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Managed Identity Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59') - 'Managed Identity Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = { - name: name - location: location - tags: tags -} - -resource userMsi_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' 
: 'Cannot delete or modify the resource or child resources.' - } - scope: userAssignedIdentity -} - -module userMsi_federatedIdentityCredentials 'federated-identity-credential/main.bicep' = [for (federatedIdentityCredential, index) in federatedIdentityCredentials: { - name: '${uniqueString(deployment().name, location)}-UserMSI-FederatedIdentityCredential-${index}' - params: { - name: federatedIdentityCredential.name - userAssignedIdentityName: userAssignedIdentity.name - audiences: federatedIdentityCredential.audiences - issuer: federatedIdentityCredential.issuer - subject: federatedIdentityCredential.subject - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -resource userMsi_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(userAssignedIdentity.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? 
'2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: userAssignedIdentity -}] - -@description('The name of the user assigned identity.') -output name string = userAssignedIdentity.name - -@description('The resource ID of the user assigned identity.') -output resourceId string = userAssignedIdentity.id - -@description('The principal ID (object ID) of the user assigned identity.') -output principalId string = userAssignedIdentity.properties.principalId - -@description('The client ID (application ID) of the user assigned identity.') -output clientId string = userAssignedIdentity.properties.clientId - -@description('The resource group the user assigned identity was deployed into.') -output resourceGroupName string = resourceGroup().name - -@description('The location the resource was deployed into.') -output location string = userAssignedIdentity.location - -// =============== // -// Definitions // -// =============== // - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. 
The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? diff --git a/modules/managed-identity/user-assigned-identity/main.json b/modules/managed-identity/user-assigned-identity/main.json deleted file mode 100644 index b143e7a16b..0000000000 --- a/modules/managed-identity/user-assigned-identity/main.json +++ /dev/null 
@@ -1,412 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13454855788862691467" - }, - "name": "User Assigned Identities", - "description": "This module deploys a User Assigned Identity.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "defaultValue": "[guid(resourceGroup().id)]", - "metadata": { - "description": "Optional. Name of the User Assigned Identity." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "federatedIdentityCredentials": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The federated identity credentials list to indicate which token from the external IdP should be trusted by your application. Federated identity credentials are supported on applications only. A maximum of 20 federated identity credentials can be added per application object." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Managed Identity Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", - "Managed Identity Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "userAssignedIdentity": { - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2023-01-31", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": 
"[parameters('tags')]" - }, - "userMsi_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.ManagedIdentity/userAssignedIdentities/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "userAssignedIdentity" - ] - }, - "userMsi_roleAssignments": { - "copy": { - "name": "userMsi_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.ManagedIdentity/userAssignedIdentities/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "userAssignedIdentity" - ] - }, - "userMsi_federatedIdentityCredentials": { - "copy": { - "name": "userMsi_federatedIdentityCredentials", - "count": "[length(parameters('federatedIdentityCredentials'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-UserMSI-FederatedIdentityCredential-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('federatedIdentityCredentials')[copyIndex()].name]" - }, - "userAssignedIdentityName": { - "value": "[parameters('name')]" - }, - "audiences": { - "value": "[parameters('federatedIdentityCredentials')[copyIndex()].audiences]" - }, - "issuer": { - "value": "[parameters('federatedIdentityCredentials')[copyIndex()].issuer]" - }, - "subject": { - "value": 
"[parameters('federatedIdentityCredentials')[copyIndex()].subject]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16507829721467583096" - }, - "name": "User Assigned Identity Federated Identity Credential", - "description": "This module deploys a User Assigned Identity Federated Identity Credential.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "userAssignedIdentityName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent user assigned identity. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the secret." - } - }, - "audiences": { - "type": "array", - "metadata": { - "description": "Required. The list of audiences that can appear in the issued token. Should be set to api://AzureADTokenExchange for Azure AD. It says what Microsoft identity platform should accept in the aud claim in the incoming token. This value represents Azure AD in your external identity provider and has no fixed value across identity providers - you might need to create a new application registration in your IdP to serve as the audience of this token." - } - }, - "issuer": { - "type": "string", - "metadata": { - "description": "Required. The URL of the issuer to be trusted. Must match the issuer claim of the external token being exchanged." - } - }, - "subject": { - "type": "string", - "metadata": { - "description": "Required. The identifier of the external software workload within the external identity provider. 
Like the audience value, it has no fixed format, as each IdP uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the sub claim within the token presented to Azure AD." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials", - "apiVersion": "2023-01-31", - "name": "[format('{0}/{1}', parameters('userAssignedIdentityName'), parameters('name'))]", - "properties": { - "audiences": "[parameters('audiences')]", - "issuer": "[parameters('issuer')]", - "subject": "[parameters('subject')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the federated identity credential." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the federated identity credential." - }, - "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials', parameters('userAssignedIdentityName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the federated identity credential was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "userAssignedIdentity" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the user assigned identity." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the user assigned identity." - }, - "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name'))]" - }, - "principalId": { - "type": "string", - "metadata": { - "description": "The principal ID (object ID) of the user assigned identity." - }, - "value": "[reference('userAssignedIdentity').principalId]" - }, - "clientId": { - "type": "string", - "metadata": { - "description": "The client ID (application ID) of the user assigned identity." - }, - "value": "[reference('userAssignedIdentity').clientId]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the user assigned identity was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('userAssignedIdentity', '2023-01-31', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/defaults/main.test.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index fba55f1303..0000000000 --- a/modules/managed-identity/user-assigned-identity/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,48 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-managedidentity.userassignedidentities-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'miuaimin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- }
-}]
diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/max/dependencies.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/managed-identity/user-assigned-identity/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep
deleted file mode 100644
index f633bc4d28..0000000000
--- a/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,93 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-managedidentity.userassignedidentities-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'miuaimax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - federatedIdentityCredentials: [ - { - name: 
'test-fed-cred-${serviceShort}-001' - audiences: [ - 'api://AzureADTokenExchange' - ] - issuer: 'https://contoso.com/${subscription().tenantId}/${guid(deployment().name)}/' - subject: 'system:serviceaccount:default:workload-identity-sa' - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/dependencies.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/dependencies.bicep deleted file mode 100644 index a7f42aee7b..0000000000 --- a/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null @@ -1,13 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId 
diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 17904d21b4..0000000000
--- a/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,76 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-managedidentity.userassignedidentities-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'miuaiwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - federatedIdentityCredentials: [ - 
{ - name: 'test-fed-cred-${serviceShort}-001' - audiences: [ - 'api://AzureADTokenExchange' - ] - issuer: 'https://contoso.com/${subscription().tenantId}/${guid(deployment().name)}/' - subject: 'system:serviceaccount:default:workload-identity-sa' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/managed-identity/user-assigned-identity/version.json b/modules/managed-identity/user-assigned-identity/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/managed-identity/user-assigned-identity/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/managed-services/registration-definition/.bicep/nested_registrationAssignment.bicep b/modules/managed-services/registration-definition/.bicep/nested_registrationAssignment.bicep deleted file mode 100644 index eed777ecb5..0000000000 --- a/modules/managed-services/registration-definition/.bicep/nested_registrationAssignment.bicep +++ /dev/null @@ -1,15 +0,0 @@ -param registrationDefinitionId string -param registrationAssignmentId string - -resource registrationAssignment 'Microsoft.ManagedServices/registrationAssignments@2019-09-01' = { - name: registrationAssignmentId - properties: { - registrationDefinitionId: registrationDefinitionId - } -} - -@description('The name of the registration assignment.') -output name string = registrationAssignment.name - -@description('The resource ID of the registration assignment.') -output resourceId string = registrationAssignment.id diff --git a/modules/managed-services/registration-definition/README.md b/modules/managed-services/registration-definition/README.md index c60cb76100..4e96720637 100644 --- a/modules/managed-services/registration-definition/README.md 
+++ b/modules/managed-services/registration-definition/README.md @@ -1,440 +1,7 @@ -# Registration Definitions `[Microsoft.ManagedServices/registrationDefinitions]` +

⚠️ Moved to AVM ⚠️

-This module deploys a `Registration Definition` and a `Registration Assignment` (often referred to as 'Lighthouse' or 'resource delegation') -on subscription or resource group scopes. This type of delegation is very similar to role assignments but here the principal that is -assigned a role is in a remote/managing Azure Active Directory tenant. The templates are run towards the tenant where -the Azure resources you want to delegate access to are, providing 'authorizations' (aka. access delegation) to principals in a -remote/managing tenant. +**This module has been evolved into the following AVM module: [avm/res/managed-services/registration-definition](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/managed-services/registration-definition).** -## Navigation +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/managed-services/registration-definition). -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.ManagedServices/registrationAssignments` | [2019-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ManagedServices/2019-09-01/registrationAssignments) | -| `Microsoft.ManagedServices/registrationDefinitions` | [2019-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ManagedServices/2019-09-01/registrationDefinitions) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. 
- ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/managed-services.registration-definition:1.0.0`. - -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Rg](#example-2-rg) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -
- -via Bicep module - -```bicep -module registrationDefinition 'br:bicep/modules/managed-services.registration-definition:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-msrdmax' - params: { - // Required parameters - authorizations: [ - { - principalId: '<< SET YOUR PRINCIPAL ID 1 HERE >>' - principalIdDisplayName: 'ResourceModules-Reader' - roleDefinitionId: 'acdd72a7-3385-48ef-bd42-f606fba81ae7' - } - { - principalId: '<< SET YOUR PRINCIPAL ID 2 HERE >>' - principalIdDisplayName: 'ResourceModules-Contributor' - roleDefinitionId: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '<< SET YOUR PRINCIPAL ID 3 HERE >>' - principalIdDisplayName: 'ResourceModules-LHManagement' - roleDefinitionId: '91c1777a-f3dc-4fae-b103-61d183457e46' - } - ] - managedByTenantId: '<< SET YOUR TENANT ID HERE >>' - name: 'Component Validation - msrdmax Subscription assignment' - registrationDescription: 'Managed by Lighthouse' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "authorizations": { - "value": [ - { - "principalId": "<< SET YOUR PRINCIPAL ID 1 HERE >>", - "principalIdDisplayName": "ResourceModules-Reader", - "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7" - }, - { - "principalId": "<< SET YOUR PRINCIPAL ID 2 HERE >>", - "principalIdDisplayName": "ResourceModules-Contributor", - "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "<< SET YOUR PRINCIPAL ID 3 HERE >>", - "principalIdDisplayName": "ResourceModules-LHManagement", - "roleDefinitionId": "91c1777a-f3dc-4fae-b103-61d183457e46" - } - ] - }, - "managedByTenantId": { - "value": "<< SET YOUR TENANT ID HERE >>" - }, - "name": { - "value": "Component Validation - msrdmax Subscription assignment" - }, - "registrationDescription": { - "value": "Managed by Lighthouse" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Rg_ - -

- -via Bicep module - -```bicep -module registrationDefinition 'br:bicep/modules/managed-services.registration-definition:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-msrdrg' - params: { - // Required parameters - authorizations: [ - { - principalId: '<< SET YOUR PRINCIPAL ID 1 HERE >>' - principalIdDisplayName: 'ResourceModules-Reader' - roleDefinitionId: 'acdd72a7-3385-48ef-bd42-f606fba81ae7' - } - { - principalId: '<< SET YOUR PRINCIPAL ID 2 HERE >>' - principalIdDisplayName: 'ResourceModules-Contributor' - roleDefinitionId: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '<< SET YOUR PRINCIPAL ID 3 HERE >>' - principalIdDisplayName: 'ResourceModules-LHManagement' - roleDefinitionId: '91c1777a-f3dc-4fae-b103-61d183457e46' - } - ] - managedByTenantId: '<< SET YOUR TENANT ID HERE >>' - name: 'Component Validation - msrdrg Resource group assignment' - registrationDescription: 'Managed by Lighthouse' - // Non-required parameters - enableDefaultTelemetry: '' - resourceGroupName: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "authorizations": { - "value": [ - { - "principalId": "<< SET YOUR PRINCIPAL ID 1 HERE >>", - "principalIdDisplayName": "ResourceModules-Reader", - "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7" - }, - { - "principalId": "<< SET YOUR PRINCIPAL ID 2 HERE >>", - "principalIdDisplayName": "ResourceModules-Contributor", - "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "<< SET YOUR PRINCIPAL ID 3 HERE >>", - "principalIdDisplayName": "ResourceModules-LHManagement", - "roleDefinitionId": "91c1777a-f3dc-4fae-b103-61d183457e46" - } - ] - }, - "managedByTenantId": { - "value": "<< SET YOUR TENANT ID HERE >>" - }, - "name": { - "value": "Component Validation - msrdrg Resource group assignment" - }, - "registrationDescription": { - "value": "Managed by Lighthouse" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "resourceGroupName": { - "value": "" - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module registrationDefinition 'br:bicep/modules/managed-services.registration-definition:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-msrdwaf' - params: { - // Required parameters - authorizations: [ - { - principalId: '<< SET YOUR PRINCIPAL ID 1 HERE >>' - principalIdDisplayName: 'ResourceModules-Reader' - roleDefinitionId: 'acdd72a7-3385-48ef-bd42-f606fba81ae7' - } - { - principalId: '<< SET YOUR PRINCIPAL ID 2 HERE >>' - principalIdDisplayName: 'ResourceModules-Contributor' - roleDefinitionId: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '<< SET YOUR PRINCIPAL ID 3 HERE >>' - principalIdDisplayName: 'ResourceModules-LHManagement' - roleDefinitionId: '91c1777a-f3dc-4fae-b103-61d183457e46' - } - ] - managedByTenantId: '<< SET YOUR TENANT ID HERE >>' - name: 'Component Validation - msrdwaf Subscription assignment' - registrationDescription: 'Managed by Lighthouse' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "authorizations": { - "value": [ - { - "principalId": "<< SET YOUR PRINCIPAL ID 1 HERE >>", - "principalIdDisplayName": "ResourceModules-Reader", - "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7" - }, - { - "principalId": "<< SET YOUR PRINCIPAL ID 2 HERE >>", - "principalIdDisplayName": "ResourceModules-Contributor", - "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "<< SET YOUR PRINCIPAL ID 3 HERE >>", - "principalIdDisplayName": "ResourceModules-LHManagement", - "roleDefinitionId": "91c1777a-f3dc-4fae-b103-61d183457e46" - } - ] - }, - "managedByTenantId": { - "value": "<< SET YOUR TENANT ID HERE >>" - }, - "name": { - "value": "Component Validation - msrdwaf Subscription assignment" - }, - "registrationDescription": { - "value": "Managed by Lighthouse" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`authorizations`](#parameter-authorizations) | array | Specify an array of objects, containing object of Azure Active Directory principalId, a Azure roleDefinitionId, and an optional principalIdDisplayName. The roleDefinition specified is granted to the principalId in the provider's Active Directory and the principalIdDisplayName is visible to customers. | -| [`managedByTenantId`](#parameter-managedbytenantid) | string | Specify the tenant ID of the tenant which homes the principals you are delegating permissions to. | -| [`name`](#parameter-name) | string | Specify a unique name for your offer/registration. i.e ' - - '. | -| [`registrationDescription`](#parameter-registrationdescription) | string | Description of the offer/registration. i.e. 'Managed by '. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location deployment metadata. | -| [`resourceGroupName`](#parameter-resourcegroupname) | string | Specify the name of the Resource Group to delegate access to. If not provided, delegation will be done on the targeted subscription. | - -### Parameter: `authorizations` - -Specify an array of objects, containing object of Azure Active Directory principalId, a Azure roleDefinitionId, and an optional principalIdDisplayName. The roleDefinition specified is granted to the principalId in the provider's Active Directory and the principalIdDisplayName is visible to customers. - -- Required: Yes -- Type: array - -### Parameter: `managedByTenantId` - -Specify the tenant ID of the tenant which homes the principals you are delegating permissions to. 
- -- Required: Yes -- Type: string - -### Parameter: `name` - -Specify a unique name for your offer/registration. i.e ' - - '. - -- Required: Yes -- Type: string - -### Parameter: `registrationDescription` - -Description of the offer/registration. i.e. 'Managed by '. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location deployment metadata. - -- Required: No -- Type: string -- Default: `[deployment().location]` - -### Parameter: `resourceGroupName` - -Specify the name of the Resource Group to delegate access to. If not provided, delegation will be done on the targeted subscription. - -- Required: No -- Type: string -- Default: `''` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `assignmentResourceId` | string | The registration assignment resource ID. | -| `name` | string | The name of the registration definition. | -| `resourceId` | string | The resource ID of the registration definition. | -| `subscriptionName` | string | The subscription the registration definition was deployed into. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Considerations - -This module can be deployed both at subscription and resource group level: - -- To deploy the module at resource group level, provide a valid name of an existing Resource Group in the `resourceGroupName` parameter. -- To deploy the module at the subscription level, leave the `resourceGroupName` parameter empty. 
- -#### Permissions required to create delegations - -This deployment must be done by a non-guest account in the customer's tenant which has a role with the `Microsoft.Authorization/roleAssignments/write` permission, -such as [`Owner`](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner) for the subscription being onboarded (or which contains the resource groups that are being onboarded). - -If the subscription was created through the Cloud Solution Provider (CSP) program, any user who has the AdminAgent role in your service provider tenant can perform the deployment. - - -#### Permissions required to remove delegations - -##### From customer side - -Users in the customer's tenant who have a role with the `Microsoft.Authorization/roleAssignments/write` permission, such as -[`Owner`](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner) can remove service provider -access to that subscription (or to resource groups in that subscription). To do so, the user can go to the Service providers -page of the Azure portal and delete the delegation. - -##### From managing tenant side - -Users in a managing tenant can remove access to delegated resources if they were granted the -[`Managed Services Registration Assignment Delete Role`](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#managed-services-registration-assignment-delete-role) -for the customer's resources. If this role was not assigned to any service provider users, the delegation can **only** be -removed by a user in the customer's tenant. - -#### Limitations with Lighthouse and resource delegation - -There are a couple of limitations that you should be aware of with Lighthouse: - -- Only allows resource delegation within Azure Resource Manager. Excludes Azure Active Directory, Microsoft 365 and Dynamics 365. -- Only supports delegation of control plane permissions. Excludes data plane access. 
-- Only supports subscription and resource group scopes. Excludes tenant and management group delegations. -- Only supports built-in roles, with the exception of `Owner`. Excludes the use of custom roles. +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/managed-services/registration-definition/main.bicep b/modules/managed-services/registration-definition/main.bicep deleted file mode 100644 index 81dcaefa41..0000000000 --- a/modules/managed-services/registration-definition/main.bicep +++ /dev/null 
@@ -1,83 +0,0 @@
-metadata name = 'Registration Definitions'
-metadata description = '''This module deploys a `Registration Definition` and a `Registration Assignment` (often referred to as 'Lighthouse' or 'resource delegation')
-on subscription or resource group scopes. This type of delegation is very similar to role assignments but here the principal that is
-assigned a role is in a remote/managing Azure Active Directory tenant. The templates are run towards the tenant where
-the Azure resources you want to delegate access to are, providing 'authorizations' (aka. access delegation) to principals in a
-remote/managing tenant.'''
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'subscription'
-
-@description('Required. Specify a unique name for your offer/registration. i.e \' - - \'.')
-param name string
-
-@description('Required. Description of the offer/registration. i.e. \'Managed by \'.')
-param registrationDescription string
-
-@description('Required. Specify the tenant ID of the tenant which homes the principals you are delegating permissions to.')
-param managedByTenantId string
-
-@description('Required. Specify an array of objects, containing object of Azure Active Directory principalId, a Azure roleDefinitionId, and an optional principalIdDisplayName. The roleDefinition specified is granted to the principalId in the provider\'s Active Directory and the principalIdDisplayName is visible to customers.')
-param authorizations array
-
-@description('Optional. Specify the name of the Resource Group to delegate access to. If not provided, delegation will be done on the targeted subscription.')
-param resourceGroupName string = ''
-
-@description('Optional. Location deployment metadata.')
-param location string = deployment().location
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var registrationId = empty(resourceGroupName) ? guid(managedByTenantId, subscription().tenantId, subscription().subscriptionId) : guid(managedByTenantId, subscription().tenantId, subscription().subscriptionId, resourceGroupName)
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- location: location
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource registrationDefinition 'Microsoft.ManagedServices/registrationDefinitions@2019-09-01' = {
- name: registrationId
- properties: {
- registrationDefinitionName: name
- description: registrationDescription
- managedByTenantId: managedByTenantId
- authorizations: authorizations
- }
-}
-
-resource registrationAssignment_sub 'Microsoft.ManagedServices/registrationAssignments@2019-09-01' = if (empty(resourceGroupName)) {
- name: registrationId
- properties: {
- registrationDefinitionId: registrationDefinition.id
- }
-}
-
-module registrationAssignment_rg '.bicep/nested_registrationAssignment.bicep' = if (!empty(resourceGroupName)) {
- name: '${uniqueString(deployment().name)}-RegDef-RegAssignment'
- scope: resourceGroup(resourceGroupName)
- params: {
- registrationDefinitionId: registrationDefinition.id
- registrationAssignmentId: registrationId
- }
-}
-
-@description('The name of the registration definition.')
-output name string = registrationDefinition.name
-
-@description('The resource ID of the registration definition.')
-output resourceId string = registrationDefinition.id
-
-@description('The subscription the registration definition was deployed into.')
-output subscriptionName string = subscription().displayName
-
-@description('The registration assignment resource ID.')
-output assignmentResourceId string = empty(resourceGroupName) ? registrationAssignment_sub.id : registrationAssignment_rg.outputs.resourceId
diff --git a/modules/managed-services/registration-definition/main.json b/modules/managed-services/registration-definition/main.json
deleted file mode 100644
index 5c0ad2afbd..0000000000
--- a/modules/managed-services/registration-definition/main.json
+++ /dev/null
@@ -1,203 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13729611017288752561" - }, - "name": "Registration Definitions", - "description": "This module deploys a `Registration Definition` and a `Registration Assignment` (often referred to as 'Lighthouse' or 'resource delegation')\non subscription or resource group scopes. This type of delegation is very similar to role assignments but here the principal that is\nassigned a role is in a remote/managing Azure Active Directory tenant. The templates are run towards the tenant where\nthe Azure resources you want to delegate access to are, providing 'authorizations' (aka. access delegation) to principals in a\nremote/managing tenant.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Specify a unique name for your offer/registration. i.e ' - - '." - } - }, - "registrationDescription": { - "type": "string", - "metadata": { - "description": "Required. Description of the offer/registration. i.e. 'Managed by '." - } - }, - "managedByTenantId": { - "type": "string", - "metadata": { - "description": "Required. Specify the tenant ID of the tenant which homes the principals you are delegating permissions to." - } - }, - "authorizations": { - "type": "array", - "metadata": { - "description": "Required. Specify an array of objects, containing object of Azure Active Directory principalId, a Azure roleDefinitionId, and an optional principalIdDisplayName. The roleDefinition specified is granted to the principalId in the provider's Active Directory and the principalIdDisplayName is visible to customers." - } - }, - "resourceGroupName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
Specify the name of the Resource Group to delegate access to. If not provided, delegation will be done on the targeted subscription." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "registrationId": "[if(empty(parameters('resourceGroupName')), guid(parameters('managedByTenantId'), subscription().tenantId, subscription().subscriptionId), guid(parameters('managedByTenantId'), subscription().tenantId, subscription().subscriptionId, parameters('resourceGroupName')))]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ManagedServices/registrationDefinitions", - "apiVersion": "2019-09-01", - "name": "[variables('registrationId')]", - "properties": { - "registrationDefinitionName": "[parameters('name')]", - "description": "[parameters('registrationDescription')]", - "managedByTenantId": "[parameters('managedByTenantId')]", - "authorizations": "[parameters('authorizations')]" - } - }, - { - "condition": "[empty(parameters('resourceGroupName'))]", - "type": "Microsoft.ManagedServices/registrationAssignments", - "apiVersion": "2019-09-01", - "name": "[variables('registrationId')]", - "properties": { - "registrationDefinitionId": 
"[subscriptionResourceId('Microsoft.ManagedServices/registrationDefinitions', variables('registrationId'))]" - }, - "dependsOn": [ - "[subscriptionResourceId('Microsoft.ManagedServices/registrationDefinitions', variables('registrationId'))]" - ] - }, - { - "condition": "[not(empty(parameters('resourceGroupName')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-RegDef-RegAssignment', uniqueString(deployment().name))]", - "resourceGroup": "[parameters('resourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "registrationDefinitionId": { - "value": "[subscriptionResourceId('Microsoft.ManagedServices/registrationDefinitions', variables('registrationId'))]" - }, - "registrationAssignmentId": { - "value": "[variables('registrationId')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "3802628714549364686" - } - }, - "parameters": { - "registrationDefinitionId": { - "type": "string" - }, - "registrationAssignmentId": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.ManagedServices/registrationAssignments", - "apiVersion": "2019-09-01", - "name": "[parameters('registrationAssignmentId')]", - "properties": { - "registrationDefinitionId": "[parameters('registrationDefinitionId')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the registration assignment." - }, - "value": "[parameters('registrationAssignmentId')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the registration assignment." 
- }, - "value": "[resourceId('Microsoft.ManagedServices/registrationAssignments', parameters('registrationAssignmentId'))]" - } - } - } - }, - "dependsOn": [ - "[subscriptionResourceId('Microsoft.ManagedServices/registrationDefinitions', variables('registrationId'))]" - ] - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the registration definition." - }, - "value": "[variables('registrationId')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the registration definition." - }, - "value": "[subscriptionResourceId('Microsoft.ManagedServices/registrationDefinitions', variables('registrationId'))]" - }, - "subscriptionName": { - "type": "string", - "metadata": { - "description": "The subscription the registration definition was deployed into." - }, - "value": "[subscription().displayName]" - }, - "assignmentResourceId": { - "type": "string", - "metadata": { - "description": "The registration assignment resource ID." - }, - "value": "[if(empty(parameters('resourceGroupName')), subscriptionResourceId('Microsoft.ManagedServices/registrationAssignments', variables('registrationId')), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-RegDef-RegAssignment', uniqueString(deployment().name))), '2022-09-01').outputs.resourceId.value)]" - } - } -} \ No newline at end of file diff --git a/modules/managed-services/registration-definition/tests/e2e/max/main.test.bicep b/modules/managed-services/registration-definition/tests/e2e/max/main.test.bicep deleted file mode 100644 index 703eb9a46e..0000000000 --- a/modules/managed-services/registration-definition/tests/e2e/max/main.test.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'msrdmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: 'Component Validation - ${namePrefix}${serviceShort} Subscription assignment'
- authorizations: [
- {
- principalId: '<< SET YOUR PRINCIPAL ID 1 HERE >>'
- principalIdDisplayName: 'ResourceModules-Reader'
- roleDefinitionId: 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
- }
- {
- principalId: '<< SET YOUR PRINCIPAL ID 2 HERE >>'
- principalIdDisplayName: 'ResourceModules-Contributor'
- roleDefinitionId: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- }
- {
- principalId: '<< SET YOUR PRINCIPAL ID 3 HERE >>'
- principalIdDisplayName: 'ResourceModules-LHManagement'
- roleDefinitionId: '91c1777a-f3dc-4fae-b103-61d183457e46'
- }
- ]
- managedByTenantId: '<< SET YOUR TENANT ID HERE >>'
- registrationDescription: 'Managed by Lighthouse'
- }
-}]
diff --git a/modules/managed-services/registration-definition/tests/e2e/rg/main.test.bicep b/modules/managed-services/registration-definition/tests/e2e/rg/main.test.bicep
deleted file mode 100644
index f3407db0d1..0000000000
--- a/modules/managed-services/registration-definition/tests/e2e/rg/main.test.bicep
+++ /dev/null
@@ -1,65 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-managedservices.registrationdefinitions-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'msrdrg' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: 'Component Validation - ${namePrefix}${serviceShort} Resource group assignment' - authorizations: [ - { - principalId: '<< SET YOUR PRINCIPAL ID 1 HERE >>' - principalIdDisplayName: 'ResourceModules-Reader' - roleDefinitionId: 'acdd72a7-3385-48ef-bd42-f606fba81ae7' - } - { - principalId: '<< SET YOUR PRINCIPAL ID 2 HERE >>' - principalIdDisplayName: 'ResourceModules-Contributor' - roleDefinitionId: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '<< SET YOUR PRINCIPAL ID 3 HERE >>' - principalIdDisplayName: 'ResourceModules-LHManagement' - 
roleDefinitionId: '91c1777a-f3dc-4fae-b103-61d183457e46' - } - ] - managedByTenantId: '<< SET YOUR TENANT ID HERE >>' - registrationDescription: 'Managed by Lighthouse' - resourceGroupName: resourceGroup.name - } -}] diff --git a/modules/managed-services/registration-definition/tests/e2e/waf-aligned/main.test.bicep b/modules/managed-services/registration-definition/tests/e2e/waf-aligned/main.test.bicep deleted file mode 100644 index f28e22d49b..0000000000 --- a/modules/managed-services/registration-definition/tests/e2e/waf-aligned/main.test.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'msrdwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: 'Component Validation - ${namePrefix}${serviceShort} Subscription assignment'
- authorizations: [
- {
- principalId: '<< SET YOUR PRINCIPAL ID 1 HERE >>'
- principalIdDisplayName: 'ResourceModules-Reader'
- roleDefinitionId: 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
- }
- {
- principalId: '<< SET YOUR PRINCIPAL ID 2 HERE >>'
- principalIdDisplayName: 'ResourceModules-Contributor'
- roleDefinitionId: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- }
- {
- principalId: '<< SET YOUR PRINCIPAL ID 3 HERE >>'
- principalIdDisplayName: 'ResourceModules-LHManagement'
- roleDefinitionId: '91c1777a-f3dc-4fae-b103-61d183457e46'
- }
- ]
- managedByTenantId: '<< SET YOUR TENANT ID HERE >>'
- registrationDescription: 'Managed by Lighthouse'
- }
-}]
diff --git a/modules/managed-services/registration-definition/version.json b/modules/managed-services/registration-definition/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/managed-services/registration-definition/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/management/management-group/MOVED-TO-AVM.md b/modules/management/management-group/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/management/management-group/MOVED-TO-AVM.md +++ /dev/null @@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/management/management-group/README.md b/modules/management/management-group/README.md index 395715c7c5..e581ac7f32 100644 --- a/modules/management/management-group/README.md +++ b/modules/management/management-group/README.md @@ -1,285 +1,7 @@ -# Management Groups `[Microsoft.Management/managementGroups]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/management/management-group](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/management/management-group).** -This template will prepare the management group structure based on the provided parameter. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/management/management-group). -This module has some known **limitations**: -- It's not possible to change the display name of the root management group (the one that has the tenant GUID as ID) -- It can't manage the Root (/) management group - -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Management/managementGroups` | [2021-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Management/2021-04-01/managementGroups) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/management.management-group:1.0.0`. 
- -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module managementGroup 'br:bicep/modules/management.management-group:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-mmgmin' - params: { - // Required parameters - name: 'mmgmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "mmgmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module managementGroup 'br:bicep/modules/management.management-group:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-mmgmax' - params: { - // Required parameters - name: 'mmgmax001' - // Non-required parameters - displayName: 'Test MG' - enableDefaultTelemetry: '' - parentId: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "mmgmax001" - }, - // Non-required parameters - "displayName": { - "value": "Test MG" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "parentId": { - "value": "" - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module managementGroup 'br:bicep/modules/management.management-group:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-mmgwaf' - params: { - // Required parameters - name: 'mmgwaf001' - // Non-required parameters - displayName: 'Test MG' - enableDefaultTelemetry: '' - parentId: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "mmgwaf001" - }, - // Non-required parameters - "displayName": { - "value": "Test MG" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "parentId": { - "value": "" - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The group ID of the Management group. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`displayName`](#parameter-displayname) | string | The friendly name of the management group. If no value is passed then this field will be set to the group ID. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location deployment metadata. | -| [`parentId`](#parameter-parentid) | string | The management group parent ID. Defaults to current scope. | - -### Parameter: `name` - -The group ID of the Management group. - -- Required: Yes -- Type: string - -### Parameter: `displayName` - -The friendly name of the management group. If no value is passed then this field will be set to the group ID. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location deployment metadata. - -- Required: No -- Type: string -- Default: `[deployment().location]` - -### Parameter: `parentId` - -The management group parent ID. Defaults to current scope. - -- Required: No -- Type: string -- Default: `[last(split(managementGroup().id, '/'))]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the management group. | -| `resourceId` | string | The resource ID of the management group. 
| - -## Cross-referenced modules - -_None_ - -## Notes - -### Considerations - -This template is using a **Tenant level deployment**, meaning the user/principal deploying it needs to have the [proper access](https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-to-tenant#required-access) - -If owner access is excessive, the following rights roles will grant enough rights: - -- **Automation Job Operator** at **tenant** level (scope '/') -- **Management Group Contributor** at the top management group that needs to be managed - -Consider using the following script: - -```powershell -$PrincipalID = "" -$TopMGID = "" -New-AzRoleAssignment -ObjectId $PrincipalID -Scope "/" -RoleDefinitionName "Automation Job Operator" -New-AzRoleAssignment -ObjectId $PrincipalID -Scope "/providers/Microsoft.Management/managementGroups/$TopMGID" -RoleDefinitionName "Management Group Contributor" -``` +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/management/management-group/main.bicep b/modules/management/management-group/main.bicep deleted file mode 100644 index 7f68991076..0000000000 --- a/modules/management/management-group/main.bicep +++ /dev/null 
@@ -1,61 +0,0 @@ -metadata name = 'Management Groups' -metadata description = '''This template will prepare the management group structure based on the provided parameter. - -This module has some known **limitations**: -- It's not possible to change the display name of the root management group (the one that has the tenant GUID as ID) -- It can't manage the Root (/) management group''' -metadata owner = 'Azure/module-maintainers' - -targetScope = 'managementGroup' - -@description('Required. The group ID of the Management group.') -param name string - -@description('Optional. The friendly name of the management group. If no value is passed then this field will be set to the group ID.') -param displayName string = '' - -@description('Optional. The management group parent ID. Defaults to current scope.') -param parentId string = last(split(az.managementGroup().id, '/'))! - -@description('Optional. Location deployment metadata.') -param location string = deployment().location - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - location: location - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource parentManagementGroup 'Microsoft.Management/managementGroups@2021-04-01' existing = { - name: parentId - scope: tenant() -} - -resource managementGroup 'Microsoft.Management/managementGroups@2021-04-01' = { - name: name - scope: tenant() - properties: { - displayName: displayName - details: !empty(parentId) ? 
{ - parent: { - id: parentManagementGroup.id - } - } : null - } -} - -@description('The name of the management group.') -output name string = managementGroup.name - -@description('The resource ID of the management group.') -output resourceId string = managementGroup.id diff --git a/modules/management/management-group/main.json b/modules/management/management-group/main.json deleted file mode 100644 index 532fdd84b8..0000000000 --- a/modules/management/management-group/main.json +++ /dev/null 
@@ -1,93 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9848271619799259955" - }, - "name": "Management Groups", - "description": "This template will prepare the management group structure based on the provided parameter.\n\nThis module has some known **limitations**:\n- It's not possible to change the display name of the root management group (the one that has the tenant GUID as ID)\n- It can't manage the Root (/) management group", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The group ID of the Management group." - } - }, - "displayName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The friendly name of the management group. If no value is passed then this field will be set to the group ID." - } - }, - "parentId": { - "type": "string", - "defaultValue": "[last(split(managementGroup().id, '/'))]", - "metadata": { - "description": "Optional. The management group parent ID. Defaults to current scope." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Management/managementGroups", - "apiVersion": "2021-04-01", - "scope": "/", - "name": "[parameters('name')]", - "properties": { - "displayName": "[parameters('displayName')]", - "details": "[if(not(empty(parameters('parentId'))), createObject('parent', createObject('id', tenantResourceId('Microsoft.Management/managementGroups', parameters('parentId')))), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the management group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the management group." - }, - "value": "[tenantResourceId('Microsoft.Management/managementGroups', parameters('name'))]" - } - } -} \ No newline at end of file diff --git a/modules/management/management-group/tests/e2e/defaults/main.test.bicep b/modules/management/management-group/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 14872bf2d3..0000000000 --- a/modules/management/management-group/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,30 +0,0 @@
-targetScope = 'managementGroup'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'mmgmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/management/management-group/tests/e2e/max/main.test.bicep b/modules/management/management-group/tests/e2e/max/main.test.bicep
deleted file mode 100644
index c47632027d..0000000000
--- a/modules/management/management-group/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,32 +0,0 @@
-targetScope = 'managementGroup'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'mmgmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- displayName: 'Test MG'
- parentId: last(split(managementGroup().id, '/'))
- }
-}]
diff --git a/modules/management/management-group/tests/e2e/waf-aligned/main.test.bicep b/modules/management/management-group/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 93652e6765..0000000000
--- a/modules/management/management-group/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,32 +0,0 @@
-targetScope = 'managementGroup'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'mmgwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- displayName: 'Test MG'
- parentId: last(split(managementGroup().id, '/'))
- }
-}]
diff --git a/modules/management/management-group/version.json b/modules/management/management-group/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/management/management-group/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/net-app/net-app-account/MOVED-TO-AVM.md b/modules/net-app/net-app-account/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/net-app/net-app-account/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/net-app/net-app-account/README.md b/modules/net-app/net-app-account/README.md index c2bc9668f6..9439bc2799 100644 --- a/modules/net-app/net-app-account/README.md +++ b/modules/net-app/net-app-account/README.md @@ -1,851 +1,7 @@ -# Azure NetApp Files `[Microsoft.NetApp/netAppAccounts]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/net-app/net-app-account](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/net-app/net-app-account).** -This module deploys an Azure NetApp File. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/net-app/net-app-account). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.NetApp/netAppAccounts` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts) | -| `Microsoft.NetApp/netAppAccounts/capacityPools` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts/capacityPools) | -| `Microsoft.NetApp/netAppAccounts/capacityPools/volumes` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts/capacityPools/volumes) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. 
For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/net-app.net-app-account:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Nfs3](#example-2-nfs3) -- [Nfs41](#example-3-nfs41) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nanaamin' - params: { - // Required parameters - name: 'nanaamin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nanaamin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Nfs3_ - -

- -via Bicep module - -```bicep -module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nanaanfs3' - params: { - // Required parameters - name: 'nanaanfs3001' - // Non-required parameters - capacityPools: [ - { - name: 'nanaanfs3-cp-001' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - serviceLevel: 'Premium' - size: 4398046511104 - volumes: [ - { - exportPolicyRules: [ - { - allowedClients: '0.0.0.0/0' - nfsv3: true - nfsv41: false - ruleIndex: 1 - unixReadOnly: false - unixReadWrite: true - } - ] - name: 'nanaanfs3-vol-001' - protocolTypes: [ - 'NFSv3' - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - subnetResourceId: '' - usageThreshold: 107374182400 - } - { - name: 'nanaanfs3-vol-002' - protocolTypes: [ - 'NFSv3' - ] - subnetResourceId: '' - usageThreshold: 107374182400 - } - ] - } - { - name: 'nanaanfs3-cp-002' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - serviceLevel: 'Premium' - size: 4398046511104 - volumes: [] - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Contact: 'test.user@testcompany.com' - CostCenter: '7890' - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - PurchaseOrder: '1234' - Role: 'DeploymentValidation' - ServiceName: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nanaanfs3001" - }, - // Non-required parameters - "capacityPools": { - "value": [ - { - "name": "nanaanfs3-cp-001", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "serviceLevel": "Premium", - "size": 4398046511104, - "volumes": [ - { - "exportPolicyRules": [ - { - "allowedClients": "0.0.0.0/0", - "nfsv3": true, - "nfsv41": false, - "ruleIndex": 1, - "unixReadOnly": false, - "unixReadWrite": true - } - ], - "name": "nanaanfs3-vol-001", - "protocolTypes": [ - "NFSv3" - ], - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "subnetResourceId": "", - "usageThreshold": 107374182400 - }, - { - "name": "nanaanfs3-vol-002", - "protocolTypes": [ - "NFSv3" - ], - "subnetResourceId": "", - "usageThreshold": 107374182400 - } - ] - }, - { - "name": "nanaanfs3-cp-002", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "serviceLevel": "Premium", - "size": 4398046511104, - "volumes": [] - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Contact": "test.user@testcompany.com", - "CostCenter": 
"7890", - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "PurchaseOrder": "1234", - "Role": "DeploymentValidation", - "ServiceName": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _Nfs41_ - -

- -via Bicep module - -```bicep -module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nanaanfs41' - params: { - // Required parameters - name: 'nanaanfs41001' - // Non-required parameters - capacityPools: [ - { - name: 'nanaanfs41-cp-001' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - serviceLevel: 'Premium' - size: 4398046511104 - volumes: [ - { - exportPolicyRules: [ - { - allowedClients: '0.0.0.0/0' - nfsv3: false - nfsv41: true - ruleIndex: 1 - unixReadOnly: false - unixReadWrite: true - } - ] - name: 'nanaanfs41-vol-001' - protocolTypes: [ - 'NFSv4.1' - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - subnetResourceId: '' - usageThreshold: 107374182400 - } - { - exportPolicyRules: [ - { - allowedClients: '0.0.0.0/0' - nfsv3: false - nfsv41: true - ruleIndex: 1 - unixReadOnly: false - unixReadWrite: true - } - ] - name: 'nanaanfs41-vol-002' - protocolTypes: [ - 'NFSv4.1' - ] - subnetResourceId: '' - usageThreshold: 107374182400 - } - ] - } - { - name: 'nanaanfs41-cp-002' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - serviceLevel: 'Premium' - size: 4398046511104 - volumes: [] - } - ] - enableDefaultTelemetry: '' - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Contact: 'test.user@testcompany.com' - CostCenter: '7890' - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource 
name' - PurchaseOrder: '1234' - Role: 'DeploymentValidation' - ServiceName: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nanaanfs41001" - }, - // Non-required parameters - "capacityPools": { - "value": [ - { - "name": "nanaanfs41-cp-001", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "serviceLevel": "Premium", - "size": 4398046511104, - "volumes": [ - { - "exportPolicyRules": [ - { - "allowedClients": "0.0.0.0/0", - "nfsv3": false, - "nfsv41": true, - "ruleIndex": 1, - "unixReadOnly": false, - "unixReadWrite": true - } - ], - "name": "nanaanfs41-vol-001", - "protocolTypes": [ - "NFSv4.1" - ], - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "subnetResourceId": "", - "usageThreshold": 107374182400 - }, - { - "exportPolicyRules": [ - { - "allowedClients": "0.0.0.0/0", - "nfsv3": false, - "nfsv41": true, - "ruleIndex": 1, - "unixReadOnly": false, - "unixReadWrite": true - } - ], - "name": "nanaanfs41-vol-002", - "protocolTypes": [ - "NFSv4.1" - ], - "subnetResourceId": "", - "usageThreshold": 107374182400 - } - ] - }, - { - "name": "nanaanfs41-cp-002", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "serviceLevel": "Premium", - "size": 4398046511104, - "volumes": [] - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - 
"principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Contact": "test.user@testcompany.com", - "CostCenter": "7890", - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "PurchaseOrder": "1234", - "Role": "DeploymentValidation", - "ServiceName": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the NetApp account. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`capacityPools`](#parameter-capacitypools) | array | Capacity pools to create. | -| [`dnsServers`](#parameter-dnsservers) | string | Required if domainName is specified. Comma separated list of DNS server IP addresses (IPv4 only) required for the Active Directory (AD) domain join and SMB authentication operations to succeed. | -| [`domainJoinOU`](#parameter-domainjoinou) | string | Used only if domainName is specified. LDAP Path for the Organization Unit (OU) where SMB Server machine accounts will be created (i.e. 'OU=SecondLevel,OU=FirstLevel'). | -| [`domainJoinPassword`](#parameter-domainjoinpassword) | securestring | Required if domainName is specified. Password of the user specified in domainJoinUser parameter. | -| [`domainJoinUser`](#parameter-domainjoinuser) | string | Required if domainName is specified. Username of Active Directory domain administrator, with permissions to create SMB server machine account in the AD domain. | -| [`domainName`](#parameter-domainname) | string | Fully Qualified Active Directory DNS Domain Name (e.g. 'contoso.com'). | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`smbServerNamePrefix`](#parameter-smbservernameprefix) | string | Required if domainName is specified. NetBIOS name of the SMB server. 
A computer account with this prefix will be registered in the AD and used to mount volumes. | -| [`tags`](#parameter-tags) | object | Tags for all resources. | - -### Parameter: `name` - -The name of the NetApp account. - -- Required: Yes -- Type: string - -### Parameter: `capacityPools` - -Capacity pools to create. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `dnsServers` - -Required if domainName is specified. Comma separated list of DNS server IP addresses (IPv4 only) required for the Active Directory (AD) domain join and SMB authentication operations to succeed. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `domainJoinOU` - -Used only if domainName is specified. LDAP Path for the Organization Unit (OU) where SMB Server machine accounts will be created (i.e. 'OU=SecondLevel,OU=FirstLevel'). - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `domainJoinPassword` - -Required if domainName is specified. Password of the user specified in domainJoinUser parameter. - -- Required: No -- Type: securestring -- Default: `''` - -### Parameter: `domainJoinUser` - -Required if domainName is specified. Username of Active Directory domain administrator, with permissions to create SMB server machine account in the AD domain. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `domainName` - -Fully Qualified Active Directory DNS Domain Name (e.g. 'contoso.com'). - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. 
- -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: Yes -- Type: array - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. 
- -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `smbServerNamePrefix` - -Required if domainName is specified. NetBIOS name of the SMB server. A computer account with this prefix will be registered in the AD and used to mount volumes. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `tags` - -Tags for all resources. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the NetApp account. | -| `resourceGroupName` | string | The name of the Resource Group the NetApp account was created in. | -| `resourceId` | string | The Resource ID of the NetApp account. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/net-app/net-app-account/capacity-pool/README.md b/modules/net-app/net-app-account/capacity-pool/README.md deleted file mode 100644 index 381674df79..0000000000 --- a/modules/net-app/net-app-account/capacity-pool/README.md +++ /dev/null 
@@ -1,257 +0,0 @@
-# Azure NetApp Files Capacity Pools `[Microsoft.NetApp/netAppAccounts/capacityPools]`
-
-This module deploys an Azure NetApp Files Capacity Pool.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
-| `Microsoft.NetApp/netAppAccounts/capacityPools` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts/capacityPools) |
-| `Microsoft.NetApp/netAppAccounts/capacityPools/volumes` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts/capacityPools/volumes) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the capacity pool. |
-| [`size`](#parameter-size) | int | Provisioned size of the pool (in bytes). Allowed values are in 4TiB chunks (value must be multiply of 4398046511104). |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`netAppAccountName`](#parameter-netappaccountname) | string | The name of the parent NetApp account. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`coolAccess`](#parameter-coolaccess) | bool | If enabled (true) the pool can contain cool Access enabled volumes. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). 
|
-| [`encryptionType`](#parameter-encryptiontype) | string | Encryption type of the capacity pool, set encryption type for data at rest for this pool and all volumes in it. This value can only be set when creating new pool. |
-| [`location`](#parameter-location) | string | Location of the pool volume. |
-| [`qosType`](#parameter-qostype) | string | The qos type of the pool. |
-| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
-| [`serviceLevel`](#parameter-servicelevel) | string | The pool service level. |
-| [`tags`](#parameter-tags) | object | Tags for all resources. |
-| [`volumes`](#parameter-volumes) | array | List of volumnes to create in the capacity pool. |
-
-### Parameter: `name`
-
-The name of the capacity pool.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `size`
-
-Provisioned size of the pool (in bytes). Allowed values are in 4TiB chunks (value must be multiply of 4398046511104).
-
-- Required: Yes
-- Type: int
-
-### Parameter: `netAppAccountName`
-
-The name of the parent NetApp account. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `coolAccess`
-
-If enabled (true) the pool can contain cool Access enabled volumes.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `encryptionType`
-
-Encryption type of the capacity pool, set encryption type for data at rest for this pool and all volumes in it. This value can only be set when creating new pool.
-
-- Required: No
-- Type: string
-- Default: `'Single'`
-- Allowed:
- ```Bicep
- [
- 'Double'
- 'Single'
- ]
- ```
-
-### Parameter: `location`
-
-Location of the pool volume.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-### Parameter: `qosType`
-
-The qos type of the pool. 
-
-- Required: No
-- Type: string
-- Default: `'Auto'`
-- Allowed:
- ```Bicep
- [
- 'Auto'
- 'Manual'
- ]
- ```
-
-### Parameter: `roleAssignments`
-
-Array of role assignments to create.
-
-- Required: No
-- Type: array
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
-| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. |
-| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. |
-| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. |
-| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. |
-
-### Parameter: `roleAssignments.principalId`
-
-The principal ID of the principal (user/group/identity) to assign the role to.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.roleDefinitionIdOrName`
-
-The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.condition`
-
-The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.conditionVersion`
-
-Version of the condition.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- '2.0'
- ]
- ```
-
-### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
-
-The Resource Id of the delegated managed identity resource.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.description`
-
-The description of the role assignment.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.principalType`
-
-The principal type of the assigned principal ID.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Device'
- 'ForeignGroup'
- 'Group'
- 'ServicePrincipal'
- 'User'
- ]
- ```
-
-### Parameter: `serviceLevel`
-
-The pool service level.
-
-- Required: No
-- Type: string
-- Default: `'Standard'`
-- Allowed:
- ```Bicep
- [
- 'Premium'
- 'Standard'
- 'StandardZRS'
- 'Ultra'
- ]
- ```
-
-### Parameter: `tags`
-
-Tags for all resources.
-
-- Required: No
-- Type: object
-
-### Parameter: `volumes`
-
-List of volumnes to create in the capacity pool.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the Capacity Pool. |
-| `resourceGroupName` | string | The name of the Resource Group the Capacity Pool was created in. 
|
-| `resourceId` | string | The resource ID of the Capacity Pool. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/net-app/net-app-account/capacity-pool/main.bicep b/modules/net-app/net-app-account/capacity-pool/main.bicep
deleted file mode 100644
index 213245ba7e..0000000000
--- a/modules/net-app/net-app-account/capacity-pool/main.bicep
+++ /dev/null
@@ -1,164 +0,0 @@
-metadata name = 'Azure NetApp Files Capacity Pools'
-metadata description = 'This module deploys an Azure NetApp Files Capacity Pool.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent NetApp account. Required if the template is used in a standalone deployment.')
-param netAppAccountName string
-
-@description('Required. The name of the capacity pool.')
-param name string
-
-@description('Optional. Location of the pool volume.')
-param location string = resourceGroup().location
-
-@description('Optional. Tags for all resources.')
-param tags object?
-
-@description('Optional. The pool service level.')
-@allowed([
- 'Premium'
- 'Standard'
- 'StandardZRS'
- 'Ultra'
-])
-param serviceLevel string = 'Standard'
-
-@description('Required. Provisioned size of the pool (in bytes). Allowed values are in 4TiB chunks (value must be multiply of 4398046511104).')
-param size int
-
-@description('Optional. The qos type of the pool.')
-@allowed([
- 'Auto'
- 'Manual'
-])
-param qosType string = 'Auto'
-
-@description('Optional. List of volumnes to create in the capacity pool.')
-param volumes array = []
-
-@description('Optional. If enabled (true) the pool can contain cool Access enabled volumes.')
-param coolAccess bool = false
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Encryption type of the capacity pool, set encryption type for data at rest for this pool and all volumes in it. This value can only be set when creating new pool.')
-@allowed([
- 'Double'
- 'Single'
-])
-param encryptionType string = 'Single'
-
-@description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource netAppAccount 'Microsoft.NetApp/netAppAccounts@2022-11-01' existing = {
- name: netAppAccountName
-}
-
-resource capacityPool 'Microsoft.NetApp/netAppAccounts/capacityPools@2022-11-01' = {
- name: name
- parent: netAppAccount
- location: location
- tags: tags
- properties: {
- serviceLevel: serviceLevel
- size: size
- qosType: qosType
- coolAccess: coolAccess
- encryptionType: encryptionType
- }
-}
-
-@batchSize(1)
-module capacityPool_volumes 'volume/main.bicep' = [for (volume, index) in volumes: {
- name: '${deployment().name}-Vol-${index}'
- params: {
- netAppAccountName: netAppAccount.name
- capacityPoolName: capacityPool.name
- name: volume.name
- location: location
- serviceLevel: serviceLevel
- creationToken: contains(volume, 
'creationToken') ? volume.creationToken : volume.name
- usageThreshold: volume.usageThreshold
- protocolTypes: contains(volume, 'protocolTypes') ? volume.protocolTypes : []
- subnetResourceId: volume.subnetResourceId
- exportPolicyRules: contains(volume, 'exportPolicyRules') ? volume.exportPolicyRules : []
- roleAssignments: contains(volume, 'roleAssignments') ? volume.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-resource capacityPool_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(capacityPool.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? 
'2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: capacityPool
-}]
-
-@description('The name of the Capacity Pool.')
-output name string = capacityPool.name
-
-@description('The resource ID of the Capacity Pool.')
-output resourceId string = capacityPool.id
-
-@description('The name of the Resource Group the Capacity Pool was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = capacityPool.location
-// =============== //
-// Definitions //
-// =============== //
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/net-app/net-app-account/capacity-pool/main.json b/modules/net-app/net-app-account/capacity-pool/main.json
deleted file mode 100644
index 464a90fcd8..0000000000
--- a/modules/net-app/net-app-account/capacity-pool/main.json
+++ /dev/null
@@ -1,609 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15353329491336313807" - }, - "name": "Azure NetApp Files Capacity Pools", - "description": "This module deploys an Azure NetApp Files Capacity Pool.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "netAppAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent NetApp account. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the capacity pool." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location of the pool volume." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags for all resources." - } - }, - "serviceLevel": { - "type": "string", - "defaultValue": "Standard", - "allowedValues": [ - "Premium", - "Standard", - "StandardZRS", - "Ultra" - ], - "metadata": { - "description": "Optional. The pool service level." - } - }, - "size": { - "type": "int", - "metadata": { - "description": "Required. Provisioned size of the pool (in bytes). Allowed values are in 4TiB chunks (value must be multiply of 4398046511104)." - } - }, - "qosType": { - "type": "string", - "defaultValue": "Auto", - "allowedValues": [ - "Auto", - "Manual" - ], - "metadata": { - "description": "Optional. The qos type of the pool." - } - }, - "volumes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of volumnes to create in the capacity pool." 
- } - }, - "coolAccess": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. If enabled (true) the pool can contain cool Access enabled volumes." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "encryptionType": { - "type": "string", - "defaultValue": "Single", - "allowedValues": [ - "Double", - "Single" - ], - "metadata": { - "description": "Optional. Encryption type of the capacity pool, set encryption type for data at rest for this pool and all volumes in it. This value can only be set when creating new pool." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - 
"template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "netAppAccount": { - "existing": true, - "type": "Microsoft.NetApp/netAppAccounts", - "apiVersion": "2022-11-01", - "name": "[parameters('netAppAccountName')]" - }, - "capacityPool": { - "type": "Microsoft.NetApp/netAppAccounts/capacityPools", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}', parameters('netAppAccountName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "serviceLevel": "[parameters('serviceLevel')]", - "size": "[parameters('size')]", - "qosType": "[parameters('qosType')]", - "coolAccess": "[parameters('coolAccess')]", - "encryptionType": "[parameters('encryptionType')]" - }, - "dependsOn": [ - "netAppAccount" - ] - }, - "capacityPool_roleAssignments": { - "copy": { - "name": "capacityPool_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}/capacityPools/{1}', parameters('netAppAccountName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools', parameters('netAppAccountName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "capacityPool" - ] - }, - "capacityPool_volumes": { - "copy": { - "name": "capacityPool_volumes", - "count": "[length(parameters('volumes'))]", - "mode": "serial", - "batchSize": 1 - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Vol-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "netAppAccountName": { - "value": "[parameters('netAppAccountName')]" - }, - "capacityPoolName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('volumes')[copyIndex()].name]" - }, - "location": { - "value": "[parameters('location')]" - }, - "serviceLevel": { - "value": 
"[parameters('serviceLevel')]" - }, - "creationToken": "[if(contains(parameters('volumes')[copyIndex()], 'creationToken'), createObject('value', parameters('volumes')[copyIndex()].creationToken), createObject('value', parameters('volumes')[copyIndex()].name))]", - "usageThreshold": { - "value": "[parameters('volumes')[copyIndex()].usageThreshold]" - }, - "protocolTypes": "[if(contains(parameters('volumes')[copyIndex()], 'protocolTypes'), createObject('value', parameters('volumes')[copyIndex()].protocolTypes), createObject('value', createArray()))]", - "subnetResourceId": { - "value": "[parameters('volumes')[copyIndex()].subnetResourceId]" - }, - "exportPolicyRules": "[if(contains(parameters('volumes')[copyIndex()], 'exportPolicyRules'), createObject('value', parameters('volumes')[copyIndex()].exportPolicyRules), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('volumes')[copyIndex()], 'roleAssignments'), createObject('value', parameters('volumes')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "3662331312918191126" - }, - "name": "Azure NetApp Files Capacity Pool Volumes", - "description": "This module deploys an Azure NetApp Files Capacity Pool Volume.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "netAppAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent NetApp account. Required if the template is used in a standalone deployment." - } - }, - "capacityPoolName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent capacity pool. Required if the template is used in a standalone deployment." 
- } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the pool volume." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location of the pool volume." - } - }, - "serviceLevel": { - "type": "string", - "defaultValue": "Standard", - "allowedValues": [ - "Premium", - "Standard", - "StandardZRS", - "Ultra" - ], - "metadata": { - "description": "Optional. The pool service level. Must match the one of the parent capacity pool." - } - }, - "creationToken": { - "type": "string", - "defaultValue": "[parameters('name')]", - "metadata": { - "description": "Optional. A unique file path for the volume. This is the name of the volume export. A volume is mounted using the export path. File path must start with an alphabetical character and be unique within the subscription." - } - }, - "usageThreshold": { - "type": "int", - "metadata": { - "description": "Required. Maximum storage quota allowed for a file system in bytes." - } - }, - "protocolTypes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Set of protocol types." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. The Azure Resource URI for a delegated subnet. Must have the delegation Microsoft.NetApp/volumes." - } - }, - "exportPolicyRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Export policy rules." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "netAppAccount::capacityPool": { - "existing": true, - "type": "Microsoft.NetApp/netAppAccounts/capacityPools", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}', parameters('netAppAccountName'), parameters('capacityPoolName'))]", - "dependsOn": [ - "netAppAccount" - ] - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "netAppAccount": { - "existing": true, - "type": "Microsoft.NetApp/netAppAccounts", - "apiVersion": "2022-11-01", - "name": "[parameters('netAppAccountName')]" - }, - "volume": { - "type": "Microsoft.NetApp/netAppAccounts/capacityPools/volumes", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}/{2}', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]", - "location": "[parameters('location')]", - "properties": { - "serviceLevel": 
"[parameters('serviceLevel')]", - "creationToken": "[parameters('creationToken')]", - "usageThreshold": "[parameters('usageThreshold')]", - "protocolTypes": "[parameters('protocolTypes')]", - "subnetId": "[parameters('subnetResourceId')]", - "exportPolicy": "[if(not(empty(parameters('exportPolicyRules'))), createObject('rules', parameters('exportPolicyRules')), null())]" - }, - "dependsOn": [ - "netAppAccount::capacityPool" - ] - }, - "volume_roleAssignments": { - "copy": { - "name": "volume_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}/capacityPools/{1}/volumes/{2}', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "volume" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the Volume." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The Resource ID of the Volume." - }, - "value": "[resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the Volume was created in." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('volume', '2022-11-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "capacityPool", - "netAppAccount" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the Capacity Pool." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Capacity Pool." 
- }, - "value": "[resourceId('Microsoft.NetApp/netAppAccounts/capacityPools', parameters('netAppAccountName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the Capacity Pool was created in." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('capacityPool', '2022-11-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/net-app/net-app-account/capacity-pool/version.json b/modules/net-app/net-app-account/capacity-pool/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/net-app/net-app-account/capacity-pool/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/net-app/net-app-account/capacity-pool/volume/README.md b/modules/net-app/net-app-account/capacity-pool/volume/README.md deleted file mode 100644 index bf17feb0a2..0000000000 --- a/modules/net-app/net-app-account/capacity-pool/volume/README.md +++ /dev/null 
@@ -1,241 +0,0 @@ -# Azure NetApp Files Capacity Pool Volumes `[Microsoft.NetApp/netAppAccounts/capacityPools/volumes]` - -This module deploys an Azure NetApp Files Capacity Pool Volume. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.NetApp/netAppAccounts/capacityPools/volumes` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts/capacityPools/volumes) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the pool volume. | -| [`subnetResourceId`](#parameter-subnetresourceid) | string | The Azure Resource URI for a delegated subnet. Must have the delegation Microsoft.NetApp/volumes. | -| [`usageThreshold`](#parameter-usagethreshold) | int | Maximum storage quota allowed for a file system in bytes. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`capacityPoolName`](#parameter-capacitypoolname) | string | The name of the parent capacity pool. Required if the template is used in a standalone deployment. | -| [`netAppAccountName`](#parameter-netappaccountname) | string | The name of the parent NetApp account. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`creationToken`](#parameter-creationtoken) | string | A unique file path for the volume. This is the name of the volume export. A volume is mounted using the export path. File path must start with an alphabetical character and be unique within the subscription. 
| -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`exportPolicyRules`](#parameter-exportpolicyrules) | array | Export policy rules. | -| [`location`](#parameter-location) | string | Location of the pool volume. | -| [`protocolTypes`](#parameter-protocoltypes) | array | Set of protocol types. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`serviceLevel`](#parameter-servicelevel) | string | The pool service level. Must match the one of the parent capacity pool. | - -### Parameter: `name` - -The name of the pool volume. - -- Required: Yes -- Type: string - -### Parameter: `subnetResourceId` - -The Azure Resource URI for a delegated subnet. Must have the delegation Microsoft.NetApp/volumes. - -- Required: Yes -- Type: string - -### Parameter: `usageThreshold` - -Maximum storage quota allowed for a file system in bytes. - -- Required: Yes -- Type: int - -### Parameter: `capacityPoolName` - -The name of the parent capacity pool. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `netAppAccountName` - -The name of the parent NetApp account. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `creationToken` - -A unique file path for the volume. This is the name of the volume export. A volume is mounted using the export path. File path must start with an alphabetical character and be unique within the subscription. - -- Required: No -- Type: string -- Default: `[parameters('name')]` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `exportPolicyRules` - -Export policy rules. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location of the pool volume. 
- -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `protocolTypes` - -Set of protocol types. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. 
- -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `serviceLevel` - -The pool service level. Must match the one of the parent capacity pool. - -- Required: No -- Type: string -- Default: `'Standard'` -- Allowed: - ```Bicep - [ - 'Premium' - 'Standard' - 'StandardZRS' - 'Ultra' - ] - ``` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the Volume. | -| `resourceGroupName` | string | The name of the Resource Group the Volume was created in. | -| `resourceId` | string | The Resource ID of the Volume. 
|
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/net-app/net-app-account/capacity-pool/volume/main.bicep b/modules/net-app/net-app-account/capacity-pool/volume/main.bicep
deleted file mode 100644
index 5870382621..0000000000
--- a/modules/net-app/net-app-account/capacity-pool/volume/main.bicep
+++ /dev/null
@@ -1,141 +0,0 @@
-metadata name = 'Azure NetApp Files Capacity Pool Volumes'
-metadata description = 'This module deploys an Azure NetApp Files Capacity Pool Volume.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent NetApp account. Required if the template is used in a standalone deployment.')
-param netAppAccountName string
-
-@description('Conditional. The name of the parent capacity pool. Required if the template is used in a standalone deployment.')
-param capacityPoolName string
-
-@description('Required. The name of the pool volume.')
-param name string
-
-@description('Optional. Location of the pool volume.')
-param location string = resourceGroup().location
-
-@description('Optional. The pool service level. Must match the one of the parent capacity pool.')
-@allowed([
- 'Premium'
- 'Standard'
- 'StandardZRS'
- 'Ultra'
-])
-param serviceLevel string = 'Standard'
-
-@description('Optional. A unique file path for the volume. This is the name of the volume export. A volume is mounted using the export path. File path must start with an alphabetical character and be unique within the subscription.')
-param creationToken string = name
-
-@description('Required. Maximum storage quota allowed for a file system in bytes.')
-param usageThreshold int
-
-@description('Optional. Set of protocol types.')
-param protocolTypes array = []
-
-@description('Required. The Azure Resource URI for a delegated subnet. Must have the delegation Microsoft.NetApp/volumes.')
-param subnetResourceId string
-
-@description('Optional. Export policy rules.')
-param exportPolicyRules array = []
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional.
Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource netAppAccount 'Microsoft.NetApp/netAppAccounts@2022-11-01' existing = {
- name: netAppAccountName
-
- resource capacityPool 'capacityPools@2022-11-01' existing = {
- name: capacityPoolName
- }
-}
-
-resource volume 'Microsoft.NetApp/netAppAccounts/capacityPools/volumes@2022-11-01' = {
- name: name
- parent: netAppAccount::capacityPool
- location: location
- properties: {
- serviceLevel: serviceLevel
- creationToken: creationToken
- usageThreshold: usageThreshold
- protocolTypes: protocolTypes
- subnetId: subnetResourceId
- exportPolicy: !empty(exportPolicyRules) ? {
- rules: exportPolicyRules
- } : null
- }
-}
-
-resource volume_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ??
[]): {
- name: guid(volume.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: volume
-}]
-
-@description('The name of the Volume.')
-output name string = volume.name
-
-@description('The Resource ID of the Volume.')
-output resourceId string = volume.id
-
-@description('The name of the Resource Group the Volume was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = volume.location
-// =============== //
-// Definitions //
-// =============== //
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional.
The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/net-app/net-app-account/capacity-pool/volume/main.json b/modules/net-app/net-app-account/capacity-pool/volume/main.json
deleted file mode 100644
index 5e0f1b20ef..0000000000
--- a/modules/net-app/net-app-account/capacity-pool/volume/main.json
+++ /dev/null
@@ -1,278 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "3662331312918191126" - }, - "name": "Azure NetApp Files Capacity Pool Volumes", - "description": "This module deploys an Azure NetApp Files Capacity Pool Volume.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "netAppAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent NetApp account. Required if the template is used in a standalone deployment." - } - }, - "capacityPoolName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent capacity pool. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the pool volume." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location of the pool volume." - } - }, - "serviceLevel": { - "type": "string", - "defaultValue": "Standard", - "allowedValues": [ - "Premium", - "Standard", - "StandardZRS", - "Ultra" - ], - "metadata": { - "description": "Optional. The pool service level. Must match the one of the parent capacity pool." - } - }, - "creationToken": { - "type": "string", - "defaultValue": "[parameters('name')]", - "metadata": { - "description": "Optional. A unique file path for the volume. This is the name of the volume export. A volume is mounted using the export path. File path must start with an alphabetical character and be unique within the subscription." - } - }, - "usageThreshold": { - "type": "int", - "metadata": { - "description": "Required. 
Maximum storage quota allowed for a file system in bytes." - } - }, - "protocolTypes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Set of protocol types." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. The Azure Resource URI for a delegated subnet. Must have the delegation Microsoft.NetApp/volumes." - } - }, - "exportPolicyRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Export policy rules." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "netAppAccount::capacityPool": { - "existing": true, - "type": "Microsoft.NetApp/netAppAccounts/capacityPools", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}', parameters('netAppAccountName'), parameters('capacityPoolName'))]", - "dependsOn": [ - "netAppAccount" - ] - }, - "defaultTelemetry": { - "condition": 
"[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "netAppAccount": { - "existing": true, - "type": "Microsoft.NetApp/netAppAccounts", - "apiVersion": "2022-11-01", - "name": "[parameters('netAppAccountName')]" - }, - "volume": { - "type": "Microsoft.NetApp/netAppAccounts/capacityPools/volumes", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}/{2}', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]", - "location": "[parameters('location')]", - "properties": { - "serviceLevel": "[parameters('serviceLevel')]", - "creationToken": "[parameters('creationToken')]", - "usageThreshold": "[parameters('usageThreshold')]", - "protocolTypes": "[parameters('protocolTypes')]", - "subnetId": "[parameters('subnetResourceId')]", - "exportPolicy": "[if(not(empty(parameters('exportPolicyRules'))), createObject('rules', parameters('exportPolicyRules')), null())]" - }, - "dependsOn": [ - "netAppAccount::capacityPool" - ] - }, - "volume_roleAssignments": { - "copy": { - "name": "volume_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}/capacityPools/{1}/volumes/{2}', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name')), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "volume" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the Volume." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The Resource ID of the Volume." - }, - "value": "[resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the Volume was created in." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('volume', '2022-11-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/net-app/net-app-account/capacity-pool/volume/version.json b/modules/net-app/net-app-account/capacity-pool/volume/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/net-app/net-app-account/capacity-pool/volume/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/net-app/net-app-account/main.bicep b/modules/net-app/net-app-account/main.bicep deleted file mode 100644 index 2fc4c5833d..0000000000 --- a/modules/net-app/net-app-account/main.bicep +++ /dev/null 
@@ -1,189 +0,0 @@
-metadata name = 'Azure NetApp Files'
-metadata description = 'This module deploys an Azure NetApp File.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the NetApp account.')
-param name string
-
-@description('Optional. Fully Qualified Active Directory DNS Domain Name (e.g. \'contoso.com\').')
-param domainName string = ''
-
-@description('Optional. Required if domainName is specified. Username of Active Directory domain administrator, with permissions to create SMB server machine account in the AD domain.')
-param domainJoinUser string = ''
-
-@description('Optional. Required if domainName is specified. Password of the user specified in domainJoinUser parameter.')
-@secure()
-param domainJoinPassword string = ''
-
-@description('Optional. Used only if domainName is specified. LDAP Path for the Organization Unit (OU) where SMB Server machine accounts will be created (i.e. \'OU=SecondLevel,OU=FirstLevel\').')
-param domainJoinOU string = ''
-
-@description('Optional. Required if domainName is specified. Comma separated list of DNS server IP addresses (IPv4 only) required for the Active Directory (AD) domain join and SMB authentication operations to succeed.')
-param dnsServers string = ''
-
-@description('Optional. Required if domainName is specified. NetBIOS name of the SMB server. A computer account with this prefix will be registered in the AD and used to mount volumes.')
-param smbServerNamePrefix string = ''
-
-@description('Optional. Capacity pools to create.')
-param capacityPools array = []
-
-@description('Optional. The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional.
The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Tags for all resources.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-var activeDirectoryConnectionProperties = [
- {
- username: !empty(domainName) ? domainJoinUser : null
- password: !empty(domainName) ? domainJoinPassword : null
- domain: !empty(domainName) ? domainName : null
- dns: !empty(domainName) ? dnsServers : null
- smbServerName: !empty(domainName) ? smbServerNamePrefix : null
- organizationalUnit: !empty(domainJoinOU) ? domainJoinOU : null
- }
-]
-
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-
-var identity = !empty(managedIdentities) ? {
- type: !empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null
- userAssignedIdentities: !empty(formattedUserAssignedIdentities) ?
formattedUserAssignedIdentities : null
-} : null
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource netAppAccount 'Microsoft.NetApp/netAppAccounts@2022-11-01' = {
- name: name
- tags: tags
- identity: identity
- location: location
- properties: {
- activeDirectories: !empty(domainName) ? activeDirectoryConnectionProperties : null
- }
-}
-
-resource netAppAccount_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: netAppAccount
-}
-
-resource netAppAccount_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ??
[]): {
- name: guid(netAppAccount.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: netAppAccount
-}]
-
-module netAppAccount_capacityPools 'capacity-pool/main.bicep' = [for (capacityPool, index) in capacityPools: {
- name: '${uniqueString(deployment().name, location)}-ANFAccount-CapPool-${index}'
- params: {
- netAppAccountName: netAppAccount.name
- name: capacityPool.name
- location: location
- size: capacityPool.size
- serviceLevel: contains(capacityPool, 'serviceLevel') ? capacityPool.serviceLevel : 'Standard'
- qosType: contains(capacityPool, 'qosType') ? capacityPool.qosType : 'Auto'
- volumes: contains(capacityPool, 'volumes') ? capacityPool.volumes : []
- coolAccess: contains(capacityPool, 'coolAccess') ? capacityPool.coolAccess : false
- roleAssignments: contains(capacityPool, 'roleAssignments') ? capacityPool.roleAssignments : []
- encryptionType: contains(capacityPool, 'encryptionType') ? capacityPool.encryptionType : 'Single'
- tags: capacityPool.?tags ??
tags
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-@description('The name of the NetApp account.')
-output name string = netAppAccount.name
-
-@description('The Resource ID of the NetApp account.')
-output resourceId string = netAppAccount.id
-
-@description('The name of the Resource Group the NetApp account was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = netAppAccount.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional.
Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/net-app/net-app-account/main.json b/modules/net-app/net-app-account/main.json
deleted file mode 100644
index 862b3c67db..0000000000
--- a/modules/net-app/net-app-account/main.json
+++ /dev/null
@@ -1,987 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "8081072067801758787" - }, - "name": "Azure NetApp Files", - "description": "This module deploys an Azure NetApp File.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. 
The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the NetApp account." - } - }, - "domainName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Fully Qualified Active Directory DNS Domain Name (e.g. 'contoso.com')." - } - }, - "domainJoinUser": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Required if domainName is specified. Username of Active Directory domain administrator, with permissions to create SMB server machine account in the AD domain." - } - }, - "domainJoinPassword": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. Required if domainName is specified. Password of the user specified in domainJoinUser parameter." - } - }, - "domainJoinOU": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Used only if domainName is specified. 
LDAP Path for the Organization Unit (OU) where SMB Server machine accounts will be created (i.e. 'OU=SecondLevel,OU=FirstLevel')." - } - }, - "dnsServers": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Required if domainName is specified. Comma separated list of DNS server IP addresses (IPv4 only) required for the Active Directory (AD) domain join and SMB authentication operations to succeed." - } - }, - "smbServerNamePrefix": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Required if domainName is specified. NetBIOS name of the SMB server. A computer account with this prefix will be registered in the AD and used to mount volumes." - } - }, - "capacityPools": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Capacity pools to create." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags for all resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "activeDirectoryConnectionProperties": [ - { - "username": "[if(not(empty(parameters('domainName'))), parameters('domainJoinUser'), null())]", - "password": "[if(not(empty(parameters('domainName'))), parameters('domainJoinPassword'), null())]", - "domain": "[if(not(empty(parameters('domainName'))), parameters('domainName'), null())]", - "dns": "[if(not(empty(parameters('domainName'))), parameters('dnsServers'), null())]", - "smbServerName": "[if(not(empty(parameters('domainName'))), parameters('smbServerNamePrefix'), null())]", - "organizationalUnit": "[if(not(empty(parameters('domainJoinOU'))), parameters('domainJoinOU'), null())]" - } - ], - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null()), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User 
Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "netAppAccount": { - "type": "Microsoft.NetApp/netAppAccounts", - "apiVersion": "2022-11-01", - "name": "[parameters('name')]", - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "location": "[parameters('location')]", - "properties": { - "activeDirectories": "[if(not(empty(parameters('domainName'))), variables('activeDirectoryConnectionProperties'), null())]" - } - }, - "netAppAccount_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "netAppAccount" - ] - }, - "netAppAccount_roleAssignments": { - "copy": { - "name": "netAppAccount_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", 
- "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.NetApp/netAppAccounts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "netAppAccount" - ] - }, - 
"netAppAccount_capacityPools": { - "copy": { - "name": "netAppAccount_capacityPools", - "count": "[length(parameters('capacityPools'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-ANFAccount-CapPool-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "netAppAccountName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('capacityPools')[copyIndex()].name]" - }, - "location": { - "value": "[parameters('location')]" - }, - "size": { - "value": "[parameters('capacityPools')[copyIndex()].size]" - }, - "serviceLevel": "[if(contains(parameters('capacityPools')[copyIndex()], 'serviceLevel'), createObject('value', parameters('capacityPools')[copyIndex()].serviceLevel), createObject('value', 'Standard'))]", - "qosType": "[if(contains(parameters('capacityPools')[copyIndex()], 'qosType'), createObject('value', parameters('capacityPools')[copyIndex()].qosType), createObject('value', 'Auto'))]", - "volumes": "[if(contains(parameters('capacityPools')[copyIndex()], 'volumes'), createObject('value', parameters('capacityPools')[copyIndex()].volumes), createObject('value', createArray()))]", - "coolAccess": "[if(contains(parameters('capacityPools')[copyIndex()], 'coolAccess'), createObject('value', parameters('capacityPools')[copyIndex()].coolAccess), createObject('value', false()))]", - "roleAssignments": "[if(contains(parameters('capacityPools')[copyIndex()], 'roleAssignments'), createObject('value', parameters('capacityPools')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "encryptionType": "[if(contains(parameters('capacityPools')[copyIndex()], 'encryptionType'), createObject('value', parameters('capacityPools')[copyIndex()].encryptionType), createObject('value', 'Single'))]", - "tags": { - "value": 
"[coalesce(tryGet(parameters('capacityPools')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15353329491336313807" - }, - "name": "Azure NetApp Files Capacity Pools", - "description": "This module deploys an Azure NetApp Files Capacity Pool.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "netAppAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent NetApp account. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the capacity pool." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location of the pool volume." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags for all resources." - } - }, - "serviceLevel": { - "type": "string", - "defaultValue": "Standard", - "allowedValues": [ - "Premium", - "Standard", - "StandardZRS", - "Ultra" - ], - "metadata": { - "description": "Optional. The pool service level." - } - }, - "size": { - "type": "int", - "metadata": { - "description": "Required. Provisioned size of the pool (in bytes). Allowed values are in 4TiB chunks (value must be multiply of 4398046511104)." - } - }, - "qosType": { - "type": "string", - "defaultValue": "Auto", - "allowedValues": [ - "Auto", - "Manual" - ], - "metadata": { - "description": "Optional. The qos type of the pool." - } - }, - "volumes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of volumnes to create in the capacity pool." 
- } - }, - "coolAccess": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. If enabled (true) the pool can contain cool Access enabled volumes." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "encryptionType": { - "type": "string", - "defaultValue": "Single", - "allowedValues": [ - "Double", - "Single" - ], - "metadata": { - "description": "Optional. Encryption type of the capacity pool, set encryption type for data at rest for this pool and all volumes in it. This value can only be set when creating new pool." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - 
"template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "netAppAccount": { - "existing": true, - "type": "Microsoft.NetApp/netAppAccounts", - "apiVersion": "2022-11-01", - "name": "[parameters('netAppAccountName')]" - }, - "capacityPool": { - "type": "Microsoft.NetApp/netAppAccounts/capacityPools", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}', parameters('netAppAccountName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "serviceLevel": "[parameters('serviceLevel')]", - "size": "[parameters('size')]", - "qosType": "[parameters('qosType')]", - "coolAccess": "[parameters('coolAccess')]", - "encryptionType": "[parameters('encryptionType')]" - }, - "dependsOn": [ - "netAppAccount" - ] - }, - "capacityPool_roleAssignments": { - "copy": { - "name": "capacityPool_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}/capacityPools/{1}', parameters('netAppAccountName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools', parameters('netAppAccountName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "capacityPool" - ] - }, - "capacityPool_volumes": { - "copy": { - "name": "capacityPool_volumes", - "count": "[length(parameters('volumes'))]", - "mode": "serial", - "batchSize": 1 - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Vol-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "netAppAccountName": { - "value": "[parameters('netAppAccountName')]" - }, - "capacityPoolName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('volumes')[copyIndex()].name]" - }, - "location": { - "value": "[parameters('location')]" - }, - "serviceLevel": { - "value": 
"[parameters('serviceLevel')]" - }, - "creationToken": "[if(contains(parameters('volumes')[copyIndex()], 'creationToken'), createObject('value', parameters('volumes')[copyIndex()].creationToken), createObject('value', parameters('volumes')[copyIndex()].name))]", - "usageThreshold": { - "value": "[parameters('volumes')[copyIndex()].usageThreshold]" - }, - "protocolTypes": "[if(contains(parameters('volumes')[copyIndex()], 'protocolTypes'), createObject('value', parameters('volumes')[copyIndex()].protocolTypes), createObject('value', createArray()))]", - "subnetResourceId": { - "value": "[parameters('volumes')[copyIndex()].subnetResourceId]" - }, - "exportPolicyRules": "[if(contains(parameters('volumes')[copyIndex()], 'exportPolicyRules'), createObject('value', parameters('volumes')[copyIndex()].exportPolicyRules), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('volumes')[copyIndex()], 'roleAssignments'), createObject('value', parameters('volumes')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "3662331312918191126" - }, - "name": "Azure NetApp Files Capacity Pool Volumes", - "description": "This module deploys an Azure NetApp Files Capacity Pool Volume.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "netAppAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent NetApp account. Required if the template is used in a standalone deployment." - } - }, - "capacityPoolName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent capacity pool. Required if the template is used in a standalone deployment." 
- } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the pool volume." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location of the pool volume." - } - }, - "serviceLevel": { - "type": "string", - "defaultValue": "Standard", - "allowedValues": [ - "Premium", - "Standard", - "StandardZRS", - "Ultra" - ], - "metadata": { - "description": "Optional. The pool service level. Must match the one of the parent capacity pool." - } - }, - "creationToken": { - "type": "string", - "defaultValue": "[parameters('name')]", - "metadata": { - "description": "Optional. A unique file path for the volume. This is the name of the volume export. A volume is mounted using the export path. File path must start with an alphabetical character and be unique within the subscription." - } - }, - "usageThreshold": { - "type": "int", - "metadata": { - "description": "Required. Maximum storage quota allowed for a file system in bytes." - } - }, - "protocolTypes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Set of protocol types." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. The Azure Resource URI for a delegated subnet. Must have the delegation Microsoft.NetApp/volumes." - } - }, - "exportPolicyRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Export policy rules." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "netAppAccount::capacityPool": { - "existing": true, - "type": "Microsoft.NetApp/netAppAccounts/capacityPools", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}', parameters('netAppAccountName'), parameters('capacityPoolName'))]", - "dependsOn": [ - "netAppAccount" - ] - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "netAppAccount": { - "existing": true, - "type": "Microsoft.NetApp/netAppAccounts", - "apiVersion": "2022-11-01", - "name": "[parameters('netAppAccountName')]" - }, - "volume": { - "type": "Microsoft.NetApp/netAppAccounts/capacityPools/volumes", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}/{2}', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]", - "location": "[parameters('location')]", - "properties": { - "serviceLevel": 
"[parameters('serviceLevel')]", - "creationToken": "[parameters('creationToken')]", - "usageThreshold": "[parameters('usageThreshold')]", - "protocolTypes": "[parameters('protocolTypes')]", - "subnetId": "[parameters('subnetResourceId')]", - "exportPolicy": "[if(not(empty(parameters('exportPolicyRules'))), createObject('rules', parameters('exportPolicyRules')), null())]" - }, - "dependsOn": [ - "netAppAccount::capacityPool" - ] - }, - "volume_roleAssignments": { - "copy": { - "name": "volume_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}/capacityPools/{1}/volumes/{2}', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "volume" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the Volume." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The Resource ID of the Volume." - }, - "value": "[resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the Volume was created in." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('volume', '2022-11-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "capacityPool", - "netAppAccount" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the Capacity Pool." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Capacity Pool." 
- }, - "value": "[resourceId('Microsoft.NetApp/netAppAccounts/capacityPools', parameters('netAppAccountName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the Capacity Pool was created in." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('capacityPool', '2022-11-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "netAppAccount" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the NetApp account." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The Resource ID of the NetApp account." - }, - "value": "[resourceId('Microsoft.NetApp/netAppAccounts', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the NetApp account was created in." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('netAppAccount', '2022-11-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/net-app/net-app-account/tests/e2e/defaults/main.test.bicep b/modules/net-app/net-app-account/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 5a4111f482..0000000000 --- a/modules/net-app/net-app-account/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,48 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-netapp.netappaccounts-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nanaamin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}
diff --git a/modules/net-app/net-app-account/tests/e2e/nfs3/dependencies.bicep b/modules/net-app/net-app-account/tests/e2e/nfs3/dependencies.bicep
deleted file mode 100644
index 71e1d77e16..0000000000
--- a/modules/net-app/net-app-account/tests/e2e/nfs3/dependencies.bicep
+++ /dev/null
@@ -1,49 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- delegations: [
- {
- name: 'netappDel'
- properties: {
- serviceName: 'Microsoft.Netapp/volumes'
- }
- }
- ]
- }
- }
- ]
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/net-app/net-app-account/tests/e2e/nfs3/main.test.bicep b/modules/net-app/net-app-account/tests/e2e/nfs3/main.test.bicep
deleted file mode 100644
index dc2b95f9b3..0000000000
--- a/modules/net-app/net-app-account/tests/e2e/nfs3/main.test.bicep
+++ /dev/null
@@ -1,146 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-netapp.netappaccounts-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nanaanfs3'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- capacityPools: [
- {
- name: '${namePrefix}-${serviceShort}-cp-001'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- serviceLevel: 'Premium'
- size: 
4398046511104
- volumes: [
- {
- exportPolicyRules: [
- {
- allowedClients: '0.0.0.0/0'
- nfsv3: true
- nfsv41: false
- ruleIndex: 1
- unixReadOnly: false
- unixReadWrite: true
- }
- ]
- name: '${namePrefix}-${serviceShort}-vol-001'
- protocolTypes: [
- 'NFSv3'
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- usageThreshold: 107374182400
- }
- {
- name: '${namePrefix}-${serviceShort}-vol-002'
- protocolTypes: [
- 'NFSv3'
- ]
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- usageThreshold: 107374182400
- }
- ]
- }
- {
- name: '${namePrefix}-${serviceShort}-cp-002'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- serviceLevel: 'Premium'
- size: 4398046511104
- volumes: []
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Contact: 'test.user@testcompany.com'
- CostCenter: '7890'
- Environment: 'Non-Prod'
- PurchaseOrder: '1234'
- Role: 'DeploymentValidation'
- ServiceName: 'DeploymentValidation'
- }
- }
-}
diff --git a/modules/net-app/net-app-account/tests/e2e/nfs41/dependencies.bicep b/modules/net-app/net-app-account/tests/e2e/nfs41/dependencies.bicep
deleted file mode 100644
index d0c6383547..0000000000
--- a/modules/net-app/net-app-account/tests/e2e/nfs41/dependencies.bicep
+++ /dev/null
@@ -1,52 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- delegations: [
- {
- name: 'netappDel'
- properties: {
- serviceName: 'Microsoft.Netapp/volumes'
- }
- }
- ]
- }
- }
- ]
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
diff --git a/modules/net-app/net-app-account/tests/e2e/nfs41/main.test.bicep b/modules/net-app/net-app-account/tests/e2e/nfs41/main.test.bicep
deleted file mode 100644
index a751b084cc..0000000000
--- a/modules/net-app/net-app-account/tests/e2e/nfs41/main.test.bicep
+++ /dev/null
@@ -1,157 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-netapp.netappaccounts-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nanaanfs41'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- capacityPools: [
- {
- name: '${namePrefix}-${serviceShort}-cp-001'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- serviceLevel: 'Premium'
- size: 
4398046511104
- volumes: [
- {
- exportPolicyRules: [
- {
- allowedClients: '0.0.0.0/0'
- nfsv3: false
- nfsv41: true
- ruleIndex: 1
- unixReadOnly: false
- unixReadWrite: true
- }
- ]
- name: '${namePrefix}-${serviceShort}-vol-001'
- protocolTypes: [
- 'NFSv4.1'
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- usageThreshold: 107374182400
- }
- {
- exportPolicyRules: [
- {
- allowedClients: '0.0.0.0/0'
- nfsv3: false
- nfsv41: true
- ruleIndex: 1
- unixReadOnly: false
- unixReadWrite: true
- }
- ]
- name: '${namePrefix}-${serviceShort}-vol-002'
- protocolTypes: [
- 'NFSv4.1'
- ]
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- usageThreshold: 107374182400
- }
- ]
- }
- {
- name: '${namePrefix}-${serviceShort}-cp-002'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- serviceLevel: 'Premium'
- size: 4398046511104
- volumes: []
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Contact: 'test.user@testcompany.com'
- CostCenter: '7890'
- Environment: 'Non-Prod'
- PurchaseOrder: '1234'
- Role: 'DeploymentValidation'
- ServiceName: 
'DeploymentValidation'
- }
- managedIdentities: {
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- }
-}
diff --git a/modules/net-app/net-app-account/version.json b/modules/net-app/net-app-account/version.json
deleted file mode 100644
index 04a0dd1a80..0000000000
--- a/modules/net-app/net-app-account/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.5",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/application-gateway-web-application-firewall-policy/MOVED-TO-AVM.md b/modules/network/application-gateway-web-application-firewall-policy/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/network/application-gateway-web-application-firewall-policy/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/network/application-gateway-web-application-firewall-policy/README.md b/modules/network/application-gateway-web-application-firewall-policy/README.md
index aad5d0d155..0ffbd5f044 100644
--- a/modules/network/application-gateway-web-application-firewall-policy/README.md
+++ b/modules/network/application-gateway-web-application-firewall-policy/README.md
@@ -1,322 +1,7 @@
-# Application Gateway Web Application Firewall (WAF) Policies `[Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/application-gateway-web-application-firewall-policy](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/application-gateway-web-application-firewall-policy).** -This module deploys an Application Gateway Web Application Firewall (WAF) Policy. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/application-gateway-web-application-firewall-policy). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-11-01/ApplicationGatewayWebApplicationFirewallPolicies) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.application-gateway-web-application-firewall-policy:1.0.0`. 
- -- [Using large parameter set](#example-1-using-large-parameter-set) -- [WAF-aligned](#example-2-waf-aligned) - -### Example 1: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -
- -via Bicep module - -```bicep -module applicationGatewayWebApplicationFirewallPolicy 'br:bicep/modules/network.application-gateway-web-application-firewall-policy:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nagwafpmax' - params: { - // Required parameters - name: 'nagwafpmax001' - // Non-required parameters - enableDefaultTelemetry: '' - managedRules: { - managedRuleSets: [ - { - ruleGroupOverrides: [] - ruleSetType: 'OWASP' - ruleSetVersion: '3.2' - } - { - ruleGroupOverrides: [] - ruleSetType: 'Microsoft_BotManagerRuleSet' - ruleSetVersion: '0.1' - } - ] - } - policySettings: { - fileUploadLimitInMb: 10 - mode: 'Prevention' - state: 'Enabled' - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nagwafpmax001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "managedRules": { - "value": { - "managedRuleSets": [ - { - "ruleGroupOverrides": [], - "ruleSetType": "OWASP", - "ruleSetVersion": "3.2" - }, - { - "ruleGroupOverrides": [], - "ruleSetType": "Microsoft_BotManagerRuleSet", - "ruleSetVersion": "0.1" - } - ] - } - }, - "policySettings": { - "value": { - "fileUploadLimitInMb": 10, - "mode": "Prevention", - "state": "Enabled" - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 2: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module applicationGatewayWebApplicationFirewallPolicy 'br:bicep/modules/network.application-gateway-web-application-firewall-policy:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nagwafpwaf' - params: { - // Required parameters - name: 'nagwafpwaf001' - // Non-required parameters - enableDefaultTelemetry: '' - managedRules: { - managedRuleSets: [ - { - ruleGroupOverrides: [] - ruleSetType: 'OWASP' - ruleSetVersion: '3.2' - } - { - ruleGroupOverrides: [] - ruleSetType: 'Microsoft_BotManagerRuleSet' - ruleSetVersion: '0.1' - } - ] - } - policySettings: { - fileUploadLimitInMb: 10 - mode: 'Prevention' - state: 'Enabled' - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nagwafpwaf001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "managedRules": { - "value": { - "managedRuleSets": [ - { - "ruleGroupOverrides": [], - "ruleSetType": "OWASP", - "ruleSetVersion": "3.2" - }, - { - "ruleGroupOverrides": [], - "ruleSetType": "Microsoft_BotManagerRuleSet", - "ruleSetVersion": "0.1" - } - ] - } - }, - "policySettings": { - "value": { - "fileUploadLimitInMb": 10, - "mode": "Prevention", - "state": "Enabled" - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Application Gateway WAF policy. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`customRules`](#parameter-customrules) | array | The custom rules inside the policy. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`managedRules`](#parameter-managedrules) | object | Describes the managedRules structure. | -| [`policySettings`](#parameter-policysettings) | object | The PolicySettings for policy. | -| [`tags`](#parameter-tags) | object | Resource tags. | - -### Parameter: `name` - -Name of the Application Gateway WAF policy. - -- Required: Yes -- Type: string - -### Parameter: `customRules` - -The custom rules inside the policy. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `managedRules` - -Describes the managedRules structure. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `policySettings` - -The PolicySettings for policy. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `tags` - -Resource tags. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the application gateway WAF policy. | -| `resourceGroupName` | string | The resource group the application gateway WAF policy was deployed into. 
| -| `resourceId` | string | The resource ID of the application gateway WAF policy. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/network/application-gateway-web-application-firewall-policy/main.bicep b/modules/network/application-gateway-web-application-firewall-policy/main.bicep deleted file mode 100644 index d59777c07c..0000000000 --- a/modules/network/application-gateway-web-application-firewall-policy/main.bicep +++ /dev/null 
@@ -1,59 +0,0 @@
-metadata name = 'Application Gateway Web Application Firewall (WAF) Policies'
-metadata description = 'This module deploys an Application Gateway Web Application Firewall (WAF) Policy.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the Application Gateway WAF policy.')
-param name string
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Resource tags.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. Describes the managedRules structure.')
-param managedRules object = {}
-
-@description('Optional. The custom rules inside the policy.')
-param customRules array = []
-
-@description('Optional. The PolicySettings for policy.')
-param policySettings object = {}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource applicationGatewayWAFPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2022-11-01' = {
- name: name
- location: location
- tags: tags
- properties: {
- managedRules: managedRules
- customRules: customRules
- policySettings: policySettings
- }
-}
-
-@description('The name of the application gateway WAF policy.')
-output name string = applicationGatewayWAFPolicy.name
-
-@description('The resource ID of the application gateway WAF policy.')
-output resourceId string = applicationGatewayWAFPolicy.id
-
-@description('The resource group the application gateway WAF policy was deployed into.')
-output resourceGroupName string = 
resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = applicationGatewayWAFPolicy.location
diff --git a/modules/network/application-gateway-web-application-firewall-policy/main.json b/modules/network/application-gateway-web-application-firewall-policy/main.json
deleted file mode 100644
index 3d860d9883..0000000000
--- a/modules/network/application-gateway-web-application-firewall-policy/main.json
+++ /dev/null
@@ -1,123 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2444407542563544390" - }, - "name": "Application Gateway Web Application Firewall (WAF) Policies", - "description": "This module deploys an Application Gateway Web Application Firewall (WAF) Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Application Gateway WAF policy." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Resource tags." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "managedRules": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Describes the managedRules structure." - } - }, - "customRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The custom rules inside the policy." - } - }, - "policySettings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The PolicySettings for policy." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "applicationGatewayWAFPolicy": { - "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies", - "apiVersion": "2022-11-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "managedRules": "[parameters('managedRules')]", - "customRules": "[parameters('customRules')]", - "policySettings": "[parameters('policySettings')]" - } - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the application gateway WAF policy." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the application gateway WAF policy." - }, - "value": "[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the application gateway WAF policy was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('applicationGatewayWAFPolicy', '2022-11-01', 'full').location]" - } - } -} \ No newline at end of file 
diff --git a/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/max/main.test.bicep b/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 6d6e62eff2..0000000000
--- a/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,73 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-network.applicationGatewayWebApplicationFirewallPolicies-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nagwafpmax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - policySettings: { - fileUploadLimitInMb: 10 - state: 'Enabled' - mode: 'Prevention' - } - managedRules: { - managedRuleSets: [ - { - ruleSetType: 'OWASP' - ruleSetVersion: '3.2' - ruleGroupOverrides: [] - } - { - ruleSetType: 'Microsoft_BotManagerRuleSet' - ruleSetVersion: '0.1' - ruleGroupOverrides: [] - } - ] - } - tags: { - 
'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep b/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep deleted file mode 100644 index 5ef5d817c3..0000000000 --- a/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep +++ /dev/null 
@@ -1,73 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-network.applicationGatewayWebApplicationFirewallPolicies-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nagwafpwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - policySettings: { - fileUploadLimitInMb: 10 - state: 'Enabled' - mode: 'Prevention' - } - managedRules: { - managedRuleSets: [ - { - ruleSetType: 'OWASP' - ruleSetVersion: '3.2' - ruleGroupOverrides: [] - } - { - ruleSetType: 'Microsoft_BotManagerRuleSet' - ruleSetVersion: '0.1' - ruleGroupOverrides: [] - } - 
] - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/network/application-gateway-web-application-firewall-policy/version.json b/modules/network/application-gateway-web-application-firewall-policy/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/network/application-gateway-web-application-firewall-policy/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/application-gateway/README.md b/modules/network/application-gateway/README.md index 8848ba6a2e..5142c88b61 100644 --- a/modules/network/application-gateway/README.md +++ b/modules/network/application-gateway/README.md @@ -1,2871 +1,7 @@ -# Network Application Gateways `[Microsoft.Network/applicationGateways]` +

⚠️ Moved to AVM ⚠️

-This module deploys a Network Application Gateway. +**This module has been evolved into the following AVM module: [avm/res/network/application-gateway](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/application-gateway).** -## Navigation +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/application-gateway). -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/applicationGateways` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/applicationGateways) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. 
For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.application-gateway:1.0.0`. - -- [Using large parameter set](#example-1-using-large-parameter-set) -- [WAF-aligned](#example-2-waf-aligned) - -### Example 1: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -
- -via Bicep module - -```bicep -module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nagmax' - params: { - // Required parameters - name: '' - // Non-required parameters - backendAddressPools: [ - { - name: 'appServiceBackendPool' - properties: { - backendAddresses: [ - { - fqdn: 'aghapp.azurewebsites.net' - } - ] - } - } - { - name: 'privateVmBackendPool' - properties: { - backendAddresses: [ - { - ipAddress: '10.0.0.4' - } - ] - } - } - ] - backendHttpSettingsCollection: [ - { - name: 'appServiceBackendHttpsSetting' - properties: { - cookieBasedAffinity: 'Disabled' - pickHostNameFromBackendAddress: true - port: 443 - protocol: 'Https' - requestTimeout: 30 - } - } - { - name: 'privateVmHttpSetting' - properties: { - cookieBasedAffinity: 'Disabled' - pickHostNameFromBackendAddress: false - port: 80 - probe: { - id: '' - } - protocol: 'Http' - requestTimeout: 30 - } - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - enableHttp2: true - frontendIPConfigurations: [ - { - name: 'private' - properties: { - privateIPAddress: '10.0.0.20' - privateIPAllocationMethod: 'Static' - subnet: { - id: '' - } - } - } - { - name: 'public' - properties: { - privateIPAllocationMethod: 'Dynamic' - privateLinkConfiguration: { - id: '' - } - publicIPAddress: { - id: '' - } - } - } - ] - frontendPorts: [ - { - name: 'port443' - properties: { - port: 443 - } - } - { - name: 'port4433' - properties: { - port: 4433 - } - } - { - name: 'port80' - properties: { - port: 80 - } - } - { - name: 'port8080' - properties: { - port: 8080 - } - } - ] - gatewayIPConfigurations: [ - { - name: 'apw-ip-configuration' - properties: { - subnet: { - id: '' - } - } - } - ] - httpListeners: [ - { - 
name: 'public443' - properties: { - frontendIPConfiguration: { - id: '' - } - frontendPort: { - id: '' - } - hostNames: [] - protocol: 'https' - requireServerNameIndication: false - sslCertificate: { - id: '' - } - } - } - { - name: 'private4433' - properties: { - frontendIPConfiguration: { - id: '' - } - frontendPort: { - id: '' - } - hostNames: [] - protocol: 'https' - requireServerNameIndication: false - sslCertificate: { - id: '' - } - } - } - { - name: 'httpRedirect80' - properties: { - frontendIPConfiguration: { - id: '' - } - frontendPort: { - id: '' - } - hostNames: [] - protocol: 'Http' - requireServerNameIndication: false - } - } - { - name: 'httpRedirect8080' - properties: { - frontendIPConfiguration: { - id: '' - } - frontendPort: { - id: '' - } - hostNames: [] - protocol: 'Http' - requireServerNameIndication: false - } - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'public' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - privateLinkConfigurations: [ - { - id: '' - name: 'pvtlink01' - properties: { - ipConfigurations: [ - { - id: '' - name: 'privateLinkIpConfig1' - properties: { - primary: false - privateIPAllocationMethod: 'Dynamic' - subnet: { - id: '' - } - } - } - ] - } - } - ] - probes: [ - { - name: 'privateVmHttpSettingProbe' - properties: { - host: '10.0.0.4' - interval: 60 - match: { - statusCodes: [ - '200' - '401' - ] - } - minServers: 3 - path: '/' - pickHostNameFromBackendHttpSettings: false - protocol: 'Http' - timeout: 15 - unhealthyThreshold: 5 - } - } - ] - redirectConfigurations: [ - { - name: 'httpRedirect80' - properties: { - includePath: true - includeQueryString: true - redirectType: 'Permanent' - requestRoutingRules: [ - { - id: '' - } - ] - targetListener: { - id: '' - } - } - } - { - name: 'httpRedirect8080' - 
properties: { - includePath: true - includeQueryString: true - redirectType: 'Permanent' - requestRoutingRules: [ - { - id: '' - } - ] - targetListener: { - id: '' - } - } - } - ] - requestRoutingRules: [ - { - name: 'public443-appServiceBackendHttpsSetting-appServiceBackendHttpsSetting' - properties: { - backendAddressPool: { - id: '' - } - backendHttpSettings: { - id: '' - } - httpListener: { - id: '' - } - priority: 200 - ruleType: 'Basic' - } - } - { - name: 'private4433-privateVmHttpSetting-privateVmHttpSetting' - properties: { - backendAddressPool: { - id: '' - } - backendHttpSettings: { - id: '' - } - httpListener: { - id: '' - } - priority: 250 - ruleType: 'Basic' - } - } - { - name: 'httpRedirect80-public443' - properties: { - httpListener: { - id: '' - } - priority: 300 - redirectConfiguration: { - id: '' - } - ruleType: 'Basic' - } - } - { - name: 'httpRedirect8080-private4433' - properties: { - httpListener: { - id: '' - } - priority: 350 - redirectConfiguration: { - id: '' - } - rewriteRuleSet: { - id: '' - } - ruleType: 'Basic' - } - } - ] - rewriteRuleSets: [ - { - id: '' - name: 'customRewrite' - properties: { - rewriteRules: [ - { - actionSet: { - requestHeaderConfigurations: [ - { - headerName: 'Content-Type' - headerValue: 'JSON' - } - { - headerName: 'someheader' - } - ] - responseHeaderConfigurations: [] - } - conditions: [] - name: 'NewRewrite' - ruleSequence: 100 - } - ] - } - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - sku: 'WAF_v2' - sslCertificates: [ - { - name: 'az-apgw-x-001-ssl-certificate' - properties: { - keyVaultSecretId: '' - } - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - 
Role: 'DeploymentValidation' - } - webApplicationFirewallConfiguration: { - disabledRuleGroups: [ - { - ruleGroupName: 'Known-CVEs' - } - { - ruleGroupName: 'REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION' - } - { - ruleGroupName: 'REQUEST-941-APPLICATION-ATTACK-XSS' - } - ] - enabled: true - exclusions: [ - { - matchVariable: 'RequestHeaderNames' - selector: 'hola' - selectorMatchOperator: 'StartsWith' - } - ] - fileUploadLimitInMb: 100 - firewallMode: 'Detection' - maxRequestBodySizeInKb: 128 - requestBodyCheck: true - ruleSetType: 'OWASP' - ruleSetVersion: '3.0' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "" - }, - // Non-required parameters - "backendAddressPools": { - "value": [ - { - "name": "appServiceBackendPool", - "properties": { - "backendAddresses": [ - { - "fqdn": "aghapp.azurewebsites.net" - } - ] - } - }, - { - "name": "privateVmBackendPool", - "properties": { - "backendAddresses": [ - { - "ipAddress": "10.0.0.4" - } - ] - } - } - ] - }, - "backendHttpSettingsCollection": { - "value": [ - { - "name": "appServiceBackendHttpsSetting", - "properties": { - "cookieBasedAffinity": "Disabled", - "pickHostNameFromBackendAddress": true, - "port": 443, - "protocol": "Https", - "requestTimeout": 30 - } - }, - { - "name": "privateVmHttpSetting", - "properties": { - "cookieBasedAffinity": "Disabled", - "pickHostNameFromBackendAddress": false, - "port": 80, - "probe": { - "id": "" - }, - "protocol": "Http", - "requestTimeout": 30 - } - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "enableHttp2": { - "value": true - }, - "frontendIPConfigurations": { - "value": [ - { - "name": "private", - "properties": { - "privateIPAddress": "10.0.0.20", - "privateIPAllocationMethod": "Static", - "subnet": { - "id": "" - } - } - }, - { - "name": "public", - "properties": { - "privateIPAllocationMethod": "Dynamic", - "privateLinkConfiguration": { - "id": "" - }, - "publicIPAddress": { - "id": "" - } - } - } - ] - }, - "frontendPorts": { - "value": [ - { - "name": "port443", - "properties": { - "port": 443 - } - }, - { - "name": "port4433", - "properties": { - "port": 
4433 - } - }, - { - "name": "port80", - "properties": { - "port": 80 - } - }, - { - "name": "port8080", - "properties": { - "port": 8080 - } - } - ] - }, - "gatewayIPConfigurations": { - "value": [ - { - "name": "apw-ip-configuration", - "properties": { - "subnet": { - "id": "" - } - } - } - ] - }, - "httpListeners": { - "value": [ - { - "name": "public443", - "properties": { - "frontendIPConfiguration": { - "id": "" - }, - "frontendPort": { - "id": "" - }, - "hostNames": [], - "protocol": "https", - "requireServerNameIndication": false, - "sslCertificate": { - "id": "" - } - } - }, - { - "name": "private4433", - "properties": { - "frontendIPConfiguration": { - "id": "" - }, - "frontendPort": { - "id": "" - }, - "hostNames": [], - "protocol": "https", - "requireServerNameIndication": false, - "sslCertificate": { - "id": "" - } - } - }, - { - "name": "httpRedirect80", - "properties": { - "frontendIPConfiguration": { - "id": "" - }, - "frontendPort": { - "id": "" - }, - "hostNames": [], - "protocol": "Http", - "requireServerNameIndication": false - } - }, - { - "name": "httpRedirect8080", - "properties": { - "frontendIPConfiguration": { - "id": "" - }, - "frontendPort": { - "id": "" - }, - "hostNames": [], - "protocol": "Http", - "requireServerNameIndication": false - } - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "public", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "Role": "DeploymentValidation" - } - } - ] - }, - "privateLinkConfigurations": { - "value": [ - { - "id": "", - "name": "pvtlink01", - "properties": { - "ipConfigurations": [ - { - "id": "", - "name": "privateLinkIpConfig1", - "properties": { - "primary": false, - "privateIPAllocationMethod": "Dynamic", - "subnet": { - "id": "" - } - } - } - ] 
- } - } - ] - }, - "probes": { - "value": [ - { - "name": "privateVmHttpSettingProbe", - "properties": { - "host": "10.0.0.4", - "interval": 60, - "match": { - "statusCodes": [ - "200", - "401" - ] - }, - "minServers": 3, - "path": "/", - "pickHostNameFromBackendHttpSettings": false, - "protocol": "Http", - "timeout": 15, - "unhealthyThreshold": 5 - } - } - ] - }, - "redirectConfigurations": { - "value": [ - { - "name": "httpRedirect80", - "properties": { - "includePath": true, - "includeQueryString": true, - "redirectType": "Permanent", - "requestRoutingRules": [ - { - "id": "" - } - ], - "targetListener": { - "id": "" - } - } - }, - { - "name": "httpRedirect8080", - "properties": { - "includePath": true, - "includeQueryString": true, - "redirectType": "Permanent", - "requestRoutingRules": [ - { - "id": "" - } - ], - "targetListener": { - "id": "" - } - } - } - ] - }, - "requestRoutingRules": { - "value": [ - { - "name": "public443-appServiceBackendHttpsSetting-appServiceBackendHttpsSetting", - "properties": { - "backendAddressPool": { - "id": "" - }, - "backendHttpSettings": { - "id": "" - }, - "httpListener": { - "id": "" - }, - "priority": 200, - "ruleType": "Basic" - } - }, - { - "name": "private4433-privateVmHttpSetting-privateVmHttpSetting", - "properties": { - "backendAddressPool": { - "id": "" - }, - "backendHttpSettings": { - "id": "" - }, - "httpListener": { - "id": "" - }, - "priority": 250, - "ruleType": "Basic" - } - }, - { - "name": "httpRedirect80-public443", - "properties": { - "httpListener": { - "id": "" - }, - "priority": 300, - "redirectConfiguration": { - "id": "" - }, - "ruleType": "Basic" - } - }, - { - "name": "httpRedirect8080-private4433", - "properties": { - "httpListener": { - "id": "" - }, - "priority": 350, - "redirectConfiguration": { - "id": "" - }, - "rewriteRuleSet": { - "id": "" - }, - "ruleType": "Basic" - } - } - ] - }, - "rewriteRuleSets": { - "value": [ - { - "id": "", - "name": "customRewrite", - "properties": { - 
"rewriteRules": [ - { - "actionSet": { - "requestHeaderConfigurations": [ - { - "headerName": "Content-Type", - "headerValue": "JSON" - }, - { - "headerName": "someheader" - } - ], - "responseHeaderConfigurations": [] - }, - "conditions": [], - "name": "NewRewrite", - "ruleSequence": 100 - } - ] - } - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "sku": { - "value": "WAF_v2" - }, - "sslCertificates": { - "value": [ - { - "name": "az-apgw-x-001-ssl-certificate", - "properties": { - "keyVaultSecretId": "" - } - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "webApplicationFirewallConfiguration": { - "value": { - "disabledRuleGroups": [ - { - "ruleGroupName": "Known-CVEs" - }, - { - "ruleGroupName": "REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" - }, - { - "ruleGroupName": "REQUEST-941-APPLICATION-ATTACK-XSS" - } - ], - "enabled": true, - "exclusions": [ - { - "matchVariable": "RequestHeaderNames", - "selector": "hola", - "selectorMatchOperator": "StartsWith" - } - ], - "fileUploadLimitInMb": 100, - "firewallMode": "Detection", - "maxRequestBodySizeInKb": 128, - "requestBodyCheck": true, - "ruleSetType": "OWASP", - "ruleSetVersion": "3.0" - } - } - } -} -``` - -
-

- -### Example 2: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nagwaf' - params: { - // Required parameters - name: '' - // Non-required parameters - backendAddressPools: [ - { - name: 'appServiceBackendPool' - properties: { - backendAddresses: [ - { - fqdn: 'aghapp.azurewebsites.net' - } - ] - } - } - { - name: 'privateVmBackendPool' - properties: { - backendAddresses: [ - { - ipAddress: '10.0.0.4' - } - ] - } - } - ] - backendHttpSettingsCollection: [ - { - name: 'appServiceBackendHttpsSetting' - properties: { - cookieBasedAffinity: 'Disabled' - pickHostNameFromBackendAddress: true - port: 443 - protocol: 'Https' - requestTimeout: 30 - } - } - { - name: 'privateVmHttpSetting' - properties: { - cookieBasedAffinity: 'Disabled' - pickHostNameFromBackendAddress: false - port: 80 - probe: { - id: '' - } - protocol: 'Http' - requestTimeout: 30 - } - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - enableHttp2: true - frontendIPConfigurations: [ - { - name: 'private' - properties: { - privateIPAddress: '10.0.0.20' - privateIPAllocationMethod: 'Static' - subnet: { - id: '' - } - } - } - { - name: 'public' - properties: { - privateIPAllocationMethod: 'Dynamic' - privateLinkConfiguration: { - id: '' - } - publicIPAddress: { - id: '' - } - } - } - ] - frontendPorts: [ - { - name: 'port443' - properties: { - port: 443 - } - } - { - name: 'port4433' - properties: { - port: 4433 - } - } - { - name: 'port80' - properties: { - port: 80 - } - } - { - name: 'port8080' - properties: { - port: 8080 - } - } - ] - gatewayIPConfigurations: [ - { - name: 'apw-ip-configuration' - properties: { - subnet: { - id: '' - } - } - } - ] - httpListeners: [ - { - 
name: 'public443' - properties: { - frontendIPConfiguration: { - id: '' - } - frontendPort: { - id: '' - } - hostNames: [] - protocol: 'https' - requireServerNameIndication: false - sslCertificate: { - id: '' - } - } - } - { - name: 'private4433' - properties: { - frontendIPConfiguration: { - id: '' - } - frontendPort: { - id: '' - } - hostNames: [] - protocol: 'https' - requireServerNameIndication: false - sslCertificate: { - id: '' - } - } - } - { - name: 'httpRedirect80' - properties: { - frontendIPConfiguration: { - id: '' - } - frontendPort: { - id: '' - } - hostNames: [] - protocol: 'Http' - requireServerNameIndication: false - } - } - { - name: 'httpRedirect8080' - properties: { - frontendIPConfiguration: { - id: '' - } - frontendPort: { - id: '' - } - hostNames: [] - protocol: 'Http' - requireServerNameIndication: false - } - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'public' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - privateLinkConfigurations: [ - { - id: '' - name: 'pvtlink01' - properties: { - ipConfigurations: [ - { - id: '' - name: 'privateLinkIpConfig1' - properties: { - primary: false - privateIPAllocationMethod: 'Dynamic' - subnet: { - id: '' - } - } - } - ] - } - } - ] - probes: [ - { - name: 'privateVmHttpSettingProbe' - properties: { - host: '10.0.0.4' - interval: 60 - match: { - statusCodes: [ - '200' - '401' - ] - } - minServers: 3 - path: '/' - pickHostNameFromBackendHttpSettings: false - protocol: 'Http' - timeout: 15 - unhealthyThreshold: 5 - } - } - ] - redirectConfigurations: [ - { - name: 'httpRedirect80' - properties: { - includePath: true - includeQueryString: true - redirectType: 'Permanent' - requestRoutingRules: [ - { - id: '' - } - ] - targetListener: { - id: '' - } - } - } - { - name: 'httpRedirect8080' - 
properties: { - includePath: true - includeQueryString: true - redirectType: 'Permanent' - requestRoutingRules: [ - { - id: '' - } - ] - targetListener: { - id: '' - } - } - } - ] - requestRoutingRules: [ - { - name: 'public443-appServiceBackendHttpsSetting-appServiceBackendHttpsSetting' - properties: { - backendAddressPool: { - id: '' - } - backendHttpSettings: { - id: '' - } - httpListener: { - id: '' - } - priority: 200 - ruleType: 'Basic' - } - } - { - name: 'private4433-privateVmHttpSetting-privateVmHttpSetting' - properties: { - backendAddressPool: { - id: '' - } - backendHttpSettings: { - id: '' - } - httpListener: { - id: '' - } - priority: 250 - ruleType: 'Basic' - } - } - { - name: 'httpRedirect80-public443' - properties: { - httpListener: { - id: '' - } - priority: 300 - redirectConfiguration: { - id: '' - } - ruleType: 'Basic' - } - } - { - name: 'httpRedirect8080-private4433' - properties: { - httpListener: { - id: '' - } - priority: 350 - redirectConfiguration: { - id: '' - } - rewriteRuleSet: { - id: '' - } - ruleType: 'Basic' - } - } - ] - rewriteRuleSets: [ - { - id: '' - name: 'customRewrite' - properties: { - rewriteRules: [ - { - actionSet: { - requestHeaderConfigurations: [ - { - headerName: 'Content-Type' - headerValue: 'JSON' - } - { - headerName: 'someheader' - } - ] - responseHeaderConfigurations: [] - } - conditions: [] - name: 'NewRewrite' - ruleSequence: 100 - } - ] - } - } - ] - sku: 'WAF_v2' - sslCertificates: [ - { - name: 'az-apgw-x-001-ssl-certificate' - properties: { - keyVaultSecretId: '' - } - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - webApplicationFirewallConfiguration: { - disabledRuleGroups: [ - { - ruleGroupName: 'Known-CVEs' - } - { - ruleGroupName: 'REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION' - } - { - ruleGroupName: 'REQUEST-941-APPLICATION-ATTACK-XSS' - } - ] - enabled: true - exclusions: [ - { - matchVariable: 
'RequestHeaderNames' - selector: 'hola' - selectorMatchOperator: 'StartsWith' - } - ] - fileUploadLimitInMb: 100 - firewallMode: 'Detection' - maxRequestBodySizeInKb: 128 - requestBodyCheck: true - ruleSetType: 'OWASP' - ruleSetVersion: '3.0' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "" - }, - // Non-required parameters - "backendAddressPools": { - "value": [ - { - "name": "appServiceBackendPool", - "properties": { - "backendAddresses": [ - { - "fqdn": "aghapp.azurewebsites.net" - } - ] - } - }, - { - "name": "privateVmBackendPool", - "properties": { - "backendAddresses": [ - { - "ipAddress": "10.0.0.4" - } - ] - } - } - ] - }, - "backendHttpSettingsCollection": { - "value": [ - { - "name": "appServiceBackendHttpsSetting", - "properties": { - "cookieBasedAffinity": "Disabled", - "pickHostNameFromBackendAddress": true, - "port": 443, - "protocol": "Https", - "requestTimeout": 30 - } - }, - { - "name": "privateVmHttpSetting", - "properties": { - "cookieBasedAffinity": "Disabled", - "pickHostNameFromBackendAddress": false, - "port": 80, - "probe": { - "id": "" - }, - "protocol": "Http", - "requestTimeout": 30 - } - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "enableHttp2": { - "value": true - }, - "frontendIPConfigurations": { - "value": [ - { - "name": "private", - "properties": { - "privateIPAddress": "10.0.0.20", - "privateIPAllocationMethod": "Static", - "subnet": { - "id": "" - } - } - }, - { - "name": "public", - "properties": { - "privateIPAllocationMethod": "Dynamic", - "privateLinkConfiguration": { - "id": "" - }, - "publicIPAddress": { - "id": "" - } - } - } - ] - }, - "frontendPorts": { - "value": [ - { - "name": "port443", - "properties": { - "port": 443 - } - }, - { - "name": "port4433", - "properties": { - "port": 
4433 - } - }, - { - "name": "port80", - "properties": { - "port": 80 - } - }, - { - "name": "port8080", - "properties": { - "port": 8080 - } - } - ] - }, - "gatewayIPConfigurations": { - "value": [ - { - "name": "apw-ip-configuration", - "properties": { - "subnet": { - "id": "" - } - } - } - ] - }, - "httpListeners": { - "value": [ - { - "name": "public443", - "properties": { - "frontendIPConfiguration": { - "id": "" - }, - "frontendPort": { - "id": "" - }, - "hostNames": [], - "protocol": "https", - "requireServerNameIndication": false, - "sslCertificate": { - "id": "" - } - } - }, - { - "name": "private4433", - "properties": { - "frontendIPConfiguration": { - "id": "" - }, - "frontendPort": { - "id": "" - }, - "hostNames": [], - "protocol": "https", - "requireServerNameIndication": false, - "sslCertificate": { - "id": "" - } - } - }, - { - "name": "httpRedirect80", - "properties": { - "frontendIPConfiguration": { - "id": "" - }, - "frontendPort": { - "id": "" - }, - "hostNames": [], - "protocol": "Http", - "requireServerNameIndication": false - } - }, - { - "name": "httpRedirect8080", - "properties": { - "frontendIPConfiguration": { - "id": "" - }, - "frontendPort": { - "id": "" - }, - "hostNames": [], - "protocol": "Http", - "requireServerNameIndication": false - } - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "public", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "Role": "DeploymentValidation" - } - } - ] - }, - "privateLinkConfigurations": { - "value": [ - { - "id": "", - "name": "pvtlink01", - "properties": { - "ipConfigurations": [ - { - "id": "", - "name": "privateLinkIpConfig1", - "properties": { - "primary": false, - "privateIPAllocationMethod": "Dynamic", - "subnet": { - "id": "" - } - } - } - ] 
- } - } - ] - }, - "probes": { - "value": [ - { - "name": "privateVmHttpSettingProbe", - "properties": { - "host": "10.0.0.4", - "interval": 60, - "match": { - "statusCodes": [ - "200", - "401" - ] - }, - "minServers": 3, - "path": "/", - "pickHostNameFromBackendHttpSettings": false, - "protocol": "Http", - "timeout": 15, - "unhealthyThreshold": 5 - } - } - ] - }, - "redirectConfigurations": { - "value": [ - { - "name": "httpRedirect80", - "properties": { - "includePath": true, - "includeQueryString": true, - "redirectType": "Permanent", - "requestRoutingRules": [ - { - "id": "" - } - ], - "targetListener": { - "id": "" - } - } - }, - { - "name": "httpRedirect8080", - "properties": { - "includePath": true, - "includeQueryString": true, - "redirectType": "Permanent", - "requestRoutingRules": [ - { - "id": "" - } - ], - "targetListener": { - "id": "" - } - } - } - ] - }, - "requestRoutingRules": { - "value": [ - { - "name": "public443-appServiceBackendHttpsSetting-appServiceBackendHttpsSetting", - "properties": { - "backendAddressPool": { - "id": "" - }, - "backendHttpSettings": { - "id": "" - }, - "httpListener": { - "id": "" - }, - "priority": 200, - "ruleType": "Basic" - } - }, - { - "name": "private4433-privateVmHttpSetting-privateVmHttpSetting", - "properties": { - "backendAddressPool": { - "id": "" - }, - "backendHttpSettings": { - "id": "" - }, - "httpListener": { - "id": "" - }, - "priority": 250, - "ruleType": "Basic" - } - }, - { - "name": "httpRedirect80-public443", - "properties": { - "httpListener": { - "id": "" - }, - "priority": 300, - "redirectConfiguration": { - "id": "" - }, - "ruleType": "Basic" - } - }, - { - "name": "httpRedirect8080-private4433", - "properties": { - "httpListener": { - "id": "" - }, - "priority": 350, - "redirectConfiguration": { - "id": "" - }, - "rewriteRuleSet": { - "id": "" - }, - "ruleType": "Basic" - } - } - ] - }, - "rewriteRuleSets": { - "value": [ - { - "id": "", - "name": "customRewrite", - "properties": { - 
"rewriteRules": [ - { - "actionSet": { - "requestHeaderConfigurations": [ - { - "headerName": "Content-Type", - "headerValue": "JSON" - }, - { - "headerName": "someheader" - } - ], - "responseHeaderConfigurations": [] - }, - "conditions": [], - "name": "NewRewrite", - "ruleSequence": 100 - } - ] - } - } - ] - }, - "sku": { - "value": "WAF_v2" - }, - "sslCertificates": { - "value": [ - { - "name": "az-apgw-x-001-ssl-certificate", - "properties": { - "keyVaultSecretId": "" - } - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "webApplicationFirewallConfiguration": { - "value": { - "disabledRuleGroups": [ - { - "ruleGroupName": "Known-CVEs" - }, - { - "ruleGroupName": "REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" - }, - { - "ruleGroupName": "REQUEST-941-APPLICATION-ATTACK-XSS" - } - ], - "enabled": true, - "exclusions": [ - { - "matchVariable": "RequestHeaderNames", - "selector": "hola", - "selectorMatchOperator": "StartsWith" - } - ], - "fileUploadLimitInMb": 100, - "firewallMode": "Detection", - "maxRequestBodySizeInKb": 128, - "requestBodyCheck": true, - "ruleSetType": "OWASP", - "ruleSetVersion": "3.0" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Application Gateway. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`authenticationCertificates`](#parameter-authenticationcertificates) | array | Authentication certificates of the application gateway resource. | -| [`autoscaleMaxCapacity`](#parameter-autoscalemaxcapacity) | int | Upper bound on number of Application Gateway capacity. | -| [`autoscaleMinCapacity`](#parameter-autoscalemincapacity) | int | Lower bound on number of Application Gateway capacity. | -| [`backendAddressPools`](#parameter-backendaddresspools) | array | Backend address pool of the application gateway resource. | -| [`backendHttpSettingsCollection`](#parameter-backendhttpsettingscollection) | array | Backend http settings of the application gateway resource. | -| [`backendSettingsCollection`](#parameter-backendsettingscollection) | array | Backend settings of the application gateway resource. For default limits, see [Application Gateway limits](https://learn.microsoft.com/en-us/azure/azure-subscription-service-limits#application-gateway-limits). | -| [`capacity`](#parameter-capacity) | int | The number of Application instances to be configured. | -| [`customErrorConfigurations`](#parameter-customerrorconfigurations) | array | Custom error configurations of the application gateway resource. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`enableFips`](#parameter-enablefips) | bool | Whether FIPS is enabled on the application gateway resource. | -| [`enableHttp2`](#parameter-enablehttp2) | bool | Whether HTTP2 is enabled on the application gateway resource. 
| -| [`enableRequestBuffering`](#parameter-enablerequestbuffering) | bool | Enable request buffering. | -| [`enableResponseBuffering`](#parameter-enableresponsebuffering) | bool | Enable response buffering. | -| [`firewallPolicyId`](#parameter-firewallpolicyid) | string | The resource ID of an associated firewall policy. Should be configured for security reasons. | -| [`frontendIPConfigurations`](#parameter-frontendipconfigurations) | array | Frontend IP addresses of the application gateway resource. | -| [`frontendPorts`](#parameter-frontendports) | array | Frontend ports of the application gateway resource. | -| [`gatewayIPConfigurations`](#parameter-gatewayipconfigurations) | array | Subnets of the application gateway resource. | -| [`httpListeners`](#parameter-httplisteners) | array | Http listeners of the application gateway resource. | -| [`listeners`](#parameter-listeners) | array | Listeners of the application gateway resource. For default limits, see [Application Gateway limits](https://learn.microsoft.com/en-us/azure/azure-subscription-service-limits#application-gateway-limits). | -| [`loadDistributionPolicies`](#parameter-loaddistributionpolicies) | array | Load distribution policies of the application gateway resource. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`privateLinkConfigurations`](#parameter-privatelinkconfigurations) | array | PrivateLink configurations on application gateway. | -| [`probes`](#parameter-probes) | array | Probes of the application gateway resource. 
| -| [`redirectConfigurations`](#parameter-redirectconfigurations) | array | Redirect configurations of the application gateway resource. | -| [`requestRoutingRules`](#parameter-requestroutingrules) | array | Request routing rules of the application gateway resource. | -| [`rewriteRuleSets`](#parameter-rewriterulesets) | array | Rewrite rules for the application gateway resource. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`routingRules`](#parameter-routingrules) | array | Routing rules of the application gateway resource. | -| [`sku`](#parameter-sku) | string | The name of the SKU for the Application Gateway. | -| [`sslCertificates`](#parameter-sslcertificates) | array | SSL certificates of the application gateway resource. | -| [`sslPolicyCipherSuites`](#parameter-sslpolicyciphersuites) | array | Ssl cipher suites to be enabled in the specified order to application gateway. | -| [`sslPolicyMinProtocolVersion`](#parameter-sslpolicyminprotocolversion) | string | Ssl protocol enums. | -| [`sslPolicyName`](#parameter-sslpolicyname) | string | Ssl predefined policy name enums. | -| [`sslPolicyType`](#parameter-sslpolicytype) | string | Type of Ssl Policy. | -| [`sslProfiles`](#parameter-sslprofiles) | array | SSL profiles of the application gateway resource. | -| [`tags`](#parameter-tags) | object | Resource tags. | -| [`trustedClientCertificates`](#parameter-trustedclientcertificates) | array | Trusted client certificates of the application gateway resource. | -| [`trustedRootCertificates`](#parameter-trustedrootcertificates) | array | Trusted Root certificates of the application gateway resource. | -| [`urlPathMaps`](#parameter-urlpathmaps) | array | URL path map of the application gateway resource. | -| [`webApplicationFirewallConfiguration`](#parameter-webapplicationfirewallconfiguration) | object | Application gateway web application firewall configuration. Should be configured for security reasons. 
| -| [`zones`](#parameter-zones) | array | A list of availability zones denoting where the resource needs to come from. | - -### Parameter: `name` - -Name of the Application Gateway. - -- Required: Yes -- Type: string - -### Parameter: `authenticationCertificates` - -Authentication certificates of the application gateway resource. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `autoscaleMaxCapacity` - -Upper bound on number of Application Gateway capacity. - -- Required: No -- Type: int -- Default: `-1` - -### Parameter: `autoscaleMinCapacity` - -Lower bound on number of Application Gateway capacity. - -- Required: No -- Type: int -- Default: `-1` - -### Parameter: `backendAddressPools` - -Backend address pool of the application gateway resource. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `backendHttpSettingsCollection` - -Backend http settings of the application gateway resource. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `backendSettingsCollection` - -Backend settings of the application gateway resource. For default limits, see [Application Gateway limits](https://learn.microsoft.com/en-us/azure/azure-subscription-service-limits#application-gateway-limits). - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `capacity` - -The number of Application instances to be configured. - -- Required: No -- Type: int -- Default: `2` - -### Parameter: `customErrorConfigurations` - -Custom error configurations of the application gateway resource. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. 
- -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. 
Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableFips` - -Whether FIPS is enabled on the application gateway resource. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enableHttp2` - -Whether HTTP2 is enabled on the application gateway resource. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enableRequestBuffering` - -Enable request buffering. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enableResponseBuffering` - -Enable response buffering. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `firewallPolicyId` - -The resource ID of an associated firewall policy. Should be configured for security reasons. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `frontendIPConfigurations` - -Frontend IP addresses of the application gateway resource. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `frontendPorts` - -Frontend ports of the application gateway resource. 
- -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `gatewayIPConfigurations` - -Subnets of the application gateway resource. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `httpListeners` - -Http listeners of the application gateway resource. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `listeners` - -Listeners of the application gateway resource. For default limits, see [Application Gateway limits](https://learn.microsoft.com/en-us/azure/azure-subscription-service-limits#application-gateway-limits). - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `loadDistributionPolicies` - -Load distribution policies of the application gateway resource. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. 
- -- Required: Yes -- Type: array - -### Parameter: `privateEndpoints` - -Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. 
| -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.service` - -The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.subnetResourceId` - -Resource ID of the subnet where the endpoint needs to be created. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Application security groups in which the private endpoint IP configuration is included. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customDnsConfigs` - -Custom DNS configurations. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customNetworkInterfaceName` - -The custom name of the network interface attached to the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.enableTelemetry` - -Enable/Disable usage telemetry for module. - -- Required: No -- Type: bool - -### Parameter: `privateEndpoints.ipConfigurations` - -A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.location` - -The location to deploy the private endpoint to. 
- -- Required: No -- Type: string - -### Parameter: `privateEndpoints.lock` - -Specify the type of lock. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | -| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | - -### Parameter: `privateEndpoints.lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `privateEndpoints.lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` - -Manual PrivateLink Service Connections. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.name` - -The name of the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneGroupName` - -The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` - -The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `privateEndpoints.roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `privateEndpoints.tags` - -Tags to be applied on all resources/resource groups in this deployment. - -- Required: No -- Type: object - -### Parameter: `privateLinkConfigurations` - -PrivateLink configurations on application gateway. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `probes` - -Probes of the application gateway resource. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `redirectConfigurations` - -Redirect configurations of the application gateway resource. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `requestRoutingRules` - -Request routing rules of the application gateway resource. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `rewriteRuleSets` - -Rewrite rules for the application gateway resource. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `roleAssignments` - -Array of role assignments to create. 
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
- -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `routingRules` - -Routing rules of the application gateway resource. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `sku` - -The name of the SKU for the Application Gateway. - -- Required: No -- Type: string -- Default: `'WAF_Medium'` -- Allowed: - ```Bicep - [ - 'Standard_Large' - 'Standard_Medium' - 'Standard_Small' - 'Standard_v2' - 'WAF_Large' - 'WAF_Medium' - 'WAF_v2' - ] - ``` - -### Parameter: `sslCertificates` - -SSL certificates of the application gateway resource. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `sslPolicyCipherSuites` - -Ssl cipher suites to be enabled in the specified order to application gateway. 
- -- Required: No -- Type: array -- Default: - ```Bicep - [ - 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256' - 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384' - ] - ``` -- Allowed: - ```Bicep - [ - 'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA' - 'TLS_DHE_DSS_WITH_AES_128_CBC_SHA' - 'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256' - 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA' - 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256' - 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA' - 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256' - 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA' - 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384' - 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA' - 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256' - 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256' - 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' - 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384' - 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384' - 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA' - 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256' - 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256' - 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA' - 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384' - 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384' - 'TLS_RSA_WITH_3DES_EDE_CBC_SHA' - 'TLS_RSA_WITH_AES_128_CBC_SHA' - 'TLS_RSA_WITH_AES_128_CBC_SHA256' - 'TLS_RSA_WITH_AES_128_GCM_SHA256' - 'TLS_RSA_WITH_AES_256_CBC_SHA' - 'TLS_RSA_WITH_AES_256_CBC_SHA256' - 'TLS_RSA_WITH_AES_256_GCM_SHA384' - ] - ``` - -### Parameter: `sslPolicyMinProtocolVersion` - -Ssl protocol enums. - -- Required: No -- Type: string -- Default: `'TLSv1_2'` -- Allowed: - ```Bicep - [ - 'TLSv1_0' - 'TLSv1_1' - 'TLSv1_2' - 'TLSv1_3' - ] - ``` - -### Parameter: `sslPolicyName` - -Ssl predefined policy name enums. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'AppGwSslPolicy20150501' - 'AppGwSslPolicy20170401' - 'AppGwSslPolicy20170401S' - 'AppGwSslPolicy20220101' - 'AppGwSslPolicy20220101S' - ] - ``` - -### Parameter: `sslPolicyType` - -Type of Ssl Policy. 
-
-- Required: No
-- Type: string
-- Default: `'Custom'`
-- Allowed:
- ```Bicep
- [
- 'Custom'
- 'CustomV2'
- 'Predefined'
- ]
- ```
-
-### Parameter: `sslProfiles`
-
-SSL profiles of the application gateway resource.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `tags`
-
-Resource tags.
-
-- Required: No
-- Type: object
-
-### Parameter: `trustedClientCertificates`
-
-Trusted client certificates of the application gateway resource.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `trustedRootCertificates`
-
-Trusted Root certificates of the application gateway resource.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `urlPathMaps`
-
-URL path map of the application gateway resource.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `webApplicationFirewallConfiguration`
-
-Application gateway web application firewall configuration. Should be configured for security reasons.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `zones`
-
-A list of availability zones denoting where the resource needs to come from.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the application gateway. |
-| `resourceGroupName` | string | The resource group the application gateway was deployed into. |
-| `resourceId` | string | The resource ID of the application gateway. |
-
-## Cross-referenced modules
-
-This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
-
-| Reference | Type |
-| :-- | :-- |
-| `modules/network/private-endpoint` | Local reference |
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/network/application-gateway/main.bicep b/modules/network/application-gateway/main.bicep
deleted file mode 100644
index ddcb2e145b..0000000000
--- a/modules/network/application-gateway/main.bicep
+++ /dev/null
@@ -1,528 +0,0 @@
-metadata name = 'Network Application Gateways'
-metadata description = 'This module deploys a Network Application Gateway.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the Application Gateway.')
-@maxLength(80)
-param name string
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
-
-@description('Optional. Authentication certificates of the application gateway resource.')
-param authenticationCertificates array = []
-
-@description('Optional. Upper bound on number of Application Gateway capacity.')
-param autoscaleMaxCapacity int = -1
-
-@description('Optional. Lower bound on number of Application Gateway capacity.')
-param autoscaleMinCapacity int = -1
-
-@description('Optional. Backend address pool of the application gateway resource.')
-param backendAddressPools array = []
-
-@description('Optional. Backend http settings of the application gateway resource.')
-param backendHttpSettingsCollection array = []
-
-@description('Optional. Custom error configurations of the application gateway resource.')
-param customErrorConfigurations array = []
-
-@description('Optional. Whether FIPS is enabled on the application gateway resource.')
-param enableFips bool = false
-
-@description('Optional. Whether HTTP2 is enabled on the application gateway resource.')
-param enableHttp2 bool = false
-
-@description('Optional. The resource ID of an associated firewall policy. Should be configured for security reasons.')
-param firewallPolicyId string = ''
-
-@description('Optional. Frontend IP addresses of the application gateway resource.')
-param frontendIPConfigurations array = []
-
-@description('Optional. Frontend ports of the application gateway resource.')
-param frontendPorts array = []
-
-@description('Optional. Subnets of the application gateway resource.')
-param gatewayIPConfigurations array = []
-
-@description('Optional. Enable request buffering.')
-param enableRequestBuffering bool = false
-
-@description('Optional. Enable response buffering.')
-param enableResponseBuffering bool = false
-
-@description('Optional. Http listeners of the application gateway resource.')
-param httpListeners array = []
-
-@description('Optional. Load distribution policies of the application gateway resource.')
-param loadDistributionPolicies array = []
-
-@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints privateEndpointType
-
-@description('Optional. PrivateLink configurations on application gateway.')
-param privateLinkConfigurations array = []
-
-@description('Optional. Probes of the application gateway resource.')
-param probes array = []
-
-@description('Optional. Redirect configurations of the application gateway resource.')
-param redirectConfigurations array = []
-
-@description('Optional. Request routing rules of the application gateway resource.')
-param requestRoutingRules array = []
-
-@description('Optional. Rewrite rules for the application gateway resource.')
-param rewriteRuleSets array = []
-
-@description('Optional. The name of the SKU for the Application Gateway.')
-@allowed([
- 'Standard_Small'
- 'Standard_Medium'
- 'Standard_Large'
- 'WAF_Medium'
- 'WAF_Large'
- 'Standard_v2'
- 'WAF_v2'
-])
-param sku string = 'WAF_Medium'
-
-@description('Optional. The number of Application instances to be configured.')
-@minValue(1)
-@maxValue(10)
-param capacity int = 2
-
-@description('Optional. SSL certificates of the application gateway resource.')
-param sslCertificates array = []
-
-@description('Optional. Ssl cipher suites to be enabled in the specified order to application gateway.')
-@allowed([
- 'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA'
- 'TLS_DHE_DSS_WITH_AES_128_CBC_SHA'
- 'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256'
- 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA'
- 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256'
- 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA'
- 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
- 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA'
- 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384'
- 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA'
- 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256'
- 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'
- 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA'
- 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384'
- 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
- 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA'
- 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'
- 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
- 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA'
- 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384'
- 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
- 'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
- 'TLS_RSA_WITH_AES_128_CBC_SHA'
- 'TLS_RSA_WITH_AES_128_CBC_SHA256'
- 'TLS_RSA_WITH_AES_128_GCM_SHA256'
- 'TLS_RSA_WITH_AES_256_CBC_SHA'
- 'TLS_RSA_WITH_AES_256_CBC_SHA256'
- 'TLS_RSA_WITH_AES_256_GCM_SHA384'
-])
-param sslPolicyCipherSuites array = [
- 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
- 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
-]
-
-@description('Optional. Ssl protocol enums.')
-@allowed([
- 'TLSv1_0'
- 'TLSv1_1'
- 'TLSv1_2'
- 'TLSv1_3'
-])
-param sslPolicyMinProtocolVersion string = 'TLSv1_2'
-
-@description('Optional. Ssl predefined policy name enums.')
-@allowed([
- 'AppGwSslPolicy20150501'
- 'AppGwSslPolicy20170401'
- 'AppGwSslPolicy20170401S'
- 'AppGwSslPolicy20220101'
- 'AppGwSslPolicy20220101S'
- ''
-])
-param sslPolicyName string = ''
-
-@description('Optional. Type of Ssl Policy.')
-@allowed([
- 'Custom'
- 'CustomV2'
- 'Predefined'
-])
-param sslPolicyType string = 'Custom'
-
-@description('Optional. SSL profiles of the application gateway resource.')
-param sslProfiles array = []
-
-@description('Optional. Trusted client certificates of the application gateway resource.')
-param trustedClientCertificates array = []
-
-@description('Optional. Trusted Root certificates of the application gateway resource.')
-param trustedRootCertificates array = []
-
-@description('Optional. URL path map of the application gateway resource.')
-param urlPathMaps array = []
-
-@description('Optional. Application gateway web application firewall configuration. Should be configured for security reasons.')
-param webApplicationFirewallConfiguration object = {}
-
-@description('Optional. A list of availability zones denoting where the resource needs to come from.')
-param zones array = []
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-
-var identity = !empty(managedIdentities) ? {
- type: !empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null
- userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
-} : null
-
-var enableReferencedModulesTelemetry = false
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Resource tags.')
-param tags object?
-
-@description('Optional. Backend settings of the application gateway resource. For default limits, see [Application Gateway limits](https://learn.microsoft.com/en-us/azure/azure-subscription-service-limits#application-gateway-limits).')
-param backendSettingsCollection array = []
-
-@description('Optional. Listeners of the application gateway resource. For default limits, see [Application Gateway limits](https://learn.microsoft.com/en-us/azure/azure-subscription-service-limits#application-gateway-limits).')
-param listeners array = []
-
-@description('Optional. Routing rules of the application gateway resource.')
-param routingRules array = []
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource applicationGateway 'Microsoft.Network/applicationGateways@2023-04-01' = {
- name: name
- location: location
- tags: tags
- identity: identity
- properties: union({
- authenticationCertificates: authenticationCertificates
- autoscaleConfiguration: autoscaleMaxCapacity > 0 && autoscaleMinCapacity >= 0 ? {
- maxCapacity: autoscaleMaxCapacity
- minCapacity: autoscaleMinCapacity
- } : null
- backendAddressPools: backendAddressPools
- backendHttpSettingsCollection: backendHttpSettingsCollection
- backendSettingsCollection: backendSettingsCollection
- customErrorConfigurations: customErrorConfigurations
- enableHttp2: enableHttp2
- firewallPolicy: !empty(firewallPolicyId) ? {
- id: firewallPolicyId
- } : null
- forceFirewallPolicyAssociation: !empty(firewallPolicyId)
- frontendIPConfigurations: frontendIPConfigurations
- frontendPorts: frontendPorts
- gatewayIPConfigurations: gatewayIPConfigurations
- globalConfiguration: endsWith(sku, 'v2') ? {
- enableRequestBuffering: enableRequestBuffering
- enableResponseBuffering: enableResponseBuffering
- } : null
- httpListeners: httpListeners
- loadDistributionPolicies: loadDistributionPolicies
- listeners: listeners
- privateLinkConfigurations: privateLinkConfigurations
- probes: probes
- redirectConfigurations: redirectConfigurations
- requestRoutingRules: requestRoutingRules
- routingRules: routingRules
- rewriteRuleSets: rewriteRuleSets
- sku: {
- name: sku
- tier: endsWith(sku, 'v2') ? sku : substring(sku, 0, indexOf(sku, '_'))
- capacity: autoscaleMaxCapacity > 0 && autoscaleMinCapacity >= 0 ? null : capacity
- }
- sslCertificates: sslCertificates
- sslPolicy: sslPolicyType != 'Predefined' ? {
- cipherSuites: sslPolicyCipherSuites
- minProtocolVersion: sslPolicyMinProtocolVersion
- policyName: empty(sslPolicyName) ? null : sslPolicyName
- policyType: sslPolicyType
- } : {
- policyName: empty(sslPolicyName) ? null : sslPolicyName
- policyType: sslPolicyType
- }
- sslProfiles: sslProfiles
- trustedClientCertificates: trustedClientCertificates
- trustedRootCertificates: trustedRootCertificates
- urlPathMaps: urlPathMaps
- }, (enableFips ? {
- enableFips: enableFips
- } : {}),
- (!empty(webApplicationFirewallConfiguration) ? { webApplicationFirewallConfiguration: webApplicationFirewallConfiguration } : {})
- )
- zones: zones
-}
-
-resource applicationGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: applicationGateway
-}
-
-resource applicationGateway_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: applicationGateway
-}]
-
-module applicationGateway_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
- name: '${uniqueString(deployment().name, location)}-applicationGateway-PrivateEndpoint-${index}'
- params: {
- groupIds: [
- privateEndpoint.service
- ]
- name: privateEndpoint.?name ?? 'pep-${last(split(applicationGateway.id, '/'))}-${privateEndpoint.?service ?? 'account'}-${index}'
- serviceResourceId: applicationGateway.id
- subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
- location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
- privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
- roleAssignments: privateEndpoint.?roleAssignments
- tags: privateEndpoint.?tags ?? tags
- manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
- customDnsConfigs: privateEndpoint.?customDnsConfigs
- ipConfigurations: privateEndpoint.?ipConfigurations
- applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
- customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
- }
-}]
-
-resource applicationGateway_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(applicationGateway.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: applicationGateway
-}]
-
-@description('The name of the application gateway.')
-output name string = applicationGateway.name
-
-@description('The resource ID of the application gateway.')
-output resourceId string = applicationGateway.id
-
-@description('The resource group the application gateway was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = applicationGateway.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type privateEndpointType = {
- @description('Optional. The name of the private endpoint.')
- name: string?
-
- @description('Optional. The location to deploy the private endpoint to.')
- location: string?
-
- @description('Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
- service: string
-
- @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
- subnetResourceId: string
-
- @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
- privateDnsZoneGroupName: string?
-
- @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
- privateDnsZoneResourceIds: string[]?
-
- @description('Optional. Custom DNS configurations.')
- customDnsConfigs: {
- @description('Required. Fqdn that resolves to private endpoint ip address.')
- fqdn: string?
-
- @description('Required. A list of private ip addresses of the private endpoint.')
- ipAddresses: string[]
- }[]?
-
- @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
- ipConfigurations: {
- @description('Required. The name of the resource that is unique within a resource group.')
- name: string
-
- @description('Required. Properties of private endpoint IP configurations.')
- properties: {
- @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
- groupId: string
-
- @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
- memberName: string
-
- @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
- privateIPAddress: string
- }
- }[]?
-
- @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
- applicationSecurityGroupResourceIds: string[]?
-
- @description('Optional. The custom name of the network interface attached to the private endpoint.')
- customNetworkInterfaceName: string?
-
- @description('Optional. Specify the type of lock.')
- lock: lockType
-
- @description('Optional. Array of role assignments to create.')
- roleAssignments: roleAssignmentType
-
- @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
- tags: object?
-
- @description('Optional. Manual PrivateLink Service Connections.')
- manualPrivateLinkServiceConnections: array?
-
- @description('Optional. Enable/Disable usage telemetry for module.')
- enableTelemetry: bool?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/network/application-gateway/main.json b/modules/network/application-gateway/main.json
deleted file mode 100644
index c2301f3546..0000000000
--- a/modules/network/application-gateway/main.json
+++ /dev/null
@@ -1,1528 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "12788892286757802636" - }, - "name": "Network Application Gateways", - "description": "This module deploys a Network Application Gateway.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "metadata": { - "description": "Required. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." 
- } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. 
Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 80, - "metadata": { - "description": "Required. Name of the Application Gateway." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "authenticationCertificates": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Authentication certificates of the application gateway resource." - } - }, - "autoscaleMaxCapacity": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Upper bound on number of Application Gateway capacity." 
- } - }, - "autoscaleMinCapacity": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Lower bound on number of Application Gateway capacity." - } - }, - "backendAddressPools": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Backend address pool of the application gateway resource." - } - }, - "backendHttpSettingsCollection": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Backend http settings of the application gateway resource." - } - }, - "customErrorConfigurations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Custom error configurations of the application gateway resource." - } - }, - "enableFips": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether FIPS is enabled on the application gateway resource." - } - }, - "enableHttp2": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether HTTP2 is enabled on the application gateway resource." - } - }, - "firewallPolicyId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of an associated firewall policy. Should be configured for security reasons." - } - }, - "frontendIPConfigurations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Frontend IP addresses of the application gateway resource." - } - }, - "frontendPorts": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Frontend ports of the application gateway resource." - } - }, - "gatewayIPConfigurations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Subnets of the application gateway resource." - } - }, - "enableRequestBuffering": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enable request buffering." 
- } - }, - "enableResponseBuffering": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enable response buffering." - } - }, - "httpListeners": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Http listeners of the application gateway resource." - } - }, - "loadDistributionPolicies": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Load distribution policies of the application gateway resource." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." - } - }, - "privateLinkConfigurations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. PrivateLink configurations on application gateway." - } - }, - "probes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Probes of the application gateway resource." - } - }, - "redirectConfigurations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Redirect configurations of the application gateway resource." - } - }, - "requestRoutingRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Request routing rules of the application gateway resource." - } - }, - "rewriteRuleSets": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Rewrite rules for the application gateway resource." - } - }, - "sku": { - "type": "string", - "defaultValue": "WAF_Medium", - "allowedValues": [ - "Standard_Small", - "Standard_Medium", - "Standard_Large", - "WAF_Medium", - "WAF_Large", - "Standard_v2", - "WAF_v2" - ], - "metadata": { - "description": "Optional. The name of the SKU for the Application Gateway." 
- } - }, - "capacity": { - "type": "int", - "defaultValue": 2, - "minValue": 1, - "maxValue": 10, - "metadata": { - "description": "Optional. The number of Application instances to be configured." - } - }, - "sslCertificates": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. SSL certificates of the application gateway resource." - } - }, - "sslPolicyCipherSuites": { - "type": "array", - "defaultValue": [ - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" - ], - "allowedValues": [ - "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", - "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", - "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", - "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", - "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_RSA_WITH_AES_128_CBC_SHA", - "TLS_RSA_WITH_AES_128_CBC_SHA256", - "TLS_RSA_WITH_AES_128_GCM_SHA256", - "TLS_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_AES_256_CBC_SHA256", - "TLS_RSA_WITH_AES_256_GCM_SHA384" - ], - "metadata": { - "description": "Optional. Ssl cipher suites to be enabled in the specified order to application gateway." 
- } - }, - "sslPolicyMinProtocolVersion": { - "type": "string", - "defaultValue": "TLSv1_2", - "allowedValues": [ - "TLSv1_0", - "TLSv1_1", - "TLSv1_2", - "TLSv1_3" - ], - "metadata": { - "description": "Optional. Ssl protocol enums." - } - }, - "sslPolicyName": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "AppGwSslPolicy20150501", - "AppGwSslPolicy20170401", - "AppGwSslPolicy20170401S", - "AppGwSslPolicy20220101", - "AppGwSslPolicy20220101S", - "" - ], - "metadata": { - "description": "Optional. Ssl predefined policy name enums." - } - }, - "sslPolicyType": { - "type": "string", - "defaultValue": "Custom", - "allowedValues": [ - "Custom", - "CustomV2", - "Predefined" - ], - "metadata": { - "description": "Optional. Type of Ssl Policy." - } - }, - "sslProfiles": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. SSL profiles of the application gateway resource." - } - }, - "trustedClientCertificates": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Trusted client certificates of the application gateway resource." - } - }, - "trustedRootCertificates": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Trusted Root certificates of the application gateway resource." - } - }, - "urlPathMaps": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. URL path map of the application gateway resource." - } - }, - "webApplicationFirewallConfiguration": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Application gateway web application firewall configuration. Should be configured for security reasons." - } - }, - "zones": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. A list of availability zones denoting where the resource needs to come from." 
- } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Resource tags." - } - }, - "backendSettingsCollection": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Backend settings of the application gateway resource. For default limits, see [Application Gateway limits](https://learn.microsoft.com/en-us/azure/azure-subscription-service-limits#application-gateway-limits)." - } - }, - "listeners": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Listeners of the application gateway resource. For default limits, see [Application Gateway limits](https://learn.microsoft.com/en-us/azure/azure-subscription-service-limits#application-gateway-limits)." - } - }, - "routingRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Routing rules of the application gateway resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null()), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - 
}, - "applicationGateway": { - "type": "Microsoft.Network/applicationGateways", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "properties": "[union(createObject('authenticationCertificates', parameters('authenticationCertificates'), 'autoscaleConfiguration', if(and(greater(parameters('autoscaleMaxCapacity'), 0), greaterOrEquals(parameters('autoscaleMinCapacity'), 0)), createObject('maxCapacity', parameters('autoscaleMaxCapacity'), 'minCapacity', parameters('autoscaleMinCapacity')), null()), 'backendAddressPools', parameters('backendAddressPools'), 'backendHttpSettingsCollection', parameters('backendHttpSettingsCollection'), 'backendSettingsCollection', parameters('backendSettingsCollection'), 'customErrorConfigurations', parameters('customErrorConfigurations'), 'enableHttp2', parameters('enableHttp2'), 'firewallPolicy', if(not(empty(parameters('firewallPolicyId'))), createObject('id', parameters('firewallPolicyId')), null()), 'forceFirewallPolicyAssociation', not(empty(parameters('firewallPolicyId'))), 'frontendIPConfigurations', parameters('frontendIPConfigurations'), 'frontendPorts', parameters('frontendPorts'), 'gatewayIPConfigurations', parameters('gatewayIPConfigurations'), 'globalConfiguration', if(endsWith(parameters('sku'), 'v2'), createObject('enableRequestBuffering', parameters('enableRequestBuffering'), 'enableResponseBuffering', parameters('enableResponseBuffering')), null()), 'httpListeners', parameters('httpListeners'), 'loadDistributionPolicies', parameters('loadDistributionPolicies'), 'listeners', parameters('listeners'), 'privateLinkConfigurations', parameters('privateLinkConfigurations'), 'probes', parameters('probes'), 'redirectConfigurations', parameters('redirectConfigurations'), 'requestRoutingRules', parameters('requestRoutingRules'), 'routingRules', parameters('routingRules'), 'rewriteRuleSets', 
parameters('rewriteRuleSets'), 'sku', createObject('name', parameters('sku'), 'tier', if(endsWith(parameters('sku'), 'v2'), parameters('sku'), substring(parameters('sku'), 0, indexOf(parameters('sku'), '_'))), 'capacity', if(and(greater(parameters('autoscaleMaxCapacity'), 0), greaterOrEquals(parameters('autoscaleMinCapacity'), 0)), null(), parameters('capacity'))), 'sslCertificates', parameters('sslCertificates'), 'sslPolicy', if(not(equals(parameters('sslPolicyType'), 'Predefined')), createObject('cipherSuites', parameters('sslPolicyCipherSuites'), 'minProtocolVersion', parameters('sslPolicyMinProtocolVersion'), 'policyName', if(empty(parameters('sslPolicyName')), null(), parameters('sslPolicyName')), 'policyType', parameters('sslPolicyType')), createObject('policyName', if(empty(parameters('sslPolicyName')), null(), parameters('sslPolicyName')), 'policyType', parameters('sslPolicyType'))), 'sslProfiles', parameters('sslProfiles'), 'trustedClientCertificates', parameters('trustedClientCertificates'), 'trustedRootCertificates', parameters('trustedRootCertificates'), 'urlPathMaps', parameters('urlPathMaps')), if(parameters('enableFips'), createObject('enableFips', parameters('enableFips')), createObject()), if(not(empty(parameters('webApplicationFirewallConfiguration'))), createObject('webApplicationFirewallConfiguration', parameters('webApplicationFirewallConfiguration')), createObject()))]", - "zones": "[parameters('zones')]" - }, - "applicationGateway_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/applicationGateways/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": 
"[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "applicationGateway" - ] - }, - "applicationGateway_diagnosticSettings": { - "copy": { - "name": "applicationGateway_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Network/applicationGateways/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "applicationGateway" - ] - }, - "applicationGateway_roleAssignments": { - "copy": { - "name": "applicationGateway_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/applicationGateways/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/applicationGateways', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), 
coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "applicationGateway" - ] - }, - "applicationGateway_privateEndpoints": { - "copy": { - "name": "applicationGateway_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-applicationGateway-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Network/applicationGateways', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'account'), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.Network/applicationGateways', parameters('name'))]" - }, - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), 
createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": 
"This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." 
- } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." 
- } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. 
Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } 
- }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - "groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": 
"privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": 
"Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "applicationGateway" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the application gateway." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the application gateway." - }, - "value": "[resourceId('Microsoft.Network/applicationGateways', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the application gateway was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('applicationGateway', '2023-04-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/application-gateway/tests/e2e/max/dependencies.bicep b/modules/network/application-gateway/tests/e2e/max/dependencies.bicep deleted file mode 100644 index 2de1a81653..0000000000 
--- a/modules/network/application-gateway/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,146 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Public IP to create.')
-param publicIPName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Deployment Script to create for the Certificate generation.')
-param certDeploymentScriptName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 24, 0)
- }
- }
- {
- name: 'privateLinkSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 24, 1)
- privateLinkServiceNetworkPolicies: 'Disabled'
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.appgateway.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource publicIP 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
- name: publicIPName
- location: location
- sku: {
- name: 'Standard'
- tier: 'Regional'
- }
- properties: {
- publicIPAllocationMethod: 'Static'
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: null
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-}
-
-resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${managedIdentity.name}-KeyVault-Admin-RoleAssignment')
- scope: keyVault
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') // Key Vault Administrator
- principalType: 'ServicePrincipal'
- }
-}
-
-resource certDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
- name: certDeploymentScriptName
- location: location
- kind: 'AzurePowerShell'
- identity: {
- type: 'UserAssigned'
- userAssignedIdentities: {
- '${managedIdentity.id}': {}
- }
- }
- properties: {
- azPowerShellVersion: '8.0'
- retentionInterval: 'P1D'
- arguments: '-KeyVaultName "${keyVault.name}" -CertName "applicationGatewaySslCertificate"'
- scriptContent: loadTextContent('../../../../../.shared/.scripts/Set-CertificateInKeyVault.ps1')
- }
-}
-
-@description('The resource ID of the created Virtual Network default subnet.')
-output defaultSubnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Virtual Network private link subnet.')
-output privateLinkSubnetResourceId string = virtualNetwork.properties.subnets[1].id
-
-@description('The resource ID of the created Public IP.')
-output publicIPResourceId string = publicIP.id
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The URL of the created certificate.')
-output certificateSecretUrl string = certDeploymentScript.properties.outputs.secretUrl
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/network/application-gateway/tests/e2e/max/main.test.bicep b/modules/network/application-gateway/tests/e2e/max/main.test.bicep
deleted file mode 100644
index eed5a5bb44..0000000000
--- a/modules/network/application-gateway/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,509 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.applicationgateways-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nagmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- publicIPName: 'dep-${namePrefix}-pip-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- certDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}'
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-var appGWName = '${namePrefix}${serviceShort}001'
-var appGWExpectedResourceID = '${resourceGroup.id}/providers/Microsoft.Network/applicationGateways/${appGWName}'
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: appGWName
- backendAddressPools: [
- {
- name: 'appServiceBackendPool'
- properties: {
- backendAddresses: [
- {
- fqdn: 'aghapp.azurewebsites.net'
- }
- ]
- }
- }
- {
- name: 'privateVmBackendPool'
- properties: {
- backendAddresses: [
- {
- ipAddress: '10.0.0.4'
- }
- ]
- }
- }
- ]
- backendHttpSettingsCollection: [
- {
- name: 'appServiceBackendHttpsSetting'
- properties: {
- cookieBasedAffinity: 'Disabled'
- pickHostNameFromBackendAddress: true
- port: 443
- protocol: 'Https'
- requestTimeout: 30
- }
- }
- {
- name: 'privateVmHttpSetting'
- properties: {
- cookieBasedAffinity: 'Disabled'
- pickHostNameFromBackendAddress: false
- port: 80
- probe: {
- id: '${appGWExpectedResourceID}/probes/privateVmHttpSettingProbe'
- }
- protocol: 'Http'
- requestTimeout: 30
- }
- }
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- enableHttp2: true
- privateLinkConfigurations: [
- {
- name: 'pvtlink01'
- id: '${appGWExpectedResourceID}/privateLinkConfigurations/pvtlink01'
- properties: {
- ipConfigurations: [
- {
- name: 'privateLinkIpConfig1'
- id: '${appGWExpectedResourceID}/privateLinkConfigurations/pvtlink01/ipConfigurations/privateLinkIpConfig1'
- properties: {
- privateIPAllocationMethod: 'Dynamic'
- primary: false
- subnet: {
- id: nestedDependencies.outputs.privateLinkSubnetResourceId
- }
- }
- }
- ]
- }
- }
- ]
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- service: 'public'
- subnetResourceId: nestedDependencies.outputs.privateLinkSubnetResourceId
- tags: {
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- frontendIPConfigurations: [
- {
- name: 'private'
- properties: {
- privateIPAddress: '10.0.0.20'
- privateIPAllocationMethod: 'Static'
- subnet: {
- id: nestedDependencies.outputs.defaultSubnetResourceId
- }
- }
- }
- {
- name: 'public'
- properties: {
- privateIPAllocationMethod: 'Dynamic'
- publicIPAddress: {
- id: nestedDependencies.outputs.publicIPResourceId
- }
- privateLinkConfiguration: {
- id: '${appGWExpectedResourceID}/privateLinkConfigurations/pvtlink01'
- }
- }
- }
- ]
- frontendPorts: [
- {
- name: 'port443'
- properties: {
- port: 443
- }
- }
- {
- name: 'port4433'
- properties: {
- port: 4433
- }
- }
- {
- name: 'port80'
- properties: {
- port: 80
- }
- }
- {
- name: 'port8080'
- properties: {
- port: 8080
- }
- }
- ]
- gatewayIPConfigurations: [
- {
- name: 'apw-ip-configuration'
- properties: {
- subnet: {
- id: nestedDependencies.outputs.defaultSubnetResourceId
- }
- }
- }
- ]
- httpListeners: [
- {
- name: 'public443'
- properties: {
- frontendIPConfiguration: {
- id: '${appGWExpectedResourceID}/frontendIPConfigurations/public'
- }
- frontendPort: {
- id: '${appGWExpectedResourceID}/frontendPorts/port443'
- }
- hostNames: []
- protocol: 'https'
- requireServerNameIndication: false
- sslCertificate: {
- id: '${appGWExpectedResourceID}/sslCertificates/${namePrefix}-az-apgw-x-001-ssl-certificate'
- }
- }
- }
- {
- name: 'private4433'
- properties: {
- frontendIPConfiguration: {
- id: '${appGWExpectedResourceID}/frontendIPConfigurations/private'
- }
- frontendPort: {
- id: '${appGWExpectedResourceID}/frontendPorts/port4433'
- }
- hostNames: []
- protocol: 'https'
- requireServerNameIndication: false
- sslCertificate: {
- id: '${appGWExpectedResourceID}/sslCertificates/${namePrefix}-az-apgw-x-001-ssl-certificate'
- }
- }
- }
- {
- name: 'httpRedirect80'
- properties: {
- frontendIPConfiguration: {
- id: '${appGWExpectedResourceID}/frontendIPConfigurations/public'
- }
- frontendPort: {
- id: '${appGWExpectedResourceID}/frontendPorts/port80'
- }
- hostNames: []
- protocol: 'Http'
- requireServerNameIndication: false
- }
- }
- {
- name: 'httpRedirect8080'
- properties: {
- frontendIPConfiguration: {
- id: '${appGWExpectedResourceID}/frontendIPConfigurations/private'
- }
- frontendPort: {
- id: '${appGWExpectedResourceID}/frontendPorts/port8080'
- }
- hostNames: []
- protocol: 'Http'
- requireServerNameIndication: false
- }
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- probes: [
- {
- name: 'privateVmHttpSettingProbe'
- properties: {
- host: '10.0.0.4'
- interval: 60
- match: {
- statusCodes: [
- '200'
- '401'
- ]
- }
- minServers: 3
- path: '/'
- pickHostNameFromBackendHttpSettings: false
- protocol: 'Http'
- timeout: 15
- unhealthyThreshold: 5
- }
- }
- ]
- redirectConfigurations: [
- {
- name: 'httpRedirect80'
- properties: {
- includePath: true
- includeQueryString: true
- redirectType: 'Permanent'
- requestRoutingRules: [
- {
- id: '${appGWExpectedResourceID}/requestRoutingRules/httpRedirect80-public443'
- }
- ]
- targetListener: {
- id: '${appGWExpectedResourceID}/httpListeners/public443'
- }
- }
- }
- {
- name: 'httpRedirect8080'
- properties: {
- includePath: true
- includeQueryString: true
- redirectType: 'Permanent'
- requestRoutingRules: [
- {
- id: '${appGWExpectedResourceID}/requestRoutingRules/httpRedirect8080-private4433'
- }
- ]
- targetListener: {
- id: '${appGWExpectedResourceID}/httpListeners/private4433'
- }
- }
- }
- ]
- requestRoutingRules: [
- {
- name: 'public443-appServiceBackendHttpsSetting-appServiceBackendHttpsSetting'
- properties: {
- backendAddressPool: {
- id: '${appGWExpectedResourceID}/backendAddressPools/appServiceBackendPool'
- }
- backendHttpSettings: {
- id: '${appGWExpectedResourceID}/backendHttpSettingsCollection/appServiceBackendHttpsSetting'
- }
- httpListener: {
- id: '${appGWExpectedResourceID}/httpListeners/public443'
- }
- priority: 200
- ruleType: 'Basic'
- }
- }
- {
- name: 'private4433-privateVmHttpSetting-privateVmHttpSetting'
- properties: {
- backendAddressPool: {
- id: '${appGWExpectedResourceID}/backendAddressPools/privateVmBackendPool'
- }
- backendHttpSettings: {
- id: '${appGWExpectedResourceID}/backendHttpSettingsCollection/privateVmHttpSetting'
- }
- httpListener: {
- id: '${appGWExpectedResourceID}/httpListeners/private4433'
- }
- priority: 250
- ruleType: 'Basic'
- }
- }
- {
- name: 'httpRedirect80-public443'
- properties: {
- httpListener: {
- id: '${appGWExpectedResourceID}/httpListeners/httpRedirect80'
- }
- priority: 300
- redirectConfiguration: {
- id: '${appGWExpectedResourceID}/redirectConfigurations/httpRedirect80'
- }
- ruleType: 'Basic'
- }
- }
- {
- name: 'httpRedirect8080-private4433'
- properties: {
- httpListener: {
- id: '${appGWExpectedResourceID}/httpListeners/httpRedirect8080'
- }
- priority: 350
- redirectConfiguration: {
- id: '${appGWExpectedResourceID}/redirectConfigurations/httpRedirect8080'
- }
- ruleType: 'Basic'
- rewriteRuleSet: {
- id: '${appGWExpectedResourceID}/rewriteRuleSets/customRewrite'
- }
- }
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner' - 
principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - sku: 'WAF_v2' - sslCertificates: [ - { - name: '${namePrefix}-az-apgw-x-001-ssl-certificate' - properties: { - keyVaultSecretId: nestedDependencies.outputs.certificateSecretUrl - } - } - ] - managedIdentities: { - userAssignedResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - } - rewriteRuleSets: [ - { - name: 'customRewrite' - id: '${appGWExpectedResourceID}/rewriteRuleSets/customRewrite' - properties: { - rewriteRules: [ - { - ruleSequence: 100 - conditions: [] - name: 'NewRewrite' - actionSet: { - requestHeaderConfigurations: [ - { - headerName: 'Content-Type' - headerValue: 'JSON' - } - { - headerName: 'someheader' - } - ] - responseHeaderConfigurations: [] - } - } - ] - } - } - ] - webApplicationFirewallConfiguration: { - enabled: true - fileUploadLimitInMb: 100 - firewallMode: 'Detection' - maxRequestBodySizeInKb: 128 - requestBodyCheck: true - ruleSetType: 'OWASP' - ruleSetVersion: '3.0' - disabledRuleGroups: [ - { - ruleGroupName: 'Known-CVEs' - } - { - ruleGroupName: 'REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION' - } - { - ruleGroupName: 'REQUEST-941-APPLICATION-ATTACK-XSS' - } - ] - exclusions: [ - { - matchVariable: 'RequestHeaderNames' - selectorMatchOperator: 'StartsWith' - selector: 'hola' - } - ] - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] 
diff --git a/modules/network/application-gateway/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/application-gateway/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 2de1a81653..0000000000
--- a/modules/network/application-gateway/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,146 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Public IP to create.')
-param publicIPName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Deployment Script to create for the Certificate generation.')
-param certDeploymentScriptName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 24, 0)
- }
- }
- {
- name: 'privateLinkSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 24, 1)
- privateLinkServiceNetworkPolicies: 'Disabled'
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.appgateway.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource publicIP 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
- name: publicIPName
- location: location
- sku: {
- name: 'Standard'
- tier: 'Regional'
- }
- properties: {
- publicIPAllocationMethod: 'Static'
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: null
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-}
-
-resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${managedIdentity.name}-KeyVault-Admin-RoleAssignment')
- scope: keyVault
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') // Key Vault Administrator
- principalType: 'ServicePrincipal'
- }
-}
-
-resource certDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
- name: certDeploymentScriptName
- location: location
- kind: 'AzurePowerShell'
- identity: {
- type: 'UserAssigned'
- userAssignedIdentities: {
- '${managedIdentity.id}': {}
- }
- }
- properties: {
- azPowerShellVersion: '8.0'
- retentionInterval: 'P1D'
- arguments: '-KeyVaultName "${keyVault.name}" -CertName "applicationGatewaySslCertificate"'
- scriptContent: loadTextContent('../../../../../.shared/.scripts/Set-CertificateInKeyVault.ps1')
- }
-}
-
-@description('The resource ID of the created Virtual Network default subnet.')
-output defaultSubnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Virtual Network private link subnet.')
-output privateLinkSubnetResourceId string = virtualNetwork.properties.subnets[1].id
-
-@description('The resource ID of the created Public IP.')
-output publicIPResourceId string = publicIP.id
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The URL of the created certificate.')
-output certificateSecretUrl string = certDeploymentScript.properties.outputs.secretUrl
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index be6d16d560..0000000000
--- a/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,492 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-network.applicationgateways-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nagwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - publicIPName: 'dep-${namePrefix}-pip-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - certDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}' - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - 
storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -var appGWName = '${namePrefix}${serviceShort}001' -var appGWExpectedResourceID = '${resourceGroup.id}/providers/Microsoft.Network/applicationGateways/${appGWName}' -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: appGWName - backendAddressPools: [ - { - name: 'appServiceBackendPool' - properties: { - backendAddresses: [ - { - fqdn: 'aghapp.azurewebsites.net' - } - ] - } - } - { - name: 'privateVmBackendPool' - properties: { - backendAddresses: [ - { - ipAddress: '10.0.0.4' - } - ] - } - } - ] - backendHttpSettingsCollection: [ - { - name: 'appServiceBackendHttpsSetting' - properties: { - cookieBasedAffinity: 'Disabled' - pickHostNameFromBackendAddress: true - port: 443 - protocol: 'Https' - requestTimeout: 30 - } - } - { - name: 'privateVmHttpSetting' - properties: { - cookieBasedAffinity: 'Disabled' - pickHostNameFromBackendAddress: false - port: 80 - probe: { - id: '${appGWExpectedResourceID}/probes/privateVmHttpSettingProbe' - } - protocol: 'Http' - requestTimeout: 30 - } - } - ] - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: 
diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - enableHttp2: true - privateLinkConfigurations: [ - { - name: 'pvtlink01' - id: '${appGWExpectedResourceID}/privateLinkConfigurations/pvtlink01' - properties: { - ipConfigurations: [ - { - name: 'privateLinkIpConfig1' - id: '${appGWExpectedResourceID}/privateLinkConfigurations/pvtlink01/ipConfigurations/privateLinkIpConfig1' - properties: { - privateIPAllocationMethod: 'Dynamic' - primary: false - subnet: { - id: nestedDependencies.outputs.privateLinkSubnetResourceId - } - } - } - ] - } - } - ] - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - service: 'public' - subnetResourceId: nestedDependencies.outputs.privateLinkSubnetResourceId - tags: { - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - frontendIPConfigurations: [ - { - name: 'private' - properties: { - privateIPAddress: '10.0.0.20' - privateIPAllocationMethod: 'Static' - subnet: { - id: nestedDependencies.outputs.defaultSubnetResourceId - } - } - } - { - name: 'public' - properties: { - privateIPAllocationMethod: 'Dynamic' - publicIPAddress: { - id: nestedDependencies.outputs.publicIPResourceId - } - privateLinkConfiguration: { - id: '${appGWExpectedResourceID}/privateLinkConfigurations/pvtlink01' - } - } - } - ] - frontendPorts: [ - { - name: 'port443' - properties: { - port: 443 - } - } - { - name: 'port4433' - properties: { - port: 4433 - } - } - { - name: 'port80' - properties: { - port: 80 - } - } - { - name: 'port8080' - properties: { - port: 8080 - } - } - ] - gatewayIPConfigurations: [ - { - name: 'apw-ip-configuration' - properties: { - subnet: { - id: nestedDependencies.outputs.defaultSubnetResourceId - } - } - } - ] - httpListeners: [ - { - name: 'public443' - properties: { - frontendIPConfiguration: { - id: '${appGWExpectedResourceID}/frontendIPConfigurations/public' - } - frontendPort: { - id: 
'${appGWExpectedResourceID}/frontendPorts/port443' - } - hostNames: [] - protocol: 'https' - requireServerNameIndication: false - sslCertificate: { - id: '${appGWExpectedResourceID}/sslCertificates/${namePrefix}-az-apgw-x-001-ssl-certificate' - } - } - } - { - name: 'private4433' - properties: { - frontendIPConfiguration: { - id: '${appGWExpectedResourceID}/frontendIPConfigurations/private' - } - frontendPort: { - id: '${appGWExpectedResourceID}/frontendPorts/port4433' - } - hostNames: [] - protocol: 'https' - requireServerNameIndication: false - sslCertificate: { - id: '${appGWExpectedResourceID}/sslCertificates/${namePrefix}-az-apgw-x-001-ssl-certificate' - } - } - } - { - name: 'httpRedirect80' - properties: { - frontendIPConfiguration: { - id: '${appGWExpectedResourceID}/frontendIPConfigurations/public' - } - frontendPort: { - id: '${appGWExpectedResourceID}/frontendPorts/port80' - } - hostNames: [] - protocol: 'Http' - requireServerNameIndication: false - } - } - { - name: 'httpRedirect8080' - properties: { - frontendIPConfiguration: { - id: '${appGWExpectedResourceID}/frontendIPConfigurations/private' - } - frontendPort: { - id: '${appGWExpectedResourceID}/frontendPorts/port8080' - } - hostNames: [] - protocol: 'Http' - requireServerNameIndication: false - } - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - probes: [ - { - name: 'privateVmHttpSettingProbe' - properties: { - host: '10.0.0.4' - interval: 60 - match: { - statusCodes: [ - '200' - '401' - ] - } - minServers: 3 - path: '/' - pickHostNameFromBackendHttpSettings: false - protocol: 'Http' - timeout: 15 - unhealthyThreshold: 5 - } - } - ] - redirectConfigurations: [ - { - name: 'httpRedirect80' - properties: { - includePath: true - includeQueryString: true - redirectType: 'Permanent' - requestRoutingRules: [ - { - id: '${appGWExpectedResourceID}/requestRoutingRules/httpRedirect80-public443' - } - ] - targetListener: { - id: '${appGWExpectedResourceID}/httpListeners/public443' - 
} - } - } - { - name: 'httpRedirect8080' - properties: { - includePath: true - includeQueryString: true - redirectType: 'Permanent' - requestRoutingRules: [ - { - id: '${appGWExpectedResourceID}/requestRoutingRules/httpRedirect8080-private4433' - } - ] - targetListener: { - id: '${appGWExpectedResourceID}/httpListeners/private4433' - } - } - } - ] - requestRoutingRules: [ - { - name: 'public443-appServiceBackendHttpsSetting-appServiceBackendHttpsSetting' - properties: { - backendAddressPool: { - id: '${appGWExpectedResourceID}/backendAddressPools/appServiceBackendPool' - } - backendHttpSettings: { - id: '${appGWExpectedResourceID}/backendHttpSettingsCollection/appServiceBackendHttpsSetting' - } - httpListener: { - id: '${appGWExpectedResourceID}/httpListeners/public443' - } - priority: 200 - ruleType: 'Basic' - } - } - { - name: 'private4433-privateVmHttpSetting-privateVmHttpSetting' - properties: { - backendAddressPool: { - id: '${appGWExpectedResourceID}/backendAddressPools/privateVmBackendPool' - } - backendHttpSettings: { - id: '${appGWExpectedResourceID}/backendHttpSettingsCollection/privateVmHttpSetting' - } - httpListener: { - id: '${appGWExpectedResourceID}/httpListeners/private4433' - } - priority: 250 - ruleType: 'Basic' - } - } - { - name: 'httpRedirect80-public443' - properties: { - httpListener: { - id: '${appGWExpectedResourceID}/httpListeners/httpRedirect80' - } - priority: 300 - redirectConfiguration: { - id: '${appGWExpectedResourceID}/redirectConfigurations/httpRedirect80' - } - ruleType: 'Basic' - } - } - { - name: 'httpRedirect8080-private4433' - properties: { - httpListener: { - id: '${appGWExpectedResourceID}/httpListeners/httpRedirect8080' - } - priority: 350 - redirectConfiguration: { - id: '${appGWExpectedResourceID}/redirectConfigurations/httpRedirect8080' - } - ruleType: 'Basic' - rewriteRuleSet: { - id: '${appGWExpectedResourceID}/rewriteRuleSets/customRewrite' - } - } - } - ] - sku: 'WAF_v2' - sslCertificates: [ - { - name: 
'${namePrefix}-az-apgw-x-001-ssl-certificate' - properties: { - keyVaultSecretId: nestedDependencies.outputs.certificateSecretUrl - } - } - ] - managedIdentities: { - userAssignedResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - } - rewriteRuleSets: [ - { - name: 'customRewrite' - id: '${appGWExpectedResourceID}/rewriteRuleSets/customRewrite' - properties: { - rewriteRules: [ - { - ruleSequence: 100 - conditions: [] - name: 'NewRewrite' - actionSet: { - requestHeaderConfigurations: [ - { - headerName: 'Content-Type' - headerValue: 'JSON' - } - { - headerName: 'someheader' - } - ] - responseHeaderConfigurations: [] - } - } - ] - } - } - ] - webApplicationFirewallConfiguration: { - enabled: true - fileUploadLimitInMb: 100 - firewallMode: 'Detection' - maxRequestBodySizeInKb: 128 - requestBodyCheck: true - ruleSetType: 'OWASP' - ruleSetVersion: '3.0' - disabledRuleGroups: [ - { - ruleGroupName: 'Known-CVEs' - } - { - ruleGroupName: 'REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION' - } - { - ruleGroupName: 'REQUEST-941-APPLICATION-ATTACK-XSS' - } - ] - exclusions: [ - { - matchVariable: 'RequestHeaderNames' - selectorMatchOperator: 'StartsWith' - selector: 'hola' - } - ] - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/network/application-gateway/version.json b/modules/network/application-gateway/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/network/application-gateway/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/application-security-group/MOVED-TO-AVM.md b/modules/network/application-security-group/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 
--- a/modules/network/application-security-group/MOVED-TO-AVM.md +++ /dev/null @@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/network/application-security-group/README.md b/modules/network/application-security-group/README.md index 97b17de678..cd6c22e9b1 100644 --- a/modules/network/application-security-group/README.md +++ b/modules/network/application-security-group/README.md @@ -1,396 +1,7 @@ -# Application Security Groups (ASG) `[Microsoft.Network/applicationSecurityGroups]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/application-security-group](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/application-security-group).** -This module deploys an Application Security Group (ASG). +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/application-security-group). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/applicationSecurityGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/applicationSecurityGroups) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
- ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.application-security-group:1.0.0`. - -- [Using large parameter set](#example-1-using-large-parameter-set) -- [WAF-aligned](#example-2-waf-aligned) - -### Example 1: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -
- -via Bicep module - -```bicep -module applicationSecurityGroup 'br:bicep/modules/network.application-security-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nasgmax' - params: { - // Required parameters - name: 'nasgmax001' - // Non-required parameters - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nasgmax001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 2: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module applicationSecurityGroup 'br:bicep/modules/network.application-security-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nasgwaf' - params: { - // Required parameters - name: 'nasgwaf001' - // Non-required parameters - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nasgwaf001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Application Security Group. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `name` - -Name of the Application Security Group. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `roleAssignments` - -Array of role assignments to create. 
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
- -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the application security group. | -| `resourceGroupName` | string | The resource group the application security group was deployed into. | -| `resourceId` | string | The resource ID of the application security group. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/network/application-security-group/main.bicep b/modules/network/application-security-group/main.bicep deleted file mode 100644 index 61539b0fba..0000000000 --- a/modules/network/application-security-group/main.bicep +++ /dev/null 
@@ -1,118 +0,0 @@
-metadata name = 'Application Security Groups (ASG)'
-metadata description = 'This module deploys an Application Security Group (ASG).'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the Application Security Group.')
-param name string
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource applicationSecurityGroup 'Microsoft.Network/applicationSecurityGroups@2023-04-01' = {
- name: name
- location: location
- tags: tags
- properties: {}
-}
-
-resource applicationSecurityGroup_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: applicationSecurityGroup
-}
-
-resource applicationSecurityGroup_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(applicationSecurityGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: applicationSecurityGroup
-}]
-
-@description('The resource group the application security group was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The resource ID of the application security group.')
-output resourceId string = applicationSecurityGroup.id
-
-@description('The name of the application security group.')
-output name string = applicationSecurityGroup.name
-
-@description('The location the resource was deployed into.')
-output location string = applicationSecurityGroup.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/network/application-security-group/main.json b/modules/network/application-security-group/main.json
deleted file mode 100644
index 96b1855d26..0000000000
--- a/modules/network/application-security-group/main.json
+++ /dev/null
@@ -1,248 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10321097929330960711" - }, - "name": "Application Security Groups (ASG)", - "description": "This module deploys an Application Security Group (ASG).", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Application Security Group." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "applicationSecurityGroup": { - "type": "Microsoft.Network/applicationSecurityGroups", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": {} - }, - "applicationSecurityGroup_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/applicationSecurityGroups/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": 
"[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "applicationSecurityGroup" - ] - }, - "applicationSecurityGroup_roleAssignments": { - "copy": { - "name": "applicationSecurityGroup_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/applicationSecurityGroups/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/applicationSecurityGroups', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - 
"condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "applicationSecurityGroup" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the application security group was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the application security group." - }, - "value": "[resourceId('Microsoft.Network/applicationSecurityGroups', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the application security group." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('applicationSecurityGroup', '2023-04-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/application-security-group/tests/e2e/max/dependencies.bicep b/modules/network/application-security-group/tests/e2e/max/dependencies.bicep deleted file mode 100644 index a7f42aee7b..0000000000 --- a/modules/network/application-security-group/tests/e2e/max/dependencies.bicep +++ /dev/null 
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/application-security-group/tests/e2e/max/main.test.bicep b/modules/network/application-security-group/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 8adbe4a43e..0000000000
--- a/modules/network/application-security-group/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,83 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.applicationsecuritygroups-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nasgmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/application-security-group/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/application-security-group/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/network/application-security-group/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep b/modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index b4cec250c2..0000000000
--- a/modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,66 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.applicationsecuritygroups-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nasgwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/application-security-group/version.json b/modules/network/application-security-group/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/network/application-security-group/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/azure-firewall/README.md b/modules/network/azure-firewall/README.md
index 59e663c6da..69d0521c82 100644
--- a/modules/network/azure-firewall/README.md
+++ b/modules/network/azure-firewall/README.md
@@ -1,1512 +1,7 @@
-# Azure Firewalls `[Microsoft.Network/azureFirewalls]`
+

⚠️ Moved to AVM ⚠️

-This module deploys an Azure Firewall. +**This module has been evolved into the following AVM module: [avm/res/network/azure-firewall](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/azure-firewall).** -## Navigation +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/azure-firewall). -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/azureFirewalls` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/azureFirewalls) | -| `Microsoft.Network/publicIPAddresses` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/publicIPAddresses) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
- ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.azure-firewall:1.0.0`. - -- [Addpip](#example-1-addpip) -- [Custompip](#example-2-custompip) -- [Using only defaults](#example-3-using-only-defaults) -- [Hubcommon](#example-4-hubcommon) -- [Hubmin](#example-5-hubmin) -- [Using large parameter set](#example-6-using-large-parameter-set) -- [WAF-aligned](#example-7-waf-aligned) - -### Example 1: _Addpip_ - -
- -via Bicep module - -```bicep -module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nafaddpip' - params: { - // Required parameters - name: 'nafaddpip001' - // Non-required parameters - additionalPublicIpConfigurations: [ - { - name: 'ipConfig01' - publicIPAddressResourceId: '' - } - ] - azureSkuTier: 'Basic' - enableDefaultTelemetry: '' - managementIPAddressObject: { - publicIPAllocationMethod: 'Static' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - vNetId: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nafaddpip001" - }, - // Non-required parameters - "additionalPublicIpConfigurations": { - "value": [ - { - "name": "ipConfig01", - "publicIPAddressResourceId": "" - } - ] - }, - "azureSkuTier": { - "value": "Basic" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "managementIPAddressObject": { - "value": { - "publicIPAllocationMethod": "Static", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "vNetId": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Custompip_ - -

- -via Bicep module - -```bicep -module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nafcstpip' - params: { - // Required parameters - name: 'nafcstpip001' - // Non-required parameters - enableDefaultTelemetry: '' - publicIPAddressObject: { - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - name: 'new-pip-nafcstpip' - publicIPAllocationMethod: 'Static' - publicIPPrefixResourceId: '' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - skuName: 'Standard' - skuTier: 'Regional' - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - vNetId: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nafcstpip001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "publicIPAddressObject": { - "value": { - "diagnosticSettings": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ], - "name": "new-pip-nafcstpip", - "publicIPAllocationMethod": "Static", - "publicIPPrefixResourceId": "", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "skuName": "Standard", - "skuTier": "Regional" - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "vNetId": { - "value": "" - } - } -} -``` - -
-

- -### Example 3: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nafmin' - params: { - // Required parameters - name: 'nafmin001' - // Non-required parameters - enableDefaultTelemetry: '' - vNetId: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nafmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "vNetId": { - "value": "" - } - } -} -``` - -
-

- -### Example 4: _Hubcommon_ - -

- -via Bicep module - -```bicep -module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nafhubcom' - params: { - // Required parameters - name: 'nafhubcom001' - // Non-required parameters - enableDefaultTelemetry: '' - firewallPolicyId: '' - hubIPAddresses: { - publicIPs: { - count: 1 - } - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - virtualHubId: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nafhubcom001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "firewallPolicyId": { - "value": "" - }, - "hubIPAddresses": { - "value": { - "publicIPs": { - "count": 1 - } - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "virtualHubId": { - "value": "" - } - } -} -``` - -
-

- -### Example 5: _Hubmin_ - -

- -via Bicep module - -```bicep -module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nafhubmin' - params: { - // Required parameters - name: 'nafhubmin001' - // Non-required parameters - enableDefaultTelemetry: '' - hubIPAddresses: { - publicIPs: { - count: 1 - } - } - virtualHubId: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nafhubmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "hubIPAddresses": { - "value": { - "publicIPs": { - "count": 1 - } - } - }, - "virtualHubId": { - "value": "" - } - } -} -``` - -
-

- -### Example 6: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nafmax' - params: { - // Required parameters - name: 'nafmax001' - // Non-required parameters - applicationRuleCollections: [ - { - name: 'allow-app-rules' - properties: { - action: { - type: 'allow' - } - priority: 100 - rules: [ - { - fqdnTags: [ - 'AppServiceEnvironment' - 'WindowsUpdate' - ] - name: 'allow-ase-tags' - protocols: [ - { - port: '80' - protocolType: 'HTTP' - } - { - port: '443' - protocolType: 'HTTPS' - } - ] - sourceAddresses: [ - '*' - ] - } - { - name: 'allow-ase-management' - protocols: [ - { - port: '80' - protocolType: 'HTTP' - } - { - port: '443' - protocolType: 'HTTPS' - } - ] - sourceAddresses: [ - '*' - ] - targetFqdns: [ - 'bing.com' - ] - } - ] - } - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - networkRuleCollections: [ - { - name: 'allow-network-rules' - properties: { - action: { - type: 'allow' - } - priority: 100 - rules: [ - { - destinationAddresses: [ - '*' - ] - destinationPorts: [ - '12000' - '123' - ] - name: 'allow-ntp' - protocols: [ - 'Any' - ] - sourceAddresses: [ - '*' - ] - } - ] - } - } - ] - publicIPResourceID: '' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - 
} - vNetId: '' - zones: [ - '1' - '2' - '3' - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nafmax001" - }, - // Non-required parameters - "applicationRuleCollections": { - "value": [ - { - "name": "allow-app-rules", - "properties": { - "action": { - "type": "allow" - }, - "priority": 100, - "rules": [ - { - "fqdnTags": [ - "AppServiceEnvironment", - "WindowsUpdate" - ], - "name": "allow-ase-tags", - "protocols": [ - { - "port": "80", - "protocolType": "HTTP" - }, - { - "port": "443", - "protocolType": "HTTPS" - } - ], - "sourceAddresses": [ - "*" - ] - }, - { - "name": "allow-ase-management", - "protocols": [ - { - "port": "80", - "protocolType": "HTTP" - }, - { - "port": "443", - "protocolType": "HTTPS" - } - ], - "sourceAddresses": [ - "*" - ], - "targetFqdns": [ - "bing.com" - ] - } - ] - } - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "networkRuleCollections": { - "value": [ - { - "name": "allow-network-rules", - "properties": { - "action": { - "type": "allow" - }, - "priority": 100, - "rules": [ - { - "destinationAddresses": [ - "*" - ], - "destinationPorts": [ - "12000", - "123" - ], - "name": "allow-ntp", - "protocols": [ - "Any" - ], - "sourceAddresses": [ - "*" - ] - } - ] - } - } - ] - }, - "publicIPResourceID": { - "value": "" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - 
"roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "vNetId": { - "value": "" - }, - "zones": { - "value": [ - "1", - "2", - "3" - ] - } - } -} -``` - -
-

- -### Example 7: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nafwaf' - params: { - // Required parameters - name: 'nafwaf001' - // Non-required parameters - applicationRuleCollections: [ - { - name: 'allow-app-rules' - properties: { - action: { - type: 'allow' - } - priority: 100 - rules: [ - { - fqdnTags: [ - 'AppServiceEnvironment' - 'WindowsUpdate' - ] - name: 'allow-ase-tags' - protocols: [ - { - port: '80' - protocolType: 'HTTP' - } - { - port: '443' - protocolType: 'HTTPS' - } - ] - sourceAddresses: [ - '*' - ] - } - { - name: 'allow-ase-management' - protocols: [ - { - port: '80' - protocolType: 'HTTP' - } - { - port: '443' - protocolType: 'HTTPS' - } - ] - sourceAddresses: [ - '*' - ] - targetFqdns: [ - 'bing.com' - ] - } - ] - } - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - networkRuleCollections: [ - { - name: 'allow-network-rules' - properties: { - action: { - type: 'allow' - } - priority: 100 - rules: [ - { - destinationAddresses: [ - '*' - ] - destinationPorts: [ - '12000' - '123' - ] - name: 'allow-ntp' - protocols: [ - 'Any' - ] - sourceAddresses: [ - '*' - ] - } - ] - } - } - ] - publicIPResourceID: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - vNetId: '' - zones: [ - '1' - '2' - '3' - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nafwaf001" - }, - // Non-required parameters - "applicationRuleCollections": { - "value": [ - { - "name": "allow-app-rules", - "properties": { - "action": { - "type": "allow" - }, - "priority": 100, - "rules": [ - { - "fqdnTags": [ - "AppServiceEnvironment", - "WindowsUpdate" - ], - "name": "allow-ase-tags", - "protocols": [ - { - "port": "80", - "protocolType": "HTTP" - }, - { - "port": "443", - "protocolType": "HTTPS" - } - ], - "sourceAddresses": [ - "*" - ] - }, - { - "name": "allow-ase-management", - "protocols": [ - { - "port": "80", - "protocolType": "HTTP" - }, - { - "port": "443", - "protocolType": "HTTPS" - } - ], - "sourceAddresses": [ - "*" - ], - "targetFqdns": [ - "bing.com" - ] - } - ] - } - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "networkRuleCollections": { - "value": [ - { - "name": "allow-network-rules", - "properties": { - "action": { - "type": "allow" - }, - "priority": 100, - "rules": [ - { - "destinationAddresses": [ - "*" - ], - "destinationPorts": [ - "12000", - "123" - ], - "name": "allow-ntp", - "protocols": [ - "Any" - ], - "sourceAddresses": [ - "*" - ] - } - ] - } - } - ] - }, - "publicIPResourceID": { - "value": "" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "vNetId": { - "value": "" - }, - "zones": { - 
"value": [ - "1", - "2", - "3" - ] - } - } -} -``` - -
-

-
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | Name of the Azure Firewall. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`hubIPAddresses`](#parameter-hubipaddresses) | object | IP addresses associated with AzureFirewall. Required if `virtualHubId` is supplied. |
-| [`virtualHubId`](#parameter-virtualhubid) | string | The virtualHub resource ID to which the firewall belongs. Required if `vNetId` is empty. |
-| [`vNetId`](#parameter-vnetid) | string | Shared services Virtual Network resource ID. The virtual network ID containing AzureFirewallSubnet. If a Public IP is not provided, then the Public IP that is created as part of this module will be applied with the subnet provided in this variable. Required if `virtualHubId` is empty. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`additionalPublicIpConfigurations`](#parameter-additionalpublicipconfigurations) | array | This is to add any additional Public IP configurations on top of the Public IP with subnet IP configuration. |
-| [`applicationRuleCollections`](#parameter-applicationrulecollections) | array | Collection of application rule collections used by Azure Firewall. |
-| [`azureSkuTier`](#parameter-azureskutier) | string | Tier of an Azure Firewall. |
-| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`firewallPolicyId`](#parameter-firewallpolicyid) | string | Resource ID of the Firewall Policy that should be attached. |
-| [`location`](#parameter-location) | string | Location for all resources. |
-| [`lock`](#parameter-lock) | object | The lock settings of the service. 
|
-| [`managementIPAddressObject`](#parameter-managementipaddressobject) | object | Specifies the properties of the Management Public IP to create and be used by Azure Firewall. If it's not provided and managementIPResourceID is empty, a '-mip' suffix will be appended to the Firewall's name. |
-| [`managementIPResourceID`](#parameter-managementipresourceid) | string | The Management Public IP resource ID to associate to the AzureFirewallManagementSubnet. If empty, then the Management Public IP that is created as part of this module will be applied to the AzureFirewallManagementSubnet. |
-| [`natRuleCollections`](#parameter-natrulecollections) | array | Collection of NAT rule collections used by Azure Firewall. |
-| [`networkRuleCollections`](#parameter-networkrulecollections) | array | Collection of network rule collections used by Azure Firewall. |
-| [`publicIPAddressObject`](#parameter-publicipaddressobject) | object | Specifies the properties of the Public IP to create and be used by the Firewall, if no existing public IP was provided. |
-| [`publicIPResourceID`](#parameter-publicipresourceid) | string | The Public IP resource ID to associate to the AzureFirewallSubnet. If empty, then the Public IP that is created as part of this module will be applied to the AzureFirewallSubnet. |
-| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
-| [`tags`](#parameter-tags) | object | Tags of the Azure Firewall resource. |
-| [`threatIntelMode`](#parameter-threatintelmode) | string | The operation mode for Threat Intel. |
-| [`zones`](#parameter-zones) | array | Zone numbers e.g. 1,2,3. |
-
-### Parameter: `name`
-
-Name of the Azure Firewall.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `hubIPAddresses`
-
-IP addresses associated with AzureFirewall. Required if `virtualHubId` is supplied. 
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `virtualHubId`
-
-The virtualHub resource ID to which the firewall belongs. Required if `vNetId` is empty.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `vNetId`
-
-Shared services Virtual Network resource ID. The virtual network ID containing AzureFirewallSubnet. If a Public IP is not provided, then the Public IP that is created as part of this module will be applied with the subnet provided in this variable. Required if `virtualHubId` is empty.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `additionalPublicIpConfigurations`
-
-This is to add any additional Public IP configurations on top of the Public IP with subnet IP configuration.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `applicationRuleCollections`
-
-Collection of application rule collections used by Azure Firewall.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `azureSkuTier`
-
-Tier of an Azure Firewall.
-
-- Required: No
-- Type: string
-- Default: `'Standard'`
-- Allowed:
- ```Bicep
- [
- 'Basic'
- 'Premium'
- 'Standard'
- ]
- ```
-
-### Parameter: `diagnosticSettings`
-
-The diagnostic settings of the service.
-
-- Required: No
-- Type: array
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
-| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
|
-| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. |
-| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. |
-| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. |
-| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-
-### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId`
-
-Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.eventHubName`
-
-Name of the diagnostic event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.logAnalyticsDestinationType`
-
-A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'AzureDiagnostics'
- 'Dedicated'
- ]
- ```
-
-### Parameter: `diagnosticSettings.logCategoriesAndGroups`
-
-The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
-
-- Required: No
-- Type: array
-
-### Parameter: `diagnosticSettings.marketplacePartnerResourceId`
-
-The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.metricCategories`
-
-The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
-
-- Required: No
-- Type: array
-
-### Parameter: `diagnosticSettings.name`
-
-The name of diagnostic setting.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.storageAccountResourceId`
-
-Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.workspaceResourceId`
-
-Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
-
-- Required: No
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `firewallPolicyId`
-
-Resource ID of the Firewall Policy that should be attached.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `location`
-
-Location for all resources.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-### Parameter: `lock`
-
-The lock settings of the service.
-
-- Required: No
-- Type: object
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`kind`](#parameter-lockkind) | string | Specify the type of lock. |
-| [`name`](#parameter-lockname) | string | Specify the name of lock. |
-
-### Parameter: `lock.kind`
-
-Specify the type of lock.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'CanNotDelete'
- 'None'
- 'ReadOnly'
- ]
- ```
-
-### Parameter: `lock.name`
-
-Specify the name of lock.
-
-- Required: No
-- Type: string
-
-### Parameter: `managementIPAddressObject`
-
-Specifies the properties of the Management Public IP to create and be used by Azure Firewall. If it's not provided and managementIPResourceID is empty, a '-mip' suffix will be appended to the Firewall's name.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `managementIPResourceID`
-
-The Management Public IP resource ID to associate to the AzureFirewallManagementSubnet. If empty, then the Management Public IP that is created as part of this module will be applied to the AzureFirewallManagementSubnet.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `natRuleCollections`
-
-Collection of NAT rule collections used by Azure Firewall.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `networkRuleCollections`
-
-Collection of network rule collections used by Azure Firewall. 
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `publicIPAddressObject`
-
-Specifies the properties of the Public IP to create and be used by the Firewall, if no existing public IP was provided.
-
-- Required: No
-- Type: object
-- Default:
- ```Bicep
- {
- name: '[format(\'{0}-pip\', parameters(\'name\'))]'
- }
- ```
-
-### Parameter: `publicIPResourceID`
-
-The Public IP resource ID to associate to the AzureFirewallSubnet. If empty, then the Public IP that is created as part of this module will be applied to the AzureFirewallSubnet.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `roleAssignments`
-
-Array of role assignments to create.
-
-- Required: No
-- Type: array
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
-| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. |
-| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. 
|
-| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. |
-| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. |
-
-### Parameter: `roleAssignments.principalId`
-
-The principal ID of the principal (user/group/identity) to assign the role to.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.roleDefinitionIdOrName`
-
-The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.condition`
-
-The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.conditionVersion`
-
-Version of the condition.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- '2.0'
- ]
- ```
-
-### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
-
-The Resource Id of the delegated managed identity resource.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.description`
-
-The description of the role assignment.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.principalType`
-
-The principal type of the assigned principal ID.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Device'
- 'ForeignGroup'
- 'Group'
- 'ServicePrincipal'
- 'User'
- ]
- ```
-
-### Parameter: `tags`
-
-Tags of the Azure Firewall resource.
-
-- Required: No
-- Type: object
-
-### Parameter: `threatIntelMode`
-
-The operation mode for Threat Intel. 
-
-- Required: No
-- Type: string
-- Default: `'Deny'`
-- Allowed:
- ```Bicep
- [
- 'Alert'
- 'Deny'
- 'Off'
- ]
- ```
-
-### Parameter: `zones`
-
-Zone numbers e.g. 1,2,3.
-
-- Required: No
-- Type: array
-- Default:
- ```Bicep
- [
- '1'
- '2'
- '3'
- ]
- ```
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `applicationRuleCollections` | array | List of Application Rule Collections. |
-| `ipConfAzureFirewallSubnet` | object | The Public IP configuration object for the Azure Firewall Subnet. |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the Azure Firewall. |
-| `natRuleCollections` | array | Collection of NAT rule collections used by Azure Firewall. |
-| `networkRuleCollections` | array | List of Network Rule Collections. |
-| `privateIp` | string | The private IP of the Azure firewall. |
-| `resourceGroupName` | string | The resource group the Azure firewall was deployed into. |
-| `resourceId` | string | The resource ID of the Azure Firewall. |
-
-## Cross-referenced modules
-
-This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
-
-| Reference | Type |
-| :-- | :-- |
-| `modules/network/public-ip-address` | Local reference |
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/network/azure-firewall/main.bicep b/modules/network/azure-firewall/main.bicep
deleted file mode 100644
index 4e804feab2..0000000000
--- a/modules/network/azure-firewall/main.bicep
+++ /dev/null
@@ -1,381 +0,0 @@
-metadata name = 'Azure Firewalls'
-metadata description = 'This module deploys an Azure Firewall.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the Azure Firewall.')
-param name string
-
-@description('Optional. Tier of an Azure Firewall.')
-@allowed([
- 'Basic'
- 'Standard'
- 'Premium'
-])
-param azureSkuTier string = 'Standard'
-
-@description('Conditional. Shared services Virtual Network resource ID. The virtual network ID containing AzureFirewallSubnet. If a Public IP is not provided, then the Public IP that is created as part of this module will be applied with the subnet provided in this variable. Required if `virtualHubId` is empty.')
-param vNetId string = ''
-
-@description('Optional. The Public IP resource ID to associate to the AzureFirewallSubnet. If empty, then the Public IP that is created as part of this module will be applied to the AzureFirewallSubnet.')
-param publicIPResourceID string = ''
-
-@description('Optional. This is to add any additional Public IP configurations on top of the Public IP with subnet IP configuration.')
-param additionalPublicIpConfigurations array = []
-
-@description('Optional. Specifies the properties of the Public IP to create and be used by the Firewall, if no existing public IP was provided.')
-param publicIPAddressObject object = {
- name: '${name}-pip'
-}
-
-@description('Optional. The Management Public IP resource ID to associate to the AzureFirewallManagementSubnet. If empty, then the Management Public IP that is created as part of this module will be applied to the AzureFirewallManagementSubnet.')
-param managementIPResourceID string = ''
-
-@description('Optional. Specifies the properties of the Management Public IP to create and be used by Azure Firewall. If it\'s not provided and managementIPResourceID is empty, a \'-mip\' suffix will be appended to the Firewall\'s name.')
-param managementIPAddressObject object = {}
-
-@description('Optional. 
Collection of application rule collections used by Azure Firewall.')
-param applicationRuleCollections array = []
-
-@description('Optional. Collection of network rule collections used by Azure Firewall.')
-param networkRuleCollections array = []
-
-@description('Optional. Collection of NAT rule collections used by Azure Firewall.')
-param natRuleCollections array = []
-
-@description('Optional. Resource ID of the Firewall Policy that should be attached.')
-param firewallPolicyId string = ''
-
-@description('Conditional. IP addresses associated with AzureFirewall. Required if `virtualHubId` is supplied.')
-param hubIPAddresses object = {}
-
-@description('Conditional. The virtualHub resource ID to which the firewall belongs. Required if `vNetId` is empty.')
-param virtualHubId string = ''
-
-@allowed([
- 'Alert'
- 'Deny'
- 'Off'
-])
-@description('Optional. The operation mode for Threat Intel.')
-param threatIntelMode string = 'Deny'
-
-@description('Optional. Zone numbers e.g. 1,2,3.')
-param zones array = [
- '1'
- '2'
- '3'
-]
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Tags of the Azure Firewall resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var azureSkuName = empty(vNetId) ? 'AZFW_Hub' : 'AZFW_VNet'
-var requiresManagementIp = azureSkuTier == 'Basic' ? 
true : false
-var isCreateDefaultManagementIP = empty(managementIPResourceID) && requiresManagementIp
-
-// ----------------------------------------------------------------------------
-// Prep ipConfigurations object AzureFirewallSubnet for different uses cases:
-// 1. Use existing Public IP
-// 2. Use new Public IP created in this module
-// 3. Do not use a Public IP if publicIPAddressObject is empty
-
-var additionalPublicIpConfigurationsVar = [for ipConfiguration in additionalPublicIpConfigurations: {
- name: ipConfiguration.name
- properties: {
- publicIPAddress: contains(ipConfiguration, 'publicIPAddressResourceId') ? {
- id: ipConfiguration.publicIPAddressResourceId
- } : null
- }
-}]
-var ipConfigurations = concat([
- {
- name: !empty(publicIPResourceID) ? last(split(publicIPResourceID, '/')) : publicIPAddress.outputs.name
- properties: union({
- subnet: {
- id: '${vNetId}/subnets/AzureFirewallSubnet' // The subnet name must be AzureFirewallSubnet
- }
- }, (!empty(publicIPResourceID) || !empty(publicIPAddressObject)) ? {
- //Use existing Public IP, new Public IP created in this module, or none if neither
- publicIPAddress: {
- id: !empty(publicIPResourceID) ? publicIPResourceID : publicIPAddress.outputs.resourceId
- }
- } : {})
- }
- ], additionalPublicIpConfigurationsVar)
-
-// ----------------------------------------------------------------------------
-// Prep managementIPConfiguration object for different uses cases:
-// 1. Use existing Management Public IP
-// 2. Use new Management Public IP created in this module
-
-var managementIPConfiguration = {
- name: !empty(managementIPResourceID) ? last(split(managementIPResourceID, '/')) : managementIPAddress.outputs.name
- properties: union({
- subnet: {
- id: '${vNetId}/subnets/AzureFirewallManagementSubnet' // The subnet name must be AzureFirewallManagementSubnet for a 'Basic' SKU tier firewall
- }
- }, (!empty(publicIPResourceID) || !empty(managementIPAddressObject)) ? 
{
- // Use existing Management Public IP, new Management Public IP created in this module, or none if neither
- publicIPAddress: {
- id: !empty(managementIPResourceID) ? managementIPResourceID : managementIPAddress.outputs.resourceId
- }
- } : {})
-}
-
-// ----------------------------------------------------------------------------
-
-var enableReferencedModulesTelemetry = false
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-module publicIPAddress '../../network/public-ip-address/main.bicep' = if (empty(publicIPResourceID) && azureSkuName == 'AZFW_VNet') {
- name: '${uniqueString(deployment().name, location)}-Firewall-PIP'
- params: {
- name: publicIPAddressObject.name
- publicIPPrefixResourceId: contains(publicIPAddressObject, 'publicIPPrefixResourceId') ? (!(empty(publicIPAddressObject.publicIPPrefixResourceId)) ? 
publicIPAddressObject.publicIPPrefixResourceId : '') : ''
- publicIPAllocationMethod: contains(publicIPAddressObject, 'publicIPAllocationMethod') ? (!(empty(publicIPAddressObject.publicIPAllocationMethod)) ? publicIPAddressObject.publicIPAllocationMethod : 'Static') : 'Static'
- skuName: contains(publicIPAddressObject, 'skuName') ? (!(empty(publicIPAddressObject.skuName)) ? publicIPAddressObject.skuName : 'Standard') : 'Standard'
- skuTier: contains(publicIPAddressObject, 'skuTier') ? (!(empty(publicIPAddressObject.skuTier)) ? publicIPAddressObject.skuTier : 'Regional') : 'Regional'
- roleAssignments: contains(publicIPAddressObject, 'roleAssignments') ? (!empty(publicIPAddressObject.roleAssignments) ? publicIPAddressObject.roleAssignments : []) : []
- diagnosticSettings: publicIPAddressObject.?diagnosticSettings
- location: location
- lock: lock
- tags: publicIPAddressObject.?tags ?? tags
- zones: zones
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-// create a Management Public IP address if one is not provided and the flag is true
-module managementIPAddress '../../network/public-ip-address/main.bicep' = if (isCreateDefaultManagementIP && azureSkuName == 'AZFW_VNet') {
- name: '${uniqueString(deployment().name, location)}-Firewall-MIP'
- params: {
- name: contains(managementIPAddressObject, 'name') ? (!(empty(managementIPAddressObject.name)) ? managementIPAddressObject.name : '${name}-mip') : '${name}-mip'
- publicIPPrefixResourceId: contains(managementIPAddressObject, 'managementIPPrefixResourceId') ? (!(empty(managementIPAddressObject.publicIPPrefixResourceId)) ? managementIPAddressObject.publicIPPrefixResourceId : '') : ''
- publicIPAllocationMethod: contains(managementIPAddressObject, 'managementIPAllocationMethod') ? (!(empty(managementIPAddressObject.publicIPAllocationMethod)) ? managementIPAddressObject.publicIPAllocationMethod : 'Static') : 'Static'
- skuName: contains(managementIPAddressObject, 'skuName') ? 
(!(empty(managementIPAddressObject.skuName)) ? managementIPAddressObject.skuName : 'Standard') : 'Standard'
- skuTier: contains(managementIPAddressObject, 'skuTier') ? (!(empty(managementIPAddressObject.skuTier)) ? managementIPAddressObject.skuTier : 'Regional') : 'Regional'
- roleAssignments: contains(managementIPAddressObject, 'roleAssignments') ? (!empty(managementIPAddressObject.roleAssignments) ? managementIPAddressObject.roleAssignments : []) : []
- diagnosticSettings: managementIPAddressObject.?diagnosticSettings
- location: location
- tags: managementIPAddressObject.?tags ?? tags
- zones: zones
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-resource azureFirewall 'Microsoft.Network/azureFirewalls@2023-04-01' = {
- name: name
- location: location
- zones: length(zones) == 0 ? null : zones
- tags: tags
- properties: azureSkuName == 'AZFW_VNet' ? {
- threatIntelMode: threatIntelMode
- firewallPolicy: !empty(firewallPolicyId) ? {
- id: firewallPolicyId
- } : null
- ipConfigurations: ipConfigurations
- managementIpConfiguration: requiresManagementIp ? managementIPConfiguration : null
- sku: {
- name: azureSkuName
- tier: azureSkuTier
- }
- applicationRuleCollections: applicationRuleCollections
- natRuleCollections: natRuleCollections
- networkRuleCollections: networkRuleCollections
- } : {
- firewallPolicy: !empty(firewallPolicyId) ? {
- id: firewallPolicyId
- } : null
- sku: {
- name: azureSkuName
- tier: azureSkuTier
- }
- hubIPAddresses: !empty(hubIPAddresses) ? hubIPAddresses : null
- virtualHub: !empty(virtualHubId) ? {
- id: virtualHubId
- } : null
- }
-}
-
-resource azureFirewall_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' 
- }
- scope: azureFirewall
-}
-
-resource azureFirewall_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: azureFirewall
-}]
-
-resource azureFirewall_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(azureFirewall.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? 
'2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: azureFirewall
-}]
-
-@description('The resource ID of the Azure Firewall.')
-output resourceId string = azureFirewall.id
-
-@description('The name of the Azure Firewall.')
-output name string = azureFirewall.name
-
-@description('The resource group the Azure firewall was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The private IP of the Azure firewall.')
-output privateIp string = contains(azureFirewall.properties, 'ipConfigurations') ? azureFirewall.properties.ipConfigurations[0].properties.privateIPAddress : ''
-
-@description('The Public IP configuration object for the Azure Firewall Subnet.')
-output ipConfAzureFirewallSubnet object = contains(azureFirewall.properties, 'ipConfigurations') ? azureFirewall.properties.ipConfigurations[0] : {}
-
-@description('List of Application Rule Collections.')
-output applicationRuleCollections array = applicationRuleCollections
-
-@description('List of Network Rule Collections.')
-output networkRuleCollections array = networkRuleCollections
-
-@description('Collection of NAT rule collections used by Azure Firewall.')
-output natRuleCollections array = natRuleCollections
-
-@description('The location the resource was deployed into.')
-output location string = azureFirewall.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. 
Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/network/azure-firewall/main.json b/modules/network/azure-firewall/main.json
deleted file mode 100644
index 2b0ceaa962..0000000000
--- a/modules/network/azure-firewall/main.json
+++ /dev/null
@@ -1,1627 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11269425307217554818" - }, - "name": "Azure Firewalls", - "description": "This module deploys an Azure Firewall.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. 
Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Azure Firewall." - } - }, - "azureSkuTier": { - "type": "string", - "defaultValue": "Standard", - "allowedValues": [ - "Basic", - "Standard", - "Premium" - ], - "metadata": { - "description": "Optional. Tier of an Azure Firewall." - } - }, - "vNetId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. Shared services Virtual Network resource ID. The virtual network ID containing AzureFirewallSubnet. If a Public IP is not provided, then the Public IP that is created as part of this module will be applied with the subnet provided in this variable. Required if `virtualHubId` is empty." - } - }, - "publicIPResourceID": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The Public IP resource ID to associate to the AzureFirewallSubnet. If empty, then the Public IP that is created as part of this module will be applied to the AzureFirewallSubnet." - } - }, - "additionalPublicIpConfigurations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. This is to add any additional Public IP configurations on top of the Public IP with subnet IP configuration." - } - }, - "publicIPAddressObject": { - "type": "object", - "defaultValue": { - "name": "[format('{0}-pip', parameters('name'))]" - }, - "metadata": { - "description": "Optional. 
Specifies the properties of the Public IP to create and be used by the Firewall, if no existing public IP was provided." - } - }, - "managementIPResourceID": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The Management Public IP resource ID to associate to the AzureFirewallManagementSubnet. If empty, then the Management Public IP that is created as part of this module will be applied to the AzureFirewallManagementSubnet." - } - }, - "managementIPAddressObject": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Specifies the properties of the Management Public IP to create and be used by Azure Firewall. If it's not provided and managementIPResourceID is empty, a '-mip' suffix will be appended to the Firewall's name." - } - }, - "applicationRuleCollections": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Collection of application rule collections used by Azure Firewall." - } - }, - "networkRuleCollections": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Collection of network rule collections used by Azure Firewall." - } - }, - "natRuleCollections": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Collection of NAT rule collections used by Azure Firewall." - } - }, - "firewallPolicyId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the Firewall Policy that should be attached." - } - }, - "hubIPAddresses": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Conditional. IP addresses associated with AzureFirewall. Required if `virtualHubId` is supplied." - } - }, - "virtualHubId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The virtualHub resource ID to which the firewall belongs. Required if `vNetId` is empty." 
- } - }, - "threatIntelMode": { - "type": "string", - "defaultValue": "Deny", - "allowedValues": [ - "Alert", - "Deny", - "Off" - ], - "metadata": { - "description": "Optional. The operation mode for Threat Intel." - } - }, - "zones": { - "type": "array", - "defaultValue": [ - "1", - "2", - "3" - ], - "metadata": { - "description": "Optional. Zone numbers e.g. 1,2,3." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the Azure Firewall resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "additionalPublicIpConfigurationsVar", - "count": "[length(parameters('additionalPublicIpConfigurations'))]", - "input": { - "name": "[parameters('additionalPublicIpConfigurations')[copyIndex('additionalPublicIpConfigurationsVar')].name]", - "properties": { - "publicIPAddress": "[if(contains(parameters('additionalPublicIpConfigurations')[copyIndex('additionalPublicIpConfigurationsVar')], 'publicIPAddressResourceId'), createObject('id', parameters('additionalPublicIpConfigurations')[copyIndex('additionalPublicIpConfigurationsVar')].publicIPAddressResourceId), null())]" - } - } - } - ], - "azureSkuName": "[if(empty(parameters('vNetId')), 'AZFW_Hub', 'AZFW_VNet')]", - "requiresManagementIp": "[if(equals(parameters('azureSkuTier'), 'Basic'), true(), false())]", - "isCreateDefaultManagementIP": "[and(empty(parameters('managementIPResourceID')), variables('requiresManagementIp'))]", - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, 
parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "azureFirewall": { - "type": "Microsoft.Network/azureFirewalls", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "zones": "[if(equals(length(parameters('zones')), 0), null(), parameters('zones'))]", - "tags": "[parameters('tags')]", - "properties": "[if(equals(variables('azureSkuName'), 'AZFW_VNet'), createObject('threatIntelMode', parameters('threatIntelMode'), 'firewallPolicy', if(not(empty(parameters('firewallPolicyId'))), createObject('id', parameters('firewallPolicyId')), null()), 'ipConfigurations', concat(createArray(createObject('name', if(not(empty(parameters('publicIPResourceID'))), last(split(parameters('publicIPResourceID'), '/')), reference('publicIPAddress').outputs.name.value), 'properties', union(createObject('subnet', createObject('id', format('{0}/subnets/AzureFirewallSubnet', parameters('vNetId')))), if(or(not(empty(parameters('publicIPResourceID'))), not(empty(parameters('publicIPAddressObject')))), createObject('publicIPAddress', createObject('id', if(not(empty(parameters('publicIPResourceID'))), parameters('publicIPResourceID'), reference('publicIPAddress').outputs.resourceId.value))), createObject())))), variables('additionalPublicIpConfigurationsVar')), 'managementIpConfiguration', if(variables('requiresManagementIp'), createObject('name', if(not(empty(parameters('managementIPResourceID'))), last(split(parameters('managementIPResourceID'), '/')), reference('managementIPAddress').outputs.name.value), 'properties', union(createObject('subnet', createObject('id', format('{0}/subnets/AzureFirewallManagementSubnet', parameters('vNetId')))), if(or(not(empty(parameters('publicIPResourceID'))), not(empty(parameters('managementIPAddressObject')))), 
createObject('publicIPAddress', createObject('id', if(not(empty(parameters('managementIPResourceID'))), parameters('managementIPResourceID'), reference('managementIPAddress').outputs.resourceId.value))), createObject()))), null()), 'sku', createObject('name', variables('azureSkuName'), 'tier', parameters('azureSkuTier')), 'applicationRuleCollections', parameters('applicationRuleCollections'), 'natRuleCollections', parameters('natRuleCollections'), 'networkRuleCollections', parameters('networkRuleCollections')), createObject('firewallPolicy', if(not(empty(parameters('firewallPolicyId'))), createObject('id', parameters('firewallPolicyId')), null()), 'sku', createObject('name', variables('azureSkuName'), 'tier', parameters('azureSkuTier')), 'hubIPAddresses', if(not(empty(parameters('hubIPAddresses'))), parameters('hubIPAddresses'), null()), 'virtualHub', if(not(empty(parameters('virtualHubId'))), createObject('id', parameters('virtualHubId')), null())))]", - "dependsOn": [ - "managementIPAddress", - "publicIPAddress" - ] - }, - "azureFirewall_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/azureFirewalls/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "azureFirewall" - ] - }, - "azureFirewall_diagnosticSettings": { - "copy": { - "name": "azureFirewall_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": 
"Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Network/azureFirewalls/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "azureFirewall" - ] - }, - "azureFirewall_roleAssignments": { - "copy": { - "name": "azureFirewall_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/azureFirewalls/{0}', parameters('name'))]", - "name": 
"[guid(resourceId('Microsoft.Network/azureFirewalls', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "azureFirewall" - ] - }, - "publicIPAddress": { - "condition": "[and(empty(parameters('publicIPResourceID')), equals(variables('azureSkuName'), 
'AZFW_VNet'))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Firewall-PIP', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('publicIPAddressObject').name]" - }, - "publicIPPrefixResourceId": "[if(contains(parameters('publicIPAddressObject'), 'publicIPPrefixResourceId'), if(not(empty(parameters('publicIPAddressObject').publicIPPrefixResourceId)), createObject('value', parameters('publicIPAddressObject').publicIPPrefixResourceId), createObject('value', '')), createObject('value', ''))]", - "publicIPAllocationMethod": "[if(contains(parameters('publicIPAddressObject'), 'publicIPAllocationMethod'), if(not(empty(parameters('publicIPAddressObject').publicIPAllocationMethod)), createObject('value', parameters('publicIPAddressObject').publicIPAllocationMethod), createObject('value', 'Static')), createObject('value', 'Static'))]", - "skuName": "[if(contains(parameters('publicIPAddressObject'), 'skuName'), if(not(empty(parameters('publicIPAddressObject').skuName)), createObject('value', parameters('publicIPAddressObject').skuName), createObject('value', 'Standard')), createObject('value', 'Standard'))]", - "skuTier": "[if(contains(parameters('publicIPAddressObject'), 'skuTier'), if(not(empty(parameters('publicIPAddressObject').skuTier)), createObject('value', parameters('publicIPAddressObject').skuTier), createObject('value', 'Regional')), createObject('value', 'Regional'))]", - "roleAssignments": "[if(contains(parameters('publicIPAddressObject'), 'roleAssignments'), if(not(empty(parameters('publicIPAddressObject').roleAssignments)), createObject('value', parameters('publicIPAddressObject').roleAssignments), createObject('value', createArray())), createObject('value', createArray()))]", - "diagnosticSettings": { - "value": 
"[tryGet(parameters('publicIPAddressObject'), 'diagnosticSettings')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "lock": { - "value": "[parameters('lock')]" - }, - "tags": { - "value": "[coalesce(tryGet(parameters('publicIPAddressObject'), 'tags'), parameters('tags'))]" - }, - "zones": { - "value": "[parameters('zones')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15536304828480480757" - }, - "name": "Public IP Addresses", - "description": "This module deploys a Public IP Address.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. 
The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." 
- } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Public IP Address." - } - }, - "publicIPPrefixResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix." - } - }, - "publicIPAllocationMethod": { - "type": "string", - "defaultValue": "Static", - "allowedValues": [ - "Dynamic", - "Static" - ], - "metadata": { - "description": "Optional. The public IP address allocation method." - } - }, - "skuName": { - "type": "string", - "defaultValue": "Standard", - "allowedValues": [ - "Basic", - "Standard" - ], - "metadata": { - "description": "Optional. Name of a public IP address SKU." - } - }, - "skuTier": { - "type": "string", - "defaultValue": "Regional", - "allowedValues": [ - "Global", - "Regional" - ], - "metadata": { - "description": "Optional. Tier of a public IP address SKU." - } - }, - "zones": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. A list of availability zones denoting the IP allocated for the resource needs to come from." - } - }, - "publicIPAddressVersion": { - "type": "string", - "defaultValue": "IPv4", - "allowedValues": [ - "IPv4", - "IPv6" - ], - "metadata": { - "description": "Optional. IP address version." 
- } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "domainNameLabel": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The domain name label. The concatenation of the domain name label and the regionalized DNS zone make up the fully qualified domain name associated with the public IP address. If a domain name label is specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system." - } - }, - "domainNameLabelScope": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "NoReuse", - "ResourceGroupReuse", - "SubscriptionReuse", - "TenantReuse" - ], - "metadata": { - "description": "Optional. The domain name label scope. If a domain name label and a domain name label scope are specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system with a hashed value includes in FQDN." - } - }, - "fqdn": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The Fully Qualified Domain Name of the A DNS record associated with the public IP. This is the concatenation of the domainNameLabel and the regionalized DNS zone." - } - }, - "reverseFqdn": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The reverse FQDN. A user-visible, fully qualified domain name that resolves to this public IP address. If the reverseFqdn is specified, then a PTR DNS record is created pointing from the IP address in the in-addr.arpa domain to the reverse FQDN." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." 
- } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - 
"apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "publicIpAddress": { - "type": "Microsoft.Network/publicIPAddresses", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "name": "[parameters('skuName')]", - "tier": "[parameters('skuTier')]" - }, - "zones": "[parameters('zones')]", - "properties": { - "dnsSettings": "[if(not(empty(parameters('domainNameLabel'))), createObject('domainNameLabel', parameters('domainNameLabel'), 'domainNameLabelScope', parameters('domainNameLabelScope'), 'fqdn', parameters('fqdn'), 'reverseFqdn', parameters('reverseFqdn')), null())]", - "publicIPAddressVersion": "[parameters('publicIPAddressVersion')]", - "publicIPAllocationMethod": "[parameters('publicIPAllocationMethod')]", - "publicIPPrefix": "[if(not(empty(parameters('publicIPPrefixResourceId'))), createObject('id', parameters('publicIPPrefixResourceId')), null())]", - "idleTimeoutInMinutes": 4, - "ipTags": [] - } - }, - "publicIpAddress_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify 
the resource or child resources.')]" - }, - "dependsOn": [ - "publicIpAddress" - ] - }, - "publicIpAddress_diagnosticSettings": { - "copy": { - "name": "publicIpAddress_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "publicIpAddress" - ] - }, - "publicIpAddress_roleAssignments": { - "copy": { - "name": 
"publicIpAddress_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "publicIpAddress" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the public IP address was deployed into." 
- }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the public IP address." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the public IP address." - }, - "value": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" - }, - "ipAddress": { - "type": "string", - "metadata": { - "description": "The public IP address of the public IP address resource." - }, - "value": "[if(contains(reference('publicIpAddress'), 'ipAddress'), reference('publicIpAddress').ipAddress, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('publicIpAddress', '2023-04-01', 'full').location]" - } - } - } - } - }, - "managementIPAddress": { - "condition": "[and(variables('isCreateDefaultManagementIP'), equals(variables('azureSkuName'), 'AZFW_VNet'))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Firewall-MIP', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": "[if(contains(parameters('managementIPAddressObject'), 'name'), if(not(empty(parameters('managementIPAddressObject').name)), createObject('value', parameters('managementIPAddressObject').name), createObject('value', format('{0}-mip', parameters('name')))), createObject('value', format('{0}-mip', parameters('name'))))]", - "publicIPPrefixResourceId": "[if(contains(parameters('managementIPAddressObject'), 'managementIPPrefixResourceId'), if(not(empty(parameters('managementIPAddressObject').publicIPPrefixResourceId)), createObject('value', parameters('managementIPAddressObject').publicIPPrefixResourceId), createObject('value', '')), createObject('value', ''))]", - 
"publicIPAllocationMethod": "[if(contains(parameters('managementIPAddressObject'), 'managementIPAllocationMethod'), if(not(empty(parameters('managementIPAddressObject').publicIPAllocationMethod)), createObject('value', parameters('managementIPAddressObject').publicIPAllocationMethod), createObject('value', 'Static')), createObject('value', 'Static'))]", - "skuName": "[if(contains(parameters('managementIPAddressObject'), 'skuName'), if(not(empty(parameters('managementIPAddressObject').skuName)), createObject('value', parameters('managementIPAddressObject').skuName), createObject('value', 'Standard')), createObject('value', 'Standard'))]", - "skuTier": "[if(contains(parameters('managementIPAddressObject'), 'skuTier'), if(not(empty(parameters('managementIPAddressObject').skuTier)), createObject('value', parameters('managementIPAddressObject').skuTier), createObject('value', 'Regional')), createObject('value', 'Regional'))]", - "roleAssignments": "[if(contains(parameters('managementIPAddressObject'), 'roleAssignments'), if(not(empty(parameters('managementIPAddressObject').roleAssignments)), createObject('value', parameters('managementIPAddressObject').roleAssignments), createObject('value', createArray())), createObject('value', createArray()))]", - "diagnosticSettings": { - "value": "[tryGet(parameters('managementIPAddressObject'), 'diagnosticSettings')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "tags": { - "value": "[coalesce(tryGet(parameters('managementIPAddressObject'), 'tags'), parameters('tags'))]" - }, - "zones": { - "value": "[parameters('zones')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": 
"15536304828480480757" - }, - "name": "Public IP Addresses", - "description": "This module deploys a Public IP Address.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. 
A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Public IP Address." 
- } - }, - "publicIPPrefixResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix." - } - }, - "publicIPAllocationMethod": { - "type": "string", - "defaultValue": "Static", - "allowedValues": [ - "Dynamic", - "Static" - ], - "metadata": { - "description": "Optional. The public IP address allocation method." - } - }, - "skuName": { - "type": "string", - "defaultValue": "Standard", - "allowedValues": [ - "Basic", - "Standard" - ], - "metadata": { - "description": "Optional. Name of a public IP address SKU." - } - }, - "skuTier": { - "type": "string", - "defaultValue": "Regional", - "allowedValues": [ - "Global", - "Regional" - ], - "metadata": { - "description": "Optional. Tier of a public IP address SKU." - } - }, - "zones": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. A list of availability zones denoting the IP allocated for the resource needs to come from." - } - }, - "publicIPAddressVersion": { - "type": "string", - "defaultValue": "IPv4", - "allowedValues": [ - "IPv4", - "IPv6" - ], - "metadata": { - "description": "Optional. IP address version." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "domainNameLabel": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The domain name label. The concatenation of the domain name label and the regionalized DNS zone make up the fully qualified domain name associated with the public IP address. If a domain name label is specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system." 
- } - }, - "domainNameLabelScope": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "NoReuse", - "ResourceGroupReuse", - "SubscriptionReuse", - "TenantReuse" - ], - "metadata": { - "description": "Optional. The domain name label scope. If a domain name label and a domain name label scope are specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system with a hashed value includes in FQDN." - } - }, - "fqdn": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The Fully Qualified Domain Name of the A DNS record associated with the public IP. This is the concatenation of the domainNameLabel and the regionalized DNS zone." - } - }, - "reverseFqdn": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The reverse FQDN. A user-visible, fully qualified domain name that resolves to this public IP address. If the reverseFqdn is specified, then a PTR DNS record is created pointing from the IP address in the in-addr.arpa domain to the reverse FQDN." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "publicIpAddress": { - "type": "Microsoft.Network/publicIPAddresses", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - 
"location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "name": "[parameters('skuName')]", - "tier": "[parameters('skuTier')]" - }, - "zones": "[parameters('zones')]", - "properties": { - "dnsSettings": "[if(not(empty(parameters('domainNameLabel'))), createObject('domainNameLabel', parameters('domainNameLabel'), 'domainNameLabelScope', parameters('domainNameLabelScope'), 'fqdn', parameters('fqdn'), 'reverseFqdn', parameters('reverseFqdn')), null())]", - "publicIPAddressVersion": "[parameters('publicIPAddressVersion')]", - "publicIPAllocationMethod": "[parameters('publicIPAllocationMethod')]", - "publicIPPrefix": "[if(not(empty(parameters('publicIPPrefixResourceId'))), createObject('id', parameters('publicIPPrefixResourceId')), null())]", - "idleTimeoutInMinutes": 4, - "ipTags": [] - } - }, - "publicIpAddress_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "publicIpAddress" - ] - }, - "publicIpAddress_diagnosticSettings": { - "copy": { - "name": "publicIpAddress_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": 
"[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "publicIpAddress" - ] - }, - "publicIpAddress_roleAssignments": { - "copy": { - "name": "publicIpAddress_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - 
"properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "publicIpAddress" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the public IP address was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the public IP address." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the public IP address." - }, - "value": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" - }, - "ipAddress": { - "type": "string", - "metadata": { - "description": "The public IP address of the public IP address resource." 
- }, - "value": "[if(contains(reference('publicIpAddress'), 'ipAddress'), reference('publicIpAddress').ipAddress, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('publicIpAddress', '2023-04-01', 'full').location]" - } - } - } - } - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Azure Firewall." - }, - "value": "[resourceId('Microsoft.Network/azureFirewalls', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the Azure Firewall." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the Azure firewall was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "privateIp": { - "type": "string", - "metadata": { - "description": "The private IP of the Azure firewall." - }, - "value": "[if(contains(reference('azureFirewall'), 'ipConfigurations'), reference('azureFirewall').ipConfigurations[0].properties.privateIPAddress, '')]" - }, - "ipConfAzureFirewallSubnet": { - "type": "object", - "metadata": { - "description": "The Public IP configuration object for the Azure Firewall Subnet." - }, - "value": "[if(contains(reference('azureFirewall'), 'ipConfigurations'), reference('azureFirewall').ipConfigurations[0], createObject())]" - }, - "applicationRuleCollections": { - "type": "array", - "metadata": { - "description": "List of Application Rule Collections." - }, - "value": "[parameters('applicationRuleCollections')]" - }, - "networkRuleCollections": { - "type": "array", - "metadata": { - "description": "List of Network Rule Collections." - }, - "value": "[parameters('networkRuleCollections')]" - }, - "natRuleCollections": { - "type": "array", - "metadata": { - "description": "Collection of NAT rule collections used by Azure Firewall." 
- }, - "value": "[parameters('natRuleCollections')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('azureFirewall', '2023-04-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/azure-firewall/tests/e2e/addpip/dependencies.bicep b/modules/network/azure-firewall/tests/e2e/addpip/dependencies.bicep deleted file mode 100644 index cf2cb1747a..0000000000 --- a/modules/network/azure-firewall/tests/e2e/addpip/dependencies.bicep +++ /dev/null 
@@ -1,70 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Public IP to create.')
-param publicIPName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'AzureFirewallSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 20, 0)
- }
- }
- {
- name: 'AzureFirewallManagementSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 20, 1)
- }
- }
- ]
- }
-}
-
-resource publicIP 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
- name: publicIPName
- location: location
- sku: {
- name: 'Standard'
- tier: 'Regional'
- }
- properties: {
- publicIPAllocationMethod: 'Static'
- }
- zones: [
- '1'
- '2'
- '3'
- ]
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network.')
-output virtualNetworkResourceId string = virtualNetwork.id
-
-@description('The resource ID of the created Public IP.')
-output publicIPResourceId string = publicIP.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/azure-firewall/tests/e2e/addpip/main.test.bicep b/modules/network/azure-firewall/tests/e2e/addpip/main.test.bicep
deleted file mode 100644
index 61b216c4a3..0000000000
--- a/modules/network/azure-firewall/tests/e2e/addpip/main.test.bicep
+++ /dev/null
@@ -1,79 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-network.azurefirewalls-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nafaddpip' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - publicIPName: 'dep-${namePrefix}-pip-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - vNetId: nestedDependencies.outputs.virtualNetworkResourceId - additionalPublicIpConfigurations: [ - { - name: 'ipConfig01' - publicIPAddressResourceId: 
nestedDependencies.outputs.publicIPResourceId - } - ] - azureSkuTier: 'Basic' - managementIPAddressObject: { - publicIPAllocationMethod: 'Static' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/network/azure-firewall/tests/e2e/custompip/dependencies.bicep b/modules/network/azure-firewall/tests/e2e/custompip/dependencies.bicep deleted file mode 100644 index 5d14b0b91c..0000000000 --- a/modules/network/azure-firewall/tests/e2e/custompip/dependencies.bicep +++ /dev/null @@ -1,41 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Virtual Network to create.') -param virtualNetworkName string - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -var addressPrefix = '10.0.0.0/16' - -resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { - name: virtualNetworkName - location: location - properties: { - addressSpace: { - addressPrefixes: [ - addressPrefix - ] - } - subnets: [ - { - name: 'AzureFirewallSubnet' - properties: { - addressPrefix: cidrSubnet(addressPrefix, 16, 0) - } - } - ] - } -} - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -@description('The resource ID of the created Virtual Network.') -output virtualNetworkResourceId string = virtualNetwork.id - -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId 
diff --git a/modules/network/azure-firewall/tests/e2e/custompip/main.test.bicep b/modules/network/azure-firewall/tests/e2e/custompip/main.test.bicep
deleted file mode 100644
index 37fb6178bc..0000000000
--- a/modules/network/azure-firewall/tests/e2e/custompip/main.test.bicep
+++ /dev/null
@@ -1,103 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-network.azurefirewalls-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nafcstpip' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}03' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}01' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}01' - location: location - } -} - -// ============== // -// Test Execution // -// 
============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - vNetId: nestedDependencies.outputs.virtualNetworkResourceId - publicIPAddressObject: { - name: 'new-${namePrefix}-pip-${serviceShort}' - publicIPAllocationMethod: 'Static' - publicIPPrefixResourceId: '' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - skuName: 'Standard' - skuTier: 'Regional' - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/network/azure-firewall/tests/e2e/defaults/dependencies.bicep b/modules/network/azure-firewall/tests/e2e/defaults/dependencies.bicep deleted file mode 100644 index 4d1cd2e6aa..0000000000 --- a/modules/network/azure-firewall/tests/e2e/defaults/dependencies.bicep +++ /dev/null 
@@ -1,29 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'AzureFirewallSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-@description('The resource ID of the created Virtual Network.')
-output virtualNetworkResourceId string = virtualNetwork.id
diff --git a/modules/network/azure-firewall/tests/e2e/defaults/main.test.bicep b/modules/network/azure-firewall/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index 7530eeedd1..0000000000
--- a/modules/network/azure-firewall/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,58 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.azurefirewalls-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nafmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- vNetId: nestedDependencies.outputs.virtualNetworkResourceId
- }
-}]
diff --git a/modules/network/azure-firewall/tests/e2e/hubcommon/dependencies.bicep b/modules/network/azure-firewall/tests/e2e/hubcommon/dependencies.bicep
deleted file mode 100644
index 0dc2f1d9a2..0000000000
--- a/modules/network/azure-firewall/tests/e2e/hubcommon/dependencies.bicep
+++ /dev/null
@@ -1,46 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual WAN to create.')
-param virtualWanName string
-
-@description('Required. The name of the Virtual Hub to create.')
-param virtualHubName string
-
-@description('Required. The name of the Firewall Policy to create.')
-param firewallPolicyName string
-
-resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' = {
- name: virtualWanName
- location: location
- properties: {
- disableVpnEncryption: false
- allowBranchToBranchTraffic: true
- type: 'Standard'
- }
-}
-
-resource virtualHub 'Microsoft.Network/virtualHubs@2021-08-01' = {
- name: virtualHubName
- location: location
- properties: {
- addressPrefix: '10.1.0.0/16'
- virtualWan: {
- id: virtualWan.id
- }
- }
-}
-
-resource policy 'Microsoft.Network/firewallPolicies@2023-04-01' = {
- name: firewallPolicyName
- location: location
- properties: {
- threatIntelMode: 'Alert'
- }
-}
-
-@description('The resource ID of the created Virtual Hub.')
-output virtualHubResourceId string = virtualHub.id
-
-@description('The resource ID of the created Firewall Policy.')
-output firewallPolicyResourceId string = policy.id
diff --git a/modules/network/azure-firewall/tests/e2e/hubcommon/main.test.bicep b/modules/network/azure-firewall/tests/e2e/hubcommon/main.test.bicep
deleted file mode 100644
index 5870bd2081..0000000000
--- a/modules/network/azure-firewall/tests/e2e/hubcommon/main.test.bicep
+++ /dev/null
@@ -1,68 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.azurefirewalls-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nafhubcom'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualWanName: 'dep-${namePrefix}-vwan-${serviceShort}'
- virtualHubName: 'dep-${namePrefix}-vhub-${serviceShort}'
- firewallPolicyName: 'dep-${namePrefix}-afwp-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- firewallPolicyId: nestedDependencies.outputs.firewallPolicyResourceId
- virtualHubId: nestedDependencies.outputs.virtualHubResourceId
- hubIPAddresses: {
- publicIPs: {
- count: 1
- }
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/azure-firewall/tests/e2e/hubmin/dependencies.bicep b/modules/network/azure-firewall/tests/e2e/hubmin/dependencies.bicep
deleted file mode 100644
index eceb77c39e..0000000000
--- a/modules/network/azure-firewall/tests/e2e/hubmin/dependencies.bicep
+++ /dev/null
@@ -1,32 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual WAN to create.')
-param virtualWanName string
-
-@description('Required. The name of the Virtual Hub to create.')
-param virtualHubName string
-
-resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' = {
- name: virtualWanName
- location: location
- properties: {
- disableVpnEncryption: false
- allowBranchToBranchTraffic: true
- type: 'Standard'
- }
-}
-
-resource virtualHub 'Microsoft.Network/virtualHubs@2021-08-01' = {
- name: virtualHubName
- location: location
- properties: {
- addressPrefix: '10.1.0.0/16'
- virtualWan: {
- id: virtualWan.id
- }
- }
-}
-
-@description('The resource ID of the created Virtual Hub.')
-output virtualHubResourceId string = virtualHub.id
diff --git a/modules/network/azure-firewall/tests/e2e/hubmin/main.test.bicep b/modules/network/azure-firewall/tests/e2e/hubmin/main.test.bicep
deleted file mode 100644
index dd3dd67364..0000000000
--- a/modules/network/azure-firewall/tests/e2e/hubmin/main.test.bicep
+++ /dev/null
@@ -1,61 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.azurefirewalls-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nafhubmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualWanName: 'dep-${namePrefix}-vwan-${serviceShort}'
- virtualHubName: 'dep-${namePrefix}-vhub-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- virtualHubId: nestedDependencies.outputs.virtualHubResourceId
- hubIPAddresses: {
- publicIPs: {
- count: 1
- }
- }
- }
-}]
diff --git a/modules/network/azure-firewall/tests/e2e/max/dependencies.bicep b/modules/network/azure-firewall/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index de9bfec4ea..0000000000
--- a/modules/network/azure-firewall/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,64 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Public IP to create.')
-param publicIPName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'AzureFirewallSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource publicIP 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
- name: publicIPName
- location: location
- sku: {
- name: 'Standard'
- tier: 'Regional'
- }
- properties: {
- publicIPAllocationMethod: 'Static'
- }
- zones: [
- '1'
- '2'
- '3'
- ]
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network.')
-output virtualNetworkResourceId string = virtualNetwork.id
-
-@description('The resource ID of the created Public IP.')
-output publicIPResourceId string = publicIP.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/azure-firewall/tests/e2e/max/main.test.bicep b/modules/network/azure-firewall/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 6952eb7b58..0000000000
--- a/modules/network/azure-firewall/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,201 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.azurefirewalls-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nafmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- publicIPName: 'dep-${namePrefix}-pip-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- vNetId: nestedDependencies.outputs.virtualNetworkResourceId
- applicationRuleCollections: [
- {
- name: 'allow-app-rules'
- properties: {
- action: {
- type: 'allow'
- }
- priority: 100
- rules: [
- {
- fqdnTags: [
- 'AppServiceEnvironment'
- 'WindowsUpdate'
- ]
- name: 'allow-ase-tags'
- protocols: [
- {
- port: '80'
- protocolType: 'HTTP'
- }
- {
- port: '443'
- protocolType: 'HTTPS'
- }
- ]
- sourceAddresses: [
- '*'
- ]
- }
- {
- name: 'allow-ase-management'
- protocols: [
- {
- port: '80'
- protocolType: 'HTTP'
- }
- {
- port: '443'
- protocolType: 'HTTPS'
- }
- ]
- sourceAddresses: [
- '*'
- ]
- targetFqdns: [
- 'bing.com'
- ]
- }
- ]
- }
- }
- ]
- publicIPResourceID: nestedDependencies.outputs.publicIPResourceId
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- networkRuleCollections: [
- {
- name: 'allow-network-rules'
- properties: {
- action: {
- type: 'allow'
- }
- priority: 100
- rules: [
- {
- destinationAddresses: [
- '*'
- ]
- destinationPorts: [
- '12000'
- '123'
- ]
- name: 'allow-ntp'
- protocols: [
- 'Any'
- ]
- sourceAddresses: [
- '*'
- ]
- }
- ]
- }
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- zones: [
- '1'
- '2'
- '3'
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/azure-firewall/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/azure-firewall/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index de9bfec4ea..0000000000
--- a/modules/network/azure-firewall/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,64 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Public IP to create.')
-param publicIPName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'AzureFirewallSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource publicIP 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
- name: publicIPName
- location: location
- sku: {
- name: 'Standard'
- tier: 'Regional'
- }
- properties: {
- publicIPAllocationMethod: 'Static'
- }
- zones: [
- '1'
- '2'
- '3'
- ]
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network.')
-output virtualNetworkResourceId string = virtualNetwork.id
-
-@description('The resource ID of the created Public IP.')
-output publicIPResourceId string = publicIP.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep b/modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 12b95314ae..0000000000
--- a/modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,184 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.azurefirewalls-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nafwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- publicIPName: 'dep-${namePrefix}-pip-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- vNetId: nestedDependencies.outputs.virtualNetworkResourceId
- applicationRuleCollections: [
- {
- name: 'allow-app-rules'
- properties: {
- action: {
- type: 'allow'
- }
- priority: 100
- rules: [
- {
- fqdnTags: [
- 'AppServiceEnvironment'
- 'WindowsUpdate'
- ]
- name: 'allow-ase-tags'
- protocols: [
- {
- port: '80'
- protocolType: 'HTTP'
- }
- {
- port: '443'
- protocolType: 'HTTPS'
- }
- ]
- sourceAddresses: [
- '*'
- ]
- }
- {
- name: 'allow-ase-management'
- protocols: [
- {
- port: '80'
- protocolType: 'HTTP'
- }
- {
- port: '443'
- protocolType: 'HTTPS'
- }
- ]
- sourceAddresses: [
- '*'
- ]
- targetFqdns: [
- 'bing.com'
- ]
- }
- ]
- }
- }
- ]
- publicIPResourceID: nestedDependencies.outputs.publicIPResourceId
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- networkRuleCollections: [
- {
- name: 'allow-network-rules'
- properties: {
- action: {
- type: 'allow'
- }
- priority: 100
- rules: [
- {
- destinationAddresses: [
- '*'
- ]
- destinationPorts: [
- '12000'
- '123'
- ]
- name: 'allow-ntp'
- protocols: [
- 'Any'
- ]
- sourceAddresses: [
- '*'
- ]
- }
- ]
- }
- }
- ]
- zones: [
- '1'
- '2'
- '3'
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/azure-firewall/version.json b/modules/network/azure-firewall/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/network/azure-firewall/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/bastion-host/MOVED-TO-AVM.md b/modules/network/bastion-host/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/network/bastion-host/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/network/bastion-host/README.md b/modules/network/bastion-host/README.md
index 84cd231586..9ab341cd52 100644
--- a/modules/network/bastion-host/README.md
+++ b/modules/network/bastion-host/README.md
@@ -1,875 +1,7 @@
-# Bastion Hosts `[Microsoft.Network/bastionHosts]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/bastion-host](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/bastion-host).** -This module deploys a Bastion Host. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/bastion-host). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/bastionHosts` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-11-01/bastionHosts) | -| `Microsoft.Network/publicIPAddresses` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/publicIPAddresses) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. 
For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.bastion-host:1.0.0`. - -- [Custompip](#example-1-custompip) -- [Using only defaults](#example-2-using-only-defaults) -- [Using large parameter set](#example-3-using-large-parameter-set) -- [WAF-aligned](#example-4-waf-aligned) - -### Example 1: _Custompip_ - -
- -via Bicep module - -```bicep -module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nbhctmpip' - params: { - // Required parameters - name: 'nbhctmpip001' - vNetId: '' - // Non-required parameters - enableDefaultTelemetry: '' - publicIPAddressObject: { - allocationMethod: 'Static' - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - name: 'nbhctmpip001-pip' - publicIPPrefixResourceId: '' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - skuName: 'Standard' - skuTier: 'Regional' - zones: [ - '1' - '2' - '3' - ] - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nbhctmpip001" - }, - "vNetId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "publicIPAddressObject": { - "value": { - "allocationMethod": "Static", - "diagnosticSettings": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ], - "name": "nbhctmpip001-pip", - "publicIPPrefixResourceId": "", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "skuName": "Standard", - "skuTier": "Regional", - "zones": [ - "1", - "2", - "3" - ] - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nbhmin' - params: { - // Required parameters - name: 'nbhmin001' - vNetId: '' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nbhmin001" - }, - "vNetId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 3: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nbhmax' - params: { - // Required parameters - name: 'nbhmax001' - vNetId: '' - // Non-required parameters - bastionSubnetPublicIpResourceId: '' - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - disableCopyPaste: true - enableDefaultTelemetry: '' - enableFileCopy: false - enableIpConnect: false - enableShareableLink: false - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - scaleUnits: 4 - skuName: 'Standard' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nbhmax001" - }, - "vNetId": { - "value": "" - }, - // Non-required parameters - "bastionSubnetPublicIpResourceId": { - "value": "" - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "disableCopyPaste": { - "value": true - }, - "enableDefaultTelemetry": { - "value": "" - }, - "enableFileCopy": { - "value": false - }, - "enableIpConnect": { - "value": false - }, - "enableShareableLink": { - "value": false - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "scaleUnits": { - "value": 4 - }, - "skuName": { - "value": "Standard" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 4: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nbhwaf' - params: { - // Required parameters - name: 'nbhwaf001' - vNetId: '' - // Non-required parameters - bastionSubnetPublicIpResourceId: '' - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - disableCopyPaste: true - enableDefaultTelemetry: '' - enableFileCopy: false - enableIpConnect: false - enableShareableLink: false - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - scaleUnits: 4 - skuName: 'Standard' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nbhwaf001" - }, - "vNetId": { - "value": "" - }, - // Non-required parameters - "bastionSubnetPublicIpResourceId": { - "value": "" - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "disableCopyPaste": { - "value": true - }, - "enableDefaultTelemetry": { - "value": "" - }, - "enableFileCopy": { - "value": false - }, - "enableIpConnect": { - "value": false - }, - "enableShareableLink": { - "value": false - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "scaleUnits": { - "value": 4 - }, - "skuName": { - "value": "Standard" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Azure Bastion resource. | -| [`vNetId`](#parameter-vnetid) | string | Shared services Virtual Network resource identifier. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`bastionSubnetPublicIpResourceId`](#parameter-bastionsubnetpublicipresourceid) | string | The Public IP resource ID to associate to the azureBastionSubnet. If empty, then the Public IP that is created as part of this module will be applied to the azureBastionSubnet. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`disableCopyPaste`](#parameter-disablecopypaste) | bool | Choose to disable or enable Copy Paste. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`enableFileCopy`](#parameter-enablefilecopy) | bool | Choose to disable or enable File Copy. | -| [`enableIpConnect`](#parameter-enableipconnect) | bool | Choose to disable or enable IP Connect. | -| [`enableKerberos`](#parameter-enablekerberos) | bool | Choose to disable or enable Kerberos authentication. | -| [`enableShareableLink`](#parameter-enableshareablelink) | bool | Choose to disable or enable Shareable Link. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`publicIPAddressObject`](#parameter-publicipaddressobject) | object | Specifies the properties of the Public IP to create and be used by Azure Bastion, if no existing public IP was provided. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`scaleUnits`](#parameter-scaleunits) | int | The scale units for the Bastion Host resource. 
| -| [`skuName`](#parameter-skuname) | string | The SKU of this Bastion Host. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `name` - -Name of the Azure Bastion resource. - -- Required: Yes -- Type: string - -### Parameter: `vNetId` - -Shared services Virtual Network resource identifier. - -- Required: Yes -- Type: string - -### Parameter: `bastionSubnetPublicIpResourceId` - -The Public IP resource ID to associate to the azureBastionSubnet. If empty, then the Public IP that is created as part of this module will be applied to the azureBastionSubnet. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `disableCopyPaste` - -Choose to disable or enable Copy Paste. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableFileCopy` - -Choose to disable or enable File Copy. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableIpConnect` - -Choose to disable or enable IP Connect. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enableKerberos` - -Choose to disable or enable Kerberos authentication. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enableShareableLink` - -Choose to disable or enable Shareable Link. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `location` - -Location for all resources. 
- -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `publicIPAddressObject` - -Specifies the properties of the Public IP to create and be used by Azure Bastion, if no existing public IP was provided. - -- Required: No -- Type: object -- Default: - ```Bicep - { - name: '[format(\'{0}-pip\', parameters(\'name\'))]' - } - ``` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. 
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.principalType`
-
-The principal type of the assigned principal ID.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Device'
- 'ForeignGroup'
- 'Group'
- 'ServicePrincipal'
- 'User'
- ]
- ```
-
-### Parameter: `scaleUnits`
-
-The scale units for the Bastion Host resource.
-
-- Required: No
-- Type: int
-- Default: `2`
-
-### Parameter: `skuName`
-
-The SKU of this Bastion Host.
-
-- Required: No
-- Type: string
-- Default: `'Basic'`
-- Allowed:
- ```Bicep
- [
- 'Basic'
- 'Standard'
- ]
- ```
-
-### Parameter: `tags`
-
-Tags of the resource.
-
-- Required: No
-- Type: object
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `ipConfAzureBastionSubnet` | object | The Public IPconfiguration object for the AzureBastionSubnet. |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name the Azure Bastion. |
-| `resourceGroupName` | string | The resource group the Azure Bastion was deployed into. |
-| `resourceId` | string | The resource ID the Azure Bastion. |
-
-## Cross-referenced modules
-
-This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
-
-| Reference | Type |
-| :-- | :-- |
-| `modules/network/public-ip-address` | Local reference |
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/network/bastion-host/main.bicep b/modules/network/bastion-host/main.bicep
deleted file mode 100644
index 6c04ffdd8d..0000000000
--- a/modules/network/bastion-host/main.bicep
+++ /dev/null
@@ -1,270 +0,0 @@
-metadata name = 'Bastion Hosts'
-metadata description = 'This module deploys a Bastion Host.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the Azure Bastion resource.')
-param name string
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Required. Shared services Virtual Network resource identifier.')
-param vNetId string
-
-@description('Optional. The Public IP resource ID to associate to the azureBastionSubnet. If empty, then the Public IP that is created as part of this module will be applied to the azureBastionSubnet.')
-param bastionSubnetPublicIpResourceId string = ''
-
-@description('Optional. Specifies the properties of the Public IP to create and be used by Azure Bastion, if no existing public IP was provided.')
-param publicIPAddressObject object = {
- name: '${name}-pip'
-}
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@allowed([
- 'Basic'
- 'Standard'
-])
-@description('Optional. The SKU of this Bastion Host.')
-param skuName string = 'Basic'
-
-@description('Optional. Choose to disable or enable Copy Paste.')
-param disableCopyPaste bool = false
-
-@description('Optional. Choose to disable or enable File Copy.')
-param enableFileCopy bool = true
-
-@description('Optional. Choose to disable or enable IP Connect.')
-param enableIpConnect bool = false
-
-@description('Optional. Choose to disable or enable Kerberos authentication.')
-param enableKerberos bool = false
-
-@description('Optional. Choose to disable or enable Shareable Link.')
-param enableShareableLink bool = false
-
-@description('Optional. The scale units for the Bastion Host resource.')
-param scaleUnits int = 2
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-// ----------------------------------------------------------------------------
-// Prep ipConfigurations object AzureBastionSubnet for different uses cases:
-// 1. Use existing Public IP
-// 2. Use new Public IP created in this module
-var ipConfigurations = [
- {
- name: 'IpConfAzureBastionSubnet'
- properties: union({
- subnet: {
- id: '${vNetId}/subnets/AzureBastionSubnet' // The subnet name must be AzureBastionSubnet
- }
- }, {
- //Use existing Public IP, new Public IP created in this module
- publicIPAddress: {
- id: !empty(bastionSubnetPublicIpResourceId) ? bastionSubnetPublicIpResourceId : publicIPAddress.outputs.resourceId
- }
- })
- }
-]
-
-var enableReferencedModulesTelemetry = false
-
-// ----------------------------------------------------------------------------
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-module publicIPAddress '../public-ip-address/main.bicep' = if (empty(bastionSubnetPublicIpResourceId)) {
- name: '${uniqueString(deployment().name, location)}-Bastion-PIP'
- params: {
- name: publicIPAddressObject.name
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- location: location
- lock: lock
- diagnosticSettings: publicIPAddressObject.?diagnosticSettings
- publicIPAddressVersion: contains(publicIPAddressObject, 'publicIPAddressVersion') ? publicIPAddressObject.publicIPAddressVersion : 'IPv4'
- publicIPAllocationMethod: contains(publicIPAddressObject, 'publicIPAllocationMethod') ? publicIPAddressObject.publicIPAllocationMethod : 'Static'
- publicIPPrefixResourceId: contains(publicIPAddressObject, 'publicIPPrefixResourceId') ? publicIPAddressObject.publicIPPrefixResourceId : ''
- roleAssignments: contains(publicIPAddressObject, 'roleAssignments') ? publicIPAddressObject.roleAssignments : []
- skuName: contains(publicIPAddressObject, 'skuName') ? publicIPAddressObject.skuName : 'Standard'
- skuTier: contains(publicIPAddressObject, 'skuTier') ? publicIPAddressObject.skuTier : 'Regional'
- tags: publicIPAddressObject.?tags ?? tags
- zones: contains(publicIPAddressObject, 'zones') ? publicIPAddressObject.zones : []
- }
-}
-
-var bastionpropertiesVar = union({
- scaleUnits: skuName == 'Basic' ? 2 : scaleUnits
- ipConfigurations: ipConfigurations
- enableKerberos: enableKerberos
- }, (skuName == 'Standard' ? {
- enableTunneling: skuName == 'Standard'
- disableCopyPaste: disableCopyPaste
- enableFileCopy: enableFileCopy
- enableIpConnect: enableIpConnect
- enableShareableLink: enableShareableLink
- } : {})
-)
-
-resource azureBastion 'Microsoft.Network/bastionHosts@2022-11-01' = {
- name: name
- location: location
- tags: tags
- sku: {
- name: skuName
- }
- properties: bastionpropertiesVar
-}
-
-resource azureBastion_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: azureBastion
-}
-
-resource azureBastion_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: azureBastion
-}]
-
-resource azureBastion_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(azureBastion.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: azureBastion
-}]
-
-@description('The resource group the Azure Bastion was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name the Azure Bastion.')
-output name string = azureBastion.name
-
-@description('The resource ID the Azure Bastion.')
-output resourceId string = azureBastion.id
-
-@description('The location the resource was deployed into.')
-output location string = azureBastion.location
-
-@description('The Public IPconfiguration object for the AzureBastionSubnet.')
-output ipConfAzureBastionSubnet object = azureBastion.properties.ipConfigurations[0]
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/network/bastion-host/main.json b/modules/network/bastion-host/main.json
deleted file mode 100644
index 6e0ee971c0..0000000000
--- a/modules/network/bastion-host/main.json
+++ /dev/null
@@ -1,988 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "7116007649539447611" - }, - "name": "Bastion Hosts", - "description": "This module deploys a Bastion Host.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. 
A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Azure Bastion resource." 
- } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "vNetId": { - "type": "string", - "metadata": { - "description": "Required. Shared services Virtual Network resource identifier." - } - }, - "bastionSubnetPublicIpResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The Public IP resource ID to associate to the azureBastionSubnet. If empty, then the Public IP that is created as part of this module will be applied to the azureBastionSubnet." - } - }, - "publicIPAddressObject": { - "type": "object", - "defaultValue": { - "name": "[format('{0}-pip', parameters('name'))]" - }, - "metadata": { - "description": "Optional. Specifies the properties of the Public IP to create and be used by Azure Bastion, if no existing public IP was provided." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "skuName": { - "type": "string", - "defaultValue": "Basic", - "allowedValues": [ - "Basic", - "Standard" - ], - "metadata": { - "description": "Optional. The SKU of this Bastion Host." - } - }, - "disableCopyPaste": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Choose to disable or enable Copy Paste." - } - }, - "enableFileCopy": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Choose to disable or enable File Copy." - } - }, - "enableIpConnect": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Choose to disable or enable IP Connect." 
- } - }, - "enableKerberos": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Choose to disable or enable Kerberos authentication." - } - }, - "enableShareableLink": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Choose to disable or enable Shareable Link." - } - }, - "scaleUnits": { - "type": "int", - "defaultValue": 2, - "metadata": { - "description": "Optional. The scale units for the Bastion Host resource." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', 
uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "azureBastion": { - "type": "Microsoft.Network/bastionHosts", - "apiVersion": "2022-11-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "name": "[parameters('skuName')]" - }, - "properties": "[union(createObject('scaleUnits', if(equals(parameters('skuName'), 'Basic'), 2, parameters('scaleUnits')), 'ipConfigurations', createArray(createObject('name', 'IpConfAzureBastionSubnet', 'properties', union(createObject('subnet', createObject('id', format('{0}/subnets/AzureBastionSubnet', parameters('vNetId')))), createObject('publicIPAddress', createObject('id', if(not(empty(parameters('bastionSubnetPublicIpResourceId'))), parameters('bastionSubnetPublicIpResourceId'), reference('publicIPAddress').outputs.resourceId.value)))))), 'enableKerberos', parameters('enableKerberos')), if(equals(parameters('skuName'), 'Standard'), createObject('enableTunneling', equals(parameters('skuName'), 'Standard'), 'disableCopyPaste', parameters('disableCopyPaste'), 'enableFileCopy', parameters('enableFileCopy'), 'enableIpConnect', parameters('enableIpConnect'), 'enableShareableLink', parameters('enableShareableLink')), createObject()))]", - "dependsOn": [ - "publicIPAddress" - ] - }, - "azureBastion_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/bastionHosts/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": 
"[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "azureBastion" - ] - }, - "azureBastion_diagnosticSettings": { - "copy": { - "name": "azureBastion_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Network/bastionHosts/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "azureBastion" - ] - }, - "azureBastion_roleAssignments": { - "copy": { - "name": "azureBastion_roleAssignments", - "count": 
"[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/bastionHosts/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/bastionHosts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "azureBastion" - ] - }, - "publicIPAddress": { - "condition": "[empty(parameters('bastionSubnetPublicIpResourceId'))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Bastion-PIP', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('publicIPAddressObject').name]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "lock": { - "value": "[parameters('lock')]" - }, - "diagnosticSettings": { - "value": "[tryGet(parameters('publicIPAddressObject'), 'diagnosticSettings')]" - }, - "publicIPAddressVersion": "[if(contains(parameters('publicIPAddressObject'), 'publicIPAddressVersion'), createObject('value', parameters('publicIPAddressObject').publicIPAddressVersion), createObject('value', 'IPv4'))]", - "publicIPAllocationMethod": "[if(contains(parameters('publicIPAddressObject'), 'publicIPAllocationMethod'), createObject('value', parameters('publicIPAddressObject').publicIPAllocationMethod), createObject('value', 'Static'))]", - "publicIPPrefixResourceId": "[if(contains(parameters('publicIPAddressObject'), 'publicIPPrefixResourceId'), createObject('value', parameters('publicIPAddressObject').publicIPPrefixResourceId), createObject('value', ''))]", - "roleAssignments": "[if(contains(parameters('publicIPAddressObject'), 'roleAssignments'), createObject('value', parameters('publicIPAddressObject').roleAssignments), createObject('value', createArray()))]", - "skuName": "[if(contains(parameters('publicIPAddressObject'), 'skuName'), createObject('value', parameters('publicIPAddressObject').skuName), createObject('value', 'Standard'))]", - "skuTier": 
"[if(contains(parameters('publicIPAddressObject'), 'skuTier'), createObject('value', parameters('publicIPAddressObject').skuTier), createObject('value', 'Regional'))]", - "tags": { - "value": "[coalesce(tryGet(parameters('publicIPAddressObject'), 'tags'), parameters('tags'))]" - }, - "zones": "[if(contains(parameters('publicIPAddressObject'), 'zones'), createObject('value', parameters('publicIPAddressObject').zones), createObject('value', createArray()))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15536304828480480757" - }, - "name": "Public IP Addresses", - "description": "This module deploys a Public IP Address.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." 
- } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Public IP Address." - } - }, - "publicIPPrefixResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix." - } - }, - "publicIPAllocationMethod": { - "type": "string", - "defaultValue": "Static", - "allowedValues": [ - "Dynamic", - "Static" - ], - "metadata": { - "description": "Optional. The public IP address allocation method." - } - }, - "skuName": { - "type": "string", - "defaultValue": "Standard", - "allowedValues": [ - "Basic", - "Standard" - ], - "metadata": { - "description": "Optional. Name of a public IP address SKU." - } - }, - "skuTier": { - "type": "string", - "defaultValue": "Regional", - "allowedValues": [ - "Global", - "Regional" - ], - "metadata": { - "description": "Optional. Tier of a public IP address SKU." - } - }, - "zones": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. 
A list of availability zones denoting the IP allocated for the resource needs to come from." - } - }, - "publicIPAddressVersion": { - "type": "string", - "defaultValue": "IPv4", - "allowedValues": [ - "IPv4", - "IPv6" - ], - "metadata": { - "description": "Optional. IP address version." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "domainNameLabel": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The domain name label. The concatenation of the domain name label and the regionalized DNS zone make up the fully qualified domain name associated with the public IP address. If a domain name label is specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system." - } - }, - "domainNameLabelScope": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "NoReuse", - "ResourceGroupReuse", - "SubscriptionReuse", - "TenantReuse" - ], - "metadata": { - "description": "Optional. The domain name label scope. If a domain name label and a domain name label scope are specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system with a hashed value includes in FQDN." - } - }, - "fqdn": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The Fully Qualified Domain Name of the A DNS record associated with the public IP. This is the concatenation of the domainNameLabel and the regionalized DNS zone." - } - }, - "reverseFqdn": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The reverse FQDN. A user-visible, fully qualified domain name that resolves to this public IP address. If the reverseFqdn is specified, then a PTR DNS record is created pointing from the IP address in the in-addr.arpa domain to the reverse FQDN." 
- } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "publicIpAddress": { - "type": "Microsoft.Network/publicIPAddresses", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "name": "[parameters('skuName')]", - "tier": "[parameters('skuTier')]" - }, - "zones": "[parameters('zones')]", - "properties": { - "dnsSettings": "[if(not(empty(parameters('domainNameLabel'))), createObject('domainNameLabel', 
parameters('domainNameLabel'), 'domainNameLabelScope', parameters('domainNameLabelScope'), 'fqdn', parameters('fqdn'), 'reverseFqdn', parameters('reverseFqdn')), null())]", - "publicIPAddressVersion": "[parameters('publicIPAddressVersion')]", - "publicIPAllocationMethod": "[parameters('publicIPAllocationMethod')]", - "publicIPPrefix": "[if(not(empty(parameters('publicIPPrefixResourceId'))), createObject('id', parameters('publicIPPrefixResourceId')), null())]", - "idleTimeoutInMinutes": 4, - "ipTags": [] - } - }, - "publicIpAddress_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "publicIpAddress" - ] - }, - "publicIpAddress_diagnosticSettings": { - "copy": { - "name": "publicIpAddress_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "publicIpAddress" - ] - }, - "publicIpAddress_roleAssignments": { - "copy": { - "name": "publicIpAddress_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "publicIpAddress" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the public IP address was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the public IP address." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the public IP address." - }, - "value": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" - }, - "ipAddress": { - "type": "string", - "metadata": { - "description": "The public IP address of the public IP address resource." - }, - "value": "[if(contains(reference('publicIpAddress'), 'ipAddress'), reference('publicIpAddress').ipAddress, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." 
- }, - "value": "[reference('publicIpAddress', '2023-04-01', 'full').location]" - } - } - } - } - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the Azure Bastion was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name the Azure Bastion." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID the Azure Bastion." - }, - "value": "[resourceId('Microsoft.Network/bastionHosts', parameters('name'))]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('azureBastion', '2022-11-01', 'full').location]" - }, - "ipConfAzureBastionSubnet": { - "type": "object", - "metadata": { - "description": "The Public IPconfiguration object for the AzureBastionSubnet." - }, - "value": "[reference('azureBastion').ipConfigurations[0]]" - } - } -} \ No newline at end of file diff --git a/modules/network/bastion-host/tests/e2e/custompip/dependencies.bicep b/modules/network/bastion-host/tests/e2e/custompip/dependencies.bicep deleted file mode 100644 index efadbb5134..0000000000 --- a/modules/network/bastion-host/tests/e2e/custompip/dependencies.bicep +++ /dev/null 
@@ -1,41 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'AzureBastionSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network.')
-output virtualNetworkResourceId string = virtualNetwork.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/bastion-host/tests/e2e/custompip/main.test.bicep b/modules/network/bastion-host/tests/e2e/custompip/main.test.bicep
deleted file mode 100644
index 0db344d679..0000000000
--- a/modules/network/bastion-host/tests/e2e/custompip/main.test.bicep
+++ /dev/null
@@ -1,108 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.bastionhosts-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nbhctmpip'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}03'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}01'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}01'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- vNetId: nestedDependencies.outputs.virtualNetworkResourceId
- publicIPAddressObject: {
- name: '${namePrefix}${serviceShort}001-pip'
- allocationMethod: 'Static'
- publicIPPrefixResourceId: ''
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- skuName: 'Standard'
- skuTier: 'Regional'
- zones: [
- '1'
- '2'
- '3'
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/bastion-host/tests/e2e/defaults/dependencies.bicep b/modules/network/bastion-host/tests/e2e/defaults/dependencies.bicep
deleted file mode 100644
index 40255471c0..0000000000
--- a/modules/network/bastion-host/tests/e2e/defaults/dependencies.bicep
+++ /dev/null
@@ -1,30 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'AzureBastionSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-@description('The resource ID of the created Virtual Network.')
-output virtualNetworkResourceId string = virtualNetwork.id
diff --git a/modules/network/bastion-host/tests/e2e/defaults/main.test.bicep b/modules/network/bastion-host/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index dd96e2e579..0000000000
--- a/modules/network/bastion-host/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,58 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.bastionhosts-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nbhmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- vNetId: nestedDependencies.outputs.virtualNetworkResourceId
- }
-}]
diff --git a/modules/network/bastion-host/tests/e2e/max/dependencies.bicep b/modules/network/bastion-host/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index c25af5e3e7..0000000000
--- a/modules/network/bastion-host/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,59 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Public IP to create.')
-param publicIPName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'AzureBastionSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource publicIP 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
- name: publicIPName
- location: location
- sku: {
- name: 'Standard'
- tier: 'Regional'
- }
- properties: {
- publicIPAllocationMethod: 'Static'
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network.')
-output virtualNetworkResourceId string = virtualNetwork.id
-
-@description('The resource ID of the created Public IP.')
-output publicIPResourceId string = publicIP.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/bastion-host/tests/e2e/max/main.test.bicep b/modules/network/bastion-host/tests/e2e/max/main.test.bicep
deleted file mode 100644
index f7b87a0177..0000000000
--- a/modules/network/bastion-host/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,116 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.bastionhosts-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nbhmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- publicIPName: 'dep-${namePrefix}-pip-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- vNetId: nestedDependencies.outputs.virtualNetworkResourceId
- bastionSubnetPublicIpResourceId: nestedDependencies.outputs.publicIPResourceId
- diagnosticSettings: [
- {
- name: 'customSetting'
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- disableCopyPaste: true
- enableFileCopy: false
- enableIpConnect: false
- enableShareableLink: false
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- scaleUnits: 4
- skuName: 'Standard'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/bastion-host/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/bastion-host/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index c25af5e3e7..0000000000
--- a/modules/network/bastion-host/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,59 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Public IP to create.')
-param publicIPName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'AzureBastionSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource publicIP 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
- name: publicIPName
- location: location
- sku: {
- name: 'Standard'
- tier: 'Regional'
- }
- properties: {
- publicIPAllocationMethod: 'Static'
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network.')
-output virtualNetworkResourceId string = virtualNetwork.id
-
-@description('The resource ID of the created Public IP.')
-output publicIPResourceId string = publicIP.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep b/modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index a8095f58e2..0000000000
--- a/modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,99 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.bastionhosts-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nbhwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- publicIPName: 'dep-${namePrefix}-pip-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- vNetId: nestedDependencies.outputs.virtualNetworkResourceId
- bastionSubnetPublicIpResourceId: nestedDependencies.outputs.publicIPResourceId
- diagnosticSettings: [
- {
- name: 'customSetting'
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- disableCopyPaste: true
- enableFileCopy: false
- enableIpConnect: false
- enableShareableLink: false
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- scaleUnits: 4
- skuName: 'Standard'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/bastion-host/version.json b/modules/network/bastion-host/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/network/bastion-host/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/connection/MOVED-TO-AVM.md b/modules/network/connection/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/network/connection/MOVED-TO-AVM.md +++ /dev/null @@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/network/connection/README.md b/modules/network/connection/README.md index b861bde26c..d97c60b12c 100644 --- a/modules/network/connection/README.md +++ b/modules/network/connection/README.md @@ -1,562 +1,7 @@ -# Virtual Network Gateway Connections `[Microsoft.Network/connections]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/connection](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/connection).** -This module deploys a Virtual Network Gateway Connection. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/connection). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Network/connections` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/connections) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.connection:1.0.0`. - -- [Vnet2vnet](#example-1-vnet2vnet) - -### Example 1: _Vnet2vnet_ - -
- -via Bicep module - -```bicep -module connection 'br:bicep/modules/network.connection:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ncvtv' - params: { - // Required parameters - name: 'ncvtv001' - virtualNetworkGateway1: { - id: '' - } - // Non-required parameters - connectionType: 'Vnet2Vnet' - enableBgp: false - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - virtualNetworkGateway2: { - id: '' - } - vpnSharedKey: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ncvtv001" - }, - "virtualNetworkGateway1": { - "value": { - "id": "" - } - }, - // Non-required parameters - "connectionType": { - "value": "Vnet2Vnet" - }, - "enableBgp": { - "value": false - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "virtualNetworkGateway2": { - "value": { - "id": "" - } - }, - "vpnSharedKey": { - "value": "" - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Remote connection name. | -| [`virtualNetworkGateway1`](#parameter-virtualnetworkgateway1) | object | The primary Virtual Network Gateway. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`authorizationKey`](#parameter-authorizationkey) | securestring | The Authorization Key to connect to an Express Route Circuit. Used for connection type [ExpressRoute]. | -| [`connectionMode`](#parameter-connectionmode) | string | The connection connectionMode for this connection. Available for IPSec connections. | -| [`connectionProtocol`](#parameter-connectionprotocol) | string | Connection connectionProtocol used for this connection. Available for IPSec connections. | -| [`connectionType`](#parameter-connectiontype) | string | Gateway connection connectionType. | -| [`customIPSecPolicy`](#parameter-customipsecpolicy) | object | The IPSec Policies to be considered by this connection. | -| [`dpdTimeoutSeconds`](#parameter-dpdtimeoutseconds) | int | The dead peer detection timeout of this connection in seconds. Setting the timeout to shorter periods will cause IKE to rekey more aggressively, causing the connection to appear to be disconnected in some instances. The general recommendation is to set the timeout between 30 to 45 seconds. | -| [`enableBgp`](#parameter-enablebgp) | bool | Value to specify if BGP is enabled or not. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`enablePrivateLinkFastPath`](#parameter-enableprivatelinkfastpath) | bool | Bypass the ExpressRoute gateway when accessing private-links. ExpressRoute FastPath (expressRouteGatewayBypass) must be enabled. Only available when connection connectionType is Express Route. 
| -| [`expressRouteGatewayBypass`](#parameter-expressroutegatewaybypass) | bool | Bypass ExpressRoute Gateway for data forwarding. Only available when connection connectionType is Express Route. | -| [`localNetworkGateway2`](#parameter-localnetworkgateway2) | object | The local network gateway. Used for connection type [IPsec]. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`peer`](#parameter-peer) | object | The remote peer. Used for connection connectionType [ExpressRoute]. | -| [`routingWeight`](#parameter-routingweight) | int | The weight added to routes learned from this BGP speaker. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`useLocalAzureIpAddress`](#parameter-uselocalazureipaddress) | bool | Use private local Azure IP for the connection. Only available for IPSec Virtual Network Gateways that use the Azure Private IP Property. | -| [`usePolicyBasedTrafficSelectors`](#parameter-usepolicybasedtrafficselectors) | bool | Enable policy-based traffic selectors. | -| [`virtualNetworkGateway2`](#parameter-virtualnetworkgateway2) | object | The remote Virtual Network Gateway. Used for connection connectionType [Vnet2Vnet]. | -| [`vpnSharedKey`](#parameter-vpnsharedkey) | securestring | Specifies a VPN shared key. The same value has to be specified on both Virtual Network Gateways. | - -### Parameter: `name` - -Remote connection name. - -- Required: Yes -- Type: string - -### Parameter: `virtualNetworkGateway1` - -The primary Virtual Network Gateway. - -- Required: Yes -- Type: object - -### Parameter: `authorizationKey` - -The Authorization Key to connect to an Express Route Circuit. Used for connection type [ExpressRoute]. - -- Required: No -- Type: securestring -- Default: `''` - -### Parameter: `connectionMode` - -The connection connectionMode for this connection. Available for IPSec connections. 
- -- Required: No -- Type: string -- Default: `'Default'` -- Allowed: - ```Bicep - [ - 'Default' - 'InitiatorOnly' - 'ResponderOnly' - ] - ``` - -### Parameter: `connectionProtocol` - -Connection connectionProtocol used for this connection. Available for IPSec connections. - -- Required: No -- Type: string -- Default: `'IKEv2'` -- Allowed: - ```Bicep - [ - 'IKEv1' - 'IKEv2' - ] - ``` - -### Parameter: `connectionType` - -Gateway connection connectionType. - -- Required: No -- Type: string -- Default: `'IPsec'` -- Allowed: - ```Bicep - [ - 'ExpressRoute' - 'IPsec' - 'Vnet2Vnet' - 'VPNClient' - ] - ``` - -### Parameter: `customIPSecPolicy` - -The IPSec Policies to be considered by this connection. - -- Required: No -- Type: object -- Default: - ```Bicep - { - dhGroup: '' - ikeEncryption: '' - ikeIntegrity: '' - ipsecEncryption: '' - ipsecIntegrity: '' - pfsGroup: '' - saDataSizeKilobytes: 0 - saLifeTimeSeconds: 0 - } - ``` - -### Parameter: `dpdTimeoutSeconds` - -The dead peer detection timeout of this connection in seconds. Setting the timeout to shorter periods will cause IKE to rekey more aggressively, causing the connection to appear to be disconnected in some instances. The general recommendation is to set the timeout between 30 to 45 seconds. - -- Required: No -- Type: int -- Default: `45` - -### Parameter: `enableBgp` - -Value to specify if BGP is enabled or not. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enablePrivateLinkFastPath` - -Bypass the ExpressRoute gateway when accessing private-links. ExpressRoute FastPath (expressRouteGatewayBypass) must be enabled. Only available when connection connectionType is Express Route. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `expressRouteGatewayBypass` - -Bypass ExpressRoute Gateway for data forwarding. 
Only available when connection connectionType is Express Route. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `localNetworkGateway2` - -The local network gateway. Used for connection type [IPsec]. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `peer` - -The remote peer. Used for connection connectionType [ExpressRoute]. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `routingWeight` - -The weight added to routes learned from this BGP speaker. - -- Required: No -- Type: int -- Default: `-1` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `useLocalAzureIpAddress` - -Use private local Azure IP for the connection. Only available for IPSec Virtual Network Gateways that use the Azure Private IP Property. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `usePolicyBasedTrafficSelectors` - -Enable policy-based traffic selectors. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `virtualNetworkGateway2` - -The remote Virtual Network Gateway. Used for connection connectionType [Vnet2Vnet]. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `vpnSharedKey` - -Specifies a VPN shared key. 
The same value has to be specified on both Virtual Network Gateways. - -- Required: No -- Type: securestring -- Default: `''` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the remote connection. | -| `resourceGroupName` | string | The resource group the remote connection was deployed into. | -| `resourceId` | string | The resource ID of the remote connection. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `localNetworkGateway2` - -The local virtual network gateway object. - -

- -Parameter JSON format - -```json -"localNetworkGateway2": { - "value": { - "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Network/localNetworkGateways/myGateway" - } -} -``` - -
- -
- -Bicep format - -```bicep -localNetworkGateway2: { - id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Network/localNetworkGateways/myGateway' -} -``` - -
-

- -### Parameter Usage: `peer` - -The remote peer object used for ExpressRoute connections - -

- -Parameter JSON format - -```json -"peer": { - "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Network/expressRouteCircuits/expressRoute" -} -``` - -
- -
- -Bicep format - -```bicep -'peer': { - id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Network/expressRouteCircuits/expressRoute' -} -``` - -
-

- -### Parameter Usage: `customIPSecPolicy` - -If ipsecEncryption parameter is empty, customIPSecPolicy will not be deployed. The parameter file should look like below. - -

- -Parameter JSON format - -```json -"customIPSecPolicy": { - "value": { - "saLifeTimeSeconds": 0, - "saDataSizeKilobytes": 0, - "ipsecEncryption": "", - "ipsecIntegrity": "", - "ikeEncryption": "", - "ikeIntegrity": "", - "dhGroup": "", - "pfsGroup": "" - } -} -``` - -
- -
- -Bicep format - -```bicep -customIPSecPolicy: { - saLifeTimeSeconds: 0 - saDataSizeKilobytes: 0 - ipsecEncryption: '' - ipsecIntegrity: '' - ikeEncryption: '' - ikeIntegrity: '' - dhGroup: '' - pfsGroup: '' -} -``` - -
-

- -Format of the full customIPSecPolicy parameter in parameter file. - -

- -Parameter JSON format - -```json -"customIPSecPolicy": { - "value": { - "saLifeTimeSeconds": 28800, - "saDataSizeKilobytes": 102400000, - "ipsecEncryption": "AES256", - "ipsecIntegrity": "SHA256", - "ikeEncryption": "AES256", - "ikeIntegrity": "SHA256", - "dhGroup": "DHGroup14", - "pfsGroup": "None" - } -} -``` - -
- -
- -Bicep format - -```bicep -customIPSecPolicy: { - saLifeTimeSeconds: 28800 - saDataSizeKilobytes: 102400000 - ipsecEncryption: 'AES256' - ipsecIntegrity: 'SHA256' - ikeEncryption: 'AES256' - ikeIntegrity: 'SHA256' - dhGroup: 'DHGroup14' - pfsGroup: 'None' -} -``` - -
-

+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/network/connection/main.bicep b/modules/network/connection/main.bicep
deleted file mode 100644
index 9668f3762c..0000000000
--- a/modules/network/connection/main.bicep
+++ /dev/null
@@ -1,178 +0,0 @@
-metadata name = 'Virtual Network Gateway Connections'
-metadata description = 'This module deploys a Virtual Network Gateway Connection.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Remote connection name.')
-param name string
-
-@description('Optional. Specifies a VPN shared key. The same value has to be specified on both Virtual Network Gateways.')
-@secure()
-param vpnSharedKey string = ''
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Gateway connection connectionType.')
-@allowed([
- 'IPsec'
- 'Vnet2Vnet'
- 'ExpressRoute'
- 'VPNClient'
-])
-param connectionType string = 'IPsec'
-
-@description('Optional. Value to specify if BGP is enabled or not.')
-param enableBgp bool = false
-
-@allowed([
- 'Default'
- 'InitiatorOnly'
- 'ResponderOnly'
-])
-@description('Optional. The connection connectionMode for this connection. Available for IPSec connections.')
-param connectionMode string = 'Default'
-
-@allowed([
- 'IKEv1'
- 'IKEv2'
-])
-@description('Optional. Connection connectionProtocol used for this connection. Available for IPSec connections.')
-param connectionProtocol string = 'IKEv2'
-
-@minValue(9)
-@maxValue(3600)
-@description('Optional. The dead peer detection timeout of this connection in seconds. Setting the timeout to shorter periods will cause IKE to rekey more aggressively, causing the connection to appear to be disconnected in some instances. The general recommendation is to set the timeout between 30 to 45 seconds.')
-param dpdTimeoutSeconds int = 45
-
-@description('Optional. Enable policy-based traffic selectors.')
-param usePolicyBasedTrafficSelectors bool = false
-
-@description('Optional. Bypass the ExpressRoute gateway when accessing private-links. ExpressRoute FastPath (expressRouteGatewayBypass) must be enabled.
Only available when connection connectionType is Express Route.')
-param enablePrivateLinkFastPath bool = false
-
-@description('Optional. Bypass ExpressRoute Gateway for data forwarding. Only available when connection connectionType is Express Route.')
-param expressRouteGatewayBypass bool = false
-
-@description('Optional. Use private local Azure IP for the connection. Only available for IPSec Virtual Network Gateways that use the Azure Private IP Property.')
-param useLocalAzureIpAddress bool = false
-
-@description('Optional. The IPSec Policies to be considered by this connection.')
-param customIPSecPolicy object = {
- saLifeTimeSeconds: 0
- saDataSizeKilobytes: 0
- ipsecEncryption: ''
- ipsecIntegrity: ''
- ikeEncryption: ''
- ikeIntegrity: ''
- dhGroup: ''
- pfsGroup: ''
-}
-
-@description('Optional. The weight added to routes learned from this BGP speaker.')
-param routingWeight int = -1
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Required. The primary Virtual Network Gateway.')
-param virtualNetworkGateway1 object
-
-@description('Optional. The remote Virtual Network Gateway. Used for connection connectionType [Vnet2Vnet].')
-param virtualNetworkGateway2 object = {}
-
-@description('Optional. The remote peer. Used for connection connectionType [ExpressRoute].')
-param peer object = {}
-
-@description('Optional. The Authorization Key to connect to an Express Route Circuit. Used for connection type [ExpressRoute].')
-@secure()
-param authorizationKey string = ''
-
-@description('Optional. The local network gateway.
Used for connection type [IPsec].')
-param localNetworkGateway2 object = {}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource connection 'Microsoft.Network/connections@2023-04-01' = {
- name: name
- location: location
- tags: tags
- properties: {
- connectionType: connectionType
- connectionMode: connectionType == 'IPsec' ? connectionMode : null
- connectionProtocol: connectionType == 'IPsec' ? connectionProtocol : null
- dpdTimeoutSeconds: connectionType == 'IPsec' ? dpdTimeoutSeconds : null
- enablePrivateLinkFastPath: connectionType == 'ExpressRoute' ? enablePrivateLinkFastPath : null
- expressRouteGatewayBypass: connectionType == 'ExpressRoute' ? expressRouteGatewayBypass : null
- virtualNetworkGateway1: virtualNetworkGateway1
- virtualNetworkGateway2: connectionType == 'Vnet2Vnet' ? virtualNetworkGateway2 : null
- localNetworkGateway2: connectionType == 'IPsec' ? localNetworkGateway2 : null
- peer: connectionType == 'ExpressRoute' ? peer : null
- authorizationKey: connectionType == 'ExpressRoute' && !empty(authorizationKey) ? authorizationKey : null
- sharedKey: connectionType != 'ExpressRoute' ? vpnSharedKey : null
- usePolicyBasedTrafficSelectors: usePolicyBasedTrafficSelectors
- ipsecPolicies: !empty(customIPSecPolicy.ipsecEncryption) ?
[
- {
- saLifeTimeSeconds: customIPSecPolicy.saLifeTimeSeconds
- saDataSizeKilobytes: customIPSecPolicy.saDataSizeKilobytes
- ipsecEncryption: customIPSecPolicy.ipsecEncryption
- ipsecIntegrity: customIPSecPolicy.ipsecIntegrity
- ikeEncryption: customIPSecPolicy.ikeEncryption
- ikeIntegrity: customIPSecPolicy.ikeIntegrity
- dhGroup: customIPSecPolicy.dhGroup
- pfsGroup: customIPSecPolicy.pfsGroup
- }
- ] : customIPSecPolicy.ipsecEncryption
- routingWeight: routingWeight != -1 ? routingWeight : null
- enableBgp: enableBgp
- useLocalAzureIpAddress: connectionType == 'IPsec' ? useLocalAzureIpAddress : null
- }
-}
-
-resource connection_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: connection
-}
-
-@description('The resource group the remote connection was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the remote connection.')
-output name string = connection.name
-
-@description('The resource ID of the remote connection.')
-output resourceId string = connection.id
-
-@description('The location the resource was deployed into.')
-output location string = connection.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
diff --git a/modules/network/connection/main.json b/modules/network/connection/main.json
deleted file mode 100644
index 9c15afa676..0000000000
--- a/modules/network/connection/main.json
+++ /dev/null
@@ -1,307 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13101983309900723680" - }, - "name": "Virtual Network Gateway Connections", - "description": "This module deploys a Virtual Network Gateway Connection.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Remote connection name." - } - }, - "vpnSharedKey": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies a VPN shared key. The same value has to be specified on both Virtual Network Gateways." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "connectionType": { - "type": "string", - "defaultValue": "IPsec", - "allowedValues": [ - "IPsec", - "Vnet2Vnet", - "ExpressRoute", - "VPNClient" - ], - "metadata": { - "description": "Optional. Gateway connection connectionType." - } - }, - "enableBgp": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Value to specify if BGP is enabled or not." 
- } - }, - "connectionMode": { - "type": "string", - "defaultValue": "Default", - "allowedValues": [ - "Default", - "InitiatorOnly", - "ResponderOnly" - ], - "metadata": { - "description": "Optional. The connection connectionMode for this connection. Available for IPSec connections." - } - }, - "connectionProtocol": { - "type": "string", - "defaultValue": "IKEv2", - "allowedValues": [ - "IKEv1", - "IKEv2" - ], - "metadata": { - "description": "Optional. Connection connectionProtocol used for this connection. Available for IPSec connections." - } - }, - "dpdTimeoutSeconds": { - "type": "int", - "defaultValue": 45, - "minValue": 9, - "maxValue": 3600, - "metadata": { - "description": "Optional. The dead peer detection timeout of this connection in seconds. Setting the timeout to shorter periods will cause IKE to rekey more aggressively, causing the connection to appear to be disconnected in some instances. The general recommendation is to set the timeout between 30 to 45 seconds." - } - }, - "usePolicyBasedTrafficSelectors": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enable policy-based traffic selectors." - } - }, - "enablePrivateLinkFastPath": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Bypass the ExpressRoute gateway when accessing private-links. ExpressRoute FastPath (expressRouteGatewayBypass) must be enabled. Only available when connection connectionType is Express Route." - } - }, - "expressRouteGatewayBypass": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Bypass ExpressRoute Gateway for data forwarding. Only available when connection connectionType is Express Route." - } - }, - "useLocalAzureIpAddress": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Use private local Azure IP for the connection. Only available for IPSec Virtual Network Gateways that use the Azure Private IP Property." 
- } - }, - "customIPSecPolicy": { - "type": "object", - "defaultValue": { - "saLifeTimeSeconds": 0, - "saDataSizeKilobytes": 0, - "ipsecEncryption": "", - "ipsecIntegrity": "", - "ikeEncryption": "", - "ikeIntegrity": "", - "dhGroup": "", - "pfsGroup": "" - }, - "metadata": { - "description": "Optional. The IPSec Policies to be considered by this connection." - } - }, - "routingWeight": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. The weight added to routes learned from this BGP speaker." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "virtualNetworkGateway1": { - "type": "object", - "metadata": { - "description": "Required. The primary Virtual Network Gateway." - } - }, - "virtualNetworkGateway2": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The remote Virtual Network Gateway. Used for connection connectionType [Vnet2Vnet]." - } - }, - "peer": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The remote peer. Used for connection connectionType [ExpressRoute]." - } - }, - "authorizationKey": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. The Authorization Key to connect to an Express Route Circuit. Used for connection type [ExpressRoute]." - } - }, - "localNetworkGateway2": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The local network gateway. Used for connection type [IPsec]." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "connection": { - "type": "Microsoft.Network/connections", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "connectionType": "[parameters('connectionType')]", - "connectionMode": "[if(equals(parameters('connectionType'), 'IPsec'), parameters('connectionMode'), null())]", - "connectionProtocol": "[if(equals(parameters('connectionType'), 'IPsec'), parameters('connectionProtocol'), null())]", - "dpdTimeoutSeconds": "[if(equals(parameters('connectionType'), 'IPsec'), parameters('dpdTimeoutSeconds'), null())]", - "enablePrivateLinkFastPath": "[if(equals(parameters('connectionType'), 'ExpressRoute'), parameters('enablePrivateLinkFastPath'), null())]", - "expressRouteGatewayBypass": "[if(equals(parameters('connectionType'), 'ExpressRoute'), parameters('expressRouteGatewayBypass'), null())]", - "virtualNetworkGateway1": "[parameters('virtualNetworkGateway1')]", - "virtualNetworkGateway2": "[if(equals(parameters('connectionType'), 'Vnet2Vnet'), parameters('virtualNetworkGateway2'), null())]", - "localNetworkGateway2": "[if(equals(parameters('connectionType'), 'IPsec'), parameters('localNetworkGateway2'), null())]", - "peer": "[if(equals(parameters('connectionType'), 'ExpressRoute'), parameters('peer'), null())]", - "authorizationKey": "[if(and(equals(parameters('connectionType'), 'ExpressRoute'), not(empty(parameters('authorizationKey')))), 
parameters('authorizationKey'), null())]", - "sharedKey": "[if(not(equals(parameters('connectionType'), 'ExpressRoute')), parameters('vpnSharedKey'), null())]", - "usePolicyBasedTrafficSelectors": "[parameters('usePolicyBasedTrafficSelectors')]", - "ipsecPolicies": "[if(not(empty(parameters('customIPSecPolicy').ipsecEncryption)), createArray(createObject('saLifeTimeSeconds', parameters('customIPSecPolicy').saLifeTimeSeconds, 'saDataSizeKilobytes', parameters('customIPSecPolicy').saDataSizeKilobytes, 'ipsecEncryption', parameters('customIPSecPolicy').ipsecEncryption, 'ipsecIntegrity', parameters('customIPSecPolicy').ipsecIntegrity, 'ikeEncryption', parameters('customIPSecPolicy').ikeEncryption, 'ikeIntegrity', parameters('customIPSecPolicy').ikeIntegrity, 'dhGroup', parameters('customIPSecPolicy').dhGroup, 'pfsGroup', parameters('customIPSecPolicy').pfsGroup)), parameters('customIPSecPolicy').ipsecEncryption)]", - "routingWeight": "[if(not(equals(parameters('routingWeight'), -1)), parameters('routingWeight'), null())]", - "enableBgp": "[parameters('enableBgp')]", - "useLocalAzureIpAddress": "[if(equals(parameters('connectionType'), 'IPsec'), parameters('useLocalAzureIpAddress'), null())]" - } - }, - "connection_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/connections/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "connection" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": 
"string", - "metadata": { - "description": "The resource group the remote connection was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the remote connection." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the remote connection." - }, - "value": "[resourceId('Microsoft.Network/connections', parameters('name'))]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('connection', '2023-04-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/connection/tests/e2e/vnet2vnet/dependencies.bicep b/modules/network/connection/tests/e2e/vnet2vnet/dependencies.bicep deleted file mode 100644 index a8398dc99e..0000000000 --- a/modules/network/connection/tests/e2e/vnet2vnet/dependencies.bicep +++ /dev/null 
@@ -1,132 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the primary Public IP to create.')
-param primaryPublicIPName string
-
-@description('Required. The name of the primary VNET to create.')
-param primaryVirtualNetworkName string
-
-@description('Required. The name of the primary Virtual Network Gateway to create.')
-param primaryVirtualNetworkGatewayName string
-
-@description('Required. The name of the secondary Public IP to create.')
-param secondaryPublicIPName string
-
-@description('Required. The name of the secondary VNET to create.')
-param secondaryVirtualNetworkName string
-
-@description('Required. The name of the secondary Virtual Network Gateway to create.')
-param secondaryVirtualNetworkGatewayName string
-
-resource primaryVirtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: primaryVirtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- '10.0.0.0/24'
- ]
- }
- subnets: [
- {
- name: 'GatewaySubnet'
- properties: {
- addressPrefix: '10.0.0.0/24'
- }
- }
- ]
- }
-}
-
-resource primaryPublicIP 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
- name: primaryPublicIPName
- location: location
-}
-
-resource primaryVNETGateway 'Microsoft.Network/virtualNetworkGateways@2023-04-01' = {
- name: primaryVirtualNetworkGatewayName
- location: location
- properties: {
- gatewayType: 'Vpn'
- ipConfigurations: [
- {
- name: 'default'
- properties: {
- privateIPAllocationMethod: 'Dynamic'
- subnet: {
- id: primaryVirtualNetwork.properties.subnets[0].id
- }
- publicIPAddress: {
- id: primaryPublicIP.id
- }
- }
- }
- ]
- vpnType: 'RouteBased'
- vpnGatewayGeneration: 'Generation2'
- sku: {
- name: 'VpnGw2'
- tier: 'VpnGw2'
- }
- }
-}
-
-resource secondaryVirtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: secondaryVirtualNetworkName
- location: location
- properties:
{
- addressSpace: {
- addressPrefixes: [
- '10.0.1.0/24'
- ]
- }
- subnets: [
- {
- name: 'GatewaySubnet'
- properties: {
- addressPrefix: '10.0.1.0/24'
- }
- }
- ]
- }
-}
-
-resource secondaryPublicIP 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
- name: secondaryPublicIPName
- location: location
-}
-
-resource secondaryVNETGateway 'Microsoft.Network/virtualNetworkGateways@2023-04-01' = {
- name: secondaryVirtualNetworkGatewayName
- location: location
- properties: {
- gatewayType: 'Vpn'
- ipConfigurations: [
- {
- name: 'default'
- properties: {
- privateIPAllocationMethod: 'Dynamic'
- subnet: {
- id: secondaryVirtualNetwork.properties.subnets[0].id
- }
- publicIPAddress: {
- id: secondaryPublicIP.id
- }
- }
- }
- ]
- vpnType: 'RouteBased'
- vpnGatewayGeneration: 'Generation2'
- sku: {
- name: 'VpnGw2'
- tier: 'VpnGw2'
- }
- }
-}
-
-@description('The resource ID of the created primary Virtual Network Gateway.')
-output primaryVNETGatewayResourceID string = primaryVNETGateway.id
-
-@description('The resource ID of the created secondary Virtual Network Gateway.')
-output secondaryVNETGatewayResourceID string = secondaryVNETGateway.id
diff --git a/modules/network/connection/tests/e2e/vnet2vnet/main.test.bicep b/modules/network/connection/tests/e2e/vnet2vnet/main.test.bicep
deleted file mode 100644
index 5ead06960a..0000000000
--- a/modules/network/connection/tests/e2e/vnet2vnet/main.test.bicep
+++ /dev/null
@@ -1,81 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.connections-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ncvtv'
-
-@description('Optional. The password to leverage for the login.')
-@secure()
-param password string = newGuid()
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- primaryPublicIPName: 'dep-${namePrefix}-pip-${serviceShort}-1'
- primaryVirtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}-1'
- primaryVirtualNetworkGatewayName: 'dep-${namePrefix}-vpn-gw-${serviceShort}-1'
- secondaryPublicIPName: 'dep-${namePrefix}-pip-${serviceShort}-2'
- secondaryVirtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}-2'
- secondaryVirtualNetworkGatewayName: 'dep-${namePrefix}-vpn-gw-${serviceShort}-2'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- virtualNetworkGateway1: {
- id: nestedDependencies.outputs.primaryVNETGatewayResourceID
- }
- enableBgp: false
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- virtualNetworkGateway2: {
- id: nestedDependencies.outputs.secondaryVNETGatewayResourceID
- }
- connectionType: 'Vnet2Vnet'
- vpnSharedKey: password
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/connection/version.json b/modules/network/connection/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/network/connection/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/ddos-protection-plan/MOVED-TO-AVM.md b/modules/network/ddos-protection-plan/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/network/ddos-protection-plan/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/network/ddos-protection-plan/README.md b/modules/network/ddos-protection-plan/README.md
index d91d84721b..d04db45b80 100644
--- a/modules/network/ddos-protection-plan/README.md
+++ b/modules/network/ddos-protection-plan/README.md
@@ -1,445 +1,7 @@
-# DDoS Protection Plans `[Microsoft.Network/ddosProtectionPlans]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/ddos-protection-plan](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/ddos-protection-plan).** -This module deploys a DDoS Protection Plan. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/ddos-protection-plan). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/ddosProtectionPlans` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/ddosProtectionPlans) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
- ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.ddos-protection-plan:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module ddosProtectionPlan 'br:bicep/modules/network.ddos-protection-plan:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ndppmin' - params: { - // Required parameters - name: 'ndppmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ndppmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module ddosProtectionPlan 'br:bicep/modules/network.ddos-protection-plan:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ndppmax' - params: { - // Required parameters - name: 'ndppmax001' - // Non-required parameters - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ndppmax001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module ddosProtectionPlan 'br:bicep/modules/network.ddos-protection-plan:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ndppwaf' - params: { - // Required parameters - name: 'ndppwaf001' - // Non-required parameters - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ndppwaf001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the DDoS protection plan to assign the VNET to. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `name` - -Name of the DDoS protection plan to assign the VNET to. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `roleAssignments` - -Array of role assignments to create. 
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
- -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the DDOS protection plan. | -| `resourceGroupName` | string | The resource group the DDOS protection plan was deployed into. | -| `resourceId` | string | The resource ID of the DDOS protection plan. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/network/ddos-protection-plan/main.bicep b/modules/network/ddos-protection-plan/main.bicep deleted file mode 100644 index 3f9b8b415d..0000000000 --- a/modules/network/ddos-protection-plan/main.bicep +++ /dev/null 
@@ -1,119 +0,0 @@
-metadata name = 'DDoS Protection Plans'
-metadata description = 'This module deploys a DDoS Protection Plan.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the DDoS protection plan to assign the VNET to.')
-@minLength(1)
-param name string
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource ddosProtectionPlan 'Microsoft.Network/ddosProtectionPlans@2023-04-01' = {
- name: name
- location: location
- tags: tags
- properties: {}
-}
-
-resource ddosProtectionPlan_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: ddosProtectionPlan
-}
-
-resource ddosProtectionPlan_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(ddosProtectionPlan.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: ddosProtectionPlan
-}]
-
-@description('The resource group the DDOS protection plan was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The resource ID of the DDOS protection plan.')
-output resourceId string = ddosProtectionPlan.id
-
-@description('The name of the DDOS protection plan.')
-output name string = ddosProtectionPlan.name
-
-@description('The location the resource was deployed into.')
-output location string = ddosProtectionPlan.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/network/ddos-protection-plan/main.json b/modules/network/ddos-protection-plan/main.json
deleted file mode 100644
index 3d92c7a798..0000000000
--- a/modules/network/ddos-protection-plan/main.json
+++ /dev/null
@@ -1,249 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13726158545733724947" - }, - "name": "DDoS Protection Plans", - "description": "This module deploys a DDoS Protection Plan.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "minLength": 1, - "metadata": { - "description": "Required. Name of the DDoS protection plan to assign the VNET to." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "ddosProtectionPlan": { - "type": "Microsoft.Network/ddosProtectionPlans", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": {} - }, - "ddosProtectionPlan_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/ddosProtectionPlans/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 
'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "ddosProtectionPlan" - ] - }, - "ddosProtectionPlan_roleAssignments": { - "copy": { - "name": "ddosProtectionPlan_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/ddosProtectionPlans/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/ddosProtectionPlans', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "ddosProtectionPlan" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the DDOS protection plan was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the DDOS protection plan." - }, - "value": "[resourceId('Microsoft.Network/ddosProtectionPlans', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the DDOS protection plan." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('ddosProtectionPlan', '2023-04-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/ddos-protection-plan/tests/e2e/defaults/main.test.bicep b/modules/network/ddos-protection-plan/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 1d0010eb9c..0000000000 --- a/modules/network/ddos-protection-plan/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,48 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.ddosprotectionplans-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ndppmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}
diff --git a/modules/network/ddos-protection-plan/tests/e2e/max/dependencies.bicep b/modules/network/ddos-protection-plan/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/network/ddos-protection-plan/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/ddos-protection-plan/tests/e2e/max/main.test.bicep b/modules/network/ddos-protection-plan/tests/e2e/max/main.test.bicep
deleted file mode 100644
index e020dc11a8..0000000000
--- a/modules/network/ddos-protection-plan/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,82 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.ddosprotectionplans-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ndppmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
diff --git a/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/main.test.bicep b/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 593e44c39b..0000000000
--- a/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,65 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-network.ddosprotectionplans-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'ndppwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 
'DeploymentValidation' - } - } -} diff --git a/modules/network/ddos-protection-plan/version.json b/modules/network/ddos-protection-plan/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/network/ddos-protection-plan/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/dns-forwarding-ruleset/MOVED-TO-AVM.md b/modules/network/dns-forwarding-ruleset/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/network/dns-forwarding-ruleset/MOVED-TO-AVM.md +++ /dev/null @@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/network/dns-forwarding-ruleset/README.md b/modules/network/dns-forwarding-ruleset/README.md index 77a9d2fe37..97e40f64e1 100644 --- a/modules/network/dns-forwarding-ruleset/README.md +++ b/modules/network/dns-forwarding-ruleset/README.md @@ -1,565 +1,7 @@ -# Dns Forwarding Rulesets `[Microsoft.Network/dnsForwardingRulesets]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/dns-forwarding-ruleset](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/dns-forwarding-ruleset).** -This template deploys an dns forwarding ruleset. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/dns-forwarding-ruleset). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/dnsForwardingRulesets` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-07-01/dnsForwardingRulesets) | -| `Microsoft.Network/dnsForwardingRulesets/forwardingRules` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-07-01/dnsForwardingRulesets/forwardingRules) | -| `Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-07-01/dnsForwardingRulesets/virtualNetworkLinks) | - -## Usage examples - -The following section 
provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.dns-forwarding-ruleset:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module dnsForwardingRuleset 'br:bicep/modules/network.dns-forwarding-ruleset:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ndfrsmin' - params: { - // Required parameters - dnsResolverOutboundEndpointResourceIds: [ - '' - ] - name: 'ndfrsmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "dnsResolverOutboundEndpointResourceIds": { - "value": [ - "" - ] - }, - "name": { - "value": "ndfrsmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module dnsForwardingRuleset 'br:bicep/modules/network.dns-forwarding-ruleset:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ndfrsmax' - params: { - // Required parameters - dnsResolverOutboundEndpointResourceIds: [ - '' - ] - name: 'ndfrsmax001' - // Non-required parameters - enableDefaultTelemetry: '' - forwardingRules: [ - { - domainName: 'contoso.' - forwardingRuleState: 'Enabled' - name: 'rule1' - targetDnsServers: [ - { - ipAddress: '192.168.0.1' - port: '53' - } - ] - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - vNetLinks: [ - '' - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "dnsResolverOutboundEndpointResourceIds": { - "value": [ - "" - ] - }, - "name": { - "value": "ndfrsmax001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "forwardingRules": { - "value": [ - { - "domainName": "contoso.", - "forwardingRuleState": "Enabled", - "name": "rule1", - "targetDnsServers": [ - { - "ipAddress": "192.168.0.1", - "port": "53" - } - ] - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "vNetLinks": { - "value": [ - "" - ] - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module dnsForwardingRuleset 'br:bicep/modules/network.dns-forwarding-ruleset:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ndfrswaf' - params: { - // Required parameters - dnsResolverOutboundEndpointResourceIds: [ - '' - ] - name: 'ndfrswaf001' - // Non-required parameters - enableDefaultTelemetry: '' - forwardingRules: [ - { - domainName: 'contoso.' - forwardingRuleState: 'Enabled' - name: 'rule1' - targetDnsServers: [ - { - ipAddress: '192.168.0.1' - port: '53' - } - ] - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - vNetLinks: [ - '' - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "dnsResolverOutboundEndpointResourceIds": { - "value": [ - "" - ] - }, - "name": { - "value": "ndfrswaf001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "forwardingRules": { - "value": [ - { - "domainName": "contoso.", - "forwardingRuleState": "Enabled", - "name": "rule1", - "targetDnsServers": [ - { - "ipAddress": "192.168.0.1", - "port": "53" - } - ] - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "vNetLinks": { - "value": [ - "" - ] - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`dnsResolverOutboundEndpointResourceIds`](#parameter-dnsresolveroutboundendpointresourceids) | array | The reference to the DNS resolver outbound endpoints that are used to route DNS queries matching the forwarding rules in the ruleset to the target DNS servers. | -| [`name`](#parameter-name) | string | Name of the DNS Forwarding Ruleset. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`forwardingRules`](#parameter-forwardingrules) | array | Array of forwarding rules. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`vNetLinks`](#parameter-vnetlinks) | array | Array of virtual network links. | - -### Parameter: `dnsResolverOutboundEndpointResourceIds` - -The reference to the DNS resolver outbound endpoints that are used to route DNS queries matching the forwarding rules in the ruleset to the target DNS servers. - -- Required: Yes -- Type: array - -### Parameter: `name` - -Name of the DNS Forwarding Ruleset. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). 
- -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `forwardingRules` - -Array of forwarding rules. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `vNetLinks` - -Array of virtual network links. - -- Required: No -- Type: array -- Default: `[]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the DNS Forwarding Ruleset. | -| `resourceGroupName` | string | The resource group the DNS Forwarding Ruleset was deployed into. | -| `resourceId` | string | The resource ID of the DNS Forwarding Ruleset. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/network/dns-forwarding-ruleset/forwarding-rule/README.md b/modules/network/dns-forwarding-ruleset/forwarding-rule/README.md deleted file mode 100644 index 64a7cf0a97..0000000000 --- a/modules/network/dns-forwarding-ruleset/forwarding-rule/README.md +++ /dev/null 
@@ -1,121 +0,0 @@ -# Dns Forwarding Rulesets Forwarding Rules `[Microsoft.Network/dnsForwardingRulesets/forwardingRules]` - -This template deploys Forwarding Rule in a Dns Forwarding Ruleset. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Network/dnsForwardingRulesets/forwardingRules` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-07-01/dnsForwardingRulesets/forwardingRules) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`domainName`](#parameter-domainname) | string | The domain name for the forwarding rule. | -| [`name`](#parameter-name) | string | Name of the Forwarding Rule. | -| [`targetDnsServers`](#parameter-targetdnsservers) | array | DNS servers to forward the DNS query to. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`dnsForwardingRulesetName`](#parameter-dnsforwardingrulesetname) | string | Name of the parent DNS Forwarding Ruleset. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`forwardingRuleState`](#parameter-forwardingrulestate) | string | The state of forwarding rule. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`metadata`](#parameter-metadata) | object | Metadata attached to the forwarding rule. | - -### Parameter: `domainName` - -The domain name for the forwarding rule. - -- Required: Yes -- Type: string - -### Parameter: `name` - -Name of the Forwarding Rule. 
- -- Required: Yes -- Type: string - -### Parameter: `targetDnsServers` - -DNS servers to forward the DNS query to. - -- Required: Yes -- Type: array - -### Parameter: `dnsForwardingRulesetName` - -Name of the parent DNS Forwarding Ruleset. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `forwardingRuleState` - -The state of forwarding rule. - -- Required: No -- Type: string -- Default: `'Enabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `metadata` - -Metadata attached to the forwarding rule. - -- Required: No -- Type: object -- Default: `{}` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the Forwarding Rule. | -| `resourceGroupName` | string | The resource group the Forwarding Rule was deployed into. | -| `resourceId` | string | The resource ID of the Forwarding Rule. | - -## Cross-referenced modules - -_None_ diff --git a/modules/network/dns-forwarding-ruleset/forwarding-rule/main.bicep b/modules/network/dns-forwarding-ruleset/forwarding-rule/main.bicep deleted file mode 100644 index ec3d49bbdc..0000000000 --- a/modules/network/dns-forwarding-ruleset/forwarding-rule/main.bicep +++ /dev/null 
@@ -1,68 +0,0 @@
-metadata name = 'Dns Forwarding Rulesets Forwarding Rules'
-metadata description = 'This template deploys Forwarding Rule in a Dns Forwarding Ruleset.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the Forwarding Rule.')
-@minLength(1)
-param name string
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Conditional. Name of the parent DNS Forwarding Ruleset. Required if the template is used in a standalone deployment.')
-param dnsForwardingRulesetName string
-
-@description('Required. The domain name for the forwarding rule.')
-param domainName string
-
-@description('Optional. The state of forwarding rule.')
-@allowed([
- 'Disabled'
- 'Enabled'
-])
-param forwardingRuleState string = 'Enabled'
-
-@description('Optional. Metadata attached to the forwarding rule.')
-param metadata object = {}
-
-@description('Required. DNS servers to forward the DNS query to.')
-param targetDnsServers array
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource dnsForwardingRuleset 'Microsoft.Network/dnsForwardingRulesets@2022-07-01' existing = {
- name: dnsForwardingRulesetName
-}
-
-resource forwardingRule 'Microsoft.Network/dnsForwardingRulesets/forwardingRules@2022-07-01' = {
- name: name
- parent: dnsForwardingRuleset
- properties: {
- domainName: domainName
- forwardingRuleState: forwardingRuleState
- metadata: metadata
- targetDnsServers: targetDnsServers
- }
-}
-
-@description('The resource group the Forwarding Rule was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The resource ID of the Forwarding Rule.')
-output resourceId string = forwardingRule.id
-
-@description('The name of the Forwarding Rule.')
-output name string = forwardingRule.name
diff --git a/modules/network/dns-forwarding-ruleset/forwarding-rule/main.json b/modules/network/dns-forwarding-ruleset/forwarding-rule/main.json
deleted file mode 100644
index aa3b317b11..0000000000
--- a/modules/network/dns-forwarding-ruleset/forwarding-rule/main.json
+++ /dev/null
@@ -1,123 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "metadata": {
- "_generator": {
- "name": "bicep",
- "version": "0.23.1.45101",
- "templateHash": "15853222260858972029"
- },
- "name": "Dns Forwarding Rulesets Forwarding Rules",
- "description": "This template deploys Forwarding Rule in a Dns Forwarding Ruleset.",
- "owner": "Azure/module-maintainers"
- },
- "parameters": {
- "name": {
- "type": "string",
- "minLength": 1,
- "metadata": {
- "description": "Required. Name of the Forwarding Rule."
- }
- },
- "location": {
- "type": "string",
- "defaultValue": "[resourceGroup().location]",
- "metadata": {
- "description": "Optional. Location for all resources."
- }
- },
- "enableDefaultTelemetry": {
- "type": "bool",
- "defaultValue": true,
- "metadata": {
- "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)."
- }
- },
- "dnsForwardingRulesetName": {
- "type": "string",
- "metadata": {
- "description": "Conditional. Name of the parent DNS Forwarding Ruleset. Required if the template is used in a standalone deployment."
- }
- },
- "domainName": {
- "type": "string",
- "metadata": {
- "description": "Required. The domain name for the forwarding rule."
- }
- },
- "forwardingRuleState": {
- "type": "string",
- "defaultValue": "Enabled",
- "allowedValues": [
- "Disabled",
- "Enabled"
- ],
- "metadata": {
- "description": "Optional. The state of forwarding rule."
- }
- },
- "metadata": {
- "type": "object",
- "defaultValue": {},
- "metadata": {
- "description": "Optional. Metadata attached to the forwarding rule."
- }
- },
- "targetDnsServers": {
- "type": "array",
- "metadata": {
- "description": "Required. DNS servers to forward the DNS query to."
- }
- }
- },
- "resources": [
- {
- "condition": "[parameters('enableDefaultTelemetry')]",
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2021-04-01",
- "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]",
- "properties": {
- "mode": "Incremental",
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "resources": []
- }
- }
- },
- {
- "type": "Microsoft.Network/dnsForwardingRulesets/forwardingRules",
- "apiVersion": "2022-07-01",
- "name": "[format('{0}/{1}', parameters('dnsForwardingRulesetName'), parameters('name'))]",
- "properties": {
- "domainName": "[parameters('domainName')]",
- "forwardingRuleState": "[parameters('forwardingRuleState')]",
- "metadata": "[parameters('metadata')]",
- "targetDnsServers": "[parameters('targetDnsServers')]"
- }
- }
- ],
- "outputs": {
- "resourceGroupName": {
- "type": "string",
- "metadata": {
- "description": "The resource group the Forwarding Rule was deployed into."
- },
- "value": "[resourceGroup().name]"
- },
- "resourceId": {
- "type": "string",
- "metadata": {
- "description": "The resource ID of the Forwarding Rule."
- },
- "value": "[resourceId('Microsoft.Network/dnsForwardingRulesets/forwardingRules', parameters('dnsForwardingRulesetName'), parameters('name'))]"
- },
- "name": {
- "type": "string",
- "metadata": {
- "description": "The name of the Forwarding Rule."
- },
- "value": "[parameters('name')]"
- }
- }
-}
\ No newline at end of file
diff --git a/modules/network/dns-forwarding-ruleset/forwarding-rule/version.json b/modules/network/dns-forwarding-ruleset/forwarding-rule/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/network/dns-forwarding-ruleset/forwarding-rule/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/dns-forwarding-ruleset/main.bicep b/modules/network/dns-forwarding-ruleset/main.bicep
deleted file mode 100644
index d54a554eed..0000000000
--- a/modules/network/dns-forwarding-ruleset/main.bicep
+++ /dev/null
@@ -1,155 +0,0 @@
-metadata name = 'Dns Forwarding Rulesets'
-metadata description = 'This template deploys an dns forwarding ruleset.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the DNS Forwarding Ruleset.')
-@minLength(1)
-param name string
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Required. The reference to the DNS resolver outbound endpoints that are used to route DNS queries matching the forwarding rules in the ruleset to the target DNS servers.')
-param dnsResolverOutboundEndpointResourceIds array
-
-@description('Optional. Array of forwarding rules.')
-param forwardingRules array = []
-
-@description('Optional. Array of virtual network links.')
-param vNetLinks array = []
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
- 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource dnsForwardingRuleset 'Microsoft.Network/dnsForwardingRulesets@2022-07-01' = {
- name: name
- location: location
- tags: tags
- properties: {
- dnsResolverOutboundEndpoints: [for dnsResolverOutboundEndpointResourceId in dnsResolverOutboundEndpointResourceIds: {
- id: dnsResolverOutboundEndpointResourceId
- }]
- }
-}
-
-module dnsForwardingRuleset_forwardingRule 'forwarding-rule/main.bicep' = [for (forwardingRule, index) in forwardingRules: {
- name: '${uniqueString(deployment().name, location)}-forwardingRule-${index}'
- params: {
- dnsForwardingRulesetName: dnsForwardingRuleset.name
- name: forwardingRule.name
- forwardingRuleState: forwardingRule.forwardingRuleState
- domainName: forwardingRule.domainName
- targetDnsServers: forwardingRule.targetDnsServers
- }
-}]
-
-module dnsForwardingRuleset_virtualNetworkLinks 'virtual-network-link/main.bicep' = [for (vnetId, index) in vNetLinks: {
- name: '${uniqueString(deployment().name, location)}-virtualNetworkLink-${index}'
- params: {
- dnsForwardingRulesetName: dnsForwardingRuleset.name
- virtualNetworkResourceId: !empty(vNetLinks) ? vnetId : null
- }
-}]
-
-resource dnsForwardingRuleset_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: dnsForwardingRuleset
-}
-
-resource dnsForwardingRuleset_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(dnsForwardingRuleset.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: dnsForwardingRuleset
-}]
-
-@description('The resource group the DNS Forwarding Ruleset was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The resource ID of the DNS Forwarding Ruleset.')
-output resourceId string = dnsForwardingRuleset.id
-
-@description('The name of the DNS Forwarding Ruleset.')
-output name string = dnsForwardingRuleset.name
-
-@description('The location the resource was deployed into.')
-output location string = dnsForwardingRuleset.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/network/dns-forwarding-ruleset/main.json b/modules/network/dns-forwarding-ruleset/main.json
deleted file mode 100644
index 438e3ce462..0000000000
--- a/modules/network/dns-forwarding-ruleset/main.json
+++ /dev/null
@@ -1,563 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6102897897413870050" - }, - "name": "Dns Forwarding Rulesets", - "description": "This template deploys an dns forwarding ruleset.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "minLength": 1, - "metadata": { - "description": "Required. Name of the DNS Forwarding Ruleset." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "dnsResolverOutboundEndpointResourceIds": { - "type": "array", - "metadata": { - "description": "Required. The reference to the DNS resolver outbound endpoints that are used to route DNS queries matching the forwarding rules in the ruleset to the target DNS servers." 
- } - }, - "forwardingRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of forwarding rules." - } - }, - "vNetLinks": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of virtual network links." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": 
"[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "dnsForwardingRuleset": { - "type": "Microsoft.Network/dnsForwardingRulesets", - "apiVersion": "2022-07-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "dnsResolverOutboundEndpoints", - "count": "[length(parameters('dnsResolverOutboundEndpointResourceIds'))]", - "input": { - "id": "[parameters('dnsResolverOutboundEndpointResourceIds')[copyIndex('dnsResolverOutboundEndpoints')]]" - } - } - ] - } - }, - "dnsForwardingRuleset_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/dnsForwardingRulesets/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "dnsForwardingRuleset" - ] - }, - "dnsForwardingRuleset_roleAssignments": { - "copy": { - "name": "dnsForwardingRuleset_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsForwardingRulesets/{0}', parameters('name'))]", - "name": 
"[guid(resourceId('Microsoft.Network/dnsForwardingRulesets', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "dnsForwardingRuleset" - ] - }, - "dnsForwardingRuleset_forwardingRule": { - "copy": { - "name": "dnsForwardingRuleset_forwardingRule", - "count": "[length(parameters('forwardingRules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-forwardingRule-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - 
"mode": "Incremental", - "parameters": { - "dnsForwardingRulesetName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('forwardingRules')[copyIndex()].name]" - }, - "forwardingRuleState": { - "value": "[parameters('forwardingRules')[copyIndex()].forwardingRuleState]" - }, - "domainName": { - "value": "[parameters('forwardingRules')[copyIndex()].domainName]" - }, - "targetDnsServers": { - "value": "[parameters('forwardingRules')[copyIndex()].targetDnsServers]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15853222260858972029" - }, - "name": "Dns Forwarding Rulesets Forwarding Rules", - "description": "This template deploys Forwarding Rule in a Dns Forwarding Ruleset.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "minLength": 1, - "metadata": { - "description": "Required. Name of the Forwarding Rule." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "dnsForwardingRulesetName": { - "type": "string", - "metadata": { - "description": "Conditional. Name of the parent DNS Forwarding Ruleset. Required if the template is used in a standalone deployment." - } - }, - "domainName": { - "type": "string", - "metadata": { - "description": "Required. The domain name for the forwarding rule." - } - }, - "forwardingRuleState": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. 
The state of forwarding rule." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Metadata attached to the forwarding rule." - } - }, - "targetDnsServers": { - "type": "array", - "metadata": { - "description": "Required. DNS servers to forward the DNS query to." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/dnsForwardingRulesets/forwardingRules", - "apiVersion": "2022-07-01", - "name": "[format('{0}/{1}', parameters('dnsForwardingRulesetName'), parameters('name'))]", - "properties": { - "domainName": "[parameters('domainName')]", - "forwardingRuleState": "[parameters('forwardingRuleState')]", - "metadata": "[parameters('metadata')]", - "targetDnsServers": "[parameters('targetDnsServers')]" - } - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the Forwarding Rule was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Forwarding Rule." - }, - "value": "[resourceId('Microsoft.Network/dnsForwardingRulesets/forwardingRules', parameters('dnsForwardingRulesetName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the Forwarding Rule." 
- }, - "value": "[parameters('name')]" - } - } - } - }, - "dependsOn": [ - "dnsForwardingRuleset" - ] - }, - "dnsForwardingRuleset_virtualNetworkLinks": { - "copy": { - "name": "dnsForwardingRuleset_virtualNetworkLinks", - "count": "[length(parameters('vNetLinks'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-virtualNetworkLink-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "dnsForwardingRulesetName": { - "value": "[parameters('name')]" - }, - "virtualNetworkResourceId": "[if(not(empty(parameters('vNetLinks'))), createObject('value', parameters('vNetLinks')[copyIndex()]), createObject('value', null()))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10716706455477062359" - }, - "name": "Dns Forwarding Rulesets Virtual Network Links", - "description": "This template deploys Virtual Network Link in a Dns Forwarding Ruleset.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "dnsForwardingRulesetName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent DNS Fowarding Rule Set. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "[format('{0}-vnetlink', last(split(parameters('virtualNetworkResourceId'), '/')))]", - "metadata": { - "description": "Optional. The name of the virtual network link." - } - }, - "location": { - "type": "string", - "defaultValue": "global", - "metadata": { - "description": "Optional. The location of the PrivateDNSZone. Should be global." 
- } - }, - "virtualNetworkResourceId": { - "type": "string", - "metadata": { - "description": "Required. Link to another virtual network resource ID." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks", - "apiVersion": "2022-07-01", - "name": "[format('{0}/{1}', parameters('dnsForwardingRulesetName'), parameters('name'))]", - "properties": { - "virtualNetwork": { - "id": "[parameters('virtualNetworkResourceId')]" - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed virtual network link." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed virtual network link." - }, - "value": "[resourceId('Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks', parameters('dnsForwardingRulesetName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed virtual network link." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "dnsForwardingRuleset" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the DNS Forwarding Ruleset was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the DNS Forwarding Ruleset." - }, - "value": "[resourceId('Microsoft.Network/dnsForwardingRulesets', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the DNS Forwarding Ruleset." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('dnsForwardingRuleset', '2022-07-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/dns-forwarding-ruleset/tests/e2e/defaults/dependencies.bicep b/modules/network/dns-forwarding-ruleset/tests/e2e/defaults/dependencies.bicep deleted file mode 100644 index 41fbb37c7e..0000000000 --- a/modules/network/dns-forwarding-ruleset/tests/e2e/defaults/dependencies.bicep +++ /dev/null 
@@ -1,69 +0,0 @@
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the DNS Resolver to create.')
-param dnsResolverName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: map(range(0, 2), i => {
- name: 'subnet-${i}'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 25, i)
- delegations: [
- {
- name: 'dnsdel'
- properties: {
- serviceName: 'Microsoft.Network/dnsResolvers'
- }
- }
- ]
- }
- })
- }
-}
-
-resource dnsResolver 'Microsoft.Network/dnsResolvers@2022-07-01' = {
- name: dnsResolverName
- location: location
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- }
-}
-
-resource outboundEndpoints 'Microsoft.Network/dnsResolvers/outboundEndpoints@2022-07-01' = {
- name: 'pdnsout'
- location: location
- parent: dnsResolver
- properties: {
- subnet: {
- id: virtualNetwork.properties.subnets[1].id
- }
- }
-}
-
-@description('The resource ID of the created Virtual Network.')
-output virtualNetworkResourceId string = virtualNetwork.id
-
-@description('The resource ID of the created inbound endpoint Virtual Network Subnet.')
-output subnetResourceId_dnsIn string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created outbound endpoint Virtual Network Subnet.')
-output subnetResourceId_dnsOut string = virtualNetwork.properties.subnets[1].id
-
-@description('The resource ID of the created DNS Resolver.')
-output dnsResolverOutboundEndpointsResourceId string = outboundEndpoints.id
diff --git a/modules/network/dns-forwarding-ruleset/tests/e2e/defaults/main.test.bicep b/modules/network/dns-forwarding-ruleset/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index fa68f8b9b4..0000000000
--- a/modules/network/dns-forwarding-ruleset/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,62 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.dnsForwardingRuleset-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ndfrsmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- dnsResolverName: 'dep-${namePrefix}-ndr-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- dnsResolverOutboundEndpointResourceIds: [
- nestedDependencies.outputs.dnsResolverOutboundEndpointsResourceId
- ]
- }
-}]
diff --git a/modules/network/dns-forwarding-ruleset/tests/e2e/max/dependencies.bicep b/modules/network/dns-forwarding-ruleset/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index d1fb3445ee..0000000000
--- a/modules/network/dns-forwarding-ruleset/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,81 +0,0 @@
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the DNS Resolver to create.')
-param dnsResolverName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: map(range(0, 2), i => {
- name: 'subnet-${i}'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 25, i)
- delegations: [
- {
- name: 'dnsdel'
- properties: {
- serviceName: 'Microsoft.Network/dnsResolvers'
- }
- }
- ]
- }
- })
- }
-}
-
-resource dnsResolver 'Microsoft.Network/dnsResolvers@2022-07-01' = {
- name: dnsResolverName
- location: location
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
-
- }
-}
-
-resource outboundEndpoints 'Microsoft.Network/dnsResolvers/outboundEndpoints@2022-07-01' = {
- name: 'pdnsout'
- location: location
- parent: dnsResolver
- properties: {
- subnet: {
- id: virtualNetwork.properties.subnets[1].id
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network.')
-output virtualNetworkResourceId string = virtualNetwork.id
-
-@description('The resource ID of the created inbound endpoint Virtual Network Subnet.')
-output subnetResourceId_dnsIn string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created outbound endpoint Virtual Network Subnet.')
-output subnetResourceId_dnsOut string = virtualNetwork.properties.subnets[1].id
-
-@description('The resource ID of the created DNS Resolver.')
-output dnsResolverOutboundEndpointsId string = outboundEndpoints.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/dns-forwarding-ruleset/tests/e2e/max/main.test.bicep b/modules/network/dns-forwarding-ruleset/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 58a5b8b7cd..0000000000
--- a/modules/network/dns-forwarding-ruleset/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,95 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.dnsForwardingRuleset-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ndfrsmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- dnsResolverName: 'dep-${namePrefix}-ndr-${serviceShort}'
- location: location
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- dnsResolverOutboundEndpointResourceIds: [
- nestedDependencies.outputs.dnsResolverOutboundEndpointsId
- ]
- vNetLinks: [
- nestedDependencies.outputs.virtualNetworkResourceId
- ]
- forwardingRules: [
- {
- name: 'rule1'
- forwardingRuleState: 'Enabled'
- domainName: 'contoso.'
- targetDnsServers: [
- {
- ipAddress: '192.168.0.1'
- port: '53'
- }
- ]
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index d1fb3445ee..0000000000
--- a/modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,81 +0,0 @@
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the DNS Resolver to create.')
-param dnsResolverName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: map(range(0, 2), i => {
- name: 'subnet-${i}'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 25, i)
- delegations: [
- {
- name: 'dnsdel'
- properties: {
- serviceName: 'Microsoft.Network/dnsResolvers'
- }
- }
- ]
- }
- })
- }
-}
-
-resource dnsResolver 'Microsoft.Network/dnsResolvers@2022-07-01' = {
- name: dnsResolverName
- location: location
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
-
- }
-}
-
-resource outboundEndpoints 'Microsoft.Network/dnsResolvers/outboundEndpoints@2022-07-01' = {
- name: 'pdnsout'
- location: location
- parent: dnsResolver
- properties: {
- subnet: {
- id: virtualNetwork.properties.subnets[1].id
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network.')
-output virtualNetworkResourceId string = virtualNetwork.id
-
-@description('The resource ID of the created inbound endpoint Virtual Network Subnet.')
-output subnetResourceId_dnsIn string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created outbound endpoint Virtual Network Subnet.')
-output subnetResourceId_dnsOut string = virtualNetwork.properties.subnets[1].id
-
-@description('The resource ID of the created DNS Resolver.')
-output dnsResolverOutboundEndpointsId string = outboundEndpoints.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/main.test.bicep b/modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 37eca099f6..0000000000
--- a/modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,95 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.dnsForwardingRuleset-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ndfrswaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- dnsResolverName: 'dep-${namePrefix}-ndr-${serviceShort}'
- location: location
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- dnsResolverOutboundEndpointResourceIds: [
- nestedDependencies.outputs.dnsResolverOutboundEndpointsId
- ]
- vNetLinks: [
- nestedDependencies.outputs.virtualNetworkResourceId
- ]
- forwardingRules: [
- {
- name: 'rule1'
- forwardingRuleState: 'Enabled'
- domainName: 'contoso.'
- targetDnsServers: [
- {
- ipAddress: '192.168.0.1'
- port: '53'
- }
- ]
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/dns-forwarding-ruleset/version.json b/modules/network/dns-forwarding-ruleset/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/network/dns-forwarding-ruleset/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/dns-forwarding-ruleset/virtual-network-link/README.md b/modules/network/dns-forwarding-ruleset/virtual-network-link/README.md
deleted file mode 100644
index 90efca7cd6..0000000000
--- a/modules/network/dns-forwarding-ruleset/virtual-network-link/README.md
+++ /dev/null
@@ -1,89 +0,0 @@
-# Dns Forwarding Rulesets Virtual Network Links `[Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks]`
-
-This template deploys Virtual Network Link in a Dns Forwarding Ruleset.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-07-01/dnsForwardingRulesets/virtualNetworkLinks) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`virtualNetworkResourceId`](#parameter-virtualnetworkresourceid) | string | Link to another virtual network resource ID. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`dnsForwardingRulesetName`](#parameter-dnsforwardingrulesetname) | string | The name of the parent DNS Fowarding Rule Set. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`location`](#parameter-location) | string | The location of the PrivateDNSZone. Should be global. |
-| [`name`](#parameter-name) | string | The name of the virtual network link. |
-
-### Parameter: `virtualNetworkResourceId`
-
-Link to another virtual network resource ID.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `dnsForwardingRulesetName`
-
-The name of the parent DNS Fowarding Rule Set. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `location`
-
-The location of the PrivateDNSZone. Should be global.
-
-- Required: No
-- Type: string
-- Default: `'global'`
-
-### Parameter: `name`
-
-The name of the virtual network link.
-
-- Required: No
-- Type: string
-- Default: `[format('{0}-vnetlink', last(split(parameters('virtualNetworkResourceId'), '/')))]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed virtual network link. |
-| `resourceGroupName` | string | The resource group of the deployed virtual network link. |
-| `resourceId` | string | The resource ID of the deployed virtual network link. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/network/dns-forwarding-ruleset/virtual-network-link/main.bicep b/modules/network/dns-forwarding-ruleset/virtual-network-link/main.bicep
deleted file mode 100644
index 7b5b7d12ea..0000000000
--- a/modules/network/dns-forwarding-ruleset/virtual-network-link/main.bicep
+++ /dev/null
@@ -1,53 +0,0 @@
-metadata name = 'Dns Forwarding Rulesets Virtual Network Links'
-metadata description = 'This template deploys Virtual Network Link in a Dns Forwarding Ruleset.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent DNS Fowarding Rule Set. Required if the template is used in a standalone deployment.')
-param dnsForwardingRulesetName string
-
-@description('Optional. The name of the virtual network link.')
-param name string = '${last(split(virtualNetworkResourceId, '/'))}-vnetlink'
-
-@description('Optional. The location of the PrivateDNSZone. Should be global.')
-param location string = 'global'
-
-@description('Required. Link to another virtual network resource ID.')
-param virtualNetworkResourceId string
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource dnsForwardingRuleset 'Microsoft.Network/dnsForwardingRulesets@2022-07-01' existing = {
- name: dnsForwardingRulesetName
-}
-
-resource virtualNetworkLink 'Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks@2022-07-01' = {
- name: name
- parent: dnsForwardingRuleset
- properties: {
- virtualNetwork: {
- id: virtualNetworkResourceId
- }
- }
-}
-
-@description('The name of the deployed virtual network link.')
-output name string = virtualNetworkLink.name
-
-@description('The resource ID of the deployed virtual network link.')
-output resourceId string = virtualNetworkLink.id
-
-@description('The resource group of the deployed virtual network link.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/network/dns-forwarding-ruleset/virtual-network-link/main.json b/modules/network/dns-forwarding-ruleset/virtual-network-link/main.json
deleted file mode 100644
index 8171b67084..0000000000
--- a/modules/network/dns-forwarding-ruleset/virtual-network-link/main.json
+++ /dev/null
@@ -1,98 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10716706455477062359" - }, - "name": "Dns Forwarding Rulesets Virtual Network Links", - "description": "This template deploys Virtual Network Link in a Dns Forwarding Ruleset.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "dnsForwardingRulesetName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent DNS Fowarding Rule Set. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "[format('{0}-vnetlink', last(split(parameters('virtualNetworkResourceId'), '/')))]", - "metadata": { - "description": "Optional. The name of the virtual network link." - } - }, - "location": { - "type": "string", - "defaultValue": "global", - "metadata": { - "description": "Optional. The location of the PrivateDNSZone. Should be global." - } - }, - "virtualNetworkResourceId": { - "type": "string", - "metadata": { - "description": "Required. Link to another virtual network resource ID." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks", - "apiVersion": "2022-07-01", - "name": "[format('{0}/{1}', parameters('dnsForwardingRulesetName'), parameters('name'))]", - "properties": { - "virtualNetwork": { - "id": "[parameters('virtualNetworkResourceId')]" - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed virtual network link." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed virtual network link." - }, - "value": "[resourceId('Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks', parameters('dnsForwardingRulesetName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed virtual network link." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/network/dns-forwarding-ruleset/virtual-network-link/version.json b/modules/network/dns-forwarding-ruleset/virtual-network-link/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/network/dns-forwarding-ruleset/virtual-network-link/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/network/dns-resolver/MOVED-TO-AVM.md b/modules/network/dns-resolver/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/network/dns-resolver/MOVED-TO-AVM.md +++ /dev/null @@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/network/dns-resolver/README.md b/modules/network/dns-resolver/README.md index 70ca712dfc..74b48b737a 100644 --- a/modules/network/dns-resolver/README.md +++ b/modules/network/dns-resolver/README.md @@ -1,432 +1,7 @@ -# DNS Resolvers `[Microsoft.Network/dnsResolvers]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/dns-resolver](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/dns-resolver).** -This module deploys a DNS Resolver. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/dns-resolver). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/dnsResolvers` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-07-01/dnsResolvers) | -| `Microsoft.Network/dnsResolvers/inboundEndpoints` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-07-01/dnsResolvers/inboundEndpoints) | -| `Microsoft.Network/dnsResolvers/outboundEndpoints` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-07-01/dnsResolvers/outboundEndpoints) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module 
successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.dns-resolver:1.0.0`. - -- [Using large parameter set](#example-1-using-large-parameter-set) -- [WAF-aligned](#example-2-waf-aligned) - -### Example 1: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -
- -via Bicep module - -```bicep -module dnsResolver 'br:bicep/modules/network.dns-resolver:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ndrmax' - params: { - // Required parameters - name: 'ndrmax001' - virtualNetworkId: '' - // Non-required parameters - enableDefaultTelemetry: '' - inboundEndpoints: [ - { - name: 'az-pdnsin-x-001' - subnetId: '' - } - ] - outboundEndpoints: [ - { - name: 'az-pdnsout-x-001' - subnetId: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ndrmax001" - }, - "virtualNetworkId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "inboundEndpoints": { - "value": [ - { - "name": "az-pdnsin-x-001", - "subnetId": "" - } - ] - }, - "outboundEndpoints": { - "value": [ - { - "name": "az-pdnsout-x-001", - "subnetId": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 2: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module dnsResolver 'br:bicep/modules/network.dns-resolver:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ndrwaf' - params: { - // Required parameters - name: 'ndrwaf001' - virtualNetworkId: '' - // Non-required parameters - enableDefaultTelemetry: '' - inboundEndpoints: [ - { - name: 'az-pdnsin-x-001' - subnetId: '' - } - ] - outboundEndpoints: [ - { - name: 'az-pdnsout-x-001' - subnetId: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ndrwaf001" - }, - "virtualNetworkId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "inboundEndpoints": { - "value": [ - { - "name": "az-pdnsin-x-001", - "subnetId": "" - } - ] - }, - "outboundEndpoints": { - "value": [ - { - "name": "az-pdnsout-x-001", - "subnetId": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Private DNS Resolver. | -| [`virtualNetworkId`](#parameter-virtualnetworkid) | string | ResourceId of the virtual network to attach the Private DNS Resolver to. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`inboundEndpoints`](#parameter-inboundendpoints) | array | Inbound Endpoints for Private DNS Resolver. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`outboundEndpoints`](#parameter-outboundendpoints) | array | Outbound Endpoints for Private DNS Resolver. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `name` - -Name of the Private DNS Resolver. - -- Required: Yes -- Type: string - -### Parameter: `virtualNetworkId` - -ResourceId of the virtual network to attach the Private DNS Resolver to. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `inboundEndpoints` - -Inbound Endpoints for Private DNS Resolver. 
- -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `outboundEndpoints` - -Outbound Endpoints for Private DNS Resolver. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the Private DNS Resolver. | -| `resourceGroupName` | string | The resource group the Private DNS Resolver was deployed into. | -| `resourceId` | string | The resource ID of the Private DNS Resolver. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/network/dns-resolver/main.bicep b/modules/network/dns-resolver/main.bicep deleted file mode 100644 index b733320a97..0000000000 --- a/modules/network/dns-resolver/main.bicep +++ /dev/null 
@@ -1,166 +0,0 @@
-metadata name = 'DNS Resolvers'
-metadata description = 'This module deploys a DNS Resolver.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the Private DNS Resolver.')
-@minLength(1)
-param name string
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Required. ResourceId of the virtual network to attach the Private DNS Resolver to.')
-param virtualNetworkId string
-
-@description('Optional. Outbound Endpoints for Private DNS Resolver.')
-param outboundEndpoints array = []
-
-@description('Optional. Inbound Endpoints for Private DNS Resolver.')
-param inboundEndpoints array = []
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
- 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
- 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
- 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource dnsResolver 'Microsoft.Network/dnsResolvers@2022-07-01' = {
- name: name
- location: location
- tags: tags
- properties: {
- virtualNetwork: {
- id: virtualNetworkId
- }
- }
-}
-
-resource dnsResolver_inboundEndpoint 'Microsoft.Network/dnsResolvers/inboundEndpoints@2022-07-01' = [for inboundEndpoint in inboundEndpoints: {
- name: inboundEndpoint.name
- parent: dnsResolver
- location: location
- tags: tags
- properties: {
- ipConfigurations: [
- {
- subnet: {
- id: inboundEndpoint.subnetId
- }
- }
- ]
- }
-}]
-
-resource dnsResolver_outboundEndpoint 'Microsoft.Network/dnsResolvers/outboundEndpoints@2022-07-01' = [for outboundEndpoint in outboundEndpoints: {
- name: outboundEndpoint.name
- parent: dnsResolver
- location: location
- tags: tags
- properties: {
- subnet: {
- id: outboundEndpoint.subnetId
- }
- }
-}]
-
-resource dnsResolver_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: dnsResolver
-}
-
-resource dnsResolver_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(dnsResolver.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: dnsResolver
-}]
-
-@description('The resource group the Private DNS Resolver was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The resource ID of the Private DNS Resolver.')
-output resourceId string = dnsResolver.id
-
-@description('The name of the Private DNS Resolver.')
-output name string = dnsResolver.name
-
-@description('The location the resource was deployed into.')
-output location string = dnsResolver.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/network/dns-resolver/main.json b/modules/network/dns-resolver/main.json
deleted file mode 100644
index 95fa4fc6e0..0000000000
--- a/modules/network/dns-resolver/main.json
+++ /dev/null
@@ -1,321 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5702313837113326877" - }, - "name": "DNS Resolvers", - "description": "This module deploys a DNS Resolver.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "minLength": 1, - "metadata": { - "description": "Required. Name of the Private DNS Resolver." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "virtualNetworkId": { - "type": "string", - "metadata": { - "description": "Required. ResourceId of the virtual network to attach the Private DNS Resolver to." - } - }, - "outboundEndpoints": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Outbound Endpoints for Private DNS Resolver." 
- } - }, - "inboundEndpoints": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Inbound Endpoints for Private DNS Resolver." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": 
"[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "dnsResolver": { - "type": "Microsoft.Network/dnsResolvers", - "apiVersion": "2022-07-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "virtualNetwork": { - "id": "[parameters('virtualNetworkId')]" - } - } - }, - "dnsResolver_inboundEndpoint": { - "copy": { - "name": "dnsResolver_inboundEndpoint", - "count": "[length(parameters('inboundEndpoints'))]" - }, - "type": "Microsoft.Network/dnsResolvers/inboundEndpoints", - "apiVersion": "2022-07-01", - "name": "[format('{0}/{1}', parameters('name'), parameters('inboundEndpoints')[copyIndex()].name)]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "ipConfigurations": [ - { - "subnet": { - "id": "[parameters('inboundEndpoints')[copyIndex()].subnetId]" - } - } - ] - }, - "dependsOn": [ - "dnsResolver" - ] - }, - "dnsResolver_outboundEndpoint": { - "copy": { - "name": "dnsResolver_outboundEndpoint", - "count": "[length(parameters('outboundEndpoints'))]" - }, - "type": "Microsoft.Network/dnsResolvers/outboundEndpoints", - "apiVersion": "2022-07-01", - "name": "[format('{0}/{1}', parameters('name'), parameters('outboundEndpoints')[copyIndex()].name)]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "subnet": { - "id": "[parameters('outboundEndpoints')[copyIndex()].subnetId]" - } - }, - "dependsOn": [ - "dnsResolver" - ] - }, - "dnsResolver_lock": { - "condition": 
"[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/dnsResolvers/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "dnsResolver" - ] - }, - "dnsResolver_roleAssignments": { - "copy": { - "name": "dnsResolver_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsResolvers/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/dnsResolvers', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 
'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "dnsResolver" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the Private DNS Resolver was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Private DNS Resolver." - }, - "value": "[resourceId('Microsoft.Network/dnsResolvers', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the Private DNS Resolver." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('dnsResolver', '2022-07-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/dns-resolver/tests/e2e/max/dependencies.bicep b/modules/network/dns-resolver/tests/e2e/max/dependencies.bicep deleted file mode 100644 index 7a174f0fc2..0000000000 --- a/modules/network/dns-resolver/tests/e2e/max/dependencies.bicep +++ /dev/null 
@@ -1,42 +0,0 @@
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: map(range(0, 2), i => {
- name: 'subnet-${i}'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 25, i)
- delegations: [
- {
- name: 'dnsdel'
- properties: {
- serviceName: 'Microsoft.Network/dnsResolvers'
- }
- }
- ]
- }
- })
- }
-}
-
-@description('The resource ID of the created Virtual Network.')
-output virtualNetworkId string = virtualNetwork.id
-
-@description('The resource ID of the created inbound endpoint Virtual Network Subnet.')
-output subnetResourceId_dnsIn string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created outbound endpoint Virtual Network Subnet.')
-output subnetResourceId_dnsOut string = virtualNetwork.properties.subnets[1].id
diff --git a/modules/network/dns-resolver/tests/e2e/max/main.test.bicep b/modules/network/dns-resolver/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 563c9295ba..0000000000
--- a/modules/network/dns-resolver/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,76 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.dnsResolvers-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ndrmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- virtualNetworkId: nestedDependencies.outputs.virtualNetworkId
- inboundEndpoints: [
- {
- name: '${namePrefix}-az-pdnsin-x-001'
- subnetId: nestedDependencies.outputs.subnetResourceId_dnsIn
- }
- ]
- outboundEndpoints: [
- {
- name: '${namePrefix}-az-pdnsout-x-001'
- subnetId: nestedDependencies.outputs.subnetResourceId_dnsOut
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/dns-resolver/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/dns-resolver/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 7a174f0fc2..0000000000
--- a/modules/network/dns-resolver/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,42 +0,0 @@
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: map(range(0, 2), i => {
- name: 'subnet-${i}'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 25, i)
- delegations: [
- {
- name: 'dnsdel'
- properties: {
- serviceName: 'Microsoft.Network/dnsResolvers'
- }
- }
- ]
- }
- })
- }
-}
-
-@description('The resource ID of the created Virtual Network.')
-output virtualNetworkId string = virtualNetwork.id
-
-@description('The resource ID of the created inbound endpoint Virtual Network Subnet.')
-output subnetResourceId_dnsIn string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created outbound endpoint Virtual Network Subnet.')
-output subnetResourceId_dnsOut string = virtualNetwork.properties.subnets[1].id
diff --git a/modules/network/dns-resolver/tests/e2e/waf-aligned/main.test.bicep b/modules/network/dns-resolver/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 972297e6cf..0000000000
--- a/modules/network/dns-resolver/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,76 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.dnsResolvers-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ndrwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- virtualNetworkId: nestedDependencies.outputs.virtualNetworkId
- inboundEndpoints: [
- {
- name: '${namePrefix}-az-pdnsin-x-001'
- subnetId: nestedDependencies.outputs.subnetResourceId_dnsIn
- }
- ]
- outboundEndpoints: [
- {
- name: '${namePrefix}-az-pdnsout-x-001'
- subnetId: nestedDependencies.outputs.subnetResourceId_dnsOut
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/dns-resolver/version.json b/modules/network/dns-resolver/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/network/dns-resolver/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/dns-zone/MOVED-TO-AVM.md b/modules/network/dns-zone/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/network/dns-zone/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/network/dns-zone/README.md b/modules/network/dns-zone/README.md
index 4d7a11a4e4..4f784d1660 100644
--- a/modules/network/dns-zone/README.md
+++ b/modules/network/dns-zone/README.md
@@ -1,1169 +1,7 @@
-# Public DNS Zones `[Microsoft.Network/dnsZones]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/dns-zone](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/dns-zone).** -This module deploys a Public DNS zone. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/dns-zone). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/dnsZones` | [2018-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-05-01/dnsZones) | -| `Microsoft.Network/dnsZones/A` | [2018-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-05-01/dnsZones/A) | -| `Microsoft.Network/dnsZones/AAAA` | [2018-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-05-01/dnsZones/AAAA) | -| `Microsoft.Network/dnsZones/CAA` | [2018-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-05-01/dnsZones/CAA) | -| `Microsoft.Network/dnsZones/CNAME` | 
[2018-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-05-01/dnsZones/CNAME) | -| `Microsoft.Network/dnsZones/MX` | [2018-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-05-01/dnsZones/MX) | -| `Microsoft.Network/dnsZones/NS` | [2018-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-05-01/dnsZones/NS) | -| `Microsoft.Network/dnsZones/PTR` | [2018-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-05-01/dnsZones/PTR) | -| `Microsoft.Network/dnsZones/SOA` | [2018-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-05-01/dnsZones/SOA) | -| `Microsoft.Network/dnsZones/SRV` | [2018-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-05-01/dnsZones/SRV) | -| `Microsoft.Network/dnsZones/TXT` | [2018-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-05-01/dnsZones/TXT) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.dns-zone:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ndzmin' - params: { - // Required parameters - name: 'ndzmin001.com' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ndzmin001.com" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ndzmax' - params: { - // Required parameters - name: 'ndzmax001.com' - // Non-required parameters - a: [ - { - aRecords: [ - { - ipv4Address: '10.240.4.4' - } - ] - name: 'A_10.240.4.4' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - ttl: 3600 - } - ] - aaaa: [ - { - aaaaRecords: [ - { - ipv6Address: '2001:0db8:85a3:0000:0000:8a2e:0370:7334' - } - ] - name: 'AAAA_2001_0db8_85a3_0000_0000_8a2e_0370_7334' - ttl: 3600 - } - ] - cname: [ - { - cnameRecord: { - cname: 'test' - } - name: 'CNAME_test' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - ttl: 3600 - } - { - name: 'CNAME_aliasRecordSet' - targetResourceId: '' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - mx: [ - { - mxRecords: [ - { - exchange: 'contoso.com' - preference: 100 - } - ] - name: 'MX_contoso' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - ttl: 3600 - } - ] - ptr: [ - { - name: 'PTR_contoso' - ptrRecords: [ - { - ptrdname: 'contoso.com' - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - ttl: 3600 - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - soa: [ - { - name: '@' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - soaRecord: { - email: 'azuredns-hostmaster.microsoft.com' - expireTime: 2419200 - host: 'ns1-04.azure-dns.com.' 
- minimumTtl: 300 - refreshTime: 3600 - retryTime: 300 - serialNumber: '1' - } - ttl: 3600 - } - ] - srv: [ - { - name: 'SRV_contoso' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - srvRecords: [ - { - port: 9332 - priority: 0 - target: 'test.contoso.com' - weight: 0 - } - ] - ttl: 3600 - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - txt: [ - { - name: 'TXT_test' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - ttl: 3600 - txtRecords: [ - { - value: [ - 'test' - ] - } - ] - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ndzmax001.com" - }, - // Non-required parameters - "a": { - "value": [ - { - "aRecords": [ - { - "ipv4Address": "10.240.4.4" - } - ], - "name": "A_10.240.4.4", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "ttl": 3600 - } - ] - }, - "aaaa": { - "value": [ - { - "aaaaRecords": [ - { - "ipv6Address": "2001:0db8:85a3:0000:0000:8a2e:0370:7334" - } - ], - "name": "AAAA_2001_0db8_85a3_0000_0000_8a2e_0370_7334", - "ttl": 3600 - } - ] - }, - "cname": { - "value": [ - { - "cnameRecord": { - "cname": "test" - }, - "name": "CNAME_test", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "ttl": 3600 - }, - { - "name": "CNAME_aliasRecordSet", - "targetResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "mx": { - "value": [ - { - "mxRecords": [ - { - "exchange": "contoso.com", - "preference": 100 - } - ], - "name": "MX_contoso", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "ttl": 3600 - } - ] - }, - "ptr": { - "value": [ - { - "name": "PTR_contoso", - "ptrRecords": [ - { - "ptrdname": "contoso.com" - } - ], - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "ttl": 3600 - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "soa": { - "value": [ - { - "name": "@", - "roleAssignments": 
[ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "soaRecord": { - "email": "azuredns-hostmaster.microsoft.com", - "expireTime": 2419200, - "host": "ns1-04.azure-dns.com.", - "minimumTtl": 300, - "refreshTime": 3600, - "retryTime": 300, - "serialNumber": "1" - }, - "ttl": 3600 - } - ] - }, - "srv": { - "value": [ - { - "name": "SRV_contoso", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "srvRecords": [ - { - "port": 9332, - "priority": 0, - "target": "test.contoso.com", - "weight": 0 - } - ], - "ttl": 3600 - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "txt": { - "value": [ - { - "name": "TXT_test", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "ttl": 3600, - "txtRecords": [ - { - "value": [ - "test" - ] - } - ] - } - ] - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ndzwaf' - params: { - // Required parameters - name: 'ndzwaf001.com' - // Non-required parameters - a: [ - { - aRecords: [ - { - ipv4Address: '10.240.4.4' - } - ] - name: 'A_10.240.4.4' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - ttl: 3600 - } - ] - aaaa: [ - { - aaaaRecords: [ - { - ipv6Address: '2001:0db8:85a3:0000:0000:8a2e:0370:7334' - } - ] - name: 'AAAA_2001_0db8_85a3_0000_0000_8a2e_0370_7334' - ttl: 3600 - } - ] - cname: [ - { - cnameRecord: { - cname: 'test' - } - name: 'CNAME_test' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - ttl: 3600 - } - { - name: 'CNAME_aliasRecordSet' - targetResourceId: '' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - mx: [ - { - mxRecords: [ - { - exchange: 'contoso.com' - preference: 100 - } - ] - name: 'MX_contoso' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - ttl: 3600 - } - ] - ptr: [ - { - name: 'PTR_contoso' - ptrRecords: [ - { - ptrdname: 'contoso.com' - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - ttl: 3600 - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - soa: [ - { - name: '@' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - soaRecord: { - email: 'azuredns-hostmaster.microsoft.com' - expireTime: 2419200 - host: 'ns1-04.azure-dns.com.' 
- minimumTtl: 300 - refreshTime: 3600 - retryTime: 300 - serialNumber: '1' - } - ttl: 3600 - } - ] - srv: [ - { - name: 'SRV_contoso' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - srvRecords: [ - { - port: 9332 - priority: 0 - target: 'test.contoso.com' - weight: 0 - } - ] - ttl: 3600 - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - txt: [ - { - name: 'TXT_test' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - ttl: 3600 - txtRecords: [ - { - value: [ - 'test' - ] - } - ] - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ndzwaf001.com" - }, - // Non-required parameters - "a": { - "value": [ - { - "aRecords": [ - { - "ipv4Address": "10.240.4.4" - } - ], - "name": "A_10.240.4.4", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "ttl": 3600 - } - ] - }, - "aaaa": { - "value": [ - { - "aaaaRecords": [ - { - "ipv6Address": "2001:0db8:85a3:0000:0000:8a2e:0370:7334" - } - ], - "name": "AAAA_2001_0db8_85a3_0000_0000_8a2e_0370_7334", - "ttl": 3600 - } - ] - }, - "cname": { - "value": [ - { - "cnameRecord": { - "cname": "test" - }, - "name": "CNAME_test", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "ttl": 3600 - }, - { - "name": "CNAME_aliasRecordSet", - "targetResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "mx": { - "value": [ - { - "mxRecords": [ - { - "exchange": "contoso.com", - "preference": 100 - } - ], - "name": "MX_contoso", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "ttl": 3600 - } - ] - }, - "ptr": { - "value": [ - { - "name": "PTR_contoso", - "ptrRecords": [ - { - "ptrdname": "contoso.com" - } - ], - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "ttl": 3600 - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "soa": { - "value": [ - { - "name": "@", - "roleAssignments": 
[ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "soaRecord": { - "email": "azuredns-hostmaster.microsoft.com", - "expireTime": 2419200, - "host": "ns1-04.azure-dns.com.", - "minimumTtl": 300, - "refreshTime": 3600, - "retryTime": 300, - "serialNumber": "1" - }, - "ttl": 3600 - } - ] - }, - "srv": { - "value": [ - { - "name": "SRV_contoso", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "srvRecords": [ - { - "port": 9332, - "priority": 0, - "target": "test.contoso.com", - "weight": 0 - } - ], - "ttl": 3600 - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "txt": { - "value": [ - { - "name": "TXT_test", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "ttl": 3600, - "txtRecords": [ - { - "value": [ - "test" - ] - } - ] - } - ] - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | DNS zone name. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`a`](#parameter-a) | array | Array of A records. | -| [`aaaa`](#parameter-aaaa) | array | Array of AAAA records. | -| [`caa`](#parameter-caa) | array | Array of CAA records. | -| [`cname`](#parameter-cname) | array | Array of CNAME records. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | The location of the dnsZone. Should be global. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`mx`](#parameter-mx) | array | Array of MX records. | -| [`ns`](#parameter-ns) | array | Array of NS records. | -| [`ptr`](#parameter-ptr) | array | Array of PTR records. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`soa`](#parameter-soa) | array | Array of SOA records. | -| [`srv`](#parameter-srv) | array | Array of SRV records. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`txt`](#parameter-txt) | array | Array of TXT records. | - -### Parameter: `name` - -DNS zone name. - -- Required: Yes -- Type: string - -### Parameter: `a` - -Array of A records. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `aaaa` - -Array of AAAA records. 
- -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `caa` - -Array of CAA records. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `cname` - -Array of CNAME records. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -The location of the dnsZone. Should be global. - -- Required: No -- Type: string -- Default: `'global'` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `mx` - -Array of MX records. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `ns` - -Array of NS records. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `ptr` - -Array of PTR records. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `soa` - -Array of SOA records. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `srv` - -Array of SRV records. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `txt` - -Array of TXT records. - -- Required: No -- Type: array -- Default: `[]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the DNS zone. | -| `resourceGroupName` | string | The resource group the DNS zone was deployed into. | -| `resourceId` | string | The resource ID of the DNS zone. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/network/dns-zone/a/README.md b/modules/network/dns-zone/a/README.md deleted file mode 100644 index 99577d607a..0000000000 
--- a/modules/network/dns-zone/a/README.md
+++ /dev/null
@@ -1,198 +0,0 @@
-# Public DNS Zone A record `[Microsoft.Network/dnsZones/A]`
-
-This module deploys a Public DNS Zone A record.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
-| `Microsoft.Network/dnsZones/A` | [2018-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-05-01/dnsZones/A) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the A record. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`dnsZoneName`](#parameter-dnszonename) | string | The name of the parent DNS zone. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`aRecords`](#parameter-arecords) | array | The list of A records in the record set. Cannot be used in conjuction with the "targetResource" property. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. |
-| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-| [`targetResourceId`](#parameter-targetresourceid) | string | A reference to an azure resource from where the dns resource value is taken. Also known as an alias record sets and are only supported for record types A, AAAA and CNAME. A resource ID can be an Azure Traffic Manager, Azure CDN, Front Door, Static Web App, or a resource ID of a record set of the same type in the DNS zone (i.e. A, AAAA or CNAME). Cannot be used in conjuction with the "aRecords" property. |
-| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. |
-
-### Parameter: `name`
-
-The name of the A record.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `dnsZoneName`
-
-The name of the parent DNS zone. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `aRecords`
-
-The list of A records in the record set. Cannot be used in conjuction with the "targetResource" property.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `metadata`
-
-The metadata attached to the record set.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `roleAssignments`
-
-Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
-
-- Required: No
-- Type: array
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
-| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. |
-| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. |
-| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. |
-| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. |
-
-### Parameter: `roleAssignments.principalId`
-
-The principal ID of the principal (user/group/identity) to assign the role to.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.roleDefinitionIdOrName`
-
-The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.condition`
-
-The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.conditionVersion`
-
-Version of the condition.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- '2.0'
- ]
- ```
-
-### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
-
-The Resource Id of the delegated managed identity resource.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.description`
-
-The description of the role assignment.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.principalType`
-
-The principal type of the assigned principal ID.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Device'
- 'ForeignGroup'
- 'Group'
- 'ServicePrincipal'
- 'User'
- ]
- ```
-
-### Parameter: `targetResourceId`
-
-A reference to an azure resource from where the dns resource value is taken. Also known as an alias record sets and are only supported for record types A, AAAA and CNAME. A resource ID can be an Azure Traffic Manager, Azure CDN, Front Door, Static Web App, or a resource ID of a record set of the same type in the DNS zone (i.e. A, AAAA or CNAME). Cannot be used in conjuction with the "aRecords" property.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `ttl`
-
-The TTL (time-to-live) of the records in the record set.
-
-- Required: No
-- Type: int
-- Default: `3600`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed A record. |
-| `resourceGroupName` | string | The resource group of the deployed A record. |
-| `resourceId` | string | The resource ID of the deployed A record. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/network/dns-zone/a/main.bicep b/modules/network/dns-zone/a/main.bicep
deleted file mode 100644
index 8f75c9d10e..0000000000
--- a/modules/network/dns-zone/a/main.bicep
+++ /dev/null
@@ -1,119 +0,0 @@
-metadata name = 'Public DNS Zone A record'
-metadata description = 'This module deploys a Public DNS Zone A record.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent DNS zone. Required if the template is used in a standalone deployment.')
-param dnsZoneName string
-
-@description('Required. The name of the A record.')
-param name string
-
-@description('Optional. The list of A records in the record set. Cannot be used in conjuction with the "targetResource" property.')
-param aRecords array = []
-
-@description('Optional. The metadata attached to the record set.')
-param metadata object = {}
-
-@description('Optional. The TTL (time-to-live) of the records in the record set.')
-param ttl int = 3600
-
-@description('Optional. A reference to an azure resource from where the dns resource value is taken. Also known as an alias record sets and are only supported for record types A, AAAA and CNAME. A resource ID can be an Azure Traffic Manager, Azure CDN, Front Door, Static Web App, or a resource ID of a record set of the same type in the DNS zone (i.e. A, AAAA or CNAME). Cannot be used in conjuction with the "aRecords" property.')
-param targetResourceId string = ''
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
- 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
- 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
- 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource dnsZone 'Microsoft.Network/dnsZones@2018-05-01' existing = {
- name: dnsZoneName
-}
-
-resource A 'Microsoft.Network/dnsZones/A@2018-05-01' = {
- name: name
- parent: dnsZone
- properties: {
- ARecords: !empty(aRecords) ? aRecords : null
- metadata: metadata
- TTL: ttl
- targetResource: !empty(targetResourceId) ? {
- id: targetResourceId
- } : null
- }
-}
-
-resource A_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(A.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: A
-}]
-
-@description('The name of the deployed A record.')
-output name string = A.name
-
-@description('The resource ID of the deployed A record.')
-output resourceId string = A.id
-
-@description('The resource group of the deployed A record.')
-output resourceGroupName string = resourceGroup().name
-// =============== //
-// Definitions //
-// =============== //
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/network/dns-zone/a/main.json b/modules/network/dns-zone/a/main.json
deleted file mode 100644
index 2ed01910e3..0000000000
--- a/modules/network/dns-zone/a/main.json
+++ /dev/null
@@ -1,234 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9611074560358227947" - }, - "name": "Public DNS Zone A record", - "description": "This module deploys a Public DNS Zone A record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "dnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the A record." - } - }, - "aRecords": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of A records in the record set. Cannot be used in conjuction with the \"targetResource\" property." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "targetResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. A reference to an azure resource from where the dns resource value is taken. Also known as an alias record sets and are only supported for record types A, AAAA and CNAME. A resource ID can be an Azure Traffic Manager, Azure CDN, Front Door, Static Web App, or a resource ID of a record set of the same type in the DNS zone (i.e. A, AAAA or CNAME). Cannot be used in conjuction with the \"aRecords\" property." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. 
Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - 
"defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "dnsZone": { - "existing": true, - "type": "Microsoft.Network/dnsZones", - "apiVersion": "2018-05-01", - "name": "[parameters('dnsZoneName')]" - }, - "A": { - "type": "Microsoft.Network/dnsZones/A", - "apiVersion": "2018-05-01", - "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", - "properties": { - "ARecords": "[if(not(empty(parameters('aRecords'))), parameters('aRecords'), null())]", - "metadata": "[parameters('metadata')]", - "TTL": "[parameters('ttl')]", - "targetResource": "[if(not(empty(parameters('targetResourceId'))), createObject('id', parameters('targetResourceId')), null())]" - }, - "dependsOn": [ - "dnsZone" - ] - }, - "A_roleAssignments": { - "copy": { - "name": "A_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/A/{1}', parameters('dnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/A', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), 
variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "A" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed A record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed A record." - }, - "value": "[resourceId('Microsoft.Network/dnsZones/A', parameters('dnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed A record." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/network/dns-zone/a/version.json b/modules/network/dns-zone/a/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/network/dns-zone/a/version.json +++ /dev/null 
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.5",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/dns-zone/aaaa/README.md b/modules/network/dns-zone/aaaa/README.md
deleted file mode 100644
index aa68ea3696..0000000000
--- a/modules/network/dns-zone/aaaa/README.md
+++ /dev/null
@@ -1,198 +0,0 @@ -# Public DNS Zone AAAA record `[Microsoft.Network/dnsZones/AAAA]` - -This module deploys a Public DNS Zone AAAA record. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/dnsZones/AAAA` | [2018-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-05-01/dnsZones/AAAA) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the AAAA record. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`dnsZoneName`](#parameter-dnszonename) | string | The name of the parent DNS zone. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`aaaaRecords`](#parameter-aaaarecords) | array | The list of AAAA records in the record set. Cannot be used in conjuction with the "targetResource" property. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`targetResourceId`](#parameter-targetresourceid) | string | A reference to an azure resource from where the dns resource value is taken. Also known as an alias record sets and are only supported for record types A, AAAA and CNAME. A resource ID can be an Azure Traffic Manager, Azure CDN, Front Door, Static Web App, or a resource ID of a record set of the same type in the DNS zone (i.e. A, AAAA or CNAME). Cannot be used in conjuction with the "aRecords" property. | -| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | - -### Parameter: `name` - -The name of the AAAA record. - -- Required: Yes -- Type: string - -### Parameter: `dnsZoneName` - -The name of the parent DNS zone. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `aaaaRecords` - -The list of AAAA records in the record set. Cannot be used in conjuction with the "targetResource" property. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `metadata` - -The metadata attached to the record set. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `targetResourceId` - -A reference to an azure resource from where the dns resource value is taken. Also known as an alias record sets and are only supported for record types A, AAAA and CNAME. A resource ID can be an Azure Traffic Manager, Azure CDN, Front Door, Static Web App, or a resource ID of a record set of the same type in the DNS zone (i.e. A, AAAA or CNAME). Cannot be used in conjuction with the "aRecords" property. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `ttl` - -The TTL (time-to-live) of the records in the record set. - -- Required: No -- Type: int -- Default: `3600` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed AAAA record. | -| `resourceGroupName` | string | The resource group of the deployed AAAA record. | -| `resourceId` | string | The resource ID of the deployed AAAA record. | - -## Cross-referenced modules - -_None_ diff --git a/modules/network/dns-zone/aaaa/main.bicep b/modules/network/dns-zone/aaaa/main.bicep deleted file mode 100644 index a0d88a4f60..0000000000 
--- a/modules/network/dns-zone/aaaa/main.bicep
+++ /dev/null
@@ -1,119 +0,0 @@ -metadata name = 'Public DNS Zone AAAA record' -metadata description = 'This module deploys a Public DNS Zone AAAA record.' -metadata owner = 'Azure/module-maintainers' - -@description('Conditional. The name of the parent DNS zone. Required if the template is used in a standalone deployment.') -param dnsZoneName string - -@description('Required. The name of the AAAA record.') -param name string - -@description('Optional. The list of AAAA records in the record set. Cannot be used in conjuction with the "targetResource" property.') -param aaaaRecords array = [] - -@description('Optional. The metadata attached to the record set.') -param metadata object = {} - -@description('Optional. The TTL (time-to-live) of the records in the record set.') -param ttl int = 3600 - -@description('Optional. A reference to an azure resource from where the dns resource value is taken. Also known as an alias record sets and are only supported for record types A, AAAA and CNAME. A resource ID can be an Azure Traffic Manager, Azure CDN, Front Door, Static Web App, or a resource ID of a record set of the same type in the DNS zone (i.e. A, AAAA or CNAME). Cannot be used in conjuction with the "aRecords" property.') -param targetResourceId string = '' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments roleAssignmentType - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - 
mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource dnsZone 'Microsoft.Network/dnsZones@2018-05-01' existing = { - name: dnsZoneName -} - -resource AAAA 'Microsoft.Network/dnsZones/AAAA@2018-05-01' = { - name: name - parent: dnsZone - properties: { - AAAARecords: !empty(aaaaRecords) ? aaaaRecords : null - metadata: metadata - TTL: ttl - targetResource: !empty(targetResourceId) ? { - id: targetResourceId - } : null - } -} - -resource AAAA_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(AAAA.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: AAAA -}] - -@description('The name of the deployed AAAA record.') -output name string = AAAA.name - -@description('The resource ID of the deployed AAAA record.') -output resourceId string = AAAA.id - -@description('The resource group of the deployed AAAA record.') -output resourceGroupName string = resourceGroup().name -// =============== // -// Definitions // -// =============== // - -type roleAssignmentType = { - @description('Required. The name of the role to assign. 
If it cannot be found you can specify the role definition ID instead.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? diff --git a/modules/network/dns-zone/aaaa/main.json b/modules/network/dns-zone/aaaa/main.json deleted file mode 100644 index 274e115628..0000000000 --- a/modules/network/dns-zone/aaaa/main.json +++ /dev/null 
@@ -1,234 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "14864971256419465724" - }, - "name": "Public DNS Zone AAAA record", - "description": "This module deploys a Public DNS Zone AAAA record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "dnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the AAAA record." - } - }, - "aaaaRecords": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of AAAA records in the record set. Cannot be used in conjuction with the \"targetResource\" property." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "targetResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. A reference to an azure resource from where the dns resource value is taken. Also known as an alias record sets and are only supported for record types A, AAAA and CNAME. A resource ID can be an Azure Traffic Manager, Azure CDN, Front Door, Static Web App, or a resource ID of a record set of the same type in the DNS zone (i.e. A, AAAA or CNAME). Cannot be used in conjuction with the \"aRecords\" property." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. 
Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - 
"defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "dnsZone": { - "existing": true, - "type": "Microsoft.Network/dnsZones", - "apiVersion": "2018-05-01", - "name": "[parameters('dnsZoneName')]" - }, - "AAAA": { - "type": "Microsoft.Network/dnsZones/AAAA", - "apiVersion": "2018-05-01", - "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", - "properties": { - "AAAARecords": "[if(not(empty(parameters('aaaaRecords'))), parameters('aaaaRecords'), null())]", - "metadata": "[parameters('metadata')]", - "TTL": "[parameters('ttl')]", - "targetResource": "[if(not(empty(parameters('targetResourceId'))), createObject('id', parameters('targetResourceId')), null())]" - }, - "dependsOn": [ - "dnsZone" - ] - }, - "AAAA_roleAssignments": { - "copy": { - "name": "AAAA_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/AAAA/{1}', parameters('dnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/AAAA', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), 
variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "AAAA" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed AAAA record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed AAAA record." - }, - "value": "[resourceId('Microsoft.Network/dnsZones/AAAA', parameters('dnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed AAAA record." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/network/dns-zone/aaaa/version.json b/modules/network/dns-zone/aaaa/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/network/dns-zone/aaaa/version.json +++ /dev/null 
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.5",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/dns-zone/caa/README.md b/modules/network/dns-zone/caa/README.md
deleted file mode 100644
index 4d72be6d76..0000000000
--- a/modules/network/dns-zone/caa/README.md
+++ /dev/null
@@ -1,189 +0,0 @@
-# Public DNS Zone CAA record `[Microsoft.Network/dnsZones/CAA]`
-
-This module deploys a Public DNS Zone CAA record.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
-| `Microsoft.Network/dnsZones/CAA` | [2018-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-05-01/dnsZones/CAA) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the CAA record. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`dnsZoneName`](#parameter-dnszonename) | string | The name of the parent DNS zone. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`caaRecords`](#parameter-caarecords) | array | The list of CAA records in the record set. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. |
-| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. |
-
-### Parameter: `name`
-
-The name of the CAA record.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `dnsZoneName`
-
-The name of the parent DNS zone. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `caaRecords`
-
-The list of CAA records in the record set.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `metadata`
-
-The metadata attached to the record set.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `roleAssignments`
-
-Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
-
-- Required: No
-- Type: array
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
-| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. |
-| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. |
-| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. |
-| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. |
-
-### Parameter: `roleAssignments.principalId`
-
-The principal ID of the principal (user/group/identity) to assign the role to.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.roleDefinitionIdOrName`
-
-The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.condition`
-
-The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.conditionVersion`
-
-Version of the condition.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- '2.0'
- ]
- ```
-
-### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
-
-The Resource Id of the delegated managed identity resource.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.description`
-
-The description of the role assignment.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.principalType`
-
-The principal type of the assigned principal ID.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Device'
- 'ForeignGroup'
- 'Group'
- 'ServicePrincipal'
- 'User'
- ]
- ```
-
-### Parameter: `ttl`
-
-The TTL (time-to-live) of the records in the record set.
-
-- Required: No
-- Type: int
-- Default: `3600`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed CAA record. |
-| `resourceGroupName` | string | The resource group of the deployed CAA record. |
-| `resourceId` | string | The resource ID of the deployed CAA record. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/network/dns-zone/caa/main.bicep b/modules/network/dns-zone/caa/main.bicep
deleted file mode 100644
index 5456341ee7..0000000000
--- a/modules/network/dns-zone/caa/main.bicep
+++ /dev/null
@@ -1,113 +0,0 @@
-metadata name = 'Public DNS Zone CAA record'
-metadata description = 'This module deploys a Public DNS Zone CAA record.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent DNS zone. Required if the template is used in a standalone deployment.')
-param dnsZoneName string
-
-@description('Required. The name of the CAA record.')
-param name string
-
-@description('Optional. The metadata attached to the record set.')
-param metadata object = {}
-
-@description('Optional. The list of CAA records in the record set.')
-param caaRecords array = []
-
-@description('Optional. The TTL (time-to-live) of the records in the record set.')
-param ttl int = 3600
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
- 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
- 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
- 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource dnsZone 'Microsoft.Network/dnsZones@2018-05-01' existing = {
- name: dnsZoneName
-}
-
-resource CAA 'Microsoft.Network/dnsZones/CAA@2018-05-01' = {
- name: name
- parent: dnsZone
- properties: {
- metadata: metadata
- caaRecords: caaRecords
- TTL: ttl
- }
-}
-
-resource CAA_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(CAA.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: CAA
-}]
-
-@description('The name of the deployed CAA record.')
-output name string = CAA.name
-
-@description('The resource ID of the deployed CAA record.')
-output resourceId string = CAA.id
-
-@description('The resource group of the deployed CAA record.')
-output resourceGroupName string = resourceGroup().name
-// =============== //
-// Definitions //
-// =============== //
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/network/dns-zone/caa/main.json b/modules/network/dns-zone/caa/main.json
deleted file mode 100644
index e264524581..0000000000
--- a/modules/network/dns-zone/caa/main.json
+++ /dev/null
@@ -1,226 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "334963919740395938" - }, - "name": "Public DNS Zone CAA record", - "description": "This module deploys a Public DNS Zone CAA record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "dnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the CAA record." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "caaRecords": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of CAA records in the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "dnsZone": { - "existing": true, - "type": "Microsoft.Network/dnsZones", - "apiVersion": "2018-05-01", - "name": "[parameters('dnsZoneName')]" - }, - "CAA": { - "type": "Microsoft.Network/dnsZones/CAA", - "apiVersion": "2018-05-01", - "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]", - "caaRecords": "[parameters('caaRecords')]", - "TTL": "[parameters('ttl')]" - }, - "dependsOn": [ - "dnsZone" - ] - }, - "CAA_roleAssignments": { - "copy": { - "name": "CAA_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/CAA/{1}', parameters('dnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/CAA', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 
'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "CAA" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed CAA record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed CAA record." - }, - "value": "[resourceId('Microsoft.Network/dnsZones/CAA', parameters('dnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed CAA record." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/network/dns-zone/caa/version.json b/modules/network/dns-zone/caa/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/network/dns-zone/caa/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/dns-zone/cname/README.md b/modules/network/dns-zone/cname/README.md deleted file mode 100644 index a89e2c97a6..0000000000 --- a/modules/network/dns-zone/cname/README.md +++ /dev/null 
@@ -1,198 +0,0 @@
-# Public DNS Zone CNAME record `[Microsoft.Network/dnsZones/CNAME]`
-
-This module deploys a Public DNS Zone CNAME record.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
-| `Microsoft.Network/dnsZones/CNAME` | [2018-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-05-01/dnsZones/CNAME) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the CNAME record. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`dnsZoneName`](#parameter-dnszonename) | string | The name of the parent DNS zone. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`cnameRecord`](#parameter-cnamerecord) | object | A CNAME record. Cannot be used in conjuction with the "targetResource" property. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. |
-| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-| [`targetResourceId`](#parameter-targetresourceid) | string | A reference to an azure resource from where the dns resource value is taken. Also known as an alias record sets and are only supported for record types A, AAAA and CNAME. A resource ID can be an Azure Traffic Manager, Azure CDN, Front Door, Static Web App, or a resource ID of a record set of the same type in the DNS zone (i.e. A, AAAA or CNAME). Cannot be used in conjuction with the "aRecords" property. |
-| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. |
-
-### Parameter: `name`
-
-The name of the CNAME record.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `dnsZoneName`
-
-The name of the parent DNS zone. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `cnameRecord`
-
-A CNAME record. Cannot be used in conjuction with the "targetResource" property.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `metadata`
-
-The metadata attached to the record set.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `roleAssignments`
-
-Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
-
-- Required: No
-- Type: array
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
-| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. |
-| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. |
-| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. |
-| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. |
-
-### Parameter: `roleAssignments.principalId`
-
-The principal ID of the principal (user/group/identity) to assign the role to.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.roleDefinitionIdOrName`
-
-The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.condition`
-
-The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.conditionVersion`
-
-Version of the condition.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- '2.0'
- ]
- ```
-
-### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
-
-The Resource Id of the delegated managed identity resource.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.description`
-
-The description of the role assignment.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.principalType`
-
-The principal type of the assigned principal ID.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Device'
- 'ForeignGroup'
- 'Group'
- 'ServicePrincipal'
- 'User'
- ]
- ```
-
-### Parameter: `targetResourceId`
-
-A reference to an azure resource from where the dns resource value is taken. Also known as an alias record sets and are only supported for record types A, AAAA and CNAME. A resource ID can be an Azure Traffic Manager, Azure CDN, Front Door, Static Web App, or a resource ID of a record set of the same type in the DNS zone (i.e. A, AAAA or CNAME). Cannot be used in conjuction with the "aRecords" property.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `ttl`
-
-The TTL (time-to-live) of the records in the record set.
-
-- Required: No
-- Type: int
-- Default: `3600`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed CNAME record. |
-| `resourceGroupName` | string | The resource group of the deployed CNAME record. |
-| `resourceId` | string | The resource ID of the deployed CNAME record. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/network/dns-zone/cname/main.bicep b/modules/network/dns-zone/cname/main.bicep
deleted file mode 100644
index db68c48d7f..0000000000
--- a/modules/network/dns-zone/cname/main.bicep
+++ /dev/null
@@ -1,119 +0,0 @@ -metadata name = 'Public DNS Zone CNAME record' -metadata description = 'This module deploys a Public DNS Zone CNAME record.' -metadata owner = 'Azure/module-maintainers' - -@description('Conditional. The name of the parent DNS zone. Required if the template is used in a standalone deployment.') -param dnsZoneName string - -@description('Required. The name of the CNAME record.') -param name string - -@description('Optional. A CNAME record. Cannot be used in conjuction with the "targetResource" property.') -param cnameRecord object = {} - -@description('Optional. The metadata attached to the record set.') -param metadata object = {} - -@description('Optional. The TTL (time-to-live) of the records in the record set.') -param ttl int = 3600 - -@description('Optional. A reference to an azure resource from where the dns resource value is taken. Also known as an alias record sets and are only supported for record types A, AAAA and CNAME. A resource ID can be an Azure Traffic Manager, Azure CDN, Front Door, Static Web App, or a resource ID of a record set of the same type in the DNS zone (i.e. A, AAAA or CNAME). Cannot be used in conjuction with the "aRecords" property.') -param targetResourceId string = '' - -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments roleAssignmentType - -@description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - 
-resource dnsZone 'Microsoft.Network/dnsZones@2018-05-01' existing = { - name: dnsZoneName -} - -resource CNAME 'Microsoft.Network/dnsZones/CNAME@2018-05-01' = { - name: name - parent: dnsZone - properties: { - CNAMERecord: !empty(cnameRecord) ? cnameRecord : null - metadata: metadata - TTL: ttl - targetResource: !empty(targetResourceId) ? { - id: targetResourceId - } : null - } -} - -resource CNAME_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(CNAME.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: CNAME -}] - -@description('The name of the deployed CNAME record.') -output name string = CNAME.name - -@description('The resource ID of the deployed CNAME record.') -output resourceId string = CNAME.id - -@description('The resource group of the deployed CNAME record.') -output resourceGroupName string = resourceGroup().name -// =============== // -// Definitions // -// =============== // - -type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. 
The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? diff --git a/modules/network/dns-zone/cname/main.json b/modules/network/dns-zone/cname/main.json deleted file mode 100644 index 8ebb91fc6a..0000000000 --- a/modules/network/dns-zone/cname/main.json +++ /dev/null 
@@ -1,234 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "1267823163217140681" - }, - "name": "Public DNS Zone CNAME record", - "description": "This module deploys a Public DNS Zone CNAME record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "dnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the CNAME record." - } - }, - "cnameRecord": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. A CNAME record. Cannot be used in conjuction with the \"targetResource\" property." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "targetResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. A reference to an azure resource from where the dns resource value is taken. Also known as an alias record sets and are only supported for record types A, AAAA and CNAME. A resource ID can be an Azure Traffic Manager, Azure CDN, Front Door, Static Web App, or a resource ID of a record set of the same type in the DNS zone (i.e. A, AAAA or CNAME). Cannot be used in conjuction with the \"aRecords\" property." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "dnsZone": { - "existing": true, - "type": "Microsoft.Network/dnsZones", - "apiVersion": "2018-05-01", - "name": "[parameters('dnsZoneName')]" - }, - "CNAME": { - "type": "Microsoft.Network/dnsZones/CNAME", - "apiVersion": "2018-05-01", - "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", - "properties": { - "CNAMERecord": "[if(not(empty(parameters('cnameRecord'))), parameters('cnameRecord'), null())]", - "metadata": "[parameters('metadata')]", - "TTL": "[parameters('ttl')]", - "targetResource": "[if(not(empty(parameters('targetResourceId'))), createObject('id', parameters('targetResourceId')), null())]" - }, - "dependsOn": [ - "dnsZone" - ] - }, - "CNAME_roleAssignments": { - "copy": { - "name": "CNAME_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/CNAME/{1}', parameters('dnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/CNAME', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "CNAME" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed CNAME record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed CNAME record." - }, - "value": "[resourceId('Microsoft.Network/dnsZones/CNAME', parameters('dnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed CNAME record." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/network/dns-zone/cname/version.json b/modules/network/dns-zone/cname/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 
--- a/modules/network/dns-zone/cname/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.5",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/dns-zone/main.bicep b/modules/network/dns-zone/main.bicep
deleted file mode 100644
index c5b7880355..0000000000
--- a/modules/network/dns-zone/main.bicep
+++ /dev/null
@@ -1,293 +0,0 @@
-metadata name = 'Public DNS Zones'
-metadata description = 'This module deploys a Public DNS zone.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. DNS zone name.')
-@minLength(1)
-@maxLength(63)
-param name string
-
-@description('Optional. Array of A records.')
-param a array = []
-
-@description('Optional. Array of AAAA records.')
-param aaaa array = []
-
-@description('Optional. Array of CNAME records.')
-param cname array = []
-
-@description('Optional. Array of CAA records.')
-param caa array = []
-
-@description('Optional. Array of MX records.')
-param mx array = []
-
-@description('Optional. Array of NS records.')
-param ns array = []
-
-@description('Optional. Array of PTR records.')
-param ptr array = []
-
-@description('Optional. Array of SOA records.')
-param soa array = []
-
-@description('Optional. Array of SRV records.')
-param srv array = []
-
-@description('Optional. Array of TXT records.')
-param txt array = []
-
-@description('Optional. The location of the dnsZone. Should be global.')
-param location string = 'global'
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
- 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
- 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
- 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource dnsZone 'Microsoft.Network/dnsZones@2018-05-01' = {
- name: name
- location: location
- tags: tags
- properties: {
- zoneType: 'Public'
- }
-}
-
-module dnsZone_A 'a/main.bicep' = [for (aRecord, index) in a: {
- name: '${uniqueString(deployment().name, location)}-dnsZone-ARecord-${index}'
- params: {
- dnsZoneName: dnsZone.name
- name: aRecord.name
- aRecords: contains(aRecord, 'aRecords') ? aRecord.aRecords : []
- metadata: contains(aRecord, 'metadata') ? aRecord.metadata : {}
- ttl: contains(aRecord, 'ttl') ? aRecord.ttl : 3600
- targetResourceId: contains(aRecord, 'targetResourceId') ? aRecord.targetResourceId : ''
- roleAssignments: contains(aRecord, 'roleAssignments') ? aRecord.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module dnsZone_AAAA 'aaaa/main.bicep' = [for (aaaaRecord, index) in aaaa: {
- name: '${uniqueString(deployment().name, location)}-dnsZone-AAAARecord-${index}'
- params: {
- dnsZoneName: dnsZone.name
- name: aaaaRecord.name
- aaaaRecords: contains(aaaaRecord, 'aaaaRecords') ? aaaaRecord.aaaaRecords : []
- metadata: contains(aaaaRecord, 'metadata') ? aaaaRecord.metadata : {}
- ttl: contains(aaaaRecord, 'ttl') ? aaaaRecord.ttl : 3600
- targetResourceId: contains(aaaaRecord, 'targetResourceId') ? aaaaRecord.targetResourceId : ''
- roleAssignments: contains(aaaaRecord, 'roleAssignments') ? aaaaRecord.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module dnsZone_CNAME 'cname/main.bicep' = [for (cnameRecord, index) in cname: {
- name: '${uniqueString(deployment().name, location)}-dnsZone-CNAMERecord-${index}'
- params: {
- dnsZoneName: dnsZone.name
- name: cnameRecord.name
- cnameRecord: contains(cnameRecord, 'cnameRecord') ? cnameRecord.cnameRecord : {}
- metadata: contains(cnameRecord, 'metadata') ? cnameRecord.metadata : {}
- ttl: contains(cnameRecord, 'ttl') ? cnameRecord.ttl : 3600
- targetResourceId: contains(cnameRecord, 'targetResourceId') ? cnameRecord.targetResourceId : ''
- roleAssignments: contains(cnameRecord, 'roleAssignments') ? cnameRecord.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module dnsZone_CAA 'caa/main.bicep' = [for (caaRecord, index) in caa: {
- name: '${uniqueString(deployment().name, location)}-dnsZone-CAARecord-${index}'
- params: {
- dnsZoneName: dnsZone.name
- name: caaRecord.name
- metadata: contains(caaRecord, 'metadata') ? caaRecord.metadata : {}
- caaRecords: contains(caaRecord, 'caaRecords') ? caaRecord.caaRecords : []
- ttl: contains(caaRecord, 'ttl') ? caaRecord.ttl : 3600
- roleAssignments: contains(caaRecord, 'roleAssignments') ? caaRecord.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module dnsZone_MX 'mx/main.bicep' = [for (mxRecord, index) in mx: {
- name: '${uniqueString(deployment().name, location)}-dnsZone-MXRecord-${index}'
- params: {
- dnsZoneName: dnsZone.name
- name: mxRecord.name
- metadata: contains(mxRecord, 'metadata') ? mxRecord.metadata : {}
- mxRecords: contains(mxRecord, 'mxRecords') ? mxRecord.mxRecords : []
- ttl: contains(mxRecord, 'ttl') ? mxRecord.ttl : 3600
- roleAssignments: contains(mxRecord, 'roleAssignments') ? mxRecord.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module dnsZone_NS 'ns/main.bicep' = [for (nsRecord, index) in ns: {
- name: '${uniqueString(deployment().name, location)}-dnsZone-NSRecord-${index}'
- params: {
- dnsZoneName: dnsZone.name
- name: nsRecord.name
- metadata: contains(nsRecord, 'metadata') ? nsRecord.metadata : {}
- nsRecords: contains(nsRecord, 'nsRecords') ? nsRecord.nsRecords : []
- ttl: contains(nsRecord, 'ttl') ? nsRecord.ttl : 3600
- roleAssignments: contains(nsRecord, 'roleAssignments') ? nsRecord.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module dnsZone_PTR 'ptr/main.bicep' = [for (ptrRecord, index) in ptr: {
- name: '${uniqueString(deployment().name, location)}-dnsZone-PTRRecord-${index}'
- params: {
- dnsZoneName: dnsZone.name
- name: ptrRecord.name
- metadata: contains(ptrRecord, 'metadata') ? ptrRecord.metadata : {}
- ptrRecords: contains(ptrRecord, 'ptrRecords') ? ptrRecord.ptrRecords : []
- ttl: contains(ptrRecord, 'ttl') ? ptrRecord.ttl : 3600
- roleAssignments: contains(ptrRecord, 'roleAssignments') ? ptrRecord.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module dnsZone_SOA 'soa/main.bicep' = [for (soaRecord, index) in soa: {
- name: '${uniqueString(deployment().name, location)}-dnsZone-SOARecord-${index}'
- params: {
- dnsZoneName: dnsZone.name
- name: soaRecord.name
- metadata: contains(soaRecord, 'metadata') ? soaRecord.metadata : {}
- soaRecord: contains(soaRecord, 'soaRecord') ? soaRecord.soaRecord : {}
- ttl: contains(soaRecord, 'ttl') ? soaRecord.ttl : 3600
- roleAssignments: contains(soaRecord, 'roleAssignments') ? soaRecord.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module dnsZone_SRV 'srv/main.bicep' = [for (srvRecord, index) in srv: {
- name: '${uniqueString(deployment().name, location)}-dnsZone-SRVRecord-${index}'
- params: {
- dnsZoneName: dnsZone.name
- name: srvRecord.name
- metadata: contains(srvRecord, 'metadata') ? srvRecord.metadata : {}
- srvRecords: contains(srvRecord, 'srvRecords') ? srvRecord.srvRecords : []
- ttl: contains(srvRecord, 'ttl') ? srvRecord.ttl : 3600
- roleAssignments: contains(srvRecord, 'roleAssignments') ? srvRecord.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module dnsZone_TXT 'txt/main.bicep' = [for (txtRecord, index) in txt: {
- name: '${uniqueString(deployment().name, location)}-dnsZone-TXTRecord-${index}'
- params: {
- dnsZoneName: dnsZone.name
- name: txtRecord.name
- metadata: contains(txtRecord, 'metadata') ? txtRecord.metadata : {}
- txtRecords: contains(txtRecord, 'txtRecords') ? txtRecord.txtRecords : []
- ttl: contains(txtRecord, 'ttl') ? txtRecord.ttl : 3600
- roleAssignments: contains(txtRecord, 'roleAssignments') ? txtRecord.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-resource dnsZone_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: dnsZone
-}
-
-resource dnsZone_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(dnsZone.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: dnsZone
-}]
-
-@description('The resource group the DNS zone was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the DNS zone.')
-output name string = dnsZone.name
-
-@description('The resource ID of the DNS zone.')
-output resourceId string = dnsZone.id
-
-@description('The location the resource was deployed into.')
-output location string = dnsZone.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/network/dns-zone/main.json b/modules/network/dns-zone/main.json
deleted file mode 100644
index 73ab825aba..0000000000
--- a/modules/network/dns-zone/main.json
+++ /dev/null
@@ -1,2946 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "192131081135137851" - }, - "name": "Public DNS Zones", - "description": "This module deploys a Public DNS zone.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "minLength": 1, - "maxLength": 63, - "metadata": { - "description": "Required. DNS zone name." - } - }, - "a": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of A records." - } - }, - "aaaa": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of AAAA records." - } - }, - "cname": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of CNAME records." - } - }, - "caa": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of CAA records." - } - }, - "mx": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of MX records." - } - }, - "ns": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of NS records." - } - }, - "ptr": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of PTR records." - } - }, - "soa": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of SOA records." - } - }, - "srv": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of SRV records." - } - }, - "txt": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of TXT records." 
- } - }, - "location": { - "type": "string", - "defaultValue": "global", - "metadata": { - "description": "Optional. The location of the dnsZone. Should be global." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "dnsZone": { - "type": "Microsoft.Network/dnsZones", - "apiVersion": "2018-05-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "zoneType": "Public" - } - }, - "dnsZone_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "dnsZone" - ] - }, - "dnsZone_roleAssignments": { - "copy": { - "name": "dnsZone_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "dnsZone" - ] - }, - "dnsZone_A": { - "copy": { - "name": "dnsZone_A", - "count": "[length(parameters('a'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-dnsZone-ARecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "dnsZoneName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('a')[copyIndex()].name]" - }, - "aRecords": "[if(contains(parameters('a')[copyIndex()], 'aRecords'), createObject('value', parameters('a')[copyIndex()].aRecords), createObject('value', createArray()))]", - "metadata": "[if(contains(parameters('a')[copyIndex()], 'metadata'), createObject('value', parameters('a')[copyIndex()].metadata), createObject('value', createObject()))]", - "ttl": "[if(contains(parameters('a')[copyIndex()], 'ttl'), createObject('value', parameters('a')[copyIndex()].ttl), 
createObject('value', 3600))]", - "targetResourceId": "[if(contains(parameters('a')[copyIndex()], 'targetResourceId'), createObject('value', parameters('a')[copyIndex()].targetResourceId), createObject('value', ''))]", - "roleAssignments": "[if(contains(parameters('a')[copyIndex()], 'roleAssignments'), createObject('value', parameters('a')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9611074560358227947" - }, - "name": "Public DNS Zone A record", - "description": "This module deploys a Public DNS Zone A record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "dnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the A record." - } - }, - "aRecords": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of A records in the record set. Cannot be used in conjuction with the \"targetResource\" property." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "targetResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. A reference to an azure resource from where the dns resource value is taken. Also known as an alias record sets and are only supported for record types A, AAAA and CNAME. A resource ID can be an Azure Traffic Manager, Azure CDN, Front Door, Static Web App, or a resource ID of a record set of the same type in the DNS zone (i.e. A, AAAA or CNAME). 
Cannot be used in conjuction with the \"aRecords\" property." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "dnsZone": { - "existing": true, - "type": "Microsoft.Network/dnsZones", - "apiVersion": "2018-05-01", - "name": "[parameters('dnsZoneName')]" - }, - "A": { - "type": "Microsoft.Network/dnsZones/A", - "apiVersion": "2018-05-01", - "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", - "properties": { - "ARecords": "[if(not(empty(parameters('aRecords'))), parameters('aRecords'), null())]", - "metadata": "[parameters('metadata')]", - "TTL": "[parameters('ttl')]", - "targetResource": "[if(not(empty(parameters('targetResourceId'))), createObject('id', parameters('targetResourceId')), null())]" - }, - "dependsOn": [ - "dnsZone" - ] - }, - "A_roleAssignments": { - "copy": { - "name": "A_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/A/{1}', parameters('dnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/A', parameters('dnsZoneName'), parameters('name')), 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "A" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed A record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed A record." - }, - "value": "[resourceId('Microsoft.Network/dnsZones/A', parameters('dnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed A record." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "dnsZone" - ] - }, - "dnsZone_AAAA": { - "copy": { - "name": "dnsZone_AAAA", - "count": "[length(parameters('aaaa'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-dnsZone-AAAARecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "dnsZoneName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('aaaa')[copyIndex()].name]" - }, - "aaaaRecords": "[if(contains(parameters('aaaa')[copyIndex()], 'aaaaRecords'), createObject('value', parameters('aaaa')[copyIndex()].aaaaRecords), createObject('value', createArray()))]", - "metadata": "[if(contains(parameters('aaaa')[copyIndex()], 'metadata'), createObject('value', parameters('aaaa')[copyIndex()].metadata), createObject('value', createObject()))]", - "ttl": "[if(contains(parameters('aaaa')[copyIndex()], 'ttl'), createObject('value', parameters('aaaa')[copyIndex()].ttl), createObject('value', 3600))]", - "targetResourceId": "[if(contains(parameters('aaaa')[copyIndex()], 'targetResourceId'), createObject('value', parameters('aaaa')[copyIndex()].targetResourceId), createObject('value', ''))]", - "roleAssignments": "[if(contains(parameters('aaaa')[copyIndex()], 'roleAssignments'), createObject('value', parameters('aaaa')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "14864971256419465724" - }, - "name": "Public DNS Zone AAAA 
record", - "description": "This module deploys a Public DNS Zone AAAA record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "dnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent DNS zone. Required if the template is used in a standalone deployment." 
- } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the AAAA record." - } - }, - "aaaaRecords": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of AAAA records in the record set. Cannot be used in conjuction with the \"targetResource\" property." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "targetResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. A reference to an azure resource from where the dns resource value is taken. Also known as an alias record sets and are only supported for record types A, AAAA and CNAME. A resource ID can be an Azure Traffic Manager, Azure CDN, Front Door, Static Web App, or a resource ID of a record set of the same type in the DNS zone (i.e. A, AAAA or CNAME). Cannot be used in conjuction with the \"aRecords\" property." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "dnsZone": { - "existing": true, - "type": "Microsoft.Network/dnsZones", - "apiVersion": "2018-05-01", - "name": "[parameters('dnsZoneName')]" - }, - "AAAA": { - "type": "Microsoft.Network/dnsZones/AAAA", - "apiVersion": "2018-05-01", - "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", - "properties": { - "AAAARecords": "[if(not(empty(parameters('aaaaRecords'))), parameters('aaaaRecords'), null())]", - "metadata": "[parameters('metadata')]", - "TTL": "[parameters('ttl')]", - "targetResource": "[if(not(empty(parameters('targetResourceId'))), createObject('id', parameters('targetResourceId')), null())]" - }, - "dependsOn": [ - "dnsZone" - ] - }, - "AAAA_roleAssignments": { - "copy": { - "name": "AAAA_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/AAAA/{1}', parameters('dnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/AAAA', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "AAAA" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed AAAA record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed AAAA record." - }, - "value": "[resourceId('Microsoft.Network/dnsZones/AAAA', parameters('dnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed AAAA record." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "dnsZone" - ] - }, - "dnsZone_CNAME": { - "copy": { - "name": "dnsZone_CNAME", - "count": "[length(parameters('cname'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-dnsZone-CNAMERecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "dnsZoneName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('cname')[copyIndex()].name]" - }, - "cnameRecord": "[if(contains(parameters('cname')[copyIndex()], 'cnameRecord'), createObject('value', parameters('cname')[copyIndex()].cnameRecord), createObject('value', createObject()))]", - "metadata": "[if(contains(parameters('cname')[copyIndex()], 'metadata'), createObject('value', parameters('cname')[copyIndex()].metadata), createObject('value', createObject()))]", - "ttl": "[if(contains(parameters('cname')[copyIndex()], 'ttl'), createObject('value', parameters('cname')[copyIndex()].ttl), createObject('value', 3600))]", - "targetResourceId": "[if(contains(parameters('cname')[copyIndex()], 'targetResourceId'), createObject('value', parameters('cname')[copyIndex()].targetResourceId), createObject('value', ''))]", - "roleAssignments": "[if(contains(parameters('cname')[copyIndex()], 'roleAssignments'), createObject('value', parameters('cname')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "1267823163217140681" - }, - "name": "Public 
DNS Zone CNAME record", - "description": "This module deploys a Public DNS Zone CNAME record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "dnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent DNS zone. Required if the template is used in a standalone deployment." 
- } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the CNAME record." - } - }, - "cnameRecord": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. A CNAME record. Cannot be used in conjuction with the \"targetResource\" property." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "targetResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. A reference to an azure resource from where the dns resource value is taken. Also known as an alias record sets and are only supported for record types A, AAAA and CNAME. A resource ID can be an Azure Traffic Manager, Azure CDN, Front Door, Static Web App, or a resource ID of a record set of the same type in the DNS zone (i.e. A, AAAA or CNAME). Cannot be used in conjuction with the \"aRecords\" property." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "dnsZone": { - "existing": true, - "type": "Microsoft.Network/dnsZones", - "apiVersion": "2018-05-01", - "name": "[parameters('dnsZoneName')]" - }, - "CNAME": { - "type": "Microsoft.Network/dnsZones/CNAME", - "apiVersion": "2018-05-01", - "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", - "properties": { - "CNAMERecord": "[if(not(empty(parameters('cnameRecord'))), parameters('cnameRecord'), null())]", - "metadata": "[parameters('metadata')]", - "TTL": "[parameters('ttl')]", - "targetResource": "[if(not(empty(parameters('targetResourceId'))), createObject('id', parameters('targetResourceId')), null())]" - }, - "dependsOn": [ - "dnsZone" - ] - }, - "CNAME_roleAssignments": { - "copy": { - "name": "CNAME_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/CNAME/{1}', parameters('dnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/CNAME', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "CNAME" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed CNAME record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed CNAME record." - }, - "value": "[resourceId('Microsoft.Network/dnsZones/CNAME', parameters('dnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed CNAME record." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "dnsZone" - ] - }, - "dnsZone_CAA": { - "copy": { - "name": "dnsZone_CAA", - "count": "[length(parameters('caa'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-dnsZone-CAARecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "dnsZoneName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('caa')[copyIndex()].name]" - }, - "metadata": "[if(contains(parameters('caa')[copyIndex()], 'metadata'), createObject('value', parameters('caa')[copyIndex()].metadata), createObject('value', createObject()))]", - "caaRecords": "[if(contains(parameters('caa')[copyIndex()], 'caaRecords'), createObject('value', parameters('caa')[copyIndex()].caaRecords), createObject('value', createArray()))]", - "ttl": "[if(contains(parameters('caa')[copyIndex()], 'ttl'), createObject('value', parameters('caa')[copyIndex()].ttl), createObject('value', 3600))]", - "roleAssignments": "[if(contains(parameters('caa')[copyIndex()], 'roleAssignments'), createObject('value', parameters('caa')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "334963919740395938" - }, - "name": "Public DNS Zone CAA record", - "description": "This module deploys a Public DNS Zone CAA record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": 
"object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "dnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the CAA record." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. 
The metadata attached to the record set." - } - }, - "caaRecords": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of CAA records in the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "dnsZone": { - "existing": true, - "type": "Microsoft.Network/dnsZones", - "apiVersion": "2018-05-01", - "name": "[parameters('dnsZoneName')]" - }, - "CAA": { - "type": "Microsoft.Network/dnsZones/CAA", - "apiVersion": "2018-05-01", - "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]", - "caaRecords": "[parameters('caaRecords')]", - "TTL": "[parameters('ttl')]" - }, - "dependsOn": [ - "dnsZone" - ] - }, - "CAA_roleAssignments": { - "copy": { - "name": "CAA_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/CAA/{1}', parameters('dnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/CAA', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 
'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "CAA" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed CAA record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed CAA record." - }, - "value": "[resourceId('Microsoft.Network/dnsZones/CAA', parameters('dnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed CAA record." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "dnsZone" - ] - }, - "dnsZone_MX": { - "copy": { - "name": "dnsZone_MX", - "count": "[length(parameters('mx'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-dnsZone-MXRecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "dnsZoneName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('mx')[copyIndex()].name]" - }, - "metadata": "[if(contains(parameters('mx')[copyIndex()], 'metadata'), createObject('value', parameters('mx')[copyIndex()].metadata), createObject('value', createObject()))]", - "mxRecords": "[if(contains(parameters('mx')[copyIndex()], 'mxRecords'), createObject('value', parameters('mx')[copyIndex()].mxRecords), createObject('value', createArray()))]", - "ttl": "[if(contains(parameters('mx')[copyIndex()], 'ttl'), createObject('value', parameters('mx')[copyIndex()].ttl), createObject('value', 3600))]", - "roleAssignments": "[if(contains(parameters('mx')[copyIndex()], 'roleAssignments'), createObject('value', parameters('mx')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "913365561266018486" - }, - "name": "Public DNS Zone MX record", - "description": "This module deploys a Public DNS Zone MX record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - 
"properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "dnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the MX record." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. 
The metadata attached to the record set." - } - }, - "mxRecords": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of MX records in the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "dnsZone": { - "existing": true, - "type": "Microsoft.Network/dnsZones", - "apiVersion": "2018-05-01", - "name": "[parameters('dnsZoneName')]" - }, - "MX": { - "type": "Microsoft.Network/dnsZones/MX", - "apiVersion": "2018-05-01", - "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]", - "MXRecords": "[parameters('mxRecords')]", - "TTL": "[parameters('ttl')]" - }, - "dependsOn": [ - "dnsZone" - ] - }, - "MX_roleAssignments": { - "copy": { - "name": "MX_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/MX/{1}', parameters('dnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/MX', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - 
"condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "MX" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed MX record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed MX record." - }, - "value": "[resourceId('Microsoft.Network/dnsZones/MX', parameters('dnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed MX record." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "dnsZone" - ] - }, - "dnsZone_NS": { - "copy": { - "name": "dnsZone_NS", - "count": "[length(parameters('ns'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-dnsZone-NSRecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "dnsZoneName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('ns')[copyIndex()].name]" - }, - "metadata": "[if(contains(parameters('ns')[copyIndex()], 'metadata'), createObject('value', parameters('ns')[copyIndex()].metadata), createObject('value', createObject()))]", - "nsRecords": "[if(contains(parameters('ns')[copyIndex()], 'nsRecords'), createObject('value', parameters('ns')[copyIndex()].nsRecords), createObject('value', createArray()))]", - "ttl": "[if(contains(parameters('ns')[copyIndex()], 'ttl'), createObject('value', parameters('ns')[copyIndex()].ttl), createObject('value', 3600))]", - "roleAssignments": "[if(contains(parameters('ns')[copyIndex()], 'roleAssignments'), createObject('value', parameters('ns')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "14921767837432456957" - }, - "name": "Public DNS Zone NS record", - "description": "This module deploys a Public DNS Zone NS record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - 
"properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "dnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the NS record." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. 
The metadata attached to the record set." - } - }, - "nsRecords": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of NS records in the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "dnsZone": { - "existing": true, - "type": "Microsoft.Network/dnsZones", - "apiVersion": "2018-05-01", - "name": "[parameters('dnsZoneName')]" - }, - "NS": { - "type": "Microsoft.Network/dnsZones/NS", - "apiVersion": "2018-05-01", - "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]", - "NSRecords": "[parameters('nsRecords')]", - "TTL": "[parameters('ttl')]" - }, - "dependsOn": [ - "dnsZone" - ] - }, - "NS_roleAssignments": { - "copy": { - "name": "NS_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/NS/{1}', parameters('dnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/NS', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - 
"condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "NS" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed NS record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed NS record." - }, - "value": "[resourceId('Microsoft.Network/dnsZones/NS', parameters('dnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed NS record." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "dnsZone" - ] - }, - "dnsZone_PTR": { - "copy": { - "name": "dnsZone_PTR", - "count": "[length(parameters('ptr'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-dnsZone-PTRRecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "dnsZoneName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('ptr')[copyIndex()].name]" - }, - "metadata": "[if(contains(parameters('ptr')[copyIndex()], 'metadata'), createObject('value', parameters('ptr')[copyIndex()].metadata), createObject('value', createObject()))]", - "ptrRecords": "[if(contains(parameters('ptr')[copyIndex()], 'ptrRecords'), createObject('value', parameters('ptr')[copyIndex()].ptrRecords), createObject('value', createArray()))]", - "ttl": "[if(contains(parameters('ptr')[copyIndex()], 'ttl'), createObject('value', parameters('ptr')[copyIndex()].ttl), createObject('value', 3600))]", - "roleAssignments": "[if(contains(parameters('ptr')[copyIndex()], 'roleAssignments'), createObject('value', parameters('ptr')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "1781674036442480125" - }, - "name": "Public DNS Zone PTR record", - "description": "This module deploys a Public DNS Zone PTR record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": 
"object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "dnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the PTR record." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. 
The metadata attached to the record set." - } - }, - "ptrRecords": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of PTR records in the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "dnsZone": { - "existing": true, - "type": "Microsoft.Network/dnsZones", - "apiVersion": "2018-05-01", - "name": "[parameters('dnsZoneName')]" - }, - "PTR": { - "type": "Microsoft.Network/dnsZones/PTR", - "apiVersion": "2018-05-01", - "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]", - "PTRRecords": "[parameters('ptrRecords')]", - "TTL": "[parameters('ttl')]" - }, - "dependsOn": [ - "dnsZone" - ] - }, - "PTR_roleAssignments": { - "copy": { - "name": "PTR_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/PTR/{1}', parameters('dnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/PTR', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 
'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "PTR" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed PTR record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed PTR record." - }, - "value": "[resourceId('Microsoft.Network/dnsZones/PTR', parameters('dnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed PTR record." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "dnsZone" - ] - }, - "dnsZone_SOA": { - "copy": { - "name": "dnsZone_SOA", - "count": "[length(parameters('soa'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-dnsZone-SOARecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "dnsZoneName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('soa')[copyIndex()].name]" - }, - "metadata": "[if(contains(parameters('soa')[copyIndex()], 'metadata'), createObject('value', parameters('soa')[copyIndex()].metadata), createObject('value', createObject()))]", - "soaRecord": "[if(contains(parameters('soa')[copyIndex()], 'soaRecord'), createObject('value', parameters('soa')[copyIndex()].soaRecord), createObject('value', createObject()))]", - "ttl": "[if(contains(parameters('soa')[copyIndex()], 'ttl'), createObject('value', parameters('soa')[copyIndex()].ttl), createObject('value', 3600))]", - "roleAssignments": "[if(contains(parameters('soa')[copyIndex()], 'roleAssignments'), createObject('value', parameters('soa')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15508005336915398346" - }, - "name": "Public DNS Zone SOA record", - "description": "This module deploys a Public DNS Zone SOA record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": 
"object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "dnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the SOA record." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. 
The metadata attached to the record set." - } - }, - "soaRecord": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. A SOA record." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "dnsZone": { - "existing": true, - "type": "Microsoft.Network/dnsZones", - "apiVersion": "2018-05-01", - "name": "[parameters('dnsZoneName')]" - }, - "SOA": { - "type": "Microsoft.Network/dnsZones/SOA", - "apiVersion": "2018-05-01", - "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]", - "SOARecord": "[parameters('soaRecord')]", - "TTL": "[parameters('ttl')]" - }, - "dependsOn": [ - "dnsZone" - ] - }, - "SOA_roleAssignments": { - "copy": { - "name": "SOA_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/SOA/{1}', parameters('dnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/SOA', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 
'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "SOA" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed SOA record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed SOA record." - }, - "value": "[resourceId('Microsoft.Network/dnsZones/SOA', parameters('dnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed SOA record." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "dnsZone" - ] - }, - "dnsZone_SRV": { - "copy": { - "name": "dnsZone_SRV", - "count": "[length(parameters('srv'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-dnsZone-SRVRecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "dnsZoneName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('srv')[copyIndex()].name]" - }, - "metadata": "[if(contains(parameters('srv')[copyIndex()], 'metadata'), createObject('value', parameters('srv')[copyIndex()].metadata), createObject('value', createObject()))]", - "srvRecords": "[if(contains(parameters('srv')[copyIndex()], 'srvRecords'), createObject('value', parameters('srv')[copyIndex()].srvRecords), createObject('value', createArray()))]", - "ttl": "[if(contains(parameters('srv')[copyIndex()], 'ttl'), createObject('value', parameters('srv')[copyIndex()].ttl), createObject('value', 3600))]", - "roleAssignments": "[if(contains(parameters('srv')[copyIndex()], 'roleAssignments'), createObject('value', parameters('srv')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "12022158765353146053" - }, - "name": "Public DNS Zone SRV record", - "description": "This module deploys a Public DNS Zone SRV record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": 
"object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "dnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the SRV record." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. 
The metadata attached to the record set." - } - }, - "srvRecords": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of SRV records in the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "dnsZone": { - "existing": true, - "type": "Microsoft.Network/dnsZones", - "apiVersion": "2018-05-01", - "name": "[parameters('dnsZoneName')]" - }, - "SRV": { - "type": "Microsoft.Network/dnsZones/SRV", - "apiVersion": "2018-05-01", - "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]", - "SRVRecords": "[parameters('srvRecords')]", - "TTL": "[parameters('ttl')]" - }, - "dependsOn": [ - "dnsZone" - ] - }, - "SRV_roleAssignments": { - "copy": { - "name": "SRV_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/SRV/{1}', parameters('dnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/SRV', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 
'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "SRV" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed SRV record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed SRV record." - }, - "value": "[resourceId('Microsoft.Network/dnsZones/SRV', parameters('dnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed SRV record." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "dnsZone" - ] - }, - "dnsZone_TXT": { - "copy": { - "name": "dnsZone_TXT", - "count": "[length(parameters('txt'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-dnsZone-TXTRecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "dnsZoneName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('txt')[copyIndex()].name]" - }, - "metadata": "[if(contains(parameters('txt')[copyIndex()], 'metadata'), createObject('value', parameters('txt')[copyIndex()].metadata), createObject('value', createObject()))]", - "txtRecords": "[if(contains(parameters('txt')[copyIndex()], 'txtRecords'), createObject('value', parameters('txt')[copyIndex()].txtRecords), createObject('value', createArray()))]", - "ttl": "[if(contains(parameters('txt')[copyIndex()], 'ttl'), createObject('value', parameters('txt')[copyIndex()].ttl), createObject('value', 3600))]", - "roleAssignments": "[if(contains(parameters('txt')[copyIndex()], 'roleAssignments'), createObject('value', parameters('txt')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "12802491396062490027" - }, - "name": "Public DNS Zone TXT record", - "description": "This module deploys a Public DNS Zone TXT record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": 
"object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "dnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the TXT record." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. 
The metadata attached to the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "txtRecords": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of TXT records in the record set." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "dnsZone": { - "existing": true, - "type": "Microsoft.Network/dnsZones", - "apiVersion": "2018-05-01", - "name": "[parameters('dnsZoneName')]" - }, - "TXT": { - "type": "Microsoft.Network/dnsZones/TXT", - "apiVersion": "2018-05-01", - "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]", - "TTL": "[parameters('ttl')]", - "TXTRecords": "[parameters('txtRecords')]" - }, - "dependsOn": [ - "dnsZone" - ] - }, - "TXT_roleAssignments": { - "copy": { - "name": "TXT_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/TXT/{1}', parameters('dnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/TXT', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 
'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "TXT" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed TXT record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed TXT record." - }, - "value": "[resourceId('Microsoft.Network/dnsZones/TXT', parameters('dnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed TXT record." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "dnsZone" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the DNS zone was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the DNS zone." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the DNS zone." - }, - "value": "[resourceId('Microsoft.Network/dnsZones', parameters('name'))]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('dnsZone', '2018-05-01', 'full').location]" - } - } -} \ No newline at end of file 
diff --git a/modules/network/dns-zone/mx/README.md b/modules/network/dns-zone/mx/README.md
deleted file mode 100644
index bea5e827f7..0000000000
--- a/modules/network/dns-zone/mx/README.md
+++ /dev/null
@@ -1,189 +0,0 @@ -# Public DNS Zone MX record `[Microsoft.Network/dnsZones/MX]` - -This module deploys a Public DNS Zone MX record. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/dnsZones/MX` | [2018-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-05-01/dnsZones/MX) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the MX record. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`dnsZoneName`](#parameter-dnszonename) | string | The name of the parent DNS zone. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. | -| [`mxRecords`](#parameter-mxrecords) | array | The list of MX records in the record set. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| -| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | - -### Parameter: `name` - -The name of the MX record. - -- Required: Yes -- Type: string - -### Parameter: `dnsZoneName` - -The name of the parent DNS zone. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `metadata` - -The metadata attached to the record set. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `mxRecords` - -The list of MX records in the record set. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. 
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Device'
- 'ForeignGroup'
- 'Group'
- 'ServicePrincipal'
- 'User'
- ]
- ```
-
-### Parameter: `ttl`
-
-The TTL (time-to-live) of the records in the record set.
-
-- Required: No
-- Type: int
-- Default: `3600`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed MX record. |
-| `resourceGroupName` | string | The resource group of the deployed MX record. |
-| `resourceId` | string | The resource ID of the deployed MX record. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/network/dns-zone/mx/main.bicep b/modules/network/dns-zone/mx/main.bicep
deleted file mode 100644
index 710a244cd3..0000000000
--- a/modules/network/dns-zone/mx/main.bicep
+++ /dev/null
@@ -1,113 +0,0 @@
-metadata name = 'Public DNS Zone MX record'
-metadata description = 'This module deploys a Public DNS Zone MX record.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent DNS zone. Required if the template is used in a standalone deployment.')
-param dnsZoneName string
-
-@description('Required. The name of the MX record.')
-param name string
-
-@description('Optional. The metadata attached to the record set.')
-param metadata object = {}
-
-@description('Optional. The list of MX records in the record set.')
-param mxRecords array = []
-
-@description('Optional. The TTL (time-to-live) of the records in the record set.')
-param ttl int = 3600
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
- 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
- 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
- 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource dnsZone 'Microsoft.Network/dnsZones@2018-05-01' existing = {
- name: dnsZoneName
-}
-
-resource MX 'Microsoft.Network/dnsZones/MX@2018-05-01' = {
- name: name
- parent: dnsZone
- properties: {
- metadata: metadata
- MXRecords: mxRecords
- TTL: ttl
- }
-}
-
-resource MX_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(MX.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: MX
-}]
-
-@description('The name of the deployed MX record.')
-output name string = MX.name
-
-@description('The resource ID of the deployed MX record.')
-output resourceId string = MX.id
-
-@description('The resource group of the deployed MX record.')
-output resourceGroupName string = resourceGroup().name
-// =============== //
-// Definitions //
-// =============== //
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/network/dns-zone/mx/main.json b/modules/network/dns-zone/mx/main.json
deleted file mode 100644
index 19169c06c3..0000000000
--- a/modules/network/dns-zone/mx/main.json
+++ /dev/null
@@ -1,226 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "913365561266018486" - }, - "name": "Public DNS Zone MX record", - "description": "This module deploys a Public DNS Zone MX record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "dnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the MX record." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "mxRecords": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of MX records in the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "dnsZone": { - "existing": true, - "type": "Microsoft.Network/dnsZones", - "apiVersion": "2018-05-01", - "name": "[parameters('dnsZoneName')]" - }, - "MX": { - "type": "Microsoft.Network/dnsZones/MX", - "apiVersion": "2018-05-01", - "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]", - "MXRecords": "[parameters('mxRecords')]", - "TTL": "[parameters('ttl')]" - }, - "dependsOn": [ - "dnsZone" - ] - }, - "MX_roleAssignments": { - "copy": { - "name": "MX_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/MX/{1}', parameters('dnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/MX', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - 
"condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "MX" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed MX record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed MX record." - }, - "value": "[resourceId('Microsoft.Network/dnsZones/MX', parameters('dnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed MX record." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/network/dns-zone/mx/version.json b/modules/network/dns-zone/mx/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/network/dns-zone/mx/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/dns-zone/ns/README.md b/modules/network/dns-zone/ns/README.md deleted file mode 100644 index 8035417f4b..0000000000 --- a/modules/network/dns-zone/ns/README.md +++ /dev/null 
@@ -1,189 +0,0 @@ -# Public DNS Zone NS record `[Microsoft.Network/dnsZones/NS]` - -This module deploys a Public DNS Zone NS record. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/dnsZones/NS` | [2018-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-05-01/dnsZones/NS) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the NS record. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`dnsZoneName`](#parameter-dnszonename) | string | The name of the parent DNS zone. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. | -| [`nsRecords`](#parameter-nsrecords) | array | The list of NS records in the record set. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| -| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | - -### Parameter: `name` - -The name of the NS record. - -- Required: Yes -- Type: string - -### Parameter: `dnsZoneName` - -The name of the parent DNS zone. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `metadata` - -The metadata attached to the record set. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `nsRecords` - -The list of NS records in the record set. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `ttl` - -The TTL (time-to-live) of the records in the record set. - -- Required: No -- Type: int -- Default: `3600` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed NS record. | -| `resourceGroupName` | string | The resource group of the deployed NS record. | -| `resourceId` | string | The resource ID of the deployed NS record. | - -## Cross-referenced modules - -_None_ diff --git a/modules/network/dns-zone/ns/main.bicep b/modules/network/dns-zone/ns/main.bicep deleted file mode 100644 index a3a98d5302..0000000000 --- a/modules/network/dns-zone/ns/main.bicep +++ /dev/null 
@@ -1,113 +0,0 @@
-metadata name = 'Public DNS Zone NS record'
-metadata description = 'This module deploys a Public DNS Zone NS record.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent DNS zone. Required if the template is used in a standalone deployment.')
-param dnsZoneName string
-
-@description('Required. The name of the NS record.')
-param name string
-
-@description('Optional. The metadata attached to the record set.')
-param metadata object = {}
-
-@description('Optional. The list of NS records in the record set.')
-param nsRecords array = []
-
-@description('Optional. The TTL (time-to-live) of the records in the record set.')
-param ttl int = 3600
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
- 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
- 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
- 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource dnsZone 'Microsoft.Network/dnsZones@2018-05-01' existing = {
- name: dnsZoneName
-}
-
-resource NS 'Microsoft.Network/dnsZones/NS@2018-05-01' = {
- name: name
- parent: dnsZone
- properties: {
- metadata: metadata
- NSRecords: nsRecords
- TTL: ttl
- }
-}
-
-resource NS_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(NS.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: NS
-}]
-
-@description('The name of the deployed NS record.')
-output name string = NS.name
-
-@description('The resource ID of the deployed NS record.')
-output resourceId string = NS.id
-
-@description('The resource group of the deployed NS record.')
-output resourceGroupName string = resourceGroup().name
-// =============== //
-// Definitions //
-// =============== //
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/network/dns-zone/ns/main.json b/modules/network/dns-zone/ns/main.json
deleted file mode 100644
index 4d7b270aae..0000000000
--- a/modules/network/dns-zone/ns/main.json
+++ /dev/null
@@ -1,226 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "14921767837432456957" - }, - "name": "Public DNS Zone NS record", - "description": "This module deploys a Public DNS Zone NS record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "dnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the NS record." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "nsRecords": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of NS records in the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "dnsZone": { - "existing": true, - "type": "Microsoft.Network/dnsZones", - "apiVersion": "2018-05-01", - "name": "[parameters('dnsZoneName')]" - }, - "NS": { - "type": "Microsoft.Network/dnsZones/NS", - "apiVersion": "2018-05-01", - "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]", - "NSRecords": "[parameters('nsRecords')]", - "TTL": "[parameters('ttl')]" - }, - "dependsOn": [ - "dnsZone" - ] - }, - "NS_roleAssignments": { - "copy": { - "name": "NS_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/NS/{1}', parameters('dnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/NS', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - 
"condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "NS" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed NS record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed NS record." - }, - "value": "[resourceId('Microsoft.Network/dnsZones/NS', parameters('dnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed NS record." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/network/dns-zone/ns/version.json b/modules/network/dns-zone/ns/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/network/dns-zone/ns/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/dns-zone/ptr/README.md b/modules/network/dns-zone/ptr/README.md deleted file mode 100644 index 68258a9035..0000000000 --- a/modules/network/dns-zone/ptr/README.md +++ /dev/null 
@@ -1,189 +0,0 @@ -# Public DNS Zone PTR record `[Microsoft.Network/dnsZones/PTR]` - -This module deploys a Public DNS Zone PTR record. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/dnsZones/PTR` | [2018-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-05-01/dnsZones/PTR) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the PTR record. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`dnsZoneName`](#parameter-dnszonename) | string | The name of the parent DNS zone. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. | -| [`ptrRecords`](#parameter-ptrrecords) | array | The list of PTR records in the record set. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| -| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | - -### Parameter: `name` - -The name of the PTR record. - -- Required: Yes -- Type: string - -### Parameter: `dnsZoneName` - -The name of the parent DNS zone. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `metadata` - -The metadata attached to the record set. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `ptrRecords` - -The list of PTR records in the record set. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `ttl` - -The TTL (time-to-live) of the records in the record set. - -- Required: No -- Type: int -- Default: `3600` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed PTR record. | -| `resourceGroupName` | string | The resource group of the deployed PTR record. | -| `resourceId` | string | The resource ID of the deployed PTR record. | - -## Cross-referenced modules - -_None_ diff --git a/modules/network/dns-zone/ptr/main.bicep b/modules/network/dns-zone/ptr/main.bicep deleted file mode 100644 index 3363462440..0000000000 --- a/modules/network/dns-zone/ptr/main.bicep +++ /dev/null 
@@ -1,113 +0,0 @@
-metadata name = 'Public DNS Zone PTR record'
-metadata description = 'This module deploys a Public DNS Zone PTR record.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent DNS zone. Required if the template is used in a standalone deployment.')
-param dnsZoneName string
-
-@description('Required. The name of the PTR record.')
-param name string
-
-@description('Optional. The metadata attached to the record set.')
-param metadata object = {}
-
-@description('Optional. The list of PTR records in the record set.')
-param ptrRecords array = []
-
-@description('Optional. The TTL (time-to-live) of the records in the record set.')
-param ttl int = 3600
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
- 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
- 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
- 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource dnsZone 'Microsoft.Network/dnsZones@2018-05-01' existing = {
- name: dnsZoneName
-}
-
-resource PTR 'Microsoft.Network/dnsZones/PTR@2018-05-01' = {
- name: name
- parent: dnsZone
- properties: {
- metadata: metadata
- PTRRecords: ptrRecords
- TTL: ttl
- }
-}
-
-resource PTR_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(PTR.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: PTR
-}]
-
-@description('The name of the deployed PTR record.')
-output name string = PTR.name
-
-@description('The resource ID of the deployed PTR record.')
-output resourceId string = PTR.id
-
-@description('The resource group of the deployed PTR record.')
-output resourceGroupName string = resourceGroup().name
-// =============== //
-// Definitions //
-// =============== //
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/network/dns-zone/ptr/main.json b/modules/network/dns-zone/ptr/main.json
deleted file mode 100644
index 52d8ea8776..0000000000
--- a/modules/network/dns-zone/ptr/main.json
+++ /dev/null
@@ -1,226 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "1781674036442480125" - }, - "name": "Public DNS Zone PTR record", - "description": "This module deploys a Public DNS Zone PTR record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "dnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the PTR record." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "ptrRecords": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of PTR records in the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "dnsZone": { - "existing": true, - "type": "Microsoft.Network/dnsZones", - "apiVersion": "2018-05-01", - "name": "[parameters('dnsZoneName')]" - }, - "PTR": { - "type": "Microsoft.Network/dnsZones/PTR", - "apiVersion": "2018-05-01", - "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]", - "PTRRecords": "[parameters('ptrRecords')]", - "TTL": "[parameters('ttl')]" - }, - "dependsOn": [ - "dnsZone" - ] - }, - "PTR_roleAssignments": { - "copy": { - "name": "PTR_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/PTR/{1}', parameters('dnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/PTR', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 
'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "PTR" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed PTR record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed PTR record." - }, - "value": "[resourceId('Microsoft.Network/dnsZones/PTR', parameters('dnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed PTR record." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/network/dns-zone/ptr/version.json b/modules/network/dns-zone/ptr/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/network/dns-zone/ptr/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/dns-zone/soa/README.md b/modules/network/dns-zone/soa/README.md deleted file mode 100644 index 3b8577a68c..0000000000 --- a/modules/network/dns-zone/soa/README.md +++ /dev/null 
@@ -1,189 +0,0 @@
-# Public DNS Zone SOA record `[Microsoft.Network/dnsZones/SOA]`
-
-This module deploys a Public DNS Zone SOA record.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
-| `Microsoft.Network/dnsZones/SOA` | [2018-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-05-01/dnsZones/SOA) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the SOA record. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`dnsZoneName`](#parameter-dnszonename) | string | The name of the parent DNS zone. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. |
-| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-| [`soaRecord`](#parameter-soarecord) | object | A SOA record. |
-| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. |
-
-### Parameter: `name`
-
-The name of the SOA record.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `dnsZoneName`
-
-The name of the parent DNS zone. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `metadata`
-
-The metadata attached to the record set.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `roleAssignments`
-
-Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
-
-- Required: No
-- Type: array
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
-| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. |
-| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. |
-| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. |
-| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. |
-
-### Parameter: `roleAssignments.principalId`
-
-The principal ID of the principal (user/group/identity) to assign the role to.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.roleDefinitionIdOrName`
-
-The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.condition`
-
-The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.conditionVersion`
-
-Version of the condition.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- '2.0'
- ]
- ```
-
-### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
-
-The Resource Id of the delegated managed identity resource.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.description`
-
-The description of the role assignment.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.principalType`
-
-The principal type of the assigned principal ID.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Device'
- 'ForeignGroup'
- 'Group'
- 'ServicePrincipal'
- 'User'
- ]
- ```
-
-### Parameter: `soaRecord`
-
-A SOA record.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `ttl`
-
-The TTL (time-to-live) of the records in the record set.
-
-- Required: No
-- Type: int
-- Default: `3600`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed SOA record. |
-| `resourceGroupName` | string | The resource group of the deployed SOA record. |
-| `resourceId` | string | The resource ID of the deployed SOA record. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/network/dns-zone/soa/main.bicep b/modules/network/dns-zone/soa/main.bicep
deleted file mode 100644
index 6a7fbe7acf..0000000000
--- a/modules/network/dns-zone/soa/main.bicep
+++ /dev/null
@@ -1,113 +0,0 @@
-metadata name = 'Public DNS Zone SOA record'
-metadata description = 'This module deploys a Public DNS Zone SOA record.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent DNS zone. Required if the template is used in a standalone deployment.')
-param dnsZoneName string
-
-@description('Required. The name of the SOA record.')
-param name string
-
-@description('Optional. The metadata attached to the record set.')
-param metadata object = {}
-
-@description('Optional. A SOA record.')
-param soaRecord object = {}
-
-@description('Optional. The TTL (time-to-live) of the records in the record set.')
-param ttl int = 3600
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
- 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
- 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
- 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource dnsZone 'Microsoft.Network/dnsZones@2018-05-01' existing = {
- name: dnsZoneName
-}
-
-resource SOA 'Microsoft.Network/dnsZones/SOA@2018-05-01' = {
- name: name
- parent: dnsZone
- properties: {
- metadata: metadata
- SOARecord: soaRecord
- TTL: ttl
- }
-}
-
-resource SOA_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(SOA.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: SOA
-}]
-
-@description('The name of the deployed SOA record.')
-output name string = SOA.name
-
-@description('The resource ID of the deployed SOA record.')
-output resourceId string = SOA.id
-
-@description('The resource group of the deployed SOA record.')
-output resourceGroupName string = resourceGroup().name
-// =============== //
-// Definitions //
-// =============== //
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/network/dns-zone/soa/main.json b/modules/network/dns-zone/soa/main.json
deleted file mode 100644
index da09092353..0000000000
--- a/modules/network/dns-zone/soa/main.json
+++ /dev/null
@@ -1,226 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15508005336915398346" - }, - "name": "Public DNS Zone SOA record", - "description": "This module deploys a Public DNS Zone SOA record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "dnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the SOA record." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "soaRecord": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. A SOA record." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "dnsZone": { - "existing": true, - "type": "Microsoft.Network/dnsZones", - "apiVersion": "2018-05-01", - "name": "[parameters('dnsZoneName')]" - }, - "SOA": { - "type": "Microsoft.Network/dnsZones/SOA", - "apiVersion": "2018-05-01", - "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]", - "SOARecord": "[parameters('soaRecord')]", - "TTL": "[parameters('ttl')]" - }, - "dependsOn": [ - "dnsZone" - ] - }, - "SOA_roleAssignments": { - "copy": { - "name": "SOA_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/SOA/{1}', parameters('dnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/SOA', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 
'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "SOA" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed SOA record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed SOA record." - }, - "value": "[resourceId('Microsoft.Network/dnsZones/SOA', parameters('dnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed SOA record." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/network/dns-zone/soa/version.json b/modules/network/dns-zone/soa/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/network/dns-zone/soa/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/dns-zone/srv/README.md b/modules/network/dns-zone/srv/README.md deleted file mode 100644 index 6650830d14..0000000000 --- a/modules/network/dns-zone/srv/README.md +++ /dev/null 
@@ -1,189 +0,0 @@ -# Public DNS Zone SRV record `[Microsoft.Network/dnsZones/SRV]` - -This module deploys a Public DNS Zone SRV record. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/dnsZones/SRV` | [2018-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-05-01/dnsZones/SRV) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the SRV record. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`dnsZoneName`](#parameter-dnszonename) | string | The name of the parent DNS zone. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`srvRecords`](#parameter-srvrecords) | array | The list of SRV records in the record set. 
| -| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | - -### Parameter: `name` - -The name of the SRV record. - -- Required: Yes -- Type: string - -### Parameter: `dnsZoneName` - -The name of the parent DNS zone. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `metadata` - -The metadata attached to the record set. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `srvRecords` - -The list of SRV records in the record set. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `ttl` - -The TTL (time-to-live) of the records in the record set. - -- Required: No -- Type: int -- Default: `3600` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed SRV record. | -| `resourceGroupName` | string | The resource group of the deployed SRV record. | -| `resourceId` | string | The resource ID of the deployed SRV record. | - -## Cross-referenced modules - -_None_ diff --git a/modules/network/dns-zone/srv/main.bicep b/modules/network/dns-zone/srv/main.bicep deleted file mode 100644 index c56b257c59..0000000000 --- a/modules/network/dns-zone/srv/main.bicep +++ /dev/null 
@@ -1,113 +0,0 @@ -metadata name = 'Public DNS Zone SRV record' -metadata description = 'This module deploys a Public DNS Zone SRV record.' -metadata owner = 'Azure/module-maintainers' - -@description('Conditional. The name of the parent DNS zone. Required if the template is used in a standalone deployment.') -param dnsZoneName string - -@description('Required. The name of the SRV record.') -param name string - -@description('Optional. The metadata attached to the record set.') -param metadata object = {} - -@description('Optional. The list of SRV records in the record set.') -param srvRecords array = [] - -@description('Optional. The TTL (time-to-live) of the records in the record set.') -param ttl int = 3600 - -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments roleAssignmentType - -@description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - 
-resource dnsZone 'Microsoft.Network/dnsZones@2018-05-01' existing = { - name: dnsZoneName -} - -resource SRV 'Microsoft.Network/dnsZones/SRV@2018-05-01' = { - name: name - parent: dnsZone - properties: { - metadata: metadata - SRVRecords: srvRecords - TTL: ttl - } -} - -resource SRV_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(SRV.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: SRV -}] - -@description('The name of the deployed SRV record.') -output name string = SRV.name - -@description('The resource ID of the deployed SRV record.') -output resourceId string = SRV.id - -@description('The resource group of the deployed SRV record.') -output resourceGroupName string = resourceGroup().name -// =============== // -// Definitions // -// =============== // - -type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? 
- - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? diff --git a/modules/network/dns-zone/srv/main.json b/modules/network/dns-zone/srv/main.json deleted file mode 100644 index d0e0b82fe7..0000000000 --- a/modules/network/dns-zone/srv/main.json +++ /dev/null 
@@ -1,226 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "12022158765353146053" - }, - "name": "Public DNS Zone SRV record", - "description": "This module deploys a Public DNS Zone SRV record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "dnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the SRV record." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "srvRecords": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of SRV records in the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "dnsZone": { - "existing": true, - "type": "Microsoft.Network/dnsZones", - "apiVersion": "2018-05-01", - "name": "[parameters('dnsZoneName')]" - }, - "SRV": { - "type": "Microsoft.Network/dnsZones/SRV", - "apiVersion": "2018-05-01", - "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]", - "SRVRecords": "[parameters('srvRecords')]", - "TTL": "[parameters('ttl')]" - }, - "dependsOn": [ - "dnsZone" - ] - }, - "SRV_roleAssignments": { - "copy": { - "name": "SRV_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/SRV/{1}', parameters('dnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/SRV', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 
'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "SRV" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed SRV record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed SRV record." - }, - "value": "[resourceId('Microsoft.Network/dnsZones/SRV', parameters('dnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed SRV record." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/network/dns-zone/srv/version.json b/modules/network/dns-zone/srv/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/network/dns-zone/srv/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/dns-zone/tests/e2e/defaults/main.test.bicep b/modules/network/dns-zone/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 2f820dd353..0000000000 --- a/modules/network/dns-zone/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.dnszones-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ndzmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001.com'
- }
-}]
diff --git a/modules/network/dns-zone/tests/e2e/max/dependencies.bicep b/modules/network/dns-zone/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 22bd417624..0000000000
--- a/modules/network/dns-zone/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,37 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Traffic Manager Profile to create.')
-param trafficManagerProfileName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource trafficManagerProfile 'Microsoft.Network/trafficmanagerprofiles@2022-04-01-preview' = {
- name: trafficManagerProfileName
- location: 'global'
- properties: {
- trafficRoutingMethod: 'Performance'
- maxReturn: 0
- dnsConfig: {
- relativeName: trafficManagerProfileName
- ttl: 60
- }
- monitorConfig: {
- protocol: 'HTTP'
- port: 80
- path: '/'
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Traffic Manager Profile.')
-output trafficManagerProfileResourceId string = trafficManagerProfile.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/dns-zone/tests/e2e/max/main.test.bicep b/modules/network/dns-zone/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 3e016759eb..0000000000
--- a/modules/network/dns-zone/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,223 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-network.dnszones-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'ndzmax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - trafficManagerProfileName: 'dep-${namePrefix}-tmp-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001.com' - a: [ - { - aRecords: [ - { - ipv4Address: '10.240.4.4' - } - ] - name: 
'A_10.240.4.4' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - ttl: 3600 - } - ] - aaaa: [ - { - aaaaRecords: [ - { - ipv6Address: '2001:0db8:85a3:0000:0000:8a2e:0370:7334' - } - ] - name: 'AAAA_2001_0db8_85a3_0000_0000_8a2e_0370_7334' - ttl: 3600 - } - ] - cname: [ - { - cnameRecord: { - cname: 'test' - } - name: 'CNAME_test' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - ttl: 3600 - } - { - name: 'CNAME_aliasRecordSet' - targetResourceId: nestedDependencies.outputs.trafficManagerProfileResourceId - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - mx: [ - { - mxRecords: [ - { - exchange: 'contoso.com' - preference: 100 - } - ] - name: 'MX_contoso' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - ttl: 3600 - } - ] - ptr: [ - { - name: 'PTR_contoso' - ptrRecords: [ - { - ptrdname: 'contoso.com' - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - ttl: 3600 - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - soa: [ - { - name: '@' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - soaRecord: { - email: 'azuredns-hostmaster.microsoft.com' - expireTime: 2419200 - host: 'ns1-04.azure-dns.com.' 
- minimumTtl: 300 - refreshTime: 3600 - retryTime: 300 - serialNumber: '1' - } - ttl: 3600 - } - ] - srv: [ - { - name: 'SRV_contoso' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - srvRecords: [ - { - port: 9332 - priority: 0 - target: 'test.contoso.com' - weight: 0 - } - ] - ttl: 3600 - } - ] - txt: [ - { - name: 'TXT_test' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - ttl: 3600 - txtRecords: [ - { - value: [ - 'test' - ] - } - ] - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/network/dns-zone/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/dns-zone/tests/e2e/waf-aligned/dependencies.bicep deleted file mode 100644 index 22bd417624..0000000000 --- a/modules/network/dns-zone/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null 
@@ -1,37 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Traffic Manager Profile to create.')
-param trafficManagerProfileName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource trafficManagerProfile 'Microsoft.Network/trafficmanagerprofiles@2022-04-01-preview' = {
- name: trafficManagerProfileName
- location: 'global'
- properties: {
- trafficRoutingMethod: 'Performance'
- maxReturn: 0
- dnsConfig: {
- relativeName: trafficManagerProfileName
- ttl: 60
- }
- monitorConfig: {
- protocol: 'HTTP'
- port: 80
- path: '/'
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Traffic Manager Profile.')
-output trafficManagerProfileResourceId string = trafficManagerProfile.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/dns-zone/tests/e2e/waf-aligned/main.test.bicep b/modules/network/dns-zone/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index a1b86c65e9..0000000000
--- a/modules/network/dns-zone/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,223 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-network.dnszones-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'ndzwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - trafficManagerProfileName: 'dep-${namePrefix}-tmp-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001.com' - a: [ - { - aRecords: [ - { - ipv4Address: 
'10.240.4.4' - } - ] - name: 'A_10.240.4.4' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - ttl: 3600 - } - ] - aaaa: [ - { - aaaaRecords: [ - { - ipv6Address: '2001:0db8:85a3:0000:0000:8a2e:0370:7334' - } - ] - name: 'AAAA_2001_0db8_85a3_0000_0000_8a2e_0370_7334' - ttl: 3600 - } - ] - cname: [ - { - cnameRecord: { - cname: 'test' - } - name: 'CNAME_test' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - ttl: 3600 - } - { - name: 'CNAME_aliasRecordSet' - targetResourceId: nestedDependencies.outputs.trafficManagerProfileResourceId - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - mx: [ - { - mxRecords: [ - { - exchange: 'contoso.com' - preference: 100 - } - ] - name: 'MX_contoso' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - ttl: 3600 - } - ] - ptr: [ - { - name: 'PTR_contoso' - ptrRecords: [ - { - ptrdname: 'contoso.com' - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - ttl: 3600 - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - soa: [ - { - name: '@' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - soaRecord: { - email: 'azuredns-hostmaster.microsoft.com' - expireTime: 2419200 - host: 'ns1-04.azure-dns.com.' 
- minimumTtl: 300 - refreshTime: 3600 - retryTime: 300 - serialNumber: '1' - } - ttl: 3600 - } - ] - srv: [ - { - name: 'SRV_contoso' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - srvRecords: [ - { - port: 9332 - priority: 0 - target: 'test.contoso.com' - weight: 0 - } - ] - ttl: 3600 - } - ] - txt: [ - { - name: 'TXT_test' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - ttl: 3600 - txtRecords: [ - { - value: [ - 'test' - ] - } - ] - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/network/dns-zone/txt/README.md b/modules/network/dns-zone/txt/README.md deleted file mode 100644 index 101e48bca4..0000000000 --- a/modules/network/dns-zone/txt/README.md +++ /dev/null 
@@ -1,189 +0,0 @@ -# Public DNS Zone TXT record `[Microsoft.Network/dnsZones/TXT]` - -This module deploys a Public DNS Zone TXT record. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/dnsZones/TXT` | [2018-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-05-01/dnsZones/TXT) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the TXT record. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`dnsZoneName`](#parameter-dnszonename) | string | The name of the parent DNS zone. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. 
| -| [`txtRecords`](#parameter-txtrecords) | array | The list of TXT records in the record set. | - -### Parameter: `name` - -The name of the TXT record. - -- Required: Yes -- Type: string - -### Parameter: `dnsZoneName` - -The name of the parent DNS zone. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `metadata` - -The metadata attached to the record set. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `ttl` - -The TTL (time-to-live) of the records in the record set. - -- Required: No -- Type: int -- Default: `3600` - -### Parameter: `txtRecords` - -The list of TXT records in the record set. - -- Required: No -- Type: array -- Default: `[]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed TXT record. | -| `resourceGroupName` | string | The resource group of the deployed TXT record. | -| `resourceId` | string | The resource ID of the deployed TXT record. | - -## Cross-referenced modules - -_None_ diff --git a/modules/network/dns-zone/txt/main.bicep b/modules/network/dns-zone/txt/main.bicep deleted file mode 100644 index f2ceb2c1ac..0000000000 --- a/modules/network/dns-zone/txt/main.bicep +++ /dev/null 
@@ -1,113 +0,0 @@ -metadata name = 'Public DNS Zone TXT record' -metadata description = 'This module deploys a Public DNS Zone TXT record.' -metadata owner = 'Azure/module-maintainers' - -@description('Conditional. The name of the parent DNS zone. Required if the template is used in a standalone deployment.') -param dnsZoneName string - -@description('Required. The name of the TXT record.') -param name string - -@description('Optional. The metadata attached to the record set.') -param metadata object = {} - -@description('Optional. The TTL (time-to-live) of the records in the record set.') -param ttl int = 3600 - -@description('Optional. The list of TXT records in the record set.') -param txtRecords array = [] - -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments roleAssignmentType - -@description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - 
-resource dnsZone 'Microsoft.Network/dnsZones@2018-05-01' existing = { - name: dnsZoneName -} - -resource TXT 'Microsoft.Network/dnsZones/TXT@2018-05-01' = { - name: name - parent: dnsZone - properties: { - metadata: metadata - TTL: ttl - TXTRecords: txtRecords - } -} - -resource TXT_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(TXT.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: TXT -}] - -@description('The name of the deployed TXT record.') -output name string = TXT.name - -@description('The resource ID of the deployed TXT record.') -output resourceId string = TXT.id - -@description('The resource group of the deployed TXT record.') -output resourceGroupName string = resourceGroup().name -// =============== // -// Definitions // -// =============== // - -type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? 
- - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? diff --git a/modules/network/dns-zone/txt/main.json b/modules/network/dns-zone/txt/main.json deleted file mode 100644 index 11dc4de054..0000000000 --- a/modules/network/dns-zone/txt/main.json +++ /dev/null 
@@ -1,226 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "12802491396062490027" - }, - "name": "Public DNS Zone TXT record", - "description": "This module deploys a Public DNS Zone TXT record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "dnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the TXT record." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "txtRecords": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of TXT records in the record set." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "dnsZone": { - "existing": true, - "type": "Microsoft.Network/dnsZones", - "apiVersion": "2018-05-01", - "name": "[parameters('dnsZoneName')]" - }, - "TXT": { - "type": "Microsoft.Network/dnsZones/TXT", - "apiVersion": "2018-05-01", - "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]", - "TTL": "[parameters('ttl')]", - "TXTRecords": "[parameters('txtRecords')]" - }, - "dependsOn": [ - "dnsZone" - ] - }, - "TXT_roleAssignments": { - "copy": { - "name": "TXT_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/TXT/{1}', parameters('dnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/TXT', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 
'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "TXT" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed TXT record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed TXT record." - }, - "value": "[resourceId('Microsoft.Network/dnsZones/TXT', parameters('dnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed TXT record." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/network/dns-zone/txt/version.json b/modules/network/dns-zone/txt/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/network/dns-zone/txt/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/dns-zone/version.json b/modules/network/dns-zone/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/network/dns-zone/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/network/express-route-circuit/MOVED-TO-AVM.MD b/modules/network/express-route-circuit/MOVED-TO-AVM.MD
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/network/express-route-circuit/MOVED-TO-AVM.MD
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/network/express-route-circuit/README.md b/modules/network/express-route-circuit/README.md
index 0252c375f3..290fcbfbce 100644
--- a/modules/network/express-route-circuit/README.md
+++ b/modules/network/express-route-circuit/README.md
@@ -1,822 +1,7 @@
-# ExpressRoute Circuits `[Microsoft.Network/expressRouteCircuits]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/express-route-circuit](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/express-route-circuit).** -This module deploys an Express Route Circuit. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/express-route-circuit). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/expressRouteCircuits` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/expressRouteCircuits) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. 
- ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.express-route-circuit:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nercmin' - params: { - // Required parameters - bandwidthInMbps: 50 - name: 'nercmin001' - peeringLocation: 'Amsterdam' - serviceProviderName: 'Equinix' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "bandwidthInMbps": { - "value": 50 - }, - "name": { - "value": "nercmin001" - }, - "peeringLocation": { - "value": "Amsterdam" - }, - "serviceProviderName": { - "value": "Equinix" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nercmax' - params: { - // Required parameters - bandwidthInMbps: 50 - name: 'nercmax001' - peeringLocation: 'Amsterdam' - serviceProviderName: 'Equinix' - // Non-required parameters - allowClassicOperations: true - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - skuFamily: 'MeteredData' - skuTier: 'Standard' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "bandwidthInMbps": { - "value": 50 - }, - "name": { - "value": "nercmax001" - }, - "peeringLocation": { - "value": "Amsterdam" - }, - "serviceProviderName": { - "value": "Equinix" - }, - // Non-required parameters - "allowClassicOperations": { - "value": true - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "skuFamily": { - "value": "MeteredData" - }, - "skuTier": { - "value": "Standard" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nercwaf' - params: { - // Required parameters - bandwidthInMbps: 50 - name: 'nercwaf001' - peeringLocation: 'Amsterdam' - serviceProviderName: 'Equinix' - // Non-required parameters - allowClassicOperations: true - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - skuFamily: 'MeteredData' - skuTier: 'Standard' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "bandwidthInMbps": { - "value": 50 - }, - "name": { - "value": "nercwaf001" - }, - "peeringLocation": { - "value": "Amsterdam" - }, - "serviceProviderName": { - "value": "Equinix" - }, - // Non-required parameters - "allowClassicOperations": { - "value": true - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "skuFamily": { - "value": "MeteredData" - }, - "skuTier": { - "value": "Standard" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`bandwidthInMbps`](#parameter-bandwidthinmbps) | int | This is the bandwidth in Mbps of the circuit being created. It must exactly match one of the available bandwidth offers List ExpressRoute Service Providers API call. | -| [`name`](#parameter-name) | string | This is the name of the ExpressRoute circuit. | -| [`peeringLocation`](#parameter-peeringlocation) | string | This is the name of the peering location and not the ARM resource location. It must exactly match one of the available peering locations from List ExpressRoute Service Providers API call. | -| [`serviceProviderName`](#parameter-serviceprovidername) | string | This is the name of the ExpressRoute Service Provider. It must exactly match one of the Service Providers from List ExpressRoute Service Providers API call. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`allowClassicOperations`](#parameter-allowclassicoperations) | bool | Allow classic operations. You can connect to virtual networks in the classic deployment model by setting allowClassicOperations to true. | -| [`bandwidthInGbps`](#parameter-bandwidthingbps) | int | The bandwidth of the circuit when the circuit is provisioned on an ExpressRoutePort resource. Available when configuring Express Route Direct. Default value of 0 will set the property to null. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`expressRoutePortResourceId`](#parameter-expressrouteportresourceid) | string | The reference to the ExpressRoutePort resource when the circuit is provisioned on an ExpressRoutePort resource. Available when configuring Express Route Direct. 
| -| [`globalReachEnabled`](#parameter-globalreachenabled) | bool | Flag denoting global reach status. To enable ExpressRoute Global Reach between different geopolitical regions, your circuits must be Premium SKU. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`peerASN`](#parameter-peerasn) | int | The autonomous system number of the customer/connectivity provider. | -| [`peering`](#parameter-peering) | bool | Enabled BGP peering type for the Circuit. | -| [`peeringType`](#parameter-peeringtype) | string | BGP peering type for the Circuit. Choose from AzurePrivatePeering, AzurePublicPeering or MicrosoftPeering. | -| [`primaryPeerAddressPrefix`](#parameter-primarypeeraddressprefix) | string | A /30 subnet used to configure IP addresses for interfaces on Link1. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`secondaryPeerAddressPrefix`](#parameter-secondarypeeraddressprefix) | string | A /30 subnet used to configure IP addresses for interfaces on Link2. | -| [`sharedKey`](#parameter-sharedkey) | string | The shared key for peering configuration. Router does MD5 hash comparison to validate the packets sent by BGP connection. This parameter is optional and can be removed from peering configuration if not required. | -| [`skuFamily`](#parameter-skufamily) | string | Chosen SKU family of ExpressRoute circuit. Choose from MeteredData or UnlimitedData SKU families. | -| [`skuTier`](#parameter-skutier) | string | Chosen SKU Tier of ExpressRoute circuit. Choose from Local, Premium or Standard SKU tiers. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`vlanId`](#parameter-vlanid) | int | Specifies the identifier that is used to identify the customer. | - -### Parameter: `bandwidthInMbps` - -This is the bandwidth in Mbps of the circuit being created. 
It must exactly match one of the available bandwidth offers List ExpressRoute Service Providers API call. - -- Required: Yes -- Type: int - -### Parameter: `name` - -This is the name of the ExpressRoute circuit. - -- Required: Yes -- Type: string - -### Parameter: `peeringLocation` - -This is the name of the peering location and not the ARM resource location. It must exactly match one of the available peering locations from List ExpressRoute Service Providers API call. - -- Required: Yes -- Type: string - -### Parameter: `serviceProviderName` - -This is the name of the ExpressRoute Service Provider. It must exactly match one of the Service Providers from List ExpressRoute Service Providers API call. - -- Required: Yes -- Type: string - -### Parameter: `allowClassicOperations` - -Allow classic operations. You can connect to virtual networks in the classic deployment model by setting allowClassicOperations to true. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `bandwidthInGbps` - -The bandwidth of the circuit when the circuit is provisioned on an ExpressRoutePort resource. Available when configuring Express Route Direct. Default value of 0 will set the property to null. - -- Required: No -- Type: int -- Default: `0` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
- -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `expressRoutePortResourceId` - -The reference to the ExpressRoutePort resource when the circuit is provisioned on an ExpressRoutePort resource. Available when configuring Express Route Direct. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `globalReachEnabled` - -Flag denoting global reach status. To enable ExpressRoute Global Reach between different geopolitical regions, your circuits must be Premium SKU. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `peerASN` - -The autonomous system number of the customer/connectivity provider. - -- Required: No -- Type: int -- Default: `0` - -### Parameter: `peering` - -Enabled BGP peering type for the Circuit. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `peeringType` - -BGP peering type for the Circuit. Choose from AzurePrivatePeering, AzurePublicPeering or MicrosoftPeering. 
- -- Required: No -- Type: string -- Default: `'AzurePrivatePeering'` -- Allowed: - ```Bicep - [ - 'AzurePrivatePeering' - 'MicrosoftPeering' - ] - ``` - -### Parameter: `primaryPeerAddressPrefix` - -A /30 subnet used to configure IP addresses for interfaces on Link1. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. 
| - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `secondaryPeerAddressPrefix` - -A /30 subnet used to configure IP addresses for interfaces on Link2. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `sharedKey` - -The shared key for peering configuration. Router does MD5 hash comparison to validate the packets sent by BGP connection. This parameter is optional and can be removed from peering configuration if not required. 
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `skuFamily`
-
-Chosen SKU family of ExpressRoute circuit. Choose from MeteredData or UnlimitedData SKU families.
-
-- Required: No
-- Type: string
-- Default: `'MeteredData'`
-- Allowed:
- ```Bicep
- [
- 'MeteredData'
- 'UnlimitedData'
- ]
- ```
-
-### Parameter: `skuTier`
-
-Chosen SKU Tier of ExpressRoute circuit. Choose from Local, Premium or Standard SKU tiers.
-
-- Required: No
-- Type: string
-- Default: `'Standard'`
-- Allowed:
- ```Bicep
- [
- 'Local'
- 'Premium'
- 'Standard'
- ]
- ```
-
-### Parameter: `tags`
-
-Tags of the resource.
-
-- Required: No
-- Type: object
-
-### Parameter: `vlanId`
-
-Specifies the identifier that is used to identify the customer.
-
-- Required: No
-- Type: int
-- Default: `0`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of express route curcuit. |
-| `resourceGroupName` | string | The resource group the express route curcuit was deployed into. |
-| `resourceId` | string | The resource ID of express route curcuit. |
-| `serviceKey` | string | The service key of the express route circuit. |
-
-## Cross-referenced modules
-
-_None_
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/network/express-route-circuit/main.bicep b/modules/network/express-route-circuit/main.bicep
deleted file mode 100644
index 523d957700..0000000000
--- a/modules/network/express-route-circuit/main.bicep
+++ /dev/null
@@ -1,282 +0,0 @@
-metadata name = 'ExpressRoute Circuits'
-metadata description = 'This module deploys an Express Route Circuit.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. This is the name of the ExpressRoute circuit.')
-param name string
-
-@description('Required. This is the name of the ExpressRoute Service Provider. It must exactly match one of the Service Providers from List ExpressRoute Service Providers API call.')
-param serviceProviderName string
-
-@description('Required. This is the name of the peering location and not the ARM resource location. It must exactly match one of the available peering locations from List ExpressRoute Service Providers API call.')
-param peeringLocation string
-
-@description('Required. This is the bandwidth in Mbps of the circuit being created. It must exactly match one of the available bandwidth offers List ExpressRoute Service Providers API call.')
-param bandwidthInMbps int
-
-@description('Optional. Chosen SKU Tier of ExpressRoute circuit. Choose from Local, Premium or Standard SKU tiers.')
-@allowed([
- 'Local'
- 'Standard'
- 'Premium'
-])
-param skuTier string = 'Standard'
-
-@description('Optional. Chosen SKU family of ExpressRoute circuit. Choose from MeteredData or UnlimitedData SKU families.')
-@allowed([
- 'MeteredData'
- 'UnlimitedData'
-])
-param skuFamily string = 'MeteredData'
-
-@description('Optional. Enabled BGP peering type for the Circuit.')
-param peering bool = false
-
-@description('Optional. BGP peering type for the Circuit. Choose from AzurePrivatePeering, AzurePublicPeering or MicrosoftPeering.')
-@allowed([
- 'AzurePrivatePeering'
- 'MicrosoftPeering'
-])
-param peeringType string = 'AzurePrivatePeering'
-
-@description('Optional. The shared key for peering configuration. Router does MD5 hash comparison to validate the packets sent by BGP connection.
This parameter is optional and can be removed from peering configuration if not required.')
-param sharedKey string = ''
-
-@description('Optional. The autonomous system number of the customer/connectivity provider.')
-param peerASN int = 0
-
-@description('Optional. A /30 subnet used to configure IP addresses for interfaces on Link1.')
-param primaryPeerAddressPrefix string = ''
-
-@description('Optional. A /30 subnet used to configure IP addresses for interfaces on Link2.')
-param secondaryPeerAddressPrefix string = ''
-
-@description('Optional. Specifies the identifier that is used to identify the customer.')
-param vlanId int = 0
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Allow classic operations. You can connect to virtual networks in the classic deployment model by setting allowClassicOperations to true.')
-param allowClassicOperations bool = false
-
-@description('Optional. The bandwidth of the circuit when the circuit is provisioned on an ExpressRoutePort resource. Available when configuring Express Route Direct. Default value of 0 will set the property to null.')
-param bandwidthInGbps int = 0
-
-@description('Optional. The reference to the ExpressRoutePort resource when the circuit is provisioned on an ExpressRoutePort resource. Available when configuring Express Route Direct.')
-param expressRoutePortResourceId string = ''
-
-@description('Optional. Flag denoting global reach status. To enable ExpressRoute Global Reach between different geopolitical regions, your circuits must be Premium SKU.')
-param globalReachEnabled bool = false
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional.
Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var peeringConfiguration = [
- {
- name: peeringType
- properties: {
- peeringType: peeringType
- sharedKey: sharedKey
- peerASN: peerASN
- primaryPeerAddressPrefix: primaryPeerAddressPrefix
- secondaryPeerAddressPrefix: secondaryPeerAddressPrefix
- vlanId: vlanId
- }
- }
-]
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource expressRouteCircuits 'Microsoft.Network/expressRouteCircuits@2023-04-01' = {
- name: name
- location: location
- tags: tags
- sku: {
- name: '${skuTier}_${skuFamily}'
- tier: skuTier
- family: skuTier == 'Local' ?
'UnlimitedData' : skuFamily
- }
- properties: {
- allowClassicOperations: allowClassicOperations
- globalReachEnabled: globalReachEnabled
- bandwidthInGbps: bandwidthInGbps != 0 ? bandwidthInGbps : null
- expressRoutePort: !empty(expressRoutePortResourceId) ? {
- id: expressRoutePortResourceId
- } : null
- serviceProviderProperties: {
- serviceProviderName: serviceProviderName
- peeringLocation: peeringLocation
- bandwidthInMbps: bandwidthInMbps
- }
- peerings: peering ? peeringConfiguration : null
- }
-}
-
-resource expressRouteCircuits_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: expressRouteCircuits
-}
-
-resource expressRouteCircuits_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: expressRouteCircuits
-}]
-
-resource expressRouteCircuits_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ??
[]): {
- name: guid(expressRouteCircuits.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: expressRouteCircuits
-}]
-
-@description('The resource ID of express route curcuit.')
-output resourceId string = expressRouteCircuits.id
-
-@description('The resource group the express route curcuit was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of express route curcuit.')
-output name string = expressRouteCircuits.name
-
-@description('The service key of the express route circuit.')
-output serviceKey string = reference(expressRouteCircuits.id, '2021-02-01').serviceKey
-
-@description('The location the resource was deployed into.')
-output location string = expressRouteCircuits.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign.
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource.
Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/network/express-route-circuit/main.json b/modules/network/express-route-circuit/main.json
deleted file mode 100644
index bc213c59d2..0000000000
--- a/modules/network/express-route-circuit/main.json
+++ /dev/null
@@ -1,542 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5050638438810286539" - }, - "name": "ExpressRoute Circuits", - "description": "This module deploys an Express Route Circuit.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. 
Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. This is the name of the ExpressRoute circuit." - } - }, - "serviceProviderName": { - "type": "string", - "metadata": { - "description": "Required. This is the name of the ExpressRoute Service Provider. It must exactly match one of the Service Providers from List ExpressRoute Service Providers API call." - } - }, - "peeringLocation": { - "type": "string", - "metadata": { - "description": "Required. This is the name of the peering location and not the ARM resource location. It must exactly match one of the available peering locations from List ExpressRoute Service Providers API call." - } - }, - "bandwidthInMbps": { - "type": "int", - "metadata": { - "description": "Required. This is the bandwidth in Mbps of the circuit being created. It must exactly match one of the available bandwidth offers List ExpressRoute Service Providers API call." - } - }, - "skuTier": { - "type": "string", - "defaultValue": "Standard", - "allowedValues": [ - "Local", - "Standard", - "Premium" - ], - "metadata": { - "description": "Optional. Chosen SKU Tier of ExpressRoute circuit. Choose from Local, Premium or Standard SKU tiers." - } - }, - "skuFamily": { - "type": "string", - "defaultValue": "MeteredData", - "allowedValues": [ - "MeteredData", - "UnlimitedData" - ], - "metadata": { - "description": "Optional. Chosen SKU family of ExpressRoute circuit. Choose from MeteredData or UnlimitedData SKU families." 
- } - }, - "peering": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enabled BGP peering type for the Circuit." - } - }, - "peeringType": { - "type": "string", - "defaultValue": "AzurePrivatePeering", - "allowedValues": [ - "AzurePrivatePeering", - "MicrosoftPeering" - ], - "metadata": { - "description": "Optional. BGP peering type for the Circuit. Choose from AzurePrivatePeering, AzurePublicPeering or MicrosoftPeering." - } - }, - "sharedKey": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The shared key for peering configuration. Router does MD5 hash comparison to validate the packets sent by BGP connection. This parameter is optional and can be removed from peering configuration if not required." - } - }, - "peerASN": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. The autonomous system number of the customer/connectivity provider." - } - }, - "primaryPeerAddressPrefix": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. A /30 subnet used to configure IP addresses for interfaces on Link1." - } - }, - "secondaryPeerAddressPrefix": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. A /30 subnet used to configure IP addresses for interfaces on Link2." - } - }, - "vlanId": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. Specifies the identifier that is used to identify the customer." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "allowClassicOperations": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Allow classic operations. You can connect to virtual networks in the classic deployment model by setting allowClassicOperations to true." 
- } - }, - "bandwidthInGbps": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. The bandwidth of the circuit when the circuit is provisioned on an ExpressRoutePort resource. Available when configuring Express Route Direct. Default value of 0 will set the property to null." - } - }, - "expressRoutePortResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The reference to the ExpressRoutePort resource when the circuit is provisioned on an ExpressRoutePort resource. Available when configuring Express Route Direct." - } - }, - "globalReachEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Flag denoting global reach status. To enable ExpressRoute Global Reach between different geopolitical regions, your circuits must be Premium SKU." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "peeringConfiguration": [ - { - "name": "[parameters('peeringType')]", - "properties": { - "peeringType": "[parameters('peeringType')]", - "sharedKey": "[parameters('sharedKey')]", - "peerASN": "[parameters('peerASN')]", - "primaryPeerAddressPrefix": "[parameters('primaryPeerAddressPrefix')]", - "secondaryPeerAddressPrefix": "[parameters('secondaryPeerAddressPrefix')]", - "vlanId": "[parameters('vlanId')]" - } - } - ], - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "expressRouteCircuits": { - "type": "Microsoft.Network/expressRouteCircuits", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": 
"[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "name": "[format('{0}_{1}', parameters('skuTier'), parameters('skuFamily'))]", - "tier": "[parameters('skuTier')]", - "family": "[if(equals(parameters('skuTier'), 'Local'), 'UnlimitedData', parameters('skuFamily'))]" - }, - "properties": { - "allowClassicOperations": "[parameters('allowClassicOperations')]", - "globalReachEnabled": "[parameters('globalReachEnabled')]", - "bandwidthInGbps": "[if(not(equals(parameters('bandwidthInGbps'), 0)), parameters('bandwidthInGbps'), null())]", - "expressRoutePort": "[if(not(empty(parameters('expressRoutePortResourceId'))), createObject('id', parameters('expressRoutePortResourceId')), null())]", - "serviceProviderProperties": { - "serviceProviderName": "[parameters('serviceProviderName')]", - "peeringLocation": "[parameters('peeringLocation')]", - "bandwidthInMbps": "[parameters('bandwidthInMbps')]" - }, - "peerings": "[if(parameters('peering'), variables('peeringConfiguration'), null())]" - } - }, - "expressRouteCircuits_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/expressRouteCircuits/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "expressRouteCircuits" - ] - }, - "expressRouteCircuits_diagnosticSettings": { - "copy": { - "name": "expressRouteCircuits_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": 
"Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Network/expressRouteCircuits/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "expressRouteCircuits" - ] - }, - "expressRouteCircuits_roleAssignments": { - "copy": { - "name": "expressRouteCircuits_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/expressRouteCircuits/{0}', 
parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/expressRouteCircuits', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "expressRouteCircuits" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - 
"description": "The resource ID of express route curcuit." - }, - "value": "[resourceId('Microsoft.Network/expressRouteCircuits', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the express route curcuit was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of express route curcuit." - }, - "value": "[parameters('name')]" - }, - "serviceKey": { - "type": "string", - "metadata": { - "description": "The service key of the express route circuit." - }, - "value": "[reference(resourceId('Microsoft.Network/expressRouteCircuits', parameters('name')), '2021-02-01').serviceKey]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('expressRouteCircuits', '2023-04-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/express-route-circuit/tests/e2e/defaults/main.test.bicep b/modules/network/express-route-circuit/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 1296f33399..0000000000 --- a/modules/network/express-route-circuit/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,52 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.expressroutecircuits-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nercmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- bandwidthInMbps: 50
- peeringLocation: 'Amsterdam'
- serviceProviderName: 'Equinix'
- }
-}]
diff --git a/modules/network/express-route-circuit/tests/e2e/max/dependencies.bicep b/modules/network/express-route-circuit/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/network/express-route-circuit/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/express-route-circuit/tests/e2e/max/main.test.bicep b/modules/network/express-route-circuit/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 705af9e25a..0000000000
--- a/modules/network/express-route-circuit/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,117 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.expressroutecircuits-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nercmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- bandwidthInMbps: 50
- peeringLocation: 'Amsterdam'
- serviceProviderName: 'Equinix'
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- skuFamily: 'MeteredData'
- skuTier: 'Standard'
- allowClassicOperations: true
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/express-route-circuit/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/express-route-circuit/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/network/express-route-circuit/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep b/modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index afcdd32c69..0000000000
--- a/modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,100 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.expressroutecircuits-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nercwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- bandwidthInMbps: 50
- peeringLocation: 'Amsterdam'
- serviceProviderName: 'Equinix'
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- skuFamily: 'MeteredData'
- skuTier: 'Standard'
- allowClassicOperations: true
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/express-route-circuit/version.json b/modules/network/express-route-circuit/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/network/express-route-circuit/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/express-route-gateway/MOVED-TO-AVM.MD b/modules/network/express-route-gateway/MOVED-TO-AVM.MD
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/network/express-route-gateway/MOVED-TO-AVM.MD
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/network/express-route-gateway/README.md b/modules/network/express-route-gateway/README.md
index c2084076e9..0370f131b0 100644
--- a/modules/network/express-route-gateway/README.md
+++ b/modules/network/express-route-gateway/README.md
@@ -1,513 +1,7 @@
-# Express Route Gateways `[Microsoft.Network/expressRouteGateways]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/express-route-gateway](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/express-route-gateway).** -This module deploys an Express Route Gateway. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/express-route-gateway). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/expressRouteGateways` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/expressRouteGateways) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
- ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.express-route-gateway:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module expressRouteGateway 'br:bicep/modules/network.express-route-gateway:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nergmin' - params: { - // Required parameters - name: 'nergmin001' - virtualHubId: '' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nergmin001" - }, - "virtualHubId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module expressRouteGateway 'br:bicep/modules/network.express-route-gateway:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nergmax' - params: { - // Required parameters - name: 'nergmax001' - virtualHubId: '' - // Non-required parameters - autoScaleConfigurationBoundsMax: 3 - autoScaleConfigurationBoundsMin: 2 - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - hello: 'world' - 'hidden-title': 'This is visible in the resource name' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nergmax001" - }, - "virtualHubId": { - "value": "" - }, - // Non-required parameters - "autoScaleConfigurationBoundsMax": { - "value": 3 - }, - "autoScaleConfigurationBoundsMin": { - "value": 2 - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "hello": "world", - "hidden-title": "This is visible in the resource name" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module expressRouteGateway 'br:bicep/modules/network.express-route-gateway:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nergwaf' - params: { - // Required parameters - name: 'nergwaf001' - virtualHubId: '' - // Non-required parameters - autoScaleConfigurationBoundsMax: 3 - autoScaleConfigurationBoundsMin: 2 - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - hello: 'world' - 'hidden-title': 'This is visible in the resource name' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nergwaf001" - }, - "virtualHubId": { - "value": "" - }, - // Non-required parameters - "autoScaleConfigurationBoundsMax": { - "value": 3 - }, - "autoScaleConfigurationBoundsMin": { - "value": 2 - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "tags": { - "value": { - "hello": "world", - "hidden-title": "This is visible in the resource name" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Express Route Gateway. | -| [`virtualHubId`](#parameter-virtualhubid) | string | Resource ID of the Virtual Wan Hub. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`allowNonVirtualWanTraffic`](#parameter-allownonvirtualwantraffic) | bool | Configures this gateway to accept traffic from non Virtual WAN networks. | -| [`autoScaleConfigurationBoundsMax`](#parameter-autoscaleconfigurationboundsmax) | int | Maximum number of scale units deployed for ExpressRoute gateway. | -| [`autoScaleConfigurationBoundsMin`](#parameter-autoscaleconfigurationboundsmin) | int | Minimum number of scale units deployed for ExpressRoute gateway. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`expressRouteConnections`](#parameter-expressrouteconnections) | array | List of ExpressRoute connections to the ExpressRoute gateway. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`tags`](#parameter-tags) | object | Tags of the Firewall policy resource. | - -### Parameter: `name` - -Name of the Express Route Gateway. - -- Required: Yes -- Type: string - -### Parameter: `virtualHubId` - -Resource ID of the Virtual Wan Hub. - -- Required: Yes -- Type: string - -### Parameter: `allowNonVirtualWanTraffic` - -Configures this gateway to accept traffic from non Virtual WAN networks. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `autoScaleConfigurationBoundsMax` - -Maximum number of scale units deployed for ExpressRoute gateway. 
- -- Required: No -- Type: int -- Default: `2` - -### Parameter: `autoScaleConfigurationBoundsMin` - -Minimum number of scale units deployed for ExpressRoute gateway. - -- Required: No -- Type: int -- Default: `2` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `expressRouteConnections` - -List of ExpressRoute connections to the ExpressRoute gateway. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Tags of the Firewall policy resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the ExpressRoute Gateway. | -| `resourceGroupName` | string | The resource group of the ExpressRoute Gateway was deployed into. | -| `resourceId` | string | The resource ID of the ExpressRoute Gateway. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/network/express-route-gateway/main.bicep b/modules/network/express-route-gateway/main.bicep deleted file mode 100644 index 3c092e14f1..0000000000 --- a/modules/network/express-route-gateway/main.bicep +++ /dev/null 
@@ -1,146 +0,0 @@
-metadata name = 'Express Route Gateways'
-metadata description = 'This module deploys an Express Route Gateway.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the Express Route Gateway.')
-param name string
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Tags of the Firewall policy resource.')
-param tags object?
-
-@description('Optional. Configures this gateway to accept traffic from non Virtual WAN networks.')
-param allowNonVirtualWanTraffic bool = false
-
-@description('Optional. Maximum number of scale units deployed for ExpressRoute gateway.')
-param autoScaleConfigurationBoundsMax int = 2
-
-@description('Optional. Minimum number of scale units deployed for ExpressRoute gateway.')
-param autoScaleConfigurationBoundsMin int = 2
-
-@description('Optional. List of ExpressRoute connections to the ExpressRoute gateway.')
-param expressRouteConnections array = []
-
-@description('Required. Resource ID of the Virtual Wan Hub.')
-param virtualHubId string
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource expressRouteGateway 'Microsoft.Network/expressRouteGateways@2023-04-01' = {
- name: name
- location: location
- tags: tags
- properties: {
- allowNonVirtualWanTraffic: allowNonVirtualWanTraffic
- autoScaleConfiguration: {
- bounds: {
- max: autoScaleConfigurationBoundsMax
- min: autoScaleConfigurationBoundsMin
- }
- }
- expressRouteConnections: expressRouteConnections
- virtualHub: {
- id: virtualHubId
- }
- }
-}
-
-resource expressRouteGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: expressRouteGateway
-}
-
-resource expressRouteGateway_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(expressRouteGateway.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: expressRouteGateway
-}]
-
-@description('The resource ID of the ExpressRoute Gateway.')
-output resourceId string = expressRouteGateway.id
-
-@description('The resource group of the ExpressRoute Gateway was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the ExpressRoute Gateway.')
-output name string = expressRouteGateway.name
-
-@description('The location the resource was deployed into.')
-output location string = expressRouteGateway.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/network/express-route-gateway/main.json b/modules/network/express-route-gateway/main.json
deleted file mode 100644
index 96877d8514..0000000000
--- a/modules/network/express-route-gateway/main.json
+++ /dev/null
@@ -1,295 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17235076450976067211" - }, - "name": "Express Route Gateways", - "description": "This module deploys an Express Route Gateway.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Express Route Gateway." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the Firewall policy resource." - } - }, - "allowNonVirtualWanTraffic": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Configures this gateway to accept traffic from non Virtual WAN networks." - } - }, - "autoScaleConfigurationBoundsMax": { - "type": "int", - "defaultValue": 2, - "metadata": { - "description": "Optional. Maximum number of scale units deployed for ExpressRoute gateway." - } - }, - "autoScaleConfigurationBoundsMin": { - "type": "int", - "defaultValue": 2, - "metadata": { - "description": "Optional. Minimum number of scale units deployed for ExpressRoute gateway." - } - }, - "expressRouteConnections": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of ExpressRoute connections to the ExpressRoute gateway." 
- } - }, - "virtualHubId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the Virtual Wan Hub." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - 
} - }, - "expressRouteGateway": { - "type": "Microsoft.Network/expressRouteGateways", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "allowNonVirtualWanTraffic": "[parameters('allowNonVirtualWanTraffic')]", - "autoScaleConfiguration": { - "bounds": { - "max": "[parameters('autoScaleConfigurationBoundsMax')]", - "min": "[parameters('autoScaleConfigurationBoundsMin')]" - } - }, - "expressRouteConnections": "[parameters('expressRouteConnections')]", - "virtualHub": { - "id": "[parameters('virtualHubId')]" - } - } - }, - "expressRouteGateway_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/expressRouteGateways/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "expressRouteGateway" - ] - }, - "expressRouteGateway_roleAssignments": { - "copy": { - "name": "expressRouteGateway_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/expressRouteGateways/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/expressRouteGateways', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "expressRouteGateway" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the ExpressRoute Gateway." 
- }, - "value": "[resourceId('Microsoft.Network/expressRouteGateways', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the ExpressRoute Gateway was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the ExpressRoute Gateway." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('expressRouteGateway', '2023-04-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/express-route-gateway/tests/e2e/defaults/dependencies.bicep b/modules/network/express-route-gateway/tests/e2e/defaults/dependencies.bicep deleted file mode 100644 index 0e84400a01..0000000000 --- a/modules/network/express-route-gateway/tests/e2e/defaults/dependencies.bicep +++ /dev/null @@ -1,27 +0,0 @@ -@description('Required. The name of the virtual WAN to create.') -param virtualWANName string - -@description('Required. The name of the virtual Hub to create.') -param virtualHubName string - -@description('Optional. The location to deploy resources to.') -param location string = resourceGroup().location - -resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' = { - name: virtualWANName - location: location -} - -resource virtualHub 'Microsoft.Network/virtualHubs@2023-04-01' = { - name: virtualHubName - location: location - properties: { - addressPrefix: '10.0.0.0/16' - virtualWan: { - id: virtualWan.id - } - } -} - -@description('The resource ID of the created Virtual Hub.') -output virtualHubResourceId string = virtualHub.id diff --git a/modules/network/express-route-gateway/tests/e2e/defaults/main.test.bicep b/modules/network/express-route-gateway/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index d9a40783f7..0000000000 
--- a/modules/network/express-route-gateway/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,59 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.expressRouteGateway-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nergmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualWANName: 'dep-${namePrefix}-vwan-${serviceShort}'
- virtualHubName: 'dep-${namePrefix}-hub-${serviceShort}'
- }
-}
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- virtualHubId: nestedDependencies.outputs.virtualHubResourceId
-
- }
-}]
diff --git a/modules/network/express-route-gateway/tests/e2e/max/dependencies.bicep b/modules/network/express-route-gateway/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index acaa3b4df8..0000000000
--- a/modules/network/express-route-gateway/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,38 +0,0 @@
-@description('Required. The name of the virtual WAN to create.')
-param virtualWANName string
-
-@description('Required. The name of the virtual Hub to create.')
-param virtualHubName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' = {
- name: virtualWANName
- location: location
-}
-
-resource virtualHub 'Microsoft.Network/virtualHubs@2023-04-01' = {
- name: virtualHubName
- location: location
- properties: {
- addressPrefix: '10.0.0.0/16'
- virtualWan: {
- id: virtualWan.id
- }
- }
-}
-
-@description('The resource ID of the created Virtual Hub.')
-output virtualHubResourceId string = virtualHub.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/express-route-gateway/tests/e2e/max/main.test.bicep b/modules/network/express-route-gateway/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 1939d49a61..0000000000
--- a/modules/network/express-route-gateway/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,86 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.expressRouteGateway-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nergmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualWANName: 'dep-${namePrefix}-vwan-${serviceShort}'
- virtualHubName: 'dep-${namePrefix}-hub-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- hello: 'world'
- }
- autoScaleConfigurationBoundsMin: 2
- autoScaleConfigurationBoundsMax: 3
- virtualHubId: nestedDependencies.outputs.virtualHubResourceId
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- }
-}]
diff --git a/modules/network/express-route-gateway/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/express-route-gateway/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index acaa3b4df8..0000000000
--- a/modules/network/express-route-gateway/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,38 +0,0 @@
-@description('Required. The name of the virtual WAN to create.')
-param virtualWANName string
-
-@description('Required. The name of the virtual Hub to create.')
-param virtualHubName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' = {
- name: virtualWANName
- location: location
-}
-
-resource virtualHub 'Microsoft.Network/virtualHubs@2023-04-01' = {
- name: virtualHubName
- location: location
- properties: {
- addressPrefix: '10.0.0.0/16'
- virtualWan: {
- id: virtualWan.id
- }
- }
-}
-
-@description('The resource ID of the created Virtual Hub.')
-output virtualHubResourceId string = virtualHub.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 81e988ca2d..0000000000
--- a/modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,69 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.expressRouteGateway-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nergwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualWANName: 'dep-${namePrefix}-vwan-${serviceShort}'
- virtualHubName: 'dep-${namePrefix}-hub-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- hello: 'world'
- }
- autoScaleConfigurationBoundsMin: 2
- autoScaleConfigurationBoundsMax: 3
- virtualHubId: nestedDependencies.outputs.virtualHubResourceId
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- }
-}]
diff --git a/modules/network/express-route-gateway/version.json b/modules/network/express-route-gateway/version.json
deleted file mode 100644
index 04a0dd1a80..0000000000
--- a/modules/network/express-route-gateway/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.5",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/firewall-policy/MOVED-TO-AVM.md b/modules/network/firewall-policy/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/network/firewall-policy/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/network/firewall-policy/README.md b/modules/network/firewall-policy/README.md
index 7edb8d41ee..3ca0138a4d 100644
--- a/modules/network/firewall-policy/README.md
+++ b/modules/network/firewall-policy/README.md
@@ -1,664 +1,7 @@ -# Firewall Policies `[Microsoft.Network/firewallPolicies]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/firewall-policy](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/firewall-policy).** -This module deploys a Firewall Policy. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/firewall-policy). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Network/firewallPolicies` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/firewallPolicies) | -| `Microsoft.Network/firewallPolicies/ruleCollectionGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/firewallPolicies/ruleCollectionGroups) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.firewall-policy:1.0.0`. 
- -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module firewallPolicy 'br:bicep/modules/network.firewall-policy:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nfpmin' - params: { - // Required parameters - name: 'nfpmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nfpmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module firewallPolicy 'br:bicep/modules/network.firewall-policy:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nfpmax' - params: { - // Required parameters - name: 'nfpmax001' - // Non-required parameters - allowSqlRedirect: true - autoLearnPrivateRanges: 'Enabled' - enableDefaultTelemetry: '' - ruleCollectionGroups: [ - { - name: 'rule-001' - priority: 5000 - ruleCollections: [ - { - action: { - type: 'Allow' - } - name: 'collection002' - priority: 5555 - ruleCollectionType: 'FirewallPolicyFilterRuleCollection' - rules: [ - { - destinationAddresses: [ - '*' - ] - destinationFqdns: [] - destinationIpGroups: [] - destinationPorts: [ - '80' - ] - ipProtocols: [ - 'TCP' - 'UDP' - ] - name: 'rule002' - ruleType: 'NetworkRule' - sourceAddresses: [ - '*' - ] - sourceIpGroups: [] - } - ] - } - ] - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nfpmax001" - }, - // Non-required parameters - "allowSqlRedirect": { - "value": true - }, - "autoLearnPrivateRanges": { - "value": "Enabled" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "ruleCollectionGroups": { - "value": [ - { - "name": "rule-001", - "priority": 5000, - "ruleCollections": [ - { - "action": { - "type": "Allow" - }, - "name": "collection002", - "priority": 5555, - "ruleCollectionType": "FirewallPolicyFilterRuleCollection", - "rules": [ - { - "destinationAddresses": [ - "*" - ], - "destinationFqdns": [], - "destinationIpGroups": [], - "destinationPorts": [ - "80" - ], - "ipProtocols": [ - "TCP", - "UDP" - ], - "name": "rule002", - "ruleType": "NetworkRule", - "sourceAddresses": [ - "*" - ], - "sourceIpGroups": [] - } - ] - } - ] - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module firewallPolicy 'br:bicep/modules/network.firewall-policy:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nfpwaf' - params: { - // Required parameters - name: 'nfpwaf001' - // Non-required parameters - allowSqlRedirect: true - autoLearnPrivateRanges: 'Enabled' - enableDefaultTelemetry: '' - ruleCollectionGroups: [ - { - name: 'rule-001' - priority: 5000 - ruleCollections: [ - { - action: { - type: 'Allow' - } - name: 'collection002' - priority: 5555 - ruleCollectionType: 'FirewallPolicyFilterRuleCollection' - rules: [ - { - destinationAddresses: [ - '*' - ] - destinationFqdns: [] - destinationIpGroups: [] - destinationPorts: [ - '80' - ] - ipProtocols: [ - 'TCP' - 'UDP' - ] - name: 'rule002' - ruleType: 'NetworkRule' - sourceAddresses: [ - '*' - ] - sourceIpGroups: [] - } - ] - } - ] - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nfpwaf001" - }, - // Non-required parameters - "allowSqlRedirect": { - "value": true - }, - "autoLearnPrivateRanges": { - "value": "Enabled" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "ruleCollectionGroups": { - "value": [ - { - "name": "rule-001", - "priority": 5000, - "ruleCollections": [ - { - "action": { - "type": "Allow" - }, - "name": "collection002", - "priority": 5555, - "ruleCollectionType": "FirewallPolicyFilterRuleCollection", - "rules": [ - { - "destinationAddresses": [ - "*" - ], - "destinationFqdns": [], - "destinationIpGroups": [], - "destinationPorts": [ - "80" - ], - "ipProtocols": [ - "TCP", - "UDP" - ], - "name": "rule002", - "ruleType": "NetworkRule", - "sourceAddresses": [ - "*" - ], - "sourceIpGroups": [] - } - ] - } - ] - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Firewall Policy. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`allowSqlRedirect`](#parameter-allowsqlredirect) | bool | A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999. | -| [`autoLearnPrivateRanges`](#parameter-autolearnprivateranges) | string | The operation mode for automatically learning private ranges to not be SNAT. | -| [`basePolicyResourceId`](#parameter-basepolicyresourceid) | string | Resource ID of the base policy. | -| [`bypassTrafficSettings`](#parameter-bypasstrafficsettings) | array | List of rules for traffic to bypass. | -| [`certificateName`](#parameter-certificatename) | string | Name of the CA certificate. | -| [`defaultWorkspaceId`](#parameter-defaultworkspaceid) | string | Default Log Analytics Resource ID for Firewall Policy Insights. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`enableProxy`](#parameter-enableproxy) | bool | Enable DNS Proxy on Firewalls attached to the Firewall Policy. | -| [`fqdns`](#parameter-fqdns) | array | List of FQDNs for the ThreatIntel Allowlist. | -| [`insightsIsEnabled`](#parameter-insightsisenabled) | bool | A flag to indicate if the insights are enabled on the policy. | -| [`ipAddresses`](#parameter-ipaddresses) | array | List of IP addresses for the ThreatIntel Allowlist. | -| [`keyVaultSecretId`](#parameter-keyvaultsecretid) | string | Secret ID of (base-64 encoded unencrypted PFX) Secret or Certificate object stored in KeyVault. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. 
| -| [`mode`](#parameter-mode) | string | The configuring of intrusion detection. | -| [`privateRanges`](#parameter-privateranges) | array | List of private IP addresses/IP address ranges to not be SNAT. | -| [`retentionDays`](#parameter-retentiondays) | int | Number of days the insights should be enabled on the policy. | -| [`ruleCollectionGroups`](#parameter-rulecollectiongroups) | array | Rule collection groups. | -| [`servers`](#parameter-servers) | array | List of Custom DNS Servers. | -| [`signatureOverrides`](#parameter-signatureoverrides) | array | List of specific signatures states. | -| [`tags`](#parameter-tags) | object | Tags of the Firewall policy resource. | -| [`threatIntelMode`](#parameter-threatintelmode) | string | The operation mode for Threat Intel. | -| [`tier`](#parameter-tier) | string | Tier of Firewall Policy. | -| [`workspaces`](#parameter-workspaces) | array | List of workspaces for Firewall Policy Insights. | - -### Parameter: `name` - -Name of the Firewall Policy. - -- Required: Yes -- Type: string - -### Parameter: `allowSqlRedirect` - -A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `autoLearnPrivateRanges` - -The operation mode for automatically learning private ranges to not be SNAT. - -- Required: No -- Type: string -- Default: `'Disabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `basePolicyResourceId` - -Resource ID of the base policy. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `bypassTrafficSettings` - -List of rules for traffic to bypass. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `certificateName` - -Name of the CA certificate. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `defaultWorkspaceId` - -Default Log Analytics Resource ID for Firewall Policy Insights. 
- -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableProxy` - -Enable DNS Proxy on Firewalls attached to the Firewall Policy. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `fqdns` - -List of FQDNs for the ThreatIntel Allowlist. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `insightsIsEnabled` - -A flag to indicate if the insights are enabled on the policy. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `ipAddresses` - -List of IP addresses for the ThreatIntel Allowlist. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `keyVaultSecretId` - -Secret ID of (base-64 encoded unencrypted PFX) Secret or Certificate object stored in KeyVault. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: Yes -- Type: array - -### Parameter: `mode` - -The configuring of intrusion detection. - -- Required: No -- Type: string -- Default: `'Off'` -- Allowed: - ```Bicep - [ - 'Alert' - 'Deny' - 'Off' - ] - ``` - -### Parameter: `privateRanges` - -List of private IP addresses/IP address ranges to not be SNAT. 
- -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `retentionDays` - -Number of days the insights should be enabled on the policy. - -- Required: No -- Type: int -- Default: `365` - -### Parameter: `ruleCollectionGroups` - -Rule collection groups. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `servers` - -List of Custom DNS Servers. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `signatureOverrides` - -List of specific signatures states. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `tags` - -Tags of the Firewall policy resource. - -- Required: No -- Type: object - -### Parameter: `threatIntelMode` - -The operation mode for Threat Intel. - -- Required: No -- Type: string -- Default: `'Off'` -- Allowed: - ```Bicep - [ - 'Alert' - 'Deny' - 'Off' - ] - ``` - -### Parameter: `tier` - -Tier of Firewall Policy. - -- Required: No -- Type: string -- Default: `'Standard'` -- Allowed: - ```Bicep - [ - 'Premium' - 'Standard' - ] - ``` - -### Parameter: `workspaces` - -List of workspaces for Firewall Policy Insights. - -- Required: No -- Type: array -- Default: `[]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed firewall policy. | -| `resourceGroupName` | string | The resource group of the deployed firewall policy. | -| `resourceId` | string | The resource ID of the deployed firewall policy. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/network/firewall-policy/main.bicep b/modules/network/firewall-policy/main.bicep deleted file mode 100644 index e48075cb6c..0000000000 --- a/modules/network/firewall-policy/main.bicep +++ /dev/null 
@@ -1,209 +0,0 @@
-metadata name = 'Firewall Policies'
-metadata description = 'This module deploys a Firewall Policy.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the Firewall Policy.')
-param name string
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Tags of the Firewall policy resource.')
-param tags object?
-
-@description('Optional. The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
-
-@description('Optional. Resource ID of the base policy.')
-param basePolicyResourceId string = ''
-
-@description('Optional. Enable DNS Proxy on Firewalls attached to the Firewall Policy.')
-param enableProxy bool = false
-
-@description('Optional. List of Custom DNS Servers.')
-param servers array = []
-
-@description('Optional. A flag to indicate if the insights are enabled on the policy.')
-param insightsIsEnabled bool = false
-
-@description('Optional. Default Log Analytics Resource ID for Firewall Policy Insights.')
-param defaultWorkspaceId string = ''
-
-@description('Optional. List of workspaces for Firewall Policy Insights.')
-param workspaces array = []
-
-@description('Optional. Number of days the insights should be enabled on the policy.')
-param retentionDays int = 365
-
-@description('Optional. List of rules for traffic to bypass.')
-param bypassTrafficSettings array = []
-
-@description('Optional. List of specific signatures states.')
-param signatureOverrides array = []
-
-@description('Optional. The configuring of intrusion detection.')
-@allowed([
- 'Alert'
- 'Deny'
- 'Off'
-])
-param mode string = 'Off'
-
-@description('Optional. Tier of Firewall Policy.')
-@allowed([
- 'Premium'
- 'Standard'
-])
-param tier string = 'Standard'
-
-@description('Optional. List of private IP addresses/IP address ranges to not be SNAT.')
-param privateRanges array = []
-
-@allowed([
- 'Disabled'
- 'Enabled'
-])
-@description('Optional. The operation mode for automatically learning private ranges to not be SNAT.')
-param autoLearnPrivateRanges string = 'Disabled'
-
-@description('Optional. The operation mode for Threat Intel.')
-@allowed([
- 'Alert'
- 'Deny'
- 'Off'
-])
-param threatIntelMode string = 'Off'
-
-@description('Optional. A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999.')
-param allowSqlRedirect bool = false
-
-@description('Optional. List of FQDNs for the ThreatIntel Allowlist.')
-param fqdns array = []
-
-@description('Optional. List of IP addresses for the ThreatIntel Allowlist.')
-param ipAddresses array = []
-
-@description('Optional. Secret ID of (base-64 encoded unencrypted PFX) Secret or Certificate object stored in KeyVault.')
-#disable-next-line secure-secrets-in-params // Not a secret
-param keyVaultSecretId string = ''
-
-@description('Optional. Name of the CA certificate.')
-param certificateName string = ''
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. Rule collection groups.')
-param ruleCollectionGroups array = []
-
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-
-var identity = !empty(managedIdentities) ? {
- type: !empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null
- userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
-} : null
-
-var enableReferencedModulesTelemetry = false
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource firewallPolicy 'Microsoft.Network/firewallPolicies@2023-04-01' = {
- name: name
- location: location
- tags: tags
- identity: identity
- properties: {
- basePolicy: !empty(basePolicyResourceId) ? {
- id: basePolicyResourceId
- } : null
- dnsSettings: enableProxy ? {
- enableProxy: enableProxy
- servers: servers
- } : null
- insights: insightsIsEnabled ? {
- isEnabled: insightsIsEnabled
- logAnalyticsResources: {
- defaultWorkspaceId: {
- id: !empty(defaultWorkspaceId) ? defaultWorkspaceId : null
- }
- workspaces: !empty(workspaces) ? workspaces : null
- }
- retentionDays: retentionDays
- } : null
- intrusionDetection: (mode != 'Off') ? {
- configuration: {
- bypassTrafficSettings: !empty(bypassTrafficSettings) ? bypassTrafficSettings : null
- signatureOverrides: !empty(signatureOverrides) ? signatureOverrides : null
- }
- mode: mode
- } : null
- sku: {
- tier: tier
- }
- snat: !empty(privateRanges) ? {
- autoLearnPrivateRanges: autoLearnPrivateRanges
- privateRanges: privateRanges
- } : null
- sql: {
- allowSqlRedirect: allowSqlRedirect
- }
- threatIntelMode: threatIntelMode
- threatIntelWhitelist: {
- fqdns: fqdns
- ipAddresses: ipAddresses
- }
- transportSecurity: (!empty(keyVaultSecretId) || !empty(certificateName)) ? {
- certificateAuthority: {
- keyVaultSecretId: !empty(keyVaultSecretId) ? keyVaultSecretId : null
- name: !empty(certificateName) ? certificateName : null
- }
- } : null
- }
-}
-
-// When a FW policy uses a base policy and have more rule collection groups,
-// they need to be deployed sequentially, otherwise the deployment would fail
-// because of concurrent access to the base policy.
-// The next line forces ARM to deploy them one after the other, so no race concition on the base policy will happen.
-@batchSize(1)
-module firewallPolicy_ruleCollectionGroups 'rule-collection-group/main.bicep' = [for (ruleCollectionGroup, index) in ruleCollectionGroups: {
- name: '${uniqueString(deployment().name, location)}-firewallPolicy_ruleCollectionGroups-${index}'
- params: {
- firewallPolicyName: firewallPolicy.name
- name: ruleCollectionGroup.name
- priority: ruleCollectionGroup.priority
- ruleCollections: ruleCollectionGroup.ruleCollections
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-@description('The name of the deployed firewall policy.')
-output name string = firewallPolicy.name
-
-@description('The resource ID of the deployed firewall policy.')
-output resourceId string = firewallPolicy.id
-
-@description('The resource group of the deployed firewall policy.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = firewallPolicy.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]
-}?
diff --git a/modules/network/firewall-policy/main.json b/modules/network/firewall-policy/main.json
deleted file mode 100644
index 36679e536d..0000000000
--- a/modules/network/firewall-policy/main.json
+++ /dev/null
@@ -1,436 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10730945025240444473" - }, - "name": "Firewall Policies", - "description": "This module deploys a Firewall Policy.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Firewall Policy." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the Firewall policy resource." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "basePolicyResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the base policy." - } - }, - "enableProxy": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enable DNS Proxy on Firewalls attached to the Firewall Policy." - } - }, - "servers": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of Custom DNS Servers." - } - }, - "insightsIsEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. 
A flag to indicate if the insights are enabled on the policy." - } - }, - "defaultWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Default Log Analytics Resource ID for Firewall Policy Insights." - } - }, - "workspaces": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of workspaces for Firewall Policy Insights." - } - }, - "retentionDays": { - "type": "int", - "defaultValue": 365, - "metadata": { - "description": "Optional. Number of days the insights should be enabled on the policy." - } - }, - "bypassTrafficSettings": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of rules for traffic to bypass." - } - }, - "signatureOverrides": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of specific signatures states." - } - }, - "mode": { - "type": "string", - "defaultValue": "Off", - "allowedValues": [ - "Alert", - "Deny", - "Off" - ], - "metadata": { - "description": "Optional. The configuring of intrusion detection." - } - }, - "tier": { - "type": "string", - "defaultValue": "Standard", - "allowedValues": [ - "Premium", - "Standard" - ], - "metadata": { - "description": "Optional. Tier of Firewall Policy." - } - }, - "privateRanges": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of private IP addresses/IP address ranges to not be SNAT." - } - }, - "autoLearnPrivateRanges": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. The operation mode for automatically learning private ranges to not be SNAT." - } - }, - "threatIntelMode": { - "type": "string", - "defaultValue": "Off", - "allowedValues": [ - "Alert", - "Deny", - "Off" - ], - "metadata": { - "description": "Optional. The operation mode for Threat Intel." 
- } - }, - "allowSqlRedirect": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999." - } - }, - "fqdns": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of FQDNs for the ThreatIntel Allowlist." - } - }, - "ipAddresses": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of IP addresses for the ThreatIntel Allowlist." - } - }, - "keyVaultSecretId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Secret ID of (base-64 encoded unencrypted PFX) Secret or Certificate object stored in KeyVault." - } - }, - "certificateName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the CA certificate." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "ruleCollectionGroups": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Rule collection groups." 
- } - } - }, - "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null()), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "firewallPolicy": { - "type": "Microsoft.Network/firewallPolicies", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "properties": { - "basePolicy": "[if(not(empty(parameters('basePolicyResourceId'))), createObject('id', parameters('basePolicyResourceId')), null())]", - "dnsSettings": "[if(parameters('enableProxy'), createObject('enableProxy', parameters('enableProxy'), 'servers', parameters('servers')), null())]", - "insights": "[if(parameters('insightsIsEnabled'), createObject('isEnabled', parameters('insightsIsEnabled'), 'logAnalyticsResources', 
createObject('defaultWorkspaceId', createObject('id', if(not(empty(parameters('defaultWorkspaceId'))), parameters('defaultWorkspaceId'), null())), 'workspaces', if(not(empty(parameters('workspaces'))), parameters('workspaces'), null())), 'retentionDays', parameters('retentionDays')), null())]", - "intrusionDetection": "[if(not(equals(parameters('mode'), 'Off')), createObject('configuration', createObject('bypassTrafficSettings', if(not(empty(parameters('bypassTrafficSettings'))), parameters('bypassTrafficSettings'), null()), 'signatureOverrides', if(not(empty(parameters('signatureOverrides'))), parameters('signatureOverrides'), null())), 'mode', parameters('mode')), null())]", - "sku": { - "tier": "[parameters('tier')]" - }, - "snat": "[if(not(empty(parameters('privateRanges'))), createObject('autoLearnPrivateRanges', parameters('autoLearnPrivateRanges'), 'privateRanges', parameters('privateRanges')), null())]", - "sql": { - "allowSqlRedirect": "[parameters('allowSqlRedirect')]" - }, - "threatIntelMode": "[parameters('threatIntelMode')]", - "threatIntelWhitelist": { - "fqdns": "[parameters('fqdns')]", - "ipAddresses": "[parameters('ipAddresses')]" - }, - "transportSecurity": "[if(or(not(empty(parameters('keyVaultSecretId'))), not(empty(parameters('certificateName')))), createObject('certificateAuthority', createObject('keyVaultSecretId', if(not(empty(parameters('keyVaultSecretId'))), parameters('keyVaultSecretId'), null()), 'name', if(not(empty(parameters('certificateName'))), parameters('certificateName'), null()))), null())]" - } - }, - "firewallPolicy_ruleCollectionGroups": { - "copy": { - "name": "firewallPolicy_ruleCollectionGroups", - "count": "[length(parameters('ruleCollectionGroups'))]", - "mode": "serial", - "batchSize": 1 - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-firewallPolicy_ruleCollectionGroups-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { 
- "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "firewallPolicyName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('ruleCollectionGroups')[copyIndex()].name]" - }, - "priority": { - "value": "[parameters('ruleCollectionGroups')[copyIndex()].priority]" - }, - "ruleCollections": { - "value": "[parameters('ruleCollectionGroups')[copyIndex()].ruleCollections]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "18100190658467124638" - }, - "name": "Firewall Policy Rule Collection Groups", - "description": "This module deploys a Firewall Policy Rule Collection Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "firewallPolicyName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Firewall Policy. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the rule collection group to deploy." - } - }, - "priority": { - "type": "int", - "metadata": { - "description": "Required. Priority of the Firewall Policy Rule Collection Group resource." - } - }, - "ruleCollections": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Group of Firewall Policy rule collections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('firewallPolicyName'), parameters('name'))]", - "properties": { - "priority": "[parameters('priority')]", - "ruleCollections": "[parameters('ruleCollections')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed rule collection group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed rule collection group." - }, - "value": "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', parameters('firewallPolicyName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed rule collection group." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "firewallPolicy" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed firewall policy." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed firewall policy." 
- }, - "value": "[resourceId('Microsoft.Network/firewallPolicies', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed firewall policy." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('firewallPolicy', '2023-04-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/firewall-policy/rule-collection-group/README.md b/modules/network/firewall-policy/rule-collection-group/README.md deleted file mode 100644 index aa3fdbc956..0000000000 --- a/modules/network/firewall-policy/rule-collection-group/README.md +++ /dev/null 
@@ -1,88 +0,0 @@
-# Firewall Policy Rule Collection Groups `[Microsoft.Network/firewallPolicies/ruleCollectionGroups]`
-
-This module deploys a Firewall Policy Rule Collection Group.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Network/firewallPolicies/ruleCollectionGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/firewallPolicies/ruleCollectionGroups) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the rule collection group to deploy. |
-| [`priority`](#parameter-priority) | int | Priority of the Firewall Policy Rule Collection Group resource. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`firewallPolicyName`](#parameter-firewallpolicyname) | string | The name of the parent Firewall Policy. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`ruleCollections`](#parameter-rulecollections) | array | Group of Firewall Policy rule collections. |
-
-### Parameter: `name`
-
-The name of the rule collection group to deploy.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `priority`
-
-Priority of the Firewall Policy Rule Collection Group resource.
-
-- Required: Yes
-- Type: int
-
-### Parameter: `firewallPolicyName`
-
-The name of the parent Firewall Policy. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `ruleCollections`
-
-Group of Firewall Policy rule collections.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed rule collection group. |
-| `resourceGroupName` | string | The resource group of the deployed rule collection group. |
-| `resourceId` | string | The resource ID of the deployed rule collection group. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/network/firewall-policy/rule-collection-group/main.bicep b/modules/network/firewall-policy/rule-collection-group/main.bicep
deleted file mode 100644
index f7a417981f..0000000000
--- a/modules/network/firewall-policy/rule-collection-group/main.bicep
+++ /dev/null
@@ -1,52 +0,0 @@
-metadata name = 'Firewall Policy Rule Collection Groups'
-metadata description = 'This module deploys a Firewall Policy Rule Collection Group.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Firewall Policy. Required if the template is used in a standalone deployment.')
-param firewallPolicyName string
-
-@description('Required. The name of the rule collection group to deploy.')
-param name string
-
-@description('Required. Priority of the Firewall Policy Rule Collection Group resource.')
-param priority int
-
-@description('Optional. Group of Firewall Policy rule collections.')
-param ruleCollections array = []
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource firewallPolicy 'Microsoft.Network/firewallPolicies@2023-04-01' existing = {
- name: firewallPolicyName
-}
-
-resource ruleCollectionGroup 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-04-01' = {
- name: name
- parent: firewallPolicy
- properties: {
- priority: priority
- ruleCollections: ruleCollections
- }
-}
-
-@description('The name of the deployed rule collection group.')
-output name string = ruleCollectionGroup.name
-
-@description('The resource ID of the deployed rule collection group.')
-output resourceId string = ruleCollectionGroup.id
-
-@description('The resource group of the deployed rule collection group.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/network/firewall-policy/rule-collection-group/main.json b/modules/network/firewall-policy/rule-collection-group/main.json
deleted file mode 100644
index 60a32a18e8..0000000000
--- a/modules/network/firewall-policy/rule-collection-group/main.json
+++ /dev/null
@@ -1,96 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "18100190658467124638" - }, - "name": "Firewall Policy Rule Collection Groups", - "description": "This module deploys a Firewall Policy Rule Collection Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "firewallPolicyName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Firewall Policy. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the rule collection group to deploy." - } - }, - "priority": { - "type": "int", - "metadata": { - "description": "Required. Priority of the Firewall Policy Rule Collection Group resource." - } - }, - "ruleCollections": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Group of Firewall Policy rule collections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('firewallPolicyName'), parameters('name'))]", - "properties": { - "priority": "[parameters('priority')]", - "ruleCollections": "[parameters('ruleCollections')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed rule collection group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed rule collection group." - }, - "value": "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', parameters('firewallPolicyName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed rule collection group." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/network/firewall-policy/rule-collection-group/version.json b/modules/network/firewall-policy/rule-collection-group/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/network/firewall-policy/rule-collection-group/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/network/firewall-policy/tests/e2e/defaults/main.test.bicep b/modules/network/firewall-policy/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index 510a9cc539..0000000000
--- a/modules/network/firewall-policy/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.firewallpolicies-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nfpmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/network/firewall-policy/tests/e2e/max/main.test.bicep b/modules/network/firewall-policy/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 733806d96f..0000000000
--- a/modules/network/firewall-policy/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,94 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.firewallpolicies-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nfpmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- ruleCollectionGroups: [
- {
- name: '${namePrefix}-rule-001'
- priority: 5000
- ruleCollections: [
- {
- action: {
- type: 'Allow'
- }
- name: 'collection002'
- priority: 5555
- ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
- rules: [
- {
- destinationAddresses: [
- '*'
- ]
- destinationFqdns: []
- destinationIpGroups: []
- destinationPorts: [
- '80'
- ]
- ipProtocols: [
- 'TCP'
- 'UDP'
- ]
- name: 'rule002'
- ruleType: 'NetworkRule'
- sourceAddresses: [
- '*'
- ]
- sourceIpGroups: []
- }
- ]
- }
- ]
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- allowSqlRedirect: true
- autoLearnPrivateRanges: 'Enabled'
- }
-}]
diff --git a/modules/network/firewall-policy/tests/e2e/waf-aligned/main.test.bicep b/modules/network/firewall-policy/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 9d4a296941..0000000000
--- a/modules/network/firewall-policy/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,94 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.firewallpolicies-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nfpwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- ruleCollectionGroups: [
- {
- name: '${namePrefix}-rule-001'
- priority: 5000
- ruleCollections: [
- {
- action: {
- type: 'Allow'
- }
- name: 'collection002'
- priority: 5555
- ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
- rules: [
- {
- destinationAddresses: [
- '*'
- ]
- destinationFqdns: []
- destinationIpGroups: []
- destinationPorts: [
- '80'
- ]
- ipProtocols: [
- 'TCP'
- 'UDP'
- ]
- name: 'rule002'
- ruleType: 'NetworkRule'
- sourceAddresses: [
- '*'
- ]
- sourceIpGroups: []
- }
- ]
- }
- ]
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- allowSqlRedirect: true
- autoLearnPrivateRanges: 'Enabled'
- }
-}]
diff --git a/modules/network/firewall-policy/version.json b/modules/network/firewall-policy/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/network/firewall-policy/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/front-door-web-application-firewall-policy/MOVED-TO-AVM.md b/modules/network/front-door-web-application-firewall-policy/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/network/front-door-web-application-firewall-policy/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/network/front-door-web-application-firewall-policy/README.md b/modules/network/front-door-web-application-firewall-policy/README.md
index ee7773322d..d41ad2d278 100644
--- a/modules/network/front-door-web-application-firewall-policy/README.md
+++ b/modules/network/front-door-web-application-firewall-policy/README.md
@@ -1,804 +1,7 @@
-# Front Door Web Application Firewall (WAF) Policies `[Microsoft.Network/FrontDoorWebApplicationFirewallPolicies]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/front-door-web-application-firewall-policy](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/front-door-web-application-firewall-policy).** -This module deploys a Front Door Web Application Firewall (WAF) Policy. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/front-door-web-application-firewall-policy). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/FrontDoorWebApplicationFirewallPolicies` | [2022-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-05-01/FrontDoorWebApplicationFirewallPolicies) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. 
- ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.front-door-web-application-firewall-policy:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-door-web-application-firewall-policy:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nagwafpmin' - params: { - // Required parameters - name: 'nagwafpmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nagwafpmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-door-web-application-firewall-policy:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nagwafpmax' - params: { - // Required parameters - name: 'nagwafpmax001' - // Non-required parameters - customRules: { - rules: [ - { - action: 'Block' - enabledState: 'Enabled' - matchConditions: [ - { - matchValue: [ - 'CH' - ] - matchVariable: 'RemoteAddr' - negateCondition: false - operator: 'GeoMatch' - selector: '' - transforms: [] - } - { - matchValue: [ - 'windows' - ] - matchVariable: 'RequestHeader' - negateCondition: false - operator: 'Contains' - selector: 'UserAgent' - transforms: [] - } - { - matchValue: [ - '?>' - '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedRules: { - managedRuleSets: [ - { - ruleSetType: 'Microsoft_BotManagerRuleSet' - ruleSetVersion: '1.0' - } - ] - } - policySettings: { - customBlockResponseBody: 'PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==' - customBlockResponseStatusCode: 200 - mode: 'Prevention' - redirectUrl: 'http://www.bing.com' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - sku: 'Premium_AzureFrontDoor' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nagwafpmax001" - }, - // Non-required parameters - "customRules": { - "value": { - "rules": [ - { - "action": "Block", - "enabledState": "Enabled", - "matchConditions": [ - { - "matchValue": [ - "CH" - ], - "matchVariable": "RemoteAddr", - "negateCondition": false, - "operator": "GeoMatch", - "selector": "", - "transforms": [] - }, - { - "matchValue": [ - "windows" - ], - "matchVariable": "RequestHeader", - "negateCondition": false, - "operator": "Contains", - "selector": "UserAgent", - "transforms": [] - }, - { - "matchValue": [ - "?>", - "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedRules": { - "value": { - "managedRuleSets": [ - { - "ruleSetType": "Microsoft_BotManagerRuleSet", - "ruleSetVersion": "1.0" - } - ] - } - }, - "policySettings": { - "value": { - "customBlockResponseBody": "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==", - "customBlockResponseStatusCode": 200, - "mode": "Prevention", - "redirectUrl": "http://www.bing.com" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "sku": { - "value": "Premium_AzureFrontDoor" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-door-web-application-firewall-policy:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nagwafpwaf' - params: { - // Required parameters - name: 'nagwafpwaf001' - // Non-required parameters - customRules: { - rules: [ - { - action: 'Block' - enabledState: 'Enabled' - matchConditions: [ - { - matchValue: [ - 'CH' - ] - matchVariable: 'RemoteAddr' - negateCondition: false - operator: 'GeoMatch' - selector: '' - transforms: [] - } - { - matchValue: [ - 'windows' - ] - matchVariable: 'RequestHeader' - negateCondition: false - operator: 'Contains' - selector: 'UserAgent' - transforms: [] - } - { - matchValue: [ - '?>' - '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedRules: { - managedRuleSets: [ - { - ruleSetType: 'Microsoft_BotManagerRuleSet' - ruleSetVersion: '1.0' - } - ] - } - policySettings: { - customBlockResponseBody: 'PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==' - customBlockResponseStatusCode: 200 - mode: 'Prevention' - redirectUrl: 'http://www.bing.com' - } - sku: 'Premium_AzureFrontDoor' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nagwafpwaf001" - }, - // Non-required parameters - "customRules": { - "value": { - "rules": [ - { - "action": "Block", - "enabledState": "Enabled", - "matchConditions": [ - { - "matchValue": [ - "CH" - ], - "matchVariable": "RemoteAddr", - "negateCondition": false, - "operator": "GeoMatch", - "selector": "", - "transforms": [] - }, - { - "matchValue": [ - "windows" - ], - "matchVariable": "RequestHeader", - "negateCondition": false, - "operator": "Contains", - "selector": "UserAgent", - "transforms": [] - }, - { - "matchValue": [ - "?>", - "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedRules": { - "value": { - "managedRuleSets": [ - { - "ruleSetType": "Microsoft_BotManagerRuleSet", - "ruleSetVersion": "1.0" - } - ] - } - }, - "policySettings": { - "value": { - "customBlockResponseBody": "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==", - "customBlockResponseStatusCode": 200, - "mode": "Prevention", - "redirectUrl": "http://www.bing.com" - } - }, - "sku": { - "value": "Premium_AzureFrontDoor" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Front Door WAF policy. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`customRules`](#parameter-customrules) | object | The custom rules inside the policy. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedRules`](#parameter-managedrules) | object | Describes the managedRules structure. | -| [`policySettings`](#parameter-policysettings) | object | The PolicySettings for policy. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`sku`](#parameter-sku) | string | The pricing tier of the WAF profile. | -| [`tags`](#parameter-tags) | object | Resource tags. | - -### Parameter: `name` - -Name of the Front Door WAF policy. - -- Required: Yes -- Type: string - -### Parameter: `customRules` - -The custom rules inside the policy. - -- Required: No -- Type: object -- Default: - ```Bicep - { - rules: [ - { - action: 'Block' - enabledState: 'Enabled' - matchConditions: [ - { - matchValue: [ - 'ZZ' - ] - matchVariable: 'RemoteAddr' - negateCondition: true - operator: 'GeoMatch' - } - ] - name: 'ApplyGeoFilter' - priority: 100 - ruleType: 'MatchRule' - } - ] - } - ``` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `'global'` - -### Parameter: `lock` - -The lock settings of the service. 
- -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedRules` - -Describes the managedRules structure. - -- Required: No -- Type: object -- Default: - ```Bicep - { - managedRuleSets: [ - { - exclusions: [] - ruleGroupOverrides: [] - ruleSetAction: 'Block' - ruleSetType: 'Microsoft_DefaultRuleSet' - ruleSetVersion: '2.1' - } - { - exclusions: [] - ruleGroupOverrides: [] - ruleSetType: 'Microsoft_BotManagerRuleSet' - ruleSetVersion: '1.0' - } - ] - } - ``` - -### Parameter: `policySettings` - -The PolicySettings for policy. - -- Required: No -- Type: object -- Default: - ```Bicep - { - enabledState: 'Enabled' - mode: 'Prevention' - } - ``` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `sku` - -The pricing tier of the WAF profile. - -- Required: No -- Type: string -- Default: `'Standard_AzureFrontDoor'` -- Allowed: - ```Bicep - [ - 'Premium_AzureFrontDoor' - 'Standard_AzureFrontDoor' - ] - ``` - -### Parameter: `tags` - -Resource tags. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the Front Door WAF policy. | -| `resourceGroupName` | string | The resource group the Front Door WAF policy was deployed into. | -| `resourceId` | string | The resource ID of the Front Door WAF policy. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/network/front-door-web-application-firewall-policy/main.bicep b/modules/network/front-door-web-application-firewall-policy/main.bicep deleted file mode 100644 index 27bfa8e63d..0000000000 --- a/modules/network/front-door-web-application-firewall-policy/main.bicep +++ /dev/null 
@@ -1,180 +0,0 @@ -metadata name = 'Front Door Web Application Firewall (WAF) Policies' -metadata description = 'This module deploys a Front Door Web Application Firewall (WAF) Policy.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. Name of the Front Door WAF policy.') -@minLength(1) -@maxLength(128) -param name string - -@description('Optional. Location for all resources.') -param location string = 'global' - -@allowed([ - 'Standard_AzureFrontDoor' - 'Premium_AzureFrontDoor' -]) -@description('Optional. The pricing tier of the WAF profile.') -param sku string = 'Standard_AzureFrontDoor' - -@description('Optional. Resource tags.') -param tags object? - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. Describes the managedRules structure.') -param managedRules object = { - managedRuleSets: [ - { - ruleSetType: 'Microsoft_DefaultRuleSet' - ruleSetVersion: '2.1' - ruleGroupOverrides: [] - exclusions: [] - ruleSetAction: 'Block' - } - { - ruleSetType: 'Microsoft_BotManagerRuleSet' - ruleSetVersion: '1.0' - ruleGroupOverrides: [] - exclusions: [] - } - ] -} - -@description('Optional. The custom rules inside the policy.') -param customRules object = { - rules: [ - { - name: 'ApplyGeoFilter' - priority: 100 - enabledState: 'Enabled' - ruleType: 'MatchRule' - action: 'Block' - matchConditions: [ - { - matchVariable: 'RemoteAddr' - operator: 'GeoMatch' - negateCondition: true - matchValue: [ 'ZZ' ] - } - ] - } - ] -} - -@description('Optional. The PolicySettings for policy.') -param policySettings object = { - enabledState: 'Enabled' - mode: 'Prevention' -} - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. 
Array of role assignments to create.') -param roleAssignments roleAssignmentType - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource frontDoorWAFPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = { - name: name - location: location - sku: { - name: sku - } - tags: tags - properties: { - customRules: customRules - managedRules: sku == 'Premium_AzureFrontDoor' ? managedRules : { managedRuleSets: [] } - policySettings: policySettings - } -} - -resource frontDoorWAFPolicy_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' 
- } - scope: frontDoorWAFPolicy -} - -resource frontDoorWAFPolicy_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(frontDoorWAFPolicy.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: frontDoorWAFPolicy -}] - -@description('The name of the Front Door WAF policy.') -output name string = frontDoorWAFPolicy.name - -@description('The resource ID of the Front Door WAF policy.') -output resourceId string = frontDoorWAFPolicy.id - -@description('The resource group the Front Door WAF policy was deployed into.') -output resourceGroupName string = resourceGroup().name - -@description('The location the resource was deployed into.') -output location string = frontDoorWAFPolicy.location - -// =============== // -// Definitions // -// =============== // - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? diff --git a/modules/network/front-door-web-application-firewall-policy/main.json b/modules/network/front-door-web-application-firewall-policy/main.json deleted file mode 100644 index 578eff792e..0000000000 --- a/modules/network/front-door-web-application-firewall-policy/main.json +++ /dev/null 
@@ -1,328 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "12618111004267812285" - }, - "name": "Front Door Web Application Firewall (WAF) Policies", - "description": "This module deploys a Front Door Web Application Firewall (WAF) Policy.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "minLength": 1, - "maxLength": 128, - "metadata": { - "description": "Required. Name of the Front Door WAF policy." - } - }, - "location": { - "type": "string", - "defaultValue": "global", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "sku": { - "type": "string", - "defaultValue": "Standard_AzureFrontDoor", - "allowedValues": [ - "Standard_AzureFrontDoor", - "Premium_AzureFrontDoor" - ], - "metadata": { - "description": "Optional. The pricing tier of the WAF profile." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Resource tags." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - }, - "managedRules": { - "type": "object", - "defaultValue": { - "managedRuleSets": [ - { - "ruleSetType": "Microsoft_DefaultRuleSet", - "ruleSetVersion": "2.1", - "ruleGroupOverrides": [], - "exclusions": [], - "ruleSetAction": "Block" - }, - { - "ruleSetType": "Microsoft_BotManagerRuleSet", - "ruleSetVersion": "1.0", - "ruleGroupOverrides": [], - "exclusions": [] - } - ] - }, - "metadata": { - "description": "Optional. Describes the managedRules structure." - } - }, - "customRules": { - "type": "object", - "defaultValue": { - "rules": [ - { - "name": "ApplyGeoFilter", - "priority": 100, - "enabledState": "Enabled", - "ruleType": "MatchRule", - "action": "Block", - "matchConditions": [ - { - "matchVariable": "RemoteAddr", - "operator": "GeoMatch", - "negateCondition": true, - "matchValue": [ - "ZZ" - ] - } - ] - } - ] - }, - "metadata": { - "description": "Optional. The custom rules inside the policy." - } - }, - "policySettings": { - "type": "object", - "defaultValue": { - "enabledState": "Enabled", - "mode": "Prevention" - }, - "metadata": { - "description": "Optional. The PolicySettings for policy." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "frontDoorWAFPolicy": { - "type": "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies", - "apiVersion": "2022-05-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "sku": { - "name": "[parameters('sku')]" - }, - "tags": "[parameters('tags')]", - "properties": { - "customRules": "[parameters('customRules')]", - "managedRules": "[if(equals(parameters('sku'), 'Premium_AzureFrontDoor'), parameters('managedRules'), createObject('managedRuleSets', createArray()))]", - "policySettings": "[parameters('policySettings')]" - } - }, - "frontDoorWAFPolicy_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - 
"type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "frontDoorWAFPolicy" - ] - }, - "frontDoorWAFPolicy_roleAssignments": { - "copy": { - "name": "frontDoorWAFPolicy_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/FrontDoorWebApplicationFirewallPolicies', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": 
"[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "frontDoorWAFPolicy" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the Front Door WAF policy." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Front Door WAF policy." - }, - "value": "[resourceId('Microsoft.Network/FrontDoorWebApplicationFirewallPolicies', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the Front Door WAF policy was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('frontDoorWAFPolicy', '2022-05-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/front-door-web-application-firewall-policy/tests/e2e/defaults/main.test.bicep b/modules/network/front-door-web-application-firewall-policy/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index bf7f841060..0000000000 
--- a/modules/network/front-door-web-application-firewall-policy/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.frontdoorWebApplicationFirewallPolicies-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nagwafpmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/network/front-door-web-application-firewall-policy/tests/e2e/max/dependencies.bicep b/modules/network/front-door-web-application-firewall-policy/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 7b3d4e8fb0..0000000000
--- a/modules/network/front-door-web-application-firewall-policy/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/front-door-web-application-firewall-policy/tests/e2e/max/main.test.bicep b/modules/network/front-door-web-application-firewall-policy/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 99bdd66dea..0000000000
--- a/modules/network/front-door-web-application-firewall-policy/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,146 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-network.frontdoorWebApplicationFirewallPolicies-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nagwafpmax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - sku: 'Premium_AzureFrontDoor' - policySettings: { - 
mode: 'Prevention' - redirectUrl: 'http://www.bing.com' - customBlockResponseStatusCode: 200 - customBlockResponseBody: 'PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==' - } - customRules: { - rules: [ - { - name: 'CustomRule1' - priority: 2 - enabledState: 'Enabled' - action: 'Block' - ruleType: 'MatchRule' - rateLimitDurationInMinutes: 1 - rateLimitThreshold: 10 - matchConditions: [ - { - matchVariable: 'RemoteAddr' - selector: null - operator: 'GeoMatch' - negateCondition: false - transforms: [] - matchValue: [ - 'CH' - ] - } - { - matchVariable: 'RequestHeader' - selector: 'UserAgent' - operator: 'Contains' - negateCondition: false - transforms: [] - matchValue: [ - 'windows' - ] - } - { - matchVariable: 'QueryString' - operator: 'Contains' - negateCondition: false - transforms: [ - 'UrlDecode' - 'Lowercase' - ] - matchValue: [ - '' - ] - } - ] - } - ] - } - managedRules: { - managedRuleSets: [ - { - ruleSetType: 'Microsoft_BotManagerRuleSet' - ruleSetVersion: '1.0' - } - ] - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - } -}] 
diff --git a/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 7b3d4e8fb0..0000000000
--- a/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep b/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 67e8b06778..0000000000
--- a/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,129 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-network.frontdoorWebApplicationFirewallPolicies-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nagwafpwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - sku: 
'Premium_AzureFrontDoor' - policySettings: { - mode: 'Prevention' - redirectUrl: 'http://www.bing.com' - customBlockResponseStatusCode: 200 - customBlockResponseBody: 'PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==' - } - customRules: { - rules: [ - { - name: 'CustomRule1' - priority: 2 - enabledState: 'Enabled' - action: 'Block' - ruleType: 'MatchRule' - rateLimitDurationInMinutes: 1 - rateLimitThreshold: 10 - matchConditions: [ - { - matchVariable: 'RemoteAddr' - selector: null - operator: 'GeoMatch' - negateCondition: false - transforms: [] - matchValue: [ - 'CH' - ] - } - { - matchVariable: 'RequestHeader' - selector: 'UserAgent' - operator: 'Contains' - negateCondition: false - transforms: [] - matchValue: [ - 'windows' - ] - } - { - matchVariable: 'QueryString' - operator: 'Contains' - negateCondition: false - transforms: [ - 'UrlDecode' - 'Lowercase' - ] - matchValue: [ - '' - ] - } - ] - } - ] - } - managedRules: { - managedRuleSets: [ - { - ruleSetType: 'Microsoft_BotManagerRuleSet' - ruleSetVersion: '1.0' - } - ] - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/network/front-door-web-application-firewall-policy/version.json b/modules/network/front-door-web-application-firewall-policy/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/network/front-door-web-application-firewall-policy/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/front-door/MOVED-TO-AVM.md b/modules/network/front-door/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/network/front-door/MOVED-TO-AVM.md +++ /dev/null 
@@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/network/front-door/README.md b/modules/network/front-door/README.md index 5bd96bd73c..3a95d51067 100644 --- a/modules/network/front-door/README.md +++ b/modules/network/front-door/README.md @@ -1,1165 +1,7 @@ -# Azure Front Doors `[Microsoft.Network/frontDoors]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/front-door](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/front-door).** -This module deploys an Azure Front Door. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/front-door). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/frontDoors` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-05-01/frontDoors) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. 
- ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.front-door:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nfdmin' - params: { - // Required parameters - backendPools: [ - { - name: 'backendPool' - properties: { - backends: [ - { - address: 'biceptest.local' - backendHostHeader: 'backendAddress' - enabledState: 'Enabled' - httpPort: 80 - httpsPort: 443 - priority: 1 - weight: 50 - } - ] - HealthProbeSettings: { - id: '' - } - LoadBalancingSettings: { - id: '' - } - } - } - ] - frontendEndpoints: [ - { - name: 'frontEnd' - properties: { - hostName: '' - sessionAffinityEnabledState: 'Disabled' - sessionAffinityTtlSeconds: 60 - } - } - ] - healthProbeSettings: [ - { - name: 'heathProbe' - properties: { - intervalInSeconds: 60 - path: '/' - protocol: 'Https' - } - } - ] - loadBalancingSettings: [ - { - name: 'loadBalancer' - properties: { - additionalLatencyMilliseconds: 0 - sampleSize: 50 - successfulSamplesRequired: 1 - } - } - ] - name: '' - routingRules: [ - { - name: 'routingRule' - properties: { - acceptedProtocols: [ - 'Https' - ] - enabledState: 'Enabled' - frontendEndpoints: [ - { - id: '' - } - ] - patternsToMatch: [ - '/*' - ] - routeConfiguration: { - '@odata.type': '#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration' - backendPool: { - id: '' - } - } - } - } - ] - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "backendPools": { - "value": [ - { - "name": "backendPool", - "properties": { - "backends": [ - { - "address": "biceptest.local", - "backendHostHeader": "backendAddress", - "enabledState": "Enabled", - "httpPort": 80, - "httpsPort": 443, - "priority": 1, - "weight": 50 - } - ], - "HealthProbeSettings": { - "id": "" - }, - "LoadBalancingSettings": { - "id": "" - } - } - } - ] - }, - "frontendEndpoints": { - "value": [ - { - "name": "frontEnd", - "properties": { - "hostName": "", - "sessionAffinityEnabledState": "Disabled", - "sessionAffinityTtlSeconds": 60 - } - } - ] - }, - "healthProbeSettings": { - "value": [ - { - "name": "heathProbe", - "properties": { - "intervalInSeconds": 60, - "path": "/", - "protocol": "Https" - } - } - ] - }, - "loadBalancingSettings": { - "value": [ - { - "name": "loadBalancer", - "properties": { - "additionalLatencyMilliseconds": 0, - "sampleSize": 50, - "successfulSamplesRequired": 1 - } - } - ] - }, - "name": { - "value": "" - }, - "routingRules": { - "value": [ - { - "name": "routingRule", - "properties": { - "acceptedProtocols": [ - "Https" - ], - "enabledState": "Enabled", - "frontendEndpoints": [ - { - "id": "" - } - ], - "patternsToMatch": [ - "/*" - ], - "routeConfiguration": { - "@odata.type": "#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration", - "backendPool": { - "id": "" - } - } - } - } - ] - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nfdmax' - params: { - // Required parameters - backendPools: [ - { - name: 'backendPool' - properties: { - backends: [ - { - address: 'biceptest.local' - backendHostHeader: 'backendAddress' - enabledState: 'Enabled' - httpPort: 80 - httpsPort: 443 - priority: 1 - privateLinkAlias: '' - privateLinkApprovalMessage: '' - privateLinkLocation: '' - privateLinkResourceId: '' - weight: 50 - } - ] - HealthProbeSettings: { - id: '' - } - LoadBalancingSettings: { - id: '' - } - } - } - ] - frontendEndpoints: [ - { - name: 'frontEnd' - properties: { - hostName: '' - sessionAffinityEnabledState: 'Disabled' - sessionAffinityTtlSeconds: 60 - } - } - ] - healthProbeSettings: [ - { - name: 'heathProbe' - properties: { - enabledState: '' - healthProbeMethod: '' - intervalInSeconds: 60 - path: '/' - protocol: 'Https' - } - } - ] - loadBalancingSettings: [ - { - name: 'loadBalancer' - properties: { - additionalLatencyMilliseconds: 0 - sampleSize: 50 - successfulSamplesRequired: 1 - } - } - ] - name: '' - routingRules: [ - { - name: 'routingRule' - properties: { - acceptedProtocols: [ - 'Http' - 'Https' - ] - enabledState: 'Enabled' - frontendEndpoints: [ - { - id: '' - } - ] - patternsToMatch: [ - '/*' - ] - routeConfiguration: { - '@odata.type': '#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration' - backendPool: { - id: '' - } - forwardingProtocol: 'MatchRequest' - } - } - } - ] - // Non-required parameters - enableDefaultTelemetry: '' - enforceCertificateNameCheck: 'Disabled' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - 
principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - sendRecvTimeoutSeconds: 10 - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "backendPools": { - "value": [ - { - "name": "backendPool", - "properties": { - "backends": [ - { - "address": "biceptest.local", - "backendHostHeader": "backendAddress", - "enabledState": "Enabled", - "httpPort": 80, - "httpsPort": 443, - "priority": 1, - "privateLinkAlias": "", - "privateLinkApprovalMessage": "", - "privateLinkLocation": "", - "privateLinkResourceId": "", - "weight": 50 - } - ], - "HealthProbeSettings": { - "id": "" - }, - "LoadBalancingSettings": { - "id": "" - } - } - } - ] - }, - "frontendEndpoints": { - "value": [ - { - "name": "frontEnd", - "properties": { - "hostName": "", - "sessionAffinityEnabledState": "Disabled", - "sessionAffinityTtlSeconds": 60 - } - } - ] - }, - "healthProbeSettings": { - "value": [ - { - "name": "heathProbe", - "properties": { - "enabledState": "", - "healthProbeMethod": "", - "intervalInSeconds": 60, - "path": "/", - "protocol": "Https" - } - } - ] - }, - "loadBalancingSettings": { - "value": [ - { - "name": "loadBalancer", - "properties": { - "additionalLatencyMilliseconds": 0, - "sampleSize": 50, - "successfulSamplesRequired": 1 - } - } - ] - }, - "name": { - "value": "" - }, - "routingRules": { - "value": [ - { - "name": "routingRule", - "properties": { - "acceptedProtocols": [ - "Http", - "Https" - ], - "enabledState": "Enabled", - "frontendEndpoints": [ - { - "id": "" - } - ], - "patternsToMatch": [ - "/*" - ], - "routeConfiguration": { - "@odata.type": "#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration", - "backendPool": { - "id": "" - }, - "forwardingProtocol": "MatchRequest" - } - } - } - ] - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "enforceCertificateNameCheck": { - "value": "Disabled" - }, - "lock": { - "value": { - "kind": 
"CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "sendRecvTimeoutSeconds": { - "value": 10 - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nfdwaf' - params: { - // Required parameters - backendPools: [ - { - name: 'backendPool' - properties: { - backends: [ - { - address: 'biceptest.local' - backendHostHeader: 'backendAddress' - enabledState: 'Enabled' - httpPort: 80 - httpsPort: 443 - priority: 1 - privateLinkAlias: '' - privateLinkApprovalMessage: '' - privateLinkLocation: '' - privateLinkResourceId: '' - weight: 50 - } - ] - HealthProbeSettings: { - id: '' - } - LoadBalancingSettings: { - id: '' - } - } - } - ] - frontendEndpoints: [ - { - name: 'frontEnd' - properties: { - hostName: '' - sessionAffinityEnabledState: 'Disabled' - sessionAffinityTtlSeconds: 60 - } - } - ] - healthProbeSettings: [ - { - name: 'heathProbe' - properties: { - enabledState: '' - healthProbeMethod: '' - intervalInSeconds: 60 - path: '/' - protocol: 'Https' - } - } - ] - loadBalancingSettings: [ - { - name: 'loadBalancer' - properties: { - additionalLatencyMilliseconds: 0 - sampleSize: 50 - successfulSamplesRequired: 1 - } - } - ] - name: '' - routingRules: [ - { - name: 'routingRule' - properties: { - acceptedProtocols: [ - 'Http' - 'Https' - ] - enabledState: 'Enabled' - frontendEndpoints: [ - { - id: '' - } - ] - patternsToMatch: [ - '/*' - ] - routeConfiguration: { - '@odata.type': '#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration' - backendPool: { - id: '' - } - forwardingProtocol: 'MatchRequest' - } - } - } - ] - // Non-required parameters - enableDefaultTelemetry: '' - enforceCertificateNameCheck: 'Disabled' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - sendRecvTimeoutSeconds: 10 - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "backendPools": { - "value": [ - { - "name": "backendPool", - "properties": { - "backends": [ - { - "address": "biceptest.local", - "backendHostHeader": "backendAddress", - "enabledState": "Enabled", - "httpPort": 80, - "httpsPort": 443, - "priority": 1, - "privateLinkAlias": "", - "privateLinkApprovalMessage": "", - "privateLinkLocation": "", - "privateLinkResourceId": "", - "weight": 50 - } - ], - "HealthProbeSettings": { - "id": "" - }, - "LoadBalancingSettings": { - "id": "" - } - } - } - ] - }, - "frontendEndpoints": { - "value": [ - { - "name": "frontEnd", - "properties": { - "hostName": "", - "sessionAffinityEnabledState": "Disabled", - "sessionAffinityTtlSeconds": 60 - } - } - ] - }, - "healthProbeSettings": { - "value": [ - { - "name": "heathProbe", - "properties": { - "enabledState": "", - "healthProbeMethod": "", - "intervalInSeconds": 60, - "path": "/", - "protocol": "Https" - } - } - ] - }, - "loadBalancingSettings": { - "value": [ - { - "name": "loadBalancer", - "properties": { - "additionalLatencyMilliseconds": 0, - "sampleSize": 50, - "successfulSamplesRequired": 1 - } - } - ] - }, - "name": { - "value": "" - }, - "routingRules": { - "value": [ - { - "name": "routingRule", - "properties": { - "acceptedProtocols": [ - "Http", - "Https" - ], - "enabledState": "Enabled", - "frontendEndpoints": [ - { - "id": "" - } - ], - "patternsToMatch": [ - "/*" - ], - "routeConfiguration": { - "@odata.type": "#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration", - "backendPool": { - "id": "" - }, - "forwardingProtocol": "MatchRequest" - } - } - } - ] - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "enforceCertificateNameCheck": { - "value": "Disabled" - }, - "lock": { - "value": { - "kind": 
"CanNotDelete", - "name": "myCustomLockName" - } - }, - "sendRecvTimeoutSeconds": { - "value": 10 - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`backendPools`](#parameter-backendpools) | array | Backend address pool of the frontdoor resource. | -| [`frontendEndpoints`](#parameter-frontendendpoints) | array | Frontend endpoints of the frontdoor resource. | -| [`healthProbeSettings`](#parameter-healthprobesettings) | array | Heath probe settings of the frontdoor resource. | -| [`loadBalancingSettings`](#parameter-loadbalancingsettings) | array | Load balancing settings of the frontdoor resource. | -| [`name`](#parameter-name) | string | The name of the frontDoor. | -| [`routingRules`](#parameter-routingrules) | array | Routing rules settings of the frontdoor resource. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`enabledState`](#parameter-enabledstate) | string | State of the frontdoor resource. | -| [`enforceCertificateNameCheck`](#parameter-enforcecertificatenamecheck) | string | Enforce certificate name check of the frontdoor resource. | -| [`friendlyName`](#parameter-friendlyname) | string | Friendly name of the frontdoor resource. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`sendRecvTimeoutSeconds`](#parameter-sendrecvtimeoutseconds) | int | Certificate name check time of the frontdoor resource. | -| [`tags`](#parameter-tags) | object | Resource tags. | - -### Parameter: `backendPools` - -Backend address pool of the frontdoor resource. 
-
-- Required: Yes
-- Type: array
-
-### Parameter: `frontendEndpoints`
-
-Frontend endpoints of the frontdoor resource.
-
-- Required: Yes
-- Type: array
-
-### Parameter: `healthProbeSettings`
-
-Heath probe settings of the frontdoor resource.
-
-- Required: Yes
-- Type: array
-
-### Parameter: `loadBalancingSettings`
-
-Load balancing settings of the frontdoor resource.
-
-- Required: Yes
-- Type: array
-
-### Parameter: `name`
-
-The name of the frontDoor.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `routingRules`
-
-Routing rules settings of the frontdoor resource.
-
-- Required: Yes
-- Type: array
-
-### Parameter: `diagnosticSettings`
-
-The diagnostic settings of the service.
-
-- Required: No
-- Type: array
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
-| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. |
-| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. |
-| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. |
-| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-
-### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId`
-
-Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.eventHubName`
-
-Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.logAnalyticsDestinationType`
-
-A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'AzureDiagnostics'
- 'Dedicated'
- ]
- ```
-
-### Parameter: `diagnosticSettings.logCategoriesAndGroups`
-
-The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
-
-- Required: No
-- Type: array
-
-### Parameter: `diagnosticSettings.marketplacePartnerResourceId`
-
-The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.metricCategories`
-
-The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
-
-- Required: No
-- Type: array
-
-### Parameter: `diagnosticSettings.name`
-
-The name of diagnostic setting.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.storageAccountResourceId`
-
-Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.workspaceResourceId`
-
-Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-
-- Required: No
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `enabledState`
-
-State of the frontdoor resource.
-
-- Required: No
-- Type: string
-- Default: `'Enabled'`
-
-### Parameter: `enforceCertificateNameCheck`
-
-Enforce certificate name check of the frontdoor resource.
-
-- Required: No
-- Type: string
-- Default: `'Disabled'`
-
-### Parameter: `friendlyName`
-
-Friendly name of the frontdoor resource.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `location`
-
-Location for all resources.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-### Parameter: `lock`
-
-The lock settings of the service.
-
-- Required: No
-- Type: object
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`kind`](#parameter-lockkind) | string | Specify the type of lock. |
-| [`name`](#parameter-lockname) | string | Specify the name of lock. |
-
-### Parameter: `lock.kind`
-
-Specify the type of lock.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'CanNotDelete'
- 'None'
- 'ReadOnly'
- ]
- ```
-
-### Parameter: `lock.name`
-
-Specify the name of lock.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments`
-
-Array of role assignments to create.
-
-- Required: No
-- Type: array
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
-| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. |
-| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. |
-| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. |
-| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. |
-
-### Parameter: `roleAssignments.principalId`
-
-The principal ID of the principal (user/group/identity) to assign the role to.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.roleDefinitionIdOrName`
-
-The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.condition`
-
-The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.conditionVersion`
-
-Version of the condition.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- '2.0'
- ]
- ```
-
-### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
-
-The Resource Id of the delegated managed identity resource.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.description`
-
-The description of the role assignment.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.principalType`
-
-The principal type of the assigned principal ID.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Device'
- 'ForeignGroup'
- 'Group'
- 'ServicePrincipal'
- 'User'
- ]
- ```
-
-### Parameter: `sendRecvTimeoutSeconds`
-
-Certificate name check time of the frontdoor resource.
-
-- Required: No
-- Type: int
-- Default: `240`
-
-### Parameter: `tags`
-
-Resource tags.
-
-- Required: No
-- Type: object
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the front door. |
-| `resourceGroupName` | string | The resource group the front door was deployed into. |
-| `resourceId` | string | The resource ID of the front door. |
-
-## Cross-referenced modules
-
-_None_
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/network/front-door/main.bicep b/modules/network/front-door/main.bicep
deleted file mode 100644
index bcaa533984..0000000000
--- a/modules/network/front-door/main.bicep
+++ /dev/null
@@ -1,225 +0,0 @@
-metadata name = 'Azure Front Doors'
-metadata description = 'This module deploys an Azure Front Door.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the frontDoor.')
-@minLength(1)
-@maxLength(64)
-param name string
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Resource tags.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Required. Backend address pool of the frontdoor resource.')
-param backendPools array
-
-@description('Optional. Enforce certificate name check of the frontdoor resource.')
-param enforceCertificateNameCheck string = 'Disabled'
-
-@description('Optional. Certificate name check time of the frontdoor resource.')
-@maxValue(240)
-param sendRecvTimeoutSeconds int = 240
-
-@description('Optional. State of the frontdoor resource.')
-param enabledState string = 'Enabled'
-
-@description('Optional. Friendly name of the frontdoor resource.')
-param friendlyName string = ''
-
-@description('Required. Frontend endpoints of the frontdoor resource.')
-param frontendEndpoints array
-
-@description('Required. Heath probe settings of the frontdoor resource.')
-param healthProbeSettings array
-
-@description('Required. Load balancing settings of the frontdoor resource.')
-param loadBalancingSettings array
-
-@description('Required. Routing rules settings of the frontdoor resource.')
-param routingRules array
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource frontDoor 'Microsoft.Network/frontDoors@2020-05-01' = {
- name: name
- location: 'global'
- tags: tags
- properties: {
- backendPools: backendPools
- backendPoolsSettings: {
- enforceCertificateNameCheck: enforceCertificateNameCheck
- sendRecvTimeoutSeconds: sendRecvTimeoutSeconds
- }
- enabledState: enabledState
- friendlyName: friendlyName
- frontendEndpoints: frontendEndpoints
- healthProbeSettings: healthProbeSettings
- loadBalancingSettings: loadBalancingSettings
- routingRules: routingRules
- }
-}
-
-resource frontDoor_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: frontDoor
-}
-
-resource frontDoor_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: frontDoor
-}]
-
-resource frontDoor_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(frontDoor.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: frontDoor
-}]
-
-@description('The name of the front door.')
-output name string = frontDoor.name
-
-@description('The resource ID of the front door.')
-output resourceId string = frontDoor.id
-
-@description('The resource group the front door was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/network/front-door/main.json b/modules/network/front-door/main.json
deleted file mode 100644
index 394c56eb8a..0000000000
--- a/modules/network/front-door/main.json
+++ /dev/null
@@ -1,450 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "12127605503670931788" - }, - "name": "Azure Front Doors", - "description": "This module deploys an Azure Front Door.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. 
Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "minLength": 1, - "maxLength": 64, - "metadata": { - "description": "Required. The name of the frontDoor." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Resource tags." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "backendPools": { - "type": "array", - "metadata": { - "description": "Required. Backend address pool of the frontdoor resource." - } - }, - "enforceCertificateNameCheck": { - "type": "string", - "defaultValue": "Disabled", - "metadata": { - "description": "Optional. Enforce certificate name check of the frontdoor resource." - } - }, - "sendRecvTimeoutSeconds": { - "type": "int", - "defaultValue": 240, - "maxValue": 240, - "metadata": { - "description": "Optional. Certificate name check time of the frontdoor resource." 
- } - }, - "enabledState": { - "type": "string", - "defaultValue": "Enabled", - "metadata": { - "description": "Optional. State of the frontdoor resource." - } - }, - "friendlyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Friendly name of the frontdoor resource." - } - }, - "frontendEndpoints": { - "type": "array", - "metadata": { - "description": "Required. Frontend endpoints of the frontdoor resource." - } - }, - "healthProbeSettings": { - "type": "array", - "metadata": { - "description": "Required. Heath probe settings of the frontdoor resource." - } - }, - "loadBalancingSettings": { - "type": "array", - "metadata": { - "description": "Required. Load balancing settings of the frontdoor resource." - } - }, - "routingRules": { - "type": "array", - "metadata": { - "description": "Required. Routing rules settings of the frontdoor resource." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "frontDoor": { - "type": "Microsoft.Network/frontDoors", - "apiVersion": "2020-05-01", - "name": "[parameters('name')]", - "location": "global", - "tags": "[parameters('tags')]", - "properties": { - "backendPools": "[parameters('backendPools')]", - "backendPoolsSettings": { - "enforceCertificateNameCheck": "[parameters('enforceCertificateNameCheck')]", - "sendRecvTimeoutSeconds": "[parameters('sendRecvTimeoutSeconds')]" - }, - "enabledState": "[parameters('enabledState')]", - "friendlyName": "[parameters('friendlyName')]", - "frontendEndpoints": "[parameters('frontendEndpoints')]", - 
"healthProbeSettings": "[parameters('healthProbeSettings')]", - "loadBalancingSettings": "[parameters('loadBalancingSettings')]", - "routingRules": "[parameters('routingRules')]" - } - }, - "frontDoor_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/frontDoors/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "frontDoor" - ] - }, - "frontDoor_diagnosticSettings": { - "copy": { - "name": "frontDoor_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Network/frontDoors/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": 
"[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "frontDoor" - ] - }, - "frontDoor_roleAssignments": { - "copy": { - "name": "frontDoor_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/frontDoors/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/frontDoors', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "frontDoor" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the front door." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the front door." - }, - "value": "[resourceId('Microsoft.Network/frontDoors', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the front door was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/network/front-door/tests/e2e/defaults/main.test.bicep b/modules/network/front-door/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 6af3d2e506..0000000000 --- a/modules/network/front-door/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,128 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.frontdoors-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nfdmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-var resourceName = '${namePrefix}${serviceShort}001'
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: resourceName
- frontendEndpoints: [
- {
- name: 'frontEnd'
- properties: {
- hostName: '${resourceName}.${environment().suffixes.azureFrontDoorEndpointSuffix}'
- sessionAffinityEnabledState: 'Disabled'
- sessionAffinityTtlSeconds: 60
- }
- }
- ]
- healthProbeSettings: [
- {
- name: 'heathProbe'
- properties: {
- intervalInSeconds: 60
- path: '/'
- protocol: 'Https'
- }
- }
- ]
- loadBalancingSettings: [
- {
- name: 'loadBalancer'
- properties: {
- additionalLatencyMilliseconds: 0
- sampleSize: 50
- successfulSamplesRequired: 1
- }
- }
- ]
- routingRules: [
- {
- name: 'routingRule'
- properties: {
- acceptedProtocols: [
- 'Https'
- ]
- enabledState: 'Enabled'
- frontendEndpoints: [
- {
- id: '${resourceGroup.id}/providers/Microsoft.Network/frontDoors/${resourceName}/FrontendEndpoints/frontEnd'
- }
- ]
- patternsToMatch: [
- '/*'
- ]
- routeConfiguration: {
- '@odata.type': '#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration'
- backendPool: {
- id: '${resourceGroup.id}/providers/Microsoft.Network/frontDoors/${resourceName}/BackendPools/backendPool'
- }
- }
- }
- }
- ]
- backendPools: [
- {
- name: 'backendPool'
- properties: {
- backends: [
- {
- address: 'biceptest.local'
- backendHostHeader: 'backendAddress'
- enabledState: 'Enabled'
- httpPort: 80
- httpsPort: 443
- priority: 1
- weight: 50
- }
- ]
- HealthProbeSettings: {
- id: '${resourceGroup.id}/providers/Microsoft.Network/frontDoors/${resourceName}/HealthProbeSettings/heathProbe'
- }
- LoadBalancingSettings: {
- id: '${resourceGroup.id}/providers/Microsoft.Network/frontDoors/${resourceName}/LoadBalancingSettings/loadBalancer'
- }
- }
- }
- ]
- }
-}]
diff --git a/modules/network/front-door/tests/e2e/max/dependencies.bicep b/modules/network/front-door/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/network/front-door/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/front-door/tests/e2e/max/main.test.bicep b/modules/network/front-door/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 4d954197e7..0000000000
--- a/modules/network/front-door/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,172 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.frontdoors-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nfdmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-var resourceName = '${namePrefix}${serviceShort}001'
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: resourceName
- backendPools: [
- {
- name: 'backendPool'
- properties: {
- backends: [
- {
- address: 'biceptest.local'
- backendHostHeader: 'backendAddress'
- enabledState: 'Enabled'
- httpPort: 80
- httpsPort: 443
- priority: 1
- privateLinkAlias: ''
- privateLinkApprovalMessage: ''
- privateLinkLocation: ''
- privateLinkResourceId: ''
- weight: 50
- }
- ]
- HealthProbeSettings: {
- id: '${resourceGroup.id}/providers/Microsoft.Network/frontDoors/${resourceName}/HealthProbeSettings/heathProbe'
- }
- LoadBalancingSettings: {
- id: '${resourceGroup.id}/providers/Microsoft.Network/frontDoors/${resourceName}/LoadBalancingSettings/loadBalancer'
- }
- }
- }
- ]
- enforceCertificateNameCheck: 'Disabled'
- frontendEndpoints: [
- {
- name: 'frontEnd'
- properties: {
- hostName: '${resourceName}.${environment().suffixes.azureFrontDoorEndpointSuffix}'
- sessionAffinityEnabledState: 'Disabled'
- sessionAffinityTtlSeconds: 60
- }
- }
- ]
- healthProbeSettings: [
- {
- name: 'heathProbe'
- properties: {
- enabledState: ''
- healthProbeMethod: ''
- intervalInSeconds: 60
- path: '/'
- protocol: 'Https'
- }
- }
- ]
- loadBalancingSettings: [
- {
- name: 'loadBalancer'
- properties: {
- additionalLatencyMilliseconds: 0
- sampleSize: 50
- successfulSamplesRequired: 1
- }
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- routingRules: [
- {
- name: 'routingRule'
- properties: {
- acceptedProtocols: [
- 'Http'
- 'Https'
- ]
- enabledState: 'Enabled'
- frontendEndpoints: [
- {
- id: '${resourceGroup.id}/providers/Microsoft.Network/frontDoors/${resourceName}/FrontendEndpoints/frontEnd'
- }
- ]
- patternsToMatch: [
- '/*'
- ]
- routeConfiguration: {
- '@odata.type': '#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration'
- backendPool: {
- id: '${resourceGroup.id}/providers/Microsoft.Network/frontDoors/${resourceName}/BackendPools/backendPool'
- }
- forwardingProtocol: 'MatchRequest'
- }
- }
- }
- ]
- sendRecvTimeoutSeconds: 10
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/front-door/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/front-door/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/network/front-door/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep b/modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 3652f40fa1..0000000000
--- a/modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,155 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.frontdoors-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nfdwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-var resourceName = '${namePrefix}${serviceShort}001'
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: resourceName
- backendPools: [
- {
- name: 'backendPool'
- properties: {
- backends: [
- {
- address: 'biceptest.local'
- backendHostHeader: 'backendAddress'
- enabledState: 'Enabled'
- httpPort: 80
- httpsPort: 443
- priority: 1
- privateLinkAlias: ''
- privateLinkApprovalMessage: ''
- privateLinkLocation: ''
- privateLinkResourceId: ''
- weight: 50
- }
- ]
- HealthProbeSettings: {
- id: '${resourceGroup.id}/providers/Microsoft.Network/frontDoors/${resourceName}/HealthProbeSettings/heathProbe'
- }
- LoadBalancingSettings: {
- id: '${resourceGroup.id}/providers/Microsoft.Network/frontDoors/${resourceName}/LoadBalancingSettings/loadBalancer'
- }
- }
- }
- ]
- enforceCertificateNameCheck: 'Disabled'
- frontendEndpoints: [
- {
- name: 'frontEnd'
- properties: {
- hostName: '${resourceName}.${environment().suffixes.azureFrontDoorEndpointSuffix}'
- sessionAffinityEnabledState: 'Disabled'
- sessionAffinityTtlSeconds: 60
- }
- }
- ]
- healthProbeSettings: [
- {
- name: 'heathProbe'
- properties: {
- enabledState: ''
- healthProbeMethod: ''
- intervalInSeconds: 60
- path: '/'
- protocol: 'Https'
- }
- }
- ]
- loadBalancingSettings: [
- {
- name: 'loadBalancer'
- properties: {
- additionalLatencyMilliseconds: 0
- sampleSize: 50
- successfulSamplesRequired: 1
- }
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- routingRules: [
- {
- name: 'routingRule'
- properties: {
- acceptedProtocols: [
- 'Http'
- 'Https'
- ]
- enabledState: 'Enabled'
- frontendEndpoints: [
- {
- id: '${resourceGroup.id}/providers/Microsoft.Network/frontDoors/${resourceName}/FrontendEndpoints/frontEnd'
- }
- ]
- patternsToMatch: [
- '/*'
- ]
- routeConfiguration: {
- '@odata.type': '#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration'
- backendPool: {
- id: '${resourceGroup.id}/providers/Microsoft.Network/frontDoors/${resourceName}/BackendPools/backendPool'
- }
- forwardingProtocol: 'MatchRequest'
- }
- }
- }
- ]
- sendRecvTimeoutSeconds: 10
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/front-door/version.json b/modules/network/front-door/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/network/front-door/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/ip-group/MOVED-TO-AVM.md b/modules/network/ip-group/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/network/ip-group/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/network/ip-group/README.md b/modules/network/ip-group/README.md
index 6233788cfc..f9dad8b9f5 100644
--- a/modules/network/ip-group/README.md
+++ b/modules/network/ip-group/README.md
@@ -1,474 +1,7 @@
-# IP Groups `[Microsoft.Network/ipGroups]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/ip-group](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/ip-group).** -This module deploys an IP Group. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/ip-group). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/ipGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/ipGroups) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.ip-group:1.0.0`. 
- -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module ipGroup 'br:bicep/modules/network.ip-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nigmin' - params: { - // Required parameters - name: 'nigmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nigmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module ipGroup 'br:bicep/modules/network.ip-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nigmax' - params: { - // Required parameters - name: 'nigmax001' - // Non-required parameters - enableDefaultTelemetry: '' - ipAddresses: [ - '10.0.0.1' - '10.0.0.2' - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nigmax001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "ipAddresses": { - "value": [ - "10.0.0.1", - "10.0.0.2" - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module ipGroup 'br:bicep/modules/network.ip-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nigwaf' - params: { - // Required parameters - name: 'nigwaf001' - // Non-required parameters - enableDefaultTelemetry: '' - ipAddresses: [ - '10.0.0.1' - '10.0.0.2' - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nigwaf001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "ipAddresses": { - "value": [ - "10.0.0.1", - "10.0.0.2" - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the ipGroups. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`ipAddresses`](#parameter-ipaddresses) | array | IpAddresses/IpAddressPrefixes in the IpGroups resource. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`tags`](#parameter-tags) | object | Resource tags. | - -### Parameter: `name` - -The name of the ipGroups. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `ipAddresses` - -IpAddresses/IpAddressPrefixes in the IpGroups resource. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `roleAssignments` - -Array of role assignments to create. 
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
- -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Resource tags. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the IP group. | -| `resourceGroupName` | string | The resource group of the IP group was deployed into. | -| `resourceId` | string | The resource ID of the IP group. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/network/ip-group/main.bicep b/modules/network/ip-group/main.bicep deleted file mode 100644 index 08a30eee33..0000000000 --- a/modules/network/ip-group/main.bicep +++ /dev/null 
@@ -1,125 +0,0 @@
-metadata name = 'IP Groups'
-metadata description = 'This module deploys an IP Group.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the ipGroups.')
-@minLength(1)
-param name string
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. IpAddresses/IpAddressPrefixes in the IpGroups resource.')
-param ipAddresses array = []
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Resource tags.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource ipGroup 'Microsoft.Network/ipGroups@2023-04-01' = {
- name: name
- location: location
- tags: tags
- properties: {
- ipAddresses: ipAddresses
- }
-}
-
-resource ipGroup_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: ipGroup
-}
-
-resource ipGroup_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(ipGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: ipGroup
-}]
-
-@description('The resource ID of the IP group.')
-output resourceId string = ipGroup.id
-
-@description('The resource group of the IP group was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the IP group.')
-output name string = ipGroup.name
-
-@description('The location the resource was deployed into.')
-output location string = ipGroup.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/network/ip-group/main.json b/modules/network/ip-group/main.json
deleted file mode 100644
index a7dac7e910..0000000000
--- a/modules/network/ip-group/main.json
+++ /dev/null
@@ -1,259 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "11594835403305587899" - }, - "name": "IP Groups", - "description": "This module deploys an IP Group.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "minLength": 1, - "metadata": { - "description": "Required. The name of the ipGroups." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "ipAddresses": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. IpAddresses/IpAddressPrefixes in the IpGroups resource." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Resource tags." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "ipGroup": { - "type": "Microsoft.Network/ipGroups", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "ipAddresses": "[parameters('ipAddresses')]" - } - }, - "ipGroup_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/ipGroups/{0}', parameters('name'))]", - "name": 
"[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "ipGroup" - ] - }, - "ipGroup_roleAssignments": { - "copy": { - "name": "ipGroup_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/ipGroups/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/ipGroups', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "ipGroup" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the IP group." - }, - "value": "[resourceId('Microsoft.Network/ipGroups', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the IP group was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the IP group." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('ipGroup', '2023-04-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/ip-group/tests/e2e/defaults/main.test.bicep b/modules/network/ip-group/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 9511792159..0000000000 --- a/modules/network/ip-group/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.ipgroups-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nigmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/network/ip-group/tests/e2e/max/dependencies.bicep b/modules/network/ip-group/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/network/ip-group/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/ip-group/tests/e2e/max/main.test.bicep b/modules/network/ip-group/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 06bb71dc3b..0000000000
--- a/modules/network/ip-group/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,87 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-network.ipgroups-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nigmax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - ipAddresses: [ - '10.0.0.1' - '10.0.0.2' - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - 
roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/network/ip-group/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/ip-group/tests/e2e/waf-aligned/dependencies.bicep deleted file mode 100644 index a7f42aee7b..0000000000 --- a/modules/network/ip-group/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null @@ -1,13 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep b/modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep deleted file mode 100644 index e8767a2291..0000000000 --- a/modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep +++ /dev/null 
@@ -1,70 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-network.ipgroups-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nigwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - ipAddresses: [ - '10.0.0.1' - '10.0.0.2' - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - 
'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/ip-group/version.json b/modules/network/ip-group/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/network/ip-group/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/load-balancer/MOVED-TO-AVM.MD b/modules/network/load-balancer/MOVED-TO-AVM.MD
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/network/load-balancer/MOVED-TO-AVM.MD
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/network/load-balancer/README.md b/modules/network/load-balancer/README.md
index 94e0c1185f..e45a56b6d7 100644
--- a/modules/network/load-balancer/README.md
+++ b/modules/network/load-balancer/README.md
@@ -1,1322 +1,7 @@
-# Load Balancers `[Microsoft.Network/loadBalancers]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/load-balancer](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/load-balancer).** -This module deploys a Load Balancer. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/load-balancer). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/loadBalancers` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/loadBalancers) | -| `Microsoft.Network/loadBalancers/backendAddressPools` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/loadBalancers/backendAddressPools) | -| `Microsoft.Network/loadBalancers/inboundNatRules` | 
[2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/loadBalancers/inboundNatRules) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.load-balancer:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Internal](#example-2-internal) -- [Using large parameter set](#example-3-using-large-parameter-set) -- [WAF-aligned](#example-4-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nlbmin' - params: { - // Required parameters - frontendIPConfigurations: [ - { - name: 'publicIPConfig1' - publicIPAddressId: '' - } - ] - name: 'nlbmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "frontendIPConfigurations": { - "value": [ - { - "name": "publicIPConfig1", - "publicIPAddressId": "" - } - ] - }, - "name": { - "value": "nlbmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Internal_ - -

- -via Bicep module - -```bicep -module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nlbint' - params: { - // Required parameters - frontendIPConfigurations: [ - { - name: 'privateIPConfig1' - subnetId: '' - } - ] - name: 'nlbint001' - // Non-required parameters - backendAddressPools: [ - { - name: 'servers' - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - inboundNatRules: [ - { - backendPort: 443 - enableFloatingIP: false - enableTcpReset: false - frontendIPConfigurationName: 'privateIPConfig1' - frontendPort: 443 - idleTimeoutInMinutes: 4 - name: 'inboundNatRule1' - protocol: 'Tcp' - } - { - backendPort: 3389 - frontendIPConfigurationName: 'privateIPConfig1' - frontendPort: 3389 - name: 'inboundNatRule2' - } - ] - loadBalancingRules: [ - { - backendAddressPoolName: 'servers' - backendPort: 0 - disableOutboundSnat: true - enableFloatingIP: true - enableTcpReset: false - frontendIPConfigurationName: 'privateIPConfig1' - frontendPort: 0 - idleTimeoutInMinutes: 4 - loadDistribution: 'Default' - name: 'privateIPLBRule1' - probeName: 'probe1' - protocol: 'All' - } - ] - probes: [ - { - intervalInSeconds: 5 - name: 'probe1' - numberOfProbes: 2 - port: '62000' - protocol: 'Tcp' - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - skuName: 'Standard' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "frontendIPConfigurations": { - "value": [ - { - "name": "privateIPConfig1", - "subnetId": "" - } - ] - }, - "name": { - "value": "nlbint001" - }, - // Non-required parameters - "backendAddressPools": { - "value": [ - { - "name": "servers" - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "inboundNatRules": { - "value": [ - { - "backendPort": 443, - "enableFloatingIP": false, - "enableTcpReset": false, - "frontendIPConfigurationName": "privateIPConfig1", - "frontendPort": 443, - "idleTimeoutInMinutes": 4, - "name": "inboundNatRule1", - "protocol": "Tcp" - }, - { - "backendPort": 3389, - "frontendIPConfigurationName": "privateIPConfig1", - "frontendPort": 3389, - "name": "inboundNatRule2" - } - ] - }, - "loadBalancingRules": { - "value": [ - { - "backendAddressPoolName": "servers", - "backendPort": 0, - "disableOutboundSnat": true, - "enableFloatingIP": true, - "enableTcpReset": false, - "frontendIPConfigurationName": "privateIPConfig1", - "frontendPort": 0, - "idleTimeoutInMinutes": 4, - "loadDistribution": "Default", - "name": "privateIPLBRule1", - "probeName": "probe1", - "protocol": "All" - } - ] - }, - "probes": { - "value": [ - { - "intervalInSeconds": 5, - "name": "probe1", - "numberOfProbes": 2, - "port": "62000", - "protocol": "Tcp" - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "skuName": { - "value": "Standard" - }, - "tags": { - "value": { - 
"Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nlbmax' - params: { - // Required parameters - frontendIPConfigurations: [ - { - name: 'publicIPConfig1' - publicIPAddressId: '' - } - ] - name: 'nlbmax001' - // Non-required parameters - backendAddressPools: [ - { - name: 'backendAddressPool1' - } - { - name: 'backendAddressPool2' - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - inboundNatRules: [ - { - backendPort: 443 - enableFloatingIP: false - enableTcpReset: false - frontendIPConfigurationName: 'publicIPConfig1' - frontendPort: 443 - idleTimeoutInMinutes: 4 - name: 'inboundNatRule1' - protocol: 'Tcp' - } - { - backendPort: 3389 - frontendIPConfigurationName: 'publicIPConfig1' - frontendPort: 3389 - name: 'inboundNatRule2' - } - ] - loadBalancingRules: [ - { - backendAddressPoolName: 'backendAddressPool1' - backendPort: 80 - disableOutboundSnat: true - enableFloatingIP: false - enableTcpReset: false - frontendIPConfigurationName: 'publicIPConfig1' - frontendPort: 80 - idleTimeoutInMinutes: 5 - loadDistribution: 'Default' - name: 'publicIPLBRule1' - probeName: 'probe1' - protocol: 'Tcp' - } - { - backendAddressPoolName: 'backendAddressPool2' - backendPort: 8080 - frontendIPConfigurationName: 'publicIPConfig1' - frontendPort: 8080 - loadDistribution: 'Default' - name: 'publicIPLBRule2' - probeName: 'probe2' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - outboundRules: [ - { - allocatedOutboundPorts: 63984 - backendAddressPoolName: 'backendAddressPool1' - frontendIPConfigurationName: 'publicIPConfig1' - name: 'outboundRule1' - } - ] - probes: [ - { - intervalInSeconds: 10 - name: 'probe1' - 
numberOfProbes: 5 - port: 80 - protocol: 'Tcp' - } - { - name: 'probe2' - port: 443 - protocol: 'Https' - requestPath: '/' - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "frontendIPConfigurations": { - "value": [ - { - "name": "publicIPConfig1", - "publicIPAddressId": "" - } - ] - }, - "name": { - "value": "nlbmax001" - }, - // Non-required parameters - "backendAddressPools": { - "value": [ - { - "name": "backendAddressPool1" - }, - { - "name": "backendAddressPool2" - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "inboundNatRules": { - "value": [ - { - "backendPort": 443, - "enableFloatingIP": false, - "enableTcpReset": false, - "frontendIPConfigurationName": "publicIPConfig1", - "frontendPort": 443, - "idleTimeoutInMinutes": 4, - "name": "inboundNatRule1", - "protocol": "Tcp" - }, - { - "backendPort": 3389, - "frontendIPConfigurationName": "publicIPConfig1", - "frontendPort": 3389, - "name": "inboundNatRule2" - } - ] - }, - "loadBalancingRules": { - "value": [ - { - "backendAddressPoolName": "backendAddressPool1", - "backendPort": 80, - "disableOutboundSnat": true, - "enableFloatingIP": false, - "enableTcpReset": false, - "frontendIPConfigurationName": "publicIPConfig1", - "frontendPort": 80, - "idleTimeoutInMinutes": 5, - "loadDistribution": "Default", - "name": "publicIPLBRule1", - "probeName": "probe1", - "protocol": "Tcp" - }, - { - "backendAddressPoolName": "backendAddressPool2", - "backendPort": 8080, - "frontendIPConfigurationName": "publicIPConfig1", - "frontendPort": 8080, - "loadDistribution": "Default", - "name": "publicIPLBRule2", - "probeName": "probe2" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - 
"name": "myCustomLockName" - } - }, - "outboundRules": { - "value": [ - { - "allocatedOutboundPorts": 63984, - "backendAddressPoolName": "backendAddressPool1", - "frontendIPConfigurationName": "publicIPConfig1", - "name": "outboundRule1" - } - ] - }, - "probes": { - "value": [ - { - "intervalInSeconds": 10, - "name": "probe1", - "numberOfProbes": 5, - "port": 80, - "protocol": "Tcp" - }, - { - "name": "probe2", - "port": 443, - "protocol": "Https", - "requestPath": "/" - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 4: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nlbwaf' - params: { - // Required parameters - frontendIPConfigurations: [ - { - name: 'publicIPConfig1' - publicIPAddressId: '' - } - ] - name: 'nlbwaf001' - // Non-required parameters - backendAddressPools: [ - { - name: 'backendAddressPool1' - } - { - name: 'backendAddressPool2' - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - inboundNatRules: [ - { - backendPort: 443 - enableFloatingIP: false - enableTcpReset: false - frontendIPConfigurationName: 'publicIPConfig1' - frontendPort: 443 - idleTimeoutInMinutes: 4 - name: 'inboundNatRule1' - protocol: 'Tcp' - } - { - backendPort: 3389 - frontendIPConfigurationName: 'publicIPConfig1' - frontendPort: 3389 - name: 'inboundNatRule2' - } - ] - loadBalancingRules: [ - { - backendAddressPoolName: 'backendAddressPool1' - backendPort: 80 - disableOutboundSnat: true - enableFloatingIP: false - enableTcpReset: false - frontendIPConfigurationName: 'publicIPConfig1' - frontendPort: 80 - idleTimeoutInMinutes: 5 - loadDistribution: 'Default' - name: 'publicIPLBRule1' - probeName: 'probe1' - protocol: 'Tcp' - } - { - backendAddressPoolName: 'backendAddressPool2' - backendPort: 8080 - frontendIPConfigurationName: 'publicIPConfig1' - frontendPort: 8080 - loadDistribution: 'Default' - name: 'publicIPLBRule2' - probeName: 'probe2' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - outboundRules: [ - { - allocatedOutboundPorts: 63984 - backendAddressPoolName: 'backendAddressPool1' - frontendIPConfigurationName: 'publicIPConfig1' - name: 'outboundRule1' - } - ] - probes: [ - { - intervalInSeconds: 10 - name: 'probe1' - 
numberOfProbes: 5 - port: 80 - protocol: 'Tcp' - } - { - name: 'probe2' - port: 443 - protocol: 'Https' - requestPath: '/' - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "frontendIPConfigurations": { - "value": [ - { - "name": "publicIPConfig1", - "publicIPAddressId": "" - } - ] - }, - "name": { - "value": "nlbwaf001" - }, - // Non-required parameters - "backendAddressPools": { - "value": [ - { - "name": "backendAddressPool1" - }, - { - "name": "backendAddressPool2" - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "inboundNatRules": { - "value": [ - { - "backendPort": 443, - "enableFloatingIP": false, - "enableTcpReset": false, - "frontendIPConfigurationName": "publicIPConfig1", - "frontendPort": 443, - "idleTimeoutInMinutes": 4, - "name": "inboundNatRule1", - "protocol": "Tcp" - }, - { - "backendPort": 3389, - "frontendIPConfigurationName": "publicIPConfig1", - "frontendPort": 3389, - "name": "inboundNatRule2" - } - ] - }, - "loadBalancingRules": { - "value": [ - { - "backendAddressPoolName": "backendAddressPool1", - "backendPort": 80, - "disableOutboundSnat": true, - "enableFloatingIP": false, - "enableTcpReset": false, - "frontendIPConfigurationName": "publicIPConfig1", - "frontendPort": 80, - "idleTimeoutInMinutes": 5, - "loadDistribution": "Default", - "name": "publicIPLBRule1", - "probeName": "probe1", - "protocol": "Tcp" - }, - { - "backendAddressPoolName": "backendAddressPool2", - "backendPort": 8080, - "frontendIPConfigurationName": "publicIPConfig1", - "frontendPort": 8080, - "loadDistribution": "Default", - "name": "publicIPLBRule2", - "probeName": "probe2" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - 
"name": "myCustomLockName" - } - }, - "outboundRules": { - "value": [ - { - "allocatedOutboundPorts": 63984, - "backendAddressPoolName": "backendAddressPool1", - "frontendIPConfigurationName": "publicIPConfig1", - "name": "outboundRule1" - } - ] - }, - "probes": { - "value": [ - { - "intervalInSeconds": 10, - "name": "probe1", - "numberOfProbes": 5, - "port": 80, - "protocol": "Tcp" - }, - { - "name": "probe2", - "port": 443, - "protocol": "Https", - "requestPath": "/" - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`frontendIPConfigurations`](#parameter-frontendipconfigurations) | array | Array of objects containing all frontend IP configurations. | -| [`name`](#parameter-name) | string | The Proximity Placement Groups Name. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`backendAddressPools`](#parameter-backendaddresspools) | array | Collection of backend address pools used by a load balancer. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`inboundNatRules`](#parameter-inboundnatrules) | array | Collection of inbound NAT Rules used by a load balancer. Defining inbound NAT rules on your load balancer is mutually exclusive with defining an inbound NAT pool. Inbound NAT pools are referenced from virtual machine scale sets. NICs that are associated with individual virtual machines cannot reference an Inbound NAT pool. They have to reference individual inbound NAT rules. | -| [`loadBalancingRules`](#parameter-loadbalancingrules) | array | Array of objects containing all load balancing rules. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`outboundRules`](#parameter-outboundrules) | array | The outbound rules. | -| [`probes`](#parameter-probes) | array | Array of objects containing all probes, these are references in the load balancing rules. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`skuName`](#parameter-skuname) | string | Name of a load balancer SKU. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `frontendIPConfigurations` - -Array of objects containing all frontend IP configurations. - -- Required: Yes -- Type: array - -### Parameter: `name` - -The Proximity Placement Groups Name. - -- Required: Yes -- Type: string - -### Parameter: `backendAddressPools` - -Collection of backend address pools used by a load balancer. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. 
| -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `inboundNatRules` - -Collection of inbound NAT Rules used by a load balancer. Defining inbound NAT rules on your load balancer is mutually exclusive with defining an inbound NAT pool. Inbound NAT pools are referenced from virtual machine scale sets. NICs that are associated with individual virtual machines cannot reference an Inbound NAT pool. They have to reference individual inbound NAT rules. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `loadBalancingRules` - -Array of objects containing all load balancing rules. 
- -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `outboundRules` - -The outbound rules. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `probes` - -Array of objects containing all probes, these are references in the load balancing rules. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
| - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. 
- -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `skuName` - -Name of a load balancer SKU. - -- Required: No -- Type: string -- Default: `'Standard'` -- Allowed: - ```Bicep - [ - 'Basic' - 'Standard' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `backendpools` | array | The backend address pools available in the load balancer. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the load balancer. | -| `resourceGroupName` | string | The resource group the load balancer was deployed into. | -| `resourceId` | string | The resource ID of the load balancer. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `backendAddressPools` - -

- -Parameter JSON format - -```json -"backendAddressPools": { - "value": [ - { - "name": "p_hub-bfw-server-bepool", - "properties": { - "loadBalancerBackendAddresses": [ - { - "name": "iacs-sh-main-pd-01-euw-rg-network_awefwa01p-nic-int-01ipconfig-internal", - "properties": { - "virtualNetwork": { - "id": "[reference(variables('deploymentVNET')).outputs.vNetResourceId.value]" - }, - "ipAddress": "172.22.232.5" - } - }, - { - "name": "iacs-sh-main-pd-01-euw-rg-network_awefwa01p-ha-nic-int-01ipconfig-internal", - "properties": { - "virtualNetwork": { - "id": "[reference(variables('deploymentVNET')).outputs.vNetResourceId.value]" - }, - "ipAddress": "172.22.232.6" - } - } - ] - } - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -backendAddressPools: [ - { - name: 'p_hub-bfw-server-bepool' - properties: { - loadBalancerBackendAddresses: [ - { - name: 'iacs-sh-main-pd-01-euw-rg-network_awefwa01p-nic-int-01ipconfig-internal' - properties: { - virtualNetwork: { - id: '[reference(variables('deploymentVNET')).outputs.vNetResourceId.value]' - } - ipAddress: '172.22.232.5' - } - } - { - name: 'iacs-sh-main-pd-01-euw-rg-network_awefwa01p-ha-nic-int-01ipconfig-internal' - properties: { - virtualNetwork: { - id: '[reference(variables('deploymentVNET')).outputs.vNetResourceId.value]' - } - ipAddress: '172.22.232.6' - } - } - ] - } - } -] -``` - -
-

+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/network/load-balancer/backend-address-pool/README.md b/modules/network/load-balancer/backend-address-pool/README.md
deleted file mode 100644
index 6570434862..0000000000
--- a/modules/network/load-balancer/backend-address-pool/README.md
+++ /dev/null
@@ -1,115 +0,0 @@
-# Load Balancer Backend Address Pools `[Microsoft.Network/loadBalancers/backendAddressPools]`
-
-This module deploys a Load Balancer Backend Address Pools.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Network/loadBalancers/backendAddressPools` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/loadBalancers/backendAddressPools) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the backend address pool. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`loadBalancerName`](#parameter-loadbalancername) | string | The name of the parent load balancer. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`drainPeriodInSeconds`](#parameter-drainperiodinseconds) | int | Amount of seconds Load Balancer waits for before sending RESET to client and backend address. if value is 0 then this property will be set to null. Subscription must register the feature Microsoft.Network/SLBAllowConnectionDraining before using this property. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`loadBalancerBackendAddresses`](#parameter-loadbalancerbackendaddresses) | array | An array of backend addresses. |
-| [`syncMode`](#parameter-syncmode) | string | Backend address synchronous mode for the backend pool. |
-| [`tunnelInterfaces`](#parameter-tunnelinterfaces) | array | An array of gateway load balancer tunnel interfaces. |
-
-### Parameter: `name`
-
-The name of the backend address pool.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `loadBalancerName`
-
-The name of the parent load balancer. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `drainPeriodInSeconds`
-
-Amount of seconds Load Balancer waits for before sending RESET to client and backend address. if value is 0 then this property will be set to null. Subscription must register the feature Microsoft.Network/SLBAllowConnectionDraining before using this property.
-
-- Required: No
-- Type: int
-- Default: `0`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `loadBalancerBackendAddresses`
-
-An array of backend addresses.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `syncMode`
-
-Backend address synchronous mode for the backend pool.
-
-- Required: No
-- Type: string
-- Default: `''`
-- Allowed:
- ```Bicep
- [
- ''
- 'Automatic'
- 'Manual'
- ]
- ```
-
-### Parameter: `tunnelInterfaces`
-
-An array of gateway load balancer tunnel interfaces.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the backend address pool. |
-| `resourceGroupName` | string | The resource group the backend address pool was deployed into. |
-| `resourceId` | string | The resource ID of the backend address pool. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/network/load-balancer/backend-address-pool/main.bicep b/modules/network/load-balancer/backend-address-pool/main.bicep
deleted file mode 100644
index 3a06064bc0..0000000000
--- a/modules/network/load-balancer/backend-address-pool/main.bicep
+++ /dev/null
@@ -1,65 +0,0 @@
-metadata name = 'Load Balancer Backend Address Pools'
-metadata description = 'This module deploys a Load Balancer Backend Address Pools.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent load balancer. Required if the template is used in a standalone deployment.')
-param loadBalancerName string
-
-@description('Required. The name of the backend address pool.')
-param name string
-
-@description('Optional. An array of backend addresses.')
-param loadBalancerBackendAddresses array = []
-
-@description('Optional. An array of gateway load balancer tunnel interfaces.')
-param tunnelInterfaces array = []
-
-@description('Optional. Amount of seconds Load Balancer waits for before sending RESET to client and backend address. if value is 0 then this property will be set to null. Subscription must register the feature Microsoft.Network/SLBAllowConnectionDraining before using this property.')
-param drainPeriodInSeconds int = 0
-
-@allowed([
- ''
- 'Automatic'
- 'Manual'
-])
-@description('Optional. Backend address synchronous mode for the backend pool.')
-param syncMode string = ''
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource loadBalancer 'Microsoft.Network/loadBalancers@2023-04-01' existing = {
- name: loadBalancerName
-}
-
-resource backendAddressPool 'Microsoft.Network/loadBalancers/backendAddressPools@2023-04-01' = {
- name: name
- properties: {
- loadBalancerBackendAddresses: loadBalancerBackendAddresses
- tunnelInterfaces: tunnelInterfaces
- drainPeriodInSeconds: drainPeriodInSeconds != 0 ? drainPeriodInSeconds : null
- syncMode: !empty(syncMode) ? syncMode : null
- }
- parent: loadBalancer
-}
-
-@description('The name of the backend address pool.')
-output name string = backendAddressPool.name
-
-@description('The resource ID of the backend address pool.')
-output resourceId string = backendAddressPool.id
-
-@description('The resource group the backend address pool was deployed into.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/network/load-balancer/backend-address-pool/main.json b/modules/network/load-balancer/backend-address-pool/main.json
deleted file mode 100644
index 166b5e8185..0000000000
--- a/modules/network/load-balancer/backend-address-pool/main.json
+++ /dev/null
@@ -1,118 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "metadata": {
- "_generator": {
- "name": "bicep",
- "version": "0.23.1.45101",
- "templateHash": "11772165650732157187"
- },
- "name": "Load Balancer Backend Address Pools",
- "description": "This module deploys a Load Balancer Backend Address Pools.",
- "owner": "Azure/module-maintainers"
- },
- "parameters": {
- "loadBalancerName": {
- "type": "string",
- "metadata": {
- "description": "Conditional. The name of the parent load balancer. Required if the template is used in a standalone deployment."
- }
- },
- "name": {
- "type": "string",
- "metadata": {
- "description": "Required. The name of the backend address pool."
- }
- },
- "loadBalancerBackendAddresses": {
- "type": "array",
- "defaultValue": [],
- "metadata": {
- "description": "Optional. An array of backend addresses."
- }
- },
- "tunnelInterfaces": {
- "type": "array",
- "defaultValue": [],
- "metadata": {
- "description": "Optional. An array of gateway load balancer tunnel interfaces."
- }
- },
- "drainPeriodInSeconds": {
- "type": "int",
- "defaultValue": 0,
- "metadata": {
- "description": "Optional. Amount of seconds Load Balancer waits for before sending RESET to client and backend address. if value is 0 then this property will be set to null. Subscription must register the feature Microsoft.Network/SLBAllowConnectionDraining before using this property."
- }
- },
- "syncMode": {
- "type": "string",
- "defaultValue": "",
- "allowedValues": [
- "",
- "Automatic",
- "Manual"
- ],
- "metadata": {
- "description": "Optional. Backend address synchronous mode for the backend pool."
- }
- },
- "enableDefaultTelemetry": {
- "type": "bool",
- "defaultValue": true,
- "metadata": {
- "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)."
- }
- }
- },
- "resources": [
- {
- "condition": "[parameters('enableDefaultTelemetry')]",
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2021-04-01",
- "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]",
- "properties": {
- "mode": "Incremental",
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "resources": []
- }
- }
- },
- {
- "type": "Microsoft.Network/loadBalancers/backendAddressPools",
- "apiVersion": "2023-04-01",
- "name": "[format('{0}/{1}', parameters('loadBalancerName'), parameters('name'))]",
- "properties": {
- "loadBalancerBackendAddresses": "[parameters('loadBalancerBackendAddresses')]",
- "tunnelInterfaces": "[parameters('tunnelInterfaces')]",
- "drainPeriodInSeconds": "[if(not(equals(parameters('drainPeriodInSeconds'), 0)), parameters('drainPeriodInSeconds'), null())]",
- "syncMode": "[if(not(empty(parameters('syncMode'))), parameters('syncMode'), null())]"
- }
- }
- ],
- "outputs": {
- "name": {
- "type": "string",
- "metadata": {
- "description": "The name of the backend address pool."
- },
- "value": "[parameters('name')]"
- },
- "resourceId": {
- "type": "string",
- "metadata": {
- "description": "The resource ID of the backend address pool."
- },
- "value": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', parameters('loadBalancerName'), parameters('name'))]"
- },
- "resourceGroupName": {
- "type": "string",
- "metadata": {
- "description": "The resource group the backend address pool was deployed into."
- },
- "value": "[resourceGroup().name]"
- }
- }
-}
\ No newline at end of file
diff --git a/modules/network/load-balancer/backend-address-pool/version.json b/modules/network/load-balancer/backend-address-pool/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/network/load-balancer/backend-address-pool/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/load-balancer/inbound-nat-rule/README.md b/modules/network/load-balancer/inbound-nat-rule/README.md
deleted file mode 100644
index 85f725237f..0000000000
--- a/modules/network/load-balancer/inbound-nat-rule/README.md
+++ /dev/null
@@ -1,167 +0,0 @@ -# Load Balancer Inbound NAT Rules `[Microsoft.Network/loadBalancers/inboundNatRules]` - -This module deploys a Load Balancer Inbound NAT Rules. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Network/loadBalancers/inboundNatRules` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/loadBalancers/inboundNatRules) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`frontendIPConfigurationName`](#parameter-frontendipconfigurationname) | string | The name of the frontend IP address to set for the inbound NAT rule. | -| [`frontendPort`](#parameter-frontendport) | int | The port for the external endpoint. Port numbers for each rule must be unique within the Load Balancer. | -| [`name`](#parameter-name) | string | The name of the inbound NAT rule. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`loadBalancerName`](#parameter-loadbalancername) | string | The name of the parent load balancer. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`backendAddressPoolName`](#parameter-backendaddresspoolname) | string | Name of the backend address pool. | -| [`backendPort`](#parameter-backendport) | int | The port used for the internal endpoint. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`enableFloatingIP`](#parameter-enablefloatingip) | bool | Configures a virtual machine's endpoint for the floating IP capability required to configure a SQL AlwaysOn Availability Group. 
This setting is required when using the SQL AlwaysOn Availability Groups in SQL server. This setting can't be changed after you create the endpoint. | -| [`enableTcpReset`](#parameter-enabletcpreset) | bool | Receive bidirectional TCP Reset on TCP flow idle timeout or unexpected connection termination. This element is only used when the protocol is set to TCP. | -| [`frontendPortRangeEnd`](#parameter-frontendportrangeend) | int | The port range end for the external endpoint. This property is used together with BackendAddressPool and FrontendPortRangeStart. Individual inbound NAT rule port mappings will be created for each backend address from BackendAddressPool. | -| [`frontendPortRangeStart`](#parameter-frontendportrangestart) | int | The port range start for the external endpoint. This property is used together with BackendAddressPool and FrontendPortRangeEnd. Individual inbound NAT rule port mappings will be created for each backend address from BackendAddressPool. | -| [`idleTimeoutInMinutes`](#parameter-idletimeoutinminutes) | int | The timeout for the TCP idle connection. The value can be set between 4 and 30 minutes. The default value is 4 minutes. This element is only used when the protocol is set to TCP. | -| [`protocol`](#parameter-protocol) | string | The transport protocol for the endpoint. | - -### Parameter: `frontendIPConfigurationName` - -The name of the frontend IP address to set for the inbound NAT rule. - -- Required: Yes -- Type: string - -### Parameter: `frontendPort` - -The port for the external endpoint. Port numbers for each rule must be unique within the Load Balancer. - -- Required: Yes -- Type: int - -### Parameter: `name` - -The name of the inbound NAT rule. - -- Required: Yes -- Type: string - -### Parameter: `loadBalancerName` - -The name of the parent load balancer. Required if the template is used in a standalone deployment. 
- -- Required: Yes -- Type: string - -### Parameter: `backendAddressPoolName` - -Name of the backend address pool. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `backendPort` - -The port used for the internal endpoint. - -- Required: No -- Type: int -- Default: `[parameters('frontendPort')]` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableFloatingIP` - -Configures a virtual machine's endpoint for the floating IP capability required to configure a SQL AlwaysOn Availability Group. This setting is required when using the SQL AlwaysOn Availability Groups in SQL server. This setting can't be changed after you create the endpoint. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enableTcpReset` - -Receive bidirectional TCP Reset on TCP flow idle timeout or unexpected connection termination. This element is only used when the protocol is set to TCP. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `frontendPortRangeEnd` - -The port range end for the external endpoint. This property is used together with BackendAddressPool and FrontendPortRangeStart. Individual inbound NAT rule port mappings will be created for each backend address from BackendAddressPool. - -- Required: No -- Type: int -- Default: `-1` - -### Parameter: `frontendPortRangeStart` - -The port range start for the external endpoint. This property is used together with BackendAddressPool and FrontendPortRangeEnd. Individual inbound NAT rule port mappings will be created for each backend address from BackendAddressPool. - -- Required: No -- Type: int -- Default: `-1` - -### Parameter: `idleTimeoutInMinutes` - -The timeout for the TCP idle connection. The value can be set between 4 and 30 minutes. The default value is 4 minutes. This element is only used when the protocol is set to TCP. 
- -- Required: No -- Type: int -- Default: `4` - -### Parameter: `protocol` - -The transport protocol for the endpoint. - -- Required: No -- Type: string -- Default: `'Tcp'` -- Allowed: - ```Bicep - [ - 'All' - 'Tcp' - 'Udp' - ] - ``` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the inbound NAT rule. | -| `resourceGroupName` | string | The resource group the inbound NAT rule was deployed into. | -| `resourceId` | string | The resource ID of the inbound NAT rule. | - -## Cross-referenced modules - -_None_ diff --git a/modules/network/load-balancer/inbound-nat-rule/main.bicep b/modules/network/load-balancer/inbound-nat-rule/main.bicep deleted file mode 100644 index 0025ec40b4..0000000000 --- a/modules/network/load-balancer/inbound-nat-rule/main.bicep +++ /dev/null 
@@ -1,101 +0,0 @@ -metadata name = 'Load Balancer Inbound NAT Rules' -metadata description = 'This module deploys a Load Balancer Inbound NAT Rules.' -metadata owner = 'Azure/module-maintainers' - -@description('Conditional. The name of the parent load balancer. Required if the template is used in a standalone deployment.') -param loadBalancerName string - -@description('Required. The name of the inbound NAT rule.') -param name string - -@description('Required. The port for the external endpoint. Port numbers for each rule must be unique within the Load Balancer.') -@minValue(1) -@maxValue(65534) -param frontendPort int - -@description('Optional. The port used for the internal endpoint.') -@minValue(1) -@maxValue(65535) -param backendPort int = frontendPort - -@description('Optional. Name of the backend address pool.') -param backendAddressPoolName string = '' - -@description('Optional. Configures a virtual machine\'s endpoint for the floating IP capability required to configure a SQL AlwaysOn Availability Group. This setting is required when using the SQL AlwaysOn Availability Groups in SQL server. This setting can\'t be changed after you create the endpoint.') -param enableFloatingIP bool = false - -@description('Optional. Receive bidirectional TCP Reset on TCP flow idle timeout or unexpected connection termination. This element is only used when the protocol is set to TCP.') -param enableTcpReset bool = false - -@description('Required. The name of the frontend IP address to set for the inbound NAT rule.') -param frontendIPConfigurationName string - -@description('Optional. The port range end for the external endpoint. This property is used together with BackendAddressPool and FrontendPortRangeStart. Individual inbound NAT rule port mappings will be created for each backend address from BackendAddressPool.') -@minValue(-1) -@maxValue(65534) -param frontendPortRangeEnd int = -1 - -@description('Optional. The port range start for the external endpoint. 
This property is used together with BackendAddressPool and FrontendPortRangeEnd. Individual inbound NAT rule port mappings will be created for each backend address from BackendAddressPool.') -@minValue(-1) -@maxValue(65534) -param frontendPortRangeStart int = -1 - -@description('Optional. The timeout for the TCP idle connection. The value can be set between 4 and 30 minutes. The default value is 4 minutes. This element is only used when the protocol is set to TCP.') -param idleTimeoutInMinutes int = 4 - -@description('Optional. The transport protocol for the endpoint.') -@allowed([ - 'All' - 'Tcp' - 'Udp' -]) -param protocol string = 'Tcp' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource loadBalancer 'Microsoft.Network/loadBalancers@2023-04-01' existing = { - name: loadBalancerName -} - -resource inboundNatRule 'Microsoft.Network/loadBalancers/inboundNatRules@2023-04-01' = { - name: name - properties: { - frontendPort: frontendPort - backendPort: backendPort - backendAddressPool: !empty(backendAddressPoolName) ? { - id: '${loadBalancer.id}/backendAddressPools/${backendAddressPoolName}' - } : null - enableFloatingIP: enableFloatingIP - enableTcpReset: enableTcpReset - frontendIPConfiguration: { - id: '${loadBalancer.id}/frontendIPConfigurations/${frontendIPConfigurationName}' - } - frontendPortRangeStart: frontendPortRangeStart != -1 ? frontendPortRangeStart : null - frontendPortRangeEnd: frontendPortRangeEnd != -1 ? 
frontendPortRangeEnd : null - idleTimeoutInMinutes: idleTimeoutInMinutes - protocol: protocol - } - parent: loadBalancer -} - -@description('The name of the inbound NAT rule.') -output name string = inboundNatRule.name - -@description('The resource ID of the inbound NAT rule.') -output resourceId string = inboundNatRule.id - -@description('The resource group the inbound NAT rule was deployed into.') -output resourceGroupName string = resourceGroup().name diff --git a/modules/network/load-balancer/inbound-nat-rule/main.json b/modules/network/load-balancer/inbound-nat-rule/main.json deleted file mode 100644 index 0b7171f431..0000000000 --- a/modules/network/load-balancer/inbound-nat-rule/main.json +++ /dev/null 
@@ -1,174 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10843150655101094909" - }, - "name": "Load Balancer Inbound NAT Rules", - "description": "This module deploys a Load Balancer Inbound NAT Rules.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "loadBalancerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent load balancer. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the inbound NAT rule." - } - }, - "frontendPort": { - "type": "int", - "minValue": 1, - "maxValue": 65534, - "metadata": { - "description": "Required. The port for the external endpoint. Port numbers for each rule must be unique within the Load Balancer." - } - }, - "backendPort": { - "type": "int", - "defaultValue": "[parameters('frontendPort')]", - "minValue": 1, - "maxValue": 65535, - "metadata": { - "description": "Optional. The port used for the internal endpoint." - } - }, - "backendAddressPoolName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the backend address pool." - } - }, - "enableFloatingIP": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Configures a virtual machine's endpoint for the floating IP capability required to configure a SQL AlwaysOn Availability Group. This setting is required when using the SQL AlwaysOn Availability Groups in SQL server. This setting can't be changed after you create the endpoint." - } - }, - "enableTcpReset": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Receive bidirectional TCP Reset on TCP flow idle timeout or unexpected connection termination. 
This element is only used when the protocol is set to TCP." - } - }, - "frontendIPConfigurationName": { - "type": "string", - "metadata": { - "description": "Required. The name of the frontend IP address to set for the inbound NAT rule." - } - }, - "frontendPortRangeEnd": { - "type": "int", - "defaultValue": -1, - "minValue": -1, - "maxValue": 65534, - "metadata": { - "description": "Optional. The port range end for the external endpoint. This property is used together with BackendAddressPool and FrontendPortRangeStart. Individual inbound NAT rule port mappings will be created for each backend address from BackendAddressPool." - } - }, - "frontendPortRangeStart": { - "type": "int", - "defaultValue": -1, - "minValue": -1, - "maxValue": 65534, - "metadata": { - "description": "Optional. The port range start for the external endpoint. This property is used together with BackendAddressPool and FrontendPortRangeEnd. Individual inbound NAT rule port mappings will be created for each backend address from BackendAddressPool." - } - }, - "idleTimeoutInMinutes": { - "type": "int", - "defaultValue": 4, - "metadata": { - "description": "Optional. The timeout for the TCP idle connection. The value can be set between 4 and 30 minutes. The default value is 4 minutes. This element is only used when the protocol is set to TCP." - } - }, - "protocol": { - "type": "string", - "defaultValue": "Tcp", - "allowedValues": [ - "All", - "Tcp", - "Udp" - ], - "metadata": { - "description": "Optional. The transport protocol for the endpoint." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/loadBalancers/inboundNatRules", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('loadBalancerName'), parameters('name'))]", - "properties": { - "frontendPort": "[parameters('frontendPort')]", - "backendPort": "[parameters('backendPort')]", - "backendAddressPool": "[if(not(empty(parameters('backendAddressPoolName'))), createObject('id', format('{0}/backendAddressPools/{1}', resourceId('Microsoft.Network/loadBalancers', parameters('loadBalancerName')), parameters('backendAddressPoolName'))), null())]", - "enableFloatingIP": "[parameters('enableFloatingIP')]", - "enableTcpReset": "[parameters('enableTcpReset')]", - "frontendIPConfiguration": { - "id": "[format('{0}/frontendIPConfigurations/{1}', resourceId('Microsoft.Network/loadBalancers', parameters('loadBalancerName')), parameters('frontendIPConfigurationName'))]" - }, - "frontendPortRangeStart": "[if(not(equals(parameters('frontendPortRangeStart'), -1)), parameters('frontendPortRangeStart'), null())]", - "frontendPortRangeEnd": "[if(not(equals(parameters('frontendPortRangeEnd'), -1)), parameters('frontendPortRangeEnd'), null())]", - "idleTimeoutInMinutes": "[parameters('idleTimeoutInMinutes')]", - "protocol": "[parameters('protocol')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the inbound NAT rule." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the inbound NAT rule." - }, - "value": "[resourceId('Microsoft.Network/loadBalancers/inboundNatRules', parameters('loadBalancerName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the inbound NAT rule was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/network/load-balancer/inbound-nat-rule/version.json b/modules/network/load-balancer/inbound-nat-rule/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/network/load-balancer/inbound-nat-rule/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/load-balancer/main.bicep b/modules/network/load-balancer/main.bicep deleted file mode 100644 index c3d1c82794..0000000000 --- a/modules/network/load-balancer/main.bicep +++ /dev/null 
@@ -1,322 +0,0 @@ -metadata name = 'Load Balancers' -metadata description = 'This module deploys a Load Balancer.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. The Proximity Placement Groups Name.') -param name string - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. Name of a load balancer SKU.') -@allowed([ - 'Basic' - 'Standard' -]) -param skuName string = 'Standard' - -@description('Required. Array of objects containing all frontend IP configurations.') -@minLength(1) -param frontendIPConfigurations array - -@description('Optional. Collection of backend address pools used by a load balancer.') -param backendAddressPools array = [] - -@description('Optional. Array of objects containing all load balancing rules.') -param loadBalancingRules array = [] - -@description('Optional. Array of objects containing all probes, these are references in the load balancing rules.') -param probes array = [] - -@description('Optional. The diagnostic settings of the service.') -param diagnosticSettings diagnosticSettingType - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments roleAssignmentType - -@description('Optional. Tags of the resource.') -param tags object? - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. Collection of inbound NAT Rules used by a load balancer. 
Defining inbound NAT rules on your load balancer is mutually exclusive with defining an inbound NAT pool. Inbound NAT pools are referenced from virtual machine scale sets. NICs that are associated with individual virtual machines cannot reference an Inbound NAT pool. They have to reference individual inbound NAT rules.') -param inboundNatRules array = [] - -@description('Optional. The outbound rules.') -param outboundRules array = [] - -var frontendIPConfigurationsVar = [for (frontendIPConfiguration, index) in frontendIPConfigurations: { - name: frontendIPConfiguration.name - properties: { - subnet: contains(frontendIPConfiguration, 'subnetId') && !empty(frontendIPConfiguration.subnetId) ? { - id: frontendIPConfiguration.subnetId - } : null - publicIPAddress: contains(frontendIPConfiguration, 'publicIPAddressId') && !empty(frontendIPConfiguration.publicIPAddressId) ? { - id: frontendIPConfiguration.publicIPAddressId - } : null - privateIPAddress: contains(frontendIPConfiguration, 'privateIPAddress') && !empty(frontendIPConfiguration.privateIPAddress) ? frontendIPConfiguration.privateIPAddress : null - privateIPAddressVersion: contains(frontendIPConfiguration, 'privateIPAddressVersion') ? frontendIPConfiguration.privateIPAddressVersion : 'IPv4' - privateIPAllocationMethod: contains(frontendIPConfiguration, 'subnetId') && !empty(frontendIPConfiguration.subnetId) ? (contains(frontendIPConfiguration, 'privateIPAddress') ? 'Static' : 'Dynamic') : null - gatewayLoadBalancer: contains(frontendIPConfiguration, 'gatewayLoadBalancer') && !empty(frontendIPConfiguration.gatewayLoadBalancer) ? { - id: frontendIPConfiguration.gatewayLoadBalancer - } : null - publicIPPrefix: contains(frontendIPConfiguration, 'publicIPPrefix') && !empty(frontendIPConfiguration.publicIPPrefix) ? 
{ - id: frontendIPConfiguration.publicIPPrefix - } : null - } -}] - -var loadBalancingRulesVar = [for loadBalancingRule in loadBalancingRules: { - name: loadBalancingRule.name - properties: { - backendAddressPool: { - id: az.resourceId('Microsoft.Network/loadBalancers/backendAddressPools', name, loadBalancingRule.backendAddressPoolName) - } - backendPort: loadBalancingRule.backendPort - disableOutboundSnat: contains(loadBalancingRule, 'disableOutboundSnat') ? loadBalancingRule.disableOutboundSnat : true - enableFloatingIP: contains(loadBalancingRule, 'enableFloatingIP') ? loadBalancingRule.enableFloatingIP : false - enableTcpReset: contains(loadBalancingRule, 'enableTcpReset') ? loadBalancingRule.enableTcpReset : false - frontendIPConfiguration: { - id: az.resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', name, loadBalancingRule.frontendIPConfigurationName) - } - frontendPort: loadBalancingRule.frontendPort - idleTimeoutInMinutes: contains(loadBalancingRule, 'idleTimeoutInMinutes') ? loadBalancingRule.idleTimeoutInMinutes : 4 - loadDistribution: contains(loadBalancingRule, 'loadDistribution') ? loadBalancingRule.loadDistribution : 'Default' - probe: { - id: '${az.resourceId('Microsoft.Network/loadBalancers', name)}/probes/${loadBalancingRule.probeName}' - } - protocol: contains(loadBalancingRule, 'protocol') ? loadBalancingRule.protocol : 'Tcp' - } -}] - -var outboundRulesVar = [for outboundRule in outboundRules: { - name: outboundRule.name - properties: { - frontendIPConfigurations: [ - { - id: az.resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', name, outboundRule.frontendIPConfigurationName) - } - ] - backendAddressPool: { - id: az.resourceId('Microsoft.Network/loadBalancers/backendAddressPools', name, outboundRule.backendAddressPoolName) - } - protocol: contains(outboundRule, 'protocol') ? outboundRule.protocol : 'All' - allocatedOutboundPorts: contains(outboundRule, 'allocatedOutboundPorts') ? 
outboundRule.allocatedOutboundPorts : 63984 - enableTcpReset: contains(outboundRule, 'enableTcpReset') ? outboundRule.enableTcpReset : true - idleTimeoutInMinutes: contains(outboundRule, 'idleTimeoutInMinutes') ? outboundRule.idleTimeoutInMinutes : 4 - } -}] - -var probesVar = [for probe in probes: { - name: probe.name - properties: { - protocol: contains(probe, 'protocol') ? probe.protocol : 'Tcp' - requestPath: toLower(probe.protocol) != 'tcp' ? probe.requestPath : null - port: contains(probe, 'port') ? probe.port : 80 - intervalInSeconds: contains(probe, 'intervalInSeconds') ? probe.intervalInSeconds : 5 - numberOfProbes: contains(probe, 'numberOfProbes') ? probe.numberOfProbes : 2 - } -}] - -var backendAddressPoolNames = [for backendAddressPool in backendAddressPools: { - name: backendAddressPool.name -}] - -var enableReferencedModulesTelemetry = false - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 
'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource loadBalancer 'Microsoft.Network/loadBalancers@2023-04-01' = { - name: name - location: location - tags: tags - sku: { - name: skuName - } - properties: { - frontendIPConfigurations: frontendIPConfigurationsVar - loadBalancingRules: loadBalancingRulesVar - backendAddressPools: backendAddressPoolNames - outboundRules: outboundRulesVar - probes: probesVar - } -} - -module loadBalancer_backendAddressPools 'backend-address-pool/main.bicep' = [for (backendAddressPool, index) in backendAddressPools: { - name: '${uniqueString(deployment().name, location)}-loadBalancer-backendAddressPools-${index}' - params: { - loadBalancerName: loadBalancer.name - name: backendAddressPool.name - tunnelInterfaces: contains(backendAddressPool, 'tunnelInterfaces') && !empty(backendAddressPool.tunnelInterfaces) ? backendAddressPool.tunnelInterfaces : [] - loadBalancerBackendAddresses: contains(backendAddressPool, 'loadBalancerBackendAddresses') && !empty(backendAddressPool.loadBalancerBackendAddresses) ? backendAddressPool.loadBalancerBackendAddresses : [] - drainPeriodInSeconds: contains(backendAddressPool, 'drainPeriodInSeconds') ? backendAddressPool.drainPeriodInSeconds : 0 - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -module loadBalancer_inboundNATRules 'inbound-nat-rule/main.bicep' = [for (inboundNATRule, index) in inboundNatRules: { - name: '${uniqueString(deployment().name, location)}-LoadBalancer-inboundNatRules-${index}' - params: { - loadBalancerName: loadBalancer.name - name: inboundNATRule.name - frontendIPConfigurationName: inboundNATRule.frontendIPConfigurationName - frontendPort: inboundNATRule.frontendPort - backendPort: contains(inboundNATRule, 'backendPort') ? inboundNATRule.backendPort : inboundNATRule.frontendPort - backendAddressPoolName: contains(inboundNATRule, 'backendAddressPoolName') ? 
inboundNATRule.backendAddressPoolName : '' - enableFloatingIP: contains(inboundNATRule, 'enableFloatingIP') ? inboundNATRule.enableFloatingIP : false - enableTcpReset: contains(inboundNATRule, 'enableTcpReset') ? inboundNATRule.enableTcpReset : false - frontendPortRangeEnd: contains(inboundNATRule, 'frontendPortRangeEnd') ? inboundNATRule.frontendPortRangeEnd : -1 - frontendPortRangeStart: contains(inboundNATRule, 'frontendPortRangeStart') ? inboundNATRule.frontendPortRangeStart : -1 - idleTimeoutInMinutes: contains(inboundNATRule, 'idleTimeoutInMinutes') ? inboundNATRule.idleTimeoutInMinutes : 4 - protocol: contains(inboundNATRule, 'protocol') ? inboundNATRule.protocol : 'Tcp' - enableDefaultTelemetry: enableReferencedModulesTelemetry - } - dependsOn: [ - loadBalancer_backendAddressPools - ] -}] - -resource loadBalancer_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' - } - scope: loadBalancer -} - -resource loadBalancer_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { - name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' - properties: { - storageAccountId: diagnosticSetting.?storageAccountResourceId - workspaceId: diagnosticSetting.?workspaceResourceId - eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId - eventHubName: diagnosticSetting.?eventHubName - metrics: diagnosticSetting.?metricCategories ?? 
[ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - } - ] - marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId - logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType - } - scope: loadBalancer -}] - -resource loadBalancer_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(loadBalancer.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: loadBalancer -}] - -@description('The name of the load balancer.') -output name string = loadBalancer.name - -@description('The resource ID of the load balancer.') -output resourceId string = loadBalancer.id - -@description('The resource group the load balancer was deployed into.') -output resourceGroupName string = resourceGroup().name - -@description('The backend address pools available in the load balancer.') -output backendpools array = loadBalancer.properties.backendAddressPools - -@description('The location the resource was deployed into.') -output location string = loadBalancer.location - -// =============== // -// Definitions // -// =============== // - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? 
- -type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? - -type diagnosticSettingType = { - @description('Optional. The name of diagnostic setting.') - name: string? - - @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') - metricCategories: { - @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') - category: string - }[]? - - @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? - - @description('Optional. Resource ID of the diagnostic log analytics workspace. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - workspaceResourceId: string? - - @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - storageAccountResourceId: string? - - @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') - eventHubAuthorizationRuleResourceId: string? - - @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - eventHubName: string? - - @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') - marketplacePartnerResourceId: string? -}[]? diff --git a/modules/network/load-balancer/main.json b/modules/network/load-balancer/main.json deleted file mode 100644 index 6503086e86..0000000000 --- a/modules/network/load-balancer/main.json +++ /dev/null 
@@ -1,881 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9944578791387151773" - }, - "name": "Load Balancers", - "description": "This module deploys a Load Balancer.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." 
- } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The Proximity Placement Groups Name." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "skuName": { - "type": "string", - "defaultValue": "Standard", - "allowedValues": [ - "Basic", - "Standard" - ], - "metadata": { - "description": "Optional. Name of a load balancer SKU." - } - }, - "frontendIPConfigurations": { - "type": "array", - "minLength": 1, - "metadata": { - "description": "Required. Array of objects containing all frontend IP configurations." 
- } - }, - "backendAddressPools": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Collection of backend address pools used by a load balancer." - } - }, - "loadBalancingRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of objects containing all load balancing rules." - } - }, - "probes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of objects containing all probes, these are references in the load balancing rules." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "inboundNatRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Collection of inbound NAT Rules used by a load balancer. Defining inbound NAT rules on your load balancer is mutually exclusive with defining an inbound NAT pool. 
Inbound NAT pools are referenced from virtual machine scale sets. NICs that are associated with individual virtual machines cannot reference an Inbound NAT pool. They have to reference individual inbound NAT rules." - } - }, - "outboundRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The outbound rules." - } - } - }, - "variables": { - "copy": [ - { - "name": "frontendIPConfigurationsVar", - "count": "[length(parameters('frontendIPConfigurations'))]", - "input": { - "name": "[parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurationsVar')].name]", - "properties": { - "subnet": "[if(and(contains(parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurationsVar')], 'subnetId'), not(empty(parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurationsVar')].subnetId))), createObject('id', parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurationsVar')].subnetId), null())]", - "publicIPAddress": "[if(and(contains(parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurationsVar')], 'publicIPAddressId'), not(empty(parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurationsVar')].publicIPAddressId))), createObject('id', parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurationsVar')].publicIPAddressId), null())]", - "privateIPAddress": "[if(and(contains(parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurationsVar')], 'privateIPAddress'), not(empty(parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurationsVar')].privateIPAddress))), parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurationsVar')].privateIPAddress, null())]", - "privateIPAddressVersion": "[if(contains(parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurationsVar')], 'privateIPAddressVersion'), parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurationsVar')].privateIPAddressVersion, 
'IPv4')]", - "privateIPAllocationMethod": "[if(and(contains(parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurationsVar')], 'subnetId'), not(empty(parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurationsVar')].subnetId))), if(contains(parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurationsVar')], 'privateIPAddress'), 'Static', 'Dynamic'), null())]", - "gatewayLoadBalancer": "[if(and(contains(parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurationsVar')], 'gatewayLoadBalancer'), not(empty(parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurationsVar')].gatewayLoadBalancer))), createObject('id', parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurationsVar')].gatewayLoadBalancer), null())]", - "publicIPPrefix": "[if(and(contains(parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurationsVar')], 'publicIPPrefix'), not(empty(parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurationsVar')].publicIPPrefix))), createObject('id', parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurationsVar')].publicIPPrefix), null())]" - } - } - }, - { - "name": "loadBalancingRulesVar", - "count": "[length(parameters('loadBalancingRules'))]", - "input": { - "name": "[parameters('loadBalancingRules')[copyIndex('loadBalancingRulesVar')].name]", - "properties": { - "backendAddressPool": { - "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', parameters('name'), parameters('loadBalancingRules')[copyIndex('loadBalancingRulesVar')].backendAddressPoolName)]" - }, - "backendPort": "[parameters('loadBalancingRules')[copyIndex('loadBalancingRulesVar')].backendPort]", - "disableOutboundSnat": "[if(contains(parameters('loadBalancingRules')[copyIndex('loadBalancingRulesVar')], 'disableOutboundSnat'), parameters('loadBalancingRules')[copyIndex('loadBalancingRulesVar')].disableOutboundSnat, true())]", - "enableFloatingIP": 
"[if(contains(parameters('loadBalancingRules')[copyIndex('loadBalancingRulesVar')], 'enableFloatingIP'), parameters('loadBalancingRules')[copyIndex('loadBalancingRulesVar')].enableFloatingIP, false())]", - "enableTcpReset": "[if(contains(parameters('loadBalancingRules')[copyIndex('loadBalancingRulesVar')], 'enableTcpReset'), parameters('loadBalancingRules')[copyIndex('loadBalancingRulesVar')].enableTcpReset, false())]", - "frontendIPConfiguration": { - "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', parameters('name'), parameters('loadBalancingRules')[copyIndex('loadBalancingRulesVar')].frontendIPConfigurationName)]" - }, - "frontendPort": "[parameters('loadBalancingRules')[copyIndex('loadBalancingRulesVar')].frontendPort]", - "idleTimeoutInMinutes": "[if(contains(parameters('loadBalancingRules')[copyIndex('loadBalancingRulesVar')], 'idleTimeoutInMinutes'), parameters('loadBalancingRules')[copyIndex('loadBalancingRulesVar')].idleTimeoutInMinutes, 4)]", - "loadDistribution": "[if(contains(parameters('loadBalancingRules')[copyIndex('loadBalancingRulesVar')], 'loadDistribution'), parameters('loadBalancingRules')[copyIndex('loadBalancingRulesVar')].loadDistribution, 'Default')]", - "probe": { - "id": "[format('{0}/probes/{1}', resourceId('Microsoft.Network/loadBalancers', parameters('name')), parameters('loadBalancingRules')[copyIndex('loadBalancingRulesVar')].probeName)]" - }, - "protocol": "[if(contains(parameters('loadBalancingRules')[copyIndex('loadBalancingRulesVar')], 'protocol'), parameters('loadBalancingRules')[copyIndex('loadBalancingRulesVar')].protocol, 'Tcp')]" - } - } - }, - { - "name": "outboundRulesVar", - "count": "[length(parameters('outboundRules'))]", - "input": { - "name": "[parameters('outboundRules')[copyIndex('outboundRulesVar')].name]", - "properties": { - "frontendIPConfigurations": [ - { - "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', parameters('name'), 
parameters('outboundRules')[copyIndex('outboundRulesVar')].frontendIPConfigurationName)]" - } - ], - "backendAddressPool": { - "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', parameters('name'), parameters('outboundRules')[copyIndex('outboundRulesVar')].backendAddressPoolName)]" - }, - "protocol": "[if(contains(parameters('outboundRules')[copyIndex('outboundRulesVar')], 'protocol'), parameters('outboundRules')[copyIndex('outboundRulesVar')].protocol, 'All')]", - "allocatedOutboundPorts": "[if(contains(parameters('outboundRules')[copyIndex('outboundRulesVar')], 'allocatedOutboundPorts'), parameters('outboundRules')[copyIndex('outboundRulesVar')].allocatedOutboundPorts, 63984)]", - "enableTcpReset": "[if(contains(parameters('outboundRules')[copyIndex('outboundRulesVar')], 'enableTcpReset'), parameters('outboundRules')[copyIndex('outboundRulesVar')].enableTcpReset, true())]", - "idleTimeoutInMinutes": "[if(contains(parameters('outboundRules')[copyIndex('outboundRulesVar')], 'idleTimeoutInMinutes'), parameters('outboundRules')[copyIndex('outboundRulesVar')].idleTimeoutInMinutes, 4)]" - } - } - }, - { - "name": "probesVar", - "count": "[length(parameters('probes'))]", - "input": { - "name": "[parameters('probes')[copyIndex('probesVar')].name]", - "properties": { - "protocol": "[if(contains(parameters('probes')[copyIndex('probesVar')], 'protocol'), parameters('probes')[copyIndex('probesVar')].protocol, 'Tcp')]", - "requestPath": "[if(not(equals(toLower(parameters('probes')[copyIndex('probesVar')].protocol), 'tcp')), parameters('probes')[copyIndex('probesVar')].requestPath, null())]", - "port": "[if(contains(parameters('probes')[copyIndex('probesVar')], 'port'), parameters('probes')[copyIndex('probesVar')].port, 80)]", - "intervalInSeconds": "[if(contains(parameters('probes')[copyIndex('probesVar')], 'intervalInSeconds'), parameters('probes')[copyIndex('probesVar')].intervalInSeconds, 5)]", - "numberOfProbes": 
"[if(contains(parameters('probes')[copyIndex('probesVar')], 'numberOfProbes'), parameters('probes')[copyIndex('probesVar')].numberOfProbes, 2)]" - } - } - }, - { - "name": "backendAddressPoolNames", - "count": "[length(parameters('backendAddressPools'))]", - "input": { - "name": "[parameters('backendAddressPools')[copyIndex('backendAddressPoolNames')].name]" - } - } - ], - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "loadBalancer": { - "type": "Microsoft.Network/loadBalancers", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": 
{ - "name": "[parameters('skuName')]" - }, - "properties": { - "frontendIPConfigurations": "[variables('frontendIPConfigurationsVar')]", - "loadBalancingRules": "[variables('loadBalancingRulesVar')]", - "backendAddressPools": "[variables('backendAddressPoolNames')]", - "outboundRules": "[variables('outboundRulesVar')]", - "probes": "[variables('probesVar')]" - } - }, - "loadBalancer_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/loadBalancers/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "loadBalancer" - ] - }, - "loadBalancer_diagnosticSettings": { - "copy": { - "name": "loadBalancer_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Network/loadBalancers/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), 
createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "loadBalancer" - ] - }, - "loadBalancer_roleAssignments": { - "copy": { - "name": "loadBalancer_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/loadBalancers/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/loadBalancers', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "loadBalancer" - ] - }, - "loadBalancer_backendAddressPools": { - "copy": { - "name": "loadBalancer_backendAddressPools", - "count": "[length(parameters('backendAddressPools'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-loadBalancer-backendAddressPools-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "loadBalancerName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('backendAddressPools')[copyIndex()].name]" - }, - "tunnelInterfaces": "[if(and(contains(parameters('backendAddressPools')[copyIndex()], 'tunnelInterfaces'), not(empty(parameters('backendAddressPools')[copyIndex()].tunnelInterfaces))), createObject('value', parameters('backendAddressPools')[copyIndex()].tunnelInterfaces), createObject('value', createArray()))]", - "loadBalancerBackendAddresses": "[if(and(contains(parameters('backendAddressPools')[copyIndex()], 'loadBalancerBackendAddresses'), not(empty(parameters('backendAddressPools')[copyIndex()].loadBalancerBackendAddresses))), createObject('value', parameters('backendAddressPools')[copyIndex()].loadBalancerBackendAddresses), createObject('value', createArray()))]", - 
"drainPeriodInSeconds": "[if(contains(parameters('backendAddressPools')[copyIndex()], 'drainPeriodInSeconds'), createObject('value', parameters('backendAddressPools')[copyIndex()].drainPeriodInSeconds), createObject('value', 0))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11772165650732157187" - }, - "name": "Load Balancer Backend Address Pools", - "description": "This module deploys a Load Balancer Backend Address Pools.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "loadBalancerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent load balancer. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the backend address pool." - } - }, - "loadBalancerBackendAddresses": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An array of backend addresses." - } - }, - "tunnelInterfaces": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An array of gateway load balancer tunnel interfaces." - } - }, - "drainPeriodInSeconds": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. Amount of seconds Load Balancer waits for before sending RESET to client and backend address. if value is 0 then this property will be set to null. Subscription must register the feature Microsoft.Network/SLBAllowConnectionDraining before using this property." - } - }, - "syncMode": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Automatic", - "Manual" - ], - "metadata": { - "description": "Optional. 
Backend address synchronous mode for the backend pool." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/loadBalancers/backendAddressPools", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('loadBalancerName'), parameters('name'))]", - "properties": { - "loadBalancerBackendAddresses": "[parameters('loadBalancerBackendAddresses')]", - "tunnelInterfaces": "[parameters('tunnelInterfaces')]", - "drainPeriodInSeconds": "[if(not(equals(parameters('drainPeriodInSeconds'), 0)), parameters('drainPeriodInSeconds'), null())]", - "syncMode": "[if(not(empty(parameters('syncMode'))), parameters('syncMode'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the backend address pool." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the backend address pool." - }, - "value": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', parameters('loadBalancerName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the backend address pool was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "loadBalancer" - ] - }, - "loadBalancer_inboundNATRules": { - "copy": { - "name": "loadBalancer_inboundNATRules", - "count": "[length(parameters('inboundNatRules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-LoadBalancer-inboundNatRules-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "loadBalancerName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('inboundNatRules')[copyIndex()].name]" - }, - "frontendIPConfigurationName": { - "value": "[parameters('inboundNatRules')[copyIndex()].frontendIPConfigurationName]" - }, - "frontendPort": { - "value": "[parameters('inboundNatRules')[copyIndex()].frontendPort]" - }, - "backendPort": "[if(contains(parameters('inboundNatRules')[copyIndex()], 'backendPort'), createObject('value', parameters('inboundNatRules')[copyIndex()].backendPort), createObject('value', parameters('inboundNatRules')[copyIndex()].frontendPort))]", - "backendAddressPoolName": "[if(contains(parameters('inboundNatRules')[copyIndex()], 'backendAddressPoolName'), createObject('value', parameters('inboundNatRules')[copyIndex()].backendAddressPoolName), createObject('value', ''))]", - "enableFloatingIP": "[if(contains(parameters('inboundNatRules')[copyIndex()], 'enableFloatingIP'), createObject('value', parameters('inboundNatRules')[copyIndex()].enableFloatingIP), createObject('value', false()))]", - "enableTcpReset": "[if(contains(parameters('inboundNatRules')[copyIndex()], 'enableTcpReset'), createObject('value', parameters('inboundNatRules')[copyIndex()].enableTcpReset), createObject('value', false()))]", - "frontendPortRangeEnd": "[if(contains(parameters('inboundNatRules')[copyIndex()], 'frontendPortRangeEnd'), createObject('value', 
parameters('inboundNatRules')[copyIndex()].frontendPortRangeEnd), createObject('value', -1))]", - "frontendPortRangeStart": "[if(contains(parameters('inboundNatRules')[copyIndex()], 'frontendPortRangeStart'), createObject('value', parameters('inboundNatRules')[copyIndex()].frontendPortRangeStart), createObject('value', -1))]", - "idleTimeoutInMinutes": "[if(contains(parameters('inboundNatRules')[copyIndex()], 'idleTimeoutInMinutes'), createObject('value', parameters('inboundNatRules')[copyIndex()].idleTimeoutInMinutes), createObject('value', 4))]", - "protocol": "[if(contains(parameters('inboundNatRules')[copyIndex()], 'protocol'), createObject('value', parameters('inboundNatRules')[copyIndex()].protocol), createObject('value', 'Tcp'))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10843150655101094909" - }, - "name": "Load Balancer Inbound NAT Rules", - "description": "This module deploys a Load Balancer Inbound NAT Rules.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "loadBalancerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent load balancer. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the inbound NAT rule." - } - }, - "frontendPort": { - "type": "int", - "minValue": 1, - "maxValue": 65534, - "metadata": { - "description": "Required. The port for the external endpoint. Port numbers for each rule must be unique within the Load Balancer." 
- } - }, - "backendPort": { - "type": "int", - "defaultValue": "[parameters('frontendPort')]", - "minValue": 1, - "maxValue": 65535, - "metadata": { - "description": "Optional. The port used for the internal endpoint." - } - }, - "backendAddressPoolName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the backend address pool." - } - }, - "enableFloatingIP": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Configures a virtual machine's endpoint for the floating IP capability required to configure a SQL AlwaysOn Availability Group. This setting is required when using the SQL AlwaysOn Availability Groups in SQL server. This setting can't be changed after you create the endpoint." - } - }, - "enableTcpReset": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Receive bidirectional TCP Reset on TCP flow idle timeout or unexpected connection termination. This element is only used when the protocol is set to TCP." - } - }, - "frontendIPConfigurationName": { - "type": "string", - "metadata": { - "description": "Required. The name of the frontend IP address to set for the inbound NAT rule." - } - }, - "frontendPortRangeEnd": { - "type": "int", - "defaultValue": -1, - "minValue": -1, - "maxValue": 65534, - "metadata": { - "description": "Optional. The port range end for the external endpoint. This property is used together with BackendAddressPool and FrontendPortRangeStart. Individual inbound NAT rule port mappings will be created for each backend address from BackendAddressPool." - } - }, - "frontendPortRangeStart": { - "type": "int", - "defaultValue": -1, - "minValue": -1, - "maxValue": 65534, - "metadata": { - "description": "Optional. The port range start for the external endpoint. This property is used together with BackendAddressPool and FrontendPortRangeEnd. 
Individual inbound NAT rule port mappings will be created for each backend address from BackendAddressPool." - } - }, - "idleTimeoutInMinutes": { - "type": "int", - "defaultValue": 4, - "metadata": { - "description": "Optional. The timeout for the TCP idle connection. The value can be set between 4 and 30 minutes. The default value is 4 minutes. This element is only used when the protocol is set to TCP." - } - }, - "protocol": { - "type": "string", - "defaultValue": "Tcp", - "allowedValues": [ - "All", - "Tcp", - "Udp" - ], - "metadata": { - "description": "Optional. The transport protocol for the endpoint." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/loadBalancers/inboundNatRules", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('loadBalancerName'), parameters('name'))]", - "properties": { - "frontendPort": "[parameters('frontendPort')]", - "backendPort": "[parameters('backendPort')]", - "backendAddressPool": "[if(not(empty(parameters('backendAddressPoolName'))), createObject('id', format('{0}/backendAddressPools/{1}', resourceId('Microsoft.Network/loadBalancers', parameters('loadBalancerName')), parameters('backendAddressPoolName'))), null())]", - "enableFloatingIP": "[parameters('enableFloatingIP')]", - "enableTcpReset": "[parameters('enableTcpReset')]", - "frontendIPConfiguration": { - "id": 
"[format('{0}/frontendIPConfigurations/{1}', resourceId('Microsoft.Network/loadBalancers', parameters('loadBalancerName')), parameters('frontendIPConfigurationName'))]" - }, - "frontendPortRangeStart": "[if(not(equals(parameters('frontendPortRangeStart'), -1)), parameters('frontendPortRangeStart'), null())]", - "frontendPortRangeEnd": "[if(not(equals(parameters('frontendPortRangeEnd'), -1)), parameters('frontendPortRangeEnd'), null())]", - "idleTimeoutInMinutes": "[parameters('idleTimeoutInMinutes')]", - "protocol": "[parameters('protocol')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the inbound NAT rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the inbound NAT rule." - }, - "value": "[resourceId('Microsoft.Network/loadBalancers/inboundNatRules', parameters('loadBalancerName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the inbound NAT rule was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "loadBalancer", - "loadBalancer_backendAddressPools" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the load balancer." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the load balancer." - }, - "value": "[resourceId('Microsoft.Network/loadBalancers', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the load balancer was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "backendpools": { - "type": "array", - "metadata": { - "description": "The backend address pools available in the load balancer." 
- }, - "value": "[reference('loadBalancer').backendAddressPools]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('loadBalancer', '2023-04-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/load-balancer/tests/e2e/defaults/dependencies.bicep b/modules/network/load-balancer/tests/e2e/defaults/dependencies.bicep deleted file mode 100644 index 54ec47a195..0000000000 --- a/modules/network/load-balancer/tests/e2e/defaults/dependencies.bicep +++ /dev/null @@ -1,25 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Public IP to create.') -param publicIPName string - -resource publicIP 'Microsoft.Network/publicIPAddresses@2023-04-01' = { - name: publicIPName - location: location - sku: { - name: 'Standard' - tier: 'Regional' - } - properties: { - publicIPAllocationMethod: 'Static' - } - zones: [ - '1' - '2' - '3' - ] -} - -@description('The resource ID of the created Public IP.') -output publicIPResourceId string = publicIP.id diff --git a/modules/network/load-balancer/tests/e2e/defaults/main.test.bicep b/modules/network/load-balancer/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 412f7617c4..0000000000 --- a/modules/network/load-balancer/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,63 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.loadbalancers-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nlbmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- publicIPName: 'dep-${namePrefix}-pip-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
-
- frontendIPConfigurations: [
- {
- name: 'publicIPConfig1'
- publicIPAddressId: nestedDependencies.outputs.publicIPResourceId
- }
- ]
- }
-}
diff --git a/modules/network/load-balancer/tests/e2e/internal/dependencies.bicep b/modules/network/load-balancer/tests/e2e/internal/dependencies.bicep
deleted file mode 100644
index e5b8f3fe0a..0000000000
--- a/modules/network/load-balancer/tests/e2e/internal/dependencies.bicep
+++ /dev/null
@@ -1,41 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/load-balancer/tests/e2e/internal/main.test.bicep b/modules/network/load-balancer/tests/e2e/internal/main.test.bicep
deleted file mode 100644
index 26784c8eb8..0000000000
--- a/modules/network/load-balancer/tests/e2e/internal/main.test.bicep
+++ /dev/null
@@ -1,149 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.loadbalancers-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nlbint'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- frontendIPConfigurations: [
- {
- name: 'privateIPConfig1'
- subnetId: nestedDependencies.outputs.subnetResourceId
- }
- ]
- backendAddressPools: [
- {
- name: 'servers'
- }
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- inboundNatRules: [
- {
- backendPort: 443
- enableFloatingIP: false
- enableTcpReset: false
- frontendIPConfigurationName: 'privateIPConfig1'
- frontendPort: 443
- idleTimeoutInMinutes: 4
- name: 'inboundNatRule1'
- protocol: 'Tcp'
- }
- {
- backendPort: 3389
- frontendIPConfigurationName: 'privateIPConfig1'
- frontendPort: 3389
- name: 'inboundNatRule2'
- }
- ]
- skuName: 'Standard'
- loadBalancingRules: [
- {
- backendAddressPoolName: 'servers'
- backendPort: 0
- disableOutboundSnat: true
- enableFloatingIP: true
- enableTcpReset: false
- frontendIPConfigurationName: 'privateIPConfig1'
- frontendPort: 0
- idleTimeoutInMinutes: 4
- loadDistribution: 'Default'
- name: 'privateIPLBRule1'
- probeName: 'probe1'
- protocol: 'All'
- }
- ]
- probes: [
- {
- intervalInSeconds: 5
- name: 'probe1'
- numberOfProbes: 2
- port: '62000'
- protocol: 'Tcp'
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
diff --git a/modules/network/load-balancer/tests/e2e/max/dependencies.bicep b/modules/network/load-balancer/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index c54f364b82..0000000000
--- a/modules/network/load-balancer/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,36 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Public IP to create.')
-param publicIPName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource publicIP 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
- name: publicIPName
- location: location
- sku: {
- name: 'Standard'
- tier: 'Regional'
- }
- properties: {
- publicIPAllocationMethod: 'Static'
- }
- zones: [
- '1'
- '2'
- '3'
- ]
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Public IP.')
-output publicIPResourceId string = publicIP.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/load-balancer/tests/e2e/max/main.test.bicep b/modules/network/load-balancer/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 9d7f2ac2d5..0000000000
--- a/modules/network/load-balancer/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,181 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.loadbalancers-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nlbmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- publicIPName: 'dep-${namePrefix}-pip-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- frontendIPConfigurations: [
- {
- name: 'publicIPConfig1'
- publicIPAddressId: nestedDependencies.outputs.publicIPResourceId
- }
- ]
- backendAddressPools: [
- {
- name: 'backendAddressPool1'
- }
- {
- name: 'backendAddressPool2'
- }
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- inboundNatRules: [
- {
- backendPort: 443
- enableFloatingIP: false
- enableTcpReset: false
- frontendIPConfigurationName: 'publicIPConfig1'
- frontendPort: 443
- idleTimeoutInMinutes: 4
- name: 'inboundNatRule1'
- protocol: 'Tcp'
- }
- {
- backendPort: 3389
- frontendIPConfigurationName: 'publicIPConfig1'
- frontendPort: 3389
- name: 'inboundNatRule2'
- }
- ]
- loadBalancingRules: [
- {
- backendAddressPoolName: 'backendAddressPool1'
- backendPort: 80
- disableOutboundSnat: true
- enableFloatingIP: false
- enableTcpReset: false
- frontendIPConfigurationName: 'publicIPConfig1'
- frontendPort: 80
- idleTimeoutInMinutes: 5
- loadDistribution: 'Default'
- name: 'publicIPLBRule1'
- probeName: 'probe1'
- protocol: 'Tcp'
- }
- {
- backendAddressPoolName: 'backendAddressPool2'
- backendPort: 8080
- frontendIPConfigurationName: 'publicIPConfig1'
- frontendPort: 8080
- loadDistribution: 'Default'
- name: 'publicIPLBRule2'
- probeName: 'probe2'
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- outboundRules: [
- {
- allocatedOutboundPorts: 63984
- backendAddressPoolName: 'backendAddressPool1'
- frontendIPConfigurationName: 'publicIPConfig1'
- name: 'outboundRule1'
- }
- ]
- probes: [
- {
- intervalInSeconds: 10
- name: 'probe1'
- numberOfProbes: 5
- port: 80
- protocol: 'Tcp'
- }
- {
- name: 'probe2'
- port: 443
- protocol: 'Https'
- requestPath: '/'
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
diff --git a/modules/network/load-balancer/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/load-balancer/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index c54f364b82..0000000000
--- a/modules/network/load-balancer/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,36 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Public IP to create.')
-param publicIPName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource publicIP 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
- name: publicIPName
- location: location
- sku: {
- name: 'Standard'
- tier: 'Regional'
- }
- properties: {
- publicIPAllocationMethod: 'Static'
- }
- zones: [
- '1'
- '2'
- '3'
- ]
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Public IP.')
-output publicIPResourceId string = publicIP.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/load-balancer/tests/e2e/waf-aligned/main.test.bicep b/modules/network/load-balancer/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index f0a9319226..0000000000
--- a/modules/network/load-balancer/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,181 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.loadbalancers-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nlbwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- publicIPName: 'dep-${namePrefix}-pip-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- frontendIPConfigurations: [
- {
- name: 'publicIPConfig1'
- publicIPAddressId: nestedDependencies.outputs.publicIPResourceId
- }
- ]
- backendAddressPools: [
- {
- name: 'backendAddressPool1'
- }
- {
- name: 'backendAddressPool2'
- }
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- inboundNatRules: [
- {
- backendPort: 443
- enableFloatingIP: false
- enableTcpReset: false
- frontendIPConfigurationName: 'publicIPConfig1'
- frontendPort: 443
- idleTimeoutInMinutes: 4
- name: 'inboundNatRule1'
- protocol: 'Tcp'
- }
- {
- backendPort: 3389
- frontendIPConfigurationName: 'publicIPConfig1'
- frontendPort: 3389
- name: 'inboundNatRule2'
- }
- ]
- loadBalancingRules: [
- {
- backendAddressPoolName: 'backendAddressPool1'
- backendPort: 80
- disableOutboundSnat: true
- enableFloatingIP: false
- enableTcpReset: false
- frontendIPConfigurationName: 'publicIPConfig1'
- frontendPort: 80
- idleTimeoutInMinutes: 5
- loadDistribution: 'Default'
- name: 'publicIPLBRule1'
- probeName: 'probe1'
- protocol: 'Tcp'
- }
- {
- backendAddressPoolName: 'backendAddressPool2'
- backendPort: 8080
- frontendIPConfigurationName: 'publicIPConfig1'
- frontendPort: 8080
- loadDistribution: 'Default'
- name: 'publicIPLBRule2'
- probeName: 'probe2'
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- outboundRules: [
- {
- allocatedOutboundPorts: 63984
- backendAddressPoolName: 'backendAddressPool1'
- frontendIPConfigurationName: 'publicIPConfig1'
- name: 'outboundRule1'
- }
- ]
- probes: [
- {
- intervalInSeconds: 10
- name: 'probe1'
- numberOfProbes: 5
- port: 80
- protocol: 'Tcp'
- }
- {
- name: 'probe2'
- port: 443
- protocol: 'Https'
- requestPath: '/'
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
diff --git a/modules/network/load-balancer/version.json b/modules/network/load-balancer/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/network/load-balancer/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/local-network-gateway/MOVED-TO-AVM.md b/modules/network/local-network-gateway/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/network/local-network-gateway/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/network/local-network-gateway/README.md b/modules/network/local-network-gateway/README.md
index 0bd7452f8a..22235b4adf 100644
--- a/modules/network/local-network-gateway/README.md
+++ b/modules/network/local-network-gateway/README.md @@ -1,549 +1,7 @@ -# Local Network Gateways `[Microsoft.Network/localNetworkGateways]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/local-network-gateway](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/local-network-gateway).** -This module deploys a Local Network Gateway. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/local-network-gateway). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/localNetworkGateways` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/localNetworkGateways) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
- ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.local-network-gateway:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module localNetworkGateway 'br:bicep/modules/network.local-network-gateway:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nlngmin' - params: { - // Required parameters - localAddressPrefixes: [ - '192.168.1.0/24' - ] - localGatewayPublicIpAddress: '8.8.8.8' - name: 'nlngmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "localAddressPrefixes": { - "value": [ - "192.168.1.0/24" - ] - }, - "localGatewayPublicIpAddress": { - "value": "8.8.8.8" - }, - "name": { - "value": "nlngmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module localNetworkGateway 'br:bicep/modules/network.local-network-gateway:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nlngmax' - params: { - // Required parameters - localAddressPrefixes: [ - '192.168.1.0/24' - ] - localGatewayPublicIpAddress: '8.8.8.8' - name: 'nlngmax001' - // Non-required parameters - enableDefaultTelemetry: '' - localAsn: '65123' - localBgpPeeringAddress: '192.168.1.5' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "localAddressPrefixes": { - "value": [ - "192.168.1.0/24" - ] - }, - "localGatewayPublicIpAddress": { - "value": "8.8.8.8" - }, - "name": { - "value": "nlngmax001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "localAsn": { - "value": "65123" - }, - "localBgpPeeringAddress": { - "value": "192.168.1.5" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module localNetworkGateway 'br:bicep/modules/network.local-network-gateway:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nlngwaf' - params: { - // Required parameters - localAddressPrefixes: [ - '192.168.1.0/24' - ] - localGatewayPublicIpAddress: '8.8.8.8' - name: 'nlngwaf001' - // Non-required parameters - enableDefaultTelemetry: '' - localAsn: '65123' - localBgpPeeringAddress: '192.168.1.5' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "localAddressPrefixes": { - "value": [ - "192.168.1.0/24" - ] - }, - "localGatewayPublicIpAddress": { - "value": "8.8.8.8" - }, - "name": { - "value": "nlngwaf001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "localAsn": { - "value": "65123" - }, - "localBgpPeeringAddress": { - "value": "192.168.1.5" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`localAddressPrefixes`](#parameter-localaddressprefixes) | array | List of the local (on-premises) IP address ranges. | -| [`localGatewayPublicIpAddress`](#parameter-localgatewaypublicipaddress) | string | Public IP of the local gateway. | -| [`name`](#parameter-name) | string | Name of the Local Network Gateway. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`fqdn`](#parameter-fqdn) | string | FQDN of local network gateway. | -| [`localAsn`](#parameter-localasn) | string | The BGP speaker's ASN. Not providing this value will automatically disable BGP on this Local Network Gateway resource. | -| [`localBgpPeeringAddress`](#parameter-localbgppeeringaddress) | string | The BGP peering address and BGP identifier of this BGP speaker. Not providing this value will automatically disable BGP on this Local Network Gateway resource. | -| [`localPeerWeight`](#parameter-localpeerweight) | string | The weight added to routes learned from this BGP speaker. This will only take effect if both the localAsn and the localBgpPeeringAddress values are provided. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `localAddressPrefixes` - -List of the local (on-premises) IP address ranges. - -- Required: Yes -- Type: array - -### Parameter: `localGatewayPublicIpAddress` - -Public IP of the local gateway. - -- Required: Yes -- Type: string - -### Parameter: `name` - -Name of the Local Network Gateway. 
- -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `fqdn` - -FQDN of local network gateway. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `localAsn` - -The BGP speaker's ASN. Not providing this value will automatically disable BGP on this Local Network Gateway resource. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `localBgpPeeringAddress` - -The BGP peering address and BGP identifier of this BGP speaker. Not providing this value will automatically disable BGP on this Local Network Gateway resource. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `localPeerWeight` - -The weight added to routes learned from this BGP speaker. This will only take effect if both the localAsn and the localBgpPeeringAddress values are provided. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `roleAssignments` - -Array of role assignments to create. 
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
- -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the local network gateway. | -| `resourceGroupName` | string | The resource group the local network gateway was deployed into. | -| `resourceId` | string | The resource ID of the local network gateway. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/network/local-network-gateway/main.bicep b/modules/network/local-network-gateway/main.bicep deleted file mode 100644 index 0d7877dc43..0000000000 --- a/modules/network/local-network-gateway/main.bicep +++ /dev/null 
@@ -1,151 +0,0 @@
-metadata name = 'Local Network Gateways'
-metadata description = 'This module deploys a Local Network Gateway.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the Local Network Gateway.')
-@minLength(1)
-param name string
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Required. List of the local (on-premises) IP address ranges.')
-param localAddressPrefixes array
-
-@description('Required. Public IP of the local gateway.')
-param localGatewayPublicIpAddress string
-
-@description('Optional. The BGP speaker\'s ASN. Not providing this value will automatically disable BGP on this Local Network Gateway resource.')
-param localAsn string = ''
-
-@description('Optional. The BGP peering address and BGP identifier of this BGP speaker. Not providing this value will automatically disable BGP on this Local Network Gateway resource.')
-param localBgpPeeringAddress string = ''
-
-@description('Optional. The weight added to routes learned from this BGP speaker. This will only take effect if both the localAsn and the localBgpPeeringAddress values are provided.')
-param localPeerWeight string = ''
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. FQDN of local network gateway.')
-param fqdn string = ''
-
-var bgpSettings = {
- asn: localAsn
- bgpPeeringAddress: localBgpPeeringAddress
- peerWeight: !empty(localPeerWeight) ? localPeerWeight : '0'
-}
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource localNetworkGateway 'Microsoft.Network/localNetworkGateways@2023-04-01' = {
- name: name
- location: location
- tags: tags
- properties: {
- localNetworkAddressSpace: {
- addressPrefixes: localAddressPrefixes
- }
- fqdn: !empty(fqdn) ? fqdn : null
- gatewayIpAddress: localGatewayPublicIpAddress
- bgpSettings: !empty(localAsn) && !empty(localBgpPeeringAddress) ? bgpSettings : null
- }
-}
-
-resource localNetworkGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: localNetworkGateway
-}
-
-resource localNetworkGateway_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(localNetworkGateway.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: localNetworkGateway
-}]
-
-@description('The resource ID of the local network gateway.')
-output resourceId string = localNetworkGateway.id
-
-@description('The resource group the local network gateway was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the local network gateway.')
-output name string = localNetworkGateway.name
-
-@description('The location the resource was deployed into.')
-output location string = localNetworkGateway.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/network/local-network-gateway/main.json b/modules/network/local-network-gateway/main.json
deleted file mode 100644
index 5fc6a78848..0000000000
--- a/modules/network/local-network-gateway/main.json
+++ /dev/null
@@ -1,302 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15135056201876239825" - }, - "name": "Local Network Gateways", - "description": "This module deploys a Local Network Gateway.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "minLength": 1, - "metadata": { - "description": "Required. Name of the Local Network Gateway." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "localAddressPrefixes": { - "type": "array", - "metadata": { - "description": "Required. List of the local (on-premises) IP address ranges." - } - }, - "localGatewayPublicIpAddress": { - "type": "string", - "metadata": { - "description": "Required. Public IP of the local gateway." - } - }, - "localAsn": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The BGP speaker's ASN. Not providing this value will automatically disable BGP on this Local Network Gateway resource." - } - }, - "localBgpPeeringAddress": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The BGP peering address and BGP identifier of this BGP speaker. Not providing this value will automatically disable BGP on this Local Network Gateway resource." - } - }, - "localPeerWeight": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
The weight added to routes learned from this BGP speaker. This will only take effect if both the localAsn and the localBgpPeeringAddress values are provided." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "fqdn": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. FQDN of local network gateway." - } - } - }, - "variables": { - "bgpSettings": { - "asn": "[parameters('localAsn')]", - "bgpPeeringAddress": "[parameters('localBgpPeeringAddress')]", - "peerWeight": "[if(not(empty(parameters('localPeerWeight'))), parameters('localPeerWeight'), '0')]" - }, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "localNetworkGateway": { - "type": "Microsoft.Network/localNetworkGateways", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "localNetworkAddressSpace": { - "addressPrefixes": "[parameters('localAddressPrefixes')]" - }, - "fqdn": "[if(not(empty(parameters('fqdn'))), parameters('fqdn'), null())]", - "gatewayIpAddress": "[parameters('localGatewayPublicIpAddress')]", - "bgpSettings": "[if(and(not(empty(parameters('localAsn'))), not(empty(parameters('localBgpPeeringAddress')))), variables('bgpSettings'), null())]" - } - }, - "localNetworkGateway_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/localNetworkGateways/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "localNetworkGateway" - ] - }, - 
"localNetworkGateway_roleAssignments": { - "copy": { - "name": "localNetworkGateway_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/localNetworkGateways/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/localNetworkGateways', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 
'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "localNetworkGateway" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the local network gateway." - }, - "value": "[resourceId('Microsoft.Network/localNetworkGateways', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the local network gateway was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the local network gateway." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('localNetworkGateway', '2023-04-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/local-network-gateway/tests/e2e/defaults/main.test.bicep b/modules/network/local-network-gateway/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 1265fabb0d..0000000000 --- a/modules/network/local-network-gateway/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,53 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.localnetworkgateways-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nlngmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- localAddressPrefixes: [
- '192.168.1.0/24'
- ]
- localGatewayPublicIpAddress: '8.8.8.8'
- }
-}]
diff --git a/modules/network/local-network-gateway/tests/e2e/max/dependencies.bicep b/modules/network/local-network-gateway/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/network/local-network-gateway/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/local-network-gateway/tests/e2e/max/main.test.bicep b/modules/network/local-network-gateway/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 150660fecf..0000000000
--- a/modules/network/local-network-gateway/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,89 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-network.localnetworkgateways-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nlngmax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - localAddressPrefixes: [ - '192.168.1.0/24' - ] - localGatewayPublicIpAddress: '8.8.8.8' - localAsn: '65123' - localBgpPeeringAddress: 
'192.168.1.5' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/network/local-network-gateway/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/local-network-gateway/tests/e2e/waf-aligned/dependencies.bicep deleted file mode 100644 index a7f42aee7b..0000000000 --- a/modules/network/local-network-gateway/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null @@ -1,13 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep deleted file mode 100644 index a407b64c98..0000000000 --- a/modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep +++ /dev/null 
@@ -1,72 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-network.localnetworkgateways-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nlngwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - localAddressPrefixes: [ - '192.168.1.0/24' - ] - localGatewayPublicIpAddress: '8.8.8.8' - localAsn: '65123' - 
localBgpPeeringAddress: '192.168.1.5' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/network/local-network-gateway/version.json b/modules/network/local-network-gateway/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/network/local-network-gateway/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/nat-gateway/MOVED-TO-AVM.md b/modules/network/nat-gateway/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/network/nat-gateway/MOVED-TO-AVM.md +++ /dev/null @@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/network/nat-gateway/README.md b/modules/network/nat-gateway/README.md index 844f80ecc0..858a477160 100644 --- a/modules/network/nat-gateway/README.md +++ b/modules/network/nat-gateway/README.md @@ -1,737 +1,7 @@ -# NAT Gateways `[Microsoft.Network/natGateways]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: avm/res/network/nat-gateway](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/nat-gateway).** -This module deploys a NAT Gateway. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/nat-gateway). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/natGateways` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/natGateways) | -| `Microsoft.Network/publicIPAddresses` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/publicIPAddresses) | -| `Microsoft.Network/publicIPPrefixes` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/publicIPPrefixes) | - -## Usage examples - -The 
following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.nat-gateway:1.0.0`. - -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Combine a generated and provided Public IP Prefix](#example-2-combine-a-generated-and-provided-public-ip-prefix) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -
- -via Bicep module - -```bicep -module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nngmax' - params: { - // Required parameters - name: 'nngmax001' - // Non-required parameters - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - publicIPAddressObjects: [ - { - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - name: 'nngmax001-pip' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - skuTier: 'Regional' - zones: [ - '1' - '2' - '3' - ] - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nngmax001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "publicIPAddressObjects": { - "value": [ - { - "diagnosticSettings": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ], - "name": "nngmax001-pip", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "skuTier": "Regional", - "zones": [ - "1", - "2", - "3" - ] - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 2: _Combine a generated and provided Public IP Prefix_ - -This example shows how you can provide a Public IP Prefix to the module, while also generating one in the module. - - -

- -via Bicep module - -```bicep -module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nngcprx' - params: { - // Required parameters - name: 'nngcprx001' - // Non-required parameters - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - publicIPPrefixObjects: [ - { - name: 'nngcprx001-pippre' - prefixLength: 30 - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - 'hidden-title': 'CustomTag' - } - } - ] - publicIPPrefixResourceIds: [ - '' - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nngcprx001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "publicIPPrefixObjects": { - "value": [ - { - "name": "nngcprx001-pippre", - "prefixLength": 30, - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "tags": { - "hidden-title": "CustomTag" - } - } - ] - }, - "publicIPPrefixResourceIds": { - "value": [ - "" - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nngwaf' - params: { - // Required parameters - name: 'nngwaf001' - // Non-required parameters - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - publicIPAddressObjects: [ - { - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - name: 'nngwaf001-pip' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - skuTier: 'Regional' - zones: [ - '1' - '2' - '3' - ] - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nngwaf001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "publicIPAddressObjects": { - "value": [ - { - "diagnosticSettings": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ], - "name": "nngwaf001-pip", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "skuTier": "Regional", - "zones": [ - "1", - "2", - "3" - ] - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Azure Bastion resource. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`idleTimeoutInMinutes`](#parameter-idletimeoutinminutes) | int | The idle timeout of the NAT gateway. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`publicIPAddressObjects`](#parameter-publicipaddressobjects) | array | Specifies the properties of the Public IPs to create and be used by the NAT Gateway. | -| [`publicIPPrefixObjects`](#parameter-publicipprefixobjects) | array | Specifies the properties of the Public IP Prefixes to create and be used by the NAT Gateway. | -| [`publicIPPrefixResourceIds`](#parameter-publicipprefixresourceids) | array | Existing Public IP Prefixes resource IDs to use for the NAT Gateway. | -| [`publicIpResourceIds`](#parameter-publicipresourceids) | array | Existing Public IP Address resource IDs to use for the NAT Gateway. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`tags`](#parameter-tags) | object | Tags for the resource. | -| [`zones`](#parameter-zones) | array | A list of availability zones denoting the zone in which Nat Gateway should be deployed. | - -### Parameter: `name` - -Name of the Azure Bastion resource. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `idleTimeoutInMinutes` - -The idle timeout of the NAT gateway. 
- -- Required: No -- Type: int -- Default: `5` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `publicIPAddressObjects` - -Specifies the properties of the Public IPs to create and be used by the NAT Gateway. - -- Required: No -- Type: array - -### Parameter: `publicIPPrefixObjects` - -Specifies the properties of the Public IP Prefixes to create and be used by the NAT Gateway. - -- Required: No -- Type: array - -### Parameter: `publicIPPrefixResourceIds` - -Existing Public IP Prefixes resource IDs to use for the NAT Gateway. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `publicIpResourceIds` - -Existing Public IP Address resource IDs to use for the NAT Gateway. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Tags for the resource. - -- Required: No -- Type: object - -### Parameter: `zones` - -A list of availability zones denoting the zone in which Nat Gateway should be deployed. - -- Required: No -- Type: array -- Default: `[]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the NAT Gateway. | -| `resourceGroupName` | string | The resource group the NAT Gateway was deployed into. | -| `resourceId` | string | The resource ID of the NAT Gateway. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). 
- -| Reference | Type | -| :-- | :-- | -| `modules/network/public-ip-address` | Local reference | -| `modules/network/public-ip-prefix` | Local reference | +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/network/nat-gateway/main.bicep b/modules/network/nat-gateway/main.bicep deleted file mode 100644 index 8e958da2d7..0000000000 --- a/modules/network/nat-gateway/main.bicep +++ /dev/null 
@@ -1,236 +0,0 @@ -metadata name = 'NAT Gateways' -metadata description = 'This module deploys a NAT Gateway.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. Name of the Azure Bastion resource.') -param name string - -@description('Optional. The idle timeout of the NAT gateway.') -param idleTimeoutInMinutes int = 5 - -@description('Optional. Existing Public IP Address resource IDs to use for the NAT Gateway.') -param publicIpResourceIds array = [] - -@description('Optional. Existing Public IP Prefixes resource IDs to use for the NAT Gateway.') -param publicIPPrefixResourceIds array = [] - -@description('Optional. Specifies the properties of the Public IPs to create and be used by the NAT Gateway.') -param publicIPAddressObjects array? - -@description('Optional. Specifies the properties of the Public IP Prefixes to create and be used by the NAT Gateway.') -param publicIPPrefixObjects array? - -@description('Optional. A list of availability zones denoting the zone in which Nat Gateway should be deployed.') -param zones array = [] - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. Tags for the resource.') -param tags object? - -@description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var enableReferencedModulesTelemetry = false - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -module publicIPAddresses '../public-ip-address/main.bicep' = [for (publicIPAddressObject, index) in (publicIPAddressObjects ?? []): { - name: '${uniqueString(deployment().name, location)}-NatGw-PIP-${index}' - params: { - name: contains(publicIPAddressObject, 'name') ? publicIPAddressObject.name : '${name}-pip' - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: location - lock: publicIPAddressObject.?lock ?? lock - diagnosticSettings: publicIPAddressObject.?diagnosticSettings - publicIPAddressVersion: contains(publicIPAddressObject, 'publicIPAddressVersion') ? 
publicIPAddressObject.publicIPAddressVersion : 'IPv4'
- publicIPAllocationMethod: 'Static'
- publicIPPrefixResourceId: contains(publicIPAddressObject, 'publicIPPrefixResourceId') ? publicIPAddressObject.publicIPPrefixResourceId : ''
- roleAssignments: contains(publicIPAddressObject, 'roleAssignments') ? publicIPAddressObject.roleAssignments : []
- skuName: 'Standard'
- skuTier: contains(publicIPAddressObject, 'skuTier') ? publicIPAddressObject.skuTier : 'Regional'
- tags: publicIPAddressObject.?tags ?? tags
- zones: contains(publicIPAddressObject, 'zones') ? publicIPAddressObject.zones : []
- }
-}]
-
-module formattedPublicIpResourceIds 'modules/formatResourceId.bicep' = {
- name: 'formattedPublicIpResourceIds'
- params: {
- generatedResourceIds: [for (obj, index) in (publicIPAddressObjects ?? []): publicIPAddresses[index].outputs.resourceId]
- providedResourceIds: publicIpResourceIds
- }
-}
-
-module publicIPPrefixes '../public-ip-prefix/main.bicep' = [for (publicIPPrefixObject, index) in (publicIPPrefixObjects ?? []): {
- name: '${uniqueString(deployment().name, location)}-NatGw-Prefix-PIP-${index}'
- params: {
- name: contains(publicIPPrefixObject, 'name') ? publicIPPrefixObject.name : '${name}-pip'
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- location: location
- lock: publicIPPrefixObject.?lock ?? lock
- prefixLength: publicIPPrefixObject.prefixLength
- customIPPrefix: publicIPPrefixObject.?customIPPrefix
- roleAssignments: publicIPPrefixObject.?roleAssignments
- tags: publicIPPrefixObject.?tags ?? tags
- }
-}]
-module formattedPublicIpPrefixResourceIds 'modules/formatResourceId.bicep' = {
- name: 'formattedPublicIpPrefixResourceIds'
- params: {
- generatedResourceIds: [for (obj, index) in (publicIPPrefixObjects ?? []): publicIPPrefixes[index].outputs.resourceId]
- providedResourceIds: publicIPPrefixResourceIds
-
- }
-}
-
-// NAT GATEWAY
-// ===========
-resource natGateway 'Microsoft.Network/natGateways@2023-04-01' = {
- name: name
- location: location
- tags: tags
- sku: {
- name: 'Standard'
- }
- properties: {
- idleTimeoutInMinutes: idleTimeoutInMinutes
- publicIpPrefixes: formattedPublicIpPrefixResourceIds.outputs.formattedResourceIds
- publicIpAddresses: formattedPublicIpResourceIds.outputs.formattedResourceIds
- }
- zones: zones
-}
-
-resource natGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: natGateway
-}
-
-resource natGateway_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(natGateway.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: natGateway
-}]
-
-@description('The name of the NAT Gateway.')
-output name string = natGateway.name
-
-@description('The resource ID of the NAT Gateway.')
-output resourceId string = natGateway.id
-
-@description('The resource group the NAT Gateway was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = natGateway.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/network/nat-gateway/main.json b/modules/network/nat-gateway/main.json
deleted file mode 100644
index 5f0044c21c..0000000000
--- a/modules/network/nat-gateway/main.json
+++ /dev/null
@@ -1,1383 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4790906560512983645" - }, - "name": "NAT Gateways", - "description": "This module deploys a NAT Gateway.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." 
- } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." 
- } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Azure Bastion resource." - } - }, - "idleTimeoutInMinutes": { - "type": "int", - "defaultValue": 5, - "metadata": { - "description": "Optional. The idle timeout of the NAT gateway." - } - }, - "publicIpResourceIds": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Existing Public IP Address resource IDs to use for the NAT Gateway." - } - }, - "publicIPPrefixResourceIds": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Existing Public IP Prefixes resource IDs to use for the NAT Gateway." - } - }, - "publicIPAddressObjects": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Specifies the properties of the Public IPs to create and be used by the NAT Gateway." - } - }, - "publicIPPrefixObjects": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Specifies the properties of the Public IP Prefixes to create and be used by the NAT Gateway." - } - }, - "zones": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. A list of availability zones denoting the zone in which Nat Gateway should be deployed." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. 
Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags for the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "natGateway": { - "type": "Microsoft.Network/natGateways", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - 
"sku": { - "name": "Standard" - }, - "properties": { - "idleTimeoutInMinutes": "[parameters('idleTimeoutInMinutes')]", - "publicIpPrefixes": "[reference('formattedPublicIpPrefixResourceIds').outputs.formattedResourceIds.value]", - "publicIpAddresses": "[reference('formattedPublicIpResourceIds').outputs.formattedResourceIds.value]" - }, - "zones": "[parameters('zones')]", - "dependsOn": [ - "formattedPublicIpPrefixResourceIds", - "formattedPublicIpResourceIds" - ] - }, - "natGateway_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/natGateways/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "natGateway" - ] - }, - "natGateway_roleAssignments": { - "copy": { - "name": "natGateway_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/natGateways/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/natGateways', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), 
variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "natGateway" - ] - }, - "publicIPAddresses": { - "copy": { - "name": "publicIPAddresses", - "count": "[length(coalesce(parameters('publicIPAddressObjects'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-NatGw-PIP-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": "[if(contains(coalesce(parameters('publicIPAddressObjects'), 
createArray())[copyIndex()], 'name'), createObject('value', coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()].name), createObject('value', format('{0}-pip', parameters('name'))))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "diagnosticSettings": { - "value": "[tryGet(coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()], 'diagnosticSettings')]" - }, - "publicIPAddressVersion": "[if(contains(coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()], 'publicIPAddressVersion'), createObject('value', coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()].publicIPAddressVersion), createObject('value', 'IPv4'))]", - "publicIPAllocationMethod": { - "value": "Static" - }, - "publicIPPrefixResourceId": "[if(contains(coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()], 'publicIPPrefixResourceId'), createObject('value', coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()].publicIPPrefixResourceId), createObject('value', ''))]", - "roleAssignments": "[if(contains(coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()], 'roleAssignments'), createObject('value', coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "skuName": { - "value": "Standard" - }, - "skuTier": "[if(contains(coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()], 'skuTier'), createObject('value', coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()].skuTier), createObject('value', 'Regional'))]", - "tags": { - "value": 
"[coalesce(tryGet(coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "zones": "[if(contains(coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()], 'zones'), createObject('value', coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()].zones), createObject('value', createArray()))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15536304828480480757" - }, - "name": "Public IP Addresses", - "description": "This module deploys a Public IP Address.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." 
- } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." 
- } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Public IP Address." - } - }, - "publicIPPrefixResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix." - } - }, - "publicIPAllocationMethod": { - "type": "string", - "defaultValue": "Static", - "allowedValues": [ - "Dynamic", - "Static" - ], - "metadata": { - "description": "Optional. The public IP address allocation method." - } - }, - "skuName": { - "type": "string", - "defaultValue": "Standard", - "allowedValues": [ - "Basic", - "Standard" - ], - "metadata": { - "description": "Optional. Name of a public IP address SKU." - } - }, - "skuTier": { - "type": "string", - "defaultValue": "Regional", - "allowedValues": [ - "Global", - "Regional" - ], - "metadata": { - "description": "Optional. Tier of a public IP address SKU." - } - }, - "zones": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. A list of availability zones denoting the IP allocated for the resource needs to come from." - } - }, - "publicIPAddressVersion": { - "type": "string", - "defaultValue": "IPv4", - "allowedValues": [ - "IPv4", - "IPv6" - ], - "metadata": { - "description": "Optional. IP address version." 
- } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "domainNameLabel": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The domain name label. The concatenation of the domain name label and the regionalized DNS zone make up the fully qualified domain name associated with the public IP address. If a domain name label is specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system." - } - }, - "domainNameLabelScope": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "NoReuse", - "ResourceGroupReuse", - "SubscriptionReuse", - "TenantReuse" - ], - "metadata": { - "description": "Optional. The domain name label scope. If a domain name label and a domain name label scope are specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system with a hashed value includes in FQDN." - } - }, - "fqdn": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The Fully Qualified Domain Name of the A DNS record associated with the public IP. This is the concatenation of the domainNameLabel and the regionalized DNS zone." - } - }, - "reverseFqdn": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The reverse FQDN. A user-visible, fully qualified domain name that resolves to this public IP address. If the reverseFqdn is specified, then a PTR DNS record is created pointing from the IP address in the in-addr.arpa domain to the reverse FQDN." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." 
- } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - 
"apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "publicIpAddress": { - "type": "Microsoft.Network/publicIPAddresses", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "name": "[parameters('skuName')]", - "tier": "[parameters('skuTier')]" - }, - "zones": "[parameters('zones')]", - "properties": { - "dnsSettings": "[if(not(empty(parameters('domainNameLabel'))), createObject('domainNameLabel', parameters('domainNameLabel'), 'domainNameLabelScope', parameters('domainNameLabelScope'), 'fqdn', parameters('fqdn'), 'reverseFqdn', parameters('reverseFqdn')), null())]", - "publicIPAddressVersion": "[parameters('publicIPAddressVersion')]", - "publicIPAllocationMethod": "[parameters('publicIPAllocationMethod')]", - "publicIPPrefix": "[if(not(empty(parameters('publicIPPrefixResourceId'))), createObject('id', parameters('publicIPPrefixResourceId')), null())]", - "idleTimeoutInMinutes": 4, - "ipTags": [] - } - }, - "publicIpAddress_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify 
the resource or child resources.')]" - }, - "dependsOn": [ - "publicIpAddress" - ] - }, - "publicIpAddress_diagnosticSettings": { - "copy": { - "name": "publicIpAddress_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "publicIpAddress" - ] - }, - "publicIpAddress_roleAssignments": { - "copy": { - "name": 
"publicIpAddress_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "publicIpAddress" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the public IP address was deployed into." 
- }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the public IP address." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the public IP address." - }, - "value": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" - }, - "ipAddress": { - "type": "string", - "metadata": { - "description": "The public IP address of the public IP address resource." - }, - "value": "[if(contains(reference('publicIpAddress'), 'ipAddress'), reference('publicIpAddress').ipAddress, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('publicIpAddress', '2023-04-01', 'full').location]" - } - } - } - } - }, - "formattedPublicIpResourceIds": { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "formattedPublicIpResourceIds", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "generatedResourceIds": { - "copy": [ - { - "name": "value", - "count": "[length(coalesce(parameters('publicIPAddressObjects'), createArray()))]", - "input": "[reference(format('publicIPAddresses[{0}]', copyIndex('value'))).outputs.resourceId.value]" - } - ] - }, - "providedResourceIds": { - "value": "[parameters('publicIpResourceIds')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16528829671778949522" - } - }, - "parameters": { - "generatedResourceIds": { - "type": "array", - "defaultValue": [] - }, - "providedResourceIds": { - "type": "array", - "defaultValue": [] - } - }, - "resources": [], - "outputs": { - "formattedResourceIds": 
{ - "type": "array", - "copy": { - "count": "[length(concat(parameters('generatedResourceIds'), parameters('providedResourceIds')))]", - "input": { - "id": "[concat(parameters('generatedResourceIds'), parameters('providedResourceIds'))[copyIndex()]]" - } - } - } - } - } - }, - "dependsOn": [ - "publicIPAddresses" - ] - }, - "publicIPPrefixes": { - "copy": { - "name": "publicIPPrefixes", - "count": "[length(coalesce(parameters('publicIPPrefixObjects'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-NatGw-Prefix-PIP-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": "[if(contains(coalesce(parameters('publicIPPrefixObjects'), createArray())[copyIndex()], 'name'), createObject('value', coalesce(parameters('publicIPPrefixObjects'), createArray())[copyIndex()].name), createObject('value', format('{0}-pip', parameters('name'))))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('publicIPPrefixObjects'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "prefixLength": { - "value": "[coalesce(parameters('publicIPPrefixObjects'), createArray())[copyIndex()].prefixLength]" - }, - "customIPPrefix": { - "value": "[tryGet(coalesce(parameters('publicIPPrefixObjects'), createArray())[copyIndex()], 'customIPPrefix')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('publicIPPrefixObjects'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('publicIPPrefixObjects'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - } - }, - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11282022059497213596" - }, - "name": "Public IP Prefixes", - "description": "This module deploys a Public IP Prefix.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "minLength": 1, - "metadata": { - "description": "Required. Name of the Public IP Prefix." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "prefixLength": { - "type": "int", - "minValue": 28, - "maxValue": 31, - "metadata": { - "description": "Required. Length of the Public IP Prefix." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "customIPPrefix": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The customIpPrefix that this prefix is associated with. A custom IP address prefix is a contiguous range of IP addresses owned by an external customer and provisioned into a subscription. When a custom IP prefix is in Provisioned, Commissioning, or Commissioned state, a linked public IP prefix can be created. 
Either as a subset of the custom IP prefix range or the entire range." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "publicIpPrefix": { - "type": "Microsoft.Network/publicIPPrefixes", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "name": "Standard" - }, - "properties": { - "customIPPrefix": "[if(not(empty(parameters('customIPPrefix'))), 
parameters('customIPPrefix'), null())]", - "publicIPAddressVersion": "IPv4", - "prefixLength": "[parameters('prefixLength')]" - } - }, - "publicIpPrefix_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/publicIPPrefixes/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "publicIpPrefix" - ] - }, - "publicIpPrefix_roleAssignments": { - "copy": { - "name": "publicIpPrefix_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/publicIPPrefixes/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/publicIPPrefixes', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "publicIpPrefix" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the public IP prefix." - }, - "value": "[resourceId('Microsoft.Network/publicIPPrefixes', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the public IP prefix was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the public IP prefix." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." 
- }, - "value": "[reference('publicIpPrefix', '2023-04-01', 'full').location]" - } - } - } - } - }, - "formattedPublicIpPrefixResourceIds": { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "formattedPublicIpPrefixResourceIds", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "generatedResourceIds": { - "copy": [ - { - "name": "value", - "count": "[length(coalesce(parameters('publicIPPrefixObjects'), createArray()))]", - "input": "[reference(format('publicIPPrefixes[{0}]', copyIndex('value'))).outputs.resourceId.value]" - } - ] - }, - "providedResourceIds": { - "value": "[parameters('publicIPPrefixResourceIds')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16528829671778949522" - } - }, - "parameters": { - "generatedResourceIds": { - "type": "array", - "defaultValue": [] - }, - "providedResourceIds": { - "type": "array", - "defaultValue": [] - } - }, - "resources": [], - "outputs": { - "formattedResourceIds": { - "type": "array", - "copy": { - "count": "[length(concat(parameters('generatedResourceIds'), parameters('providedResourceIds')))]", - "input": { - "id": "[concat(parameters('generatedResourceIds'), parameters('providedResourceIds'))[copyIndex()]]" - } - } - } - } - } - }, - "dependsOn": [ - "publicIPPrefixes" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the NAT Gateway." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the NAT Gateway." 
- }, - "value": "[resourceId('Microsoft.Network/natGateways', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the NAT Gateway was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('natGateway', '2023-04-01', 'full').location]" - } - } -}
\ No newline at end of file
diff --git a/modules/network/nat-gateway/modules/formatResourceId.bicep b/modules/network/nat-gateway/modules/formatResourceId.bicep
deleted file mode 100644
index b4aa1ad772..0000000000
--- a/modules/network/nat-gateway/modules/formatResourceId.bicep
+++ /dev/null
@@ -1,6 +0,0 @@
-param generatedResourceIds array = []
-param providedResourceIds array = []
-
-output formattedResourceIds array = [for resourceId in concat(generatedResourceIds, providedResourceIds): {
- id: resourceId
-}]
diff --git a/modules/network/nat-gateway/tests/e2e/max/dependencies.bicep b/modules/network/nat-gateway/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/network/nat-gateway/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/nat-gateway/tests/e2e/max/main.test.bicep b/modules/network/nat-gateway/tests/e2e/max/main.test.bicep
deleted file mode 100644
index e6adb9a978..0000000000
--- a/modules/network/nat-gateway/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,129 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.natgateways-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nngmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- publicIPAddressObjects: [
- {
- name: '${namePrefix}${serviceShort}001-pip'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- skuTier: 'Regional'
- zones: [
- '1'
- '2'
- '3'
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/nat-gateway/tests/e2e/prefixCombined/dependencies.bicep b/modules/network/nat-gateway/tests/e2e/prefixCombined/dependencies.bicep
deleted file mode 100644
index d6562f9465..0000000000
--- a/modules/network/nat-gateway/tests/e2e/prefixCombined/dependencies.bicep
+++ /dev/null
@@ -1,30 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Public IP Prefix to create.')
-param publicIPPrefixName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource publicIpPrefix 'Microsoft.Network/publicIPPrefixes@2023-05-01' = {
- name: publicIPPrefixName
- location: location
- sku: {
- name: 'Standard'
- }
- properties: {
- prefixLength: 30
- }
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Public IP Prefix.')
-output publicIpPrefixResourceId string = publicIpPrefix.id
diff --git a/modules/network/nat-gateway/tests/e2e/prefixCombined/main.test.bicep b/modules/network/nat-gateway/tests/e2e/prefixCombined/main.test.bicep
deleted file mode 100644
index caceef126b..0000000000
--- a/modules/network/nat-gateway/tests/e2e/prefixCombined/main.test.bicep
+++ /dev/null
@@ -1,118 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Combine a generated and provided Public IP Prefix'
-metadata description = 'This example shows how you can provide a Public IP Prefix to the module, while also generating one in the module.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.natgateways-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nngcprx'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- publicIPPrefixName: 'dep-${namePrefix}-pippre-${serviceShort}'
- location: location
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- publicIPPrefixResourceIds: [
- nestedDependencies.outputs.publicIpPrefixResourceId
- ]
- publicIPPrefixObjects: [
- {
- name: '${namePrefix}${serviceShort}001-pippre'
- prefixLength: 30
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'CustomTag'
- }
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/nat-gateway/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/nat-gateway/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/network/nat-gateway/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null @@ -1,13 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep deleted file mode 100644 index 15c733767d..0000000000 --- a/modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep +++ /dev/null 
@@ -1,112 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.natgateways-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nngwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- publicIPAddressObjects: [
- {
- name: '${namePrefix}${serviceShort}001-pip'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- skuTier: 'Regional'
- zones: [
- '1'
- '2'
- '3'
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/nat-gateway/version.json b/modules/network/nat-gateway/version.json
deleted file mode 100644
index 04a0dd1a80..0000000000
--- a/modules/network/nat-gateway/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.5",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/network-interface/MOVED-TO-AVM.md b/modules/network/network-interface/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/network/network-interface/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/network/network-interface/README.md b/modules/network/network-interface/README.md
index 398da34fed..18ca0189f0 100644
--- a/modules/network/network-interface/README.md
+++ b/modules/network/network-interface/README.md
@@ -1,789 +1,7 @@
-# Network Interface `[Microsoft.Network/networkInterfaces]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/network-interface](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/network-interface).** -This module deploys a Network Interface. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/network-interface). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/networkInterfaces` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/networkInterfaces) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. 
- ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.network-interface:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module networkInterface 'br:bicep/modules/network.network-interface:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nnimin' - params: { - // Required parameters - ipConfigurations: [ - { - name: 'ipconfig01' - subnetResourceId: '' - } - ] - name: 'nnimin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "ipConfigurations": { - "value": [ - { - "name": "ipconfig01", - "subnetResourceId": "" - } - ] - }, - "name": { - "value": "nnimin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module networkInterface 'br:bicep/modules/network.network-interface:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nnimax' - params: { - // Required parameters - ipConfigurations: [ - { - applicationSecurityGroups: [ - { - id: '' - } - ] - loadBalancerBackendAddressPools: [ - { - id: '' - } - ] - name: 'ipconfig01' - subnetResourceId: '' - } - { - applicationSecurityGroups: [ - { - id: '' - } - ] - subnetResourceId: '' - } - ] - name: 'nnimax001' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "ipConfigurations": { - "value": [ - { - "applicationSecurityGroups": [ - { - "id": "" - } - ], - "loadBalancerBackendAddressPools": [ - { - "id": "" - } - ], - "name": "ipconfig01", - "subnetResourceId": "" - }, - { - "applicationSecurityGroups": [ - { - "id": "" - } - ], - "subnetResourceId": "" - } - ] - }, - "name": { - "value": "nnimax001" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module networkInterface 'br:bicep/modules/network.network-interface:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nniwaf' - params: { - // Required parameters - ipConfigurations: [ - { - applicationSecurityGroups: [ - { - id: '' - } - ] - loadBalancerBackendAddressPools: [ - { - id: '' - } - ] - name: 'ipconfig01' - subnetResourceId: '' - } - { - applicationSecurityGroups: [ - { - id: '' - } - ] - subnetResourceId: '' - } - ] - name: 'nniwaf001' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "ipConfigurations": { - "value": [ - { - "applicationSecurityGroups": [ - { - "id": "" - } - ], - "loadBalancerBackendAddressPools": [ - { - "id": "" - } - ], - "name": "ipconfig01", - "subnetResourceId": "" - }, - { - "applicationSecurityGroups": [ - { - "id": "" - } - ], - "subnetResourceId": "" - } - ] - }, - "name": { - "value": "nniwaf001" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`ipConfigurations`](#parameter-ipconfigurations) | array | A list of IPConfigurations of the network interface. | -| [`name`](#parameter-name) | string | The name of the network interface. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`auxiliaryMode`](#parameter-auxiliarymode) | string | Auxiliary mode of Network Interface resource. Not all regions are enabled for Auxiliary Mode Nic. | -| [`auxiliarySku`](#parameter-auxiliarysku) | string | Auxiliary sku of Network Interface resource. Not all regions are enabled for Auxiliary Mode Nic. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`disableTcpStateTracking`](#parameter-disabletcpstatetracking) | bool | Indicates whether to disable tcp state tracking. Subscription must be registered for the Microsoft.Network/AllowDisableTcpStateTracking feature before this property can be set to true. | -| [`dnsServers`](#parameter-dnsservers) | array | List of DNS servers IP addresses. Use 'AzureProvidedDNS' to switch to azure provided DNS resolution. 'AzureProvidedDNS' value cannot be combined with other IPs, it must be the only value in dnsServers collection. | -| [`enableAcceleratedNetworking`](#parameter-enableacceleratednetworking) | bool | If the network interface is accelerated networking enabled. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`enableIPForwarding`](#parameter-enableipforwarding) | bool | Indicates whether IP forwarding is enabled on this network interface. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. 
| -| [`networkSecurityGroupResourceId`](#parameter-networksecuritygroupresourceid) | string | The network security group (NSG) to attach to the network interface. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `ipConfigurations` - -A list of IPConfigurations of the network interface. - -- Required: Yes -- Type: array - -### Parameter: `name` - -The name of the network interface. - -- Required: Yes -- Type: string - -### Parameter: `auxiliaryMode` - -Auxiliary mode of Network Interface resource. Not all regions are enabled for Auxiliary Mode Nic. - -- Required: No -- Type: string -- Default: `'None'` -- Allowed: - ```Bicep - [ - 'Floating' - 'MaxConnections' - 'None' - ] - ``` - -### Parameter: `auxiliarySku` - -Auxiliary sku of Network Interface resource. Not all regions are enabled for Auxiliary Mode Nic. - -- Required: No -- Type: string -- Default: `'None'` -- Allowed: - ```Bicep - [ - 'A1' - 'A2' - 'A4' - 'A8' - 'None' - ] - ``` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
| -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
- -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `disableTcpStateTracking` - -Indicates whether to disable tcp state tracking. 
Subscription must be registered for the Microsoft.Network/AllowDisableTcpStateTracking feature before this property can be set to true. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `dnsServers` - -List of DNS servers IP addresses. Use 'AzureProvidedDNS' to switch to azure provided DNS resolution. 'AzureProvidedDNS' value cannot be combined with other IPs, it must be the only value in dnsServers collection. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `enableAcceleratedNetworking` - -If the network interface is accelerated networking enabled. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableIPForwarding` - -Indicates whether IP forwarding is enabled on this network interface. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `networkSecurityGroupResourceId` - -The network security group (NSG) to attach to the network interface. 
- -- Required: No -- Type: string -- Default: `''` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. 
- -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed resource. | -| `resourceGroupName` | string | The resource group of the deployed resource. | -| `resourceId` | string | The resource ID of the deployed resource. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). 
diff --git a/modules/network/network-interface/main.bicep b/modules/network/network-interface/main.bicep
deleted file mode 100644
index 069ad203c6..0000000000
--- a/modules/network/network-interface/main.bicep
+++ /dev/null
@@ -1,240 +0,0 @@ -metadata name = 'Network Interface' -metadata description = 'This module deploys a Network Interface.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. The name of the network interface.') -param name string - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. Tags of the resource.') -param tags object? - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. Indicates whether IP forwarding is enabled on this network interface.') -param enableIPForwarding bool = false - -@description('Optional. If the network interface is accelerated networking enabled.') -param enableAcceleratedNetworking bool = false - -@description('Optional. List of DNS servers IP addresses. Use \'AzureProvidedDNS\' to switch to azure provided DNS resolution. \'AzureProvidedDNS\' value cannot be combined with other IPs, it must be the only value in dnsServers collection.') -param dnsServers array = [] - -@description('Optional. The network security group (NSG) to attach to the network interface.') -param networkSecurityGroupResourceId string = '' - -@allowed([ - 'Floating' - 'MaxConnections' - 'None' -]) -@description('Optional. Auxiliary mode of Network Interface resource. Not all regions are enabled for Auxiliary Mode Nic.') -param auxiliaryMode string = 'None' - -@allowed([ - 'A1' - 'A2' - 'A4' - 'A8' - 'None' -]) -@description('Optional. Auxiliary sku of Network Interface resource. Not all regions are enabled for Auxiliary Mode Nic.') -param auxiliarySku string = 'None' - -@description('Optional. Indicates whether to disable tcp state tracking. Subscription must be registered for the Microsoft.Network/AllowDisableTcpStateTracking feature before this property can be set to true.') -param disableTcpStateTracking bool = false - -@description('Required. 
A list of IPConfigurations of the network interface.') -param ipConfigurations array - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments roleAssignmentType - -@description('Optional. The diagnostic settings of the service.') -param diagnosticSettings diagnosticSettingType - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 
'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource networkInterface 'Microsoft.Network/networkInterfaces@2023-04-01' = { - name: name - location: location - tags: tags - properties: { - auxiliaryMode: auxiliaryMode - auxiliarySku: auxiliarySku - disableTcpStateTracking: disableTcpStateTracking - dnsSettings: !empty(dnsServers) ? { - dnsServers: dnsServers - } : null - enableAcceleratedNetworking: enableAcceleratedNetworking - enableIPForwarding: enableIPForwarding - networkSecurityGroup: !empty(networkSecurityGroupResourceId) ? { - id: networkSecurityGroupResourceId - } : null - ipConfigurations: [for (ipConfiguration, index) in ipConfigurations: { - name: contains(ipConfiguration, 'name') ? ipConfiguration.name : 'ipconfig0${index + 1}' - properties: { - primary: index == 0 ? true : false - privateIPAllocationMethod: contains(ipConfiguration, 'privateIPAllocationMethod') ? (!empty(ipConfiguration.privateIPAllocationMethod) ? ipConfiguration.privateIPAllocationMethod : null) : null - privateIPAddress: contains(ipConfiguration, 'privateIPAddress') ? (!empty(ipConfiguration.privateIPAddress) ? ipConfiguration.privateIPAddress : null) : null - publicIPAddress: contains(ipConfiguration, 'publicIPAddressResourceId') ? (ipConfiguration.publicIPAddressResourceId != null ? { - id: ipConfiguration.publicIPAddressResourceId - } : null) : null - subnet: { - id: ipConfiguration.subnetResourceId - } - loadBalancerBackendAddressPools: contains(ipConfiguration, 'loadBalancerBackendAddressPools') ? ipConfiguration.loadBalancerBackendAddressPools : null - applicationSecurityGroups: contains(ipConfiguration, 'applicationSecurityGroups') ? ipConfiguration.applicationSecurityGroups : null - applicationGatewayBackendAddressPools: contains(ipConfiguration, 'applicationGatewayBackendAddressPools') ? 
ipConfiguration.applicationGatewayBackendAddressPools : null - gatewayLoadBalancer: contains(ipConfiguration, 'gatewayLoadBalancer') ? ipConfiguration.gatewayLoadBalancer : null - loadBalancerInboundNatRules: contains(ipConfiguration, 'loadBalancerInboundNatRules') ? ipConfiguration.loadBalancerInboundNatRules : null - privateIPAddressVersion: contains(ipConfiguration, 'privateIPAddressVersion') ? ipConfiguration.privateIPAddressVersion : null - virtualNetworkTaps: contains(ipConfiguration, 'virtualNetworkTaps') ? ipConfiguration.virtualNetworkTaps : null - } - }] - } -} - -resource networkInterface_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { - name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' - properties: { - storageAccountId: diagnosticSetting.?storageAccountResourceId - workspaceId: diagnosticSetting.?workspaceResourceId - eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId - eventHubName: diagnosticSetting.?eventHubName - metrics: diagnosticSetting.?metricCategories ?? [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - } - ] - marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId - logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType - } - scope: networkInterface -}] - -resource networkInterface_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' - } - scope: networkInterface -} - -resource networkInterface_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? 
[]): { - name: guid(networkInterface.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } -}] - -@description('The name of the deployed resource.') -output name string = networkInterface.name - -@description('The resource ID of the deployed resource.') -output resourceId string = networkInterface.id - -@description('The resource group of the deployed resource.') -output resourceGroupName string = resourceGroup().name - -@description('The location the resource was deployed into.') -output location string = networkInterface.location - -// =============== // -// Definitions // -// =============== // - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. 
The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? - -type diagnosticSettingType = { - @description('Optional. The name of diagnostic setting.') - name: string? - - @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') - metricCategories: { - @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') - category: string - }[]? - - @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? - - @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - workspaceResourceId: string? - - @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - storageAccountResourceId: string? - - @description('Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') - eventHubAuthorizationRuleResourceId: string? - - @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - eventHubName: string? - - @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') - marketplacePartnerResourceId: string? -}[]? diff --git a/modules/network/network-interface/main.json b/modules/network/network-interface/main.json deleted file mode 100644 index 03cd427c05..0000000000 --- a/modules/network/network-interface/main.json +++ /dev/null 
@@ -1,457 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2750011165297287068" - }, - "name": "Network Interface", - "description": "This module deploys a Network Interface.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." 
- } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the network interface." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - }, - "enableIPForwarding": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates whether IP forwarding is enabled on this network interface." - } - }, - "enableAcceleratedNetworking": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. If the network interface is accelerated networking enabled." - } - }, - "dnsServers": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of DNS servers IP addresses. Use 'AzureProvidedDNS' to switch to azure provided DNS resolution. 'AzureProvidedDNS' value cannot be combined with other IPs, it must be the only value in dnsServers collection." - } - }, - "networkSecurityGroupResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The network security group (NSG) to attach to the network interface." - } - }, - "auxiliaryMode": { - "type": "string", - "defaultValue": "None", - "allowedValues": [ - "Floating", - "MaxConnections", - "None" - ], - "metadata": { - "description": "Optional. Auxiliary mode of Network Interface resource. Not all regions are enabled for Auxiliary Mode Nic." - } - }, - "auxiliarySku": { - "type": "string", - "defaultValue": "None", - "allowedValues": [ - "A1", - "A2", - "A4", - "A8", - "None" - ], - "metadata": { - "description": "Optional. Auxiliary sku of Network Interface resource. Not all regions are enabled for Auxiliary Mode Nic." - } - }, - "disableTcpStateTracking": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates whether to disable tcp state tracking. Subscription must be registered for the Microsoft.Network/AllowDisableTcpStateTracking feature before this property can be set to true." - } - }, - "ipConfigurations": { - "type": "array", - "metadata": { - "description": "Required. A list of IPConfigurations of the network interface." 
- } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - 
"apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "networkInterface": { - "type": "Microsoft.Network/networkInterfaces", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "ipConfigurations", - "count": "[length(parameters('ipConfigurations'))]", - "input": { - "name": "[if(contains(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'name'), parameters('ipConfigurations')[copyIndex('ipConfigurations')].name, format('ipconfig0{0}', add(copyIndex('ipConfigurations'), 1)))]", - "properties": { - "primary": "[if(equals(copyIndex('ipConfigurations'), 0), true(), false())]", - "privateIPAllocationMethod": "[if(contains(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'privateIPAllocationMethod'), if(not(empty(parameters('ipConfigurations')[copyIndex('ipConfigurations')].privateIPAllocationMethod)), parameters('ipConfigurations')[copyIndex('ipConfigurations')].privateIPAllocationMethod, null()), null())]", - "privateIPAddress": "[if(contains(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'privateIPAddress'), if(not(empty(parameters('ipConfigurations')[copyIndex('ipConfigurations')].privateIPAddress)), parameters('ipConfigurations')[copyIndex('ipConfigurations')].privateIPAddress, null()), null())]", - "publicIPAddress": "[if(contains(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'publicIPAddressResourceId'), if(not(equals(parameters('ipConfigurations')[copyIndex('ipConfigurations')].publicIPAddressResourceId, null())), createObject('id', 
parameters('ipConfigurations')[copyIndex('ipConfigurations')].publicIPAddressResourceId), null()), null())]", - "subnet": { - "id": "[parameters('ipConfigurations')[copyIndex('ipConfigurations')].subnetResourceId]" - }, - "loadBalancerBackendAddressPools": "[if(contains(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'loadBalancerBackendAddressPools'), parameters('ipConfigurations')[copyIndex('ipConfigurations')].loadBalancerBackendAddressPools, null())]", - "applicationSecurityGroups": "[if(contains(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'applicationSecurityGroups'), parameters('ipConfigurations')[copyIndex('ipConfigurations')].applicationSecurityGroups, null())]", - "applicationGatewayBackendAddressPools": "[if(contains(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'applicationGatewayBackendAddressPools'), parameters('ipConfigurations')[copyIndex('ipConfigurations')].applicationGatewayBackendAddressPools, null())]", - "gatewayLoadBalancer": "[if(contains(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'gatewayLoadBalancer'), parameters('ipConfigurations')[copyIndex('ipConfigurations')].gatewayLoadBalancer, null())]", - "loadBalancerInboundNatRules": "[if(contains(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'loadBalancerInboundNatRules'), parameters('ipConfigurations')[copyIndex('ipConfigurations')].loadBalancerInboundNatRules, null())]", - "privateIPAddressVersion": "[if(contains(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'privateIPAddressVersion'), parameters('ipConfigurations')[copyIndex('ipConfigurations')].privateIPAddressVersion, null())]", - "virtualNetworkTaps": "[if(contains(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'virtualNetworkTaps'), parameters('ipConfigurations')[copyIndex('ipConfigurations')].virtualNetworkTaps, null())]" - } - } - } - ], - "auxiliaryMode": "[parameters('auxiliaryMode')]", - "auxiliarySku": 
"[parameters('auxiliarySku')]", - "disableTcpStateTracking": "[parameters('disableTcpStateTracking')]", - "dnsSettings": "[if(not(empty(parameters('dnsServers'))), createObject('dnsServers', parameters('dnsServers')), null())]", - "enableAcceleratedNetworking": "[parameters('enableAcceleratedNetworking')]", - "enableIPForwarding": "[parameters('enableIPForwarding')]", - "networkSecurityGroup": "[if(not(empty(parameters('networkSecurityGroupResourceId'))), createObject('id', parameters('networkSecurityGroupResourceId')), null())]" - } - }, - "networkInterface_diagnosticSettings": { - "copy": { - "name": "networkInterface_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Network/networkInterfaces/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - 
"logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "networkInterface" - ] - }, - "networkInterface_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/networkInterfaces/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "networkInterface" - ] - }, - "networkInterface_roleAssignments": { - "copy": { - "name": "networkInterface_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(resourceId('Microsoft.Network/networkInterfaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "networkInterface" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed resource." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed resource." - }, - "value": "[resourceId('Microsoft.Network/networkInterfaces', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed resource." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('networkInterface', '2023-04-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/network-interface/tests/e2e/defaults/dependencies.bicep b/modules/network/network-interface/tests/e2e/defaults/dependencies.bicep deleted file mode 100644 index 4a0984bd09..0000000000 --- a/modules/network/network-interface/tests/e2e/defaults/dependencies.bicep +++ /dev/null 
@@ -1,30 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
diff --git a/modules/network/network-interface/tests/e2e/defaults/main.test.bicep b/modules/network/network-interface/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index 00d24eea4b..0000000000
--- a/modules/network/network-interface/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,63 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.networkinterfaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nnimin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- ipConfigurations: [
- {
- name: 'ipconfig01'
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- }
- ]
- }
-}]
diff --git a/modules/network/network-interface/tests/e2e/max/dependencies.bicep b/modules/network/network-interface/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index b3a10d32f6..0000000000
--- a/modules/network/network-interface/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,113 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Application Security Group to create.')
-param applicationSecurityGroupName string
-
-@description('Required. The name of the Load Balancer Backend Address Pool to create.')
-param loadBalancerName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource applicationSecurityGroup 'Microsoft.Network/applicationSecurityGroups@2023-04-01' = {
- name: applicationSecurityGroupName
- location: location
-}
-
-resource loadBalancer 'Microsoft.Network/loadBalancers@2023-04-01' = {
- name: loadBalancerName
- location: location
- sku: {
- name: 'Standard'
- }
-
- properties: {
- frontendIPConfigurations: [
- {
- name: 'privateIPConfig1'
- properties: {
- subnet: {
- id: virtualNetwork.properties.subnets[0].id
- }
- }
- }
- ]
- }
-
- resource backendPool 'backendAddressPools@2022-01-01' = {
- name: 'default'
- }
-}
-
-resource inboundNatRule 'Microsoft.Network/loadBalancers/inboundNatRules@2023-04-01' = {
- name: 'inboundNatRule1'
- properties: {
- frontendPort: 443
- backendPort: 443
- enableFloatingIP: false
- enableTcpReset: false
- frontendIPConfiguration: {
- id: loadBalancer.properties.frontendIPConfigurations[0].id
- }
- idleTimeoutInMinutes: 4
- protocol: 'Tcp'
- }
- parent: loadBalancer
-}
-
-resource inboundNatRule2 'Microsoft.Network/loadBalancers/inboundNatRules@2023-04-01' = {
- name: 'inboundNatRule2'
- properties: {
- frontendPort: 3389
- backendPort: 3389
- frontendIPConfiguration: {
- id: loadBalancer.properties.frontendIPConfigurations[0].id
- }
- idleTimeoutInMinutes: 4
- protocol: 'Tcp'
- }
- parent: loadBalancer
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Application Security Group.')
-output applicationSecurityGroupResourceId string = applicationSecurityGroup.id
-
-@description('The resource ID of the created Load Balancer Backend Pool Name.')
-output loadBalancerBackendPoolResourceId string = loadBalancer::backendPool.id
diff --git a/modules/network/network-interface/tests/e2e/max/main.test.bicep b/modules/network/network-interface/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 02129671ef..0000000000
--- a/modules/network/network-interface/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,128 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.networkinterfaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nnimax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- applicationSecurityGroupName: 'dep-${namePrefix}-asg-${serviceShort}'
- loadBalancerName: 'dep-${namePrefix}-lb-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- ipConfigurations: [
- {
- applicationSecurityGroups: [
- {
- id: nestedDependencies.outputs.applicationSecurityGroupResourceId
- }
- ]
- loadBalancerBackendAddressPools: [
- {
- id: nestedDependencies.outputs.loadBalancerBackendPoolResourceId
- }
- ]
- name: 'ipconfig01'
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- }
- {
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- applicationSecurityGroups: [
- {
- id: nestedDependencies.outputs.applicationSecurityGroupResourceId
- }
- ]
- }
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/network-interface/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/network-interface/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index b3a10d32f6..0000000000
--- a/modules/network/network-interface/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,113 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Application Security Group to create.')
-param applicationSecurityGroupName string
-
-@description('Required. The name of the Load Balancer Backend Address Pool to create.')
-param loadBalancerName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource applicationSecurityGroup 'Microsoft.Network/applicationSecurityGroups@2023-04-01' = {
- name: applicationSecurityGroupName
- location: location
-}
-
-resource loadBalancer 'Microsoft.Network/loadBalancers@2023-04-01' = {
- name: loadBalancerName
- location: location
- sku: {
- name: 'Standard'
- }
-
- properties: {
- frontendIPConfigurations: [
- {
- name: 'privateIPConfig1'
- properties: {
- subnet: {
- id: virtualNetwork.properties.subnets[0].id
- }
- }
- }
- ]
- }
-
- resource backendPool 'backendAddressPools@2022-01-01' = {
- name: 'default'
- }
-}
-
-resource inboundNatRule 'Microsoft.Network/loadBalancers/inboundNatRules@2023-04-01' = {
- name: 'inboundNatRule1'
- properties: {
- frontendPort: 443
- backendPort: 443
- enableFloatingIP: false
- enableTcpReset: false
- frontendIPConfiguration: {
- id: loadBalancer.properties.frontendIPConfigurations[0].id
- }
- idleTimeoutInMinutes: 4
- protocol: 'Tcp'
- }
- parent: loadBalancer
-}
-
-resource inboundNatRule2 'Microsoft.Network/loadBalancers/inboundNatRules@2023-04-01' = {
- name: 'inboundNatRule2'
- properties: {
- frontendPort: 3389
- backendPort: 3389
- frontendIPConfiguration: {
- id: loadBalancer.properties.frontendIPConfigurations[0].id
- }
- idleTimeoutInMinutes: 4
- protocol: 'Tcp'
- }
- parent: loadBalancer
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Application Security Group.')
-output applicationSecurityGroupResourceId string = applicationSecurityGroup.id
-
-@description('The resource ID of the created Load Balancer Backend Pool Name.')
-output loadBalancerBackendPoolResourceId string = loadBalancer::backendPool.id
diff --git a/modules/network/network-interface/tests/e2e/waf-aligned/main.test.bicep b/modules/network/network-interface/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index fe4128d347..0000000000
--- a/modules/network/network-interface/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,128 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.networkinterfaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nniwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- applicationSecurityGroupName: 'dep-${namePrefix}-asg-${serviceShort}'
- loadBalancerName: 'dep-${namePrefix}-lb-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- ipConfigurations: [
- {
- applicationSecurityGroups: [
- {
- id: nestedDependencies.outputs.applicationSecurityGroupResourceId
- }
- ]
- loadBalancerBackendAddressPools: [
- {
- id: nestedDependencies.outputs.loadBalancerBackendPoolResourceId
- }
- ]
- name: 'ipconfig01'
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- }
- {
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- applicationSecurityGroups: [
- {
- id: nestedDependencies.outputs.applicationSecurityGroupResourceId
- }
- ]
- }
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/network-interface/version.json b/modules/network/network-interface/version.json
deleted file mode 100644
index 04a0dd1a80..0000000000
--- a/modules/network/network-interface/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.5",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/network-manager/MOVED-TO-AVM.md b/modules/network/network-manager/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/network/network-manager/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/network/network-manager/README.md b/modules/network/network-manager/README.md
index 319f8b63df..111728f220 100644
--- a/modules/network/network-manager/README.md
+++ b/modules/network/network-manager/README.md
@@ -1,1247 +1,7 @@
-# Network Managers `[Microsoft.Network/networkManagers]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/network-manager](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/network-manager).** -This module deploys a Network Manager. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/network-manager). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/networkManagers` | [2023-02-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-02-01/networkManagers) | -| `Microsoft.Network/networkManagers/connectivityConfigurations` | [2023-02-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-02-01/networkManagers/connectivityConfigurations) | -| `Microsoft.Network/networkManagers/networkGroups` | [2023-02-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-02-01/networkManagers/networkGroups) | -| `Microsoft.Network/networkManagers/networkGroups/staticMembers` | 
[2023-02-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-02-01/networkManagers/networkGroups/staticMembers) | -| `Microsoft.Network/networkManagers/scopeConnections` | [2023-02-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-02-01/networkManagers/scopeConnections) | -| `Microsoft.Network/networkManagers/securityAdminConfigurations` | [2023-02-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-02-01/networkManagers/securityAdminConfigurations) | -| `Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections` | [2023-02-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-02-01/networkManagers/securityAdminConfigurations/ruleCollections) | -| `Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules` | [2023-02-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-02-01/networkManagers/securityAdminConfigurations/ruleCollections/rules) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.network-manager:1.0.0`. - -- [Using large parameter set](#example-1-using-large-parameter-set) -- [WAF-aligned](#example-2-waf-aligned) - -### Example 1: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -
- -via Bicep module - -```bicep -module networkManager 'br:bicep/modules/network.network-manager:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nnmmax' - params: { - // Required parameters - name: '' - networkManagerScopeAccesses: [ - 'Connectivity' - 'SecurityAdmin' - ] - networkManagerScopes: { - subscriptions: [ - '' - ] - } - // Non-required parameters - connectivityConfigurations: [ - { - appliesToGroups: [ - { - groupConnectivity: 'None' - isGlobal: 'False' - networkGroupId: '' - useHubGateway: 'False' - } - ] - connectivityTopology: 'HubAndSpoke' - deleteExistingPeering: 'True' - description: 'hubSpokeConnectivity description' - hubs: [ - { - resourceId: '' - resourceType: 'Microsoft.Network/virtualNetworks' - } - ] - isGlobal: 'True' - name: 'hubSpokeConnectivity' - } - { - appliesToGroups: [ - { - groupConnectivity: 'None' - isGlobal: 'False' - networkGroupId: '' - useHubGateway: 'False' - } - ] - connectivityTopology: 'Mesh' - deleteExistingPeering: 'True' - description: 'MeshConnectivity description' - isGlobal: 'True' - name: 'MeshConnectivity' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - networkGroups: [ - { - description: 'network-group-spokes description' - name: 'network-group-spokes' - staticMembers: [ - { - name: 'virtualNetworkSpoke1' - resourceId: '' - } - { - name: 'virtualNetworkSpoke2' - resourceId: '' - } - ] - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - scopeConnections: [ - { - description: 'description of the scope connection' - name: 'scope-connection-test' - resourceId: '' - tenantid: '' - } - ] - securityAdminConfigurations: [ - { - 
applyOnNetworkIntentPolicyBasedServices: [ - 'AllowRulesOnly' - ] - description: 'description of the security admin config' - name: 'test-security-admin-config' - ruleCollections: [ - { - appliesToGroups: [ - { - networkGroupId: '' - } - ] - description: 'test-rule-collection-description' - name: 'test-rule-collection-1' - rules: [ - { - access: 'Allow' - description: 'test-inbound-allow-rule-1-description' - direction: 'Inbound' - name: 'test-inbound-allow-rule-1' - priority: 150 - protocol: 'Tcp' - } - { - access: 'Deny' - description: 'test-outbound-deny-rule-2-description' - direction: 'Outbound' - name: 'test-outbound-deny-rule-2' - priority: 200 - protocol: 'Tcp' - sourcePortRanges: [ - '442-445' - '80' - ] - sources: [ - { - addressPrefix: 'AppService.WestEurope' - addressPrefixType: 'ServiceTag' - } - ] - } - ] - } - { - appliesToGroups: [ - { - networkGroupId: '' - } - ] - description: 'test-rule-collection-description' - name: 'test-rule-collection-2' - rules: [ - { - access: 'Allow' - description: 'test-inbound-allow-rule-3-description' - destinationPortRanges: [ - '442-445' - '80' - ] - destinations: [ - { - addressPrefix: '192.168.20.20' - addressPrefixType: 'IPPrefix' - } - ] - direction: 'Inbound' - name: 'test-inbound-allow-rule-3' - priority: 250 - protocol: 'Tcp' - } - { - access: 'Allow' - description: 'test-inbound-allow-rule-4-description' - destinations: [ - { - addressPrefix: '172.16.0.0/24' - addressPrefixType: 'IPPrefix' - } - { - addressPrefix: '172.16.1.0/24' - addressPrefixType: 'IPPrefix' - } - ] - direction: 'Inbound' - name: 'test-inbound-allow-rule-4' - priority: 260 - protocol: 'Tcp' - sources: [ - { - addressPrefix: '10.0.0.0/24' - addressPrefixType: 'IPPrefix' - } - { - addressPrefix: '100.100.100.100' - addressPrefixType: 'IPPrefix' - } - ] - } - ] - } - ] - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "" - }, - "networkManagerScopeAccesses": { - "value": [ - "Connectivity", - "SecurityAdmin" - ] - }, - "networkManagerScopes": { - "value": { - "subscriptions": [ - "" - ] - } - }, - // Non-required parameters - "connectivityConfigurations": { - "value": [ - { - "appliesToGroups": [ - { - "groupConnectivity": "None", - "isGlobal": "False", - "networkGroupId": "", - "useHubGateway": "False" - } - ], - "connectivityTopology": "HubAndSpoke", - "deleteExistingPeering": "True", - "description": "hubSpokeConnectivity description", - "hubs": [ - { - "resourceId": "", - "resourceType": "Microsoft.Network/virtualNetworks" - } - ], - "isGlobal": "True", - "name": "hubSpokeConnectivity" - }, - { - "appliesToGroups": [ - { - "groupConnectivity": "None", - "isGlobal": "False", - "networkGroupId": "", - "useHubGateway": "False" - } - ], - "connectivityTopology": "Mesh", - "deleteExistingPeering": "True", - "description": "MeshConnectivity description", - "isGlobal": "True", - "name": "MeshConnectivity" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "networkGroups": { - "value": [ - { - "description": "network-group-spokes description", - "name": "network-group-spokes", - "staticMembers": [ - { - "name": "virtualNetworkSpoke1", - "resourceId": "" - }, - { - "name": "virtualNetworkSpoke2", - "resourceId": "" - } - ] - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": 
"ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "scopeConnections": { - "value": [ - { - "description": "description of the scope connection", - "name": "scope-connection-test", - "resourceId": "", - "tenantid": "" - } - ] - }, - "securityAdminConfigurations": { - "value": [ - { - "applyOnNetworkIntentPolicyBasedServices": [ - "AllowRulesOnly" - ], - "description": "description of the security admin config", - "name": "test-security-admin-config", - "ruleCollections": [ - { - "appliesToGroups": [ - { - "networkGroupId": "" - } - ], - "description": "test-rule-collection-description", - "name": "test-rule-collection-1", - "rules": [ - { - "access": "Allow", - "description": "test-inbound-allow-rule-1-description", - "direction": "Inbound", - "name": "test-inbound-allow-rule-1", - "priority": 150, - "protocol": "Tcp" - }, - { - "access": "Deny", - "description": "test-outbound-deny-rule-2-description", - "direction": "Outbound", - "name": "test-outbound-deny-rule-2", - "priority": 200, - "protocol": "Tcp", - "sourcePortRanges": [ - "442-445", - "80" - ], - "sources": [ - { - "addressPrefix": "AppService.WestEurope", - "addressPrefixType": "ServiceTag" - } - ] - } - ] - }, - { - "appliesToGroups": [ - { - "networkGroupId": "" - } - ], - "description": "test-rule-collection-description", - "name": "test-rule-collection-2", - "rules": [ - { - "access": "Allow", - "description": "test-inbound-allow-rule-3-description", - "destinationPortRanges": [ - "442-445", - "80" - ], - "destinations": [ - { - "addressPrefix": "192.168.20.20", - "addressPrefixType": "IPPrefix" - } - ], - "direction": "Inbound", - "name": "test-inbound-allow-rule-3", - "priority": 250, - "protocol": "Tcp" - }, - { - "access": "Allow", - "description": "test-inbound-allow-rule-4-description", - "destinations": [ - { - "addressPrefix": "172.16.0.0/24", - "addressPrefixType": "IPPrefix" - }, - { - "addressPrefix": "172.16.1.0/24", - "addressPrefixType": "IPPrefix" - } - ], - 
"direction": "Inbound", - "name": "test-inbound-allow-rule-4", - "priority": 260, - "protocol": "Tcp", - "sources": [ - { - "addressPrefix": "10.0.0.0/24", - "addressPrefixType": "IPPrefix" - }, - { - "addressPrefix": "100.100.100.100", - "addressPrefixType": "IPPrefix" - } - ] - } - ] - } - ] - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 2: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module networkManager 'br:bicep/modules/network.network-manager:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nnmwaf' - params: { - // Required parameters - name: '' - networkManagerScopeAccesses: [ - 'Connectivity' - 'SecurityAdmin' - ] - networkManagerScopes: { - subscriptions: [ - '' - ] - } - // Non-required parameters - connectivityConfigurations: [ - { - appliesToGroups: [ - { - groupConnectivity: 'None' - isGlobal: 'False' - networkGroupId: '' - useHubGateway: 'False' - } - ] - connectivityTopology: 'HubAndSpoke' - deleteExistingPeering: 'True' - description: 'hubSpokeConnectivity description' - hubs: [ - { - resourceId: '' - resourceType: 'Microsoft.Network/virtualNetworks' - } - ] - isGlobal: 'True' - name: 'hubSpokeConnectivity' - } - { - appliesToGroups: [ - { - groupConnectivity: 'None' - isGlobal: 'False' - networkGroupId: '' - useHubGateway: 'False' - } - ] - connectivityTopology: 'Mesh' - deleteExistingPeering: 'True' - description: 'MeshConnectivity description' - isGlobal: 'True' - name: 'MeshConnectivity' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - networkGroups: [ - { - description: 'network-group-spokes description' - name: 'network-group-spokes' - staticMembers: [ - { - name: 'virtualNetworkSpoke1' - resourceId: '' - } - { - name: 'virtualNetworkSpoke2' - resourceId: '' - } - ] - } - ] - scopeConnections: [ - { - description: 'description of the scope connection' - name: 'scope-connection-test' - resourceId: '' - tenantid: '' - } - ] - securityAdminConfigurations: [ - { - applyOnNetworkIntentPolicyBasedServices: [ - 'AllowRulesOnly' - ] - description: 'description of the security admin config' - name: 'test-security-admin-config' - ruleCollections: [ - { - appliesToGroups: [ - { - networkGroupId: '' - } - ] - description: 'test-rule-collection-description' - name: 'test-rule-collection-1' - rules: [ - { - access: 'Allow' - 
description: 'test-inbound-allow-rule-1-description' - direction: 'Inbound' - name: 'test-inbound-allow-rule-1' - priority: 150 - protocol: 'Tcp' - } - { - access: 'Deny' - description: 'test-outbound-deny-rule-2-description' - direction: 'Outbound' - name: 'test-outbound-deny-rule-2' - priority: 200 - protocol: 'Tcp' - sourcePortRanges: [ - '442-445' - '80' - ] - sources: [ - { - addressPrefix: 'AppService.WestEurope' - addressPrefixType: 'ServiceTag' - } - ] - } - ] - } - { - appliesToGroups: [ - { - networkGroupId: '' - } - ] - description: 'test-rule-collection-description' - name: 'test-rule-collection-2' - rules: [ - { - access: 'Allow' - description: 'test-inbound-allow-rule-3-description' - destinationPortRanges: [ - '442-445' - '80' - ] - destinations: [ - { - addressPrefix: '192.168.20.20' - addressPrefixType: 'IPPrefix' - } - ] - direction: 'Inbound' - name: 'test-inbound-allow-rule-3' - priority: 250 - protocol: 'Tcp' - } - { - access: 'Allow' - description: 'test-inbound-allow-rule-4-description' - destinations: [ - { - addressPrefix: '172.16.0.0/24' - addressPrefixType: 'IPPrefix' - } - { - addressPrefix: '172.16.1.0/24' - addressPrefixType: 'IPPrefix' - } - ] - direction: 'Inbound' - name: 'test-inbound-allow-rule-4' - priority: 260 - protocol: 'Tcp' - sources: [ - { - addressPrefix: '10.0.0.0/24' - addressPrefixType: 'IPPrefix' - } - { - addressPrefix: '100.100.100.100' - addressPrefixType: 'IPPrefix' - } - ] - } - ] - } - ] - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "" - }, - "networkManagerScopeAccesses": { - "value": [ - "Connectivity", - "SecurityAdmin" - ] - }, - "networkManagerScopes": { - "value": { - "subscriptions": [ - "" - ] - } - }, - // Non-required parameters - "connectivityConfigurations": { - "value": [ - { - "appliesToGroups": [ - { - "groupConnectivity": "None", - "isGlobal": "False", - "networkGroupId": "", - "useHubGateway": "False" - } - ], - "connectivityTopology": "HubAndSpoke", - "deleteExistingPeering": "True", - "description": "hubSpokeConnectivity description", - "hubs": [ - { - "resourceId": "", - "resourceType": "Microsoft.Network/virtualNetworks" - } - ], - "isGlobal": "True", - "name": "hubSpokeConnectivity" - }, - { - "appliesToGroups": [ - { - "groupConnectivity": "None", - "isGlobal": "False", - "networkGroupId": "", - "useHubGateway": "False" - } - ], - "connectivityTopology": "Mesh", - "deleteExistingPeering": "True", - "description": "MeshConnectivity description", - "isGlobal": "True", - "name": "MeshConnectivity" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "networkGroups": { - "value": [ - { - "description": "network-group-spokes description", - "name": "network-group-spokes", - "staticMembers": [ - { - "name": "virtualNetworkSpoke1", - "resourceId": "" - }, - { - "name": "virtualNetworkSpoke2", - "resourceId": "" - } - ] - } - ] - }, - "scopeConnections": { - "value": [ - { - "description": "description of the scope connection", - "name": "scope-connection-test", - "resourceId": "", - "tenantid": "" - } - ] - }, - "securityAdminConfigurations": { - "value": [ - { - "applyOnNetworkIntentPolicyBasedServices": [ - "AllowRulesOnly" - ], - "description": 
"description of the security admin config", - "name": "test-security-admin-config", - "ruleCollections": [ - { - "appliesToGroups": [ - { - "networkGroupId": "" - } - ], - "description": "test-rule-collection-description", - "name": "test-rule-collection-1", - "rules": [ - { - "access": "Allow", - "description": "test-inbound-allow-rule-1-description", - "direction": "Inbound", - "name": "test-inbound-allow-rule-1", - "priority": 150, - "protocol": "Tcp" - }, - { - "access": "Deny", - "description": "test-outbound-deny-rule-2-description", - "direction": "Outbound", - "name": "test-outbound-deny-rule-2", - "priority": 200, - "protocol": "Tcp", - "sourcePortRanges": [ - "442-445", - "80" - ], - "sources": [ - { - "addressPrefix": "AppService.WestEurope", - "addressPrefixType": "ServiceTag" - } - ] - } - ] - }, - { - "appliesToGroups": [ - { - "networkGroupId": "" - } - ], - "description": "test-rule-collection-description", - "name": "test-rule-collection-2", - "rules": [ - { - "access": "Allow", - "description": "test-inbound-allow-rule-3-description", - "destinationPortRanges": [ - "442-445", - "80" - ], - "destinations": [ - { - "addressPrefix": "192.168.20.20", - "addressPrefixType": "IPPrefix" - } - ], - "direction": "Inbound", - "name": "test-inbound-allow-rule-3", - "priority": 250, - "protocol": "Tcp" - }, - { - "access": "Allow", - "description": "test-inbound-allow-rule-4-description", - "destinations": [ - { - "addressPrefix": "172.16.0.0/24", - "addressPrefixType": "IPPrefix" - }, - { - "addressPrefix": "172.16.1.0/24", - "addressPrefixType": "IPPrefix" - } - ], - "direction": "Inbound", - "name": "test-inbound-allow-rule-4", - "priority": 260, - "protocol": "Tcp", - "sources": [ - { - "addressPrefix": "10.0.0.0/24", - "addressPrefixType": "IPPrefix" - }, - { - "addressPrefix": "100.100.100.100", - "addressPrefixType": "IPPrefix" - } - ] - } - ] - } - ] - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible 
in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Network Manager. | -| [`networkManagerScopeAccesses`](#parameter-networkmanagerscopeaccesses) | array | Scope Access. String array containing any of "Connectivity", "SecurityAdmin". The connectivity feature allows you to create network topologies at scale. The security admin feature lets you create high-priority security rules, which take precedence over NSGs. | -| [`networkManagerScopes`](#parameter-networkmanagerscopes) | object | Scope of Network Manager. Contains a list of management groups or a list of subscriptions. This defines the boundary of network resources that this Network Manager instance can manage. If using Management Groups, ensure that the "Microsoft.Network" resource provider is registered for those Management Groups prior to deployment. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`networkGroups`](#parameter-networkgroups) | array | Network Groups and static members to create for the network manager. Required if using "connectivityConfigurations" or "securityAdminConfigurations" parameters. A network group is global container that includes a set of virtual network resources from any region. Then, configurations are applied to target the network group, which applies the configuration to all members of the group. The two types are group memberships are static and dynamic memberships. Static membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks, and is available as a child module, while dynamic membership is defined through Azure policy. See [How Azure Policy works with Network Groups](https://learn.microsoft.com/en-us/azure/virtual-network-manager/concept-azure-policy-integration) for more details. 
| - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`connectivityConfigurations`](#parameter-connectivityconfigurations) | array | Connectivity Configurations to create for the network manager. Network manager must contain at least one network group in order to define connectivity configurations. | -| [`description`](#parameter-description) | string | A description of the network manager. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`scopeConnections`](#parameter-scopeconnections) | array | Scope Connections to create for the network manager. Allows network manager to manage resources from another tenant. Supports management groups or subscriptions from another tenant. | -| [`securityAdminConfigurations`](#parameter-securityadminconfigurations) | array | Security Admin Configurations, Rule Collections and Rules to create for the network manager. Azure Virtual Network Manager provides two different types of configurations you can deploy across your virtual networks, one of them being a SecurityAdmin configuration. A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. 
You then associate the rule collection with the network groups that you want to apply the security admin rules to. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `name` - -Name of the Network Manager. - -- Required: Yes -- Type: string - -### Parameter: `networkManagerScopeAccesses` - -Scope Access. String array containing any of "Connectivity", "SecurityAdmin". The connectivity feature allows you to create network topologies at scale. The security admin feature lets you create high-priority security rules, which take precedence over NSGs. - -- Required: Yes -- Type: array - -### Parameter: `networkManagerScopes` - -Scope of Network Manager. Contains a list of management groups or a list of subscriptions. This defines the boundary of network resources that this Network Manager instance can manage. If using Management Groups, ensure that the "Microsoft.Network" resource provider is registered for those Management Groups prior to deployment. - -- Required: Yes -- Type: object - -### Parameter: `networkGroups` - -Network Groups and static members to create for the network manager. Required if using "connectivityConfigurations" or "securityAdminConfigurations" parameters. A network group is global container that includes a set of virtual network resources from any region. Then, configurations are applied to target the network group, which applies the configuration to all members of the group. The two types are group memberships are static and dynamic memberships. Static membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks, and is available as a child module, while dynamic membership is defined through Azure policy. See [How Azure Policy works with Network Groups](https://learn.microsoft.com/en-us/azure/virtual-network-manager/concept-azure-policy-integration) for more details. 
- -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `connectivityConfigurations` - -Connectivity Configurations to create for the network manager. Network manager must contain at least one network group in order to define connectivity configurations. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `description` - -A description of the network manager. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `scopeConnections` - -Scope Connections to create for the network manager. Allows network manager to manage resources from another tenant. Supports management groups or subscriptions from another tenant. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `securityAdminConfigurations` - -Security Admin Configurations, Rule Collections and Rules to create for the network manager. Azure Virtual Network Manager provides two different types of configurations you can deploy across your virtual networks, one of them being a SecurityAdmin configuration. A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. You then associate the rule collection with the network groups that you want to apply the security admin rules to. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. 
| -| `name` | string | The name of the network manager. | -| `resourceGroupName` | string | The resource group the network manager was deployed into. | -| `resourceId` | string | The resource ID of the network manager. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Considerations - -In order to deploy a Network Manager with the `networkManagerScopes` property set to `managementGroups`, you need to register the `Microsoft.Network` resource provider at the Management Group first ([ref](https://learn.microsoft.com/en-us/rest/api/resources/providers/register-at-management-group-scope)). - -### Parameter Usage: `networkManagerScopes` - -Contains a list of management groups or a list of subscriptions. This defines the boundary of network resources that this virtual network manager instance can manage. - -**Note**: You can't create multiple Azure Virtual Network Manager instances with an overlapping scope of the same hierarchy and the same features selected. - -

- -Parameter JSON format - -```json -"networkManagerScopes": { - "value": { - "subscriptions": [ - "/subscriptions/" - ], - "managementGroups": [ - "/providers/Microsoft.Management/managementGroups/" - ] - } -} -``` - -
- -
- -Bicep format - -```bicep -networkManagerScopes: { - subscriptions: [ - '/subscriptions/' - ] - managementGroups: [ - '/providers/Microsoft.Management/managementGroups/[[managementGroupId]]' - ] -} -``` - -
-

+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/network/network-manager/connectivity-configuration/README.md b/modules/network/network-manager/connectivity-configuration/README.md
deleted file mode 100644
index 6168ea4e7f..0000000000
--- a/modules/network/network-manager/connectivity-configuration/README.md
+++ /dev/null
@@ -1,146 +0,0 @@
-# Network Manager Connectivity Configurations `[Microsoft.Network/networkManagers/connectivityConfigurations]`
-
-This module deploys a Network Manager Connectivity Configuration.
-Connectivity configurations define hub-and-spoke or mesh topologies applied to one or more network groups.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Network/networkManagers/connectivityConfigurations` | [2023-02-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-02-01/networkManagers/connectivityConfigurations) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`appliesToGroups`](#parameter-appliestogroups) | array | Network Groups for the configuration. |
-| [`connectivityTopology`](#parameter-connectivitytopology) | string | Connectivity topology type. |
-| [`name`](#parameter-name) | string | The name of the connectivity configuration. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`hubs`](#parameter-hubs) | array | List of hub items. This will create peerings between the specified hub and the virtual networks in the network group specified. Required if connectivityTopology is of type "HubAndSpoke". |
-| [`networkManagerName`](#parameter-networkmanagername) | string | The name of the parent network manager. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`deleteExistingPeering`](#parameter-deleteexistingpeering) | string | Flag if need to remove current existing peerings. If set to "True", all peerings on virtual networks in selected network groups will be removed and replaced with the peerings defined by this configuration. Optional when connectivityTopology is of type "HubAndSpoke". |
-| [`description`](#parameter-description) | string | A description of the connectivity configuration. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`isGlobal`](#parameter-isglobal) | string | Flag if global mesh is supported. By default, mesh connectivity is applied to virtual networks within the same region. If set to "True", a global mesh enables connectivity across regions. |
-
-### Parameter: `appliesToGroups`
-
-Network Groups for the configuration.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `connectivityTopology`
-
-Connectivity topology type.
-
-- Required: Yes
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'HubAndSpoke'
- 'Mesh'
- ]
- ```
-
-### Parameter: `name`
-
-The name of the connectivity configuration.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `hubs`
-
-List of hub items. This will create peerings between the specified hub and the virtual networks in the network group specified. Required if connectivityTopology is of type "HubAndSpoke".
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `networkManagerName`
-
-The name of the parent network manager. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `deleteExistingPeering`
-
-Flag if need to remove current existing peerings. If set to "True", all peerings on virtual networks in selected network groups will be removed and replaced with the peerings defined by this configuration. Optional when connectivityTopology is of type "HubAndSpoke".
-
-- Required: No
-- Type: string
-- Default: `'False'`
-- Allowed:
- ```Bicep
- [
- 'False'
- 'True'
- ]
- ```
-
-### Parameter: `description`
-
-A description of the connectivity configuration.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `isGlobal`
-
-Flag if global mesh is supported. By default, mesh connectivity is applied to virtual networks within the same region. If set to "True", a global mesh enables connectivity across regions.
-
-- Required: No
-- Type: string
-- Default: `'False'`
-- Allowed:
- ```Bicep
- [
- 'False'
- 'True'
- ]
- ```
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed connectivity configuration. |
-| `resourceGroupName` | string | The resource group the connectivity configuration was deployed into. |
-| `resourceId` | string | The resource ID of the deployed connectivity configuration. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/network/network-manager/connectivity-configuration/main.bicep b/modules/network/network-manager/connectivity-configuration/main.bicep
deleted file mode 100644
index 4df5a1d1e9..0000000000
--- a/modules/network/network-manager/connectivity-configuration/main.bicep
+++ /dev/null
@@ -1,83 +0,0 @@
-metadata name = 'Network Manager Connectivity Configurations'
-metadata description = '''This module deploys a Network Manager Connectivity Configuration.
-Connectivity configurations define hub-and-spoke or mesh topologies applied to one or more network groups.'''
-metadata owner = 'Azure/module-maintainers'
-
-@sys.description('Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment.')
-param networkManagerName string
-
-@maxLength(64)
-@sys.description('Required. The name of the connectivity configuration.')
-param name string
-
-@maxLength(500)
-@sys.description('Optional. A description of the connectivity configuration.')
-param description string = ''
-
-@sys.description('Required. Network Groups for the configuration.')
-param appliesToGroups array = []
-
-@allowed([
- 'HubAndSpoke'
- 'Mesh'
-])
-@sys.description('Required. Connectivity topology type.')
-param connectivityTopology string
-
-@sys.description('Conditional. List of hub items. This will create peerings between the specified hub and the virtual networks in the network group specified. Required if connectivityTopology is of type "HubAndSpoke".')
-param hubs array = []
-
-@allowed([
- 'True'
- 'False'
-])
-@sys.description('Optional. Flag if need to remove current existing peerings. If set to "True", all peerings on virtual networks in selected network groups will be removed and replaced with the peerings defined by this configuration. Optional when connectivityTopology is of type "HubAndSpoke".')
-param deleteExistingPeering string = 'False'
-
-@allowed([
- 'True'
- 'False'
-])
-@sys.description('Optional. Flag if global mesh is supported. By default, mesh connectivity is applied to virtual networks within the same region. If set to "True", a global mesh enables connectivity across regions.')
-param isGlobal string = 'False'
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource networkManager 'Microsoft.Network/networkManagers@2023-02-01' existing = {
- name: networkManagerName
-}
-
-resource connectivityConfiguration 'Microsoft.Network/networkManagers/connectivityConfigurations@2023-02-01' = {
- name: name
- parent: networkManager
- properties: {
- appliesToGroups: appliesToGroups
- connectivityTopology: connectivityTopology
- deleteExistingPeering: connectivityTopology == 'HubAndSpoke' ? deleteExistingPeering : 'False'
- description: description
- hubs: connectivityTopology == 'HubAndSpoke' ? hubs : []
- isGlobal: isGlobal
- }
-}
-
-@sys.description('The name of the deployed connectivity configuration.')
-output name string = connectivityConfiguration.name
-
-@sys.description('The resource ID of the deployed connectivity configuration.')
-output resourceId string = connectivityConfiguration.id
-
-@sys.description('The resource group the connectivity configuration was deployed into.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/network/network-manager/connectivity-configuration/main.json b/modules/network/network-manager/connectivity-configuration/main.json
deleted file mode 100644
index 3674663934..0000000000
--- a/modules/network/network-manager/connectivity-configuration/main.json
+++ /dev/null
@@ -1,142 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "2318326690435131857" - }, - "name": "Network Manager Connectivity Configurations", - "description": "This module deploys a Network Manager Connectivity Configuration.\r\nConnectivity configurations define hub-and-spoke or mesh topologies applied to one or more network groups.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "networkManagerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. The name of the connectivity configuration." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "maxLength": 500, - "metadata": { - "description": "Optional. A description of the connectivity configuration." - } - }, - "appliesToGroups": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Required. Network Groups for the configuration." - } - }, - "connectivityTopology": { - "type": "string", - "allowedValues": [ - "HubAndSpoke", - "Mesh" - ], - "metadata": { - "description": "Required. Connectivity topology type." - } - }, - "hubs": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Conditional. List of hub items. This will create peerings between the specified hub and the virtual networks in the network group specified. Required if connectivityTopology is of type \"HubAndSpoke\"." - } - }, - "deleteExistingPeering": { - "type": "string", - "defaultValue": "False", - "allowedValues": [ - "True", - "False" - ], - "metadata": { - "description": "Optional. Flag if need to remove current existing peerings. 
If set to \"True\", all peerings on virtual networks in selected network groups will be removed and replaced with the peerings defined by this configuration. Optional when connectivityTopology is of type \"HubAndSpoke\"." - } - }, - "isGlobal": { - "type": "string", - "defaultValue": "False", - "allowedValues": [ - "True", - "False" - ], - "metadata": { - "description": "Optional. Flag if global mesh is supported. By default, mesh connectivity is applied to virtual networks within the same region. If set to \"True\", a global mesh enables connectivity across regions." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/networkManagers/connectivityConfigurations", - "apiVersion": "2023-02-01", - "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('name'))]", - "properties": { - "appliesToGroups": "[parameters('appliesToGroups')]", - "connectivityTopology": "[parameters('connectivityTopology')]", - "deleteExistingPeering": "[if(equals(parameters('connectivityTopology'), 'HubAndSpoke'), parameters('deleteExistingPeering'), 'False')]", - "description": "[parameters('description')]", - "hubs": "[if(equals(parameters('connectivityTopology'), 'HubAndSpoke'), parameters('hubs'), createArray())]", - "isGlobal": "[parameters('isGlobal')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - 
"description": "The name of the deployed connectivity configuration." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed connectivity configuration." - }, - "value": "[resourceId('Microsoft.Network/networkManagers/connectivityConfigurations', parameters('networkManagerName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the connectivity configuration was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -}
\ No newline at end of file
diff --git a/modules/network/network-manager/connectivity-configuration/version.json b/modules/network/network-manager/connectivity-configuration/version.json
deleted file mode 100644
index 04a0dd1a80..0000000000
--- a/modules/network/network-manager/connectivity-configuration/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.5",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/network-manager/main.bicep b/modules/network/network-manager/main.bicep
deleted file mode 100644
index c867dd3d0c..0000000000
--- a/modules/network/network-manager/main.bicep
+++ /dev/null
@@ -1,201 +0,0 @@ -metadata name = 'Network Managers' -metadata description = 'This module deploys a Network Manager.' -metadata owner = 'Azure/module-maintainers' - -@sys.description('Required. Name of the Network Manager.') -@minLength(1) -@maxLength(64) -param name string - -@sys.description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@sys.description('Optional. The lock settings of the service.') -param lock lockType - -@sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments roleAssignmentType - -@sys.description('Optional. Tags of the resource.') -param tags object? - -@maxLength(500) -@sys.description('Optional. A description of the network manager.') -param description string = '' - -@sys.description('Required. Scope Access. String array containing any of "Connectivity", "SecurityAdmin". The connectivity feature allows you to create network topologies at scale. The security admin feature lets you create high-priority security rules, which take precedence over NSGs.') -param networkManagerScopeAccesses array - -@sys.description('Required. Scope of Network Manager. Contains a list of management groups or a list of subscriptions. This defines the boundary of network resources that this Network Manager instance can manage. If using Management Groups, ensure that the "Microsoft.Network" resource provider is registered for those Management Groups prior to deployment.') -param networkManagerScopes object - -@sys.description('Conditional. Network Groups and static members to create for the network manager. 
Required if using "connectivityConfigurations" or "securityAdminConfigurations" parameters. A network group is global container that includes a set of virtual network resources from any region. Then, configurations are applied to target the network group, which applies the configuration to all members of the group. The two types are group memberships are static and dynamic memberships. Static membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks, and is available as a child module, while dynamic membership is defined through Azure policy. See [How Azure Policy works with Network Groups](https://learn.microsoft.com/en-us/azure/virtual-network-manager/concept-azure-policy-integration) for more details.') -param networkGroups array = [] - -@sys.description('Optional. Connectivity Configurations to create for the network manager. Network manager must contain at least one network group in order to define connectivity configurations.') -param connectivityConfigurations array = [] - -@sys.description('Optional. Scope Connections to create for the network manager. Allows network manager to manage resources from another tenant. Supports management groups or subscriptions from another tenant.') -param scopeConnections array = [] - -@sys.description('Optional. Security Admin Configurations, Rule Collections and Rules to create for the network manager. Azure Virtual Network Manager provides two different types of configurations you can deploy across your virtual networks, one of them being a SecurityAdmin configuration. A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. You then associate the rule collection with the network groups that you want to apply the security admin rules to.') -param securityAdminConfigurations array = [] - -@sys.description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var enableReferencedModulesTelemetry = false - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource networkManager 'Microsoft.Network/networkManagers@2023-02-01' = { - name: name - location: location - tags: tags - properties: { - description: description - networkManagerScopeAccesses: networkManagerScopeAccesses - networkManagerScopes: networkManagerScopes - } -} - -module networkManager_networkGroups 'network-group/main.bicep' = [for (networkGroup, index) in networkGroups: { - name: '${uniqueString(deployment().name, location)}-NetworkManager-NetworkGroups-${index}' - params: { - name: networkGroup.name - networkManagerName: networkManager.name - description: contains(networkGroup, 'description') ? 
networkGroup.description : '' - staticMembers: contains(networkGroup, 'staticMembers') ? networkGroup.staticMembers : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -module networkManager_connectivityConfigurations 'connectivity-configuration/main.bicep' = [for (connectivityConfiguration, index) in connectivityConfigurations: { - name: '${uniqueString(deployment().name, location)}-NetworkManager-ConnectivityConfigurations-${index}' - params: { - name: connectivityConfiguration.name - networkManagerName: networkManager.name - description: contains(connectivityConfiguration, 'description') ? connectivityConfiguration.description : '' - appliesToGroups: connectivityConfiguration.appliesToGroups - connectivityTopology: connectivityConfiguration.connectivityTopology - hubs: contains(connectivityConfiguration, 'hubs') ? connectivityConfiguration.hubs : [] - deleteExistingPeering: contains(connectivityConfiguration, 'hubs') && (connectivityConfiguration.connectivityTopology == 'HubAndSpoke') ? connectivityConfiguration.deleteExistingPeering : 'False' - isGlobal: contains(connectivityConfiguration, 'isGlobal') ? connectivityConfiguration.isGlobal : 'False' - enableDefaultTelemetry: enableReferencedModulesTelemetry - } - dependsOn: networkManager_networkGroups -}] - -module networkManager_scopeConnections 'scope-connection/main.bicep' = [for (scopeConnection, index) in scopeConnections: { - name: '${uniqueString(deployment().name, location)}-NetworkManager-ScopeConnections-${index}' - params: { - name: scopeConnection.name - networkManagerName: networkManager.name - description: contains(scopeConnection, 'description') ? 
scopeConnection.description : '' - resourceId: scopeConnection.resourceId - tenantId: scopeConnection.tenantId - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -module networkManager_securityAdminConfigurations 'security-admin-configuration/main.bicep' = [for (securityAdminConfiguration, index) in securityAdminConfigurations: { - name: '${uniqueString(deployment().name, location)}-NetworkManager-SecurityAdminConfigurations-${index}' - params: { - name: securityAdminConfiguration.name - networkManagerName: networkManager.name - description: contains(securityAdminConfiguration, 'description') ? securityAdminConfiguration.description : '' - applyOnNetworkIntentPolicyBasedServices: securityAdminConfiguration.applyOnNetworkIntentPolicyBasedServices - ruleCollections: contains(securityAdminConfiguration, 'ruleCollections') ? securityAdminConfiguration.ruleCollections : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry - } - dependsOn: networkManager_networkGroups -}] - -resource networkManager_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' - } - scope: networkManager -} - -resource networkManager_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(networkManager.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? 
roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: networkManager -}] - -@sys.description('The resource group the network manager was deployed into.') -output resourceGroupName string = resourceGroup().name - -@sys.description('The resource ID of the network manager.') -output resourceId string = networkManager.id - -@sys.description('The name of the network manager.') -output name string = networkManager.name - -@sys.description('The location the resource was deployed into.') -output location string = networkManager.location - -// =============== // -// Definitions // -// =============== // - -type lockType = { - @sys.description('Optional. Specify the name of lock.') - name: string? - - @sys.description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') - roleDefinitionIdOrName: string - - @sys.description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @sys.description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @sys.description('Optional. The description of the role assignment.') - description: string? - - @sys.description('Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @sys.description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @sys.description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? diff --git a/modules/network/network-manager/main.json b/modules/network/network-manager/main.json deleted file mode 100644 index 134021002c..0000000000 --- a/modules/network/network-manager/main.json +++ /dev/null 
@@ -1,1423 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "15603026422855568539" - }, - "name": "Network Managers", - "description": "This module deploys a Network Manager.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "minLength": 1, - "maxLength": 64, - "metadata": { - "description": "Required. Name of the Network Manager." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "maxLength": 500, - "metadata": { - "description": "Optional. A description of the network manager." - } - }, - "networkManagerScopeAccesses": { - "type": "array", - "metadata": { - "description": "Required. Scope Access. 
String array containing any of \"Connectivity\", \"SecurityAdmin\". The connectivity feature allows you to create network topologies at scale. The security admin feature lets you create high-priority security rules, which take precedence over NSGs." - } - }, - "networkManagerScopes": { - "type": "object", - "metadata": { - "description": "Required. Scope of Network Manager. Contains a list of management groups or a list of subscriptions. This defines the boundary of network resources that this Network Manager instance can manage. If using Management Groups, ensure that the \"Microsoft.Network\" resource provider is registered for those Management Groups prior to deployment." - } - }, - "networkGroups": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Conditional. Network Groups and static members to create for the network manager. Required if using \"connectivityConfigurations\" or \"securityAdminConfigurations\" parameters. A network group is global container that includes a set of virtual network resources from any region. Then, configurations are applied to target the network group, which applies the configuration to all members of the group. The two types are group memberships are static and dynamic memberships. Static membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks, and is available as a child module, while dynamic membership is defined through Azure policy. See [How Azure Policy works with Network Groups](https://learn.microsoft.com/en-us/azure/virtual-network-manager/concept-azure-policy-integration) for more details." - } - }, - "connectivityConfigurations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Connectivity Configurations to create for the network manager. Network manager must contain at least one network group in order to define connectivity configurations." 
- } - }, - "scopeConnections": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Scope Connections to create for the network manager. Allows network manager to manage resources from another tenant. Supports management groups or subscriptions from another tenant." - } - }, - "securityAdminConfigurations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Security Admin Configurations, Rule Collections and Rules to create for the network manager. Azure Virtual Network Manager provides two different types of configurations you can deploy across your virtual networks, one of them being a SecurityAdmin configuration. A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. You then associate the rule collection with the network groups that you want to apply the security admin rules to." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "networkManager": { - "type": "Microsoft.Network/networkManagers", - "apiVersion": "2023-02-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "description": "[parameters('description')]", - "networkManagerScopeAccesses": "[parameters('networkManagerScopeAccesses')]", - "networkManagerScopes": "[parameters('networkManagerScopes')]" - } - }, - "networkManager_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), 
not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/networkManagers/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "networkManager" - ] - }, - "networkManager_roleAssignments": { - "copy": { - "name": "networkManager_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/networkManagers/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/networkManagers', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": 
"[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "networkManager" - ] - }, - "networkManager_networkGroups": { - "copy": { - "name": "networkManager_networkGroups", - "count": "[length(parameters('networkGroups'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-NetworkManager-NetworkGroups-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('networkGroups')[copyIndex()].name]" - }, - "networkManagerName": { - "value": "[parameters('name')]" - }, - "description": "[if(contains(parameters('networkGroups')[copyIndex()], 'description'), createObject('value', parameters('networkGroups')[copyIndex()].description), createObject('value', ''))]", - "staticMembers": "[if(contains(parameters('networkGroups')[copyIndex()], 'staticMembers'), createObject('value', parameters('networkGroups')[copyIndex()].staticMembers), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": 
"[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "15283743152988303838" - }, - "name": "Network Manager Network Groups", - "description": "This module deploys a Network Manager Network Group.\r\nA network group is a collection of same-type network resources that you can associate with network manager configurations. You can add same-type network resources after you create the network group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "networkManagerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. The name of the network group." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "maxLength": 500, - "metadata": { - "description": "Optional. A description of the network group." - } - }, - "staticMembers": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Static Members to create for the network group. Contains virtual networks to add to the network group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/networkManagers/networkGroups", - "apiVersion": "2023-02-01", - "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('name'))]", - "properties": { - "description": "[parameters('description')]" - } - }, - { - "copy": { - "name": "networkGroup_staticMembers", - "count": "[length(parameters('staticMembers'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-NetworkGroup-StaticMembers-{1}', uniqueString(deployment().name), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "networkManagerName": { - "value": "[parameters('networkManagerName')]" - }, - "networkGroupName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('staticMembers')[copyIndex()].name]" - }, - "resourceId": { - "value": "[parameters('staticMembers')[copyIndex()].resourceId]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "6621385901045960143" - }, - "name": "Network Manager Network Group Static Members", - "description": "This module deploys a 
Network Manager Network Group Static Member.\r\nStatic membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "networkManagerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." - } - }, - "networkGroupName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent network group. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the static member." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the virtual network." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/networkManagers/networkGroups/staticMembers", - "apiVersion": "2023-02-01", - "name": "[format('{0}/{1}/{2}', parameters('networkManagerName'), parameters('networkGroupName'), parameters('name'))]", - "properties": { - "resourceId": "[parameters('resourceId')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed static member." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed static member." - }, - "value": "[resourceId('Microsoft.Network/networkManagers/networkGroups/staticMembers', parameters('networkManagerName'), parameters('networkGroupName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the static member was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers/networkGroups', parameters('networkManagerName'), parameters('name'))]" - ] - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed network group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed network group." - }, - "value": "[resourceId('Microsoft.Network/networkManagers/networkGroups', parameters('networkManagerName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the network group was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "networkManager" - ] - }, - "networkManager_connectivityConfigurations": { - "copy": { - "name": "networkManager_connectivityConfigurations", - "count": "[length(parameters('connectivityConfigurations'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-NetworkManager-ConnectivityConfigurations-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('connectivityConfigurations')[copyIndex()].name]" - }, - "networkManagerName": { - "value": "[parameters('name')]" - }, - "description": "[if(contains(parameters('connectivityConfigurations')[copyIndex()], 'description'), createObject('value', parameters('connectivityConfigurations')[copyIndex()].description), createObject('value', ''))]", - "appliesToGroups": { - "value": "[parameters('connectivityConfigurations')[copyIndex()].appliesToGroups]" - }, - "connectivityTopology": { - "value": "[parameters('connectivityConfigurations')[copyIndex()].connectivityTopology]" - }, - "hubs": "[if(contains(parameters('connectivityConfigurations')[copyIndex()], 'hubs'), createObject('value', parameters('connectivityConfigurations')[copyIndex()].hubs), createObject('value', createArray()))]", - "deleteExistingPeering": "[if(and(contains(parameters('connectivityConfigurations')[copyIndex()], 'hubs'), equals(parameters('connectivityConfigurations')[copyIndex()].connectivityTopology, 'HubAndSpoke')), createObject('value', parameters('connectivityConfigurations')[copyIndex()].deleteExistingPeering), createObject('value', 'False'))]", - "isGlobal": "[if(contains(parameters('connectivityConfigurations')[copyIndex()], 'isGlobal'), createObject('value', parameters('connectivityConfigurations')[copyIndex()].isGlobal), 
createObject('value', 'False'))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "2318326690435131857" - }, - "name": "Network Manager Connectivity Configurations", - "description": "This module deploys a Network Manager Connectivity Configuration.\r\nConnectivity configurations define hub-and-spoke or mesh topologies applied to one or more network groups.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "networkManagerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. The name of the connectivity configuration." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "maxLength": 500, - "metadata": { - "description": "Optional. A description of the connectivity configuration." - } - }, - "appliesToGroups": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Required. Network Groups for the configuration." - } - }, - "connectivityTopology": { - "type": "string", - "allowedValues": [ - "HubAndSpoke", - "Mesh" - ], - "metadata": { - "description": "Required. Connectivity topology type." - } - }, - "hubs": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Conditional. List of hub items. This will create peerings between the specified hub and the virtual networks in the network group specified. Required if connectivityTopology is of type \"HubAndSpoke\"." 
- } - }, - "deleteExistingPeering": { - "type": "string", - "defaultValue": "False", - "allowedValues": [ - "True", - "False" - ], - "metadata": { - "description": "Optional. Flag if need to remove current existing peerings. If set to \"True\", all peerings on virtual networks in selected network groups will be removed and replaced with the peerings defined by this configuration. Optional when connectivityTopology is of type \"HubAndSpoke\"." - } - }, - "isGlobal": { - "type": "string", - "defaultValue": "False", - "allowedValues": [ - "True", - "False" - ], - "metadata": { - "description": "Optional. Flag if global mesh is supported. By default, mesh connectivity is applied to virtual networks within the same region. If set to \"True\", a global mesh enables connectivity across regions." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/networkManagers/connectivityConfigurations", - "apiVersion": "2023-02-01", - "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('name'))]", - "properties": { - "appliesToGroups": "[parameters('appliesToGroups')]", - "connectivityTopology": "[parameters('connectivityTopology')]", - "deleteExistingPeering": "[if(equals(parameters('connectivityTopology'), 'HubAndSpoke'), parameters('deleteExistingPeering'), 'False')]", - "description": "[parameters('description')]", - 
"hubs": "[if(equals(parameters('connectivityTopology'), 'HubAndSpoke'), parameters('hubs'), createArray())]", - "isGlobal": "[parameters('isGlobal')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed connectivity configuration." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed connectivity configuration." - }, - "value": "[resourceId('Microsoft.Network/networkManagers/connectivityConfigurations', parameters('networkManagerName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the connectivity configuration was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "networkManager", - "networkManager_networkGroups" - ] - }, - "networkManager_scopeConnections": { - "copy": { - "name": "networkManager_scopeConnections", - "count": "[length(parameters('scopeConnections'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-NetworkManager-ScopeConnections-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('scopeConnections')[copyIndex()].name]" - }, - "networkManagerName": { - "value": "[parameters('name')]" - }, - "description": "[if(contains(parameters('scopeConnections')[copyIndex()], 'description'), createObject('value', parameters('scopeConnections')[copyIndex()].description), createObject('value', ''))]", - "resourceId": { - "value": "[parameters('scopeConnections')[copyIndex()].resourceId]" - }, - "tenantId": { - "value": "[parameters('scopeConnections')[copyIndex()].tenantId]" - }, - "enableDefaultTelemetry": { - "value": 
"[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "15307617637283317811" - }, - "name": "Network Manager Scope Connections", - "description": "This module deploys a Network Manager Scope Connection.\r\nCreate a cross-tenant connection to manage a resource from another tenant.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "networkManagerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. The name of the scope connection." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "maxLength": 500, - "metadata": { - "description": "Optional. A description of the scope connection." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. Enter the subscription or management group resource ID that you want to add to this network manager's scope." - } - }, - "tenantId": { - "type": "string", - "metadata": { - "description": "Required. Tenant ID of the subscription or management group that you want to manage." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/networkManagers/scopeConnections", - "apiVersion": "2023-02-01", - "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('name'))]", - "properties": { - "description": "[parameters('description')]", - "resourceId": "[parameters('resourceId')]", - "tenantId": "[parameters('tenantId')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed scope connection." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed scope connection." - }, - "value": "[resourceId('Microsoft.Network/networkManagers/scopeConnections', parameters('networkManagerName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the scope connection was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "networkManager" - ] - }, - "networkManager_securityAdminConfigurations": { - "copy": { - "name": "networkManager_securityAdminConfigurations", - "count": "[length(parameters('securityAdminConfigurations'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-NetworkManager-SecurityAdminConfigurations-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('securityAdminConfigurations')[copyIndex()].name]" - }, - "networkManagerName": { - "value": "[parameters('name')]" - }, - "description": "[if(contains(parameters('securityAdminConfigurations')[copyIndex()], 'description'), createObject('value', parameters('securityAdminConfigurations')[copyIndex()].description), createObject('value', ''))]", - "applyOnNetworkIntentPolicyBasedServices": { - "value": "[parameters('securityAdminConfigurations')[copyIndex()].applyOnNetworkIntentPolicyBasedServices]" - }, - "ruleCollections": "[if(contains(parameters('securityAdminConfigurations')[copyIndex()], 'ruleCollections'), createObject('value', parameters('securityAdminConfigurations')[copyIndex()].ruleCollections), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "10563520895120682908" - }, - "name": "Network Manager Security Admin Configurations", - "description": "This module deploys an Network Manager Security Admin Configuration.\r\nA security admin configuration contains a set of rule 
collections. Each rule collection contains one or more security admin rules.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "networkManagerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. The name of the security admin configuration." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "maxLength": 500, - "metadata": { - "description": "Optional. A description of the security admin configuration." - } - }, - "applyOnNetworkIntentPolicyBasedServices": { - "type": "array", - "defaultValue": [ - "None" - ], - "allowedValues": [ - "None", - "All", - "AllowRulesOnly" - ], - "metadata": { - "description": "Required. Enum list of network intent policy based services." - } - }, - "ruleCollections": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. A security admin configuration contains a set of rule collections that are applied to network groups. Each rule collection contains one or more security admin rules." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/networkManagers/securityAdminConfigurations", - "apiVersion": "2023-02-01", - "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('name'))]", - "properties": { - "description": "[parameters('description')]", - "applyOnNetworkIntentPolicyBasedServices": "[parameters('applyOnNetworkIntentPolicyBasedServices')]" - } - }, - { - "copy": { - "name": "securityAdminConfigurations_ruleCollections", - "count": "[length(parameters('ruleCollections'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-SecurityAdminConfigurations-RuleCollections-{1}', uniqueString(deployment().name), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "networkManagerName": { - "value": "[parameters('networkManagerName')]" - }, - "securityAdminConfigurationName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('ruleCollections')[copyIndex()].name]" - }, - "appliesToGroups": { - "value": "[parameters('ruleCollections')[copyIndex()].appliesToGroups]" - }, - "rules": "[if(contains(parameters('ruleCollections')[copyIndex()], 'rules'), createObject('value', parameters('ruleCollections')[copyIndex()].rules), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - 
} - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "1001246465525638239" - }, - "name": "Network Manager Security Admin Configuration Rule Collections", - "description": "This module deploys an Network Manager Security Admin Configuration Rule Collection.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "networkManagerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." - } - }, - "securityAdminConfigurationName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent security admin configuration. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. The name of the admin rule collection." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "maxLength": 500, - "metadata": { - "description": "Optional. A description of the admin rule collection." - } - }, - "appliesToGroups": { - "type": "array", - "metadata": { - "description": "Required. List of network groups for configuration. An admin rule collection must be associated to at least one network group." - } - }, - "rules": { - "type": "array", - "metadata": { - "description": "Optional. List of rules for the admin rules collection. 
Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections", - "apiVersion": "2023-02-01", - "name": "[format('{0}/{1}/{2}', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('name'))]", - "properties": { - "description": "[parameters('description')]", - "appliesToGroups": "[parameters('appliesToGroups')]" - } - }, - { - "copy": { - "name": "securityAdminConfigurations_rules", - "count": "[length(parameters('rules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-RuleCollections-Rules-{1}', uniqueString(deployment().name), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "networkManagerName": { - "value": "[parameters('networkManagerName')]" - }, - "securityAdminConfigurationName": { - "value": "[parameters('securityAdminConfigurationName')]" - }, - "ruleCollectionName": { - "value": 
"[parameters('name')]" - }, - "name": { - "value": "[parameters('rules')[copyIndex()].name]" - }, - "access": { - "value": "[parameters('rules')[copyIndex()].access]" - }, - "description": "[if(contains(parameters('rules')[copyIndex()], 'description'), createObject('value', parameters('rules')[copyIndex()].description), createObject('value', ''))]", - "destinationPortRanges": "[if(contains(parameters('rules')[copyIndex()], 'destinationPortRanges'), createObject('value', parameters('rules')[copyIndex()].destinationPortRanges), createObject('value', createArray()))]", - "destinations": "[if(contains(parameters('rules')[copyIndex()], 'destinations'), createObject('value', parameters('rules')[copyIndex()].destinations), createObject('value', createArray()))]", - "direction": { - "value": "[parameters('rules')[copyIndex()].direction]" - }, - "priority": { - "value": "[parameters('rules')[copyIndex()].priority]" - }, - "protocol": { - "value": "[parameters('rules')[copyIndex()].protocol]" - }, - "sourcePortRanges": "[if(contains(parameters('rules')[copyIndex()], 'sourcePortRanges'), createObject('value', parameters('rules')[copyIndex()].sourcePortRanges), createObject('value', createArray()))]", - "sources": "[if(contains(parameters('rules')[copyIndex()], 'sources'), createObject('value', parameters('rules')[copyIndex()].sources), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "9158772761946781279" - }, - "name": "Network Manager Security Admin Configuration Rule Collection Rules", - "description": "This module deploys an Azure Virtual Network Manager (AVNM) Security Admin Configuration Rule Collection Rule.\r\nA security admin 
configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "networkManagerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." - } - }, - "securityAdminConfigurationName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent security admin configuration. Required if the template is used in a standalone deployment." - } - }, - "ruleCollectionName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent rule collection. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. The name of the rule." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "maxLength": 500, - "metadata": { - "description": "Optional. A description of the rule." - } - }, - "access": { - "type": "string", - "allowedValues": [ - "Allow", - "AlwaysAllow", - "Deny" - ], - "metadata": { - "description": "Required. Indicates the access allowed for this particular rule. \"Allow\" means traffic matching this rule will be allowed. \"Deny\" means traffic matching this rule will be blocked. \"AlwaysAllow\" means that traffic matching this rule will be allowed regardless of other rules with lower priority or user-defined NSGs." - } - }, - "destinationPortRanges": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." - } - }, - "destinations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. 
The destnations filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." - } - }, - "direction": { - "type": "string", - "allowedValues": [ - "Inbound", - "Outbound" - ], - "metadata": { - "description": "Required. Indicates if the traffic matched against the rule in inbound or outbound." - } - }, - "priority": { - "type": "int", - "minValue": 1, - "maxValue": 4096, - "metadata": { - "description": "Required. The priority of the rule. The value can be between 1 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule." - } - }, - "protocol": { - "type": "string", - "allowedValues": [ - "Ah", - "Any", - "Esp", - "Icmp", - "Tcp", - "Udp" - ], - "metadata": { - "description": "Required. Network protocol this rule applies to." - } - }, - "sourcePortRanges": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." - } - }, - "sources": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The source filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. 
Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", - "apiVersion": "2023-02-01", - "name": "[format('{0}/{1}/{2}/{3}', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('ruleCollectionName'), parameters('name'))]", - "kind": "Custom", - "properties": { - "access": "[parameters('access')]", - "description": "[parameters('description')]", - "destinationPortRanges": "[parameters('destinationPortRanges')]", - "destinations": "[parameters('destinations')]", - "direction": "[parameters('direction')]", - "priority": "[parameters('priority')]", - "protocol": "[parameters('protocol')]", - "sourcePortRanges": "[parameters('sourcePortRanges')]", - "sources": "[parameters('sources')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed rule." - }, - "value": "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('ruleCollectionName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the rule was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('name'))]" - ] - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed admin rule collection." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed admin rule collection." - }, - "value": "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the admin rule collection was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', parameters('networkManagerName'), parameters('name'))]" - ] - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed security admin configuration." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed security admin configuration." - }, - "value": "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', parameters('networkManagerName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the security admin configuration was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "networkManager", - "networkManager_networkGroups" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the network manager was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the network manager." - }, - "value": "[resourceId('Microsoft.Network/networkManagers', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the network manager." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('networkManager', '2023-02-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/network-manager/network-group/README.md b/modules/network/network-manager/network-group/README.md deleted file mode 100644 index dfc2942b79..0000000000 --- a/modules/network/network-manager/network-group/README.md +++ /dev/null 
@@ -1,91 +0,0 @@
-# Network Manager Network Groups `[Microsoft.Network/networkManagers/networkGroups]`
-
-This module deploys a Network Manager Network Group.
-A network group is a collection of same-type network resources that you can associate with network manager configurations. You can add same-type network resources after you create the network group.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Network/networkManagers/networkGroups` | [2023-02-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-02-01/networkManagers/networkGroups) |
-| `Microsoft.Network/networkManagers/networkGroups/staticMembers` | [2023-02-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-02-01/networkManagers/networkGroups/staticMembers) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the network group. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`networkManagerName`](#parameter-networkmanagername) | string | The name of the parent network manager. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`description`](#parameter-description) | string | A description of the network group. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`staticMembers`](#parameter-staticmembers) | array | Static Members to create for the network group. Contains virtual networks to add to the network group. |
-
-### Parameter: `name`
-
-The name of the network group.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `networkManagerName`
-
-The name of the parent network manager. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `description`
-
-A description of the network group.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `staticMembers`
-
-Static Members to create for the network group. Contains virtual networks to add to the network group.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed network group. |
-| `resourceGroupName` | string | The resource group the network group was deployed into. |
-| `resourceId` | string | The resource ID of the deployed network group. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/network/network-manager/network-group/main.bicep b/modules/network/network-manager/network-group/main.bicep
deleted file mode 100644
index 83ebe0ec80..0000000000
--- a/modules/network/network-manager/network-group/main.bicep
+++ /dev/null
@@ -1,67 +0,0 @@
-metadata name = 'Network Manager Network Groups'
-metadata description = '''This module deploys a Network Manager Network Group.
-A network group is a collection of same-type network resources that you can associate with network manager configurations. You can add same-type network resources after you create the network group.'''
-metadata owner = 'Azure/module-maintainers'
-
-@sys.description('Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment.')
-param networkManagerName string
-
-@maxLength(64)
-@sys.description('Required. The name of the network group.')
-param name string
-
-@maxLength(500)
-@sys.description('Optional. A description of the network group.')
-param description string = ''
-
-@sys.description('Optional. Static Members to create for the network group. Contains virtual networks to add to the network group.')
-param staticMembers array = []
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource networkManager 'Microsoft.Network/networkManagers@2023-02-01' existing = {
- name: networkManagerName
-}
-
-resource networkGroup 'Microsoft.Network/networkManagers/networkGroups@2023-02-01' = {
- name: name
- parent: networkManager
- properties: {
- description: description
- }
-}
-
-module networkGroup_staticMembers 'static-member/main.bicep' = [for (staticMember, index) in staticMembers: {
- name: '${uniqueString(deployment().name)}-NetworkGroup-StaticMembers-${index}'
- params: {
- networkManagerName: networkManager.name
- networkGroupName: networkGroup.name
- name: staticMember.name
- resourceId: staticMember.resourceId
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-@sys.description('The name of the deployed network group.')
-output name string = networkGroup.name
-
-@sys.description('The resource ID of the deployed network group.')
-output resourceId string = networkGroup.id
-
-@sys.description('The resource group the network group was deployed into.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/network/network-manager/network-group/main.json b/modules/network/network-manager/network-group/main.json
deleted file mode 100644
index b6a153bd82..0000000000
--- a/modules/network/network-manager/network-group/main.json
+++ /dev/null
@@ -1,230 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "15283743152988303838" - }, - "name": "Network Manager Network Groups", - "description": "This module deploys a Network Manager Network Group.\r\nA network group is a collection of same-type network resources that you can associate with network manager configurations. You can add same-type network resources after you create the network group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "networkManagerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. The name of the network group." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "maxLength": 500, - "metadata": { - "description": "Optional. A description of the network group." - } - }, - "staticMembers": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Static Members to create for the network group. Contains virtual networks to add to the network group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/networkManagers/networkGroups", - "apiVersion": "2023-02-01", - "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('name'))]", - "properties": { - "description": "[parameters('description')]" - } - }, - { - "copy": { - "name": "networkGroup_staticMembers", - "count": "[length(parameters('staticMembers'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-NetworkGroup-StaticMembers-{1}', uniqueString(deployment().name), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "networkManagerName": { - "value": "[parameters('networkManagerName')]" - }, - "networkGroupName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('staticMembers')[copyIndex()].name]" - }, - "resourceId": { - "value": "[parameters('staticMembers')[copyIndex()].resourceId]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "6621385901045960143" - }, - "name": "Network Manager Network Group Static Members", - "description": "This module deploys a 
Network Manager Network Group Static Member.\r\nStatic membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "networkManagerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." - } - }, - "networkGroupName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent network group. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the static member." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the virtual network." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/networkManagers/networkGroups/staticMembers", - "apiVersion": "2023-02-01", - "name": "[format('{0}/{1}/{2}', parameters('networkManagerName'), parameters('networkGroupName'), parameters('name'))]", - "properties": { - "resourceId": "[parameters('resourceId')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed static member." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed static member." - }, - "value": "[resourceId('Microsoft.Network/networkManagers/networkGroups/staticMembers', parameters('networkManagerName'), parameters('networkGroupName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the static member was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers/networkGroups', parameters('networkManagerName'), parameters('name'))]" - ] - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed network group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed network group." - }, - "value": "[resourceId('Microsoft.Network/networkManagers/networkGroups', parameters('networkManagerName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the network group was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/network/network-manager/network-group/static-member/README.md b/modules/network/network-manager/network-group/static-member/README.md deleted file mode 100644 index 43d13ca7e6..0000000000 --- a/modules/network/network-manager/network-group/static-member/README.md +++ /dev/null 
@@ -1,88 +0,0 @@
-# Network Manager Network Group Static Members `[Microsoft.Network/networkManagers/networkGroups/staticMembers]`
-
-This module deploys a Network Manager Network Group Static Member.
-Static membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Network/networkManagers/networkGroups/staticMembers` | [2023-02-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-02-01/networkManagers/networkGroups/staticMembers) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the static member. |
-| [`resourceId`](#parameter-resourceid) | string | Resource ID of the virtual network. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`networkGroupName`](#parameter-networkgroupname) | string | The name of the parent network group. Required if the template is used in a standalone deployment. |
-| [`networkManagerName`](#parameter-networkmanagername) | string | The name of the parent network manager. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-
-### Parameter: `name`
-
-The name of the static member.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `resourceId`
-
-Resource ID of the virtual network.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `networkGroupName`
-
-The name of the parent network group. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `networkManagerName`
-
-The name of the parent network manager. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed static member. |
-| `resourceGroupName` | string | The resource group the static member was deployed into. |
-| `resourceId` | string | The resource ID of the deployed static member. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/network/network-manager/network-group/static-member/main.bicep b/modules/network/network-manager/network-group/static-member/main.bicep
deleted file mode 100644
index e1ede7aa2d..0000000000
--- a/modules/network/network-manager/network-group/static-member/main.bicep
+++ /dev/null
@@ -1,56 +0,0 @@
-metadata name = 'Network Manager Network Group Static Members'
-metadata description = '''This module deploys a Network Manager Network Group Static Member.
-Static membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks.'''
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment.')
-param networkManagerName string
-
-@description('Conditional. The name of the parent network group. Required if the template is used in a standalone deployment.')
-param networkGroupName string
-
-@description('Required. The name of the static member.')
-param name string
-
-@description('Required. Resource ID of the virtual network.')
-param resourceId string
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource networkManager 'Microsoft.Network/networkManagers@2023-02-01' existing = {
- name: networkManagerName
-
- resource networkGroup 'networkGroups@2023-02-01' existing = {
- name: networkGroupName
- }
-}
-
-resource staticMember 'Microsoft.Network/networkManagers/networkGroups/staticMembers@2023-02-01' = {
- name: name
- parent: networkManager::networkGroup
- properties: {
- resourceId: resourceId
- }
-}
-
-@description('The name of the deployed static member.')
-output name string = staticMember.name
-
-@description('The resource ID of the deployed static member.')
-output resourceId string = staticMember.id
-
-@description('The resource group the static member was deployed into.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/network/network-manager/network-group/static-member/main.json b/modules/network/network-manager/network-group/static-member/main.json
deleted file mode 100644
index 71962536ce..0000000000
--- a/modules/network/network-manager/network-group/static-member/main.json
+++ /dev/null
@@ -1,94 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "6621385901045960143" - }, - "name": "Network Manager Network Group Static Members", - "description": "This module deploys a Network Manager Network Group Static Member.\r\nStatic membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "networkManagerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." - } - }, - "networkGroupName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent network group. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the static member." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the virtual network." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/networkManagers/networkGroups/staticMembers", - "apiVersion": "2023-02-01", - "name": "[format('{0}/{1}/{2}', parameters('networkManagerName'), parameters('networkGroupName'), parameters('name'))]", - "properties": { - "resourceId": "[parameters('resourceId')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed static member." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed static member." - }, - "value": "[resourceId('Microsoft.Network/networkManagers/networkGroups/staticMembers', parameters('networkManagerName'), parameters('networkGroupName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the static member was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/network/network-manager/network-group/static-member/version.json b/modules/network/network-manager/network-group/static-member/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/network/network-manager/network-group/static-member/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/network/network-manager/network-group/version.json b/modules/network/network-manager/network-group/version.json
deleted file mode 100644
index 04a0dd1a80..0000000000
--- a/modules/network/network-manager/network-group/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.5",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/network-manager/scope-connection/README.md b/modules/network/network-manager/scope-connection/README.md
deleted file mode 100644
index ad53105021..0000000000
--- a/modules/network/network-manager/scope-connection/README.md
+++ /dev/null
@@ -1,97 +0,0 @@
-# Network Manager Scope Connections `[Microsoft.Network/networkManagers/scopeConnections]`
-
-This module deploys a Network Manager Scope Connection.
-Create a cross-tenant connection to manage a resource from another tenant.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Network/networkManagers/scopeConnections` | [2023-02-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-02-01/networkManagers/scopeConnections) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the scope connection. |
-| [`resourceId`](#parameter-resourceid) | string | Enter the subscription or management group resource ID that you want to add to this network manager's scope. |
-| [`tenantId`](#parameter-tenantid) | string | Tenant ID of the subscription or management group that you want to manage. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`networkManagerName`](#parameter-networkmanagername) | string | The name of the parent network manager. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`description`](#parameter-description) | string | A description of the scope connection. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-
-### Parameter: `name`
-
-The name of the scope connection.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `resourceId`
-
-Enter the subscription or management group resource ID that you want to add to this network manager's scope.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `tenantId`
-
-Tenant ID of the subscription or management group that you want to manage.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `networkManagerName`
-
-The name of the parent network manager. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `description`
-
-A description of the scope connection.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed scope connection. |
-| `resourceGroupName` | string | The resource group the scope connection was deployed into. |
-| `resourceId` | string | The resource ID of the deployed scope connection. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/network/network-manager/scope-connection/main.bicep b/modules/network/network-manager/scope-connection/main.bicep
deleted file mode 100644
index 1db5deb2ae..0000000000
--- a/modules/network/network-manager/scope-connection/main.bicep
+++ /dev/null
@@ -1,59 +0,0 @@
-metadata name = 'Network Manager Scope Connections'
-metadata description = '''This module deploys a Network Manager Scope Connection.
-Create a cross-tenant connection to manage a resource from another tenant.'''
-metadata owner = 'Azure/module-maintainers'
-
-@sys.description('Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment.')
-param networkManagerName string
-
-@maxLength(64)
-@sys.description('Required. The name of the scope connection.')
-param name string
-
-@maxLength(500)
-@sys.description('Optional. A description of the scope connection.')
-param description string = ''
-
-@sys.description('Required. Enter the subscription or management group resource ID that you want to add to this network manager\'s scope.')
-param resourceId string
-
-@sys.description('Required. Tenant ID of the subscription or management group that you want to manage.')
-param tenantId string
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource networkManager 'Microsoft.Network/networkManagers@2023-02-01' existing = {
- name: networkManagerName
-}
-
-resource scopeConnection 'Microsoft.Network/networkManagers/scopeConnections@2023-02-01' = {
- name: name
- parent: networkManager
- properties: {
- description: description
- resourceId: resourceId
- tenantId: tenantId
- }
-}
-
-@sys.description('The name of the deployed scope connection.')
-output name string = scopeConnection.name
-
-@sys.description('The resource ID of the deployed scope connection.')
-output resourceId string = scopeConnection.id
-
-@sys.description('The resource group the scope connection was deployed into.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/network/network-manager/scope-connection/main.json b/modules/network/network-manager/scope-connection/main.json
deleted file mode 100644
index cf2d3d9167..0000000000
--- a/modules/network/network-manager/scope-connection/main.json
+++ /dev/null
@@ -1,105 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "15307617637283317811" - }, - "name": "Network Manager Scope Connections", - "description": "This module deploys a Network Manager Scope Connection.\r\nCreate a cross-tenant connection to manage a resource from another tenant.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "networkManagerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. The name of the scope connection." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "maxLength": 500, - "metadata": { - "description": "Optional. A description of the scope connection." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. Enter the subscription or management group resource ID that you want to add to this network manager's scope." - } - }, - "tenantId": { - "type": "string", - "metadata": { - "description": "Required. Tenant ID of the subscription or management group that you want to manage." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/networkManagers/scopeConnections", - "apiVersion": "2023-02-01", - "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('name'))]", - "properties": { - "description": "[parameters('description')]", - "resourceId": "[parameters('resourceId')]", - "tenantId": "[parameters('tenantId')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed scope connection." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed scope connection." - }, - "value": "[resourceId('Microsoft.Network/networkManagers/scopeConnections', parameters('networkManagerName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the scope connection was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/network/network-manager/scope-connection/version.json b/modules/network/network-manager/scope-connection/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/network/network-manager/scope-connection/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/network/network-manager/security-admin-configuration/README.md b/modules/network/network-manager/security-admin-configuration/README.md
deleted file mode 100644
index acf913b035..0000000000
--- a/modules/network/network-manager/security-admin-configuration/README.md
+++ /dev/null
@@ -1,114 +0,0 @@
-# Network Manager Security Admin Configurations `[Microsoft.Network/networkManagers/securityAdminConfigurations]`
-
-This module deploys an Network Manager Security Admin Configuration.
-A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Network/networkManagers/securityAdminConfigurations` | [2023-02-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-02-01/networkManagers/securityAdminConfigurations) |
-| `Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections` | [2023-02-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-02-01/networkManagers/securityAdminConfigurations/ruleCollections) |
-| `Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules` | [2023-02-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-02-01/networkManagers/securityAdminConfigurations/ruleCollections/rules) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`applyOnNetworkIntentPolicyBasedServices`](#parameter-applyonnetworkintentpolicybasedservices) | array | Enum list of network intent policy based services. |
-| [`name`](#parameter-name) | string | The name of the security admin configuration. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`networkManagerName`](#parameter-networkmanagername) | string | The name of the parent network manager. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`description`](#parameter-description) | string | A description of the security admin configuration. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`ruleCollections`](#parameter-rulecollections) | array | A security admin configuration contains a set of rule collections that are applied to network groups. Each rule collection contains one or more security admin rules. |
-
-### Parameter: `applyOnNetworkIntentPolicyBasedServices`
-
-Enum list of network intent policy based services.
-
-- Required: No
-- Type: array
-- Default:
- ```Bicep
- [
- 'None'
- ]
- ```
-- Allowed:
- ```Bicep
- [
- 'All'
- 'AllowRulesOnly'
- 'None'
- ]
- ```
-
-### Parameter: `name`
-
-The name of the security admin configuration.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `networkManagerName`
-
-The name of the parent network manager. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `description`
-
-A description of the security admin configuration.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `ruleCollections`
-
-A security admin configuration contains a set of rule collections that are applied to network groups. Each rule collection contains one or more security admin rules.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed security admin configuration. |
-| `resourceGroupName` | string | The resource group the security admin configuration was deployed into. |
-| `resourceId` | string | The resource ID of the deployed security admin configuration. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/network/network-manager/security-admin-configuration/main.bicep b/modules/network/network-manager/security-admin-configuration/main.bicep
deleted file mode 100644
index 8d470520e3..0000000000
--- a/modules/network/network-manager/security-admin-configuration/main.bicep
+++ /dev/null
@@ -1,77 +0,0 @@ -metadata name = 'Network Manager Security Admin Configurations' -metadata description = '''This module deploys an Network Manager Security Admin Configuration. -A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.''' -metadata owner = 'Azure/module-maintainers' - -@sys.description('Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment.') -param networkManagerName string - -@maxLength(64) -@sys.description('Required. The name of the security admin configuration.') -param name string - -@maxLength(500) -@sys.description('Optional. A description of the security admin configuration.') -param description string = '' - -@allowed([ - 'None' - 'All' - 'AllowRulesOnly' -]) -@sys.description('Required. Enum list of network intent policy based services.') -param applyOnNetworkIntentPolicyBasedServices array = [ 'None' ] - -@sys.description('Optional. A security admin configuration contains a set of rule collections that are applied to network groups. Each rule collection contains one or more security admin rules.') -param ruleCollections array = [] - -@sys.description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var enableReferencedModulesTelemetry = false - -resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource networkManager 'Microsoft.Network/networkManagers@2023-02-01' existing = { - name: networkManagerName -} - -resource securityAdminConfigurations 'Microsoft.Network/networkManagers/securityAdminConfigurations@2023-02-01' = { - name: name - parent: networkManager - properties: { - description: description - applyOnNetworkIntentPolicyBasedServices: applyOnNetworkIntentPolicyBasedServices - } -} - -module securityAdminConfigurations_ruleCollections 'rule-collection/main.bicep' = [for (ruleCollection, index) in ruleCollections: { - name: '${uniqueString(deployment().name)}-SecurityAdminConfigurations-RuleCollections-${index}' - params: { - networkManagerName: networkManager.name - securityAdminConfigurationName: securityAdminConfigurations.name - name: ruleCollection.name - appliesToGroups: ruleCollection.appliesToGroups - rules: contains(ruleCollection, 'rules') ? ruleCollection.rules : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -@sys.description('The name of the deployed security admin configuration.') -output name string = securityAdminConfigurations.name - -@sys.description('The resource ID of the deployed security admin configuration.') -output resourceId string = securityAdminConfigurations.id - -@sys.description('The resource group the security admin configuration was deployed into.') -output resourceGroupName string = resourceGroup().name 
diff --git a/modules/network/network-manager/security-admin-configuration/main.json b/modules/network/network-manager/security-admin-configuration/main.json deleted file mode 100644 index e6d238c84b..0000000000 --- a/modules/network/network-manager/security-admin-configuration/main.json +++ /dev/null 
@@ -1,500 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "10563520895120682908" - }, - "name": "Network Manager Security Admin Configurations", - "description": "This module deploys an Network Manager Security Admin Configuration.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "networkManagerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. The name of the security admin configuration." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "maxLength": 500, - "metadata": { - "description": "Optional. A description of the security admin configuration." - } - }, - "applyOnNetworkIntentPolicyBasedServices": { - "type": "array", - "defaultValue": [ - "None" - ], - "allowedValues": [ - "None", - "All", - "AllowRulesOnly" - ], - "metadata": { - "description": "Required. Enum list of network intent policy based services." - } - }, - "ruleCollections": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. A security admin configuration contains a set of rule collections that are applied to network groups. Each rule collection contains one or more security admin rules." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/networkManagers/securityAdminConfigurations", - "apiVersion": "2023-02-01", - "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('name'))]", - "properties": { - "description": "[parameters('description')]", - "applyOnNetworkIntentPolicyBasedServices": "[parameters('applyOnNetworkIntentPolicyBasedServices')]" - } - }, - { - "copy": { - "name": "securityAdminConfigurations_ruleCollections", - "count": "[length(parameters('ruleCollections'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-SecurityAdminConfigurations-RuleCollections-{1}', uniqueString(deployment().name), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "networkManagerName": { - "value": "[parameters('networkManagerName')]" - }, - "securityAdminConfigurationName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('ruleCollections')[copyIndex()].name]" - }, - "appliesToGroups": { - "value": "[parameters('ruleCollections')[copyIndex()].appliesToGroups]" - }, - "rules": "[if(contains(parameters('ruleCollections')[copyIndex()], 'rules'), createObject('value', parameters('ruleCollections')[copyIndex()].rules), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - 
} - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "1001246465525638239" - }, - "name": "Network Manager Security Admin Configuration Rule Collections", - "description": "This module deploys an Network Manager Security Admin Configuration Rule Collection.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "networkManagerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." - } - }, - "securityAdminConfigurationName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent security admin configuration. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. The name of the admin rule collection." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "maxLength": 500, - "metadata": { - "description": "Optional. A description of the admin rule collection." - } - }, - "appliesToGroups": { - "type": "array", - "metadata": { - "description": "Required. List of network groups for configuration. An admin rule collection must be associated to at least one network group." - } - }, - "rules": { - "type": "array", - "metadata": { - "description": "Optional. List of rules for the admin rules collection. 
Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections", - "apiVersion": "2023-02-01", - "name": "[format('{0}/{1}/{2}', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('name'))]", - "properties": { - "description": "[parameters('description')]", - "appliesToGroups": "[parameters('appliesToGroups')]" - } - }, - { - "copy": { - "name": "securityAdminConfigurations_rules", - "count": "[length(parameters('rules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-RuleCollections-Rules-{1}', uniqueString(deployment().name), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "networkManagerName": { - "value": "[parameters('networkManagerName')]" - }, - "securityAdminConfigurationName": { - "value": "[parameters('securityAdminConfigurationName')]" - }, - "ruleCollectionName": { - "value": 
"[parameters('name')]" - }, - "name": { - "value": "[parameters('rules')[copyIndex()].name]" - }, - "access": { - "value": "[parameters('rules')[copyIndex()].access]" - }, - "description": "[if(contains(parameters('rules')[copyIndex()], 'description'), createObject('value', parameters('rules')[copyIndex()].description), createObject('value', ''))]", - "destinationPortRanges": "[if(contains(parameters('rules')[copyIndex()], 'destinationPortRanges'), createObject('value', parameters('rules')[copyIndex()].destinationPortRanges), createObject('value', createArray()))]", - "destinations": "[if(contains(parameters('rules')[copyIndex()], 'destinations'), createObject('value', parameters('rules')[copyIndex()].destinations), createObject('value', createArray()))]", - "direction": { - "value": "[parameters('rules')[copyIndex()].direction]" - }, - "priority": { - "value": "[parameters('rules')[copyIndex()].priority]" - }, - "protocol": { - "value": "[parameters('rules')[copyIndex()].protocol]" - }, - "sourcePortRanges": "[if(contains(parameters('rules')[copyIndex()], 'sourcePortRanges'), createObject('value', parameters('rules')[copyIndex()].sourcePortRanges), createObject('value', createArray()))]", - "sources": "[if(contains(parameters('rules')[copyIndex()], 'sources'), createObject('value', parameters('rules')[copyIndex()].sources), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "9158772761946781279" - }, - "name": "Network Manager Security Admin Configuration Rule Collection Rules", - "description": "This module deploys an Azure Virtual Network Manager (AVNM) Security Admin Configuration Rule Collection Rule.\r\nA security admin 
configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "networkManagerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." - } - }, - "securityAdminConfigurationName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent security admin configuration. Required if the template is used in a standalone deployment." - } - }, - "ruleCollectionName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent rule collection. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. The name of the rule." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "maxLength": 500, - "metadata": { - "description": "Optional. A description of the rule." - } - }, - "access": { - "type": "string", - "allowedValues": [ - "Allow", - "AlwaysAllow", - "Deny" - ], - "metadata": { - "description": "Required. Indicates the access allowed for this particular rule. \"Allow\" means traffic matching this rule will be allowed. \"Deny\" means traffic matching this rule will be blocked. \"AlwaysAllow\" means that traffic matching this rule will be allowed regardless of other rules with lower priority or user-defined NSGs." - } - }, - "destinationPortRanges": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." - } - }, - "destinations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. 
The destnations filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." - } - }, - "direction": { - "type": "string", - "allowedValues": [ - "Inbound", - "Outbound" - ], - "metadata": { - "description": "Required. Indicates if the traffic matched against the rule in inbound or outbound." - } - }, - "priority": { - "type": "int", - "minValue": 1, - "maxValue": 4096, - "metadata": { - "description": "Required. The priority of the rule. The value can be between 1 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule." - } - }, - "protocol": { - "type": "string", - "allowedValues": [ - "Ah", - "Any", - "Esp", - "Icmp", - "Tcp", - "Udp" - ], - "metadata": { - "description": "Required. Network protocol this rule applies to." - } - }, - "sourcePortRanges": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." - } - }, - "sources": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The source filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. 
Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", - "apiVersion": "2023-02-01", - "name": "[format('{0}/{1}/{2}/{3}', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('ruleCollectionName'), parameters('name'))]", - "kind": "Custom", - "properties": { - "access": "[parameters('access')]", - "description": "[parameters('description')]", - "destinationPortRanges": "[parameters('destinationPortRanges')]", - "destinations": "[parameters('destinations')]", - "direction": "[parameters('direction')]", - "priority": "[parameters('priority')]", - "protocol": "[parameters('protocol')]", - "sourcePortRanges": "[parameters('sourcePortRanges')]", - "sources": "[parameters('sources')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed rule." - }, - "value": "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('ruleCollectionName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the rule was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('name'))]" - ] - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed admin rule collection." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed admin rule collection." - }, - "value": "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the admin rule collection was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', parameters('networkManagerName'), parameters('name'))]" - ] - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed security admin configuration." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed security admin configuration." - }, - "value": "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', parameters('networkManagerName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the security admin configuration was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file 
diff --git a/modules/network/network-manager/security-admin-configuration/rule-collection/README.md b/modules/network/network-manager/security-admin-configuration/rule-collection/README.md
deleted file mode 100644
index dc47633126..0000000000
--- a/modules/network/network-manager/security-admin-configuration/rule-collection/README.md
+++ /dev/null
@@ -1,106 +0,0 @@
-# Network Manager Security Admin Configuration Rule Collections `[Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections]`
-
-This module deploys an Network Manager Security Admin Configuration Rule Collection.
-A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections` | [2023-02-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-02-01/networkManagers/securityAdminConfigurations/ruleCollections) |
-| `Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules` | [2023-02-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-02-01/networkManagers/securityAdminConfigurations/ruleCollections/rules) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`appliesToGroups`](#parameter-appliestogroups) | array | List of network groups for configuration. An admin rule collection must be associated to at least one network group. |
-| [`name`](#parameter-name) | string | The name of the admin rule collection. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`networkManagerName`](#parameter-networkmanagername) | string | The name of the parent network manager. Required if the template is used in a standalone deployment. |
-| [`securityAdminConfigurationName`](#parameter-securityadminconfigurationname) | string | The name of the parent security admin configuration. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`description`](#parameter-description) | string | A description of the admin rule collection. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`rules`](#parameter-rules) | array | List of rules for the admin rules collection. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail. |
-
-### Parameter: `appliesToGroups`
-
-List of network groups for configuration. An admin rule collection must be associated to at least one network group.
-
-- Required: Yes
-- Type: array
-
-### Parameter: `name`
-
-The name of the admin rule collection.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `networkManagerName`
-
-The name of the parent network manager. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `securityAdminConfigurationName`
-
-The name of the parent security admin configuration. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `description`
-
-A description of the admin rule collection.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `rules`
-
-List of rules for the admin rules collection. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail.
-
-- Required: Yes
-- Type: array
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed admin rule collection. |
-| `resourceGroupName` | string | The resource group the admin rule collection was deployed into. |
-| `resourceId` | string | The resource ID of the deployed admin rule collection. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/network/network-manager/security-admin-configuration/rule-collection/main.bicep b/modules/network/network-manager/security-admin-configuration/rule-collection/main.bicep
deleted file mode 100644
index f0d1cef059..0000000000
--- a/modules/network/network-manager/security-admin-configuration/rule-collection/main.bicep
+++ /dev/null
@@ -1,87 +0,0 @@
-metadata name = 'Network Manager Security Admin Configuration Rule Collections'
-metadata description = '''This module deploys an Network Manager Security Admin Configuration Rule Collection.
-A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail.'''
-metadata owner = 'Azure/module-maintainers'
-
-@sys.description('Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment.')
-param networkManagerName string
-
-@sys.description('Conditional. The name of the parent security admin configuration. Required if the template is used in a standalone deployment.')
-param securityAdminConfigurationName string
-
-@maxLength(64)
-@sys.description('Required. The name of the admin rule collection.')
-param name string
-
-@maxLength(500)
-@sys.description('Optional. A description of the admin rule collection.')
-param description string = ''
-
-@sys.description('Required. List of network groups for configuration. An admin rule collection must be associated to at least one network group.')
-param appliesToGroups array
-
-@sys.description('Optional. List of rules for the admin rules collection. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail.')
-param rules array
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource networkManager 'Microsoft.Network/networkManagers@2023-02-01' existing = {
- name: networkManagerName
-
- resource securityAdminConfiguration 'securityAdminConfigurations@2023-02-01' existing = {
- name: securityAdminConfigurationName
- }
-}
-
-resource ruleCollection 'Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections@2023-02-01' = {
- name: name
- parent: networkManager::securityAdminConfiguration
- properties: {
- description: description
- appliesToGroups: appliesToGroups
- }
-}
-
-module securityAdminConfigurations_rules 'rule/main.bicep' = [for (rule, index) in rules: {
- name: '${uniqueString(deployment().name)}-RuleCollections-Rules-${index}'
- params: {
- networkManagerName: networkManager.name
- securityAdminConfigurationName: securityAdminConfigurationName
- ruleCollectionName: ruleCollection.name
- name: rule.name
- access: rule.access
- description: contains(rule, 'description') ? rule.description : ''
- destinationPortRanges: contains(rule, 'destinationPortRanges') ? rule.destinationPortRanges : []
- destinations: contains(rule, 'destinations') ? rule.destinations : []
- direction: rule.direction
- priority: rule.priority
- protocol: rule.protocol
- sourcePortRanges: contains(rule, 'sourcePortRanges') ? rule.sourcePortRanges : []
- sources: contains(rule, 'sources') ? rule.sources : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-@sys.description('The name of the deployed admin rule collection.')
-output name string = ruleCollection.name
-
-@sys.description('The resource ID of the deployed admin rule collection.')
-output resourceId string = ruleCollection.id
-
-@sys.description('The resource group the admin rule collection was deployed into.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/network/network-manager/security-admin-configuration/rule-collection/main.json b/modules/network/network-manager/security-admin-configuration/rule-collection/main.json
deleted file mode 100644
index a87527ecfb..0000000000
--- a/modules/network/network-manager/security-admin-configuration/rule-collection/main.json
+++ /dev/null
@@ -1,348 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "1001246465525638239" - }, - "name": "Network Manager Security Admin Configuration Rule Collections", - "description": "This module deploys an Network Manager Security Admin Configuration Rule Collection.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "networkManagerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." - } - }, - "securityAdminConfigurationName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent security admin configuration. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. The name of the admin rule collection." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "maxLength": 500, - "metadata": { - "description": "Optional. A description of the admin rule collection." - } - }, - "appliesToGroups": { - "type": "array", - "metadata": { - "description": "Required. List of network groups for configuration. An admin rule collection must be associated to at least one network group." - } - }, - "rules": { - "type": "array", - "metadata": { - "description": "Optional. List of rules for the admin rules collection. 
Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections", - "apiVersion": "2023-02-01", - "name": "[format('{0}/{1}/{2}', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('name'))]", - "properties": { - "description": "[parameters('description')]", - "appliesToGroups": "[parameters('appliesToGroups')]" - } - }, - { - "copy": { - "name": "securityAdminConfigurations_rules", - "count": "[length(parameters('rules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-RuleCollections-Rules-{1}', uniqueString(deployment().name), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "networkManagerName": { - "value": "[parameters('networkManagerName')]" - }, - "securityAdminConfigurationName": { - "value": "[parameters('securityAdminConfigurationName')]" - }, - "ruleCollectionName": { - "value": 
"[parameters('name')]" - }, - "name": { - "value": "[parameters('rules')[copyIndex()].name]" - }, - "access": { - "value": "[parameters('rules')[copyIndex()].access]" - }, - "description": "[if(contains(parameters('rules')[copyIndex()], 'description'), createObject('value', parameters('rules')[copyIndex()].description), createObject('value', ''))]", - "destinationPortRanges": "[if(contains(parameters('rules')[copyIndex()], 'destinationPortRanges'), createObject('value', parameters('rules')[copyIndex()].destinationPortRanges), createObject('value', createArray()))]", - "destinations": "[if(contains(parameters('rules')[copyIndex()], 'destinations'), createObject('value', parameters('rules')[copyIndex()].destinations), createObject('value', createArray()))]", - "direction": { - "value": "[parameters('rules')[copyIndex()].direction]" - }, - "priority": { - "value": "[parameters('rules')[copyIndex()].priority]" - }, - "protocol": { - "value": "[parameters('rules')[copyIndex()].protocol]" - }, - "sourcePortRanges": "[if(contains(parameters('rules')[copyIndex()], 'sourcePortRanges'), createObject('value', parameters('rules')[copyIndex()].sourcePortRanges), createObject('value', createArray()))]", - "sources": "[if(contains(parameters('rules')[copyIndex()], 'sources'), createObject('value', parameters('rules')[copyIndex()].sources), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "9158772761946781279" - }, - "name": "Network Manager Security Admin Configuration Rule Collection Rules", - "description": "This module deploys an Azure Virtual Network Manager (AVNM) Security Admin Configuration Rule Collection Rule.\r\nA security admin 
configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "networkManagerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." - } - }, - "securityAdminConfigurationName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent security admin configuration. Required if the template is used in a standalone deployment." - } - }, - "ruleCollectionName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent rule collection. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. The name of the rule." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "maxLength": 500, - "metadata": { - "description": "Optional. A description of the rule." - } - }, - "access": { - "type": "string", - "allowedValues": [ - "Allow", - "AlwaysAllow", - "Deny" - ], - "metadata": { - "description": "Required. Indicates the access allowed for this particular rule. \"Allow\" means traffic matching this rule will be allowed. \"Deny\" means traffic matching this rule will be blocked. \"AlwaysAllow\" means that traffic matching this rule will be allowed regardless of other rules with lower priority or user-defined NSGs." - } - }, - "destinationPortRanges": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." - } - }, - "destinations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. 
The destnations filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." - } - }, - "direction": { - "type": "string", - "allowedValues": [ - "Inbound", - "Outbound" - ], - "metadata": { - "description": "Required. Indicates if the traffic matched against the rule in inbound or outbound." - } - }, - "priority": { - "type": "int", - "minValue": 1, - "maxValue": 4096, - "metadata": { - "description": "Required. The priority of the rule. The value can be between 1 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule." - } - }, - "protocol": { - "type": "string", - "allowedValues": [ - "Ah", - "Any", - "Esp", - "Icmp", - "Tcp", - "Udp" - ], - "metadata": { - "description": "Required. Network protocol this rule applies to." - } - }, - "sourcePortRanges": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." - } - }, - "sources": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The source filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. 
Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", - "apiVersion": "2023-02-01", - "name": "[format('{0}/{1}/{2}/{3}', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('ruleCollectionName'), parameters('name'))]", - "kind": "Custom", - "properties": { - "access": "[parameters('access')]", - "description": "[parameters('description')]", - "destinationPortRanges": "[parameters('destinationPortRanges')]", - "destinations": "[parameters('destinations')]", - "direction": "[parameters('direction')]", - "priority": "[parameters('priority')]", - "protocol": "[parameters('protocol')]", - "sourcePortRanges": "[parameters('sourcePortRanges')]", - "sources": "[parameters('sources')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed rule." - }, - "value": "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('ruleCollectionName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the rule was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('name'))]" - ] - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed admin rule collection." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed admin rule collection." - }, - "value": "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the admin rule collection was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/network/network-manager/security-admin-configuration/rule-collection/rule/README.md b/modules/network/network-manager/security-admin-configuration/rule-collection/rule/README.md deleted file mode 100644 index 7e0081bd9e..0000000000 --- a/modules/network/network-manager/security-admin-configuration/rule-collection/rule/README.md +++ /dev/null 
@@ -1,191 +0,0 @@ -# Network Manager Security Admin Configuration Rule Collection Rules `[Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules]` - -This module deploys an Azure Virtual Network Manager (AVNM) Security Admin Configuration Rule Collection Rule. -A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules` | [2023-02-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-02-01/networkManagers/securityAdminConfigurations/ruleCollections/rules) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`access`](#parameter-access) | string | Indicates the access allowed for this particular rule. "Allow" means traffic matching this rule will be allowed. "Deny" means traffic matching this rule will be blocked. "AlwaysAllow" means that traffic matching this rule will be allowed regardless of other rules with lower priority or user-defined NSGs. | -| [`direction`](#parameter-direction) | string | Indicates if the traffic matched against the rule in inbound or outbound. | -| [`name`](#parameter-name) | string | The name of the rule. | -| [`priority`](#parameter-priority) | int | The priority of the rule. The value can be between 1 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. | -| [`protocol`](#parameter-protocol) | string | Network protocol this rule applies to. 
| - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`networkManagerName`](#parameter-networkmanagername) | string | The name of the parent network manager. Required if the template is used in a standalone deployment. | -| [`ruleCollectionName`](#parameter-rulecollectionname) | string | The name of the parent rule collection. Required if the template is used in a standalone deployment. | -| [`securityAdminConfigurationName`](#parameter-securityadminconfigurationname) | string | The name of the parent security admin configuration. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`description`](#parameter-description) | string | A description of the rule. | -| [`destinationPortRanges`](#parameter-destinationportranges) | array | List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535. | -| [`destinations`](#parameter-destinations) | array | The destnations filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`sourcePortRanges`](#parameter-sourceportranges) | array | List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535. | -| [`sources`](#parameter-sources) | array | The source filter can be an IP Address or a service tag. 
Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted. | - -### Parameter: `access` - -Indicates the access allowed for this particular rule. "Allow" means traffic matching this rule will be allowed. "Deny" means traffic matching this rule will be blocked. "AlwaysAllow" means that traffic matching this rule will be allowed regardless of other rules with lower priority or user-defined NSGs. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Allow' - 'AlwaysAllow' - 'Deny' - ] - ``` - -### Parameter: `direction` - -Indicates if the traffic matched against the rule in inbound or outbound. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Inbound' - 'Outbound' - ] - ``` - -### Parameter: `name` - -The name of the rule. - -- Required: Yes -- Type: string - -### Parameter: `priority` - -The priority of the rule. The value can be between 1 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. - -- Required: Yes -- Type: int - -### Parameter: `protocol` - -Network protocol this rule applies to. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Ah' - 'Any' - 'Esp' - 'Icmp' - 'Tcp' - 'Udp' - ] - ``` - -### Parameter: `networkManagerName` - -The name of the parent network manager. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `ruleCollectionName` - -The name of the parent rule collection. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `securityAdminConfigurationName` - -The name of the parent security admin configuration. Required if the template is used in a standalone deployment. 
- -- Required: Yes -- Type: string - -### Parameter: `description` - -A description of the rule. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `destinationPortRanges` - -List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `destinations` - -The destnations filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `sourcePortRanges` - -List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `sources` - -The source filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted. - -- Required: No -- Type: array -- Default: `[]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed rule. | -| `resourceGroupName` | string | The resource group the rule was deployed into. | -| `resourceId` | string | The resource ID of the deployed rule. 
| - -## Cross-referenced modules - -_None_ diff --git a/modules/network/network-manager/security-admin-configuration/rule-collection/rule/main.bicep b/modules/network/network-manager/security-admin-configuration/rule-collection/rule/main.bicep deleted file mode 100644 index bd4beb20be..0000000000 --- a/modules/network/network-manager/security-admin-configuration/rule-collection/rule/main.bicep +++ /dev/null 
@@ -1,117 +0,0 @@
-metadata name = 'Network Manager Security Admin Configuration Rule Collection Rules'
-metadata description = '''This module deploys an Azure Virtual Network Manager (AVNM) Security Admin Configuration Rule Collection Rule.
-A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.'''
-metadata owner = 'Azure/module-maintainers'
-
-@sys.description('Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment.')
-param networkManagerName string
-
-@sys.description('Conditional. The name of the parent security admin configuration. Required if the template is used in a standalone deployment.')
-param securityAdminConfigurationName string
-
-@sys.description('Conditional. The name of the parent rule collection. Required if the template is used in a standalone deployment.')
-param ruleCollectionName string
-
-@maxLength(64)
-@sys.description('Required. The name of the rule.')
-param name string
-
-@maxLength(500)
-@sys.description('Optional. A description of the rule.')
-param description string = ''
-
-@allowed([
- 'Allow'
- 'AlwaysAllow'
- 'Deny'
-])
-@sys.description('Required. Indicates the access allowed for this particular rule. "Allow" means traffic matching this rule will be allowed. "Deny" means traffic matching this rule will be blocked. "AlwaysAllow" means that traffic matching this rule will be allowed regardless of other rules with lower priority or user-defined NSGs.')
-param access string
-
-@sys.description('Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535.')
-param destinationPortRanges array = []
-
-@sys.description('Optional. The destnations filter can be an IP Address or a service tag. 
Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted.')
-param destinations array = []
-
-@allowed([
- 'Inbound'
- 'Outbound'
-])
-@sys.description('Required. Indicates if the traffic matched against the rule in inbound or outbound.')
-param direction string
-
-@minValue(1)
-@maxValue(4096)
-@sys.description('Required. The priority of the rule. The value can be between 1 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule.')
-param priority int
-
-@allowed([
- 'Ah'
- 'Any'
- 'Esp'
- 'Icmp'
- 'Tcp'
- 'Udp'
-])
-@sys.description('Required. Network protocol this rule applies to.')
-param protocol string
-
-@sys.description('Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535.')
-param sourcePortRanges array = []
-
-@sys.description('Optional. The source filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted.')
-param sources array = []
-
-@sys.description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource networkManager 'Microsoft.Network/networkManagers@2023-02-01' existing = {
- name: networkManagerName
-
- resource securityAdminConfiguration 'securityAdminConfigurations@2023-02-01' existing = {
- name: securityAdminConfigurationName
-
- resource ruleCollection 'ruleCollections@2023-02-01' existing = {
- name: ruleCollectionName
- }
- }
-}
-
-resource rule 'Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules@2023-02-01' = {
- name: name
- parent: networkManager::securityAdminConfiguration::ruleCollection
- kind: 'Custom'
- properties: {
- access: access
- description: description
- destinationPortRanges: destinationPortRanges
- destinations: destinations
- direction: direction
- priority: priority
- protocol: protocol
- sourcePortRanges: sourcePortRanges
- sources: sources
- }
-}
-
-@sys.description('The name of the deployed rule.')
-output name string = rule.name
-
-@sys.description('The resource ID of the deployed rule.')
-output resourceId string = rule.id
-
-@sys.description('The resource group the rule was deployed into.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/network/network-manager/security-admin-configuration/rule-collection/rule/main.json b/modules/network/network-manager/security-admin-configuration/rule-collection/rule/main.json
deleted file mode 100644
index cd74d5ebdc..0000000000
--- a/modules/network/network-manager/security-admin-configuration/rule-collection/rule/main.json
+++ /dev/null
@@ -1,183 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "9158772761946781279" - }, - "name": "Network Manager Security Admin Configuration Rule Collection Rules", - "description": "This module deploys an Azure Virtual Network Manager (AVNM) Security Admin Configuration Rule Collection Rule.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "networkManagerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." - } - }, - "securityAdminConfigurationName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent security admin configuration. Required if the template is used in a standalone deployment." - } - }, - "ruleCollectionName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent rule collection. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. The name of the rule." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "maxLength": 500, - "metadata": { - "description": "Optional. A description of the rule." - } - }, - "access": { - "type": "string", - "allowedValues": [ - "Allow", - "AlwaysAllow", - "Deny" - ], - "metadata": { - "description": "Required. Indicates the access allowed for this particular rule. \"Allow\" means traffic matching this rule will be allowed. \"Deny\" means traffic matching this rule will be blocked. 
\"AlwaysAllow\" means that traffic matching this rule will be allowed regardless of other rules with lower priority or user-defined NSGs." - } - }, - "destinationPortRanges": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." - } - }, - "destinations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The destnations filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." - } - }, - "direction": { - "type": "string", - "allowedValues": [ - "Inbound", - "Outbound" - ], - "metadata": { - "description": "Required. Indicates if the traffic matched against the rule in inbound or outbound." - } - }, - "priority": { - "type": "int", - "minValue": 1, - "maxValue": 4096, - "metadata": { - "description": "Required. The priority of the rule. The value can be between 1 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule." - } - }, - "protocol": { - "type": "string", - "allowedValues": [ - "Ah", - "Any", - "Esp", - "Icmp", - "Tcp", - "Udp" - ], - "metadata": { - "description": "Required. Network protocol this rule applies to." - } - }, - "sourcePortRanges": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." 
- } - }, - "sources": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The source filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", - "apiVersion": "2023-02-01", - "name": "[format('{0}/{1}/{2}/{3}', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('ruleCollectionName'), parameters('name'))]", - "kind": "Custom", - "properties": { - "access": "[parameters('access')]", - "description": "[parameters('description')]", - "destinationPortRanges": "[parameters('destinationPortRanges')]", - "destinations": "[parameters('destinations')]", - "direction": "[parameters('direction')]", - "priority": "[parameters('priority')]", - "protocol": "[parameters('protocol')]", - "sourcePortRanges": "[parameters('sourcePortRanges')]", - "sources": "[parameters('sources')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the 
deployed rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed rule." - }, - "value": "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('ruleCollectionName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the rule was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file
diff --git a/modules/network/network-manager/security-admin-configuration/rule-collection/rule/version.json b/modules/network/network-manager/security-admin-configuration/rule-collection/rule/version.json
deleted file mode 100644
index 04a0dd1a80..0000000000
--- a/modules/network/network-manager/security-admin-configuration/rule-collection/rule/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.5",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/network-manager/security-admin-configuration/rule-collection/version.json b/modules/network/network-manager/security-admin-configuration/rule-collection/version.json
deleted file mode 100644
index 04a0dd1a80..0000000000
--- a/modules/network/network-manager/security-admin-configuration/rule-collection/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.5",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/network-manager/security-admin-configuration/version.json b/modules/network/network-manager/security-admin-configuration/version.json
deleted file mode 100644
index 04a0dd1a80..0000000000
--- a/modules/network/network-manager/security-admin-configuration/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.5",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/network-manager/tests/e2e/max/dependencies.bicep b/modules/network/network-manager/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 501a5a13c0..0000000000
--- a/modules/network/network-manager/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,96 +0,0 @@
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Hub Virtual Network to create.')
-param virtualNetworkHubName string
-
-@description('Required. The name of the Spoke 1 Virtual Network to create.')
-param virtualNetworkSpoke1Name string
-
-@description('Required. The name of the Spoke 2 Virtual Network to create.')
-param virtualNetworkSpoke2Name string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
- name: managedIdentityName
- location: location
-}
-
-var addressPrefixHub = '10.0.0.0/16'
-var addressPrefixSpoke1 = '172.16.0.0/12'
-var addressPrefixSpoke2 = '192.168.0.0/16'
-var subnetName = 'defaultSubnet'
-
-resource virtualNetworkHub 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkHubName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefixHub
- ]
- }
- subnets: [
- {
- name: subnetName
- properties: {
- addressPrefix: addressPrefixHub
- }
- }
- ]
- }
-}
-
-resource virtualNetworkSpoke1 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkSpoke1Name
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefixSpoke1
- ]
- }
- subnets: [
- {
- name: subnetName
- properties: {
- addressPrefix: addressPrefixSpoke1
- }
- }
- ]
- }
-}
-
-resource virtualNetworkSpoke2 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkSpoke2Name
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefixSpoke2
- ]
- }
- subnets: [
- {
- name: subnetName
- properties: {
- addressPrefix: addressPrefixSpoke2
- }
- }
- ]
- }
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Hub Virtual Network.')
-output virtualNetworkHubId string = virtualNetworkHub.id
-
-@description('The resource ID of the created Spoke 1 Virtual Network.')
-output virtualNetworkSpoke1Id string = virtualNetworkSpoke1.id
-
-@description('The resource ID of the created Spoke 2 Virtual Network.')
-output virtualNetworkSpoke2Id string = virtualNetworkSpoke2.id
diff --git a/modules/network/network-manager/tests/e2e/max/main.test.bicep b/modules/network/network-manager/tests/e2e/max/main.test.bicep
deleted file mode 100644
index d0e1fd2393..0000000000
--- a/modules/network/network-manager/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,266 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-network.networkmanagers-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nnmmax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - virtualNetworkHubName: 'dep-${namePrefix}-vnetHub-${serviceShort}' - virtualNetworkSpoke1Name: 'dep-${namePrefix}-vnetSpoke1-${serviceShort}' - virtualNetworkSpoke2Name: 'dep-${namePrefix}-vnetSpoke2-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -var networkManagerName = '${namePrefix}${serviceShort}001' -var networkManagerExpecetedResourceID = '${resourceGroup.id}/providers/Microsoft.Network/networkManagers/${networkManagerName}' - -@batchSize(1) -module 
testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - name: networkManagerName - enableDefaultTelemetry: enableDefaultTelemetry - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - networkManagerScopeAccesses: [ - 'Connectivity' - 'SecurityAdmin' - ] - networkManagerScopes: { - subscriptions: [ - subscription().id - ] - } - networkGroups: [ - { - name: 'network-group-spokes' - description: 'network-group-spokes description' - staticMembers: [ - { - name: 'virtualNetworkSpoke1' - resourceId: nestedDependencies.outputs.virtualNetworkSpoke1Id - } - { - name: 'virtualNetworkSpoke2' - resourceId: nestedDependencies.outputs.virtualNetworkSpoke2Id - } - ] - } - ] - connectivityConfigurations: [ - { - name: 'hubSpokeConnectivity' - description: 'hubSpokeConnectivity description' - connectivityTopology: 'HubAndSpoke' - hubs: [ - { - resourceId: nestedDependencies.outputs.virtualNetworkHubId - resourceType: 'Microsoft.Network/virtualNetworks' - } - ] - deleteExistingPeering: 'True' - isGlobal: 'True' - appliesToGroups: [ - { - networkGroupId: '${networkManagerExpecetedResourceID}/networkGroups/network-group-spokes' - useHubGateway: 'False' - groupConnectivity: 'None' - isGlobal: 'False' - } - ] - } - { - name: 'MeshConnectivity' - 
description: 'MeshConnectivity description' - connectivityTopology: 'Mesh' - deleteExistingPeering: 'True' - isGlobal: 'True' - appliesToGroups: [ - { - networkGroupId: '${networkManagerExpecetedResourceID}/networkGroups/network-group-spokes' - useHubGateway: 'False' - groupConnectivity: 'None' - isGlobal: 'False' - } - ] - } - ] - scopeConnections: [ - { - name: 'scope-connection-test' - description: 'description of the scope connection' - resourceId: subscription().id - tenantid: tenant().tenantId - } - ] - securityAdminConfigurations: [ - { - name: 'test-security-admin-config' - description: 'description of the security admin config' - applyOnNetworkIntentPolicyBasedServices: [ - 'AllowRulesOnly' - ] - ruleCollections: [ - { - name: 'test-rule-collection-1' - description: 'test-rule-collection-description' - appliesToGroups: [ - { - networkGroupId: '${networkManagerExpecetedResourceID}/networkGroups/network-group-spokes' - } - ] - rules: [ - { - name: 'test-inbound-allow-rule-1' - description: 'test-inbound-allow-rule-1-description' - access: 'Allow' - direction: 'Inbound' - priority: 150 - protocol: 'Tcp' - } - { - name: 'test-outbound-deny-rule-2' - description: 'test-outbound-deny-rule-2-description' - access: 'Deny' - direction: 'Outbound' - priority: 200 - protocol: 'Tcp' - sourcePortRanges: [ - '80' - '442-445' - ] - sources: [ - { - addressPrefix: 'AppService.WestEurope' - addressPrefixType: 'ServiceTag' - } - ] - } - ] - } - { - name: 'test-rule-collection-2' - description: 'test-rule-collection-description' - appliesToGroups: [ - { - networkGroupId: '${networkManagerExpecetedResourceID}/networkGroups/network-group-spokes' - } - ] - rules: [ - { - name: 'test-inbound-allow-rule-3' - description: 'test-inbound-allow-rule-3-description' - access: 'Allow' - direction: 'Inbound' - destinationPortRanges: [ - '80' - '442-445' - ] - destinations: [ - { - addressPrefix: '192.168.20.20' - addressPrefixType: 'IPPrefix' - } - ] - priority: 250 - protocol: 'Tcp' - } 
- { - name: 'test-inbound-allow-rule-4' - description: 'test-inbound-allow-rule-4-description' - access: 'Allow' - direction: 'Inbound' - sources: [ - { - addressPrefix: '10.0.0.0/24' - addressPrefixType: 'IPPrefix' - } - { - addressPrefix: '100.100.100.100' - addressPrefixType: 'IPPrefix' - } - ] - destinations: [ - { - addressPrefix: '172.16.0.0/24' - addressPrefixType: 'IPPrefix' - } - { - addressPrefix: '172.16.1.0/24' - addressPrefixType: 'IPPrefix' - } - ] - priority: 260 - protocol: 'Tcp' - } - ] - } - ] - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/network/network-manager/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/network-manager/tests/e2e/waf-aligned/dependencies.bicep deleted file mode 100644 index 501a5a13c0..0000000000 --- a/modules/network/network-manager/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null 
@@ -1,96 +0,0 @@
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Hub Virtual Network to create.')
-param virtualNetworkHubName string
-
-@description('Required. The name of the Spoke 1 Virtual Network to create.')
-param virtualNetworkSpoke1Name string
-
-@description('Required. The name of the Spoke 2 Virtual Network to create.')
-param virtualNetworkSpoke2Name string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
- name: managedIdentityName
- location: location
-}
-
-var addressPrefixHub = '10.0.0.0/16'
-var addressPrefixSpoke1 = '172.16.0.0/12'
-var addressPrefixSpoke2 = '192.168.0.0/16'
-var subnetName = 'defaultSubnet'
-
-resource virtualNetworkHub 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkHubName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefixHub
- ]
- }
- subnets: [
- {
- name: subnetName
- properties: {
- addressPrefix: addressPrefixHub
- }
- }
- ]
- }
-}
-
-resource virtualNetworkSpoke1 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkSpoke1Name
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefixSpoke1
- ]
- }
- subnets: [
- {
- name: subnetName
- properties: {
- addressPrefix: addressPrefixSpoke1
- }
- }
- ]
- }
-}
-
-resource virtualNetworkSpoke2 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkSpoke2Name
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefixSpoke2
- ]
- }
- subnets: [
- {
- name: subnetName
- properties: {
- addressPrefix: addressPrefixSpoke2
- }
- }
- ]
- }
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Hub Virtual Network.')
-output virtualNetworkHubId string = virtualNetworkHub.id
-
-@description('The resource ID of the created Spoke 1 Virtual Network.')
-output virtualNetworkSpoke1Id string = virtualNetworkSpoke1.id
-
-@description('The resource ID of the created Spoke 2 Virtual Network.')
-output virtualNetworkSpoke2Id string = virtualNetworkSpoke2.id
diff --git a/modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep b/modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 630be8e2bc..0000000000
--- a/modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,249 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-network.networkmanagers-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nnmwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - virtualNetworkHubName: 'dep-${namePrefix}-vnetHub-${serviceShort}' - virtualNetworkSpoke1Name: 'dep-${namePrefix}-vnetSpoke1-${serviceShort}' - virtualNetworkSpoke2Name: 'dep-${namePrefix}-vnetSpoke2-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -var networkManagerName = '${namePrefix}${serviceShort}001' -var networkManagerExpecetedResourceID = '${resourceGroup.id}/providers/Microsoft.Network/networkManagers/${networkManagerName}' - 
-@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - name: networkManagerName - enableDefaultTelemetry: enableDefaultTelemetry - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - networkManagerScopeAccesses: [ - 'Connectivity' - 'SecurityAdmin' - ] - networkManagerScopes: { - subscriptions: [ - subscription().id - ] - } - networkGroups: [ - { - name: 'network-group-spokes' - description: 'network-group-spokes description' - staticMembers: [ - { - name: 'virtualNetworkSpoke1' - resourceId: nestedDependencies.outputs.virtualNetworkSpoke1Id - } - { - name: 'virtualNetworkSpoke2' - resourceId: nestedDependencies.outputs.virtualNetworkSpoke2Id - } - ] - } - ] - connectivityConfigurations: [ - { - name: 'hubSpokeConnectivity' - description: 'hubSpokeConnectivity description' - connectivityTopology: 'HubAndSpoke' - hubs: [ - { - resourceId: nestedDependencies.outputs.virtualNetworkHubId - resourceType: 'Microsoft.Network/virtualNetworks' - } - ] - deleteExistingPeering: 'True' - isGlobal: 'True' - appliesToGroups: [ - { - networkGroupId: '${networkManagerExpecetedResourceID}/networkGroups/network-group-spokes' - useHubGateway: 'False' - groupConnectivity: 'None' - isGlobal: 'False' - } - ] - } - { - name: 'MeshConnectivity' - description: 'MeshConnectivity description' - connectivityTopology: 'Mesh' - deleteExistingPeering: 'True' - isGlobal: 'True' - appliesToGroups: [ - { - networkGroupId: '${networkManagerExpecetedResourceID}/networkGroups/network-group-spokes' - useHubGateway: 'False' - groupConnectivity: 'None' - isGlobal: 'False' - } - ] - } - ] - scopeConnections: [ - { - name: 'scope-connection-test' - description: 'description of the scope connection' - resourceId: subscription().id - tenantid: tenant().tenantId - } - ] - securityAdminConfigurations: [ - { - name: 
'test-security-admin-config' - description: 'description of the security admin config' - applyOnNetworkIntentPolicyBasedServices: [ - 'AllowRulesOnly' - ] - ruleCollections: [ - { - name: 'test-rule-collection-1' - description: 'test-rule-collection-description' - appliesToGroups: [ - { - networkGroupId: '${networkManagerExpecetedResourceID}/networkGroups/network-group-spokes' - } - ] - rules: [ - { - name: 'test-inbound-allow-rule-1' - description: 'test-inbound-allow-rule-1-description' - access: 'Allow' - direction: 'Inbound' - priority: 150 - protocol: 'Tcp' - } - { - name: 'test-outbound-deny-rule-2' - description: 'test-outbound-deny-rule-2-description' - access: 'Deny' - direction: 'Outbound' - priority: 200 - protocol: 'Tcp' - sourcePortRanges: [ - '80' - '442-445' - ] - sources: [ - { - addressPrefix: 'AppService.WestEurope' - addressPrefixType: 'ServiceTag' - } - ] - } - ] - } - { - name: 'test-rule-collection-2' - description: 'test-rule-collection-description' - appliesToGroups: [ - { - networkGroupId: '${networkManagerExpecetedResourceID}/networkGroups/network-group-spokes' - } - ] - rules: [ - { - name: 'test-inbound-allow-rule-3' - description: 'test-inbound-allow-rule-3-description' - access: 'Allow' - direction: 'Inbound' - destinationPortRanges: [ - '80' - '442-445' - ] - destinations: [ - { - addressPrefix: '192.168.20.20' - addressPrefixType: 'IPPrefix' - } - ] - priority: 250 - protocol: 'Tcp' - } - { - name: 'test-inbound-allow-rule-4' - description: 'test-inbound-allow-rule-4-description' - access: 'Allow' - direction: 'Inbound' - sources: [ - { - addressPrefix: '10.0.0.0/24' - addressPrefixType: 'IPPrefix' - } - { - addressPrefix: '100.100.100.100' - addressPrefixType: 'IPPrefix' - } - ] - destinations: [ - { - addressPrefix: '172.16.0.0/24' - addressPrefixType: 'IPPrefix' - } - { - addressPrefix: '172.16.1.0/24' - addressPrefixType: 'IPPrefix' - } - ] - priority: 260 - protocol: 'Tcp' - } - ] - } - ] - } - ] - tags: { - 'hidden-title': 
'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/network/network-manager/version.json b/modules/network/network-manager/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/network/network-manager/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/network-security-group/MOVED-TO-AVM.md b/modules/network/network-security-group/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/network/network-security-group/MOVED-TO-AVM.md +++ /dev/null @@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/network/network-security-group/README.md b/modules/network/network-security-group/README.md index ba3e62ca92..1b51ef73b3 100644 --- a/modules/network/network-security-group/README.md +++ b/modules/network/network-security-group/README.md @@ -1,849 +1,7 @@ -# Network Security Groups `[Microsoft.Network/networkSecurityGroups]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/network-security-group](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/network-security-group).** -This module deploys a Network security Group (NSG). +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/network-security-group). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/networkSecurityGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/networkSecurityGroups) | -| `Microsoft.Network/networkSecurityGroups/securityRules` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/networkSecurityGroups/securityRules) | - -## Usage examples - -The following section provides usage examples for 
the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.network-security-group:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nnsgmin' - params: { - // Required parameters - name: 'nnsgmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nnsgmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nnsgmax' - params: { - // Required parameters - name: 'nnsgmax001' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - securityRules: [ - { - name: 'Specific' - properties: { - access: 'Allow' - description: 'Tests specific IPs and ports' - destinationAddressPrefix: '*' - destinationPortRange: '8080' - direction: 'Inbound' - priority: 100 - protocol: '*' - sourceAddressPrefix: '*' - sourcePortRange: '*' - } - } - { - name: 'Ranges' - properties: { - access: 'Allow' - description: 'Tests Ranges' - destinationAddressPrefixes: [ - '10.2.0.0/16' - '10.3.0.0/16' - ] - destinationPortRanges: [ - '90' - '91' - ] - direction: 'Inbound' - priority: 101 - protocol: '*' - sourceAddressPrefixes: [ - '10.0.0.0/16' - '10.1.0.0/16' - ] - sourcePortRanges: [ - '80' - '81' - ] - } - } - { - name: 'Port_8082' - properties: { - access: 'Allow' - description: 'Allow inbound access on TCP 8082' - destinationApplicationSecurityGroups: [ - { - id: '' - } - ] - destinationPortRange: '8082' - direction: 'Inbound' - priority: 102 - protocol: '*' - sourceApplicationSecurityGroups: [ - { - id: '' - } - ] - sourcePortRange: '*' - } - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 
'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nnsgmax001" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "securityRules": { - "value": [ - { - "name": "Specific", - "properties": { - "access": "Allow", - "description": "Tests specific IPs and ports", - "destinationAddressPrefix": "*", - "destinationPortRange": "8080", - "direction": "Inbound", - "priority": 100, - "protocol": "*", - "sourceAddressPrefix": "*", - "sourcePortRange": "*" - } - }, - { - "name": "Ranges", - "properties": { - "access": "Allow", - "description": "Tests Ranges", - "destinationAddressPrefixes": [ - "10.2.0.0/16", - "10.3.0.0/16" - ], - "destinationPortRanges": [ - "90", - "91" - ], - "direction": "Inbound", - "priority": 101, - "protocol": "*", - "sourceAddressPrefixes": [ - "10.0.0.0/16", - "10.1.0.0/16" - ], - "sourcePortRanges": [ - "80", - "81" - ] - } - }, - { - "name": "Port_8082", - "properties": { - "access": "Allow", - "description": "Allow inbound access on TCP 8082", - "destinationApplicationSecurityGroups": [ - { - "id": "" - } - ], - "destinationPortRange": "8082", - "direction": 
"Inbound", - "priority": 102, - "protocol": "*", - "sourceApplicationSecurityGroups": [ - { - "id": "" - } - ], - "sourcePortRange": "*" - } - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nnsgwaf' - params: { - // Required parameters - name: 'nnsgwaf001' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - securityRules: [ - { - name: 'Specific' - properties: { - access: 'Allow' - description: 'Tests specific IPs and ports' - destinationAddressPrefix: '*' - destinationPortRange: '8080' - direction: 'Inbound' - priority: 100 - protocol: '*' - sourceAddressPrefix: '*' - sourcePortRange: '*' - } - } - { - name: 'Ranges' - properties: { - access: 'Allow' - description: 'Tests Ranges' - destinationAddressPrefixes: [ - '10.2.0.0/16' - '10.3.0.0/16' - ] - destinationPortRanges: [ - '90' - '91' - ] - direction: 'Inbound' - priority: 101 - protocol: '*' - sourceAddressPrefixes: [ - '10.0.0.0/16' - '10.1.0.0/16' - ] - sourcePortRanges: [ - '80' - '81' - ] - } - } - { - name: 'Port_8082' - properties: { - access: 'Allow' - description: 'Allow inbound access on TCP 8082' - destinationApplicationSecurityGroups: [ - { - id: '' - } - ] - destinationPortRange: '8082' - direction: 'Inbound' - priority: 102 - protocol: '*' - sourceApplicationSecurityGroups: [ - { - id: '' - } - ] - sourcePortRange: '*' - } - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nnsgwaf001" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "securityRules": { - "value": [ - { - "name": "Specific", - "properties": { - "access": "Allow", - "description": "Tests specific IPs and ports", - "destinationAddressPrefix": "*", - "destinationPortRange": "8080", - "direction": "Inbound", - "priority": 100, - "protocol": "*", - "sourceAddressPrefix": "*", - "sourcePortRange": "*" - } - }, - { - "name": "Ranges", - "properties": { - "access": "Allow", - "description": "Tests Ranges", - "destinationAddressPrefixes": [ - "10.2.0.0/16", - "10.3.0.0/16" - ], - "destinationPortRanges": [ - "90", - "91" - ], - "direction": "Inbound", - "priority": 101, - "protocol": "*", - "sourceAddressPrefixes": [ - "10.0.0.0/16", - "10.1.0.0/16" - ], - "sourcePortRanges": [ - "80", - "81" - ] - } - }, - { - "name": "Port_8082", - "properties": { - "access": "Allow", - "description": "Allow inbound access on TCP 8082", - "destinationApplicationSecurityGroups": [ - { - "id": "" - } - ], - "destinationPortRange": "8082", - "direction": "Inbound", - "priority": 102, - "protocol": "*", - "sourceApplicationSecurityGroups": [ - { - "id": "" - } - ], - "sourcePortRange": "*" - } - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Network Security Group. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`flushConnection`](#parameter-flushconnection) | bool | When enabled, flows created from Network Security Group connections will be re-evaluated when rules are updates. Initial enablement will trigger re-evaluation. Network Security Group connection flushing is not available in all regions. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`securityRules`](#parameter-securityrules) | array | Array of Security Rules to deploy to the Network Security Group. When not provided, an NSG including only the built-in roles will be deployed. | -| [`tags`](#parameter-tags) | object | Tags of the NSG resource. | - -### Parameter: `name` - -Name of the Network Security Group. - -- Required: Yes -- Type: string - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
| -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
- -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). 
- -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `flushConnection` - -When enabled, flows created from Network Security Group connections will be re-evaluated when rules are updates. Initial enablement will trigger re-evaluation. Network Security Group connection flushing is not available in all regions. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. 
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.principalType`
-
-The principal type of the assigned principal ID.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Device'
- 'ForeignGroup'
- 'Group'
- 'ServicePrincipal'
- 'User'
- ]
- ```
-
-### Parameter: `securityRules`
-
-Array of Security Rules to deploy to the Network Security Group. When not provided, an NSG including only the built-in roles will be deployed.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `tags`
-
-Tags of the NSG resource.
-
-- Required: No
-- Type: object
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the network security group. |
-| `resourceGroupName` | string | The resource group the network security group was deployed into. |
-| `resourceId` | string | The resource ID of the network security group. |
-
-## Cross-referenced modules
-
-_None_
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/network/network-security-group/main.bicep b/modules/network/network-security-group/main.bicep
deleted file mode 100644
index 83266cb10a..0000000000
--- a/modules/network/network-security-group/main.bicep
+++ /dev/null
@@ -1,227 +0,0 @@ -metadata name = 'Network Security Groups' -metadata description = 'This module deploys a Network security Group (NSG).' -metadata owner = 'Azure/module-maintainers' - -@description('Required. Name of the Network Security Group.') -param name string - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. Array of Security Rules to deploy to the Network Security Group. When not provided, an NSG including only the built-in roles will be deployed.') -param securityRules array = [] - -@description('Optional. When enabled, flows created from Network Security Group connections will be re-evaluated when rules are updates. Initial enablement will trigger re-evaluation. Network Security Group connection flushing is not available in all regions.') -param flushConnection bool = false - -@description('Optional. The diagnostic settings of the service.') -param diagnosticSettings diagnosticSettingType - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. Tags of the NSG resource.') -param tags object? - -@description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var enableReferencedModulesTelemetry = false - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = { - name: name - location: location - tags: tags - properties: { - flushConnection: flushConnection - securityRules: [for securityRule in securityRules: { - name: securityRule.name - properties: { - protocol: securityRule.properties.protocol - access: securityRule.properties.access - priority: securityRule.properties.priority - direction: securityRule.properties.direction - description: contains(securityRule.properties, 'description') ? 
securityRule.properties.description : '' - sourcePortRange: contains(securityRule.properties, 'sourcePortRange') ? securityRule.properties.sourcePortRange : '' - sourcePortRanges: contains(securityRule.properties, 'sourcePortRanges') ? securityRule.properties.sourcePortRanges : [] - destinationPortRange: contains(securityRule.properties, 'destinationPortRange') ? securityRule.properties.destinationPortRange : '' - destinationPortRanges: contains(securityRule.properties, 'destinationPortRanges') ? securityRule.properties.destinationPortRanges : [] - sourceAddressPrefix: contains(securityRule.properties, 'sourceAddressPrefix') ? securityRule.properties.sourceAddressPrefix : '' - destinationAddressPrefix: contains(securityRule.properties, 'destinationAddressPrefix') ? securityRule.properties.destinationAddressPrefix : '' - sourceAddressPrefixes: contains(securityRule.properties, 'sourceAddressPrefixes') ? securityRule.properties.sourceAddressPrefixes : [] - destinationAddressPrefixes: contains(securityRule.properties, 'destinationAddressPrefixes') ? securityRule.properties.destinationAddressPrefixes : [] - sourceApplicationSecurityGroups: contains(securityRule.properties, 'sourceApplicationSecurityGroups') ? securityRule.properties.sourceApplicationSecurityGroups : [] - destinationApplicationSecurityGroups: contains(securityRule.properties, 'destinationApplicationSecurityGroups') ? 
securityRule.properties.destinationApplicationSecurityGroups : [] - } - }] - } -} - -module networkSecurityGroup_securityRules 'security-rule/main.bicep' = [for (securityRule, index) in securityRules: { - name: '${uniqueString(deployment().name, location)}-securityRule-${index}' - params: { - name: securityRule.name - networkSecurityGroupName: networkSecurityGroup.name - protocol: securityRule.properties.protocol - access: securityRule.properties.access - priority: securityRule.properties.priority - direction: securityRule.properties.direction - description: contains(securityRule.properties, 'description') ? securityRule.properties.description : '' - sourcePortRange: contains(securityRule.properties, 'sourcePortRange') ? securityRule.properties.sourcePortRange : '' - sourcePortRanges: contains(securityRule.properties, 'sourcePortRanges') ? securityRule.properties.sourcePortRanges : [] - destinationPortRange: contains(securityRule.properties, 'destinationPortRange') ? securityRule.properties.destinationPortRange : '' - destinationPortRanges: contains(securityRule.properties, 'destinationPortRanges') ? securityRule.properties.destinationPortRanges : [] - sourceAddressPrefix: contains(securityRule.properties, 'sourceAddressPrefix') ? securityRule.properties.sourceAddressPrefix : '' - destinationAddressPrefix: contains(securityRule.properties, 'destinationAddressPrefix') ? securityRule.properties.destinationAddressPrefix : '' - sourceAddressPrefixes: contains(securityRule.properties, 'sourceAddressPrefixes') ? securityRule.properties.sourceAddressPrefixes : [] - destinationAddressPrefixes: contains(securityRule.properties, 'destinationAddressPrefixes') ? securityRule.properties.destinationAddressPrefixes : [] - sourceApplicationSecurityGroups: contains(securityRule.properties, 'sourceApplicationSecurityGroups') ? 
securityRule.properties.sourceApplicationSecurityGroups : [] - destinationApplicationSecurityGroups: contains(securityRule.properties, 'destinationApplicationSecurityGroups') ? securityRule.properties.destinationApplicationSecurityGroups : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -resource networkSecurityGroup_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' - } - scope: networkSecurityGroup -} - -resource networkSecurityGroup_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { - name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' - properties: { - storageAccountId: diagnosticSetting.?storageAccountResourceId - workspaceId: diagnosticSetting.?workspaceResourceId - eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId - eventHubName: diagnosticSetting.?eventHubName - logs: diagnosticSetting.?logCategoriesAndGroups ?? [ - { - categoryGroup: 'AllLogs' - enabled: true - } - ] - marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId - logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType - } - scope: networkSecurityGroup -}] - -resource networkSecurityGroup_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(networkSecurityGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? 
builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: networkSecurityGroup -}] - -@description('The resource group the network security group was deployed into.') -output resourceGroupName string = resourceGroup().name - -@description('The resource ID of the network security group.') -output resourceId string = networkSecurityGroup.id - -@description('The name of the network security group.') -output name string = networkSecurityGroup.name - -@description('The location the resource was deployed into.') -output location string = networkSecurityGroup.location - -// =============== // -// Definitions // -// =============== // - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. 
The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? - -type diagnosticSettingType = { - @description('Optional. The name of diagnostic setting.') - name: string? - - @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') - logCategoriesAndGroups: { - @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') - category: string? - - @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') - categoryGroup: string? - }[]? - - @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? - - @description('Optional. Resource ID of the diagnostic log analytics workspace. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - workspaceResourceId: string? - - @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - storageAccountResourceId: string? - - @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') - eventHubAuthorizationRuleResourceId: string? - - @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - eventHubName: string? - - @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') - marketplacePartnerResourceId: string? -}[]? diff --git a/modules/network/network-security-group/main.json b/modules/network/network-security-group/main.json deleted file mode 100644 index c6f01814cd..0000000000 --- a/modules/network/network-security-group/main.json +++ /dev/null 
@@ -1,675 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15234016184111184785" - }, - "name": "Network Security Groups", - "description": "This module deploys a Network security Group (NSG).", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. 
A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Network Security Group." 
- } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "securityRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of Security Rules to deploy to the Network Security Group. When not provided, an NSG including only the built-in roles will be deployed." - } - }, - "flushConnection": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. When enabled, flows created from Network Security Group connections will be re-evaluated when rules are updates. Initial enablement will trigger re-evaluation. Network Security Group connection flushing is not available in all regions." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the NSG resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "networkSecurityGroup": { - "type": "Microsoft.Network/networkSecurityGroups", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "securityRules", - "count": "[length(parameters('securityRules'))]", - "input": { - "name": "[parameters('securityRules')[copyIndex('securityRules')].name]", - "properties": { - "protocol": "[parameters('securityRules')[copyIndex('securityRules')].properties.protocol]", - "access": 
"[parameters('securityRules')[copyIndex('securityRules')].properties.access]", - "priority": "[parameters('securityRules')[copyIndex('securityRules')].properties.priority]", - "direction": "[parameters('securityRules')[copyIndex('securityRules')].properties.direction]", - "description": "[if(contains(parameters('securityRules')[copyIndex('securityRules')].properties, 'description'), parameters('securityRules')[copyIndex('securityRules')].properties.description, '')]", - "sourcePortRange": "[if(contains(parameters('securityRules')[copyIndex('securityRules')].properties, 'sourcePortRange'), parameters('securityRules')[copyIndex('securityRules')].properties.sourcePortRange, '')]", - "sourcePortRanges": "[if(contains(parameters('securityRules')[copyIndex('securityRules')].properties, 'sourcePortRanges'), parameters('securityRules')[copyIndex('securityRules')].properties.sourcePortRanges, createArray())]", - "destinationPortRange": "[if(contains(parameters('securityRules')[copyIndex('securityRules')].properties, 'destinationPortRange'), parameters('securityRules')[copyIndex('securityRules')].properties.destinationPortRange, '')]", - "destinationPortRanges": "[if(contains(parameters('securityRules')[copyIndex('securityRules')].properties, 'destinationPortRanges'), parameters('securityRules')[copyIndex('securityRules')].properties.destinationPortRanges, createArray())]", - "sourceAddressPrefix": "[if(contains(parameters('securityRules')[copyIndex('securityRules')].properties, 'sourceAddressPrefix'), parameters('securityRules')[copyIndex('securityRules')].properties.sourceAddressPrefix, '')]", - "destinationAddressPrefix": "[if(contains(parameters('securityRules')[copyIndex('securityRules')].properties, 'destinationAddressPrefix'), parameters('securityRules')[copyIndex('securityRules')].properties.destinationAddressPrefix, '')]", - "sourceAddressPrefixes": "[if(contains(parameters('securityRules')[copyIndex('securityRules')].properties, 'sourceAddressPrefixes'), 
parameters('securityRules')[copyIndex('securityRules')].properties.sourceAddressPrefixes, createArray())]", - "destinationAddressPrefixes": "[if(contains(parameters('securityRules')[copyIndex('securityRules')].properties, 'destinationAddressPrefixes'), parameters('securityRules')[copyIndex('securityRules')].properties.destinationAddressPrefixes, createArray())]", - "sourceApplicationSecurityGroups": "[if(contains(parameters('securityRules')[copyIndex('securityRules')].properties, 'sourceApplicationSecurityGroups'), parameters('securityRules')[copyIndex('securityRules')].properties.sourceApplicationSecurityGroups, createArray())]", - "destinationApplicationSecurityGroups": "[if(contains(parameters('securityRules')[copyIndex('securityRules')].properties, 'destinationApplicationSecurityGroups'), parameters('securityRules')[copyIndex('securityRules')].properties.destinationApplicationSecurityGroups, createArray())]" - } - } - } - ], - "flushConnection": "[parameters('flushConnection')]" - } - }, - "networkSecurityGroup_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "networkSecurityGroup" - ] - }, - "networkSecurityGroup_diagnosticSettings": { - "copy": { - "name": "networkSecurityGroup_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": 
"Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "networkSecurityGroup" - ] - }, - "networkSecurityGroup_roleAssignments": { - "copy": { - "name": "networkSecurityGroup_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/networkSecurityGroups', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "networkSecurityGroup" - ] - }, - "networkSecurityGroup_securityRules": { - "copy": { - "name": "networkSecurityGroup_securityRules", - "count": "[length(parameters('securityRules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-securityRule-{1}', 
uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('securityRules')[copyIndex()].name]" - }, - "networkSecurityGroupName": { - "value": "[parameters('name')]" - }, - "protocol": { - "value": "[parameters('securityRules')[copyIndex()].properties.protocol]" - }, - "access": { - "value": "[parameters('securityRules')[copyIndex()].properties.access]" - }, - "priority": { - "value": "[parameters('securityRules')[copyIndex()].properties.priority]" - }, - "direction": { - "value": "[parameters('securityRules')[copyIndex()].properties.direction]" - }, - "description": "[if(contains(parameters('securityRules')[copyIndex()].properties, 'description'), createObject('value', parameters('securityRules')[copyIndex()].properties.description), createObject('value', ''))]", - "sourcePortRange": "[if(contains(parameters('securityRules')[copyIndex()].properties, 'sourcePortRange'), createObject('value', parameters('securityRules')[copyIndex()].properties.sourcePortRange), createObject('value', ''))]", - "sourcePortRanges": "[if(contains(parameters('securityRules')[copyIndex()].properties, 'sourcePortRanges'), createObject('value', parameters('securityRules')[copyIndex()].properties.sourcePortRanges), createObject('value', createArray()))]", - "destinationPortRange": "[if(contains(parameters('securityRules')[copyIndex()].properties, 'destinationPortRange'), createObject('value', parameters('securityRules')[copyIndex()].properties.destinationPortRange), createObject('value', ''))]", - "destinationPortRanges": "[if(contains(parameters('securityRules')[copyIndex()].properties, 'destinationPortRanges'), createObject('value', parameters('securityRules')[copyIndex()].properties.destinationPortRanges), createObject('value', createArray()))]", - "sourceAddressPrefix": 
"[if(contains(parameters('securityRules')[copyIndex()].properties, 'sourceAddressPrefix'), createObject('value', parameters('securityRules')[copyIndex()].properties.sourceAddressPrefix), createObject('value', ''))]", - "destinationAddressPrefix": "[if(contains(parameters('securityRules')[copyIndex()].properties, 'destinationAddressPrefix'), createObject('value', parameters('securityRules')[copyIndex()].properties.destinationAddressPrefix), createObject('value', ''))]", - "sourceAddressPrefixes": "[if(contains(parameters('securityRules')[copyIndex()].properties, 'sourceAddressPrefixes'), createObject('value', parameters('securityRules')[copyIndex()].properties.sourceAddressPrefixes), createObject('value', createArray()))]", - "destinationAddressPrefixes": "[if(contains(parameters('securityRules')[copyIndex()].properties, 'destinationAddressPrefixes'), createObject('value', parameters('securityRules')[copyIndex()].properties.destinationAddressPrefixes), createObject('value', createArray()))]", - "sourceApplicationSecurityGroups": "[if(contains(parameters('securityRules')[copyIndex()].properties, 'sourceApplicationSecurityGroups'), createObject('value', parameters('securityRules')[copyIndex()].properties.sourceApplicationSecurityGroups), createObject('value', createArray()))]", - "destinationApplicationSecurityGroups": "[if(contains(parameters('securityRules')[copyIndex()].properties, 'destinationApplicationSecurityGroups'), createObject('value', parameters('securityRules')[copyIndex()].properties.destinationApplicationSecurityGroups), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5230356401692373453" - }, - "name": "Network Security 
Group (NSG) Security Rules", - "description": "This module deploys a Network Security Group (NSG) Security Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the security rule." - } - }, - "networkSecurityGroupName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent network security group to deploy the security rule into. Required if the template is used in a standalone deployment." - } - }, - "access": { - "type": "string", - "defaultValue": "Deny", - "allowedValues": [ - "Allow", - "Deny" - ], - "metadata": { - "description": "Optional. Whether network traffic is allowed or denied." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "maxLength": 140, - "metadata": { - "description": "Optional. A description for this rule." - } - }, - "destinationAddressPrefix": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The destination address prefix. CIDR or destination IP range. Asterisk \"*\" can also be used to match all source IPs. Default tags such as \"VirtualNetwork\", \"AzureLoadBalancer\" and \"Internet\" can also be used." - } - }, - "destinationAddressPrefixes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The destination address prefixes. CIDR or destination IP ranges." - } - }, - "destinationApplicationSecurityGroups": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The application security group specified as destination." - } - }, - "destinationPortRange": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The destination port or range. Integer or range between 0 and 65535. Asterisk \"*\" can also be used to match all ports." 
- } - }, - "destinationPortRanges": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The destination port ranges." - } - }, - "direction": { - "type": "string", - "allowedValues": [ - "Inbound", - "Outbound" - ], - "metadata": { - "description": "Required. The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic." - } - }, - "priority": { - "type": "int", - "metadata": { - "description": "Required. The priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule." - } - }, - "protocol": { - "type": "string", - "allowedValues": [ - "*", - "Ah", - "Esp", - "Icmp", - "Tcp", - "Udp" - ], - "metadata": { - "description": "Required. Network protocol this rule applies to." - } - }, - "sourceAddressPrefix": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The CIDR or source IP range. Asterisk \"*\" can also be used to match all source IPs. Default tags such as \"VirtualNetwork\", \"AzureLoadBalancer\" and \"Internet\" can also be used. If this is an ingress rule, specifies where network traffic originates from." - } - }, - "sourceAddressPrefixes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The CIDR or source IP ranges." - } - }, - "sourceApplicationSecurityGroups": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The application security group specified as source." - } - }, - "sourcePortRange": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The source port or range. Integer or range between 0 and 65535. Asterisk \"*\" can also be used to match all ports." - } - }, - "sourcePortRanges": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. 
The source port ranges." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/networkSecurityGroups/securityRules", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('networkSecurityGroupName'), parameters('name'))]", - "properties": { - "access": "[parameters('access')]", - "description": "[parameters('description')]", - "destinationAddressPrefix": "[parameters('destinationAddressPrefix')]", - "destinationAddressPrefixes": "[parameters('destinationAddressPrefixes')]", - "destinationApplicationSecurityGroups": "[parameters('destinationApplicationSecurityGroups')]", - "destinationPortRange": "[parameters('destinationPortRange')]", - "destinationPortRanges": "[parameters('destinationPortRanges')]", - "direction": "[parameters('direction')]", - "priority": "[parameters('priority')]", - "protocol": "[parameters('protocol')]", - "sourceAddressPrefix": "[parameters('sourceAddressPrefix')]", - "sourceAddressPrefixes": "[parameters('sourceAddressPrefixes')]", - "sourceApplicationSecurityGroups": "[parameters('sourceApplicationSecurityGroups')]", - "sourcePortRange": "[parameters('sourcePortRange')]", - "sourcePortRanges": "[parameters('sourcePortRanges')]" - } - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the security rule was deployed 
into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the security rule." - }, - "value": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('networkSecurityGroupName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the security rule." - }, - "value": "[parameters('name')]" - } - } - } - }, - "dependsOn": [ - "networkSecurityGroup" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the network security group was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the network security group." - }, - "value": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the network security group." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('networkSecurityGroup', '2023-04-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/network-security-group/security-rule/README.md b/modules/network/network-security-group/security-rule/README.md deleted file mode 100644 index b0f951daa0..0000000000 --- a/modules/network/network-security-group/security-rule/README.md +++ /dev/null 
@@ -1,228 +0,0 @@ -# Network Security Group (NSG) Security Rules `[Microsoft.Network/networkSecurityGroups/securityRules]` - -This module deploys a Network Security Group (NSG) Security Rule. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Network/networkSecurityGroups/securityRules` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/networkSecurityGroups/securityRules) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`direction`](#parameter-direction) | string | The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic. | -| [`name`](#parameter-name) | string | The name of the security rule. | -| [`priority`](#parameter-priority) | int | The priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. | -| [`protocol`](#parameter-protocol) | string | Network protocol this rule applies to. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`networkSecurityGroupName`](#parameter-networksecuritygroupname) | string | The name of the parent network security group to deploy the security rule into. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`access`](#parameter-access) | string | Whether network traffic is allowed or denied. | -| [`description`](#parameter-description) | string | A description for this rule. | -| [`destinationAddressPrefix`](#parameter-destinationaddressprefix) | string | The destination address prefix. 
CIDR or destination IP range. Asterisk "*" can also be used to match all source IPs. Default tags such as "VirtualNetwork", "AzureLoadBalancer" and "Internet" can also be used. | -| [`destinationAddressPrefixes`](#parameter-destinationaddressprefixes) | array | The destination address prefixes. CIDR or destination IP ranges. | -| [`destinationApplicationSecurityGroups`](#parameter-destinationapplicationsecuritygroups) | array | The application security group specified as destination. | -| [`destinationPortRange`](#parameter-destinationportrange) | string | The destination port or range. Integer or range between 0 and 65535. Asterisk "*" can also be used to match all ports. | -| [`destinationPortRanges`](#parameter-destinationportranges) | array | The destination port ranges. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`sourceAddressPrefix`](#parameter-sourceaddressprefix) | string | The CIDR or source IP range. Asterisk "*" can also be used to match all source IPs. Default tags such as "VirtualNetwork", "AzureLoadBalancer" and "Internet" can also be used. If this is an ingress rule, specifies where network traffic originates from. | -| [`sourceAddressPrefixes`](#parameter-sourceaddressprefixes) | array | The CIDR or source IP ranges. | -| [`sourceApplicationSecurityGroups`](#parameter-sourceapplicationsecuritygroups) | array | The application security group specified as source. | -| [`sourcePortRange`](#parameter-sourceportrange) | string | The source port or range. Integer or range between 0 and 65535. Asterisk "*" can also be used to match all ports. | -| [`sourcePortRanges`](#parameter-sourceportranges) | array | The source port ranges. | - -### Parameter: `direction` - -The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic. 
- -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Inbound' - 'Outbound' - ] - ``` - -### Parameter: `name` - -The name of the security rule. - -- Required: Yes -- Type: string - -### Parameter: `priority` - -The priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. - -- Required: Yes -- Type: int - -### Parameter: `protocol` - -Network protocol this rule applies to. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - '*' - 'Ah' - 'Esp' - 'Icmp' - 'Tcp' - 'Udp' - ] - ``` - -### Parameter: `networkSecurityGroupName` - -The name of the parent network security group to deploy the security rule into. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `access` - -Whether network traffic is allowed or denied. - -- Required: No -- Type: string -- Default: `'Deny'` -- Allowed: - ```Bicep - [ - 'Allow' - 'Deny' - ] - ``` - -### Parameter: `description` - -A description for this rule. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `destinationAddressPrefix` - -The destination address prefix. CIDR or destination IP range. Asterisk "*" can also be used to match all source IPs. Default tags such as "VirtualNetwork", "AzureLoadBalancer" and "Internet" can also be used. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `destinationAddressPrefixes` - -The destination address prefixes. CIDR or destination IP ranges. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `destinationApplicationSecurityGroups` - -The application security group specified as destination. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `destinationPortRange` - -The destination port or range. Integer or range between 0 and 65535. Asterisk "*" can also be used to match all ports. 
- -- Required: No -- Type: string -- Default: `''` - -### Parameter: `destinationPortRanges` - -The destination port ranges. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `sourceAddressPrefix` - -The CIDR or source IP range. Asterisk "*" can also be used to match all source IPs. Default tags such as "VirtualNetwork", "AzureLoadBalancer" and "Internet" can also be used. If this is an ingress rule, specifies where network traffic originates from. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `sourceAddressPrefixes` - -The CIDR or source IP ranges. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `sourceApplicationSecurityGroups` - -The application security group specified as source. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `sourcePortRange` - -The source port or range. Integer or range between 0 and 65535. Asterisk "*" can also be used to match all ports. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `sourcePortRanges` - -The source port ranges. - -- Required: No -- Type: array -- Default: `[]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the security rule. | -| `resourceGroupName` | string | The resource group the security rule was deployed into. | -| `resourceId` | string | The resource ID of the security rule. | - -## Cross-referenced modules - -_None_ diff --git a/modules/network/network-security-group/security-rule/main.bicep b/modules/network/network-security-group/security-rule/main.bicep deleted file mode 100644 index 6ecda23638..0000000000 --- a/modules/network/network-security-group/security-rule/main.bicep +++ /dev/null 
@@ -1,121 +0,0 @@ -metadata name = 'Network Security Group (NSG) Security Rules' -metadata description = 'This module deploys a Network Security Group (NSG) Security Rule.' -metadata owner = 'Azure/module-maintainers' - -@sys.description('Required. The name of the security rule.') -param name string - -@sys.description('Conditional. The name of the parent network security group to deploy the security rule into. Required if the template is used in a standalone deployment.') -param networkSecurityGroupName string - -@sys.description('Optional. Whether network traffic is allowed or denied.') -@allowed([ - 'Allow' - 'Deny' -]) -param access string = 'Deny' - -@sys.description('Optional. A description for this rule.') -@maxLength(140) -param description string = '' - -@sys.description('Optional. The destination address prefix. CIDR or destination IP range. Asterisk "*" can also be used to match all source IPs. Default tags such as "VirtualNetwork", "AzureLoadBalancer" and "Internet" can also be used.') -param destinationAddressPrefix string = '' - -@sys.description('Optional. The destination address prefixes. CIDR or destination IP ranges.') -param destinationAddressPrefixes array = [] - -@sys.description('Optional. The application security group specified as destination.') -param destinationApplicationSecurityGroups array = [] - -@sys.description('Optional. The destination port or range. Integer or range between 0 and 65535. Asterisk "*" can also be used to match all ports.') -param destinationPortRange string = '' - -@sys.description('Optional. The destination port ranges.') -param destinationPortRanges array = [] - -@sys.description('Required. The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic.') -@allowed([ - 'Inbound' - 'Outbound' -]) -param direction string - -@sys.description('Required. The priority of the rule. The value can be between 100 and 4096. 
The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule.') -param priority int - -@sys.description('Required. Network protocol this rule applies to.') -@allowed([ - '*' - 'Ah' - 'Esp' - 'Icmp' - 'Tcp' - 'Udp' -]) -param protocol string - -@sys.description('Optional. The CIDR or source IP range. Asterisk "*" can also be used to match all source IPs. Default tags such as "VirtualNetwork", "AzureLoadBalancer" and "Internet" can also be used. If this is an ingress rule, specifies where network traffic originates from.') -param sourceAddressPrefix string = '' - -@sys.description('Optional. The CIDR or source IP ranges.') -param sourceAddressPrefixes array = [] - -@sys.description('Optional. The application security group specified as source.') -param sourceApplicationSecurityGroups array = [] - -@sys.description('Optional. The source port or range. Integer or range between 0 and 65535. Asterisk "*" can also be used to match all ports.') -param sourcePortRange string = '' - -@sys.description('Optional. The source port ranges.') -param sourcePortRanges array = [] - -@sys.description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' existing = { - name: networkSecurityGroupName -} - -resource securityRule 'Microsoft.Network/networkSecurityGroups/securityRules@2023-04-01' = { - name: name - parent: networkSecurityGroup - properties: { - access: access - description: description - destinationAddressPrefix: destinationAddressPrefix - destinationAddressPrefixes: destinationAddressPrefixes - destinationApplicationSecurityGroups: destinationApplicationSecurityGroups - destinationPortRange: destinationPortRange - destinationPortRanges: destinationPortRanges - direction: direction - priority: priority - protocol: protocol - sourceAddressPrefix: sourceAddressPrefix - sourceAddressPrefixes: sourceAddressPrefixes - sourceApplicationSecurityGroups: sourceApplicationSecurityGroups - sourcePortRange: sourcePortRange - sourcePortRanges: sourcePortRanges - } -} - -@sys.description('The resource group the security rule was deployed into.') -output resourceGroupName string = resourceGroup().name - -@sys.description('The resource ID of the security rule.') -output resourceId string = securityRule.id - -@sys.description('The name of the security rule.') -output name string = securityRule.name diff --git a/modules/network/network-security-group/security-rule/main.json b/modules/network/network-security-group/security-rule/main.json deleted file mode 100644 index 9d34ec99a7..0000000000 
--- a/modules/network/network-security-group/security-rule/main.json
+++ /dev/null
@@ -1,215 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5230356401692373453" - }, - "name": "Network Security Group (NSG) Security Rules", - "description": "This module deploys a Network Security Group (NSG) Security Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the security rule." - } - }, - "networkSecurityGroupName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent network security group to deploy the security rule into. Required if the template is used in a standalone deployment." - } - }, - "access": { - "type": "string", - "defaultValue": "Deny", - "allowedValues": [ - "Allow", - "Deny" - ], - "metadata": { - "description": "Optional. Whether network traffic is allowed or denied." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "maxLength": 140, - "metadata": { - "description": "Optional. A description for this rule." - } - }, - "destinationAddressPrefix": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The destination address prefix. CIDR or destination IP range. Asterisk \"*\" can also be used to match all source IPs. Default tags such as \"VirtualNetwork\", \"AzureLoadBalancer\" and \"Internet\" can also be used." - } - }, - "destinationAddressPrefixes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The destination address prefixes. CIDR or destination IP ranges." - } - }, - "destinationApplicationSecurityGroups": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The application security group specified as destination." 
- } - }, - "destinationPortRange": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The destination port or range. Integer or range between 0 and 65535. Asterisk \"*\" can also be used to match all ports." - } - }, - "destinationPortRanges": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The destination port ranges." - } - }, - "direction": { - "type": "string", - "allowedValues": [ - "Inbound", - "Outbound" - ], - "metadata": { - "description": "Required. The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic." - } - }, - "priority": { - "type": "int", - "metadata": { - "description": "Required. The priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule." - } - }, - "protocol": { - "type": "string", - "allowedValues": [ - "*", - "Ah", - "Esp", - "Icmp", - "Tcp", - "Udp" - ], - "metadata": { - "description": "Required. Network protocol this rule applies to." - } - }, - "sourceAddressPrefix": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The CIDR or source IP range. Asterisk \"*\" can also be used to match all source IPs. Default tags such as \"VirtualNetwork\", \"AzureLoadBalancer\" and \"Internet\" can also be used. If this is an ingress rule, specifies where network traffic originates from." - } - }, - "sourceAddressPrefixes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The CIDR or source IP ranges." - } - }, - "sourceApplicationSecurityGroups": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The application security group specified as source." - } - }, - "sourcePortRange": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
The source port or range. Integer or range between 0 and 65535. Asterisk \"*\" can also be used to match all ports." - } - }, - "sourcePortRanges": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The source port ranges." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/networkSecurityGroups/securityRules", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('networkSecurityGroupName'), parameters('name'))]", - "properties": { - "access": "[parameters('access')]", - "description": "[parameters('description')]", - "destinationAddressPrefix": "[parameters('destinationAddressPrefix')]", - "destinationAddressPrefixes": "[parameters('destinationAddressPrefixes')]", - "destinationApplicationSecurityGroups": "[parameters('destinationApplicationSecurityGroups')]", - "destinationPortRange": "[parameters('destinationPortRange')]", - "destinationPortRanges": "[parameters('destinationPortRanges')]", - "direction": "[parameters('direction')]", - "priority": "[parameters('priority')]", - "protocol": "[parameters('protocol')]", - "sourceAddressPrefix": "[parameters('sourceAddressPrefix')]", - "sourceAddressPrefixes": "[parameters('sourceAddressPrefixes')]", - "sourceApplicationSecurityGroups": "[parameters('sourceApplicationSecurityGroups')]", - "sourcePortRange": 
"[parameters('sourcePortRange')]", - "sourcePortRanges": "[parameters('sourcePortRanges')]" - } - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the security rule was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the security rule." - }, - "value": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('networkSecurityGroupName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the security rule." - }, - "value": "[parameters('name')]" - } - } -} \ No newline at end of file diff --git a/modules/network/network-security-group/security-rule/version.json b/modules/network/network-security-group/security-rule/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/network/network-security-group/security-rule/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/network-security-group/tests/e2e/defaults/main.test.bicep b/modules/network/network-security-group/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index e3113e43e2..0000000000 --- a/modules/network/network-security-group/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.networksecuritygroups-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nnsgmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/network/network-security-group/tests/e2e/max/dependencies.bicep b/modules/network/network-security-group/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 951c71af97..0000000000
--- a/modules/network/network-security-group/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,24 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Application Security Group to create.')
-param applicationSecurityGroupName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource applicationSecurityGroup 'Microsoft.Network/applicationSecurityGroups@2023-04-01' = {
- name: applicationSecurityGroupName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Application Security Group.')
-output applicationSecurityGroupResourceId string = applicationSecurityGroup.id
diff --git a/modules/network/network-security-group/tests/e2e/max/main.test.bicep b/modules/network/network-security-group/tests/e2e/max/main.test.bicep
deleted file mode 100644
index b0cae014bc..0000000000
--- a/modules/network/network-security-group/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,171 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-network.networksecuritygroups-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nnsgmax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - applicationSecurityGroupName: 'dep-${namePrefix}-asg-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' 
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - diagnosticSettings: [ - { - name: 'customSetting' - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - securityRules: [ - { - name: 'Specific' - properties: { - access: 'Allow' - description: 'Tests specific IPs and ports' - destinationAddressPrefix: '*' - destinationPortRange: '8080' - direction: 'Inbound' - priority: 100 - protocol: '*' - sourceAddressPrefix: '*' - sourcePortRange: '*' - } - } - { - name: 'Ranges' - properties: { - access: 'Allow' - description: 'Tests Ranges' - destinationAddressPrefixes: [ - '10.2.0.0/16' - '10.3.0.0/16' - ] - 
destinationPortRanges: [ - '90' - '91' - ] - direction: 'Inbound' - priority: 101 - protocol: '*' - sourceAddressPrefixes: [ - '10.0.0.0/16' - '10.1.0.0/16' - ] - sourcePortRanges: [ - '80' - '81' - ] - } - } - { - name: 'Port_8082' - properties: { - access: 'Allow' - description: 'Allow inbound access on TCP 8082' - destinationApplicationSecurityGroups: [ - { - id: nestedDependencies.outputs.applicationSecurityGroupResourceId - } - ] - destinationPortRange: '8082' - direction: 'Inbound' - priority: 102 - protocol: '*' - sourceApplicationSecurityGroups: [ - { - id: nestedDependencies.outputs.applicationSecurityGroupResourceId - } - ] - sourcePortRange: '*' - } - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/network/network-security-group/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/network-security-group/tests/e2e/waf-aligned/dependencies.bicep deleted file mode 100644 index 951c71af97..0000000000 --- a/modules/network/network-security-group/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null 
@@ -1,24 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Application Security Group to create.')
-param applicationSecurityGroupName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource applicationSecurityGroup 'Microsoft.Network/applicationSecurityGroups@2023-04-01' = {
- name: applicationSecurityGroupName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Application Security Group.')
-output applicationSecurityGroupResourceId string = applicationSecurityGroup.id
diff --git a/modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep b/modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index cb46477554..0000000000
--- a/modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,154 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-network.networksecuritygroups-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nnsgwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - applicationSecurityGroupName: 'dep-${namePrefix}-asg-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 
'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - diagnosticSettings: [ - { - name: 'customSetting' - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - securityRules: [ - { - name: 'Specific' - properties: { - access: 'Allow' - description: 'Tests specific IPs and ports' - destinationAddressPrefix: '*' - destinationPortRange: '8080' - direction: 'Inbound' - priority: 100 - protocol: '*' - sourceAddressPrefix: '*' - sourcePortRange: '*' - } - } - { - name: 'Ranges' - properties: { - access: 'Allow' - description: 'Tests Ranges' - destinationAddressPrefixes: [ - '10.2.0.0/16' - '10.3.0.0/16' - ] - destinationPortRanges: [ - '90' - '91' - ] - direction: 'Inbound' - priority: 101 - protocol: '*' - sourceAddressPrefixes: [ - '10.0.0.0/16' - '10.1.0.0/16' - ] - sourcePortRanges: [ - '80' - '81' - ] - } - } - { - name: 'Port_8082' - properties: { - access: 'Allow' - description: 'Allow inbound access on TCP 8082' - destinationApplicationSecurityGroups: [ - { - id: nestedDependencies.outputs.applicationSecurityGroupResourceId - } - ] - destinationPortRange: '8082' - direction: 'Inbound' - priority: 102 - protocol: '*' - 
sourceApplicationSecurityGroups: [ - { - id: nestedDependencies.outputs.applicationSecurityGroupResourceId - } - ] - sourcePortRange: '*' - } - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/network/network-security-group/version.json b/modules/network/network-security-group/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/network/network-security-group/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/network-watcher/README.md b/modules/network/network-watcher/README.md index 07a3771138..8b354728c2 100644 --- a/modules/network/network-watcher/README.md +++ b/modules/network/network-watcher/README.md @@ -1,719 +1,7 @@ -# Network Watchers `[Microsoft.Network/networkWatchers]` +

⚠️ Moved to AVM ⚠️

-This module deploys a Network Watcher. +**This module has been evolved into the following AVM module: [avm/res/network/network-watcher](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/network-watcher).** -## Navigation +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/network-watcher). -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/networkWatchers` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/networkWatchers) | -| `Microsoft.Network/networkWatchers/connectionMonitors` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/networkWatchers/connectionMonitors) | -| `Microsoft.Network/networkWatchers/flowLogs` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/networkWatchers/flowLogs) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
- ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.network-watcher:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nnwmin' - params: { - enableDefaultTelemetry: '' - location: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "enableDefaultTelemetry": { - "value": "" - }, - "location": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nnwmax' - params: { - connectionMonitors: [ - { - endpoints: [ - { - name: '' - resourceId: '' - type: 'AzureVM' - } - { - address: 'www.bing.com' - name: 'Bing' - type: 'ExternalAddress' - } - ] - name: 'nnwmax-cm-001' - testConfigurations: [ - { - httpConfiguration: { - method: 'Get' - port: 80 - preferHTTPS: false - requestHeaders: [] - validStatusCodeRanges: [ - '200' - ] - } - name: 'HTTP Bing Test' - protocol: 'Http' - successThreshold: { - checksFailedPercent: 5 - roundTripTimeMs: 100 - } - testFrequencySec: 30 - } - ] - testGroups: [ - { - destinations: [ - 'Bing' - ] - disable: false - name: 'test-http-Bing' - sources: [ - 'subnet-001(${resourceGroup.name})' - ] - testConfigurations: [ - 'HTTP Bing Test' - ] - } - ] - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - flowLogs: [ - { - enabled: false - storageId: '' - targetResourceId: '' - } - { - formatVersion: 1 - name: 'nnwmax-fl-001' - retentionInDays: 8 - storageId: '' - targetResourceId: '' - trafficAnalyticsInterval: 10 - workspaceResourceId: '' - } - ] - location: '' - name: '' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "connectionMonitors": { - "value": [ - { - "endpoints": [ - { - "name": "", - "resourceId": "", - "type": "AzureVM" - }, - { - "address": "www.bing.com", - "name": "Bing", - "type": "ExternalAddress" - } - ], - "name": "nnwmax-cm-001", - "testConfigurations": [ - { - "httpConfiguration": { - "method": "Get", - "port": 80, - "preferHTTPS": false, - "requestHeaders": [], - "validStatusCodeRanges": [ - "200" - ] - }, - "name": "HTTP Bing Test", - "protocol": "Http", - "successThreshold": { - "checksFailedPercent": 5, - "roundTripTimeMs": 100 - }, - "testFrequencySec": 30 - } - ], - "testGroups": [ - { - "destinations": [ - "Bing" - ], - "disable": false, - "name": "test-http-Bing", - "sources": [ - "subnet-001(${resourceGroup.name})" - ], - "testConfigurations": [ - "HTTP Bing Test" - ] - } - ], - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "flowLogs": { - "value": [ - { - "enabled": false, - "storageId": "", - "targetResourceId": "" - }, - { - "formatVersion": 1, - "name": "nnwmax-fl-001", - "retentionInDays": 8, - "storageId": "", - "targetResourceId": "", - "trafficAnalyticsInterval": 10, - "workspaceResourceId": "" - } - ] - }, - "location": { - "value": "" - }, - "name": { - "value": "" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` 
- -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nnwwaf' - params: { - connectionMonitors: [ - { - endpoints: [ - { - name: '' - resourceId: '' - type: 'AzureVM' - } - { - address: 'www.bing.com' - name: 'Bing' - type: 'ExternalAddress' - } - ] - name: 'nnwwaf-cm-001' - testConfigurations: [ - { - httpConfiguration: { - method: 'Get' - port: 80 - preferHTTPS: false - requestHeaders: [] - validStatusCodeRanges: [ - '200' - ] - } - name: 'HTTP Bing Test' - protocol: 'Http' - successThreshold: { - checksFailedPercent: 5 - roundTripTimeMs: 100 - } - testFrequencySec: 30 - } - ] - testGroups: [ - { - destinations: [ - 'Bing' - ] - disable: false - name: 'test-http-Bing' - sources: [ - 'subnet-001(${resourceGroup.name})' - ] - testConfigurations: [ - 'HTTP Bing Test' - ] - } - ] - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - flowLogs: [ - { - enabled: false - storageId: '' - targetResourceId: '' - } - { - formatVersion: 1 - name: 'nnwwaf-fl-001' - retentionInDays: 8 - storageId: '' - targetResourceId: '' - trafficAnalyticsInterval: 10 - workspaceResourceId: '' - } - ] - location: '' - name: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "connectionMonitors": { - "value": [ - { - "endpoints": [ - { - "name": "", - "resourceId": "", - "type": "AzureVM" - }, - { - "address": "www.bing.com", - "name": "Bing", - "type": "ExternalAddress" - } - ], - "name": "nnwwaf-cm-001", - "testConfigurations": [ - { - "httpConfiguration": { - "method": "Get", - "port": 80, - "preferHTTPS": false, - "requestHeaders": [], - "validStatusCodeRanges": [ - "200" - ] - }, - "name": "HTTP Bing Test", - "protocol": "Http", - "successThreshold": { - "checksFailedPercent": 5, - "roundTripTimeMs": 100 - }, - "testFrequencySec": 30 - } - ], - "testGroups": [ - { - "destinations": [ - "Bing" - ], - "disable": false, - "name": "test-http-Bing", - "sources": [ - "subnet-001(${resourceGroup.name})" - ], - "testConfigurations": [ - "HTTP Bing Test" - ] - } - ], - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "flowLogs": { - "value": [ - { - "enabled": false, - "storageId": "", - "targetResourceId": "" - }, - { - "formatVersion": 1, - "name": "nnwwaf-fl-001", - "retentionInDays": 8, - "storageId": "", - "targetResourceId": "", - "trafficAnalyticsInterval": 10, - "workspaceResourceId": "" - } - ] - }, - "location": { - "value": "" - }, - "name": { - "value": "" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`connectionMonitors`](#parameter-connectionmonitors) | array | Array that contains the Connection Monitors. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`flowLogs`](#parameter-flowlogs) | array | Array that contains the Flow Logs. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`name`](#parameter-name) | string | Name of the Network Watcher resource (hidden). | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `connectionMonitors` - -Array that contains the Connection Monitors. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `flowLogs` - -Array that contains the Flow Logs. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. 
- -- Required: No -- Type: string - -### Parameter: `name` - -Name of the Network Watcher resource (hidden). - -- Required: No -- Type: string -- Default: `[format('NetworkWatcher_{0}', parameters('location'))]` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. 
- -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed network watcher. | -| `resourceGroupName` | string | The resource group the network watcher was deployed into. | -| `resourceId` | string | The resource ID of the deployed network watcher. 
| - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/network/network-watcher/connection-monitor/README.md b/modules/network/network-watcher/connection-monitor/README.md deleted file mode 100644 index ff5812ad1a..0000000000 --- a/modules/network/network-watcher/connection-monitor/README.md +++ /dev/null 
@@ -1,121 +0,0 @@ -# Network Watchers Connection Monitors `[Microsoft.Network/networkWatchers/connectionMonitors]` - -This module deploys a Network Watcher Connection Monitor. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Network/networkWatchers/connectionMonitors` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/networkWatchers/connectionMonitors) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the resource. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`endpoints`](#parameter-endpoints) | array | List of connection monitor endpoints. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`networkWatcherName`](#parameter-networkwatchername) | string | Name of the network watcher resource. Must be in the resource group where the Flow log will be created and same region as the NSG. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`testConfigurations`](#parameter-testconfigurations) | array | List of connection monitor test configurations. | -| [`testGroups`](#parameter-testgroups) | array | List of connection monitor test groups. | -| [`workspaceResourceId`](#parameter-workspaceresourceid) | string | Specify the Log Analytics Workspace Resource ID. | - -### Parameter: `name` - -Name of the resource. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). 
- -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `endpoints` - -List of connection monitor endpoints. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `networkWatcherName` - -Name of the network watcher resource. Must be in the resource group where the Flow log will be created and same region as the NSG. - -- Required: No -- Type: string -- Default: `[format('NetworkWatcher_{0}', resourceGroup().location)]` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `testConfigurations` - -List of connection monitor test configurations. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `testGroups` - -List of connection monitor test groups. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `workspaceResourceId` - -Specify the Log Analytics Workspace Resource ID. - -- Required: No -- Type: string -- Default: `''` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed connection monitor. | -| `resourceGroupName` | string | The resource group the connection monitor was deployed into. | -| `resourceId` | string | The resource ID of the deployed connection monitor. | - -## Cross-referenced modules - -_None_ diff --git a/modules/network/network-watcher/connection-monitor/main.bicep b/modules/network/network-watcher/connection-monitor/main.bicep deleted file mode 100644 index 536db29611..0000000000 --- a/modules/network/network-watcher/connection-monitor/main.bicep +++ /dev/null 
@@ -1,80 +0,0 @@ -metadata name = 'Network Watchers Connection Monitors' -metadata description = 'This module deploys a Network Watcher Connection Monitor.' -metadata owner = 'Azure/module-maintainers' - -@description('Optional. Name of the network watcher resource. Must be in the resource group where the Flow log will be created and same region as the NSG.') -param networkWatcherName string = 'NetworkWatcher_${resourceGroup().location}' - -@description('Required. Name of the resource.') -param name string - -@description('Optional. Tags of the resource.') -param tags object? - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. List of connection monitor endpoints.') -param endpoints array = [] - -@description('Optional. List of connection monitor test configurations.') -param testConfigurations array = [] - -@description('Optional. List of connection monitor test groups.') -param testGroups array = [] - -@description('Optional. Specify the Log Analytics Workspace Resource ID.') -param workspaceResourceId string = '' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var outputs = !empty(workspaceResourceId) ? 
[ - { - type: 'Workspace' - workspaceSettings: { - workspaceResourceId: workspaceResourceId - } - } -] : null - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource networkWatcher 'Microsoft.Network/networkWatchers@2023-04-01' existing = { - name: networkWatcherName -} - -resource connectionMonitor 'Microsoft.Network/networkWatchers/connectionMonitors@2023-04-01' = { - name: name - parent: networkWatcher - tags: tags - location: location - properties: { - endpoints: endpoints - testConfigurations: testConfigurations - testGroups: testGroups - outputs: outputs - } -} - -@description('The name of the deployed connection monitor.') -output name string = connectionMonitor.name - -@description('The resource ID of the deployed connection monitor.') -output resourceId string = connectionMonitor.id - -@description('The resource group the connection monitor was deployed into.') -output resourceGroupName string = resourceGroup().name - -@description('The location the resource was deployed into.') -output location string = connectionMonitor.location diff --git a/modules/network/network-watcher/connection-monitor/main.json b/modules/network/network-watcher/connection-monitor/main.json deleted file mode 100644 index f80ecbc337..0000000000 --- a/modules/network/network-watcher/connection-monitor/main.json +++ /dev/null 
@@ -1,150 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15782320161408670286" - }, - "name": "Network Watchers Connection Monitors", - "description": "This module deploys a Network Watcher Connection Monitor.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "networkWatcherName": { - "type": "string", - "defaultValue": "[format('NetworkWatcher_{0}', resourceGroup().location)]", - "metadata": { - "description": "Optional. Name of the network watcher resource. Must be in the resource group where the Flow log will be created and same region as the NSG." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the resource." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "endpoints": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of connection monitor endpoints." - } - }, - "testConfigurations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of connection monitor test configurations." - } - }, - "testGroups": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of connection monitor test groups." - } - }, - "workspaceResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specify the Log Analytics Workspace Resource ID." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. 
Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "outputs": "[if(not(empty(parameters('workspaceResourceId'))), createArray(createObject('type', 'Workspace', 'workspaceSettings', createObject('workspaceResourceId', parameters('workspaceResourceId')))), null())]" - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "networkWatcher": { - "existing": true, - "type": "Microsoft.Network/networkWatchers", - "apiVersion": "2023-04-01", - "name": "[parameters('networkWatcherName')]" - }, - "connectionMonitor": { - "type": "Microsoft.Network/networkWatchers/connectionMonitors", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('networkWatcherName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "location": "[parameters('location')]", - "properties": { - "endpoints": "[parameters('endpoints')]", - "testConfigurations": "[parameters('testConfigurations')]", - "testGroups": "[parameters('testGroups')]", - "outputs": "[variables('outputs')]" - }, - "dependsOn": [ - "networkWatcher" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed connection monitor." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed connection monitor." 
- }, - "value": "[resourceId('Microsoft.Network/networkWatchers/connectionMonitors', parameters('networkWatcherName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the connection monitor was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('connectionMonitor', '2023-04-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/network-watcher/connection-monitor/version.json b/modules/network/network-watcher/connection-monitor/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/network/network-watcher/connection-monitor/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/network-watcher/flow-log/README.md b/modules/network/network-watcher/flow-log/README.md deleted file mode 100644 index b6489b44bb..0000000000 --- a/modules/network/network-watcher/flow-log/README.md +++ /dev/null 
@@ -1,162 +0,0 @@
-# NSG Flow Logs `[Microsoft.Network/networkWatchers/flowLogs]`
-
-This module controls the Network Security Group Flow Logs and analytics settings.
-**Note: this module must be run on the Resource Group where Network Watcher is deployed**
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Network/networkWatchers/flowLogs` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/networkWatchers/flowLogs) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`storageId`](#parameter-storageid) | string | Resource ID of the diagnostic storage account. |
-| [`targetResourceId`](#parameter-targetresourceid) | string | Resource ID of the NSG that must be enabled for Flow Logs. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enabled`](#parameter-enabled) | bool | If the flow log should be enabled. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`formatVersion`](#parameter-formatversion) | int | The flow log format version. |
-| [`location`](#parameter-location) | string | Location for all resources. |
-| [`name`](#parameter-name) | string | Name of the resource. |
-| [`networkWatcherName`](#parameter-networkwatchername) | string | Name of the network watcher resource. Must be in the resource group where the Flow log will be created and same region as the NSG. |
-| [`retentionInDays`](#parameter-retentionindays) | int | Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. |
-| [`tags`](#parameter-tags) | object | Tags of the resource. |
-| [`trafficAnalyticsInterval`](#parameter-trafficanalyticsinterval) | int | The interval in minutes which would decide how frequently TA service should do flow analytics. |
-| [`workspaceResourceId`](#parameter-workspaceresourceid) | string | Specify the Log Analytics Workspace Resource ID. |
-
-### Parameter: `storageId`
-
-Resource ID of the diagnostic storage account.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `targetResourceId`
-
-Resource ID of the NSG that must be enabled for Flow Logs.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enabled`
-
-If the flow log should be enabled.
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `formatVersion`
-
-The flow log format version.
-
-- Required: No
-- Type: int
-- Default: `2`
-- Allowed:
- ```Bicep
- [
- 1
- 2
- ]
- ```
-
-### Parameter: `location`
-
-Location for all resources.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-### Parameter: `name`
-
-Name of the resource.
-
-- Required: No
-- Type: string
-- Default: `[format('{0}-{1}-flowlog', last(split(parameters('targetResourceId'), '/')), split(parameters('targetResourceId'), '/')[4])]`
-
-### Parameter: `networkWatcherName`
-
-Name of the network watcher resource. Must be in the resource group where the Flow log will be created and same region as the NSG.
-
-- Required: No
-- Type: string
-- Default: `[format('NetworkWatcher_{0}', resourceGroup().location)]`
-
-### Parameter: `retentionInDays`
-
-Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.
-
-- Required: No
-- Type: int
-- Default: `365`
-
-### Parameter: `tags`
-
-Tags of the resource.
-
-- Required: No
-- Type: object
-
-### Parameter: `trafficAnalyticsInterval`
-
-The interval in minutes which would decide how frequently TA service should do flow analytics.
-
-- Required: No
-- Type: int
-- Default: `60`
-- Allowed:
- ```Bicep
- [
- 10
- 60
- ]
- ```
-
-### Parameter: `workspaceResourceId`
-
-Specify the Log Analytics Workspace Resource ID.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the flow log. |
-| `resourceGroupName` | string | The resource group the flow log was deployed into. |
-| `resourceId` | string | The resource ID of the flow log. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/network/network-watcher/flow-log/main.bicep b/modules/network/network-watcher/flow-log/main.bicep
deleted file mode 100644
index b1bbb833a5..0000000000
--- a/modules/network/network-watcher/flow-log/main.bicep
+++ /dev/null
@@ -1,110 +0,0 @@
-metadata name = 'NSG Flow Logs'
-metadata description = '''This module controls the Network Security Group Flow Logs and analytics settings.
-**Note: this module must be run on the Resource Group where Network Watcher is deployed**'''
-metadata owner = 'Azure/module-maintainers'
-
-@description('Optional. Name of the network watcher resource. Must be in the resource group where the Flow log will be created and same region as the NSG.')
-param networkWatcherName string = 'NetworkWatcher_${resourceGroup().location}'
-
-@description('Optional. Name of the resource.')
-param name string = '${last(split(targetResourceId, '/'))}-${split(targetResourceId, '/')[4]}-flowlog'
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Required. Resource ID of the NSG that must be enabled for Flow Logs.')
-param targetResourceId string
-
-@description('Required. Resource ID of the diagnostic storage account.')
-param storageId string
-
-@description('Optional. If the flow log should be enabled.')
-param enabled bool = true
-
-@description('Optional. The flow log format version.')
-@allowed([
- 1
- 2
-])
-param formatVersion int = 2
-
-@description('Optional. Specify the Log Analytics Workspace Resource ID.')
-param workspaceResourceId string = ''
-
-@description('Optional. The interval in minutes which would decide how frequently TA service should do flow analytics.')
-@allowed([
- 10
- 60
-])
-param trafficAnalyticsInterval int = 60
-
-@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.')
-@minValue(0)
-@maxValue(365)
-param retentionInDays int = 365
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var flowAnalyticsConfiguration = !empty(workspaceResourceId) && enabled == true ? {
- networkWatcherFlowAnalyticsConfiguration: {
- enabled: true
- workspaceResourceId: workspaceResourceId
- trafficAnalyticsInterval: trafficAnalyticsInterval
- }
-} : {
- networkWatcherFlowAnalyticsConfiguration: {
- enabled: false
- }
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource networkWatcher 'Microsoft.Network/networkWatchers@2023-04-01' existing = {
- name: networkWatcherName
-}
-
-resource flowLog 'Microsoft.Network/networkWatchers/flowLogs@2023-04-01' = {
- name: name
- parent: networkWatcher
- tags: tags
- location: location
- properties: {
- targetResourceId: targetResourceId
- storageId: storageId
- enabled: enabled
- retentionPolicy: {
- days: retentionInDays
- enabled: retentionInDays == 0 ? false : true
- }
- format: {
- type: 'JSON'
- version: formatVersion
- }
- flowAnalyticsConfiguration: flowAnalyticsConfiguration
- }
-}
-@description('The name of the flow log.')
-output name string = flowLog.name
-
-@description('The resource ID of the flow log.')
-output resourceId string = flowLog.id
-
-@description('The resource group the flow log was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = flowLog.location
diff --git a/modules/network/network-watcher/flow-log/main.json b/modules/network/network-watcher/flow-log/main.json
deleted file mode 100644
index 43b245b827..0000000000
--- a/modules/network/network-watcher/flow-log/main.json
+++ /dev/null
@@ -1,188 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2197507893118006956" - }, - "name": "NSG Flow Logs", - "description": "This module controls the Network Security Group Flow Logs and analytics settings.\n**Note: this module must be run on the Resource Group where Network Watcher is deployed**", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "networkWatcherName": { - "type": "string", - "defaultValue": "[format('NetworkWatcher_{0}', resourceGroup().location)]", - "metadata": { - "description": "Optional. Name of the network watcher resource. Must be in the resource group where the Flow log will be created and same region as the NSG." - } - }, - "name": { - "type": "string", - "defaultValue": "[format('{0}-{1}-flowlog', last(split(parameters('targetResourceId'), '/')), split(parameters('targetResourceId'), '/')[4])]", - "metadata": { - "description": "Optional. Name of the resource." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "targetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the NSG that must be enabled for Flow Logs." - } - }, - "storageId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the diagnostic storage account." - } - }, - "enabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. If the flow log should be enabled." 
- } - }, - "formatVersion": { - "type": "int", - "defaultValue": 2, - "allowedValues": [ - 1, - 2 - ], - "metadata": { - "description": "Optional. The flow log format version." - } - }, - "workspaceResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specify the Log Analytics Workspace Resource ID." - } - }, - "trafficAnalyticsInterval": { - "type": "int", - "defaultValue": 60, - "allowedValues": [ - 10, - 60 - ], - "metadata": { - "description": "Optional. The interval in minutes which would decide how frequently TA service should do flow analytics." - } - }, - "retentionInDays": { - "type": "int", - "defaultValue": 365, - "minValue": 0, - "maxValue": 365, - "metadata": { - "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "flowAnalyticsConfiguration": "[if(and(not(empty(parameters('workspaceResourceId'))), equals(parameters('enabled'), true())), createObject('networkWatcherFlowAnalyticsConfiguration', createObject('enabled', true(), 'workspaceResourceId', parameters('workspaceResourceId'), 'trafficAnalyticsInterval', parameters('trafficAnalyticsInterval'))), createObject('networkWatcherFlowAnalyticsConfiguration', createObject('enabled', false())))]" - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "networkWatcher": { - "existing": true, - "type": "Microsoft.Network/networkWatchers", - "apiVersion": "2023-04-01", - "name": "[parameters('networkWatcherName')]" - }, - "flowLog": { - "type": "Microsoft.Network/networkWatchers/flowLogs", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('networkWatcherName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "location": "[parameters('location')]", - "properties": { - "targetResourceId": "[parameters('targetResourceId')]", - "storageId": "[parameters('storageId')]", - "enabled": "[parameters('enabled')]", - "retentionPolicy": { - "days": "[parameters('retentionInDays')]", - "enabled": "[if(equals(parameters('retentionInDays'), 0), false(), true())]" - }, - "format": { - "type": "JSON", - "version": "[parameters('formatVersion')]" - }, - "flowAnalyticsConfiguration": "[variables('flowAnalyticsConfiguration')]" - }, - "dependsOn": [ - "networkWatcher" - ] - } - }, - "outputs": { - "name": { - "type": "string", - 
"metadata": { - "description": "The name of the flow log." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the flow log." - }, - "value": "[resourceId('Microsoft.Network/networkWatchers/flowLogs', parameters('networkWatcherName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the flow log was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('flowLog', '2023-04-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/network-watcher/flow-log/version.json b/modules/network/network-watcher/flow-log/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/network/network-watcher/flow-log/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/network-watcher/main.bicep b/modules/network/network-watcher/main.bicep deleted file mode 100644 index 4cde8cc540..0000000000 --- a/modules/network/network-watcher/main.bicep +++ /dev/null 
@@ -1,158 +0,0 @@
-metadata name = 'Network Watchers'
-metadata description = 'This module deploys a Network Watcher.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Optional. Name of the Network Watcher resource (hidden).')
-@minLength(1)
-param name string = 'NetworkWatcher_${location}'
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Array that contains the Connection Monitors.')
-param connectionMonitors array = []
-
-@description('Optional. Array that contains the Flow Logs.')
-param flowLogs array = []
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource networkWatcher 'Microsoft.Network/networkWatchers@2023-04-01' = {
- name: name
- location: location
- tags: tags
- properties: {}
-}
-
-resource networkWatcher_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: networkWatcher
-}
-
-resource networkWatcher_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(networkWatcher.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: networkWatcher
-}]
-
-module networkWatcher_connectionMonitors 'connection-monitor/main.bicep' = [for (connectionMonitor, index) in connectionMonitors: {
- name: '${uniqueString(deployment().name, location)}-NW-ConnectionMonitor-${index}'
- params: {
- endpoints: contains(connectionMonitor, 'endpoints') ? connectionMonitor.endpoints : []
- name: connectionMonitor.name
- networkWatcherName: networkWatcher.name
- testConfigurations: contains(connectionMonitor, 'testConfigurations') ? connectionMonitor.testConfigurations : []
- testGroups: contains(connectionMonitor, 'testGroups') ? connectionMonitor.testGroups : []
- workspaceResourceId: contains(connectionMonitor, 'workspaceResourceId') ? connectionMonitor.workspaceResourceId : ''
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module networkWatcher_flowLogs 'flow-log/main.bicep' = [for (flowLog, index) in flowLogs: {
- name: '${uniqueString(deployment().name, location)}-NW-FlowLog-${index}'
- params: {
- enabled: contains(flowLog, 'enabled') ? flowLog.enabled : true
- formatVersion: contains(flowLog, 'formatVersion') ? flowLog.formatVersion : 2
- location: contains(flowLog, 'location') ? flowLog.location : location
- name: contains(flowLog, 'name') ? flowLog.name : '${last(split(flowLog.targetResourceId, '/'))}-${split(flowLog.targetResourceId, '/')[4]}-flowlog'
- networkWatcherName: networkWatcher.name
- retentionInDays: contains(flowLog, 'retentionInDays') ? flowLog.retentionInDays : 365
- storageId: flowLog.storageId
- targetResourceId: flowLog.targetResourceId
- trafficAnalyticsInterval: contains(flowLog, 'trafficAnalyticsInterval') ? flowLog.trafficAnalyticsInterval : 60
- workspaceResourceId: contains(flowLog, 'workspaceResourceId') ? flowLog.workspaceResourceId : ''
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-@description('The name of the deployed network watcher.')
-output name string = networkWatcher.name
-
-@description('The resource ID of the deployed network watcher.')
-output resourceId string = networkWatcher.id
-
-@description('The resource group the network watcher was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = networkWatcher.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/network/network-watcher/main.json b/modules/network/network-watcher/main.json
deleted file mode 100644
index aa3112d351..0000000000
--- a/modules/network/network-watcher/main.json
+++ /dev/null
@@ -1,676 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10879972113485324121" - }, - "name": "Network Watchers", - "description": "This module deploys a Network Watcher.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "defaultValue": "[format('NetworkWatcher_{0}', parameters('location'))]", - "minLength": 1, - "metadata": { - "description": "Optional. Name of the Network Watcher resource (hidden)." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "connectionMonitors": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array that contains the Connection Monitors." - } - }, - "flowLogs": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array that contains the Flow Logs." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "networkWatcher": { - "type": "Microsoft.Network/networkWatchers", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": {} - }, - "networkWatcher_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), 
not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/networkWatchers/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "networkWatcher" - ] - }, - "networkWatcher_roleAssignments": { - "copy": { - "name": "networkWatcher_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/networkWatchers/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/networkWatchers', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": 
"[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "networkWatcher" - ] - }, - "networkWatcher_connectionMonitors": { - "copy": { - "name": "networkWatcher_connectionMonitors", - "count": "[length(parameters('connectionMonitors'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-NW-ConnectionMonitor-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "endpoints": "[if(contains(parameters('connectionMonitors')[copyIndex()], 'endpoints'), createObject('value', parameters('connectionMonitors')[copyIndex()].endpoints), createObject('value', createArray()))]", - "name": { - "value": "[parameters('connectionMonitors')[copyIndex()].name]" - }, - "networkWatcherName": { - "value": "[parameters('name')]" - }, - "testConfigurations": "[if(contains(parameters('connectionMonitors')[copyIndex()], 'testConfigurations'), createObject('value', parameters('connectionMonitors')[copyIndex()].testConfigurations), createObject('value', createArray()))]", - "testGroups": 
"[if(contains(parameters('connectionMonitors')[copyIndex()], 'testGroups'), createObject('value', parameters('connectionMonitors')[copyIndex()].testGroups), createObject('value', createArray()))]", - "workspaceResourceId": "[if(contains(parameters('connectionMonitors')[copyIndex()], 'workspaceResourceId'), createObject('value', parameters('connectionMonitors')[copyIndex()].workspaceResourceId), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15782320161408670286" - }, - "name": "Network Watchers Connection Monitors", - "description": "This module deploys a Network Watcher Connection Monitor.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "networkWatcherName": { - "type": "string", - "defaultValue": "[format('NetworkWatcher_{0}', resourceGroup().location)]", - "metadata": { - "description": "Optional. Name of the network watcher resource. Must be in the resource group where the Flow log will be created and same region as the NSG." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the resource." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "endpoints": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of connection monitor endpoints." - } - }, - "testConfigurations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. 
List of connection monitor test configurations." - } - }, - "testGroups": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of connection monitor test groups." - } - }, - "workspaceResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specify the Log Analytics Workspace Resource ID." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "outputs": "[if(not(empty(parameters('workspaceResourceId'))), createArray(createObject('type', 'Workspace', 'workspaceSettings', createObject('workspaceResourceId', parameters('workspaceResourceId')))), null())]" - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "networkWatcher": { - "existing": true, - "type": "Microsoft.Network/networkWatchers", - "apiVersion": "2023-04-01", - "name": "[parameters('networkWatcherName')]" - }, - "connectionMonitor": { - "type": "Microsoft.Network/networkWatchers/connectionMonitors", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('networkWatcherName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "location": "[parameters('location')]", - "properties": { - "endpoints": "[parameters('endpoints')]", - "testConfigurations": "[parameters('testConfigurations')]", - "testGroups": "[parameters('testGroups')]", - "outputs": "[variables('outputs')]" - }, - 
"dependsOn": [ - "networkWatcher" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed connection monitor." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed connection monitor." - }, - "value": "[resourceId('Microsoft.Network/networkWatchers/connectionMonitors', parameters('networkWatcherName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the connection monitor was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('connectionMonitor', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "networkWatcher" - ] - }, - "networkWatcher_flowLogs": { - "copy": { - "name": "networkWatcher_flowLogs", - "count": "[length(parameters('flowLogs'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-NW-FlowLog-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "enabled": "[if(contains(parameters('flowLogs')[copyIndex()], 'enabled'), createObject('value', parameters('flowLogs')[copyIndex()].enabled), createObject('value', true()))]", - "formatVersion": "[if(contains(parameters('flowLogs')[copyIndex()], 'formatVersion'), createObject('value', parameters('flowLogs')[copyIndex()].formatVersion), createObject('value', 2))]", - "location": "[if(contains(parameters('flowLogs')[copyIndex()], 'location'), createObject('value', parameters('flowLogs')[copyIndex()].location), createObject('value', parameters('location')))]", - "name": 
"[if(contains(parameters('flowLogs')[copyIndex()], 'name'), createObject('value', parameters('flowLogs')[copyIndex()].name), createObject('value', format('{0}-{1}-flowlog', last(split(parameters('flowLogs')[copyIndex()].targetResourceId, '/')), split(parameters('flowLogs')[copyIndex()].targetResourceId, '/')[4])))]", - "networkWatcherName": { - "value": "[parameters('name')]" - }, - "retentionInDays": "[if(contains(parameters('flowLogs')[copyIndex()], 'retentionInDays'), createObject('value', parameters('flowLogs')[copyIndex()].retentionInDays), createObject('value', 365))]", - "storageId": { - "value": "[parameters('flowLogs')[copyIndex()].storageId]" - }, - "targetResourceId": { - "value": "[parameters('flowLogs')[copyIndex()].targetResourceId]" - }, - "trafficAnalyticsInterval": "[if(contains(parameters('flowLogs')[copyIndex()], 'trafficAnalyticsInterval'), createObject('value', parameters('flowLogs')[copyIndex()].trafficAnalyticsInterval), createObject('value', 60))]", - "workspaceResourceId": "[if(contains(parameters('flowLogs')[copyIndex()], 'workspaceResourceId'), createObject('value', parameters('flowLogs')[copyIndex()].workspaceResourceId), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2197507893118006956" - }, - "name": "NSG Flow Logs", - "description": "This module controls the Network Security Group Flow Logs and analytics settings.\n**Note: this module must be run on the Resource Group where Network Watcher is deployed**", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "networkWatcherName": { - "type": "string", - "defaultValue": "[format('NetworkWatcher_{0}', 
resourceGroup().location)]", - "metadata": { - "description": "Optional. Name of the network watcher resource. Must be in the resource group where the Flow log will be created and same region as the NSG." - } - }, - "name": { - "type": "string", - "defaultValue": "[format('{0}-{1}-flowlog', last(split(parameters('targetResourceId'), '/')), split(parameters('targetResourceId'), '/')[4])]", - "metadata": { - "description": "Optional. Name of the resource." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "targetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the NSG that must be enabled for Flow Logs." - } - }, - "storageId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the diagnostic storage account." - } - }, - "enabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. If the flow log should be enabled." - } - }, - "formatVersion": { - "type": "int", - "defaultValue": 2, - "allowedValues": [ - 1, - 2 - ], - "metadata": { - "description": "Optional. The flow log format version." - } - }, - "workspaceResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specify the Log Analytics Workspace Resource ID." - } - }, - "trafficAnalyticsInterval": { - "type": "int", - "defaultValue": 60, - "allowedValues": [ - 10, - 60 - ], - "metadata": { - "description": "Optional. The interval in minutes which would decide how frequently TA service should do flow analytics." - } - }, - "retentionInDays": { - "type": "int", - "defaultValue": 365, - "minValue": 0, - "maxValue": 365, - "metadata": { - "description": "Optional. 
Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "flowAnalyticsConfiguration": "[if(and(not(empty(parameters('workspaceResourceId'))), equals(parameters('enabled'), true())), createObject('networkWatcherFlowAnalyticsConfiguration', createObject('enabled', true(), 'workspaceResourceId', parameters('workspaceResourceId'), 'trafficAnalyticsInterval', parameters('trafficAnalyticsInterval'))), createObject('networkWatcherFlowAnalyticsConfiguration', createObject('enabled', false())))]" - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "networkWatcher": { - "existing": true, - "type": "Microsoft.Network/networkWatchers", - "apiVersion": "2023-04-01", - "name": "[parameters('networkWatcherName')]" - }, - "flowLog": { - "type": "Microsoft.Network/networkWatchers/flowLogs", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('networkWatcherName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "location": "[parameters('location')]", - "properties": { - "targetResourceId": "[parameters('targetResourceId')]", - "storageId": "[parameters('storageId')]", - "enabled": "[parameters('enabled')]", - "retentionPolicy": { - "days": "[parameters('retentionInDays')]", - "enabled": "[if(equals(parameters('retentionInDays'), 0), 
false(), true())]" - }, - "format": { - "type": "JSON", - "version": "[parameters('formatVersion')]" - }, - "flowAnalyticsConfiguration": "[variables('flowAnalyticsConfiguration')]" - }, - "dependsOn": [ - "networkWatcher" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the flow log." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the flow log." - }, - "value": "[resourceId('Microsoft.Network/networkWatchers/flowLogs', parameters('networkWatcherName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the flow log was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('flowLog', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "networkWatcher" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed network watcher." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed network watcher." - }, - "value": "[resourceId('Microsoft.Network/networkWatchers', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the network watcher was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('networkWatcher', '2023-04-01', 'full').location]" - } - } -} \ No newline at end of file 
diff --git a/modules/network/network-watcher/tests/e2e/defaults/main.test.bicep b/modules/network/network-watcher/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index c05b464bdb..0000000000
--- a/modules/network/network-watcher/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,48 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'NetworkWatcherRG' // Note, this is the default NetworkWatcher resource group. Do not change.
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nnwmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-#disable-next-line no-hardcoded-location // Disabled as the default RG & location are created in always one location, but each test has to deploy into a different one
-var testLocation = 'northeurope'
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- // Note: This value is not required and only set to enable testing
- location: testLocation
- }
-}]
diff --git a/modules/network/network-watcher/tests/e2e/max/dependencies.bicep b/modules/network/network-watcher/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index c20f841f30..0000000000
--- a/modules/network/network-watcher/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,144 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the first Network Security Group to create.')
-param firstNetworkSecurityGroupName string
-
-@description('Required. The name of the second Network Security Group to create.')
-param secondNetworkSecurityGroupName string
-
-@description('Required. The name of the Virtual Machine to create.')
-param virtualMachineName string
-
-@description('Optional. The password to leverage for the VM login.')
-@secure()
-param password string = newGuid()
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource firstNetworkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
- name: firstNetworkSecurityGroupName
- location: location
-}
-
-resource secondNetworkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
- name: secondNetworkSecurityGroupName
- location: location
-}
-
-resource networkInterface 'Microsoft.Network/networkInterfaces@2023-04-01' = {
- name: '${virtualMachineName}-nic'
- location: location
- properties: {
- ipConfigurations: [
- {
- name: 'ipconfig01'
- properties: {
- subnet: {
- id: virtualNetwork.properties.subnets[0].id
- }
- }
- }
- ]
- }
-}
-
-resource virtualMachine 'Microsoft.Compute/virtualMachines@2022-08-01' = {
- name: virtualMachineName
- location: location
- properties: {
- networkProfile: {
- networkInterfaces: [
- {
- id: networkInterface.id
- properties: {
- deleteOption: 'Delete'
- primary: true
- }
- }
- ]
- }
- storageProfile: {
- imageReference: {
- publisher: 'Canonical'
- offer: '0001-com-ubuntu-server-jammy'
- sku: '22_04-lts-gen2'
- version: 'latest'
- }
- osDisk: {
- deleteOption: 'Delete'
- createOption: 'FromImage'
- }
- }
- hardwareProfile: {
- vmSize: 'Standard_B1ms'
- }
- osProfile: {
- adminUsername: '${virtualMachineName}cake'
- adminPassword: password
- computerName: virtualMachineName
- linuxConfiguration: {
- disablePasswordAuthentication: false
- }
- }
- }
-}
-
-resource extension 'Microsoft.Compute/virtualMachines/extensions@2021-07-01' = {
- name: 'NetworkWatcherAgent'
- parent: virtualMachine
- location: location
- properties: {
- publisher: 'Microsoft.Azure.NetworkWatcher'
- type: 'NetworkWatcherAgentLinux'
- typeHandlerVersion: '1.4'
- autoUpgradeMinorVersion: true
- enableAutomaticUpgrade: false
- settings: {}
- protectedSettings: {}
- suppressFailures: false
- }
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Virtual Machine.')
-output virtualMachineResourceId string = virtualMachine.id
-
-@description('The resource ID of the first created Network Security Group.')
-output firstNetworkSecurityGroupResourceId string = firstNetworkSecurityGroup.id
-
-@description('The resource ID of the second created Network Security Group.')
-output secondNetworkSecurityGroupResourceId string = secondNetworkSecurityGroup.id
diff --git a/modules/network/network-watcher/tests/e2e/max/main.test.bicep b/modules/network/network-watcher/tests/e2e/max/main.test.bicep
deleted file mode 100644
index c453c48b8d..0000000000
--- a/modules/network/network-watcher/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,169 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'NetworkWatcherRG' // Note, this is the default NetworkWatcher resource group. Do not change.
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nnwmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- firstNetworkSecurityGroupName: 'dep-${namePrefix}-nsg-1-${serviceShort}'
- secondNetworkSecurityGroupName: 'dep-${namePrefix}-nsg-2-${serviceShort}'
- virtualMachineName: 'dep-${namePrefix}-vm-${serviceShort}'
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- location: location
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-#disable-next-line no-hardcoded-location // Disabled as the default RG & location are created in always one location, but each test has to deploy into a different one
-var testLocation = 'westeurope'
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: 'NetworkWatcher_${testLocation}'
- location: testLocation
- connectionMonitors: [
- {
- name: '${namePrefix}-${serviceShort}-cm-001'
- endpoints: [
- {
- name: '${namePrefix}-subnet-001(${resourceGroup.name})'
- resourceId: nestedDependencies.outputs.virtualMachineResourceId
- type: 'AzureVM'
- }
- {
- address: 'www.bing.com'
- name: 'Bing'
- type: 'ExternalAddress'
- }
- ]
- testConfigurations: [
- {
- httpConfiguration: {
- method: 'Get'
- port: 80
- preferHTTPS: false
- requestHeaders: []
- validStatusCodeRanges: [
- '200'
- ]
- }
- name: 'HTTP Bing Test'
- protocol: 'Http'
- successThreshold: {
- checksFailedPercent: 5
- roundTripTimeMs: 100
- }
- testFrequencySec: 30
- }
- ]
- testGroups: [
- {
- destinations: [
- 'Bing'
- ]
- disable: false
- name: 'test-http-Bing'
- sources: [
- '${namePrefix}-subnet-001(${resourceGroup.name})'
- ]
- testConfigurations: [
- 'HTTP Bing Test'
- ]
- }
- ]
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- flowLogs: [
- {
- enabled: false
- storageId: diagnosticDependencies.outputs.storageAccountResourceId
- targetResourceId: nestedDependencies.outputs.firstNetworkSecurityGroupResourceId
- }
- {
- formatVersion: 1
- name: '${namePrefix}-${serviceShort}-fl-001'
- retentionInDays: 8
- storageId: diagnosticDependencies.outputs.storageAccountResourceId
- targetResourceId: nestedDependencies.outputs.secondNetworkSecurityGroupResourceId
- trafficAnalyticsInterval: 10
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/network-watcher/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/network-watcher/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index c20f841f30..0000000000
--- a/modules/network/network-watcher/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,144 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the first Network Security Group to create.')
-param firstNetworkSecurityGroupName string
-
-@description('Required. The name of the second Network Security Group to create.')
-param secondNetworkSecurityGroupName string
-
-@description('Required. The name of the Virtual Machine to create.')
-param virtualMachineName string
-
-@description('Optional. The password to leverage for the VM login.')
-@secure()
-param password string = newGuid()
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource firstNetworkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
- name: firstNetworkSecurityGroupName
- location: location
-}
-
-resource secondNetworkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
- name: secondNetworkSecurityGroupName
- location: location
-}
-
-resource networkInterface 'Microsoft.Network/networkInterfaces@2023-04-01' = {
- name: '${virtualMachineName}-nic'
- location: location
- properties: {
- ipConfigurations: [
- {
- name: 'ipconfig01'
- properties: {
- subnet: {
- id: virtualNetwork.properties.subnets[0].id
- }
- }
- }
- ]
- }
-}
-
-resource virtualMachine 'Microsoft.Compute/virtualMachines@2022-08-01' = {
- name: virtualMachineName
- location: location
- properties: {
- networkProfile: {
- networkInterfaces: [
- {
- id: networkInterface.id
- properties: {
- deleteOption: 'Delete'
- primary: true
- }
- }
- ]
- }
- storageProfile: {
- imageReference: {
- publisher: 'Canonical'
- offer: '0001-com-ubuntu-server-jammy'
- sku: '22_04-lts-gen2'
- version: 'latest'
- }
- osDisk: {
- deleteOption: 'Delete'
- createOption: 'FromImage'
- }
- }
- hardwareProfile: {
- vmSize: 'Standard_B1ms'
- }
- osProfile: {
- adminUsername: '${virtualMachineName}cake'
- adminPassword: password
- computerName: virtualMachineName
- linuxConfiguration: {
- disablePasswordAuthentication: false
- }
- }
- }
-}
-
-resource extension 'Microsoft.Compute/virtualMachines/extensions@2021-07-01' = {
- name: 'NetworkWatcherAgent'
- parent: virtualMachine
- location: location
- properties: {
- publisher: 'Microsoft.Azure.NetworkWatcher'
- type: 'NetworkWatcherAgentLinux'
- typeHandlerVersion: '1.4'
- autoUpgradeMinorVersion: true
- enableAutomaticUpgrade: false
- settings: {}
- protectedSettings: {}
- suppressFailures: false
- }
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Virtual Machine.')
-output virtualMachineResourceId string = virtualMachine.id
-
-@description('The resource ID of the first created Network Security Group.')
-output firstNetworkSecurityGroupResourceId string = firstNetworkSecurityGroup.id
-
-@description('The resource ID of the second created Network Security Group.')
-output secondNetworkSecurityGroupResourceId string = secondNetworkSecurityGroup.id
diff --git a/modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep b/modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 0753347fd0..0000000000
--- a/modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,152 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'NetworkWatcherRG' // Note, this is the default NetworkWatcher resource group. Do not change. - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nnwwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - firstNetworkSecurityGroupName: 'dep-${namePrefix}-nsg-1-${serviceShort}' - secondNetworkSecurityGroupName: 'dep-${namePrefix}-nsg-2-${serviceShort}' - virtualMachineName: 'dep-${namePrefix}-vm-${serviceShort}' - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - location: location - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: 
'${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // -#disable-next-line no-hardcoded-location // Disabled as the default RG & location are created in always one location, but each test has to deploy into a different one -var testLocation = 'westeurope' -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: 'NetworkWatcher_${testLocation}' - location: testLocation - connectionMonitors: [ - { - name: '${namePrefix}-${serviceShort}-cm-001' - endpoints: [ - { - name: '${namePrefix}-subnet-001(${resourceGroup.name})' - resourceId: nestedDependencies.outputs.virtualMachineResourceId - type: 'AzureVM' - } - { - address: 'www.bing.com' - name: 'Bing' - type: 'ExternalAddress' - } - ] - testConfigurations: [ - { - httpConfiguration: { - method: 'Get' - port: 80 - preferHTTPS: false - requestHeaders: [] - validStatusCodeRanges: [ - '200' - ] - } - name: 'HTTP Bing Test' - protocol: 'Http' - successThreshold: { - checksFailedPercent: 5 - roundTripTimeMs: 100 - } - testFrequencySec: 30 - } - ] - testGroups: [ - { - destinations: [ - 'Bing' - ] - disable: false - name: 'test-http-Bing' - sources: [ - '${namePrefix}-subnet-001(${resourceGroup.name})' - ] - testConfigurations: [ - 'HTTP Bing Test' - ] - } - ] - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - flowLogs: [ - { - enabled: false - storageId: 
diagnosticDependencies.outputs.storageAccountResourceId - targetResourceId: nestedDependencies.outputs.firstNetworkSecurityGroupResourceId - } - { - formatVersion: 1 - name: '${namePrefix}-${serviceShort}-fl-001' - retentionInDays: 8 - storageId: diagnosticDependencies.outputs.storageAccountResourceId - targetResourceId: nestedDependencies.outputs.secondNetworkSecurityGroupResourceId - trafficAnalyticsInterval: 10 - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/network/network-watcher/version.json b/modules/network/network-watcher/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/network/network-watcher/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/private-dns-zone/MOVED-TO-AVM.md b/modules/network/private-dns-zone/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/network/private-dns-zone/MOVED-TO-AVM.md +++ /dev/null @@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/network/private-dns-zone/README.md b/modules/network/private-dns-zone/README.md index cb8de05f03..7ba61f3a34 100644 --- a/modules/network/private-dns-zone/README.md +++ b/modules/network/private-dns-zone/README.md @@ -1,1171 +1,7 @@ -# Private DNS Zones `[Microsoft.Network/privateDnsZones]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/private-dns-zone](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/private-dns-zone).** -This module deploys a Private DNS zone. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/private-dns-zone). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/privateDnsZones` | [2020-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones) | -| `Microsoft.Network/privateDnsZones/A` | [2020-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/A) | -| `Microsoft.Network/privateDnsZones/AAAA` | [2020-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/AAAA) | -| `Microsoft.Network/privateDnsZones/CNAME` | [2020-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/CNAME) | -| 
`Microsoft.Network/privateDnsZones/MX` | [2020-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/MX) | -| `Microsoft.Network/privateDnsZones/PTR` | [2020-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/PTR) | -| `Microsoft.Network/privateDnsZones/SOA` | [2020-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/SOA) | -| `Microsoft.Network/privateDnsZones/SRV` | [2020-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/SRV) | -| `Microsoft.Network/privateDnsZones/TXT` | [2020-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/TXT) | -| `Microsoft.Network/privateDnsZones/virtualNetworkLinks` | [2020-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/virtualNetworkLinks) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.private-dns-zone:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-npdzmin' - params: { - // Required parameters - name: 'npdzmin001.com' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "npdzmin001.com" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-npdzmax' - params: { - // Required parameters - name: 'npdzmax001.com' - // Non-required parameters - a: [ - { - aRecords: [ - { - ipv4Address: '10.240.4.4' - } - ] - name: 'A_10.240.4.4' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - ttl: 3600 - } - ] - aaaa: [ - { - aaaaRecords: [ - { - ipv6Address: '2001:0db8:85a3:0000:0000:8a2e:0370:7334' - } - ] - name: 'AAAA_2001_0db8_85a3_0000_0000_8a2e_0370_7334' - ttl: 3600 - } - ] - cname: [ - { - cnameRecord: { - cname: 'test' - } - name: 'CNAME_test' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - ttl: 3600 - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - mx: [ - { - mxRecords: [ - { - exchange: 'contoso.com' - preference: 100 - } - ] - name: 'MX_contoso' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - ttl: 3600 - } - ] - ptr: [ - { - name: 'PTR_contoso' - ptrRecords: [ - { - ptrdname: 'contoso.com' - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - ttl: 3600 - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - soa: [ - { - name: '@' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - soaRecord: { - email: 'azureprivatedns-host.microsoft.com' - expireTime: 2419200 - host: 'azureprivatedns.net' - minimumTtl: 10 - refreshTime: 3600 - retryTime: 300 - serialNumber: '1' - } - ttl: 3600 - } - ] - srv: [ - { - name: 'SRV_contoso' - roleAssignments: [ - { - 
principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - srvRecords: [ - { - port: 9332 - priority: 0 - target: 'test.contoso.com' - weight: 0 - } - ] - ttl: 3600 - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - txt: [ - { - name: 'TXT_test' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - ttl: 3600 - txtRecords: [ - { - value: [ - 'test' - ] - } - ] - } - ] - virtualNetworkLinks: [ - { - registrationEnabled: true - virtualNetworkResourceId: '' - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "npdzmax001.com" - }, - // Non-required parameters - "a": { - "value": [ - { - "aRecords": [ - { - "ipv4Address": "10.240.4.4" - } - ], - "name": "A_10.240.4.4", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "ttl": 3600 - } - ] - }, - "aaaa": { - "value": [ - { - "aaaaRecords": [ - { - "ipv6Address": "2001:0db8:85a3:0000:0000:8a2e:0370:7334" - } - ], - "name": "AAAA_2001_0db8_85a3_0000_0000_8a2e_0370_7334", - "ttl": 3600 - } - ] - }, - "cname": { - "value": [ - { - "cnameRecord": { - "cname": "test" - }, - "name": "CNAME_test", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "ttl": 3600 - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "mx": { - "value": [ - { - "mxRecords": [ - { - "exchange": "contoso.com", - "preference": 100 - } - ], - "name": "MX_contoso", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "ttl": 3600 - } - ] - }, - "ptr": { - "value": [ - { - "name": "PTR_contoso", - "ptrRecords": [ - { - "ptrdname": "contoso.com" - } - ], - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "ttl": 3600 - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "soa": { - "value": [ - { - "name": "@", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", 
- "roleDefinitionIdOrName": "Reader" - } - ], - "soaRecord": { - "email": "azureprivatedns-host.microsoft.com", - "expireTime": 2419200, - "host": "azureprivatedns.net", - "minimumTtl": 10, - "refreshTime": 3600, - "retryTime": 300, - "serialNumber": "1" - }, - "ttl": 3600 - } - ] - }, - "srv": { - "value": [ - { - "name": "SRV_contoso", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "srvRecords": [ - { - "port": 9332, - "priority": 0, - "target": "test.contoso.com", - "weight": 0 - } - ], - "ttl": 3600 - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "txt": { - "value": [ - { - "name": "TXT_test", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "ttl": 3600, - "txtRecords": [ - { - "value": [ - "test" - ] - } - ] - } - ] - }, - "virtualNetworkLinks": { - "value": [ - { - "registrationEnabled": true, - "virtualNetworkResourceId": "" - } - ] - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-npdzwaf' - params: { - // Required parameters - name: 'npdzwaf001.com' - // Non-required parameters - a: [ - { - aRecords: [ - { - ipv4Address: '10.240.4.4' - } - ] - name: 'A_10.240.4.4' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - ttl: 3600 - } - ] - aaaa: [ - { - aaaaRecords: [ - { - ipv6Address: '2001:0db8:85a3:0000:0000:8a2e:0370:7334' - } - ] - name: 'AAAA_2001_0db8_85a3_0000_0000_8a2e_0370_7334' - ttl: 3600 - } - ] - cname: [ - { - cnameRecord: { - cname: 'test' - } - name: 'CNAME_test' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - ttl: 3600 - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - mx: [ - { - mxRecords: [ - { - exchange: 'contoso.com' - preference: 100 - } - ] - name: 'MX_contoso' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - ttl: 3600 - } - ] - ptr: [ - { - name: 'PTR_contoso' - ptrRecords: [ - { - ptrdname: 'contoso.com' - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - ttl: 3600 - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - soa: [ - { - name: '@' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - soaRecord: { - email: 'azureprivatedns-host.microsoft.com' - expireTime: 2419200 - host: 'azureprivatedns.net' - minimumTtl: 10 - refreshTime: 3600 - retryTime: 300 - serialNumber: '1' - } - ttl: 3600 - } - ] - srv: [ - { - name: 'SRV_contoso' - roleAssignments: [ - { - 
principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - srvRecords: [ - { - port: 9332 - priority: 0 - target: 'test.contoso.com' - weight: 0 - } - ] - ttl: 3600 - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - txt: [ - { - name: 'TXT_test' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - ttl: 3600 - txtRecords: [ - { - value: [ - 'test' - ] - } - ] - } - ] - virtualNetworkLinks: [ - { - registrationEnabled: true - virtualNetworkResourceId: '' - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "npdzwaf001.com" - }, - // Non-required parameters - "a": { - "value": [ - { - "aRecords": [ - { - "ipv4Address": "10.240.4.4" - } - ], - "name": "A_10.240.4.4", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "ttl": 3600 - } - ] - }, - "aaaa": { - "value": [ - { - "aaaaRecords": [ - { - "ipv6Address": "2001:0db8:85a3:0000:0000:8a2e:0370:7334" - } - ], - "name": "AAAA_2001_0db8_85a3_0000_0000_8a2e_0370_7334", - "ttl": 3600 - } - ] - }, - "cname": { - "value": [ - { - "cnameRecord": { - "cname": "test" - }, - "name": "CNAME_test", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "ttl": 3600 - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "mx": { - "value": [ - { - "mxRecords": [ - { - "exchange": "contoso.com", - "preference": 100 - } - ], - "name": "MX_contoso", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "ttl": 3600 - } - ] - }, - "ptr": { - "value": [ - { - "name": "PTR_contoso", - "ptrRecords": [ - { - "ptrdname": "contoso.com" - } - ], - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "ttl": 3600 - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "soa": { - "value": [ - { - "name": "@", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", 
- "roleDefinitionIdOrName": "Reader" - } - ], - "soaRecord": { - "email": "azureprivatedns-host.microsoft.com", - "expireTime": 2419200, - "host": "azureprivatedns.net", - "minimumTtl": 10, - "refreshTime": 3600, - "retryTime": 300, - "serialNumber": "1" - }, - "ttl": 3600 - } - ] - }, - "srv": { - "value": [ - { - "name": "SRV_contoso", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "srvRecords": [ - { - "port": 9332, - "priority": 0, - "target": "test.contoso.com", - "weight": 0 - } - ], - "ttl": 3600 - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "txt": { - "value": [ - { - "name": "TXT_test", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "ttl": 3600, - "txtRecords": [ - { - "value": [ - "test" - ] - } - ] - } - ] - }, - "virtualNetworkLinks": { - "value": [ - { - "registrationEnabled": true, - "virtualNetworkResourceId": "" - } - ] - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Private DNS zone name. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`a`](#parameter-a) | array | Array of A records. | -| [`aaaa`](#parameter-aaaa) | array | Array of AAAA records. | -| [`cname`](#parameter-cname) | array | Array of CNAME records. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | The location of the PrivateDNSZone. Should be global. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`mx`](#parameter-mx) | array | Array of MX records. | -| [`ptr`](#parameter-ptr) | array | Array of PTR records. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`soa`](#parameter-soa) | array | Array of SOA records. | -| [`srv`](#parameter-srv) | array | Array of SRV records. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`txt`](#parameter-txt) | array | Array of TXT records. | -| [`virtualNetworkLinks`](#parameter-virtualnetworklinks) | array | Array of custom objects describing vNet links of the DNS zone. Each object should contain properties 'vnetResourceId' and 'registrationEnabled'. The 'vnetResourceId' is a resource ID of a vNet to link, 'registrationEnabled' (bool) enables automatic DNS registration in the zone for the linked vNet. | - -### Parameter: `name` - -Private DNS zone name. 
- -- Required: Yes -- Type: string - -### Parameter: `a` - -Array of A records. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `aaaa` - -Array of AAAA records. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `cname` - -Array of CNAME records. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -The location of the PrivateDNSZone. Should be global. - -- Required: No -- Type: string -- Default: `'global'` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `mx` - -Array of MX records. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `ptr` - -Array of PTR records. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `soa` - -Array of SOA records. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `srv` - -Array of SRV records. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `txt` - -Array of TXT records. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `virtualNetworkLinks` - -Array of custom objects describing vNet links of the DNS zone. Each object should contain properties 'vnetResourceId' and 'registrationEnabled'. The 'vnetResourceId' is a resource ID of a vNet to link, 'registrationEnabled' (bool) enables automatic DNS registration in the zone for the linked vNet. - -- Required: No -- Type: array -- Default: `[]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the private DNS zone. | -| `resourceGroupName` | string | The resource group the private DNS zone was deployed into. 
| -| `resourceId` | string | The resource ID of the private DNS zone. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/network/private-dns-zone/a/README.md b/modules/network/private-dns-zone/a/README.md deleted file mode 100644 index 324cf8f429..0000000000 --- a/modules/network/private-dns-zone/a/README.md +++ /dev/null 
@@ -1,189 +0,0 @@ -# Private DNS Zone A record `[Microsoft.Network/privateDnsZones/A]` - -This module deploys a Private DNS Zone A record. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/privateDnsZones/A` | [2020-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/A) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the A record. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`privateDnsZoneName`](#parameter-privatednszonename) | string | The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`aRecords`](#parameter-arecords) | array | The list of A records in the record set. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| -| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | - -### Parameter: `name` - -The name of the A record. - -- Required: Yes -- Type: string - -### Parameter: `privateDnsZoneName` - -The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `aRecords` - -The list of A records in the record set. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `metadata` - -The metadata attached to the record set. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `ttl` - -The TTL (time-to-live) of the records in the record set. - -- Required: No -- Type: int -- Default: `3600` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed A record. | -| `resourceGroupName` | string | The resource group of the deployed A record. | -| `resourceId` | string | The resource ID of the deployed A record. | - -## Cross-referenced modules - -_None_ diff --git a/modules/network/private-dns-zone/a/main.bicep b/modules/network/private-dns-zone/a/main.bicep deleted file mode 100644 index 14ed4d1909..0000000000 --- a/modules/network/private-dns-zone/a/main.bicep +++ /dev/null 
@@ -1,113 +0,0 @@
-metadata name = 'Private DNS Zone A record'
-metadata description = 'This module deploys a Private DNS Zone A record.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment.')
-param privateDnsZoneName string
-
-@description('Required. The name of the A record.')
-param name string
-
-@description('Optional. The list of A records in the record set.')
-param aRecords array = []
-
-@description('Optional. The metadata attached to the record set.')
-param metadata object = {}
-
-@description('Optional. The TTL (time-to-live) of the records in the record set.')
-param ttl int = 3600
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
- 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
- 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
- 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing = {
- name: privateDnsZoneName
-}
-
-resource A 'Microsoft.Network/privateDnsZones/A@2020-06-01' = {
- name: name
- parent: privateDnsZone
- properties: {
- aRecords: aRecords
- metadata: metadata
- ttl: ttl
- }
-}
-
-resource A_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(A.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: A
-}]
-
-@description('The name of the deployed A record.')
-output name string = A.name
-
-@description('The resource ID of the deployed A record.')
-output resourceId string = A.id
-
-@description('The resource group of the deployed A record.')
-output resourceGroupName string = resourceGroup().name
-// =============== //
-// Definitions //
-// =============== //
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/network/private-dns-zone/a/main.json b/modules/network/private-dns-zone/a/main.json
deleted file mode 100644
index 4c0a30545a..0000000000
--- a/modules/network/private-dns-zone/a/main.json
+++ /dev/null
@@ -1,226 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "3949185236374936253" - }, - "name": "Private DNS Zone A record", - "description": "This module deploys a Private DNS Zone A record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the A record." - } - }, - "aRecords": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of A records in the record set." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateDnsZone": { - "existing": true, - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('privateDnsZoneName')]" - }, - "A": { - "type": "Microsoft.Network/privateDnsZones/A", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "properties": { - "aRecords": "[parameters('aRecords')]", - "metadata": "[parameters('metadata')]", - "ttl": "[parameters('ttl')]" - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "A_roleAssignments": { - "copy": { - "name": "A_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/A/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/A', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "A" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed A record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed A record." - }, - "value": "[resourceId('Microsoft.Network/privateDnsZones/A', parameters('privateDnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed A record." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/network/private-dns-zone/a/version.json b/modules/network/private-dns-zone/a/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/network/private-dns-zone/a/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/private-dns-zone/aaaa/README.md b/modules/network/private-dns-zone/aaaa/README.md deleted file mode 100644 index a7aabb30c0..0000000000 --- a/modules/network/private-dns-zone/aaaa/README.md +++ /dev/null 
@@ -1,189 +0,0 @@ -# Private DNS Zone AAAA record `[Microsoft.Network/privateDnsZones/AAAA]` - -This module deploys a Private DNS Zone AAAA record. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/privateDnsZones/AAAA` | [2020-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/AAAA) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the AAAA record. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`privateDnsZoneName`](#parameter-privatednszonename) | string | The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`aaaaRecords`](#parameter-aaaarecords) | array | The list of AAAA records in the record set. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | - -### Parameter: `name` - -The name of the AAAA record. - -- Required: Yes -- Type: string - -### Parameter: `privateDnsZoneName` - -The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `aaaaRecords` - -The list of AAAA records in the record set. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `metadata` - -The metadata attached to the record set. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
| - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. 
- -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `ttl` - -The TTL (time-to-live) of the records in the record set. - -- Required: No -- Type: int -- Default: `3600` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed AAAA record. | -| `resourceGroupName` | string | The resource group of the deployed AAAA record. | -| `resourceId` | string | The resource ID of the deployed AAAA record. | - -## Cross-referenced modules - -_None_ diff --git a/modules/network/private-dns-zone/aaaa/main.bicep b/modules/network/private-dns-zone/aaaa/main.bicep deleted file mode 100644 index d36d381db7..0000000000 --- a/modules/network/private-dns-zone/aaaa/main.bicep +++ /dev/null 
@@ -1,113 +0,0 @@
-metadata name = 'Private DNS Zone AAAA record'
-metadata description = 'This module deploys a Private DNS Zone AAAA record.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment.')
-param privateDnsZoneName string
-
-@description('Required. The name of the AAAA record.')
-param name string
-
-@description('Optional. The list of AAAA records in the record set.')
-param aaaaRecords array = []
-
-@description('Optional. The metadata attached to the record set.')
-param metadata object = {}
-
-@description('Optional. The TTL (time-to-live) of the records in the record set.')
-param ttl int = 3600
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
- 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
- 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
- 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing = {
- name: privateDnsZoneName
-}
-
-resource AAAA 'Microsoft.Network/privateDnsZones/AAAA@2020-06-01' = {
- name: name
- parent: privateDnsZone
- properties: {
- aaaaRecords: aaaaRecords
- metadata: metadata
- ttl: ttl
- }
-}
-
-resource AAAA_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(AAAA.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: AAAA
-}]
-
-@description('The name of the deployed AAAA record.')
-output name string = AAAA.name
-
-@description('The resource ID of the deployed AAAA record.')
-output resourceId string = AAAA.id
-
-@description('The resource group of the deployed AAAA record.')
-output resourceGroupName string = resourceGroup().name
-// =============== //
-// Definitions //
-// =============== //
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/network/private-dns-zone/aaaa/main.json b/modules/network/private-dns-zone/aaaa/main.json
deleted file mode 100644
index af984e6778..0000000000
--- a/modules/network/private-dns-zone/aaaa/main.json
+++ /dev/null
@@ -1,226 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "18254437762408001216" - }, - "name": "Private DNS Zone AAAA record", - "description": "This module deploys a Private DNS Zone AAAA record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the AAAA record." - } - }, - "aaaaRecords": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of AAAA records in the record set." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateDnsZone": { - "existing": true, - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('privateDnsZoneName')]" - }, - "AAAA": { - "type": "Microsoft.Network/privateDnsZones/AAAA", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "properties": { - "aaaaRecords": "[parameters('aaaaRecords')]", - "metadata": "[parameters('metadata')]", - "ttl": "[parameters('ttl')]" - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "AAAA_roleAssignments": { - "copy": { - "name": "AAAA_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/AAAA/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/AAAA', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "AAAA" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed AAAA record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed AAAA record." - }, - "value": "[resourceId('Microsoft.Network/privateDnsZones/AAAA', parameters('privateDnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed AAAA record." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/network/private-dns-zone/aaaa/version.json b/modules/network/private-dns-zone/aaaa/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/network/private-dns-zone/aaaa/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/private-dns-zone/cname/README.md b/modules/network/private-dns-zone/cname/README.md deleted file mode 100644 index 14ac042831..0000000000 --- a/modules/network/private-dns-zone/cname/README.md +++ /dev/null 
@@ -1,189 +0,0 @@ -# Private DNS Zone CNAME record `[Microsoft.Network/privateDnsZones/CNAME]` - -This module deploys a Private DNS Zone CNAME record. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/privateDnsZones/CNAME` | [2020-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/CNAME) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the CNAME record. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`privateDnsZoneName`](#parameter-privatednszonename) | string | The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`cnameRecord`](#parameter-cnamerecord) | object | A CNAME record. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| -| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | - -### Parameter: `name` - -The name of the CNAME record. - -- Required: Yes -- Type: string - -### Parameter: `privateDnsZoneName` - -The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `cnameRecord` - -A CNAME record. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `metadata` - -The metadata attached to the record set. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `ttl` - -The TTL (time-to-live) of the records in the record set. - -- Required: No -- Type: int -- Default: `3600` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed CNAME record. | -| `resourceGroupName` | string | The resource group of the deployed CNAME record. | -| `resourceId` | string | The resource ID of the deployed CNAME record. | - -## Cross-referenced modules - -_None_ diff --git a/modules/network/private-dns-zone/cname/main.bicep b/modules/network/private-dns-zone/cname/main.bicep deleted file mode 100644 index 10ca076674..0000000000 --- a/modules/network/private-dns-zone/cname/main.bicep +++ /dev/null 
@@ -1,113 +0,0 @@
-metadata name = 'Private DNS Zone CNAME record'
-metadata description = 'This module deploys a Private DNS Zone CNAME record.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment.')
-param privateDnsZoneName string
-
-@description('Required. The name of the CNAME record.')
-param name string
-
-@description('Optional. A CNAME record.')
-param cnameRecord object = {}
-
-@description('Optional. The metadata attached to the record set.')
-param metadata object = {}
-
-@description('Optional. The TTL (time-to-live) of the records in the record set.')
-param ttl int = 3600
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@description('Optional.
Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
- 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
- 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
- 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing = {
- name: privateDnsZoneName
-}
-
-resource CNAME 'Microsoft.Network/privateDnsZones/CNAME@2020-06-01' = {
- name: name
- parent: privateDnsZone
- properties: {
- cnameRecord: cnameRecord
- metadata: metadata
- ttl: ttl
- }
-}
-
-resource CNAME_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(CNAME.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: CNAME
-}]
-
-@description('The name of the deployed CNAME record.')
-output name string = CNAME.name
-
-@description('The resource ID of the deployed CNAME record.')
-output resourceId string = CNAME.id
-
-@description('The resource group of the deployed CNAME record.')
-output resourceGroupName string = resourceGroup().name
-// =============== //
-// Definitions //
-// =============== //
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional.
The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/network/private-dns-zone/cname/main.json b/modules/network/private-dns-zone/cname/main.json
deleted file mode 100644
index 73a4108987..0000000000
--- a/modules/network/private-dns-zone/cname/main.json
+++ /dev/null
@@ -1,226 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5688376231538421822" - }, - "name": "Private DNS Zone CNAME record", - "description": "This module deploys a Private DNS Zone CNAME record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the CNAME record." - } - }, - "cnameRecord": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. A CNAME record." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateDnsZone": { - "existing": true, - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('privateDnsZoneName')]" - }, - "CNAME": { - "type": "Microsoft.Network/privateDnsZones/CNAME", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "properties": { - "cnameRecord": "[parameters('cnameRecord')]", - "metadata": "[parameters('metadata')]", - "ttl": "[parameters('ttl')]" - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "CNAME_roleAssignments": { - "copy": { - "name": "CNAME_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/CNAME/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/CNAME', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "CNAME" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed CNAME record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed CNAME record." - }, - "value": "[resourceId('Microsoft.Network/privateDnsZones/CNAME', parameters('privateDnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed CNAME record." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/network/private-dns-zone/cname/version.json b/modules/network/private-dns-zone/cname/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/network/private-dns-zone/cname/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/private-dns-zone/main.bicep b/modules/network/private-dns-zone/main.bicep deleted file mode 100644 index e1ee451d5a..0000000000 --- a/modules/network/private-dns-zone/main.bicep +++ /dev/null 
@@ -1,269 +0,0 @@
-metadata name = 'Private DNS Zones'
-metadata description = 'This module deploys a Private DNS zone.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Private DNS zone name.')
-param name string
-
-@description('Optional. Array of A records.')
-param a array = []
-
-@description('Optional. Array of AAAA records.')
-param aaaa array = []
-
-@description('Optional. Array of CNAME records.')
-param cname array = []
-
-@description('Optional. Array of MX records.')
-param mx array = []
-
-@description('Optional. Array of PTR records.')
-param ptr array = []
-
-@description('Optional. Array of SOA records.')
-param soa array = []
-
-@description('Optional. Array of SRV records.')
-param srv array = []
-
-@description('Optional. Array of TXT records.')
-param txt array = []
-
-@description('Optional. Array of custom objects describing vNet links of the DNS zone. Each object should contain properties \'vnetResourceId\' and \'registrationEnabled\'. The \'vnetResourceId\' is a resource ID of a vNet to link, \'registrationEnabled\' (bool) enables automatic DNS registration in the zone for the linked vNet.')
-param virtualNetworkLinks array = []
-
-@description('Optional. The location of the PrivateDNSZone. Should be global.')
-param location string = 'global'
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
- 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
- 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
- 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: name
- location: location
- tags: tags
-}
-
-module privateDnsZone_A 'a/main.bicep' = [for (aRecord, index) in a: {
- name: '${uniqueString(deployment().name, location)}-PrivateDnsZone-ARecord-${index}'
- params: {
- privateDnsZoneName: privateDnsZone.name
- name: aRecord.name
- aRecords: contains(aRecord, 'aRecords') ? aRecord.aRecords : []
- metadata: contains(aRecord, 'metadata') ? aRecord.metadata : {}
- ttl: contains(aRecord, 'ttl') ? aRecord.ttl : 3600
- roleAssignments: contains(aRecord, 'roleAssignments') ? aRecord.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module privateDnsZone_AAAA 'aaaa/main.bicep' = [for (aaaaRecord, index) in aaaa: {
- name: '${uniqueString(deployment().name, location)}-PrivateDnsZone-AAAARecord-${index}'
- params: {
- privateDnsZoneName: privateDnsZone.name
- name: aaaaRecord.name
- aaaaRecords: contains(aaaaRecord, 'aaaaRecords') ? aaaaRecord.aaaaRecords : []
- metadata: contains(aaaaRecord, 'metadata') ? aaaaRecord.metadata : {}
- ttl: contains(aaaaRecord, 'ttl') ? aaaaRecord.ttl : 3600
- roleAssignments: contains(aaaaRecord, 'roleAssignments') ? aaaaRecord.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module privateDnsZone_CNAME 'cname/main.bicep' = [for (cnameRecord, index) in cname: {
- name: '${uniqueString(deployment().name, location)}-PrivateDnsZone-CNAMERecord-${index}'
- params: {
- privateDnsZoneName: privateDnsZone.name
- name: cnameRecord.name
- cnameRecord: contains(cnameRecord, 'cnameRecord') ? cnameRecord.cnameRecord : {}
- metadata: contains(cnameRecord, 'metadata') ? cnameRecord.metadata : {}
- ttl: contains(cnameRecord, 'ttl') ? cnameRecord.ttl : 3600
- roleAssignments: contains(cnameRecord, 'roleAssignments') ? cnameRecord.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module privateDnsZone_MX 'mx/main.bicep' = [for (mxRecord, index) in mx: {
- name: '${uniqueString(deployment().name, location)}-PrivateDnsZone-MXRecord-${index}'
- params: {
- privateDnsZoneName: privateDnsZone.name
- name: mxRecord.name
- metadata: contains(mxRecord, 'metadata') ? mxRecord.metadata : {}
- mxRecords: contains(mxRecord, 'mxRecords') ? mxRecord.mxRecords : []
- ttl: contains(mxRecord, 'ttl') ? mxRecord.ttl : 3600
- roleAssignments: contains(mxRecord, 'roleAssignments') ? mxRecord.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module privateDnsZone_PTR 'ptr/main.bicep' = [for (ptrRecord, index) in ptr: {
- name: '${uniqueString(deployment().name, location)}-PrivateDnsZone-PTRRecord-${index}'
- params: {
- privateDnsZoneName: privateDnsZone.name
- name: ptrRecord.name
- metadata: contains(ptrRecord, 'metadata') ? ptrRecord.metadata : {}
- ptrRecords: contains(ptrRecord, 'ptrRecords') ? ptrRecord.ptrRecords : []
- ttl: contains(ptrRecord, 'ttl') ? ptrRecord.ttl : 3600
- roleAssignments: contains(ptrRecord, 'roleAssignments') ? ptrRecord.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module privateDnsZone_SOA 'soa/main.bicep' = [for (soaRecord, index) in soa: {
- name: '${uniqueString(deployment().name, location)}-PrivateDnsZone-SOARecord-${index}'
- params: {
- privateDnsZoneName: privateDnsZone.name
- name: soaRecord.name
- metadata: contains(soaRecord, 'metadata') ? soaRecord.metadata : {}
- soaRecord: contains(soaRecord, 'soaRecord') ? soaRecord.soaRecord : {}
- ttl: contains(soaRecord, 'ttl') ? soaRecord.ttl : 3600
- roleAssignments: contains(soaRecord, 'roleAssignments') ? soaRecord.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module privateDnsZone_SRV 'srv/main.bicep' = [for (srvRecord, index) in srv: {
- name: '${uniqueString(deployment().name, location)}-PrivateDnsZone-SRVRecord-${index}'
- params: {
- privateDnsZoneName: privateDnsZone.name
- name: srvRecord.name
- metadata: contains(srvRecord, 'metadata') ? srvRecord.metadata : {}
- srvRecords: contains(srvRecord, 'srvRecords') ? srvRecord.srvRecords : []
- ttl: contains(srvRecord, 'ttl') ? srvRecord.ttl : 3600
- roleAssignments: contains(srvRecord, 'roleAssignments') ? srvRecord.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module privateDnsZone_TXT 'txt/main.bicep' = [for (txtRecord, index) in txt: {
- name: '${uniqueString(deployment().name, location)}-PrivateDnsZone-TXTRecord-${index}'
- params: {
- privateDnsZoneName: privateDnsZone.name
- name: txtRecord.name
- metadata: contains(txtRecord, 'metadata') ? txtRecord.metadata : {}
- txtRecords: contains(txtRecord, 'txtRecords') ? txtRecord.txtRecords : []
- ttl: contains(txtRecord, 'ttl') ? txtRecord.ttl : 3600
- roleAssignments: contains(txtRecord, 'roleAssignments') ? txtRecord.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module privateDnsZone_virtualNetworkLinks 'virtual-network-link/main.bicep' = [for (virtualNetworkLink, index) in virtualNetworkLinks: {
- name: '${uniqueString(deployment().name, location)}-PrivateDnsZone-VirtualNetworkLink-${index}'
- params: {
- privateDnsZoneName: privateDnsZone.name
- name: contains(virtualNetworkLink, 'name') ? virtualNetworkLink.name : '${last(split(virtualNetworkLink.virtualNetworkResourceId, '/'))}-vnetlink'
- virtualNetworkResourceId: virtualNetworkLink.virtualNetworkResourceId
- location: contains(virtualNetworkLink, 'location') ? virtualNetworkLink.location : 'global'
- registrationEnabled: contains(virtualNetworkLink, 'registrationEnabled') ? virtualNetworkLink.registrationEnabled : false
- tags: virtualNetworkLink.?tags ?? tags
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-resource privateDnsZone_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: privateDnsZone
-}
-
-resource privateDnsZone_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(privateDnsZone.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: privateDnsZone
-}]
-
-@description('The resource group the private DNS zone was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the private DNS zone.')
-output name string = privateDnsZone.name
-
-@description('The resource ID of the private DNS zone.')
-output resourceId string = privateDnsZone.id
-
-@description('The location the resource was deployed into.')
-output location string = privateDnsZone.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/network/private-dns-zone/main.json b/modules/network/private-dns-zone/main.json
deleted file mode 100644
index 105ede90f1..0000000000
--- a/modules/network/private-dns-zone/main.json
+++ /dev/null
@@ -1,2556 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9913746381155072618" - }, - "name": "Private DNS Zones", - "description": "This module deploys a Private DNS zone.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Private DNS zone name." - } - }, - "a": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of A records." - } - }, - "aaaa": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of AAAA records." - } - }, - "cname": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of CNAME records." - } - }, - "mx": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of MX records." - } - }, - "ptr": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of PTR records." - } - }, - "soa": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of SOA records." - } - }, - "srv": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of SRV records." - } - }, - "txt": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of TXT records." - } - }, - "virtualNetworkLinks": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of custom objects describing vNet links of the DNS zone. Each object should contain properties 'vnetResourceId' and 'registrationEnabled'. 
The 'vnetResourceId' is a resource ID of a vNet to link, 'registrationEnabled' (bool) enables automatic DNS registration in the zone for the linked vNet." - } - }, - "location": { - "type": "string", - "defaultValue": "global", - "metadata": { - "description": "Optional. The location of the PrivateDNSZone. Should be global." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateDnsZone": { - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]" - }, - "privateDnsZone_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "privateDnsZone_roleAssignments": { - "copy": { - "name": "privateDnsZone_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateDnsZones', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "privateDnsZone_A": { - "copy": { - "name": "privateDnsZone_A", - "count": "[length(parameters('a'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateDnsZone-ARecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "privateDnsZoneName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('a')[copyIndex()].name]" - }, - "aRecords": "[if(contains(parameters('a')[copyIndex()], 'aRecords'), createObject('value', parameters('a')[copyIndex()].aRecords), createObject('value', createArray()))]", - "metadata": "[if(contains(parameters('a')[copyIndex()], 'metadata'), createObject('value', parameters('a')[copyIndex()].metadata), createObject('value', createObject()))]", - "ttl": 
"[if(contains(parameters('a')[copyIndex()], 'ttl'), createObject('value', parameters('a')[copyIndex()].ttl), createObject('value', 3600))]", - "roleAssignments": "[if(contains(parameters('a')[copyIndex()], 'roleAssignments'), createObject('value', parameters('a')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "3949185236374936253" - }, - "name": "Private DNS Zone A record", - "description": "This module deploys a Private DNS Zone A record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the A record." - } - }, - "aRecords": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of A records in the record set." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": 
"2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateDnsZone": { - "existing": true, - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('privateDnsZoneName')]" - }, - "A": { - "type": "Microsoft.Network/privateDnsZones/A", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "properties": { - "aRecords": "[parameters('aRecords')]", - "metadata": "[parameters('metadata')]", - "ttl": "[parameters('ttl')]" - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "A_roleAssignments": { - "copy": { - "name": "A_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/A/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/A', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "A" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed A record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed A record." - }, - "value": "[resourceId('Microsoft.Network/privateDnsZones/A', parameters('privateDnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed A record." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "privateDnsZone_AAAA": { - "copy": { - "name": "privateDnsZone_AAAA", - "count": "[length(parameters('aaaa'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateDnsZone-AAAARecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "privateDnsZoneName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('aaaa')[copyIndex()].name]" - }, - "aaaaRecords": "[if(contains(parameters('aaaa')[copyIndex()], 'aaaaRecords'), createObject('value', parameters('aaaa')[copyIndex()].aaaaRecords), createObject('value', createArray()))]", - "metadata": "[if(contains(parameters('aaaa')[copyIndex()], 'metadata'), createObject('value', parameters('aaaa')[copyIndex()].metadata), createObject('value', createObject()))]", - "ttl": "[if(contains(parameters('aaaa')[copyIndex()], 'ttl'), createObject('value', parameters('aaaa')[copyIndex()].ttl), createObject('value', 3600))]", - "roleAssignments": "[if(contains(parameters('aaaa')[copyIndex()], 'roleAssignments'), createObject('value', parameters('aaaa')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "18254437762408001216" - }, - "name": "Private DNS Zone AAAA record", - "description": "This module deploys a Private DNS Zone AAAA record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - 
"roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the AAAA record." 
- } - }, - "aaaaRecords": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of AAAA records in the record set." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateDnsZone": { - "existing": true, - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('privateDnsZoneName')]" - }, - "AAAA": { - "type": "Microsoft.Network/privateDnsZones/AAAA", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "properties": { - "aaaaRecords": "[parameters('aaaaRecords')]", - "metadata": "[parameters('metadata')]", - "ttl": "[parameters('ttl')]" - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "AAAA_roleAssignments": { - "copy": { - "name": "AAAA_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/AAAA/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/AAAA', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "AAAA" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed AAAA record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed AAAA record." - }, - "value": "[resourceId('Microsoft.Network/privateDnsZones/AAAA', parameters('privateDnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed AAAA record." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "privateDnsZone_CNAME": { - "copy": { - "name": "privateDnsZone_CNAME", - "count": "[length(parameters('cname'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateDnsZone-CNAMERecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "privateDnsZoneName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('cname')[copyIndex()].name]" - }, - "cnameRecord": "[if(contains(parameters('cname')[copyIndex()], 'cnameRecord'), createObject('value', parameters('cname')[copyIndex()].cnameRecord), createObject('value', createObject()))]", - "metadata": "[if(contains(parameters('cname')[copyIndex()], 'metadata'), createObject('value', parameters('cname')[copyIndex()].metadata), createObject('value', createObject()))]", - "ttl": "[if(contains(parameters('cname')[copyIndex()], 'ttl'), createObject('value', parameters('cname')[copyIndex()].ttl), createObject('value', 3600))]", - "roleAssignments": "[if(contains(parameters('cname')[copyIndex()], 'roleAssignments'), createObject('value', parameters('cname')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5688376231538421822" - }, - "name": "Private DNS Zone CNAME record", - "description": "This module deploys a Private DNS Zone CNAME record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - 
"roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the CNAME record." 
- } - }, - "cnameRecord": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. A CNAME record." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateDnsZone": { - "existing": true, - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('privateDnsZoneName')]" - }, - "CNAME": { - "type": "Microsoft.Network/privateDnsZones/CNAME", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "properties": { - "cnameRecord": "[parameters('cnameRecord')]", - "metadata": "[parameters('metadata')]", - "ttl": "[parameters('ttl')]" - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "CNAME_roleAssignments": { - "copy": { - "name": "CNAME_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/CNAME/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/CNAME', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "CNAME" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed CNAME record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed CNAME record." - }, - "value": "[resourceId('Microsoft.Network/privateDnsZones/CNAME', parameters('privateDnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed CNAME record." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "privateDnsZone_MX": { - "copy": { - "name": "privateDnsZone_MX", - "count": "[length(parameters('mx'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateDnsZone-MXRecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "privateDnsZoneName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('mx')[copyIndex()].name]" - }, - "metadata": "[if(contains(parameters('mx')[copyIndex()], 'metadata'), createObject('value', parameters('mx')[copyIndex()].metadata), createObject('value', createObject()))]", - "mxRecords": "[if(contains(parameters('mx')[copyIndex()], 'mxRecords'), createObject('value', parameters('mx')[copyIndex()].mxRecords), createObject('value', createArray()))]", - "ttl": "[if(contains(parameters('mx')[copyIndex()], 'ttl'), createObject('value', parameters('mx')[copyIndex()].ttl), createObject('value', 3600))]", - "roleAssignments": "[if(contains(parameters('mx')[copyIndex()], 'roleAssignments'), createObject('value', parameters('mx')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6121652824910092918" - }, - "name": "Private DNS Zone MX record", - "description": "This module deploys a Private DNS Zone MX record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - 
"items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the MX record." 
- } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "mxRecords": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of MX records in the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateDnsZone": { - "existing": true, - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('privateDnsZoneName')]" - }, - "MX": { - "type": "Microsoft.Network/privateDnsZones/MX", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]", - "mxRecords": "[parameters('mxRecords')]", - "ttl": "[parameters('ttl')]" - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "MX_roleAssignments": { - "copy": { - "name": "MX_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/MX/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/MX', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "MX" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed MX record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed MX record." - }, - "value": "[resourceId('Microsoft.Network/privateDnsZones/MX', parameters('privateDnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed MX record." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "privateDnsZone_PTR": { - "copy": { - "name": "privateDnsZone_PTR", - "count": "[length(parameters('ptr'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateDnsZone-PTRRecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "privateDnsZoneName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('ptr')[copyIndex()].name]" - }, - "metadata": "[if(contains(parameters('ptr')[copyIndex()], 'metadata'), createObject('value', parameters('ptr')[copyIndex()].metadata), createObject('value', createObject()))]", - "ptrRecords": "[if(contains(parameters('ptr')[copyIndex()], 'ptrRecords'), createObject('value', parameters('ptr')[copyIndex()].ptrRecords), createObject('value', createArray()))]", - "ttl": "[if(contains(parameters('ptr')[copyIndex()], 'ttl'), createObject('value', parameters('ptr')[copyIndex()].ttl), createObject('value', 3600))]", - "roleAssignments": "[if(contains(parameters('ptr')[copyIndex()], 'roleAssignments'), createObject('value', parameters('ptr')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13755349248029897715" - }, - "name": "Private DNS Zone PTR record", - "description": "This module deploys a Private DNS Zone PTR record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": 
"array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the PTR record." 
- } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "ptrRecords": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of PTR records in the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "PTR_roleAssignments": { - "copy": { - "name": "PTR_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/PTR/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/PTR', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "PTR" - ] - }, - "privateDnsZone": { - "existing": true, - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('privateDnsZoneName')]" - }, - "PTR": { - "type": "Microsoft.Network/privateDnsZones/PTR", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]", - "ptrRecords": "[parameters('ptrRecords')]", - "ttl": "[parameters('ttl')]" - }, - "dependsOn": [ - "privateDnsZone" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed PTR record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed PTR record." - }, - "value": "[resourceId('Microsoft.Network/privateDnsZones/PTR', parameters('privateDnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed PTR record." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "privateDnsZone_SOA": { - "copy": { - "name": "privateDnsZone_SOA", - "count": "[length(parameters('soa'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateDnsZone-SOARecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "privateDnsZoneName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('soa')[copyIndex()].name]" - }, - "metadata": "[if(contains(parameters('soa')[copyIndex()], 'metadata'), createObject('value', parameters('soa')[copyIndex()].metadata), createObject('value', createObject()))]", - "soaRecord": "[if(contains(parameters('soa')[copyIndex()], 'soaRecord'), createObject('value', parameters('soa')[copyIndex()].soaRecord), createObject('value', createObject()))]", - "ttl": "[if(contains(parameters('soa')[copyIndex()], 'ttl'), createObject('value', parameters('soa')[copyIndex()].ttl), createObject('value', 3600))]", - "roleAssignments": "[if(contains(parameters('soa')[copyIndex()], 'roleAssignments'), createObject('value', parameters('soa')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17071167904833492436" - }, - "name": "Private DNS Zone SOA record", - "description": "This module deploys a Private DNS Zone SOA record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": 
"array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the SOA record." 
- } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "soaRecord": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. A SOA record." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateDnsZone": { - "existing": true, - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('privateDnsZoneName')]" - }, - "SOA": { - "type": "Microsoft.Network/privateDnsZones/SOA", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]", - "soaRecord": "[parameters('soaRecord')]", - "ttl": "[parameters('ttl')]" - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "SOA_roleAssignments": { - "copy": { - "name": "SOA_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/SOA/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/SOA', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "SOA" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed SOA record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed SOA record." - }, - "value": "[resourceId('Microsoft.Network/privateDnsZones/SOA', parameters('privateDnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed SOA record." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "privateDnsZone_SRV": { - "copy": { - "name": "privateDnsZone_SRV", - "count": "[length(parameters('srv'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateDnsZone-SRVRecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "privateDnsZoneName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('srv')[copyIndex()].name]" - }, - "metadata": "[if(contains(parameters('srv')[copyIndex()], 'metadata'), createObject('value', parameters('srv')[copyIndex()].metadata), createObject('value', createObject()))]", - "srvRecords": "[if(contains(parameters('srv')[copyIndex()], 'srvRecords'), createObject('value', parameters('srv')[copyIndex()].srvRecords), createObject('value', createArray()))]", - "ttl": "[if(contains(parameters('srv')[copyIndex()], 'ttl'), createObject('value', parameters('srv')[copyIndex()].ttl), createObject('value', 3600))]", - "roleAssignments": "[if(contains(parameters('srv')[copyIndex()], 'roleAssignments'), createObject('value', parameters('srv')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11637594462630888096" - }, - "name": "Private DNS Zone SRV record", - "description": "This module deploys a Private DNS Zone SRV record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": 
"array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the SRV record." 
- } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "srvRecords": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of SRV records in the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateDnsZone": { - "existing": true, - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('privateDnsZoneName')]" - }, - "SRV": { - "type": "Microsoft.Network/privateDnsZones/SRV", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]", - "srvRecords": "[parameters('srvRecords')]", - "ttl": "[parameters('ttl')]" - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "SRV_roleAssignments": { - "copy": { - "name": "SRV_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/SRV/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/SRV', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "SRV" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed SRV record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed SRV record." - }, - "value": "[resourceId('Microsoft.Network/privateDnsZones/SRV', parameters('privateDnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed SRV record." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "privateDnsZone_TXT": { - "copy": { - "name": "privateDnsZone_TXT", - "count": "[length(parameters('txt'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateDnsZone-TXTRecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "privateDnsZoneName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('txt')[copyIndex()].name]" - }, - "metadata": "[if(contains(parameters('txt')[copyIndex()], 'metadata'), createObject('value', parameters('txt')[copyIndex()].metadata), createObject('value', createObject()))]", - "txtRecords": "[if(contains(parameters('txt')[copyIndex()], 'txtRecords'), createObject('value', parameters('txt')[copyIndex()].txtRecords), createObject('value', createArray()))]", - "ttl": "[if(contains(parameters('txt')[copyIndex()], 'ttl'), createObject('value', parameters('txt')[copyIndex()].ttl), createObject('value', 3600))]", - "roleAssignments": "[if(contains(parameters('txt')[copyIndex()], 'roleAssignments'), createObject('value', parameters('txt')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "61165308790737358" - }, - "name": "Private DNS Zone TXT record", - "description": "This module deploys a Private DNS Zone TXT record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": 
"array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the TXT record." 
- } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "txtRecords": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of TXT records in the record set." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateDnsZone": { - "existing": true, - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('privateDnsZoneName')]" - }, - "TXT": { - "type": "Microsoft.Network/privateDnsZones/TXT", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]", - "ttl": "[parameters('ttl')]", - "txtRecords": "[parameters('txtRecords')]" - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "TXT_roleAssignments": { - "copy": { - "name": "TXT_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/TXT/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/TXT', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "TXT" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed TXT record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed TXT record." - }, - "value": "[resourceId('Microsoft.Network/privateDnsZones/TXT', parameters('privateDnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed TXT record." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "privateDnsZone_virtualNetworkLinks": { - "copy": { - "name": "privateDnsZone_virtualNetworkLinks", - "count": "[length(parameters('virtualNetworkLinks'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateDnsZone-VirtualNetworkLink-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "privateDnsZoneName": { - "value": "[parameters('name')]" - }, - "name": "[if(contains(parameters('virtualNetworkLinks')[copyIndex()], 'name'), createObject('value', parameters('virtualNetworkLinks')[copyIndex()].name), createObject('value', format('{0}-vnetlink', last(split(parameters('virtualNetworkLinks')[copyIndex()].virtualNetworkResourceId, '/')))))]", - "virtualNetworkResourceId": { - "value": "[parameters('virtualNetworkLinks')[copyIndex()].virtualNetworkResourceId]" - }, - "location": "[if(contains(parameters('virtualNetworkLinks')[copyIndex()], 'location'), createObject('value', parameters('virtualNetworkLinks')[copyIndex()].location), createObject('value', 'global'))]", - "registrationEnabled": "[if(contains(parameters('virtualNetworkLinks')[copyIndex()], 'registrationEnabled'), createObject('value', parameters('virtualNetworkLinks')[copyIndex()].registrationEnabled), createObject('value', false()))]", - "tags": { - "value": "[coalesce(tryGet(parameters('virtualNetworkLinks')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": 
"0.23.1.45101", - "templateHash": "2575181024828080198" - }, - "name": "Private DNS Zone Virtual Network Link", - "description": "This module deploys a Private DNS Zone Virtual Network Link.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "[format('{0}-vnetlink', last(split(parameters('virtualNetworkResourceId'), '/')))]", - "metadata": { - "description": "Optional. The name of the virtual network link." - } - }, - "location": { - "type": "string", - "defaultValue": "global", - "metadata": { - "description": "Optional. The location of the PrivateDNSZone. Should be global." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "registrationEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Is auto-registration of virtual machine records in the virtual network in the Private DNS zone enabled?." - } - }, - "virtualNetworkResourceId": { - "type": "string", - "metadata": { - "description": "Required. Link to another virtual network resource ID." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateDnsZone": { - "existing": true, - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('privateDnsZoneName')]" - }, - "virtualNetworkLink": { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "registrationEnabled": "[parameters('registrationEnabled')]", - "virtualNetwork": { - "id": "[parameters('virtualNetworkResourceId')]" - } - }, - "dependsOn": [ - "privateDnsZone" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed virtual network link." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed virtual network link." - }, - "value": "[resourceId('Microsoft.Network/privateDnsZones/virtualNetworkLinks', parameters('privateDnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed virtual network link." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." 
- }, - "value": "[reference('virtualNetworkLink', '2020-06-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "privateDnsZone" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private DNS zone was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private DNS zone." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private DNS zone." - }, - "value": "[resourceId('Microsoft.Network/privateDnsZones', parameters('name'))]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateDnsZone', '2020-06-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/private-dns-zone/mx/README.md b/modules/network/private-dns-zone/mx/README.md deleted file mode 100644 index 666ea216fa..0000000000 --- a/modules/network/private-dns-zone/mx/README.md +++ /dev/null 
@@ -1,189 +0,0 @@
-# Private DNS Zone MX record `[Microsoft.Network/privateDnsZones/MX]`
-
-This module deploys a Private DNS Zone MX record.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
-| `Microsoft.Network/privateDnsZones/MX` | [2020-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/MX) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the MX record. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`privateDnsZoneName`](#parameter-privatednszonename) | string | The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. |
-| [`mxRecords`](#parameter-mxrecords) | array | The list of MX records in the record set. |
-| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. |
-
-### Parameter: `name`
-
-The name of the MX record.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `privateDnsZoneName`
-
-The name of the parent Private DNS zone. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `metadata`
-
-The metadata attached to the record set.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `mxRecords`
-
-The list of MX records in the record set.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `roleAssignments`
-
-Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
-
-- Required: No
-- Type: array
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
-| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. |
-| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. |
-| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. |
-| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. |
-
-### Parameter: `roleAssignments.principalId`
-
-The principal ID of the principal (user/group/identity) to assign the role to.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.roleDefinitionIdOrName`
-
-The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.condition`
-
-The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.conditionVersion`
-
-Version of the condition.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- '2.0'
- ]
- ```
-
-### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
-
-The Resource Id of the delegated managed identity resource.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.description`
-
-The description of the role assignment.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.principalType`
-
-The principal type of the assigned principal ID.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Device'
- 'ForeignGroup'
- 'Group'
- 'ServicePrincipal'
- 'User'
- ]
- ```
-
-### Parameter: `ttl`
-
-The TTL (time-to-live) of the records in the record set.
-
-- Required: No
-- Type: int
-- Default: `3600`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed MX record. |
-| `resourceGroupName` | string | The resource group of the deployed MX record. |
-| `resourceId` | string | The resource ID of the deployed MX record. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/network/private-dns-zone/mx/main.bicep b/modules/network/private-dns-zone/mx/main.bicep
deleted file mode 100644
index 1937467d66..0000000000
--- a/modules/network/private-dns-zone/mx/main.bicep
+++ /dev/null
@@ -1,113 +0,0 @@
-metadata name = 'Private DNS Zone MX record'
-metadata description = 'This module deploys a Private DNS Zone MX record.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment.')
-param privateDnsZoneName string
-
-@description('Required. The name of the MX record.')
-param name string
-
-@description('Optional. The metadata attached to the record set.')
-param metadata object = {}
-
-@description('Optional. The list of MX records in the record set.')
-param mxRecords array = []
-
-@description('Optional. The TTL (time-to-live) of the records in the record set.')
-param ttl int = 3600
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
- 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
- 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
- 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing = {
- name: privateDnsZoneName
-}
-
-resource MX 'Microsoft.Network/privateDnsZones/MX@2020-06-01' = {
- name: name
- parent: privateDnsZone
- properties: {
- metadata: metadata
- mxRecords: mxRecords
- ttl: ttl
- }
-}
-
-resource MX_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(MX.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: MX
-}]
-
-@description('The name of the deployed MX record.')
-output name string = MX.name
-
-@description('The resource ID of the deployed MX record.')
-output resourceId string = MX.id
-
-@description('The resource group of the deployed MX record.')
-output resourceGroupName string = resourceGroup().name
-// =============== //
-// Definitions //
-// =============== //
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/network/private-dns-zone/mx/main.json b/modules/network/private-dns-zone/mx/main.json
deleted file mode 100644
index b4e3e092af..0000000000
--- a/modules/network/private-dns-zone/mx/main.json
+++ /dev/null
@@ -1,226 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6121652824910092918" - }, - "name": "Private DNS Zone MX record", - "description": "This module deploys a Private DNS Zone MX record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the MX record." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "mxRecords": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of MX records in the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateDnsZone": { - "existing": true, - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('privateDnsZoneName')]" - }, - "MX": { - "type": "Microsoft.Network/privateDnsZones/MX", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]", - "mxRecords": "[parameters('mxRecords')]", - "ttl": "[parameters('ttl')]" - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "MX_roleAssignments": { - "copy": { - "name": "MX_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/MX/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/MX', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "MX" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed MX record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed MX record." - }, - "value": "[resourceId('Microsoft.Network/privateDnsZones/MX', parameters('privateDnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed MX record." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/network/private-dns-zone/mx/version.json b/modules/network/private-dns-zone/mx/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/network/private-dns-zone/mx/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/private-dns-zone/ptr/README.md b/modules/network/private-dns-zone/ptr/README.md deleted file mode 100644 index 20aa566d5e..0000000000 --- a/modules/network/private-dns-zone/ptr/README.md +++ /dev/null 
@@ -1,189 +0,0 @@ -# Private DNS Zone PTR record `[Microsoft.Network/privateDnsZones/PTR]` - -This module deploys a Private DNS Zone PTR record. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/privateDnsZones/PTR` | [2020-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/PTR) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the PTR record. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`privateDnsZoneName`](#parameter-privatednszonename) | string | The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. | -| [`ptrRecords`](#parameter-ptrrecords) | array | The list of PTR records in the record set. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| -| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | - -### Parameter: `name` - -The name of the PTR record. - -- Required: Yes -- Type: string - -### Parameter: `privateDnsZoneName` - -The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `metadata` - -The metadata attached to the record set. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `ptrRecords` - -The list of PTR records in the record set. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `ttl` - -The TTL (time-to-live) of the records in the record set. - -- Required: No -- Type: int -- Default: `3600` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed PTR record. | -| `resourceGroupName` | string | The resource group of the deployed PTR record. | -| `resourceId` | string | The resource ID of the deployed PTR record. | - -## Cross-referenced modules - -_None_ diff --git a/modules/network/private-dns-zone/ptr/main.bicep b/modules/network/private-dns-zone/ptr/main.bicep deleted file mode 100644 index 2b4094fee9..0000000000 --- a/modules/network/private-dns-zone/ptr/main.bicep +++ /dev/null 
@@ -1,113 +0,0 @@
-metadata name = 'Private DNS Zone PTR record'
-metadata description = 'This module deploys a Private DNS Zone PTR record.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment.')
-param privateDnsZoneName string
-
-@description('Required. The name of the PTR record.')
-param name string
-
-@description('Optional. The metadata attached to the record set.')
-param metadata object = {}
-
-@description('Optional. The list of PTR records in the record set.')
-param ptrRecords array = []
-
-@description('Optional. The TTL (time-to-live) of the records in the record set.')
-param ttl int = 3600
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
- 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
- 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
- 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource PTR_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(PTR.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: PTR
-}]
-
-resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing = {
- name: privateDnsZoneName
-}
-
-resource PTR 'Microsoft.Network/privateDnsZones/PTR@2020-06-01' = {
- name: name
- parent: privateDnsZone
- properties: {
- metadata: metadata
- ptrRecords: ptrRecords
- ttl: ttl
- }
-}
-
-@description('The name of the deployed PTR record.')
-output name string = PTR.name
-
-@description('The resource ID of the deployed PTR record.')
-output resourceId string = PTR.id
-
-@description('The resource group of the deployed PTR record.')
-output resourceGroupName string = resourceGroup().name
-// =============== //
-// Definitions //
-// =============== //
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/network/private-dns-zone/ptr/main.json b/modules/network/private-dns-zone/ptr/main.json
deleted file mode 100644
index 756e0de5ba..0000000000
--- a/modules/network/private-dns-zone/ptr/main.json
+++ /dev/null
@@ -1,226 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13755349248029897715" - }, - "name": "Private DNS Zone PTR record", - "description": "This module deploys a Private DNS Zone PTR record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the PTR record." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "ptrRecords": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of PTR records in the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "PTR_roleAssignments": { - "copy": { - "name": "PTR_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/PTR/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/PTR', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "PTR" - ] - }, - "privateDnsZone": { - "existing": true, - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('privateDnsZoneName')]" - }, - "PTR": { - "type": "Microsoft.Network/privateDnsZones/PTR", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]", - "ptrRecords": "[parameters('ptrRecords')]", - "ttl": "[parameters('ttl')]" - }, - "dependsOn": [ - "privateDnsZone" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed PTR record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed PTR record." - }, - "value": "[resourceId('Microsoft.Network/privateDnsZones/PTR', parameters('privateDnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed PTR record." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/network/private-dns-zone/ptr/version.json b/modules/network/private-dns-zone/ptr/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/network/private-dns-zone/ptr/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/private-dns-zone/soa/README.md b/modules/network/private-dns-zone/soa/README.md deleted file mode 100644 index 37fd471fdf..0000000000 --- a/modules/network/private-dns-zone/soa/README.md +++ /dev/null 
@@ -1,189 +0,0 @@ -# Private DNS Zone SOA record `[Microsoft.Network/privateDnsZones/SOA]` - -This module deploys a Private DNS Zone SOA record. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/privateDnsZones/SOA` | [2020-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/SOA) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the SOA record. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`privateDnsZoneName`](#parameter-privatednszonename) | string | The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`soaRecord`](#parameter-soarecord) | object | A SOA record. 
| -| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | - -### Parameter: `name` - -The name of the SOA record. - -- Required: Yes -- Type: string - -### Parameter: `privateDnsZoneName` - -The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `metadata` - -The metadata attached to the record set. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `soaRecord` - -A SOA record. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `ttl` - -The TTL (time-to-live) of the records in the record set. - -- Required: No -- Type: int -- Default: `3600` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed SOA record. | -| `resourceGroupName` | string | The resource group of the deployed SOA record. | -| `resourceId` | string | The resource ID of the deployed SOA record. | - -## Cross-referenced modules - -_None_ diff --git a/modules/network/private-dns-zone/soa/main.bicep b/modules/network/private-dns-zone/soa/main.bicep deleted file mode 100644 index 5661f96a86..0000000000 --- a/modules/network/private-dns-zone/soa/main.bicep +++ /dev/null 
@@ -1,113 +0,0 @@
-metadata name = 'Private DNS Zone SOA record'
-metadata description = 'This module deploys a Private DNS Zone SOA record.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment.')
-param privateDnsZoneName string
-
-@description('Required. The name of the SOA record.')
-param name string
-
-@description('Optional. The metadata attached to the record set.')
-param metadata object = {}
-
-@description('Optional. A SOA record.')
-param soaRecord object = {}
-
-@description('Optional. The TTL (time-to-live) of the records in the record set.')
-param ttl int = 3600
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@description('Optional.
Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
- 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
- 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
- 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing = {
- name: privateDnsZoneName
-}
-
-resource SOA 'Microsoft.Network/privateDnsZones/SOA@2020-06-01' = {
- name: name
- parent: privateDnsZone
- properties: {
- metadata: metadata
- soaRecord: soaRecord
- ttl: ttl
- }
-}
-
-resource SOA_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(SOA.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: SOA
-}]
-
-@description('The name of the deployed SOA record.')
-output name string = SOA.name
-
-@description('The resource ID of the deployed SOA record.')
-output resourceId string = SOA.id
-
-@description('The resource group of the deployed SOA record.')
-output resourceGroupName string = resourceGroup().name
-// =============== //
-// Definitions //
-// =============== //
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional.
The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/network/private-dns-zone/soa/main.json b/modules/network/private-dns-zone/soa/main.json
deleted file mode 100644
index 2da7e394d2..0000000000
--- a/modules/network/private-dns-zone/soa/main.json
+++ /dev/null
@@ -1,226 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17071167904833492436" - }, - "name": "Private DNS Zone SOA record", - "description": "This module deploys a Private DNS Zone SOA record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the SOA record." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "soaRecord": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. A SOA record." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateDnsZone": { - "existing": true, - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('privateDnsZoneName')]" - }, - "SOA": { - "type": "Microsoft.Network/privateDnsZones/SOA", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]", - "soaRecord": "[parameters('soaRecord')]", - "ttl": "[parameters('ttl')]" - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "SOA_roleAssignments": { - "copy": { - "name": "SOA_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/SOA/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/SOA', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "SOA" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed SOA record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed SOA record." - }, - "value": "[resourceId('Microsoft.Network/privateDnsZones/SOA', parameters('privateDnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed SOA record." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/network/private-dns-zone/soa/version.json b/modules/network/private-dns-zone/soa/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/network/private-dns-zone/soa/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/private-dns-zone/srv/README.md b/modules/network/private-dns-zone/srv/README.md deleted file mode 100644 index da0f621c88..0000000000 --- a/modules/network/private-dns-zone/srv/README.md +++ /dev/null 
@@ -1,189 +0,0 @@
-# Private DNS Zone SRV record `[Microsoft.Network/privateDnsZones/SRV]`
-
-This module deploys a Private DNS Zone SRV record.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
-| `Microsoft.Network/privateDnsZones/SRV` | [2020-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/SRV) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the SRV record. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`privateDnsZoneName`](#parameter-privatednszonename) | string | The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. |
-| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-| [`srvRecords`](#parameter-srvrecords) | array | The list of SRV records in the record set.
|
-| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. |
-
-### Parameter: `name`
-
-The name of the SRV record.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `privateDnsZoneName`
-
-The name of the parent Private DNS zone. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `metadata`
-
-The metadata attached to the record set.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `roleAssignments`
-
-Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
-
-- Required: No
-- Type: array
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to.
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
-| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. |
-| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. |
-| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. |
-| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. |
-
-### Parameter: `roleAssignments.principalId`
-
-The principal ID of the principal (user/group/identity) to assign the role to.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.roleDefinitionIdOrName`
-
-The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.condition`
-
-The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.conditionVersion`
-
-Version of the condition.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- '2.0'
- ]
- ```
-
-### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
-
-The Resource Id of the delegated managed identity resource.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.description`
-
-The description of the role assignment.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.principalType`
-
-The principal type of the assigned principal ID.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Device'
- 'ForeignGroup'
- 'Group'
- 'ServicePrincipal'
- 'User'
- ]
- ```
-
-### Parameter: `srvRecords`
-
-The list of SRV records in the record set.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `ttl`
-
-The TTL (time-to-live) of the records in the record set.
-
-- Required: No
-- Type: int
-- Default: `3600`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed SRV record. |
-| `resourceGroupName` | string | The resource group of the deployed SRV record. |
-| `resourceId` | string | The resource ID of the deployed SRV record. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/network/private-dns-zone/srv/main.bicep b/modules/network/private-dns-zone/srv/main.bicep
deleted file mode 100644
index aa5a1a95e1..0000000000
--- a/modules/network/private-dns-zone/srv/main.bicep
+++ /dev/null
@@ -1,113 +0,0 @@
-metadata name = 'Private DNS Zone SRV record'
-metadata description = 'This module deploys a Private DNS Zone SRV record.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment.')
-param privateDnsZoneName string
-
-@description('Required. The name of the SRV record.')
-param name string
-
-@description('Optional. The metadata attached to the record set.')
-param metadata object = {}
-
-@description('Optional. The list of SRV records in the record set.')
-param srvRecords array = []
-
-@description('Optional. The TTL (time-to-live) of the records in the record set.')
-param ttl int = 3600
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@description('Optional.
Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
- 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
- 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
- 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing = {
- name: privateDnsZoneName
-}
-
-resource SRV 'Microsoft.Network/privateDnsZones/SRV@2020-06-01' = {
- name: name
- parent: privateDnsZone
- properties: {
- metadata: metadata
- srvRecords: srvRecords
- ttl: ttl
- }
-}
-
-resource SRV_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(SRV.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: SRV
-}]
-
-@description('The name of the deployed SRV record.')
-output name string = SRV.name
-
-@description('The resource ID of the deployed SRV record.')
-output resourceId string = SRV.id
-
-@description('The resource group of the deployed SRV record.')
-output resourceGroupName string = resourceGroup().name
-// =============== //
-// Definitions //
-// =============== //
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional.
The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/network/private-dns-zone/srv/main.json b/modules/network/private-dns-zone/srv/main.json
deleted file mode 100644
index d795aa1f9d..0000000000
--- a/modules/network/private-dns-zone/srv/main.json
+++ /dev/null
@@ -1,226 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11637594462630888096" - }, - "name": "Private DNS Zone SRV record", - "description": "This module deploys a Private DNS Zone SRV record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the SRV record." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "srvRecords": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of SRV records in the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateDnsZone": { - "existing": true, - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('privateDnsZoneName')]" - }, - "SRV": { - "type": "Microsoft.Network/privateDnsZones/SRV", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]", - "srvRecords": "[parameters('srvRecords')]", - "ttl": "[parameters('ttl')]" - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "SRV_roleAssignments": { - "copy": { - "name": "SRV_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/SRV/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/SRV', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "SRV" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed SRV record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed SRV record." - }, - "value": "[resourceId('Microsoft.Network/privateDnsZones/SRV', parameters('privateDnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed SRV record." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/network/private-dns-zone/srv/version.json b/modules/network/private-dns-zone/srv/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/network/private-dns-zone/srv/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/private-dns-zone/tests/e2e/defaults/main.test.bicep b/modules/network/private-dns-zone/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 9302e41bcf..0000000000 --- a/modules/network/private-dns-zone/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.privatednszones-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'npdzmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001.com'
- }
-}]
diff --git a/modules/network/private-dns-zone/tests/e2e/max/dependencies.bicep b/modules/network/private-dns-zone/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index f4ff1fbf54..0000000000
--- a/modules/network/private-dns-zone/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,41 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network.')
-output virtualNetworkResourceId string = virtualNetwork.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/private-dns-zone/tests/e2e/max/main.test.bicep b/modules/network/private-dns-zone/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 8e28928ada..0000000000
--- a/modules/network/private-dns-zone/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,225 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.privatednszones-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'npdzmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001.com'
- a: [
- {
- aRecords: [
- {
- ipv4Address: '10.240.4.4'
- }
- ]
- name: 'A_10.240.4.4'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- ttl: 3600
- }
- ]
- aaaa: [
- {
- aaaaRecords: [
- {
- ipv6Address: '2001:0db8:85a3:0000:0000:8a2e:0370:7334'
- }
- ]
- name: 'AAAA_2001_0db8_85a3_0000_0000_8a2e_0370_7334'
- ttl: 3600
- }
- ]
- cname: [
- {
- cnameRecord: {
- cname: 'test'
- }
- name: 'CNAME_test'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- ttl: 3600
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- mx: [
- {
- mxRecords: [
- {
- exchange: 'contoso.com'
- preference: 100
- }
- ]
- name: 'MX_contoso'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- ttl: 3600
- }
- ]
- ptr: [
- {
- name: 'PTR_contoso'
- ptrRecords: [
- {
- ptrdname: 'contoso.com'
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- ttl: 3600
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- soa: [
- {
- name: '@'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- soaRecord: {
- email: 'azureprivatedns-host.microsoft.com'
- expireTime: 2419200
- host: 'azureprivatedns.net'
- minimumTtl: 10
- refreshTime: 3600
- retryTime: 300
- serialNumber: '1'
- }
- ttl: 3600
- }
- ]
- srv: [
- {
- name: 'SRV_contoso'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- srvRecords: [
- {
- port: 9332
- priority: 0
- target: 'test.contoso.com'
- weight: 0
- }
- ]
- ttl: 3600
- }
- ]
- txt: [
- {
- name: 'TXT_test'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- ttl: 3600
- txtRecords: [
- {
- value: [
- 'test'
- ]
- }
- ]
- }
- ]
- virtualNetworkLinks: [
- {
- registrationEnabled: true
- virtualNetworkResourceId: nestedDependencies.outputs.virtualNetworkResourceId
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/private-dns-zone/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/private-dns-zone/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index f4ff1fbf54..0000000000
--- a/modules/network/private-dns-zone/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,41 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network.')
-output virtualNetworkResourceId string = virtualNetwork.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/private-dns-zone/tests/e2e/waf-aligned/main.test.bicep b/modules/network/private-dns-zone/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 591d3e4e8d..0000000000
--- a/modules/network/private-dns-zone/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,225 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.privatednszones-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'npdzwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001.com'
- a: [
- {
- aRecords: [
- {
- ipv4Address: '10.240.4.4'
- }
- ]
- name: 'A_10.240.4.4'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- ttl: 3600
- }
- ]
- aaaa: [
- {
- aaaaRecords: [
- {
- ipv6Address: '2001:0db8:85a3:0000:0000:8a2e:0370:7334'
- }
- ]
- name: 'AAAA_2001_0db8_85a3_0000_0000_8a2e_0370_7334'
- ttl: 3600
- }
- ]
- cname: [
- {
- cnameRecord: {
- cname: 'test'
- }
- name: 'CNAME_test'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- ttl: 3600
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- mx: [
- {
- mxRecords: [
- {
- exchange: 'contoso.com'
- preference: 100
- }
- ]
- name: 'MX_contoso'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- ttl: 3600
- }
- ]
- ptr: [
- {
- name: 'PTR_contoso'
- ptrRecords: [
- {
- ptrdname: 'contoso.com'
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- ttl: 3600
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- soa: [
- {
- name: '@'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- soaRecord: {
- email: 'azureprivatedns-host.microsoft.com'
- expireTime: 2419200
- host: 'azureprivatedns.net'
- minimumTtl: 10
- refreshTime: 3600
- retryTime: 300
- serialNumber: '1'
- }
- ttl: 3600
- }
- ]
- srv: [
- {
- name: 'SRV_contoso'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- srvRecords: [
- {
- port: 9332
- priority: 0
- target: 'test.contoso.com'
- weight: 0
- }
- ]
- ttl: 3600
- }
- ]
- txt: [
- {
- name: 'TXT_test'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- ttl: 3600
- txtRecords: [
- {
- value: [
- 'test'
- ]
- }
- ]
- }
- ]
- virtualNetworkLinks: [
- {
- registrationEnabled: true
- virtualNetworkResourceId: nestedDependencies.outputs.virtualNetworkResourceId
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/private-dns-zone/txt/README.md b/modules/network/private-dns-zone/txt/README.md
deleted file mode 100644
index 36e82bc657..0000000000
--- a/modules/network/private-dns-zone/txt/README.md
+++ /dev/null
@@ -1,189 +0,0 @@ -# Private DNS Zone TXT record `[Microsoft.Network/privateDnsZones/TXT]` - -This module deploys a Private DNS Zone TXT record. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/privateDnsZones/TXT` | [2020-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/TXT) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the TXT record. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`privateDnsZoneName`](#parameter-privatednszonename) | string | The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. 
| -| [`txtRecords`](#parameter-txtrecords) | array | The list of TXT records in the record set. | - -### Parameter: `name` - -The name of the TXT record. - -- Required: Yes -- Type: string - -### Parameter: `privateDnsZoneName` - -The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `metadata` - -The metadata attached to the record set. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `ttl` - -The TTL (time-to-live) of the records in the record set. - -- Required: No -- Type: int -- Default: `3600` - -### Parameter: `txtRecords` - -The list of TXT records in the record set. - -- Required: No -- Type: array -- Default: `[]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed TXT record. | -| `resourceGroupName` | string | The resource group of the deployed TXT record. | -| `resourceId` | string | The resource ID of the deployed TXT record. | - -## Cross-referenced modules - -_None_ diff --git a/modules/network/private-dns-zone/txt/main.bicep b/modules/network/private-dns-zone/txt/main.bicep deleted file mode 100644 index afbe9ae0f9..0000000000 --- a/modules/network/private-dns-zone/txt/main.bicep +++ /dev/null 
@@ -1,113 +0,0 @@
-metadata name = 'Private DNS Zone TXT record'
-metadata description = 'This module deploys a Private DNS Zone TXT record.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment.')
-param privateDnsZoneName string
-
-@description('Required. The name of the TXT record.')
-param name string
-
-@description('Optional. The metadata attached to the record set.')
-param metadata object = {}
-
-@description('Optional. The TTL (time-to-live) of the records in the record set.')
-param ttl int = 3600
-
-@description('Optional. The list of TXT records in the record set.')
-param txtRecords array = []
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
- 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
- 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
- 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing = {
- name: privateDnsZoneName
-}
-
-resource TXT 'Microsoft.Network/privateDnsZones/TXT@2020-06-01' = {
- name: name
- parent: privateDnsZone
- properties: {
- metadata: metadata
- ttl: ttl
- txtRecords: txtRecords
- }
-}
-
-resource TXT_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(TXT.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: TXT
-}]
-
-@description('The name of the deployed TXT record.')
-output name string = TXT.name
-
-@description('The resource ID of the deployed TXT record.')
-output resourceId string = TXT.id
-
-@description('The resource group of the deployed TXT record.')
-output resourceGroupName string = resourceGroup().name
-// =============== //
-// Definitions //
-// =============== //
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/network/private-dns-zone/txt/main.json b/modules/network/private-dns-zone/txt/main.json
deleted file mode 100644
index 2b6c165ec4..0000000000
--- a/modules/network/private-dns-zone/txt/main.json
+++ /dev/null
@@ -1,226 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "61165308790737358" - }, - "name": "Private DNS Zone TXT record", - "description": "This module deploys a Private DNS Zone TXT record.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the TXT record." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "txtRecords": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of TXT records in the record set." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateDnsZone": { - "existing": true, - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('privateDnsZoneName')]" - }, - "TXT": { - "type": "Microsoft.Network/privateDnsZones/TXT", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]", - "ttl": "[parameters('ttl')]", - "txtRecords": "[parameters('txtRecords')]" - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "TXT_roleAssignments": { - "copy": { - "name": "TXT_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/TXT/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/TXT', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "TXT" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed TXT record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed TXT record." - }, - "value": "[resourceId('Microsoft.Network/privateDnsZones/TXT', parameters('privateDnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed TXT record." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/network/private-dns-zone/txt/version.json b/modules/network/private-dns-zone/txt/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/network/private-dns-zone/txt/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/private-dns-zone/version.json b/modules/network/private-dns-zone/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/network/private-dns-zone/version.json +++ /dev/null 
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.5",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/private-dns-zone/virtual-network-link/README.md b/modules/network/private-dns-zone/virtual-network-link/README.md
deleted file mode 100644
index 8cb4a9d04d..0000000000
--- a/modules/network/private-dns-zone/virtual-network-link/README.md
+++ /dev/null
@@ -1,107 +0,0 @@ -# Private DNS Zone Virtual Network Link `[Microsoft.Network/privateDnsZones/virtualNetworkLinks]` - -This module deploys a Private DNS Zone Virtual Network Link. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Network/privateDnsZones/virtualNetworkLinks` | [2020-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/virtualNetworkLinks) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`virtualNetworkResourceId`](#parameter-virtualnetworkresourceid) | string | Link to another virtual network resource ID. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`privateDnsZoneName`](#parameter-privatednszonename) | string | The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | The location of the PrivateDNSZone. Should be global. | -| [`name`](#parameter-name) | string | The name of the virtual network link. | -| [`registrationEnabled`](#parameter-registrationenabled) | bool | Is auto-registration of virtual machine records in the virtual network in the Private DNS zone enabled?. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `virtualNetworkResourceId` - -Link to another virtual network resource ID. - -- Required: Yes -- Type: string - -### Parameter: `privateDnsZoneName` - -The name of the parent Private DNS zone. 
Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -The location of the PrivateDNSZone. Should be global. - -- Required: No -- Type: string -- Default: `'global'` - -### Parameter: `name` - -The name of the virtual network link. - -- Required: No -- Type: string -- Default: `[format('{0}-vnetlink', last(split(parameters('virtualNetworkResourceId'), '/')))]` - -### Parameter: `registrationEnabled` - -Is auto-registration of virtual machine records in the virtual network in the Private DNS zone enabled?. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed virtual network link. | -| `resourceGroupName` | string | The resource group of the deployed virtual network link. | -| `resourceId` | string | The resource ID of the deployed virtual network link. | - -## Cross-referenced modules - -_None_ diff --git a/modules/network/private-dns-zone/virtual-network-link/main.bicep b/modules/network/private-dns-zone/virtual-network-link/main.bicep deleted file mode 100644 index 0885bf3952..0000000000 --- a/modules/network/private-dns-zone/virtual-network-link/main.bicep +++ /dev/null 
@@ -1,65 +0,0 @@
-metadata name = 'Private DNS Zone Virtual Network Link'
-metadata description = 'This module deploys a Private DNS Zone Virtual Network Link.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment.')
-param privateDnsZoneName string
-
-@description('Optional. The name of the virtual network link.')
-param name string = '${last(split(virtualNetworkResourceId, '/'))}-vnetlink'
-
-@description('Optional. The location of the PrivateDNSZone. Should be global.')
-param location string = 'global'
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Is auto-registration of virtual machine records in the virtual network in the Private DNS zone enabled?.')
-param registrationEnabled bool = false
-
-@description('Required. Link to another virtual network resource ID.')
-param virtualNetworkResourceId string
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing = {
- name: privateDnsZoneName
-}
-
-resource virtualNetworkLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
- name: name
- parent: privateDnsZone
- location: location
- tags: tags
- properties: {
- registrationEnabled: registrationEnabled
- virtualNetwork: {
- id: virtualNetworkResourceId
- }
- }
-}
-
-@description('The name of the deployed virtual network link.')
-output name string = virtualNetworkLink.name
-
-@description('The resource ID of the deployed virtual network link.')
-output resourceId string = virtualNetworkLink.id
-
-@description('The resource group of the deployed virtual network link.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = virtualNetworkLink.location
diff --git a/modules/network/private-dns-zone/virtual-network-link/main.json b/modules/network/private-dns-zone/virtual-network-link/main.json
deleted file mode 100644
index 7fc8dca0c1..0000000000
--- a/modules/network/private-dns-zone/virtual-network-link/main.json
+++ /dev/null
@@ -1,132 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2575181024828080198" - }, - "name": "Private DNS Zone Virtual Network Link", - "description": "This module deploys a Private DNS Zone Virtual Network Link.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "[format('{0}-vnetlink', last(split(parameters('virtualNetworkResourceId'), '/')))]", - "metadata": { - "description": "Optional. The name of the virtual network link." - } - }, - "location": { - "type": "string", - "defaultValue": "global", - "metadata": { - "description": "Optional. The location of the PrivateDNSZone. Should be global." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "registrationEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Is auto-registration of virtual machine records in the virtual network in the Private DNS zone enabled?." - } - }, - "virtualNetworkResourceId": { - "type": "string", - "metadata": { - "description": "Required. Link to another virtual network resource ID." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateDnsZone": { - "existing": true, - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('privateDnsZoneName')]" - }, - "virtualNetworkLink": { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "registrationEnabled": "[parameters('registrationEnabled')]", - "virtualNetwork": { - "id": "[parameters('virtualNetworkResourceId')]" - } - }, - "dependsOn": [ - "privateDnsZone" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed virtual network link." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed virtual network link." - }, - "value": "[resourceId('Microsoft.Network/privateDnsZones/virtualNetworkLinks', parameters('privateDnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed virtual network link." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." 
- }, - "value": "[reference('virtualNetworkLink', '2020-06-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/private-dns-zone/virtual-network-link/version.json b/modules/network/private-dns-zone/virtual-network-link/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/network/private-dns-zone/virtual-network-link/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/private-endpoint/MOVED-TO-AVM.md b/modules/network/private-endpoint/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/network/private-endpoint/MOVED-TO-AVM.md +++ /dev/null @@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/network/private-endpoint/README.md b/modules/network/private-endpoint/README.md index 1ca7067d72..69dc4ea3f6 100644 --- a/modules/network/private-endpoint/README.md +++ b/modules/network/private-endpoint/README.md @@ -1,732 +1,7 @@ -# Private Endpoints `[Microsoft.Network/privateEndpoints]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/private-endpoint](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/private-endpoint).** -This module deploys a Private Endpoint. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/private-endpoint). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. 
- ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.private-endpoint:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module privateEndpoint 'br:bicep/modules/network.private-endpoint:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-npemin' - params: { - // Required parameters - groupIds: [ - 'vault' - ] - name: 'npemin001' - serviceResourceId: '' - subnetResourceId: '' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "groupIds": { - "value": [ - "vault" - ] - }, - "name": { - "value": "npemin001" - }, - "serviceResourceId": { - "value": "" - }, - "subnetResourceId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module privateEndpoint 'br:bicep/modules/network.private-endpoint:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-npemax' - params: { - // Required parameters - groupIds: [ - 'vault' - ] - name: 'npemax001' - serviceResourceId: '' - subnetResourceId: '' - // Non-required parameters - applicationSecurityGroupResourceIds: [ - '' - ] - customDnsConfigs: [ - { - fqdn: 'abc.keyvault.com' - ipAddresses: [ - '10.0.0.10' - ] - } - ] - customNetworkInterfaceName: 'npemax001nic' - enableDefaultTelemetry: '' - ipConfigurations: [ - { - name: 'myIPconfig' - properties: { - groupId: 'vault' - memberName: 'default' - privateIPAddress: '10.0.0.10' - } - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - privateDnsZoneResourceIds: [ - '' - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "groupIds": { - "value": [ - "vault" - ] - }, - "name": { - "value": "npemax001" - }, - "serviceResourceId": { - "value": "" - }, - "subnetResourceId": { - "value": "" - }, - // Non-required parameters - "applicationSecurityGroupResourceIds": { - "value": [ - "" - ] - }, - "customDnsConfigs": { - "value": [ - { - "fqdn": "abc.keyvault.com", - "ipAddresses": [ - "10.0.0.10" - ] - } - ] - }, - "customNetworkInterfaceName": { - "value": "npemax001nic" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "ipConfigurations": { - "value": [ - { - "name": "myIPconfig", - "properties": { - "groupId": "vault", - "memberName": "default", - "privateIPAddress": "10.0.0.10" - } - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "privateDnsZoneResourceIds": { - "value": [ - "" - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module privateEndpoint 'br:bicep/modules/network.private-endpoint:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-npewaf' - params: { - // Required parameters - groupIds: [ - 'vault' - ] - name: 'npewaf001' - serviceResourceId: '' - subnetResourceId: '' - // Non-required parameters - applicationSecurityGroupResourceIds: [ - '' - ] - customDnsConfigs: [ - { - fqdn: 'abc.keyvault.com' - ipAddresses: [ - '10.0.0.10' - ] - } - ] - customNetworkInterfaceName: 'npewaf001nic' - enableDefaultTelemetry: '' - ipConfigurations: [ - { - name: 'myIPconfig' - properties: { - groupId: 'vault' - memberName: 'default' - privateIPAddress: '10.0.0.10' - } - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - privateDnsZoneResourceIds: [ - '' - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "groupIds": { - "value": [ - "vault" - ] - }, - "name": { - "value": "npewaf001" - }, - "serviceResourceId": { - "value": "" - }, - "subnetResourceId": { - "value": "" - }, - // Non-required parameters - "applicationSecurityGroupResourceIds": { - "value": [ - "" - ] - }, - "customDnsConfigs": { - "value": [ - { - "fqdn": "abc.keyvault.com", - "ipAddresses": [ - "10.0.0.10" - ] - } - ] - }, - "customNetworkInterfaceName": { - "value": "npewaf001nic" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "ipConfigurations": { - "value": [ - { - "name": "myIPconfig", - "properties": { - "groupId": "vault", - "memberName": "default", - "privateIPAddress": "10.0.0.10" - } - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "privateDnsZoneResourceIds": { - "value": [ - "" - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`groupIds`](#parameter-groupids) | array | Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to. | -| [`name`](#parameter-name) | string | Name of the private endpoint resource to create. | -| [`serviceResourceId`](#parameter-serviceresourceid) | string | Resource ID of the resource that needs to be connected to the network. | -| [`subnetResourceId`](#parameter-subnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-applicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-customdnsconfigs) | array | Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-customnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-ipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`manualPrivateLinkServiceConnections`](#parameter-manualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | -| [`privateDnsZoneGroupName`](#parameter-privatednszonegroupname) | string | The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided. 
| -| [`privateDnsZoneResourceIds`](#parameter-privatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`tags`](#parameter-tags) | object | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `groupIds` - -Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to. - -- Required: Yes -- Type: array - -### Parameter: `name` - -Name of the private endpoint resource to create. - -- Required: Yes -- Type: string - -### Parameter: `serviceResourceId` - -Resource ID of the resource that needs to be connected to the network. - -- Required: Yes -- Type: string - -### Parameter: `subnetResourceId` - -Resource ID of the subnet where the endpoint needs to be created. - -- Required: Yes -- Type: string - -### Parameter: `applicationSecurityGroupResourceIds` - -Application security groups in which the private endpoint IP configuration is included. - -- Required: No -- Type: array - -### Parameter: `customDnsConfigs` - -Custom DNS configurations. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`fqdn`](#parameter-customdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint ip address. | -| [`ipAddresses`](#parameter-customdnsconfigsipaddresses) | array | A list of private ip addresses of the private endpoint. 
| - -### Parameter: `customDnsConfigs.fqdn` - -Fqdn that resolves to private endpoint ip address. - -- Required: Yes -- Type: string - -### Parameter: `customDnsConfigs.ipAddresses` - -A list of private ip addresses of the private endpoint. - -- Required: Yes -- Type: array - -### Parameter: `customNetworkInterfaceName` - -The custom name of the network interface attached to the private endpoint. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable/Disable usage telemetry for module. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `ipConfigurations` - -A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-ipconfigurationsname) | string | The name of the resource that is unique within a resource group. | -| [`properties`](#parameter-ipconfigurationsproperties) | object | Properties of private endpoint IP configurations. | - -### Parameter: `ipConfigurations.name` - -The name of the resource that is unique within a resource group. - -- Required: Yes -- Type: string - -### Parameter: `ipConfigurations.properties` - -Properties of private endpoint IP configurations. - -- Required: Yes -- Type: object - -### Parameter: `location` - -Location for all Resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `manualPrivateLinkServiceConnections` - -Manual PrivateLink Service Connections. - -- Required: No -- Type: array - -### Parameter: `privateDnsZoneGroupName` - -The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided. - -- Required: No -- Type: string - -### Parameter: `privateDnsZoneResourceIds` - -The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones. - -- Required: No -- Type: array - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. 
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Device'
- 'ForeignGroup'
- 'Group'
- 'ServicePrincipal'
- 'User'
- ]
- ```
-
-### Parameter: `tags`
-
-Tags to be applied on all resources/resource groups in this deployment.
-
-- Required: No
-- Type: object
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the private endpoint. |
-| `resourceGroupName` | string | The resource group the private endpoint was deployed into. |
-| `resourceId` | string | The resource ID of the private endpoint. |
-
-## Cross-referenced modules
-
-_None_
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/network/private-endpoint/main.bicep b/modules/network/private-endpoint/main.bicep
deleted file mode 100644
index 1c5e1df2d1..0000000000
--- a/modules/network/private-endpoint/main.bicep
+++ /dev/null
@@ -1,210 +0,0 @@
-metadata name = 'Private Endpoints'
-metadata description = 'This module deploys a Private Endpoint.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the private endpoint resource to create.')
-param name string
-
-@description('Required. Resource ID of the subnet where the endpoint needs to be created.')
-param subnetResourceId string
-
-@description('Required. Resource ID of the resource that needs to be connected to the network.')
-param serviceResourceId string
-
-@description('Optional. Application security groups in which the private endpoint IP configuration is included.')
-param applicationSecurityGroupResourceIds array?
-
-@description('Optional. The custom name of the network interface attached to the private endpoint.')
-param customNetworkInterfaceName string?
-
-@description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
-param ipConfigurations ipConfigurationsType?
-
-@description('Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to.')
-param groupIds array
-
-@description('Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided.')
-param privateDnsZoneGroupName string?
-
-@description('Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones.')
-param privateDnsZoneResourceIds array?
-
-@description('Optional. Location for all Resources.')
-param location string = resourceGroup().location
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
-param tags object?
-
-@description('Optional. Custom DNS configurations.')
-param customDnsConfigs customDnsConfigType?
-
-@description('Optional. Manual PrivateLink Service Connections.')
-param manualPrivateLinkServiceConnections array?
-
-@description('Optional. Enable/Disable usage telemetry for module.')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
- 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
- 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
- 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-04-01' = {
- name: name
- location: location
- tags: tags
- properties: {
- applicationSecurityGroups: [for applicationSecurityGroupResourceId in (applicationSecurityGroupResourceIds ?? []): {
- id: applicationSecurityGroupResourceId
- }]
- customDnsConfigs: customDnsConfigs
- customNetworkInterfaceName: customNetworkInterfaceName ?? ''
- ipConfigurations: ipConfigurations ?? []
- manualPrivateLinkServiceConnections: manualPrivateLinkServiceConnections ?? []
- privateLinkServiceConnections: [
- {
- name: name
- properties: {
- privateLinkServiceId: serviceResourceId
- groupIds: groupIds
- }
- }
- ]
- subnet: {
- id: subnetResourceId
- }
- }
-}
-
-module privateEndpoint_privateDnsZoneGroup 'private-dns-zone-group/main.bicep' = if (!empty(privateDnsZoneResourceIds)) {
- name: '${uniqueString(deployment().name)}-PrivateEndpoint-PrivateDnsZoneGroup'
- params: {
- name: privateDnsZoneGroupName ?? 'default'
- privateDNSResourceIds: privateDnsZoneResourceIds ?? []
- privateEndpointName: privateEndpoint.name
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-resource privateEndpoint_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: privateEndpoint
-}
-
-resource privateEndpoint_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(privateEndpoint.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: privateEndpoint
-}]
-
-@description('The resource group the private endpoint was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The resource ID of the private endpoint.')
-output resourceId string = privateEndpoint.id
-
-@description('The name of the private endpoint.')
-output name string = privateEndpoint.name
-
-@description('The location the resource was deployed into.')
-output location string = privateEndpoint.location
-
-// ================ //
-// Definitions //
-// ================ //
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type ipConfigurationsType = {
- @description('Required. The name of the resource that is unique within a resource group.')
- name: string
-
- @description('Required. Properties of private endpoint IP configurations.')
- properties: {
- @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
- groupId: string
-
- @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
- memberName: string
-
- @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
- privateIPAddress: string
- }
-}[]?
-
-type customDnsConfigType = {
- @description('Required. Fqdn that resolves to private endpoint ip address.')
- fqdn: string
-
- @description('Required. A list of private ip addresses of the private endpoint.')
- ipAddresses: string[]
-}[]?
diff --git a/modules/network/private-endpoint/main.json b/modules/network/private-endpoint/main.json
deleted file mode 100644
index 2d73f7ad0f..0000000000
--- a/modules/network/private-endpoint/main.json
+++ /dev/null
@@ -1,546 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." 
- } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." 
- } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } 
- }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - "groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": 
"privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": 
"Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/private-endpoint/private-dns-zone-group/README.md b/modules/network/private-endpoint/private-dns-zone-group/README.md deleted file mode 100644 index bdcb972739..0000000000 --- a/modules/network/private-endpoint/private-dns-zone-group/README.md +++ /dev/null 
@@ -1,80 +0,0 @@ -# Private Endpoint Private DNS Zone Groups `[Microsoft.Network/privateEndpoints/privateDnsZoneGroups]` - -This module deploys a Private Endpoint Private DNS Zone Group. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`privateDNSResourceIds`](#parameter-privatednsresourceids) | array | Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`privateEndpointName`](#parameter-privateendpointname) | string | The name of the parent private endpoint. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`name`](#parameter-name) | string | The name of the private DNS zone group. | - -### Parameter: `privateDNSResourceIds` - -Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones. - -- Required: Yes -- Type: array - -### Parameter: `privateEndpointName` - -The name of the parent private endpoint. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable/Disable usage telemetry for module. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `name` - -The name of the private DNS zone group. 
- -- Required: No -- Type: string -- Default: `'default'` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the private endpoint DNS zone group. | -| `resourceGroupName` | string | The resource group the private endpoint DNS zone group was deployed into. | -| `resourceId` | string | The resource ID of the private endpoint DNS zone group. | - -## Cross-referenced modules - -_None_ diff --git a/modules/network/private-endpoint/private-dns-zone-group/main.bicep b/modules/network/private-endpoint/private-dns-zone-group/main.bicep deleted file mode 100644 index 49a089a700..0000000000 --- a/modules/network/private-endpoint/private-dns-zone-group/main.bicep +++ /dev/null 
@@ -1,57 +0,0 @@ -metadata name = 'Private Endpoint Private DNS Zone Groups' -metadata description = 'This module deploys a Private Endpoint Private DNS Zone Group.' -metadata owner = 'Azure/module-maintainers' - -@description('Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment.') -param privateEndpointName string - -@description('Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones.') -@minLength(1) -@maxLength(5) -param privateDNSResourceIds array - -@description('Optional. The name of the private DNS zone group.') -param name string = 'default' - -@description('Optional. Enable/Disable usage telemetry for module.') -param enableDefaultTelemetry bool = true - -var privateDnsZoneConfigs = [for privateDNSResourceId in privateDNSResourceIds: { - name: last(split(privateDNSResourceId, '/'))! - properties: { - privateDnsZoneId: privateDNSResourceId - } -}] - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-04-01' existing = { - name: privateEndpointName -} - -resource privateDnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-04-01' = { - name: name - parent: privateEndpoint - properties: { - privateDnsZoneConfigs: privateDnsZoneConfigs - } -} - -@description('The name of the private endpoint DNS zone group.') -output name string = privateDnsZoneGroup.name - -@description('The resource ID of the private endpoint DNS zone group.') -output resourceId string = privateDnsZoneGroup.id - -@description('The resource group the private endpoint 
DNS zone group was deployed into.') -output resourceGroupName string = resourceGroup().name diff --git a/modules/network/private-endpoint/private-dns-zone-group/main.json b/modules/network/private-endpoint/private-dns-zone-group/main.json deleted file mode 100644 index 4fd7738ac7..0000000000 --- a/modules/network/private-endpoint/private-dns-zone-group/main.json +++ /dev/null 
@@ -1,105 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file 
diff --git a/modules/network/private-endpoint/private-dns-zone-group/version.json b/modules/network/private-endpoint/private-dns-zone-group/version.json
deleted file mode 100644
index 04a0dd1a80..0000000000
--- a/modules/network/private-endpoint/private-dns-zone-group/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.5",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/private-endpoint/tests/e2e/defaults/dependencies.bicep b/modules/network/private-endpoint/tests/e2e/defaults/dependencies.bicep
deleted file mode 100644
index a2a1d93da2..0000000000
--- a/modules/network/private-endpoint/tests/e2e/defaults/dependencies.bicep
+++ /dev/null
@@ -1,54 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: null
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
diff --git a/modules/network/private-endpoint/tests/e2e/defaults/main.test.bicep b/modules/network/private-endpoint/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index 51389d4e03..0000000000
--- a/modules/network/private-endpoint/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,63 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.privateendpoints-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'npemin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- groupIds: [
- 'vault'
- ]
- serviceResourceId: nestedDependencies.outputs.keyVaultResourceId
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- }
-}]
diff --git a/modules/network/private-endpoint/tests/e2e/max/dependencies.bicep b/modules/network/private-endpoint/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index a4bc9dabca..0000000000
--- a/modules/network/private-endpoint/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,95 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Virtual Network to create.') -param virtualNetworkName string - -@description('Required. The name of the Key Vault to create.') -param keyVaultName string - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -@description('Required. The name of the Application Security Group to create.') -param applicationSecurityGroupName string - -var addressPrefix = '10.0.0.0/16' - -resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { - name: virtualNetworkName - location: location - properties: { - addressSpace: { - addressPrefixes: [ - addressPrefix - ] - } - subnets: [ - { - name: 'defaultSubnet' - properties: { - addressPrefix: cidrSubnet(addressPrefix, 16, 0) - } - } - ] - } -} - -resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { - name: keyVaultName - location: location - properties: { - sku: { - family: 'A' - name: 'standard' - } - tenantId: tenant().tenantId - enablePurgeProtection: null - enabledForTemplateDeployment: true - enabledForDiskEncryption: true - enabledForDeployment: true - enableRbacAuthorization: true - accessPolicies: [] - } -} - -resource applicationSecurityGroup 'Microsoft.Network/applicationSecurityGroups@2023-04-01' = { - name: applicationSecurityGroupName - location: location -} - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { - name: 'privatelink.vaultcore.azure.net' - location: 'global' - - resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { - name: '${virtualNetwork.name}-vnetlink' - location: 'global' - properties: { - virtualNetwork: { - id: virtualNetwork.id - } - registrationEnabled: false - } - } -} - 
-@description('The resource ID of the created Virtual Network Subnet.') -output subnetResourceId string = virtualNetwork.properties.subnets[0].id - -@description('The resource ID of the created Key Vault.') -output keyVaultResourceId string = keyVault.id - -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId - -@description('The resource ID of the created Private DNS Zone.') -output privateDNSZoneResourceId string = privateDNSZone.id - -@description('The resource ID of the created Application Security Group.') -output applicationSecurityGroupResourceId string = applicationSecurityGroup.id diff --git a/modules/network/private-endpoint/tests/e2e/max/main.test.bicep b/modules/network/private-endpoint/tests/e2e/max/main.test.bicep deleted file mode 100644 index 0812571d74..0000000000 --- a/modules/network/private-endpoint/tests/e2e/max/main.test.bicep +++ /dev/null 
@@ -1,106 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-network.privateendpoints-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'npemax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - applicationSecurityGroupName: 'dep-${namePrefix}-asg-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: 
enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - groupIds: [ - 'vault' - ] - serviceResourceId: nestedDependencies.outputs.keyVaultResourceId - subnetResourceId: nestedDependencies.outputs.subnetResourceId - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - ipConfigurations: [ - { - name: 'myIPconfig' - properties: { - groupId: 'vault' - memberName: 'default' - privateIPAddress: '10.0.0.10' - } - } - ] - customDnsConfigs: [ - { - fqdn: 'abc.keyvault.com' - ipAddresses: [ - '10.0.0.10' - ] - } - ] - customNetworkInterfaceName: '${namePrefix}${serviceShort}001nic' - applicationSecurityGroupResourceIds: [ - nestedDependencies.outputs.applicationSecurityGroupResourceId - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/network/private-endpoint/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/private-endpoint/tests/e2e/waf-aligned/dependencies.bicep deleted file mode 100644 index a4bc9dabca..0000000000 --- a/modules/network/private-endpoint/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null 
@@ -1,95 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Virtual Network to create.') -param virtualNetworkName string - -@description('Required. The name of the Key Vault to create.') -param keyVaultName string - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -@description('Required. The name of the Application Security Group to create.') -param applicationSecurityGroupName string - -var addressPrefix = '10.0.0.0/16' - -resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { - name: virtualNetworkName - location: location - properties: { - addressSpace: { - addressPrefixes: [ - addressPrefix - ] - } - subnets: [ - { - name: 'defaultSubnet' - properties: { - addressPrefix: cidrSubnet(addressPrefix, 16, 0) - } - } - ] - } -} - -resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { - name: keyVaultName - location: location - properties: { - sku: { - family: 'A' - name: 'standard' - } - tenantId: tenant().tenantId - enablePurgeProtection: null - enabledForTemplateDeployment: true - enabledForDiskEncryption: true - enabledForDeployment: true - enableRbacAuthorization: true - accessPolicies: [] - } -} - -resource applicationSecurityGroup 'Microsoft.Network/applicationSecurityGroups@2023-04-01' = { - name: applicationSecurityGroupName - location: location -} - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { - name: 'privatelink.vaultcore.azure.net' - location: 'global' - - resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { - name: '${virtualNetwork.name}-vnetlink' - location: 'global' - properties: { - virtualNetwork: { - id: virtualNetwork.id - } - registrationEnabled: false - } - } -} - 
-@description('The resource ID of the created Virtual Network Subnet.') -output subnetResourceId string = virtualNetwork.properties.subnets[0].id - -@description('The resource ID of the created Key Vault.') -output keyVaultResourceId string = keyVault.id - -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId - -@description('The resource ID of the created Private DNS Zone.') -output privateDNSZoneResourceId string = privateDNSZone.id - -@description('The resource ID of the created Application Security Group.') -output applicationSecurityGroupResourceId string = applicationSecurityGroup.id diff --git a/modules/network/private-endpoint/tests/e2e/waf-aligned/main.test.bicep b/modules/network/private-endpoint/tests/e2e/waf-aligned/main.test.bicep deleted file mode 100644 index 72e2c7f377..0000000000 --- a/modules/network/private-endpoint/tests/e2e/waf-aligned/main.test.bicep +++ /dev/null 
@@ -1,106 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-network.privateendpoints-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'npewaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - applicationSecurityGroupName: 'dep-${namePrefix}-asg-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - 
enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - groupIds: [ - 'vault' - ] - serviceResourceId: nestedDependencies.outputs.keyVaultResourceId - subnetResourceId: nestedDependencies.outputs.subnetResourceId - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - ipConfigurations: [ - { - name: 'myIPconfig' - properties: { - groupId: 'vault' - memberName: 'default' - privateIPAddress: '10.0.0.10' - } - } - ] - customDnsConfigs: [ - { - fqdn: 'abc.keyvault.com' - ipAddresses: [ - '10.0.0.10' - ] - } - ] - customNetworkInterfaceName: '${namePrefix}${serviceShort}001nic' - applicationSecurityGroupResourceIds: [ - nestedDependencies.outputs.applicationSecurityGroupResourceId - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/network/private-endpoint/version.json b/modules/network/private-endpoint/version.json deleted file mode 100644 index 7fa401bdf7..0000000000 --- a/modules/network/private-endpoint/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.1", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/private-link-service/MOVED-TO-AVM.md b/modules/network/private-link-service/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/network/private-link-service/MOVED-TO-AVM.md +++ /dev/null 
@@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/network/private-link-service/README.md b/modules/network/private-link-service/README.md index d57bb46b3b..1414f08609 100644 --- a/modules/network/private-link-service/README.md +++ b/modules/network/private-link-service/README.md @@ -1,848 +1,7 @@ -# Private Link Services `[Microsoft.Network/privateLinkServices]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/private-link-service](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/private-link-service).** -This module deploys a Private Link Service. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/private-link-service). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/privateLinkServices` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-11-01/privateLinkServices) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
- ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.private-link-service:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module privateLinkService 'br:bicep/modules/network.private-link-service:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nplsmin' - params: { - // Required parameters - name: 'nplsmin001' - // Non-required parameters - enableDefaultTelemetry: '' - ipConfigurations: [ - { - name: 'nplsmin01' - properties: { - subnet: { - id: '' - } - } - } - ] - loadBalancerFrontendIpConfigurations: [ - { - id: '' - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nplsmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "ipConfigurations": { - "value": [ - { - "name": "nplsmin01", - "properties": { - "subnet": { - "id": "" - } - } - } - ] - }, - "loadBalancerFrontendIpConfigurations": { - "value": [ - { - "id": "" - } - ] - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module privateLinkService 'br:bicep/modules/network.private-link-service:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nplsmax' - params: { - // Required parameters - name: 'nplsmax001' - // Non-required parameters - autoApproval: { - subscriptions: [ - '*' - ] - } - enableDefaultTelemetry: '' - enableProxyProtocol: true - fqdns: [ - 'nplsmax.plsfqdn01.azure.privatelinkservice' - 'nplsmax.plsfqdn02.azure.privatelinkservice' - ] - ipConfigurations: [ - { - name: 'nplsmax01' - properties: { - primary: true - privateIPAllocationMethod: 'Dynamic' - subnet: { - id: '' - } - } - } - ] - loadBalancerFrontendIpConfigurations: [ - { - id: '' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - visibility: { - subscriptions: [ - '' - ] - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nplsmax001" - }, - // Non-required parameters - "autoApproval": { - "value": { - "subscriptions": [ - "*" - ] - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "enableProxyProtocol": { - "value": true - }, - "fqdns": { - "value": [ - "nplsmax.plsfqdn01.azure.privatelinkservice", - "nplsmax.plsfqdn02.azure.privatelinkservice" - ] - }, - "ipConfigurations": { - "value": [ - { - "name": "nplsmax01", - "properties": { - "primary": true, - "privateIPAllocationMethod": "Dynamic", - "subnet": { - "id": "" - } - } - } - ] - }, - "loadBalancerFrontendIpConfigurations": { - "value": [ - { - "id": "" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "visibility": { - "value": { - "subscriptions": [ - "" - ] - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module privateLinkService 'br:bicep/modules/network.private-link-service:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nplswaf' - params: { - // Required parameters - name: 'nplswaf001' - // Non-required parameters - autoApproval: { - subscriptions: [ - '*' - ] - } - enableDefaultTelemetry: '' - enableProxyProtocol: true - fqdns: [ - 'nplswaf.plsfqdn01.azure.privatelinkservice' - 'nplswaf.plsfqdn02.azure.privatelinkservice' - ] - ipConfigurations: [ - { - name: 'nplswaf01' - properties: { - primary: true - privateIPAllocationMethod: 'Dynamic' - subnet: { - id: '' - } - } - } - ] - loadBalancerFrontendIpConfigurations: [ - { - id: '' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - visibility: { - subscriptions: [ - '' - ] - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nplswaf001" - }, - // Non-required parameters - "autoApproval": { - "value": { - "subscriptions": [ - "*" - ] - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "enableProxyProtocol": { - "value": true - }, - "fqdns": { - "value": [ - "nplswaf.plsfqdn01.azure.privatelinkservice", - "nplswaf.plsfqdn02.azure.privatelinkservice" - ] - }, - "ipConfigurations": { - "value": [ - { - "name": "nplswaf01", - "properties": { - "primary": true, - "privateIPAllocationMethod": "Dynamic", - "subnet": { - "id": "" - } - } - } - ] - }, - "loadBalancerFrontendIpConfigurations": { - "value": [ - { - "id": "" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "visibility": { - "value": { - "subscriptions": [ - "" - ] - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the private link service to create. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`autoApproval`](#parameter-autoapproval) | object | The auto-approval list of the private link service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`enableProxyProtocol`](#parameter-enableproxyprotocol) | bool | Lets the service provider use tcp proxy v2 to retrieve connection information about the service consumer. Service Provider is responsible for setting up receiver configs to be able to parse the proxy protocol v2 header. | -| [`extendedLocation`](#parameter-extendedlocation) | object | The extended location of the load balancer. | -| [`fqdns`](#parameter-fqdns) | array | The list of Fqdn. | -| [`ipConfigurations`](#parameter-ipconfigurations) | array | An array of private link service IP configurations. | -| [`loadBalancerFrontendIpConfigurations`](#parameter-loadbalancerfrontendipconfigurations) | array | An array of references to the load balancer IP configurations. The Private Link service is tied to the frontend IP address of a Standard Load Balancer. All traffic destined for the service will reach the frontend of the SLB. You can configure SLB rules to direct this traffic to appropriate backend pools where your applications are running. Load balancer frontend IP configurations are different than NAT IP configurations. | -| [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`tags`](#parameter-tags) | object | Tags to be applied on all resources/resource groups in this deployment. 
| -| [`visibility`](#parameter-visibility) | object | Controls the exposure settings for your Private Link service. Service providers can choose to limit the exposure to their service to subscriptions with Azure role-based access control (Azure RBAC) permissions, a restricted set of subscriptions, or all Azure subscriptions. | - -### Parameter: `name` - -Name of the private link service to create. - -- Required: Yes -- Type: string - -### Parameter: `autoApproval` - -The auto-approval list of the private link service. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableProxyProtocol` - -Lets the service provider use tcp proxy v2 to retrieve connection information about the service consumer. Service Provider is responsible for setting up receiver configs to be able to parse the proxy protocol v2 header. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `extendedLocation` - -The extended location of the load balancer. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `fqdns` - -The list of Fqdn. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `ipConfigurations` - -An array of private link service IP configurations. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `loadBalancerFrontendIpConfigurations` - -An array of references to the load balancer IP configurations. The Private Link service is tied to the frontend IP address of a Standard Load Balancer. All traffic destined for the service will reach the frontend of the SLB. You can configure SLB rules to direct this traffic to appropriate backend pools where your applications are running. Load balancer frontend IP configurations are different than NAT IP configurations. 
- -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all Resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. 
| -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Tags to be applied on all resources/resource groups in this deployment. - -- Required: No -- Type: object - -### Parameter: `visibility` - -Controls the exposure settings for your Private Link service. Service providers can choose to limit the exposure to their service to subscriptions with Azure role-based access control (Azure RBAC) permissions, a restricted set of subscriptions, or all Azure subscriptions. - -- Required: No -- Type: object -- Default: `{}` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the private link service. | -| `resourceGroupName` | string | The resource group the private link service was deployed into. | -| `resourceId` | string | The resource ID of the private link service. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `ipConfigurations` - -This property refers to the NAT (Network Address Translation) IP configuration for the Private Link service. The NAT IP can be chosen from any subnet in a service provider's virtual network. Private Link service performs destination side NAT-ing on the Private Link traffic. This ensures that there is no IP conflict between source (consumer side) and destination (service provider) address space. On the destination side (service provider side), the NAT IP address will show up as Source IP for all packets received by your service and destination IP for all packets sent by your service. - -

- -Parameter JSON format - -```json -"ipConfigurations": { - "value": [ - // Example showing only mandatory fields - { - "name": "minpls01", // Name of the IP configuration - "properties": { - "subnet": { - "id": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-[[namePrefix]]-az-vnet-x-001/subnets/[[namePrefix]]-az-subnet-x-001" // The subnet selected here will be used by the Private Link Service to pick up the NAT IP - } - } - }, - // Example showing commonly used fields - { - "name": "pls01", // Name of the IP configuration - "properties": { - "primary": false, // Whether the ip configuration is primary or not - "privateIPAddressVersion": "IPv4", // Whether the specific IP configuration is IPv4 or IPv6. Default is IPv4 - "privateIPAllocationMethod": "Static", // The private IP address allocation method - "privateIPAddress": "10.0.1.10", // If "privateIPAllocationMethod" is set to "Static" then this needs to be supplied - "subnet": { - "id": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-[[namePrefix]]-az-vnet-x-001/subnets/[[namePrefix]]-az-subnet-x-001" // The subnet selected here will be used by the Private Link Service to pick up the NAT IP - } - } - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -ipConfigurations: [ - // Example showing only mandatory fields - { - name: 'minpls01' // Name of the IP configuration - properties: { - subnet: { - id: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-[[namePrefix]]-az-vnet-x-001/subnets/[[namePrefix]]-az-subnet-x-001' // The subnet selected here will be used by the Private Link Service to pick up the NAT IP - } - } - } - // Example showing commonly used fields - { - name: 'pls01' // Name of the IP configuration - properties: { - primary: false // Whether the ip configuration is primary or not - privateIPAddressVersion: 'IPv4' // Whether the specific IP configuration is IPv4 or IPv6. Default is IPv4 - privateIPAllocationMethod: 'Static' // Whether the specific IP configuration is IPv4 or IPv6. Default is IPv4 - privateIPAddress: '10.0.1.10' // If "privateIPAllocationMethod" is set to "Static" then this needs to be supplied - subnet: { - id: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-[[namePrefix]]-az-vnet-x-001/subnets/[[namePrefix]]-az-subnet-x-001' // The subnet selected here will be used by the Private Link Service to pick up the NAT IP - } - } - } -] -``` - -
-

- -### Parameter Usage: `extendedLocation` - -This is the Edge Zone ID of the Edge Zone corresponding to the region in which the resource is deployed. More information is available here: [Azure Edge Zone ID](https://learn.microsoft.com/en-us/azure/public-multi-access-edge-compute-mec/key-concepts#azure-edge-zone-id). - -

- -Parameter JSON format - -```json -"extendedLocation": { - // Example showing usage of the extendedLocation param - "value": { - "name": "attatlanta1", // Edge Zone ID for the parent East US 2 region is "attatlanta1" - "type": "EdgeZone" // Fixed value - } -} -``` - -
- -
- -Bicep format - -```bicep -extendedLocation: { - // Example showing usage of the extendedLocation param - name: 'attdallas1' // Edge Zone ID for the parent South Central US region is "attdallas1". - type: 'EdgeZone' // Fixed value -} -``` - -
-

- -### Parameter Usage: `autoApproval` - -Auto-approval controls the automated access to the Private Link service. The subscriptions specified in the auto-approval list are approved automatically when a connection is requested from private endpoints in those subscriptions. - -

- -Parameter JSON format - -```json -// Example to auto-approve for all the subscriptions present under the "visibility" param -"autoApproval": { - "value": [ - "*" - ] -} - -// Example to auto-approve a specific set of subscriptions. This should always be a subset of the subscriptions provided under the "visibility" param -"autoApproval": { - "value": [ - "12345678-1234-1234-1234-123456781234", // Subscription 1 - "87654321-1234-1234-1234-123456781234" // Subscription 2 - ] -} -``` - -
- -
- -Bicep format - -```bicep -// Example to auto-approve for all the subscriptions present under the "visibility" param -autoApproval: [ - "*" -] - -// Example to auto-approve a specific set of subscriptions. This should always be a subset of the subscriptions provided under "visibility" -autoApproval: [ - '12345678-1234-1234-1234-123456781234' // Subscription 1 - '87654321-1234-1234-1234-123456781234' // Subscription 2 -] -``` - -
-

+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/network/private-link-service/main.bicep b/modules/network/private-link-service/main.bicep
deleted file mode 100644
index 7f8f61068e..0000000000
--- a/modules/network/private-link-service/main.bicep
+++ /dev/null
@@ -1,152 +0,0 @@ -metadata name = 'Private Link Services' -metadata description = 'This module deploys a Private Link Service.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. Name of the private link service to create.') -param name string - -@description('Optional. Location for all Resources.') -param location string = resourceGroup().location - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. Tags to be applied on all resources/resource groups in this deployment.') -param tags object? - -@description('Optional. The extended location of the load balancer.') -param extendedLocation object = {} - -@description('Optional. The auto-approval list of the private link service.') -param autoApproval object = {} - -@description('Optional. Lets the service provider use tcp proxy v2 to retrieve connection information about the service consumer. Service Provider is responsible for setting up receiver configs to be able to parse the proxy protocol v2 header.') -param enableProxyProtocol bool = false - -@description('Optional. The list of Fqdn.') -param fqdns array = [] - -@description('Optional. An array of private link service IP configurations.') -param ipConfigurations array = [] - -@description('Optional. An array of references to the load balancer IP configurations. The Private Link service is tied to the frontend IP address of a Standard Load Balancer. All traffic destined for the service will reach the frontend of the SLB. You can configure SLB rules to direct this traffic to appropriate backend pools where your applications are running. Load balancer frontend IP configurations are different than NAT IP configurations.') -param loadBalancerFrontendIpConfigurations array = [] - -@description('Optional. Controls the exposure settings for your Private Link service. 
Service providers can choose to limit the exposure to their service to subscriptions with Azure role-based access control (Azure RBAC) permissions, a restricted set of subscriptions, or all Azure subscriptions.') -param visibility object = {} - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) { - name: 
'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource privateLinkService 'Microsoft.Network/privateLinkServices@2022-11-01' = { - name: name - location: location - tags: tags - extendedLocation: !empty(extendedLocation) ? extendedLocation : null - properties: { - autoApproval: autoApproval - enableProxyProtocol: enableProxyProtocol - fqdns: fqdns - ipConfigurations: ipConfigurations - loadBalancerFrontendIpConfigurations: loadBalancerFrontendIpConfigurations - visibility: visibility - } -} - -resource privateLinkService_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' - } - scope: privateLinkService -} - -resource privateLinkService_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(privateLinkService.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? 
roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: privateLinkService -}] - -@description('The resource group the private link service was deployed into.') -output resourceGroupName string = resourceGroup().name - -@description('The resource ID of the private link service.') -output resourceId string = privateLinkService.id - -@description('The name of the private link service.') -output name string = privateLinkService.name - -@description('The location the resource was deployed into.') -output location string = privateLinkService.location - -// =============== // -// Definitions // -// =============== // - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. 
The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? diff --git a/modules/network/private-link-service/main.json b/modules/network/private-link-service/main.json deleted file mode 100644 index 3b5dd0ec02..0000000000 --- a/modules/network/private-link-service/main.json +++ /dev/null 
@@ -1,310 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "16095668767284797776" - }, - "name": "Private Link Services", - "description": "This module deploys a Private Link Service.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private link service to create." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "extendedLocation": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The extended location of the load balancer." - } - }, - "autoApproval": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The auto-approval list of the private link service." - } - }, - "enableProxyProtocol": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Lets the service provider use tcp proxy v2 to retrieve connection information about the service consumer. 
Service Provider is responsible for setting up receiver configs to be able to parse the proxy protocol v2 header." - } - }, - "fqdns": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of Fqdn." - } - }, - "ipConfigurations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An array of private link service IP configurations." - } - }, - "loadBalancerFrontendIpConfigurations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An array of references to the load balancer IP configurations. The Private Link service is tied to the frontend IP address of a Standard Load Balancer. All traffic destined for the service will reach the frontend of the SLB. You can configure SLB rules to direct this traffic to appropriate backend pools where your applications are running. Load balancer frontend IP configurations are different than NAT IP configurations." - } - }, - "visibility": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Controls the exposure settings for your Private Link service. Service providers can choose to limit the exposure to their service to subscriptions with Azure role-based access control (Azure RBAC) permissions, a restricted set of subscriptions, or all Azure subscriptions." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateLinkService": { - "type": 
"Microsoft.Network/privateLinkServices", - "apiVersion": "2022-11-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "extendedLocation": "[if(not(empty(parameters('extendedLocation'))), parameters('extendedLocation'), null())]", - "properties": { - "autoApproval": "[parameters('autoApproval')]", - "enableProxyProtocol": "[parameters('enableProxyProtocol')]", - "fqdns": "[parameters('fqdns')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "loadBalancerFrontendIpConfigurations": "[parameters('loadBalancerFrontendIpConfigurations')]", - "visibility": "[parameters('visibility')]" - } - }, - "privateLinkService_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateLinkServices/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateLinkService" - ] - }, - "privateLinkService_roleAssignments": { - "copy": { - "name": "privateLinkService_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateLinkServices/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateLinkServices', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateLinkService" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private link service was deployed into." 
- }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private link service." - }, - "value": "[resourceId('Microsoft.Network/privateLinkServices', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private link service." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateLinkService', '2022-11-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/private-link-service/tests/e2e/defaults/dependencies.bicep b/modules/network/private-link-service/tests/e2e/defaults/dependencies.bicep deleted file mode 100644 index cecd1df763..0000000000 --- a/modules/network/private-link-service/tests/e2e/defaults/dependencies.bicep +++ /dev/null 
@@ -1,57 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Load Balancer to create.')
-param loadBalancerName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- privateLinkServiceNetworkPolicies: 'Disabled'
- }
- }
- ]
- }
-}
-
-resource loadBalancer 'Microsoft.Network/loadBalancers@2023-04-01' = {
- name: loadBalancerName
- location: location
- sku: {
- name: 'Standard'
- }
- properties: {
- frontendIPConfigurations: [
- {
- name: 'frontendIPConfiguration'
- properties: {
- subnet: {
- id: virtualNetwork.properties.subnets[0].id
- }
- }
- }
- ]
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Load Balancer Frontend IP Configuration.')
-output loadBalancerFrontendIpConfigurationResourceId string = loadBalancer.properties.frontendIPConfigurations[0].id
diff --git a/modules/network/private-link-service/tests/e2e/defaults/main.test.bicep b/modules/network/private-link-service/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index c6a012f831..0000000000
--- a/modules/network/private-link-service/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,73 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.privatelinkservices-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nplsmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- loadBalancerName: 'dep-${namePrefix}-lb-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- ipConfigurations: [
- {
- name: '${serviceShort}01'
- properties: {
- subnet: {
- id: nestedDependencies.outputs.subnetResourceId
- }
- }
- }
- ]
- loadBalancerFrontendIpConfigurations: [
- {
- id: nestedDependencies.outputs.loadBalancerFrontendIpConfigurationResourceId
- }
- ]
- }
-}]
diff --git a/modules/network/private-link-service/tests/e2e/max/dependencies.bicep b/modules/network/private-link-service/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 1031dd4830..0000000000
--- a/modules/network/private-link-service/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,68 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Load Balancer to create.')
-param loadBalancerName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- privateLinkServiceNetworkPolicies: 'Disabled'
- }
- }
- ]
- }
-}
-
-resource loadBalancer 'Microsoft.Network/loadBalancers@2023-04-01' = {
- name: loadBalancerName
- location: location
- sku: {
- name: 'Standard'
- }
- properties: {
- frontendIPConfigurations: [
- {
- name: 'frontendIPConfiguration'
- properties: {
- subnet: {
- id: virtualNetwork.properties.subnets[0].id
- }
- }
- }
- ]
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Load Balancer Frontend IP Configuration.')
-output loadBalancerFrontendIpConfigurationResourceId string = loadBalancer.properties.frontendIPConfigurations[0].id
diff --git a/modules/network/private-link-service/tests/e2e/max/main.test.bicep b/modules/network/private-link-service/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 1fc85cda3b..0000000000
--- a/modules/network/private-link-service/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,107 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.privatelinkservices-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nplsmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- loadBalancerName: 'dep-${namePrefix}-lb-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- ipConfigurations: [
- {
- name: '${serviceShort}01'
- properties: {
- primary: true
- privateIPAllocationMethod: 'Dynamic'
- subnet: {
- id: nestedDependencies.outputs.subnetResourceId
- }
- }
- }
- ]
- loadBalancerFrontendIpConfigurations: [
- {
- id: nestedDependencies.outputs.loadBalancerFrontendIpConfigurationResourceId
- }
- ]
- autoApproval: {
- subscriptions: [
- '*'
- ]
- }
- visibility: {
- subscriptions: [
- subscription().subscriptionId
- ]
- }
- enableProxyProtocol: true
- fqdns: [
- '${serviceShort}.plsfqdn01.azure.privatelinkservice'
- '${serviceShort}.plsfqdn02.azure.privatelinkservice'
- ]
- roleAssignments: [
- {
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- roleDefinitionIdOrName: 'Reader'
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/private-link-service/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/private-link-service/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 1031dd4830..0000000000
--- a/modules/network/private-link-service/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,68 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Load Balancer to create.')
-param loadBalancerName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- privateLinkServiceNetworkPolicies: 'Disabled'
- }
- }
- ]
- }
-}
-
-resource loadBalancer 'Microsoft.Network/loadBalancers@2023-04-01' = {
- name: loadBalancerName
- location: location
- sku: {
- name: 'Standard'
- }
- properties: {
- frontendIPConfigurations: [
- {
- name: 'frontendIPConfiguration'
- properties: {
- subnet: {
- id: virtualNetwork.properties.subnets[0].id
- }
- }
- }
- ]
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Load Balancer Frontend IP Configuration.')
-output loadBalancerFrontendIpConfigurationResourceId string = loadBalancer.properties.frontendIPConfigurations[0].id
diff --git a/modules/network/private-link-service/tests/e2e/waf-aligned/main.test.bicep b/modules/network/private-link-service/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index cc74016e1e..0000000000
--- a/modules/network/private-link-service/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,107 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.privatelinkservices-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nplswaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- loadBalancerName: 'dep-${namePrefix}-lb-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- ipConfigurations: [
- {
- name: '${serviceShort}01'
- properties: {
- primary: true
- privateIPAllocationMethod: 'Dynamic'
- subnet: {
- id: nestedDependencies.outputs.subnetResourceId
- }
- }
- }
- ]
- loadBalancerFrontendIpConfigurations: [
- {
- id: nestedDependencies.outputs.loadBalancerFrontendIpConfigurationResourceId
- }
- ]
- autoApproval: {
- subscriptions: [
- '*'
- ]
- }
- visibility: {
- subscriptions: [
- subscription().subscriptionId
- ]
- }
- enableProxyProtocol: true
- fqdns: [
- '${serviceShort}.plsfqdn01.azure.privatelinkservice'
- '${serviceShort}.plsfqdn02.azure.privatelinkservice'
- ]
- roleAssignments: [
- {
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- roleDefinitionIdOrName: 'Reader'
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/private-link-service/version.json b/modules/network/private-link-service/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/network/private-link-service/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/public-ip-address/MOVED-TO-AVM.md b/modules/network/public-ip-address/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/network/public-ip-address/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/network/public-ip-address/README.md b/modules/network/public-ip-address/README.md index 758b33d6c9..9268826d12 100644 --- a/modules/network/public-ip-address/README.md +++ b/modules/network/public-ip-address/README.md @@ -1,763 +1,7 @@ -# Public IP Addresses `[Microsoft.Network/publicIPAddresses]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/public-ip-address](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/public-ip-address).** -This module deploys a Public IP Address. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/public-ip-address). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/publicIPAddresses` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/publicIPAddresses) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. 
- ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.public-ip-address:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module publicIpAddress 'br:bicep/modules/network.public-ip-address:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-npiamin' - params: { - // Required parameters - name: 'npiamin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "npiamin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module publicIpAddress 'br:bicep/modules/network.public-ip-address:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-npiamax' - params: { - // Required parameters - name: 'npiamax001' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - publicIPAllocationMethod: 'Static' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - skuName: 'Standard' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - zones: [ - '1' - '2' - '3' - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "npiamax001" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "publicIPAllocationMethod": { - "value": "Static" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "skuName": { - "value": "Standard" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "zones": { - "value": [ - "1", - "2", - "3" - ] - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module publicIpAddress 'br:bicep/modules/network.public-ip-address:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-npiawaf' - params: { - // Required parameters - name: 'npiawaf001' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - publicIPAllocationMethod: 'Static' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - skuName: 'Standard' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - zones: [ - '1' - '2' - '3' - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "npiawaf001" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "publicIPAllocationMethod": { - "value": "Static" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "skuName": { - "value": "Standard" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "zones": { - "value": [ - "1", - "2", - "3" - ] - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the Public IP Address. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`domainNameLabel`](#parameter-domainnamelabel) | string | The domain name label. The concatenation of the domain name label and the regionalized DNS zone make up the fully qualified domain name associated with the public IP address. If a domain name label is specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system. | -| [`domainNameLabelScope`](#parameter-domainnamelabelscope) | string | The domain name label scope. If a domain name label and a domain name label scope are specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system with a hashed value includes in FQDN. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`fqdn`](#parameter-fqdn) | string | The Fully Qualified Domain Name of the A DNS record associated with the public IP. This is the concatenation of the domainNameLabel and the regionalized DNS zone. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`publicIPAddressVersion`](#parameter-publicipaddressversion) | string | IP address version. | -| [`publicIPAllocationMethod`](#parameter-publicipallocationmethod) | string | The public IP address allocation method. | -| [`publicIPPrefixResourceId`](#parameter-publicipprefixresourceid) | string | Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. 
| -| [`reverseFqdn`](#parameter-reversefqdn) | string | The reverse FQDN. A user-visible, fully qualified domain name that resolves to this public IP address. If the reverseFqdn is specified, then a PTR DNS record is created pointing from the IP address in the in-addr.arpa domain to the reverse FQDN. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`skuName`](#parameter-skuname) | string | Name of a public IP address SKU. | -| [`skuTier`](#parameter-skutier) | string | Tier of a public IP address SKU. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`zones`](#parameter-zones) | array | A list of availability zones denoting the IP allocated for the resource needs to come from. | - -### Parameter: `name` - -The name of the Public IP Address. - -- Required: Yes -- Type: string - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
- -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `domainNameLabel` - -The domain name label. The concatenation of the domain name label and the regionalized DNS zone make up the fully qualified domain name associated with the public IP address. If a domain name label is specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `domainNameLabelScope` - -The domain name label scope. If a domain name label and a domain name label scope are specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system with a hashed value includes in FQDN. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'NoReuse' - 'ResourceGroupReuse' - 'SubscriptionReuse' - 'TenantReuse' - ] - ``` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `fqdn` - -The Fully Qualified Domain Name of the A DNS record associated with the public IP. This is the concatenation of the domainNameLabel and the regionalized DNS zone. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `publicIPAddressVersion` - -IP address version. - -- Required: No -- Type: string -- Default: `'IPv4'` -- Allowed: - ```Bicep - [ - 'IPv4' - 'IPv6' - ] - ``` - -### Parameter: `publicIPAllocationMethod` - -The public IP address allocation method. - -- Required: No -- Type: string -- Default: `'Static'` -- Allowed: - ```Bicep - [ - 'Dynamic' - 'Static' - ] - ``` - -### Parameter: `publicIPPrefixResourceId` - -Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `reverseFqdn` - -The reverse FQDN. A user-visible, fully qualified domain name that resolves to this public IP address. If the reverseFqdn is specified, then a PTR DNS record is created pointing from the IP address in the in-addr.arpa domain to the reverse FQDN. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. 
If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. 
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.description`
-
-The description of the role assignment.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.principalType`
-
-The principal type of the assigned principal ID.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Device'
- 'ForeignGroup'
- 'Group'
- 'ServicePrincipal'
- 'User'
- ]
- ```
-
-### Parameter: `skuName`
-
-Name of a public IP address SKU.
-
-- Required: No
-- Type: string
-- Default: `'Standard'`
-- Allowed:
- ```Bicep
- [
- 'Basic'
- 'Standard'
- ]
- ```
-
-### Parameter: `skuTier`
-
-Tier of a public IP address SKU.
-
-- Required: No
-- Type: string
-- Default: `'Regional'`
-- Allowed:
- ```Bicep
- [
- 'Global'
- 'Regional'
- ]
- ```
-
-### Parameter: `tags`
-
-Tags of the resource.
-
-- Required: No
-- Type: object
-
-### Parameter: `zones`
-
-A list of availability zones denoting the IP allocated for the resource needs to come from.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `ipAddress` | string | The public IP address of the public IP address resource. |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the public IP address. |
-| `resourceGroupName` | string | The resource group the public IP address was deployed into. |
-| `resourceId` | string | The resource ID of the public IP address. |
-
-## Cross-referenced modules
-
-_None_
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/network/public-ip-address/main.bicep b/modules/network/public-ip-address/main.bicep
deleted file mode 100644
index 46fd1decb2..0000000000
--- a/modules/network/public-ip-address/main.bicep
+++ /dev/null
@@ -1,261 +0,0 @@
-metadata name = 'Public IP Addresses'
-metadata description = 'This module deploys a Public IP Address.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the Public IP Address.')
-param name string
-
-@description('Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix.')
-param publicIPPrefixResourceId string = ''
-
-@description('Optional. The public IP address allocation method.')
-@allowed([
- 'Dynamic'
- 'Static'
-])
-param publicIPAllocationMethod string = 'Static'
-
-@description('Optional. Name of a public IP address SKU.')
-@allowed([
- 'Basic'
- 'Standard'
-])
-param skuName string = 'Standard'
-
-@description('Optional. Tier of a public IP address SKU.')
-@allowed([
- 'Global'
- 'Regional'
-])
-param skuTier string = 'Regional'
-
-@description('Optional. A list of availability zones denoting the IP allocated for the resource needs to come from.')
-param zones array = []
-
-@description('Optional. IP address version.')
-@allowed([
- 'IPv4'
- 'IPv6'
-])
-param publicIPAddressVersion string = 'IPv4'
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. The domain name label. The concatenation of the domain name label and the regionalized DNS zone make up the fully qualified domain name associated with the public IP address. If a domain name label is specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system.')
-param domainNameLabel string = ''
-
-@allowed([
- ''
- 'NoReuse'
- 'ResourceGroupReuse'
- 'SubscriptionReuse'
- 'TenantReuse'
-])
-@description('Optional. The domain name label scope. If a domain name label and a domain name label scope are specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system with a hashed value includes in FQDN.')
-param domainNameLabelScope string = ''
-
-@description('Optional. The Fully Qualified Domain Name of the A DNS record associated with the public IP. This is the concatenation of the domainNameLabel and the regionalized DNS zone.')
-param fqdn string = ''
-
-@description('Optional. The reverse FQDN. A user-visible, fully qualified domain name that resolves to this public IP address. If the reverseFqdn is specified, then a PTR DNS record is created pointing from the IP address in the in-addr.arpa domain to the reverse FQDN.')
-param reverseFqdn string = ''
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource publicIpAddress 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
- name: name
- location: location
- tags: tags
- sku: {
- name: skuName
- tier: skuTier
- }
- zones: zones
- properties: {
- dnsSettings: !empty(domainNameLabel) ? {
- domainNameLabel: domainNameLabel
- domainNameLabelScope: domainNameLabelScope
- fqdn: fqdn
- reverseFqdn: reverseFqdn
- } : null
- publicIPAddressVersion: publicIPAddressVersion
- publicIPAllocationMethod: publicIPAllocationMethod
- publicIPPrefix: !empty(publicIPPrefixResourceId) ? {
- id: publicIPPrefixResourceId
- } : null
- idleTimeoutInMinutes: 4
- ipTags: []
- }
-}
-
-resource publicIpAddress_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: publicIpAddress
-}
-
-resource publicIpAddress_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: publicIpAddress
-}]
-
-resource publicIpAddress_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(publicIpAddress.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
-}]
-
-@description('The resource group the public IP address was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the public IP address.')
-output name string = publicIpAddress.name
-
-@description('The resource ID of the public IP address.')
-output resourceId string = publicIpAddress.id
-
-@description('The public IP address of the public IP address resource.')
-output ipAddress string = contains(publicIpAddress.properties, 'ipAddress') ? publicIpAddress.properties.ipAddress : ''
-
-@description('The location the resource was deployed into.')
-output location string = publicIpAddress.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/network/public-ip-address/main.json b/modules/network/public-ip-address/main.json
deleted file mode 100644
index 1f444a3ba0..0000000000
--- a/modules/network/public-ip-address/main.json
+++ /dev/null
@@ -1,496 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15536304828480480757" - }, - "name": "Public IP Addresses", - "description": "This module deploys a Public IP Address.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. 
The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Public IP Address." - } - }, - "publicIPPrefixResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix." - } - }, - "publicIPAllocationMethod": { - "type": "string", - "defaultValue": "Static", - "allowedValues": [ - "Dynamic", - "Static" - ], - "metadata": { - "description": "Optional. The public IP address allocation method." - } - }, - "skuName": { - "type": "string", - "defaultValue": "Standard", - "allowedValues": [ - "Basic", - "Standard" - ], - "metadata": { - "description": "Optional. Name of a public IP address SKU." - } - }, - "skuTier": { - "type": "string", - "defaultValue": "Regional", - "allowedValues": [ - "Global", - "Regional" - ], - "metadata": { - "description": "Optional. Tier of a public IP address SKU." - } - }, - "zones": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. A list of availability zones denoting the IP allocated for the resource needs to come from." - } - }, - "publicIPAddressVersion": { - "type": "string", - "defaultValue": "IPv4", - "allowedValues": [ - "IPv4", - "IPv6" - ], - "metadata": { - "description": "Optional. IP address version." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "domainNameLabel": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The domain name label. 
The concatenation of the domain name label and the regionalized DNS zone make up the fully qualified domain name associated with the public IP address. If a domain name label is specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system." - } - }, - "domainNameLabelScope": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "NoReuse", - "ResourceGroupReuse", - "SubscriptionReuse", - "TenantReuse" - ], - "metadata": { - "description": "Optional. The domain name label scope. If a domain name label and a domain name label scope are specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system with a hashed value includes in FQDN." - } - }, - "fqdn": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The Fully Qualified Domain Name of the A DNS record associated with the public IP. This is the concatenation of the domainNameLabel and the regionalized DNS zone." - } - }, - "reverseFqdn": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The reverse FQDN. A user-visible, fully qualified domain name that resolves to this public IP address. If the reverseFqdn is specified, then a PTR DNS record is created pointing from the IP address in the in-addr.arpa domain to the reverse FQDN." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "publicIpAddress": { - "type": "Microsoft.Network/publicIPAddresses", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "name": "[parameters('skuName')]", - "tier": "[parameters('skuTier')]" - }, - "zones": "[parameters('zones')]", - "properties": { - "dnsSettings": "[if(not(empty(parameters('domainNameLabel'))), createObject('domainNameLabel', parameters('domainNameLabel'), 'domainNameLabelScope', parameters('domainNameLabelScope'), 'fqdn', parameters('fqdn'), 'reverseFqdn', parameters('reverseFqdn')), null())]", - "publicIPAddressVersion": "[parameters('publicIPAddressVersion')]", - "publicIPAllocationMethod": "[parameters('publicIPAllocationMethod')]", - "publicIPPrefix": "[if(not(empty(parameters('publicIPPrefixResourceId'))), createObject('id', parameters('publicIPPrefixResourceId')), null())]", - "idleTimeoutInMinutes": 4, - "ipTags": [] - } - }, - "publicIpAddress_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "publicIpAddress" - ] - }, - "publicIpAddress_diagnosticSettings": { - "copy": { - "name": "publicIpAddress_diagnosticSettings", - "count": 
"[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "publicIpAddress" - ] - }, - "publicIpAddress_roleAssignments": { - "copy": { - "name": "publicIpAddress_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - 
"name": "[guid(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "publicIpAddress" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the public IP address was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the public IP address." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the public IP address." - }, - "value": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" - }, - "ipAddress": { - "type": "string", - "metadata": { - "description": "The public IP address of the public IP address resource." - }, - "value": "[if(contains(reference('publicIpAddress'), 'ipAddress'), reference('publicIpAddress').ipAddress, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('publicIpAddress', '2023-04-01', 'full').location]" - } - } -}
\ No newline at end of file
diff --git a/modules/network/public-ip-address/tests/e2e/defaults/main.test.bicep b/modules/network/public-ip-address/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index c4f1e366fd..0000000000
--- a/modules/network/public-ip-address/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.publicipaddresses-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'npiamin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/network/public-ip-address/tests/e2e/max/dependencies.bicep b/modules/network/public-ip-address/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/network/public-ip-address/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/public-ip-address/tests/e2e/max/main.test.bicep b/modules/network/public-ip-address/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 7ce46d663b..0000000000
--- a/modules/network/public-ip-address/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,108 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.publicipaddresses-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'npiamax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- publicIPAllocationMethod: 'Static'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- skuName: 'Standard'
- zones: [
- '1'
- '2'
- '3'
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/public-ip-address/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/public-ip-address/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/network/public-ip-address/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/public-ip-address/tests/e2e/waf-aligned/main.test.bicep b/modules/network/public-ip-address/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 5e16ba63ef..0000000000
--- a/modules/network/public-ip-address/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,108 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.publicipaddresses-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'npiawaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- publicIPAllocationMethod: 'Static'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- skuName: 'Standard'
- zones: [
- '1'
- '2'
- '3'
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/public-ip-address/version.json b/modules/network/public-ip-address/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/network/public-ip-address/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/public-ip-prefix/MOVED-TO-AVM.md b/modules/network/public-ip-prefix/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/network/public-ip-prefix/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/network/public-ip-prefix/README.md b/modules/network/public-ip-prefix/README.md
index fa80cb1372..597c1d1410 100644
--- a/modules/network/public-ip-prefix/README.md
+++ b/modules/network/public-ip-prefix/README.md
@@ -1,474 +1,7 @@
-# Public IP Prefixes `[Microsoft.Network/publicIPPrefixes]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/public-ip-prefix](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/public-ip-prefix).** -This module deploys a Public IP Prefix. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/public-ip-prefix). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/publicIPPrefixes` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/publicIPPrefixes) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.public-ip-prefix:1.0.0`. 
- -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-npipmin' - params: { - // Required parameters - name: 'npipmin001' - prefixLength: 28 - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "npipmin001" - }, - "prefixLength": { - "value": 28 - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-npipmax' - params: { - // Required parameters - name: 'npipmax001' - prefixLength: 28 - // Non-required parameters - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "npipmax001" - }, - "prefixLength": { - "value": 28 - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-npipwaf' - params: { - // Required parameters - name: 'npipwaf001' - prefixLength: 28 - // Non-required parameters - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "npipwaf001" - }, - "prefixLength": { - "value": 28 - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Public IP Prefix. | -| [`prefixLength`](#parameter-prefixlength) | int | Length of the Public IP Prefix. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`customIPPrefix`](#parameter-customipprefix) | object | The customIpPrefix that this prefix is associated with. A custom IP address prefix is a contiguous range of IP addresses owned by an external customer and provisioned into a subscription. When a custom IP prefix is in Provisioned, Commissioning, or Commissioned state, a linked public IP prefix can be created. Either as a subset of the custom IP prefix range or the entire range. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `name` - -Name of the Public IP Prefix. - -- Required: Yes -- Type: string - -### Parameter: `prefixLength` - -Length of the Public IP Prefix. - -- Required: Yes -- Type: int - -### Parameter: `customIPPrefix` - -The customIpPrefix that this prefix is associated with. A custom IP address prefix is a contiguous range of IP addresses owned by an external customer and provisioned into a subscription. When a custom IP prefix is in Provisioned, Commissioning, or Commissioned state, a linked public IP prefix can be created. Either as a subset of the custom IP prefix range or the entire range. 
- -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. 
- -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the public IP prefix. | -| `resourceGroupName` | string | The resource group the public IP prefix was deployed into. | -| `resourceId` | string | The resource ID of the public IP prefix. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/network/public-ip-prefix/main.bicep b/modules/network/public-ip-prefix/main.bicep deleted file mode 100644 index 97b513f893..0000000000 --- a/modules/network/public-ip-prefix/main.bicep +++ /dev/null 
@@ -1,135 +0,0 @@ -metadata name = 'Public IP Prefixes' -metadata description = 'This module deploys a Public IP Prefix.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. Name of the Public IP Prefix.') -@minLength(1) -param name string - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Required. Length of the Public IP Prefix.') -@minValue(28) -@maxValue(31) -param prefixLength int - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. Tags of the resource.') -param tags object? - -@description('Optional. The customIpPrefix that this prefix is associated with. A custom IP address prefix is a contiguous range of IP addresses owned by an external customer and provisioned into a subscription. When a custom IP prefix is in Provisioned, Commissioning, or Commissioned state, a linked public IP prefix can be created. Either as a subset of the custom IP prefix range or the entire range.') -param customIPPrefix object = {} - -@description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource publicIpPrefix 'Microsoft.Network/publicIPPrefixes@2023-04-01' = { - name: name - location: location - tags: tags - sku: { - name: 'Standard' - } - properties: { - customIPPrefix: !empty(customIPPrefix) ? customIPPrefix : null - publicIPAddressVersion: 'IPv4' - prefixLength: prefixLength - } -} - -resource publicIpPrefix_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' 
- } - scope: publicIpPrefix -} - -resource publicIpPrefix_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(publicIpPrefix.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: publicIpPrefix -}] - -@description('The resource ID of the public IP prefix.') -output resourceId string = publicIpPrefix.id - -@description('The resource group the public IP prefix was deployed into.') -output resourceGroupName string = resourceGroup().name - -@description('The name of the public IP prefix.') -output name string = publicIpPrefix.name - -@description('The location the resource was deployed into.') -output location string = publicIpPrefix.location - -// =============== // -// Definitions // -// =============== // - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? diff --git a/modules/network/public-ip-prefix/main.json b/modules/network/public-ip-prefix/main.json deleted file mode 100644 index b8010113ed..0000000000 --- a/modules/network/public-ip-prefix/main.json +++ /dev/null 
@@ -1,272 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11282022059497213596" - }, - "name": "Public IP Prefixes", - "description": "This module deploys a Public IP Prefix.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "minLength": 1, - "metadata": { - "description": "Required. Name of the Public IP Prefix." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "prefixLength": { - "type": "int", - "minValue": 28, - "maxValue": 31, - "metadata": { - "description": "Required. Length of the Public IP Prefix." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "customIPPrefix": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The customIpPrefix that this prefix is associated with. A custom IP address prefix is a contiguous range of IP addresses owned by an external customer and provisioned into a subscription. 
When a custom IP prefix is in Provisioned, Commissioning, or Commissioned state, a linked public IP prefix can be created. Either as a subset of the custom IP prefix range or the entire range." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "publicIpPrefix": { - "type": "Microsoft.Network/publicIPPrefixes", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - 
"name": "Standard" - }, - "properties": { - "customIPPrefix": "[if(not(empty(parameters('customIPPrefix'))), parameters('customIPPrefix'), null())]", - "publicIPAddressVersion": "IPv4", - "prefixLength": "[parameters('prefixLength')]" - } - }, - "publicIpPrefix_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/publicIPPrefixes/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "publicIpPrefix" - ] - }, - "publicIpPrefix_roleAssignments": { - "copy": { - "name": "publicIpPrefix_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/publicIPPrefixes/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/publicIPPrefixes', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, 
'/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "publicIpPrefix" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the public IP prefix." - }, - "value": "[resourceId('Microsoft.Network/publicIPPrefixes', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the public IP prefix was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the public IP prefix." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." 
- }, - "value": "[reference('publicIpPrefix', '2023-04-01', 'full').location]" - } - } -}
\ No newline at end of file
diff --git a/modules/network/public-ip-prefix/tests/e2e/defaults/main.test.bicep b/modules/network/public-ip-prefix/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index 520214d9be..0000000000
--- a/modules/network/public-ip-prefix/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.publicipprefixes-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'npipmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- prefixLength: 28
- }
-}]
diff --git a/modules/network/public-ip-prefix/tests/e2e/max/dependencies.bicep b/modules/network/public-ip-prefix/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/network/public-ip-prefix/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/public-ip-prefix/tests/e2e/max/main.test.bicep b/modules/network/public-ip-prefix/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 04bc42d4e9..0000000000
--- a/modules/network/public-ip-prefix/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,84 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.publicipprefixes-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'npipmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- prefixLength: 28
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/public-ip-prefix/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/public-ip-prefix/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/network/public-ip-prefix/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep b/modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 9081c0314b..0000000000
--- a/modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,67 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.publicipprefixes-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'npipwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- prefixLength: 28
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/public-ip-prefix/version.json b/modules/network/public-ip-prefix/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/network/public-ip-prefix/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/route-table/MOVED-TO-AVM.md b/modules/network/route-table/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/network/route-table/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/network/route-table/README.md b/modules/network/route-table/README.md
index 04717517cb..c69c3366b3 100644
--- a/modules/network/route-table/README.md
+++ b/modules/network/route-table/README.md
@@ -1,503 +1,7 @@
-# Route Tables `[Microsoft.Network/routeTables]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/route-table](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/route-table).** -This module deploys a User Defined Route Table (UDR). +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/route-table). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/routeTables` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/routeTables) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.route-table:1.0.0`. 
- -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module routeTable 'br:bicep/modules/network.route-table:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nrtmin' - params: { - // Required parameters - name: 'nrtmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nrtmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module routeTable 'br:bicep/modules/network.route-table:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nrtmax' - params: { - // Required parameters - name: 'nrtmax001' - // Non-required parameters - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - routes: [ - { - name: 'default' - properties: { - addressPrefix: '0.0.0.0/0' - nextHopIpAddress: '172.16.0.20' - nextHopType: 'VirtualAppliance' - } - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nrtmax001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "routes": { - "value": [ - { - "name": "default", - "properties": { - "addressPrefix": "0.0.0.0/0", - "nextHopIpAddress": "172.16.0.20", - "nextHopType": "VirtualAppliance" - } - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module routeTable 'br:bicep/modules/network.route-table:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nrtwaf' - params: { - // Required parameters - name: 'nrtwaf001' - // Non-required parameters - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - routes: [ - { - name: 'default' - properties: { - addressPrefix: '0.0.0.0/0' - nextHopIpAddress: '172.16.0.20' - nextHopType: 'VirtualAppliance' - } - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nrtwaf001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "routes": { - "value": [ - { - "name": "default", - "properties": { - "addressPrefix": "0.0.0.0/0", - "nextHopIpAddress": "172.16.0.20", - "nextHopType": "VirtualAppliance" - } - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name given for the hub route table. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`disableBgpRoutePropagation`](#parameter-disablebgproutepropagation) | bool | Switch to disable BGP route propagation. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`routes`](#parameter-routes) | array | An Array of Routes to be established within the hub route table. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `name` - -Name given for the hub route table. - -- Required: Yes -- Type: string - -### Parameter: `disableBgpRoutePropagation` - -Switch to disable BGP route propagation. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. 
- -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. 
| -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `routes` - -An Array of Routes to be established within the hub route table. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `tags` - -Tags of the resource. 
- -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the route table. | -| `resourceGroupName` | string | The resource group the route table was deployed into. | -| `resourceId` | string | The resource ID of the route table. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/network/route-table/main.bicep b/modules/network/route-table/main.bicep deleted file mode 100644 index 3db1e9d17f..0000000000 --- a/modules/network/route-table/main.bicep +++ /dev/null 
@@ -1,128 +0,0 @@
-metadata name = 'Route Tables'
-metadata description = 'This module deploys a User Defined Route Table (UDR).'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name given for the hub route table.')
-param name string
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. An Array of Routes to be established within the hub route table.')
-param routes array = []
-
-@description('Optional. Switch to disable BGP route propagation.')
-param disableBgpRoutePropagation bool = false
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource routeTable 'Microsoft.Network/routeTables@2023-04-01' = {
- name: name
- location: location
- tags: tags
- properties: {
- routes: routes
- disableBgpRoutePropagation: disableBgpRoutePropagation
- }
-}
-
-resource routeTable_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: routeTable
-}
-
-resource routeTable_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(routeTable.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: routeTable
-}]
-
-@description('The resource group the route table was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the route table.')
-output name string = routeTable.name
-
-@description('The resource ID of the route table.')
-output resourceId string = routeTable.id
-
-@description('The location the resource was deployed into.')
-output location string = routeTable.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/network/route-table/main.json b/modules/network/route-table/main.json
deleted file mode 100644
index d3838e6b03..0000000000
--- a/modules/network/route-table/main.json
+++ /dev/null
@@ -1,266 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17284213437442846894" - }, - "name": "Route Tables", - "description": "This module deploys a User Defined Route Table (UDR).", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name given for the hub route table." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "routes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An Array of Routes to be established within the hub route table." - } - }, - "disableBgpRoutePropagation": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Switch to disable BGP route propagation." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "routeTable": { - "type": "Microsoft.Network/routeTables", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "routes": "[parameters('routes')]", - "disableBgpRoutePropagation": "[parameters('disableBgpRoutePropagation')]" - } - }, - "routeTable_lock": { - "condition": 
"[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/routeTables/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "routeTable" - ] - }, - "routeTable_roleAssignments": { - "copy": { - "name": "routeTable_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/routeTables/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/routeTables', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 
'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "routeTable" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the route table was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the route table." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the route table." - }, - "value": "[resourceId('Microsoft.Network/routeTables', parameters('name'))]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('routeTable', '2023-04-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/route-table/tests/e2e/defaults/main.test.bicep b/modules/network/route-table/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index bc7617bb87..0000000000 --- a/modules/network/route-table/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.routetables-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nrtmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/network/route-table/tests/e2e/max/dependencies.bicep b/modules/network/route-table/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/network/route-table/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/route-table/tests/e2e/max/main.test.bicep b/modules/network/route-table/tests/e2e/max/main.test.bicep
deleted file mode 100644
index f611d8c177..0000000000
--- a/modules/network/route-table/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,83 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-network.routetables-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nrtmax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: 
nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - routes: [ - { - name: 'default' - properties: { - addressPrefix: '0.0.0.0/0' - nextHopIpAddress: '172.16.0.20' - nextHopType: 'VirtualAppliance' - } - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/network/route-table/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/route-table/tests/e2e/waf-aligned/dependencies.bicep deleted file mode 100644 index a7f42aee7b..0000000000 --- a/modules/network/route-table/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null @@ -1,13 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/route-table/tests/e2e/waf-aligned/main.test.bicep b/modules/network/route-table/tests/e2e/waf-aligned/main.test.bicep deleted file mode 100644 index 6edf7269f8..0000000000 --- a/modules/network/route-table/tests/e2e/waf-aligned/main.test.bicep +++ /dev/null 
@@ -1,83 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-network.routetables-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nrtwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 
'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - routes: [ - { - name: 'default' - properties: { - addressPrefix: '0.0.0.0/0' - nextHopIpAddress: '172.16.0.20' - nextHopType: 'VirtualAppliance' - } - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/network/route-table/version.json b/modules/network/route-table/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/network/route-table/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/service-endpoint-policy/README.md b/modules/network/service-endpoint-policy/README.md index e3f68a8e08..8a5549cf71 100644 --- a/modules/network/service-endpoint-policy/README.md +++ b/modules/network/service-endpoint-policy/README.md @@ -1,526 +1,7 @@ -# Service Endpoint Policies `[Microsoft.Network/serviceEndpointPolicies]` +

⚠️ Moved to AVM ⚠️

-This module deploys a Service Endpoint Policy. +**This module has been evolved into the following AVM module: [avm/res/network/service-endpoint-policy](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/service-endpoint-policy).** -## Navigation +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/service-endpoint-policy). -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/serviceEndpointPolicies` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/serviceEndpointPolicies) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.service-endpoint-policy:1.0.0`. 
- -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module serviceEndpointPolicy 'br:bicep/modules/network.service-endpoint-policy:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nsnpmin' - params: { - // Required parameters - name: 'nsnpmin-001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nsnpmin-001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module serviceEndpointPolicy 'br:bicep/modules/network.service-endpoint-policy:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nsnpmax' - params: { - // Required parameters - name: 'nsnpmax-001' - // Non-required parameters - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - serviceEndpointPolicyDefinitions: [ - { - name: 'Storage.ServiceEndpoint' - properties: { - description: 'Allow Microsoft.Storage' - service: 'Microsoft.Storage' - serviceResources: [ - '' - ] - } - type: 'Microsoft.Network/serviceEndpointPolicies/serviceEndpointPolicyDefinitions' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nsnpmax-001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "serviceEndpointPolicyDefinitions": { - "value": [ - { - "name": "Storage.ServiceEndpoint", - "properties": { - "description": "Allow Microsoft.Storage", - "service": "Microsoft.Storage", - "serviceResources": [ - "" - ] - }, - "type": "Microsoft.Network/serviceEndpointPolicies/serviceEndpointPolicyDefinitions" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module serviceEndpointPolicy 'br:bicep/modules/network.service-endpoint-policy:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nsnpwaf' - params: { - // Required parameters - name: 'nsnpwaf-001' - // Non-required parameters - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - serviceEndpointPolicyDefinitions: [ - { - name: 'Storage.ServiceEndpoint' - properties: { - description: 'Allow Microsoft.Storage' - service: 'Microsoft.Storage' - serviceResources: [ - '' - ] - } - type: 'Microsoft.Network/serviceEndpointPolicies/serviceEndpointPolicyDefinitions' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nsnpwaf-001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "serviceEndpointPolicyDefinitions": { - "value": [ - { - "name": "Storage.ServiceEndpoint", - "properties": { - "description": "Allow Microsoft.Storage", - "service": "Microsoft.Storage", - "serviceResources": [ - "" - ] - }, - "type": "Microsoft.Network/serviceEndpointPolicies/serviceEndpointPolicyDefinitions" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The Service Endpoint Policy name. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`contextualServiceEndpointPolicies`](#parameter-contextualserviceendpointpolicies) | array | An Array of contextual service endpoint policy. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`serviceAlias`](#parameter-servicealias) | string | The alias indicating if the policy belongs to a service. | -| [`serviceEndpointPolicyDefinitions`](#parameter-serviceendpointpolicydefinitions) | array | An Array of service endpoint policy definitions. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `name` - -The Service Endpoint Policy name. - -- Required: Yes -- Type: string - -### Parameter: `contextualServiceEndpointPolicies` - -An Array of contextual service endpoint policy. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. 
| - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. 
- -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `serviceAlias` - -The alias indicating if the policy belongs to a service. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `serviceEndpointPolicyDefinitions` - -An Array of service endpoint policy definitions. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the Service Endpoint Policy. 
| -| `resourceGroupName` | string | The resource group the Service Endpoint Policy was deployed into. | -| `resourceId` | string | The resource ID of the Service Endpoint Policy. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/network/service-endpoint-policy/main.bicep b/modules/network/service-endpoint-policy/main.bicep deleted file mode 100644 index 9d9b83348d..0000000000 --- a/modules/network/service-endpoint-policy/main.bicep +++ /dev/null 
@@ -1,132 +0,0 @@ -metadata name = 'Service Endpoint Policies' -metadata description = 'This module deploys a Service Endpoint Policy.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. The Service Endpoint Policy name.') -param name string - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. An Array of service endpoint policy definitions.') -param serviceEndpointPolicyDefinitions array = [] - -@description('Optional. An Array of contextual service endpoint policy.') -param contextualServiceEndpointPolicies array = [] - -@description('Optional. The alias indicating if the policy belongs to a service.') -param serviceAlias string = '' - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. Tags of the resource.') -param tags object? - -@description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource serviceEndpointPolicy 'Microsoft.Network/serviceEndpointPolicies@2023-04-01' = { - name: name - location: location - tags: tags - properties: { - serviceAlias: !empty(serviceAlias) ? serviceAlias : null - contextualServiceEndpointPolicies: !empty(contextualServiceEndpointPolicies) ? contextualServiceEndpointPolicies : null - serviceEndpointPolicyDefinitions: !empty(serviceEndpointPolicyDefinitions) ? serviceEndpointPolicyDefinitions : null - } -} - -resource serviceEndpointPolicy_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? 
'' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' - } - scope: serviceEndpointPolicy -} - -resource serviceEndpointPolicy_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(serviceEndpointPolicy.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: serviceEndpointPolicy -}] - -@description('The resource group the Service Endpoint Policy was deployed into.') -output resourceGroupName string = resourceGroup().name - -@description('The name of the Service Endpoint Policy.') -output name string = serviceEndpointPolicy.name - -@description('The resource ID of the Service Endpoint Policy.') -output resourceId string = serviceEndpointPolicy.id - -@description('The location the resource was deployed into.') -output location string = serviceEndpointPolicy.location - -// =============== // -// Definitions // -// =============== // - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. 
Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? diff --git a/modules/network/service-endpoint-policy/main.json b/modules/network/service-endpoint-policy/main.json deleted file mode 100644 index 0e6f729e47..0000000000 --- a/modules/network/service-endpoint-policy/main.json +++ /dev/null 
@@ -1,274 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11859236081077741465" - }, - "name": "Service Endpoint Policies", - "description": "This module deploys a Service Endpoint Policy.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The Service Endpoint Policy name." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "serviceEndpointPolicyDefinitions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An Array of service endpoint policy definitions." - } - }, - "contextualServiceEndpointPolicies": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An Array of contextual service endpoint policy." - } - }, - "serviceAlias": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The alias indicating if the policy belongs to a service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. 
Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "serviceEndpointPolicy": { - "type": "Microsoft.Network/serviceEndpointPolicies", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "serviceAlias": "[if(not(empty(parameters('serviceAlias'))), parameters('serviceAlias'), null())]", - "contextualServiceEndpointPolicies": 
"[if(not(empty(parameters('contextualServiceEndpointPolicies'))), parameters('contextualServiceEndpointPolicies'), null())]", - "serviceEndpointPolicyDefinitions": "[if(not(empty(parameters('serviceEndpointPolicyDefinitions'))), parameters('serviceEndpointPolicyDefinitions'), null())]" - } - }, - "serviceEndpointPolicy_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/serviceEndpointPolicies/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "serviceEndpointPolicy" - ] - }, - "serviceEndpointPolicy_roleAssignments": { - "copy": { - "name": "serviceEndpointPolicy_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/serviceEndpointPolicies/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/serviceEndpointPolicies', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], 
if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "serviceEndpointPolicy" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the Service Endpoint Policy was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the Service Endpoint Policy." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Service Endpoint Policy." 
- }, - "value": "[resourceId('Microsoft.Network/serviceEndpointPolicies', parameters('name'))]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('serviceEndpointPolicy', '2023-04-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/service-endpoint-policy/tests/e2e/defaults/main.test.bicep b/modules/network/service-endpoint-policy/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 56ed8c03d5..0000000000 --- a/modules/network/service-endpoint-policy/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.serviceendpointpolicies-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nsnpmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}-001'
- }
-}]
diff --git a/modules/network/service-endpoint-policy/tests/e2e/max/dependencies.bicep b/modules/network/service-endpoint-policy/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/network/service-endpoint-policy/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/service-endpoint-policy/tests/e2e/max/main.test.bicep b/modules/network/service-endpoint-policy/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 271bf7e24a..0000000000
--- a/modules/network/service-endpoint-policy/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,96 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-network.serviceendpointpolicies-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nsnpmax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}-${serviceShort}-001' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - 
principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - serviceEndpointPolicyDefinitions: [ - { - name: 'Storage.ServiceEndpoint' - properties: { - service: 'Microsoft.Storage' - description: 'Allow Microsoft.Storage' - serviceResources: [ - subscription().id - ] - } - type: 'Microsoft.Network/serviceEndpointPolicies/serviceEndpointPolicyDefinitions' - } - ] - } -}] diff --git a/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/dependencies.bicep deleted file mode 100644 index a7f42aee7b..0000000000 --- a/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null @@ -1,13 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId 
diff --git a/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep b/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index ba10f48947..0000000000
--- a/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,79 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-network.serviceendpointpolicies-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nsnpwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}-${serviceShort}-001' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - 'hidden-title': 'This is 
visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - serviceEndpointPolicyDefinitions: [ - { - name: 'Storage.ServiceEndpoint' - properties: { - service: 'Microsoft.Storage' - description: 'Allow Microsoft.Storage' - serviceResources: [ - subscription().id - ] - } - type: 'Microsoft.Network/serviceEndpointPolicies/serviceEndpointPolicyDefinitions' - } - ] - } -}] diff --git a/modules/network/service-endpoint-policy/version.json b/modules/network/service-endpoint-policy/version.json deleted file mode 100644 index 7fa401bdf7..0000000000 --- a/modules/network/service-endpoint-policy/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.1", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/trafficmanagerprofile/MOVED-TO-AVM.md b/modules/network/trafficmanagerprofile/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/network/trafficmanagerprofile/MOVED-TO-AVM.md +++ /dev/null @@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/network/trafficmanagerprofile/README.md b/modules/network/trafficmanagerprofile/README.md index 20d5f19260..7207ee1561 100644 --- a/modules/network/trafficmanagerprofile/README.md +++ b/modules/network/trafficmanagerprofile/README.md @@ -1,796 +1,7 @@ -# Traffic Manager Profiles `[Microsoft.Network/trafficmanagerprofiles]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/trafficmanagerprofile](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/trafficmanagerprofile).** -This module deploys a Traffic Manager Profile. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/trafficmanagerprofile). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/trafficmanagerprofiles` | [2018-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-08-01/trafficmanagerprofiles) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. 
- ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.trafficmanagerprofile:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ntmpmin' - params: { - // Required parameters - name: '' - relativeName: '' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "" - }, - "relativeName": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ntmpmax' - params: { - // Required parameters - name: '' - relativeName: '' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "" - }, - "relativeName": { - "value": "" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ntmpwaf' - params: { - // Required parameters - name: '' - relativeName: '' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "" - }, - "relativeName": { - "value": "" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Traffic Manager. | -| [`relativeName`](#parameter-relativename) | string | The relative DNS name provided by this Traffic Manager profile. This value is combined with the DNS domain name used by Azure Traffic Manager to form the fully-qualified domain name (FQDN) of the profile. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`endpoints`](#parameter-endpoints) | array | The list of endpoints in the Traffic Manager profile. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`maxReturn`](#parameter-maxreturn) | int | Maximum number of endpoints to be returned for MultiValue routing type. | -| [`monitorConfig`](#parameter-monitorconfig) | object | The endpoint monitoring settings of the Traffic Manager profile. | -| [`profileStatus`](#parameter-profilestatus) | string | The status of the Traffic Manager profile. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`tags`](#parameter-tags) | object | Resource tags. | -| [`trafficRoutingMethod`](#parameter-trafficroutingmethod) | string | The traffic routing method of the Traffic Manager profile. | -| [`trafficViewEnrollmentStatus`](#parameter-trafficviewenrollmentstatus) | string | Indicates whether Traffic View is 'Enabled' or 'Disabled' for the Traffic Manager profile. Null, indicates 'Disabled'. Enabling this feature will increase the cost of the Traffic Manage profile. | -| [`ttl`](#parameter-ttl) | int | The DNS Time-To-Live (TTL), in seconds. 
This informs the local DNS resolvers and DNS clients how long to cache DNS responses provided by this Traffic Manager profile. | - -### Parameter: `name` - -Name of the Traffic Manager. - -- Required: Yes -- Type: string - -### Parameter: `relativeName` - -The relative DNS name provided by this Traffic Manager profile. This value is combined with the DNS domain name used by Azure Traffic Manager to form the fully-qualified domain name (FQDN) of the profile. - -- Required: Yes -- Type: string - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `endpoints` - -The list of endpoints in the Traffic Manager profile. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `lock` - -The lock settings of the service. 
- -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `maxReturn` - -Maximum number of endpoints to be returned for MultiValue routing type. - -- Required: No -- Type: int -- Default: `1` - -### Parameter: `monitorConfig` - -The endpoint monitoring settings of the Traffic Manager profile. - -- Required: No -- Type: object -- Default: - ```Bicep - { - path: '/' - port: '80' - protocol: 'http' - } - ``` - -### Parameter: `profileStatus` - -The status of the Traffic Manager profile. - -- Required: No -- Type: string -- Default: `'Enabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. 
- -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Resource tags. - -- Required: No -- Type: object - -### Parameter: `trafficRoutingMethod` - -The traffic routing method of the Traffic Manager profile. - -- Required: No -- Type: string -- Default: `'Performance'` -- Allowed: - ```Bicep - [ - 'Geographic' - 'MultiValue' - 'Performance' - 'Priority' - 'Subnet' - 'Weighted' - ] - ``` - -### Parameter: `trafficViewEnrollmentStatus` - -Indicates whether Traffic View is 'Enabled' or 'Disabled' for the Traffic Manager profile. Null, indicates 'Disabled'. Enabling this feature will increase the cost of the Traffic Manage profile. - -- Required: No -- Type: string -- Default: `'Disabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `ttl` - -The DNS Time-To-Live (TTL), in seconds. This informs the local DNS resolvers and DNS clients how long to cache DNS responses provided by this Traffic Manager profile. - -- Required: No -- Type: int -- Default: `60` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the traffic manager was deployed into. | -| `resourceGroupName` | string | The resource group the traffic manager was deployed into. | -| `resourceId` | string | The resource ID of the traffic manager. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `monitorConfig` - -

- -Parameter JSON format - -```json -"monitorConfig": { - "value": { - "protocol": "http", - "port": "80", - "path": "/" - } -} -``` - -
- -
- -Bicep format - -```bicep -monitorConfig: { - protocol: 'http' - port: '80' - path: '/' -} -``` - -
-

- -### Parameter Usage: `endpoints` - -

- -Parameter JSON format - -```json -"endpoints": { - "value": [ - { - "id": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups//providers/Microsoft.Network/trafficManagerProfiles//azureEndpoints/", - "name": "MyEndpoint001", - "type": "Microsoft.Network/trafficManagerProfiles/azureEndpoints", - "properties": - { - "endpointStatus": "Enabled", - "endpointMonitorStatus": "CheckingEndpoint", - "targetResourceId": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups//providers/Microsoft.Network/publicIPAddresses/", - "target": "my-pip-001.eastus.cloudapp.azure.com", - "weight": 1, - "priority": 1, - "endpointLocation": "East US" - } - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -endpoints: [ - { - id: '/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups//providers/Microsoft.Network/trafficManagerProfiles//azureEndpoints/' - name: 'MyEndpoint001' - type: 'Microsoft.Network/trafficManagerProfiles/azureEndpoints' - properties: - { - endpointStatus: 'Enabled' - endpointMonitorStatus: 'CheckingEndpoint' - targetResourceId: '/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups//providers/Microsoft.Network/publicIPAddresses/' - target: 'my-pip-001.eastus.cloudapp.azure.com' - weight: 1 - priority: 1 - endpointLocation: 'East US' - } - } -] -``` - -
-

+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/network/trafficmanagerprofile/main.bicep b/modules/network/trafficmanagerprofile/main.bicep
deleted file mode 100644
index 0b8890079e..0000000000
--- a/modules/network/trafficmanagerprofile/main.bicep
+++ /dev/null
@@ -1,237 +0,0 @@
-metadata name = 'Traffic Manager Profiles'
-metadata description = 'This module deploys a Traffic Manager Profile.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the Traffic Manager.')
-@minLength(1)
-param name string
-
-@description('Optional. The status of the Traffic Manager profile.')
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-param profileStatus string = 'Enabled'
-
-@description('Optional. The traffic routing method of the Traffic Manager profile.')
-@allowed([
- 'Performance'
- 'Priority'
- 'Weighted'
- 'Geographic'
- 'MultiValue'
- 'Subnet'
-])
-param trafficRoutingMethod string = 'Performance'
-
-@description('Required. The relative DNS name provided by this Traffic Manager profile. This value is combined with the DNS domain name used by Azure Traffic Manager to form the fully-qualified domain name (FQDN) of the profile.')
-param relativeName string
-
-@description('Optional. The DNS Time-To-Live (TTL), in seconds. This informs the local DNS resolvers and DNS clients how long to cache DNS responses provided by this Traffic Manager profile.')
-param ttl int = 60
-
-@description('Optional. The endpoint monitoring settings of the Traffic Manager profile.')
-param monitorConfig object = {
- protocol: 'http'
- port: '80'
- path: '/'
-}
-
-@description('Optional. The list of endpoints in the Traffic Manager profile.')
-param endpoints array = []
-
-@description('Optional. Indicates whether Traffic View is \'Enabled\' or \'Disabled\' for the Traffic Manager profile. Null, indicates \'Disabled\'. Enabling this feature will increase the cost of the Traffic Manage profile.')
-@allowed([
- 'Disabled'
- 'Enabled'
-])
-param trafficViewEnrollmentStatus string = 'Disabled'
-
-@description('Optional. Maximum number of endpoints to be returned for MultiValue routing type.')
-param maxReturn int = 1
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Resource tags.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource trafficManagerProfile 'Microsoft.Network/trafficmanagerprofiles@2018-08-01' = {
- name: name
- tags: tags
- location: 'global'
- properties: {
- profileStatus: profileStatus
- trafficRoutingMethod: trafficRoutingMethod
- dnsConfig: {
- relativeName: relativeName
- ttl: ttl
- }
- monitorConfig: monitorConfig
- endpoints: endpoints
- trafficViewEnrollmentStatus: trafficViewEnrollmentStatus
- maxReturn: maxReturn
- }
-}
-
-resource trafficManagerProfile_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: trafficManagerProfile
-}
-
-resource trafficManagerProfile_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: trafficManagerProfile
-}]
-
-resource trafficManagerProfile_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(trafficManagerProfile.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: trafficManagerProfile
-}]
-
-@description('The resource ID of the traffic manager.')
-output resourceId string = trafficManagerProfile.id
-
-@description('The resource group the traffic manager was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the traffic manager was deployed into.')
-output name string = trafficManagerProfile.name
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/network/trafficmanagerprofile/main.json b/modules/network/trafficmanagerprofile/main.json
deleted file mode 100644
index 76f4462e01..0000000000
--- a/modules/network/trafficmanagerprofile/main.json
+++ /dev/null
@@ -1,458 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16146918790976496656" - }, - "name": "Traffic Manager Profiles", - "description": "This module deploys a Traffic Manager Profile.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. 
Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "minLength": 1, - "metadata": { - "description": "Required. Name of the Traffic Manager." - } - }, - "profileStatus": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. The status of the Traffic Manager profile." - } - }, - "trafficRoutingMethod": { - "type": "string", - "defaultValue": "Performance", - "allowedValues": [ - "Performance", - "Priority", - "Weighted", - "Geographic", - "MultiValue", - "Subnet" - ], - "metadata": { - "description": "Optional. The traffic routing method of the Traffic Manager profile." - } - }, - "relativeName": { - "type": "string", - "metadata": { - "description": "Required. The relative DNS name provided by this Traffic Manager profile. This value is combined with the DNS domain name used by Azure Traffic Manager to form the fully-qualified domain name (FQDN) of the profile." - } - }, - "ttl": { - "type": "int", - "defaultValue": 60, - "metadata": { - "description": "Optional. The DNS Time-To-Live (TTL), in seconds. This informs the local DNS resolvers and DNS clients how long to cache DNS responses provided by this Traffic Manager profile." - } - }, - "monitorConfig": { - "type": "object", - "defaultValue": { - "protocol": "http", - "port": "80", - "path": "/" - }, - "metadata": { - "description": "Optional. The endpoint monitoring settings of the Traffic Manager profile." 
- } - }, - "endpoints": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of endpoints in the Traffic Manager profile." - } - }, - "trafficViewEnrollmentStatus": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Indicates whether Traffic View is 'Enabled' or 'Disabled' for the Traffic Manager profile. Null, indicates 'Disabled'. Enabling this feature will increase the cost of the Traffic Manage profile." - } - }, - "maxReturn": { - "type": "int", - "defaultValue": 1, - "metadata": { - "description": "Optional. Maximum number of endpoints to be returned for MultiValue routing type." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Resource tags." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "trafficManagerProfile": { - "type": "Microsoft.Network/trafficmanagerprofiles", - "apiVersion": "2018-08-01", - "name": "[parameters('name')]", - "tags": "[parameters('tags')]", - "location": "global", - "properties": { - "profileStatus": "[parameters('profileStatus')]", - "trafficRoutingMethod": "[parameters('trafficRoutingMethod')]", - "dnsConfig": { - "relativeName": "[parameters('relativeName')]", - "ttl": "[parameters('ttl')]" - }, - "monitorConfig": 
"[parameters('monitorConfig')]", - "endpoints": "[parameters('endpoints')]", - "trafficViewEnrollmentStatus": "[parameters('trafficViewEnrollmentStatus')]", - "maxReturn": "[parameters('maxReturn')]" - } - }, - "trafficManagerProfile_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/trafficmanagerprofiles/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "trafficManagerProfile" - ] - }, - "trafficManagerProfile_diagnosticSettings": { - "copy": { - "name": "trafficManagerProfile_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Network/trafficmanagerprofiles/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "trafficManagerProfile" - ] - }, - "trafficManagerProfile_roleAssignments": { - "copy": { - "name": "trafficManagerProfile_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/trafficmanagerprofiles/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/trafficmanagerprofiles', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "trafficManagerProfile" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the traffic manager." - }, - "value": "[resourceId('Microsoft.Network/trafficmanagerprofiles', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the traffic manager was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the traffic manager was deployed into." - }, - "value": "[parameters('name')]" - } - } -} \ No newline at end of file diff --git a/modules/network/trafficmanagerprofile/tests/e2e/defaults/main.test.bicep b/modules/network/trafficmanagerprofile/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index a8e21d17c1..0000000000 
--- a/modules/network/trafficmanagerprofile/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,50 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.trafficmanagerprofiles-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ntmpmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-var resourceName = '${namePrefix}${serviceShort}001'
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: resourceName
- relativeName: resourceName
- }
-}]
diff --git a/modules/network/trafficmanagerprofile/tests/e2e/max/dependencies.bicep b/modules/network/trafficmanagerprofile/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/network/trafficmanagerprofile/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/trafficmanagerprofile/tests/e2e/max/main.test.bicep b/modules/network/trafficmanagerprofile/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 997d876567..0000000000
--- a/modules/network/trafficmanagerprofile/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,112 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.trafficmanagerprofiles-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ntmpmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-var resourceName = '${namePrefix}${serviceShort}001'
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: resourceName
- relativeName: resourceName
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep b/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 850a5be046..0000000000
--- a/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,95 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.trafficmanagerprofiles-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ntmpwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-var resourceName = '${namePrefix}${serviceShort}001'
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: resourceName
- relativeName: resourceName
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/trafficmanagerprofile/version.json b/modules/network/trafficmanagerprofile/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/network/trafficmanagerprofile/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/virtual-hub/MOVED-TO-AVM.md b/modules/network/virtual-hub/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/network/virtual-hub/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/network/virtual-hub/README.md b/modules/network/virtual-hub/README.md index 58da1098eb..a78c42e0c1 100644 --- a/modules/network/virtual-hub/README.md +++ b/modules/network/virtual-hub/README.md @@ -1,615 +1,7 @@ -# Virtual Hubs `[Microsoft.Network/virtualHubs]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/virtual-hub](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/virtual-hub).** -This module deploys a Virtual Hub. -If you are planning to deploy a Secure Virtual Hub (with an Azure Firewall integrated), please refer to the Azure Firewall module. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/virtual-hub). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Network/virtualHubs` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-11-01/virtualHubs) | -| `Microsoft.Network/virtualHubs/hubRouteTables` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-11-01/virtualHubs/hubRouteTables) | -| `Microsoft.Network/virtualHubs/hubVirtualNetworkConnections` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-11-01/virtualHubs/hubVirtualNetworkConnections) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. 
For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.virtual-hub:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module virtualHub 'br:bicep/modules/network.virtual-hub:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nvhmin' - params: { - // Required parameters - addressPrefix: '10.0.0.0/16' - name: 'nvhmin' - virtualWanId: '' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "addressPrefix": { - "value": "10.0.0.0/16" - }, - "name": { - "value": "nvhmin" - }, - "virtualWanId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module virtualHub 'br:bicep/modules/network.virtual-hub:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nvhmax' - params: { - // Required parameters - addressPrefix: '10.1.0.0/16' - name: 'nvhmax' - virtualWanId: '' - // Non-required parameters - enableDefaultTelemetry: '' - hubRouteTables: [ - { - name: 'routeTable1' - } - ] - hubVirtualNetworkConnections: [ - { - name: 'connection1' - remoteVirtualNetworkId: '' - routingConfiguration: { - associatedRouteTable: { - id: '' - } - propagatedRouteTables: { - ids: [ - { - id: '' - } - ] - labels: [ - 'none' - ] - } - } - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "addressPrefix": { - "value": "10.1.0.0/16" - }, - "name": { - "value": "nvhmax" - }, - "virtualWanId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "hubRouteTables": { - "value": [ - { - "name": "routeTable1" - } - ] - }, - "hubVirtualNetworkConnections": { - "value": [ - { - "name": "connection1", - "remoteVirtualNetworkId": "", - "routingConfiguration": { - "associatedRouteTable": { - "id": "" - }, - "propagatedRouteTables": { - "ids": [ - { - "id": "" - } - ], - "labels": [ - "none" - ] - } - } - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module virtualHub 'br:bicep/modules/network.virtual-hub:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nvhwaf' - params: { - // Required parameters - addressPrefix: '10.1.0.0/16' - name: 'nvhwaf' - virtualWanId: '' - // Non-required parameters - enableDefaultTelemetry: '' - hubRouteTables: [ - { - name: 'routeTable1' - } - ] - hubVirtualNetworkConnections: [ - { - name: 'connection1' - remoteVirtualNetworkId: '' - routingConfiguration: { - associatedRouteTable: { - id: '' - } - propagatedRouteTables: { - ids: [ - { - id: '' - } - ] - labels: [ - 'none' - ] - } - } - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "addressPrefix": { - "value": "10.1.0.0/16" - }, - "name": { - "value": "nvhwaf" - }, - "virtualWanId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "hubRouteTables": { - "value": [ - { - "name": "routeTable1" - } - ] - }, - "hubVirtualNetworkConnections": { - "value": [ - { - "name": "connection1", - "remoteVirtualNetworkId": "", - "routingConfiguration": { - "associatedRouteTable": { - "id": "" - }, - "propagatedRouteTables": { - "ids": [ - { - "id": "" - } - ], - "labels": [ - "none" - ] - } - } - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`addressPrefix`](#parameter-addressprefix) | string | Address-prefix for this VirtualHub. | -| [`name`](#parameter-name) | string | The virtual hub name. | -| [`virtualWanId`](#parameter-virtualwanid) | string | Resource ID of the virtual WAN to link to. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`allowBranchToBranchTraffic`](#parameter-allowbranchtobranchtraffic) | bool | Flag to control transit for VirtualRouter hub. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`expressRouteGatewayId`](#parameter-expressroutegatewayid) | string | Resource ID of the Express Route Gateway to link to. | -| [`hubRouteTables`](#parameter-hubroutetables) | array | Route tables to create for the virtual hub. | -| [`hubVirtualNetworkConnections`](#parameter-hubvirtualnetworkconnections) | array | Virtual network connections to create for the virtual hub. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`p2SVpnGatewayId`](#parameter-p2svpngatewayid) | string | Resource ID of the Point-to-Site VPN Gateway to link to. | -| [`preferredRoutingGateway`](#parameter-preferredroutinggateway) | string | The preferred routing gateway types. | -| [`routeTableRoutes`](#parameter-routetableroutes) | array | VirtualHub route tables. | -| [`securityPartnerProviderId`](#parameter-securitypartnerproviderid) | string | ID of the Security Partner Provider to link to. | -| [`securityProviderName`](#parameter-securityprovidername) | string | The Security Provider name. | -| [`sku`](#parameter-sku) | string | The sku of this VirtualHub. | -| [`tags`](#parameter-tags) | object | Tags of the resource. 
| -| [`virtualHubRouteTableV2s`](#parameter-virtualhubroutetablev2s) | array | List of all virtual hub route table v2s associated with this VirtualHub. | -| [`virtualRouterAsn`](#parameter-virtualrouterasn) | int | VirtualRouter ASN. | -| [`virtualRouterIps`](#parameter-virtualrouterips) | array | VirtualRouter IPs. | -| [`vpnGatewayId`](#parameter-vpngatewayid) | string | Resource ID of the VPN Gateway to link to. | - -### Parameter: `addressPrefix` - -Address-prefix for this VirtualHub. - -- Required: Yes -- Type: string - -### Parameter: `name` - -The virtual hub name. - -- Required: Yes -- Type: string - -### Parameter: `virtualWanId` - -Resource ID of the virtual WAN to link to. - -- Required: Yes -- Type: string - -### Parameter: `allowBranchToBranchTraffic` - -Flag to control transit for VirtualRouter hub. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `expressRouteGatewayId` - -Resource ID of the Express Route Gateway to link to. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `hubRouteTables` - -Route tables to create for the virtual hub. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `hubVirtualNetworkConnections` - -Virtual network connections to create for the virtual hub. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `p2SVpnGatewayId` - -Resource ID of the Point-to-Site VPN Gateway to link to. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `preferredRoutingGateway` - -The preferred routing gateway types. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'ExpressRoute' - 'None' - 'VpnGateway' - ] - ``` - -### Parameter: `routeTableRoutes` - -VirtualHub route tables. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `securityPartnerProviderId` - -ID of the Security Partner Provider to link to. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `securityProviderName` - -The Security Provider name. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `sku` - -The sku of this VirtualHub. - -- Required: No -- Type: string -- Default: `'Standard'` -- Allowed: - ```Bicep - [ - 'Basic' - 'Standard' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `virtualHubRouteTableV2s` - -List of all virtual hub route table v2s associated with this VirtualHub. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `virtualRouterAsn` - -VirtualRouter ASN. - -- Required: No -- Type: int -- Default: `-1` - -### Parameter: `virtualRouterIps` - -VirtualRouter IPs. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `vpnGatewayId` - -Resource ID of the VPN Gateway to link to. - -- Required: No -- Type: string -- Default: `''` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the virtual hub. 
| -| `resourceGroupName` | string | The resource group the virtual hub was deployed into. | -| `resourceId` | string | The resource ID of the virtual hub. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/network/virtual-hub/hub-route-table/README.md b/modules/network/virtual-hub/hub-route-table/README.md deleted file mode 100644 index d60664ecb0..0000000000 --- a/modules/network/virtual-hub/hub-route-table/README.md +++ /dev/null 
@@ -1,89 +0,0 @@ -# Virtual Hub Route Tables `[Microsoft.Network/virtualHubs/hubRouteTables]` - -This module deploys a Virtual Hub Route Table. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Network/virtualHubs/hubRouteTables` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-11-01/virtualHubs/hubRouteTables) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The route table name. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`virtualHubName`](#parameter-virtualhubname) | string | The name of the parent virtual hub. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`labels`](#parameter-labels) | array | List of labels associated with this route table. | -| [`routes`](#parameter-routes) | array | List of all routes. | - -### Parameter: `name` - -The route table name. - -- Required: Yes -- Type: string - -### Parameter: `virtualHubName` - -The name of the parent virtual hub. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `labels` - -List of labels associated with this route table. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `routes` - -List of all routes. 
- -- Required: No -- Type: array -- Default: `[]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed virtual hub route table. | -| `resourceGroupName` | string | The resource group the virtual hub route table was deployed into. | -| `resourceId` | string | The resource ID of the deployed virtual hub route table. | - -## Cross-referenced modules - -_None_ diff --git a/modules/network/virtual-hub/hub-route-table/main.bicep b/modules/network/virtual-hub/hub-route-table/main.bicep deleted file mode 100644 index a513af1f09..0000000000 --- a/modules/network/virtual-hub/hub-route-table/main.bicep +++ /dev/null 
@@ -1,52 +0,0 @@
-metadata name = 'Virtual Hub Route Tables'
-metadata description = 'This module deploys a Virtual Hub Route Table.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The route table name.')
-param name string
-
-@description('Conditional. The name of the parent virtual hub. Required if the template is used in a standalone deployment.')
-param virtualHubName string
-
-@description('Optional. List of labels associated with this route table.')
-param labels array = []
-
-@description('Optional. List of all routes.')
-param routes array = []
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource virtualHub 'Microsoft.Network/virtualHubs@2022-11-01' existing = {
- name: virtualHubName
-}
-
-resource hubRouteTable 'Microsoft.Network/virtualHubs/hubRouteTables@2022-11-01' = {
- name: name
- parent: virtualHub
- properties: {
- labels: !empty(labels) ? labels : null
- routes: !empty(routes) ? routes : null
- }
-}
-
-@description('The name of the deployed virtual hub route table.')
-output name string = hubRouteTable.name
-
-@description('The resource ID of the deployed virtual hub route table.')
-output resourceId string = hubRouteTable.id
-
-@description('The resource group the virtual hub route table was deployed into.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/network/virtual-hub/hub-route-table/main.json b/modules/network/virtual-hub/hub-route-table/main.json
deleted file mode 100644
index 83581c7ceb..0000000000
--- a/modules/network/virtual-hub/hub-route-table/main.json
+++ /dev/null
@@ -1,97 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "14379005468048197578" - }, - "name": "Virtual Hub Route Tables", - "description": "This module deploys a Virtual Hub Route Table.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The route table name." - } - }, - "virtualHubName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent virtual hub. Required if the template is used in a standalone deployment." - } - }, - "labels": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of labels associated with this route table." - } - }, - "routes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of all routes." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/virtualHubs/hubRouteTables", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}', parameters('virtualHubName'), parameters('name'))]", - "properties": { - "labels": "[if(not(empty(parameters('labels'))), parameters('labels'), null())]", - "routes": "[if(not(empty(parameters('routes'))), parameters('routes'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed virtual hub route table." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed virtual hub route table." - }, - "value": "[resourceId('Microsoft.Network/virtualHubs/hubRouteTables', parameters('virtualHubName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the virtual hub route table was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/network/virtual-hub/hub-route-table/version.json b/modules/network/virtual-hub/hub-route-table/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/network/virtual-hub/hub-route-table/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/network/virtual-hub/hub-virtual-network-connection/README.md b/modules/network/virtual-hub/hub-virtual-network-connection/README.md
deleted file mode 100644
index 87b479fa96..0000000000
--- a/modules/network/virtual-hub/hub-virtual-network-connection/README.md
+++ /dev/null
@@ -1,97 +0,0 @@ -# Virtual Hub Virtual Network Connections `[Microsoft.Network/virtualHubs/hubVirtualNetworkConnections]` - -This module deploys a Virtual Hub Virtual Network Connection. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Network/virtualHubs/hubVirtualNetworkConnections` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-11-01/virtualHubs/hubVirtualNetworkConnections) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The connection name. | -| [`remoteVirtualNetworkId`](#parameter-remotevirtualnetworkid) | string | Resource ID of the virtual network to link to. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`virtualHubName`](#parameter-virtualhubname) | string | The name of the parent virtual hub. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`enableInternetSecurity`](#parameter-enableinternetsecurity) | bool | Enable internet security. | -| [`routingConfiguration`](#parameter-routingconfiguration) | object | Routing Configuration indicating the associated and propagated route tables for this connection. | - -### Parameter: `name` - -The connection name. - -- Required: Yes -- Type: string - -### Parameter: `remoteVirtualNetworkId` - -Resource ID of the virtual network to link to. - -- Required: Yes -- Type: string - -### Parameter: `virtualHubName` - -The name of the parent virtual hub. 
Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableInternetSecurity` - -Enable internet security. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `routingConfiguration` - -Routing Configuration indicating the associated and propagated route tables for this connection. - -- Required: No -- Type: object -- Default: `{}` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the virtual hub connection. | -| `resourceGroupName` | string | The resource group the virtual hub connection was deployed into. | -| `resourceId` | string | The resource ID of the virtual hub connection. | - -## Cross-referenced modules - -_None_ diff --git a/modules/network/virtual-hub/hub-virtual-network-connection/main.bicep b/modules/network/virtual-hub/hub-virtual-network-connection/main.bicep deleted file mode 100644 index d2ba073aeb..0000000000 --- a/modules/network/virtual-hub/hub-virtual-network-connection/main.bicep +++ /dev/null 
@@ -1,58 +0,0 @@ -metadata name = 'Virtual Hub Virtual Network Connections' -metadata description = 'This module deploys a Virtual Hub Virtual Network Connection.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. The connection name.') -param name string - -@description('Conditional. The name of the parent virtual hub. Required if the template is used in a standalone deployment.') -param virtualHubName string - -@description('Optional. Enable internet security.') -param enableInternetSecurity bool = true - -@description('Required. Resource ID of the virtual network to link to.') -param remoteVirtualNetworkId string - -@description('Optional. Routing Configuration indicating the associated and propagated route tables for this connection.') -param routingConfiguration object = {} - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource virtualHub 'Microsoft.Network/virtualHubs@2022-11-01' existing = { - name: virtualHubName -} - -resource hubVirtualNetworkConnection 'Microsoft.Network/virtualHubs/hubVirtualNetworkConnections@2022-11-01' = { - name: name - parent: virtualHub - properties: { - enableInternetSecurity: enableInternetSecurity - remoteVirtualNetwork: { - id: remoteVirtualNetworkId - } - routingConfiguration: !empty(routingConfiguration) ? 
routingConfiguration : null - } -} - -@description('The resource group the virtual hub connection was deployed into.') -output resourceGroupName string = resourceGroup().name - -@description('The resource ID of the virtual hub connection.') -output resourceId string = hubVirtualNetworkConnection.id - -@description('The name of the virtual hub connection.') -output name string = hubVirtualNetworkConnection.name diff --git a/modules/network/virtual-hub/hub-virtual-network-connection/main.json b/modules/network/virtual-hub/hub-virtual-network-connection/main.json deleted file mode 100644 index cbe73029be..0000000000 --- a/modules/network/virtual-hub/hub-virtual-network-connection/main.json +++ /dev/null 
@@ -1,106 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "1891918102977675989" - }, - "name": "Virtual Hub Virtual Network Connections", - "description": "This module deploys a Virtual Hub Virtual Network Connection.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The connection name." - } - }, - "virtualHubName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent virtual hub. Required if the template is used in a standalone deployment." - } - }, - "enableInternetSecurity": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable internet security." - } - }, - "remoteVirtualNetworkId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the virtual network to link to." - } - }, - "routingConfiguration": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Routing Configuration indicating the associated and propagated route tables for this connection." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}', parameters('virtualHubName'), parameters('name'))]", - "properties": { - "enableInternetSecurity": "[parameters('enableInternetSecurity')]", - "remoteVirtualNetwork": { - "id": "[parameters('remoteVirtualNetworkId')]" - }, - "routingConfiguration": "[if(not(empty(parameters('routingConfiguration'))), parameters('routingConfiguration'), null())]" - } - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the virtual hub connection was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the virtual hub connection." - }, - "value": "[resourceId('Microsoft.Network/virtualHubs/hubVirtualNetworkConnections', parameters('virtualHubName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the virtual hub connection." - }, - "value": "[parameters('name')]" - } - } -} \ No newline at end of file diff --git a/modules/network/virtual-hub/hub-virtual-network-connection/version.json b/modules/network/virtual-hub/hub-virtual-network-connection/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/network/virtual-hub/hub-virtual-network-connection/version.json +++ /dev/null 
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/virtual-hub/main.bicep b/modules/network/virtual-hub/main.bicep
deleted file mode 100644
index eabe51ce79..0000000000
--- a/modules/network/virtual-hub/main.bicep
+++ /dev/null
@@ -1,184 +0,0 @@ -metadata name = 'Virtual Hubs' -metadata description = '''This module deploys a Virtual Hub. -If you are planning to deploy a Secure Virtual Hub (with an Azure Firewall integrated), please refer to the Azure Firewall module.''' -metadata owner = 'Azure/module-maintainers' - -@description('Required. The virtual hub name.') -param name string - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. Tags of the resource.') -param tags object? - -@description('Required. Address-prefix for this VirtualHub.') -param addressPrefix string - -@description('Optional. Flag to control transit for VirtualRouter hub.') -param allowBranchToBranchTraffic bool = true - -@description('Optional. Resource ID of the Express Route Gateway to link to.') -param expressRouteGatewayId string = '' - -@description('Optional. Resource ID of the Point-to-Site VPN Gateway to link to.') -param p2SVpnGatewayId string = '' - -@description('Optional. The preferred routing gateway types.') -@allowed([ - 'ExpressRoute' - 'None' - 'VpnGateway' - '' -]) -param preferredRoutingGateway string = '' - -@description('Optional. VirtualHub route tables.') -param routeTableRoutes array = [] - -@description('Optional. ID of the Security Partner Provider to link to.') -param securityPartnerProviderId string = '' - -@description('Optional. The Security Provider name.') -param securityProviderName string = '' - -@allowed([ - 'Basic' - 'Standard' -]) -@description('Optional. The sku of this VirtualHub.') -param sku string = 'Standard' - -@description('Optional. List of all virtual hub route table v2s associated with this VirtualHub.') -param virtualHubRouteTableV2s array = [] - -@description('Optional. VirtualRouter ASN.') -param virtualRouterAsn int = -1 - -@description('Optional. VirtualRouter IPs.') -param virtualRouterIps array = [] - -@description('Required. 
Resource ID of the virtual WAN to link to.') -param virtualWanId string - -@description('Optional. Resource ID of the VPN Gateway to link to.') -param vpnGatewayId string = '' - -@description('Optional. Route tables to create for the virtual hub.') -param hubRouteTables array = [] - -@description('Optional. Virtual network connections to create for the virtual hub.') -param hubVirtualNetworkConnections array = [] - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var enableReferencedModulesTelemetry = false - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource virtualHub 'Microsoft.Network/virtualHubs@2022-11-01' = { - name: name - location: location - tags: tags - properties: { - addressPrefix: addressPrefix - allowBranchToBranchTraffic: allowBranchToBranchTraffic - expressRouteGateway: !empty(expressRouteGatewayId) ? { - id: expressRouteGatewayId - } : null - p2SVpnGateway: !empty(p2SVpnGatewayId) ? { - id: p2SVpnGatewayId - } : null - preferredRoutingGateway: !empty(preferredRoutingGateway) ? any(preferredRoutingGateway) : null - routeTable: !empty(routeTableRoutes) ? { - routes: routeTableRoutes - } : null - securityPartnerProvider: !empty(securityPartnerProviderId) ? { - id: securityPartnerProviderId - } : null - securityProviderName: securityProviderName - sku: sku - virtualHubRouteTableV2s: virtualHubRouteTableV2s - virtualRouterAsn: virtualRouterAsn != -1 ? virtualRouterAsn : null - virtualRouterIps: !empty(virtualRouterIps) ? 
virtualRouterIps : null - virtualWan: { - id: virtualWanId - } - vpnGateway: !empty(vpnGatewayId) ? { - id: vpnGatewayId - } : null - } -} - -resource virtualHub_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' - } - scope: virtualHub -} - -module virtualHub_routeTables 'hub-route-table/main.bicep' = [for (routeTable, index) in hubRouteTables: { - name: '${uniqueString(deployment().name, location)}-routeTable-${index}' - params: { - virtualHubName: virtualHub.name - name: routeTable.name - labels: contains(routeTable, 'labels') ? routeTable.labels : [] - routes: contains(routeTable, 'routes') ? routeTable.routes : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -module virtualHub_hubVirtualNetworkConnections 'hub-virtual-network-connection/main.bicep' = [for (virtualNetworkConnection, index) in hubVirtualNetworkConnections: { - name: '${uniqueString(deployment().name, location)}-connection-${index}' - params: { - virtualHubName: virtualHub.name - name: virtualNetworkConnection.name - enableInternetSecurity: contains(virtualNetworkConnection, 'enableInternetSecurity') ? virtualNetworkConnection.enableInternetSecurity : true - remoteVirtualNetworkId: virtualNetworkConnection.remoteVirtualNetworkId - routingConfiguration: contains(virtualNetworkConnection, 'routingConfiguration') ? 
virtualNetworkConnection.routingConfiguration : {} - enableDefaultTelemetry: enableReferencedModulesTelemetry - } - dependsOn: [ - virtualHub_routeTables - ] -}] - -@description('The resource group the virtual hub was deployed into.') -output resourceGroupName string = resourceGroup().name - -@description('The resource ID of the virtual hub.') -output resourceId string = virtualHub.id - -@description('The name of the virtual hub.') -output name string = virtualHub.name - -@description('The location the resource was deployed into.') -output location string = virtualHub.location - -// =============== // -// Definitions // -// =============== // - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? diff --git a/modules/network/virtual-hub/main.json b/modules/network/virtual-hub/main.json deleted file mode 100644 index 29df355b0d..0000000000 --- a/modules/network/virtual-hub/main.json +++ /dev/null 
@@ -1,554 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15154780567521533176" - }, - "name": "Virtual Hubs", - "description": "This module deploys a Virtual Hub.\nIf you are planning to deploy a Secure Virtual Hub (with an Azure Firewall integrated), please refer to the Azure Firewall module.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The virtual hub name." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "addressPrefix": { - "type": "string", - "metadata": { - "description": "Required. Address-prefix for this VirtualHub." - } - }, - "allowBranchToBranchTraffic": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Flag to control transit for VirtualRouter hub." - } - }, - "expressRouteGatewayId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the Express Route Gateway to link to." 
- } - }, - "p2SVpnGatewayId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the Point-to-Site VPN Gateway to link to." - } - }, - "preferredRoutingGateway": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ExpressRoute", - "None", - "VpnGateway", - "" - ], - "metadata": { - "description": "Optional. The preferred routing gateway types." - } - }, - "routeTableRoutes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. VirtualHub route tables." - } - }, - "securityPartnerProviderId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. ID of the Security Partner Provider to link to." - } - }, - "securityProviderName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The Security Provider name." - } - }, - "sku": { - "type": "string", - "defaultValue": "Standard", - "allowedValues": [ - "Basic", - "Standard" - ], - "metadata": { - "description": "Optional. The sku of this VirtualHub." - } - }, - "virtualHubRouteTableV2s": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of all virtual hub route table v2s associated with this VirtualHub." - } - }, - "virtualRouterAsn": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. VirtualRouter ASN." - } - }, - "virtualRouterIps": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. VirtualRouter IPs." - } - }, - "virtualWanId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the virtual WAN to link to." - } - }, - "vpnGatewayId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the VPN Gateway to link to." - } - }, - "hubRouteTables": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. 
Route tables to create for the virtual hub." - } - }, - "hubVirtualNetworkConnections": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Virtual network connections to create for the virtual hub." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "virtualHub": { - "type": "Microsoft.Network/virtualHubs", - "apiVersion": "2022-11-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "addressPrefix": "[parameters('addressPrefix')]", - "allowBranchToBranchTraffic": "[parameters('allowBranchToBranchTraffic')]", - "expressRouteGateway": "[if(not(empty(parameters('expressRouteGatewayId'))), createObject('id', parameters('expressRouteGatewayId')), null())]", - "p2SVpnGateway": "[if(not(empty(parameters('p2SVpnGatewayId'))), createObject('id', parameters('p2SVpnGatewayId')), null())]", - "preferredRoutingGateway": "[if(not(empty(parameters('preferredRoutingGateway'))), parameters('preferredRoutingGateway'), null())]", - "routeTable": "[if(not(empty(parameters('routeTableRoutes'))), createObject('routes', 
parameters('routeTableRoutes')), null())]", - "securityPartnerProvider": "[if(not(empty(parameters('securityPartnerProviderId'))), createObject('id', parameters('securityPartnerProviderId')), null())]", - "securityProviderName": "[parameters('securityProviderName')]", - "sku": "[parameters('sku')]", - "virtualHubRouteTableV2s": "[parameters('virtualHubRouteTableV2s')]", - "virtualRouterAsn": "[if(not(equals(parameters('virtualRouterAsn'), -1)), parameters('virtualRouterAsn'), null())]", - "virtualRouterIps": "[if(not(empty(parameters('virtualRouterIps'))), parameters('virtualRouterIps'), null())]", - "virtualWan": { - "id": "[parameters('virtualWanId')]" - }, - "vpnGateway": "[if(not(empty(parameters('vpnGatewayId'))), createObject('id', parameters('vpnGatewayId')), null())]" - } - }, - "virtualHub_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/virtualHubs/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "virtualHub" - ] - }, - "virtualHub_routeTables": { - "copy": { - "name": "virtualHub_routeTables", - "count": "[length(parameters('hubRouteTables'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-routeTable-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "virtualHubName": { - 
"value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('hubRouteTables')[copyIndex()].name]" - }, - "labels": "[if(contains(parameters('hubRouteTables')[copyIndex()], 'labels'), createObject('value', parameters('hubRouteTables')[copyIndex()].labels), createObject('value', createArray()))]", - "routes": "[if(contains(parameters('hubRouteTables')[copyIndex()], 'routes'), createObject('value', parameters('hubRouteTables')[copyIndex()].routes), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "14379005468048197578" - }, - "name": "Virtual Hub Route Tables", - "description": "This module deploys a Virtual Hub Route Table.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The route table name." - } - }, - "virtualHubName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent virtual hub. Required if the template is used in a standalone deployment." - } - }, - "labels": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of labels associated with this route table." - } - }, - "routes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of all routes." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/virtualHubs/hubRouteTables", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}', parameters('virtualHubName'), parameters('name'))]", - "properties": { - "labels": "[if(not(empty(parameters('labels'))), parameters('labels'), null())]", - "routes": "[if(not(empty(parameters('routes'))), parameters('routes'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed virtual hub route table." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed virtual hub route table." - }, - "value": "[resourceId('Microsoft.Network/virtualHubs/hubRouteTables', parameters('virtualHubName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the virtual hub route table was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "virtualHub" - ] - }, - "virtualHub_hubVirtualNetworkConnections": { - "copy": { - "name": "virtualHub_hubVirtualNetworkConnections", - "count": "[length(parameters('hubVirtualNetworkConnections'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-connection-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "virtualHubName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('hubVirtualNetworkConnections')[copyIndex()].name]" - }, - "enableInternetSecurity": "[if(contains(parameters('hubVirtualNetworkConnections')[copyIndex()], 'enableInternetSecurity'), createObject('value', parameters('hubVirtualNetworkConnections')[copyIndex()].enableInternetSecurity), createObject('value', true()))]", - "remoteVirtualNetworkId": { - "value": "[parameters('hubVirtualNetworkConnections')[copyIndex()].remoteVirtualNetworkId]" - }, - "routingConfiguration": "[if(contains(parameters('hubVirtualNetworkConnections')[copyIndex()], 'routingConfiguration'), createObject('value', parameters('hubVirtualNetworkConnections')[copyIndex()].routingConfiguration), createObject('value', createObject()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "1891918102977675989" - }, - "name": "Virtual Hub Virtual Network Connections", - "description": "This module deploys a Virtual Hub Virtual Network Connection.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", 
- "metadata": { - "description": "Required. The connection name." - } - }, - "virtualHubName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent virtual hub. Required if the template is used in a standalone deployment." - } - }, - "enableInternetSecurity": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable internet security." - } - }, - "remoteVirtualNetworkId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the virtual network to link to." - } - }, - "routingConfiguration": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Routing Configuration indicating the associated and propagated route tables for this connection." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections", - "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}', parameters('virtualHubName'), parameters('name'))]", - "properties": { - "enableInternetSecurity": "[parameters('enableInternetSecurity')]", - "remoteVirtualNetwork": { - "id": "[parameters('remoteVirtualNetworkId')]" - }, - "routingConfiguration": "[if(not(empty(parameters('routingConfiguration'))), parameters('routingConfiguration'), null())]" - } - } - ], - "outputs": { - "resourceGroupName": { - 
"type": "string", - "metadata": { - "description": "The resource group the virtual hub connection was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the virtual hub connection." - }, - "value": "[resourceId('Microsoft.Network/virtualHubs/hubVirtualNetworkConnections', parameters('virtualHubName'), parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the virtual hub connection." - }, - "value": "[parameters('name')]" - } - } - } - }, - "dependsOn": [ - "virtualHub", - "virtualHub_routeTables" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the virtual hub was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the virtual hub." - }, - "value": "[resourceId('Microsoft.Network/virtualHubs', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the virtual hub." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('virtualHub', '2022-11-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/virtual-hub/tests/e2e/defaults/dependencies.bicep b/modules/network/virtual-hub/tests/e2e/defaults/dependencies.bicep deleted file mode 100644 index bb151ad9d8..0000000000 --- a/modules/network/virtual-hub/tests/e2e/defaults/dependencies.bicep +++ /dev/null 
@@ -1,13 +0,0 @@
-@description('Required. The name of the virtual WAN to create.')
-param virtualWANName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' = {
- name: virtualWANName
- location: location
-}
-
-@description('The resource ID of the created Virtual WAN.')
-output virtualWWANResourceId string = virtualWan.id
diff --git a/modules/network/virtual-hub/tests/e2e/defaults/main.test.bicep b/modules/network/virtual-hub/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index 584c74324e..0000000000
--- a/modules/network/virtual-hub/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,59 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.virtualHub-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nvhmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualWANName: 'dep-${namePrefix}-vw-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}'
- addressPrefix: '10.0.0.0/16'
- virtualWanId: nestedDependencies.outputs.virtualWWANResourceId
- }
-}]
diff --git a/modules/network/virtual-hub/tests/e2e/max/dependencies.bicep b/modules/network/virtual-hub/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 9c4af5313d..0000000000
--- a/modules/network/virtual-hub/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,42 +0,0 @@
-@description('Required. The name of the Virtual WAN to create.')
-param virtualWANName string
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' = {
- name: virtualWANName
- location: location
-}
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
-
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-@description('The resource ID of the created Virtual WAN.')
-output virtualWWANResourceId string = virtualWan.id
-
-@description('The resource ID of the created Virtual Network.')
-output virtualNetworkResourceId string = virtualNetwork.id
diff --git a/modules/network/virtual-hub/tests/e2e/max/main.test.bicep b/modules/network/virtual-hub/tests/e2e/max/main.test.bicep
deleted file mode 100644
index b8ffb6fc70..0000000000
--- a/modules/network/virtual-hub/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,95 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.virtualHub-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nvhmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualWANName: 'dep-${namePrefix}-vw-${serviceShort}'
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- addressPrefix: '10.1.0.0/16'
- virtualWanId: nestedDependencies.outputs.virtualWWANResourceId
- hubRouteTables: [
- {
- name: 'routeTable1'
- }
- ]
- hubVirtualNetworkConnections: [
- {
- name: 'connection1'
- remoteVirtualNetworkId: nestedDependencies.outputs.virtualNetworkResourceId
- routingConfiguration: {
- associatedRouteTable: {
- id: '${resourceGroup.id}/providers/Microsoft.Network/virtualHubs/${namePrefix}-${serviceShort}/hubRouteTables/routeTable1'
- }
- propagatedRouteTables: {
- ids: [
- {
- id: '${resourceGroup.id}/providers/Microsoft.Network/virtualHubs/${namePrefix}-${serviceShort}/hubRouteTables/routeTable1'
- }
- ]
- labels: [
- 'none'
- ]
- }
- }
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/virtual-hub/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/virtual-hub/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 9c4af5313d..0000000000
--- a/modules/network/virtual-hub/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,42 +0,0 @@
-@description('Required. The name of the Virtual WAN to create.')
-param virtualWANName string
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' = {
- name: virtualWANName
- location: location
-}
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
-
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-@description('The resource ID of the created Virtual WAN.')
-output virtualWWANResourceId string = virtualWan.id
-
-@description('The resource ID of the created Virtual Network.')
-output virtualNetworkResourceId string = virtualNetwork.id
diff --git a/modules/network/virtual-hub/tests/e2e/waf-aligned/main.test.bicep b/modules/network/virtual-hub/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index befed0daa5..0000000000
--- a/modules/network/virtual-hub/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,95 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.virtualHub-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nvhwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualWANName: 'dep-${namePrefix}-vw-${serviceShort}'
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- addressPrefix: '10.1.0.0/16'
- virtualWanId: nestedDependencies.outputs.virtualWWANResourceId
- hubRouteTables: [
- {
- name: 'routeTable1'
- }
- ]
- hubVirtualNetworkConnections: [
- {
- name: 'connection1'
- remoteVirtualNetworkId: nestedDependencies.outputs.virtualNetworkResourceId
- routingConfiguration: {
- associatedRouteTable: {
- id: '${resourceGroup.id}/providers/Microsoft.Network/virtualHubs/${namePrefix}-${serviceShort}/hubRouteTables/routeTable1'
- }
- propagatedRouteTables: {
- ids: [
- {
- id: '${resourceGroup.id}/providers/Microsoft.Network/virtualHubs/${namePrefix}-${serviceShort}/hubRouteTables/routeTable1'
- }
- ]
- labels: [
- 'none'
- ]
- }
- }
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/virtual-hub/version.json b/modules/network/virtual-hub/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/network/virtual-hub/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/virtual-network-gateway/MOVED-TO-AVM.md b/modules/network/virtual-network-gateway/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/network/virtual-network-gateway/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/network/virtual-network-gateway/README.md b/modules/network/virtual-network-gateway/README.md
index 5965be59a5..b24d2a342e 100644
--- a/modules/network/virtual-network-gateway/README.md
+++ b/modules/network/virtual-network-gateway/README.md
@@ -1,1270 +1,7 @@ -# Virtual Network Gateways `[Microsoft.Network/virtualNetworkGateways]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/virtual-network-gateway](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/virtual-network-gateway).** -This module deploys a Virtual Network Gateway. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/virtual-network-gateway). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/publicIPAddresses` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/publicIPAddresses) | -| `Microsoft.Network/virtualNetworkGateways` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/virtualNetworkGateways) | -| `Microsoft.Network/virtualNetworkGateways/natRules` | 
[2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/virtualNetworkGateways/natRules) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.virtual-network-gateway:1.0.0`. - -- [Aadvpn](#example-1-aadvpn) -- [Expressroute](#example-2-expressroute) -- [Vpn](#example-3-vpn) - -### Example 1: _Aadvpn_ - -
- -via Bicep module - -```bicep -module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nvngavpn' - params: { - // Required parameters - gatewayType: 'Vpn' - name: 'nvngavpn001' - skuName: 'VpnGw2AZ' - vNetResourceId: '' - // Non-required parameters - activeActive: false - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - domainNameLabel: [ - 'dm-nvngavpn' - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - publicIpZones: [ - '1' - '2' - '3' - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - vpnClientAadConfiguration: { - aadAudience: '41b23e61-6c1e-4545-b367-cd054e0ed4b4' - aadIssuer: '' - aadTenant: '' - vpnAuthenticationTypes: [ - 'AAD' - ] - vpnClientProtocols: [ - 'OpenVPN' - ] - } - vpnType: 'RouteBased' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "gatewayType": { - "value": "Vpn" - }, - "name": { - "value": "nvngavpn001" - }, - "skuName": { - "value": "VpnGw2AZ" - }, - "vNetResourceId": { - "value": "" - }, - // Non-required parameters - "activeActive": { - "value": false - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "domainNameLabel": { - "value": [ - "dm-nvngavpn" - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "publicIpZones": { - "value": [ - "1", - "2", - "3" - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "vpnClientAadConfiguration": { - "value": { - "aadAudience": "41b23e61-6c1e-4545-b367-cd054e0ed4b4", - "aadIssuer": "", - "aadTenant": "", - "vpnAuthenticationTypes": [ - "AAD" - ], - "vpnClientProtocols": [ - "OpenVPN" - ] - } - }, - "vpnType": { - "value": "RouteBased" - } - } -} -``` - -
-

- -### Example 2: _Expressroute_ - -

- -via Bicep module - -```bicep -module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nvger' - params: { - // Required parameters - gatewayType: 'ExpressRoute' - name: 'nvger001' - skuName: 'ErGw1AZ' - vNetResourceId: '' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - domainNameLabel: [ - 'dm-nvger' - ] - enableDefaultTelemetry: '' - gatewayPipName: 'pip-nvger' - publicIpZones: [ - '1' - '2' - '3' - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Contact: 'test.user@testcompany.com' - CostCenter: '' - Environment: 'Validation' - 'hidden-title': 'This is visible in the resource name' - PurchaseOrder: '' - Role: 'DeploymentValidation' - ServiceName: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "gatewayType": { - "value": "ExpressRoute" - }, - "name": { - "value": "nvger001" - }, - "skuName": { - "value": "ErGw1AZ" - }, - "vNetResourceId": { - "value": "" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "domainNameLabel": { - "value": [ - "dm-nvger" - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "gatewayPipName": { - "value": "pip-nvger" - }, - "publicIpZones": { - "value": [ - "1", - "2", - "3" - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Contact": "test.user@testcompany.com", - "CostCenter": "", - "Environment": "Validation", - "hidden-title": "This is visible in the resource name", - "PurchaseOrder": "", - "Role": "DeploymentValidation", - "ServiceName": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _Vpn_ - -

- -via Bicep module - -```bicep -module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nvgvpn' - params: { - // Required parameters - gatewayType: 'Vpn' - name: 'nvgvpn001' - skuName: 'VpnGw2AZ' - vNetResourceId: '' - // Non-required parameters - activeActive: true - allowRemoteVnetTraffic: true - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - disableIPSecReplayProtection: true - domainNameLabel: [ - 'dm-nvgvpn' - ] - enableBgpRouteTranslationForNat: true - enableDefaultTelemetry: '' - enablePrivateIpAddress: true - gatewayDefaultSiteLocalNetworkGatewayId: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - natRules: [ - { - externalMappings: [ - { - addressSpace: '192.168.0.0/24' - portRange: '100' - } - ] - internalMappings: [ - { - addressSpace: '10.100.0.0/24' - portRange: '100' - } - ] - mode: 'IngressSnat' - name: 'nat-rule-1-static-IngressSnat' - type: 'Static' - } - { - externalMappings: [ - { - addressSpace: '10.200.0.0/26' - } - ] - internalMappings: [ - { - addressSpace: '172.16.0.0/26' - } - ] - mode: 'EgressSnat' - name: 'nat-rule-2-dynamic-EgressSnat' - type: 'Dynamic' - } - ] - publicIpZones: [ - '1' - '2' - '3' - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - vpnGatewayGeneration: 'Generation2' - vpnType: 'RouteBased' - } -} -``` - -
-

- -

-
-via JSON Parameter file
-
-```json
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- // Required parameters
- "gatewayType": {
- "value": "Vpn"
- },
- "name": {
- "value": "nvgvpn001"
- },
- "skuName": {
- "value": "VpnGw2AZ"
- },
- "vNetResourceId": {
- "value": ""
- },
- // Non-required parameters
- "activeActive": {
- "value": true
- },
- "allowRemoteVnetTraffic": {
- "value": true
- },
- "diagnosticSettings": {
- "value": [
- {
- "eventHubAuthorizationRuleResourceId": "",
- "eventHubName": "",
- "metricCategories": [
- {
- "category": "AllMetrics"
- }
- ],
- "name": "customSetting",
- "storageAccountResourceId": "",
- "workspaceResourceId": ""
- }
- ]
- },
- "disableIPSecReplayProtection": {
- "value": true
- },
- "domainNameLabel": {
- "value": [
- "dm-nvgvpn"
- ]
- },
- "enableBgpRouteTranslationForNat": {
- "value": true
- },
- "enableDefaultTelemetry": {
- "value": ""
- },
- "enablePrivateIpAddress": {
- "value": true
- },
- "gatewayDefaultSiteLocalNetworkGatewayId": {
- "value": ""
- },
- "lock": {
- "value": {
- "kind": "CanNotDelete",
- "name": "myCustomLockName"
- }
- },
- "natRules": {
- "value": [
- {
- "externalMappings": [
- {
- "addressSpace": "192.168.0.0/24",
- "portRange": "100"
- }
- ],
- "internalMappings": [
- {
- "addressSpace": "10.100.0.0/24",
- "portRange": "100"
- }
- ],
- "mode": "IngressSnat",
- "name": "nat-rule-1-static-IngressSnat",
- "type": "Static"
- },
- {
- "externalMappings": [
- {
- "addressSpace": "10.200.0.0/26"
- }
- ],
- "internalMappings": [
- {
- "addressSpace": "172.16.0.0/26"
- }
- ],
- "mode": "EgressSnat",
- "name": "nat-rule-2-dynamic-EgressSnat",
- "type": "Dynamic"
- }
- ]
- },
- "publicIpZones": {
- "value": [
- "1",
- "2",
- "3"
- ]
- },
- "roleAssignments": {
- "value": [
- {
- "principalId": "",
- "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
- }
- ]
- },
- "tags": {
- "value": {
- "Environment": "Non-Prod",
- "hidden-title": "This is visible in the resource name",
- "Role": "DeploymentValidation"
- }
- },
- "vpnGatewayGeneration": {
- "value": "Generation2"
- },
- "vpnType": {
- "value": "RouteBased"
- }
- }
-}
-```
-
-
-

-
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`gatewayType`](#parameter-gatewaytype) | string | Specifies the gateway type. E.g. VPN, ExpressRoute. |
-| [`name`](#parameter-name) | string | Specifies the Virtual Network Gateway name. |
-| [`skuName`](#parameter-skuname) | string | The SKU of the Gateway. |
-| [`vNetResourceId`](#parameter-vnetresourceid) | string | Virtual Network resource ID. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`activeActive`](#parameter-activeactive) | bool | Value to specify if the Gateway should be deployed in active-active or active-passive configuration. |
-| [`activeGatewayPipName`](#parameter-activegatewaypipname) | string | Specifies the name of the Public IP used by the Virtual Network Gateway when active-active configuration is required. If it's not provided, a '-pip' suffix will be appended to the gateway's name. |
-| [`allowRemoteVnetTraffic`](#parameter-allowremotevnettraffic) | bool | Configure this gateway to accept traffic from other Azure Virtual Networks. This configuration does not support connectivity to Azure Virtual WAN. |
-| [`allowVirtualWanTraffic`](#parameter-allowvirtualwantraffic) | bool | Configures this gateway to accept traffic from remote Virtual WAN networks. |
-| [`asn`](#parameter-asn) | int | ASN value. |
-| [`clientRevokedCertThumbprint`](#parameter-clientrevokedcertthumbprint) | string | Thumbprint of the revoked certificate. This would revoke VPN client certificates matching this thumbprint from connecting to the VNet. |
-| [`clientRootCertData`](#parameter-clientrootcertdata) | string | Client root certificate data used to authenticate VPN clients. Cannot be configured if vpnClientAadConfiguration is provided. |
-| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. |
-| [`disableIPSecReplayProtection`](#parameter-disableipsecreplayprotection) | bool | disableIPSecReplayProtection flag. Used for VPN Gateways. |
-| [`domainNameLabel`](#parameter-domainnamelabel) | array | DNS name(s) of the Public IP resource(s). If you enabled active-active configuration, you need to provide 2 DNS names, if you want to use this feature. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com. |
-| [`enableBgp`](#parameter-enablebgp) | bool | Value to specify if BGP is enabled or not. |
-| [`enableBgpRouteTranslationForNat`](#parameter-enablebgproutetranslationfornat) | bool | EnableBgpRouteTranslationForNat flag. Can only be used when "natRules" are enabled on the Virtual Network Gateway. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`enableDnsForwarding`](#parameter-enablednsforwarding) | bool | Whether DNS forwarding is enabled or not and is only supported for Express Route Gateways. The DNS forwarding feature flag must be enabled on the current subscription. |
-| [`enablePrivateIpAddress`](#parameter-enableprivateipaddress) | bool | Whether private IP needs to be enabled on this gateway for connections or not. Used for configuring a Site-to-Site VPN connection over ExpressRoute private peering. |
-| [`gatewayDefaultSiteLocalNetworkGatewayId`](#parameter-gatewaydefaultsitelocalnetworkgatewayid) | string | The reference to the LocalNetworkGateway resource which represents local network site having default routes. Assign Null value in case of removing existing default site setting. |
-| [`gatewayPipName`](#parameter-gatewaypipname) | string | Specifies the name of the Public IP used by the Virtual Network Gateway. If it's not provided, a '-pip' suffix will be appended to the gateway's name. |
-| [`location`](#parameter-location) | string | Location for all resources. |
-| [`lock`](#parameter-lock) | object | The lock settings of the service. |
-| [`natRules`](#parameter-natrules) | array | NatRules for virtual network gateway. NAT is supported on the the following SKUs: VpnGw2~5, VpnGw2AZ~5AZ and is supported for IPsec/IKE cross-premises connections only. |
-| [`publicIpDiagnosticSettings`](#parameter-publicipdiagnosticsettings) | array | The diagnostic settings of the Public IP. |
-| [`publicIPPrefixResourceId`](#parameter-publicipprefixresourceid) | string | Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. |
-| [`publicIpZones`](#parameter-publicipzones) | array | Specifies the zones of the Public IP address. Basic IP SKU does not support Availability Zones. |
-| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
-| [`tags`](#parameter-tags) | object | Tags of the resource. |
-| [`vpnClientAadConfiguration`](#parameter-vpnclientaadconfiguration) | object | Configuration for AAD Authentication for P2S Tunnel Type, Cannot be configured if clientRootCertData is provided. |
-| [`vpnClientAddressPoolPrefix`](#parameter-vpnclientaddresspoolprefix) | string | The IP address range from which VPN clients will receive an IP address when connected. Range specified must not overlap with on-premise network. |
-| [`vpnGatewayGeneration`](#parameter-vpngatewaygeneration) | string | The generation for this VirtualNetworkGateway. Must be None if virtualNetworkGatewayType is not VPN. |
-| [`vpnType`](#parameter-vpntype) | string | Specifies the VPN type. |
-
-### Parameter: `gatewayType`
-
-Specifies the gateway type. E.g. VPN, ExpressRoute.
-
-- Required: Yes
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'ExpressRoute'
- 'Vpn'
- ]
- ```
-
-### Parameter: `name`
-
-Specifies the Virtual Network Gateway name.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `skuName`
-
-The SKU of the Gateway.
-
-- Required: Yes
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Basic'
- 'ErGw1AZ'
- 'ErGw2AZ'
- 'ErGw3AZ'
- 'HighPerformance'
- 'Standard'
- 'UltraPerformance'
- 'VpnGw1'
- 'VpnGw1AZ'
- 'VpnGw2'
- 'VpnGw2AZ'
- 'VpnGw3'
- 'VpnGw3AZ'
- 'VpnGw4'
- 'VpnGw4AZ'
- 'VpnGw5'
- 'VpnGw5AZ'
- ]
- ```
-
-### Parameter: `vNetResourceId`
-
-Virtual Network resource ID.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `activeActive`
-
-Value to specify if the Gateway should be deployed in active-active or active-passive configuration.
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `activeGatewayPipName`
-
-Specifies the name of the Public IP used by the Virtual Network Gateway when active-active configuration is required. If it's not provided, a '-pip' suffix will be appended to the gateway's name.
-
-- Required: No
-- Type: string
-- Default: `[format('{0}-pip2', parameters('name'))]`
-
-### Parameter: `allowRemoteVnetTraffic`
-
-Configure this gateway to accept traffic from other Azure Virtual Networks. This configuration does not support connectivity to Azure Virtual WAN.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `allowVirtualWanTraffic`
-
-Configures this gateway to accept traffic from remote Virtual WAN networks.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `asn`
-
-ASN value.
-
-- Required: No
-- Type: int
-- Default: `65815`
-
-### Parameter: `clientRevokedCertThumbprint`
-
-Thumbprint of the revoked certificate. This would revoke VPN client certificates matching this thumbprint from connecting to the VNet.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `clientRootCertData`
-
-Client root certificate data used to authenticate VPN clients. Cannot be configured if vpnClientAadConfiguration is provided.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `diagnosticSettings`
-
-The diagnostic settings of the service.
-
-- Required: No
-- Type: array
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
-| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. |
-| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. |
-| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. |
-| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-
-### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId`
-
-Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.eventHubName`
-
-Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.logAnalyticsDestinationType`
-
-A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'AzureDiagnostics'
- 'Dedicated'
- ]
- ```
-
-### Parameter: `diagnosticSettings.logCategoriesAndGroups`
-
-The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
-
-- Required: No
-- Type: array
-
-### Parameter: `diagnosticSettings.marketplacePartnerResourceId`
-
-The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.metricCategories`
-
-The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
-
-- Required: No
-- Type: array
-
-### Parameter: `diagnosticSettings.name`
-
-The name of diagnostic setting.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.storageAccountResourceId`
-
-Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.workspaceResourceId`
-
-Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-
-- Required: No
-- Type: string
-
-### Parameter: `disableIPSecReplayProtection`
-
-disableIPSecReplayProtection flag. Used for VPN Gateways.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `domainNameLabel`
-
-DNS name(s) of the Public IP resource(s). If you enabled active-active configuration, you need to provide 2 DNS names, if you want to use this feature. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `enableBgp`
-
-Value to specify if BGP is enabled or not.
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `enableBgpRouteTranslationForNat`
-
-EnableBgpRouteTranslationForNat flag. Can only be used when "natRules" are enabled on the Virtual Network Gateway.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `enableDnsForwarding`
-
-Whether DNS forwarding is enabled or not and is only supported for Express Route Gateways. The DNS forwarding feature flag must be enabled on the current subscription.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `enablePrivateIpAddress`
-
-Whether private IP needs to be enabled on this gateway for connections or not. Used for configuring a Site-to-Site VPN connection over ExpressRoute private peering.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `gatewayDefaultSiteLocalNetworkGatewayId`
-
-The reference to the LocalNetworkGateway resource which represents local network site having default routes. Assign Null value in case of removing existing default site setting.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `gatewayPipName`
-
-Specifies the name of the Public IP used by the Virtual Network Gateway. If it's not provided, a '-pip' suffix will be appended to the gateway's name.
-
-- Required: No
-- Type: string
-- Default: `[format('{0}-pip1', parameters('name'))]`
-
-### Parameter: `location`
-
-Location for all resources.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-### Parameter: `lock`
-
-The lock settings of the service.
-
-- Required: No
-- Type: object
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`kind`](#parameter-lockkind) | string | Specify the type of lock. |
-| [`name`](#parameter-lockname) | string | Specify the name of lock. |
-
-### Parameter: `lock.kind`
-
-Specify the type of lock.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'CanNotDelete'
- 'None'
- 'ReadOnly'
- ]
- ```
-
-### Parameter: `lock.name`
-
-Specify the name of lock.
-
-- Required: No
-- Type: string
-
-### Parameter: `natRules`
-
-NatRules for virtual network gateway. NAT is supported on the the following SKUs: VpnGw2~5, VpnGw2AZ~5AZ and is supported for IPsec/IKE cross-premises connections only.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `publicIpDiagnosticSettings`
-
-The diagnostic settings of the Public IP.
-
-- Required: No
-- Type: array
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`eventHubAuthorizationRuleResourceId`](#parameter-publicipdiagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
-| [`eventHubName`](#parameter-publicipdiagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-| [`logAnalyticsDestinationType`](#parameter-publicipdiagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. |
-| [`logCategoriesAndGroups`](#parameter-publicipdiagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| [`marketplacePartnerResourceId`](#parameter-publicipdiagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. |
-| [`metricCategories`](#parameter-publicipdiagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| [`name`](#parameter-publicipdiagnosticsettingsname) | string | The name of diagnostic setting. |
-| [`storageAccountResourceId`](#parameter-publicipdiagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-| [`workspaceResourceId`](#parameter-publicipdiagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-
-### Parameter: `publicIpDiagnosticSettings.eventHubAuthorizationRuleResourceId`
-
-Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
-
-- Required: No
-- Type: string
-
-### Parameter: `publicIpDiagnosticSettings.eventHubName`
-
-Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-
-- Required: No
-- Type: string
-
-### Parameter: `publicIpDiagnosticSettings.logAnalyticsDestinationType`
-
-A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'AzureDiagnostics'
- 'Dedicated'
- ]
- ```
-
-### Parameter: `publicIpDiagnosticSettings.logCategoriesAndGroups`
-
-The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
-
-- Required: No
-- Type: array
-
-### Parameter: `publicIpDiagnosticSettings.marketplacePartnerResourceId`
-
-The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
-
-- Required: No
-- Type: string
-
-### Parameter: `publicIpDiagnosticSettings.metricCategories`
-
-The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
-
-- Required: No
-- Type: array
-
-### Parameter: `publicIpDiagnosticSettings.name`
-
-The name of diagnostic setting.
-
-- Required: No
-- Type: string
-
-### Parameter: `publicIpDiagnosticSettings.storageAccountResourceId`
-
-Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-
-- Required: No
-- Type: string
-
-### Parameter: `publicIpDiagnosticSettings.workspaceResourceId`
-
-Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-
-- Required: No
-- Type: string
-
-### Parameter: `publicIPPrefixResourceId`
-
-Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `publicIpZones`
-
-Specifies the zones of the Public IP address. Basic IP SKU does not support Availability Zones.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `roleAssignments`
-
-Array of role assignments to create.
-
-- Required: No
-- Type: array
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
-| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. |
-| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. |
-| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. |
-| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. |
-
-### Parameter: `roleAssignments.principalId`
-
-The principal ID of the principal (user/group/identity) to assign the role to.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.roleDefinitionIdOrName`
-
-The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.condition`
-
-The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.conditionVersion`
-
-Version of the condition.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- '2.0'
- ]
- ```
-
-### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
-
-The Resource Id of the delegated managed identity resource.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.description`
-
-The description of the role assignment.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.principalType`
-
-The principal type of the assigned principal ID.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Device'
- 'ForeignGroup'
- 'Group'
- 'ServicePrincipal'
- 'User'
- ]
- ```
-
-### Parameter: `tags`
-
-Tags of the resource.
-
-- Required: No
-- Type: object
-
-### Parameter: `vpnClientAadConfiguration`
-
-Configuration for AAD Authentication for P2S Tunnel Type, Cannot be configured if clientRootCertData is provided.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `vpnClientAddressPoolPrefix`
-
-The IP address range from which VPN clients will receive an IP address when connected. Range specified must not overlap with on-premise network.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `vpnGatewayGeneration`
-
-The generation for this VirtualNetworkGateway. Must be None if virtualNetworkGatewayType is not VPN.
-
-- Required: No
-- Type: string
-- Default: `'None'`
-- Allowed:
- ```Bicep
- [
- 'Generation1'
- 'Generation2'
- 'None'
- ]
- ```
-
-### Parameter: `vpnType`
-
-Specifies the VPN type.
-
-- Required: No
-- Type: string
-- Default: `'RouteBased'`
-- Allowed:
- ```Bicep
- [
- 'PolicyBased'
- 'RouteBased'
- ]
- ```
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `activeActive` | bool | Shows if the virtual network gateway is configured in active-active mode. |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the virtual network gateway. |
-| `resourceGroupName` | string | The resource group the virtual network gateway was deployed. |
-| `resourceId` | string | The resource ID of the virtual network gateway. |
-
-## Cross-referenced modules
-
-This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
-
-| Reference | Type |
-| :-- | :-- |
-| `modules/network/public-ip-address` | Local reference |
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/network/virtual-network-gateway/main.bicep b/modules/network/virtual-network-gateway/main.bicep
deleted file mode 100644
index ec6385b67c..0000000000
--- a/modules/network/virtual-network-gateway/main.bicep
+++ /dev/null
@@ -1,477 +0,0 @@
-metadata name = 'Virtual Network Gateways'
-metadata description = 'This module deploys a Virtual Network Gateway.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Specifies the Virtual Network Gateway name.')
-param name string
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Specifies the name of the Public IP used by the Virtual Network Gateway. If it\'s not provided, a \'-pip\' suffix will be appended to the gateway\'s name.')
-param gatewayPipName string = '${name}-pip1'
-
-@description('Optional. Specifies the name of the Public IP used by the Virtual Network Gateway when active-active configuration is required. If it\'s not provided, a \'-pip\' suffix will be appended to the gateway\'s name.')
-param activeGatewayPipName string = '${name}-pip2'
-
-@description('Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix.')
-param publicIPPrefixResourceId string = ''
-
-@description('Optional. Specifies the zones of the Public IP address. Basic IP SKU does not support Availability Zones.')
-param publicIpZones array = []
-
-@description('Optional. DNS name(s) of the Public IP resource(s). If you enabled active-active configuration, you need to provide 2 DNS names, if you want to use this feature. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com.')
-param domainNameLabel array = []
-
-@description('Required. Specifies the gateway type. E.g. VPN, ExpressRoute.')
-@allowed([
- 'Vpn'
- 'ExpressRoute'
-])
-param gatewayType string
-
-@description('Optional. The generation for this VirtualNetworkGateway. Must be None if virtualNetworkGatewayType is not VPN.')
-@allowed([
- 'Generation1'
- 'Generation2'
- 'None'
-])
-param vpnGatewayGeneration string = 'None'
-
-@description('Required.
The SKU of the Gateway.')
-@allowed([
- 'Basic'
- 'VpnGw1'
- 'VpnGw2'
- 'VpnGw3'
- 'VpnGw4'
- 'VpnGw5'
- 'VpnGw1AZ'
- 'VpnGw2AZ'
- 'VpnGw3AZ'
- 'VpnGw4AZ'
- 'VpnGw5AZ'
- 'Standard'
- 'HighPerformance'
- 'UltraPerformance'
- 'ErGw1AZ'
- 'ErGw2AZ'
- 'ErGw3AZ'
-])
-param skuName string
-
-@description('Optional. Specifies the VPN type.')
-@allowed([
- 'PolicyBased'
- 'RouteBased'
-])
-param vpnType string = 'RouteBased'
-
-@description('Required. Virtual Network resource ID.')
-param vNetResourceId string
-
-@description('Optional. Value to specify if the Gateway should be deployed in active-active or active-passive configuration.')
-param activeActive bool = true
-
-@description('Optional. Value to specify if BGP is enabled or not.')
-param enableBgp bool = true
-
-@description('Optional. ASN value.')
-param asn int = 65815
-
-@description('Optional. The IP address range from which VPN clients will receive an IP address when connected. Range specified must not overlap with on-premise network.')
-param vpnClientAddressPoolPrefix string = ''
-
-@description('Optional. Configures this gateway to accept traffic from remote Virtual WAN networks.')
-param allowVirtualWanTraffic bool = false
-
-@description('Optional. Configure this gateway to accept traffic from other Azure Virtual Networks. This configuration does not support connectivity to Azure Virtual WAN.')
-param allowRemoteVnetTraffic bool = false
-
-@description('Optional. disableIPSecReplayProtection flag. Used for VPN Gateways.')
-param disableIPSecReplayProtection bool = false
-
-@description('Optional. Whether DNS forwarding is enabled or not and is only supported for Express Route Gateways. The DNS forwarding feature flag must be enabled on the current subscription.')
-param enableDnsForwarding bool = false
-
-@description('Optional. Whether private IP needs to be enabled on this gateway for connections or not.
Used for configuring a Site-to-Site VPN connection over ExpressRoute private peering.')
-param enablePrivateIpAddress bool = false
-
-@description('Optional. The reference to the LocalNetworkGateway resource which represents local network site having default routes. Assign Null value in case of removing existing default site setting.')
-param gatewayDefaultSiteLocalNetworkGatewayId string = ''
-
-@description('Optional. NatRules for virtual network gateway. NAT is supported on the the following SKUs: VpnGw2~5, VpnGw2AZ~5AZ and is supported for IPsec/IKE cross-premises connections only.')
-param natRules array = []
-
-@description('Optional. EnableBgpRouteTranslationForNat flag. Can only be used when "natRules" are enabled on the Virtual Network Gateway.')
-param enableBgpRouteTranslationForNat bool = false
-
-@description('Optional. Client root certificate data used to authenticate VPN clients. Cannot be configured if vpnClientAadConfiguration is provided.')
-param clientRootCertData string = ''
-
-@description('Optional. Thumbprint of the revoked certificate. This would revoke VPN client certificates matching this thumbprint from connecting to the VNet.')
-param clientRevokedCertThumbprint string = ''
-
-@description('Optional. The diagnostic settings of the Public IP.')
-param publicIpDiagnosticSettings diagnosticSettingType
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional.
Configuration for AAD Authentication for P2S Tunnel Type, Cannot be configured if clientRootCertData is provided.')
-param vpnClientAadConfiguration object = {}
-
-// ================//
-// Variables //
-// ================//
-
-// Other Variables
-var zoneRedundantSkus = [
- 'VpnGw1AZ'
- 'VpnGw2AZ'
- 'VpnGw3AZ'
- 'VpnGw4AZ'
- 'VpnGw5AZ'
- 'ErGw1AZ'
- 'ErGw2AZ'
- 'ErGw3AZ'
-]
-var gatewayPipSku = contains(zoneRedundantSkus, skuName) ? 'Standard' : 'Basic'
-var gatewayPipAllocationMethod = contains(zoneRedundantSkus, skuName) ? 'Static' : 'Dynamic'
-
-var isActiveActiveValid = gatewayType != 'ExpressRoute' ? activeActive : false
-var virtualGatewayPipNameVar = isActiveActiveValid ? [
- gatewayPipName
- activeGatewayPipName
-] : [
- gatewayPipName
-]
-
-var vpnTypeVar = gatewayType != 'ExpressRoute' ? vpnType : 'PolicyBased'
-
-var isBgpValid = gatewayType != 'ExpressRoute' ? enableBgp : false
-var bgpSettings = {
- asn: asn
-}
-
-// Potential configurations (active-active vs active-passive)
-var ipConfiguration = isActiveActiveValid ? [
- {
- properties: {
- privateIPAllocationMethod: 'Dynamic'
- subnet: {
- id: '${vNetResourceId}/subnets/GatewaySubnet'
- }
- publicIPAddress: {
- id: az.resourceId('Microsoft.Network/publicIPAddresses', gatewayPipName)
- }
- }
- name: 'vNetGatewayConfig1'
- }
- {
- properties: {
- privateIPAllocationMethod: 'Dynamic'
- subnet: {
- id: '${vNetResourceId}/subnets/GatewaySubnet'
- }
- publicIPAddress: {
- id: isActiveActiveValid ?
az.resourceId('Microsoft.Network/publicIPAddresses', activeGatewayPipName) : az.resourceId('Microsoft.Network/publicIPAddresses', gatewayPipName)
- }
- }
- name: 'vNetGatewayConfig2'
- }
-] : [
- {
- properties: {
- privateIPAllocationMethod: 'Dynamic'
- subnet: {
- id: '${vNetResourceId}/subnets/GatewaySubnet'
- }
- publicIPAddress: {
- id: az.resourceId('Microsoft.Network/publicIPAddresses', gatewayPipName)
- }
- }
- name: 'vNetGatewayConfig1'
- }
-]
-
-var vpnClientConfiguration = !empty(clientRootCertData) ? {
- vpnClientAddressPool: {
- addressPrefixes: [
- vpnClientAddressPoolPrefix
- ]
- }
- vpnClientRootCertificates: [
- {
- name: 'RootCert1'
- properties: {
- PublicCertData: clientRootCertData
- }
- }
- ]
- vpnClientRevokedCertificates: !empty(clientRevokedCertThumbprint) ? [
- {
- name: 'RevokedCert1'
- properties: {
- Thumbprint: clientRevokedCertThumbprint
- }
- }
- ] : null
-} : !empty(vpnClientAadConfiguration) ? {
- vpnClientAddressPool: {
- addressPrefixes: [
- vpnClientAddressPoolPrefix
- ]
- }
- aadTenant: vpnClientAadConfiguration.aadTenant
- aadAudience: vpnClientAadConfiguration.aadAudience
- aadIssuer: vpnClientAadConfiguration.aadIssuer
- vpnAuthenticationTypes: vpnClientAadConfiguration.vpnAuthenticationTypes
- vpnClientProtocols: vpnClientAadConfiguration.vpnClientProtocols
-} : null
-
-var enableReferencedModulesTelemetry = false
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)':
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-// ================//
-// Deployments //
-// ================//
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-// Public IPs
-@batchSize(1)
-module publicIPAddress '../public-ip-address/main.bicep' = [for (virtualGatewayPublicIpName, index) in virtualGatewayPipNameVar: {
- name: virtualGatewayPublicIpName
- params: {
- name: virtualGatewayPublicIpName
- diagnosticSettings: publicIpDiagnosticSettings
- domainNameLabel: length(virtualGatewayPipNameVar) == length(domainNameLabel) ? domainNameLabel[index] : ''
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- location: location
- lock: lock
- publicIPAllocationMethod: gatewayPipAllocationMethod
- publicIPPrefixResourceId: !empty(publicIPPrefixResourceId) ? publicIPPrefixResourceId : ''
- tags: tags
- skuName: gatewayPipSku
- zones: contains(zoneRedundantSkus, skuName) ? publicIpZones : []
- }
-}]
-
-// VNET Gateway
-// ============
-resource virtualNetworkGateway 'Microsoft.Network/virtualNetworkGateways@2023-04-01' = {
- name: name
- location: location
- tags: tags
- properties: {
- ipConfigurations: ipConfiguration
- activeActive: isActiveActiveValid
- allowRemoteVnetTraffic: allowRemoteVnetTraffic
- allowVirtualWanTraffic: allowVirtualWanTraffic
- enableBgp: isBgpValid
- bgpSettings: isBgpValid ?
bgpSettings : null
- disableIPSecReplayProtection: disableIPSecReplayProtection
- enableDnsForwarding: gatewayType == 'ExpressRoute' ? enableDnsForwarding : null
- enablePrivateIpAddress: enablePrivateIpAddress
- enableBgpRouteTranslationForNat: enableBgpRouteTranslationForNat
- gatewayType: gatewayType
- gatewayDefaultSite: !empty(gatewayDefaultSiteLocalNetworkGatewayId) ? {
- id: gatewayDefaultSiteLocalNetworkGatewayId
- } : null
- sku: {
- name: skuName
- tier: skuName
- }
- vpnType: vpnTypeVar
- vpnClientConfiguration: !empty(vpnClientAddressPoolPrefix) ? vpnClientConfiguration : null
- vpnGatewayGeneration: gatewayType == 'Vpn' ? vpnGatewayGeneration : 'None'
- }
- dependsOn: [
- publicIPAddress
- ]
-}
-
-module virtualNetworkGateway_natRules 'nat-rule/main.bicep' = [for (natRule, index) in natRules: {
- name: '${deployment().name}-NATRule-${index}'
- params: {
- name: natRule.name
- virtualNetworkGatewayName: virtualNetworkGateway.name
- externalMappings: contains(natRule, 'externalMappings') ? natRule.externalMappings : []
- internalMappings: contains(natRule, 'internalMappings') ? natRule.internalMappings : []
- ipConfigurationId: contains(natRule, 'ipConfigurationId') ? natRule.ipConfigurationId : ''
- mode: contains(natRule, 'mode') ? natRule.mode : ''
- type: contains(natRule, 'type') ? natRule.type : ''
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-resource virtualNetworkGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: virtualNetworkGateway
-}
-
-resource virtualNetworkGateway_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ??
[]): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: virtualNetworkGateway
-}]
-
-resource virtualNetworkGateway_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(virtualNetworkGateway.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ??
'2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: virtualNetworkGateway
-}]
-
-// ================//
-// Outputs //
-// ================//
-@description('The resource group the virtual network gateway was deployed.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the virtual network gateway.')
-output name string = virtualNetworkGateway.name
-
-@description('The resource ID of the virtual network gateway.')
-output resourceId string = virtualNetworkGateway.id
-
-@description('Shows if the virtual network gateway is configured in active-active mode.')
-output activeActive bool = virtualNetworkGateway.properties.activeActive
-
-@description('The location the resource was deployed into.')
-output location string = virtualNetworkGateway.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment.
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional.
Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/network/virtual-network-gateway/main.json b/modules/network/virtual-network-gateway/main.json
deleted file mode 100644
index 7180fe35f6..0000000000
--- a/modules/network/virtual-network-gateway/main.json
+++ /dev/null
@@ -1,1353 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15357828351524045583" - }, - "name": "Virtual Network Gateways", - "description": "This module deploys a Virtual Network Gateway.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. 
Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Specifies the Virtual Network Gateway name." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "gatewayPipName": { - "type": "string", - "defaultValue": "[format('{0}-pip1', parameters('name'))]", - "metadata": { - "description": "Optional. Specifies the name of the Public IP used by the Virtual Network Gateway. If it's not provided, a '-pip' suffix will be appended to the gateway's name." - } - }, - "activeGatewayPipName": { - "type": "string", - "defaultValue": "[format('{0}-pip2', parameters('name'))]", - "metadata": { - "description": "Optional. Specifies the name of the Public IP used by the Virtual Network Gateway when active-active configuration is required. If it's not provided, a '-pip' suffix will be appended to the gateway's name." - } - }, - "publicIPPrefixResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix." - } - }, - "publicIpZones": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specifies the zones of the Public IP address. Basic IP SKU does not support Availability Zones." - } - }, - "domainNameLabel": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. 
DNS name(s) of the Public IP resource(s). If you enabled active-active configuration, you need to provide 2 DNS names, if you want to use this feature. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com." - } - }, - "gatewayType": { - "type": "string", - "allowedValues": [ - "Vpn", - "ExpressRoute" - ], - "metadata": { - "description": "Required. Specifies the gateway type. E.g. VPN, ExpressRoute." - } - }, - "vpnGatewayGeneration": { - "type": "string", - "defaultValue": "None", - "allowedValues": [ - "Generation1", - "Generation2", - "None" - ], - "metadata": { - "description": "Optional. The generation for this VirtualNetworkGateway. Must be None if virtualNetworkGatewayType is not VPN." - } - }, - "skuName": { - "type": "string", - "allowedValues": [ - "Basic", - "VpnGw1", - "VpnGw2", - "VpnGw3", - "VpnGw4", - "VpnGw5", - "VpnGw1AZ", - "VpnGw2AZ", - "VpnGw3AZ", - "VpnGw4AZ", - "VpnGw5AZ", - "Standard", - "HighPerformance", - "UltraPerformance", - "ErGw1AZ", - "ErGw2AZ", - "ErGw3AZ" - ], - "metadata": { - "description": "Required. The SKU of the Gateway." - } - }, - "vpnType": { - "type": "string", - "defaultValue": "RouteBased", - "allowedValues": [ - "PolicyBased", - "RouteBased" - ], - "metadata": { - "description": "Optional. Specifies the VPN type." - } - }, - "vNetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Virtual Network resource ID." - } - }, - "activeActive": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Value to specify if the Gateway should be deployed in active-active or active-passive configuration." - } - }, - "enableBgp": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Value to specify if BGP is enabled or not." - } - }, - "asn": { - "type": "int", - "defaultValue": 65815, - "metadata": { - "description": "Optional. ASN value." 
- } - }, - "vpnClientAddressPoolPrefix": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The IP address range from which VPN clients will receive an IP address when connected. Range specified must not overlap with on-premise network." - } - }, - "allowVirtualWanTraffic": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Configures this gateway to accept traffic from remote Virtual WAN networks." - } - }, - "allowRemoteVnetTraffic": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Configure this gateway to accept traffic from other Azure Virtual Networks. This configuration does not support connectivity to Azure Virtual WAN." - } - }, - "disableIPSecReplayProtection": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. disableIPSecReplayProtection flag. Used for VPN Gateways." - } - }, - "enableDnsForwarding": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether DNS forwarding is enabled or not and is only supported for Express Route Gateways. The DNS forwarding feature flag must be enabled on the current subscription." - } - }, - "enablePrivateIpAddress": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether private IP needs to be enabled on this gateway for connections or not. Used for configuring a Site-to-Site VPN connection over ExpressRoute private peering." - } - }, - "gatewayDefaultSiteLocalNetworkGatewayId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The reference to the LocalNetworkGateway resource which represents local network site having default routes. Assign Null value in case of removing existing default site setting." - } - }, - "natRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. NatRules for virtual network gateway. 
NAT is supported on the the following SKUs: VpnGw2~5, VpnGw2AZ~5AZ and is supported for IPsec/IKE cross-premises connections only." - } - }, - "enableBgpRouteTranslationForNat": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. EnableBgpRouteTranslationForNat flag. Can only be used when \"natRules\" are enabled on the Virtual Network Gateway." - } - }, - "clientRootCertData": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Client root certificate data used to authenticate VPN clients. Cannot be configured if vpnClientAadConfiguration is provided." - } - }, - "clientRevokedCertThumbprint": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Thumbprint of the revoked certificate. This would revoke VPN client certificates matching this thumbprint from connecting to the VNet." - } - }, - "publicIpDiagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the Public IP." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "vpnClientAadConfiguration": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. 
Configuration for AAD Authentication for P2S Tunnel Type, Cannot be configured if clientRootCertData is provided." - } - } - }, - "variables": { - "zoneRedundantSkus": [ - "VpnGw1AZ", - "VpnGw2AZ", - "VpnGw3AZ", - "VpnGw4AZ", - "VpnGw5AZ", - "ErGw1AZ", - "ErGw2AZ", - "ErGw3AZ" - ], - "gatewayPipSku": "[if(contains(variables('zoneRedundantSkus'), parameters('skuName')), 'Standard', 'Basic')]", - "gatewayPipAllocationMethod": "[if(contains(variables('zoneRedundantSkus'), parameters('skuName')), 'Static', 'Dynamic')]", - "isActiveActiveValid": "[if(not(equals(parameters('gatewayType'), 'ExpressRoute')), parameters('activeActive'), false())]", - "virtualGatewayPipNameVar": "[if(variables('isActiveActiveValid'), createArray(parameters('gatewayPipName'), parameters('activeGatewayPipName')), createArray(parameters('gatewayPipName')))]", - "vpnTypeVar": "[if(not(equals(parameters('gatewayType'), 'ExpressRoute')), parameters('vpnType'), 'PolicyBased')]", - "isBgpValid": "[if(not(equals(parameters('gatewayType'), 'ExpressRoute')), parameters('enableBgp'), false())]", - "bgpSettings": { - "asn": "[parameters('asn')]" - }, - "ipConfiguration": "[if(variables('isActiveActiveValid'), createArray(createObject('properties', createObject('privateIPAllocationMethod', 'Dynamic', 'subnet', createObject('id', format('{0}/subnets/GatewaySubnet', parameters('vNetResourceId'))), 'publicIPAddress', createObject('id', resourceId('Microsoft.Network/publicIPAddresses', parameters('gatewayPipName')))), 'name', 'vNetGatewayConfig1'), createObject('properties', createObject('privateIPAllocationMethod', 'Dynamic', 'subnet', createObject('id', format('{0}/subnets/GatewaySubnet', parameters('vNetResourceId'))), 'publicIPAddress', createObject('id', if(variables('isActiveActiveValid'), resourceId('Microsoft.Network/publicIPAddresses', parameters('activeGatewayPipName')), resourceId('Microsoft.Network/publicIPAddresses', parameters('gatewayPipName'))))), 'name', 'vNetGatewayConfig2')), 
createArray(createObject('properties', createObject('privateIPAllocationMethod', 'Dynamic', 'subnet', createObject('id', format('{0}/subnets/GatewaySubnet', parameters('vNetResourceId'))), 'publicIPAddress', createObject('id', resourceId('Microsoft.Network/publicIPAddresses', parameters('gatewayPipName')))), 'name', 'vNetGatewayConfig1')))]", - "vpnClientConfiguration": "[if(not(empty(parameters('clientRootCertData'))), createObject('vpnClientAddressPool', createObject('addressPrefixes', createArray(parameters('vpnClientAddressPoolPrefix'))), 'vpnClientRootCertificates', createArray(createObject('name', 'RootCert1', 'properties', createObject('PublicCertData', parameters('clientRootCertData')))), 'vpnClientRevokedCertificates', if(not(empty(parameters('clientRevokedCertThumbprint'))), createArray(createObject('name', 'RevokedCert1', 'properties', createObject('Thumbprint', parameters('clientRevokedCertThumbprint')))), null())), if(not(empty(parameters('vpnClientAadConfiguration'))), createObject('vpnClientAddressPool', createObject('addressPrefixes', createArray(parameters('vpnClientAddressPoolPrefix'))), 'aadTenant', parameters('vpnClientAadConfiguration').aadTenant, 'aadAudience', parameters('vpnClientAadConfiguration').aadAudience, 'aadIssuer', parameters('vpnClientAadConfiguration').aadIssuer, 'vpnAuthenticationTypes', parameters('vpnClientAadConfiguration').vpnAuthenticationTypes, 'vpnClientProtocols', parameters('vpnClientAadConfiguration').vpnClientProtocols), null()))]", - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "virtualNetworkGateway": { - "type": "Microsoft.Network/virtualNetworkGateways", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "ipConfigurations": "[variables('ipConfiguration')]", - "activeActive": "[variables('isActiveActiveValid')]", - "allowRemoteVnetTraffic": "[parameters('allowRemoteVnetTraffic')]", - "allowVirtualWanTraffic": "[parameters('allowVirtualWanTraffic')]", - "enableBgp": "[variables('isBgpValid')]", - "bgpSettings": "[if(variables('isBgpValid'), variables('bgpSettings'), null())]", - "disableIPSecReplayProtection": "[parameters('disableIPSecReplayProtection')]", - "enableDnsForwarding": "[if(equals(parameters('gatewayType'), 'ExpressRoute'), parameters('enableDnsForwarding'), null())]", - "enablePrivateIpAddress": "[parameters('enablePrivateIpAddress')]", - "enableBgpRouteTranslationForNat": "[parameters('enableBgpRouteTranslationForNat')]", - "gatewayType": "[parameters('gatewayType')]", - 
"gatewayDefaultSite": "[if(not(empty(parameters('gatewayDefaultSiteLocalNetworkGatewayId'))), createObject('id', parameters('gatewayDefaultSiteLocalNetworkGatewayId')), null())]", - "sku": { - "name": "[parameters('skuName')]", - "tier": "[parameters('skuName')]" - }, - "vpnType": "[variables('vpnTypeVar')]", - "vpnClientConfiguration": "[if(not(empty(parameters('vpnClientAddressPoolPrefix'))), variables('vpnClientConfiguration'), null())]", - "vpnGatewayGeneration": "[if(equals(parameters('gatewayType'), 'Vpn'), parameters('vpnGatewayGeneration'), 'None')]" - }, - "dependsOn": [ - "publicIPAddress" - ] - }, - "virtualNetworkGateway_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/virtualNetworkGateways/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "virtualNetworkGateway" - ] - }, - "virtualNetworkGateway_diagnosticSettings": { - "copy": { - "name": "virtualNetworkGateway_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Network/virtualNetworkGateways/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "virtualNetworkGateway" - ] - }, - "virtualNetworkGateway_roleAssignments": { - "copy": { - "name": "virtualNetworkGateway_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/virtualNetworkGateways/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/virtualNetworkGateways', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "virtualNetworkGateway" - ] - }, - "publicIPAddress": { - "copy": { - "name": "publicIPAddress", - "count": "[length(variables('virtualGatewayPipNameVar'))]", - "mode": "serial", - "batchSize": 1 - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[variables('virtualGatewayPipNameVar')[copyIndex()]]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": 
"[variables('virtualGatewayPipNameVar')[copyIndex()]]" - }, - "diagnosticSettings": { - "value": "[parameters('publicIpDiagnosticSettings')]" - }, - "domainNameLabel": "[if(equals(length(variables('virtualGatewayPipNameVar')), length(parameters('domainNameLabel'))), createObject('value', parameters('domainNameLabel')[copyIndex()]), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "lock": { - "value": "[parameters('lock')]" - }, - "publicIPAllocationMethod": { - "value": "[variables('gatewayPipAllocationMethod')]" - }, - "publicIPPrefixResourceId": "[if(not(empty(parameters('publicIPPrefixResourceId'))), createObject('value', parameters('publicIPPrefixResourceId')), createObject('value', ''))]", - "tags": { - "value": "[parameters('tags')]" - }, - "skuName": { - "value": "[variables('gatewayPipSku')]" - }, - "zones": "[if(contains(variables('zoneRedundantSkus'), parameters('skuName')), createObject('value', parameters('publicIpZones')), createObject('value', createArray()))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15536304828480480757" - }, - "name": "Public IP Addresses", - "description": "This module deploys a Public IP Address.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." 
- } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." 
- } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." 
- } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Public IP Address." - } - }, - "publicIPPrefixResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix." - } - }, - "publicIPAllocationMethod": { - "type": "string", - "defaultValue": "Static", - "allowedValues": [ - "Dynamic", - "Static" - ], - "metadata": { - "description": "Optional. The public IP address allocation method." 
- } - }, - "skuName": { - "type": "string", - "defaultValue": "Standard", - "allowedValues": [ - "Basic", - "Standard" - ], - "metadata": { - "description": "Optional. Name of a public IP address SKU." - } - }, - "skuTier": { - "type": "string", - "defaultValue": "Regional", - "allowedValues": [ - "Global", - "Regional" - ], - "metadata": { - "description": "Optional. Tier of a public IP address SKU." - } - }, - "zones": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. A list of availability zones denoting the IP allocated for the resource needs to come from." - } - }, - "publicIPAddressVersion": { - "type": "string", - "defaultValue": "IPv4", - "allowedValues": [ - "IPv4", - "IPv6" - ], - "metadata": { - "description": "Optional. IP address version." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "domainNameLabel": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The domain name label. The concatenation of the domain name label and the regionalized DNS zone make up the fully qualified domain name associated with the public IP address. If a domain name label is specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system." - } - }, - "domainNameLabelScope": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "NoReuse", - "ResourceGroupReuse", - "SubscriptionReuse", - "TenantReuse" - ], - "metadata": { - "description": "Optional. The domain name label scope. If a domain name label and a domain name label scope are specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system with a hashed value includes in FQDN." - } - }, - "fqdn": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
The Fully Qualified Domain Name of the A DNS record associated with the public IP. This is the concatenation of the domainNameLabel and the regionalized DNS zone." - } - }, - "reverseFqdn": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The reverse FQDN. A user-visible, fully qualified domain name that resolves to this public IP address. If the reverseFqdn is specified, then a PTR DNS record is created pointing from the IP address in the in-addr.arpa domain to the reverse FQDN." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "publicIpAddress": { - "type": "Microsoft.Network/publicIPAddresses", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "name": "[parameters('skuName')]", - "tier": "[parameters('skuTier')]" - }, - "zones": "[parameters('zones')]", - "properties": { - "dnsSettings": "[if(not(empty(parameters('domainNameLabel'))), createObject('domainNameLabel', 
parameters('domainNameLabel'), 'domainNameLabelScope', parameters('domainNameLabelScope'), 'fqdn', parameters('fqdn'), 'reverseFqdn', parameters('reverseFqdn')), null())]", - "publicIPAddressVersion": "[parameters('publicIPAddressVersion')]", - "publicIPAllocationMethod": "[parameters('publicIPAllocationMethod')]", - "publicIPPrefix": "[if(not(empty(parameters('publicIPPrefixResourceId'))), createObject('id', parameters('publicIPPrefixResourceId')), null())]", - "idleTimeoutInMinutes": 4, - "ipTags": [] - } - }, - "publicIpAddress_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "publicIpAddress" - ] - }, - "publicIpAddress_diagnosticSettings": { - "copy": { - "name": "publicIpAddress_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "publicIpAddress" - ] - }, - "publicIpAddress_roleAssignments": { - "copy": { - "name": "publicIpAddress_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "publicIpAddress" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the public IP address was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the public IP address." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the public IP address." - }, - "value": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" - }, - "ipAddress": { - "type": "string", - "metadata": { - "description": "The public IP address of the public IP address resource." - }, - "value": "[if(contains(reference('publicIpAddress'), 'ipAddress'), reference('publicIpAddress').ipAddress, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." 
- }, - "value": "[reference('publicIpAddress', '2023-04-01', 'full').location]" - } - } - } - } - }, - "virtualNetworkGateway_natRules": { - "copy": { - "name": "virtualNetworkGateway_natRules", - "count": "[length(parameters('natRules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-NATRule-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('natRules')[copyIndex()].name]" - }, - "virtualNetworkGatewayName": { - "value": "[parameters('name')]" - }, - "externalMappings": "[if(contains(parameters('natRules')[copyIndex()], 'externalMappings'), createObject('value', parameters('natRules')[copyIndex()].externalMappings), createObject('value', createArray()))]", - "internalMappings": "[if(contains(parameters('natRules')[copyIndex()], 'internalMappings'), createObject('value', parameters('natRules')[copyIndex()].internalMappings), createObject('value', createArray()))]", - "ipConfigurationId": "[if(contains(parameters('natRules')[copyIndex()], 'ipConfigurationId'), createObject('value', parameters('natRules')[copyIndex()].ipConfigurationId), createObject('value', ''))]", - "mode": "[if(contains(parameters('natRules')[copyIndex()], 'mode'), createObject('value', parameters('natRules')[copyIndex()].mode), createObject('value', ''))]", - "type": "[if(contains(parameters('natRules')[copyIndex()], 'type'), createObject('value', parameters('natRules')[copyIndex()].type), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10871428827476692387" - }, - "name": 
"VPN Gateway NAT Rules", - "description": "This module deploys a Virtual Network Gateway NAT Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the NAT rule." - } - }, - "virtualNetworkGatewayName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Virtual Network Gateway this NAT rule is associated with. Required if the template is used in a standalone deployment." - } - }, - "externalMappings": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An address prefix range of destination IPs on the outside network that source IPs will be mapped to. In other words, your post-NAT address prefix range." - } - }, - "internalMappings": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An address prefix range of source IPs on the inside network that will be mapped to a set of external IPs. In other words, your pre-NAT address prefix range." - } - }, - "ipConfigurationId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. A NAT rule must be configured to a specific Virtual Network Gateway instance. This is applicable to Dynamic NAT only. Static NAT rules are automatically applied to both Virtual Network Gateway instances." - } - }, - "mode": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "EgressSnat", - "IngressSnat" - ], - "metadata": { - "description": "Optional. The type of NAT rule for Virtual Network NAT. IngressSnat mode (also known as Ingress Source NAT) is applicable to traffic entering the Azure hub's site-to-site Virtual Network gateway. EgressSnat mode (also known as Egress Source NAT) is applicable to traffic leaving the Azure hub's Site-to-site Virtual Network gateway." 
- } - }, - "type": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Dynamic", - "Static" - ], - "metadata": { - "description": "Optional. The type of NAT rule for Virtual Network NAT. Static one-to-one NAT establishes a one-to-one relationship between an internal address and an external address while Dynamic NAT assigns an IP and port based on availability." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/virtualNetworkGateways/natRules", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('virtualNetworkGatewayName'), parameters('name'))]", - "properties": { - "externalMappings": "[parameters('externalMappings')]", - "internalMappings": "[parameters('internalMappings')]", - "ipConfigurationId": "[if(not(empty(parameters('ipConfigurationId'))), parameters('ipConfigurationId'), null())]", - "mode": "[if(not(empty(parameters('mode'))), parameters('mode'), null())]", - "type": "[if(not(empty(parameters('type'))), parameters('type'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the NAT rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the NAT rule." 
- }, - "value": "[resourceId('Microsoft.Network/virtualNetworkGateways/natRules', parameters('virtualNetworkGatewayName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the NAT rule was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "virtualNetworkGateway" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the virtual network gateway was deployed." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the virtual network gateway." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the virtual network gateway." - }, - "value": "[resourceId('Microsoft.Network/virtualNetworkGateways', parameters('name'))]" - }, - "activeActive": { - "type": "bool", - "metadata": { - "description": "Shows if the virtual network gateway is configured in active-active mode." - }, - "value": "[reference('virtualNetworkGateway').activeActive]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('virtualNetworkGateway', '2023-04-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/virtual-network-gateway/nat-rule/README.md b/modules/network/virtual-network-gateway/nat-rule/README.md deleted file mode 100644 index 000683efbc..0000000000 --- a/modules/network/virtual-network-gateway/nat-rule/README.md +++ /dev/null 
@@ -1,132 +0,0 @@ -# VPN Gateway NAT Rules `[Microsoft.Network/virtualNetworkGateways/natRules]` - -This module deploys a Virtual Network Gateway NAT Rule. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Network/virtualNetworkGateways/natRules` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/virtualNetworkGateways/natRules) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the NAT rule. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`virtualNetworkGatewayName`](#parameter-virtualnetworkgatewayname) | string | The name of the parent Virtual Network Gateway this NAT rule is associated with. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`externalMappings`](#parameter-externalmappings) | array | An address prefix range of destination IPs on the outside network that source IPs will be mapped to. In other words, your post-NAT address prefix range. | -| [`internalMappings`](#parameter-internalmappings) | array | An address prefix range of source IPs on the inside network that will be mapped to a set of external IPs. In other words, your pre-NAT address prefix range. | -| [`ipConfigurationId`](#parameter-ipconfigurationid) | string | A NAT rule must be configured to a specific Virtual Network Gateway instance. This is applicable to Dynamic NAT only. Static NAT rules are automatically applied to both Virtual Network Gateway instances. 
| -| [`mode`](#parameter-mode) | string | The type of NAT rule for Virtual Network NAT. IngressSnat mode (also known as Ingress Source NAT) is applicable to traffic entering the Azure hub's site-to-site Virtual Network gateway. EgressSnat mode (also known as Egress Source NAT) is applicable to traffic leaving the Azure hub's Site-to-site Virtual Network gateway. | -| [`type`](#parameter-type) | string | The type of NAT rule for Virtual Network NAT. Static one-to-one NAT establishes a one-to-one relationship between an internal address and an external address while Dynamic NAT assigns an IP and port based on availability. | - -### Parameter: `name` - -The name of the NAT rule. - -- Required: Yes -- Type: string - -### Parameter: `virtualNetworkGatewayName` - -The name of the parent Virtual Network Gateway this NAT rule is associated with. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `externalMappings` - -An address prefix range of destination IPs on the outside network that source IPs will be mapped to. In other words, your post-NAT address prefix range. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `internalMappings` - -An address prefix range of source IPs on the inside network that will be mapped to a set of external IPs. In other words, your pre-NAT address prefix range. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `ipConfigurationId` - -A NAT rule must be configured to a specific Virtual Network Gateway instance. This is applicable to Dynamic NAT only. Static NAT rules are automatically applied to both Virtual Network Gateway instances. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `mode` - -The type of NAT rule for Virtual Network NAT. 
IngressSnat mode (also known as Ingress Source NAT) is applicable to traffic entering the Azure hub's site-to-site Virtual Network gateway. EgressSnat mode (also known as Egress Source NAT) is applicable to traffic leaving the Azure hub's Site-to-site Virtual Network gateway. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'EgressSnat' - 'IngressSnat' - ] - ``` - -### Parameter: `type` - -The type of NAT rule for Virtual Network NAT. Static one-to-one NAT establishes a one-to-one relationship between an internal address and an external address while Dynamic NAT assigns an IP and port based on availability. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Dynamic' - 'Static' - ] - ``` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the NAT rule. | -| `resourceGroupName` | string | The name of the resource group the NAT rule was deployed into. | -| `resourceId` | string | The resource ID of the NAT rule. | - -## Cross-referenced modules - -_None_ diff --git a/modules/network/virtual-network-gateway/nat-rule/main.bicep b/modules/network/virtual-network-gateway/nat-rule/main.bicep deleted file mode 100644 index 5410c01508..0000000000 --- a/modules/network/virtual-network-gateway/nat-rule/main.bicep +++ /dev/null 
@@ -1,74 +0,0 @@
-metadata name = 'VPN Gateway NAT Rules'
-metadata description = 'This module deploys a Virtual Network Gateway NAT Rule.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the NAT rule.')
-param name string
-
-@description('Conditional. The name of the parent Virtual Network Gateway this NAT rule is associated with. Required if the template is used in a standalone deployment.')
-param virtualNetworkGatewayName string
-
-@description('Optional. An address prefix range of destination IPs on the outside network that source IPs will be mapped to. In other words, your post-NAT address prefix range.')
-param externalMappings array = []
-
-@description('Optional. An address prefix range of source IPs on the inside network that will be mapped to a set of external IPs. In other words, your pre-NAT address prefix range.')
-param internalMappings array = []
-
-@description('Optional. A NAT rule must be configured to a specific Virtual Network Gateway instance. This is applicable to Dynamic NAT only. Static NAT rules are automatically applied to both Virtual Network Gateway instances.')
-param ipConfigurationId string = ''
-
-@description('Optional. The type of NAT rule for Virtual Network NAT. IngressSnat mode (also known as Ingress Source NAT) is applicable to traffic entering the Azure hub\'s site-to-site Virtual Network gateway. EgressSnat mode (also known as Egress Source NAT) is applicable to traffic leaving the Azure hub\'s Site-to-site Virtual Network gateway.')
-@allowed([
- ''
- 'EgressSnat'
- 'IngressSnat'
-])
-param mode string = ''
-
-@description('Optional. The type of NAT rule for Virtual Network NAT. Static one-to-one NAT establishes a one-to-one relationship between an internal address and an external address while Dynamic NAT assigns an IP and port based on availability.')
-@allowed([
- ''
- 'Dynamic'
- 'Static'
-])
-param type string = ''
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource virtualNetworkGateway 'Microsoft.Network/virtualNetworkGateways@2023-04-01' existing = {
- name: virtualNetworkGatewayName
-}
-
-resource natRule 'Microsoft.Network/virtualNetworkGateways/natRules@2023-04-01' = {
- name: name
- parent: virtualNetworkGateway
- properties: {
- externalMappings: externalMappings
- internalMappings: internalMappings
- ipConfigurationId: !empty(ipConfigurationId) ? ipConfigurationId : null
- mode: !empty(mode) ? any(mode) : null
- type: !empty(type) ? any(type) : null
- }
-}
-
-@description('The name of the NAT rule.')
-output name string = natRule.name
-
-@description('The resource ID of the NAT rule.')
-output resourceId string = natRule.id
-
-@description('The name of the resource group the NAT rule was deployed into.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/network/virtual-network-gateway/nat-rule/main.json b/modules/network/virtual-network-gateway/nat-rule/main.json
deleted file mode 100644
index b1c5884076..0000000000
--- a/modules/network/virtual-network-gateway/nat-rule/main.json
+++ /dev/null
@@ -1,131 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10871428827476692387" - }, - "name": "VPN Gateway NAT Rules", - "description": "This module deploys a Virtual Network Gateway NAT Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the NAT rule." - } - }, - "virtualNetworkGatewayName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Virtual Network Gateway this NAT rule is associated with. Required if the template is used in a standalone deployment." - } - }, - "externalMappings": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An address prefix range of destination IPs on the outside network that source IPs will be mapped to. In other words, your post-NAT address prefix range." - } - }, - "internalMappings": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An address prefix range of source IPs on the inside network that will be mapped to a set of external IPs. In other words, your pre-NAT address prefix range." - } - }, - "ipConfigurationId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. A NAT rule must be configured to a specific Virtual Network Gateway instance. This is applicable to Dynamic NAT only. Static NAT rules are automatically applied to both Virtual Network Gateway instances." - } - }, - "mode": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "EgressSnat", - "IngressSnat" - ], - "metadata": { - "description": "Optional. The type of NAT rule for Virtual Network NAT. 
IngressSnat mode (also known as Ingress Source NAT) is applicable to traffic entering the Azure hub's site-to-site Virtual Network gateway. EgressSnat mode (also known as Egress Source NAT) is applicable to traffic leaving the Azure hub's Site-to-site Virtual Network gateway." - } - }, - "type": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Dynamic", - "Static" - ], - "metadata": { - "description": "Optional. The type of NAT rule for Virtual Network NAT. Static one-to-one NAT establishes a one-to-one relationship between an internal address and an external address while Dynamic NAT assigns an IP and port based on availability." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/virtualNetworkGateways/natRules", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('virtualNetworkGatewayName'), parameters('name'))]", - "properties": { - "externalMappings": "[parameters('externalMappings')]", - "internalMappings": "[parameters('internalMappings')]", - "ipConfigurationId": "[if(not(empty(parameters('ipConfigurationId'))), parameters('ipConfigurationId'), null())]", - "mode": "[if(not(empty(parameters('mode'))), parameters('mode'), null())]", - "type": "[if(not(empty(parameters('type'))), parameters('type'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - 
"metadata": { - "description": "The name of the NAT rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the NAT rule." - }, - "value": "[resourceId('Microsoft.Network/virtualNetworkGateways/natRules', parameters('virtualNetworkGatewayName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the NAT rule was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/network/virtual-network-gateway/nat-rule/version.json b/modules/network/virtual-network-gateway/nat-rule/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/network/virtual-network-gateway/nat-rule/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/virtual-network-gateway/tests/e2e/aadvpn/dependencies.bicep b/modules/network/virtual-network-gateway/tests/e2e/aadvpn/dependencies.bicep deleted file mode 100644 index 9fcc9d5821..0000000000 --- a/modules/network/virtual-network-gateway/tests/e2e/aadvpn/dependencies.bicep +++ /dev/null 
@@ -1,41 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'GatewaySubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network.')
-output vnetResourceId string = virtualNetwork.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/virtual-network-gateway/tests/e2e/aadvpn/main.test.bicep b/modules/network/virtual-network-gateway/tests/e2e/aadvpn/main.test.bicep
deleted file mode 100644
index a6e2410992..0000000000
--- a/modules/network/virtual-network-gateway/tests/e2e/aadvpn/main.test.bicep
+++ /dev/null
@@ -1,134 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.virtualnetworkgateways-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nvngavpn'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- skuName: 'VpnGw2AZ'
- gatewayType: 'Vpn'
- vNetResourceId: nestedDependencies.outputs.vnetResourceId
- activeActive: false
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- domainNameLabel: [
- '${namePrefix}-dm-${serviceShort}'
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- publicIpZones: [
- '1'
- '2'
- '3'
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- vpnClientAadConfiguration: {
- // The Application ID of the "Azure VPN" Azure AD Enterprise App for Azure Public
- aadAudience: '41b23e61-6c1e-4545-b367-cd054e0ed4b4'
- aadIssuer: 'https://sts.windows.net/${tenant().tenantId}/'
- aadTenant: '${environment().authentication.loginEndpoint}/${tenant().tenantId}/'
- vpnAuthenticationTypes: [
- 'AAD'
- ]
- vpnClientProtocols: [
- 'OpenVPN'
- ]
- }
- vpnType: 'RouteBased'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/virtual-network-gateway/tests/e2e/expressRoute/dependencies.bicep b/modules/network/virtual-network-gateway/tests/e2e/expressRoute/dependencies.bicep
deleted file mode 100644
index 9fcc9d5821..0000000000
--- a/modules/network/virtual-network-gateway/tests/e2e/expressRoute/dependencies.bicep
+++ /dev/null
@@ -1,41 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'GatewaySubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network.')
-output vnetResourceId string = virtualNetwork.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/virtual-network-gateway/tests/e2e/expressRoute/main.test.bicep b/modules/network/virtual-network-gateway/tests/e2e/expressRoute/main.test.bicep
deleted file mode 100644
index 272b39ce1f..0000000000
--- a/modules/network/virtual-network-gateway/tests/e2e/expressRoute/main.test.bicep
+++ /dev/null
@@ -1,111 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.virtualnetworkgateways-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nvger'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- skuName: 'ErGw1AZ'
- gatewayType: 'ExpressRoute'
- vNetResourceId: nestedDependencies.outputs.vnetResourceId
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- domainNameLabel: [
- '${namePrefix}-dm-${serviceShort}'
- ]
- gatewayPipName: '${namePrefix}-pip-${serviceShort}'
- roleAssignments: [
- {
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- roleDefinitionIdOrName: 'Reader'
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Contact: 'test.user@testcompany.com'
- CostCenter: ''
- Environment: 'Validation'
- PurchaseOrder: ''
- Role: 'DeploymentValidation'
- ServiceName: 'DeploymentValidation'
- }
- publicIpZones: [
- '1'
- '2'
- '3'
- ]
- }
-}]
diff --git a/modules/network/virtual-network-gateway/tests/e2e/vpn/dependencies.bicep b/modules/network/virtual-network-gateway/tests/e2e/vpn/dependencies.bicep
deleted file mode 100644
index ab4fdf887a..0000000000
--- a/modules/network/virtual-network-gateway/tests/e2e/vpn/dependencies.bicep
+++ /dev/null
@@ -1,60 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Local Network Gateway to create.')
-param localNetworkGatewayName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'GatewaySubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource localNetworkGateway 'Microsoft.Network/localNetworkGateways@2023-04-01' = {
- name: localNetworkGatewayName
- location: location
- properties: {
- gatewayIpAddress: '100.100.100.100'
- localNetworkAddressSpace: {
- addressPrefixes: [
- '192.168.0.0/24'
- ]
- }
- }
-}
-
-@description('The resource ID of the created Virtual Network.')
-output vnetResourceId string = virtualNetwork.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Local Network Gateway.')
-output localNetworkGatewayResourceId string = localNetworkGateway.id
diff --git a/modules/network/virtual-network-gateway/tests/e2e/vpn/main.test.bicep b/modules/network/virtual-network-gateway/tests/e2e/vpn/main.test.bicep
deleted file mode 100644
index 3f983e947f..0000000000
--- a/modules/network/virtual-network-gateway/tests/e2e/vpn/main.test.bicep
+++ /dev/null
@@ -1,153 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.virtualnetworkgateways-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nvgvpn'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- localNetworkGatewayName: 'dep-${namePrefix}-lng-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- vpnGatewayGeneration: 'Generation2'
- skuName: 'VpnGw2AZ'
- gatewayType: 'Vpn'
- vNetResourceId: nestedDependencies.outputs.vnetResourceId
- activeActive: true
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- domainNameLabel: [
- '${namePrefix}-dm-${serviceShort}'
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- publicIpZones: [
- '1'
- '2'
- '3'
- ]
- roleAssignments: [
- {
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- roleDefinitionIdOrName: 'Reader'
- principalType: 'ServicePrincipal'
- }
- ]
- vpnType: 'RouteBased'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- enablePrivateIpAddress: true
- gatewayDefaultSiteLocalNetworkGatewayId: nestedDependencies.outputs.localNetworkGatewayResourceId
- disableIPSecReplayProtection: true
- allowRemoteVnetTraffic: true
- natRules: [
- {
- name: 'nat-rule-1-static-IngressSnat'
- type: 'Static'
- mode: 'IngressSnat'
- internalMappings: [
- {
- addressSpace: '10.100.0.0/24'
- portRange: '100'
- }
- ]
- externalMappings: [
- {
- addressSpace: '192.168.0.0/24'
- portRange: '100'
- }
- ]
- }
- {
- name: 'nat-rule-2-dynamic-EgressSnat'
- type: 'Dynamic'
- mode: 'EgressSnat'
- internalMappings: [
- {
- addressSpace: '172.16.0.0/26'
- }
- ]
- externalMappings: [
- {
- addressSpace: '10.200.0.0/26'
- }
- ]
- }
- ]
- enableBgpRouteTranslationForNat: true
- }
-}]
diff --git a/modules/network/virtual-network-gateway/version.json b/modules/network/virtual-network-gateway/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/network/virtual-network-gateway/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/virtual-network/MOVED-TO-AVM.md b/modules/network/virtual-network/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/network/virtual-network/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/network/virtual-network/README.md b/modules/network/virtual-network/README.md
index 204295260a..b3f13c6c8b 100644
--- a/modules/network/virtual-network/README.md
+++ b/modules/network/virtual-network/README.md
@@ -1,1045 +1,7 @@
-# Virtual Networks `[Microsoft.Network/virtualNetworks]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/virtual-network](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/virtual-network).** -This module deploys a Virtual Network (vNet). +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/virtual-network). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/virtualNetworks` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/virtualNetworks) | -| `Microsoft.Network/virtualNetworks/subnets` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/virtualNetworks/subnets) | -| `Microsoft.Network/virtualNetworks/virtualNetworkPeerings` | 
[2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/virtualNetworks/virtualNetworkPeerings) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.virtual-network:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [Vnetpeering](#example-3-vnetpeering) -- [WAF-aligned](#example-4-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nvnmin' - params: { - // Required parameters - addressPrefixes: [ - '10.0.0.0/16' - ] - name: 'nvnmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "addressPrefixes": { - "value": [ - "10.0.0.0/16" - ] - }, - "name": { - "value": "nvnmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nvnmax' - params: { - // Required parameters - addressPrefixes: [ - '' - ] - name: 'nvnmax001' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - dnsServers: [ - '10.0.1.4' - '10.0.1.5' - ] - enableDefaultTelemetry: '' - flowTimeoutInMinutes: 20 - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - subnets: [ - { - addressPrefix: '' - name: 'GatewaySubnet' - } - { - addressPrefix: '' - name: 'az-subnet-x-001' - networkSecurityGroupId: '' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - routeTableId: '' - serviceEndpoints: [ - { - service: 'Microsoft.Storage' - } - { - service: 'Microsoft.Sql' - } - ] - } - { - addressPrefix: '' - delegations: [ - { - name: 'netappDel' - properties: { - serviceName: 'Microsoft.Netapp/volumes' - } - } - ] - name: 'az-subnet-x-002' - } - { - addressPrefix: '' - name: 'az-subnet-x-003' - privateEndpointNetworkPolicies: 'Disabled' - privateLinkServiceNetworkPolicies: 'Enabled' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "addressPrefixes": { - "value": [ - "" - ] - }, - "name": { - "value": "nvnmax001" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "dnsServers": { - "value": [ - "10.0.1.4", - "10.0.1.5" - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "flowTimeoutInMinutes": { - "value": 20 - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "subnets": { - "value": [ - { - "addressPrefix": "", - "name": "GatewaySubnet" - }, - { - "addressPrefix": "", - "name": "az-subnet-x-001", - "networkSecurityGroupId": "", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "routeTableId": "", - "serviceEndpoints": [ - { - "service": "Microsoft.Storage" - }, - { - "service": "Microsoft.Sql" - } - ] - }, - { - "addressPrefix": "", - "delegations": [ - { - "name": "netappDel", - "properties": { - "serviceName": "Microsoft.Netapp/volumes" - } - } - ], - "name": "az-subnet-x-002" - }, - { - "addressPrefix": "", - "name": "az-subnet-x-003", - "privateEndpointNetworkPolicies": "Disabled", - 
"privateLinkServiceNetworkPolicies": "Enabled" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _Vnetpeering_ - -

- -via Bicep module - -```bicep -module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nvnpeer' - params: { - // Required parameters - addressPrefixes: [ - '10.1.0.0/24' - ] - name: 'nvnpeer001' - // Non-required parameters - enableDefaultTelemetry: '' - peerings: [ - { - allowForwardedTraffic: true - allowGatewayTransit: false - allowVirtualNetworkAccess: true - remotePeeringAllowForwardedTraffic: true - remotePeeringAllowVirtualNetworkAccess: true - remotePeeringEnabled: true - remotePeeringName: 'customName' - remoteVirtualNetworkId: '' - useRemoteGateways: false - } - ] - subnets: [ - { - addressPrefix: '10.1.0.0/26' - name: 'GatewaySubnet' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "addressPrefixes": { - "value": [ - "10.1.0.0/24" - ] - }, - "name": { - "value": "nvnpeer001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "peerings": { - "value": [ - { - "allowForwardedTraffic": true, - "allowGatewayTransit": false, - "allowVirtualNetworkAccess": true, - "remotePeeringAllowForwardedTraffic": true, - "remotePeeringAllowVirtualNetworkAccess": true, - "remotePeeringEnabled": true, - "remotePeeringName": "customName", - "remoteVirtualNetworkId": "", - "useRemoteGateways": false - } - ] - }, - "subnets": { - "value": [ - { - "addressPrefix": "10.1.0.0/26", - "name": "GatewaySubnet" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 4: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nvnwaf' - params: { - // Required parameters - addressPrefixes: [ - '' - ] - name: 'nvnwaf001' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - dnsServers: [ - '10.0.1.4' - '10.0.1.5' - ] - enableDefaultTelemetry: '' - flowTimeoutInMinutes: 20 - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - subnets: [ - { - addressPrefix: '' - name: 'GatewaySubnet' - } - { - addressPrefix: '' - name: 'az-subnet-x-001' - networkSecurityGroupId: '' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - routeTableId: '' - serviceEndpoints: [ - { - service: 'Microsoft.Storage' - } - { - service: 'Microsoft.Sql' - } - ] - } - { - addressPrefix: '' - delegations: [ - { - name: 'netappDel' - properties: { - serviceName: 'Microsoft.Netapp/volumes' - } - } - ] - name: 'az-subnet-x-002' - } - { - addressPrefix: '' - name: 'az-subnet-x-003' - privateEndpointNetworkPolicies: 'Disabled' - privateLinkServiceNetworkPolicies: 'Enabled' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "addressPrefixes": { - "value": [ - "" - ] - }, - "name": { - "value": "nvnwaf001" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "dnsServers": { - "value": [ - "10.0.1.4", - "10.0.1.5" - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "flowTimeoutInMinutes": { - "value": 20 - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "subnets": { - "value": [ - { - "addressPrefix": "", - "name": "GatewaySubnet" - }, - { - "addressPrefix": "", - "name": "az-subnet-x-001", - "networkSecurityGroupId": "", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "routeTableId": "", - "serviceEndpoints": [ - { - "service": "Microsoft.Storage" - }, - { - "service": "Microsoft.Sql" - } - ] - }, - { - "addressPrefix": "", - "delegations": [ - { - "name": "netappDel", - "properties": { - "serviceName": "Microsoft.Netapp/volumes" - } - } - ], - "name": "az-subnet-x-002" - }, - { - "addressPrefix": "", - "name": "az-subnet-x-003", - "privateEndpointNetworkPolicies": "Disabled", - "privateLinkServiceNetworkPolicies": "Enabled" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`addressPrefixes`](#parameter-addressprefixes) | array | An Array of 1 or more IP Address Prefixes for the Virtual Network. | -| [`name`](#parameter-name) | string | The Virtual Network (vNet) Name. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`ddosProtectionPlanId`](#parameter-ddosprotectionplanid) | string | Resource ID of the DDoS protection plan to assign the VNET to. If it's left blank, DDoS protection will not be configured. If it's provided, the VNET created by this template will be attached to the referenced DDoS protection plan. The DDoS protection plan can exist in the same or in a different subscription. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`dnsServers`](#parameter-dnsservers) | array | DNS Servers associated to the Virtual Network. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`flowTimeoutInMinutes`](#parameter-flowtimeoutinminutes) | int | The flow timeout in minutes for the Virtual Network, which is used to enable connection tracking for intra-VM flows. Possible values are between 4 and 30 minutes. Default value 0 will set the property to null. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`peerings`](#parameter-peerings) | array | Virtual Network Peerings configurations. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`subnets`](#parameter-subnets) | array | An Array of subnets to deploy to the Virtual Network. | -| [`tags`](#parameter-tags) | object | Tags of the resource. 
| -| [`vnetEncryption`](#parameter-vnetencryption) | bool | Indicates if encryption is enabled on virtual network and if VM without encryption is allowed in encrypted VNet. Requires the EnableVNetEncryption feature to be registered for the subscription and a supported region to use this property. | -| [`vnetEncryptionEnforcement`](#parameter-vnetencryptionenforcement) | string | If the encrypted VNet allows VM that does not support encryption. Can only be used when vnetEncryption is enabled. | - -### Parameter: `addressPrefixes` - -An Array of 1 or more IP Address Prefixes for the Virtual Network. - -- Required: Yes -- Type: array - -### Parameter: `name` - -The Virtual Network (vNet) Name. - -- Required: Yes -- Type: string - -### Parameter: `ddosProtectionPlanId` - -Resource ID of the DDoS protection plan to assign the VNET to. If it's left blank, DDoS protection will not be configured. If it's provided, the VNET created by this template will be attached to the referenced DDoS protection plan. The DDoS protection plan can exist in the same or in a different subscription. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
| -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- -- Required: No -- Type: string - -### Parameter: `dnsServers` - -DNS Servers associated to the Virtual Network. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `flowTimeoutInMinutes` - -The flow timeout in minutes for the Virtual Network, which is used to enable connection tracking for intra-VM flows. Possible values are between 4 and 30 minutes. Default value 0 will set the property to null. - -- Required: No -- Type: int -- Default: `0` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `peerings` - -Virtual Network Peerings configurations. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `subnets` - -An Array of subnets to deploy to the Virtual Network. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `vnetEncryption` - -Indicates if encryption is enabled on virtual network and if VM without encryption is allowed in encrypted VNet. Requires the EnableVNetEncryption feature to be registered for the subscription and a supported region to use this property. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `vnetEncryptionEnforcement` - -If the encrypted VNet allows VM that does not support encryption. Can only be used when vnetEncryption is enabled. - -- Required: No -- Type: string -- Default: `'AllowUnencrypted'` -- Allowed: - ```Bicep - [ - 'AllowUnencrypted' - 'DropUnencrypted' - ] - ``` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the virtual network. 
| -| `resourceGroupName` | string | The resource group the virtual network was deployed into. | -| `resourceId` | string | The resource ID of the virtual network. | -| `subnetNames` | array | The names of the deployed subnets. | -| `subnetResourceIds` | array | The resource IDs of the deployed subnets. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Considerations - -The network security group and route table resources must reside in the same resource group as the virtual network. - -### Parameter Usage: `peerings` - -As the virtual network peering array allows you to deploy not only a one-way but also two-way peering (i.e reverse), you can use the following ***additional*** properties on top of what is documented in _[virtualNetworkPeering](virtual-network-peering/README.md)_. - -| Parameter Name | Type | Default Value | Possible Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `remotePeeringEnabled` | bool | `false` | | Optional. Set to true to also deploy the reverse peering for the configured remote virtual networks to the local network | -| `remotePeeringName` | string | `'${last(split(peering.remoteVirtualNetworkId, '/'))}-${name}'` | | Optional. The Name of Vnet Peering resource. If not provided, default value will be - | -| `remotePeeringAllowForwardedTraffic` | bool | `true` | | Optional. Whether the forwarded traffic from the VMs in the local virtual network will be allowed/disallowed in remote virtual network. | -| `remotePeeringAllowGatewayTransit` | bool | `false` | | Optional. If gateway links can be used in remote virtual networking to link to this virtual network. | -| `remotePeeringAllowVirtualNetworkAccess` | bool | `true` | | Optional. Whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space. | -| `remotePeeringDoNotVerifyRemoteGateways` | bool | `true` | | Optional. If we need to verify the provisioning state of the remote gateway. 
| -| `remotePeeringUseRemoteGateways` | bool | `false` | | Optional. If remote gateways can be used on this virtual network. If the flag is set to `true`, and allowGatewayTransit on local peering is also `true`, virtual network will use gateways of local virtual network for transit. Only one peering can have this flag set to `true`. This flag cannot be set if virtual network already has a gateway. | +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/network/virtual-network/main.bicep b/modules/network/virtual-network/main.bicep deleted file mode 100644 index 59201d89b2..0000000000 --- a/modules/network/virtual-network/main.bicep +++ /dev/null 
@@ -1,329 +0,0 @@
-metadata name = 'Virtual Networks'
-metadata description = 'This module deploys a Virtual Network (vNet).'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The Virtual Network (vNet) Name.')
-param name string
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Required. An Array of 1 or more IP Address Prefixes for the Virtual Network.')
-param addressPrefixes array
-
-@description('Optional. An Array of subnets to deploy to the Virtual Network.')
-param subnets array = []
-
-@description('Optional. DNS Servers associated to the Virtual Network.')
-param dnsServers array = []
-
-@description('Optional. Resource ID of the DDoS protection plan to assign the VNET to. If it\'s left blank, DDoS protection will not be configured. If it\'s provided, the VNET created by this template will be attached to the referenced DDoS protection plan. The DDoS protection plan can exist in the same or in a different subscription.')
-param ddosProtectionPlanId string = ''
-
-@description('Optional. Virtual Network Peerings configurations.')
-param peerings array = []
-
-@description('Optional. Indicates if encryption is enabled on virtual network and if VM without encryption is allowed in encrypted VNet. Requires the EnableVNetEncryption feature to be registered for the subscription and a supported region to use this property.')
-param vnetEncryption bool = false
-
-@allowed([
- 'AllowUnencrypted'
- 'DropUnencrypted'
-])
-@description('Optional. If the encrypted VNet allows VM that does not support encryption. Can only be used when vnetEncryption is enabled.')
-param vnetEncryptionEnforcement string = 'AllowUnencrypted'
-
-@maxValue(30)
-@description('Optional. The flow timeout in minutes for the Virtual Network, which is used to enable connection tracking for intra-VM flows. Possible values are between 4 and 30 minutes.
Default value 0 will set the property to null.')
-param flowTimeoutInMinutes int = 0
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var dnsServersVar = {
- dnsServers: array(dnsServers)
-}
-
-var ddosProtectionPlan = {
- id: ddosProtectionPlanId
-}
-
-var enableReferencedModulesTelemetry = false
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource
virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: name
- location: location
- tags: tags
- properties: {
- addressSpace: {
- addressPrefixes: addressPrefixes
- }
- ddosProtectionPlan: !empty(ddosProtectionPlanId) ? ddosProtectionPlan : null
- dhcpOptions: !empty(dnsServers) ? dnsServersVar : null
- enableDdosProtection: !empty(ddosProtectionPlanId)
- encryption: vnetEncryption == true ? {
- enabled: vnetEncryption
- enforcement: vnetEncryptionEnforcement
- } : null
- flowTimeoutInMinutes: flowTimeoutInMinutes != 0 ? flowTimeoutInMinutes : null
- subnets: [for subnet in subnets: {
- name: subnet.name
- properties: {
- addressPrefix: subnet.addressPrefix
- addressPrefixes: contains(subnet, 'addressPrefixes') ? subnet.addressPrefixes : []
- applicationGatewayIPConfigurations: contains(subnet, 'applicationGatewayIPConfigurations') ? subnet.applicationGatewayIPConfigurations : []
- delegations: contains(subnet, 'delegations') ? subnet.delegations : []
- ipAllocations: contains(subnet, 'ipAllocations') ? subnet.ipAllocations : []
- natGateway: contains(subnet, 'natGatewayId') ? {
- id: subnet.natGatewayId
- } : null
- networkSecurityGroup: contains(subnet, 'networkSecurityGroupId') ? {
- id: subnet.networkSecurityGroupId
- } : null
- privateEndpointNetworkPolicies: contains(subnet, 'privateEndpointNetworkPolicies') ? subnet.privateEndpointNetworkPolicies : null
- privateLinkServiceNetworkPolicies: contains(subnet, 'privateLinkServiceNetworkPolicies') ? subnet.privateLinkServiceNetworkPolicies : null
- routeTable: contains(subnet, 'routeTableId') ? {
- id: subnet.routeTableId
- } : null
- serviceEndpoints: contains(subnet, 'serviceEndpoints') ? subnet.serviceEndpoints : []
- serviceEndpointPolicies: contains(subnet, 'serviceEndpointPolicies') ?
subnet.serviceEndpointPolicies : []
- }
- }]
- }
-}
-
-//NOTE Start: ------------------------------------
-// The below module (virtualNetwork_subnets) is a duplicate of the child resource (subnets) defined in the parent module (virtualNetwork).
-// The reason it exists so that deployment validation tests can be performed on the child module (subnets), in case that module needed to be deployed alone outside of this template.
-// The reason for duplication is due to the current design for the (virtualNetworks) resource from Azure, where if the child module (subnets) does not exist within it, causes
-// an issue, where the child resource (subnets) gets all of its properties removed, hence not as 'idempotent' as it should be. See https://github.com/Azure/azure-quickstart-templates/issues/2786 for more details.
-// You can safely remove the below child module (virtualNetwork_subnets) in your consumption of the module (virtualNetworks) to reduce the template size and duplication.
-//NOTE End : ------------------------------------
-
-module virtualNetwork_subnets 'subnet/main.bicep' = [for (subnet, index) in subnets: {
- name: '${uniqueString(deployment().name, location)}-subnet-${index}'
- params: {
- virtualNetworkName: virtualNetwork.name
- name: subnet.name
- addressPrefix: subnet.addressPrefix
- addressPrefixes: contains(subnet, 'addressPrefixes') ? subnet.addressPrefixes : []
- applicationGatewayIPConfigurations: contains(subnet, 'applicationGatewayIPConfigurations') ? subnet.applicationGatewayIPConfigurations : []
- delegations: contains(subnet, 'delegations') ? subnet.delegations : []
- ipAllocations: contains(subnet, 'ipAllocations') ? subnet.ipAllocations : []
- natGatewayId: contains(subnet, 'natGatewayId') ? subnet.natGatewayId : ''
- networkSecurityGroupId: contains(subnet, 'networkSecurityGroupId') ? subnet.networkSecurityGroupId : ''
- privateEndpointNetworkPolicies: contains(subnet, 'privateEndpointNetworkPolicies') ?
subnet.privateEndpointNetworkPolicies : ''
- privateLinkServiceNetworkPolicies: contains(subnet, 'privateLinkServiceNetworkPolicies') ? subnet.privateLinkServiceNetworkPolicies : ''
- roleAssignments: contains(subnet, 'roleAssignments') ? subnet.roleAssignments : []
- routeTableId: contains(subnet, 'routeTableId') ? subnet.routeTableId : ''
- serviceEndpointPolicies: contains(subnet, 'serviceEndpointPolicies') ? subnet.serviceEndpointPolicies : []
- serviceEndpoints: contains(subnet, 'serviceEndpoints') ? subnet.serviceEndpoints : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-// Local to Remote peering
-module virtualNetwork_peering_local 'virtual-network-peering/main.bicep' = [for (peering, index) in peerings: {
- name: '${uniqueString(deployment().name, location)}-virtualNetworkPeering-local-${index}'
- params: {
- localVnetName: virtualNetwork.name
- remoteVirtualNetworkId: peering.remoteVirtualNetworkId
- name: contains(peering, 'name') ? peering.name : '${name}-${last(split(peering.remoteVirtualNetworkId, '/'))}'
- allowForwardedTraffic: contains(peering, 'allowForwardedTraffic') ? peering.allowForwardedTraffic : true
- allowGatewayTransit: contains(peering, 'allowGatewayTransit') ? peering.allowGatewayTransit : false
- allowVirtualNetworkAccess: contains(peering, 'allowVirtualNetworkAccess') ? peering.allowVirtualNetworkAccess : true
- doNotVerifyRemoteGateways: contains(peering, 'doNotVerifyRemoteGateways') ? peering.doNotVerifyRemoteGateways : true
- useRemoteGateways: contains(peering, 'useRemoteGateways') ? peering.useRemoteGateways : false
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-// Remote to local peering (reverse)
-module virtualNetwork_peering_remote 'virtual-network-peering/main.bicep' = [for (peering, index) in peerings: if (contains(peering, 'remotePeeringEnabled') ?
peering.remotePeeringEnabled == true : false) {
- name: '${uniqueString(deployment().name, location)}-virtualNetworkPeering-remote-${index}'
- scope: resourceGroup(split(peering.remoteVirtualNetworkId, '/')[2], split(peering.remoteVirtualNetworkId, '/')[4])
- params: {
- localVnetName: last(split(peering.remoteVirtualNetworkId, '/'))!
- remoteVirtualNetworkId: virtualNetwork.id
- name: contains(peering, 'remotePeeringName') ? peering.remotePeeringName : '${last(split(peering.remoteVirtualNetworkId, '/'))}-${name}'
- allowForwardedTraffic: contains(peering, 'remotePeeringAllowForwardedTraffic') ? peering.remotePeeringAllowForwardedTraffic : true
- allowGatewayTransit: contains(peering, 'remotePeeringAllowGatewayTransit') ? peering.remotePeeringAllowGatewayTransit : false
- allowVirtualNetworkAccess: contains(peering, 'remotePeeringAllowVirtualNetworkAccess') ? peering.remotePeeringAllowVirtualNetworkAccess : true
- doNotVerifyRemoteGateways: contains(peering, 'remotePeeringDoNotVerifyRemoteGateways') ? peering.remotePeeringDoNotVerifyRemoteGateways : true
- useRemoteGateways: contains(peering, 'remotePeeringUseRemoteGateways') ? peering.remotePeeringUseRemoteGateways : false
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-resource virtualNetwork_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: virtualNetwork
-}
-
-resource virtualNetwork_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ??
'${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: virtualNetwork
-}]
-
-resource virtualNetwork_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(virtualNetwork.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ??
'2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: virtualNetwork
-}]
-
-@description('The resource group the virtual network was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The resource ID of the virtual network.')
-output resourceId string = virtualNetwork.id
-
-@description('The name of the virtual network.')
-output name string = virtualNetwork.name
-
-@description('The names of the deployed subnets.')
-output subnetNames array = [for subnet in subnets: subnet.name]
-
-@description('The resource IDs of the deployed subnets.')
-output subnetResourceIds array = [for subnet in subnets: az.resourceId('Microsoft.Network/virtualNetworks/subnets', name, subnet.name)]
-
-@description('The location the resource was deployed into.')
-output location string = virtualNetwork.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional.
The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace.
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/network/virtual-network/main.json b/modules/network/virtual-network/main.json
deleted file mode 100644
index 532eb7a1ed..0000000000
--- a/modules/network/virtual-network/main.json
+++ /dev/null
@@ -1,1198 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13961908066049055170" - }, - "name": "Virtual Networks", - "description": "This module deploys a Virtual Network (vNet).", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. 
Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The Virtual Network (vNet) Name." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "addressPrefixes": { - "type": "array", - "metadata": { - "description": "Required. An Array of 1 or more IP Address Prefixes for the Virtual Network." - } - }, - "subnets": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An Array of subnets to deploy to the Virtual Network." - } - }, - "dnsServers": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. DNS Servers associated to the Virtual Network." - } - }, - "ddosProtectionPlanId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the DDoS protection plan to assign the VNET to. If it's left blank, DDoS protection will not be configured. If it's provided, the VNET created by this template will be attached to the referenced DDoS protection plan. The DDoS protection plan can exist in the same or in a different subscription." - } - }, - "peerings": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Virtual Network Peerings configurations." - } - }, - "vnetEncryption": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. 
Indicates if encryption is enabled on virtual network and if VM without encryption is allowed in encrypted VNet. Requires the EnableVNetEncryption feature to be registered for the subscription and a supported region to use this property." - } - }, - "vnetEncryptionEnforcement": { - "type": "string", - "defaultValue": "AllowUnencrypted", - "allowedValues": [ - "AllowUnencrypted", - "DropUnencrypted" - ], - "metadata": { - "description": "Optional. If the encrypted VNet allows VM that does not support encryption. Can only be used when vnetEncryption is enabled." - } - }, - "flowTimeoutInMinutes": { - "type": "int", - "defaultValue": 0, - "maxValue": 30, - "metadata": { - "description": "Optional. The flow timeout in minutes for the Virtual Network, which is used to enable connection tracking for intra-VM flows. Possible values are between 4 and 30 minutes. Default value 0 will set the property to null." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "dnsServersVar": { - "dnsServers": "[array(parameters('dnsServers'))]" - }, - "ddosProtectionPlan": { - "id": "[parameters('ddosProtectionPlanId')]" - }, - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "virtualNetwork": { - "type": "Microsoft.Network/virtualNetworks", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "subnets", - "count": "[length(parameters('subnets'))]", - "input": { - "name": "[parameters('subnets')[copyIndex('subnets')].name]", - "properties": 
{ - "addressPrefix": "[parameters('subnets')[copyIndex('subnets')].addressPrefix]", - "addressPrefixes": "[if(contains(parameters('subnets')[copyIndex('subnets')], 'addressPrefixes'), parameters('subnets')[copyIndex('subnets')].addressPrefixes, createArray())]", - "applicationGatewayIPConfigurations": "[if(contains(parameters('subnets')[copyIndex('subnets')], 'applicationGatewayIPConfigurations'), parameters('subnets')[copyIndex('subnets')].applicationGatewayIPConfigurations, createArray())]", - "delegations": "[if(contains(parameters('subnets')[copyIndex('subnets')], 'delegations'), parameters('subnets')[copyIndex('subnets')].delegations, createArray())]", - "ipAllocations": "[if(contains(parameters('subnets')[copyIndex('subnets')], 'ipAllocations'), parameters('subnets')[copyIndex('subnets')].ipAllocations, createArray())]", - "natGateway": "[if(contains(parameters('subnets')[copyIndex('subnets')], 'natGatewayId'), createObject('id', parameters('subnets')[copyIndex('subnets')].natGatewayId), null())]", - "networkSecurityGroup": "[if(contains(parameters('subnets')[copyIndex('subnets')], 'networkSecurityGroupId'), createObject('id', parameters('subnets')[copyIndex('subnets')].networkSecurityGroupId), null())]", - "privateEndpointNetworkPolicies": "[if(contains(parameters('subnets')[copyIndex('subnets')], 'privateEndpointNetworkPolicies'), parameters('subnets')[copyIndex('subnets')].privateEndpointNetworkPolicies, null())]", - "privateLinkServiceNetworkPolicies": "[if(contains(parameters('subnets')[copyIndex('subnets')], 'privateLinkServiceNetworkPolicies'), parameters('subnets')[copyIndex('subnets')].privateLinkServiceNetworkPolicies, null())]", - "routeTable": "[if(contains(parameters('subnets')[copyIndex('subnets')], 'routeTableId'), createObject('id', parameters('subnets')[copyIndex('subnets')].routeTableId), null())]", - "serviceEndpoints": "[if(contains(parameters('subnets')[copyIndex('subnets')], 'serviceEndpoints'), 
parameters('subnets')[copyIndex('subnets')].serviceEndpoints, createArray())]", - "serviceEndpointPolicies": "[if(contains(parameters('subnets')[copyIndex('subnets')], 'serviceEndpointPolicies'), parameters('subnets')[copyIndex('subnets')].serviceEndpointPolicies, createArray())]" - } - } - } - ], - "addressSpace": { - "addressPrefixes": "[parameters('addressPrefixes')]" - }, - "ddosProtectionPlan": "[if(not(empty(parameters('ddosProtectionPlanId'))), variables('ddosProtectionPlan'), null())]", - "dhcpOptions": "[if(not(empty(parameters('dnsServers'))), variables('dnsServersVar'), null())]", - "enableDdosProtection": "[not(empty(parameters('ddosProtectionPlanId')))]", - "encryption": "[if(equals(parameters('vnetEncryption'), true()), createObject('enabled', parameters('vnetEncryption'), 'enforcement', parameters('vnetEncryptionEnforcement')), null())]", - "flowTimeoutInMinutes": "[if(not(equals(parameters('flowTimeoutInMinutes'), 0)), parameters('flowTimeoutInMinutes'), null())]" - } - }, - "virtualNetwork_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "virtualNetwork" - ] - }, - "virtualNetwork_diagnosticSettings": { - "copy": { - "name": "virtualNetwork_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": 
"2021-05-01-preview", - "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "virtualNetwork" - ] - }, - "virtualNetwork_roleAssignments": { - "copy": { - "name": "virtualNetwork_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/virtualNetworks', 
parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "virtualNetwork" - ] - }, - "virtualNetwork_subnets": { - "copy": { - "name": "virtualNetwork_subnets", - "count": "[length(parameters('subnets'))]" - }, - "type": "Microsoft.Resources/deployments", - 
"apiVersion": "2022-09-01", - "name": "[format('{0}-subnet-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "virtualNetworkName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('subnets')[copyIndex()].name]" - }, - "addressPrefix": { - "value": "[parameters('subnets')[copyIndex()].addressPrefix]" - }, - "addressPrefixes": "[if(contains(parameters('subnets')[copyIndex()], 'addressPrefixes'), createObject('value', parameters('subnets')[copyIndex()].addressPrefixes), createObject('value', createArray()))]", - "applicationGatewayIPConfigurations": "[if(contains(parameters('subnets')[copyIndex()], 'applicationGatewayIPConfigurations'), createObject('value', parameters('subnets')[copyIndex()].applicationGatewayIPConfigurations), createObject('value', createArray()))]", - "delegations": "[if(contains(parameters('subnets')[copyIndex()], 'delegations'), createObject('value', parameters('subnets')[copyIndex()].delegations), createObject('value', createArray()))]", - "ipAllocations": "[if(contains(parameters('subnets')[copyIndex()], 'ipAllocations'), createObject('value', parameters('subnets')[copyIndex()].ipAllocations), createObject('value', createArray()))]", - "natGatewayId": "[if(contains(parameters('subnets')[copyIndex()], 'natGatewayId'), createObject('value', parameters('subnets')[copyIndex()].natGatewayId), createObject('value', ''))]", - "networkSecurityGroupId": "[if(contains(parameters('subnets')[copyIndex()], 'networkSecurityGroupId'), createObject('value', parameters('subnets')[copyIndex()].networkSecurityGroupId), createObject('value', ''))]", - "privateEndpointNetworkPolicies": "[if(contains(parameters('subnets')[copyIndex()], 'privateEndpointNetworkPolicies'), createObject('value', parameters('subnets')[copyIndex()].privateEndpointNetworkPolicies), createObject('value', ''))]", - 
"privateLinkServiceNetworkPolicies": "[if(contains(parameters('subnets')[copyIndex()], 'privateLinkServiceNetworkPolicies'), createObject('value', parameters('subnets')[copyIndex()].privateLinkServiceNetworkPolicies), createObject('value', ''))]", - "roleAssignments": "[if(contains(parameters('subnets')[copyIndex()], 'roleAssignments'), createObject('value', parameters('subnets')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "routeTableId": "[if(contains(parameters('subnets')[copyIndex()], 'routeTableId'), createObject('value', parameters('subnets')[copyIndex()].routeTableId), createObject('value', ''))]", - "serviceEndpointPolicies": "[if(contains(parameters('subnets')[copyIndex()], 'serviceEndpointPolicies'), createObject('value', parameters('subnets')[copyIndex()].serviceEndpointPolicies), createObject('value', createArray()))]", - "serviceEndpoints": "[if(contains(parameters('subnets')[copyIndex()], 'serviceEndpoints'), createObject('value', parameters('subnets')[copyIndex()].serviceEndpoints), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17336277691652716048" - }, - "name": "Virtual Network Subnets", - "description": "This module deploys a Virtual Network Subnet.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Optional. The Name of the subnet resource." - } - }, - "virtualNetworkName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent virtual network. Required if the template is used in a standalone deployment." 
- } - }, - "addressPrefix": { - "type": "string", - "metadata": { - "description": "Required. The address prefix for the subnet." - } - }, - "networkSecurityGroupId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of the network security group to assign to the subnet." - } - }, - "routeTableId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of the route table to assign to the subnet." - } - }, - "serviceEndpoints": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The service endpoints to enable on the subnet." - } - }, - "delegations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The delegations to enable on the subnet." - } - }, - "natGatewayId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of the NAT Gateway to use for the subnet." - } - }, - "privateEndpointNetworkPolicies": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "Disabled", - "Enabled", - "" - ], - "metadata": { - "description": "Optional. enable or disable apply network policies on private endpoint in the subnet." - } - }, - "privateLinkServiceNetworkPolicies": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "Disabled", - "Enabled", - "" - ], - "metadata": { - "description": "Optional. enable or disable apply network policies on private link service in the subnet." - } - }, - "addressPrefixes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of address prefixes for the subnet." - } - }, - "applicationGatewayIPConfigurations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Application gateway IP configurations of virtual network resource." 
- } - }, - "ipAllocations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of IpAllocation which reference this subnet." - } - }, - "serviceEndpointPolicies": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An array of service endpoint policies." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - 
"contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "virtualNetwork": { - "existing": true, - "type": "Microsoft.Network/virtualNetworks", - "apiVersion": "2023-04-01", - "name": "[parameters('virtualNetworkName')]" - }, - "subnet": { - "type": "Microsoft.Network/virtualNetworks/subnets", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('virtualNetworkName'), parameters('name'))]", - "properties": { - "addressPrefix": "[parameters('addressPrefix')]", - "networkSecurityGroup": "[if(not(empty(parameters('networkSecurityGroupId'))), createObject('id', parameters('networkSecurityGroupId')), null())]", - "routeTable": "[if(not(empty(parameters('routeTableId'))), createObject('id', parameters('routeTableId')), null())]", - "natGateway": "[if(not(empty(parameters('natGatewayId'))), createObject('id', parameters('natGatewayId')), null())]", - "serviceEndpoints": "[parameters('serviceEndpoints')]", - "delegations": "[parameters('delegations')]", - "privateEndpointNetworkPolicies": "[if(not(empty(parameters('privateEndpointNetworkPolicies'))), parameters('privateEndpointNetworkPolicies'), null())]", - "privateLinkServiceNetworkPolicies": "[if(not(empty(parameters('privateLinkServiceNetworkPolicies'))), parameters('privateLinkServiceNetworkPolicies'), null())]", - "addressPrefixes": "[parameters('addressPrefixes')]", - "applicationGatewayIPConfigurations": "[parameters('applicationGatewayIPConfigurations')]", - "ipAllocations": "[parameters('ipAllocations')]", - "serviceEndpointPolicies": "[parameters('serviceEndpointPolicies')]" - }, - "dependsOn": [ - "virtualNetwork" - ] - }, - "subnet_roleAssignments": { - "copy": { - "name": "subnet_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/virtualNetworks/{0}/subnets/{1}', parameters('virtualNetworkName'), 
parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "subnet" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": 
"string", - "metadata": { - "description": "The resource group the virtual network peering was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the virtual network peering." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the virtual network peering." - }, - "value": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('name'))]" - }, - "subnetAddressPrefix": { - "type": "string", - "metadata": { - "description": "The address prefix for the subnet." - }, - "value": "[reference('subnet').addressPrefix]" - }, - "subnetAddressPrefixes": { - "type": "array", - "metadata": { - "description": "List of address prefixes for the subnet." - }, - "value": "[if(not(empty(parameters('addressPrefixes'))), reference('subnet').addressPrefixes, createArray())]" - } - } - } - }, - "dependsOn": [ - "virtualNetwork" - ] - }, - "virtualNetwork_peering_local": { - "copy": { - "name": "virtualNetwork_peering_local", - "count": "[length(parameters('peerings'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-virtualNetworkPeering-local-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "localVnetName": { - "value": "[parameters('name')]" - }, - "remoteVirtualNetworkId": { - "value": "[parameters('peerings')[copyIndex()].remoteVirtualNetworkId]" - }, - "name": "[if(contains(parameters('peerings')[copyIndex()], 'name'), createObject('value', parameters('peerings')[copyIndex()].name), createObject('value', format('{0}-{1}', parameters('name'), last(split(parameters('peerings')[copyIndex()].remoteVirtualNetworkId, '/')))))]", - "allowForwardedTraffic": 
"[if(contains(parameters('peerings')[copyIndex()], 'allowForwardedTraffic'), createObject('value', parameters('peerings')[copyIndex()].allowForwardedTraffic), createObject('value', true()))]", - "allowGatewayTransit": "[if(contains(parameters('peerings')[copyIndex()], 'allowGatewayTransit'), createObject('value', parameters('peerings')[copyIndex()].allowGatewayTransit), createObject('value', false()))]", - "allowVirtualNetworkAccess": "[if(contains(parameters('peerings')[copyIndex()], 'allowVirtualNetworkAccess'), createObject('value', parameters('peerings')[copyIndex()].allowVirtualNetworkAccess), createObject('value', true()))]", - "doNotVerifyRemoteGateways": "[if(contains(parameters('peerings')[copyIndex()], 'doNotVerifyRemoteGateways'), createObject('value', parameters('peerings')[copyIndex()].doNotVerifyRemoteGateways), createObject('value', true()))]", - "useRemoteGateways": "[if(contains(parameters('peerings')[copyIndex()], 'useRemoteGateways'), createObject('value', parameters('peerings')[copyIndex()].useRemoteGateways), createObject('value', false()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17147360311358108540" - }, - "name": "Virtual Network Peerings", - "description": "This module deploys a Virtual Network Peering.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "defaultValue": "[format('{0}-{1}', parameters('localVnetName'), last(split(parameters('remoteVirtualNetworkId'), '/')))]", - "metadata": { - "description": "Optional. The Name of Vnet Peering resource. If not provided, default value will be localVnetName-remoteVnetName." 
- } - }, - "localVnetName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Virtual Network to add the peering to. Required if the template is used in a standalone deployment." - } - }, - "remoteVirtualNetworkId": { - "type": "string", - "metadata": { - "description": "Required. The Resource ID of the VNet that is this Local VNet is being peered to. Should be in the format of a Resource ID." - } - }, - "allowForwardedTraffic": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Whether the forwarded traffic from the VMs in the local virtual network will be allowed/disallowed in remote virtual network. Default is true." - } - }, - "allowGatewayTransit": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. If gateway links can be used in remote virtual networking to link to this virtual network. Default is false." - } - }, - "allowVirtualNetworkAccess": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space. Default is true." - } - }, - "doNotVerifyRemoteGateways": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. If we need to verify the provisioning state of the remote gateway. Default is true." - } - }, - "useRemoteGateways": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. If remote gateways can be used on this virtual network. If the flag is set to true, and allowGatewayTransit on remote peering is also true, virtual network will use gateways of remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway. Default is false." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('localVnetName'), parameters('name'))]", - "properties": { - "allowForwardedTraffic": "[parameters('allowForwardedTraffic')]", - "allowGatewayTransit": "[parameters('allowGatewayTransit')]", - "allowVirtualNetworkAccess": "[parameters('allowVirtualNetworkAccess')]", - "doNotVerifyRemoteGateways": "[parameters('doNotVerifyRemoteGateways')]", - "useRemoteGateways": "[parameters('useRemoteGateways')]", - "remoteVirtualNetwork": { - "id": "[parameters('remoteVirtualNetworkId')]" - } - } - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the virtual network peering was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the virtual network peering." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the virtual network peering." 
- }, - "value": "[resourceId('Microsoft.Network/virtualNetworks/virtualNetworkPeerings', parameters('localVnetName'), parameters('name'))]" - } - } - } - }, - "dependsOn": [ - "virtualNetwork" - ] - }, - "virtualNetwork_peering_remote": { - "copy": { - "name": "virtualNetwork_peering_remote", - "count": "[length(parameters('peerings'))]" - }, - "condition": "[if(contains(parameters('peerings')[copyIndex()], 'remotePeeringEnabled'), equals(parameters('peerings')[copyIndex()].remotePeeringEnabled, true()), false())]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-virtualNetworkPeering-remote-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "subscriptionId": "[split(parameters('peerings')[copyIndex()].remoteVirtualNetworkId, '/')[2]]", - "resourceGroup": "[split(parameters('peerings')[copyIndex()].remoteVirtualNetworkId, '/')[4]]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "localVnetName": { - "value": "[last(split(parameters('peerings')[copyIndex()].remoteVirtualNetworkId, '/'))]" - }, - "remoteVirtualNetworkId": { - "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]" - }, - "name": "[if(contains(parameters('peerings')[copyIndex()], 'remotePeeringName'), createObject('value', parameters('peerings')[copyIndex()].remotePeeringName), createObject('value', format('{0}-{1}', last(split(parameters('peerings')[copyIndex()].remoteVirtualNetworkId, '/')), parameters('name'))))]", - "allowForwardedTraffic": "[if(contains(parameters('peerings')[copyIndex()], 'remotePeeringAllowForwardedTraffic'), createObject('value', parameters('peerings')[copyIndex()].remotePeeringAllowForwardedTraffic), createObject('value', true()))]", - "allowGatewayTransit": "[if(contains(parameters('peerings')[copyIndex()], 'remotePeeringAllowGatewayTransit'), createObject('value', 
parameters('peerings')[copyIndex()].remotePeeringAllowGatewayTransit), createObject('value', false()))]", - "allowVirtualNetworkAccess": "[if(contains(parameters('peerings')[copyIndex()], 'remotePeeringAllowVirtualNetworkAccess'), createObject('value', parameters('peerings')[copyIndex()].remotePeeringAllowVirtualNetworkAccess), createObject('value', true()))]", - "doNotVerifyRemoteGateways": "[if(contains(parameters('peerings')[copyIndex()], 'remotePeeringDoNotVerifyRemoteGateways'), createObject('value', parameters('peerings')[copyIndex()].remotePeeringDoNotVerifyRemoteGateways), createObject('value', true()))]", - "useRemoteGateways": "[if(contains(parameters('peerings')[copyIndex()], 'remotePeeringUseRemoteGateways'), createObject('value', parameters('peerings')[copyIndex()].remotePeeringUseRemoteGateways), createObject('value', false()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17147360311358108540" - }, - "name": "Virtual Network Peerings", - "description": "This module deploys a Virtual Network Peering.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "defaultValue": "[format('{0}-{1}', parameters('localVnetName'), last(split(parameters('remoteVirtualNetworkId'), '/')))]", - "metadata": { - "description": "Optional. The Name of Vnet Peering resource. If not provided, default value will be localVnetName-remoteVnetName." - } - }, - "localVnetName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Virtual Network to add the peering to. Required if the template is used in a standalone deployment." 
- } - }, - "remoteVirtualNetworkId": { - "type": "string", - "metadata": { - "description": "Required. The Resource ID of the VNet that is this Local VNet is being peered to. Should be in the format of a Resource ID." - } - }, - "allowForwardedTraffic": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Whether the forwarded traffic from the VMs in the local virtual network will be allowed/disallowed in remote virtual network. Default is true." - } - }, - "allowGatewayTransit": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. If gateway links can be used in remote virtual networking to link to this virtual network. Default is false." - } - }, - "allowVirtualNetworkAccess": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space. Default is true." - } - }, - "doNotVerifyRemoteGateways": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. If we need to verify the provisioning state of the remote gateway. Default is true." - } - }, - "useRemoteGateways": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. If remote gateways can be used on this virtual network. If the flag is set to true, and allowGatewayTransit on remote peering is also true, virtual network will use gateways of remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway. Default is false." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('localVnetName'), parameters('name'))]", - "properties": { - "allowForwardedTraffic": "[parameters('allowForwardedTraffic')]", - "allowGatewayTransit": "[parameters('allowGatewayTransit')]", - "allowVirtualNetworkAccess": "[parameters('allowVirtualNetworkAccess')]", - "doNotVerifyRemoteGateways": "[parameters('doNotVerifyRemoteGateways')]", - "useRemoteGateways": "[parameters('useRemoteGateways')]", - "remoteVirtualNetwork": { - "id": "[parameters('remoteVirtualNetworkId')]" - } - } - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the virtual network peering was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the virtual network peering." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the virtual network peering." - }, - "value": "[resourceId('Microsoft.Network/virtualNetworks/virtualNetworkPeerings', parameters('localVnetName'), parameters('name'))]" - } - } - } - }, - "dependsOn": [ - "virtualNetwork" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the virtual network was deployed into." 
- }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the virtual network." - }, - "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the virtual network." - }, - "value": "[parameters('name')]" - }, - "subnetNames": { - "type": "array", - "metadata": { - "description": "The names of the deployed subnets." - }, - "copy": { - "count": "[length(parameters('subnets'))]", - "input": "[parameters('subnets')[copyIndex()].name]" - } - }, - "subnetResourceIds": { - "type": "array", - "metadata": { - "description": "The resource IDs of the deployed subnets." - }, - "copy": { - "count": "[length(parameters('subnets'))]", - "input": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('name'), parameters('subnets')[copyIndex()].name)]" - } - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('virtualNetwork', '2023-04-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/virtual-network/subnet/README.md b/modules/network/virtual-network/subnet/README.md deleted file mode 100644 index dc3d90591a..0000000000 --- a/modules/network/virtual-network/subnet/README.md +++ /dev/null 
@@ -1,292 +0,0 @@
-# Virtual Network Subnets `[Microsoft.Network/virtualNetworks/subnets]`
-
-This module deploys a Virtual Network Subnet.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-- [Notes](#Notes)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
-| `Microsoft.Network/virtualNetworks/subnets` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/virtualNetworks/subnets) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`addressPrefix`](#parameter-addressprefix) | string | The address prefix for the subnet. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`virtualNetworkName`](#parameter-virtualnetworkname) | string | The name of the parent virtual network. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`addressPrefixes`](#parameter-addressprefixes) | array | List of address prefixes for the subnet. |
-| [`applicationGatewayIPConfigurations`](#parameter-applicationgatewayipconfigurations) | array | Application gateway IP configurations of virtual network resource. |
-| [`delegations`](#parameter-delegations) | array | The delegations to enable on the subnet. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`ipAllocations`](#parameter-ipallocations) | array | Array of IpAllocation which reference this subnet. |
-| [`name`](#parameter-name) | string | The Name of the subnet resource. |
-| [`natGatewayId`](#parameter-natgatewayid) | string | The resource ID of the NAT Gateway to use for the subnet. |
-| [`networkSecurityGroupId`](#parameter-networksecuritygroupid) | string | The resource ID of the network security group to assign to the subnet. |
-| [`privateEndpointNetworkPolicies`](#parameter-privateendpointnetworkpolicies) | string | enable or disable apply network policies on private endpoint in the subnet. |
-| [`privateLinkServiceNetworkPolicies`](#parameter-privatelinkservicenetworkpolicies) | string | enable or disable apply network policies on private link service in the subnet. |
-| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
-| [`routeTableId`](#parameter-routetableid) | string | The resource ID of the route table to assign to the subnet. |
-| [`serviceEndpointPolicies`](#parameter-serviceendpointpolicies) | array | An array of service endpoint policies. |
-| [`serviceEndpoints`](#parameter-serviceendpoints) | array | The service endpoints to enable on the subnet. |
-
-### Parameter: `addressPrefix`
-
-The address prefix for the subnet.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `virtualNetworkName`
-
-The name of the parent virtual network. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `addressPrefixes`
-
-List of address prefixes for the subnet.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `applicationGatewayIPConfigurations`
-
-Application gateway IP configurations of virtual network resource.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `delegations`
-
-The delegations to enable on the subnet.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `ipAllocations`
-
-Array of IpAllocation which reference this subnet.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `name`
-
-The Name of the subnet resource.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `natGatewayId`
-
-The resource ID of the NAT Gateway to use for the subnet.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `networkSecurityGroupId`
-
-The resource ID of the network security group to assign to the subnet.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `privateEndpointNetworkPolicies`
-
-enable or disable apply network policies on private endpoint in the subnet.
-
-- Required: No
-- Type: string
-- Default: `''`
-- Allowed:
- ```Bicep
- [
- ''
- 'Disabled'
- 'Enabled'
- ]
- ```
-
-### Parameter: `privateLinkServiceNetworkPolicies`
-
-enable or disable apply network policies on private link service in the subnet.
-
-- Required: No
-- Type: string
-- Default: `''`
-- Allowed:
- ```Bicep
- [
- ''
- 'Disabled'
- 'Enabled'
- ]
- ```
-
-### Parameter: `roleAssignments`
-
-Array of role assignments to create.
-
-- Required: No
-- Type: array
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
-| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. |
-| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. |
-| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. |
-| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. |
-
-### Parameter: `roleAssignments.principalId`
-
-The principal ID of the principal (user/group/identity) to assign the role to.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.roleDefinitionIdOrName`
-
-The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.condition`
-
-The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.conditionVersion`
-
-Version of the condition.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- '2.0'
- ]
- ```
-
-### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
-
-The Resource Id of the delegated managed identity resource.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.description`
-
-The description of the role assignment.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.principalType`
-
-The principal type of the assigned principal ID.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Device'
- 'ForeignGroup'
- 'Group'
- 'ServicePrincipal'
- 'User'
- ]
- ```
-
-### Parameter: `routeTableId`
-
-The resource ID of the route table to assign to the subnet.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `serviceEndpointPolicies`
-
-An array of service endpoint policies.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `serviceEndpoints`
-
-The service endpoints to enable on the subnet.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the virtual network peering. |
-| `resourceGroupName` | string | The resource group the virtual network peering was deployed into. |
-| `resourceId` | string | The resource ID of the virtual network peering. |
-| `subnetAddressPrefix` | string | The address prefix for the subnet. |
-| `subnetAddressPrefixes` | array | List of address prefixes for the subnet. |
-
-## Cross-referenced modules
-
-_None_
-
-## Notes
-
-The `privateEndpointNetworkPolicies` property must be set to disabled for subnets that contain private endpoints. It confirms that NSGs rules will not apply to private endpoints (currently not supported, [reference](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview#limitations)). Default Value when not specified is "Enabled".
diff --git a/modules/network/virtual-network/subnet/main.bicep b/modules/network/virtual-network/subnet/main.bicep
deleted file mode 100644
index 3e8d129499..0000000000
--- a/modules/network/virtual-network/subnet/main.bicep
+++ /dev/null
@@ -1,166 +0,0 @@
-metadata name = 'Virtual Network Subnets'
-metadata description = 'This module deploys a Virtual Network Subnet.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Optional. The Name of the subnet resource.')
-param name string
-
-@description('Conditional. The name of the parent virtual network. Required if the template is used in a standalone deployment.')
-param virtualNetworkName string
-
-@description('Required. The address prefix for the subnet.')
-param addressPrefix string
-
-@description('Optional. The resource ID of the network security group to assign to the subnet.')
-param networkSecurityGroupId string = ''
-
-@description('Optional. The resource ID of the route table to assign to the subnet.')
-param routeTableId string = ''
-
-@description('Optional. The service endpoints to enable on the subnet.')
-param serviceEndpoints array = []
-
-@description('Optional. The delegations to enable on the subnet.')
-param delegations array = []
-
-@description('Optional. The resource ID of the NAT Gateway to use for the subnet.')
-param natGatewayId string = ''
-
-@description('Optional. enable or disable apply network policies on private endpoint in the subnet.')
-@allowed([
- 'Disabled'
- 'Enabled'
- ''
-])
-param privateEndpointNetworkPolicies string = ''
-
-@description('Optional. enable or disable apply network policies on private link service in the subnet.')
-@allowed([
- 'Disabled'
- 'Enabled'
- ''
-])
-param privateLinkServiceNetworkPolicies string = ''
-
-@description('Optional. List of address prefixes for the subnet.')
-param addressPrefixes array = []
-
-@description('Optional. Application gateway IP configurations of virtual network resource.')
-param applicationGatewayIPConfigurations array = []
-
-@description('Optional. Array of IpAllocation which reference this subnet.')
-param ipAllocations array = []
-
-@description('Optional. An array of service endpoint policies.')
-param serviceEndpointPolicies array = []
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
- name: virtualNetworkName
-}
-
-resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' = {
- name: name
- parent: virtualNetwork
- properties: {
- addressPrefix: addressPrefix
- networkSecurityGroup: !empty(networkSecurityGroupId) ? {
- id: networkSecurityGroupId
- } : null
- routeTable: !empty(routeTableId) ? {
- id: routeTableId
- } : null
- natGateway: !empty(natGatewayId) ? {
- id: natGatewayId
- } : null
- serviceEndpoints: serviceEndpoints
- delegations: delegations
- privateEndpointNetworkPolicies: !empty(privateEndpointNetworkPolicies) ? any(privateEndpointNetworkPolicies) : null
- privateLinkServiceNetworkPolicies: !empty(privateLinkServiceNetworkPolicies) ? any(privateLinkServiceNetworkPolicies) : null
- addressPrefixes: addressPrefixes
- applicationGatewayIPConfigurations: applicationGatewayIPConfigurations
- ipAllocations: ipAllocations
- serviceEndpointPolicies: serviceEndpointPolicies
- }
-}
-
-resource subnet_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(subnet.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: subnet
-}]
-
-@description('The resource group the virtual network peering was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the virtual network peering.')
-output name string = subnet.name
-
-@description('The resource ID of the virtual network peering.')
-output resourceId string = subnet.id
-
-@description('The address prefix for the subnet.')
-output subnetAddressPrefix string = subnet.properties.addressPrefix
-
-@description('List of address prefixes for the subnet.')
-output subnetAddressPrefixes array = !empty(addressPrefixes) ? subnet.properties.addressPrefixes : []
-// =============== //
-// Definitions //
-// =============== //
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/network/virtual-network/subnet/main.json b/modules/network/virtual-network/subnet/main.json
deleted file mode 100644
index dd6acc468b..0000000000
--- a/modules/network/virtual-network/subnet/main.json
+++ /dev/null
@@ -1,316 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17336277691652716048" - }, - "name": "Virtual Network Subnets", - "description": "This module deploys a Virtual Network Subnet.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. 
Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Optional. The Name of the subnet resource." - } - }, - "virtualNetworkName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent virtual network. Required if the template is used in a standalone deployment." - } - }, - "addressPrefix": { - "type": "string", - "metadata": { - "description": "Required. The address prefix for the subnet." - } - }, - "networkSecurityGroupId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of the network security group to assign to the subnet." - } - }, - "routeTableId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of the route table to assign to the subnet." - } - }, - "serviceEndpoints": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The service endpoints to enable on the subnet." - } - }, - "delegations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The delegations to enable on the subnet." - } - }, - "natGatewayId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of the NAT Gateway to use for the subnet." - } - }, - "privateEndpointNetworkPolicies": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "Disabled", - "Enabled", - "" - ], - "metadata": { - "description": "Optional. enable or disable apply network policies on private endpoint in the subnet." 
- } - }, - "privateLinkServiceNetworkPolicies": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "Disabled", - "Enabled", - "" - ], - "metadata": { - "description": "Optional. enable or disable apply network policies on private link service in the subnet." - } - }, - "addressPrefixes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of address prefixes for the subnet." - } - }, - "applicationGatewayIPConfigurations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Application gateway IP configurations of virtual network resource." - } - }, - "ipAllocations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of IpAllocation which reference this subnet." - } - }, - "serviceEndpointPolicies": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An array of service endpoint policies." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "virtualNetwork": { - "existing": true, - "type": "Microsoft.Network/virtualNetworks", - "apiVersion": "2023-04-01", - "name": "[parameters('virtualNetworkName')]" - }, - "subnet": { - "type": "Microsoft.Network/virtualNetworks/subnets", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('virtualNetworkName'), parameters('name'))]", - "properties": { - "addressPrefix": "[parameters('addressPrefix')]", - "networkSecurityGroup": "[if(not(empty(parameters('networkSecurityGroupId'))), createObject('id', parameters('networkSecurityGroupId')), null())]", - "routeTable": 
"[if(not(empty(parameters('routeTableId'))), createObject('id', parameters('routeTableId')), null())]", - "natGateway": "[if(not(empty(parameters('natGatewayId'))), createObject('id', parameters('natGatewayId')), null())]", - "serviceEndpoints": "[parameters('serviceEndpoints')]", - "delegations": "[parameters('delegations')]", - "privateEndpointNetworkPolicies": "[if(not(empty(parameters('privateEndpointNetworkPolicies'))), parameters('privateEndpointNetworkPolicies'), null())]", - "privateLinkServiceNetworkPolicies": "[if(not(empty(parameters('privateLinkServiceNetworkPolicies'))), parameters('privateLinkServiceNetworkPolicies'), null())]", - "addressPrefixes": "[parameters('addressPrefixes')]", - "applicationGatewayIPConfigurations": "[parameters('applicationGatewayIPConfigurations')]", - "ipAllocations": "[parameters('ipAllocations')]", - "serviceEndpointPolicies": "[parameters('serviceEndpointPolicies')]" - }, - "dependsOn": [ - "virtualNetwork" - ] - }, - "subnet_roleAssignments": { - "copy": { - "name": "subnet_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/virtualNetworks/{0}/subnets/{1}', parameters('virtualNetworkName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], 
if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "subnet" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the virtual network peering was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the virtual network peering." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the virtual network peering." 
- }, - "value": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('name'))]" - }, - "subnetAddressPrefix": { - "type": "string", - "metadata": { - "description": "The address prefix for the subnet." - }, - "value": "[reference('subnet').addressPrefix]" - }, - "subnetAddressPrefixes": { - "type": "array", - "metadata": { - "description": "List of address prefixes for the subnet." - }, - "value": "[if(not(empty(parameters('addressPrefixes'))), reference('subnet').addressPrefixes, createArray())]" - } - } -} \ No newline at end of file diff --git a/modules/network/virtual-network/subnet/version.json b/modules/network/virtual-network/subnet/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/network/virtual-network/subnet/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/virtual-network/tests/e2e/defaults/main.test.bicep b/modules/network/virtual-network/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 80ad958cf8..0000000000 --- a/modules/network/virtual-network/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,51 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.virtualnetworks-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nvnmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- addressPrefixes: [
- '10.0.0.0/16'
- ]
- }
-}
diff --git a/modules/network/virtual-network/tests/e2e/max/dependencies.bicep b/modules/network/virtual-network/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 065c08da1e..0000000000
--- a/modules/network/virtual-network/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,35 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Route Table to create.')
-param routeTableName string
-
-@description('Required. The name of the Network Security Group to create.')
-param networkSecurityGroupName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource routeTable 'Microsoft.Network/routeTables@2023-04-01' = {
- name: routeTableName
- location: location
-}
-
-resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
- name: networkSecurityGroupName
- location: location
-}
-
-@description('The resource ID of the created Route Table.')
-output routeTableResourceId string = routeTable.id
-
-@description('The resource ID of the created Network Security Group.')
-output networkSecurityGroupResourceId string = networkSecurityGroup.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/virtual-network/tests/e2e/max/main.test.bicep b/modules/network/virtual-network/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 7181d9a40f..0000000000
--- a/modules/network/virtual-network/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,166 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.virtualnetworks-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nvnmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- routeTableName: 'dep-${namePrefix}-rt-${serviceShort}'
- networkSecurityGroupName: 'dep-${namePrefix}-nsg-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-var addressPrefix = '10.0.0.0/16'
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- addressPrefixes: [
- addressPrefix
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- dnsServers: [
- '10.0.1.4'
- '10.0.1.5'
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- flowTimeoutInMinutes: 20
- subnets: [
- {
- addressPrefix: cidrSubnet(addressPrefix, 24, 0)
- name: 'GatewaySubnet'
- }
- {
- addressPrefix: cidrSubnet(addressPrefix, 24, 1)
- name: '${namePrefix}-az-subnet-x-001'
- networkSecurityGroupId: nestedDependencies.outputs.networkSecurityGroupResourceId
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- routeTableId: nestedDependencies.outputs.routeTableResourceId
- serviceEndpoints: [
- {
- service: 'Microsoft.Storage'
- }
- {
- service: 'Microsoft.Sql'
- }
- ]
- }
- {
- addressPrefix: cidrSubnet(addressPrefix, 24, 2)
- delegations: [
- {
- name: 'netappDel'
- properties: {
- serviceName: 'Microsoft.Netapp/volumes'
- }
- }
- ]
- name: '${namePrefix}-az-subnet-x-002'
- }
- {
- addressPrefix: cidrSubnet(addressPrefix, 24, 3)
- name: '${namePrefix}-az-subnet-x-003'
- privateEndpointNetworkPolicies: 'Disabled'
- privateLinkServiceNetworkPolicies: 'Enabled'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
diff --git a/modules/network/virtual-network/tests/e2e/vnetPeering/dependencies.bicep b/modules/network/virtual-network/tests/e2e/vnetPeering/dependencies.bicep
deleted file mode 100644
index b600e9ea7e..0000000000
--- a/modules/network/virtual-network/tests/e2e/vnetPeering/dependencies.bicep
+++ /dev/null
@@ -1,30 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-@description('The resource ID of the created Virtual Network.')
-output virtualNetworkResourceId string = virtualNetwork.id
diff --git a/modules/network/virtual-network/tests/e2e/vnetPeering/main.test.bicep b/modules/network/virtual-network/tests/e2e/vnetPeering/main.test.bicep
deleted file mode 100644
index ba786f42f1..0000000000
--- a/modules/network/virtual-network/tests/e2e/vnetPeering/main.test.bicep
+++ /dev/null
@@ -1,80 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.virtualnetworks-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nvnpeer'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- addressPrefixes: [
- '10.1.0.0/24'
- ]
- subnets: [
- {
- addressPrefix: '10.1.0.0/26'
- name: 'GatewaySubnet'
- }
- ]
- peerings: [
- {
- allowForwardedTraffic: true
- allowGatewayTransit: false
- allowVirtualNetworkAccess: true
- remotePeeringAllowForwardedTraffic: true
- remotePeeringAllowVirtualNetworkAccess: true
- remotePeeringEnabled: true
- remotePeeringName: 'customName'
- remoteVirtualNetworkId: nestedDependencies.outputs.virtualNetworkResourceId
- useRemoteGateways: false
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
diff --git a/modules/network/virtual-network/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/virtual-network/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 065c08da1e..0000000000
--- a/modules/network/virtual-network/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,35 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Route Table to create.')
-param routeTableName string
-
-@description('Required. The name of the Network Security Group to create.')
-param networkSecurityGroupName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource routeTable 'Microsoft.Network/routeTables@2023-04-01' = {
- name: routeTableName
- location: location
-}
-
-resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
- name: networkSecurityGroupName
- location: location
-}
-
-@description('The resource ID of the created Route Table.')
-output routeTableResourceId string = routeTable.id
-
-@description('The resource ID of the created Network Security Group.')
-output networkSecurityGroupResourceId string = networkSecurityGroup.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/virtual-network/tests/e2e/waf-aligned/main.test.bicep b/modules/network/virtual-network/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index c2702cfe9f..0000000000
--- a/modules/network/virtual-network/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,149 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.virtualnetworks-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nvnwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- routeTableName: 'dep-${namePrefix}-rt-${serviceShort}'
- networkSecurityGroupName: 'dep-${namePrefix}-nsg-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-var addressPrefix = '10.0.0.0/16'
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- addressPrefixes: [
- addressPrefix
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- dnsServers: [
- '10.0.1.4'
- '10.0.1.5'
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- flowTimeoutInMinutes: 20
- subnets: [
- {
- addressPrefix: cidrSubnet(addressPrefix, 24, 0)
- name: 'GatewaySubnet'
- }
- {
- addressPrefix: cidrSubnet(addressPrefix, 24, 1)
- name: '${namePrefix}-az-subnet-x-001'
- networkSecurityGroupId: nestedDependencies.outputs.networkSecurityGroupResourceId
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- routeTableId: nestedDependencies.outputs.routeTableResourceId
- serviceEndpoints: [
- {
- service: 'Microsoft.Storage'
- }
- {
- service: 'Microsoft.Sql'
- }
- ]
- }
- {
- addressPrefix: cidrSubnet(addressPrefix, 24, 2)
- delegations: [
- {
- name: 'netappDel'
- properties: {
- serviceName: 'Microsoft.Netapp/volumes'
- }
- }
- ]
- name: '${namePrefix}-az-subnet-x-002'
- }
- {
- addressPrefix: cidrSubnet(addressPrefix, 24, 3)
- name: '${namePrefix}-az-subnet-x-003'
- privateEndpointNetworkPolicies: 'Disabled'
- privateLinkServiceNetworkPolicies: 'Enabled'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
diff --git a/modules/network/virtual-network/version.json b/modules/network/virtual-network/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/network/virtual-network/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/virtual-network/virtual-network-peering/README.md b/modules/network/virtual-network/virtual-network-peering/README.md
deleted file mode 100644
index 6b9779648d..0000000000
--- a/modules/network/virtual-network/virtual-network-peering/README.md
+++ /dev/null
@@ -1,125 +0,0 @@ -# Virtual Network Peerings `[Microsoft.Network/virtualNetworks/virtualNetworkPeerings]` - -This module deploys a Virtual Network Peering. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Network/virtualNetworks/virtualNetworkPeerings` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/virtualNetworks/virtualNetworkPeerings) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`remoteVirtualNetworkId`](#parameter-remotevirtualnetworkid) | string | The Resource ID of the VNet that is this Local VNet is being peered to. Should be in the format of a Resource ID. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`localVnetName`](#parameter-localvnetname) | string | The name of the parent Virtual Network to add the peering to. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`allowForwardedTraffic`](#parameter-allowforwardedtraffic) | bool | Whether the forwarded traffic from the VMs in the local virtual network will be allowed/disallowed in remote virtual network. Default is true. | -| [`allowGatewayTransit`](#parameter-allowgatewaytransit) | bool | If gateway links can be used in remote virtual networking to link to this virtual network. Default is false. | -| [`allowVirtualNetworkAccess`](#parameter-allowvirtualnetworkaccess) | bool | Whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space. Default is true. 
| -| [`doNotVerifyRemoteGateways`](#parameter-donotverifyremotegateways) | bool | If we need to verify the provisioning state of the remote gateway. Default is true. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`name`](#parameter-name) | string | The Name of Vnet Peering resource. If not provided, default value will be localVnetName-remoteVnetName. | -| [`useRemoteGateways`](#parameter-useremotegateways) | bool | If remote gateways can be used on this virtual network. If the flag is set to true, and allowGatewayTransit on remote peering is also true, virtual network will use gateways of remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway. Default is false. | - -### Parameter: `remoteVirtualNetworkId` - -The Resource ID of the VNet that is this Local VNet is being peered to. Should be in the format of a Resource ID. - -- Required: Yes -- Type: string - -### Parameter: `localVnetName` - -The name of the parent Virtual Network to add the peering to. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `allowForwardedTraffic` - -Whether the forwarded traffic from the VMs in the local virtual network will be allowed/disallowed in remote virtual network. Default is true. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `allowGatewayTransit` - -If gateway links can be used in remote virtual networking to link to this virtual network. Default is false. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `allowVirtualNetworkAccess` - -Whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space. Default is true. 
- -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `doNotVerifyRemoteGateways` - -If we need to verify the provisioning state of the remote gateway. Default is true. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `name` - -The Name of Vnet Peering resource. If not provided, default value will be localVnetName-remoteVnetName. - -- Required: No -- Type: string -- Default: `[format('{0}-{1}', parameters('localVnetName'), last(split(parameters('remoteVirtualNetworkId'), '/')))]` - -### Parameter: `useRemoteGateways` - -If remote gateways can be used on this virtual network. If the flag is set to true, and allowGatewayTransit on remote peering is also true, virtual network will use gateways of remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway. Default is false. - -- Required: No -- Type: bool -- Default: `False` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the virtual network peering. | -| `resourceGroupName` | string | The resource group the virtual network peering was deployed into. | -| `resourceId` | string | The resource ID of the virtual network peering. | - -## Cross-referenced modules - -_None_ diff --git a/modules/network/virtual-network/virtual-network-peering/main.bicep b/modules/network/virtual-network/virtual-network-peering/main.bicep deleted file mode 100644 index 861b4727d3..0000000000 --- a/modules/network/virtual-network/virtual-network-peering/main.bicep +++ /dev/null 
@@ -1,70 +0,0 @@
-metadata name = 'Virtual Network Peerings'
-metadata description = 'This module deploys a Virtual Network Peering.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Optional. The Name of Vnet Peering resource. If not provided, default value will be localVnetName-remoteVnetName.')
-param name string = '${localVnetName}-${last(split(remoteVirtualNetworkId, '/'))}'
-
-@description('Conditional. The name of the parent Virtual Network to add the peering to. Required if the template is used in a standalone deployment.')
-param localVnetName string
-
-@description('Required. The Resource ID of the VNet that is this Local VNet is being peered to. Should be in the format of a Resource ID.')
-param remoteVirtualNetworkId string
-
-@description('Optional. Whether the forwarded traffic from the VMs in the local virtual network will be allowed/disallowed in remote virtual network. Default is true.')
-param allowForwardedTraffic bool = true
-
-@description('Optional. If gateway links can be used in remote virtual networking to link to this virtual network. Default is false.')
-param allowGatewayTransit bool = false
-
-@description('Optional. Whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space. Default is true.')
-param allowVirtualNetworkAccess bool = true
-
-@description('Optional. If we need to verify the provisioning state of the remote gateway. Default is true.')
-param doNotVerifyRemoteGateways bool = true
-
-@description('Optional. If remote gateways can be used on this virtual network. If the flag is set to true, and allowGatewayTransit on remote peering is also true, virtual network will use gateways of remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway. Default is false.')
-param useRemoteGateways bool = false
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
- name: localVnetName
-}
-
-resource virtualNetworkPeering 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-04-01' = {
- name: name
- parent: virtualNetwork
- properties: {
- allowForwardedTraffic: allowForwardedTraffic
- allowGatewayTransit: allowGatewayTransit
- allowVirtualNetworkAccess: allowVirtualNetworkAccess
- doNotVerifyRemoteGateways: doNotVerifyRemoteGateways
- useRemoteGateways: useRemoteGateways
- remoteVirtualNetwork: {
- id: remoteVirtualNetworkId
- }
- }
-}
-
-@description('The resource group the virtual network peering was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the virtual network peering.')
-output name string = virtualNetworkPeering.name
-
-@description('The resource ID of the virtual network peering.')
-output resourceId string = virtualNetworkPeering.id
diff --git a/modules/network/virtual-network/virtual-network-peering/main.json b/modules/network/virtual-network/virtual-network-peering/main.json
deleted file mode 100644
index 3308100208..0000000000
--- a/modules/network/virtual-network/virtual-network-peering/main.json
+++ /dev/null
@@ -1,131 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17147360311358108540" - }, - "name": "Virtual Network Peerings", - "description": "This module deploys a Virtual Network Peering.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "defaultValue": "[format('{0}-{1}', parameters('localVnetName'), last(split(parameters('remoteVirtualNetworkId'), '/')))]", - "metadata": { - "description": "Optional. The Name of Vnet Peering resource. If not provided, default value will be localVnetName-remoteVnetName." - } - }, - "localVnetName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Virtual Network to add the peering to. Required if the template is used in a standalone deployment." - } - }, - "remoteVirtualNetworkId": { - "type": "string", - "metadata": { - "description": "Required. The Resource ID of the VNet that is this Local VNet is being peered to. Should be in the format of a Resource ID." - } - }, - "allowForwardedTraffic": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Whether the forwarded traffic from the VMs in the local virtual network will be allowed/disallowed in remote virtual network. Default is true." - } - }, - "allowGatewayTransit": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. If gateway links can be used in remote virtual networking to link to this virtual network. Default is false." - } - }, - "allowVirtualNetworkAccess": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space. Default is true." 
- } - }, - "doNotVerifyRemoteGateways": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. If we need to verify the provisioning state of the remote gateway. Default is true." - } - }, - "useRemoteGateways": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. If remote gateways can be used on this virtual network. If the flag is set to true, and allowGatewayTransit on remote peering is also true, virtual network will use gateways of remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway. Default is false." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('localVnetName'), parameters('name'))]", - "properties": { - "allowForwardedTraffic": "[parameters('allowForwardedTraffic')]", - "allowGatewayTransit": "[parameters('allowGatewayTransit')]", - "allowVirtualNetworkAccess": "[parameters('allowVirtualNetworkAccess')]", - "doNotVerifyRemoteGateways": "[parameters('doNotVerifyRemoteGateways')]", - "useRemoteGateways": "[parameters('useRemoteGateways')]", - "remoteVirtualNetwork": { - "id": "[parameters('remoteVirtualNetworkId')]" - } - } - } - ], - 
"outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the virtual network peering was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the virtual network peering." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the virtual network peering." - }, - "value": "[resourceId('Microsoft.Network/virtualNetworks/virtualNetworkPeerings', parameters('localVnetName'), parameters('name'))]" - } - } -} \ No newline at end of file diff --git a/modules/network/virtual-network/virtual-network-peering/version.json b/modules/network/virtual-network/virtual-network-peering/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/network/virtual-network/virtual-network-peering/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/virtual-wan/MOVED-TO-AVM.md b/modules/network/virtual-wan/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/network/virtual-wan/MOVED-TO-AVM.md +++ /dev/null @@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/network/virtual-wan/README.md b/modules/network/virtual-wan/README.md index 20868b8137..bc095ebaa9 100644 --- a/modules/network/virtual-wan/README.md +++ b/modules/network/virtual-wan/README.md @@ -1,520 +1,7 @@ -# Virtual WANs `[Microsoft.Network/virtualWans]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/virtual-wan](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/virtual-wan).** -This module deploys a Virtual WAN. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/virtual-wan). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/virtualWans` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/virtualWans) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.virtual-wan:1.0.0`. 
- -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module virtualWan 'br:bicep/modules/network.virtual-wan:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nvwmin' - params: { - // Required parameters - name: 'nvwmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nvwmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module virtualWan 'br:bicep/modules/network.virtual-wan:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nvwmax' - params: { - // Required parameters - name: 'nvwmax001' - // Non-required parameters - allowBranchToBranchTraffic: true - allowVnetToVnetTraffic: true - disableVpnEncryption: true - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - type: 'Basic' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nvwmax001" - }, - // Non-required parameters - "allowBranchToBranchTraffic": { - "value": true - }, - "allowVnetToVnetTraffic": { - "value": true - }, - "disableVpnEncryption": { - "value": true - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "type": { - "value": "Basic" - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module virtualWan 'br:bicep/modules/network.virtual-wan:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nvwwaf' - params: { - // Required parameters - name: 'nvwwaf001' - // Non-required parameters - allowBranchToBranchTraffic: true - allowVnetToVnetTraffic: true - disableVpnEncryption: true - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - type: 'Basic' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nvwwaf001" - }, - // Non-required parameters - "allowBranchToBranchTraffic": { - "value": true - }, - "allowVnetToVnetTraffic": { - "value": true - }, - "disableVpnEncryption": { - "value": true - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "type": { - "value": "Basic" - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Virtual WAN. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`allowBranchToBranchTraffic`](#parameter-allowbranchtobranchtraffic) | bool | True if branch to branch traffic is allowed. | -| [`allowVnetToVnetTraffic`](#parameter-allowvnettovnettraffic) | bool | True if VNET to VNET traffic is allowed. | -| [`disableVpnEncryption`](#parameter-disablevpnencryption) | bool | VPN encryption to be disabled or not. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location where all resources will be created. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`type`](#parameter-type) | string | The type of the Virtual WAN. | - -### Parameter: `name` - -Name of the Virtual WAN. - -- Required: Yes -- Type: string - -### Parameter: `allowBranchToBranchTraffic` - -True if branch to branch traffic is allowed. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `allowVnetToVnetTraffic` - -True if VNET to VNET traffic is allowed. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `disableVpnEncryption` - -VPN encryption to be disabled or not. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location where all resources will be created. 
- -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. 
| -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. 
- -- Required: No -- Type: object - -### Parameter: `type` - -The type of the Virtual WAN. - -- Required: No -- Type: string -- Default: `'Standard'` -- Allowed: - ```Bicep - [ - 'Basic' - 'Standard' - ] - ``` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the virtual WAN. | -| `resourceGroupName` | string | The resource group the virtual WAN was deployed into. | -| `resourceId` | string | The resource ID of the virtual WAN. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/network/virtual-wan/main.bicep b/modules/network/virtual-wan/main.bicep deleted file mode 100644 index b108e4573b..0000000000 --- a/modules/network/virtual-wan/main.bicep +++ /dev/null 
@@ -1,140 +0,0 @@ -metadata name = 'Virtual WANs' -metadata description = 'This module deploys a Virtual WAN.' -metadata owner = 'Azure/module-maintainers' - -@description('Optional. Location where all resources will be created.') -param location string = resourceGroup().location - -@description('Required. Name of the Virtual WAN.') -param name string - -@description('Optional. The type of the Virtual WAN.') -@allowed([ - 'Standard' - 'Basic' -]) -param type string = 'Standard' - -@description('Optional. True if branch to branch traffic is allowed.') -param allowBranchToBranchTraffic bool = false - -@description('Optional. True if VNET to VNET traffic is allowed.') -param allowVnetToVnetTraffic bool = false - -@description('Optional. VPN encryption to be disabled or not.') -param disableVpnEncryption bool = false - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. Tags of the resource.') -param tags object? - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. 
The lock settings of the service.') -param lock lockType - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' = { - name: name - location: location - tags: tags - properties: { - allowBranchToBranchTraffic: allowBranchToBranchTraffic - allowVnetToVnetTraffic: allowVnetToVnetTraffic ? allowVnetToVnetTraffic : null - disableVpnEncryption: disableVpnEncryption - type: type - } -} - -resource virtualWan_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' 
- } - scope: virtualWan -} - -resource virtualWan_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(virtualWan.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: virtualWan -}] - -@description('The name of the virtual WAN.') -output name string = virtualWan.name - -@description('The resource ID of the virtual WAN.') -output resourceId string = virtualWan.id - -@description('The resource group the virtual WAN was deployed into.') -output resourceGroupName string = resourceGroup().name - -@description('The location the resource was deployed into.') -output location string = virtualWan.location - -// =============== // -// Definitions // -// =============== // - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? diff --git a/modules/network/virtual-wan/main.json b/modules/network/virtual-wan/main.json deleted file mode 100644 index 99e7a9e7ca..0000000000 --- a/modules/network/virtual-wan/main.json +++ /dev/null 
@@ -1,286 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "3497109504339292909" - }, - "name": "Virtual WANs", - "description": "This module deploys a Virtual WAN.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location where all resources will be created." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Virtual WAN." - } - }, - "type": { - "type": "string", - "defaultValue": "Standard", - "allowedValues": [ - "Standard", - "Basic" - ], - "metadata": { - "description": "Optional. The type of the Virtual WAN." - } - }, - "allowBranchToBranchTraffic": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. True if branch to branch traffic is allowed." - } - }, - "allowVnetToVnetTraffic": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. True if VNET to VNET traffic is allowed." - } - }, - "disableVpnEncryption": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. VPN encryption to be disabled or not." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "virtualWan": { - "type": "Microsoft.Network/virtualWans", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "allowBranchToBranchTraffic": 
"[parameters('allowBranchToBranchTraffic')]", - "allowVnetToVnetTraffic": "[if(parameters('allowVnetToVnetTraffic'), parameters('allowVnetToVnetTraffic'), null())]", - "disableVpnEncryption": "[parameters('disableVpnEncryption')]", - "type": "[parameters('type')]" - } - }, - "virtualWan_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/virtualWans/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "virtualWan" - ] - }, - "virtualWan_roleAssignments": { - "copy": { - "name": "virtualWan_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/virtualWans/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/virtualWans', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, 
'/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "virtualWan" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the virtual WAN." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the virtual WAN." - }, - "value": "[resourceId('Microsoft.Network/virtualWans', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the virtual WAN was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('virtualWan', '2023-04-01', 'full').location]" - } - } -} \ No newline at end of file 
diff --git a/modules/network/virtual-wan/tests/e2e/defaults/main.test.bicep b/modules/network/virtual-wan/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index 85f5f16915..0000000000
--- a/modules/network/virtual-wan/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.virtualwans-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nvwmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/network/virtual-wan/tests/e2e/max/dependencies.bicep b/modules/network/virtual-wan/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/network/virtual-wan/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/virtual-wan/tests/e2e/max/main.test.bicep b/modules/network/virtual-wan/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 9079c1e718..0000000000
--- a/modules/network/virtual-wan/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,87 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-network.virtualwans-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nvwmax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - allowBranchToBranchTraffic: true - allowVnetToVnetTraffic: true - disableVpnEncryption: true - lock: { - kind: 'CanNotDelete' - name: 
'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - type: 'Basic' - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/network/virtual-wan/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/virtual-wan/tests/e2e/waf-aligned/dependencies.bicep deleted file mode 100644 index a7f42aee7b..0000000000 --- a/modules/network/virtual-wan/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null @@ -1,13 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep b/modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep deleted file mode 100644 index 7bccc274c5..0000000000 --- a/modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep +++ /dev/null 
@@ -1,70 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-network.virtualwans-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nvwwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - allowBranchToBranchTraffic: true - allowVnetToVnetTraffic: true - disableVpnEncryption: true - lock: { - kind: 
'CanNotDelete' - name: 'myCustomLockName' - } - type: 'Basic' - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/network/virtual-wan/version.json b/modules/network/virtual-wan/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/network/virtual-wan/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/network/vpn-gateway/MOVED-TO-AVM.md b/modules/network/vpn-gateway/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/network/vpn-gateway/MOVED-TO-AVM.md +++ /dev/null @@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/network/vpn-gateway/README.md b/modules/network/vpn-gateway/README.md index 64f362aedb..e902f73c36 100644 --- a/modules/network/vpn-gateway/README.md +++ b/modules/network/vpn-gateway/README.md @@ -1,626 +1,7 @@ -# VPN Gateways `[Microsoft.Network/vpnGateways]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/vpn-gateway](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/vpn-gateway).** -This module deploys a VPN Gateway. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/vpn-gateway). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Network/vpnGateways` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/vpnGateways) | -| `Microsoft.Network/vpnGateways/natRules` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/vpnGateways/natRules) | -| `Microsoft.Network/vpnGateways/vpnConnections` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/vpnGateways/vpnConnections) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. 
- ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.vpn-gateway:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module vpnGateway 'br:bicep/modules/network.vpn-gateway:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nvgmin' - params: { - // Required parameters - name: 'nvgmin001' - virtualHubResourceId: '' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nvgmin001" - }, - "virtualHubResourceId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module vpnGateway 'br:bicep/modules/network.vpn-gateway:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nvgmax' - params: { - // Required parameters - name: 'nvgmax001' - virtualHubResourceId: '' - // Non-required parameters - bgpSettings: { - asn: 65515 - peerWeight: 0 - } - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - natRules: [ - { - externalMappings: [ - { - addressSpace: '192.168.21.0/24' - } - ] - internalMappings: [ - { - addressSpace: '10.4.0.0/24' - } - ] - mode: 'EgressSnat' - name: 'natRule1' - type: 'Static' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - vpnConnections: [ - { - connectionBandwidth: 100 - enableBgp: false - enableInternetSecurity: true - enableRateLimiting: false - name: '' - remoteVpnSiteResourceId: '' - routingWeight: 0 - useLocalAzureIpAddress: false - usePolicyBasedTrafficSelectors: false - vpnConnectionProtocolType: 'IKEv2' - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nvgmax001" - }, - "virtualHubResourceId": { - "value": "" - }, - // Non-required parameters - "bgpSettings": { - "value": { - "asn": 65515, - "peerWeight": 0 - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "natRules": { - "value": [ - { - "externalMappings": [ - { - "addressSpace": "192.168.21.0/24" - } - ], - "internalMappings": [ - { - "addressSpace": "10.4.0.0/24" - } - ], - "mode": "EgressSnat", - "name": "natRule1", - "type": "Static" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "vpnConnections": { - "value": [ - { - "connectionBandwidth": 100, - "enableBgp": false, - "enableInternetSecurity": true, - "enableRateLimiting": false, - "name": "", - "remoteVpnSiteResourceId": "", - "routingWeight": 0, - "useLocalAzureIpAddress": false, - "usePolicyBasedTrafficSelectors": false, - "vpnConnectionProtocolType": "IKEv2" - } - ] - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module vpnGateway 'br:bicep/modules/network.vpn-gateway:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nvgwaf' - params: { - // Required parameters - name: 'nvgwaf001' - virtualHubResourceId: '' - // Non-required parameters - bgpSettings: { - asn: 65515 - peerWeight: 0 - } - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - natRules: [ - { - externalMappings: [ - { - addressSpace: '192.168.21.0/24' - } - ] - internalMappings: [ - { - addressSpace: '10.4.0.0/24' - } - ] - mode: 'EgressSnat' - name: 'natRule1' - type: 'Static' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - vpnConnections: [ - { - connectionBandwidth: 100 - enableBgp: false - enableInternetSecurity: true - enableRateLimiting: false - name: '' - remoteVpnSiteResourceId: '' - routingWeight: 0 - useLocalAzureIpAddress: false - usePolicyBasedTrafficSelectors: false - vpnConnectionProtocolType: 'IKEv2' - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nvgwaf001" - }, - "virtualHubResourceId": { - "value": "" - }, - // Non-required parameters - "bgpSettings": { - "value": { - "asn": 65515, - "peerWeight": 0 - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "natRules": { - "value": [ - { - "externalMappings": [ - { - "addressSpace": "192.168.21.0/24" - } - ], - "internalMappings": [ - { - "addressSpace": "10.4.0.0/24" - } - ], - "mode": "EgressSnat", - "name": "natRule1", - "type": "Static" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "vpnConnections": { - "value": [ - { - "connectionBandwidth": 100, - "enableBgp": false, - "enableInternetSecurity": true, - "enableRateLimiting": false, - "name": "", - "remoteVpnSiteResourceId": "", - "routingWeight": 0, - "useLocalAzureIpAddress": false, - "usePolicyBasedTrafficSelectors": false, - "vpnConnectionProtocolType": "IKEv2" - } - ] - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the VPN gateway. | -| [`virtualHubResourceId`](#parameter-virtualhubresourceid) | string | The resource ID of a virtual Hub to connect to. Note: The virtual Hub and Gateway must be deployed into the same location. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`bgpSettings`](#parameter-bgpsettings) | object | BGP settings details. | -| [`enableBgpRouteTranslationForNat`](#parameter-enablebgproutetranslationfornat) | bool | Enable BGP routes translation for NAT on this VPN gateway. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`isRoutingPreferenceInternet`](#parameter-isroutingpreferenceinternet) | bool | Enable routing preference property for the public IP interface of the VPN gateway. | -| [`location`](#parameter-location) | string | Location where all resources will be created. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`natRules`](#parameter-natrules) | array | List of all the NAT Rules to associate with the gateway. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`vpnConnections`](#parameter-vpnconnections) | array | The VPN connections to create in the VPN gateway. | -| [`vpnGatewayScaleUnit`](#parameter-vpngatewayscaleunit) | int | The scale unit for this VPN gateway. | - -### Parameter: `name` - -Name of the VPN gateway. - -- Required: Yes -- Type: string - -### Parameter: `virtualHubResourceId` - -The resource ID of a virtual Hub to connect to. Note: The virtual Hub and Gateway must be deployed into the same location. - -- Required: Yes -- Type: string - -### Parameter: `bgpSettings` - -BGP settings details. 
- -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `enableBgpRouteTranslationForNat` - -Enable BGP routes translation for NAT on this VPN gateway. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `isRoutingPreferenceInternet` - -Enable routing preference property for the public IP interface of the VPN gateway. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `location` - -Location where all resources will be created. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `natRules` - -List of all the NAT Rules to associate with the gateway. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `vpnConnections` - -The VPN connections to create in the VPN gateway. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `vpnGatewayScaleUnit` - -The scale unit for this VPN gateway. - -- Required: No -- Type: int -- Default: `2` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the VPN gateway. 
| -| `resourceGroupName` | string | The name of the resource group the VPN gateway was deployed into. | -| `resourceId` | string | The resource ID of the VPN gateway. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `bgpSettings` - -

- -Parameter JSON format - -```json -"bgpSettings": { - "asn": 65515, - "peerWeight": 0, - "bgpPeeringAddresses": [ - { - "ipconfigurationId": "Instance0", - "defaultBgpIpAddresses": [ - "10.0.0.12" - ], - "customBgpIpAddresses": [], - "tunnelIpAddresses": [ - "20.84.35.53", - "10.0.0.4" - ] - }, - { - "ipconfigurationId": "Instance1", - "defaultBgpIpAddresses": [ - "10.0.0.13" - ], - "customBgpIpAddresses": [], - "tunnelIpAddresses": [ - "20.84.34.225", - "10.0.0.5" - ] - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -bgpSettings: { - asn: 65515 - peerWeight: 0 - bgpPeeringAddresses: [ - { - ipconfigurationId: 'Instance0' - defaultBgpIpAddresses: [ - '10.0.0.12' - ] - customBgpIpAddresses: [] - tunnelIpAddresses: [ - '20.84.35.53' - '10.0.0.4' - ] - } - { - ipconfigurationId: 'Instance1' - defaultBgpIpAddresses: [ - '10.0.0.13' - ] - customBgpIpAddresses: [] - tunnelIpAddresses: [ - '20.84.34.225' - '10.0.0.5' - ] - } - ] -} -``` - -
-

+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/network/vpn-gateway/main.bicep b/modules/network/vpn-gateway/main.bicep
deleted file mode 100644
index 943525aca2..0000000000
--- a/modules/network/vpn-gateway/main.bicep
+++ /dev/null
@@ -1,158 +0,0 @@
-metadata name = 'VPN Gateways'
-metadata description = 'This module deploys a VPN Gateway.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the VPN gateway.')
-param name string
-
-@description('Optional. Location where all resources will be created.')
-param location string = resourceGroup().location
-
-@description('Optional. The VPN connections to create in the VPN gateway.')
-param vpnConnections array = []
-
-@description('Optional. List of all the NAT Rules to associate with the gateway.')
-param natRules array = []
-
-@description('Required. The resource ID of a virtual Hub to connect to. Note: The virtual Hub and Gateway must be deployed into the same location.')
-param virtualHubResourceId string
-
-@description('Optional. BGP settings details.')
-param bgpSettings object = {}
-
-@description('Optional. Enable BGP routes translation for NAT on this VPN gateway.')
-param enableBgpRouteTranslationForNat bool = false
-
-@description('Optional. Enable routing preference property for the public IP interface of the VPN gateway.')
-param isRoutingPreferenceInternet bool = false
-
-@description('Optional. The scale unit for this VPN gateway.')
-param vpnGatewayScaleUnit int = 2
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource vpnGateway 'Microsoft.Network/vpnGateways@2023-04-01' = {
- name: name
- location: location
- tags: tags
- properties: {
- bgpSettings: bgpSettings
- enableBgpRouteTranslationForNat: enableBgpRouteTranslationForNat
- isRoutingPreferenceInternet: isRoutingPreferenceInternet
- vpnGatewayScaleUnit: vpnGatewayScaleUnit
- connections: [for (connection, index) in vpnConnections: {
- name: connection.name
- properties: {
- connectionBandwidth: connection.?connectionBandwidth
- enableBgp: connection.?enableBgp
- enableInternetSecurity: connection.?enableInternetSecurity
- remoteVpnSite: contains(connection, 'remoteVpnSiteResourceId') ? {
- id: connection.remoteVpnSiteResourceId
- } : null
- enableRateLimiting: connection.?enableRateLimiting
- routingConfiguration: connection.?routingConfiguration
- routingWeight: connection.?routingWeight
- sharedKey: connection.?sharedKey
- useLocalAzureIpAddress: connection.?useLocalAzureIpAddress
- usePolicyBasedTrafficSelectors: connection.?usePolicyBasedTrafficSelectors
- vpnConnectionProtocolType: connection.?vpnConnectionProtocolType
- ipsecPolicies: connection.?ipsecPolicies
- trafficSelectorPolicies: connection.?trafficSelectorPolicies
- vpnLinkConnections: connection.?vpnLinkConnections
- }
- }]
- virtualHub: {
- id: virtualHubResourceId
- }
- }
-}
-
-resource vpnGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: vpnGateway
-}
-
-module vpnGateway_natRules 'nat-rule/main.bicep' = [for (natRule, index) in natRules: {
- name: '${deployment().name}-NATRule-${index}'
- params: {
- name: natRule.name
- vpnGatewayName: vpnGateway.name
- externalMappings: contains(natRule, 'externalMappings') ? natRule.externalMappings : []
- internalMappings: contains(natRule, 'internalMappings') ? natRule.internalMappings : []
- ipConfigurationId: contains(natRule, 'ipConfigurationId') ? natRule.ipConfigurationId : ''
- mode: contains(natRule, 'mode') ? natRule.mode : ''
- type: contains(natRule, 'type') ? natRule.type : ''
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module vpnGateway_vpnConnections 'vpn-connection/main.bicep' = [for (connection, index) in vpnConnections: {
- name: '${deployment().name}-Connection-${index}'
- params: {
- name: connection.name
- vpnGatewayName: vpnGateway.name
- connectionBandwidth: connection.?connectionBandwidth
- enableBgp: connection.?enableBgp
- enableInternetSecurity: connection.?enableInternetSecurity
- remoteVpnSiteResourceId: connection.?remoteVpnSiteResourceId
- enableRateLimiting: connection.?enableRateLimiting
- routingConfiguration: connection.?routingConfiguration
- routingWeight: connection.?routingWeight
- sharedKey: connection.?sharedKey
- useLocalAzureIpAddress: connection.?useLocalAzureIpAddress
- usePolicyBasedTrafficSelectors: connection.?usePolicyBasedTrafficSelectors
- vpnConnectionProtocolType: connection.?vpnConnectionProtocolType
- enableDefaultTelemetry: connection.?ipsecPolicies
- trafficSelectorPolicies: connection.?trafficSelectorPolicies
- vpnLinkConnections: connection.?vpnLinkConnections
- }
-}]
-
-@description('The name of the VPN gateway.')
-output name string = vpnGateway.name
-
-@description('The resource ID of the VPN gateway.')
-output resourceId string = vpnGateway.id
-
-@description('The name of the resource group the VPN gateway was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = vpnGateway.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
diff --git a/modules/network/vpn-gateway/main.json b/modules/network/vpn-gateway/main.json
deleted file mode 100644
index 07ddb84961..0000000000
--- a/modules/network/vpn-gateway/main.json
+++ /dev/null
@@ -1,659 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "12893789800987585694" - }, - "name": "VPN Gateways", - "description": "This module deploys a VPN Gateway.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the VPN gateway." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location where all resources will be created." - } - }, - "vpnConnections": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The VPN connections to create in the VPN gateway." - } - }, - "natRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of all the NAT Rules to associate with the gateway." - } - }, - "virtualHubResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of a virtual Hub to connect to. Note: The virtual Hub and Gateway must be deployed into the same location." - } - }, - "bgpSettings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. BGP settings details." - } - }, - "enableBgpRouteTranslationForNat": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. 
Enable BGP routes translation for NAT on this VPN gateway." - } - }, - "isRoutingPreferenceInternet": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enable routing preference property for the public IP interface of the VPN gateway." - } - }, - "vpnGatewayScaleUnit": { - "type": "int", - "defaultValue": 2, - "metadata": { - "description": "Optional. The scale unit for this VPN gateway." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "vpnGateway": { - "type": "Microsoft.Network/vpnGateways", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "connections", - "count": "[length(parameters('vpnConnections'))]", - "input": { - "name": "[parameters('vpnConnections')[copyIndex('connections')].name]", - "properties": { - "connectionBandwidth": "[tryGet(parameters('vpnConnections')[copyIndex('connections')], 
'connectionBandwidth')]", - "enableBgp": "[tryGet(parameters('vpnConnections')[copyIndex('connections')], 'enableBgp')]", - "enableInternetSecurity": "[tryGet(parameters('vpnConnections')[copyIndex('connections')], 'enableInternetSecurity')]", - "remoteVpnSite": "[if(contains(parameters('vpnConnections')[copyIndex('connections')], 'remoteVpnSiteResourceId'), createObject('id', parameters('vpnConnections')[copyIndex('connections')].remoteVpnSiteResourceId), null())]", - "enableRateLimiting": "[tryGet(parameters('vpnConnections')[copyIndex('connections')], 'enableRateLimiting')]", - "routingConfiguration": "[tryGet(parameters('vpnConnections')[copyIndex('connections')], 'routingConfiguration')]", - "routingWeight": "[tryGet(parameters('vpnConnections')[copyIndex('connections')], 'routingWeight')]", - "sharedKey": "[tryGet(parameters('vpnConnections')[copyIndex('connections')], 'sharedKey')]", - "useLocalAzureIpAddress": "[tryGet(parameters('vpnConnections')[copyIndex('connections')], 'useLocalAzureIpAddress')]", - "usePolicyBasedTrafficSelectors": "[tryGet(parameters('vpnConnections')[copyIndex('connections')], 'usePolicyBasedTrafficSelectors')]", - "vpnConnectionProtocolType": "[tryGet(parameters('vpnConnections')[copyIndex('connections')], 'vpnConnectionProtocolType')]", - "ipsecPolicies": "[tryGet(parameters('vpnConnections')[copyIndex('connections')], 'ipsecPolicies')]", - "trafficSelectorPolicies": "[tryGet(parameters('vpnConnections')[copyIndex('connections')], 'trafficSelectorPolicies')]", - "vpnLinkConnections": "[tryGet(parameters('vpnConnections')[copyIndex('connections')], 'vpnLinkConnections')]" - } - } - } - ], - "bgpSettings": "[parameters('bgpSettings')]", - "enableBgpRouteTranslationForNat": "[parameters('enableBgpRouteTranslationForNat')]", - "isRoutingPreferenceInternet": "[parameters('isRoutingPreferenceInternet')]", - "vpnGatewayScaleUnit": "[parameters('vpnGatewayScaleUnit')]", - "virtualHub": { - "id": "[parameters('virtualHubResourceId')]" - } 
- } - }, - "vpnGateway_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/vpnGateways/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "vpnGateway" - ] - }, - "vpnGateway_natRules": { - "copy": { - "name": "vpnGateway_natRules", - "count": "[length(parameters('natRules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-NATRule-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('natRules')[copyIndex()].name]" - }, - "vpnGatewayName": { - "value": "[parameters('name')]" - }, - "externalMappings": "[if(contains(parameters('natRules')[copyIndex()], 'externalMappings'), createObject('value', parameters('natRules')[copyIndex()].externalMappings), createObject('value', createArray()))]", - "internalMappings": "[if(contains(parameters('natRules')[copyIndex()], 'internalMappings'), createObject('value', parameters('natRules')[copyIndex()].internalMappings), createObject('value', createArray()))]", - "ipConfigurationId": "[if(contains(parameters('natRules')[copyIndex()], 'ipConfigurationId'), createObject('value', parameters('natRules')[copyIndex()].ipConfigurationId), createObject('value', ''))]", - "mode": "[if(contains(parameters('natRules')[copyIndex()], 'mode'), createObject('value', 
parameters('natRules')[copyIndex()].mode), createObject('value', ''))]", - "type": "[if(contains(parameters('natRules')[copyIndex()], 'type'), createObject('value', parameters('natRules')[copyIndex()].type), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2150556463317760652" - }, - "name": "VPN Gateway NAT Rules", - "description": "This module deploys a VPN Gateway NAT Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the NAT rule." - } - }, - "vpnGatewayName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent VPN gateway this NAT rule is associated with. Required if the template is used in a standalone deployment." - } - }, - "externalMappings": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An address prefix range of destination IPs on the outside network that source IPs will be mapped to. In other words, your post-NAT address prefix range." - } - }, - "internalMappings": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An address prefix range of source IPs on the inside network that will be mapped to a set of external IPs. In other words, your pre-NAT address prefix range." - } - }, - "ipConfigurationId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. A NAT rule must be configured to a specific VPN Gateway instance. This is applicable to Dynamic NAT only. Static NAT rules are automatically applied to both VPN Gateway instances." 
- } - }, - "mode": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "EgressSnat", - "IngressSnat" - ], - "metadata": { - "description": "Optional. The type of NAT rule for VPN NAT. IngressSnat mode (also known as Ingress Source NAT) is applicable to traffic entering the Azure hub's site-to-site VPN gateway. EgressSnat mode (also known as Egress Source NAT) is applicable to traffic leaving the Azure hub's Site-to-site VPN gateway." - } - }, - "type": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Dynamic", - "Static" - ], - "metadata": { - "description": "Optional. The type of NAT rule for VPN NAT. Static one-to-one NAT establishes a one-to-one relationship between an internal address and an external address while Dynamic NAT assigns an IP and port based on availability." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/vpnGateways/natRules", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('vpnGatewayName'), parameters('name'))]", - "properties": { - "externalMappings": "[parameters('externalMappings')]", - "internalMappings": "[parameters('internalMappings')]", - "ipConfigurationId": "[if(not(empty(parameters('ipConfigurationId'))), parameters('ipConfigurationId'), null())]", - "mode": "[if(not(empty(parameters('mode'))), parameters('mode'), null())]", - "type": "[if(not(empty(parameters('type'))), parameters('type'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the NAT rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the NAT rule." - }, - "value": "[resourceId('Microsoft.Network/vpnGateways/natRules', parameters('vpnGatewayName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the NAT rule was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "vpnGateway" - ] - }, - "vpnGateway_vpnConnections": { - "copy": { - "name": "vpnGateway_vpnConnections", - "count": "[length(parameters('vpnConnections'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Connection-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('vpnConnections')[copyIndex()].name]" - }, - "vpnGatewayName": { - "value": "[parameters('name')]" - }, - "connectionBandwidth": { - "value": "[tryGet(parameters('vpnConnections')[copyIndex()], 'connectionBandwidth')]" - }, - "enableBgp": { - "value": "[tryGet(parameters('vpnConnections')[copyIndex()], 'enableBgp')]" - }, - "enableInternetSecurity": { - "value": "[tryGet(parameters('vpnConnections')[copyIndex()], 'enableInternetSecurity')]" - }, - "remoteVpnSiteResourceId": { - "value": "[tryGet(parameters('vpnConnections')[copyIndex()], 'remoteVpnSiteResourceId')]" - }, - "enableRateLimiting": { - "value": "[tryGet(parameters('vpnConnections')[copyIndex()], 'enableRateLimiting')]" - }, - "routingConfiguration": { - "value": "[tryGet(parameters('vpnConnections')[copyIndex()], 'routingConfiguration')]" - }, - "routingWeight": { - "value": "[tryGet(parameters('vpnConnections')[copyIndex()], 'routingWeight')]" - }, - "sharedKey": { - "value": "[tryGet(parameters('vpnConnections')[copyIndex()], 'sharedKey')]" - }, - "useLocalAzureIpAddress": { - "value": "[tryGet(parameters('vpnConnections')[copyIndex()], 'useLocalAzureIpAddress')]" - }, - "usePolicyBasedTrafficSelectors": { - "value": "[tryGet(parameters('vpnConnections')[copyIndex()], 'usePolicyBasedTrafficSelectors')]" - }, - "vpnConnectionProtocolType": { - "value": "[tryGet(parameters('vpnConnections')[copyIndex()], 'vpnConnectionProtocolType')]" - }, - 
"enableDefaultTelemetry": { - "value": "[tryGet(parameters('vpnConnections')[copyIndex()], 'ipsecPolicies')]" - }, - "trafficSelectorPolicies": { - "value": "[tryGet(parameters('vpnConnections')[copyIndex()], 'trafficSelectorPolicies')]" - }, - "vpnLinkConnections": { - "value": "[tryGet(parameters('vpnConnections')[copyIndex()], 'vpnLinkConnections')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6383697389251029881" - }, - "name": "VPN Gateway VPN Connections", - "description": "This module deploys a VPN Gateway VPN Connection.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the VPN connection." - } - }, - "vpnGatewayName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent VPN gateway this VPN connection is associated with. Required if the template is used in a standalone deployment." - } - }, - "ipsecPolicies": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The IPSec policies to be considered by this connection." - } - }, - "trafficSelectorPolicies": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The traffic selector policies to be considered by this connection." - } - }, - "vpnLinkConnections": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of all VPN site link connections to the gateway." - } - }, - "routingConfiguration": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Routing configuration indicating the associated and propagated route tables for this connection." 
- } - }, - "usePolicyBasedTrafficSelectors": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enable policy-based traffic selectors." - } - }, - "useLocalAzureIpAddress": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Use local Azure IP to initiate connection." - } - }, - "enableRateLimiting": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enable rate limiting." - } - }, - "enableInternetSecurity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enable internet security." - } - }, - "enableBgp": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enable BGP flag." - } - }, - "routingWeight": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. Routing weight for VPN connection." - } - }, - "connectionBandwidth": { - "type": "int", - "defaultValue": 10, - "metadata": { - "description": "Optional. Expected bandwidth in MBPS." - } - }, - "vpnConnectionProtocolType": { - "type": "string", - "defaultValue": "IKEv2", - "allowedValues": [ - "IKEv1", - "IKEv2" - ], - "metadata": { - "description": "Optional. Gateway connection protocol." - } - }, - "sharedKey": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. SharedKey for the VPN connection." - } - }, - "remoteVpnSiteResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Reference to a VPN site to link to." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/vpnGateways/vpnConnections", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('vpnGatewayName'), parameters('name'))]", - "properties": { - "connectionBandwidth": "[parameters('connectionBandwidth')]", - "enableBgp": "[parameters('enableBgp')]", - "enableInternetSecurity": "[parameters('enableInternetSecurity')]", - "enableRateLimiting": "[parameters('enableRateLimiting')]", - "ipsecPolicies": "[parameters('ipsecPolicies')]", - "remoteVpnSite": "[if(not(empty(parameters('remoteVpnSiteResourceId'))), createObject('id', parameters('remoteVpnSiteResourceId')), null())]", - "routingConfiguration": "[parameters('routingConfiguration')]", - "routingWeight": "[parameters('routingWeight')]", - "sharedKey": "[parameters('sharedKey')]", - "trafficSelectorPolicies": "[parameters('trafficSelectorPolicies')]", - "useLocalAzureIpAddress": "[parameters('useLocalAzureIpAddress')]", - "usePolicyBasedTrafficSelectors": "[parameters('usePolicyBasedTrafficSelectors')]", - "vpnConnectionProtocolType": "[parameters('vpnConnectionProtocolType')]", - "vpnLinkConnections": "[parameters('vpnLinkConnections')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the VPN connection." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the VPN connection." 
- }, - "value": "[resourceId('Microsoft.Network/vpnGateways/vpnConnections', parameters('vpnGatewayName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the VPN connection was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "vpnGateway" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the VPN gateway." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the VPN gateway." - }, - "value": "[resourceId('Microsoft.Network/vpnGateways', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the VPN gateway was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('vpnGateway', '2023-04-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/vpn-gateway/nat-rule/README.md b/modules/network/vpn-gateway/nat-rule/README.md deleted file mode 100644 index f53cf33f2f..0000000000 --- a/modules/network/vpn-gateway/nat-rule/README.md +++ /dev/null 
@@ -1,132 +0,0 @@
-# VPN Gateway NAT Rules `[Microsoft.Network/vpnGateways/natRules]`
-
-This module deploys a VPN Gateway NAT Rule.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Network/vpnGateways/natRules` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/vpnGateways/natRules) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the NAT rule. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`vpnGatewayName`](#parameter-vpngatewayname) | string | The name of the parent VPN gateway this NAT rule is associated with. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`externalMappings`](#parameter-externalmappings) | array | An address prefix range of destination IPs on the outside network that source IPs will be mapped to. In other words, your post-NAT address prefix range. |
-| [`internalMappings`](#parameter-internalmappings) | array | An address prefix range of source IPs on the inside network that will be mapped to a set of external IPs. In other words, your pre-NAT address prefix range. |
-| [`ipConfigurationId`](#parameter-ipconfigurationid) | string | A NAT rule must be configured to a specific VPN Gateway instance. This is applicable to Dynamic NAT only. Static NAT rules are automatically applied to both VPN Gateway instances. |
-| [`mode`](#parameter-mode) | string | The type of NAT rule for VPN NAT. IngressSnat mode (also known as Ingress Source NAT) is applicable to traffic entering the Azure hub's site-to-site VPN gateway. EgressSnat mode (also known as Egress Source NAT) is applicable to traffic leaving the Azure hub's Site-to-site VPN gateway. |
-| [`type`](#parameter-type) | string | The type of NAT rule for VPN NAT. Static one-to-one NAT establishes a one-to-one relationship between an internal address and an external address while Dynamic NAT assigns an IP and port based on availability. |
-
-### Parameter: `name`
-
-The name of the NAT rule.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `vpnGatewayName`
-
-The name of the parent VPN gateway this NAT rule is associated with. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `externalMappings`
-
-An address prefix range of destination IPs on the outside network that source IPs will be mapped to. In other words, your post-NAT address prefix range.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `internalMappings`
-
-An address prefix range of source IPs on the inside network that will be mapped to a set of external IPs. In other words, your pre-NAT address prefix range.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `ipConfigurationId`
-
-A NAT rule must be configured to a specific VPN Gateway instance. This is applicable to Dynamic NAT only. Static NAT rules are automatically applied to both VPN Gateway instances.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `mode`
-
-The type of NAT rule for VPN NAT. IngressSnat mode (also known as Ingress Source NAT) is applicable to traffic entering the Azure hub's site-to-site VPN gateway. EgressSnat mode (also known as Egress Source NAT) is applicable to traffic leaving the Azure hub's Site-to-site VPN gateway.
-
-- Required: No
-- Type: string
-- Default: `''`
-- Allowed:
- ```Bicep
- [
- ''
- 'EgressSnat'
- 'IngressSnat'
- ]
- ```
-
-### Parameter: `type`
-
-The type of NAT rule for VPN NAT. Static one-to-one NAT establishes a one-to-one relationship between an internal address and an external address while Dynamic NAT assigns an IP and port based on availability.
-
-- Required: No
-- Type: string
-- Default: `''`
-- Allowed:
- ```Bicep
- [
- ''
- 'Dynamic'
- 'Static'
- ]
- ```
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the NAT rule. |
-| `resourceGroupName` | string | The name of the resource group the NAT rule was deployed into. |
-| `resourceId` | string | The resource ID of the NAT rule. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/network/vpn-gateway/nat-rule/main.bicep b/modules/network/vpn-gateway/nat-rule/main.bicep
deleted file mode 100644
index 8ab92f9e52..0000000000
--- a/modules/network/vpn-gateway/nat-rule/main.bicep
+++ /dev/null
@@ -1,74 +0,0 @@
-metadata name = 'VPN Gateway NAT Rules'
-metadata description = 'This module deploys a VPN Gateway NAT Rule.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the NAT rule.')
-param name string
-
-@description('Conditional. The name of the parent VPN gateway this NAT rule is associated with. Required if the template is used in a standalone deployment.')
-param vpnGatewayName string
-
-@description('Optional. An address prefix range of destination IPs on the outside network that source IPs will be mapped to. In other words, your post-NAT address prefix range.')
-param externalMappings array = []
-
-@description('Optional. An address prefix range of source IPs on the inside network that will be mapped to a set of external IPs. In other words, your pre-NAT address prefix range.')
-param internalMappings array = []
-
-@description('Optional. A NAT rule must be configured to a specific VPN Gateway instance. This is applicable to Dynamic NAT only. Static NAT rules are automatically applied to both VPN Gateway instances.')
-param ipConfigurationId string = ''
-
-@description('Optional. The type of NAT rule for VPN NAT. IngressSnat mode (also known as Ingress Source NAT) is applicable to traffic entering the Azure hub\'s site-to-site VPN gateway. EgressSnat mode (also known as Egress Source NAT) is applicable to traffic leaving the Azure hub\'s Site-to-site VPN gateway.')
-@allowed([
- ''
- 'EgressSnat'
- 'IngressSnat'
-])
-param mode string = ''
-
-@description('Optional. The type of NAT rule for VPN NAT. Static one-to-one NAT establishes a one-to-one relationship between an internal address and an external address while Dynamic NAT assigns an IP and port based on availability.')
-@allowed([
- ''
- 'Dynamic'
- 'Static'
-])
-param type string = ''
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource vpnGateway 'Microsoft.Network/vpnGateways@2023-04-01' existing = {
- name: vpnGatewayName
-}
-
-resource natRule 'Microsoft.Network/vpnGateways/natRules@2023-04-01' = {
- name: name
- parent: vpnGateway
- properties: {
- externalMappings: externalMappings
- internalMappings: internalMappings
- ipConfigurationId: !empty(ipConfigurationId) ? ipConfigurationId : null
- mode: !empty(mode) ? any(mode) : null
- type: !empty(type) ? any(type) : null
- }
-}
-
-@description('The name of the NAT rule.')
-output name string = natRule.name
-
-@description('The resource ID of the NAT rule.')
-output resourceId string = natRule.id
-
-@description('The name of the resource group the NAT rule was deployed into.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/network/vpn-gateway/nat-rule/main.json b/modules/network/vpn-gateway/nat-rule/main.json
deleted file mode 100644
index 2e03c8868b..0000000000
--- a/modules/network/vpn-gateway/nat-rule/main.json
+++ /dev/null
@@ -1,131 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2150556463317760652" - }, - "name": "VPN Gateway NAT Rules", - "description": "This module deploys a VPN Gateway NAT Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the NAT rule." - } - }, - "vpnGatewayName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent VPN gateway this NAT rule is associated with. Required if the template is used in a standalone deployment." - } - }, - "externalMappings": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An address prefix range of destination IPs on the outside network that source IPs will be mapped to. In other words, your post-NAT address prefix range." - } - }, - "internalMappings": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An address prefix range of source IPs on the inside network that will be mapped to a set of external IPs. In other words, your pre-NAT address prefix range." - } - }, - "ipConfigurationId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. A NAT rule must be configured to a specific VPN Gateway instance. This is applicable to Dynamic NAT only. Static NAT rules are automatically applied to both VPN Gateway instances." - } - }, - "mode": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "EgressSnat", - "IngressSnat" - ], - "metadata": { - "description": "Optional. The type of NAT rule for VPN NAT. IngressSnat mode (also known as Ingress Source NAT) is applicable to traffic entering the Azure hub's site-to-site VPN gateway. 
EgressSnat mode (also known as Egress Source NAT) is applicable to traffic leaving the Azure hub's Site-to-site VPN gateway." - } - }, - "type": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Dynamic", - "Static" - ], - "metadata": { - "description": "Optional. The type of NAT rule for VPN NAT. Static one-to-one NAT establishes a one-to-one relationship between an internal address and an external address while Dynamic NAT assigns an IP and port based on availability." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/vpnGateways/natRules", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('vpnGatewayName'), parameters('name'))]", - "properties": { - "externalMappings": "[parameters('externalMappings')]", - "internalMappings": "[parameters('internalMappings')]", - "ipConfigurationId": "[if(not(empty(parameters('ipConfigurationId'))), parameters('ipConfigurationId'), null())]", - "mode": "[if(not(empty(parameters('mode'))), parameters('mode'), null())]", - "type": "[if(not(empty(parameters('type'))), parameters('type'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the NAT rule." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the NAT rule." - }, - "value": "[resourceId('Microsoft.Network/vpnGateways/natRules', parameters('vpnGatewayName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the NAT rule was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file
diff --git a/modules/network/vpn-gateway/nat-rule/version.json b/modules/network/vpn-gateway/nat-rule/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/network/vpn-gateway/nat-rule/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/vpn-gateway/tests/e2e/defaults/dependencies.bicep b/modules/network/vpn-gateway/tests/e2e/defaults/dependencies.bicep
deleted file mode 100644
index 3b2439f31c..0000000000
--- a/modules/network/vpn-gateway/tests/e2e/defaults/dependencies.bicep
+++ /dev/null
@@ -1,27 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Optional. The name of the Virtual Hub to create.')
-param virtualHubName string
-
-@description('Required. The name of the virtual WAN to create.')
-param virtualWANName string
-
-resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' = {
- name: virtualWANName
- location: location
-}
-
-resource virtualHub 'Microsoft.Network/virtualHubs@2022-01-01' = {
- name: virtualHubName
- location: location
- properties: {
- virtualWan: {
- id: virtualWan.id
- }
- addressPrefix: '10.1.0.0/16'
- }
-}
-
-@description('The resource ID of the created Virtual Hub.')
-output virtualHubResourceId string = virtualHub.id
diff --git a/modules/network/vpn-gateway/tests/e2e/defaults/main.test.bicep b/modules/network/vpn-gateway/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index 49411aaf37..0000000000
--- a/modules/network/vpn-gateway/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,59 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.vpngateways-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nvgmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualHubName: 'dep-${namePrefix}-vh-${serviceShort}'
- virtualWANName: 'dep-${namePrefix}-vw-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- virtualHubResourceId: nestedDependencies.outputs.virtualHubResourceId
- }
-}]
diff --git a/modules/network/vpn-gateway/tests/e2e/max/dependencies.bicep b/modules/network/vpn-gateway/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index a15b268388..0000000000
--- a/modules/network/vpn-gateway/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,49 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Optional. The name of the Virtual Hub to create.')
-param virtualHubName string
-
-@description('Optional. The name of the VPN Site to create.')
-param vpnSiteName string
-
-@description('Required. The name of the virtual WAN to create.')
-param virtualWANName string
-
-resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' = {
- name: virtualWANName
- location: location
-}
-
-resource virtualHub 'Microsoft.Network/virtualHubs@2022-01-01' = {
- name: virtualHubName
- location: location
- properties: {
- virtualWan: {
- id: virtualWan.id
- }
- addressPrefix: '10.0.0.0/24'
- }
-}
-
-resource vpnSite 'Microsoft.Network/vpnSites@2023-04-01' = {
- name: vpnSiteName
- location: location
- properties: {
- virtualWan: {
- id: virtualWan.id
- }
- addressSpace: {
- addressPrefixes: [
- '10.1.0.0/16'
- ]
- }
- ipAddress: '10.1.0.0'
- }
-}
-
-@description('The resource ID of the created Virtual Hub.')
-output virtualHubResourceId string = virtualHub.id
-
-@description('The resource ID of the created VPN site.')
-output vpnSiteResourceId string = vpnSite.id
diff --git a/modules/network/vpn-gateway/tests/e2e/max/main.test.bicep b/modules/network/vpn-gateway/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 14d39aec03..0000000000
--- a/modules/network/vpn-gateway/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,103 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.vpngateways-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nvgmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualHubName: 'dep-${namePrefix}-vh-${serviceShort}'
- virtualWANName: 'dep-${namePrefix}-vw-${serviceShort}'
- vpnSiteName: 'dep-${namePrefix}-vs-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- virtualHubResourceId: nestedDependencies.outputs.virtualHubResourceId
- bgpSettings: {
- asn: 65515
- peerWeight: 0
- }
- vpnConnections: [
- {
- connectionBandwidth: 100
- enableBgp: false
- name: 'Connection-${last(split(nestedDependencies.outputs.vpnSiteResourceId, '/'))}'
- remoteVpnSiteResourceId: nestedDependencies.outputs.vpnSiteResourceId
- enableInternetSecurity: true
- vpnConnectionProtocolType: 'IKEv2'
- enableRateLimiting: false
- useLocalAzureIpAddress: false
- usePolicyBasedTrafficSelectors: false
- routingWeight: 0
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- natRules: [
- {
- externalMappings: [
- {
- addressSpace: '192.168.21.0/24'
- }
- ]
- internalMappings: [
- {
- addressSpace: '10.4.0.0/24'
- }
- ]
- mode: 'EgressSnat'
- name: 'natRule1'
- type: 'Static'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/vpn-gateway/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/vpn-gateway/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index a15b268388..0000000000
--- a/modules/network/vpn-gateway/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,49 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Optional. The name of the Virtual Hub to create.')
-param virtualHubName string
-
-@description('Optional. The name of the VPN Site to create.')
-param vpnSiteName string
-
-@description('Required. The name of the virtual WAN to create.')
-param virtualWANName string
-
-resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' = {
- name: virtualWANName
- location: location
-}
-
-resource virtualHub 'Microsoft.Network/virtualHubs@2022-01-01' = {
- name: virtualHubName
- location: location
- properties: {
- virtualWan: {
- id: virtualWan.id
- }
- addressPrefix: '10.0.0.0/24'
- }
-}
-
-resource vpnSite 'Microsoft.Network/vpnSites@2023-04-01' = {
- name: vpnSiteName
- location: location
- properties: {
- virtualWan: {
- id: virtualWan.id
- }
- addressSpace: {
- addressPrefixes: [
- '10.1.0.0/16'
- ]
- }
- ipAddress: '10.1.0.0'
- }
-}
-
-@description('The resource ID of the created Virtual Hub.')
-output virtualHubResourceId string = virtualHub.id
-
-@description('The resource ID of the created VPN site.')
-output vpnSiteResourceId string = vpnSite.id
diff --git a/modules/network/vpn-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/vpn-gateway/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 96e00bdab5..0000000000
--- a/modules/network/vpn-gateway/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,103 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.vpngateways-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nvgwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualHubName: 'dep-${namePrefix}-vh-${serviceShort}'
- virtualWANName: 'dep-${namePrefix}-vw-${serviceShort}'
- vpnSiteName: 'dep-${namePrefix}-vs-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- virtualHubResourceId: nestedDependencies.outputs.virtualHubResourceId
- bgpSettings: {
- asn: 65515
- peerWeight: 0
- }
- vpnConnections: [
- {
- connectionBandwidth: 100
- enableBgp: false
- name: 'Connection-${last(split(nestedDependencies.outputs.vpnSiteResourceId, '/'))}'
- remoteVpnSiteResourceId: nestedDependencies.outputs.vpnSiteResourceId
- enableInternetSecurity: true
- vpnConnectionProtocolType: 'IKEv2'
- enableRateLimiting: false
- useLocalAzureIpAddress: false
- usePolicyBasedTrafficSelectors: false
- routingWeight: 0
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- natRules: [
- {
- externalMappings: [
- {
- addressSpace: '192.168.21.0/24'
- }
- ]
- internalMappings: [
- {
- addressSpace: '10.4.0.0/24'
- }
- ]
- mode: 'EgressSnat'
- name: 'natRule1'
- type: 'Static'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/network/vpn-gateway/version.json b/modules/network/vpn-gateway/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/network/vpn-gateway/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/vpn-gateway/vpn-connection/README.md b/modules/network/vpn-gateway/vpn-connection/README.md
deleted file mode 100644
index 5b7275f37e..0000000000
--- a/modules/network/vpn-gateway/vpn-connection/README.md
+++ /dev/null
@@ -1,264 +0,0 @@ -# VPN Gateway VPN Connections `[Microsoft.Network/vpnGateways/vpnConnections]` - -This module deploys a VPN Gateway VPN Connection. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Network/vpnGateways/vpnConnections` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/vpnGateways/vpnConnections) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the VPN connection. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`vpnGatewayName`](#parameter-vpngatewayname) | string | The name of the parent VPN gateway this VPN connection is associated with. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`connectionBandwidth`](#parameter-connectionbandwidth) | int | Expected bandwidth in MBPS. | -| [`enableBgp`](#parameter-enablebgp) | bool | Enable BGP flag. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`enableInternetSecurity`](#parameter-enableinternetsecurity) | bool | Enable internet security. | -| [`enableRateLimiting`](#parameter-enableratelimiting) | bool | Enable rate limiting. | -| [`ipsecPolicies`](#parameter-ipsecpolicies) | array | The IPSec policies to be considered by this connection. | -| [`remoteVpnSiteResourceId`](#parameter-remotevpnsiteresourceid) | string | Reference to a VPN site to link to. 
| -| [`routingConfiguration`](#parameter-routingconfiguration) | object | Routing configuration indicating the associated and propagated route tables for this connection. | -| [`routingWeight`](#parameter-routingweight) | int | Routing weight for VPN connection. | -| [`sharedKey`](#parameter-sharedkey) | securestring | SharedKey for the VPN connection. | -| [`trafficSelectorPolicies`](#parameter-trafficselectorpolicies) | array | The traffic selector policies to be considered by this connection. | -| [`useLocalAzureIpAddress`](#parameter-uselocalazureipaddress) | bool | Use local Azure IP to initiate connection. | -| [`usePolicyBasedTrafficSelectors`](#parameter-usepolicybasedtrafficselectors) | bool | Enable policy-based traffic selectors. | -| [`vpnConnectionProtocolType`](#parameter-vpnconnectionprotocoltype) | string | Gateway connection protocol. | -| [`vpnLinkConnections`](#parameter-vpnlinkconnections) | array | List of all VPN site link connections to the gateway. | - -### Parameter: `name` - -The name of the VPN connection. - -- Required: Yes -- Type: string - -### Parameter: `vpnGatewayName` - -The name of the parent VPN gateway this VPN connection is associated with. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `connectionBandwidth` - -Expected bandwidth in MBPS. - -- Required: No -- Type: int -- Default: `10` - -### Parameter: `enableBgp` - -Enable BGP flag. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableInternetSecurity` - -Enable internet security. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enableRateLimiting` - -Enable rate limiting. 
- -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `ipsecPolicies` - -The IPSec policies to be considered by this connection. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `remoteVpnSiteResourceId` - -Reference to a VPN site to link to. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `routingConfiguration` - -Routing configuration indicating the associated and propagated route tables for this connection. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `routingWeight` - -Routing weight for VPN connection. - -- Required: No -- Type: int -- Default: `0` - -### Parameter: `sharedKey` - -SharedKey for the VPN connection. - -- Required: No -- Type: securestring -- Default: `''` - -### Parameter: `trafficSelectorPolicies` - -The traffic selector policies to be considered by this connection. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `useLocalAzureIpAddress` - -Use local Azure IP to initiate connection. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `usePolicyBasedTrafficSelectors` - -Enable policy-based traffic selectors. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `vpnConnectionProtocolType` - -Gateway connection protocol. - -- Required: No -- Type: string -- Default: `'IKEv2'` -- Allowed: - ```Bicep - [ - 'IKEv1' - 'IKEv2' - ] - ``` - -### Parameter: `vpnLinkConnections` - -List of all VPN site link connections to the gateway. - -- Required: No -- Type: array -- Default: `[]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the VPN connection. | -| `resourceGroupName` | string | The name of the resource group the VPN connection was deployed into. | -| `resourceId` | string | The resource ID of the VPN connection. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `routingConfiguration` - -

- -Parameter JSON format - -```json -"routingConfiguration": { - "associatedRouteTable": { - "id": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualHubs/SampleVirtualHub/hubRouteTables/defaultRouteTable" - }, - "propagatedRouteTables": { - "labels": [ - "default" - ], - "ids": [ - { - "id": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualHubs/SampleVirtualHub/hubRouteTables/defaultRouteTable" - } - ] - }, - "vnetRoutes": { - "staticRoutes": [] - } -} -``` - -
- -
- -Bicep format - -```bicep -routingConfiguration: { - associatedRouteTable: { - id: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualHubs/SampleVirtualHub/hubRouteTables/defaultRouteTable' - } - propagatedRouteTables: { - labels: [ - 'default' - ] - ids: [ - { - id: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualHubs/SampleVirtualHub/hubRouteTables/defaultRouteTable' - } - ] - } - vnetRoutes: { - staticRoutes: [] - } -} -``` - -
-

diff --git a/modules/network/vpn-gateway/vpn-connection/main.bicep b/modules/network/vpn-gateway/vpn-connection/main.bicep
deleted file mode 100644
index 8a72835671..0000000000
--- a/modules/network/vpn-gateway/vpn-connection/main.bicep
+++ /dev/null
@@ -1,107 +0,0 @@
-metadata name = 'VPN Gateway VPN Connections'
-metadata description = 'This module deploys a VPN Gateway VPN Connection.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the VPN connection.')
-param name string
-
-@description('Conditional. The name of the parent VPN gateway this VPN connection is associated with. Required if the template is used in a standalone deployment.')
-param vpnGatewayName string
-
-@description('Optional. The IPSec policies to be considered by this connection.')
-param ipsecPolicies array = []
-
-@description('Optional. The traffic selector policies to be considered by this connection.')
-param trafficSelectorPolicies array = []
-
-@description('Optional. List of all VPN site link connections to the gateway.')
-param vpnLinkConnections array = []
-
-@description('Optional. Routing configuration indicating the associated and propagated route tables for this connection.')
-param routingConfiguration object = {}
-
-@description('Optional. Enable policy-based traffic selectors.')
-param usePolicyBasedTrafficSelectors bool = false
-
-@description('Optional. Use local Azure IP to initiate connection.')
-param useLocalAzureIpAddress bool = false
-
-@description('Optional. Enable rate limiting.')
-param enableRateLimiting bool = false
-
-@description('Optional. Enable internet security.')
-param enableInternetSecurity bool = false
-
-@description('Optional. Enable BGP flag.')
-param enableBgp bool = false
-
-@description('Optional. Routing weight for VPN connection.')
-param routingWeight int = 0
-
-@description('Optional. Expected bandwidth in MBPS.')
-param connectionBandwidth int = 10
-
-@description('Optional. Gateway connection protocol.')
-@allowed([
- 'IKEv1'
- 'IKEv2'
-])
-param vpnConnectionProtocolType string = 'IKEv2'
-
-@description('Optional. SharedKey for the VPN connection.')
-@secure()
-param sharedKey string = ''
-
-@description('Optional. Reference to a VPN site to link to.')
-param remoteVpnSiteResourceId string = ''
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource vpnGateway 'Microsoft.Network/vpnGateways@2023-04-01' existing = {
- name: vpnGatewayName
-}
-
-resource vpnConnection 'Microsoft.Network/vpnGateways/vpnConnections@2023-04-01' = {
- name: name
- parent: vpnGateway
- properties: {
- connectionBandwidth: connectionBandwidth
- enableBgp: enableBgp
- enableInternetSecurity: enableInternetSecurity
- enableRateLimiting: enableRateLimiting
- ipsecPolicies: ipsecPolicies
- remoteVpnSite: !empty(remoteVpnSiteResourceId) ? {
- id: remoteVpnSiteResourceId
- } : null
- routingConfiguration: routingConfiguration
- routingWeight: routingWeight
- sharedKey: sharedKey
- trafficSelectorPolicies: trafficSelectorPolicies
- useLocalAzureIpAddress: useLocalAzureIpAddress
- usePolicyBasedTrafficSelectors: usePolicyBasedTrafficSelectors
- vpnConnectionProtocolType: vpnConnectionProtocolType
- vpnLinkConnections: vpnLinkConnections
- }
-}
-
-@description('The name of the VPN connection.')
-output name string = vpnConnection.name
-
-@description('The resource ID of the VPN connection.')
-output resourceId string = vpnConnection.id
-
-@description('The name of the resource group the VPN connection was deployed into.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/network/vpn-gateway/vpn-connection/main.json b/modules/network/vpn-gateway/vpn-connection/main.json
deleted file mode 100644
index 84a6dfdf0b..0000000000
--- a/modules/network/vpn-gateway/vpn-connection/main.json
+++ /dev/null
@@ -1,197 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6383697389251029881" - }, - "name": "VPN Gateway VPN Connections", - "description": "This module deploys a VPN Gateway VPN Connection.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the VPN connection." - } - }, - "vpnGatewayName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent VPN gateway this VPN connection is associated with. Required if the template is used in a standalone deployment." - } - }, - "ipsecPolicies": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The IPSec policies to be considered by this connection." - } - }, - "trafficSelectorPolicies": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The traffic selector policies to be considered by this connection." - } - }, - "vpnLinkConnections": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of all VPN site link connections to the gateway." - } - }, - "routingConfiguration": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Routing configuration indicating the associated and propagated route tables for this connection." - } - }, - "usePolicyBasedTrafficSelectors": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enable policy-based traffic selectors." - } - }, - "useLocalAzureIpAddress": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Use local Azure IP to initiate connection." 
- } - }, - "enableRateLimiting": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enable rate limiting." - } - }, - "enableInternetSecurity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enable internet security." - } - }, - "enableBgp": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enable BGP flag." - } - }, - "routingWeight": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. Routing weight for VPN connection." - } - }, - "connectionBandwidth": { - "type": "int", - "defaultValue": 10, - "metadata": { - "description": "Optional. Expected bandwidth in MBPS." - } - }, - "vpnConnectionProtocolType": { - "type": "string", - "defaultValue": "IKEv2", - "allowedValues": [ - "IKEv1", - "IKEv2" - ], - "metadata": { - "description": "Optional. Gateway connection protocol." - } - }, - "sharedKey": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. SharedKey for the VPN connection." - } - }, - "remoteVpnSiteResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Reference to a VPN site to link to." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/vpnGateways/vpnConnections", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('vpnGatewayName'), parameters('name'))]", - "properties": { - "connectionBandwidth": "[parameters('connectionBandwidth')]", - "enableBgp": "[parameters('enableBgp')]", - "enableInternetSecurity": "[parameters('enableInternetSecurity')]", - "enableRateLimiting": "[parameters('enableRateLimiting')]", - "ipsecPolicies": "[parameters('ipsecPolicies')]", - "remoteVpnSite": "[if(not(empty(parameters('remoteVpnSiteResourceId'))), createObject('id', parameters('remoteVpnSiteResourceId')), null())]", - "routingConfiguration": "[parameters('routingConfiguration')]", - "routingWeight": "[parameters('routingWeight')]", - "sharedKey": "[parameters('sharedKey')]", - "trafficSelectorPolicies": "[parameters('trafficSelectorPolicies')]", - "useLocalAzureIpAddress": "[parameters('useLocalAzureIpAddress')]", - "usePolicyBasedTrafficSelectors": "[parameters('usePolicyBasedTrafficSelectors')]", - "vpnConnectionProtocolType": "[parameters('vpnConnectionProtocolType')]", - "vpnLinkConnections": "[parameters('vpnLinkConnections')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the VPN connection." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the VPN connection." 
- }, - "value": "[resourceId('Microsoft.Network/vpnGateways/vpnConnections', parameters('vpnGatewayName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the VPN connection was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file
diff --git a/modules/network/vpn-gateway/vpn-connection/version.json b/modules/network/vpn-gateway/vpn-connection/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/network/vpn-gateway/vpn-connection/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/network/vpn-site/MOVED-TO-AVM.md b/modules/network/vpn-site/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/network/vpn-site/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/network/vpn-site/README.md b/modules/network/vpn-site/README.md
index d84b75f8c5..1843a6d4e2 100644
--- a/modules/network/vpn-site/README.md
+++ b/modules/network/vpn-site/README.md
@@ -1,754 +1,7 @@
-# VPN Sites `[Microsoft.Network/vpnSites]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/network/vpn-site](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/network/vpn-site).** -This module deploys a VPN Site. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/network/vpn-site). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/vpnSites` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/vpnSites) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.vpn-site:1.0.0`. 
- -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nvsmin' - params: { - // Required parameters - name: 'nvsmin' - virtualWanId: '' - // Non-required parameters - addressPrefixes: [ - '10.0.0.0/16' - ] - enableDefaultTelemetry: '' - ipAddress: '1.2.3.4' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nvsmin" - }, - "virtualWanId": { - "value": "" - }, - // Non-required parameters - "addressPrefixes": { - "value": [ - "10.0.0.0/16" - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "ipAddress": { - "value": "1.2.3.4" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nvsmax' - params: { - // Required parameters - name: 'nvsmax' - virtualWanId: '' - // Non-required parameters - deviceProperties: { - linkSpeedInMbps: 0 - } - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - o365Policy: { - breakOutCategories: { - allow: true - default: true - optimize: true - } - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - tagA: 'valueA' - tagB: 'valueB' - } - vpnSiteLinks: [ - { - name: 'vSite-nvsmax' - properties: { - bgpProperties: { - asn: 65010 - bgpPeeringAddress: '1.1.1.1' - } - ipAddress: '1.2.3.4' - linkProperties: { - linkProviderName: 'contoso' - linkSpeedInMbps: 5 - } - } - } - { - name: 'Link1' - properties: { - bgpProperties: { - asn: 65020 - bgpPeeringAddress: '192.168.1.0' - } - ipAddress: '2.2.2.2' - linkProperties: { - linkProviderName: 'contoso' - linkSpeedInMbps: 5 - } - } - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nvsmax" - }, - "virtualWanId": { - "value": "" - }, - // Non-required parameters - "deviceProperties": { - "value": { - "linkSpeedInMbps": 0 - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "o365Policy": { - "value": { - "breakOutCategories": { - "allow": true, - "default": true, - "optimize": true - } - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "hidden-title": "This is visible in the resource name", - "tagA": "valueA", - "tagB": "valueB" - } - }, - "vpnSiteLinks": { - "value": [ - { - "name": "vSite-nvsmax", - "properties": { - "bgpProperties": { - "asn": 65010, - "bgpPeeringAddress": "1.1.1.1" - }, - "ipAddress": "1.2.3.4", - "linkProperties": { - "linkProviderName": "contoso", - "linkSpeedInMbps": 5 - } - } - }, - { - "name": "Link1", - "properties": { - "bgpProperties": { - "asn": 65020, - "bgpPeeringAddress": "192.168.1.0" - }, - "ipAddress": "2.2.2.2", - "linkProperties": { - "linkProviderName": "contoso", - "linkSpeedInMbps": 5 - } - } - } - ] - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nvswaf' - params: { - // Required parameters - name: 'nvswaf' - virtualWanId: '' - // Non-required parameters - deviceProperties: { - linkSpeedInMbps: 0 - } - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - o365Policy: { - breakOutCategories: { - allow: true - default: true - optimize: true - } - } - tags: { - 'hidden-title': 'This is visible in the resource name' - tagA: 'valueA' - tagB: 'valueB' - } - vpnSiteLinks: [ - { - name: 'vSite-nvswaf' - properties: { - bgpProperties: { - asn: 65010 - bgpPeeringAddress: '1.1.1.1' - } - ipAddress: '1.2.3.4' - linkProperties: { - linkProviderName: 'contoso' - linkSpeedInMbps: 5 - } - } - } - { - name: 'Link1' - properties: { - bgpProperties: { - asn: 65020 - bgpPeeringAddress: '192.168.1.0' - } - ipAddress: '2.2.2.2' - linkProperties: { - linkProviderName: 'contoso' - linkSpeedInMbps: 5 - } - } - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nvswaf" - }, - "virtualWanId": { - "value": "" - }, - // Non-required parameters - "deviceProperties": { - "value": { - "linkSpeedInMbps": 0 - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "o365Policy": { - "value": { - "breakOutCategories": { - "allow": true, - "default": true, - "optimize": true - } - } - }, - "tags": { - "value": { - "hidden-title": "This is visible in the resource name", - "tagA": "valueA", - "tagB": "valueB" - } - }, - "vpnSiteLinks": { - "value": [ - { - "name": "vSite-nvswaf", - "properties": { - "bgpProperties": { - "asn": 65010, - "bgpPeeringAddress": "1.1.1.1" - }, - "ipAddress": "1.2.3.4", - "linkProperties": { - "linkProviderName": "contoso", - "linkSpeedInMbps": 5 - } - } - }, - { - "name": "Link1", - "properties": { - "bgpProperties": { - "asn": 65020, - "bgpPeeringAddress": "192.168.1.0" - }, - "ipAddress": "2.2.2.2", - "linkProperties": { - "linkProviderName": "contoso", - "linkSpeedInMbps": 5 - } - } - } - ] - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the VPN Site. | -| [`virtualWanId`](#parameter-virtualwanid) | string | Resource ID of the virtual WAN to link to. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`addressPrefixes`](#parameter-addressprefixes) | array | An array of IP address ranges that can be used by subnets of the virtual network. Required if no bgpProperties or VPNSiteLinks are configured. | -| [`bgpProperties`](#parameter-bgpproperties) | object | BGP settings details. Note: This is a deprecated property, please use the corresponding VpnSiteLinks property instead. Required if no addressPrefixes or VPNSiteLinks are configured. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`deviceProperties`](#parameter-deviceproperties) | object | List of properties of the device. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`ipAddress`](#parameter-ipaddress) | string | The IP-address for the VPN-site. Note: This is a deprecated property, please use the corresponding VpnSiteLinks property instead. | -| [`isSecuritySite`](#parameter-issecuritysite) | bool | IsSecuritySite flag. | -| [`location`](#parameter-location) | string | Location where all resources will be created. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`o365Policy`](#parameter-o365policy) | object | The Office365 breakout policy. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`vpnSiteLinks`](#parameter-vpnsitelinks) | array | List of all VPN site links. | - -### Parameter: `name` - -Name of the VPN Site. 
- -- Required: Yes -- Type: string - -### Parameter: `virtualWanId` - -Resource ID of the virtual WAN to link to. - -- Required: Yes -- Type: string - -### Parameter: `addressPrefixes` - -An array of IP address ranges that can be used by subnets of the virtual network. Required if no bgpProperties or VPNSiteLinks are configured. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `bgpProperties` - -BGP settings details. Note: This is a deprecated property, please use the corresponding VpnSiteLinks property instead. Required if no addressPrefixes or VPNSiteLinks are configured. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `deviceProperties` - -List of properties of the device. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `ipAddress` - -The IP-address for the VPN-site. Note: This is a deprecated property, please use the corresponding VpnSiteLinks property instead. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `isSecuritySite` - -IsSecuritySite flag. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `location` - -Location where all resources will be created. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. 
- -- Required: No -- Type: string - -### Parameter: `o365Policy` - -The Office365 breakout policy. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `vpnSiteLinks` - -List of all VPN site links. - -- Required: No -- Type: array -- Default: `[]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the VPN site. | -| `resourceGroupName` | string | The resource group the VPN site was deployed into. | -| `resourceId` | string | The resource ID of the VPN site. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage `deviceProperties` - -

- -Parameter JSON format - -```json -"deviceProperties": { - "value": { - "deviceModel": "morty", - "deviceVendor": "contoso", - "linkSpeedInMbps": 0 - } -} -``` - -
- - -
- -Bicep format - -```bicep -deviceProperties: { - deviceModel: 'morty' - deviceVendor: 'contoso' - linkSpeedInMbps: 0 -} -``` - -
-

+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/network/vpn-site/main.bicep b/modules/network/vpn-site/main.bicep
deleted file mode 100644
index 182a3ef359..0000000000
--- a/modules/network/vpn-site/main.bicep
+++ /dev/null
@@ -1,156 +0,0 @@ -metadata name = 'VPN Sites' -metadata description = 'This module deploys a VPN Site.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. Name of the VPN Site.') -param name string - -@description('Required. Resource ID of the virtual WAN to link to.') -param virtualWanId string - -@description('Optional. Location where all resources will be created.') -param location string = resourceGroup().location - -@description('Optional. Tags of the resource.') -param tags object? - -@description('Conditional. An array of IP address ranges that can be used by subnets of the virtual network. Required if no bgpProperties or VPNSiteLinks are configured.') -param addressPrefixes array = [] - -@description('Conditional. BGP settings details. Note: This is a deprecated property, please use the corresponding VpnSiteLinks property instead. Required if no addressPrefixes or VPNSiteLinks are configured.') -param bgpProperties object = {} - -@description('Optional. List of properties of the device.') -param deviceProperties object = {} - -@description('Optional. The IP-address for the VPN-site. Note: This is a deprecated property, please use the corresponding VpnSiteLinks property instead.') -param ipAddress string = '' - -@description('Optional. IsSecuritySite flag.') -param isSecuritySite bool = false - -@description('Optional. The Office365 breakout policy.') -param o365Policy object = {} - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. List of all VPN site links.') -param vpnSiteLinks array = [] - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. 
Array of role assignments to create.') -param roleAssignments roleAssignmentType - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource vpnSite 'Microsoft.Network/vpnSites@2023-04-01' = { - name: name - location: location - tags: tags - properties: { - addressSpace: !empty(addressPrefixes) ? { - addressPrefixes: addressPrefixes - } : null - bgpProperties: !empty(bgpProperties) ? bgpProperties : null - deviceProperties: !empty(deviceProperties) ? deviceProperties : null - ipAddress: !empty(ipAddress) ? ipAddress : null - isSecuritySite: isSecuritySite - o365Policy: !empty(o365Policy) ? o365Policy : null - virtualWan: { - id: virtualWanId - } - vpnSiteLinks: !empty(vpnSiteLinks) ? vpnSiteLinks : null - } -} - -resource vpnSite_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? 
{}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' - } - scope: vpnSite -} - -resource vpnSite_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(vpnSite.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: vpnSite -}] - -@description('The name of the VPN site.') -output name string = vpnSite.name - -@description('The resource ID of the VPN site.') -output resourceId string = vpnSite.id - -@description('The resource group the VPN site was deployed into.') -output resourceGroupName string = resourceGroup().name - -@description('The location the resource was deployed into.') -output location string = vpnSite.location - -// =============== // -// Definitions // -// =============== // - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. 
Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? diff --git a/modules/network/vpn-site/main.json b/modules/network/vpn-site/main.json deleted file mode 100644 index f7300ea789..0000000000 --- a/modules/network/vpn-site/main.json +++ /dev/null 
@@ -1,315 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "3174704764297333181" - }, - "name": "VPN Sites", - "description": "This module deploys a VPN Site.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the VPN Site." - } - }, - "virtualWanId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the virtual WAN to link to." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location where all resources will be created." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "addressPrefixes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Conditional. An array of IP address ranges that can be used by subnets of the virtual network. Required if no bgpProperties or VPNSiteLinks are configured." - } - }, - "bgpProperties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Conditional. BGP settings details. Note: This is a deprecated property, please use the corresponding VpnSiteLinks property instead. Required if no addressPrefixes or VPNSiteLinks are configured." - } - }, - "deviceProperties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. List of properties of the device." 
- } - }, - "ipAddress": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The IP-address for the VPN-site. Note: This is a deprecated property, please use the corresponding VpnSiteLinks property instead." - } - }, - "isSecuritySite": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. IsSecuritySite flag." - } - }, - "o365Policy": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The Office365 breakout policy." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "vpnSiteLinks": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of all VPN site links." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "vpnSite": { - "type": "Microsoft.Network/vpnSites", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "addressSpace": "[if(not(empty(parameters('addressPrefixes'))), createObject('addressPrefixes', parameters('addressPrefixes')), null())]", - "bgpProperties": "[if(not(empty(parameters('bgpProperties'))), parameters('bgpProperties'), null())]", - "deviceProperties": "[if(not(empty(parameters('deviceProperties'))), parameters('deviceProperties'), null())]", - "ipAddress": 
"[if(not(empty(parameters('ipAddress'))), parameters('ipAddress'), null())]", - "isSecuritySite": "[parameters('isSecuritySite')]", - "o365Policy": "[if(not(empty(parameters('o365Policy'))), parameters('o365Policy'), null())]", - "virtualWan": { - "id": "[parameters('virtualWanId')]" - }, - "vpnSiteLinks": "[if(not(empty(parameters('vpnSiteLinks'))), parameters('vpnSiteLinks'), null())]" - } - }, - "vpnSite_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/vpnSites/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "vpnSite" - ] - }, - "vpnSite_roleAssignments": { - "copy": { - "name": "vpnSite_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/vpnSites/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/vpnSites', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], 
if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "vpnSite" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the VPN site." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the VPN site." - }, - "value": "[resourceId('Microsoft.Network/vpnSites', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the VPN site was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." 
- }, - "value": "[reference('vpnSite', '2023-04-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/vpn-site/tests/e2e/defaults/dependencies.bicep b/modules/network/vpn-site/tests/e2e/defaults/dependencies.bicep deleted file mode 100644 index bb151ad9d8..0000000000 --- a/modules/network/vpn-site/tests/e2e/defaults/dependencies.bicep +++ /dev/null @@ -1,13 +0,0 @@ -@description('Required. The name of the virtual WAN to create.') -param virtualWANName string - -@description('Optional. The location to deploy resources to.') -param location string = resourceGroup().location - -resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' = { - name: virtualWANName - location: location -} - -@description('The resource ID of the created Virtual WAN.') -output virtualWWANResourceId string = virtualWan.id diff --git a/modules/network/vpn-site/tests/e2e/defaults/main.test.bicep b/modules/network/vpn-site/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index e765763573..0000000000 --- a/modules/network/vpn-site/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,62 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.vpnSites-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nvsmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualWANName: 'dep-${namePrefix}-vw-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}'
- virtualWanId: nestedDependencies.outputs.virtualWWANResourceId
- addressPrefixes: [
- '10.0.0.0/16'
- ]
- ipAddress: '1.2.3.4'
- }
-}]
diff --git a/modules/network/vpn-site/tests/e2e/max/dependencies.bicep b/modules/network/vpn-site/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 8e2694c27f..0000000000
--- a/modules/network/vpn-site/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,24 +0,0 @@
-@description('Required. The name of the managed identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the virtual WAN to create.')
-param virtualWANName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' = {
- name: virtualWANName
- location: location
-}
-
-@description('The principal ID of the created managed identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Virtual WAN.')
-output virtualWWANResourceId string = virtualWan.id
diff --git a/modules/network/vpn-site/tests/e2e/max/main.test.bicep b/modules/network/vpn-site/tests/e2e/max/main.test.bicep
deleted file mode 100644
index d57e267bbb..0000000000
--- a/modules/network/vpn-site/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,125 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.vpnSites-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nvsmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- virtualWANName: 'dep-${namePrefix}-vw-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}'
- virtualWanId: nestedDependencies.outputs.virtualWWANResourceId
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- tagA: 'valueA'
- tagB: 'valueB'
- }
- deviceProperties: {
- linkSpeedInMbps: 0
- }
- vpnSiteLinks: [
- {
- name: '${namePrefix}-vSite-${serviceShort}'
- properties: {
- bgpProperties: {
- asn: 65010
- bgpPeeringAddress: '1.1.1.1'
- }
- ipAddress: '1.2.3.4'
- linkProperties: {
- linkProviderName: 'contoso'
- linkSpeedInMbps: 5
- }
- }
- }
- {
- name: 'Link1'
- properties: {
- bgpProperties: {
- asn: 65020
- bgpPeeringAddress: '192.168.1.0'
- }
- ipAddress: '2.2.2.2'
- linkProperties: {
- linkProviderName: 'contoso'
- linkSpeedInMbps: 5
- }
- }
- }
- ]
- o365Policy: {
- breakOutCategories: {
- optimize: true
- allow: true
- default: true
- }
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- }
-}]
diff --git a/modules/network/vpn-site/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/vpn-site/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 8e2694c27f..0000000000
--- a/modules/network/vpn-site/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,24 +0,0 @@
-@description('Required. The name of the managed identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the virtual WAN to create.')
-param virtualWANName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' = {
- name: virtualWANName
- location: location
-}
-
-@description('The principal ID of the created managed identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Virtual WAN.')
-output virtualWWANResourceId string = virtualWan.id
diff --git a/modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep b/modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 3b996255bc..0000000000
--- a/modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,108 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-network.vpnSites-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nvswaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- virtualWANName: 'dep-${namePrefix}-vw-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}'
- virtualWanId: nestedDependencies.outputs.virtualWWANResourceId
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- tagA: 'valueA'
- tagB: 'valueB'
- }
- deviceProperties: {
- linkSpeedInMbps: 0
- }
- vpnSiteLinks: [
- {
- name: '${namePrefix}-vSite-${serviceShort}'
- properties: {
- bgpProperties: {
- asn: 65010
- bgpPeeringAddress: '1.1.1.1'
- }
- ipAddress: '1.2.3.4'
- linkProperties: {
- linkProviderName: 'contoso'
- linkSpeedInMbps: 5
- }
- }
- }
- {
- name: 'Link1'
- properties: {
- bgpProperties: {
- asn: 65020
- bgpPeeringAddress: '192.168.1.0'
- }
- ipAddress: '2.2.2.2'
- linkProperties: {
- linkProviderName: 'contoso'
- linkSpeedInMbps: 5
- }
- }
- }
- ]
- o365Policy: {
- breakOutCategories: {
- optimize: true
- allow: true
- default: true
- }
- }
- }
-}]
diff --git a/modules/network/vpn-site/version.json b/modules/network/vpn-site/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/network/vpn-site/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/operational-insights/workspace/MOVED-TO-AVM.md b/modules/operational-insights/workspace/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/operational-insights/workspace/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/operational-insights/workspace/README.md b/modules/operational-insights/workspace/README.md
index 817891fcc3..d00ebedeb7 100644
--- a/modules/operational-insights/workspace/README.md
+++ b/modules/operational-insights/workspace/README.md
@@ -1,1951 +1,7 @@ -# Log Analytics Workspaces `[Microsoft.OperationalInsights/workspaces]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/operational-insights/workspace](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/operational-insights/workspace).** -This module deploys a Log Analytics Workspace. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/operational-insights/workspace). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.OperationalInsights/workspaces` | [2022-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2022-10-01/workspaces) | -| `Microsoft.OperationalInsights/workspaces/dataExports` | [2020-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2020-08-01/workspaces/dataExports) | -| `Microsoft.OperationalInsights/workspaces/dataSources` | 
[2020-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2020-08-01/workspaces/dataSources) | -| `Microsoft.OperationalInsights/workspaces/linkedServices` | [2020-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2020-08-01/workspaces/linkedServices) | -| `Microsoft.OperationalInsights/workspaces/linkedStorageAccounts` | [2020-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2020-08-01/workspaces/linkedStorageAccounts) | -| `Microsoft.OperationalInsights/workspaces/savedSearches` | [2020-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2020-08-01/workspaces/savedSearches) | -| `Microsoft.OperationalInsights/workspaces/storageInsightConfigs` | [2020-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2020-08-01/workspaces/storageInsightConfigs) | -| `Microsoft.OperationalInsights/workspaces/tables` | [2022-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2022-10-01/workspaces/tables) | -| `Microsoft.OperationsManagement/solutions` | [2015-11-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.OperationsManagement/2015-11-01-preview/solutions) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/operational-insights.workspace:1.0.0`. - -- [Adv](#example-1-adv) -- [Using only defaults](#example-2-using-only-defaults) -- [Using large parameter set](#example-3-using-large-parameter-set) -- [WAF-aligned](#example-4-waf-aligned) - -### Example 1: _Adv_ - -
- -via Bicep module - -```bicep -module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-oiwadv' - params: { - // Required parameters - name: 'oiwadv001' - // Non-required parameters - dailyQuotaGb: 10 - dataExports: [ - { - destination: { - metaData: { - eventHubName: '' - } - resourceId: '' - } - enable: true - name: 'eventHubExport' - tableNames: [ - 'Alert' - 'InsightsMetrics' - ] - } - { - destination: { - resourceId: '' - } - enable: true - name: 'storageAccountExport' - tableNames: [ - 'Operation' - ] - } - ] - dataSources: [ - { - eventLogName: 'Application' - eventTypes: [ - { - eventType: 'Error' - } - { - eventType: 'Warning' - } - { - eventType: 'Information' - } - ] - kind: 'WindowsEvent' - name: 'applicationEvent' - } - { - counterName: '% Processor Time' - instanceName: '*' - intervalSeconds: 60 - kind: 'WindowsPerformanceCounter' - name: 'windowsPerfCounter1' - objectName: 'Processor' - } - { - kind: 'IISLogs' - name: 'sampleIISLog1' - state: 'OnPremiseEnabled' - } - { - kind: 'LinuxSyslog' - name: 'sampleSyslog1' - syslogName: 'kern' - syslogSeverities: [ - { - severity: 'emerg' - } - { - severity: 'alert' - } - { - severity: 'crit' - } - { - severity: 'err' - } - { - severity: 'warning' - } - ] - } - { - kind: 'LinuxSyslogCollection' - name: 'sampleSyslogCollection1' - state: 'Enabled' - } - { - instanceName: '*' - intervalSeconds: 10 - kind: 'LinuxPerformanceObject' - name: 'sampleLinuxPerf1' - objectName: 'Logical Disk' - syslogSeverities: [ - { - counterName: '% Used Inodes' - } - { - counterName: 'Free Megabytes' - } - { - counterName: '% Used Space' - } - { - counterName: 'Disk Transfers/sec' - } - { - counterName: 'Disk Reads/sec' - } - { - counterName: 'Disk Writes/sec' - } - ] - } - { - kind: 'LinuxPerformanceCollection' - name: 'sampleLinuxPerfCollection1' - state: 'Enabled' - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - 
eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - gallerySolutions: [ - { - name: 'AzureAutomation' - product: 'OMSGallery' - publisher: 'Microsoft' - } - ] - linkedServices: [ - { - name: 'Automation' - resourceId: '' - } - ] - linkedStorageAccounts: [ - { - name: 'Query' - resourceId: '' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - publicNetworkAccessForIngestion: 'Disabled' - publicNetworkAccessForQuery: 'Disabled' - savedSearches: [ - { - category: 'VDC Saved Searches' - displayName: 'VMSS Instance Count2' - name: 'VMSSQueries' - query: 'Event | where Source == ServiceFabricNodeBootstrapAgent | summarize AggregatedValue = count() by Computer' - } - ] - storageInsightsConfigs: [ - { - storageAccountResourceId: '' - tables: [ - 'LinuxsyslogVer2v0' - 'WADETWEventTable' - 'WADServiceFabric*EventTable' - 'WADWindowsEventLogsTable' - ] - } - ] - tables: [ - { - name: 'CustomTableBasic_CL' - retentionInDays: 60 - schema: { - columns: [ - { - name: 'TimeGenerated' - type: 'DateTime' - } - { - name: 'RawData' - type: 'String' - } - ] - name: 'CustomTableBasic_CL' - } - totalRetentionInDays: 90 - } - { - name: 'CustomTableAdvanced_CL' - schema: { - columns: [ - { - name: 'TimeGenerated' - type: 'DateTime' - } - { - name: 'EventTime' - type: 'DateTime' - } - { - name: 'EventLevel' - type: 'String' - } - { - name: 'EventCode' - type: 'Int' - } - { - name: 'Message' - type: 'String' - } - { - name: 'RawData' - type: 'String' - } - ] - name: 'CustomTableAdvanced_CL' - } - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - useResourcePermissions: true - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "oiwadv001" - }, - // Non-required parameters - "dailyQuotaGb": { - "value": 10 - }, - "dataExports": { - "value": [ - { - "destination": { - "metaData": { - "eventHubName": "" - }, - "resourceId": "" - }, - "enable": true, - "name": "eventHubExport", - "tableNames": [ - "Alert", - "InsightsMetrics" - ] - }, - { - "destination": { - "resourceId": "" - }, - "enable": true, - "name": "storageAccountExport", - "tableNames": [ - "Operation" - ] - } - ] - }, - "dataSources": { - "value": [ - { - "eventLogName": "Application", - "eventTypes": [ - { - "eventType": "Error" - }, - { - "eventType": "Warning" - }, - { - "eventType": "Information" - } - ], - "kind": "WindowsEvent", - "name": "applicationEvent" - }, - { - "counterName": "% Processor Time", - "instanceName": "*", - "intervalSeconds": 60, - "kind": "WindowsPerformanceCounter", - "name": "windowsPerfCounter1", - "objectName": "Processor" - }, - { - "kind": "IISLogs", - "name": "sampleIISLog1", - "state": "OnPremiseEnabled" - }, - { - "kind": "LinuxSyslog", - "name": "sampleSyslog1", - "syslogName": "kern", - "syslogSeverities": [ - { - "severity": "emerg" - }, - { - "severity": "alert" - }, - { - "severity": "crit" - }, - { - "severity": "err" - }, - { - "severity": "warning" - } - ] - }, - { - "kind": "LinuxSyslogCollection", - "name": "sampleSyslogCollection1", - "state": "Enabled" - }, - { - "instanceName": "*", - "intervalSeconds": 10, - "kind": "LinuxPerformanceObject", - "name": "sampleLinuxPerf1", - "objectName": "Logical Disk", - "syslogSeverities": [ - { - "counterName": "% Used Inodes" - }, - { - "counterName": "Free Megabytes" - }, - { - "counterName": "% Used Space" - }, - { - "counterName": "Disk Transfers/sec" - }, - { - "counterName": "Disk Reads/sec" - }, - { - 
"counterName": "Disk Writes/sec" - } - ] - }, - { - "kind": "LinuxPerformanceCollection", - "name": "sampleLinuxPerfCollection1", - "state": "Enabled" - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "gallerySolutions": { - "value": [ - { - "name": "AzureAutomation", - "product": "OMSGallery", - "publisher": "Microsoft" - } - ] - }, - "linkedServices": { - "value": [ - { - "name": "Automation", - "resourceId": "" - } - ] - }, - "linkedStorageAccounts": { - "value": [ - { - "name": "Query", - "resourceId": "" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "publicNetworkAccessForIngestion": { - "value": "Disabled" - }, - "publicNetworkAccessForQuery": { - "value": "Disabled" - }, - "savedSearches": { - "value": [ - { - "category": "VDC Saved Searches", - "displayName": "VMSS Instance Count2", - "name": "VMSSQueries", - "query": "Event | where Source == ServiceFabricNodeBootstrapAgent | summarize AggregatedValue = count() by Computer" - } - ] - }, - "storageInsightsConfigs": { - "value": [ - { - "storageAccountResourceId": "", - "tables": [ - "LinuxsyslogVer2v0", - "WADETWEventTable", - "WADServiceFabric*EventTable", - "WADWindowsEventLogsTable" - ] - } - ] - }, - "tables": { - "value": [ - { - "name": "CustomTableBasic_CL", - "retentionInDays": 60, - "schema": { - "columns": [ - { - "name": "TimeGenerated", - "type": "DateTime" - }, - { - "name": "RawData", - "type": "String" - } - ], - "name": "CustomTableBasic_CL" - }, - "totalRetentionInDays": 90 - }, - { - "name": "CustomTableAdvanced_CL", - "schema": { - "columns": [ - { - "name": 
"TimeGenerated", - "type": "DateTime" - }, - { - "name": "EventTime", - "type": "DateTime" - }, - { - "name": "EventLevel", - "type": "String" - }, - { - "name": "EventCode", - "type": "Int" - }, - { - "name": "Message", - "type": "String" - }, - { - "name": "RawData", - "type": "String" - } - ], - "name": "CustomTableAdvanced_CL" - } - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "useResourcePermissions": { - "value": true - } - } -} -``` - -
-

- -### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-oiwmin' - params: { - // Required parameters - name: 'oiwmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "oiwmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 3: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-oiwmax' - params: { - // Required parameters - name: 'oiwmax001' - // Non-required parameters - dailyQuotaGb: 10 - dataSources: [ - { - eventLogName: 'Application' - eventTypes: [ - { - eventType: 'Error' - } - { - eventType: 'Warning' - } - { - eventType: 'Information' - } - ] - kind: 'WindowsEvent' - name: 'applicationEvent' - } - { - counterName: '% Processor Time' - instanceName: '*' - intervalSeconds: 60 - kind: 'WindowsPerformanceCounter' - name: 'windowsPerfCounter1' - objectName: 'Processor' - } - { - kind: 'IISLogs' - name: 'sampleIISLog1' - state: 'OnPremiseEnabled' - } - { - kind: 'LinuxSyslog' - name: 'sampleSyslog1' - syslogName: 'kern' - syslogSeverities: [ - { - severity: 'emerg' - } - { - severity: 'alert' - } - { - severity: 'crit' - } - { - severity: 'err' - } - { - severity: 'warning' - } - ] - } - { - kind: 'LinuxSyslogCollection' - name: 'sampleSyslogCollection1' - state: 'Enabled' - } - { - instanceName: '*' - intervalSeconds: 10 - kind: 'LinuxPerformanceObject' - name: 'sampleLinuxPerf1' - objectName: 'Logical Disk' - syslogSeverities: [ - { - counterName: '% Used Inodes' - } - { - counterName: 'Free Megabytes' - } - { - counterName: '% Used Space' - } - { - counterName: 'Disk Transfers/sec' - } - { - counterName: 'Disk Reads/sec' - } - { - counterName: 'Disk Writes/sec' - } - ] - } - { - kind: 'LinuxPerformanceCollection' - name: 'sampleLinuxPerfCollection1' - state: 'Enabled' - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - gallerySolutions: [ - { - name: 'AzureAutomation' - product: 'OMSGallery' - publisher: 'Microsoft' - } - ] - linkedServices: [ - { 
- name: 'Automation' - resourceId: '' - } - ] - linkedStorageAccounts: [ - { - name: 'Query' - resourceId: '' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - } - publicNetworkAccessForIngestion: 'Disabled' - publicNetworkAccessForQuery: 'Disabled' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - savedSearches: [ - { - category: 'VDC Saved Searches' - displayName: 'VMSS Instance Count2' - name: 'VMSSQueries' - query: 'Event | where Source == ServiceFabricNodeBootstrapAgent | summarize AggregatedValue = count() by Computer' - } - ] - storageInsightsConfigs: [ - { - storageAccountResourceId: '' - tables: [ - 'LinuxsyslogVer2v0' - 'WADETWEventTable' - 'WADServiceFabric*EventTable' - 'WADWindowsEventLogsTable' - ] - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - useResourcePermissions: true - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "oiwmax001" - }, - // Non-required parameters - "dailyQuotaGb": { - "value": 10 - }, - "dataSources": { - "value": [ - { - "eventLogName": "Application", - "eventTypes": [ - { - "eventType": "Error" - }, - { - "eventType": "Warning" - }, - { - "eventType": "Information" - } - ], - "kind": "WindowsEvent", - "name": "applicationEvent" - }, - { - "counterName": "% Processor Time", - "instanceName": "*", - "intervalSeconds": 60, - "kind": "WindowsPerformanceCounter", - "name": "windowsPerfCounter1", - "objectName": "Processor" - }, - { - "kind": "IISLogs", - "name": "sampleIISLog1", - "state": "OnPremiseEnabled" - }, - { - "kind": "LinuxSyslog", - "name": "sampleSyslog1", - "syslogName": "kern", - "syslogSeverities": [ - { - "severity": "emerg" - }, - { - "severity": "alert" - }, - { - "severity": "crit" - }, - { - "severity": "err" - }, - { - "severity": "warning" - } - ] - }, - { - "kind": "LinuxSyslogCollection", - "name": "sampleSyslogCollection1", - "state": "Enabled" - }, - { - "instanceName": "*", - "intervalSeconds": 10, - "kind": "LinuxPerformanceObject", - "name": "sampleLinuxPerf1", - "objectName": "Logical Disk", - "syslogSeverities": [ - { - "counterName": "% Used Inodes" - }, - { - "counterName": "Free Megabytes" - }, - { - "counterName": "% Used Space" - }, - { - "counterName": "Disk Transfers/sec" - }, - { - "counterName": "Disk Reads/sec" - }, - { - "counterName": "Disk Writes/sec" - } - ] - }, - { - "kind": "LinuxPerformanceCollection", - "name": "sampleLinuxPerfCollection1", - "state": "Enabled" - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - 
"storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "gallerySolutions": { - "value": [ - { - "name": "AzureAutomation", - "product": "OMSGallery", - "publisher": "Microsoft" - } - ] - }, - "linkedServices": { - "value": [ - { - "name": "Automation", - "resourceId": "" - } - ] - }, - "linkedStorageAccounts": { - "value": [ - { - "name": "Query", - "resourceId": "" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true - } - }, - "publicNetworkAccessForIngestion": { - "value": "Disabled" - }, - "publicNetworkAccessForQuery": { - "value": "Disabled" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "savedSearches": { - "value": [ - { - "category": "VDC Saved Searches", - "displayName": "VMSS Instance Count2", - "name": "VMSSQueries", - "query": "Event | where Source == ServiceFabricNodeBootstrapAgent | summarize AggregatedValue = count() by Computer" - } - ] - }, - "storageInsightsConfigs": { - "value": [ - { - "storageAccountResourceId": "", - "tables": [ - "LinuxsyslogVer2v0", - "WADETWEventTable", - "WADServiceFabric*EventTable", - "WADWindowsEventLogsTable" - ] - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "useResourcePermissions": { - "value": true - } - } -} -``` - -
-

- -### Example 4: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-oiwwaf' - params: { - // Required parameters - name: 'oiwwaf001' - // Non-required parameters - dailyQuotaGb: 10 - dataSources: [ - { - eventLogName: 'Application' - eventTypes: [ - { - eventType: 'Error' - } - { - eventType: 'Warning' - } - { - eventType: 'Information' - } - ] - kind: 'WindowsEvent' - name: 'applicationEvent' - } - { - counterName: '% Processor Time' - instanceName: '*' - intervalSeconds: 60 - kind: 'WindowsPerformanceCounter' - name: 'windowsPerfCounter1' - objectName: 'Processor' - } - { - kind: 'IISLogs' - name: 'sampleIISLog1' - state: 'OnPremiseEnabled' - } - { - kind: 'LinuxSyslog' - name: 'sampleSyslog1' - syslogName: 'kern' - syslogSeverities: [ - { - severity: 'emerg' - } - { - severity: 'alert' - } - { - severity: 'crit' - } - { - severity: 'err' - } - { - severity: 'warning' - } - ] - } - { - kind: 'LinuxSyslogCollection' - name: 'sampleSyslogCollection1' - state: 'Enabled' - } - { - instanceName: '*' - intervalSeconds: 10 - kind: 'LinuxPerformanceObject' - name: 'sampleLinuxPerf1' - objectName: 'Logical Disk' - syslogSeverities: [ - { - counterName: '% Used Inodes' - } - { - counterName: 'Free Megabytes' - } - { - counterName: '% Used Space' - } - { - counterName: 'Disk Transfers/sec' - } - { - counterName: 'Disk Reads/sec' - } - { - counterName: 'Disk Writes/sec' - } - ] - } - { - kind: 'LinuxPerformanceCollection' - name: 'sampleLinuxPerfCollection1' - state: 'Enabled' - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - gallerySolutions: [ - { - name: 'AzureAutomation' - product: 'OMSGallery' - publisher: 'Microsoft' - } - ] - linkedServices: [ - { 
- name: 'Automation' - resourceId: '' - } - ] - linkedStorageAccounts: [ - { - name: 'Query' - resourceId: '' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - } - publicNetworkAccessForIngestion: 'Disabled' - publicNetworkAccessForQuery: 'Disabled' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - savedSearches: [ - { - category: 'VDC Saved Searches' - displayName: 'VMSS Instance Count2' - name: 'VMSSQueries' - query: 'Event | where Source == ServiceFabricNodeBootstrapAgent | summarize AggregatedValue = count() by Computer' - } - ] - storageInsightsConfigs: [ - { - storageAccountResourceId: '' - tables: [ - 'LinuxsyslogVer2v0' - 'WADETWEventTable' - 'WADServiceFabric*EventTable' - 'WADWindowsEventLogsTable' - ] - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - useResourcePermissions: true - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "oiwwaf001" - }, - // Non-required parameters - "dailyQuotaGb": { - "value": 10 - }, - "dataSources": { - "value": [ - { - "eventLogName": "Application", - "eventTypes": [ - { - "eventType": "Error" - }, - { - "eventType": "Warning" - }, - { - "eventType": "Information" - } - ], - "kind": "WindowsEvent", - "name": "applicationEvent" - }, - { - "counterName": "% Processor Time", - "instanceName": "*", - "intervalSeconds": 60, - "kind": "WindowsPerformanceCounter", - "name": "windowsPerfCounter1", - "objectName": "Processor" - }, - { - "kind": "IISLogs", - "name": "sampleIISLog1", - "state": "OnPremiseEnabled" - }, - { - "kind": "LinuxSyslog", - "name": "sampleSyslog1", - "syslogName": "kern", - "syslogSeverities": [ - { - "severity": "emerg" - }, - { - "severity": "alert" - }, - { - "severity": "crit" - }, - { - "severity": "err" - }, - { - "severity": "warning" - } - ] - }, - { - "kind": "LinuxSyslogCollection", - "name": "sampleSyslogCollection1", - "state": "Enabled" - }, - { - "instanceName": "*", - "intervalSeconds": 10, - "kind": "LinuxPerformanceObject", - "name": "sampleLinuxPerf1", - "objectName": "Logical Disk", - "syslogSeverities": [ - { - "counterName": "% Used Inodes" - }, - { - "counterName": "Free Megabytes" - }, - { - "counterName": "% Used Space" - }, - { - "counterName": "Disk Transfers/sec" - }, - { - "counterName": "Disk Reads/sec" - }, - { - "counterName": "Disk Writes/sec" - } - ] - }, - { - "kind": "LinuxPerformanceCollection", - "name": "sampleLinuxPerfCollection1", - "state": "Enabled" - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - 
"storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "gallerySolutions": { - "value": [ - { - "name": "AzureAutomation", - "product": "OMSGallery", - "publisher": "Microsoft" - } - ] - }, - "linkedServices": { - "value": [ - { - "name": "Automation", - "resourceId": "" - } - ] - }, - "linkedStorageAccounts": { - "value": [ - { - "name": "Query", - "resourceId": "" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true - } - }, - "publicNetworkAccessForIngestion": { - "value": "Disabled" - }, - "publicNetworkAccessForQuery": { - "value": "Disabled" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "savedSearches": { - "value": [ - { - "category": "VDC Saved Searches", - "displayName": "VMSS Instance Count2", - "name": "VMSSQueries", - "query": "Event | where Source == ServiceFabricNodeBootstrapAgent | summarize AggregatedValue = count() by Computer" - } - ] - }, - "storageInsightsConfigs": { - "value": [ - { - "storageAccountResourceId": "", - "tables": [ - "LinuxsyslogVer2v0", - "WADETWEventTable", - "WADServiceFabric*EventTable", - "WADWindowsEventLogsTable" - ] - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "useResourcePermissions": { - "value": true - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Log Analytics workspace. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`linkedStorageAccounts`](#parameter-linkedstorageaccounts) | array | List of Storage Accounts to be linked. Required if 'forceCmkForQuery' is set to 'true' and 'savedSearches' is not empty. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`dailyQuotaGb`](#parameter-dailyquotagb) | int | The workspace daily quota for ingestion. | -| [`dataExports`](#parameter-dataexports) | array | LAW data export instances to be deployed. | -| [`dataRetention`](#parameter-dataretention) | int | Number of days data will be retained for. | -| [`dataSources`](#parameter-datasources) | array | LAW data sources to configure. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`forceCmkForQuery`](#parameter-forcecmkforquery) | bool | Indicates whether customer managed storage is mandatory for query management. | -| [`gallerySolutions`](#parameter-gallerysolutions) | array | List of gallerySolutions to be created in the log analytics workspace. | -| [`linkedServices`](#parameter-linkedservices) | array | List of services to be linked. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both. 
| -| [`publicNetworkAccessForIngestion`](#parameter-publicnetworkaccessforingestion) | string | The network access type for accessing Log Analytics ingestion. | -| [`publicNetworkAccessForQuery`](#parameter-publicnetworkaccessforquery) | string | The network access type for accessing Log Analytics query. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`savedSearches`](#parameter-savedsearches) | array | Kusto Query Language searches to save. | -| [`skuCapacityReservationLevel`](#parameter-skucapacityreservationlevel) | int | The capacity reservation level in GB for this workspace, when CapacityReservation sku is selected. Must be in increments of 100 between 100 and 5000. | -| [`skuName`](#parameter-skuname) | string | The name of the SKU. | -| [`storageInsightsConfigs`](#parameter-storageinsightsconfigs) | array | List of storage accounts to be read by the workspace. | -| [`tables`](#parameter-tables) | array | LAW custom tables to be deployed. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`useResourcePermissions`](#parameter-useresourcepermissions) | bool | Set to 'true' to use resource or workspace permissions and 'false' (or leave empty) to require workspace permissions. | - -### Parameter: `name` - -Name of the Log Analytics workspace. - -- Required: Yes -- Type: string - -### Parameter: `linkedStorageAccounts` - -List of Storage Accounts to be linked. Required if 'forceCmkForQuery' is set to 'true' and 'savedSearches' is not empty. 
- -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `dailyQuotaGb` - -The workspace daily quota for ingestion. - -- Required: No -- Type: int -- Default: `-1` - -### Parameter: `dataExports` - -LAW data export instances to be deployed. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `dataRetention` - -Number of days data will be retained for. - -- Required: No -- Type: int -- Default: `365` - -### Parameter: `dataSources` - -LAW data sources to configure. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `forceCmkForQuery` - -Indicates whether customer managed storage is mandatory for query management. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `gallerySolutions` - -List of gallerySolutions to be created in the log analytics workspace. 
- -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `linkedServices` - -List of services to be linked. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: No -- Type: array - -### Parameter: `publicNetworkAccessForIngestion` - -The network access type for accessing Log Analytics ingestion. 
- -- Required: No -- Type: string -- Default: `'Enabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `publicNetworkAccessForQuery` - -The network access type for accessing Log Analytics query. - -- Required: No -- Type: string -- Default: `'Enabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. 
| -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `savedSearches` - -Kusto Query Language searches to save. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `skuCapacityReservationLevel` - -The capacity reservation level in GB for this workspace, when CapacityReservation sku is selected. Must be in increments of 100 between 100 and 5000. 
- -- Required: No -- Type: int -- Default: `100` - -### Parameter: `skuName` - -The name of the SKU. - -- Required: No -- Type: string -- Default: `'PerGB2018'` -- Allowed: - ```Bicep - [ - 'CapacityReservation' - 'Free' - 'LACluster' - 'PerGB2018' - 'PerNode' - 'Premium' - 'Standalone' - 'Standard' - ] - ``` - -### Parameter: `storageInsightsConfigs` - -List of storage accounts to be read by the workspace. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `tables` - -LAW custom tables to be deployed. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `useResourcePermissions` - -Set to 'true' to use resource or workspace permissions and 'false' (or leave empty) to require workspace permissions. - -- Required: No -- Type: bool -- Default: `False` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `logAnalyticsWorkspaceId` | string | The ID associated with the workspace. | -| `name` | string | The name of the deployed log analytics workspace. | -| `resourceGroupName` | string | The resource group of the deployed log analytics workspace. | -| `resourceId` | string | The resource ID of the deployed log analytics workspace. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). 
- -| Reference | Type | -| :-- | :-- | -| `modules/operations-management/solution` | Local reference | +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/operational-insights/workspace/data-export/README.md b/modules/operational-insights/workspace/data-export/README.md deleted file mode 100644 index 1e9ab320e3..0000000000 --- a/modules/operational-insights/workspace/data-export/README.md +++ /dev/null 
@@ -1,98 +0,0 @@ -# Log Analytics Workspace Data Exports `[Microsoft.OperationalInsights/workspaces/dataExports]` - -This module deploys a Log Analytics Workspace Data Export. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.OperationalInsights/workspaces/dataExports` | [2020-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2020-08-01/workspaces/dataExports) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The data export rule name. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`workspaceName`](#parameter-workspacename) | string | The name of the parent workspaces. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`destination`](#parameter-destination) | object | Destination properties. | -| [`enable`](#parameter-enable) | bool | Active when enabled. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| [`tableNames`](#parameter-tablenames) | array | An array of tables to export, for example: ['Heartbeat', 'SecurityEvent']. | - -### Parameter: `name` - -The data export rule name. - -- Required: Yes -- Type: string - -### Parameter: `workspaceName` - -The name of the parent workspaces. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `destination` - -Destination properties. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `enable` - -Active when enabled. 
- -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via the Customer Usage Attribution ID (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `tableNames` - -An array of tables to export, for example: ['Heartbeat', 'SecurityEvent']. - -- Required: No -- Type: array -- Default: `[]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the data export. | -| `resourceGroupName` | string | The name of the resource group the data export was created in. | -| `resourceId` | string | The resource ID of the data export. | - -## Cross-referenced modules - -_None_ diff --git a/modules/operational-insights/workspace/data-export/main.bicep b/modules/operational-insights/workspace/data-export/main.bicep deleted file mode 100644 index d5aeb5e205..0000000000 --- a/modules/operational-insights/workspace/data-export/main.bicep +++ /dev/null 
@@ -1,70 +0,0 @@
-metadata name = 'Log Analytics Workspace Data Exports'
-metadata description = 'This module deploys a Log Analytics Workspace Data Export.'
-metadata owner = 'Azure/module-maintainers'
-
-// ============== //
-// Parameters //
-// ============== //
-
-@description('Required. The data export rule name.')
-@minLength(4)
-@maxLength(63)
-param name string
-
-@description('Conditional. The name of the parent workspaces. Required if the template is used in a standalone deployment.')
-param workspaceName string
-
-@description('Optional. Destination properties.')
-param destination object = {}
-
-@description('Optional. Active when enabled.')
-param enable bool = false
-
-@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. An array of tables to export, for example: [\'Heartbeat\', \'SecurityEvent\'].')
-param tableNames array = []
-
-// =============== //
-// Deployments //
-// =============== //
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
- name: workspaceName
-}
-
-resource dataExport 'Microsoft.OperationalInsights/workspaces/dataExports@2020-08-01' = {
- parent: workspace
- name: name
- properties: {
- destination: destination
- enable: enable
- tableNames: tableNames
- }
-}
-
-// =========== //
-// Outputs //
-// =========== //
-
-@description('The name of the data export.')
-output name string = dataExport.name
-
-@description('The resource ID of the data export.')
-output resourceId string = dataExport.id
-
-@description('The name of the resource group the data export was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/operational-insights/workspace/data-export/main.json b/modules/operational-insights/workspace/data-export/main.json
deleted file mode 100644
index a59c427049..0000000000
--- a/modules/operational-insights/workspace/data-export/main.json
+++ /dev/null
@@ -1,107 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17342339934568813477" - }, - "name": "Log Analytics Workspace Data Exports", - "description": "This module deploys a Log Analytics Workspace Data Export.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "minLength": 4, - "maxLength": 63, - "metadata": { - "description": "Required. The data export rule name." - } - }, - "workspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent workspaces. Required if the template is used in a standalone deployment." - } - }, - "destination": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Destination properties." - } - }, - "enable": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Active when enabled." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." - } - }, - "tableNames": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An array of tables to export, for example: ['Heartbeat', 'SecurityEvent']." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/dataExports", - "apiVersion": "2020-08-01", - "name": "[format('{0}/{1}', parameters('workspaceName'), parameters('name'))]", - "properties": { - "destination": "[parameters('destination')]", - "enable": "[parameters('enable')]", - "tableNames": "[parameters('tableNames')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the data export." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the data export." - }, - "value": "[resourceId('Microsoft.OperationalInsights/workspaces/dataExports', parameters('workspaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the data export was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/operational-insights/workspace/data-export/version.json b/modules/operational-insights/workspace/data-export/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/operational-insights/workspace/data-export/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/operational-insights/workspace/data-source/README.md b/modules/operational-insights/workspace/data-source/README.md
deleted file mode 100644
index c06337774d..0000000000
--- a/modules/operational-insights/workspace/data-source/README.md
+++ /dev/null
@@ -1,200 +0,0 @@ -# Log Analytics Workspace Datasources `[Microsoft.OperationalInsights/workspaces/dataSources]` - -This module deploys a Log Analytics Workspace Data Source. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.OperationalInsights/workspaces/dataSources` | [2020-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2020-08-01/workspaces/dataSources) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-kind) | string | The kind of the DataSource. | -| [`name`](#parameter-name) | string | Name of the solution. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`logAnalyticsWorkspaceName`](#parameter-loganalyticsworkspacename) | string | The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`counterName`](#parameter-countername) | string | Counter name to configure when kind is WindowsPerformanceCounter. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`eventLogName`](#parameter-eventlogname) | string | Windows event log name to configure when kind is WindowsEvent. | -| [`eventTypes`](#parameter-eventtypes) | array | Windows event types to configure when kind is WindowsEvent. | -| [`instanceName`](#parameter-instancename) | string | Name of the instance to configure when kind is WindowsPerformanceCounter or LinuxPerformanceObject. 
| -| [`intervalSeconds`](#parameter-intervalseconds) | int | Interval in seconds to configure when kind is WindowsPerformanceCounter or LinuxPerformanceObject. | -| [`linkedResourceId`](#parameter-linkedresourceid) | string | Resource ID of the resource to be linked. | -| [`objectName`](#parameter-objectname) | string | Name of the object to configure when kind is WindowsPerformanceCounter or LinuxPerformanceObject. | -| [`performanceCounters`](#parameter-performancecounters) | array | List of counters to configure when the kind is LinuxPerformanceObject. | -| [`state`](#parameter-state) | string | State to configure when kind is IISLogs or LinuxSyslogCollection or LinuxPerformanceCollection. | -| [`syslogName`](#parameter-syslogname) | string | System log to configure when kind is LinuxSyslog. | -| [`syslogSeverities`](#parameter-syslogseverities) | array | Severities to configure when kind is LinuxSyslog. | -| [`tags`](#parameter-tags) | object | Tags to configure in the resource. | - -### Parameter: `kind` - -The kind of the DataSource. - -- Required: No -- Type: string -- Default: `'AzureActivityLog'` -- Allowed: - ```Bicep - [ - 'AzureActivityLog' - 'IISLogs' - 'LinuxPerformanceCollection' - 'LinuxPerformanceObject' - 'LinuxSyslog' - 'LinuxSyslogCollection' - 'WindowsEvent' - 'WindowsPerformanceCounter' - ] - ``` - -### Parameter: `name` - -Name of the solution. - -- Required: Yes -- Type: string - -### Parameter: `logAnalyticsWorkspaceName` - -The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `counterName` - -Counter name to configure when kind is WindowsPerformanceCounter. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). 
- -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `eventLogName` - -Windows event log name to configure when kind is WindowsEvent. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `eventTypes` - -Windows event types to configure when kind is WindowsEvent. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `instanceName` - -Name of the instance to configure when kind is WindowsPerformanceCounter or LinuxPerformanceObject. - -- Required: No -- Type: string -- Default: `'*'` - -### Parameter: `intervalSeconds` - -Interval in seconds to configure when kind is WindowsPerformanceCounter or LinuxPerformanceObject. - -- Required: No -- Type: int -- Default: `60` - -### Parameter: `linkedResourceId` - -Resource ID of the resource to be linked. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `objectName` - -Name of the object to configure when kind is WindowsPerformanceCounter or LinuxPerformanceObject. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `performanceCounters` - -List of counters to configure when the kind is LinuxPerformanceObject. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `state` - -State to configure when kind is IISLogs or LinuxSyslogCollection or LinuxPerformanceCollection. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `syslogName` - -System log to configure when kind is LinuxSyslog. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `syslogSeverities` - -Severities to configure when kind is LinuxSyslog. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `tags` - -Tags to configure in the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed data source. | -| `resourceGroupName` | string | The resource group where the data source is deployed. 
| -| `resourceId` | string | The resource ID of the deployed data source. | - -## Cross-referenced modules - -_None_ diff --git a/modules/operational-insights/workspace/data-source/main.bicep b/modules/operational-insights/workspace/data-source/main.bicep deleted file mode 100644 index 7322f62ece..0000000000 --- a/modules/operational-insights/workspace/data-source/main.bicep +++ /dev/null 
@@ -1,106 +0,0 @@ -metadata name = 'Log Analytics Workspace Datasources' -metadata description = 'This module deploys a Log Analytics Workspace Data Source.' -metadata owner = 'Azure/module-maintainers' - -@description('Conditional. The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment.') -param logAnalyticsWorkspaceName string - -@description('Required. Name of the solution.') -param name string - -@description('Required. The kind of the DataSource.') -@allowed([ - 'AzureActivityLog' - 'WindowsEvent' - 'WindowsPerformanceCounter' - 'IISLogs' - 'LinuxSyslog' - 'LinuxSyslogCollection' - 'LinuxPerformanceObject' - 'LinuxPerformanceCollection' -]) -param kind string = 'AzureActivityLog' - -@description('Optional. Tags to configure in the resource.') -param tags object? - -@description('Optional. Resource ID of the resource to be linked.') -param linkedResourceId string = '' - -@description('Optional. Windows event log name to configure when kind is WindowsEvent.') -param eventLogName string = '' - -@description('Optional. Windows event types to configure when kind is WindowsEvent.') -param eventTypes array = [] - -@description('Optional. Name of the object to configure when kind is WindowsPerformanceCounter or LinuxPerformanceObject.') -param objectName string = '' - -@description('Optional. Name of the instance to configure when kind is WindowsPerformanceCounter or LinuxPerformanceObject.') -param instanceName string = '*' - -@description('Optional. Interval in seconds to configure when kind is WindowsPerformanceCounter or LinuxPerformanceObject.') -param intervalSeconds int = 60 - -@description('Optional. List of counters to configure when the kind is LinuxPerformanceObject.') -param performanceCounters array = [] - -@description('Optional. Counter name to configure when kind is WindowsPerformanceCounter.') -param counterName string = '' - -@description('Optional. 
State to configure when kind is IISLogs or LinuxSyslogCollection or LinuxPerformanceCollection.') -param state string = '' - -@description('Optional. System log to configure when kind is LinuxSyslog.') -param syslogName string = '' - -@description('Optional. Severities to configure when kind is LinuxSyslog.') -param syslogSeverities array = [] - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = { - name: logAnalyticsWorkspaceName -} - -resource dataSource 'Microsoft.OperationalInsights/workspaces/dataSources@2020-08-01' = { - name: name - parent: workspace - kind: kind - tags: tags - properties: { - linkedResourceId: !empty(kind) && kind == 'AzureActivityLog' ? linkedResourceId : null - eventLogName: !empty(kind) && kind == 'WindowsEvent' ? eventLogName : null - eventTypes: !empty(kind) && kind == 'WindowsEvent' ? eventTypes : null - objectName: !empty(kind) && (kind == 'WindowsPerformanceCounter' || kind == 'LinuxPerformanceObject') ? objectName : null - instanceName: !empty(kind) && (kind == 'WindowsPerformanceCounter' || kind == 'LinuxPerformanceObject') ? instanceName : null - intervalSeconds: !empty(kind) && (kind == 'WindowsPerformanceCounter' || kind == 'LinuxPerformanceObject') ? intervalSeconds : null - counterName: !empty(kind) && kind == 'WindowsPerformanceCounter' ? counterName : null - state: !empty(kind) && (kind == 'IISLogs' || kind == 'LinuxSyslogCollection' || kind == 'LinuxPerformanceCollection') ? 
state : null - syslogName: !empty(kind) && kind == 'LinuxSyslog' ? syslogName : null - syslogSeverities: !empty(kind) && (kind == 'LinuxSyslog' || kind == 'LinuxPerformanceObject') ? syslogSeverities : null - performanceCounters: !empty(kind) && kind == 'LinuxPerformanceObject' ? performanceCounters : null - } -} - -@description('The resource ID of the deployed data source.') -output resourceId string = dataSource.id - -@description('The resource group where the data source is deployed.') -output resourceGroupName string = resourceGroup().name - -@description('The name of the deployed data source.') -output name string = dataSource.name diff --git a/modules/operational-insights/workspace/data-source/main.json b/modules/operational-insights/workspace/data-source/main.json deleted file mode 100644 index 26eafea591..0000000000 --- a/modules/operational-insights/workspace/data-source/main.json +++ /dev/null 
@@ -1,205 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16555972198709151465" - }, - "name": "Log Analytics Workspace Datasources", - "description": "This module deploys a Log Analytics Workspace Data Source.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "logAnalyticsWorkspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the solution." - } - }, - "kind": { - "type": "string", - "defaultValue": "AzureActivityLog", - "allowedValues": [ - "AzureActivityLog", - "WindowsEvent", - "WindowsPerformanceCounter", - "IISLogs", - "LinuxSyslog", - "LinuxSyslogCollection", - "LinuxPerformanceObject", - "LinuxPerformanceCollection" - ], - "metadata": { - "description": "Required. The kind of the DataSource." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to configure in the resource." - } - }, - "linkedResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the resource to be linked." - } - }, - "eventLogName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Windows event log name to configure when kind is WindowsEvent." - } - }, - "eventTypes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Windows event types to configure when kind is WindowsEvent." - } - }, - "objectName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
Name of the object to configure when kind is WindowsPerformanceCounter or LinuxPerformanceObject." - } - }, - "instanceName": { - "type": "string", - "defaultValue": "*", - "metadata": { - "description": "Optional. Name of the instance to configure when kind is WindowsPerformanceCounter or LinuxPerformanceObject." - } - }, - "intervalSeconds": { - "type": "int", - "defaultValue": 60, - "metadata": { - "description": "Optional. Interval in seconds to configure when kind is WindowsPerformanceCounter or LinuxPerformanceObject." - } - }, - "performanceCounters": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of counters to configure when the kind is LinuxPerformanceObject." - } - }, - "counterName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Counter name to configure when kind is WindowsPerformanceCounter." - } - }, - "state": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. State to configure when kind is IISLogs or LinuxSyslogCollection or LinuxPerformanceCollection." - } - }, - "syslogName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. System log to configure when kind is LinuxSyslog." - } - }, - "syslogSeverities": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Severities to configure when kind is LinuxSyslog." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "workspace": { - "existing": true, - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2022-10-01", - "name": "[parameters('logAnalyticsWorkspaceName')]" - }, - "dataSource": { - "type": "Microsoft.OperationalInsights/workspaces/dataSources", - "apiVersion": "2020-08-01", - "name": "[format('{0}/{1}', parameters('logAnalyticsWorkspaceName'), parameters('name'))]", - "kind": "[parameters('kind')]", - "tags": "[parameters('tags')]", - "properties": { - "linkedResourceId": "[if(and(not(empty(parameters('kind'))), equals(parameters('kind'), 'AzureActivityLog')), parameters('linkedResourceId'), null())]", - "eventLogName": "[if(and(not(empty(parameters('kind'))), equals(parameters('kind'), 'WindowsEvent')), parameters('eventLogName'), null())]", - "eventTypes": "[if(and(not(empty(parameters('kind'))), equals(parameters('kind'), 'WindowsEvent')), parameters('eventTypes'), null())]", - "objectName": "[if(and(not(empty(parameters('kind'))), or(equals(parameters('kind'), 'WindowsPerformanceCounter'), equals(parameters('kind'), 'LinuxPerformanceObject'))), parameters('objectName'), null())]", - "instanceName": "[if(and(not(empty(parameters('kind'))), or(equals(parameters('kind'), 'WindowsPerformanceCounter'), equals(parameters('kind'), 'LinuxPerformanceObject'))), parameters('instanceName'), null())]", - "intervalSeconds": "[if(and(not(empty(parameters('kind'))), or(equals(parameters('kind'), 'WindowsPerformanceCounter'), equals(parameters('kind'), 
'LinuxPerformanceObject'))), parameters('intervalSeconds'), null())]", - "counterName": "[if(and(not(empty(parameters('kind'))), equals(parameters('kind'), 'WindowsPerformanceCounter')), parameters('counterName'), null())]", - "state": "[if(and(not(empty(parameters('kind'))), or(or(equals(parameters('kind'), 'IISLogs'), equals(parameters('kind'), 'LinuxSyslogCollection')), equals(parameters('kind'), 'LinuxPerformanceCollection'))), parameters('state'), null())]", - "syslogName": "[if(and(not(empty(parameters('kind'))), equals(parameters('kind'), 'LinuxSyslog')), parameters('syslogName'), null())]", - "syslogSeverities": "[if(and(not(empty(parameters('kind'))), or(equals(parameters('kind'), 'LinuxSyslog'), equals(parameters('kind'), 'LinuxPerformanceObject'))), parameters('syslogSeverities'), null())]", - "performanceCounters": "[if(and(not(empty(parameters('kind'))), equals(parameters('kind'), 'LinuxPerformanceObject')), parameters('performanceCounters'), null())]" - }, - "dependsOn": [ - "workspace" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed data source." - }, - "value": "[resourceId('Microsoft.OperationalInsights/workspaces/dataSources', parameters('logAnalyticsWorkspaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group where the data source is deployed." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed data source." - }, - "value": "[parameters('name')]" - } - } -} \ No newline at end of file diff --git a/modules/operational-insights/workspace/data-source/version.json b/modules/operational-insights/workspace/data-source/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/operational-insights/workspace/data-source/version.json +++ /dev/null 
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/operational-insights/workspace/linked-service/README.md b/modules/operational-insights/workspace/linked-service/README.md
deleted file mode 100644
index e9eef72244..0000000000
--- a/modules/operational-insights/workspace/linked-service/README.md
+++ /dev/null
@@ -1,97 +0,0 @@
-# Log Analytics Workspace Linked Services `[Microsoft.OperationalInsights/workspaces/linkedServices]`
-
-This module deploys a Log Analytics Workspace Linked Service.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.OperationalInsights/workspaces/linkedServices` | [2020-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2020-08-01/workspaces/linkedServices) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | Name of the link. |
-| [`resourceId`](#parameter-resourceid) | string | The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require read access. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`logAnalyticsWorkspaceName`](#parameter-loganalyticsworkspacename) | string | The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`tags`](#parameter-tags) | object | Tags to configure in the resource. |
-| [`writeAccessResourceId`](#parameter-writeaccessresourceid) | string | The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require write access. |
-
-### Parameter: `name`
-
-Name of the link.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `resourceId`
-
-The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require read access.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `logAnalyticsWorkspaceName`
-
-The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `tags`
-
-Tags to configure in the resource.
-
-- Required: No
-- Type: object
-
-### Parameter: `writeAccessResourceId`
-
-The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require write access.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed linked service. |
-| `resourceGroupName` | string | The resource group where the linked service is deployed. |
-| `resourceId` | string | The resource ID of the deployed linked service. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/operational-insights/workspace/linked-service/main.bicep b/modules/operational-insights/workspace/linked-service/main.bicep
deleted file mode 100644
index 88fdc6283a..0000000000
--- a/modules/operational-insights/workspace/linked-service/main.bicep
+++ /dev/null
@@ -1,56 +0,0 @@
-metadata name = 'Log Analytics Workspace Linked Services'
-metadata description = 'This module deploys a Log Analytics Workspace Linked Service.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment.')
-param logAnalyticsWorkspaceName string
-
-@description('Required. Name of the link.')
-param name string
-
-@description('Required. The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require read access.')
-param resourceId string = ''
-
-@description('Optional. The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require write access.')
-param writeAccessResourceId string = ''
-
-@description('Optional. Tags to configure in the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
- name: logAnalyticsWorkspaceName
-}
-
-resource linkedService 'Microsoft.OperationalInsights/workspaces/linkedServices@2020-08-01' = {
- name: name
- parent: workspace
- tags: tags
- properties: {
- resourceId: resourceId
- writeAccessResourceId: empty(writeAccessResourceId) ? null : writeAccessResourceId
- }
-}
-
-@description('The name of the deployed linked service.')
-output name string = linkedService.name
-
-@description('The resource ID of the deployed linked service.')
-output resourceId string = linkedService.id
-
-@description('The resource group where the linked service is deployed.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/operational-insights/workspace/linked-service/main.json b/modules/operational-insights/workspace/linked-service/main.json
deleted file mode 100644
index 100567f48e..0000000000
--- a/modules/operational-insights/workspace/linked-service/main.json
+++ /dev/null
@@ -1,115 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4319942183601642190" - }, - "name": "Log Analytics Workspace Linked Services", - "description": "This module deploys a Log Analytics Workspace Linked Service.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "logAnalyticsWorkspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the link." - } - }, - "resourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Required. The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require read access." - } - }, - "writeAccessResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require write access." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to configure in the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "workspace": { - "existing": true, - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2022-10-01", - "name": "[parameters('logAnalyticsWorkspaceName')]" - }, - "linkedService": { - "type": "Microsoft.OperationalInsights/workspaces/linkedServices", - "apiVersion": "2020-08-01", - "name": "[format('{0}/{1}', parameters('logAnalyticsWorkspaceName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "resourceId": "[parameters('resourceId')]", - "writeAccessResourceId": "[if(empty(parameters('writeAccessResourceId')), null(), parameters('writeAccessResourceId'))]" - }, - "dependsOn": [ - "workspace" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed linked service." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed linked service." - }, - "value": "[resourceId('Microsoft.OperationalInsights/workspaces/linkedServices', parameters('logAnalyticsWorkspaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group where the linked service is deployed." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file 
diff --git a/modules/operational-insights/workspace/linked-service/version.json b/modules/operational-insights/workspace/linked-service/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/operational-insights/workspace/linked-service/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/operational-insights/workspace/linked-storage-account/README.md b/modules/operational-insights/workspace/linked-storage-account/README.md
deleted file mode 100644
index 983a98fe21..0000000000
--- a/modules/operational-insights/workspace/linked-storage-account/README.md
+++ /dev/null
@@ -1,88 +0,0 @@
-# Log Analytics Workspace Linked Storage Accounts `[Microsoft.OperationalInsights/workspaces/linkedStorageAccounts]`
-
-This module deploys a Log Analytics Workspace Linked Storage Account.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.OperationalInsights/workspaces/linkedStorageAccounts` | [2020-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2020-08-01/workspaces/linkedStorageAccounts) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | Name of the link. |
-| [`resourceId`](#parameter-resourceid) | string | The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require read access. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`logAnalyticsWorkspaceName`](#parameter-loganalyticsworkspacename) | string | The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-
-### Parameter: `name`
-
-Name of the link.
-
-- Required: Yes
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Alerts'
- 'AzureWatson'
- 'CustomLogs'
- 'Query'
- ]
- ```
-
-### Parameter: `resourceId`
-
-The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require read access.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `logAnalyticsWorkspaceName`
-
-The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed linked storage account. |
-| `resourceGroupName` | string | The resource group where the linked storage account is deployed. |
-| `resourceId` | string | The resource ID of the deployed linked storage account. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/operational-insights/workspace/linked-storage-account/main.bicep b/modules/operational-insights/workspace/linked-storage-account/main.bicep
deleted file mode 100644
index 4f69dc992a..0000000000
--- a/modules/operational-insights/workspace/linked-storage-account/main.bicep
+++ /dev/null
@@ -1,56 +0,0 @@
-metadata name = 'Log Analytics Workspace Linked Storage Accounts'
-metadata description = 'This module deploys a Log Analytics Workspace Linked Storage Account.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment.')
-param logAnalyticsWorkspaceName string
-
-@description('Required. Name of the link.')
-@allowed([
- 'Query'
- 'Alerts'
- 'CustomLogs'
- 'AzureWatson'
-])
-param name string
-
-@description('Required. The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require read access.')
-param resourceId string
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
- name: logAnalyticsWorkspaceName
-}
-
-resource linkedStorageAccount 'Microsoft.OperationalInsights/workspaces/linkedStorageAccounts@2020-08-01' = {
- name: name
- parent: workspace
- properties: {
- storageAccountIds: [
- resourceId
- ]
- }
-}
-
-@description('The name of the deployed linked storage account.')
-output name string = linkedStorageAccount.name
-
-@description('The resource ID of the deployed linked storage account.')
-output resourceId string = linkedStorageAccount.id
-
-@description('The resource group where the linked storage account is deployed.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/operational-insights/workspace/linked-storage-account/main.json b/modules/operational-insights/workspace/linked-storage-account/main.json
deleted file mode 100644
index 24f1fe2b4b..0000000000
--- a/modules/operational-insights/workspace/linked-storage-account/main.json
+++ /dev/null
@@ -1,96 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9016006615324724877" - }, - "name": "Log Analytics Workspace Linked Storage Accounts", - "description": "This module deploys a Log Analytics Workspace Linked Storage Account.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "logAnalyticsWorkspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "allowedValues": [ - "Query", - "Alerts", - "CustomLogs", - "AzureWatson" - ], - "metadata": { - "description": "Required. Name of the link." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require read access." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/linkedStorageAccounts", - "apiVersion": "2020-08-01", - "name": "[format('{0}/{1}', parameters('logAnalyticsWorkspaceName'), parameters('name'))]", - "properties": { - "storageAccountIds": [ - "[parameters('resourceId')]" - ] - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed linked storage account." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed linked storage account." - }, - "value": "[resourceId('Microsoft.OperationalInsights/workspaces/linkedStorageAccounts', parameters('logAnalyticsWorkspaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group where the linked storage account is deployed." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/operational-insights/workspace/linked-storage-account/version.json b/modules/operational-insights/workspace/linked-storage-account/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/operational-insights/workspace/linked-storage-account/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/operational-insights/workspace/main.bicep b/modules/operational-insights/workspace/main.bicep
deleted file mode 100644
index 83935efb70..0000000000
--- a/modules/operational-insights/workspace/main.bicep
+++ /dev/null
@@ -1,416 +0,0 @@ -metadata name = 'Log Analytics Workspaces' -metadata description = 'This module deploys a Log Analytics Workspace.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. Name of the Log Analytics workspace.') -param name string - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. The name of the SKU.') -@allowed([ - 'CapacityReservation' - 'Free' - 'LACluster' - 'PerGB2018' - 'PerNode' - 'Premium' - 'Standalone' - 'Standard' -]) -param skuName string = 'PerGB2018' - -@minValue(100) -@maxValue(5000) -@description('Optional. The capacity reservation level in GB for this workspace, when CapacityReservation sku is selected. Must be in increments of 100 between 100 and 5000.') -param skuCapacityReservationLevel int = 100 - -@description('Optional. List of storage accounts to be read by the workspace.') -param storageInsightsConfigs array = [] - -@description('Optional. List of services to be linked.') -param linkedServices array = [] - -@description('Conditional. List of Storage Accounts to be linked. Required if \'forceCmkForQuery\' is set to \'true\' and \'savedSearches\' is not empty.') -param linkedStorageAccounts array = [] - -@description('Optional. Kusto Query Language searches to save.') -param savedSearches array = [] - -@description('Optional. LAW data export instances to be deployed.') -param dataExports array = [] - -@description('Optional. LAW data sources to configure.') -param dataSources array = [] - -@description('Optional. LAW custom tables to be deployed.') -param tables array = [] - -@description('Optional. List of gallerySolutions to be created in the log analytics workspace.') -param gallerySolutions array = [] - -@description('Optional. Number of days data will be retained for.') -@minValue(0) -@maxValue(730) -param dataRetention int = 365 - -@description('Optional. 
The workspace daily quota for ingestion.') -@minValue(-1) -param dailyQuotaGb int = -1 - -@description('Optional. The network access type for accessing Log Analytics ingestion.') -@allowed([ - 'Enabled' - 'Disabled' -]) -param publicNetworkAccessForIngestion string = 'Enabled' - -@description('Optional. The network access type for accessing Log Analytics query.') -@allowed([ - 'Enabled' - 'Disabled' -]) -param publicNetworkAccessForQuery string = 'Enabled' - -@description('Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both.') -param managedIdentities managedIdentitiesType - -@description('Optional. Set to \'true\' to use resource or workspace permissions and \'false\' (or leave empty) to require workspace permissions.') -param useResourcePermissions bool = false - -@description('Optional. The diagnostic settings of the service.') -param diagnosticSettings diagnosticSettingType - -@description('Optional. Indicates whether customer managed storage is mandatory for query management.') -param forceCmkForQuery bool = true - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments roleAssignmentType - -@description('Optional. Tags of the resource.') -param tags object? - -@description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var enableReferencedModulesTelemetry = false - -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } - -var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? 'SystemAssigned' : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) - userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null -} : null - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Security Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb1c8493-542b-48eb-b624-b4c8fea62acd') - 'Security Reader': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '39bc4728-0917-49c7-9d2c-d95423bc2eb4') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = { - location: location - name: name - tags: tags - properties: { - features: { - searchVersion: 1 - enableLogAccessUsingOnlyResourcePermissions: useResourcePermissions - } - sku: { - name: skuName - capacityReservationLevel: skuName == 'CapacityReservation' ? skuCapacityReservationLevel : null - } - retentionInDays: dataRetention - workspaceCapping: { - dailyQuotaGb: dailyQuotaGb - } - publicNetworkAccessForIngestion: publicNetworkAccessForIngestion - publicNetworkAccessForQuery: publicNetworkAccessForQuery - forceCmkForQuery: forceCmkForQuery - } - identity: identity -} - -resource logAnalyticsWorkspace_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { - name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' - properties: { - storageAccountId: diagnosticSetting.?storageAccountResourceId - workspaceId: diagnosticSetting.?workspaceResourceId - eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId - eventHubName: diagnosticSetting.?eventHubName - metrics: diagnosticSetting.?metricCategories ?? 
[ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - } - ] - logs: diagnosticSetting.?logCategoriesAndGroups ?? [ - { - categoryGroup: 'AllLogs' - enabled: true - } - ] - marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId - logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType - } - scope: logAnalyticsWorkspace -}] - -module logAnalyticsWorkspace_storageInsightConfigs 'storage-insight-config/main.bicep' = [for (storageInsightsConfig, index) in storageInsightsConfigs: { - name: '${uniqueString(deployment().name, location)}-LAW-StorageInsightsConfig-${index}' - params: { - logAnalyticsWorkspaceName: logAnalyticsWorkspace.name - containers: contains(storageInsightsConfig, 'containers') ? storageInsightsConfig.containers : [] - tables: contains(storageInsightsConfig, 'tables') ? storageInsightsConfig.tables : [] - storageAccountResourceId: storageInsightsConfig.storageAccountResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -module logAnalyticsWorkspace_linkedServices 'linked-service/main.bicep' = [for (linkedService, index) in linkedServices: { - name: '${uniqueString(deployment().name, location)}-LAW-LinkedService-${index}' - params: { - logAnalyticsWorkspaceName: logAnalyticsWorkspace.name - name: linkedService.name - resourceId: contains(linkedService, 'resourceId') ? linkedService.resourceId : '' - writeAccessResourceId: contains(linkedService, 'writeAccessResourceId') ? 
linkedService.writeAccessResourceId : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -module logAnalyticsWorkspace_linkedStorageAccounts 'linked-storage-account/main.bicep' = [for (linkedStorageAccount, index) in linkedStorageAccounts: { - name: '${uniqueString(deployment().name, location)}-LAW-LinkedStorageAccount-${index}' - params: { - logAnalyticsWorkspaceName: logAnalyticsWorkspace.name - name: linkedStorageAccount.name - resourceId: linkedStorageAccount.resourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -module logAnalyticsWorkspace_savedSearches 'saved-search/main.bicep' = [for (savedSearch, index) in savedSearches: { - name: '${uniqueString(deployment().name, location)}-LAW-SavedSearch-${index}' - params: { - logAnalyticsWorkspaceName: logAnalyticsWorkspace.name - name: '${savedSearch.name}${uniqueString(deployment().name)}' - etag: contains(savedSearch, 'eTag') ? savedSearch.etag : '*' - displayName: savedSearch.displayName - category: savedSearch.category - query: savedSearch.query - functionAlias: contains(savedSearch, 'functionAlias') ? savedSearch.functionAlias : '' - functionParameters: contains(savedSearch, 'functionParameters') ? savedSearch.functionParameters : '' - version: contains(savedSearch, 'version') ? savedSearch.version : 2 - enableDefaultTelemetry: enableReferencedModulesTelemetry - } - dependsOn: [ - logAnalyticsWorkspace_linkedStorageAccounts - ] -}] - -module logAnalyticsWorkspace_dataExports 'data-export/main.bicep' = [for (dataExport, index) in dataExports: { - name: '${uniqueString(deployment().name, location)}-LAW-DataExport-${index}' - params: { - workspaceName: logAnalyticsWorkspace.name - name: dataExport.name - destination: contains(dataExport, 'destination') ? dataExport.destination : {} - enable: contains(dataExport, 'enable') ? dataExport.enable : false - tableNames: contains(dataExport, 'tableNames') ? 
dataExport.tableNames : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module logAnalyticsWorkspace_dataSources 'data-source/main.bicep' = [for (dataSource, index) in dataSources: {
- name: '${uniqueString(deployment().name, location)}-LAW-DataSource-${index}'
- params: {
- logAnalyticsWorkspaceName: logAnalyticsWorkspace.name
- name: dataSource.name
- kind: dataSource.kind
- linkedResourceId: contains(dataSource, 'linkedResourceId') ? dataSource.linkedResourceId : ''
- eventLogName: contains(dataSource, 'eventLogName') ? dataSource.eventLogName : ''
- eventTypes: contains(dataSource, 'eventTypes') ? dataSource.eventTypes : []
- objectName: contains(dataSource, 'objectName') ? dataSource.objectName : ''
- instanceName: contains(dataSource, 'instanceName') ? dataSource.instanceName : ''
- intervalSeconds: contains(dataSource, 'intervalSeconds') ? dataSource.intervalSeconds : 60
- counterName: contains(dataSource, 'counterName') ? dataSource.counterName : ''
- state: contains(dataSource, 'state') ? dataSource.state : ''
- syslogName: contains(dataSource, 'syslogName') ? dataSource.syslogName : ''
- syslogSeverities: contains(dataSource, 'syslogSeverities') ? dataSource.syslogSeverities : []
- performanceCounters: contains(dataSource, 'performanceCounters') ? dataSource.performanceCounters : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module logAnalyticsWorkspace_tables 'table/main.bicep' = [for (table, index) in tables: {
- name: '${uniqueString(deployment().name, location)}-LAW-Table-${index}'
- params: {
- workspaceName: logAnalyticsWorkspace.name
- name: table.name
- plan: contains(table, 'plan') ? table.plan : 'Analytics'
- schema: contains(table, 'schema') ? table.schema : {}
- retentionInDays: contains(table, 'retentionInDays') ? table.retentionInDays : -1
- totalRetentionInDays: contains(table, 'totalRetentionInDays') ? table.totalRetentionInDays : -1
- restoredLogs: contains(table, 'restoredLogs') ? table.restoredLogs : {}
- searchResults: contains(table, 'searchResults') ? table.searchResults : {}
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module logAnalyticsWorkspace_solutions '../../operations-management/solution/main.bicep' = [for (gallerySolution, index) in gallerySolutions: if (!empty(gallerySolutions)) {
- name: '${uniqueString(deployment().name, location)}-LAW-Solution-${index}'
- params: {
- name: gallerySolution.name
- location: location
- logAnalyticsWorkspaceName: logAnalyticsWorkspace.name
- product: contains(gallerySolution, 'product') ? gallerySolution.product : 'OMSGallery'
- publisher: contains(gallerySolution, 'publisher') ? gallerySolution.publisher : 'Microsoft'
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-resource logAnalyticsWorkspace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: logAnalyticsWorkspace
-}
-
-resource logAnalyticsWorkspace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(logAnalyticsWorkspace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: logAnalyticsWorkspace
-}]
-
-@description('The resource ID of the deployed log analytics workspace.')
-output resourceId string = logAnalyticsWorkspace.id
-
-@description('The resource group of the deployed log analytics workspace.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the deployed log analytics workspace.')
-output name string = logAnalyticsWorkspace.name
-
-@description('The ID associated with the workspace.')
-output logAnalyticsWorkspaceId string = logAnalyticsWorkspace.properties.customerId
-
-@description('The location the resource was deployed into.')
-output location string = logAnalyticsWorkspace.location
-
-@description('The principal ID of the system assigned identity.')
-output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(logAnalyticsWorkspace.identity, 'principalId') ? logAnalyticsWorkspace.identity.principalId : ''
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]?
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/operational-insights/workspace/main.json b/modules/operational-insights/workspace/main.json
deleted file mode 100644
index 1fba3d4959..0000000000
--- a/modules/operational-insights/workspace/main.json
+++ /dev/null
@@ -1,1925 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15740533173068263805" - }, - "name": "Log Analytics Workspaces", - "description": "This module deploys a Log Analytics Workspace.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." 
- } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Log Analytics workspace." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "skuName": { - "type": "string", - "defaultValue": "PerGB2018", - "allowedValues": [ - "CapacityReservation", - "Free", - "LACluster", - "PerGB2018", - "PerNode", - "Premium", - "Standalone", - "Standard" - ], - "metadata": { - "description": "Optional. The name of the SKU." - } - }, - "skuCapacityReservationLevel": { - "type": "int", - "defaultValue": 100, - "minValue": 100, - "maxValue": 5000, - "metadata": { - "description": "Optional. The capacity reservation level in GB for this workspace, when CapacityReservation sku is selected. Must be in increments of 100 between 100 and 5000." - } - }, - "storageInsightsConfigs": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of storage accounts to be read by the workspace." 
- } - }, - "linkedServices": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of services to be linked." - } - }, - "linkedStorageAccounts": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Conditional. List of Storage Accounts to be linked. Required if 'forceCmkForQuery' is set to 'true' and 'savedSearches' is not empty." - } - }, - "savedSearches": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Kusto Query Language searches to save." - } - }, - "dataExports": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. LAW data export instances to be deployed." - } - }, - "dataSources": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. LAW data sources to configure." - } - }, - "tables": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. LAW custom tables to be deployed." - } - }, - "gallerySolutions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of gallerySolutions to be created in the log analytics workspace." - } - }, - "dataRetention": { - "type": "int", - "defaultValue": 365, - "minValue": 0, - "maxValue": 730, - "metadata": { - "description": "Optional. Number of days data will be retained for." - } - }, - "dailyQuotaGb": { - "type": "int", - "defaultValue": -1, - "minValue": -1, - "metadata": { - "description": "Optional. The workspace daily quota for ingestion." - } - }, - "publicNetworkAccessForIngestion": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. The network access type for accessing Log Analytics ingestion." - } - }, - "publicNetworkAccessForQuery": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. 
The network access type for accessing Log Analytics query." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both." - } - }, - "useResourcePermissions": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Set to 'true' to use resource or workspace permissions and 'false' (or leave empty) to require workspace permissions." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "forceCmkForQuery": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Indicates whether customer managed storage is mandatory for query management." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Security 
Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", - "Security Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "logAnalyticsWorkspace": { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2022-10-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "features": { - "searchVersion": 1, - "enableLogAccessUsingOnlyResourcePermissions": "[parameters('useResourcePermissions')]" - }, - "sku": { - "name": "[parameters('skuName')]", - "capacityReservationLevel": "[if(equals(parameters('skuName'), 'CapacityReservation'), parameters('skuCapacityReservationLevel'), null())]" - }, - "retentionInDays": "[parameters('dataRetention')]", - "workspaceCapping": { - "dailyQuotaGb": "[parameters('dailyQuotaGb')]" - }, - "publicNetworkAccessForIngestion": "[parameters('publicNetworkAccessForIngestion')]", - "publicNetworkAccessForQuery": "[parameters('publicNetworkAccessForQuery')]", - "forceCmkForQuery": "[parameters('forceCmkForQuery')]" - }, - "identity": "[variables('identity')]" - }, - "logAnalyticsWorkspace_diagnosticSettings": { - "copy": { - "name": 
"logAnalyticsWorkspace_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.OperationalInsights/workspaces/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "logAnalyticsWorkspace" - ] - }, - "logAnalyticsWorkspace_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": 
"Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.OperationalInsights/workspaces/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "logAnalyticsWorkspace" - ] - }, - "logAnalyticsWorkspace_roleAssignments": { - "copy": { - "name": "logAnalyticsWorkspace_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.OperationalInsights/workspaces/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.OperationalInsights/workspaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "logAnalyticsWorkspace" - ] - }, - "logAnalyticsWorkspace_storageInsightConfigs": { - "copy": { - "name": "logAnalyticsWorkspace_storageInsightConfigs", - "count": "[length(parameters('storageInsightsConfigs'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-LAW-StorageInsightsConfig-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "logAnalyticsWorkspaceName": { - "value": "[parameters('name')]" - }, - "containers": "[if(contains(parameters('storageInsightsConfigs')[copyIndex()], 'containers'), createObject('value', parameters('storageInsightsConfigs')[copyIndex()].containers), createObject('value', createArray()))]", - "tables": "[if(contains(parameters('storageInsightsConfigs')[copyIndex()], 'tables'), createObject('value', parameters('storageInsightsConfigs')[copyIndex()].tables), createObject('value', createArray()))]", - "storageAccountResourceId": { - "value": "[parameters('storageInsightsConfigs')[copyIndex()].storageAccountResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - 
"_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9008031661126171508" - }, - "name": "Log Analytics Workspace Storage Insight Configs", - "description": "This module deploys a Log Analytics Workspace Storage Insight Config.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "logAnalyticsWorkspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "[format('{0}-stinsconfig', last(split(parameters('storageAccountResourceId'), '/')))]", - "metadata": { - "description": "Optional. The name of the storage insights config." - } - }, - "storageAccountResourceId": { - "type": "string", - "metadata": { - "description": "Required. The Azure Resource Manager ID of the storage account resource." - } - }, - "containers": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The names of the blob containers that the workspace should read." - } - }, - "tables": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The names of the Azure tables that the workspace should read." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to configure in the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2022-09-01", - "name": "[last(split(parameters('storageAccountResourceId'), '/'))]" - }, - "workspace": { - "existing": true, - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2022-10-01", - "name": "[parameters('logAnalyticsWorkspaceName')]" - }, - "storageinsightconfig": { - "type": "Microsoft.OperationalInsights/workspaces/storageInsightConfigs", - "apiVersion": "2020-08-01", - "name": "[format('{0}/{1}', parameters('logAnalyticsWorkspaceName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "containers": "[parameters('containers')]", - "tables": "[parameters('tables')]", - "storageAccount": { - "id": "[parameters('storageAccountResourceId')]", - "key": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', last(split(parameters('storageAccountResourceId'), '/'))), '2022-09-01').keys[0].value]" - } - }, - "dependsOn": [ - "storageAccount", - "workspace" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed storage insights configuration." 
- }, - "value": "[resourceId('Microsoft.OperationalInsights/workspaces/storageInsightConfigs', parameters('logAnalyticsWorkspaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group where the storage insight configuration is deployed." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the storage insights configuration." - }, - "value": "[parameters('name')]" - } - } - } - }, - "dependsOn": [ - "logAnalyticsWorkspace" - ] - }, - "logAnalyticsWorkspace_linkedServices": { - "copy": { - "name": "logAnalyticsWorkspace_linkedServices", - "count": "[length(parameters('linkedServices'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-LAW-LinkedService-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "logAnalyticsWorkspaceName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('linkedServices')[copyIndex()].name]" - }, - "resourceId": "[if(contains(parameters('linkedServices')[copyIndex()], 'resourceId'), createObject('value', parameters('linkedServices')[copyIndex()].resourceId), createObject('value', ''))]", - "writeAccessResourceId": "[if(contains(parameters('linkedServices')[copyIndex()], 'writeAccessResourceId'), createObject('value', parameters('linkedServices')[copyIndex()].writeAccessResourceId), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - 
"templateHash": "4319942183601642190" - }, - "name": "Log Analytics Workspace Linked Services", - "description": "This module deploys a Log Analytics Workspace Linked Service.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "logAnalyticsWorkspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the link." - } - }, - "resourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Required. The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require read access." - } - }, - "writeAccessResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require write access." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to configure in the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "workspace": { - "existing": true, - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2022-10-01", - "name": "[parameters('logAnalyticsWorkspaceName')]" - }, - "linkedService": { - "type": "Microsoft.OperationalInsights/workspaces/linkedServices", - "apiVersion": "2020-08-01", - "name": "[format('{0}/{1}', parameters('logAnalyticsWorkspaceName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "resourceId": "[parameters('resourceId')]", - "writeAccessResourceId": "[if(empty(parameters('writeAccessResourceId')), null(), parameters('writeAccessResourceId'))]" - }, - "dependsOn": [ - "workspace" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed linked service." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed linked service." - }, - "value": "[resourceId('Microsoft.OperationalInsights/workspaces/linkedServices', parameters('logAnalyticsWorkspaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group where the linked service is deployed." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "logAnalyticsWorkspace" - ] - }, - "logAnalyticsWorkspace_linkedStorageAccounts": { - "copy": { - "name": "logAnalyticsWorkspace_linkedStorageAccounts", - "count": "[length(parameters('linkedStorageAccounts'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-LAW-LinkedStorageAccount-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "logAnalyticsWorkspaceName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('linkedStorageAccounts')[copyIndex()].name]" - }, - "resourceId": { - "value": "[parameters('linkedStorageAccounts')[copyIndex()].resourceId]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9016006615324724877" - }, - "name": "Log Analytics Workspace Linked Storage Accounts", - "description": "This module deploys a Log Analytics Workspace Linked Storage Account.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "logAnalyticsWorkspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "allowedValues": [ - "Query", - "Alerts", - "CustomLogs", - "AzureWatson" - ], - "metadata": { - "description": "Required. Name of the link." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. 
The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require read access." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/linkedStorageAccounts", - "apiVersion": "2020-08-01", - "name": "[format('{0}/{1}', parameters('logAnalyticsWorkspaceName'), parameters('name'))]", - "properties": { - "storageAccountIds": [ - "[parameters('resourceId')]" - ] - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed linked storage account." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed linked storage account." - }, - "value": "[resourceId('Microsoft.OperationalInsights/workspaces/linkedStorageAccounts', parameters('logAnalyticsWorkspaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group where the linked storage account is deployed." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "logAnalyticsWorkspace" - ] - }, - "logAnalyticsWorkspace_savedSearches": { - "copy": { - "name": "logAnalyticsWorkspace_savedSearches", - "count": "[length(parameters('savedSearches'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-LAW-SavedSearch-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "logAnalyticsWorkspaceName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[format('{0}{1}', parameters('savedSearches')[copyIndex()].name, uniqueString(deployment().name))]" - }, - "etag": "[if(contains(parameters('savedSearches')[copyIndex()], 'eTag'), createObject('value', parameters('savedSearches')[copyIndex()].etag), createObject('value', '*'))]", - "displayName": { - "value": "[parameters('savedSearches')[copyIndex()].displayName]" - }, - "category": { - "value": "[parameters('savedSearches')[copyIndex()].category]" - }, - "query": { - "value": "[parameters('savedSearches')[copyIndex()].query]" - }, - "functionAlias": "[if(contains(parameters('savedSearches')[copyIndex()], 'functionAlias'), createObject('value', parameters('savedSearches')[copyIndex()].functionAlias), createObject('value', ''))]", - "functionParameters": "[if(contains(parameters('savedSearches')[copyIndex()], 'functionParameters'), createObject('value', parameters('savedSearches')[copyIndex()].functionParameters), createObject('value', ''))]", - "version": "[if(contains(parameters('savedSearches')[copyIndex()], 'version'), createObject('value', parameters('savedSearches')[copyIndex()].version), createObject('value', 2))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "8110791564584546252" - }, - "name": "Log Analytics Workspace Saved Searches", - "description": "This module deploys a Log Analytics Workspace Saved Search.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "logAnalyticsWorkspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the saved search." - } - }, - "displayName": { - "type": "string", - "metadata": { - "description": "Required. Display name for the search." - } - }, - "category": { - "type": "string", - "metadata": { - "description": "Required. Query category." - } - }, - "query": { - "type": "string", - "metadata": { - "description": "Required. Kusto Query to be stored." - } - }, - "tags": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Tags to configure in the resource." - } - }, - "functionAlias": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The function alias if query serves as a function." - } - }, - "functionParameters": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The optional function parameters if query serves as a function. Value should be in the following format: \"param-name1:type1 = default_value1, param-name2:type2 = default_value2\". For more examples and proper syntax please refer to /azure/kusto/query/functions/user-defined-functions." - } - }, - "version": { - "type": "int", - "defaultValue": 2, - "metadata": { - "description": "Optional. The version number of the query language." 
- } - }, - "etag": { - "type": "string", - "defaultValue": "*", - "metadata": { - "description": "Optional. The ETag of the saved search. To override an existing saved search, use \"*\" or specify the current Etag." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2020-08-01", - "name": "[format('{0}/{1}', parameters('logAnalyticsWorkspaceName'), parameters('name'))]", - "properties": { - "etag": "[parameters('etag')]", - "tags": "[parameters('tags')]", - "displayName": "[parameters('displayName')]", - "category": "[parameters('category')]", - "query": "[parameters('query')]", - "functionAlias": "[parameters('functionAlias')]", - "functionParameters": "[parameters('functionParameters')]", - "version": "[parameters('version')]" - } - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed saved search." - }, - "value": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('logAnalyticsWorkspaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group where the saved search is deployed." 
- }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed saved search." - }, - "value": "[parameters('name')]" - } - } - } - }, - "dependsOn": [ - "logAnalyticsWorkspace", - "logAnalyticsWorkspace_linkedStorageAccounts" - ] - }, - "logAnalyticsWorkspace_dataExports": { - "copy": { - "name": "logAnalyticsWorkspace_dataExports", - "count": "[length(parameters('dataExports'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-LAW-DataExport-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "workspaceName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('dataExports')[copyIndex()].name]" - }, - "destination": "[if(contains(parameters('dataExports')[copyIndex()], 'destination'), createObject('value', parameters('dataExports')[copyIndex()].destination), createObject('value', createObject()))]", - "enable": "[if(contains(parameters('dataExports')[copyIndex()], 'enable'), createObject('value', parameters('dataExports')[copyIndex()].enable), createObject('value', false()))]", - "tableNames": "[if(contains(parameters('dataExports')[copyIndex()], 'tableNames'), createObject('value', parameters('dataExports')[copyIndex()].tableNames), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17342339934568813477" - }, - "name": "Log Analytics Workspace Data Exports", - "description": "This module deploys a Log Analytics Workspace Data Export.", - 
"owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "minLength": 4, - "maxLength": 63, - "metadata": { - "description": "Required. The data export rule name." - } - }, - "workspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent workspaces. Required if the template is used in a standalone deployment." - } - }, - "destination": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Destination properties." - } - }, - "enable": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Active when enabled." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." - } - }, - "tableNames": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An array of tables to export, for example: ['Heartbeat', 'SecurityEvent']." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/dataExports", - "apiVersion": "2020-08-01", - "name": "[format('{0}/{1}', parameters('workspaceName'), parameters('name'))]", - "properties": { - "destination": "[parameters('destination')]", - "enable": "[parameters('enable')]", - "tableNames": "[parameters('tableNames')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the data export." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the data export." - }, - "value": "[resourceId('Microsoft.OperationalInsights/workspaces/dataExports', parameters('workspaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the data export was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "logAnalyticsWorkspace" - ] - }, - "logAnalyticsWorkspace_dataSources": { - "copy": { - "name": "logAnalyticsWorkspace_dataSources", - "count": "[length(parameters('dataSources'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-LAW-DataSource-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "logAnalyticsWorkspaceName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('dataSources')[copyIndex()].name]" - }, - "kind": { - "value": "[parameters('dataSources')[copyIndex()].kind]" - }, - "linkedResourceId": "[if(contains(parameters('dataSources')[copyIndex()], 'linkedResourceId'), createObject('value', parameters('dataSources')[copyIndex()].linkedResourceId), createObject('value', ''))]", - "eventLogName": "[if(contains(parameters('dataSources')[copyIndex()], 'eventLogName'), createObject('value', parameters('dataSources')[copyIndex()].eventLogName), createObject('value', ''))]", - "eventTypes": "[if(contains(parameters('dataSources')[copyIndex()], 'eventTypes'), createObject('value', parameters('dataSources')[copyIndex()].eventTypes), createObject('value', createArray()))]", - "objectName": "[if(contains(parameters('dataSources')[copyIndex()], 'objectName'), createObject('value', parameters('dataSources')[copyIndex()].objectName), 
createObject('value', ''))]", - "instanceName": "[if(contains(parameters('dataSources')[copyIndex()], 'instanceName'), createObject('value', parameters('dataSources')[copyIndex()].instanceName), createObject('value', ''))]", - "intervalSeconds": "[if(contains(parameters('dataSources')[copyIndex()], 'intervalSeconds'), createObject('value', parameters('dataSources')[copyIndex()].intervalSeconds), createObject('value', 60))]", - "counterName": "[if(contains(parameters('dataSources')[copyIndex()], 'counterName'), createObject('value', parameters('dataSources')[copyIndex()].counterName), createObject('value', ''))]", - "state": "[if(contains(parameters('dataSources')[copyIndex()], 'state'), createObject('value', parameters('dataSources')[copyIndex()].state), createObject('value', ''))]", - "syslogName": "[if(contains(parameters('dataSources')[copyIndex()], 'syslogName'), createObject('value', parameters('dataSources')[copyIndex()].syslogName), createObject('value', ''))]", - "syslogSeverities": "[if(contains(parameters('dataSources')[copyIndex()], 'syslogSeverities'), createObject('value', parameters('dataSources')[copyIndex()].syslogSeverities), createObject('value', createArray()))]", - "performanceCounters": "[if(contains(parameters('dataSources')[copyIndex()], 'performanceCounters'), createObject('value', parameters('dataSources')[copyIndex()].performanceCounters), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16555972198709151465" - }, - "name": "Log Analytics Workspace Datasources", - "description": "This module deploys a Log Analytics Workspace Data Source.", - "owner": "Azure/module-maintainers" - }, 
- "parameters": { - "logAnalyticsWorkspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the solution." - } - }, - "kind": { - "type": "string", - "defaultValue": "AzureActivityLog", - "allowedValues": [ - "AzureActivityLog", - "WindowsEvent", - "WindowsPerformanceCounter", - "IISLogs", - "LinuxSyslog", - "LinuxSyslogCollection", - "LinuxPerformanceObject", - "LinuxPerformanceCollection" - ], - "metadata": { - "description": "Required. The kind of the DataSource." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to configure in the resource." - } - }, - "linkedResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the resource to be linked." - } - }, - "eventLogName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Windows event log name to configure when kind is WindowsEvent." - } - }, - "eventTypes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Windows event types to configure when kind is WindowsEvent." - } - }, - "objectName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the object to configure when kind is WindowsPerformanceCounter or LinuxPerformanceObject." - } - }, - "instanceName": { - "type": "string", - "defaultValue": "*", - "metadata": { - "description": "Optional. Name of the instance to configure when kind is WindowsPerformanceCounter or LinuxPerformanceObject." - } - }, - "intervalSeconds": { - "type": "int", - "defaultValue": 60, - "metadata": { - "description": "Optional. Interval in seconds to configure when kind is WindowsPerformanceCounter or LinuxPerformanceObject." 
- } - }, - "performanceCounters": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of counters to configure when the kind is LinuxPerformanceObject." - } - }, - "counterName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Counter name to configure when kind is WindowsPerformanceCounter." - } - }, - "state": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. State to configure when kind is IISLogs or LinuxSyslogCollection or LinuxPerformanceCollection." - } - }, - "syslogName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. System log to configure when kind is LinuxSyslog." - } - }, - "syslogSeverities": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Severities to configure when kind is LinuxSyslog." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "workspace": { - "existing": true, - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2022-10-01", - "name": "[parameters('logAnalyticsWorkspaceName')]" - }, - "dataSource": { - "type": "Microsoft.OperationalInsights/workspaces/dataSources", - "apiVersion": "2020-08-01", - "name": "[format('{0}/{1}', parameters('logAnalyticsWorkspaceName'), parameters('name'))]", - "kind": "[parameters('kind')]", - "tags": "[parameters('tags')]", - "properties": { - "linkedResourceId": "[if(and(not(empty(parameters('kind'))), equals(parameters('kind'), 'AzureActivityLog')), parameters('linkedResourceId'), null())]", - "eventLogName": "[if(and(not(empty(parameters('kind'))), equals(parameters('kind'), 'WindowsEvent')), parameters('eventLogName'), null())]", - "eventTypes": "[if(and(not(empty(parameters('kind'))), equals(parameters('kind'), 'WindowsEvent')), parameters('eventTypes'), null())]", - "objectName": "[if(and(not(empty(parameters('kind'))), or(equals(parameters('kind'), 'WindowsPerformanceCounter'), equals(parameters('kind'), 'LinuxPerformanceObject'))), parameters('objectName'), null())]", - "instanceName": "[if(and(not(empty(parameters('kind'))), or(equals(parameters('kind'), 'WindowsPerformanceCounter'), equals(parameters('kind'), 'LinuxPerformanceObject'))), parameters('instanceName'), null())]", - "intervalSeconds": "[if(and(not(empty(parameters('kind'))), or(equals(parameters('kind'), 'WindowsPerformanceCounter'), equals(parameters('kind'), 
'LinuxPerformanceObject'))), parameters('intervalSeconds'), null())]", - "counterName": "[if(and(not(empty(parameters('kind'))), equals(parameters('kind'), 'WindowsPerformanceCounter')), parameters('counterName'), null())]", - "state": "[if(and(not(empty(parameters('kind'))), or(or(equals(parameters('kind'), 'IISLogs'), equals(parameters('kind'), 'LinuxSyslogCollection')), equals(parameters('kind'), 'LinuxPerformanceCollection'))), parameters('state'), null())]", - "syslogName": "[if(and(not(empty(parameters('kind'))), equals(parameters('kind'), 'LinuxSyslog')), parameters('syslogName'), null())]", - "syslogSeverities": "[if(and(not(empty(parameters('kind'))), or(equals(parameters('kind'), 'LinuxSyslog'), equals(parameters('kind'), 'LinuxPerformanceObject'))), parameters('syslogSeverities'), null())]", - "performanceCounters": "[if(and(not(empty(parameters('kind'))), equals(parameters('kind'), 'LinuxPerformanceObject')), parameters('performanceCounters'), null())]" - }, - "dependsOn": [ - "workspace" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed data source." - }, - "value": "[resourceId('Microsoft.OperationalInsights/workspaces/dataSources', parameters('logAnalyticsWorkspaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group where the data source is deployed." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed data source." 
- }, - "value": "[parameters('name')]" - } - } - } - }, - "dependsOn": [ - "logAnalyticsWorkspace" - ] - }, - "logAnalyticsWorkspace_tables": { - "copy": { - "name": "logAnalyticsWorkspace_tables", - "count": "[length(parameters('tables'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-LAW-Table-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "workspaceName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('tables')[copyIndex()].name]" - }, - "plan": "[if(contains(parameters('tables')[copyIndex()], 'plan'), createObject('value', parameters('tables')[copyIndex()].plan), createObject('value', 'Analytics'))]", - "schema": "[if(contains(parameters('tables')[copyIndex()], 'schema'), createObject('value', parameters('tables')[copyIndex()].schema), createObject('value', createObject()))]", - "retentionInDays": "[if(contains(parameters('tables')[copyIndex()], 'retentionInDays'), createObject('value', parameters('tables')[copyIndex()].retentionInDays), createObject('value', -1))]", - "totalRetentionInDays": "[if(contains(parameters('tables')[copyIndex()], 'totalRetentionInDays'), createObject('value', parameters('tables')[copyIndex()].totalRetentionInDays), createObject('value', -1))]", - "restoredLogs": "[if(contains(parameters('tables')[copyIndex()], 'restoredLogs'), createObject('value', parameters('tables')[copyIndex()].restoredLogs), createObject('value', createObject()))]", - "searchResults": "[if(contains(parameters('tables')[copyIndex()], 'searchResults'), createObject('value', parameters('tables')[copyIndex()].searchResults), createObject('value', createObject()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10977258600449669407" - }, - "name": "Log Analytics Workspace Tables", - "description": "This module deploys a Log Analytics Workspace Table.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the table." - } - }, - "workspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent workspaces. Required if the template is used in a standalone deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." - } - }, - "plan": { - "type": "string", - "defaultValue": "Analytics", - "allowedValues": [ - "Basic", - "Analytics" - ], - "metadata": { - "description": "Optional. Instruct the system how to handle and charge the logs ingested to this table." - } - }, - "restoredLogs": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Restore parameters." - } - }, - "retentionInDays": { - "type": "int", - "defaultValue": -1, - "minValue": -1, - "maxValue": 730, - "metadata": { - "description": "Optional. The table retention in days, between 4 and 730. Setting this property to -1 will default to the workspace retention." - } - }, - "schema": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Table's schema." - } - }, - "searchResults": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Parameters of the search job that initiated this table." 
- } - }, - "totalRetentionInDays": { - "type": "int", - "defaultValue": -1, - "minValue": -1, - "maxValue": 2555, - "metadata": { - "description": "Optional. The table total retention in days, between 4 and 2555. Setting this property to -1 will default to table retention." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/tables", - "apiVersion": "2022-10-01", - "name": "[format('{0}/{1}', parameters('workspaceName'), parameters('name'))]", - "properties": { - "plan": "[parameters('plan')]", - "restoredLogs": "[parameters('restoredLogs')]", - "retentionInDays": "[parameters('retentionInDays')]", - "schema": "[parameters('schema')]", - "searchResults": "[parameters('searchResults')]", - "totalRetentionInDays": "[parameters('totalRetentionInDays')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the table." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the table." - }, - "value": "[resourceId('Microsoft.OperationalInsights/workspaces/tables', parameters('workspaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the table was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "logAnalyticsWorkspace" - ] - }, - "logAnalyticsWorkspace_solutions": { - "copy": { - "name": "logAnalyticsWorkspace_solutions", - "count": "[length(parameters('gallerySolutions'))]" - }, - "condition": "[not(empty(parameters('gallerySolutions')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-LAW-Solution-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('gallerySolutions')[copyIndex()].name]" - }, - "location": { - "value": "[parameters('location')]" - }, - "logAnalyticsWorkspaceName": { - "value": "[parameters('name')]" - }, - "product": "[if(contains(parameters('gallerySolutions')[copyIndex()], 'product'), createObject('value', parameters('gallerySolutions')[copyIndex()].product), createObject('value', 'OMSGallery'))]", - "publisher": "[if(contains(parameters('gallerySolutions')[copyIndex()], 'publisher'), createObject('value', parameters('gallerySolutions')[copyIndex()].publisher), createObject('value', 'Microsoft'))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6590935071601965866" - }, - "name": "Operations Management Solutions", - "description": "This module deploys an Operations Management Solution.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the solution. 
For Microsoft published gallery solution the target solution resource name will be composed as `{name}({logAnalyticsWorkspaceName})`." - } - }, - "logAnalyticsWorkspaceName": { - "type": "string", - "metadata": { - "description": "Required. Name of the Log Analytics workspace where the solution will be deployed/enabled." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "product": { - "type": "string", - "defaultValue": "OMSGallery", - "metadata": { - "description": "Optional. The product of the deployed solution. For Microsoft published gallery solution it should be `OMSGallery` and the target solution resource product will be composed as `OMSGallery/{name}`. For third party solution, it can be anything. This is case sensitive." - } - }, - "publisher": { - "type": "string", - "defaultValue": "Microsoft", - "metadata": { - "description": "Optional. The publisher name of the deployed solution. For Microsoft published gallery solution, it is `Microsoft`." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "solutionName": "[if(equals(parameters('publisher'), 'Microsoft'), format('{0}({1})', parameters('name'), parameters('logAnalyticsWorkspaceName')), parameters('name'))]", - "solutionProduct": "[if(equals(parameters('publisher'), 'Microsoft'), format('OMSGallery/{0}', parameters('name')), parameters('product'))]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.OperationsManagement/solutions", - "apiVersion": "2015-11-01-preview", - "name": "[variables('solutionName')]", - "location": "[parameters('location')]", - "properties": { - "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" - }, - "plan": { - "name": "[variables('solutionName')]", - "promotionCode": "", - "product": "[variables('solutionProduct')]", - "publisher": "[parameters('publisher')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed solution." - }, - "value": "[variables('solutionName')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed solution." - }, - "value": "[resourceId('Microsoft.OperationsManagement/solutions', variables('solutionName'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group where the solution is deployed." 
- }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference(resourceId('Microsoft.OperationsManagement/solutions', variables('solutionName')), '2015-11-01-preview', 'full').location]" - } - } - } - }, - "dependsOn": [ - "logAnalyticsWorkspace" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed log analytics workspace." - }, - "value": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed log analytics workspace." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed log analytics workspace." - }, - "value": "[parameters('name')]" - }, - "logAnalyticsWorkspaceId": { - "type": "string", - "metadata": { - "description": "The ID associated with the workspace." - }, - "value": "[reference('logAnalyticsWorkspace').customerId]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('logAnalyticsWorkspace', '2022-10-01', 'full').location]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('logAnalyticsWorkspace', '2022-10-01', 'full').identity, 'principalId')), reference('logAnalyticsWorkspace', '2022-10-01', 'full').identity.principalId, '')]" - } - } -} \ No newline at end of file 
diff --git a/modules/operational-insights/workspace/saved-search/README.md b/modules/operational-insights/workspace/saved-search/README.md
deleted file mode 100644
index 848c79064d..0000000000
--- a/modules/operational-insights/workspace/saved-search/README.md
+++ /dev/null
@@ -1,140 +0,0 @@ -# Log Analytics Workspace Saved Searches `[Microsoft.OperationalInsights/workspaces/savedSearches]` - -This module deploys a Log Analytics Workspace Saved Search. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.OperationalInsights/workspaces/savedSearches` | [2020-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2020-08-01/workspaces/savedSearches) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`category`](#parameter-category) | string | Query category. | -| [`displayName`](#parameter-displayname) | string | Display name for the search. | -| [`name`](#parameter-name) | string | Name of the saved search. | -| [`query`](#parameter-query) | string | Kusto Query to be stored. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`logAnalyticsWorkspaceName`](#parameter-loganalyticsworkspacename) | string | The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`etag`](#parameter-etag) | string | The ETag of the saved search. To override an existing saved search, use "*" or specify the current Etag. | -| [`functionAlias`](#parameter-functionalias) | string | The function alias if query serves as a function. | -| [`functionParameters`](#parameter-functionparameters) | string | The optional function parameters if query serves as a function. 
Value should be in the following format: "param-name1:type1 = default_value1, param-name2:type2 = default_value2". For more examples and proper syntax please refer to /azure/kusto/query/functions/user-defined-functions. | -| [`tags`](#parameter-tags) | array | Tags to configure in the resource. | -| [`version`](#parameter-version) | int | The version number of the query language. | - -### Parameter: `category` - -Query category. - -- Required: Yes -- Type: string - -### Parameter: `displayName` - -Display name for the search. - -- Required: Yes -- Type: string - -### Parameter: `name` - -Name of the saved search. - -- Required: Yes -- Type: string - -### Parameter: `query` - -Kusto Query to be stored. - -- Required: Yes -- Type: string - -### Parameter: `logAnalyticsWorkspaceName` - -The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `etag` - -The ETag of the saved search. To override an existing saved search, use "*" or specify the current Etag. - -- Required: No -- Type: string -- Default: `'*'` - -### Parameter: `functionAlias` - -The function alias if query serves as a function. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `functionParameters` - -The optional function parameters if query serves as a function. Value should be in the following format: "param-name1:type1 = default_value1, param-name2:type2 = default_value2". For more examples and proper syntax please refer to /azure/kusto/query/functions/user-defined-functions. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `tags` - -Tags to configure in the resource. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `version` - -The version number of the query language. 
- -- Required: No -- Type: int -- Default: `2` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed saved search. | -| `resourceGroupName` | string | The resource group where the saved search is deployed. | -| `resourceId` | string | The resource ID of the deployed saved search. | - -## Cross-referenced modules - -_None_ diff --git a/modules/operational-insights/workspace/saved-search/main.bicep b/modules/operational-insights/workspace/saved-search/main.bicep deleted file mode 100644 index 64a698637f..0000000000 --- a/modules/operational-insights/workspace/saved-search/main.bicep +++ /dev/null 
@@ -1,77 +0,0 @@
-metadata name = 'Log Analytics Workspace Saved Searches'
-metadata description = 'This module deploys a Log Analytics Workspace Saved Search.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment.')
-param logAnalyticsWorkspaceName string
-
-@description('Required. Name of the saved search.')
-param name string
-
-@description('Required. Display name for the search.')
-param displayName string
-
-@description('Required. Query category.')
-param category string
-
-@description('Required. Kusto Query to be stored.')
-param query string
-
-@description('Optional. Tags to configure in the resource.')
-param tags array = []
-
-@description('Optional. The function alias if query serves as a function.')
-param functionAlias string = ''
-
-@description('Optional. The optional function parameters if query serves as a function. Value should be in the following format: "param-name1:type1 = default_value1, param-name2:type2 = default_value2". For more examples and proper syntax please refer to /azure/kusto/query/functions/user-defined-functions.')
-param functionParameters string = ''
-
-@description('Optional. The version number of the query language.')
-param version int = 2
-
-@description('Optional. The ETag of the saved search. To override an existing saved search, use "*" or specify the current Etag.')
-param etag string = '*'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
- name: logAnalyticsWorkspaceName
-}
-
-resource savedSearch 'Microsoft.OperationalInsights/workspaces/savedSearches@2020-08-01' = {
- name: name
- parent: workspace
- //etag: etag // According to API, the variable should be here, but it doesn't work here.
- properties: {
- etag: etag
- tags: tags
- displayName: displayName
- category: category
- query: query
- functionAlias: functionAlias
- functionParameters: functionParameters
- version: version
- }
-}
-
-@description('The resource ID of the deployed saved search.')
-output resourceId string = savedSearch.id
-
-@description('The resource group where the saved search is deployed.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the deployed saved search.')
-output name string = savedSearch.name
diff --git a/modules/operational-insights/workspace/saved-search/main.json b/modules/operational-insights/workspace/saved-search/main.json
deleted file mode 100644
index c108b5ac43..0000000000
--- a/modules/operational-insights/workspace/saved-search/main.json
+++ /dev/null
@@ -1,142 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "8110791564584546252" - }, - "name": "Log Analytics Workspace Saved Searches", - "description": "This module deploys a Log Analytics Workspace Saved Search.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "logAnalyticsWorkspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the saved search." - } - }, - "displayName": { - "type": "string", - "metadata": { - "description": "Required. Display name for the search." - } - }, - "category": { - "type": "string", - "metadata": { - "description": "Required. Query category." - } - }, - "query": { - "type": "string", - "metadata": { - "description": "Required. Kusto Query to be stored." - } - }, - "tags": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Tags to configure in the resource." - } - }, - "functionAlias": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The function alias if query serves as a function." - } - }, - "functionParameters": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The optional function parameters if query serves as a function. Value should be in the following format: \"param-name1:type1 = default_value1, param-name2:type2 = default_value2\". For more examples and proper syntax please refer to /azure/kusto/query/functions/user-defined-functions." - } - }, - "version": { - "type": "int", - "defaultValue": 2, - "metadata": { - "description": "Optional. The version number of the query language." 
- } - }, - "etag": { - "type": "string", - "defaultValue": "*", - "metadata": { - "description": "Optional. The ETag of the saved search. To override an existing saved search, use \"*\" or specify the current Etag." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2020-08-01", - "name": "[format('{0}/{1}', parameters('logAnalyticsWorkspaceName'), parameters('name'))]", - "properties": { - "etag": "[parameters('etag')]", - "tags": "[parameters('tags')]", - "displayName": "[parameters('displayName')]", - "category": "[parameters('category')]", - "query": "[parameters('query')]", - "functionAlias": "[parameters('functionAlias')]", - "functionParameters": "[parameters('functionParameters')]", - "version": "[parameters('version')]" - } - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed saved search." - }, - "value": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('logAnalyticsWorkspaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group where the saved search is deployed." 
- }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed saved search." - }, - "value": "[parameters('name')]" - } - } -} \ No newline at end of file diff --git a/modules/operational-insights/workspace/saved-search/version.json b/modules/operational-insights/workspace/saved-search/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/operational-insights/workspace/saved-search/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/operational-insights/workspace/storage-insight-config/README.md b/modules/operational-insights/workspace/storage-insight-config/README.md deleted file mode 100644 index 5f3b984a87..0000000000 --- a/modules/operational-insights/workspace/storage-insight-config/README.md +++ /dev/null 
@@ -1,106 +0,0 @@ -# Log Analytics Workspace Storage Insight Configs `[Microsoft.OperationalInsights/workspaces/storageInsightConfigs]` - -This module deploys a Log Analytics Workspace Storage Insight Config. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.OperationalInsights/workspaces/storageInsightConfigs` | [2020-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2020-08-01/workspaces/storageInsightConfigs) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`storageAccountResourceId`](#parameter-storageaccountresourceid) | string | The Azure Resource Manager ID of the storage account resource. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`logAnalyticsWorkspaceName`](#parameter-loganalyticsworkspacename) | string | The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`containers`](#parameter-containers) | array | The names of the blob containers that the workspace should read. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`name`](#parameter-name) | string | The name of the storage insights config. | -| [`tables`](#parameter-tables) | array | The names of the Azure tables that the workspace should read. | -| [`tags`](#parameter-tags) | object | Tags to configure in the resource. | - -### Parameter: `storageAccountResourceId` - -The Azure Resource Manager ID of the storage account resource. 
- -- Required: Yes -- Type: string - -### Parameter: `logAnalyticsWorkspaceName` - -The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `containers` - -The names of the blob containers that the workspace should read. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `name` - -The name of the storage insights config. - -- Required: No -- Type: string -- Default: `[format('{0}-stinsconfig', last(split(parameters('storageAccountResourceId'), '/')))]` - -### Parameter: `tables` - -The names of the Azure tables that the workspace should read. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `tags` - -Tags to configure in the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the storage insights configuration. | -| `resourceGroupName` | string | The resource group where the storage insight configuration is deployed. | -| `resourceId` | string | The resource ID of the deployed storage insights configuration. | - -## Cross-referenced modules - -_None_ diff --git a/modules/operational-insights/workspace/storage-insight-config/main.bicep b/modules/operational-insights/workspace/storage-insight-config/main.bicep deleted file mode 100644 index 5e6a2d236f..0000000000 --- a/modules/operational-insights/workspace/storage-insight-config/main.bicep +++ /dev/null 
@@ -1,67 +0,0 @@
-metadata name = 'Log Analytics Workspace Storage Insight Configs'
-metadata description = 'This module deploys a Log Analytics Workspace Storage Insight Config.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment.')
-param logAnalyticsWorkspaceName string
-
-@description('Optional. The name of the storage insights config.')
-param name string = '${last(split(storageAccountResourceId, '/'))}-stinsconfig'
-
-@description('Required. The Azure Resource Manager ID of the storage account resource.')
-param storageAccountResourceId string
-
-@description('Optional. The names of the blob containers that the workspace should read.')
-param containers array = []
-
-@description('Optional. The names of the Azure tables that the workspace should read.')
-param tables array = []
-
-@description('Optional. Tags to configure in the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' existing = {
- name: last(split(storageAccountResourceId, '/'))!
-}
-
-resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
- name: logAnalyticsWorkspaceName
-}
-
-resource storageinsightconfig 'Microsoft.OperationalInsights/workspaces/storageInsightConfigs@2020-08-01' = {
- name: name
- parent: workspace
- tags: tags
- properties: {
- containers: containers
- tables: tables
- storageAccount: {
- id: storageAccountResourceId
- key: storageAccount.listKeys().keys[0].value
- }
- }
-}
-
-@description('The resource ID of the deployed storage insights configuration.')
-output resourceId string = storageinsightconfig.id
-
-@description('The resource group where the storage insight configuration is deployed.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the storage insights configuration.')
-output name string = storageinsightconfig.name
diff --git a/modules/operational-insights/workspace/storage-insight-config/main.json b/modules/operational-insights/workspace/storage-insight-config/main.json
deleted file mode 100644
index a1c8b035f8..0000000000
--- a/modules/operational-insights/workspace/storage-insight-config/main.json
+++ /dev/null
@@ -1,133 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9008031661126171508" - }, - "name": "Log Analytics Workspace Storage Insight Configs", - "description": "This module deploys a Log Analytics Workspace Storage Insight Config.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "logAnalyticsWorkspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "[format('{0}-stinsconfig', last(split(parameters('storageAccountResourceId'), '/')))]", - "metadata": { - "description": "Optional. The name of the storage insights config." - } - }, - "storageAccountResourceId": { - "type": "string", - "metadata": { - "description": "Required. The Azure Resource Manager ID of the storage account resource." - } - }, - "containers": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The names of the blob containers that the workspace should read." - } - }, - "tables": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The names of the Azure tables that the workspace should read." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to configure in the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2022-09-01", - "name": "[last(split(parameters('storageAccountResourceId'), '/'))]" - }, - "workspace": { - "existing": true, - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2022-10-01", - "name": "[parameters('logAnalyticsWorkspaceName')]" - }, - "storageinsightconfig": { - "type": "Microsoft.OperationalInsights/workspaces/storageInsightConfigs", - "apiVersion": "2020-08-01", - "name": "[format('{0}/{1}', parameters('logAnalyticsWorkspaceName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "containers": "[parameters('containers')]", - "tables": "[parameters('tables')]", - "storageAccount": { - "id": "[parameters('storageAccountResourceId')]", - "key": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', last(split(parameters('storageAccountResourceId'), '/'))), '2022-09-01').keys[0].value]" - } - }, - "dependsOn": [ - "storageAccount", - "workspace" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed storage insights configuration." 
- }, - "value": "[resourceId('Microsoft.OperationalInsights/workspaces/storageInsightConfigs', parameters('logAnalyticsWorkspaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group where the storage insight configuration is deployed." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the storage insights configuration." - }, - "value": "[parameters('name')]" - } - } -} \ No newline at end of file diff --git a/modules/operational-insights/workspace/storage-insight-config/version.json b/modules/operational-insights/workspace/storage-insight-config/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/operational-insights/workspace/storage-insight-config/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/operational-insights/workspace/table/README.md b/modules/operational-insights/workspace/table/README.md deleted file mode 100644 index 5ad6220105..0000000000 --- a/modules/operational-insights/workspace/table/README.md +++ /dev/null 
@@ -1,132 +0,0 @@
-# Log Analytics Workspace Tables `[Microsoft.OperationalInsights/workspaces/tables]`
-
-This module deploys a Log Analytics Workspace Table.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.OperationalInsights/workspaces/tables` | [2022-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2022-10-01/workspaces/tables) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the table. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`workspaceName`](#parameter-workspacename) | string | The name of the parent workspaces. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). |
-| [`plan`](#parameter-plan) | string | Instruct the system how to handle and charge the logs ingested to this table. |
-| [`restoredLogs`](#parameter-restoredlogs) | object | Restore parameters. |
-| [`retentionInDays`](#parameter-retentionindays) | int | The table retention in days, between 4 and 730. Setting this property to -1 will default to the workspace retention. |
-| [`schema`](#parameter-schema) | object | Table's schema. |
-| [`searchResults`](#parameter-searchresults) | object | Parameters of the search job that initiated this table. |
-| [`totalRetentionInDays`](#parameter-totalretentionindays) | int | The table total retention in days, between 4 and 2555. Setting this property to -1 will default to table retention. |
-
-### Parameter: `name`
-
-The name of the table.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `workspaceName`
-
-The name of the parent workspaces. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via the Customer Usage Attribution ID (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `plan`
-
-Instruct the system how to handle and charge the logs ingested to this table.
-
-- Required: No
-- Type: string
-- Default: `'Analytics'`
-- Allowed:
- ```Bicep
- [
- 'Analytics'
- 'Basic'
- ]
- ```
-
-### Parameter: `restoredLogs`
-
-Restore parameters.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `retentionInDays`
-
-The table retention in days, between 4 and 730. Setting this property to -1 will default to the workspace retention.
-
-- Required: No
-- Type: int
-- Default: `-1`
-
-### Parameter: `schema`
-
-Table's schema.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `searchResults`
-
-Parameters of the search job that initiated this table.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `totalRetentionInDays`
-
-The table total retention in days, between 4 and 2555. Setting this property to -1 will default to table retention.
-
-- Required: No
-- Type: int
-- Default: `-1`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the table. |
-| `resourceGroupName` | string | The name of the resource group the table was created in. |
-| `resourceId` | string | The resource ID of the table. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/operational-insights/workspace/table/main.bicep b/modules/operational-insights/workspace/table/main.bicep
deleted file mode 100644
index 8a99fb4921..0000000000
--- a/modules/operational-insights/workspace/table/main.bicep
+++ /dev/null
@@ -1,88 +0,0 @@
-metadata name = 'Log Analytics Workspace Tables'
-metadata description = 'This module deploys a Log Analytics Workspace Table.'
-metadata owner = 'Azure/module-maintainers'
-
-// ============== //
-// Parameters //
-// ============== //
-
-@description('Required. The name of the table.')
-param name string
-
-@description('Conditional. The name of the parent workspaces. Required if the template is used in a standalone deployment.')
-param workspaceName string
-
-@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. Instruct the system how to handle and charge the logs ingested to this table.')
-@allowed([
- 'Basic'
- 'Analytics'
-])
-param plan string = 'Analytics'
-
-@description('Optional. Restore parameters.')
-param restoredLogs object = {}
-
-@description('Optional. The table retention in days, between 4 and 730. Setting this property to -1 will default to the workspace retention.')
-@minValue(-1)
-@maxValue(730)
-param retentionInDays int = -1
-
-@description('Optional. Table\'s schema.')
-param schema object = {}
-
-@description('Optional. Parameters of the search job that initiated this table.')
-param searchResults object = {}
-
-@description('Optional. The table total retention in days, between 4 and 2555. Setting this property to -1 will default to table retention.')
-@minValue(-1)
-@maxValue(2555)
-param totalRetentionInDays int = -1
-
-// =============== //
-// Deployments //
-// =============== //
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
- name: workspaceName
-}
-
-resource table 'Microsoft.OperationalInsights/workspaces/tables@2022-10-01' = {
- parent: workspace
- name: name
- properties: {
- plan: plan
- restoredLogs: restoredLogs
- retentionInDays: retentionInDays
- schema: schema
- searchResults: searchResults
- totalRetentionInDays: totalRetentionInDays
- }
-}
-
-// =========== //
-// Outputs //
-// =========== //
-
-@description('The name of the table.')
-output name string = table.name
-
-@description('The resource ID of the table.')
-output resourceId string = table.id
-
-@description('The name of the resource group the table was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/operational-insights/workspace/table/main.json b/modules/operational-insights/workspace/table/main.json
deleted file mode 100644
index c7952b7a0d..0000000000
--- a/modules/operational-insights/workspace/table/main.json
+++ /dev/null
@@ -1,137 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10977258600449669407" - }, - "name": "Log Analytics Workspace Tables", - "description": "This module deploys a Log Analytics Workspace Table.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the table." - } - }, - "workspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent workspaces. Required if the template is used in a standalone deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." - } - }, - "plan": { - "type": "string", - "defaultValue": "Analytics", - "allowedValues": [ - "Basic", - "Analytics" - ], - "metadata": { - "description": "Optional. Instruct the system how to handle and charge the logs ingested to this table." - } - }, - "restoredLogs": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Restore parameters." - } - }, - "retentionInDays": { - "type": "int", - "defaultValue": -1, - "minValue": -1, - "maxValue": 730, - "metadata": { - "description": "Optional. The table retention in days, between 4 and 730. Setting this property to -1 will default to the workspace retention." - } - }, - "schema": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Table's schema." - } - }, - "searchResults": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Parameters of the search job that initiated this table." 
- } - }, - "totalRetentionInDays": { - "type": "int", - "defaultValue": -1, - "minValue": -1, - "maxValue": 2555, - "metadata": { - "description": "Optional. The table total retention in days, between 4 and 2555. Setting this property to -1 will default to table retention." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/tables", - "apiVersion": "2022-10-01", - "name": "[format('{0}/{1}', parameters('workspaceName'), parameters('name'))]", - "properties": { - "plan": "[parameters('plan')]", - "restoredLogs": "[parameters('restoredLogs')]", - "retentionInDays": "[parameters('retentionInDays')]", - "schema": "[parameters('schema')]", - "searchResults": "[parameters('searchResults')]", - "totalRetentionInDays": "[parameters('totalRetentionInDays')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the table." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the table." - }, - "value": "[resourceId('Microsoft.OperationalInsights/workspaces/tables', parameters('workspaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the table was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file 
diff --git a/modules/operational-insights/workspace/table/version.json b/modules/operational-insights/workspace/table/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/operational-insights/workspace/table/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/operational-insights/workspace/tests/e2e/adv/dependencies.bicep b/modules/operational-insights/workspace/tests/e2e/adv/dependencies.bicep
deleted file mode 100644
index fea9a507cf..0000000000
--- a/modules/operational-insights/workspace/tests/e2e/adv/dependencies.bicep
+++ /dev/null
@@ -1,85 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-@description('Required. The name of the Automation Account to create.')
-param automationAccountName string
-
-@description('Required. The name of the Event Hub Workspace to create.')
-param eventHubNamespaceName string
-
-@description('Required. The name of the Event Hub to create.')
-param eventHubName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
-}
-
-resource automationAccount 'Microsoft.Automation/automationAccounts@2022-08-08' = {
- name: automationAccountName
- location: location
- properties: {
- sku: {
- name: 'Basic'
- }
- }
-}
-
-resource eventHubNamespace 'Microsoft.EventHub/namespaces@2022-10-01-preview' = {
- name: eventHubNamespaceName
- location: location
- sku: {
- name: 'Basic'
- tier: 'Basic'
- capacity: 1
- }
- properties: {
- minimumTlsVersion: '1.2'
- publicNetworkAccess: 'Enabled'
- disableLocalAuth: false
- isAutoInflateEnabled: false
- maximumThroughputUnits: 0
- kafkaEnabled: false
- zoneRedundant: true
- }
-
- resource eventHub 'eventhubs@2022-10-01-preview' = {
- name: eventHubName
- properties: {
- messageRetentionInDays: 1
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
-
-@description('The resource ID of the created Automation Account.')
-output automationAccountResourceId string = automationAccount.id
-
-@description('The resource ID of the created Eventhub Namespace.')
-output eventHubNamespaceResourceId string = eventHubNamespace.id
-
-@description('The name of the created Eventhub.')
-output eventHubName string = eventHubNamespace::eventHub.name
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
diff --git a/modules/operational-insights/workspace/tests/e2e/adv/main.test.bicep b/modules/operational-insights/workspace/tests/e2e/adv/main.test.bicep
deleted file mode 100644
index af8c5e2b55..0000000000
--- a/modules/operational-insights/workspace/tests/e2e/adv/main.test.bicep
+++ /dev/null
@@ -1,310 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-operationalinsights.workspaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'oiwadv'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}sa${serviceShort}'
- automationAccountName: 'dep-${namePrefix}-auto-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-ehw-${serviceShort}'
- eventHubName: 'dep-${namePrefix}-eh-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- dailyQuotaGb: 10
- dataSources: [
- {
- eventLogName: 'Application'
- eventTypes: [
- {
- eventType: 'Error'
- }
- {
- eventType: 'Warning'
- }
- {
- eventType: 'Information'
- }
- ]
- kind: 'WindowsEvent'
- name: 'applicationEvent'
- }
- {
- counterName: '% Processor Time'
- instanceName: '*'
- intervalSeconds: 60
- kind: 'WindowsPerformanceCounter'
- name: 'windowsPerfCounter1'
- objectName: 'Processor'
- }
- {
- kind: 'IISLogs'
- name: 'sampleIISLog1'
- state: 'OnPremiseEnabled'
- }
- {
- kind: 'LinuxSyslog'
- name: 'sampleSyslog1'
- syslogName: 'kern'
- syslogSeverities: [
- {
- severity: 'emerg'
- }
- {
- severity: 'alert'
- }
- {
- severity: 'crit'
- }
- {
- severity: 'err'
- }
- {
- severity: 'warning'
- }
- ]
- }
- {
- kind: 'LinuxSyslogCollection'
- name: 'sampleSyslogCollection1'
- state: 'Enabled'
- }
- {
- instanceName: '*'
- intervalSeconds: 10
- kind: 'LinuxPerformanceObject'
- name: 'sampleLinuxPerf1'
- objectName: 'Logical Disk'
- syslogSeverities: [
- {
- counterName: '% Used Inodes'
- }
- {
- counterName: 'Free Megabytes'
- }
- {
- counterName: '% Used Space'
- }
- {
- counterName: 'Disk Transfers/sec'
- }
- {
- counterName: 'Disk Reads/sec'
- }
- {
- counterName: 'Disk Writes/sec'
- }
- ]
- }
- {
- kind: 'LinuxPerformanceCollection'
- name: 'sampleLinuxPerfCollection1'
- state: 'Enabled'
- }
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- gallerySolutions: [
- {
- name: 'AzureAutomation'
- product: 'OMSGallery'
- publisher: 'Microsoft'
- }
- ]
- linkedServices: [
- {
- name: 'Automation'
- resourceId: nestedDependencies.outputs.automationAccountResourceId
- }
- ]
- linkedStorageAccounts: [
- {
- name: 'Query'
- resourceId: nestedDependencies.outputs.storageAccountResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- publicNetworkAccessForIngestion: 'Disabled'
- publicNetworkAccessForQuery: 'Disabled'
- savedSearches: [
- {
- category: 'VDC Saved Searches'
- displayName: 'VMSS Instance Count2'
- name: 'VMSSQueries'
- query: 'Event | where Source == ServiceFabricNodeBootstrapAgent | summarize AggregatedValue = count() by Computer'
- }
- ]
- storageInsightsConfigs: [
- {
- storageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
- tables: [
- 'LinuxsyslogVer2v0'
- 'WADETWEventTable'
- 'WADServiceFabric*EventTable'
- 'WADWindowsEventLogsTable'
- ]
- }
- ]
- useResourcePermissions: true
- tables: [
- {
- name: 'CustomTableBasic_CL'
- schema: {
- name: 'CustomTableBasic_CL'
- columns: [
- {
- name: 'TimeGenerated'
- type: 'DateTime'
- }
- {
- name: 'RawData'
- type: 'String'
- }
- ]
- }
- totalRetentionInDays: 90
- retentionInDays: 60
- }
- {
- name: 'CustomTableAdvanced_CL'
- schema: {
- name: 'CustomTableAdvanced_CL'
- columns: [
- {
- name: 'TimeGenerated'
- type: 'DateTime'
- }
- {
- name: 'EventTime'
- type: 'DateTime'
- }
- {
- name: 'EventLevel'
- type: 'String'
- }
- {
- name: 'EventCode'
- type: 'Int'
- }
- {
- name: 'Message'
- type: 'String'
- }
- {
- name: 'RawData'
- type: 'String'
- }
- ]
- }
- }
- ]
- dataExports: [
- {
- name: 'eventHubExport'
- enable: true
- destination: {
- resourceId: nestedDependencies.outputs.eventHubNamespaceResourceId
- metaData: {
- eventHubName: nestedDependencies.outputs.eventHubName
- }
- }
- tableNames: [
- 'Alert'
- 'InsightsMetrics'
- ]
- }
- {
- name: 'storageAccountExport'
- enable: true
- destination: {
- resourceId: nestedDependencies.outputs.storageAccountResourceId
- }
- tableNames: [
- 'Operation'
- ]
- }
- ]
- managedIdentities: {
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/operational-insights/workspace/tests/e2e/defaults/main.test.bicep b/modules/operational-insights/workspace/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index 90b6203eee..0000000000
--- a/modules/operational-insights/workspace/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-operationalinsights.workspaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'oiwmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/operational-insights/workspace/tests/e2e/max/dependencies.bicep b/modules/operational-insights/workspace/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 8f83c0d9a1..0000000000
--- a/modules/operational-insights/workspace/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,47 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-@description('Required. The name of the Automation Account to create.')
-param automationAccountName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
-}
-
-resource automationAccount 'Microsoft.Automation/automationAccounts@2022-08-08' = {
- name: automationAccountName
- location: location
- properties: {
- sku: {
- name: 'Basic'
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
-
-@description('The resource ID of the created Automation Account.')
-output automationAccountResourceId string = automationAccount.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
diff --git a/modules/operational-insights/workspace/tests/e2e/max/main.test.bicep b/modules/operational-insights/workspace/tests/e2e/max/main.test.bicep
deleted file mode 100644
index ad7165b0c2..0000000000
--- a/modules/operational-insights/workspace/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,238 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-operationalinsights.workspaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'oiwmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}sa${serviceShort}'
- automationAccountName: 'dep-${namePrefix}-auto-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- dailyQuotaGb: 10
- dataSources: [
- {
- eventLogName: 'Application'
- eventTypes: [
- {
- eventType: 'Error'
- }
- {
- eventType: 'Warning'
- }
- {
- eventType: 'Information'
- }
- ]
- kind: 'WindowsEvent'
- name: 'applicationEvent'
- }
- {
- counterName: '% Processor Time'
- instanceName: '*'
- intervalSeconds: 60
- kind: 'WindowsPerformanceCounter'
- name: 'windowsPerfCounter1'
- objectName: 'Processor'
- }
- {
- kind: 'IISLogs'
- name: 'sampleIISLog1'
- state: 'OnPremiseEnabled'
- }
- {
- kind: 'LinuxSyslog'
- name: 'sampleSyslog1'
- syslogName: 'kern'
- syslogSeverities: [
- {
- severity: 'emerg'
- }
- {
- severity: 'alert'
- }
- {
- severity: 'crit'
- }
- {
- severity: 'err'
- }
- {
- severity: 'warning'
- }
- ]
- }
- {
- kind: 'LinuxSyslogCollection'
- name: 'sampleSyslogCollection1'
- state: 'Enabled'
- }
- {
- instanceName: '*'
- intervalSeconds: 10
- kind: 'LinuxPerformanceObject'
- name: 'sampleLinuxPerf1'
- objectName: 'Logical Disk'
- syslogSeverities: [
- {
- counterName: '% Used Inodes'
- }
- {
- counterName: 'Free Megabytes'
- }
- {
- counterName: '% Used Space'
- }
- {
- counterName: 'Disk Transfers/sec'
- }
- {
- counterName: 'Disk Reads/sec'
- }
- {
- counterName: 'Disk Writes/sec'
- }
- ]
- }
- {
- kind: 'LinuxPerformanceCollection'
- name: 'sampleLinuxPerfCollection1'
- state: 'Enabled'
- }
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- gallerySolutions: [
- {
- name: 'AzureAutomation'
- product: 'OMSGallery'
- publisher: 'Microsoft'
- }
- ]
- linkedServices: [
- {
- name: 'Automation'
- resourceId: nestedDependencies.outputs.automationAccountResourceId
- }
- ]
- linkedStorageAccounts: [
- {
- name: 'Query'
- resourceId: nestedDependencies.outputs.storageAccountResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- publicNetworkAccessForIngestion: 'Disabled'
- publicNetworkAccessForQuery: 'Disabled'
- savedSearches: [
- {
- category: 'VDC Saved Searches'
- displayName: 'VMSS Instance Count2'
- name: 'VMSSQueries'
- query: 'Event | where Source == ServiceFabricNodeBootstrapAgent | summarize AggregatedValue = count() by Computer'
- }
- ]
- storageInsightsConfigs: [
- {
- storageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
- tables: [
- 'LinuxsyslogVer2v0'
- 'WADETWEventTable'
- 'WADServiceFabric*EventTable'
- 'WADWindowsEventLogsTable'
- ]
- }
- ]
- useResourcePermissions: true
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- managedIdentities: {
- systemAssigned: true
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- }
-}]
diff --git a/modules/operational-insights/workspace/tests/e2e/waf-aligned/dependencies.bicep b/modules/operational-insights/workspace/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 8f83c0d9a1..0000000000
--- a/modules/operational-insights/workspace/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,47 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-@description('Required. The name of the Automation Account to create.')
-param automationAccountName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
-}
-
-resource automationAccount 'Microsoft.Automation/automationAccounts@2022-08-08' = {
- name: automationAccountName
- location: location
- properties: {
- sku: {
- name: 'Basic'
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
-
-@description('The resource ID of the created Automation Account.')
-output automationAccountResourceId string = automationAccount.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
diff --git a/modules/operational-insights/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/operational-insights/workspace/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index e523244e4a..0000000000
--- a/modules/operational-insights/workspace/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,238 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-operationalinsights.workspaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'oiwwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}sa${serviceShort}'
- automationAccountName: 'dep-${namePrefix}-auto-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- dailyQuotaGb: 10
- dataSources: [
- {
- eventLogName: 'Application'
- eventTypes: [
- {
- eventType: 'Error'
- }
- {
- eventType: 'Warning'
- }
- {
- eventType: 'Information'
- }
- ]
- kind: 'WindowsEvent'
- name: 'applicationEvent'
- }
- {
- counterName: '% Processor Time'
- instanceName: '*'
- intervalSeconds: 60
- kind: 'WindowsPerformanceCounter'
- name: 'windowsPerfCounter1'
- objectName: 'Processor'
- }
- {
- kind: 'IISLogs'
- name: 'sampleIISLog1'
- state: 'OnPremiseEnabled'
- }
- {
- kind: 'LinuxSyslog'
- name: 'sampleSyslog1'
- syslogName: 'kern'
- syslogSeverities: [
- {
- severity: 'emerg'
- }
- {
- severity: 'alert'
- }
- {
- severity: 'crit'
- }
- {
- severity: 'err'
- }
- {
- severity: 'warning'
- }
- ]
- }
- {
- kind: 'LinuxSyslogCollection'
- name: 'sampleSyslogCollection1'
- state: 'Enabled'
- }
- {
- instanceName: '*'
- intervalSeconds: 10
- kind: 'LinuxPerformanceObject'
- name: 'sampleLinuxPerf1'
- objectName: 'Logical Disk'
- syslogSeverities: [
- {
- counterName: '% Used Inodes'
- }
- {
- counterName: 'Free Megabytes'
- }
- {
- counterName: '% Used Space'
- }
- {
- counterName: 'Disk Transfers/sec'
- }
- {
- counterName: 'Disk Reads/sec'
- }
- {
- counterName: 'Disk Writes/sec'
- }
- ]
- }
- {
- kind: 'LinuxPerformanceCollection'
- name: 'sampleLinuxPerfCollection1'
- state: 'Enabled'
- }
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- gallerySolutions: [
- {
- name: 'AzureAutomation'
- product: 'OMSGallery'
- publisher: 'Microsoft'
- }
- ]
- linkedServices: [
- {
- name: 'Automation'
- resourceId: nestedDependencies.outputs.automationAccountResourceId
- }
- ]
- linkedStorageAccounts: [
- {
- name: 'Query'
- resourceId: nestedDependencies.outputs.storageAccountResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- publicNetworkAccessForIngestion: 'Disabled'
- publicNetworkAccessForQuery: 'Disabled'
- savedSearches: [
- {
- category: 'VDC Saved Searches'
- displayName: 'VMSS Instance Count2'
- name: 'VMSSQueries'
- query: 'Event | where Source == ServiceFabricNodeBootstrapAgent | summarize AggregatedValue = count() by Computer'
- }
- ]
- storageInsightsConfigs: [
- {
- storageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
- tables: [
- 'LinuxsyslogVer2v0'
- 'WADETWEventTable'
- 'WADServiceFabric*EventTable'
- 'WADWindowsEventLogsTable'
- ]
- }
- ]
- useResourcePermissions: true
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- managedIdentities: {
- systemAssigned: true
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- }
-}]
diff --git a/modules/operational-insights/workspace/version.json b/modules/operational-insights/workspace/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/operational-insights/workspace/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/operations-management/solution/MOVED-TO-AVM.md b/modules/operations-management/solution/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/operations-management/solution/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/operations-management/solution/README.md b/modules/operations-management/solution/README.md
index 460d47533d..12acb02ac0 100644
--- a/modules/operations-management/solution/README.md
+++ b/modules/operations-management/solution/README.md
@@ -1,276 +1,7 @@
-# Operations Management Solutions `[Microsoft.OperationsManagement/solutions]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/operations-management/solution](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/operations-management/solution).** -This module deploys an Operations Management Solution. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/operations-management/solution). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.OperationsManagement/solutions` | [2015-11-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.OperationsManagement/2015-11-01-preview/solutions) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/operations-management.solution:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Ms](#example-2-ms) -- [Nonms](#example-3-nonms) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module solution 'br:bicep/modules/operations-management.solution:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-omsmin' - params: { - // Required parameters - logAnalyticsWorkspaceName: '' - name: 'Updates' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "logAnalyticsWorkspaceName": { - "value": "" - }, - "name": { - "value": "Updates" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Ms_ - -

- -via Bicep module - -```bicep -module solution 'br:bicep/modules/operations-management.solution:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-omsms' - params: { - // Required parameters - logAnalyticsWorkspaceName: '' - name: 'AzureAutomation' - // Non-required parameters - enableDefaultTelemetry: '' - product: 'OMSGallery' - publisher: 'Microsoft' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "logAnalyticsWorkspaceName": { - "value": "" - }, - "name": { - "value": "AzureAutomation" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "product": { - "value": "OMSGallery" - }, - "publisher": { - "value": "Microsoft" - } - } -} -``` - -
-

- -### Example 3: _Nonms_ - -

- -via Bicep module - -```bicep -module solution 'br:bicep/modules/operations-management.solution:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-omsnonms' - params: { - // Required parameters - logAnalyticsWorkspaceName: '' - name: 'omsnonms001' - // Non-required parameters - enableDefaultTelemetry: '' - product: 'nonmsTestSolutionProduct' - publisher: 'nonmsTestSolutionPublisher' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "logAnalyticsWorkspaceName": { - "value": "" - }, - "name": { - "value": "omsnonms001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "product": { - "value": "nonmsTestSolutionProduct" - }, - "publisher": { - "value": "nonmsTestSolutionPublisher" - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`logAnalyticsWorkspaceName`](#parameter-loganalyticsworkspacename) | string | Name of the Log Analytics workspace where the solution will be deployed/enabled. | -| [`name`](#parameter-name) | string | Name of the solution. For Microsoft published gallery solution the target solution resource name will be composed as `{name}({logAnalyticsWorkspaceName})`. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`product`](#parameter-product) | string | The product of the deployed solution. For Microsoft published gallery solution it should be `OMSGallery` and the target solution resource product will be composed as `OMSGallery/{name}`. For third party solution, it can be anything. This is case sensitive. | -| [`publisher`](#parameter-publisher) | string | The publisher name of the deployed solution. For Microsoft published gallery solution, it is `Microsoft`. | - -### Parameter: `logAnalyticsWorkspaceName` - -Name of the Log Analytics workspace where the solution will be deployed/enabled. - -- Required: Yes -- Type: string - -### Parameter: `name` - -Name of the solution. For Microsoft published gallery solution the target solution resource name will be composed as `{name}({logAnalyticsWorkspaceName})`. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `product` - -The product of the deployed solution. 
For Microsoft published gallery solution it should be `OMSGallery` and the target solution resource product will be composed as `OMSGallery/{name}`. For third party solution, it can be anything. This is case sensitive. - -- Required: No -- Type: string -- Default: `'OMSGallery'` - -### Parameter: `publisher` - -The publisher name of the deployed solution. For Microsoft published gallery solution, it is `Microsoft`. - -- Required: No -- Type: string -- Default: `'Microsoft'` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed solution. | -| `resourceGroupName` | string | The resource group where the solution is deployed. | -| `resourceId` | string | The resource ID of the deployed solution. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/operations-management/solution/main.bicep b/modules/operations-management/solution/main.bicep deleted file mode 100644 index e8bd47e9e4..0000000000 --- a/modules/operations-management/solution/main.bicep +++ /dev/null 
@@ -1,67 +0,0 @@
-metadata name = 'Operations Management Solutions'
-metadata description = 'This module deploys an Operations Management Solution.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the solution. For Microsoft published gallery solution the target solution resource name will be composed as `{name}({logAnalyticsWorkspaceName})`.')
-param name string
-
-@description('Required. Name of the Log Analytics workspace where the solution will be deployed/enabled.')
-param logAnalyticsWorkspaceName string
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. The product of the deployed solution. For Microsoft published gallery solution it should be `OMSGallery` and the target solution resource product will be composed as `OMSGallery/{name}`. For third party solution, it can be anything. This is case sensitive.')
-param product string = 'OMSGallery'
-
-@description('Optional. The publisher name of the deployed solution. For Microsoft published gallery solution, it is `Microsoft`.')
-param publisher string = 'Microsoft'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' existing = {
- name: logAnalyticsWorkspaceName
-}
-
-var solutionName = publisher == 'Microsoft' ? '${name}(${logAnalyticsWorkspace.name})' : name
-
-var solutionProduct = publisher == 'Microsoft' ? 'OMSGallery/${name}' : product
-
-resource solution 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = {
- name: solutionName
- location: location
- properties: {
- workspaceResourceId: logAnalyticsWorkspace.id
- }
- plan: {
- name: solutionName
- promotionCode: ''
- product: solutionProduct
- publisher: publisher
- }
-}
-
-@description('The name of the deployed solution.')
-output name string = solution.name
-
-@description('The resource ID of the deployed solution.')
-output resourceId string = solution.id
-
-@description('The resource group where the solution is deployed.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = solution.location
diff --git a/modules/operations-management/solution/main.json b/modules/operations-management/solution/main.json
deleted file mode 100644
index 523630f0ec..0000000000
--- a/modules/operations-management/solution/main.json
+++ /dev/null
@@ -1,121 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6590935071601965866" - }, - "name": "Operations Management Solutions", - "description": "This module deploys an Operations Management Solution.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the solution. For Microsoft published gallery solution the target solution resource name will be composed as `{name}({logAnalyticsWorkspaceName})`." - } - }, - "logAnalyticsWorkspaceName": { - "type": "string", - "metadata": { - "description": "Required. Name of the Log Analytics workspace where the solution will be deployed/enabled." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "product": { - "type": "string", - "defaultValue": "OMSGallery", - "metadata": { - "description": "Optional. The product of the deployed solution. For Microsoft published gallery solution it should be `OMSGallery` and the target solution resource product will be composed as `OMSGallery/{name}`. For third party solution, it can be anything. This is case sensitive." - } - }, - "publisher": { - "type": "string", - "defaultValue": "Microsoft", - "metadata": { - "description": "Optional. The publisher name of the deployed solution. For Microsoft published gallery solution, it is `Microsoft`." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "solutionName": "[if(equals(parameters('publisher'), 'Microsoft'), format('{0}({1})', parameters('name'), parameters('logAnalyticsWorkspaceName')), parameters('name'))]", - "solutionProduct": "[if(equals(parameters('publisher'), 'Microsoft'), format('OMSGallery/{0}', parameters('name')), parameters('product'))]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.OperationsManagement/solutions", - "apiVersion": "2015-11-01-preview", - "name": "[variables('solutionName')]", - "location": "[parameters('location')]", - "properties": { - "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" - }, - "plan": { - "name": "[variables('solutionName')]", - "promotionCode": "", - "product": "[variables('solutionProduct')]", - "publisher": "[parameters('publisher')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed solution." - }, - "value": "[variables('solutionName')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed solution." - }, - "value": "[resourceId('Microsoft.OperationsManagement/solutions', variables('solutionName'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group where the solution is deployed." 
- }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference(resourceId('Microsoft.OperationsManagement/solutions', variables('solutionName')), '2015-11-01-preview', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/operations-management/solution/tests/e2e/defaults/dependencies.bicep b/modules/operations-management/solution/tests/e2e/defaults/dependencies.bicep deleted file mode 100644 index ef3592fb5f..0000000000 --- a/modules/operations-management/solution/tests/e2e/defaults/dependencies.bicep +++ /dev/null @@ -1,13 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Log Analytics Workspace to create.') -param logAnalyticsWorkspaceName string - -resource logAnalytics 'Microsoft.OperationalInsights/workspaces@2021-06-01' = { - name: logAnalyticsWorkspaceName - location: location -} - -@description('The name of the created Log Analytics Workspace.') -output logAnalyticsWorkspaceName string = logAnalytics.name diff --git a/modules/operations-management/solution/tests/e2e/defaults/main.test.bicep b/modules/operations-management/solution/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index c3e69fd0ab..0000000000 --- a/modules/operations-management/solution/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,58 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-operationsmanagement.solutions-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'omsmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: 'Updates'
- logAnalyticsWorkspaceName: nestedDependencies.outputs.logAnalyticsWorkspaceName
- }
-}]
diff --git a/modules/operations-management/solution/tests/e2e/ms/dependencies.bicep b/modules/operations-management/solution/tests/e2e/ms/dependencies.bicep
deleted file mode 100644
index ef3592fb5f..0000000000
--- a/modules/operations-management/solution/tests/e2e/ms/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Log Analytics Workspace to create.')
-param logAnalyticsWorkspaceName string
-
-resource logAnalytics 'Microsoft.OperationalInsights/workspaces@2021-06-01' = {
- name: logAnalyticsWorkspaceName
- location: location
-}
-
-@description('The name of the created Log Analytics Workspace.')
-output logAnalyticsWorkspaceName string = logAnalytics.name
diff --git a/modules/operations-management/solution/tests/e2e/ms/main.test.bicep b/modules/operations-management/solution/tests/e2e/ms/main.test.bicep
deleted file mode 100644
index 1751e570b0..0000000000
--- a/modules/operations-management/solution/tests/e2e/ms/main.test.bicep
+++ /dev/null
@@ -1,57 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-operationsmanagement.solutions-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'omsms'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: 'AzureAutomation'
- logAnalyticsWorkspaceName: nestedDependencies.outputs.logAnalyticsWorkspaceName
- product: 'OMSGallery'
- publisher: 'Microsoft'
- }
-}]
diff --git a/modules/operations-management/solution/tests/e2e/nonms/dependencies.bicep b/modules/operations-management/solution/tests/e2e/nonms/dependencies.bicep
deleted file mode 100644
index ef3592fb5f..0000000000
--- a/modules/operations-management/solution/tests/e2e/nonms/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Log Analytics Workspace to create.')
-param logAnalyticsWorkspaceName string
-
-resource logAnalytics 'Microsoft.OperationalInsights/workspaces@2021-06-01' = {
- name: logAnalyticsWorkspaceName
- location: location
-}
-
-@description('The name of the created Log Analytics Workspace.')
-output logAnalyticsWorkspaceName string = logAnalytics.name
diff --git a/modules/operations-management/solution/tests/e2e/nonms/main.test.bicep b/modules/operations-management/solution/tests/e2e/nonms/main.test.bicep
deleted file mode 100644
index 1ddf6bddf8..0000000000
--- a/modules/operations-management/solution/tests/e2e/nonms/main.test.bicep
+++ /dev/null
@@ -1,57 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-operationsmanagement.solutions-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'omsnonms'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- logAnalyticsWorkspaceName: nestedDependencies.outputs.logAnalyticsWorkspaceName
- product: 'nonmsTestSolutionProduct'
- publisher: 'nonmsTestSolutionPublisher'
- }
-}]
diff --git a/modules/operations-management/solution/version.json b/modules/operations-management/solution/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/operations-management/solution/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/policy-insights/remediation/README.md b/modules/policy-insights/remediation/README.md
index 23000704d6..7be8ed1152 100644
--- a/modules/policy-insights/remediation/README.md
+++ b/modules/policy-insights/remediation/README.md
@@ -1,686 +1,7 @@
-# Policy Insights Remediations `[Microsoft.PolicyInsights/remediations]`
+

⚠️ Moved to AVM ⚠️

-This module deploys a Policy Insights Remediation. +**This module has been evolved into the following AVM module: [avm/ptn/policy-insights/remediation](https://github.com/Azure/bicep-registry-modules/tree/main/avm/ptn/policy-insights/remediation).** -## Navigation +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/policy-insights/remediation). -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.PolicyInsights/remediations` | [2021-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.PolicyInsights/2021-10-01/remediations) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/policy-insights.remediation:1.0.0`. - -- [Mg.Common](#example-1-mgcommon) -- [Mg.Min](#example-2-mgmin) -- [Rg.Common](#example-3-rgcommon) -- [Rg.Min](#example-4-rgmin) -- [Sub.Common](#example-5-subcommon) -- [Sub.Min](#example-6-submin) - -### Example 1: _Mg.Common_ - -
- -via Bicep module - -```bicep -module remediation 'br:bicep/modules/policy-insights.remediation:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-pirmgcom' - params: { - // Required parameters - name: 'pirmgcom001' - policyAssignmentId: '' - // Non-required parameters - enableDefaultTelemetry: '' - failureThresholdPercentage: '0.5' - filtersLocations: [ - 'australiaeast' - ] - location: '' - parallelDeployments: 1 - policyDefinitionReferenceId: '' - resourceCount: 10 - resourceDiscoveryMode: 'ExistingNonCompliant' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "pirmgcom001" - }, - "policyAssignmentId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "failureThresholdPercentage": { - "value": "0.5" - }, - "filtersLocations": { - "value": [ - "australiaeast" - ] - }, - "location": { - "value": "" - }, - "parallelDeployments": { - "value": 1 - }, - "policyDefinitionReferenceId": { - "value": "" - }, - "resourceCount": { - "value": 10 - }, - "resourceDiscoveryMode": { - "value": "ExistingNonCompliant" - } - } -} -``` - -
-

- -### Example 2: _Mg.Min_ - -

- -via Bicep module - -```bicep -module remediation 'br:bicep/modules/policy-insights.remediation:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-pirmgmin' - params: { - // Required parameters - name: 'pirmgmin001' - policyAssignmentId: '' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "pirmgmin001" - }, - "policyAssignmentId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 3: _Rg.Common_ - -

- -via Bicep module - -```bicep -module remediation 'br:bicep/modules/policy-insights.remediation:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-pirrgcom' - params: { - // Required parameters - name: 'pirrgcom001' - policyAssignmentId: '' - // Non-required parameters - enableDefaultTelemetry: '' - failureThresholdPercentage: '0.5' - filtersLocations: [ - 'australiaeast' - ] - location: '' - parallelDeployments: 1 - policyDefinitionReferenceId: '' - resourceCount: 10 - resourceDiscoveryMode: 'ExistingNonCompliant' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "pirrgcom001" - }, - "policyAssignmentId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "failureThresholdPercentage": { - "value": "0.5" - }, - "filtersLocations": { - "value": [ - "australiaeast" - ] - }, - "location": { - "value": "" - }, - "parallelDeployments": { - "value": 1 - }, - "policyDefinitionReferenceId": { - "value": "" - }, - "resourceCount": { - "value": 10 - }, - "resourceDiscoveryMode": { - "value": "ExistingNonCompliant" - } - } -} -``` - -
-

- -### Example 4: _Rg.Min_ - -

- -via Bicep module - -```bicep -module remediation 'br:bicep/modules/policy-insights.remediation:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-pirrgmin' - params: { - // Required parameters - name: 'pirrgmin001' - policyAssignmentId: '' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "pirrgmin001" - }, - "policyAssignmentId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 5: _Sub.Common_ - -

- -via Bicep module - -```bicep -module remediation 'br:bicep/modules/policy-insights.remediation:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-pirsubcom' - params: { - // Required parameters - name: 'pirsubcom001' - policyAssignmentId: '' - // Non-required parameters - enableDefaultTelemetry: '' - failureThresholdPercentage: '0.5' - filtersLocations: [ - 'australiaeast' - ] - location: '' - parallelDeployments: 1 - policyDefinitionReferenceId: '' - resourceCount: 10 - resourceDiscoveryMode: 'ExistingNonCompliant' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "pirsubcom001" - }, - "policyAssignmentId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "failureThresholdPercentage": { - "value": "0.5" - }, - "filtersLocations": { - "value": [ - "australiaeast" - ] - }, - "location": { - "value": "" - }, - "parallelDeployments": { - "value": 1 - }, - "policyDefinitionReferenceId": { - "value": "" - }, - "resourceCount": { - "value": 10 - }, - "resourceDiscoveryMode": { - "value": "ExistingNonCompliant" - } - } -} -``` - -
-

- -### Example 6: _Sub.Min_ - -

- -via Bicep module - -```bicep -module remediation 'br:bicep/modules/policy-insights.remediation:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-pirsubmin' - params: { - // Required parameters - name: 'pirsubmin001' - policyAssignmentId: '' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "pirsubmin001" - }, - "policyAssignmentId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Specifies the name of the policy remediation. | -| [`policyAssignmentId`](#parameter-policyassignmentid) | string | The resource ID of the policy assignment that should be remediated. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`failureThresholdPercentage`](#parameter-failurethresholdpercentage) | string | The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail. | -| [`filtersLocations`](#parameter-filterslocations) | array | The filters that will be applied to determine which resources to remediate. | -| [`location`](#parameter-location) | string | Location deployment metadata. | -| [`managementGroupId`](#parameter-managementgroupid) | string | The target scope for the remediation. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment. | -| [`parallelDeployments`](#parameter-paralleldeployments) | int | Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used. 
| -| [`policyDefinitionReferenceId`](#parameter-policydefinitionreferenceid) | string | The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition. | -| [`resourceCount`](#parameter-resourcecount) | int | Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used. | -| [`resourceDiscoveryMode`](#parameter-resourcediscoverymode) | string | The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified. | -| [`resourceGroupName`](#parameter-resourcegroupname) | string | The target scope for the remediation. The name of the resource group for the policy assignment. | -| [`subscriptionId`](#parameter-subscriptionid) | string | The target scope for the remediation. The subscription ID of the subscription for the policy assignment. | - -### Parameter: `name` - -Specifies the name of the policy remediation. - -- Required: Yes -- Type: string - -### Parameter: `policyAssignmentId` - -The resource ID of the policy assignment that should be remediated. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `failureThresholdPercentage` - -The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail. 
- -- Required: No -- Type: string -- Default: `'1'` - -### Parameter: `filtersLocations` - -The filters that will be applied to determine which resources to remediate. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location deployment metadata. - -- Required: No -- Type: string -- Default: `[deployment().location]` - -### Parameter: `managementGroupId` - -The target scope for the remediation. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment. - -- Required: No -- Type: string -- Default: `[managementGroup().name]` - -### Parameter: `parallelDeployments` - -Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used. - -- Required: No -- Type: int -- Default: `10` - -### Parameter: `policyDefinitionReferenceId` - -The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `resourceCount` - -Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used. - -- Required: No -- Type: int -- Default: `500` - -### Parameter: `resourceDiscoveryMode` - -The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified. - -- Required: No -- Type: string -- Default: `'ExistingNonCompliant'` -- Allowed: - ```Bicep - [ - 'ExistingNonCompliant' - 'ReEvaluateCompliance' - ] - ``` - -### Parameter: `resourceGroupName` - -The target scope for the remediation. The name of the resource group for the policy assignment. 
- -- Required: No -- Type: string -- Default: `''` - -### Parameter: `subscriptionId` - -The target scope for the remediation. The subscription ID of the subscription for the policy assignment. - -- Required: No -- Type: string -- Default: `''` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the remediation. | -| `resourceId` | string | The resource ID of the remediation. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `managementGroupId` - -To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module. - -

- -Parameter JSON format - -```json -"managementGroupId": { - "value": "contoso-group" -} -``` - -
- - -
- -Bicep format - -```bicep -managementGroupId: 'contoso-group' -``` - -
-

- -> `managementGroupId` is an optional parameter. If not provided, the deployment will use the management group defined in the current deployment scope (i.e. `managementGroup().name`). - -### Parameter Usage: `subscriptionId` - -To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. **Example**: - -

- -Parameter JSON format - -```json -"subscriptionId": { - "value": "12345678-b049-471c-95af-123456789012" -} -``` - -
- -
- -Bicep format - -```bicep -subscriptionId: '12345678-b049-471c-95af-123456789012' -``` - -
-

- -### Parameter Usage: `resourceGroupName` - -To deploy resource to a Resource Group, provide the `subscriptionId` and `resourceGroupName` as an input parameter to the module. **Example**: - -

- -Parameter JSON format - -```json -"subscriptionId": { - "value": "12345678-b049-471c-95af-123456789012" -}, -"resourceGroupName": { - "value": "target-resourceGroup" -} -``` - -
- - -
- -Bicep format - -```bicep -subscriptionId: '12345678-b049-471c-95af-123456789012' -resourceGroupName: 'target-resourceGroup' -``` - -
-

- -> The `subscriptionId` is used to enable deployment to a Resource Group Scope, allowing the use of the `resourceGroup()` function from a Management Group Scope. [Additional Details](https://github.com/Azure/bicep/pull/1420). - - -### Module Usage Guidance - -In general, resources under the `Microsoft.PolicyInsights` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `main.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](main.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/main.bicep'](./subscription/main.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module. - -The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If you do not set the scope to management group, this would be the error that you can expect to face: - -```bicep -Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup" -``` - -The solution is to have the option of directly targeting the sub-module that achieves the required scope. 
For example, if you have your own Bicep file wanting to create resources at the subscription level, and also use some of the modules from the `Microsoft.PolicyInsights` namespace, then you can directly use the sub-module ['/subscription/main.bicep'](./subscription/main.bicep) as a path within your repository, or reference that same published module from the bicep registry. CARML also published the sub-modules so you would be able to reference it like the following: - -**Bicep Registry Reference** -```bicep -module remediation 'br:bicepregistry.azurecr.io/bicep/modules/policyinsights.remediations.subscription:version' = {} -``` -**Local Path Reference** -```bicep -module remediation 'yourpath/module/Authorization.policyinsights/subscription/main.bicep' = {} -``` +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/policy-insights/remediation/main.bicep b/modules/policy-insights/remediation/main.bicep deleted file mode 100644 index efd36ac85d..0000000000 --- a/modules/policy-insights/remediation/main.bicep +++ /dev/null 
@@ -1,127 +0,0 @@ -metadata name = 'Policy Insights Remediations' -metadata description = 'This module deploys a Policy Insights Remediation.' -metadata owner = 'Azure/module-maintainers' - -targetScope = 'managementGroup' - -@sys.description('Required. Specifies the name of the policy remediation.') -param name string - -@sys.description('Optional. The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail.') -param failureThresholdPercentage string = '1' - -@sys.description('Optional. The filters that will be applied to determine which resources to remediate.') -param filtersLocations array = [] - -@sys.description('Optional. Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used.') -@minValue(1) -@maxValue(30) -param parallelDeployments int = 10 - -@sys.description('Optional. Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used.') -@minValue(1) -@maxValue(50000) -param resourceCount int = 500 - -@sys.description('Optional. The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified.') -@allowed([ - 'ExistingNonCompliant' - 'ReEvaluateCompliance' -]) -param resourceDiscoveryMode string = 'ExistingNonCompliant' - -@sys.description('Required. 
The resource ID of the policy assignment that should be remediated.') -param policyAssignmentId string - -@sys.description('Optional. The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition.') -param policyDefinitionReferenceId string = '' - -@sys.description('Optional. The target scope for the remediation. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment.') -param managementGroupId string = managementGroup().name - -@sys.description('Optional. The target scope for the remediation. The subscription ID of the subscription for the policy assignment.') -param subscriptionId string = '' - -@sys.description('Optional. The target scope for the remediation. The name of the resource group for the policy assignment.') -param resourceGroupName string = '' - -@sys.description('Optional. Location deployment metadata.') -param location string = deployment().location - -@sys.description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var enableReferencedModulesTelemetry = false - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - location: location - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -module remediation_mg 'management-group/main.bicep' = if (empty(subscriptionId) && empty(resourceGroupName)) { - name: '${uniqueString(deployment().name, location)}-Remediation-MG-Module' - scope: managementGroup(managementGroupId) - params: { - enableDefaultTelemetry: enableReferencedModulesTelemetry - name: name - location: location - policyAssignmentId: policyAssignmentId - policyDefinitionReferenceId: policyDefinitionReferenceId - filtersLocations: filtersLocations - resourceCount: resourceCount - resourceDiscoveryMode: resourceDiscoveryMode - parallelDeployments: parallelDeployments - failureThresholdPercentage: failureThresholdPercentage - } -} - -module remediation_sub 'subscription/main.bicep' = if (!empty(subscriptionId) && empty(resourceGroupName)) { - name: '${uniqueString(deployment().name, location)}-Remediation-Sub-Module' - scope: subscription(subscriptionId) - params: { - enableDefaultTelemetry: enableReferencedModulesTelemetry - name: name - location: location - policyAssignmentId: policyAssignmentId - policyDefinitionReferenceId: policyDefinitionReferenceId - filtersLocations: filtersLocations - resourceCount: resourceCount - resourceDiscoveryMode: resourceDiscoveryMode - parallelDeployments: parallelDeployments - failureThresholdPercentage: failureThresholdPercentage - } -} - -module remediation_rg 'resource-group/main.bicep' = if (!empty(resourceGroupName) && 
!empty(subscriptionId)) { - name: '${uniqueString(deployment().name, location)}-Remediation-RG-Module' - scope: resourceGroup(subscriptionId, resourceGroupName) - params: { - enableDefaultTelemetry: enableReferencedModulesTelemetry - name: name - location: location - policyAssignmentId: policyAssignmentId - policyDefinitionReferenceId: policyDefinitionReferenceId - filtersLocations: filtersLocations - resourceCount: resourceCount - resourceDiscoveryMode: resourceDiscoveryMode - parallelDeployments: parallelDeployments - failureThresholdPercentage: failureThresholdPercentage - } -} - -@sys.description('The name of the remediation.') -output name string = empty(subscriptionId) && empty(resourceGroupName) ? remediation_mg.outputs.name : (!empty(subscriptionId) && empty(resourceGroupName) ? remediation_sub.outputs.name : remediation_rg.outputs.name) - -@description('The resource ID of the remediation.') -output resourceId string = empty(subscriptionId) && empty(resourceGroupName) ? remediation_mg.outputs.resourceId : (!empty(subscriptionId) && empty(resourceGroupName) ? remediation_sub.outputs.resourceId : remediation_rg.outputs.resourceId) - -@sys.description('The location the resource was deployed into.') -output location string = empty(subscriptionId) && empty(resourceGroupName) ? remediation_mg.outputs.location : (!empty(subscriptionId) && empty(resourceGroupName) ? remediation_sub.outputs.location : remediation_rg.outputs.location) diff --git a/modules/policy-insights/remediation/main.json b/modules/policy-insights/remediation/main.json deleted file mode 100644 index 4d0779c55a..0000000000 --- a/modules/policy-insights/remediation/main.json +++ /dev/null 
@@ -1,750 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9716129657217536595" - }, - "name": "Policy Insights Remediations", - "description": "This module deploys a Policy Insights Remediation.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Specifies the name of the policy remediation." - } - }, - "failureThresholdPercentage": { - "type": "string", - "defaultValue": "1", - "metadata": { - "description": "Optional. The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail." - } - }, - "filtersLocations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The filters that will be applied to determine which resources to remediate." - } - }, - "parallelDeployments": { - "type": "int", - "defaultValue": 10, - "minValue": 1, - "maxValue": 30, - "metadata": { - "description": "Optional. Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used." - } - }, - "resourceCount": { - "type": "int", - "defaultValue": 500, - "minValue": 1, - "maxValue": 50000, - "metadata": { - "description": "Optional. 
Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used." - } - }, - "resourceDiscoveryMode": { - "type": "string", - "defaultValue": "ExistingNonCompliant", - "allowedValues": [ - "ExistingNonCompliant", - "ReEvaluateCompliance" - ], - "metadata": { - "description": "Optional. The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified." - } - }, - "policyAssignmentId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the policy assignment that should be remediated." - } - }, - "policyDefinitionReferenceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition." - } - }, - "managementGroupId": { - "type": "string", - "defaultValue": "[managementGroup().name]", - "metadata": { - "description": "Optional. The target scope for the remediation. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment." - } - }, - "subscriptionId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The target scope for the remediation. The subscription ID of the subscription for the policy assignment." - } - }, - "resourceGroupName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The target scope for the remediation. The name of the resource group for the policy assignment." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. 
Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "condition": "[and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Remediation-MG-Module', uniqueString(deployment().name, parameters('location')))]", - "scope": "[format('Microsoft.Management/managementGroups/{0}', parameters('managementGroupId'))]", - "location": "[deployment().location]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "name": { - "value": "[parameters('name')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "policyAssignmentId": { - "value": "[parameters('policyAssignmentId')]" - }, - "policyDefinitionReferenceId": { - "value": "[parameters('policyDefinitionReferenceId')]" - }, - "filtersLocations": { - "value": "[parameters('filtersLocations')]" - }, - "resourceCount": { - "value": "[parameters('resourceCount')]" - }, - "resourceDiscoveryMode": { - "value": "[parameters('resourceDiscoveryMode')]" - }, - "parallelDeployments": { - "value": "[parameters('parallelDeployments')]" - }, - "failureThresholdPercentage": { - "value": 
"[parameters('failureThresholdPercentage')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11915278545941211218" - }, - "name": "Policy Insights Remediations (Management Group scope)", - "description": "This module deploys a Policy Insights Remediation on a Management Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Specifies the name of the policy remediation." - } - }, - "failureThresholdPercentage": { - "type": "string", - "defaultValue": "1", - "metadata": { - "description": "Optional. The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail." - } - }, - "filtersLocations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The filters that will be applied to determine which resources to remediate." - } - }, - "parallelDeployments": { - "type": "int", - "defaultValue": 10, - "minValue": 1, - "maxValue": 30, - "metadata": { - "description": "Optional. Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used." 
- } - }, - "resourceCount": { - "type": "int", - "defaultValue": 500, - "minValue": 1, - "maxValue": 50000, - "metadata": { - "description": "Optional. Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used." - } - }, - "resourceDiscoveryMode": { - "type": "string", - "defaultValue": "ExistingNonCompliant", - "allowedValues": [ - "ExistingNonCompliant", - "ReEvaluateCompliance" - ], - "metadata": { - "description": "Optional. The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified." - } - }, - "policyAssignmentId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the policy assignment that should be remediated." - } - }, - "policyDefinitionReferenceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.PolicyInsights/remediations", - "apiVersion": "2021-10-01", - "name": "[parameters('name')]", - "properties": { - "failureThreshold": { - "percentage": "[json(parameters('failureThresholdPercentage'))]" - }, - "filters": { - "locations": "[parameters('filtersLocations')]" - }, - "parallelDeployments": "[parameters('parallelDeployments')]", - "policyAssignmentId": "[parameters('policyAssignmentId')]", - "policyDefinitionReferenceId": "[parameters('policyDefinitionReferenceId')]", - "resourceCount": "[parameters('resourceCount')]", - "resourceDiscoveryMode": "[parameters('resourceDiscoveryMode')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the remediation." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the remediation." - }, - "value": "[extensionResourceId(managementGroup().id, 'Microsoft.PolicyInsights/remediations', parameters('name'))]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." 
- }, - "value": "[parameters('location')]" - } - } - } - } - }, - { - "condition": "[and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Remediation-Sub-Module', uniqueString(deployment().name, parameters('location')))]", - "subscriptionId": "[parameters('subscriptionId')]", - "location": "[deployment().location]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "name": { - "value": "[parameters('name')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "policyAssignmentId": { - "value": "[parameters('policyAssignmentId')]" - }, - "policyDefinitionReferenceId": { - "value": "[parameters('policyDefinitionReferenceId')]" - }, - "filtersLocations": { - "value": "[parameters('filtersLocations')]" - }, - "resourceCount": { - "value": "[parameters('resourceCount')]" - }, - "resourceDiscoveryMode": { - "value": "[parameters('resourceDiscoveryMode')]" - }, - "parallelDeployments": { - "value": "[parameters('parallelDeployments')]" - }, - "failureThresholdPercentage": { - "value": "[parameters('failureThresholdPercentage')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15638854500024270747" - }, - "name": "Policy Insights Remediations (Subscription scope)", - "description": "This module deploys a Policy Insights Remediation on a Subscription scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Specifies the name of the policy remediation." 
- } - }, - "failureThresholdPercentage": { - "type": "string", - "defaultValue": "1", - "metadata": { - "description": "Optional. The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail." - } - }, - "filtersLocations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The filters that will be applied to determine which resources to remediate." - } - }, - "parallelDeployments": { - "type": "int", - "defaultValue": 10, - "minValue": 1, - "maxValue": 30, - "metadata": { - "description": "Optional. Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used." - } - }, - "resourceCount": { - "type": "int", - "defaultValue": 500, - "minValue": 1, - "maxValue": 50000, - "metadata": { - "description": "Optional. Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used." - } - }, - "resourceDiscoveryMode": { - "type": "string", - "defaultValue": "ExistingNonCompliant", - "allowedValues": [ - "ExistingNonCompliant", - "ReEvaluateCompliance" - ], - "metadata": { - "description": "Optional. The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified." - } - }, - "policyAssignmentId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the policy assignment that should be remediated." 
- } - }, - "policyDefinitionReferenceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.PolicyInsights/remediations", - "apiVersion": "2021-10-01", - "name": "[parameters('name')]", - "properties": { - "failureThreshold": { - "percentage": "[json(parameters('failureThresholdPercentage'))]" - }, - "filters": { - "locations": "[parameters('filtersLocations')]" - }, - "parallelDeployments": "[parameters('parallelDeployments')]", - "policyAssignmentId": "[parameters('policyAssignmentId')]", - "policyDefinitionReferenceId": "[parameters('policyDefinitionReferenceId')]", - "resourceCount": "[parameters('resourceCount')]", - "resourceDiscoveryMode": "[parameters('resourceDiscoveryMode')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the remediation." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the remediation." - }, - "value": "[subscriptionResourceId('Microsoft.PolicyInsights/remediations', parameters('name'))]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[parameters('location')]" - } - } - } - } - }, - { - "condition": "[and(not(empty(parameters('resourceGroupName'))), not(empty(parameters('subscriptionId'))))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Remediation-RG-Module', uniqueString(deployment().name, parameters('location')))]", - "subscriptionId": "[parameters('subscriptionId')]", - "resourceGroup": "[parameters('resourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "name": { - "value": "[parameters('name')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "policyAssignmentId": { - "value": "[parameters('policyAssignmentId')]" - }, - "policyDefinitionReferenceId": { - "value": "[parameters('policyDefinitionReferenceId')]" - }, - "filtersLocations": { - "value": "[parameters('filtersLocations')]" - }, - "resourceCount": { - "value": "[parameters('resourceCount')]" - }, - "resourceDiscoveryMode": { - "value": "[parameters('resourceDiscoveryMode')]" - }, - "parallelDeployments": { - "value": "[parameters('parallelDeployments')]" - }, - "failureThresholdPercentage": { - "value": "[parameters('failureThresholdPercentage')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - 
"templateHash": "6808524543119403982" - }, - "name": "Policy Insights Remediations (Resource Group scope)", - "description": "This module deploys a Policy Insights Remediation on a Resource Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Specifies the name of the policy remediation." - } - }, - "failureThresholdPercentage": { - "type": "string", - "defaultValue": "1", - "metadata": { - "description": "Optional. The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail." - } - }, - "filtersLocations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The filters that will be applied to determine which resources to remediate." - } - }, - "parallelDeployments": { - "type": "int", - "defaultValue": 10, - "minValue": 1, - "maxValue": 30, - "metadata": { - "description": "Optional. Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used." - } - }, - "resourceCount": { - "type": "int", - "defaultValue": 500, - "minValue": 1, - "maxValue": 50000, - "metadata": { - "description": "Optional. Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used." 
- } - }, - "resourceDiscoveryMode": { - "type": "string", - "defaultValue": "ExistingNonCompliant", - "allowedValues": [ - "ExistingNonCompliant", - "ReEvaluateCompliance" - ], - "metadata": { - "description": "Optional. The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified." - } - }, - "policyAssignmentId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the policy assignment that should be remediated." - } - }, - "policyDefinitionReferenceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.PolicyInsights/remediations", - "apiVersion": "2021-10-01", - "name": "[parameters('name')]", - "properties": { - "failureThreshold": { - "percentage": "[json(parameters('failureThresholdPercentage'))]" - }, - "filters": { - "locations": "[parameters('filtersLocations')]" - }, - "parallelDeployments": "[parameters('parallelDeployments')]", - "policyAssignmentId": "[parameters('policyAssignmentId')]", - "policyDefinitionReferenceId": "[parameters('policyDefinitionReferenceId')]", - "resourceCount": "[parameters('resourceCount')]", - "resourceDiscoveryMode": "[parameters('resourceDiscoveryMode')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the remediation." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the remediation." - }, - "value": "[resourceId('Microsoft.PolicyInsights/remediations', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed remediation." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[parameters('location')]" - } - } - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the remediation." 
- }, - "value": "[if(and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName'))), reference(extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', parameters('managementGroupId')), 'Microsoft.Resources/deployments', format('{0}-Remediation-MG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value, if(and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName'))), reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-Remediation-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('subscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-Remediation-RG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value))]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the remediation." 
- }, - "value": "[if(and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName'))), reference(extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', parameters('managementGroupId')), 'Microsoft.Resources/deployments', format('{0}-Remediation-MG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value, if(and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName'))), reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-Remediation-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('subscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-Remediation-RG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value))]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." 
- }, - "value": "[if(and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName'))), reference(extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', parameters('managementGroupId')), 'Microsoft.Resources/deployments', format('{0}-Remediation-MG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.location.value, if(and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName'))), reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-Remediation-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.location.value, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('subscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-Remediation-RG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.location.value))]" - } - } -} \ No newline at end of file diff --git a/modules/policy-insights/remediation/management-group/README.md b/modules/policy-insights/remediation/management-group/README.md deleted file mode 100644 index a3fe72ecf2..0000000000 --- a/modules/policy-insights/remediation/management-group/README.md +++ /dev/null 
@@ -1,136 +0,0 @@
-# Policy Insights Remediations (Management Group scope) `[Microsoft.PolicyInsights/remediations]`
-
-This module deploys a Policy Insights Remediation on a Management Group scope.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.PolicyInsights/remediations` | [2021-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.PolicyInsights/2021-10-01/remediations) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | Specifies the name of the policy remediation. |
-| [`policyAssignmentId`](#parameter-policyassignmentid) | string | The resource ID of the policy assignment that should be remediated. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`failureThresholdPercentage`](#parameter-failurethresholdpercentage) | string | The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail. |
-| [`filtersLocations`](#parameter-filterslocations) | array | The filters that will be applied to determine which resources to remediate. |
-| [`location`](#parameter-location) | string | Location deployment metadata. |
-| [`parallelDeployments`](#parameter-paralleldeployments) | int | Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used. |
-| [`policyDefinitionReferenceId`](#parameter-policydefinitionreferenceid) | string | The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition. |
-| [`resourceCount`](#parameter-resourcecount) | int | Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used. |
-| [`resourceDiscoveryMode`](#parameter-resourcediscoverymode) | string | The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified. |
-
-### Parameter: `name`
-
-Specifies the name of the policy remediation.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `policyAssignmentId`
-
-The resource ID of the policy assignment that should be remediated.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `failureThresholdPercentage`
-
-The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail.
-
-- Required: No
-- Type: string
-- Default: `'1'`
-
-### Parameter: `filtersLocations`
-
-The filters that will be applied to determine which resources to remediate.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `location`
-
-Location deployment metadata.
-
-- Required: No
-- Type: string
-- Default: `[deployment().location]`
-
-### Parameter: `parallelDeployments`
-
-Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used.
-
-- Required: No
-- Type: int
-- Default: `10`
-
-### Parameter: `policyDefinitionReferenceId`
-
-The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `resourceCount`
-
-Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used.
-
-- Required: No
-- Type: int
-- Default: `500`
-
-### Parameter: `resourceDiscoveryMode`
-
-The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified.
-
-- Required: No
-- Type: string
-- Default: `'ExistingNonCompliant'`
-- Allowed:
- ```Bicep
- [
- 'ExistingNonCompliant'
- 'ReEvaluateCompliance'
- ]
- ```
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the remediation. |
-| `resourceId` | string | The resource ID of the remediation. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/policy-insights/remediation/management-group/main.bicep b/modules/policy-insights/remediation/management-group/main.bicep
deleted file mode 100644
index 030c4b53f9..0000000000
--- a/modules/policy-insights/remediation/management-group/main.bicep +++ /dev/null 
@@ -1,82 +0,0 @@
-metadata name = 'Policy Insights Remediations (Management Group scope)'
-metadata description = 'This module deploys a Policy Insights Remediation on a Management Group scope.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'managementGroup'
-
-@sys.description('Required. Specifies the name of the policy remediation.')
-param name string
-
-@sys.description('Optional. The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail.')
-param failureThresholdPercentage string = '1'
-
-@sys.description('Optional. The filters that will be applied to determine which resources to remediate.')
-param filtersLocations array = []
-
-@sys.description('Optional. Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used.')
-@minValue(1)
-@maxValue(30)
-param parallelDeployments int = 10
-
-@sys.description('Optional. Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used.')
-@minValue(1)
-@maxValue(50000)
-param resourceCount int = 500
-
-@sys.description('Optional. The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified.')
-@allowed([
- 'ExistingNonCompliant'
- 'ReEvaluateCompliance'
-])
-param resourceDiscoveryMode string = 'ExistingNonCompliant'
-
-@sys.description('Required. The resource ID of the policy assignment that should be remediated.')
-param policyAssignmentId string
-
-@sys.description('Optional. The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition.')
-param policyDefinitionReferenceId string = ''
-
-@sys.description('Optional. Location deployment metadata.')
-param location string = deployment().location
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- location: location
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource remediation 'Microsoft.PolicyInsights/remediations@2021-10-01' = {
- name: name
- properties: {
- failureThreshold: {
- percentage: json(failureThresholdPercentage) // The json() function is used to allow specifying a decimal value.
- }
- filters: {
- locations: filtersLocations
- }
- parallelDeployments: parallelDeployments
- policyAssignmentId: policyAssignmentId
- policyDefinitionReferenceId: policyDefinitionReferenceId
- resourceCount: resourceCount
- resourceDiscoveryMode: resourceDiscoveryMode
- }
-}
-
-@description('The name of the remediation.')
-output name string = remediation.name
-
-@description('The resource ID of the remediation.')
-output resourceId string = remediation.id
-
-@sys.description('The location the resource was deployed into.')
-output location string = location
diff --git a/modules/policy-insights/remediation/management-group/main.json b/modules/policy-insights/remediation/management-group/main.json
deleted file mode 100644
index f2de28f853..0000000000
--- a/modules/policy-insights/remediation/management-group/main.json
+++ /dev/null
@@ -1,150 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11915278545941211218" - }, - "name": "Policy Insights Remediations (Management Group scope)", - "description": "This module deploys a Policy Insights Remediation on a Management Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Specifies the name of the policy remediation." - } - }, - "failureThresholdPercentage": { - "type": "string", - "defaultValue": "1", - "metadata": { - "description": "Optional. The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail." - } - }, - "filtersLocations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The filters that will be applied to determine which resources to remediate." - } - }, - "parallelDeployments": { - "type": "int", - "defaultValue": 10, - "minValue": 1, - "maxValue": 30, - "metadata": { - "description": "Optional. Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used." - } - }, - "resourceCount": { - "type": "int", - "defaultValue": 500, - "minValue": 1, - "maxValue": 50000, - "metadata": { - "description": "Optional. 
Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used." - } - }, - "resourceDiscoveryMode": { - "type": "string", - "defaultValue": "ExistingNonCompliant", - "allowedValues": [ - "ExistingNonCompliant", - "ReEvaluateCompliance" - ], - "metadata": { - "description": "Optional. The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified." - } - }, - "policyAssignmentId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the policy assignment that should be remediated." - } - }, - "policyDefinitionReferenceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.PolicyInsights/remediations", - "apiVersion": "2021-10-01", - "name": "[parameters('name')]", - "properties": { - "failureThreshold": { - "percentage": "[json(parameters('failureThresholdPercentage'))]" - }, - "filters": { - "locations": "[parameters('filtersLocations')]" - }, - "parallelDeployments": "[parameters('parallelDeployments')]", - "policyAssignmentId": "[parameters('policyAssignmentId')]", - "policyDefinitionReferenceId": "[parameters('policyDefinitionReferenceId')]", - "resourceCount": "[parameters('resourceCount')]", - "resourceDiscoveryMode": "[parameters('resourceDiscoveryMode')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the remediation." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the remediation." - }, - "value": "[extensionResourceId(managementGroup().id, 'Microsoft.PolicyInsights/remediations', parameters('name'))]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[parameters('location')]" - } - } -} \ No newline at end of file diff --git a/modules/policy-insights/remediation/management-group/version.json b/modules/policy-insights/remediation/management-group/version.json deleted file mode 100644 index 96236a61ba..0000000000 
--- a/modules/policy-insights/remediation/management-group/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/policy-insights/remediation/resource-group/README.md b/modules/policy-insights/remediation/resource-group/README.md
deleted file mode 100644
index 9f60629423..0000000000
--- a/modules/policy-insights/remediation/resource-group/README.md
+++ /dev/null
@@ -1,137 +0,0 @@
-# Policy Insights Remediations (Resource Group scope) `[Microsoft.PolicyInsights/remediations]`
-
-This module deploys a Policy Insights Remediation on a Resource Group scope.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.PolicyInsights/remediations` | [2021-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.PolicyInsights/2021-10-01/remediations) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | Specifies the name of the policy remediation. |
-| [`policyAssignmentId`](#parameter-policyassignmentid) | string | The resource ID of the policy assignment that should be remediated. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`failureThresholdPercentage`](#parameter-failurethresholdpercentage) | string | The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail. |
-| [`filtersLocations`](#parameter-filterslocations) | array | The filters that will be applied to determine which resources to remediate. |
-| [`location`](#parameter-location) | string | Location deployment metadata. |
-| [`parallelDeployments`](#parameter-paralleldeployments) | int | Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used. |
-| [`policyDefinitionReferenceId`](#parameter-policydefinitionreferenceid) | string | The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition. |
-| [`resourceCount`](#parameter-resourcecount) | int | Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used. |
-| [`resourceDiscoveryMode`](#parameter-resourcediscoverymode) | string | The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified. |
-
-### Parameter: `name`
-
-Specifies the name of the policy remediation.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `policyAssignmentId`
-
-The resource ID of the policy assignment that should be remediated.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `failureThresholdPercentage`
-
-The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail.
-
-- Required: No
-- Type: string
-- Default: `'1'`
-
-### Parameter: `filtersLocations`
-
-The filters that will be applied to determine which resources to remediate.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `location`
-
-Location deployment metadata.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-### Parameter: `parallelDeployments`
-
-Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used.
-
-- Required: No
-- Type: int
-- Default: `10`
-
-### Parameter: `policyDefinitionReferenceId`
-
-The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `resourceCount`
-
-Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used.
-
-- Required: No
-- Type: int
-- Default: `500`
-
-### Parameter: `resourceDiscoveryMode`
-
-The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified.
-
-- Required: No
-- Type: string
-- Default: `'ExistingNonCompliant'`
-- Allowed:
- ```Bicep
- [
- 'ExistingNonCompliant'
- 'ReEvaluateCompliance'
- ]
- ```
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the remediation. |
-| `resourceGroupName` | string | The resource group of the deployed remediation. |
-| `resourceId` | string | The resource ID of the remediation. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/policy-insights/remediation/resource-group/main.bicep b/modules/policy-insights/remediation/resource-group/main.bicep
deleted file mode 100644
index 64a8f0ba10..0000000000
--- a/modules/policy-insights/remediation/resource-group/main.bicep
+++ /dev/null
@@ -1,84 +0,0 @@
-metadata name = 'Policy Insights Remediations (Resource Group scope)'
-metadata description = 'This module deploys a Policy Insights Remediation on a Resource Group scope.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'resourceGroup'
-
-@sys.description('Required. Specifies the name of the policy remediation.')
-param name string
-
-@sys.description('Optional. The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail.')
-param failureThresholdPercentage string = '1'
-
-@sys.description('Optional. The filters that will be applied to determine which resources to remediate.')
-param filtersLocations array = []
-
-@sys.description('Optional. Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used.')
-@minValue(1)
-@maxValue(30)
-param parallelDeployments int = 10
-
-@sys.description('Optional. Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used.')
-@minValue(1)
-@maxValue(50000)
-param resourceCount int = 500
-
-@sys.description('Optional. The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified.')
-@allowed([
- 'ExistingNonCompliant'
- 'ReEvaluateCompliance'
-])
-param resourceDiscoveryMode string = 'ExistingNonCompliant'
-
-@sys.description('Required. The resource ID of the policy assignment that should be remediated.')
-param policyAssignmentId string
-
-@sys.description('Optional. The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition.')
-param policyDefinitionReferenceId string = ''
-
-@sys.description('Optional. Location deployment metadata.')
-param location string = resourceGroup().location
-
-@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource remediation 'Microsoft.PolicyInsights/remediations@2021-10-01' = {
- name: name
- properties: {
- failureThreshold: {
- percentage: json(failureThresholdPercentage) // The json() function is used to allow specifying a decimal value.
- }
- filters: {
- locations: filtersLocations
- }
- parallelDeployments: parallelDeployments
- policyAssignmentId: policyAssignmentId
- policyDefinitionReferenceId: policyDefinitionReferenceId
- resourceCount: resourceCount
- resourceDiscoveryMode: resourceDiscoveryMode
- }
-}
-
-@description('The name of the remediation.')
-output name string = remediation.name
-
-@description('The resource ID of the remediation.')
-output resourceId string = remediation.id
-
-@description('The resource group of the deployed remediation.')
-output resourceGroupName string = resourceGroup().name
-
-@sys.description('The location the resource was deployed into.')
-output location string = location
diff --git a/modules/policy-insights/remediation/resource-group/main.json b/modules/policy-insights/remediation/resource-group/main.json
deleted file mode 100644
index a5af317771..0000000000
--- a/modules/policy-insights/remediation/resource-group/main.json
+++ /dev/null
@@ -1,156 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6808524543119403982" - }, - "name": "Policy Insights Remediations (Resource Group scope)", - "description": "This module deploys a Policy Insights Remediation on a Resource Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Specifies the name of the policy remediation." - } - }, - "failureThresholdPercentage": { - "type": "string", - "defaultValue": "1", - "metadata": { - "description": "Optional. The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail." - } - }, - "filtersLocations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The filters that will be applied to determine which resources to remediate." - } - }, - "parallelDeployments": { - "type": "int", - "defaultValue": 10, - "minValue": 1, - "maxValue": 30, - "metadata": { - "description": "Optional. Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used." - } - }, - "resourceCount": { - "type": "int", - "defaultValue": 500, - "minValue": 1, - "maxValue": 50000, - "metadata": { - "description": "Optional. 
Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used." - } - }, - "resourceDiscoveryMode": { - "type": "string", - "defaultValue": "ExistingNonCompliant", - "allowedValues": [ - "ExistingNonCompliant", - "ReEvaluateCompliance" - ], - "metadata": { - "description": "Optional. The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified." - } - }, - "policyAssignmentId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the policy assignment that should be remediated." - } - }, - "policyDefinitionReferenceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.PolicyInsights/remediations", - "apiVersion": "2021-10-01", - "name": "[parameters('name')]", - "properties": { - "failureThreshold": { - "percentage": "[json(parameters('failureThresholdPercentage'))]" - }, - "filters": { - "locations": "[parameters('filtersLocations')]" - }, - "parallelDeployments": "[parameters('parallelDeployments')]", - "policyAssignmentId": "[parameters('policyAssignmentId')]", - "policyDefinitionReferenceId": "[parameters('policyDefinitionReferenceId')]", - "resourceCount": "[parameters('resourceCount')]", - "resourceDiscoveryMode": "[parameters('resourceDiscoveryMode')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the remediation." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the remediation." - }, - "value": "[resourceId('Microsoft.PolicyInsights/remediations', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed remediation." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[parameters('location')]" - } - } -} \ No newline at end of file 
diff --git a/modules/policy-insights/remediation/resource-group/version.json b/modules/policy-insights/remediation/resource-group/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/policy-insights/remediation/resource-group/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/policy-insights/remediation/subscription/README.md b/modules/policy-insights/remediation/subscription/README.md
deleted file mode 100644
index 6b9a9811c8..0000000000
--- a/modules/policy-insights/remediation/subscription/README.md
+++ /dev/null
@@ -1,136 +0,0 @@
-# Policy Insights Remediations (Subscription scope) `[Microsoft.PolicyInsights/remediations]`
-
-This module deploys a Policy Insights Remediation on a Subscription scope.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.PolicyInsights/remediations` | [2021-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.PolicyInsights/2021-10-01/remediations) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | Specifies the name of the policy remediation. |
-| [`policyAssignmentId`](#parameter-policyassignmentid) | string | The resource ID of the policy assignment that should be remediated. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`failureThresholdPercentage`](#parameter-failurethresholdpercentage) | string | The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail. |
-| [`filtersLocations`](#parameter-filterslocations) | array | The filters that will be applied to determine which resources to remediate. |
-| [`location`](#parameter-location) | string | Location deployment metadata. |
-| [`parallelDeployments`](#parameter-paralleldeployments) | int | Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used. |
-| [`policyDefinitionReferenceId`](#parameter-policydefinitionreferenceid) | string | The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition. |
-| [`resourceCount`](#parameter-resourcecount) | int | Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used. |
-| [`resourceDiscoveryMode`](#parameter-resourcediscoverymode) | string | The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified. |
-
-### Parameter: `name`
-
-Specifies the name of the policy remediation.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `policyAssignmentId`
-
-The resource ID of the policy assignment that should be remediated.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `failureThresholdPercentage`
-
-The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail.
-
-- Required: No
-- Type: string
-- Default: `'1'`
-
-### Parameter: `filtersLocations`
-
-The filters that will be applied to determine which resources to remediate.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `location`
-
-Location deployment metadata.
-
-- Required: No
-- Type: string
-- Default: `[deployment().location]`
-
-### Parameter: `parallelDeployments`
-
-Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used.
-
-- Required: No
-- Type: int
-- Default: `10`
-
-### Parameter: `policyDefinitionReferenceId`
-
-The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `resourceCount`
-
-Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used.
-
-- Required: No
-- Type: int
-- Default: `500`
-
-### Parameter: `resourceDiscoveryMode`
-
-The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified.
-
-- Required: No
-- Type: string
-- Default: `'ExistingNonCompliant'`
-- Allowed:
- ```Bicep
- [
- 'ExistingNonCompliant'
- 'ReEvaluateCompliance'
- ]
- ```
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the remediation. |
-| `resourceId` | string | The resource ID of the remediation. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/policy-insights/remediation/subscription/main.bicep b/modules/policy-insights/remediation/subscription/main.bicep
deleted file mode 100644
index 90ee83ffb5..0000000000
--- a/modules/policy-insights/remediation/subscription/main.bicep
+++ /dev/null
@@ -1,82 +0,0 @@ -metadata name = 'Policy Insights Remediations (Subscription scope)' -metadata description = 'This module deploys a Policy Insights Remediation on a Subscription scope.' -metadata owner = 'Azure/module-maintainers' - -targetScope = 'subscription' - -@sys.description('Required. Specifies the name of the policy remediation.') -param name string - -@sys.description('Optional. The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail.') -param failureThresholdPercentage string = '1' - -@sys.description('Optional. The filters that will be applied to determine which resources to remediate.') -param filtersLocations array = [] - -@sys.description('Optional. Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used.') -@minValue(1) -@maxValue(30) -param parallelDeployments int = 10 - -@sys.description('Optional. Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used.') -@minValue(1) -@maxValue(50000) -param resourceCount int = 500 - -@sys.description('Optional. The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified.') -@allowed([ - 'ExistingNonCompliant' - 'ReEvaluateCompliance' -]) -param resourceDiscoveryMode string = 'ExistingNonCompliant' - -@sys.description('Required. 
The resource ID of the policy assignment that should be remediated.') -param policyAssignmentId string - -@sys.description('Optional. The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition.') -param policyDefinitionReferenceId string = '' - -@sys.description('Optional. Location deployment metadata.') -param location string = deployment().location - -@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - location: location - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource remediation 'Microsoft.PolicyInsights/remediations@2021-10-01' = { - name: name - properties: { - failureThreshold: { - percentage: json(failureThresholdPercentage) // The json() function is used to allow specifying a decimal value. - } - filters: { - locations: filtersLocations - } - parallelDeployments: parallelDeployments - policyAssignmentId: policyAssignmentId - policyDefinitionReferenceId: policyDefinitionReferenceId - resourceCount: resourceCount - resourceDiscoveryMode: resourceDiscoveryMode - } -} - -@description('The name of the remediation.') -output name string = remediation.name - -@description('The resource ID of the remediation.') -output resourceId string = remediation.id - -@sys.description('The location the resource was deployed into.') -output location string = location 
diff --git a/modules/policy-insights/remediation/subscription/main.json b/modules/policy-insights/remediation/subscription/main.json
deleted file mode 100644
index f88eabdeb0..0000000000
--- a/modules/policy-insights/remediation/subscription/main.json
+++ /dev/null
@@ -1,150 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15638854500024270747" - }, - "name": "Policy Insights Remediations (Subscription scope)", - "description": "This module deploys a Policy Insights Remediation on a Subscription scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Specifies the name of the policy remediation." - } - }, - "failureThresholdPercentage": { - "type": "string", - "defaultValue": "1", - "metadata": { - "description": "Optional. The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail." - } - }, - "filtersLocations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The filters that will be applied to determine which resources to remediate." - } - }, - "parallelDeployments": { - "type": "int", - "defaultValue": 10, - "minValue": 1, - "maxValue": 30, - "metadata": { - "description": "Optional. Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used." - } - }, - "resourceCount": { - "type": "int", - "defaultValue": 500, - "minValue": 1, - "maxValue": 50000, - "metadata": { - "description": "Optional. 
Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used." - } - }, - "resourceDiscoveryMode": { - "type": "string", - "defaultValue": "ExistingNonCompliant", - "allowedValues": [ - "ExistingNonCompliant", - "ReEvaluateCompliance" - ], - "metadata": { - "description": "Optional. The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified." - } - }, - "policyAssignmentId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the policy assignment that should be remediated." - } - }, - "policyDefinitionReferenceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.PolicyInsights/remediations", - "apiVersion": "2021-10-01", - "name": "[parameters('name')]", - "properties": { - "failureThreshold": { - "percentage": "[json(parameters('failureThresholdPercentage'))]" - }, - "filters": { - "locations": "[parameters('filtersLocations')]" - }, - "parallelDeployments": "[parameters('parallelDeployments')]", - "policyAssignmentId": "[parameters('policyAssignmentId')]", - "policyDefinitionReferenceId": "[parameters('policyDefinitionReferenceId')]", - "resourceCount": "[parameters('resourceCount')]", - "resourceDiscoveryMode": "[parameters('resourceDiscoveryMode')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the remediation." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the remediation." - }, - "value": "[subscriptionResourceId('Microsoft.PolicyInsights/remediations', parameters('name'))]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[parameters('location')]" - } - } -} \ No newline at end of file diff --git a/modules/policy-insights/remediation/subscription/version.json b/modules/policy-insights/remediation/subscription/version.json deleted file mode 100644 index 96236a61ba..0000000000 
--- a/modules/policy-insights/remediation/subscription/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/policy-insights/remediation/tests/e2e/mg.common/main.test.bicep b/modules/policy-insights/remediation/tests/e2e/mg.common/main.test.bicep
deleted file mode 100644
index b34f003368..0000000000
--- a/modules/policy-insights/remediation/tests/e2e/mg.common/main.test.bicep
+++ /dev/null
@@ -1,100 +0,0 @@ -targetScope = 'managementGroup' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'pirmgcom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' = { - name: 'dep-${namePrefix}-polDef-AuditKvlt-${serviceShort}' - properties: { - policyRule: { - if: { - allOf: [ - { - equals: 'Microsoft.KeyVault/vaults' - field: 'type' - } - ] - } - then: { - effect: '[parameters(\'effect\')]' - } - } - parameters: { - effect: { - allowedValues: [ - 'Audit' - ] - defaultValue: 'Audit' - type: 'String' - } - } - } -} - -resource policySet 'Microsoft.Authorization/policySetDefinitions@2021-06-01' = { - name: 'dep-${namePrefix}-polSet-${serviceShort}' - properties: { - policyDefinitions: [ - { - parameters: { - effect: { - value: 'Audit' - } - } - policyDefinitionId: policyDefinition.id - policyDefinitionReferenceId: policyDefinition.name - } - ] - } -} - -resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = { - name: 'dep-${namePrefix}-psa-${serviceShort}' - location: location - properties: { - displayName: 'Test case assignment' - policyDefinitionId: policySet.id - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../management-group/main.bicep' = [for iteration in [ 'init', 'idem' ]: { - 
name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - location: location - policyAssignmentId: policySetAssignment.id - policyDefinitionReferenceId: policySet.properties.policyDefinitions[0].policyDefinitionReferenceId - filtersLocations: [ - 'australiaeast' - ] - resourceCount: 10 - resourceDiscoveryMode: 'ExistingNonCompliant' - parallelDeployments: 1 - failureThresholdPercentage: '0.5' - } -}] diff --git a/modules/policy-insights/remediation/tests/e2e/mg.min/main.test.bicep b/modules/policy-insights/remediation/tests/e2e/mg.min/main.test.bicep deleted file mode 100644 index 89336edd4a..0000000000 --- a/modules/policy-insights/remediation/tests/e2e/mg.min/main.test.bicep +++ /dev/null 
@@ -1,46 +0,0 @@ -targetScope = 'managementGroup' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'pirmgmin' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = { - name: 'dep-${namePrefix}-psa-${serviceShort}' - location: location - properties: { - displayName: 'Test case assignment' - policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../management-group/main.bicep' = [for iteration in [ 'init', 'idem' ]: { - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - policyAssignmentId: policyAssignment.id - } -}] diff --git a/modules/policy-insights/remediation/tests/e2e/rg.common/main.test.bicep b/modules/policy-insights/remediation/tests/e2e/rg.common/main.test.bicep deleted file mode 100644 index ad8934beac..0000000000 --- a/modules/policy-insights/remediation/tests/e2e/rg.common/main.test.bicep +++ /dev/null 
@@ -1,110 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-policyinsights.remediations-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'pirrgcom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' = { - name: 'dep-${namePrefix}-polDef-AuditKvlt-${serviceShort}' - properties: { - policyRule: { - if: { - allOf: [ - { - equals: 'Microsoft.KeyVault/vaults' - field: 'type' - } - ] - } - then: { - effect: '[parameters(\'effect\')]' - } - } - parameters: { - effect: { - allowedValues: [ - 'Audit' - ] - defaultValue: 'Audit' - type: 'String' - } - } - } -} - -resource policySet 'Microsoft.Authorization/policySetDefinitions@2021-06-01' = { - name: 'dep-${namePrefix}-polSet-${serviceShort}' - properties: { - policyDefinitions: [ - { - parameters: { - effect: { - value: 'Audit' - } - } - policyDefinitionId: policyDefinition.id - policyDefinitionReferenceId: policyDefinition.name - } - ] - } -} - -resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = { - name: 
'dep-${namePrefix}-psa-${serviceShort}' - location: location - properties: { - displayName: 'Test case assignment' - policyDefinitionId: policySet.id - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../resource-group/main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - location: location - policyAssignmentId: policySetAssignment.id - policyDefinitionReferenceId: policySet.properties.policyDefinitions[0].policyDefinitionReferenceId - filtersLocations: [ - 'australiaeast' - ] - resourceCount: 10 - resourceDiscoveryMode: 'ExistingNonCompliant' - parallelDeployments: 1 - failureThresholdPercentage: '0.5' - } -}] diff --git a/modules/policy-insights/remediation/tests/e2e/rg.min/main.test.bicep b/modules/policy-insights/remediation/tests/e2e/rg.min/main.test.bicep deleted file mode 100644 index f176a984d7..0000000000 --- a/modules/policy-insights/remediation/tests/e2e/rg.min/main.test.bicep +++ /dev/null 
@@ -1,56 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-policyinsights.remediations-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'pirrgmin' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = { - name: 'dep-${namePrefix}-psa-${serviceShort}' - location: location - properties: { - displayName: 'Test case assignment' - policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../resource-group/main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - policyAssignmentId: policyAssignment.id - } -}] 
diff --git a/modules/policy-insights/remediation/tests/e2e/sub.common/main.test.bicep b/modules/policy-insights/remediation/tests/e2e/sub.common/main.test.bicep
deleted file mode 100644
index 5ee1cd36da..0000000000
--- a/modules/policy-insights/remediation/tests/e2e/sub.common/main.test.bicep
+++ /dev/null
@@ -1,100 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'pirsubcom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' = { - name: 'dep-${namePrefix}-polDef-AuditKvlt-${serviceShort}' - properties: { - policyRule: { - if: { - allOf: [ - { - equals: 'Microsoft.KeyVault/vaults' - field: 'type' - } - ] - } - then: { - effect: '[parameters(\'effect\')]' - } - } - parameters: { - effect: { - allowedValues: [ - 'Audit' - ] - defaultValue: 'Audit' - type: 'String' - } - } - } -} - -resource policySet 'Microsoft.Authorization/policySetDefinitions@2021-06-01' = { - name: 'dep-${namePrefix}-polSet-${serviceShort}' - properties: { - policyDefinitions: [ - { - parameters: { - effect: { - value: 'Audit' - } - } - policyDefinitionId: policyDefinition.id - policyDefinitionReferenceId: policyDefinition.name - } - ] - } -} - -resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = { - name: 'dep-${namePrefix}-psa-${serviceShort}' - location: location - properties: { - displayName: 'Test case assignment' - policyDefinitionId: policySet.id - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../subscription/main.bicep' = [for iteration in [ 'init', 'idem' ]: { - name: 
'${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - location: location - policyAssignmentId: policySetAssignment.id - policyDefinitionReferenceId: policySet.properties.policyDefinitions[0].policyDefinitionReferenceId - filtersLocations: [ - 'australiaeast' - ] - resourceCount: 10 - resourceDiscoveryMode: 'ExistingNonCompliant' - parallelDeployments: 1 - failureThresholdPercentage: '0.5' - } -}] diff --git a/modules/policy-insights/remediation/tests/e2e/sub.min/main.test.bicep b/modules/policy-insights/remediation/tests/e2e/sub.min/main.test.bicep deleted file mode 100644 index 7cd844eda5..0000000000 --- a/modules/policy-insights/remediation/tests/e2e/sub.min/main.test.bicep +++ /dev/null 
@@ -1,46 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'pirsubmin' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = { - name: 'dep-${namePrefix}-psa-${serviceShort}' - location: location - properties: { - displayName: 'Test case assignment' - policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../subscription/main.bicep' = [for iteration in [ 'init', 'idem' ]: { - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - policyAssignmentId: policyAssignment.id - } -}] diff --git a/modules/policy-insights/remediation/version.json b/modules/policy-insights/remediation/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/policy-insights/remediation/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/power-bi-dedicated/capacity/MOVED-TO-AVM.md b/modules/power-bi-dedicated/capacity/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/power-bi-dedicated/capacity/MOVED-TO-AVM.md +++ /dev/null @@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/power-bi-dedicated/capacity/README.md b/modules/power-bi-dedicated/capacity/README.md index 4129db5ce7..a2ea66042e 100644 --- a/modules/power-bi-dedicated/capacity/README.md +++ b/modules/power-bi-dedicated/capacity/README.md @@ -1,546 +1,7 @@ -# Power BI Dedicated Capacities `[Microsoft.PowerBIDedicated/capacities]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/power-bi-dedicated/capacity](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/power-bi-dedicated/capacity).** -This module deploys a Power BI Dedicated Capacity. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/power-bi-dedicated/capacity). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.PowerBIDedicated/capacities` | [2021-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.PowerBIDedicated/2021-01-01/capacities) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
- ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/power-bi-dedicated.capacity:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module capacity 'br:bicep/modules/power-bi-dedicated.capacity:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-pbdcapmin' - params: { - // Required parameters - members: [ - '' - ] - name: 'pbdcapmin001' - skuCapacity: 1 - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "members": { - "value": [ - "" - ] - }, - "name": { - "value": "pbdcapmin001" - }, - "skuCapacity": { - "value": 1 - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module capacity 'br:bicep/modules/power-bi-dedicated.capacity:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-pbdcapmax' - params: { - // Required parameters - members: [ - '' - ] - name: 'pbdcapmax001' - skuCapacity: 1 - // Non-required parameters - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "members": { - "value": [ - "" - ] - }, - "name": { - "value": "pbdcapmax001" - }, - "skuCapacity": { - "value": 1 - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module capacity 'br:bicep/modules/power-bi-dedicated.capacity:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-pbdcapwaf' - params: { - // Required parameters - members: [ - '' - ] - name: 'pbdcapwaf001' - skuCapacity: 1 - // Non-required parameters - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "members": { - "value": [ - "" - ] - }, - "name": { - "value": "pbdcapwaf001" - }, - "skuCapacity": { - "value": 1 - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`members`](#parameter-members) | array | Members of the resource. | -| [`name`](#parameter-name) | string | Name of the PowerBI Embedded. | -| [`skuCapacity`](#parameter-skucapacity) | int | SkuCapacity of the resource. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`mode`](#parameter-mode) | string | Mode of the resource. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`skuName`](#parameter-skuname) | string | SkuCapacity of the resource. | -| [`skuTier`](#parameter-skutier) | string | SkuCapacity of the resource. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `members` - -Members of the resource. - -- Required: Yes -- Type: array - -### Parameter: `name` - -Name of the PowerBI Embedded. - -- Required: Yes -- Type: string - -### Parameter: `skuCapacity` - -SkuCapacity of the resource. - -- Required: Yes -- Type: int - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location for all Resources. 
- -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `mode` - -Mode of the resource. - -- Required: No -- Type: string -- Default: `'Gen2'` -- Allowed: - ```Bicep - [ - 'Gen1' - 'Gen2' - ] - ``` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `skuName` - -SkuCapacity of the resource. - -- Required: No -- Type: string -- Default: `'A1'` -- Allowed: - ```Bicep - [ - 'A1' - 'A2' - 'A3' - 'A4' - 'A5' - 'A6' - ] - ``` - -### Parameter: `skuTier` - -SkuCapacity of the resource. - -- Required: No -- Type: string -- Default: `'PBIE_Azure'` -- Allowed: - ```Bicep - [ - 'AutoPremiumHost' - 'PBIE_Azure' - 'Premium' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The Name of the PowerBi Embedded instance. | -| `resourceGroupName` | string | The name of the resource group the PowerBi Embedded was created in. | -| `resourceId` | string | The resource ID of the PowerBi Embedded instance. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/power-bi-dedicated/capacity/main.bicep b/modules/power-bi-dedicated/capacity/main.bicep deleted file mode 100644 index c155245138..0000000000 --- a/modules/power-bi-dedicated/capacity/main.bicep +++ /dev/null 
@@ -1,162 +0,0 @@
-metadata name = 'Power BI Dedicated Capacities'
-metadata description = 'This module deploys a Power BI Dedicated Capacity.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the PowerBI Embedded.')
-param name string
-
-@description('Optional. Location for all Resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Required. SkuCapacity of the resource.')
-param skuCapacity int
-
-@allowed([
- 'A1'
- 'A2'
- 'A3'
- 'A4'
- 'A5'
- 'A6'
-])
-@description('Optional. SkuCapacity of the resource.')
-param skuName string = 'A1'
-
-@allowed([
- 'AutoPremiumHost'
- 'PBIE_Azure'
- 'Premium'
-])
-@description('Optional. SkuCapacity of the resource.')
-param skuTier string = 'PBIE_Azure'
-
-@description('Required. Members of the resource.')
-param members array
-
-@allowed([
- 'Gen1'
- 'Gen2'
-])
-@description('Optional. Mode of the resource.')
-param mode string = 'Gen2'
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
- 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource capacity 'Microsoft.PowerBIDedicated/capacities@2021-01-01' = {
- name: name
- location: location
- tags: tags
- sku: {
- capacity: skuCapacity
- name: skuName
- tier: skuTier
- }
- properties: {
- administration: {
- members: members
- }
- mode: mode
- }
-}
-
-resource capacity_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: capacity
-}
-
-resource capacity_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(capacity.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: capacity
-}]
-
-@description('The resource ID of the PowerBi Embedded instance.')
-output resourceId string = capacity.id
-
-@description('The name of the resource group the PowerBi Embedded was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The Name of the PowerBi Embedded instance.')
-output name string = capacity.name
-
-@description('The location the resource was deployed into.')
-output location string = capacity.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/power-bi-dedicated/capacity/main.json b/modules/power-bi-dedicated/capacity/main.json
deleted file mode 100644
index edbff72051..0000000000
--- a/modules/power-bi-dedicated/capacity/main.json
+++ /dev/null
@@ -1,310 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "14660488048974784902" - }, - "name": "Power BI Dedicated Capacities", - "description": "This module deploys a Power BI Dedicated Capacity.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the PowerBI Embedded." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "skuCapacity": { - "type": "int", - "metadata": { - "description": "Required. SkuCapacity of the resource." - } - }, - "skuName": { - "type": "string", - "defaultValue": "A1", - "allowedValues": [ - "A1", - "A2", - "A3", - "A4", - "A5", - "A6" - ], - "metadata": { - "description": "Optional. SkuCapacity of the resource." - } - }, - "skuTier": { - "type": "string", - "defaultValue": "PBIE_Azure", - "allowedValues": [ - "AutoPremiumHost", - "PBIE_Azure", - "Premium" - ], - "metadata": { - "description": "Optional. SkuCapacity of the resource." - } - }, - "members": { - "type": "array", - "metadata": { - "description": "Required. Members of the resource." - } - }, - "mode": { - "type": "string", - "defaultValue": "Gen2", - "allowedValues": [ - "Gen1", - "Gen2" - ], - "metadata": { - "description": "Optional. 
Mode of the resource." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - 
"properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "capacity": { - "type": "Microsoft.PowerBIDedicated/capacities", - "apiVersion": "2021-01-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "capacity": "[parameters('skuCapacity')]", - "name": "[parameters('skuName')]", - "tier": "[parameters('skuTier')]" - }, - "properties": { - "administration": { - "members": "[parameters('members')]" - }, - "mode": "[parameters('mode')]" - } - }, - "capacity_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.PowerBIDedicated/capacities/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "capacity" - ] - }, - "capacity_roleAssignments": { - "copy": { - "name": "capacity_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.PowerBIDedicated/capacities/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.PowerBIDedicated/capacities', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "capacity" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the PowerBi Embedded instance." - }, - "value": "[resourceId('Microsoft.PowerBIDedicated/capacities', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the PowerBi Embedded was created in." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The Name of the PowerBi Embedded instance." 
- }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('capacity', '2021-01-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/power-bi-dedicated/capacity/tests/e2e/defaults/dependencies.bicep b/modules/power-bi-dedicated/capacity/tests/e2e/defaults/dependencies.bicep deleted file mode 100644 index a7f42aee7b..0000000000 --- a/modules/power-bi-dedicated/capacity/tests/e2e/defaults/dependencies.bicep +++ /dev/null @@ -1,13 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/power-bi-dedicated/capacity/tests/e2e/defaults/main.test.bicep b/modules/power-bi-dedicated/capacity/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index f8c3d8627e..0000000000 --- a/modules/power-bi-dedicated/capacity/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,61 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-powerbidedicated.capacities-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'pbdcapmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- skuCapacity: 1
- members: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
- }
-}]
diff --git a/modules/power-bi-dedicated/capacity/tests/e2e/max/dependencies.bicep b/modules/power-bi-dedicated/capacity/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/power-bi-dedicated/capacity/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/power-bi-dedicated/capacity/tests/e2e/max/main.test.bicep b/modules/power-bi-dedicated/capacity/tests/e2e/max/main.test.bicep
deleted file mode 100644
index c6fe16963e..0000000000
--- a/modules/power-bi-dedicated/capacity/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,77 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-powerbidedicated.capacities-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'pbdcapmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- skuCapacity: 1
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- members: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/dependencies.bicep b/modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/main.test.bicep b/modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index de6e04a1b0..0000000000
--- a/modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,77 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-powerbidedicated.capacities-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'pbdcapwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- skuCapacity: 1
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- members: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/power-bi-dedicated/capacity/version.json b/modules/power-bi-dedicated/capacity/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/power-bi-dedicated/capacity/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/purview/account/MOVED-TO-AVM.md b/modules/purview/account/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/purview/account/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/purview/account/README.md b/modules/purview/account/README.md
index 620636715a..076b1e7fb5 100644
--- a/modules/purview/account/README.md
+++ b/modules/purview/account/README.md
@@ -1,1053 +1,7 @@ -# Purview Accounts `[Microsoft.Purview/accounts]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/purview/account](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/purview/account).** -This module deploys a Purview Account. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/purview/account). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -| `Microsoft.Purview/accounts` | [2021-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Purview/2021-07-01/accounts) | 
- -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/purview.account:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module account 'br:bicep/modules/purview.account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-pvamin' - params: { - // Required parameters - name: 'pvamin001' - // Non-required parameters - enableDefaultTelemetry: '' - managedResourceGroupName: 'pvamin001-managed-rg' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "pvamin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "managedResourceGroupName": { - "value": "pvamin001-managed-rg" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module account 'br:bicep/modules/purview.account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-pvamax' - params: { - // Required parameters - name: 'pvamax001' - // Non-required parameters - accountPrivateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'account' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - eventHubPrivateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'namespace' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - managedResourceGroupName: 'pvamax001-managed-rg' - portalPrivateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'portal' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - publicNetworkAccess: 'Disabled' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - storageBlobPrivateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'blob' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 
'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - storageQueuePrivateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'queue' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "pvamax001" - }, - // Non-required parameters - "accountPrivateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "account", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "eventHubPrivateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "namespace", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "managedResourceGroupName": { - "value": "pvamax001-managed-rg" - }, - "portalPrivateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "portal", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "publicNetworkAccess": { - "value": "Disabled" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": 
"ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "storageBlobPrivateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "blob", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "storageQueuePrivateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "queue", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module account 'br:bicep/modules/purview.account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-pvawaf' - params: { - // Required parameters - name: 'pvawaf001' - // Non-required parameters - accountPrivateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'account' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - eventHubPrivateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'namespace' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - managedResourceGroupName: 'pvawaf001-managed-rg' - portalPrivateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'portal' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - publicNetworkAccess: 'Disabled' - storageBlobPrivateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'blob' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - storageQueuePrivateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'queue' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' 
- } - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "pvawaf001" - }, - // Non-required parameters - "accountPrivateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "account", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "eventHubPrivateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "namespace", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "managedResourceGroupName": { - "value": "pvawaf001-managed-rg" - }, - "portalPrivateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "portal", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "publicNetworkAccess": { - "value": "Disabled" - }, - "storageBlobPrivateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "blob", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - 
"hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "storageQueuePrivateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "queue", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Purview Account. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`accountPrivateEndpoints`](#parameter-accountprivateendpoints) | array | Configuration details for Purview Account private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'account'. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`eventHubPrivateEndpoints`](#parameter-eventhubprivateendpoints) | array | Configuration details for Purview Managed Event Hub namespace private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'namespace'. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`managedResourceGroupName`](#parameter-managedresourcegroupname) | string | The Managed Resource Group Name. A managed Storage Account, and an Event Hubs will be created in the selected subscription for catalog ingestion scenarios. Default is 'managed-rg-'. | -| [`portalPrivateEndpoints`](#parameter-portalprivateendpoints) | array | Configuration details for Purview Portal private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'portal'. 
| -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`storageBlobPrivateEndpoints`](#parameter-storageblobprivateendpoints) | array | Configuration details for Purview Managed Storage Account blob private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'blob'. | -| [`storageQueuePrivateEndpoints`](#parameter-storagequeueprivateendpoints) | array | Configuration details for Purview Managed Storage Account queue private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'queue'. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `name` - -Name of the Purview Account. - -- Required: Yes -- Type: string - -### Parameter: `accountPrivateEndpoints` - -Configuration details for Purview Account private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'account'. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
| -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
| - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `eventHubPrivateEndpoints` - -Configuration details for Purview Managed Event Hub namespace private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'namespace'. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. 
- -- Required: Yes -- Type: array - -### Parameter: `managedResourceGroupName` - -The Managed Resource Group Name. A managed Storage Account, and an Event Hubs will be created in the selected subscription for catalog ingestion scenarios. Default is 'managed-rg-'. - -- Required: No -- Type: string -- Default: `[format('managed-rg-{0}', parameters('name'))]` - -### Parameter: `portalPrivateEndpoints` - -Configuration details for Purview Portal private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'portal'. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `publicNetworkAccess` - -Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. - -- Required: No -- Type: string -- Default: `'NotSpecified'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - 'NotSpecified' - ] - ``` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. 
- -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `storageBlobPrivateEndpoints` - -Configuration details for Purview Managed Storage Account blob private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'blob'. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `storageQueuePrivateEndpoints` - -Configuration details for Purview Managed Storage Account queue private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'queue'. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `managedEventHubId` | string | The resource ID of the managed Event Hub Namespace. | -| `managedResourceGroupId` | string | The resource ID of the managed resource group. | -| `managedResourceGroupName` | string | The name of the managed resource group. | -| `managedStorageAccountId` | string | The resource ID of the managed storage account. | -| `name` | string | The name of the Purview Account. | -| `resourceGroupName` | string | The resource group the Purview Account was deployed into. | -| `resourceId` | string | The resource ID of the Purview Account. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. 
| - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `modules/network/private-endpoint` | Local reference | +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/purview/account/main.bicep b/modules/purview/account/main.bicep deleted file mode 100644 index b93675e30d..0000000000 --- a/modules/purview/account/main.bicep +++ /dev/null 
@@ -1,374 +0,0 @@ -metadata name = 'Purview Accounts' -metadata description = 'This module deploys a Purview Account.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. Name of the Purview Account.') -@minLength(3) -@maxLength(63) -param name string - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. Tags of the resource.') -param tags object? - -@description('Optional. The managed identity definition for this resource.') -param managedIdentities managedIdentitiesType - -@description('Optional. The Managed Resource Group Name. A managed Storage Account, and an Event Hubs will be created in the selected subscription for catalog ingestion scenarios. Default is \'managed-rg-\'.') -param managedResourceGroupName string = 'managed-rg-${name}' - -@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.') -@allowed([ - 'Enabled' - 'Disabled' - 'NotSpecified' -]) -param publicNetworkAccess string = 'NotSpecified' - -@description('Optional. The diagnostic settings of the service.') -param diagnosticSettings diagnosticSettingType - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. Configuration details for Purview Account private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to \'account\'.') -param accountPrivateEndpoints array = [] - -@description('Optional. Configuration details for Purview Portal private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to \'portal\'.') -param portalPrivateEndpoints array = [] - -@description('Optional. 
Configuration details for Purview Managed Storage Account blob private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to \'blob\'.') -param storageBlobPrivateEndpoints array = [] - -@description('Optional. Configuration details for Purview Managed Storage Account queue private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to \'queue\'.') -param storageQueuePrivateEndpoints array = [] - -@description('Optional. Configuration details for Purview Managed Event Hub namespace private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to \'namespace\'.') -param eventHubPrivateEndpoints array = [] - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. The lock settings of the service.') -param lock lockType - -// =========== // -// Variables // -// =========== // - -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } - -var identity = { - type: !empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned' - userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? 
formattedUserAssignedIdentities : null -} - -var enableReferencedModulesTelemetry = false - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource account 'Microsoft.Purview/accounts@2021-07-01' = { - name: name - location: location - tags: tags - identity: identity - properties: { - cloudConnectors: {} - managedResourceGroupName: managedResourceGroupName - publicNetworkAccess: publicNetworkAccess - } -} - -resource account_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' - } - scope: account -} - -resource account_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? 
[]): { - name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' - properties: { - storageAccountId: diagnosticSetting.?storageAccountResourceId - workspaceId: diagnosticSetting.?workspaceResourceId - eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId - eventHubName: diagnosticSetting.?eventHubName - metrics: diagnosticSetting.?metricCategories ?? [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - } - ] - logs: diagnosticSetting.?logCategoriesAndGroups ?? [ - { - categoryGroup: 'AllLogs' - enabled: true - } - ] - marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId - logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType - } - scope: account -}] - -module account_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in accountPrivateEndpoints: { - name: '${uniqueString(deployment().name, location)}-Account-PrivateEndpoint-${index}' - params: { - groupIds: [ - privateEndpoint.service - ] - name: privateEndpoint.?name ?? 'pep-${last(split(account.id, '/'))}-${privateEndpoint.?service ?? privateEndpoint.service}-${index}' - serviceResourceId: account.id - subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: privateEndpoint.?lock ?? lock - privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' - privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: privateEndpoint.?tags ?? 
tags - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] - ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : [] - applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : [] - customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : '' - } -}] - -module portal_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in portalPrivateEndpoints: { - name: '${uniqueString(deployment().name, location)}-Portal-PrivateEndpoint-${index}' - params: { - groupIds: [ - privateEndpoint.service - ] - name: privateEndpoint.?name ?? 'pep-${last(split(account.id, '/'))}-${privateEndpoint.?service ?? privateEndpoint.service}-${index}' - serviceResourceId: account.id - subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: privateEndpoint.?lock ?? lock - privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' - privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: privateEndpoint.?tags ?? tags - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? 
privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] - ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : [] - applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : [] - customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : '' - } -}] - -module blob_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in storageBlobPrivateEndpoints: { - name: '${uniqueString(deployment().name, location)}-Storage-Blob-PrivateEndpoint-${index}' - params: { - groupIds: [ - privateEndpoint.service - ] - name: privateEndpoint.?name ?? 'pep-${last(split(account.id, '/'))}-${privateEndpoint.?service ?? privateEndpoint.service}-${index}' - serviceResourceId: account.properties.managedResources.storageAccount - subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: privateEndpoint.?lock ?? lock - privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' - privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: privateEndpoint.?tags ?? tags - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? 
privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] - ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : [] - applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : [] - customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : '' - } -}] - -module queue_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in storageQueuePrivateEndpoints: { - name: '${uniqueString(deployment().name, location)}-Storage-Queue-PrivateEndpoint-${index}' - params: { - groupIds: [ - privateEndpoint.service - ] - name: privateEndpoint.?name ?? 'pep-${last(split(account.id, '/'))}-${privateEndpoint.?service ?? privateEndpoint.service}-${index}' - serviceResourceId: account.properties.managedResources.storageAccount - subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: privateEndpoint.?lock ?? lock - privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' - privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: privateEndpoint.?tags ?? tags - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? 
privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] - ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : [] - applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : [] - customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : '' - } -}] - -module eventHub_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in eventHubPrivateEndpoints: { - name: '${uniqueString(deployment().name, location)}-Eventhub-Namespace-PrivateEndpoint-${index}' - params: { - groupIds: [ - privateEndpoint.service - ] - name: privateEndpoint.?name ?? 'pep-${last(split(account.id, '/'))}-${privateEndpoint.?service ?? privateEndpoint.service}-${index}' - serviceResourceId: account.properties.managedResources.eventHubNamespace - subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: privateEndpoint.?lock ?? lock - privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' - privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: privateEndpoint.?tags ?? tags - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? 
privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] - ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : [] - applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : [] - customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : '' - } -}] - -resource account_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(account.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? 
'2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: account -}] - -@description('The name of the Purview Account.') -output name string = account.name - -@description('The resource group the Purview Account was deployed into.') -output resourceGroupName string = resourceGroup().name - -@description('The resource ID of the Purview Account.') -output resourceId string = account.id - -@description('The location the resource was deployed into.') -output location string = account.location - -@description('The name of the managed resource group.') -output managedResourceGroupName string = account.properties.managedResourceGroupName - -@description('The resource ID of the managed resource group.') -output managedResourceGroupId string = account.properties.managedResources.resourceGroup - -@description('The resource ID of the managed storage account.') -output managedStorageAccountId string = account.properties.managedResources.storageAccount - -@description('The resource ID of the managed Event Hub Namespace.') -output managedEventHubId string = account.properties.managedResources.eventHubNamespace - -@description('The principal ID of the system assigned identity.') -output systemAssignedMIPrincipalId string = contains(account.identity, 'principalId') ? account.identity.principalId : '' - -// =============== // -// Definitions // -// =============== // - -type managedIdentitiesType = { - @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourceIds: string[] -}? - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? - -type diagnosticSettingType = { - @description('Optional. The name of diagnostic setting.') - name: string? - - @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') - logCategoriesAndGroups: { - @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') - category: string? - - @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') - categoryGroup: string? - }[]? - - @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. 
Set to \'\' to disable log collection.') - metricCategories: { - @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') - category: string - }[]? - - @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? - - @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - workspaceResourceId: string? - - @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - storageAccountResourceId: string? - - @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') - eventHubAuthorizationRuleResourceId: string? - - @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - eventHubName: string? - - @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') - marketplacePartnerResourceId: string? -}[]? diff --git a/modules/purview/account/main.json b/modules/purview/account/main.json deleted file mode 100644 index e18390b358..0000000000 --- a/modules/purview/account/main.json +++ /dev/null 
@@ -1,3496 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5819351942554123276" - }, - "name": "Purview Accounts", - "description": "This module deploys a Purview Account.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. 
The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." 
- } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "minLength": 3, - "maxLength": 63, - "metadata": { - "description": "Required. Name of the Purview Account." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "managedResourceGroupName": { - "type": "string", - "defaultValue": "[format('managed-rg-{0}', parameters('name'))]", - "metadata": { - "description": "Optional. The Managed Resource Group Name. A managed Storage Account, and an Event Hubs will be created in the selected subscription for catalog ingestion scenarios. Default is 'managed-rg-'." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "NotSpecified", - "allowedValues": [ - "Enabled", - "Disabled", - "NotSpecified" - ], - "metadata": { - "description": "Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. 
The diagnostic settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "accountPrivateEndpoints": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Configuration details for Purview Account private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'account'." - } - }, - "portalPrivateEndpoints": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Configuration details for Purview Portal private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'portal'." - } - }, - "storageBlobPrivateEndpoints": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Configuration details for Purview Managed Storage Account blob private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'blob'." - } - }, - "storageQueuePrivateEndpoints": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Configuration details for Purview Managed Storage Account queue private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'queue'." - } - }, - "eventHubPrivateEndpoints": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Configuration details for Purview Managed Event Hub namespace private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'namespace'." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - } - }, - "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": { - "type": "[if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned')]", - "userAssignedIdentities": "[if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())]" - }, - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": 
"[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "account": { - "type": "Microsoft.Purview/accounts", - "apiVersion": "2021-07-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "properties": { - "cloudConnectors": {}, - "managedResourceGroupName": "[parameters('managedResourceGroupName')]", - "publicNetworkAccess": "[parameters('publicNetworkAccess')]" - } - }, - "account_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Purview/accounts/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "account" - ] - }, - "account_diagnosticSettings": { - "copy": { - "name": "account_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Purview/accounts/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { 
- "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "account" - ] - }, - "account_roleAssignments": { - "copy": { - "name": "account_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Purview/accounts/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Purview/accounts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "account" - ] - }, - "account_privateEndpoints": { - "copy": { - "name": "account_privateEndpoints", - "count": "[length(parameters('accountPrivateEndpoints'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Account-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - 
"[parameters('accountPrivateEndpoints')[copyIndex()].service]" - ] - }, - "name": { - "value": "[coalesce(tryGet(parameters('accountPrivateEndpoints')[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Purview/accounts', parameters('name')), '/')), coalesce(tryGet(parameters('accountPrivateEndpoints')[copyIndex()], 'service'), parameters('accountPrivateEndpoints')[copyIndex()].service), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.Purview/accounts', parameters('name'))]" - }, - "subnetResourceId": { - "value": "[parameters('accountPrivateEndpoints')[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "location": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('accountPrivateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": { - "value": "[coalesce(tryGet(parameters('accountPrivateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": 
{ - "value": "[coalesce(tryGet(parameters('accountPrivateEndpoints')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroupResourceIds": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - 
"properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." 
- } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." 
- } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private 
DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - 
"groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": 
"Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": 
"string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." 
- }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "account" - ] - }, - "portal_privateEndpoints": { - "copy": { - "name": "portal_privateEndpoints", - "count": "[length(parameters('portalPrivateEndpoints'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Portal-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[parameters('portalPrivateEndpoints')[copyIndex()].service]" - ] - }, - "name": { - "value": "[coalesce(tryGet(parameters('portalPrivateEndpoints')[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Purview/accounts', parameters('name')), '/')), coalesce(tryGet(parameters('portalPrivateEndpoints')[copyIndex()], 'service'), parameters('portalPrivateEndpoints')[copyIndex()].service), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.Purview/accounts', parameters('name'))]" - }, - "subnetResourceId": { - "value": "[parameters('portalPrivateEndpoints')[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "location": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('portalPrivateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": { - "value": "[coalesce(tryGet(parameters('portalPrivateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', 
parameters('portalPrivateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": { - "value": "[coalesce(tryGet(parameters('portalPrivateEndpoints')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroupResourceIds": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', 
parameters('portalPrivateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. 
A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." 
- } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } 
- }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - "groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": 
"privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": 
"Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "account" - ] - }, - "blob_privateEndpoints": { - "copy": { - "name": "blob_privateEndpoints", - "count": "[length(parameters('storageBlobPrivateEndpoints'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Storage-Blob-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[parameters('storageBlobPrivateEndpoints')[copyIndex()].service]" - ] - }, - "name": { - "value": "[coalesce(tryGet(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Purview/accounts', parameters('name')), '/')), coalesce(tryGet(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'service'), parameters('storageBlobPrivateEndpoints')[copyIndex()].service), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[reference('account').managedResources.storageAccount]" - }, - "subnetResourceId": { - 
"value": "[parameters('storageBlobPrivateEndpoints')[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "location": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('storageBlobPrivateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": { - "value": "[coalesce(tryGet(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": { - "value": "[coalesce(tryGet(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 
'customDnsConfigs'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroupResourceIds": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. 
The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." 
- } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." 
- } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } 
- }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - "groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', 
parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. 
Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." 
- }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." 
- }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "account" - ] - }, - "queue_privateEndpoints": { - "copy": { - "name": "queue_privateEndpoints", - "count": "[length(parameters('storageQueuePrivateEndpoints'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Storage-Queue-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[parameters('storageQueuePrivateEndpoints')[copyIndex()].service]" - ] - }, - "name": { - "value": "[coalesce(tryGet(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Purview/accounts', parameters('name')), '/')), coalesce(tryGet(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'service'), parameters('storageQueuePrivateEndpoints')[copyIndex()].service), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[reference('account').managedResources.storageAccount]" - }, - "subnetResourceId": { - "value": "[parameters('storageQueuePrivateEndpoints')[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "location": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('storageQueuePrivateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": { - "value": "[coalesce(tryGet(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": 
"[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": { - "value": "[coalesce(tryGet(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroupResourceIds": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), 
createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." 
- } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } 
- }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - "groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": 
"privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": 
"Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "account" - ] - }, - "eventHub_privateEndpoints": { - "copy": { - "name": "eventHub_privateEndpoints", - "count": "[length(parameters('eventHubPrivateEndpoints'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Eventhub-Namespace-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[parameters('eventHubPrivateEndpoints')[copyIndex()].service]" - ] - }, - "name": { - "value": "[coalesce(tryGet(parameters('eventHubPrivateEndpoints')[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Purview/accounts', parameters('name')), '/')), coalesce(tryGet(parameters('eventHubPrivateEndpoints')[copyIndex()], 'service'), parameters('eventHubPrivateEndpoints')[copyIndex()].service), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[reference('account').managedResources.eventHubNamespace]" - }, - "subnetResourceId": { - 
"value": "[parameters('eventHubPrivateEndpoints')[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "location": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('eventHubPrivateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": { - "value": "[coalesce(tryGet(parameters('eventHubPrivateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": { - "value": "[coalesce(tryGet(parameters('eventHubPrivateEndpoints')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', 
parameters('eventHubPrivateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroupResourceIds": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. 
The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." 
- } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." 
- } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } 
- }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - "groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', 
parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. 
Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." 
- }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "account" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the Purview Account." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the Purview Account was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Purview Account." - }, - "value": "[resourceId('Microsoft.Purview/accounts', parameters('name'))]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." 
- }, - "value": "[reference('account', '2021-07-01', 'full').location]" - }, - "managedResourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the managed resource group." - }, - "value": "[reference('account').managedResourceGroupName]" - }, - "managedResourceGroupId": { - "type": "string", - "metadata": { - "description": "The resource ID of the managed resource group." - }, - "value": "[reference('account').managedResources.resourceGroup]" - }, - "managedStorageAccountId": { - "type": "string", - "metadata": { - "description": "The resource ID of the managed storage account." - }, - "value": "[reference('account').managedResources.storageAccount]" - }, - "managedEventHubId": { - "type": "string", - "metadata": { - "description": "The resource ID of the managed Event Hub Namespace." - }, - "value": "[reference('account').managedResources.eventHubNamespace]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(contains(reference('account', '2021-07-01', 'full').identity, 'principalId'), reference('account', '2021-07-01', 'full').identity.principalId, '')]" - } - } -} \ No newline at end of file diff --git a/modules/purview/account/tests/e2e/defaults/main.test.bicep b/modules/purview/account/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 78ad70351f..0000000000 --- a/modules/purview/account/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,49 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using only defaults' -metadata description = 'This instance deploys the module with the minimum set of required parameters.' - -// ========== // -// Parameters // -// ========== // -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-purview-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = 'eastus' // Only available in selected locations: eastus, eastus2, southcentralus, westcentralus, westus, westus2, westus3 - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'pvamin' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// =========== // -// Deployments // -// =========== // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - scope: resourceGroup - params: { - name: '${namePrefix}${serviceShort}001' - managedResourceGroupName: '${namePrefix}${serviceShort}001-managed-rg' - enableDefaultTelemetry: enableDefaultTelemetry - } -}] diff --git a/modules/purview/account/tests/e2e/max/dependencies.bicep b/modules/purview/account/tests/e2e/max/dependencies.bicep deleted file mode 100644 index 1edeb81930..0000000000 
--- a/modules/purview/account/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,73 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Virtual Network to create.') -param virtualNetworkName string - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -var addressPrefix = '10.0.0.0/16' - -var privateDNSZoneNames = [ - 'privatelink.purview.azure.com' - 'privatelink.purviewstudio.azure.com' - 'privatelink.blob.${environment().suffixes.storage}' - 'privatelink.queue.${environment().suffixes.storage}' - 'privatelink.servicebus.windows.net' -] - -resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { - name: virtualNetworkName - location: location - properties: { - addressSpace: { - addressPrefixes: [ - addressPrefix - ] - } - subnets: [ - { - name: 'defaultSubnet' - properties: { - addressPrefix: cidrSubnet(addressPrefix, 16, 0) - } - } - ] - } -} - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -@batchSize(1) -resource privateDNSZones 'Microsoft.Network/privateDnsZones@2020-06-01' = [for privateDNSZone in privateDNSZoneNames: { - name: privateDNSZone - location: 'global' -}] - -@description('The resource ID of the created Virtual Network Subnet.') -output subnetResourceId string = virtualNetwork.properties.subnets[0].id - -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId - -@description('The resource ID of the created Managed Identity.') -output managedIdentityResourceId string = managedIdentity.id - -@description('The resource ID of the created Private DNS Zone for Purview Account.') -output purviewAccountPrivateDNSResourceId string = privateDNSZones[0].id - -@description('The resource ID of the created Private DNS Zone for Purview Portal.') -output 
purviewPortalPrivateDNSResourceId string = privateDNSZones[1].id - -@description('The resource ID of the created Private DNS Zone for Storage Account Blob.') -output storageBlobPrivateDNSResourceId string = privateDNSZones[2].id - -@description('The resource ID of the created Private DNS Zone for Storage Account Queue.') -output storageQueuePrivateDNSResourceId string = privateDNSZones[3].id - -@description('The resource ID of the created Private DNS Zone for Event Hub Namespace.') -output eventHubPrivateDNSResourceId string = privateDNSZones[4].id diff --git a/modules/purview/account/tests/e2e/max/main.test.bicep b/modules/purview/account/tests/e2e/max/main.test.bicep deleted file mode 100644 index 5f09f48e2e..0000000000 --- a/modules/purview/account/tests/e2e/max/main.test.bicep +++ /dev/null 
@@ -1,190 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-purview-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = 'eastus' // Only available in selected locations: eastus, eastus2, southcentralus, westcentralus, westus, westus2, westus3 - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'pvamax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' -// =========== // -// Deployments // -// =========== // - -// General resources -// ================= - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - 
eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}01' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}01' - location: location - - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - scope: resourceGroup - params: { - name: '${namePrefix}${serviceShort}001' - location: location - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - managedIdentities: { - userAssignedResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - } - managedResourceGroupName: '${namePrefix}${serviceShort}001-managed-rg' - publicNetworkAccess: 'Disabled' - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - accountPrivateEndpoints: [ - { - 
privateDnsZoneResourceIds: [ - nestedDependencies.outputs.purviewAccountPrivateDNSResourceId - ] - service: 'account' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - portalPrivateEndpoints: [ - { - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.purviewPortalPrivateDNSResourceId - ] - service: 'portal' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - storageBlobPrivateEndpoints: [ - { - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.storageBlobPrivateDNSResourceId - ] - service: 'blob' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - storageQueuePrivateEndpoints: [ - { - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.storageQueuePrivateDNSResourceId - ] - service: 'queue' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - eventHubPrivateEndpoints: [ - { - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.eventHubPrivateDNSResourceId - ] - service: 'namespace' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - enableDefaultTelemetry: enableDefaultTelemetry - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - } -}] 
diff --git a/modules/purview/account/tests/e2e/waf-aligned/dependencies.bicep b/modules/purview/account/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 1edeb81930..0000000000
--- a/modules/purview/account/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,73 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Virtual Network to create.') -param virtualNetworkName string - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -var addressPrefix = '10.0.0.0/16' - -var privateDNSZoneNames = [ - 'privatelink.purview.azure.com' - 'privatelink.purviewstudio.azure.com' - 'privatelink.blob.${environment().suffixes.storage}' - 'privatelink.queue.${environment().suffixes.storage}' - 'privatelink.servicebus.windows.net' -] - -resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { - name: virtualNetworkName - location: location - properties: { - addressSpace: { - addressPrefixes: [ - addressPrefix - ] - } - subnets: [ - { - name: 'defaultSubnet' - properties: { - addressPrefix: cidrSubnet(addressPrefix, 16, 0) - } - } - ] - } -} - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -@batchSize(1) -resource privateDNSZones 'Microsoft.Network/privateDnsZones@2020-06-01' = [for privateDNSZone in privateDNSZoneNames: { - name: privateDNSZone - location: 'global' -}] - -@description('The resource ID of the created Virtual Network Subnet.') -output subnetResourceId string = virtualNetwork.properties.subnets[0].id - -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId - -@description('The resource ID of the created Managed Identity.') -output managedIdentityResourceId string = managedIdentity.id - -@description('The resource ID of the created Private DNS Zone for Purview Account.') -output purviewAccountPrivateDNSResourceId string = privateDNSZones[0].id - -@description('The resource ID of the created Private DNS Zone for Purview Portal.') -output 
purviewPortalPrivateDNSResourceId string = privateDNSZones[1].id - -@description('The resource ID of the created Private DNS Zone for Storage Account Blob.') -output storageBlobPrivateDNSResourceId string = privateDNSZones[2].id - -@description('The resource ID of the created Private DNS Zone for Storage Account Queue.') -output storageQueuePrivateDNSResourceId string = privateDNSZones[3].id - -@description('The resource ID of the created Private DNS Zone for Event Hub Namespace.') -output eventHubPrivateDNSResourceId string = privateDNSZones[4].id diff --git a/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep b/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep deleted file mode 100644 index 50ff6aa700..0000000000 --- a/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep +++ /dev/null 
@@ -1,173 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-purview-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = 'eastus' // Only available in selected locations: eastus, eastus2, southcentralus, westcentralus, westus, westus2, westus3 - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'pvawaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. 
A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' -// =========== // -// Deployments // -// =========== // - -// General resources -// ================= - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}01' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}01' - location: location - - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - scope: resourceGroup - params: { - name: '${namePrefix}${serviceShort}001' - location: location - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - managedIdentities: { - userAssignedResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - } - managedResourceGroupName: '${namePrefix}${serviceShort}001-managed-rg' - publicNetworkAccess: 'Disabled' - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - 
eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - accountPrivateEndpoints: [ - { - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.purviewAccountPrivateDNSResourceId - ] - service: 'account' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - portalPrivateEndpoints: [ - { - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.purviewPortalPrivateDNSResourceId - ] - service: 'portal' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - storageBlobPrivateEndpoints: [ - { - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.storageBlobPrivateDNSResourceId - ] - service: 'blob' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - storageQueuePrivateEndpoints: [ - { - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.storageQueuePrivateDNSResourceId - ] - service: 'queue' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - eventHubPrivateEndpoints: [ - { - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.eventHubPrivateDNSResourceId - ] - service: 'namespace' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - 
'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - enableDefaultTelemetry: enableDefaultTelemetry - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - } -}] diff --git a/modules/purview/account/version.json b/modules/purview/account/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/purview/account/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/recovery-services/vault/README.md b/modules/recovery-services/vault/README.md index def4d8dcf7..40fbaeeaee 100644 --- a/modules/recovery-services/vault/README.md +++ b/modules/recovery-services/vault/README.md @@ -1,2300 +1,7 @@ -# Recovery Services Vaults `[Microsoft.RecoveryServices/vaults]` +

⚠️ Moved to AVM ⚠️

-This module deploys a Recovery Services Vault. +**This module has been evolved into the following AVM module: [avm/res/recovery-services/vault](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/recovery-services/vault).** -## Navigation +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/recovery-services/vault). -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -| `Microsoft.RecoveryServices/vaults` | [2023-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2023-01-01/vaults) | -| `Microsoft.RecoveryServices/vaults/backupconfig` | [2023-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2023-01-01/vaults/backupconfig) | -| 
`Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers` | [2023-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2023-01-01/vaults/backupFabrics/protectionContainers) | -| `Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems` | [2023-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2023-01-01/vaults/backupFabrics/protectionContainers/protectedItems) | -| `Microsoft.RecoveryServices/vaults/backupPolicies` | [2023-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2023-01-01/vaults/backupPolicies) | -| `Microsoft.RecoveryServices/vaults/backupstorageconfig` | [2023-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2023-01-01/vaults/backupstorageconfig) | -| `Microsoft.RecoveryServices/vaults/replicationAlertSettings` | [2022-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-10-01/vaults/replicationAlertSettings) | -| `Microsoft.RecoveryServices/vaults/replicationFabrics` | [2022-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-10-01/vaults/replicationFabrics) | -| `Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers` | [2022-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-10-01/vaults/replicationFabrics/replicationProtectionContainers) | -| `Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings` | [2022-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-10-01/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings) | -| `Microsoft.RecoveryServices/vaults/replicationPolicies` | 
[2022-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-10-01/vaults/replicationPolicies) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/recovery-services.vault:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Dr](#example-2-dr) -- [Using large parameter set](#example-3-using-large-parameter-set) -- [WAF-aligned](#example-4-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-rsvmin' - params: { - // Required parameters - name: 'rsvmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "rsvmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Dr_ - -

- -via Bicep module - -```bicep -module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-rsvdr' - params: { - // Required parameters - name: '' - // Non-required parameters - enableDefaultTelemetry: '' - replicationFabrics: [ - { - location: 'NorthEurope' - replicationContainers: [ - { - name: 'ne-container1' - replicationContainerMappings: [ - { - policyName: 'Default_values' - targetContainerName: 'pluto' - targetProtectionContainerId: '' - } - ] - } - { - name: 'ne-container2' - replicationContainerMappings: [ - { - policyName: 'Default_values' - targetContainerFabricName: 'WE-2' - targetContainerName: 'we-container1' - } - ] - } - ] - } - { - location: 'WestEurope' - name: 'WE-2' - replicationContainers: [ - { - name: 'we-container1' - replicationContainerMappings: [ - { - policyName: 'Default_values' - targetContainerFabricName: 'NorthEurope' - targetContainerName: 'ne-container2' - } - ] - } - ] - } - ] - replicationPolicies: [ - { - name: 'Default_values' - } - { - appConsistentFrequencyInMinutes: 240 - crashConsistentFrequencyInMinutes: 7 - multiVmSyncStatus: 'Disable' - name: 'Custom_values' - recoveryPointHistory: 2880 - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "replicationFabrics": { - "value": [ - { - "location": "NorthEurope", - "replicationContainers": [ - { - "name": "ne-container1", - "replicationContainerMappings": [ - { - "policyName": "Default_values", - "targetContainerName": "pluto", - "targetProtectionContainerId": "" - } - ] - }, - { - "name": "ne-container2", - "replicationContainerMappings": [ - { - "policyName": "Default_values", - "targetContainerFabricName": "WE-2", - "targetContainerName": "we-container1" - } - ] - } - ] - }, - { - "location": "WestEurope", - "name": "WE-2", - "replicationContainers": [ - { - "name": "we-container1", - "replicationContainerMappings": [ - { - "policyName": "Default_values", - "targetContainerFabricName": "NorthEurope", - "targetContainerName": "ne-container2" - } - ] - } - ] - } - ] - }, - "replicationPolicies": { - "value": [ - { - "name": "Default_values" - }, - { - "appConsistentFrequencyInMinutes": 240, - "crashConsistentFrequencyInMinutes": 7, - "multiVmSyncStatus": "Disable", - "name": "Custom_values", - "recoveryPointHistory": 2880 - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-rsvmax' - params: { - // Required parameters - name: 'rsvmax001' - // Non-required parameters - backupConfig: { - enhancedSecurityState: 'Disabled' - softDeleteFeatureState: 'Disabled' - } - backupPolicies: [ - { - name: 'VMpolicy' - properties: { - backupManagementType: 'AzureIaasVM' - instantRPDetails: {} - instantRpRetentionRangeInDays: 2 - protectedItemsCount: 0 - retentionPolicy: { - dailySchedule: { - retentionDuration: { - count: 180 - durationType: 'Days' - } - retentionTimes: [ - '2019-11-07T07:00:00Z' - ] - } - monthlySchedule: { - retentionDuration: { - count: 60 - durationType: 'Months' - } - retentionScheduleFormatType: 'Weekly' - retentionScheduleWeekly: { - daysOfTheWeek: [ - 'Sunday' - ] - weeksOfTheMonth: [ - 'First' - ] - } - retentionTimes: [ - '2019-11-07T07:00:00Z' - ] - } - retentionPolicyType: 'LongTermRetentionPolicy' - weeklySchedule: { - daysOfTheWeek: [ - 'Sunday' - ] - retentionDuration: { - count: 12 - durationType: 'Weeks' - } - retentionTimes: [ - '2019-11-07T07:00:00Z' - ] - } - yearlySchedule: { - monthsOfYear: [ - 'January' - ] - retentionDuration: { - count: 10 - durationType: 'Years' - } - retentionScheduleFormatType: 'Weekly' - retentionScheduleWeekly: { - daysOfTheWeek: [ - 'Sunday' - ] - weeksOfTheMonth: [ - 'First' - ] - } - retentionTimes: [ - '2019-11-07T07:00:00Z' - ] - } - } - schedulePolicy: { - schedulePolicyType: 'SimpleSchedulePolicy' - scheduleRunFrequency: 'Daily' - scheduleRunTimes: [ - '2019-11-07T07:00:00Z' - ] - scheduleWeeklyFrequency: 0 - } - timeZone: 'UTC' - } - } - { - name: 'sqlpolicy' - properties: { - backupManagementType: 'AzureWorkload' - protectedItemsCount: 0 - settings: { - isCompression: true - issqlcompression: true - timeZone: 'UTC' - } - subProtectionPolicy: [ - { - policyType: 'Full' - retentionPolicy: { - monthlySchedule: { - 
retentionDuration: { - count: 60 - durationType: 'Months' - } - retentionScheduleFormatType: 'Weekly' - retentionScheduleWeekly: { - daysOfTheWeek: [ - 'Sunday' - ] - weeksOfTheMonth: [ - 'First' - ] - } - retentionTimes: [ - '2019-11-07T22:00:00Z' - ] - } - retentionPolicyType: 'LongTermRetentionPolicy' - weeklySchedule: { - daysOfTheWeek: [ - 'Sunday' - ] - retentionDuration: { - count: 104 - durationType: 'Weeks' - } - retentionTimes: [ - '2019-11-07T22:00:00Z' - ] - } - yearlySchedule: { - monthsOfYear: [ - 'January' - ] - retentionDuration: { - count: 10 - durationType: 'Years' - } - retentionScheduleFormatType: 'Weekly' - retentionScheduleWeekly: { - daysOfTheWeek: [ - 'Sunday' - ] - weeksOfTheMonth: [ - 'First' - ] - } - retentionTimes: [ - '2019-11-07T22:00:00Z' - ] - } - } - schedulePolicy: { - schedulePolicyType: 'SimpleSchedulePolicy' - scheduleRunDays: [ - 'Sunday' - ] - scheduleRunFrequency: 'Weekly' - scheduleRunTimes: [ - '2019-11-07T22:00:00Z' - ] - scheduleWeeklyFrequency: 0 - } - } - { - policyType: 'Differential' - retentionPolicy: { - retentionDuration: { - count: 30 - durationType: 'Days' - } - retentionPolicyType: 'SimpleRetentionPolicy' - } - schedulePolicy: { - schedulePolicyType: 'SimpleSchedulePolicy' - scheduleRunDays: [ - 'Monday' - ] - scheduleRunFrequency: 'Weekly' - scheduleRunTimes: [ - '2017-03-07T02:00:00Z' - ] - scheduleWeeklyFrequency: 0 - } - } - { - policyType: 'Log' - retentionPolicy: { - retentionDuration: { - count: 15 - durationType: 'Days' - } - retentionPolicyType: 'SimpleRetentionPolicy' - } - schedulePolicy: { - scheduleFrequencyInMins: 120 - schedulePolicyType: 'LogSchedulePolicy' - } - } - ] - workLoadType: 'SQLDataBase' - } - } - { - name: 'filesharepolicy' - properties: { - backupManagementType: 'AzureStorage' - protectedItemsCount: 0 - retentionPolicy: { - dailySchedule: { - retentionDuration: { - count: 30 - durationType: 'Days' - } - retentionTimes: [ - '2019-11-07T04:30:00Z' - ] - } - retentionPolicyType: 
'LongTermRetentionPolicy' - } - schedulePolicy: { - schedulePolicyType: 'SimpleSchedulePolicy' - scheduleRunFrequency: 'Daily' - scheduleRunTimes: [ - '2019-11-07T04:30:00Z' - ] - scheduleWeeklyFrequency: 0 - } - timeZone: 'UTC' - workloadType: 'AzureFileShare' - } - } - ] - backupStorageConfig: { - crossRegionRestoreFlag: true - storageModelType: 'GeoRedundant' - } - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - monitoringSettings: { - azureMonitorAlertSettings: { - alertsForAllJobFailures: 'Enabled' - } - classicAlertSettings: { - alertsForCriticalOperations: 'Enabled' - } - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - replicationAlertSettings: { - customEmailAddresses: [ - 'test.user@testcompany.com' - ] - locale: 'en-US' - sendToOwners: 'Send' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - securitySettings: { - immutabilitySettings: { - state: 'Unlocked' - } - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "rsvmax001" - }, - // Non-required parameters - "backupConfig": { - "value": { - "enhancedSecurityState": "Disabled", - "softDeleteFeatureState": "Disabled" - } - }, - "backupPolicies": { - "value": [ - { - "name": "VMpolicy", - "properties": { - "backupManagementType": "AzureIaasVM", - "instantRPDetails": {}, - "instantRpRetentionRangeInDays": 2, - "protectedItemsCount": 0, - "retentionPolicy": { - "dailySchedule": { - "retentionDuration": { - "count": 180, - "durationType": "Days" - }, - "retentionTimes": [ - "2019-11-07T07:00:00Z" - ] - }, - "monthlySchedule": { - "retentionDuration": { - "count": 60, - "durationType": "Months" - }, - "retentionScheduleFormatType": "Weekly", - "retentionScheduleWeekly": { - "daysOfTheWeek": [ - "Sunday" - ], - "weeksOfTheMonth": [ - "First" - ] - }, - "retentionTimes": [ - "2019-11-07T07:00:00Z" - ] - }, - "retentionPolicyType": "LongTermRetentionPolicy", - "weeklySchedule": { - "daysOfTheWeek": [ - "Sunday" - ], - "retentionDuration": { - "count": 12, - "durationType": "Weeks" - }, - "retentionTimes": [ - "2019-11-07T07:00:00Z" - ] - }, - "yearlySchedule": { - "monthsOfYear": [ - "January" - ], - "retentionDuration": { - "count": 10, - "durationType": "Years" - }, - "retentionScheduleFormatType": "Weekly", - "retentionScheduleWeekly": { - "daysOfTheWeek": [ - "Sunday" - ], - "weeksOfTheMonth": [ - "First" - ] - }, - "retentionTimes": [ - "2019-11-07T07:00:00Z" - ] - } - }, - "schedulePolicy": { - "schedulePolicyType": "SimpleSchedulePolicy", - "scheduleRunFrequency": "Daily", - "scheduleRunTimes": [ - "2019-11-07T07:00:00Z" - ], - "scheduleWeeklyFrequency": 0 - }, - "timeZone": "UTC" - } - }, - { - "name": "sqlpolicy", - "properties": { - "backupManagementType": "AzureWorkload", - 
"protectedItemsCount": 0, - "settings": { - "isCompression": true, - "issqlcompression": true, - "timeZone": "UTC" - }, - "subProtectionPolicy": [ - { - "policyType": "Full", - "retentionPolicy": { - "monthlySchedule": { - "retentionDuration": { - "count": 60, - "durationType": "Months" - }, - "retentionScheduleFormatType": "Weekly", - "retentionScheduleWeekly": { - "daysOfTheWeek": [ - "Sunday" - ], - "weeksOfTheMonth": [ - "First" - ] - }, - "retentionTimes": [ - "2019-11-07T22:00:00Z" - ] - }, - "retentionPolicyType": "LongTermRetentionPolicy", - "weeklySchedule": { - "daysOfTheWeek": [ - "Sunday" - ], - "retentionDuration": { - "count": 104, - "durationType": "Weeks" - }, - "retentionTimes": [ - "2019-11-07T22:00:00Z" - ] - }, - "yearlySchedule": { - "monthsOfYear": [ - "January" - ], - "retentionDuration": { - "count": 10, - "durationType": "Years" - }, - "retentionScheduleFormatType": "Weekly", - "retentionScheduleWeekly": { - "daysOfTheWeek": [ - "Sunday" - ], - "weeksOfTheMonth": [ - "First" - ] - }, - "retentionTimes": [ - "2019-11-07T22:00:00Z" - ] - } - }, - "schedulePolicy": { - "schedulePolicyType": "SimpleSchedulePolicy", - "scheduleRunDays": [ - "Sunday" - ], - "scheduleRunFrequency": "Weekly", - "scheduleRunTimes": [ - "2019-11-07T22:00:00Z" - ], - "scheduleWeeklyFrequency": 0 - } - }, - { - "policyType": "Differential", - "retentionPolicy": { - "retentionDuration": { - "count": 30, - "durationType": "Days" - }, - "retentionPolicyType": "SimpleRetentionPolicy" - }, - "schedulePolicy": { - "schedulePolicyType": "SimpleSchedulePolicy", - "scheduleRunDays": [ - "Monday" - ], - "scheduleRunFrequency": "Weekly", - "scheduleRunTimes": [ - "2017-03-07T02:00:00Z" - ], - "scheduleWeeklyFrequency": 0 - } - }, - { - "policyType": "Log", - "retentionPolicy": { - "retentionDuration": { - "count": 15, - "durationType": "Days" - }, - "retentionPolicyType": "SimpleRetentionPolicy" - }, - "schedulePolicy": { - "scheduleFrequencyInMins": 120, - "schedulePolicyType": 
"LogSchedulePolicy" - } - } - ], - "workLoadType": "SQLDataBase" - } - }, - { - "name": "filesharepolicy", - "properties": { - "backupManagementType": "AzureStorage", - "protectedItemsCount": 0, - "retentionPolicy": { - "dailySchedule": { - "retentionDuration": { - "count": 30, - "durationType": "Days" - }, - "retentionTimes": [ - "2019-11-07T04:30:00Z" - ] - }, - "retentionPolicyType": "LongTermRetentionPolicy" - }, - "schedulePolicy": { - "schedulePolicyType": "SimpleSchedulePolicy", - "scheduleRunFrequency": "Daily", - "scheduleRunTimes": [ - "2019-11-07T04:30:00Z" - ], - "scheduleWeeklyFrequency": 0 - }, - "timeZone": "UTC", - "workloadType": "AzureFileShare" - } - } - ] - }, - "backupStorageConfig": { - "value": { - "crossRegionRestoreFlag": true, - "storageModelType": "GeoRedundant" - } - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "monitoringSettings": { - "value": { - "azureMonitorAlertSettings": { - "alertsForAllJobFailures": "Enabled" - }, - "classicAlertSettings": { - "alertsForCriticalOperations": "Enabled" - } - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "replicationAlertSettings": { - "value": { - "customEmailAddresses": [ - "test.user@testcompany.com" - ], - "locale": "en-US", - "sendToOwners": "Send" - } - }, - "roleAssignments": { - "value": [ - { - 
"principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "securitySettings": { - "value": { - "immutabilitySettings": { - "state": "Unlocked" - } - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 4: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-rsvwaf' - params: { - // Required parameters - name: 'rsvwaf001' - // Non-required parameters - backupConfig: { - enhancedSecurityState: 'Disabled' - softDeleteFeatureState: 'Disabled' - } - backupPolicies: [ - { - name: 'VMpolicy' - properties: { - backupManagementType: 'AzureIaasVM' - instantRPDetails: {} - instantRpRetentionRangeInDays: 2 - protectedItemsCount: 0 - retentionPolicy: { - dailySchedule: { - retentionDuration: { - count: 180 - durationType: 'Days' - } - retentionTimes: [ - '2019-11-07T07:00:00Z' - ] - } - monthlySchedule: { - retentionDuration: { - count: 60 - durationType: 'Months' - } - retentionScheduleFormatType: 'Weekly' - retentionScheduleWeekly: { - daysOfTheWeek: [ - 'Sunday' - ] - weeksOfTheMonth: [ - 'First' - ] - } - retentionTimes: [ - '2019-11-07T07:00:00Z' - ] - } - retentionPolicyType: 'LongTermRetentionPolicy' - weeklySchedule: { - daysOfTheWeek: [ - 'Sunday' - ] - retentionDuration: { - count: 12 - durationType: 'Weeks' - } - retentionTimes: [ - '2019-11-07T07:00:00Z' - ] - } - yearlySchedule: { - monthsOfYear: [ - 'January' - ] - retentionDuration: { - count: 10 - durationType: 'Years' - } - retentionScheduleFormatType: 'Weekly' - retentionScheduleWeekly: { - daysOfTheWeek: [ - 'Sunday' - ] - weeksOfTheMonth: [ - 'First' - ] - } - retentionTimes: [ - '2019-11-07T07:00:00Z' - ] - } - } - schedulePolicy: { - schedulePolicyType: 'SimpleSchedulePolicy' - scheduleRunFrequency: 'Daily' - scheduleRunTimes: [ - '2019-11-07T07:00:00Z' - ] - scheduleWeeklyFrequency: 0 - } - timeZone: 'UTC' - } - } - { - name: 'sqlpolicy' - properties: { - backupManagementType: 'AzureWorkload' - protectedItemsCount: 0 - settings: { - isCompression: true - issqlcompression: true - timeZone: 'UTC' - } - subProtectionPolicy: [ - { - policyType: 'Full' - retentionPolicy: { - monthlySchedule: { - 
retentionDuration: { - count: 60 - durationType: 'Months' - } - retentionScheduleFormatType: 'Weekly' - retentionScheduleWeekly: { - daysOfTheWeek: [ - 'Sunday' - ] - weeksOfTheMonth: [ - 'First' - ] - } - retentionTimes: [ - '2019-11-07T22:00:00Z' - ] - } - retentionPolicyType: 'LongTermRetentionPolicy' - weeklySchedule: { - daysOfTheWeek: [ - 'Sunday' - ] - retentionDuration: { - count: 104 - durationType: 'Weeks' - } - retentionTimes: [ - '2019-11-07T22:00:00Z' - ] - } - yearlySchedule: { - monthsOfYear: [ - 'January' - ] - retentionDuration: { - count: 10 - durationType: 'Years' - } - retentionScheduleFormatType: 'Weekly' - retentionScheduleWeekly: { - daysOfTheWeek: [ - 'Sunday' - ] - weeksOfTheMonth: [ - 'First' - ] - } - retentionTimes: [ - '2019-11-07T22:00:00Z' - ] - } - } - schedulePolicy: { - schedulePolicyType: 'SimpleSchedulePolicy' - scheduleRunDays: [ - 'Sunday' - ] - scheduleRunFrequency: 'Weekly' - scheduleRunTimes: [ - '2019-11-07T22:00:00Z' - ] - scheduleWeeklyFrequency: 0 - } - } - { - policyType: 'Differential' - retentionPolicy: { - retentionDuration: { - count: 30 - durationType: 'Days' - } - retentionPolicyType: 'SimpleRetentionPolicy' - } - schedulePolicy: { - schedulePolicyType: 'SimpleSchedulePolicy' - scheduleRunDays: [ - 'Monday' - ] - scheduleRunFrequency: 'Weekly' - scheduleRunTimes: [ - '2017-03-07T02:00:00Z' - ] - scheduleWeeklyFrequency: 0 - } - } - { - policyType: 'Log' - retentionPolicy: { - retentionDuration: { - count: 15 - durationType: 'Days' - } - retentionPolicyType: 'SimpleRetentionPolicy' - } - schedulePolicy: { - scheduleFrequencyInMins: 120 - schedulePolicyType: 'LogSchedulePolicy' - } - } - ] - workLoadType: 'SQLDataBase' - } - } - { - name: 'filesharepolicy' - properties: { - backupManagementType: 'AzureStorage' - protectedItemsCount: 0 - retentionPolicy: { - dailySchedule: { - retentionDuration: { - count: 30 - durationType: 'Days' - } - retentionTimes: [ - '2019-11-07T04:30:00Z' - ] - } - retentionPolicyType: 
'LongTermRetentionPolicy' - } - schedulePolicy: { - schedulePolicyType: 'SimpleSchedulePolicy' - scheduleRunFrequency: 'Daily' - scheduleRunTimes: [ - '2019-11-07T04:30:00Z' - ] - scheduleWeeklyFrequency: 0 - } - timeZone: 'UTC' - workloadType: 'AzureFileShare' - } - } - ] - backupStorageConfig: { - crossRegionRestoreFlag: true - storageModelType: 'GeoRedundant' - } - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - monitoringSettings: { - azureMonitorAlertSettings: { - alertsForAllJobFailures: 'Enabled' - } - classicAlertSettings: { - alertsForCriticalOperations: 'Enabled' - } - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - replicationAlertSettings: { - customEmailAddresses: [ - 'test.user@testcompany.com' - ] - locale: 'en-US' - sendToOwners: 'Send' - } - securitySettings: { - immutabilitySettings: { - state: 'Unlocked' - } - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "rsvwaf001" - }, - // Non-required parameters - "backupConfig": { - "value": { - "enhancedSecurityState": "Disabled", - "softDeleteFeatureState": "Disabled" - } - }, - "backupPolicies": { - "value": [ - { - "name": "VMpolicy", - "properties": { - "backupManagementType": "AzureIaasVM", - "instantRPDetails": {}, - "instantRpRetentionRangeInDays": 2, - "protectedItemsCount": 0, - "retentionPolicy": { - "dailySchedule": { - "retentionDuration": { - "count": 180, - "durationType": "Days" - }, - "retentionTimes": [ - "2019-11-07T07:00:00Z" - ] - }, - "monthlySchedule": { - "retentionDuration": { - "count": 60, - "durationType": "Months" - }, - "retentionScheduleFormatType": "Weekly", - "retentionScheduleWeekly": { - "daysOfTheWeek": [ - "Sunday" - ], - "weeksOfTheMonth": [ - "First" - ] - }, - "retentionTimes": [ - "2019-11-07T07:00:00Z" - ] - }, - "retentionPolicyType": "LongTermRetentionPolicy", - "weeklySchedule": { - "daysOfTheWeek": [ - "Sunday" - ], - "retentionDuration": { - "count": 12, - "durationType": "Weeks" - }, - "retentionTimes": [ - "2019-11-07T07:00:00Z" - ] - }, - "yearlySchedule": { - "monthsOfYear": [ - "January" - ], - "retentionDuration": { - "count": 10, - "durationType": "Years" - }, - "retentionScheduleFormatType": "Weekly", - "retentionScheduleWeekly": { - "daysOfTheWeek": [ - "Sunday" - ], - "weeksOfTheMonth": [ - "First" - ] - }, - "retentionTimes": [ - "2019-11-07T07:00:00Z" - ] - } - }, - "schedulePolicy": { - "schedulePolicyType": "SimpleSchedulePolicy", - "scheduleRunFrequency": "Daily", - "scheduleRunTimes": [ - "2019-11-07T07:00:00Z" - ], - "scheduleWeeklyFrequency": 0 - }, - "timeZone": "UTC" - } - }, - { - "name": "sqlpolicy", - "properties": { - "backupManagementType": "AzureWorkload", - 
"protectedItemsCount": 0, - "settings": { - "isCompression": true, - "issqlcompression": true, - "timeZone": "UTC" - }, - "subProtectionPolicy": [ - { - "policyType": "Full", - "retentionPolicy": { - "monthlySchedule": { - "retentionDuration": { - "count": 60, - "durationType": "Months" - }, - "retentionScheduleFormatType": "Weekly", - "retentionScheduleWeekly": { - "daysOfTheWeek": [ - "Sunday" - ], - "weeksOfTheMonth": [ - "First" - ] - }, - "retentionTimes": [ - "2019-11-07T22:00:00Z" - ] - }, - "retentionPolicyType": "LongTermRetentionPolicy", - "weeklySchedule": { - "daysOfTheWeek": [ - "Sunday" - ], - "retentionDuration": { - "count": 104, - "durationType": "Weeks" - }, - "retentionTimes": [ - "2019-11-07T22:00:00Z" - ] - }, - "yearlySchedule": { - "monthsOfYear": [ - "January" - ], - "retentionDuration": { - "count": 10, - "durationType": "Years" - }, - "retentionScheduleFormatType": "Weekly", - "retentionScheduleWeekly": { - "daysOfTheWeek": [ - "Sunday" - ], - "weeksOfTheMonth": [ - "First" - ] - }, - "retentionTimes": [ - "2019-11-07T22:00:00Z" - ] - } - }, - "schedulePolicy": { - "schedulePolicyType": "SimpleSchedulePolicy", - "scheduleRunDays": [ - "Sunday" - ], - "scheduleRunFrequency": "Weekly", - "scheduleRunTimes": [ - "2019-11-07T22:00:00Z" - ], - "scheduleWeeklyFrequency": 0 - } - }, - { - "policyType": "Differential", - "retentionPolicy": { - "retentionDuration": { - "count": 30, - "durationType": "Days" - }, - "retentionPolicyType": "SimpleRetentionPolicy" - }, - "schedulePolicy": { - "schedulePolicyType": "SimpleSchedulePolicy", - "scheduleRunDays": [ - "Monday" - ], - "scheduleRunFrequency": "Weekly", - "scheduleRunTimes": [ - "2017-03-07T02:00:00Z" - ], - "scheduleWeeklyFrequency": 0 - } - }, - { - "policyType": "Log", - "retentionPolicy": { - "retentionDuration": { - "count": 15, - "durationType": "Days" - }, - "retentionPolicyType": "SimpleRetentionPolicy" - }, - "schedulePolicy": { - "scheduleFrequencyInMins": 120, - "schedulePolicyType": 
"LogSchedulePolicy" - } - } - ], - "workLoadType": "SQLDataBase" - } - }, - { - "name": "filesharepolicy", - "properties": { - "backupManagementType": "AzureStorage", - "protectedItemsCount": 0, - "retentionPolicy": { - "dailySchedule": { - "retentionDuration": { - "count": 30, - "durationType": "Days" - }, - "retentionTimes": [ - "2019-11-07T04:30:00Z" - ] - }, - "retentionPolicyType": "LongTermRetentionPolicy" - }, - "schedulePolicy": { - "schedulePolicyType": "SimpleSchedulePolicy", - "scheduleRunFrequency": "Daily", - "scheduleRunTimes": [ - "2019-11-07T04:30:00Z" - ], - "scheduleWeeklyFrequency": 0 - }, - "timeZone": "UTC", - "workloadType": "AzureFileShare" - } - } - ] - }, - "backupStorageConfig": { - "value": { - "crossRegionRestoreFlag": true, - "storageModelType": "GeoRedundant" - } - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "monitoringSettings": { - "value": { - "azureMonitorAlertSettings": { - "alertsForAllJobFailures": "Enabled" - }, - "classicAlertSettings": { - "alertsForCriticalOperations": "Enabled" - } - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "replicationAlertSettings": { - "value": { - "customEmailAddresses": [ - "test.user@testcompany.com" - ], - "locale": "en-US", - "sendToOwners": "Send" - } - }, - "securitySettings": { - "value": { - 
"immutabilitySettings": { - "state": "Unlocked" - } - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Azure Recovery Service Vault. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`backupConfig`](#parameter-backupconfig) | object | The backup configuration. | -| [`backupPolicies`](#parameter-backuppolicies) | array | List of all backup policies. | -| [`backupStorageConfig`](#parameter-backupstorageconfig) | object | The storage configuration for the Azure Recovery Service Vault. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`monitoringSettings`](#parameter-monitoringsettings) | object | Monitoring Settings of the vault. | -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`protectionContainers`](#parameter-protectioncontainers) | array | List of all protection containers. | -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. | -| [`replicationAlertSettings`](#parameter-replicationalertsettings) | object | Replication alert settings. | -| [`replicationFabrics`](#parameter-replicationfabrics) | array | List of all replication fabrics. 
| -| [`replicationPolicies`](#parameter-replicationpolicies) | array | List of all replication policies. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`securitySettings`](#parameter-securitysettings) | object | Security Settings of the vault. | -| [`tags`](#parameter-tags) | object | Tags of the Recovery Service Vault resource. | - -### Parameter: `name` - -Name of the Azure Recovery Service Vault. - -- Required: Yes -- Type: string - -### Parameter: `backupConfig` - -The backup configuration. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `backupPolicies` - -List of all backup policies. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `backupStorageConfig` - -The storage configuration for the Azure Recovery Service Vault. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. 
| -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location for all resources. 
- -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: No -- Type: array - -### Parameter: `monitoringSettings` - -Monitoring Settings of the vault. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `privateEndpoints` - -Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. 
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. 
A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.subnetResourceId` - -Resource ID of the subnet where the endpoint needs to be created. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Application security groups in which the private endpoint IP configuration is included. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customDnsConfigs` - -Custom DNS configurations. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customNetworkInterfaceName` - -The custom name of the network interface attached to the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.enableTelemetry` - -Enable/Disable usage telemetry for module. - -- Required: No -- Type: bool - -### Parameter: `privateEndpoints.ipConfigurations` - -A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.location` - -The location to deploy the private endpoint to. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.lock` - -Specify the type of lock. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | -| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. 
| - -### Parameter: `privateEndpoints.lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `privateEndpoints.lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` - -Manual PrivateLink Service Connections. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.name` - -The name of the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneGroupName` - -The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` - -The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `privateEndpoints.roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. 
- -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `privateEndpoints.service` - -The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.tags` - -Tags to be applied on all resources/resource groups in this deployment. - -- Required: No -- Type: object - -### Parameter: `protectionContainers` - -List of all protection containers. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `publicNetworkAccess` - -Whether or not public network access is allowed for this resource. For security reasons it should be disabled. - -- Required: No -- Type: string -- Default: `'Disabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `replicationAlertSettings` - -Replication alert settings. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `replicationFabrics` - -List of all replication fabrics. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `replicationPolicies` - -List of all replication policies. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `securitySettings` - -Security Settings of the vault. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `tags` - -Tags of the Recovery Service Vault resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The Name of the recovery services vault. | -| `resourceGroupName` | string | The name of the resource group the recovery services vault was created in. | -| `resourceId` | string | The resource ID of the recovery services vault. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). 
-
-| Reference | Type |
-| :-- | :-- |
-| `modules/network/private-endpoint` | Local reference |
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/recovery-services/vault/backup-config/README.md b/modules/recovery-services/vault/backup-config/README.md
deleted file mode 100644
index f9a077c8f8..0000000000
--- a/modules/recovery-services/vault/backup-config/README.md
+++ /dev/null
@@ -1,169 +0,0 @@ -# Recovery Services Vault Backup Config `[Microsoft.RecoveryServices/vaults/backupconfig]` - -This module deploys a Recovery Services Vault Backup Config. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.RecoveryServices/vaults/backupconfig` | [2023-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2023-01-01/vaults/backupconfig) | - -## Parameters - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`recoveryVaultName`](#parameter-recoveryvaultname) | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`enhancedSecurityState`](#parameter-enhancedsecuritystate) | string | Enable this setting to protect hybrid backups against accidental deletes and add additional layer of authentication for critical operations. | -| [`isSoftDeleteFeatureStateEditable`](#parameter-issoftdeletefeaturestateeditable) | bool | Is soft delete feature state editable. | -| [`name`](#parameter-name) | string | Name of the Azure Recovery Service Vault Backup Policy. | -| [`resourceGuardOperationRequests`](#parameter-resourceguardoperationrequests) | array | ResourceGuard Operation Requests. | -| [`softDeleteFeatureState`](#parameter-softdeletefeaturestate) | string | Enable this setting to protect backup data for Azure VM, SQL Server in Azure VM and SAP HANA in Azure VM from accidental deletes. | -| [`storageModelType`](#parameter-storagemodeltype) | string | Storage type. 
| -| [`storageType`](#parameter-storagetype) | string | Storage type. | -| [`storageTypeState`](#parameter-storagetypestate) | string | Once a machine is registered against a resource, the storageTypeState is always Locked. | - -### Parameter: `recoveryVaultName` - -The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enhancedSecurityState` - -Enable this setting to protect hybrid backups against accidental deletes and add additional layer of authentication for critical operations. - -- Required: No -- Type: string -- Default: `'Enabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `isSoftDeleteFeatureStateEditable` - -Is soft delete feature state editable. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `name` - -Name of the Azure Recovery Service Vault Backup Policy. - -- Required: No -- Type: string -- Default: `'vaultconfig'` - -### Parameter: `resourceGuardOperationRequests` - -ResourceGuard Operation Requests. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `softDeleteFeatureState` - -Enable this setting to protect backup data for Azure VM, SQL Server in Azure VM and SAP HANA in Azure VM from accidental deletes. - -- Required: No -- Type: string -- Default: `'Enabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `storageModelType` - -Storage type. - -- Required: No -- Type: string -- Default: `'GeoRedundant'` -- Allowed: - ```Bicep - [ - 'GeoRedundant' - 'LocallyRedundant' - 'ReadAccessGeoZoneRedundant' - 'ZoneRedundant' - ] - ``` - -### Parameter: `storageType` - -Storage type. 
- -- Required: No -- Type: string -- Default: `'GeoRedundant'` -- Allowed: - ```Bicep - [ - 'GeoRedundant' - 'LocallyRedundant' - 'ReadAccessGeoZoneRedundant' - 'ZoneRedundant' - ] - ``` - -### Parameter: `storageTypeState` - -Once a machine is registered against a resource, the storageTypeState is always Locked. - -- Required: No -- Type: string -- Default: `'Locked'` -- Allowed: - ```Bicep - [ - 'Locked' - 'Unlocked' - ] - ``` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the backup config. | -| `resourceGroupName` | string | The name of the resource group the backup config was created in. | -| `resourceId` | string | The resource ID of the backup config. | - -## Cross-referenced modules - -_None_ diff --git a/modules/recovery-services/vault/backup-config/main.bicep b/modules/recovery-services/vault/backup-config/main.bicep deleted file mode 100644 index ef69babe40..0000000000 --- a/modules/recovery-services/vault/backup-config/main.bicep +++ /dev/null 
@@ -1,96 +0,0 @@ -metadata name = 'Recovery Services Vault Backup Config' -metadata description = 'This module deploys a Recovery Services Vault Backup Config.' -metadata owner = 'Azure/module-maintainers' - -@description('Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment.') -param recoveryVaultName string - -@description('Optional. Name of the Azure Recovery Service Vault Backup Policy.') -param name string = 'vaultconfig' - -@description('Optional. Enable this setting to protect hybrid backups against accidental deletes and add additional layer of authentication for critical operations.') -@allowed([ - 'Disabled' - 'Enabled' -]) -param enhancedSecurityState string = 'Enabled' - -@description('Optional. ResourceGuard Operation Requests.') -param resourceGuardOperationRequests array = [] - -@description('Optional. Enable this setting to protect backup data for Azure VM, SQL Server in Azure VM and SAP HANA in Azure VM from accidental deletes.') -@allowed([ - 'Disabled' - 'Enabled' -]) -param softDeleteFeatureState string = 'Enabled' - -@description('Optional. Storage type.') -@allowed([ - 'GeoRedundant' - 'LocallyRedundant' - 'ReadAccessGeoZoneRedundant' - 'ZoneRedundant' -]) -param storageModelType string = 'GeoRedundant' - -@description('Optional. Storage type.') -@allowed([ - 'GeoRedundant' - 'LocallyRedundant' - 'ReadAccessGeoZoneRedundant' - 'ZoneRedundant' -]) -param storageType string = 'GeoRedundant' - -@description('Optional. Once a machine is registered against a resource, the storageTypeState is always Locked.') -@allowed([ - 'Locked' - 'Unlocked' -]) -param storageTypeState string = 'Locked' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. 
Is soft delete feature state editable.') -param isSoftDeleteFeatureStateEditable bool = true - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource rsv 'Microsoft.RecoveryServices/vaults@2023-01-01' existing = { - name: recoveryVaultName -} - -resource backupConfig 'Microsoft.RecoveryServices/vaults/backupconfig@2023-01-01' = { - name: name - parent: rsv - properties: { - enhancedSecurityState: enhancedSecurityState - resourceGuardOperationRequests: resourceGuardOperationRequests - softDeleteFeatureState: softDeleteFeatureState - storageModelType: storageModelType - storageType: storageType - storageTypeState: storageTypeState - isSoftDeleteFeatureStateEditable: isSoftDeleteFeatureStateEditable - } -} - -@description('The name of the backup config.') -output name string = backupConfig.name - -@description('The resource ID of the backup config.') -output resourceId string = backupConfig.id - -@description('The name of the resource group the backup config was created in.') -output resourceGroupName string = resourceGroup().name diff --git a/modules/recovery-services/vault/backup-config/main.json b/modules/recovery-services/vault/backup-config/main.json deleted file mode 100644 index ae17434536..0000000000 --- a/modules/recovery-services/vault/backup-config/main.json +++ /dev/null 
@@ -1,162 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "12267998063539265813" - }, - "name": "Recovery Services Vault Backup Config", - "description": "This module deploys a Recovery Services Vault Backup Config.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "recoveryVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "vaultconfig", - "metadata": { - "description": "Optional. Name of the Azure Recovery Service Vault Backup Policy." - } - }, - "enhancedSecurityState": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Enable this setting to protect hybrid backups against accidental deletes and add additional layer of authentication for critical operations." - } - }, - "resourceGuardOperationRequests": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. ResourceGuard Operation Requests." - } - }, - "softDeleteFeatureState": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Enable this setting to protect backup data for Azure VM, SQL Server in Azure VM and SAP HANA in Azure VM from accidental deletes." - } - }, - "storageModelType": { - "type": "string", - "defaultValue": "GeoRedundant", - "allowedValues": [ - "GeoRedundant", - "LocallyRedundant", - "ReadAccessGeoZoneRedundant", - "ZoneRedundant" - ], - "metadata": { - "description": "Optional. Storage type." 
- } - }, - "storageType": { - "type": "string", - "defaultValue": "GeoRedundant", - "allowedValues": [ - "GeoRedundant", - "LocallyRedundant", - "ReadAccessGeoZoneRedundant", - "ZoneRedundant" - ], - "metadata": { - "description": "Optional. Storage type." - } - }, - "storageTypeState": { - "type": "string", - "defaultValue": "Locked", - "allowedValues": [ - "Locked", - "Unlocked" - ], - "metadata": { - "description": "Optional. Once a machine is registered against a resource, the storageTypeState is always Locked." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "isSoftDeleteFeatureStateEditable": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Is soft delete feature state editable." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.RecoveryServices/vaults/backupconfig", - "apiVersion": "2023-01-01", - "name": "[format('{0}/{1}', parameters('recoveryVaultName'), parameters('name'))]", - "properties": { - "enhancedSecurityState": "[parameters('enhancedSecurityState')]", - "resourceGuardOperationRequests": "[parameters('resourceGuardOperationRequests')]", - "softDeleteFeatureState": "[parameters('softDeleteFeatureState')]", - "storageModelType": "[parameters('storageModelType')]", - "storageType": "[parameters('storageType')]", - "storageTypeState": "[parameters('storageTypeState')]", - "isSoftDeleteFeatureStateEditable": 
"[parameters('isSoftDeleteFeatureStateEditable')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the backup config." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the backup config." - }, - "value": "[resourceId('Microsoft.RecoveryServices/vaults/backupconfig', parameters('recoveryVaultName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the backup config was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/recovery-services/vault/backup-config/version.json b/modules/recovery-services/vault/backup-config/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/recovery-services/vault/backup-config/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/recovery-services/vault/backup-fabric/protection-container/README.md b/modules/recovery-services/vault/backup-fabric/protection-container/README.md deleted file mode 100644 index 16d53d84a2..0000000000 --- a/modules/recovery-services/vault/backup-fabric/protection-container/README.md +++ /dev/null 
@@ -1,156 +0,0 @@ -# Recovery Services Vault Protection Container `[Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers]` - -This module deploys a Recovery Services Vault Protection Container. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers` | [2023-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2023-01-01/vaults/backupFabrics/protectionContainers) | -| `Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems` | [2023-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2023-01-01/vaults/backupFabrics/protectionContainers/protectedItems) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Azure Recovery Service Vault Protection Container. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`recoveryVaultName`](#parameter-recoveryvaultname) | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`backupManagementType`](#parameter-backupmanagementtype) | string | Backup management type to execute the current Protection Container job. | -| [`containerType`](#parameter-containertype) | string | Type of the container. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`friendlyName`](#parameter-friendlyname) | string | Friendly name of the Protection Container. 
| -| [`location`](#parameter-location) | string | Location for all resources. | -| [`protectedItems`](#parameter-protecteditems) | array | Protected items to register in the container. | -| [`sourceResourceId`](#parameter-sourceresourceid) | string | Resource ID of the target resource for the Protection Container. | - -### Parameter: `name` - -Name of the Azure Recovery Service Vault Protection Container. - -- Required: Yes -- Type: string - -### Parameter: `recoveryVaultName` - -The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `backupManagementType` - -Backup management type to execute the current Protection Container job. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'AzureBackupServer' - 'AzureIaasVM' - 'AzureSql' - 'AzureStorage' - 'AzureWorkload' - 'DefaultBackup' - 'DPM' - 'Invalid' - 'MAB' - ] - ``` - -### Parameter: `containerType` - -Type of the container. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'AzureBackupServerContainer' - 'AzureSqlContainer' - 'GenericContainer' - 'Microsoft.ClassicCompute/virtualMachines' - 'Microsoft.Compute/virtualMachines' - 'SQLAGWorkLoadContainer' - 'StorageContainer' - 'VMAppContainer' - 'Windows' - ] - ``` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `friendlyName` - -Friendly name of the Protection Container. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `protectedItems` - -Protected items to register in the container. 
- -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `sourceResourceId` - -Resource ID of the target resource for the Protection Container. - -- Required: No -- Type: string -- Default: `''` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The Name of the Protection Container. | -| `resourceGroupName` | string | The name of the Resource Group the Protection Container was created in. | -| `resourceId` | string | The resource ID of the Protection Container. | - -## Cross-referenced modules - -_None_ diff --git a/modules/recovery-services/vault/backup-fabric/protection-container/main.bicep b/modules/recovery-services/vault/backup-fabric/protection-container/main.bicep deleted file mode 100644 index 3cb51c17c7..0000000000 --- a/modules/recovery-services/vault/backup-fabric/protection-container/main.bicep +++ /dev/null 
@@ -1,104 +0,0 @@ -metadata name = 'Recovery Services Vault Protection Container' -metadata description = 'This module deploys a Recovery Services Vault Protection Container.' -metadata owner = 'Azure/module-maintainers' - -@description('Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment.') -param recoveryVaultName string - -@description('Required. Name of the Azure Recovery Service Vault Protection Container.') -param name string - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. Backup management type to execute the current Protection Container job.') -@allowed([ - 'AzureBackupServer' - 'AzureIaasVM' - 'AzureSql' - 'AzureStorage' - 'AzureWorkload' - 'DPM' - 'DefaultBackup' - 'Invalid' - 'MAB' - '' -]) -param backupManagementType string = '' - -@description('Optional. Resource ID of the target resource for the Protection Container.') -param sourceResourceId string = '' - -@description('Optional. Friendly name of the Protection Container.') -param friendlyName string = '' - -@description('Optional. Protected items to register in the container.') -param protectedItems array = [] - -@description('Optional. Type of the container.') -@allowed([ - 'AzureBackupServerContainer' - 'AzureSqlContainer' - 'GenericContainer' - 'Microsoft.ClassicCompute/virtualMachines' - 'Microsoft.Compute/virtualMachines' - 'SQLAGWorkLoadContainer' - 'StorageContainer' - 'VMAppContainer' - 'Windows' - '' -]) -param containerType string = '' - -@description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var enableReferencedModulesTelemetry = false - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource protectionContainer 'Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers@2023-01-01' = { - name: '${recoveryVaultName}/Azure/${name}' - properties: { - sourceResourceId: !empty(sourceResourceId) ? sourceResourceId : null - friendlyName: !empty(friendlyName) ? friendlyName : null - backupManagementType: !empty(backupManagementType) ? backupManagementType : null - containerType: !empty(containerType) ? any(containerType) : null - } -} - -module protectionContainer_protectedItems 'protected-item/main.bicep' = [for (protectedItem, index) in protectedItems: { - name: '${uniqueString(deployment().name, location)}-ProtectedItem-${index}' - params: { - policyId: protectedItem.policyId - name: protectedItem.name - protectedItemType: protectedItem.protectedItemType - protectionContainerName: name - recoveryVaultName: recoveryVaultName - sourceResourceId: protectedItem.sourceResourceId - location: location - enableDefaultTelemetry: enableReferencedModulesTelemetry - } - dependsOn: [ - protectionContainer - ] -}] - -@description('The name of the Resource Group the Protection Container was created in.') -output resourceGroupName string = resourceGroup().name - -@description('The resource ID of the Protection Container.') -output resourceId string = protectionContainer.id - -@description('The Name of the Protection Container.') -output name string = protectionContainer.name 
diff --git a/modules/recovery-services/vault/backup-fabric/protection-container/main.json b/modules/recovery-services/vault/backup-fabric/protection-container/main.json
deleted file mode 100644
index 936d6013a9..0000000000
--- a/modules/recovery-services/vault/backup-fabric/protection-container/main.json
+++ /dev/null
@@ -1,326 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13622946234752234891" - }, - "name": "Recovery Services Vault Protection Container", - "description": "This module deploys a Recovery Services Vault Protection Container.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "recoveryVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Azure Recovery Service Vault Protection Container." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "backupManagementType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "AzureBackupServer", - "AzureIaasVM", - "AzureSql", - "AzureStorage", - "AzureWorkload", - "DPM", - "DefaultBackup", - "Invalid", - "MAB", - "" - ], - "metadata": { - "description": "Optional. Backup management type to execute the current Protection Container job." - } - }, - "sourceResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the target resource for the Protection Container." - } - }, - "friendlyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Friendly name of the Protection Container." - } - }, - "protectedItems": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Protected items to register in the container." 
- } - }, - "containerType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "AzureBackupServerContainer", - "AzureSqlContainer", - "GenericContainer", - "Microsoft.ClassicCompute/virtualMachines", - "Microsoft.Compute/virtualMachines", - "SQLAGWorkLoadContainer", - "StorageContainer", - "VMAppContainer", - "Windows", - "" - ], - "metadata": { - "description": "Optional. Type of the container." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers", - "apiVersion": "2023-01-01", - "name": "[format('{0}/Azure/{1}', parameters('recoveryVaultName'), parameters('name'))]", - "properties": { - "sourceResourceId": "[if(not(empty(parameters('sourceResourceId'))), parameters('sourceResourceId'), null())]", - "friendlyName": "[if(not(empty(parameters('friendlyName'))), parameters('friendlyName'), null())]", - "backupManagementType": "[if(not(empty(parameters('backupManagementType'))), parameters('backupManagementType'), null())]", - "containerType": "[if(not(empty(parameters('containerType'))), parameters('containerType'), null())]" - } - }, - { - "copy": { - "name": "protectionContainer_protectedItems", - "count": "[length(parameters('protectedItems'))]" - }, - "type": "Microsoft.Resources/deployments", 
- "apiVersion": "2022-09-01", - "name": "[format('{0}-ProtectedItem-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "policyId": { - "value": "[parameters('protectedItems')[copyIndex()].policyId]" - }, - "name": { - "value": "[parameters('protectedItems')[copyIndex()].name]" - }, - "protectedItemType": { - "value": "[parameters('protectedItems')[copyIndex()].protectedItemType]" - }, - "protectionContainerName": { - "value": "[parameters('name')]" - }, - "recoveryVaultName": { - "value": "[parameters('recoveryVaultName')]" - }, - "sourceResourceId": { - "value": "[parameters('protectedItems')[copyIndex()].sourceResourceId]" - }, - "location": { - "value": "[parameters('location')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9921011786088905122" - }, - "name": "Recovery Service Vaults Protection Container Protected Item", - "description": "This module deploys a Recovery Services Vault Protection Container Protected Item.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the resource." - } - }, - "protectionContainerName": { - "type": "string", - "metadata": { - "description": "Conditional. Name of the Azure Recovery Service Vault Protection Container. Required if the template is used in a standalone deployment." - } - }, - "recoveryVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Azure Recovery Service Vault. 
Required if the template is used in a standalone deployment." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "protectedItemType": { - "type": "string", - "allowedValues": [ - "AzureFileShareProtectedItem", - "AzureVmWorkloadSAPAseDatabase", - "AzureVmWorkloadSAPHanaDatabase", - "AzureVmWorkloadSQLDatabase", - "DPMProtectedItem", - "GenericProtectedItem", - "MabFileFolderProtectedItem", - "Microsoft.ClassicCompute/virtualMachines", - "Microsoft.Compute/virtualMachines", - "Microsoft.Sql/servers/databases" - ], - "metadata": { - "description": "Required. The backup item type." - } - }, - "policyId": { - "type": "string", - "metadata": { - "description": "Required. ID of the backup policy with which this item is backed up." - } - }, - "sourceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource to back up." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems", - "apiVersion": "2023-01-01", - "name": "[format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name'))]", - "location": "[parameters('location')]", - "properties": { - "protectedItemType": "[parameters('protectedItemType')]", - "policyId": "[parameters('policyId')]", - "sourceResourceId": "[parameters('sourceResourceId')]" - } - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the protected item was created in." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the protected item." 
- }, - "value": "[resourceId('Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems', split(format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name')), '/')[0], split(format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name')), '/')[1], split(format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name')), '/')[2], split(format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name')), '/')[3])]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The Name of the protected item." - }, - "value": "[format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name'))]" - } - } - } - }, - "dependsOn": [ - "[resourceId('Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers', split(format('{0}/Azure/{1}', parameters('recoveryVaultName'), parameters('name')), '/')[0], split(format('{0}/Azure/{1}', parameters('recoveryVaultName'), parameters('name')), '/')[1], split(format('{0}/Azure/{1}', parameters('recoveryVaultName'), parameters('name')), '/')[2])]" - ] - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the Protection Container was created in." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Protection Container." 
- }, - "value": "[resourceId('Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers', split(format('{0}/Azure/{1}', parameters('recoveryVaultName'), parameters('name')), '/')[0], split(format('{0}/Azure/{1}', parameters('recoveryVaultName'), parameters('name')), '/')[1], split(format('{0}/Azure/{1}', parameters('recoveryVaultName'), parameters('name')), '/')[2])]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The Name of the Protection Container." - }, - "value": "[format('{0}/Azure/{1}', parameters('recoveryVaultName'), parameters('name'))]" - } - } -} \ No newline at end of file diff --git a/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/README.md b/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/README.md deleted file mode 100644 index 0c9eda13b5..0000000000 --- a/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/README.md +++ /dev/null 
@@ -1,127 +0,0 @@
-# Recovery Service Vaults Protection Container Protected Item `[Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems]`
-
-This module deploys a Recovery Services Vault Protection Container Protected Item.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems` | [2023-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2023-01-01/vaults/backupFabrics/protectionContainers/protectedItems) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | Name of the resource. |
-| [`policyId`](#parameter-policyid) | string | ID of the backup policy with which this item is backed up. |
-| [`protectedItemType`](#parameter-protecteditemtype) | string | The backup item type. |
-| [`sourceResourceId`](#parameter-sourceresourceid) | string | Resource ID of the resource to back up. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`protectionContainerName`](#parameter-protectioncontainername) | string | Name of the Azure Recovery Service Vault Protection Container. Required if the template is used in a standalone deployment. |
-| [`recoveryVaultName`](#parameter-recoveryvaultname) | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`location`](#parameter-location) | string | Location for all resources. |
-
-### Parameter: `name`
-
-Name of the resource.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `policyId`
-
-ID of the backup policy with which this item is backed up.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `protectedItemType`
-
-The backup item type.
-
-- Required: Yes
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'AzureFileShareProtectedItem'
- 'AzureVmWorkloadSAPAseDatabase'
- 'AzureVmWorkloadSAPHanaDatabase'
- 'AzureVmWorkloadSQLDatabase'
- 'DPMProtectedItem'
- 'GenericProtectedItem'
- 'MabFileFolderProtectedItem'
- 'Microsoft.ClassicCompute/virtualMachines'
- 'Microsoft.Compute/virtualMachines'
- 'Microsoft.Sql/servers/databases'
- ]
- ```
-
-### Parameter: `sourceResourceId`
-
-Resource ID of the resource to back up.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `protectionContainerName`
-
-Name of the Azure Recovery Service Vault Protection Container. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `recoveryVaultName`
-
-The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `location`
-
-Location for all resources.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The Name of the protected item. |
-| `resourceGroupName` | string | The name of the Resource Group the protected item was created in. |
-| `resourceId` | string | The resource ID of the protected item. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/main.bicep b/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/main.bicep
deleted file mode 100644
index 7631577c89..0000000000
--- a/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/main.bicep
+++ /dev/null
@@ -1,70 +0,0 @@
-metadata name = 'Recovery Service Vaults Protection Container Protected Item'
-metadata description = 'This module deploys a Recovery Services Vault Protection Container Protected Item.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the resource.')
-param name string
-
-@description('Conditional. Name of the Azure Recovery Service Vault Protection Container. Required if the template is used in a standalone deployment.')
-param protectionContainerName string
-
-@description('Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment.')
-param recoveryVaultName string
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@allowed([
- 'AzureFileShareProtectedItem'
- 'AzureVmWorkloadSAPAseDatabase'
- 'AzureVmWorkloadSAPHanaDatabase'
- 'AzureVmWorkloadSQLDatabase'
- 'DPMProtectedItem'
- 'GenericProtectedItem'
- 'MabFileFolderProtectedItem'
- 'Microsoft.ClassicCompute/virtualMachines'
- 'Microsoft.Compute/virtualMachines'
- 'Microsoft.Sql/servers/databases'
-])
-@description('Required. The backup item type.')
-param protectedItemType string
-
-@description('Required. ID of the backup policy with which this item is backed up.')
-param policyId string
-
-@description('Required. Resource ID of the resource to back up.')
-param sourceResourceId string
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource protectedItem 'Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems@2023-01-01' = {
- name: '${recoveryVaultName}/Azure/${protectionContainerName}/${name}'
- location: location
- properties: {
- protectedItemType: any(protectedItemType)
- policyId: policyId
- sourceResourceId: sourceResourceId
- }
-}
-
-@description('The name of the Resource Group the protected item was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The resource ID of the protected item.')
-output resourceId string = protectedItem.id
-
-@description('The Name of the protected item.')
-output name string = protectedItem.name
diff --git a/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/main.json b/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/main.json
deleted file mode 100644
index 1bc3ed2a39..0000000000
--- a/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/main.json
+++ /dev/null
@@ -1,128 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9921011786088905122" - }, - "name": "Recovery Service Vaults Protection Container Protected Item", - "description": "This module deploys a Recovery Services Vault Protection Container Protected Item.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the resource." - } - }, - "protectionContainerName": { - "type": "string", - "metadata": { - "description": "Conditional. Name of the Azure Recovery Service Vault Protection Container. Required if the template is used in a standalone deployment." - } - }, - "recoveryVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "protectedItemType": { - "type": "string", - "allowedValues": [ - "AzureFileShareProtectedItem", - "AzureVmWorkloadSAPAseDatabase", - "AzureVmWorkloadSAPHanaDatabase", - "AzureVmWorkloadSQLDatabase", - "DPMProtectedItem", - "GenericProtectedItem", - "MabFileFolderProtectedItem", - "Microsoft.ClassicCompute/virtualMachines", - "Microsoft.Compute/virtualMachines", - "Microsoft.Sql/servers/databases" - ], - "metadata": { - "description": "Required. The backup item type." - } - }, - "policyId": { - "type": "string", - "metadata": { - "description": "Required. ID of the backup policy with which this item is backed up." - } - }, - "sourceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource to back up." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems", - "apiVersion": "2023-01-01", - "name": "[format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name'))]", - "location": "[parameters('location')]", - "properties": { - "protectedItemType": "[parameters('protectedItemType')]", - "policyId": "[parameters('policyId')]", - "sourceResourceId": "[parameters('sourceResourceId')]" - } - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the protected item was created in." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the protected item." 
- }, - "value": "[resourceId('Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems', split(format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name')), '/')[0], split(format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name')), '/')[1], split(format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name')), '/')[2], split(format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name')), '/')[3])]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The Name of the protected item." - }, - "value": "[format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name'))]" - } - } -} \ No newline at end of file diff --git a/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/version.json b/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/recovery-services/vault/backup-fabric/protection-container/version.json b/modules/recovery-services/vault/backup-fabric/protection-container/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/recovery-services/vault/backup-fabric/protection-container/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/recovery-services/vault/backup-policy/README.md b/modules/recovery-services/vault/backup-policy/README.md
deleted file mode 100644
index a76148c582..0000000000
--- a/modules/recovery-services/vault/backup-policy/README.md
+++ /dev/null
@@ -1,79 +0,0 @@
-# Recovery Services Vault Backup Policies `[Microsoft.RecoveryServices/vaults/backupPolicies]`
-
-This module deploys a Recovery Services Vault Backup Policy.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.RecoveryServices/vaults/backupPolicies` | [2023-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2023-01-01/vaults/backupPolicies) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | Name of the Azure Recovery Service Vault Backup Policy. |
-| [`properties`](#parameter-properties) | object | Configuration of the Azure Recovery Service Vault Backup Policy. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`recoveryVaultName`](#parameter-recoveryvaultname) | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-
-### Parameter: `name`
-
-Name of the Azure Recovery Service Vault Backup Policy.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `properties`
-
-Configuration of the Azure Recovery Service Vault Backup Policy.
-
-- Required: Yes
-- Type: object
-
-### Parameter: `recoveryVaultName`
-
-The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the backup policy. |
-| `resourceGroupName` | string | The name of the resource group the backup policy was created in. |
-| `resourceId` | string | The resource ID of the backup policy. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/recovery-services/vault/backup-policy/main.bicep b/modules/recovery-services/vault/backup-policy/main.bicep
deleted file mode 100644
index d9a4822bf3..0000000000
--- a/modules/recovery-services/vault/backup-policy/main.bicep
+++ /dev/null
@@ -1,46 +0,0 @@
-metadata name = 'Recovery Services Vault Backup Policies'
-metadata description = 'This module deploys a Recovery Services Vault Backup Policy.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment.')
-param recoveryVaultName string
-
-@description('Required. Name of the Azure Recovery Service Vault Backup Policy.')
-param name string
-
-@description('Required. Configuration of the Azure Recovery Service Vault Backup Policy.')
-param properties object
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource rsv 'Microsoft.RecoveryServices/vaults@2023-01-01' existing = {
- name: recoveryVaultName
-}
-
-resource backupPolicy 'Microsoft.RecoveryServices/vaults/backupPolicies@2023-01-01' = {
- name: name
- parent: rsv
- properties: properties
-}
-
-@description('The name of the backup policy.')
-output name string = backupPolicy.name
-
-@description('The resource ID of the backup policy.')
-output resourceId string = backupPolicy.id
-
-@description('The name of the resource group the backup policy was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/recovery-services/vault/backup-policy/main.json b/modules/recovery-services/vault/backup-policy/main.json
deleted file mode 100644
index 14698052f8..0000000000
--- a/modules/recovery-services/vault/backup-policy/main.json
+++ /dev/null
@@ -1,86 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4289896830796340565" - }, - "name": "Recovery Services Vault Backup Policies", - "description": "This module deploys a Recovery Services Vault Backup Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "recoveryVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Azure Recovery Service Vault Backup Policy." - } - }, - "properties": { - "type": "object", - "metadata": { - "description": "Required. Configuration of the Azure Recovery Service Vault Backup Policy." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.RecoveryServices/vaults/backupPolicies", - "apiVersion": "2023-01-01", - "name": "[format('{0}/{1}', parameters('recoveryVaultName'), parameters('name'))]", - "properties": "[parameters('properties')]" - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the backup policy." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the backup policy." - }, - "value": "[resourceId('Microsoft.RecoveryServices/vaults/backupPolicies', parameters('recoveryVaultName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the backup policy was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/recovery-services/vault/backup-policy/version.json b/modules/recovery-services/vault/backup-policy/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/recovery-services/vault/backup-policy/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/recovery-services/vault/backup-storage-config/README.md b/modules/recovery-services/vault/backup-storage-config/README.md deleted file mode 100644 index 3d0b89984c..0000000000 --- a/modules/recovery-services/vault/backup-storage-config/README.md +++ /dev/null 
@@ -1,94 +0,0 @@
-# Recovery Services Vault Backup Storage Config `[Microsoft.RecoveryServices/vaults/backupstorageconfig]`
-
-This module deploys a Recovery Service Vault Backup Storage Configuration.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.RecoveryServices/vaults/backupstorageconfig` | [2023-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2023-01-01/vaults/backupstorageconfig) |
-
-## Parameters
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`recoveryVaultName`](#parameter-recoveryvaultname) | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`crossRegionRestoreFlag`](#parameter-crossregionrestoreflag) | bool | Opt in details of Cross Region Restore feature. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`name`](#parameter-name) | string | The name of the backup storage config. |
-| [`storageModelType`](#parameter-storagemodeltype) | string | Change Vault Storage Type (Works if vault has not registered any backup instance). |
-
-### Parameter: `recoveryVaultName`
-
-The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `crossRegionRestoreFlag`
-
-Opt in details of Cross Region Restore feature.
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `name`
-
-The name of the backup storage config.
-
-- Required: No
-- Type: string
-- Default: `'vaultstorageconfig'`
-
-### Parameter: `storageModelType`
-
-Change Vault Storage Type (Works if vault has not registered any backup instance).
-
-- Required: No
-- Type: string
-- Default: `'GeoRedundant'`
-- Allowed:
- ```Bicep
- [
- 'GeoRedundant'
- 'LocallyRedundant'
- 'ReadAccessGeoZoneRedundant'
- 'ZoneRedundant'
- ]
- ```
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the backup storage config. |
-| `resourceGroupName` | string | The name of the Resource Group the backup storage configuration was created in. |
-| `resourceId` | string | The resource ID of the backup storage config. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/recovery-services/vault/backup-storage-config/main.bicep b/modules/recovery-services/vault/backup-storage-config/main.bicep
deleted file mode 100644
index b0bc484c6b..0000000000
--- a/modules/recovery-services/vault/backup-storage-config/main.bicep
+++ /dev/null
@@ -1,58 +0,0 @@
-metadata name = 'Recovery Services Vault Backup Storage Config'
-metadata description = 'This module deploys a Recovery Service Vault Backup Storage Configuration.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment.')
-param recoveryVaultName string
-
-@description('Optional. The name of the backup storage config.')
-param name string = 'vaultstorageconfig'
-
-@description('Optional. Change Vault Storage Type (Works if vault has not registered any backup instance).')
-@allowed([
- 'GeoRedundant'
- 'LocallyRedundant'
- 'ReadAccessGeoZoneRedundant'
- 'ZoneRedundant'
-])
-param storageModelType string = 'GeoRedundant'
-
-@description('Optional. Opt in details of Cross Region Restore feature.')
-param crossRegionRestoreFlag bool = true
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource rsv 'Microsoft.RecoveryServices/vaults@2023-01-01' existing = {
- name: recoveryVaultName
-}
-
-resource backupStorageConfig 'Microsoft.RecoveryServices/vaults/backupstorageconfig@2023-01-01' = {
- name: name
- parent: rsv
- properties: {
- storageModelType: storageModelType
- crossRegionRestoreFlag: crossRegionRestoreFlag
- }
-}
-
-@description('The name of the backup storage config.')
-output name string = backupStorageConfig.name
-
-@description('The resource ID of the backup storage config.')
-output resourceId string = backupStorageConfig.id
-
-@description('The name of the Resource Group the backup storage configuration was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/recovery-services/vault/backup-storage-config/main.json b/modules/recovery-services/vault/backup-storage-config/main.json
deleted file mode 100644
index bb44f2781e..0000000000
--- a/modules/recovery-services/vault/backup-storage-config/main.json
+++ /dev/null
@@ -1,104 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9499262871851480671" - }, - "name": "Recovery Services Vault Backup Storage Config", - "description": "This module deploys a Recovery Service Vault Backup Storage Configuration.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "recoveryVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "vaultstorageconfig", - "metadata": { - "description": "Optional. The name of the backup storage config." - } - }, - "storageModelType": { - "type": "string", - "defaultValue": "GeoRedundant", - "allowedValues": [ - "GeoRedundant", - "LocallyRedundant", - "ReadAccessGeoZoneRedundant", - "ZoneRedundant" - ], - "metadata": { - "description": "Optional. Change Vault Storage Type (Works if vault has not registered any backup instance)." - } - }, - "crossRegionRestoreFlag": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Opt in details of Cross Region Restore feature." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.RecoveryServices/vaults/backupstorageconfig", - "apiVersion": "2023-01-01", - "name": "[format('{0}/{1}', parameters('recoveryVaultName'), parameters('name'))]", - "properties": { - "storageModelType": "[parameters('storageModelType')]", - "crossRegionRestoreFlag": "[parameters('crossRegionRestoreFlag')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the backup storage config." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the backup storage config." - }, - "value": "[resourceId('Microsoft.RecoveryServices/vaults/backupstorageconfig', parameters('recoveryVaultName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the backup storage configuration was created in." - }, - "value": "[resourceGroup().name]" - } - } -}
\ No newline at end of file
diff --git a/modules/recovery-services/vault/backup-storage-config/version.json b/modules/recovery-services/vault/backup-storage-config/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/recovery-services/vault/backup-storage-config/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/recovery-services/vault/main.bicep b/modules/recovery-services/vault/main.bicep
deleted file mode 100644
index 276f4850c4..0000000000
--- a/modules/recovery-services/vault/main.bicep
+++ /dev/null
@@ -1,445 +0,0 @@
-metadata name = 'Recovery Services Vaults'
-metadata description = 'This module deploys a Recovery Services Vault.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the Azure Recovery Service Vault.')
-param name string
-
-@description('Optional. The storage configuration for the Azure Recovery Service Vault.')
-param backupStorageConfig object = {}
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. List of all backup policies.')
-param backupPolicies array = []
-
-@description('Optional. The backup configuration.')
-param backupConfig object = {}
-
-@description('Optional. List of all protection containers.')
-@minLength(0)
-param protectionContainers array = []
-
-@description('Optional. List of all replication fabrics.')
-@minLength(0)
-param replicationFabrics array = []
-
-@description('Optional. List of all replication policies.')
-@minLength(0)
-param replicationPolicies array = []
-
-@description('Optional. Replication alert settings.')
-param replicationAlertSettings object = {}
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
-
-@description('Optional. Tags of the Recovery Service Vault resource.')
-param tags object?
-
-@description('Optional. Configuration details for private endpoints. 
For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints privateEndpointType
-
-@description('Optional. Monitoring Settings of the vault.')
-param monitoringSettings object = {}
-
-@description('Optional. Security Settings of the vault.')
-param securitySettings object = {}
-
-@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled.')
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-param publicNetworkAccess string = 'Disabled'
-
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-
-var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
- userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? 
formattedUserAssignedIdentities : null
-} : null
-
-var enableReferencedModulesTelemetry = false
-
-var builtInRoleNames = {
- 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')
- 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')
- 'Backup Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')
- 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')
- 'Site Recovery Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource rsv 
'Microsoft.RecoveryServices/vaults@2023-01-01' = {
- name: name
- location: location
- tags: tags
- identity: identity
- sku: {
- name: 'RS0'
- tier: 'Standard'
- }
- properties: {
- monitoringSettings: !empty(monitoringSettings) ? monitoringSettings : null
- securitySettings: !empty(securitySettings) ? securitySettings : null
- publicNetworkAccess: publicNetworkAccess
- }
-}
-
-module rsv_replicationFabrics 'replication-fabric/main.bicep' = [for (replicationFabric, index) in replicationFabrics: {
- name: '${uniqueString(deployment().name, location)}-RSV-Fabric-${index}'
- params: {
- recoveryVaultName: rsv.name
- name: contains(replicationFabric, 'name') ? replicationFabric.name : replicationFabric.location
- location: replicationFabric.location
- replicationContainers: contains(replicationFabric, 'replicationContainers') ? replicationFabric.replicationContainers : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
- dependsOn: [
- rsv_replicationPolicies
- ]
-}]
-
-module rsv_replicationPolicies 'replication-policy/main.bicep' = [for (replicationPolicy, index) in replicationPolicies: {
- name: '${uniqueString(deployment().name, location)}-RSV-Policy-${index}'
- params: {
- name: replicationPolicy.name
- recoveryVaultName: rsv.name
- appConsistentFrequencyInMinutes: contains(replicationPolicy, 'appConsistentFrequencyInMinutes') ? replicationPolicy.appConsistentFrequencyInMinutes : 60
- crashConsistentFrequencyInMinutes: contains(replicationPolicy, 'crashConsistentFrequencyInMinutes') ? replicationPolicy.crashConsistentFrequencyInMinutes : 5
- multiVmSyncStatus: contains(replicationPolicy, 'multiVmSyncStatus') ? replicationPolicy.multiVmSyncStatus : 'Enable'
- recoveryPointHistory: contains(replicationPolicy, 'recoveryPointHistory') ? 
replicationPolicy.recoveryPointHistory : 1440
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module rsv_backupStorageConfiguration 'backup-storage-config/main.bicep' = if (!empty(backupStorageConfig)) {
- name: '${uniqueString(deployment().name, location)}-RSV-BackupStorageConfig'
- params: {
- recoveryVaultName: rsv.name
- storageModelType: backupStorageConfig.storageModelType
- crossRegionRestoreFlag: backupStorageConfig.crossRegionRestoreFlag
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module rsv_backupFabric_protectionContainers 'backup-fabric/protection-container/main.bicep' = [for (protectionContainer, index) in protectionContainers: {
- name: '${uniqueString(deployment().name, location)}-RSV-ProtectionContainers-${index}'
- params: {
- recoveryVaultName: rsv.name
- name: protectionContainer.name
- sourceResourceId: protectionContainer.sourceResourceId
- friendlyName: protectionContainer.friendlyName
- backupManagementType: protectionContainer.backupManagementType
- containerType: protectionContainer.containerType
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- protectedItems: contains(protectionContainer, 'protectedItems') ? protectionContainer.protectedItems : []
- location: location
- }
-}]
-
-module rsv_backupPolicies 'backup-policy/main.bicep' = [for (backupPolicy, index) in backupPolicies: {
- name: '${uniqueString(deployment().name, location)}-RSV-BackupPolicy-${index}'
- params: {
- recoveryVaultName: rsv.name
- name: backupPolicy.name
- properties: backupPolicy.properties
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module rsv_backupConfig 'backup-config/main.bicep' = if (!empty(backupConfig)) {
- name: '${uniqueString(deployment().name, location)}-RSV-BackupConfig'
- params: {
- recoveryVaultName: rsv.name
- name: contains(backupConfig, 'name') ? backupConfig.name : 'vaultconfig'
- enhancedSecurityState: contains(backupConfig, 'enhancedSecurityState') ? 
backupConfig.enhancedSecurityState : 'Enabled'
- resourceGuardOperationRequests: contains(backupConfig, 'resourceGuardOperationRequests') ? backupConfig.resourceGuardOperationRequests : []
- softDeleteFeatureState: contains(backupConfig, 'softDeleteFeatureState') ? backupConfig.softDeleteFeatureState : 'Enabled'
- storageModelType: contains(backupConfig, 'storageModelType') ? backupConfig.storageModelType : 'GeoRedundant'
- storageType: contains(backupConfig, 'storageType') ? backupConfig.storageType : 'GeoRedundant'
- storageTypeState: contains(backupConfig, 'storageTypeState') ? backupConfig.storageTypeState : 'Locked'
- isSoftDeleteFeatureStateEditable: contains(backupConfig, 'isSoftDeleteFeatureStateEditable') ? backupConfig.isSoftDeleteFeatureStateEditable : true
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module rsv_replicationAlertSettings 'replication-alert-setting/main.bicep' = if (!empty(replicationAlertSettings)) {
- name: '${uniqueString(deployment().name, location)}-RSV-replicationAlertSettings'
- params: {
- name: 'defaultAlertSetting'
- recoveryVaultName: rsv.name
- customEmailAddresses: contains(replicationAlertSettings, 'customEmailAddresses') ? replicationAlertSettings.customEmailAddresses : []
- locale: contains(replicationAlertSettings, 'locale') ? replicationAlertSettings.locale : ''
- sendToOwners: contains(replicationAlertSettings, 'sendToOwners') ? replicationAlertSettings.sendToOwners : 'Send'
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-resource rsv_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: rsv
-}
-
-resource rsv_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: rsv
-}]
-
-module rsv_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
- name: '${uniqueString(deployment().name, location)}-rsv-PrivateEndpoint-${index}'
- params: {
- groupIds: [
- privateEndpoint.?service ?? 'AzureSiteRecovery'
- ]
- name: privateEndpoint.?name ?? 'pep-${last(split(rsv.id, '/'))}-${privateEndpoint.?service ?? 'AzureSiteRecovery'}-${index}'
- serviceResourceId: rsv.id
- subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
- location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
- privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
- roleAssignments: privateEndpoint.?roleAssignments
- tags: privateEndpoint.?tags ?? 
tags
- manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
- customDnsConfigs: privateEndpoint.?customDnsConfigs
- ipConfigurations: privateEndpoint.?ipConfigurations
- applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
- customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
- }
-}]
-
-resource rsv_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(rsv.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: rsv
-}]
-
-@description('The resource ID of the recovery services vault.')
-output resourceId string = rsv.id
-
-@description('The name of the resource group the recovery services vault was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The Name of the recovery services vault.')
-output name string = rsv.name
-
-@description('The principal ID of the system assigned identity.')
-output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(rsv.identity, 'principalId') ? 
rsv.identity.principalId : ''
-
-@description('The location the resource was deployed into.')
-output location string = rsv.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]?
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type privateEndpointType = {
- @description('Optional. 
The name of the private endpoint.')
- name: string?
-
- @description('Optional. The location to deploy the private endpoint to.')
- location: string?
-
- @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
- service: string?
-
- @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
- subnetResourceId: string
-
- @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
- privateDnsZoneGroupName: string?
-
- @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
- privateDnsZoneResourceIds: string[]?
-
- @description('Optional. Custom DNS configurations.')
- customDnsConfigs: {
- @description('Required. Fqdn that resolves to private endpoint ip address.')
- fqdn: string?
-
- @description('Required. A list of private ip addresses of the private endpoint.')
- ipAddresses: string[]
- }[]?
-
- @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
- ipConfigurations: {
- @description('Required. The name of the resource that is unique within a resource group.')
- name: string
-
- @description('Required. Properties of private endpoint IP configurations.')
- properties: {
- @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
- groupId: string
-
- @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
- memberName: string
-
- @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
- privateIPAddress: string
- }
- }[]?
-
- @description('Optional. 
Application security groups in which the private endpoint IP configuration is included.')
- applicationSecurityGroupResourceIds: string[]?
-
- @description('Optional. The custom name of the network interface attached to the private endpoint.')
- customNetworkInterfaceName: string?
-
- @description('Optional. Specify the type of lock.')
- lock: lockType
-
- @description('Optional. Array of role assignments to create.')
- roleAssignments: roleAssignmentType
-
- @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
- tags: object?
-
- @description('Optional. Manual PrivateLink Service Connections.')
- manualPrivateLinkServiceConnections: array?
-
- @description('Optional. Enable/Disable usage telemetry for module.')
- enableTelemetry: bool?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/recovery-services/vault/main.json b/modules/recovery-services/vault/main.json
deleted file mode 100644
index c7129f3aef..0000000000
--- a/modules/recovery-services/vault/main.json
+++ /dev/null
@@ -1,2865 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "995975405658769372" - }, - "name": "Recovery Services Vaults", - "description": "This module deploys a Recovery Services Vault.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." 
- } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. 
Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Azure Recovery Service Vault." - } - }, - "backupStorageConfig": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The storage configuration for the Azure Recovery Service Vault." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "backupPolicies": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of all backup policies." 
- } - }, - "backupConfig": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The backup configuration." - } - }, - "protectionContainers": { - "type": "array", - "defaultValue": [], - "minLength": 0, - "metadata": { - "description": "Optional. List of all protection containers." - } - }, - "replicationFabrics": { - "type": "array", - "defaultValue": [], - "minLength": 0, - "metadata": { - "description": "Optional. List of all replication fabrics." - } - }, - "replicationPolicies": { - "type": "array", - "defaultValue": [], - "minLength": 0, - "metadata": { - "description": "Optional. List of all replication policies." - } - }, - "replicationAlertSettings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Replication alert settings." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the Recovery Service Vault resource." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." - } - }, - "monitoringSettings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. 
Monitoring Settings of the vault." - } - }, - "securitySettings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Security Settings of the vault." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled." - } - } - }, - "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Backup Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "Site Recovery Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "rsv": { - "type": "Microsoft.RecoveryServices/vaults", - "apiVersion": "2023-01-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "sku": { - "name": "RS0", - "tier": "Standard" - }, - "properties": { - "monitoringSettings": "[if(not(empty(parameters('monitoringSettings'))), parameters('monitoringSettings'), null())]", - "securitySettings": 
"[if(not(empty(parameters('securitySettings'))), parameters('securitySettings'), null())]", - "publicNetworkAccess": "[parameters('publicNetworkAccess')]" - } - }, - "rsv_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.RecoveryServices/vaults/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "rsv" - ] - }, - "rsv_diagnosticSettings": { - "copy": { - "name": "rsv_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.RecoveryServices/vaults/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": 
"[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "rsv" - ] - }, - "rsv_roleAssignments": { - "copy": { - "name": "rsv_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.RecoveryServices/vaults/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.RecoveryServices/vaults', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "rsv" - ] - }, - "rsv_replicationFabrics": { - "copy": { - "name": "rsv_replicationFabrics", - "count": "[length(parameters('replicationFabrics'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-RSV-Fabric-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "recoveryVaultName": { - "value": "[parameters('name')]" - }, - "name": "[if(contains(parameters('replicationFabrics')[copyIndex()], 'name'), createObject('value', parameters('replicationFabrics')[copyIndex()].name), createObject('value', parameters('replicationFabrics')[copyIndex()].location))]", - "location": { - "value": "[parameters('replicationFabrics')[copyIndex()].location]" - }, - "replicationContainers": "[if(contains(parameters('replicationFabrics')[copyIndex()], 'replicationContainers'), createObject('value', parameters('replicationFabrics')[copyIndex()].replicationContainers), 
createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "141571686653146888" - }, - "name": "Recovery Services Vault Replication Fabrics", - "description": "This module deploys a Replication Fabric for Azure to Azure disaster recovery scenario of Azure Site Recovery.\n\n> Note: this module currently support only the `instanceType: 'Azure'` scenario.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "recoveryVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Required. The recovery location the fabric represents." - } - }, - "name": { - "type": "string", - "defaultValue": "[parameters('location')]", - "metadata": { - "description": "Optional. The name of the fabric." - } - }, - "replicationContainers": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Replication containers to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}-rsvPolicy', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.RecoveryServices/vaults/replicationFabrics", - "apiVersion": "2022-10-01", - "name": "[format('{0}/{1}', parameters('recoveryVaultName'), parameters('name'))]", - "properties": { - "customDetails": { - "instanceType": "Azure", - "location": "[parameters('location')]" - } - } - }, - { - "copy": { - "name": "fabric_replicationContainers", - "count": "[length(parameters('replicationContainers'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-RCont-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('replicationContainers')[copyIndex()].name]" - }, - "recoveryVaultName": { - "value": "[parameters('recoveryVaultName')]" - }, - "replicationFabricName": { - "value": "[parameters('name')]" - }, - "replicationContainerMappings": "[if(contains(parameters('replicationContainers')[copyIndex()], 'replicationContainerMappings'), createObject('value', parameters('replicationContainers')[copyIndex()].replicationContainerMappings), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": 
"1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10595314903369272974" - }, - "name": "Recovery Services Vault Replication Fabric Replication Protection Containers", - "description": "This module deploys a Recovery Services Vault Replication Protection Container.\n\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "recoveryVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment." - } - }, - "replicationFabricName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Replication Fabric. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the replication container." - } - }, - "replicationContainerMappings": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Replication containers mappings to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}-rsvPolicy', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers", - "apiVersion": "2022-10-01", - "name": "[format('{0}/{1}/{2}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('name'))]", - "properties": { - "providerSpecificInput": [ - { - "instanceType": "A2A" - } - ] - } - }, - { - "copy": { - "name": "fabric_container_containerMappings", - "count": "[length(parameters('replicationContainerMappings'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Map-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'name'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].name), createObject('value', ''))]", - "policyId": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'policyId'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].policyId), createObject('value', ''))]", - "policyName": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'policyName'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].policyName), createObject('value', ''))]", - "recoveryVaultName": { - "value": 
"[parameters('recoveryVaultName')]" - }, - "replicationFabricName": { - "value": "[parameters('replicationFabricName')]" - }, - "sourceProtectionContainerName": { - "value": "[parameters('name')]" - }, - "targetProtectionContainerId": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'targetProtectionContainerId'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].targetProtectionContainerId), createObject('value', ''))]", - "targetContainerFabricName": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'targetContainerFabricName'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].targetContainerFabricName), createObject('value', parameters('replicationFabricName')))]", - "targetContainerName": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'targetContainerName'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].targetContainerName), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13334445778984042102" - }, - "name": "Recovery Services Vault Replication Fabric Replication Protection Container Replication Protection Container Mappings", - "description": "This module deploys a Recovery Services Vault (RSV) Replication Protection Container Mapping.\n\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "recoveryVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Azure Recovery Service Vault. 
Required if the template is used in a standalone deployment." - } - }, - "replicationFabricName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Replication Fabric. Required if the template is used in a standalone deployment." - } - }, - "sourceProtectionContainerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent source Replication container. Required if the template is used in a standalone deployment." - } - }, - "targetProtectionContainerId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the target Replication container. Must be specified if targetContainerName is not. If specified, targetContainerFabricName and targetContainerName will be ignored." - } - }, - "targetContainerFabricName": { - "type": "string", - "defaultValue": "[parameters('replicationFabricName')]", - "metadata": { - "description": "Optional. Name of the fabric containing the target container. If targetProtectionContainerId is specified, this parameter will be ignored." - } - }, - "targetContainerName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the target container. Must be specified if targetProtectionContainerId is not. If targetProtectionContainerId is specified, this parameter will be ignored." - } - }, - "policyId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the replication policy. If defined, policyName will be ignored." - } - }, - "policyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the replication policy. Will be ignored if policyId is also specified." - } - }, - "name": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the replication container mapping. If not provided, it will be automatically generated as `-`." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "policyResourceId": "[if(not(equals(parameters('policyId'), '')), parameters('policyId'), subscriptionResourceId('Microsoft.RecoveryServices/vaults/replicationPolicies', parameters('recoveryVaultName'), parameters('policyName')))]", - "targetProtectionContainerResourceId": "[if(not(equals(parameters('targetProtectionContainerId'), '')), parameters('targetProtectionContainerId'), subscriptionResourceId('Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers', parameters('recoveryVaultName'), parameters('targetContainerFabricName'), parameters('targetContainerName')))]", - "mappingName": "[if(not(empty(parameters('name'))), parameters('name'), format('{0}-{1}', parameters('sourceProtectionContainerName'), split(variables('targetProtectionContainerResourceId'), '/')[10]))]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}-rsvPolicy', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings", - "apiVersion": "2022-10-01", - "name": "[format('{0}/{1}/{2}/{3}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('sourceProtectionContainerName'), variables('mappingName'))]", - "properties": { - "targetProtectionContainerId": "[variables('targetProtectionContainerResourceId')]", - "policyId": 
"[variables('policyResourceId')]", - "providerSpecificInput": { - "instanceType": "A2A" - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the replication container." - }, - "value": "[format('{0}/{1}/{2}/{3}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('sourceProtectionContainerName'), variables('mappingName'))]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the replication container." - }, - "value": "[resourceId('Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings', split(format('{0}/{1}/{2}/{3}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('sourceProtectionContainerName'), variables('mappingName')), '/')[0], split(format('{0}/{1}/{2}/{3}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('sourceProtectionContainerName'), variables('mappingName')), '/')[1], split(format('{0}/{1}/{2}/{3}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('sourceProtectionContainerName'), variables('mappingName')), '/')[2], split(format('{0}/{1}/{2}/{3}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('sourceProtectionContainerName'), variables('mappingName')), '/')[3])]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the replication container was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "[resourceId('Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers', split(format('{0}/{1}/{2}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('name')), '/')[0], split(format('{0}/{1}/{2}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('name')), '/')[1], split(format('{0}/{1}/{2}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('name')), '/')[2])]" - ] - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the replication container." - }, - "value": "[format('{0}/{1}/{2}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('name'))]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the replication container." - }, - "value": "[resourceId('Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers', split(format('{0}/{1}/{2}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('name')), '/')[0], split(format('{0}/{1}/{2}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('name')), '/')[1], split(format('{0}/{1}/{2}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('name')), '/')[2])]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the replication container was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "[resourceId('Microsoft.RecoveryServices/vaults/replicationFabrics', split(format('{0}/{1}', parameters('recoveryVaultName'), parameters('name')), '/')[0], split(format('{0}/{1}', parameters('recoveryVaultName'), parameters('name')), '/')[1])]" - ] - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the replication fabric." - }, - "value": "[format('{0}/{1}', parameters('recoveryVaultName'), parameters('name'))]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the replication fabric." - }, - "value": "[resourceId('Microsoft.RecoveryServices/vaults/replicationFabrics', split(format('{0}/{1}', parameters('recoveryVaultName'), parameters('name')), '/')[0], split(format('{0}/{1}', parameters('recoveryVaultName'), parameters('name')), '/')[1])]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the replication fabric was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "rsv", - "rsv_replicationPolicies" - ] - }, - "rsv_replicationPolicies": { - "copy": { - "name": "rsv_replicationPolicies", - "count": "[length(parameters('replicationPolicies'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-RSV-Policy-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('replicationPolicies')[copyIndex()].name]" - }, - "recoveryVaultName": { - "value": "[parameters('name')]" - }, - "appConsistentFrequencyInMinutes": "[if(contains(parameters('replicationPolicies')[copyIndex()], 'appConsistentFrequencyInMinutes'), createObject('value', parameters('replicationPolicies')[copyIndex()].appConsistentFrequencyInMinutes), createObject('value', 60))]", - "crashConsistentFrequencyInMinutes": "[if(contains(parameters('replicationPolicies')[copyIndex()], 'crashConsistentFrequencyInMinutes'), createObject('value', parameters('replicationPolicies')[copyIndex()].crashConsistentFrequencyInMinutes), createObject('value', 5))]", - "multiVmSyncStatus": "[if(contains(parameters('replicationPolicies')[copyIndex()], 'multiVmSyncStatus'), createObject('value', parameters('replicationPolicies')[copyIndex()].multiVmSyncStatus), createObject('value', 'Enable'))]", - "recoveryPointHistory": "[if(contains(parameters('replicationPolicies')[copyIndex()], 'recoveryPointHistory'), createObject('value', parameters('replicationPolicies')[copyIndex()].recoveryPointHistory), createObject('value', 1440))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - 
"_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "7511225868129156252" - }, - "name": "Recovery Services Vault Replication Policies", - "description": "This module deploys a Recovery Services Vault Replication Policy for Disaster Recovery scenario.\n\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "recoveryVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the replication policy." - } - }, - "appConsistentFrequencyInMinutes": { - "type": "int", - "defaultValue": 60, - "metadata": { - "description": "Optional. The app consistent snapshot frequency (in minutes)." - } - }, - "crashConsistentFrequencyInMinutes": { - "type": "int", - "defaultValue": 5, - "metadata": { - "description": "Optional. The crash consistent snapshot frequency (in minutes)." - } - }, - "multiVmSyncStatus": { - "type": "string", - "defaultValue": "Enable", - "allowedValues": [ - "Enable", - "Disable" - ], - "metadata": { - "description": "Optional. A value indicating whether multi-VM sync has to be enabled." - } - }, - "recoveryPointHistory": { - "type": "int", - "defaultValue": 1440, - "metadata": { - "description": "Optional. The duration in minutes until which the recovery points need to be stored." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}-rsvPolicy', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.RecoveryServices/vaults/replicationPolicies", - "apiVersion": "2022-10-01", - "name": "[format('{0}/{1}', parameters('recoveryVaultName'), parameters('name'))]", - "properties": { - "providerSpecificInput": { - "instanceType": "A2A", - "appConsistentFrequencyInMinutes": "[parameters('appConsistentFrequencyInMinutes')]", - "crashConsistentFrequencyInMinutes": "[parameters('crashConsistentFrequencyInMinutes')]", - "multiVmSyncStatus": "[parameters('multiVmSyncStatus')]", - "recoveryPointHistory": "[parameters('recoveryPointHistory')]" - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the replication policy." - }, - "value": "[format('{0}/{1}', parameters('recoveryVaultName'), parameters('name'))]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the replication policy." - }, - "value": "[resourceId('Microsoft.RecoveryServices/vaults/replicationPolicies', split(format('{0}/{1}', parameters('recoveryVaultName'), parameters('name')), '/')[0], split(format('{0}/{1}', parameters('recoveryVaultName'), parameters('name')), '/')[1])]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the replication policy was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "rsv" - ] - }, - "rsv_backupStorageConfiguration": { - "condition": "[not(empty(parameters('backupStorageConfig')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-RSV-BackupStorageConfig', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "recoveryVaultName": { - "value": "[parameters('name')]" - }, - "storageModelType": { - "value": "[parameters('backupStorageConfig').storageModelType]" - }, - "crossRegionRestoreFlag": { - "value": "[parameters('backupStorageConfig').crossRegionRestoreFlag]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9499262871851480671" - }, - "name": "Recovery Services Vault Backup Storage Config", - "description": "This module deploys a Recovery Service Vault Backup Storage Configuration.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "recoveryVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "vaultstorageconfig", - "metadata": { - "description": "Optional. The name of the backup storage config." - } - }, - "storageModelType": { - "type": "string", - "defaultValue": "GeoRedundant", - "allowedValues": [ - "GeoRedundant", - "LocallyRedundant", - "ReadAccessGeoZoneRedundant", - "ZoneRedundant" - ], - "metadata": { - "description": "Optional. 
Change Vault Storage Type (Works if vault has not registered any backup instance)." - } - }, - "crossRegionRestoreFlag": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Opt in details of Cross Region Restore feature." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.RecoveryServices/vaults/backupstorageconfig", - "apiVersion": "2023-01-01", - "name": "[format('{0}/{1}', parameters('recoveryVaultName'), parameters('name'))]", - "properties": { - "storageModelType": "[parameters('storageModelType')]", - "crossRegionRestoreFlag": "[parameters('crossRegionRestoreFlag')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the backup storage config." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the backup storage config." - }, - "value": "[resourceId('Microsoft.RecoveryServices/vaults/backupstorageconfig', parameters('recoveryVaultName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the backup storage configuration was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "rsv" - ] - }, - "rsv_backupFabric_protectionContainers": { - "copy": { - "name": "rsv_backupFabric_protectionContainers", - "count": "[length(parameters('protectionContainers'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-RSV-ProtectionContainers-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "recoveryVaultName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('protectionContainers')[copyIndex()].name]" - }, - "sourceResourceId": { - "value": "[parameters('protectionContainers')[copyIndex()].sourceResourceId]" - }, - "friendlyName": { - "value": "[parameters('protectionContainers')[copyIndex()].friendlyName]" - }, - "backupManagementType": { - "value": "[parameters('protectionContainers')[copyIndex()].backupManagementType]" - }, - "containerType": { - "value": "[parameters('protectionContainers')[copyIndex()].containerType]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "protectedItems": "[if(contains(parameters('protectionContainers')[copyIndex()], 'protectedItems'), createObject('value', parameters('protectionContainers')[copyIndex()].protectedItems), createObject('value', createArray()))]", - "location": { - "value": "[parameters('location')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13622946234752234891" - }, - "name": "Recovery Services Vault Protection Container", - "description": "This module deploys a Recovery Services Vault Protection Container.", - "owner": 
"Azure/module-maintainers" - }, - "parameters": { - "recoveryVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Azure Recovery Service Vault Protection Container." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "backupManagementType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "AzureBackupServer", - "AzureIaasVM", - "AzureSql", - "AzureStorage", - "AzureWorkload", - "DPM", - "DefaultBackup", - "Invalid", - "MAB", - "" - ], - "metadata": { - "description": "Optional. Backup management type to execute the current Protection Container job." - } - }, - "sourceResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the target resource for the Protection Container." - } - }, - "friendlyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Friendly name of the Protection Container." - } - }, - "protectedItems": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Protected items to register in the container." - } - }, - "containerType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "AzureBackupServerContainer", - "AzureSqlContainer", - "GenericContainer", - "Microsoft.ClassicCompute/virtualMachines", - "Microsoft.Compute/virtualMachines", - "SQLAGWorkLoadContainer", - "StorageContainer", - "VMAppContainer", - "Windows", - "" - ], - "metadata": { - "description": "Optional. Type of the container." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. 
Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers", - "apiVersion": "2023-01-01", - "name": "[format('{0}/Azure/{1}', parameters('recoveryVaultName'), parameters('name'))]", - "properties": { - "sourceResourceId": "[if(not(empty(parameters('sourceResourceId'))), parameters('sourceResourceId'), null())]", - "friendlyName": "[if(not(empty(parameters('friendlyName'))), parameters('friendlyName'), null())]", - "backupManagementType": "[if(not(empty(parameters('backupManagementType'))), parameters('backupManagementType'), null())]", - "containerType": "[if(not(empty(parameters('containerType'))), parameters('containerType'), null())]" - } - }, - { - "copy": { - "name": "protectionContainer_protectedItems", - "count": "[length(parameters('protectedItems'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-ProtectedItem-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "policyId": { - "value": "[parameters('protectedItems')[copyIndex()].policyId]" - }, - "name": { - "value": "[parameters('protectedItems')[copyIndex()].name]" - }, - "protectedItemType": { - "value": "[parameters('protectedItems')[copyIndex()].protectedItemType]" - }, - 
"protectionContainerName": { - "value": "[parameters('name')]" - }, - "recoveryVaultName": { - "value": "[parameters('recoveryVaultName')]" - }, - "sourceResourceId": { - "value": "[parameters('protectedItems')[copyIndex()].sourceResourceId]" - }, - "location": { - "value": "[parameters('location')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9921011786088905122" - }, - "name": "Recovery Service Vaults Protection Container Protected Item", - "description": "This module deploys a Recovery Services Vault Protection Container Protected Item.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the resource." - } - }, - "protectionContainerName": { - "type": "string", - "metadata": { - "description": "Conditional. Name of the Azure Recovery Service Vault Protection Container. Required if the template is used in a standalone deployment." - } - }, - "recoveryVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." 
- } - }, - "protectedItemType": { - "type": "string", - "allowedValues": [ - "AzureFileShareProtectedItem", - "AzureVmWorkloadSAPAseDatabase", - "AzureVmWorkloadSAPHanaDatabase", - "AzureVmWorkloadSQLDatabase", - "DPMProtectedItem", - "GenericProtectedItem", - "MabFileFolderProtectedItem", - "Microsoft.ClassicCompute/virtualMachines", - "Microsoft.Compute/virtualMachines", - "Microsoft.Sql/servers/databases" - ], - "metadata": { - "description": "Required. The backup item type." - } - }, - "policyId": { - "type": "string", - "metadata": { - "description": "Required. ID of the backup policy with which this item is backed up." - } - }, - "sourceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource to back up." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems", - "apiVersion": "2023-01-01", - "name": "[format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name'))]", - "location": "[parameters('location')]", - "properties": { - "protectedItemType": "[parameters('protectedItemType')]", - "policyId": "[parameters('policyId')]", - "sourceResourceId": "[parameters('sourceResourceId')]" - } - } - ], - "outputs": { - 
"resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the protected item was created in." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the protected item." - }, - "value": "[resourceId('Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems', split(format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name')), '/')[0], split(format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name')), '/')[1], split(format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name')), '/')[2], split(format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name')), '/')[3])]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The Name of the protected item." - }, - "value": "[format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name'))]" - } - } - } - }, - "dependsOn": [ - "[resourceId('Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers', split(format('{0}/Azure/{1}', parameters('recoveryVaultName'), parameters('name')), '/')[0], split(format('{0}/Azure/{1}', parameters('recoveryVaultName'), parameters('name')), '/')[1], split(format('{0}/Azure/{1}', parameters('recoveryVaultName'), parameters('name')), '/')[2])]" - ] - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the Protection Container was created in." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Protection Container." 
- }, - "value": "[resourceId('Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers', split(format('{0}/Azure/{1}', parameters('recoveryVaultName'), parameters('name')), '/')[0], split(format('{0}/Azure/{1}', parameters('recoveryVaultName'), parameters('name')), '/')[1], split(format('{0}/Azure/{1}', parameters('recoveryVaultName'), parameters('name')), '/')[2])]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The Name of the Protection Container." - }, - "value": "[format('{0}/Azure/{1}', parameters('recoveryVaultName'), parameters('name'))]" - } - } - } - }, - "dependsOn": [ - "rsv" - ] - }, - "rsv_backupPolicies": { - "copy": { - "name": "rsv_backupPolicies", - "count": "[length(parameters('backupPolicies'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-RSV-BackupPolicy-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "recoveryVaultName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('backupPolicies')[copyIndex()].name]" - }, - "properties": { - "value": "[parameters('backupPolicies')[copyIndex()].properties]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4289896830796340565" - }, - "name": "Recovery Services Vault Backup Policies", - "description": "This module deploys a Recovery Services Vault Backup Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "recoveryVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. 
The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Azure Recovery Service Vault Backup Policy." - } - }, - "properties": { - "type": "object", - "metadata": { - "description": "Required. Configuration of the Azure Recovery Service Vault Backup Policy." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.RecoveryServices/vaults/backupPolicies", - "apiVersion": "2023-01-01", - "name": "[format('{0}/{1}', parameters('recoveryVaultName'), parameters('name'))]", - "properties": "[parameters('properties')]" - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the backup policy." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the backup policy." - }, - "value": "[resourceId('Microsoft.RecoveryServices/vaults/backupPolicies', parameters('recoveryVaultName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the backup policy was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "rsv" - ] - }, - "rsv_backupConfig": { - "condition": "[not(empty(parameters('backupConfig')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-RSV-BackupConfig', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "recoveryVaultName": { - "value": "[parameters('name')]" - }, - "name": "[if(contains(parameters('backupConfig'), 'name'), createObject('value', parameters('backupConfig').name), createObject('value', 'vaultconfig'))]", - "enhancedSecurityState": "[if(contains(parameters('backupConfig'), 'enhancedSecurityState'), createObject('value', parameters('backupConfig').enhancedSecurityState), createObject('value', 'Enabled'))]", - "resourceGuardOperationRequests": "[if(contains(parameters('backupConfig'), 'resourceGuardOperationRequests'), createObject('value', parameters('backupConfig').resourceGuardOperationRequests), createObject('value', createArray()))]", - "softDeleteFeatureState": "[if(contains(parameters('backupConfig'), 'softDeleteFeatureState'), createObject('value', parameters('backupConfig').softDeleteFeatureState), createObject('value', 'Enabled'))]", - "storageModelType": "[if(contains(parameters('backupConfig'), 'storageModelType'), createObject('value', parameters('backupConfig').storageModelType), createObject('value', 'GeoRedundant'))]", - "storageType": "[if(contains(parameters('backupConfig'), 'storageType'), createObject('value', parameters('backupConfig').storageType), createObject('value', 'GeoRedundant'))]", - "storageTypeState": "[if(contains(parameters('backupConfig'), 'storageTypeState'), createObject('value', parameters('backupConfig').storageTypeState), createObject('value', 'Locked'))]", - "isSoftDeleteFeatureStateEditable": "[if(contains(parameters('backupConfig'), 
'isSoftDeleteFeatureStateEditable'), createObject('value', parameters('backupConfig').isSoftDeleteFeatureStateEditable), createObject('value', true()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "12267998063539265813" - }, - "name": "Recovery Services Vault Backup Config", - "description": "This module deploys a Recovery Services Vault Backup Config.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "recoveryVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "vaultconfig", - "metadata": { - "description": "Optional. Name of the Azure Recovery Service Vault Backup Policy." - } - }, - "enhancedSecurityState": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Enable this setting to protect hybrid backups against accidental deletes and add additional layer of authentication for critical operations." - } - }, - "resourceGuardOperationRequests": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. ResourceGuard Operation Requests." - } - }, - "softDeleteFeatureState": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Enable this setting to protect backup data for Azure VM, SQL Server in Azure VM and SAP HANA in Azure VM from accidental deletes." 
- } - }, - "storageModelType": { - "type": "string", - "defaultValue": "GeoRedundant", - "allowedValues": [ - "GeoRedundant", - "LocallyRedundant", - "ReadAccessGeoZoneRedundant", - "ZoneRedundant" - ], - "metadata": { - "description": "Optional. Storage type." - } - }, - "storageType": { - "type": "string", - "defaultValue": "GeoRedundant", - "allowedValues": [ - "GeoRedundant", - "LocallyRedundant", - "ReadAccessGeoZoneRedundant", - "ZoneRedundant" - ], - "metadata": { - "description": "Optional. Storage type." - } - }, - "storageTypeState": { - "type": "string", - "defaultValue": "Locked", - "allowedValues": [ - "Locked", - "Unlocked" - ], - "metadata": { - "description": "Optional. Once a machine is registered against a resource, the storageTypeState is always Locked." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "isSoftDeleteFeatureStateEditable": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Is soft delete feature state editable." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.RecoveryServices/vaults/backupconfig", - "apiVersion": "2023-01-01", - "name": "[format('{0}/{1}', parameters('recoveryVaultName'), parameters('name'))]", - "properties": { - "enhancedSecurityState": "[parameters('enhancedSecurityState')]", - "resourceGuardOperationRequests": "[parameters('resourceGuardOperationRequests')]", - "softDeleteFeatureState": "[parameters('softDeleteFeatureState')]", - "storageModelType": "[parameters('storageModelType')]", - "storageType": "[parameters('storageType')]", - "storageTypeState": "[parameters('storageTypeState')]", - "isSoftDeleteFeatureStateEditable": "[parameters('isSoftDeleteFeatureStateEditable')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the backup config." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the backup config." - }, - "value": "[resourceId('Microsoft.RecoveryServices/vaults/backupconfig', parameters('recoveryVaultName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the backup config was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "rsv" - ] - }, - "rsv_replicationAlertSettings": { - "condition": "[not(empty(parameters('replicationAlertSettings')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-RSV-replicationAlertSettings', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "defaultAlertSetting" - }, - "recoveryVaultName": { - "value": "[parameters('name')]" - }, - "customEmailAddresses": "[if(contains(parameters('replicationAlertSettings'), 'customEmailAddresses'), createObject('value', parameters('replicationAlertSettings').customEmailAddresses), createObject('value', createArray()))]", - "locale": "[if(contains(parameters('replicationAlertSettings'), 'locale'), createObject('value', parameters('replicationAlertSettings').locale), createObject('value', ''))]", - "sendToOwners": "[if(contains(parameters('replicationAlertSettings'), 'sendToOwners'), createObject('value', parameters('replicationAlertSettings').sendToOwners), createObject('value', 'Send'))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9038487209624086059" - }, - "name": "Recovery Services Vault Replication Alert Settings", - "description": "This module deploys a Recovery Services Vault Replication Alert Settings.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "recoveryVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Azure Recovery Service Vault. 
Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "defaultAlertSetting", - "metadata": { - "description": "Optional. The name of the replication Alert Setting." - } - }, - "customEmailAddresses": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Comma separated list of custom email address for sending alert emails." - } - }, - "locale": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The locale for the email notification." - } - }, - "sendToOwners": { - "type": "string", - "defaultValue": "Send", - "allowedValues": [ - "DoNotSend", - "Send" - ], - "metadata": { - "description": "Optional. The value indicating whether to send email to subscription administrator." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.RecoveryServices/vaults/replicationAlertSettings", - "apiVersion": "2022-10-01", - "name": "[format('{0}/{1}', parameters('recoveryVaultName'), parameters('name'))]", - "properties": { - "customEmailAddresses": "[if(not(empty(parameters('customEmailAddresses'))), parameters('customEmailAddresses'), null())]", - "locale": "[parameters('locale')]", - "sendToOwners": "[parameters('sendToOwners')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the replication Alert Setting." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the replication alert setting was created." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the replication alert setting." 
- }, - "value": "[resourceId('Microsoft.RecoveryServices/vaults/replicationAlertSettings', parameters('recoveryVaultName'), parameters('name'))]" - } - } - } - }, - "dependsOn": [ - "rsv" - ] - }, - "rsv_privateEndpoints": { - "copy": { - "name": "rsv_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-rsv-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'AzureSiteRecovery')]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.RecoveryServices/vaults', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'AzureSiteRecovery'), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.RecoveryServices/vaults', parameters('name'))]" - }, - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": 
"[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - 
"roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. 
Specify the type of lock." - } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." 
- } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private 
DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - 
"groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": 
"Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": 
"string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "rsv" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the recovery services vault." - }, - "value": "[resourceId('Microsoft.RecoveryServices/vaults', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the recovery services vault was created in." 
- }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The Name of the recovery services vault." - }, - "value": "[parameters('name')]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('rsv', '2023-01-01', 'full').identity, 'principalId')), reference('rsv', '2023-01-01', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('rsv', '2023-01-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/recovery-services/vault/replication-alert-setting/README.md b/modules/recovery-services/vault/replication-alert-setting/README.md deleted file mode 100644 index d8c489809d..0000000000 --- a/modules/recovery-services/vault/replication-alert-setting/README.md +++ /dev/null 
@@ -1,101 +0,0 @@
-# Recovery Services Vault Replication Alert Settings `[Microsoft.RecoveryServices/vaults/replicationAlertSettings]`
-
-This module deploys a Recovery Services Vault Replication Alert Settings.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.RecoveryServices/vaults/replicationAlertSettings` | [2022-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-10-01/vaults/replicationAlertSettings) |
-
-## Parameters
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`recoveryVaultName`](#parameter-recoveryvaultname) | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`customEmailAddresses`](#parameter-customemailaddresses) | array | Comma separated list of custom email address for sending alert emails. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`locale`](#parameter-locale) | string | The locale for the email notification. |
-| [`name`](#parameter-name) | string | The name of the replication Alert Setting. |
-| [`sendToOwners`](#parameter-sendtoowners) | string | The value indicating whether to send email to subscription administrator. |
-
-### Parameter: `recoveryVaultName`
-
-The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `customEmailAddresses`
-
-Comma separated list of custom email address for sending alert emails.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `locale`
-
-The locale for the email notification.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `name`
-
-The name of the replication Alert Setting.
-
-- Required: No
-- Type: string
-- Default: `'defaultAlertSetting'`
-
-### Parameter: `sendToOwners`
-
-The value indicating whether to send email to subscription administrator.
-
-- Required: No
-- Type: string
-- Default: `'Send'`
-- Allowed:
- ```Bicep
- [
- 'DoNotSend'
- 'Send'
- ]
- ```
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the replication Alert Setting. |
-| `resourceGroupName` | string | The name of the resource group the replication alert setting was created. |
-| `resourceId` | string | The resource ID of the replication alert setting. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/recovery-services/vault/replication-alert-setting/main.bicep b/modules/recovery-services/vault/replication-alert-setting/main.bicep
deleted file mode 100644
index fc2cfbbd8b..0000000000
--- a/modules/recovery-services/vault/replication-alert-setting/main.bicep
+++ /dev/null
@@ -1,60 +0,0 @@
-metadata name = 'Recovery Services Vault Replication Alert Settings'
-metadata description = 'This module deploys a Recovery Services Vault Replication Alert Settings.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment.')
-param recoveryVaultName string
-
-@description('Optional. The name of the replication Alert Setting.')
-param name string = 'defaultAlertSetting'
-
-@description('Optional. Comma separated list of custom email address for sending alert emails.')
-param customEmailAddresses array = []
-
-@description('Optional. The locale for the email notification.')
-param locale string = ''
-
-@description('Optional. The value indicating whether to send email to subscription administrator.')
-@allowed([
- 'DoNotSend'
- 'Send'
-])
-param sendToOwners string = 'Send'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource recoveryVault 'Microsoft.RecoveryServices/vaults@2023-01-01' existing = {
- name: recoveryVaultName
-}
-
-resource replicationAlertSettings 'Microsoft.RecoveryServices/vaults/replicationAlertSettings@2022-10-01' = {
- name: name
- parent: recoveryVault
- properties: {
- customEmailAddresses: !empty(customEmailAddresses) ? customEmailAddresses : null
- locale: locale
- sendToOwners: sendToOwners
- }
-}
-
-@description('The name of the replication Alert Setting.')
-output name string = replicationAlertSettings.name
-
-@description('The name of the resource group the replication alert setting was created.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The resource ID of the replication alert setting.')
-output resourceId string = replicationAlertSettings.id
diff --git a/modules/recovery-services/vault/replication-alert-setting/main.json b/modules/recovery-services/vault/replication-alert-setting/main.json
deleted file mode 100644
index 731253a5b9..0000000000
--- a/modules/recovery-services/vault/replication-alert-setting/main.json
+++ /dev/null
@@ -1,110 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9038487209624086059" - }, - "name": "Recovery Services Vault Replication Alert Settings", - "description": "This module deploys a Recovery Services Vault Replication Alert Settings.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "recoveryVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "defaultAlertSetting", - "metadata": { - "description": "Optional. The name of the replication Alert Setting." - } - }, - "customEmailAddresses": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Comma separated list of custom email address for sending alert emails." - } - }, - "locale": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The locale for the email notification." - } - }, - "sendToOwners": { - "type": "string", - "defaultValue": "Send", - "allowedValues": [ - "DoNotSend", - "Send" - ], - "metadata": { - "description": "Optional. The value indicating whether to send email to subscription administrator." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.RecoveryServices/vaults/replicationAlertSettings", - "apiVersion": "2022-10-01", - "name": "[format('{0}/{1}', parameters('recoveryVaultName'), parameters('name'))]", - "properties": { - "customEmailAddresses": "[if(not(empty(parameters('customEmailAddresses'))), parameters('customEmailAddresses'), null())]", - "locale": "[parameters('locale')]", - "sendToOwners": "[parameters('sendToOwners')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the replication Alert Setting." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the replication alert setting was created." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the replication alert setting." - }, - "value": "[resourceId('Microsoft.RecoveryServices/vaults/replicationAlertSettings', parameters('recoveryVaultName'), parameters('name'))]" - } - } -} \ No newline at end of file diff --git a/modules/recovery-services/vault/replication-alert-setting/version.json b/modules/recovery-services/vault/replication-alert-setting/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/recovery-services/vault/replication-alert-setting/version.json +++ /dev/null 
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/recovery-services/vault/replication-fabric/README.md b/modules/recovery-services/vault/replication-fabric/README.md
deleted file mode 100644
index 5b2a425fc5..0000000000
--- a/modules/recovery-services/vault/replication-fabric/README.md
+++ /dev/null
@@ -1,94 +0,0 @@
-# Recovery Services Vault Replication Fabrics `[Microsoft.RecoveryServices/vaults/replicationFabrics]`
-
-This module deploys a Replication Fabric for Azure to Azure disaster recovery scenario of Azure Site Recovery.
-
-> Note: this module currently support only the `instanceType: 'Azure'` scenario.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.RecoveryServices/vaults/replicationFabrics` | [2022-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-10-01/vaults/replicationFabrics) |
-| `Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers` | [2022-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-10-01/vaults/replicationFabrics/replicationProtectionContainers) |
-| `Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings` | [2022-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-10-01/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`location`](#parameter-location) | string | The recovery location the fabric represents. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`recoveryVaultName`](#parameter-recoveryvaultname) | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`name`](#parameter-name) | string | The name of the fabric. |
-| [`replicationContainers`](#parameter-replicationcontainers) | array | Replication containers to create. |
-
-### Parameter: `location`
-
-The recovery location the fabric represents.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-### Parameter: `recoveryVaultName`
-
-The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `name`
-
-The name of the fabric.
-
-- Required: No
-- Type: string
-- Default: `[parameters('location')]`
-
-### Parameter: `replicationContainers`
-
-Replication containers to create.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the replication fabric. |
-| `resourceGroupName` | string | The name of the resource group the replication fabric was created in. |
-| `resourceId` | string | The resource ID of the replication fabric. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/recovery-services/vault/replication-fabric/main.bicep b/modules/recovery-services/vault/replication-fabric/main.bicep
deleted file mode 100644
index d49d7ecd3a..0000000000
--- a/modules/recovery-services/vault/replication-fabric/main.bicep
+++ /dev/null
@@ -1,67 +0,0 @@
-metadata name = 'Recovery Services Vault Replication Fabrics'
-metadata description = '''This module deploys a Replication Fabric for Azure to Azure disaster recovery scenario of Azure Site Recovery.
-
-> Note: this module currently support only the `instanceType: 'Azure'` scenario.'''
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment.')
-param recoveryVaultName string
-
-@description('Required. The recovery location the fabric represents.')
-param location string = resourceGroup().location
-
-@description('Optional. The name of the fabric.')
-param name string = location
-
-@description('Optional. Replication containers to create.')
-param replicationContainers array = []
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}-rsvPolicy'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource replicationFabric 'Microsoft.RecoveryServices/vaults/replicationFabrics@2022-10-01' = {
- name: '${recoveryVaultName}/${name}'
- properties: {
- customDetails: {
- instanceType: 'Azure'
- location: location
- }
- }
-}
-
-module fabric_replicationContainers 'replication-protection-container/main.bicep' = [for (container, index) in replicationContainers: {
- name: '${deployment().name}-RCont-${index}'
- params: {
- name: container.name
- recoveryVaultName: recoveryVaultName
- replicationFabricName: name
- replicationContainerMappings: contains(container, 'replicationContainerMappings') ? container.replicationContainerMappings : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
- dependsOn: [
- replicationFabric
- ]
-}]
-
-@description('The name of the replication fabric.')
-output name string = replicationFabric.name
-
-@description('The resource ID of the replication fabric.')
-output resourceId string = replicationFabric.id
-
-@description('The name of the resource group the replication fabric was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/recovery-services/vault/replication-fabric/main.json b/modules/recovery-services/vault/replication-fabric/main.json
deleted file mode 100644
index 798663b16a..0000000000
--- a/modules/recovery-services/vault/replication-fabric/main.json
+++ /dev/null
@@ -1,415 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "141571686653146888" - }, - "name": "Recovery Services Vault Replication Fabrics", - "description": "This module deploys a Replication Fabric for Azure to Azure disaster recovery scenario of Azure Site Recovery.\n\n> Note: this module currently support only the `instanceType: 'Azure'` scenario.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "recoveryVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Required. The recovery location the fabric represents." - } - }, - "name": { - "type": "string", - "defaultValue": "[parameters('location')]", - "metadata": { - "description": "Optional. The name of the fabric." - } - }, - "replicationContainers": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Replication containers to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}-rsvPolicy', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.RecoveryServices/vaults/replicationFabrics", - "apiVersion": "2022-10-01", - "name": "[format('{0}/{1}', parameters('recoveryVaultName'), parameters('name'))]", - "properties": { - "customDetails": { - "instanceType": "Azure", - "location": "[parameters('location')]" - } - } - }, - { - "copy": { - "name": "fabric_replicationContainers", - "count": "[length(parameters('replicationContainers'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-RCont-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('replicationContainers')[copyIndex()].name]" - }, - "recoveryVaultName": { - "value": "[parameters('recoveryVaultName')]" - }, - "replicationFabricName": { - "value": "[parameters('name')]" - }, - "replicationContainerMappings": "[if(contains(parameters('replicationContainers')[copyIndex()], 'replicationContainerMappings'), createObject('value', parameters('replicationContainers')[copyIndex()].replicationContainerMappings), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": 
"1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10595314903369272974" - }, - "name": "Recovery Services Vault Replication Fabric Replication Protection Containers", - "description": "This module deploys a Recovery Services Vault Replication Protection Container.\n\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "recoveryVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment." - } - }, - "replicationFabricName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Replication Fabric. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the replication container." - } - }, - "replicationContainerMappings": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Replication containers mappings to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}-rsvPolicy', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers", - "apiVersion": "2022-10-01", - "name": "[format('{0}/{1}/{2}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('name'))]", - "properties": { - "providerSpecificInput": [ - { - "instanceType": "A2A" - } - ] - } - }, - { - "copy": { - "name": "fabric_container_containerMappings", - "count": "[length(parameters('replicationContainerMappings'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Map-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'name'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].name), createObject('value', ''))]", - "policyId": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'policyId'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].policyId), createObject('value', ''))]", - "policyName": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'policyName'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].policyName), createObject('value', ''))]", - "recoveryVaultName": { - "value": 
"[parameters('recoveryVaultName')]" - }, - "replicationFabricName": { - "value": "[parameters('replicationFabricName')]" - }, - "sourceProtectionContainerName": { - "value": "[parameters('name')]" - }, - "targetProtectionContainerId": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'targetProtectionContainerId'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].targetProtectionContainerId), createObject('value', ''))]", - "targetContainerFabricName": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'targetContainerFabricName'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].targetContainerFabricName), createObject('value', parameters('replicationFabricName')))]", - "targetContainerName": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'targetContainerName'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].targetContainerName), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13334445778984042102" - }, - "name": "Recovery Services Vault Replication Fabric Replication Protection Container Replication Protection Container Mappings", - "description": "This module deploys a Recovery Services Vault (RSV) Replication Protection Container Mapping.\n\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "recoveryVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Azure Recovery Service Vault. 
Required if the template is used in a standalone deployment." - } - }, - "replicationFabricName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Replication Fabric. Required if the template is used in a standalone deployment." - } - }, - "sourceProtectionContainerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent source Replication container. Required if the template is used in a standalone deployment." - } - }, - "targetProtectionContainerId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the target Replication container. Must be specified if targetContainerName is not. If specified, targetContainerFabricName and targetContainerName will be ignored." - } - }, - "targetContainerFabricName": { - "type": "string", - "defaultValue": "[parameters('replicationFabricName')]", - "metadata": { - "description": "Optional. Name of the fabric containing the target container. If targetProtectionContainerId is specified, this parameter will be ignored." - } - }, - "targetContainerName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the target container. Must be specified if targetProtectionContainerId is not. If targetProtectionContainerId is specified, this parameter will be ignored." - } - }, - "policyId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the replication policy. If defined, policyName will be ignored." - } - }, - "policyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the replication policy. Will be ignored if policyId is also specified." - } - }, - "name": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the replication container mapping. If not provided, it will be automatically generated as `-`." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "policyResourceId": "[if(not(equals(parameters('policyId'), '')), parameters('policyId'), subscriptionResourceId('Microsoft.RecoveryServices/vaults/replicationPolicies', parameters('recoveryVaultName'), parameters('policyName')))]", - "targetProtectionContainerResourceId": "[if(not(equals(parameters('targetProtectionContainerId'), '')), parameters('targetProtectionContainerId'), subscriptionResourceId('Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers', parameters('recoveryVaultName'), parameters('targetContainerFabricName'), parameters('targetContainerName')))]", - "mappingName": "[if(not(empty(parameters('name'))), parameters('name'), format('{0}-{1}', parameters('sourceProtectionContainerName'), split(variables('targetProtectionContainerResourceId'), '/')[10]))]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}-rsvPolicy', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings", - "apiVersion": "2022-10-01", - "name": "[format('{0}/{1}/{2}/{3}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('sourceProtectionContainerName'), variables('mappingName'))]", - "properties": { - "targetProtectionContainerId": "[variables('targetProtectionContainerResourceId')]", - "policyId": 
"[variables('policyResourceId')]", - "providerSpecificInput": { - "instanceType": "A2A" - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the replication container." - }, - "value": "[format('{0}/{1}/{2}/{3}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('sourceProtectionContainerName'), variables('mappingName'))]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the replication container." - }, - "value": "[resourceId('Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings', split(format('{0}/{1}/{2}/{3}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('sourceProtectionContainerName'), variables('mappingName')), '/')[0], split(format('{0}/{1}/{2}/{3}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('sourceProtectionContainerName'), variables('mappingName')), '/')[1], split(format('{0}/{1}/{2}/{3}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('sourceProtectionContainerName'), variables('mappingName')), '/')[2], split(format('{0}/{1}/{2}/{3}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('sourceProtectionContainerName'), variables('mappingName')), '/')[3])]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the replication container was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "[resourceId('Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers', split(format('{0}/{1}/{2}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('name')), '/')[0], split(format('{0}/{1}/{2}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('name')), '/')[1], split(format('{0}/{1}/{2}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('name')), '/')[2])]" - ] - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the replication container." - }, - "value": "[format('{0}/{1}/{2}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('name'))]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the replication container." - }, - "value": "[resourceId('Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers', split(format('{0}/{1}/{2}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('name')), '/')[0], split(format('{0}/{1}/{2}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('name')), '/')[1], split(format('{0}/{1}/{2}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('name')), '/')[2])]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the replication container was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "[resourceId('Microsoft.RecoveryServices/vaults/replicationFabrics', split(format('{0}/{1}', parameters('recoveryVaultName'), parameters('name')), '/')[0], split(format('{0}/{1}', parameters('recoveryVaultName'), parameters('name')), '/')[1])]" - ] - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the replication fabric." - }, - "value": "[format('{0}/{1}', parameters('recoveryVaultName'), parameters('name'))]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the replication fabric." - }, - "value": "[resourceId('Microsoft.RecoveryServices/vaults/replicationFabrics', split(format('{0}/{1}', parameters('recoveryVaultName'), parameters('name')), '/')[0], split(format('{0}/{1}', parameters('recoveryVaultName'), parameters('name')), '/')[1])]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the replication fabric was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/recovery-services/vault/replication-fabric/replication-protection-container/README.md b/modules/recovery-services/vault/replication-fabric/replication-protection-container/README.md deleted file mode 100644 index 6869b51b00..0000000000 --- a/modules/recovery-services/vault/replication-fabric/replication-protection-container/README.md +++ /dev/null 
@@ -1,91 +0,0 @@
-# Recovery Services Vault Replication Fabric Replication Protection Containers `[Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers]`
-
-This module deploys a Recovery Services Vault Replication Protection Container.
-
-> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers` | [2022-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-10-01/vaults/replicationFabrics/replicationProtectionContainers) |
-| `Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings` | [2022-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-10-01/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the replication container. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`recoveryVaultName`](#parameter-recoveryvaultname) | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. |
-| [`replicationFabricName`](#parameter-replicationfabricname) | string | The name of the parent Replication Fabric. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`replicationContainerMappings`](#parameter-replicationcontainermappings) | array | Replication containers mappings to create. |
-
-### Parameter: `name`
-
-The name of the replication container.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `recoveryVaultName`
-
-The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `replicationFabricName`
-
-The name of the parent Replication Fabric. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `replicationContainerMappings`
-
-Replication containers mappings to create.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the replication container. |
-| `resourceGroupName` | string | The name of the resource group the replication container was created in. |
-| `resourceId` | string | The resource ID of the replication container. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/recovery-services/vault/replication-fabric/replication-protection-container/main.bicep b/modules/recovery-services/vault/replication-fabric/replication-protection-container/main.bicep
deleted file mode 100644
index 27bcca2023..0000000000
--- a/modules/recovery-services/vault/replication-fabric/replication-protection-container/main.bicep
+++ /dev/null
@@ -1,73 +0,0 @@
-metadata name = 'Recovery Services Vault Replication Fabric Replication Protection Containers'
-metadata description = '''This module deploys a Recovery Services Vault Replication Protection Container.
-
-> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.'''
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment.')
-param recoveryVaultName string
-
-@description('Conditional. The name of the parent Replication Fabric. Required if the template is used in a standalone deployment.')
-param replicationFabricName string
-
-@description('Required. The name of the replication container.')
-param name string
-
-@description('Optional. Replication containers mappings to create.')
-param replicationContainerMappings array = []
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}-rsvPolicy'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource replicationContainer 'Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers@2022-10-01' = {
- name: '${recoveryVaultName}/${replicationFabricName}/${name}'
- properties: {
- providerSpecificInput: [
- {
- instanceType: 'A2A'
- }
- ]
- }
-}
-
-module fabric_container_containerMappings 'replication-protection-container-mapping/main.bicep' = [for (mapping, index) in replicationContainerMappings: {
- name: '${deployment().name}-Map-${index}'
- params: {
- name: contains(mapping, 'name') ? mapping.name : ''
- policyId: contains(mapping, 'policyId') ? mapping.policyId : ''
- policyName: contains(mapping, 'policyName') ? mapping.policyName : ''
- recoveryVaultName: recoveryVaultName
- replicationFabricName: replicationFabricName
- sourceProtectionContainerName: name
- targetProtectionContainerId: contains(mapping, 'targetProtectionContainerId') ? mapping.targetProtectionContainerId : ''
- targetContainerFabricName: contains(mapping, 'targetContainerFabricName') ? mapping.targetContainerFabricName : replicationFabricName
- targetContainerName: contains(mapping, 'targetContainerName') ? mapping.targetContainerName : ''
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
- dependsOn: [
- replicationContainer
- ]
-}]
-
-@description('The name of the replication container.')
-output name string = replicationContainer.name
-
-@description('The resource ID of the replication container.')
-output resourceId string = replicationContainer.id
-
-@description('The name of the resource group the replication container was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/recovery-services/vault/replication-fabric/replication-protection-container/main.json b/modules/recovery-services/vault/replication-fabric/replication-protection-container/main.json
deleted file mode 100644
index 70d1d4f6bc..0000000000
--- a/modules/recovery-services/vault/replication-fabric/replication-protection-container/main.json
+++ /dev/null
@@ -1,279 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10595314903369272974" - }, - "name": "Recovery Services Vault Replication Fabric Replication Protection Containers", - "description": "This module deploys a Recovery Services Vault Replication Protection Container.\n\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "recoveryVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment." - } - }, - "replicationFabricName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Replication Fabric. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the replication container." - } - }, - "replicationContainerMappings": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Replication containers mappings to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}-rsvPolicy', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers", - "apiVersion": "2022-10-01", - "name": "[format('{0}/{1}/{2}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('name'))]", - "properties": { - "providerSpecificInput": [ - { - "instanceType": "A2A" - } - ] - } - }, - { - "copy": { - "name": "fabric_container_containerMappings", - "count": "[length(parameters('replicationContainerMappings'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Map-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'name'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].name), createObject('value', ''))]", - "policyId": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'policyId'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].policyId), createObject('value', ''))]", - "policyName": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'policyName'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].policyName), createObject('value', ''))]", - "recoveryVaultName": { - "value": 
"[parameters('recoveryVaultName')]" - }, - "replicationFabricName": { - "value": "[parameters('replicationFabricName')]" - }, - "sourceProtectionContainerName": { - "value": "[parameters('name')]" - }, - "targetProtectionContainerId": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'targetProtectionContainerId'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].targetProtectionContainerId), createObject('value', ''))]", - "targetContainerFabricName": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'targetContainerFabricName'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].targetContainerFabricName), createObject('value', parameters('replicationFabricName')))]", - "targetContainerName": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'targetContainerName'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].targetContainerName), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13334445778984042102" - }, - "name": "Recovery Services Vault Replication Fabric Replication Protection Container Replication Protection Container Mappings", - "description": "This module deploys a Recovery Services Vault (RSV) Replication Protection Container Mapping.\n\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "recoveryVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Azure Recovery Service Vault. 
Required if the template is used in a standalone deployment." - } - }, - "replicationFabricName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Replication Fabric. Required if the template is used in a standalone deployment." - } - }, - "sourceProtectionContainerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent source Replication container. Required if the template is used in a standalone deployment." - } - }, - "targetProtectionContainerId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the target Replication container. Must be specified if targetContainerName is not. If specified, targetContainerFabricName and targetContainerName will be ignored." - } - }, - "targetContainerFabricName": { - "type": "string", - "defaultValue": "[parameters('replicationFabricName')]", - "metadata": { - "description": "Optional. Name of the fabric containing the target container. If targetProtectionContainerId is specified, this parameter will be ignored." - } - }, - "targetContainerName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the target container. Must be specified if targetProtectionContainerId is not. If targetProtectionContainerId is specified, this parameter will be ignored." - } - }, - "policyId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the replication policy. If defined, policyName will be ignored." - } - }, - "policyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the replication policy. Will be ignored if policyId is also specified." - } - }, - "name": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the replication container mapping. If not provided, it will be automatically generated as `-`." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "policyResourceId": "[if(not(equals(parameters('policyId'), '')), parameters('policyId'), subscriptionResourceId('Microsoft.RecoveryServices/vaults/replicationPolicies', parameters('recoveryVaultName'), parameters('policyName')))]", - "targetProtectionContainerResourceId": "[if(not(equals(parameters('targetProtectionContainerId'), '')), parameters('targetProtectionContainerId'), subscriptionResourceId('Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers', parameters('recoveryVaultName'), parameters('targetContainerFabricName'), parameters('targetContainerName')))]", - "mappingName": "[if(not(empty(parameters('name'))), parameters('name'), format('{0}-{1}', parameters('sourceProtectionContainerName'), split(variables('targetProtectionContainerResourceId'), '/')[10]))]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}-rsvPolicy', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings", - "apiVersion": "2022-10-01", - "name": "[format('{0}/{1}/{2}/{3}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('sourceProtectionContainerName'), variables('mappingName'))]", - "properties": { - "targetProtectionContainerId": "[variables('targetProtectionContainerResourceId')]", - "policyId": 
"[variables('policyResourceId')]", - "providerSpecificInput": { - "instanceType": "A2A" - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the replication container." - }, - "value": "[format('{0}/{1}/{2}/{3}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('sourceProtectionContainerName'), variables('mappingName'))]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the replication container." - }, - "value": "[resourceId('Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings', split(format('{0}/{1}/{2}/{3}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('sourceProtectionContainerName'), variables('mappingName')), '/')[0], split(format('{0}/{1}/{2}/{3}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('sourceProtectionContainerName'), variables('mappingName')), '/')[1], split(format('{0}/{1}/{2}/{3}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('sourceProtectionContainerName'), variables('mappingName')), '/')[2], split(format('{0}/{1}/{2}/{3}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('sourceProtectionContainerName'), variables('mappingName')), '/')[3])]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the replication container was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "[resourceId('Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers', split(format('{0}/{1}/{2}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('name')), '/')[0], split(format('{0}/{1}/{2}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('name')), '/')[1], split(format('{0}/{1}/{2}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('name')), '/')[2])]" - ] - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the replication container." - }, - "value": "[format('{0}/{1}/{2}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('name'))]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the replication container." - }, - "value": "[resourceId('Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers', split(format('{0}/{1}/{2}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('name')), '/')[0], split(format('{0}/{1}/{2}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('name')), '/')[1], split(format('{0}/{1}/{2}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('name')), '/')[2])]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the replication container was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file 
diff --git a/modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/README.md b/modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/README.md
deleted file mode 100644
index f353db55e2..0000000000
--- a/modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/README.md
+++ /dev/null
@@ -1,130 +0,0 @@
-# Recovery Services Vault Replication Fabric Replication Protection Container Replication Protection Container Mappings `[Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings]`
-
-This module deploys a Recovery Services Vault (RSV) Replication Protection Container Mapping.
-
-> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings` | [2022-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-10-01/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings) |
-
-## Parameters
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`recoveryVaultName`](#parameter-recoveryvaultname) | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. |
-| [`replicationFabricName`](#parameter-replicationfabricname) | string | The name of the parent Replication Fabric. Required if the template is used in a standalone deployment. |
-| [`sourceProtectionContainerName`](#parameter-sourceprotectioncontainername) | string | The name of the parent source Replication container. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`name`](#parameter-name) | string | The name of the replication container mapping. If not provided, it will be automatically generated as `-`. |
-| [`policyId`](#parameter-policyid) | string | Resource ID of the replication policy. If defined, policyName will be ignored. |
-| [`policyName`](#parameter-policyname) | string | Name of the replication policy. Will be ignored if policyId is also specified. |
-| [`targetContainerFabricName`](#parameter-targetcontainerfabricname) | string | Name of the fabric containing the target container. If targetProtectionContainerId is specified, this parameter will be ignored. |
-| [`targetContainerName`](#parameter-targetcontainername) | string | Name of the target container. Must be specified if targetProtectionContainerId is not. If targetProtectionContainerId is specified, this parameter will be ignored. |
-| [`targetProtectionContainerId`](#parameter-targetprotectioncontainerid) | string | Resource ID of the target Replication container. Must be specified if targetContainerName is not. If specified, targetContainerFabricName and targetContainerName will be ignored. |
-
-### Parameter: `recoveryVaultName`
-
-The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `replicationFabricName`
-
-The name of the parent Replication Fabric. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `sourceProtectionContainerName`
-
-The name of the parent source Replication container. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `name`
-
-The name of the replication container mapping. If not provided, it will be automatically generated as `-`.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `policyId`
-
-Resource ID of the replication policy. If defined, policyName will be ignored.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `policyName`
-
-Name of the replication policy. Will be ignored if policyId is also specified.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `targetContainerFabricName`
-
-Name of the fabric containing the target container. If targetProtectionContainerId is specified, this parameter will be ignored.
-
-- Required: No
-- Type: string
-- Default: `[parameters('replicationFabricName')]`
-
-### Parameter: `targetContainerName`
-
-Name of the target container. Must be specified if targetProtectionContainerId is not. If targetProtectionContainerId is specified, this parameter will be ignored.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `targetProtectionContainerId`
-
-Resource ID of the target Replication container. Must be specified if targetContainerName is not. If specified, targetContainerFabricName and targetContainerName will be ignored.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the replication container. |
-| `resourceGroupName` | string | The name of the resource group the replication container was created in. |
-| `resourceId` | string | The resource ID of the replication container. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/main.bicep b/modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/main.bicep
deleted file mode 100644
index 1ad80f5bf3..0000000000
--- a/modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/main.bicep
+++ /dev/null
@@ -1,71 +0,0 @@
-metadata name = 'Recovery Services Vault Replication Fabric Replication Protection Container Replication Protection Container Mappings'
-metadata description = '''This module deploys a Recovery Services Vault (RSV) Replication Protection Container Mapping.
-
-> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.'''
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment.')
-param recoveryVaultName string
-
-@description('Conditional. The name of the parent Replication Fabric. Required if the template is used in a standalone deployment.')
-param replicationFabricName string
-
-@description('Conditional. The name of the parent source Replication container. Required if the template is used in a standalone deployment.')
-param sourceProtectionContainerName string
-
-@description('Optional. Resource ID of the target Replication container. Must be specified if targetContainerName is not. If specified, targetContainerFabricName and targetContainerName will be ignored.')
-param targetProtectionContainerId string = ''
-
-@description('Optional. Name of the fabric containing the target container. If targetProtectionContainerId is specified, this parameter will be ignored.')
-param targetContainerFabricName string = replicationFabricName
-
-@description('Optional. Name of the target container. Must be specified if targetProtectionContainerId is not. If targetProtectionContainerId is specified, this parameter will be ignored.')
-param targetContainerName string = ''
-
-@description('Optional. Resource ID of the replication policy. If defined, policyName will be ignored.')
-param policyId string = ''
-
-@description('Optional. Name of the replication policy. Will be ignored if policyId is also specified.')
-param policyName string = ''
-
-@description('Optional. The name of the replication container mapping. If not provided, it will be automatically generated as `-`.')
-param name string = ''
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var policyResourceId = policyId != '' ? policyId : subscriptionResourceId('Microsoft.RecoveryServices/vaults/replicationPolicies', recoveryVaultName, policyName)
-var targetProtectionContainerResourceId = targetProtectionContainerId != '' ? targetProtectionContainerId : subscriptionResourceId('Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers', recoveryVaultName, targetContainerFabricName, targetContainerName)
-var mappingName = !empty(name) ? name : '${sourceProtectionContainerName}-${split(targetProtectionContainerResourceId, '/')[10]}'
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}-rsvPolicy'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource replicationContainer 'Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings@2022-10-01' = {
- name: '${recoveryVaultName}/${replicationFabricName}/${sourceProtectionContainerName}/${mappingName}'
- properties: {
- targetProtectionContainerId: targetProtectionContainerResourceId
- policyId: policyResourceId
- providerSpecificInput: {
- instanceType: 'A2A'
- }
- }
-}
-
-@description('The name of the replication container.')
-output name string = replicationContainer.name
-
-@description('The resource ID of the replication container.')
-output resourceId string = replicationContainer.id
-
-@description('The name of the resource group the replication container was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/main.json b/modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/main.json
deleted file mode 100644
index 89ab6e740e..0000000000
--- a/modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/main.json
+++ /dev/null
@@ -1,139 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13334445778984042102" - }, - "name": "Recovery Services Vault Replication Fabric Replication Protection Container Replication Protection Container Mappings", - "description": "This module deploys a Recovery Services Vault (RSV) Replication Protection Container Mapping.\n\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "recoveryVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment." - } - }, - "replicationFabricName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Replication Fabric. Required if the template is used in a standalone deployment." - } - }, - "sourceProtectionContainerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent source Replication container. Required if the template is used in a standalone deployment." - } - }, - "targetProtectionContainerId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the target Replication container. Must be specified if targetContainerName is not. If specified, targetContainerFabricName and targetContainerName will be ignored." - } - }, - "targetContainerFabricName": { - "type": "string", - "defaultValue": "[parameters('replicationFabricName')]", - "metadata": { - "description": "Optional. Name of the fabric containing the target container. If targetProtectionContainerId is specified, this parameter will be ignored." 
- } - }, - "targetContainerName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the target container. Must be specified if targetProtectionContainerId is not. If targetProtectionContainerId is specified, this parameter will be ignored." - } - }, - "policyId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the replication policy. If defined, policyName will be ignored." - } - }, - "policyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the replication policy. Will be ignored if policyId is also specified." - } - }, - "name": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the replication container mapping. If not provided, it will be automatically generated as `-`." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "policyResourceId": "[if(not(equals(parameters('policyId'), '')), parameters('policyId'), subscriptionResourceId('Microsoft.RecoveryServices/vaults/replicationPolicies', parameters('recoveryVaultName'), parameters('policyName')))]", - "targetProtectionContainerResourceId": "[if(not(equals(parameters('targetProtectionContainerId'), '')), parameters('targetProtectionContainerId'), subscriptionResourceId('Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers', parameters('recoveryVaultName'), parameters('targetContainerFabricName'), parameters('targetContainerName')))]", - "mappingName": "[if(not(empty(parameters('name'))), parameters('name'), format('{0}-{1}', parameters('sourceProtectionContainerName'), split(variables('targetProtectionContainerResourceId'), '/')[10]))]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}-rsvPolicy', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings", - "apiVersion": "2022-10-01", - "name": "[format('{0}/{1}/{2}/{3}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('sourceProtectionContainerName'), variables('mappingName'))]", - "properties": { - "targetProtectionContainerId": "[variables('targetProtectionContainerResourceId')]", - "policyId": "[variables('policyResourceId')]", - "providerSpecificInput": { - "instanceType": "A2A" - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name 
of the replication container." - }, - "value": "[format('{0}/{1}/{2}/{3}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('sourceProtectionContainerName'), variables('mappingName'))]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the replication container." - }, - "value": "[resourceId('Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings', split(format('{0}/{1}/{2}/{3}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('sourceProtectionContainerName'), variables('mappingName')), '/')[0], split(format('{0}/{1}/{2}/{3}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('sourceProtectionContainerName'), variables('mappingName')), '/')[1], split(format('{0}/{1}/{2}/{3}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('sourceProtectionContainerName'), variables('mappingName')), '/')[2], split(format('{0}/{1}/{2}/{3}', parameters('recoveryVaultName'), parameters('replicationFabricName'), parameters('sourceProtectionContainerName'), variables('mappingName')), '/')[3])]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the replication container was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/version.json b/modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/version.json +++ /dev/null 
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/recovery-services/vault/replication-fabric/replication-protection-container/version.json b/modules/recovery-services/vault/replication-fabric/replication-protection-container/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/recovery-services/vault/replication-fabric/replication-protection-container/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/recovery-services/vault/replication-fabric/version.json b/modules/recovery-services/vault/replication-fabric/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/recovery-services/vault/replication-fabric/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/recovery-services/vault/replication-policy/README.md b/modules/recovery-services/vault/replication-policy/README.md
deleted file mode 100644
index d7b8fab197..0000000000
--- a/modules/recovery-services/vault/replication-policy/README.md
+++ /dev/null
@@ -1,116 +0,0 @@ -# Recovery Services Vault Replication Policies `[Microsoft.RecoveryServices/vaults/replicationPolicies]` - -This module deploys a Recovery Services Vault Replication Policy for Disaster Recovery scenario. - -> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.RecoveryServices/vaults/replicationPolicies` | [2022-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-10-01/vaults/replicationPolicies) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the replication policy. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`recoveryVaultName`](#parameter-recoveryvaultname) | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`appConsistentFrequencyInMinutes`](#parameter-appconsistentfrequencyinminutes) | int | The app consistent snapshot frequency (in minutes). | -| [`crashConsistentFrequencyInMinutes`](#parameter-crashconsistentfrequencyinminutes) | int | The crash consistent snapshot frequency (in minutes). | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`multiVmSyncStatus`](#parameter-multivmsyncstatus) | string | A value indicating whether multi-VM sync has to be enabled. | -| [`recoveryPointHistory`](#parameter-recoverypointhistory) | int | The duration in minutes until which the recovery points need to be stored. 
| - -### Parameter: `name` - -The name of the replication policy. - -- Required: Yes -- Type: string - -### Parameter: `recoveryVaultName` - -The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `appConsistentFrequencyInMinutes` - -The app consistent snapshot frequency (in minutes). - -- Required: No -- Type: int -- Default: `60` - -### Parameter: `crashConsistentFrequencyInMinutes` - -The crash consistent snapshot frequency (in minutes). - -- Required: No -- Type: int -- Default: `5` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `multiVmSyncStatus` - -A value indicating whether multi-VM sync has to be enabled. - -- Required: No -- Type: string -- Default: `'Enable'` -- Allowed: - ```Bicep - [ - 'Disable' - 'Enable' - ] - ``` - -### Parameter: `recoveryPointHistory` - -The duration in minutes until which the recovery points need to be stored. - -- Required: No -- Type: int -- Default: `1440` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the replication policy. | -| `resourceGroupName` | string | The name of the resource group the replication policy was created in. | -| `resourceId` | string | The resource ID of the replication policy. | - -## Cross-referenced modules - -_None_ diff --git a/modules/recovery-services/vault/replication-policy/main.bicep b/modules/recovery-services/vault/replication-policy/main.bicep deleted file mode 100644 index 0e36f9212b..0000000000 --- a/modules/recovery-services/vault/replication-policy/main.bicep +++ /dev/null 
@@ -1,63 +0,0 @@
-metadata name = 'Recovery Services Vault Replication Policies'
-metadata description = '''This module deploys a Recovery Services Vault Replication Policy for Disaster Recovery scenario.
-
-> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.'''
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment.')
-param recoveryVaultName string
-
-@description('Required. The name of the replication policy.')
-param name string
-
-@description('Optional. The app consistent snapshot frequency (in minutes).')
-param appConsistentFrequencyInMinutes int = 60
-
-@description('Optional. The crash consistent snapshot frequency (in minutes).')
-param crashConsistentFrequencyInMinutes int = 5
-
-@description('Optional. A value indicating whether multi-VM sync has to be enabled.')
-@allowed([
- 'Enable'
- 'Disable'
-])
-param multiVmSyncStatus string = 'Enable'
-
-@description('Optional. The duration in minutes until which the recovery points need to be stored.')
-param recoveryPointHistory int = 1440
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}-rsvPolicy'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource replicationPolicy 'Microsoft.RecoveryServices/vaults/replicationPolicies@2022-10-01' = {
- name: '${recoveryVaultName}/${name}'
- properties: {
- providerSpecificInput: {
- instanceType: 'A2A'
- appConsistentFrequencyInMinutes: appConsistentFrequencyInMinutes
- crashConsistentFrequencyInMinutes: crashConsistentFrequencyInMinutes
- multiVmSyncStatus: multiVmSyncStatus
- recoveryPointHistory: recoveryPointHistory
- }
- }
-}
-@description('The name of the replication policy.')
-output name string = replicationPolicy.name
-
-@description('The resource ID of the replication policy.')
-output resourceId string = replicationPolicy.id
-
-@description('The name of the resource group the replication policy was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/recovery-services/vault/replication-policy/main.json b/modules/recovery-services/vault/replication-policy/main.json
deleted file mode 100644
index 2c1c8d1b93..0000000000
--- a/modules/recovery-services/vault/replication-policy/main.json
+++ /dev/null
@@ -1,120 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "7511225868129156252" - }, - "name": "Recovery Services Vault Replication Policies", - "description": "This module deploys a Recovery Services Vault Replication Policy for Disaster Recovery scenario.\n\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "recoveryVaultName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the replication policy." - } - }, - "appConsistentFrequencyInMinutes": { - "type": "int", - "defaultValue": 60, - "metadata": { - "description": "Optional. The app consistent snapshot frequency (in minutes)." - } - }, - "crashConsistentFrequencyInMinutes": { - "type": "int", - "defaultValue": 5, - "metadata": { - "description": "Optional. The crash consistent snapshot frequency (in minutes)." - } - }, - "multiVmSyncStatus": { - "type": "string", - "defaultValue": "Enable", - "allowedValues": [ - "Enable", - "Disable" - ], - "metadata": { - "description": "Optional. A value indicating whether multi-VM sync has to be enabled." - } - }, - "recoveryPointHistory": { - "type": "int", - "defaultValue": 1440, - "metadata": { - "description": "Optional. The duration in minutes until which the recovery points need to be stored." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}-rsvPolicy', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.RecoveryServices/vaults/replicationPolicies", - "apiVersion": "2022-10-01", - "name": "[format('{0}/{1}', parameters('recoveryVaultName'), parameters('name'))]", - "properties": { - "providerSpecificInput": { - "instanceType": "A2A", - "appConsistentFrequencyInMinutes": "[parameters('appConsistentFrequencyInMinutes')]", - "crashConsistentFrequencyInMinutes": "[parameters('crashConsistentFrequencyInMinutes')]", - "multiVmSyncStatus": "[parameters('multiVmSyncStatus')]", - "recoveryPointHistory": "[parameters('recoveryPointHistory')]" - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the replication policy." - }, - "value": "[format('{0}/{1}', parameters('recoveryVaultName'), parameters('name'))]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the replication policy." - }, - "value": "[resourceId('Microsoft.RecoveryServices/vaults/replicationPolicies', split(format('{0}/{1}', parameters('recoveryVaultName'), parameters('name')), '/')[0], split(format('{0}/{1}', parameters('recoveryVaultName'), parameters('name')), '/')[1])]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the replication policy was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file 
diff --git a/modules/recovery-services/vault/replication-policy/version.json b/modules/recovery-services/vault/replication-policy/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/recovery-services/vault/replication-policy/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/recovery-services/vault/tests/e2e/defaults/main.test.bicep b/modules/recovery-services/vault/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index 8b9f40bfcb..0000000000
--- a/modules/recovery-services/vault/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-recoveryservices.vaults-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'rsvmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/recovery-services/vault/tests/e2e/dr/main.test.bicep b/modules/recovery-services/vault/tests/e2e/dr/main.test.bicep
deleted file mode 100644
index c76d0f632e..0000000000
--- a/modules/recovery-services/vault/tests/e2e/dr/main.test.bicep
+++ /dev/null
@@ -1,106 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-recoveryservices.vaults-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'rsvdr'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-var rsvName = '${namePrefix}${serviceShort}001'
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: rsvName
- replicationFabrics: [
- {
- location: 'NorthEurope'
- replicationContainers: [
- {
- name: 'ne-container1'
- replicationContainerMappings: [
- {
- policyName: 'Default_values'
- targetContainerName: 'pluto'
- targetProtectionContainerId: '${resourceGroup.id}/providers/Microsoft.RecoveryServices/vaults/${rsvName}/replicationFabrics/NorthEurope/replicationProtectionContainers/ne-container2'
- }
- ]
- }
- {
- name: 'ne-container2'
- replicationContainerMappings: [
- {
- policyName: 'Default_values'
- targetContainerFabricName: 'WE-2'
- targetContainerName: 'we-container1'
- }
- ]
- }
- ]
- }
- {
- location: 'WestEurope'
- name: 'WE-2'
- replicationContainers: [
- {
- name: 'we-container1'
- replicationContainerMappings: [
- {
- policyName: 'Default_values'
- targetContainerFabricName: 'NorthEurope'
- targetContainerName: 'ne-container2'
- }
- ]
- }
- ]
- }
- ]
- replicationPolicies: [
- {
- name: 'Default_values'
- }
- {
- appConsistentFrequencyInMinutes: 240
- crashConsistentFrequencyInMinutes: 7
- multiVmSyncStatus: 'Disable'
- name: 'Custom_values'
- recoveryPointHistory: 2880
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/recovery-services/vault/tests/e2e/max/dependencies.bicep b/modules/recovery-services/vault/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 12b8653f54..0000000000
--- a/modules/recovery-services/vault/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,63 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.siterecovery.windowsazure.com'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/recovery-services/vault/tests/e2e/max/main.test.bicep b/modules/recovery-services/vault/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 0e78cb6064..0000000000
--- a/modules/recovery-services/vault/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,389 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-recoveryservices.vaults-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'rsvmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- backupConfig: {
- enhancedSecurityState: 'Disabled'
- softDeleteFeatureState: 'Disabled'
- }
- backupPolicies: [
- {
- name: 'VMpolicy'
- properties: {
- backupManagementType: 'AzureIaasVM'
- instantRPDetails: {}
- instantRpRetentionRangeInDays: 2
- protectedItemsCount: 0
- retentionPolicy: {
- dailySchedule: {
- retentionDuration: {
- count: 180
- durationType: 'Days'
- }
- retentionTimes: [
- '2019-11-07T07:00:00Z'
- ]
- }
- monthlySchedule: {
- retentionDuration: {
- count: 60
- durationType: 'Months'
- }
- retentionScheduleFormatType: 'Weekly'
- retentionScheduleWeekly: {
- daysOfTheWeek: [
- 'Sunday'
- ]
- weeksOfTheMonth: [
- 'First'
- ]
- }
- retentionTimes: [
- '2019-11-07T07:00:00Z'
- ]
- }
- retentionPolicyType: 'LongTermRetentionPolicy'
- weeklySchedule: {
- daysOfTheWeek: [
- 'Sunday'
- ]
- retentionDuration: {
- count: 12
- durationType: 'Weeks'
- }
- retentionTimes: [
- '2019-11-07T07:00:00Z'
- ]
- }
- yearlySchedule: {
- monthsOfYear: [
- 'January'
- ]
- retentionDuration: {
- count: 10
- durationType: 'Years'
- }
- retentionScheduleFormatType: 'Weekly'
- retentionScheduleWeekly: {
- daysOfTheWeek: [
- 'Sunday'
- ]
- weeksOfTheMonth: [
- 'First'
- ]
- }
- retentionTimes: [
- '2019-11-07T07:00:00Z'
- ]
- }
- }
- schedulePolicy: {
- schedulePolicyType: 'SimpleSchedulePolicy'
- scheduleRunFrequency: 'Daily'
- scheduleRunTimes: [
- '2019-11-07T07:00:00Z'
- ]
- scheduleWeeklyFrequency: 0
- }
- timeZone: 'UTC'
- }
- }
- {
- name: 'sqlpolicy'
- properties: {
- backupManagementType: 'AzureWorkload'
- protectedItemsCount: 0
- settings: {
- isCompression: true
- issqlcompression: true
- timeZone: 'UTC'
- }
- subProtectionPolicy: [
- {
- policyType: 'Full'
- retentionPolicy: {
- monthlySchedule: {
- retentionDuration: {
- count: 60
- durationType: 'Months'
- }
- retentionScheduleFormatType: 'Weekly'
- retentionScheduleWeekly: {
- daysOfTheWeek: [
- 'Sunday'
- ]
- weeksOfTheMonth: [
- 'First'
- ]
- }
- retentionTimes: [
- '2019-11-07T22:00:00Z'
- ]
- }
- retentionPolicyType: 'LongTermRetentionPolicy'
- weeklySchedule: {
- daysOfTheWeek: [
- 'Sunday'
- ]
- retentionDuration: {
- count: 104
- durationType: 'Weeks'
- }
- retentionTimes: [
- '2019-11-07T22:00:00Z'
- ]
- }
- yearlySchedule: {
- monthsOfYear: [
- 'January'
- ]
- retentionDuration: {
- count: 10
- durationType: 'Years'
- }
- retentionScheduleFormatType: 'Weekly'
- retentionScheduleWeekly: {
- daysOfTheWeek: [
- 'Sunday'
- ]
- weeksOfTheMonth: [
- 'First'
- ]
- }
- retentionTimes: [
- '2019-11-07T22:00:00Z'
- ]
- }
- }
- schedulePolicy: {
- schedulePolicyType: 'SimpleSchedulePolicy'
- scheduleRunDays: [
- 'Sunday'
- ]
- scheduleRunFrequency: 'Weekly'
- scheduleRunTimes: [
- '2019-11-07T22:00:00Z'
- ]
- scheduleWeeklyFrequency: 0
- }
- }
- {
- policyType: 'Differential'
- retentionPolicy: {
- retentionDuration: {
- count: 30
- durationType: 'Days'
- }
- retentionPolicyType: 'SimpleRetentionPolicy'
- }
- schedulePolicy: {
- schedulePolicyType: 'SimpleSchedulePolicy'
- scheduleRunDays: [
- 'Monday'
- ]
- scheduleRunFrequency: 'Weekly'
- scheduleRunTimes: [
- '2017-03-07T02:00:00Z'
- ]
- scheduleWeeklyFrequency: 0
- }
- }
- {
- policyType: 'Log'
- retentionPolicy: {
- retentionDuration: {
- count: 15
- durationType: 'Days'
- }
- retentionPolicyType: 'SimpleRetentionPolicy'
- }
- schedulePolicy: {
- scheduleFrequencyInMins: 120
- schedulePolicyType: 'LogSchedulePolicy'
- }
- }
- ]
- workLoadType: 'SQLDataBase'
- }
- }
- {
- name: 'filesharepolicy'
- properties: {
- backupManagementType: 'AzureStorage'
- protectedItemsCount: 0
- retentionPolicy: {
- dailySchedule: {
- retentionDuration: {
- count: 30
- durationType: 'Days'
- }
- retentionTimes: [
- '2019-11-07T04:30:00Z'
- ]
- }
- retentionPolicyType: 'LongTermRetentionPolicy'
- }
- schedulePolicy: {
- schedulePolicyType: 'SimpleSchedulePolicy'
- scheduleRunFrequency: 'Daily'
- scheduleRunTimes: [
- '2019-11-07T04:30:00Z'
- ]
- scheduleWeeklyFrequency: 0
- }
- timeZone: 'UTC'
- workloadType: 'AzureFileShare'
- }
- }
- ]
- backupStorageConfig: {
- crossRegionRestoreFlag: true
- storageModelType: 'GeoRedundant'
- }
- replicationAlertSettings: {
- customEmailAddresses: [
- 'test.user@testcompany.com'
- ]
- locale: 'en-US'
- sendToOwners: 'Send'
- }
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- monitoringSettings: {
- azureMonitorAlertSettings: {
- alertsForAllJobFailures: 'Enabled'
- }
- classicAlertSettings: {
- alertsForCriticalOperations: 'Enabled'
- }
- }
- securitySettings: {
- immutabilitySettings: {
- state: 'Unlocked'
- }
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/recovery-services/vault/tests/e2e/waf-aligned/dependencies.bicep b/modules/recovery-services/vault/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 12b8653f54..0000000000
--- a/modules/recovery-services/vault/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,63 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.siterecovery.windowsazure.com'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep b/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 005293b717..0000000000
--- a/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,372 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-recoveryservices.vaults-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'rsvwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName:
'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- backupConfig: {
- enhancedSecurityState: 'Disabled'
- softDeleteFeatureState: 'Disabled'
- }
- backupPolicies: [
- {
- name: 'VMpolicy'
- properties: {
- backupManagementType: 'AzureIaasVM'
- instantRPDetails: {}
- instantRpRetentionRangeInDays: 2
- protectedItemsCount: 0
- retentionPolicy: {
- dailySchedule: {
- retentionDuration: {
- count: 180
- durationType: 'Days'
- }
- retentionTimes: [
- '2019-11-07T07:00:00Z'
- ]
- }
- monthlySchedule: {
- retentionDuration: {
- count: 60
- durationType: 'Months'
- }
- retentionScheduleFormatType: 'Weekly'
- retentionScheduleWeekly: {
- daysOfTheWeek: [
- 'Sunday'
- ]
- weeksOfTheMonth: [
- 'First'
- ]
- }
- retentionTimes: [
- '2019-11-07T07:00:00Z'
- ]
- }
- retentionPolicyType: 'LongTermRetentionPolicy'
- weeklySchedule: {
- daysOfTheWeek: [
- 'Sunday'
- ]
- retentionDuration: {
- count: 12
- durationType: 'Weeks'
- }
- retentionTimes: [
- '2019-11-07T07:00:00Z'
- ]
- }
- yearlySchedule: {
- monthsOfYear: [
- 'January'
- ]
- retentionDuration: {
- count: 10
- durationType: 'Years'
- }
- retentionScheduleFormatType: 'Weekly'
- retentionScheduleWeekly: {
- daysOfTheWeek: [
- 'Sunday'
- ]
- weeksOfTheMonth: [
- 'First'
- ]
- }
- retentionTimes: [
- '2019-11-07T07:00:00Z'
- ]
- }
- }
- schedulePolicy: {
- schedulePolicyType: 'SimpleSchedulePolicy'
- scheduleRunFrequency: 'Daily'
- scheduleRunTimes: [
- '2019-11-07T07:00:00Z'
- ]
- scheduleWeeklyFrequency: 0
- }
- timeZone: 'UTC'
- }
- }
- {
- name: 'sqlpolicy'
- properties: {
- backupManagementType: 'AzureWorkload'
- protectedItemsCount: 0
- settings: {
- isCompression: true
- issqlcompression: true
- timeZone: 'UTC'
- }
- subProtectionPolicy: [
- {
- policyType: 'Full'
- retentionPolicy: {
- monthlySchedule: {
- retentionDuration: {
- count: 60
- durationType: 'Months'
- }
- retentionScheduleFormatType: 'Weekly'
- retentionScheduleWeekly: {
- daysOfTheWeek: [
- 'Sunday'
- ]
- weeksOfTheMonth: [
- 'First'
- ]
- }
- retentionTimes: [
- '2019-11-07T22:00:00Z'
- ]
- }
- retentionPolicyType: 'LongTermRetentionPolicy'
- weeklySchedule: {
- daysOfTheWeek: [
- 'Sunday'
- ]
- retentionDuration: {
- count: 104
- durationType: 'Weeks'
- }
- retentionTimes: [
- '2019-11-07T22:00:00Z'
- ]
- }
- yearlySchedule: {
- monthsOfYear: [
- 'January'
- ]
- retentionDuration: {
- count: 10
- durationType: 'Years'
- }
- retentionScheduleFormatType: 'Weekly'
- retentionScheduleWeekly: {
- daysOfTheWeek: [
- 'Sunday'
- ]
- weeksOfTheMonth: [
- 'First'
- ]
- }
- retentionTimes: [
- '2019-11-07T22:00:00Z'
- ]
- }
- }
- schedulePolicy: {
- schedulePolicyType: 'SimpleSchedulePolicy'
- scheduleRunDays: [
- 'Sunday'
- ]
- scheduleRunFrequency: 'Weekly'
- scheduleRunTimes: [
- '2019-11-07T22:00:00Z'
- ]
- scheduleWeeklyFrequency: 0
- }
- }
- {
- policyType: 'Differential'
- retentionPolicy: {
- retentionDuration: {
- count: 30
- durationType: 'Days'
- }
- retentionPolicyType: 'SimpleRetentionPolicy'
- }
- schedulePolicy: {
- schedulePolicyType: 'SimpleSchedulePolicy'
- scheduleRunDays: [
- 'Monday'
- ]
- scheduleRunFrequency: 'Weekly'
- scheduleRunTimes: [
- '2017-03-07T02:00:00Z'
- ]
- scheduleWeeklyFrequency: 0
- }
- }
- {
- policyType: 'Log'
- retentionPolicy: {
- retentionDuration: {
- count: 15
- durationType: 'Days'
- }
- retentionPolicyType: 'SimpleRetentionPolicy'
- }
- schedulePolicy: {
- scheduleFrequencyInMins: 120
- schedulePolicyType: 'LogSchedulePolicy'
- }
- }
- ]
- workLoadType: 'SQLDataBase'
- }
- }
- {
- name: 'filesharepolicy'
-
properties: {
- backupManagementType: 'AzureStorage'
- protectedItemsCount: 0
- retentionPolicy: {
- dailySchedule: {
- retentionDuration: {
- count: 30
- durationType: 'Days'
- }
- retentionTimes: [
- '2019-11-07T04:30:00Z'
- ]
- }
- retentionPolicyType: 'LongTermRetentionPolicy'
- }
- schedulePolicy: {
- schedulePolicyType: 'SimpleSchedulePolicy'
- scheduleRunFrequency: 'Daily'
- scheduleRunTimes: [
- '2019-11-07T04:30:00Z'
- ]
- scheduleWeeklyFrequency: 0
- }
- timeZone: 'UTC'
- workloadType: 'AzureFileShare'
- }
- }
- ]
- backupStorageConfig: {
- crossRegionRestoreFlag: true
- storageModelType: 'GeoRedundant'
- }
- replicationAlertSettings: {
- customEmailAddresses: [
- 'test.user@testcompany.com'
- ]
- locale: 'en-US'
- sendToOwners: 'Send'
- }
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- monitoringSettings: {
- azureMonitorAlertSettings: {
- alertsForAllJobFailures: 'Enabled'
- }
- classicAlertSettings: {
- alertsForCriticalOperations: 'Enabled'
- }
- }
- securitySettings: {
- immutabilitySettings: {
- state: 'Unlocked'
- }
- }
- tags: {
-
'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/recovery-services/vault/version.json b/modules/recovery-services/vault/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/recovery-services/vault/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/relay/namespace/MOVED-TO-AVM.md b/modules/relay/namespace/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/relay/namespace/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/relay/namespace/README.md b/modules/relay/namespace/README.md
index 1ca1eed4c8..8c09e6322b 100644
--- a/modules/relay/namespace/README.md
+++ b/modules/relay/namespace/README.md
@@ -1,1356 +1,7 @@
-# Relay Namespaces `[Microsoft.Relay/namespaces]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/relay/namespace](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/relay/namespace).** -This module deploys a Relay Namespace +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/relay/namespace). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -| `Microsoft.Relay/namespaces` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces) | 
-| `Microsoft.Relay/namespaces/authorizationRules` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces/authorizationRules) | -| `Microsoft.Relay/namespaces/hybridConnections` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces/hybridConnections) | -| `Microsoft.Relay/namespaces/hybridConnections/authorizationRules` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces/hybridConnections/authorizationRules) | -| `Microsoft.Relay/namespaces/networkRuleSets` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces/networkRuleSets) | -| `Microsoft.Relay/namespaces/wcfRelays` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces/wcfRelays) | -| `Microsoft.Relay/namespaces/wcfRelays/authorizationRules` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces/wcfRelays/authorizationRules) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/relay.namespace:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [Pe](#example-3-pe) -- [WAF-aligned](#example-4-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-rnmin' - params: { - // Required parameters - name: 'rnmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "rnmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-rnmax' - params: { - // Required parameters - name: 'rnmax001' - // Non-required parameters - authorizationRules: [ - { - name: 'RootManageSharedAccessKey' - rights: [ - 'Listen' - 'Manage' - 'Send' - ] - } - { - name: 'AnotherKey' - rights: [ - 'Listen' - 'Send' - ] - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - hybridConnections: [ - { - name: 'rnmaxhc001' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - userMetadata: '[{\'key\':\'endpoint\',\'value\':\'db-server.constoso.com:1433\'}]' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - networkRuleSets: { - defaultAction: 'Deny' - ipRules: [ - { - action: 'Allow' - ipMask: '10.0.1.0/32' - } - { - action: 'Allow' - ipMask: '10.0.2.0/32' - } - ] - trustedServiceAccessEnabled: true - virtualNetworkRules: [ - { - subnet: { - id: '' - ignoreMissingVnetServiceEndpoint: true - } - } - ] - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'namespace' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - skuName: 'Standard' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is 
visible in the resource name' - Role: 'DeploymentValidation' - } - wcfRelays: [ - { - name: 'rnmaxwcf001' - relayType: 'NetTcp' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "rnmax001" - }, - // Non-required parameters - "authorizationRules": { - "value": [ - { - "name": "RootManageSharedAccessKey", - "rights": [ - "Listen", - "Manage", - "Send" - ] - }, - { - "name": "AnotherKey", - "rights": [ - "Listen", - "Send" - ] - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "hybridConnections": { - "value": [ - { - "name": "rnmaxhc001", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "userMetadata": "[{\"key\":\"endpoint\",\"value\":\"db-server.constoso.com:1433\"}]" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "networkRuleSets": { - "value": { - "defaultAction": "Deny", - "ipRules": [ - { - "action": "Allow", - "ipMask": "10.0.1.0/32" - }, - { - "action": "Allow", - "ipMask": "10.0.2.0/32" - } - ], - "trustedServiceAccessEnabled": true, - "virtualNetworkRules": [ - { - "subnet": { - "id": "", - "ignoreMissingVnetServiceEndpoint": true - } - } - ] - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "namespace", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - 
"principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "skuName": { - "value": "Standard" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "wcfRelays": { - "value": [ - { - "name": "rnmaxwcf001", - "relayType": "NetTcp", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - } - ] - } - } -} -``` - -
-

- -### Example 3: _Pe_ - -

- -via Bicep module - -```bicep -module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-rnpe' - params: { - // Required parameters - name: 'rnpe001' - // Non-required parameters - enableDefaultTelemetry: '' - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - skuName: 'Standard' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "rnpe001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "skuName": { - "value": "Standard" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 4: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-rnwaf' - params: { - // Required parameters - name: 'rnwaf001' - // Non-required parameters - authorizationRules: [ - { - name: 'RootManageSharedAccessKey' - rights: [ - 'Listen' - 'Manage' - 'Send' - ] - } - { - name: 'AnotherKey' - rights: [ - 'Listen' - 'Send' - ] - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - hybridConnections: [ - { - name: 'rnwafhc001' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - userMetadata: '[{\'key\':\'endpoint\',\'value\':\'db-server.constoso.com:1433\'}]' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - networkRuleSets: { - defaultAction: 'Deny' - ipRules: [ - { - action: 'Allow' - ipMask: '10.0.1.0/32' - } - { - action: 'Allow' - ipMask: '10.0.2.0/32' - } - ] - trustedServiceAccessEnabled: true - virtualNetworkRules: [ - { - subnet: { - id: '' - ignoreMissingVnetServiceEndpoint: true - } - } - ] - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'namespace' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - skuName: 'Standard' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - wcfRelays: [ - { - name: 'rnwafwcf001' - relayType: 'NetTcp' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "rnwaf001" - }, - // Non-required parameters - "authorizationRules": { - "value": [ - { - "name": "RootManageSharedAccessKey", - "rights": [ - "Listen", - "Manage", - "Send" - ] - }, - { - "name": "AnotherKey", - "rights": [ - "Listen", - "Send" - ] - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "hybridConnections": { - "value": [ - { - "name": "rnwafhc001", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "userMetadata": "[{\"key\":\"endpoint\",\"value\":\"db-server.constoso.com:1433\"}]" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "networkRuleSets": { - "value": { - "defaultAction": "Deny", - "ipRules": [ - { - "action": "Allow", - "ipMask": "10.0.1.0/32" - }, - { - "action": "Allow", - "ipMask": "10.0.2.0/32" - } - ], - "trustedServiceAccessEnabled": true, - "virtualNetworkRules": [ - { - "subnet": { - "id": "", - "ignoreMissingVnetServiceEndpoint": true - } - } - ] - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "namespace", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "skuName": { - "value": "Standard" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource 
name", - "Role": "DeploymentValidation" - } - }, - "wcfRelays": { - "value": [ - { - "name": "rnwafwcf001", - "relayType": "NetTcp", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - } - ] - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Relay Namespace. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`authorizationRules`](#parameter-authorizationrules) | array | Authorization Rules for the Relay namespace. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`hybridConnections`](#parameter-hybridconnections) | array | The hybrid connections to create in the relay namespace. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`networkRuleSets`](#parameter-networkrulesets) | object | Configure networking options for Relay. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. | -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`skuName`](#parameter-skuname) | string | Name of this SKU. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`wcfRelays`](#parameter-wcfrelays) | array | The wcf relays to create in the relay namespace. | - -### Parameter: `name` - -Name of the Relay Namespace. - -- Required: Yes -- Type: string - -### Parameter: `authorizationRules` - -Authorization Rules for the Relay namespace. 
- -- Required: No -- Type: array -- Default: - ```Bicep - [ - { - name: 'RootManageSharedAccessKey' - rights: [ - 'Listen' - 'Manage' - 'Send' - ] - } - ] - ``` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. 
| -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
- -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `hybridConnections` - -The hybrid connections to create in the relay namespace. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. 
- -- Required: No -- Type: string - -### Parameter: `networkRuleSets` - -Configure networking options for Relay. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `privateEndpoints` - -Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. 
| -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.subnetResourceId` - -Resource ID of the subnet where the endpoint needs to be created. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Application security groups in which the private endpoint IP configuration is included. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customDnsConfigs` - -Custom DNS configurations. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customNetworkInterfaceName` - -The custom name of the network interface attached to the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.enableTelemetry` - -Enable/Disable usage telemetry for module. - -- Required: No -- Type: bool - -### Parameter: `privateEndpoints.ipConfigurations` - -A list of IP configurations of the private endpoint. 
This will be used to map to the First Party Service endpoints. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.location` - -The location to deploy the private endpoint to. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.lock` - -Specify the type of lock. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | -| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | - -### Parameter: `privateEndpoints.lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `privateEndpoints.lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` - -Manual PrivateLink Service Connections. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.name` - -The name of the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneGroupName` - -The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` - -The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| -| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `privateEndpoints.roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.condition` - -The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `privateEndpoints.service` - -The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.tags` - -Tags to be applied on all resources/resource groups in this deployment. - -- Required: No -- Type: object - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `skuName` - -Name of this SKU. - -- Required: No -- Type: string -- Default: `'Standard'` -- Allowed: - ```Bicep - [ - 'Standard' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `wcfRelays` - -The wcf relays to create in the relay namespace. - -- Required: No -- Type: array -- Default: `[]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed relay namespace. | -| `resourceGroupName` | string | The resource group of the deployed relay namespace. | -| `resourceId` | string | The resource ID of the deployed relay namespace. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `modules/network/private-endpoint` | Local reference | +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). 
diff --git a/modules/relay/namespace/authorization-rule/README.md b/modules/relay/namespace/authorization-rule/README.md
deleted file mode 100644
index f643f25c3c..0000000000
--- a/modules/relay/namespace/authorization-rule/README.md
+++ /dev/null
@@ -1,88 +0,0 @@ -# Relay Namespace Authorization Rules `[Microsoft.Relay/namespaces/authorizationRules]` - -This module deploys a Relay Namespace Authorization Rule. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Relay/namespaces/authorizationRules` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces/authorizationRules) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the authorization rule. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`namespaceName`](#parameter-namespacename) | string | The name of the parent Relay Namespace for the Relay Hybrid Connection. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`rights`](#parameter-rights) | array | The rights associated with the rule. | - -### Parameter: `name` - -The name of the authorization rule. - -- Required: Yes -- Type: string - -### Parameter: `namespaceName` - -The name of the parent Relay Namespace for the Relay Hybrid Connection. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `rights` - -The rights associated with the rule. 
- -- Required: No -- Type: array -- Default: `[]` -- Allowed: - ```Bicep - [ - 'Listen' - 'Manage' - 'Send' - ] - ``` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the authorization rule. | -| `resourceGroupName` | string | The name of the Resource Group the authorization rule was created in. | -| `resourceId` | string | The resource ID of the authorization rule. | - -## Cross-referenced modules - -_None_ diff --git a/modules/relay/namespace/authorization-rule/main.bicep b/modules/relay/namespace/authorization-rule/main.bicep deleted file mode 100644 index fe6b2f1145..0000000000 --- a/modules/relay/namespace/authorization-rule/main.bicep +++ /dev/null 
@@ -1,55 +0,0 @@ -metadata name = 'Relay Namespace Authorization Rules' -metadata description = 'This module deploys a Relay Namespace Authorization Rule.' -metadata owner = 'Azure/module-maintainers' - -@description('Conditional. The name of the parent Relay Namespace for the Relay Hybrid Connection. Required if the template is used in a standalone deployment.') -@minLength(6) -@maxLength(50) -param namespaceName string - -@description('Required. The name of the authorization rule.') -param name string - -@description('Optional. The rights associated with the rule.') -@allowed([ - 'Listen' - 'Manage' - 'Send' -]) -param rights array = [] - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource namespace 'Microsoft.Relay/namespaces@2021-11-01' existing = { - name: namespaceName -} - -resource authorizationRule 'Microsoft.Relay/namespaces/authorizationRules@2021-11-01' = { - name: name - parent: namespace - properties: { - rights: rights - } -} - -@description('The name of the authorization rule.') -output name string = authorizationRule.name - -@description('The resource ID of the authorization rule.') -output resourceId string = authorizationRule.id - -@description('The name of the Resource Group the authorization rule was created in.') -output resourceGroupName string = resourceGroup().name diff --git a/modules/relay/namespace/authorization-rule/main.json b/modules/relay/namespace/authorization-rule/main.json deleted file mode 100644 index bc2bf1ddba..0000000000 
--- a/modules/relay/namespace/authorization-rule/main.json
+++ /dev/null
@@ -1,96 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6991913570355678944" - }, - "name": "Relay Namespace Authorization Rules", - "description": "This module deploys a Relay Namespace Authorization Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "namespaceName": { - "type": "string", - "minLength": 6, - "maxLength": 50, - "metadata": { - "description": "Conditional. The name of the parent Relay Namespace for the Relay Hybrid Connection. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the authorization rule." - } - }, - "rights": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "Listen", - "Manage", - "Send" - ], - "metadata": { - "description": "Optional. The rights associated with the rule." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Relay/namespaces/authorizationRules", - "apiVersion": "2021-11-01", - "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", - "properties": { - "rights": "[parameters('rights')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the authorization rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the authorization rule." - }, - "value": "[resourceId('Microsoft.Relay/namespaces/authorizationRules', parameters('namespaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the authorization rule was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/relay/namespace/authorization-rule/version.json b/modules/relay/namespace/authorization-rule/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/relay/namespace/authorization-rule/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/relay/namespace/hybrid-connection/README.md b/modules/relay/namespace/hybrid-connection/README.md deleted file mode 100644 index a205695854..0000000000 
--- a/modules/relay/namespace/hybrid-connection/README.md
+++ /dev/null
@@ -1,251 +0,0 @@ -# Relay Namespace Hybrid Connections `[Microsoft.Relay/namespaces/hybridConnections]` - -This module deploys a Relay Namespace Hybrid Connection. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Relay/namespaces/hybridConnections` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces/hybridConnections) | -| `Microsoft.Relay/namespaces/hybridConnections/authorizationRules` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces/hybridConnections/authorizationRules) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the hybrid connection. | -| [`userMetadata`](#parameter-usermetadata) | string | The user metadata is a placeholder to store user-defined string data for the hybrid connection endpoint. For example, it can be used to store descriptive data, such as a list of teams and their contact information. Also, user-defined configuration settings can be stored. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`namespaceName`](#parameter-namespacename) | string | The name of the parent Relay Namespace for the Relay Hybrid Connection. Required if the template is used in a standalone deployment. 
| - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`authorizationRules`](#parameter-authorizationrules) | array | Authorization Rules for the Relay Hybrid Connection. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`requiresClientAuthorization`](#parameter-requiresclientauthorization) | bool | A value indicating if this hybrid connection requires client authorization. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | - -### Parameter: `name` - -The name of the hybrid connection. - -- Required: Yes -- Type: string - -### Parameter: `userMetadata` - -The user metadata is a placeholder to store user-defined string data for the hybrid connection endpoint. For example, it can be used to store descriptive data, such as a list of teams and their contact information. Also, user-defined configuration settings can be stored. - -- Required: Yes -- Type: string - -### Parameter: `namespaceName` - -The name of the parent Relay Namespace for the Relay Hybrid Connection. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `authorizationRules` - -Authorization Rules for the Relay Hybrid Connection. - -- Required: No -- Type: array -- Default: - ```Bicep - [ - { - name: 'RootManageSharedAccessKey' - rights: [ - 'Listen' - 'Manage' - 'Send' - ] - } - { - name: 'defaultListener' - rights: [ - 'Listen' - ] - } - { - name: 'defaultSender' - rights: [ - 'Send' - ] - } - ] - ``` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `lock` - -The lock settings of the service. 
- -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `requiresClientAuthorization` - -A value indicating if this hybrid connection requires client authorization. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. 
| -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed hybrid connection. | -| `resourceGroupName` | string | The resource group of the deployed hybrid connection. | -| `resourceId` | string | The resource ID of the deployed hybrid connection. | - -## Cross-referenced modules - -_None_ diff --git a/modules/relay/namespace/hybrid-connection/authorization-rule/README.md b/modules/relay/namespace/hybrid-connection/authorization-rule/README.md deleted file mode 100644 index 37b834a50c..0000000000 --- a/modules/relay/namespace/hybrid-connection/authorization-rule/README.md +++ /dev/null 
@@ -1,96 +0,0 @@
-# Hybrid Connection Authorization Rules `[Microsoft.Relay/namespaces/hybridConnections/authorizationRules]`
-
-This module deploys a Hybrid Connection Authorization Rule.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Relay/namespaces/hybridConnections/authorizationRules` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces/hybridConnections/authorizationRules) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the authorization rule. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`hybridConnectionName`](#parameter-hybridconnectionname) | string | The name of the parent Relay Namespace Hybrid Connection. Required if the template is used in a standalone deployment. |
-| [`namespaceName`](#parameter-namespacename) | string | The name of the parent Relay Namespace. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`rights`](#parameter-rights) | array | The rights associated with the rule. |
-
-### Parameter: `name`
-
-The name of the authorization rule.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `hybridConnectionName`
-
-The name of the parent Relay Namespace Hybrid Connection. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `namespaceName`
-
-The name of the parent Relay Namespace. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `rights`
-
-The rights associated with the rule.
-
-- Required: No
-- Type: array
-- Default: `[]`
-- Allowed:
- ```Bicep
- [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- ```
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the authorization rule. |
-| `resourceGroupName` | string | The name of the Resource Group the authorization rule was created in. |
-| `resourceId` | string | The Resource ID of the authorization rule. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/relay/namespace/hybrid-connection/authorization-rule/main.bicep b/modules/relay/namespace/hybrid-connection/authorization-rule/main.bicep
deleted file mode 100644
index 65ae13ee49..0000000000
--- a/modules/relay/namespace/hybrid-connection/authorization-rule/main.bicep
+++ /dev/null
@@ -1,60 +0,0 @@
-metadata name = 'Hybrid Connection Authorization Rules'
-metadata description = 'This module deploys a Hybrid Connection Authorization Rule.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the authorization rule.')
-param name string
-
-@description('Conditional. The name of the parent Relay Namespace. Required if the template is used in a standalone deployment.')
-param namespaceName string
-
-@description('Conditional. The name of the parent Relay Namespace Hybrid Connection. Required if the template is used in a standalone deployment.')
-param hybridConnectionName string
-
-@description('Optional. The rights associated with the rule.')
-@allowed([
- 'Listen'
- 'Manage'
- 'Send'
-])
-param rights array = []
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource namespace 'Microsoft.Relay/namespaces@2021-11-01' existing = {
- name: namespaceName
-
- resource hybridConnection 'hybridConnections@2021-11-01' existing = {
- name: hybridConnectionName
- }
-}
-
-resource authorizationRule 'Microsoft.Relay/namespaces/hybridConnections/authorizationRules@2021-11-01' = {
- name: name
- parent: namespace::hybridConnection
- properties: {
- rights: rights
- }
-}
-
-@description('The name of the authorization rule.')
-output name string = authorizationRule.name
-
-@description('The Resource ID of the authorization rule.')
-output resourceId string = authorizationRule.id
-
-@description('The name of the Resource Group the authorization rule was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/relay/namespace/hybrid-connection/authorization-rule/main.json b/modules/relay/namespace/hybrid-connection/authorization-rule/main.json
deleted file mode 100644
index fe0d832c02..0000000000
--- a/modules/relay/namespace/hybrid-connection/authorization-rule/main.json
+++ /dev/null
@@ -1,100 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "8614944991526016585" - }, - "name": "Hybrid Connection Authorization Rules", - "description": "This module deploys a Hybrid Connection Authorization Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the authorization rule." - } - }, - "namespaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Relay Namespace. Required if the template is used in a standalone deployment." - } - }, - "hybridConnectionName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Relay Namespace Hybrid Connection. Required if the template is used in a standalone deployment." - } - }, - "rights": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "Listen", - "Manage", - "Send" - ], - "metadata": { - "description": "Optional. The rights associated with the rule." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Relay/namespaces/hybridConnections/authorizationRules", - "apiVersion": "2021-11-01", - "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('hybridConnectionName'), parameters('name'))]", - "properties": { - "rights": "[parameters('rights')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the authorization rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The Resource ID of the authorization rule." - }, - "value": "[resourceId('Microsoft.Relay/namespaces/hybridConnections/authorizationRules', parameters('namespaceName'), parameters('hybridConnectionName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the authorization rule was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/relay/namespace/hybrid-connection/authorization-rule/version.json b/modules/relay/namespace/hybrid-connection/authorization-rule/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/relay/namespace/hybrid-connection/authorization-rule/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/relay/namespace/hybrid-connection/main.bicep b/modules/relay/namespace/hybrid-connection/main.bicep
deleted file mode 100644
index fcda242bda..0000000000
--- a/modules/relay/namespace/hybrid-connection/main.bicep
+++ /dev/null
@@ -1,168 +0,0 @@
-metadata name = 'Relay Namespace Hybrid Connections'
-metadata description = 'This module deploys a Relay Namespace Hybrid Connection.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Relay Namespace for the Relay Hybrid Connection. Required if the template is used in a standalone deployment.')
-@minLength(6)
-@maxLength(50)
-param namespaceName string
-
-@description('Required. The name of the hybrid connection.')
-@minLength(6)
-@maxLength(50)
-param name string
-
-@description('Required. The user metadata is a placeholder to store user-defined string data for the hybrid connection endpoint. For example, it can be used to store descriptive data, such as a list of teams and their contact information. Also, user-defined configuration settings can be stored.')
-param userMetadata string
-
-@description('Optional. A value indicating if this hybrid connection requires client authorization.')
-param requiresClientAuthorization bool = true
-
-@description('Optional. Authorization Rules for the Relay Hybrid Connection.')
-param authorizationRules array = [
- {
- name: 'RootManageSharedAccessKey'
- rights: [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- }
- {
- name: 'defaultListener'
- rights: [
- 'Listen'
- ]
- }
- {
- name: 'defaultSender'
- rights: [
- 'Send'
- ]
- }
-]
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-var builtInRoleNames = {
- 'Azure Relay Listener': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26e0b698-aa6d-4085-9386-aadae190014d')
- 'Azure Relay Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2787bf04-f1f5-4bfe-8383-c8a24483ee38')
- 'Azure Relay Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26baccc8-eea7-41f1-98f4-1762cc7f685d')
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource namespace 'Microsoft.Relay/namespaces@2021-11-01' existing = {
- name: namespaceName
-}
-
-resource hybridConnection 'Microsoft.Relay/namespaces/hybridConnections@2021-11-01' = {
- name: name
- parent: namespace
- properties: {
- requiresClientAuthorization: requiresClientAuthorization
- userMetadata: userMetadata
- }
-}
-
-module hybridConnection_authorizationRules 'authorization-rule/main.bicep' = [for (authorizationRule, index) in authorizationRules: {
- name: '${deployment().name}-AuthorizationRule-${index}'
- params: {
- namespaceName: namespaceName
- hybridConnectionName: hybridConnection.name
- name: authorizationRule.name
- rights: contains(authorizationRule, 'rights') ? authorizationRule.rights : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-resource hybridConnection_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: hybridConnection
-}
-
-resource hybridConnection_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(hybridConnection.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: hybridConnection
-}]
-
-@description('The name of the deployed hybrid connection.')
-output name string = hybridConnection.name
-
-@description('The resource ID of the deployed hybrid connection.')
-output resourceId string = hybridConnection.id
-
-@description('The resource group of the deployed hybrid connection.')
-output resourceGroupName string = resourceGroup().name
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/relay/namespace/hybrid-connection/main.json b/modules/relay/namespace/hybrid-connection/main.json
deleted file mode 100644
index b3ba439423..0000000000
--- a/modules/relay/namespace/hybrid-connection/main.json
+++ /dev/null
@@ -1,425 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10713076217261186547" - }, - "name": "Relay Namespace Hybrid Connections", - "description": "This module deploys a Relay Namespace Hybrid Connection.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "namespaceName": { - "type": "string", - "minLength": 6, - "maxLength": 50, - "metadata": { - "description": "Conditional. The name of the parent Relay Namespace for the Relay Hybrid Connection. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "minLength": 6, - "maxLength": 50, - "metadata": { - "description": "Required. The name of the hybrid connection." - } - }, - "userMetadata": { - "type": "string", - "metadata": { - "description": "Required. The user metadata is a placeholder to store user-defined string data for the hybrid connection endpoint. For example, it can be used to store descriptive data, such as a list of teams and their contact information. Also, user-defined configuration settings can be stored." - } - }, - "requiresClientAuthorization": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. A value indicating if this hybrid connection requires client authorization." 
- } - }, - "authorizationRules": { - "type": "array", - "defaultValue": [ - { - "name": "RootManageSharedAccessKey", - "rights": [ - "Listen", - "Manage", - "Send" - ] - }, - { - "name": "defaultListener", - "rights": [ - "Listen" - ] - }, - { - "name": "defaultSender", - "rights": [ - "Send" - ] - } - ], - "metadata": { - "description": "Optional. Authorization Rules for the Relay Hybrid Connection." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Azure Relay Listener": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26e0b698-aa6d-4085-9386-aadae190014d')]", - "Azure Relay Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2787bf04-f1f5-4bfe-8383-c8a24483ee38')]", - "Azure Relay Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26baccc8-eea7-41f1-98f4-1762cc7f685d')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "namespace": { - "existing": true, - "type": "Microsoft.Relay/namespaces", - "apiVersion": "2021-11-01", - "name": "[parameters('namespaceName')]" - }, - "hybridConnection": { - "type": "Microsoft.Relay/namespaces/hybridConnections", - "apiVersion": "2021-11-01", - "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", - "properties": { - "requiresClientAuthorization": "[parameters('requiresClientAuthorization')]", - "userMetadata": "[parameters('userMetadata')]" - }, - "dependsOn": [ - "namespace" - ] - }, - "hybridConnection_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Relay/namespaces/{0}/hybridConnections/{1}', parameters('namespaceName'), parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "hybridConnection" - ] - }, - "hybridConnection_roleAssignments": { - "copy": { - 
"name": "hybridConnection_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Relay/namespaces/{0}/hybridConnections/{1}', parameters('namespaceName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Relay/namespaces/hybridConnections', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "hybridConnection" - ] - }, - "hybridConnection_authorizationRules": { - "copy": { - "name": "hybridConnection_authorizationRules", - "count": "[length(parameters('authorizationRules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AuthorizationRule-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "namespaceName": { - "value": "[parameters('namespaceName')]" - }, - "hybridConnectionName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('authorizationRules')[copyIndex()].name]" - }, - "rights": "[if(contains(parameters('authorizationRules')[copyIndex()], 'rights'), createObject('value', parameters('authorizationRules')[copyIndex()].rights), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "8614944991526016585" - }, - "name": "Hybrid Connection Authorization Rules", - "description": "This module deploys a Hybrid Connection Authorization Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the authorization rule." - } - }, - "namespaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Relay Namespace. 
Required if the template is used in a standalone deployment." - } - }, - "hybridConnectionName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Relay Namespace Hybrid Connection. Required if the template is used in a standalone deployment." - } - }, - "rights": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "Listen", - "Manage", - "Send" - ], - "metadata": { - "description": "Optional. The rights associated with the rule." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Relay/namespaces/hybridConnections/authorizationRules", - "apiVersion": "2021-11-01", - "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('hybridConnectionName'), parameters('name'))]", - "properties": { - "rights": "[parameters('rights')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the authorization rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The Resource ID of the authorization rule." 
- }, - "value": "[resourceId('Microsoft.Relay/namespaces/hybridConnections/authorizationRules', parameters('namespaceName'), parameters('hybridConnectionName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the authorization rule was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "hybridConnection" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed hybrid connection." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed hybrid connection." - }, - "value": "[resourceId('Microsoft.Relay/namespaces/hybridConnections', parameters('namespaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed hybrid connection." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/relay/namespace/hybrid-connection/version.json b/modules/relay/namespace/hybrid-connection/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/relay/namespace/hybrid-connection/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/relay/namespace/main.bicep b/modules/relay/namespace/main.bicep deleted file mode 100644 index 3ffa30c756..0000000000 --- a/modules/relay/namespace/main.bicep +++ /dev/null 
@@ -1,406 +0,0 @@
-metadata name = 'Relay Namespaces'
-metadata description = 'This module deploys a Relay Namespace'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the Relay Namespace.')
-@minLength(6)
-@maxLength(50)
-param name string
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Name of this SKU.')
-@allowed([
- 'Standard'
-])
-param skuName string = 'Standard'
-
-@description('Optional. Authorization Rules for the Relay namespace.')
-param authorizationRules array = [
- {
- name: 'RootManageSharedAccessKey'
- rights: [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- }
-]
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints privateEndpointType
-
-@description('Optional. Configure networking options for Relay. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace.')
-param networkRuleSets object = {}
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. The hybrid connections to create in the relay namespace.')
-param hybridConnections array = []
-
-@description('Optional. The wcf relays to create in the relay namespace.')
-param wcfRelays array = []
-
-var enableReferencedModulesTelemetry = false
-
-var builtInRoleNames = {
- 'Azure Relay Listener': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26e0b698-aa6d-4085-9386-aadae190014d')
- 'Azure Relay Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2787bf04-f1f5-4bfe-8383-c8a24483ee38')
- 'Azure Relay Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26baccc8-eea7-41f1-98f4-1762cc7f685d')
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource namespace 'Microsoft.Relay/namespaces@2021-11-01' = {
- name: name
- location: location
- tags: empty(tags) ? null : tags
- sku: {
- name: skuName
- }
- properties: {}
-}
-
-module namespace_authorizationRules 'authorization-rule/main.bicep' = [for (authorizationRule, index) in authorizationRules: {
- name: '${uniqueString(deployment().name, location)}-AuthorizationRules-${index}'
- params: {
- namespaceName: namespace.name
- name: authorizationRule.name
- rights: contains(authorizationRule, 'rights') ? authorizationRule.rights : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module namespace_networkRuleSet 'network-rule-set/main.bicep' = if (!empty(networkRuleSets) || !empty(privateEndpoints)) {
- name: '${uniqueString(deployment().name, location)}-NetworkRuleSet'
- params: {
- namespaceName: namespace.name
- publicNetworkAccess: contains(networkRuleSets, 'publicNetworkAccess') ? networkRuleSets.publicNetworkAccess : (!empty(privateEndpoints) && empty(networkRuleSets) ? 'Disabled' : 'Enabled')
- defaultAction: contains(networkRuleSets, 'defaultAction') ? networkRuleSets.defaultAction : 'Allow'
- ipRules: contains(networkRuleSets, 'ipRules') ? networkRuleSets.ipRules : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module namespace_hybridConnections 'hybrid-connection/main.bicep' = [for (hybridConnection, index) in hybridConnections: {
- name: '${uniqueString(deployment().name, location)}-HybridConnection-${index}'
- params: {
- namespaceName: namespace.name
- name: hybridConnection.name
- authorizationRules: contains(hybridConnection, 'authorizationRules') ? hybridConnection.authorizationRules : [
- {
- name: 'RootManageSharedAccessKey'
- rights: [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- }
- {
- name: 'defaultListener'
- rights: [
- 'Listen'
- ]
- }
- {
- name: 'defaultSender'
- rights: [
- 'Send'
- ]
- }
- ]
- requiresClientAuthorization: contains(hybridConnection, 'requiresClientAuthorization') ? hybridConnection.requiresClientAuthorization : true
- userMetadata: hybridConnection.userMetadata
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module namespace_wcfRelays 'wcf-relay/main.bicep' = [for (wcfRelay, index) in wcfRelays: {
- name: '${uniqueString(deployment().name, location)}-WcfRelay-${index}'
- params: {
- namespaceName: namespace.name
- name: wcfRelay.name
- authorizationRules: contains(wcfRelay, 'authorizationRules') ? wcfRelay.authorizationRules : [
- {
- name: 'RootManageSharedAccessKey'
- rights: [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- }
- {
- name: 'defaultListener'
- rights: [
- 'Listen'
- ]
- }
- {
- name: 'defaultSender'
- rights: [
- 'Send'
- ]
- }
- ]
- relayType: wcfRelay.relayType
- requiresClientAuthorization: contains(wcfRelay, 'requiresClientAuthorization') ? wcfRelay.requiresClientAuthorization : true
- requiresTransportSecurity: contains(wcfRelay, 'requiresTransportSecurity') ? wcfRelay.requiresTransportSecurity : true
- userMetadata: contains(wcfRelay, 'userMetadata') ? wcfRelay.userMetadata : null
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-resource namespace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: namespace
-}
-
-resource namespace_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: namespace
-}]
-
-module namespace_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
- name: '${uniqueString(deployment().name, location)}-namespace-PrivateEndpoint-${index}'
- params: {
- groupIds: [
- privateEndpoint.?service ?? 'namespace'
- ]
- name: privateEndpoint.?name ?? 'pep-${last(split(namespace.id, '/'))}-${privateEndpoint.?service ?? 'namespace'}-${index}'
- serviceResourceId: namespace.id
- subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
- location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
- privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
- roleAssignments: privateEndpoint.?roleAssignments
- tags: privateEndpoint.?tags ?? tags
- manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
- customDnsConfigs: privateEndpoint.?customDnsConfigs
- ipConfigurations: privateEndpoint.?ipConfigurations
- applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
- customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
- }
-}]
-
-resource namespace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(namespace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: namespace
-}]
-
-@description('The resource ID of the deployed relay namespace.')
-output resourceId string = namespace.id
-
-@description('The resource group of the deployed relay namespace.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the deployed relay namespace.')
-output name string = namespace.name
-
-@description('The location the resource was deployed into.')
-output location string = namespace.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type privateEndpointType = {
- @description('Optional. The name of the private endpoint.')
- name: string?
-
- @description('Optional. The location to deploy the private endpoint to.')
- location: string?
-
- @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
- service: string?
-
- @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
- subnetResourceId: string
-
- @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
- privateDnsZoneGroupName: string?
-
- @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
- privateDnsZoneResourceIds: string[]?
-
- @description('Optional. Custom DNS configurations.')
- customDnsConfigs: {
- @description('Required. Fqdn that resolves to private endpoint ip address.')
- fqdn: string?
-
- @description('Required. A list of private ip addresses of the private endpoint.')
- ipAddresses: string[]
- }[]?
-
- @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
- ipConfigurations: {
- @description('Required. The name of the resource that is unique within a resource group.')
- name: string
-
- @description('Required. Properties of private endpoint IP configurations.')
- properties: {
- @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
- groupId: string
-
- @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
- memberName: string
-
- @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
- privateIPAddress: string
- }
- }[]?
-
- @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
- applicationSecurityGroupResourceIds: string[]?
-
- @description('Optional. The custom name of the network interface attached to the private endpoint.')
- customNetworkInterfaceName: string?
-
- @description('Optional. Specify the type of lock.')
- lock: lockType
-
- @description('Optional. Array of role assignments to create.')
- roleAssignments: roleAssignmentType
-
- @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
- tags: object?
-
- @description('Optional. Manual PrivateLink Service Connections.')
- manualPrivateLinkServiceConnections: array?
-
- @description('Optional. Enable/Disable usage telemetry for module.')
- enableTelemetry: bool?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/relay/namespace/main.json b/modules/relay/namespace/main.json
deleted file mode 100644
index 1c9ac35781..0000000000
--- a/modules/relay/namespace/main.json
+++ /dev/null
@@ -1,2437 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5535628605331543748" - }, - "name": "Relay Namespaces", - "description": "This module deploys a Relay Namespace", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. 
A DNS zone group can support up to 5 DNS zones." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. 
Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." 
- } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "minLength": 6, - "maxLength": 50, - "metadata": { - "description": "Required. Name of the Relay Namespace." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "skuName": { - "type": "string", - "defaultValue": "Standard", - "allowedValues": [ - "Standard" - ], - "metadata": { - "description": "Optional. Name of this SKU." - } - }, - "authorizationRules": { - "type": "array", - "defaultValue": [ - { - "name": "RootManageSharedAccessKey", - "rights": [ - "Listen", - "Manage", - "Send" - ] - } - ], - "metadata": { - "description": "Optional. Authorization Rules for the Relay namespace." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." 
- } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." - } - }, - "networkRuleSets": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Configure networking options for Relay. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "hybridConnections": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The hybrid connections to create in the relay namespace." - } - }, - "wcfRelays": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The wcf relays to create in the relay namespace." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Azure Relay Listener": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26e0b698-aa6d-4085-9386-aadae190014d')]", - "Azure Relay Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2787bf04-f1f5-4bfe-8383-c8a24483ee38')]", - "Azure Relay Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26baccc8-eea7-41f1-98f4-1762cc7f685d')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "namespace": { - "type": "Microsoft.Relay/namespaces", - "apiVersion": "2021-11-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[if(empty(parameters('tags')), null(), parameters('tags'))]", - "sku": { - "name": "[parameters('skuName')]" - }, 
- "properties": {} - }, - "namespace_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Relay/namespaces/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "namespace" - ] - }, - "namespace_diagnosticSettings": { - "copy": { - "name": "namespace_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Relay/namespaces/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', 
null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "namespace" - ] - }, - "namespace_roleAssignments": { - "copy": { - "name": "namespace_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Relay/namespaces/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Relay/namespaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "namespace" - ] - }, - "namespace_authorizationRules": { - "copy": { - "name": "namespace_authorizationRules", - "count": "[length(parameters('authorizationRules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AuthorizationRules-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "namespaceName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('authorizationRules')[copyIndex()].name]" - }, - "rights": "[if(contains(parameters('authorizationRules')[copyIndex()], 'rights'), createObject('value', parameters('authorizationRules')[copyIndex()].rights), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6991913570355678944" - }, - "name": "Relay Namespace 
Authorization Rules", - "description": "This module deploys a Relay Namespace Authorization Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "namespaceName": { - "type": "string", - "minLength": 6, - "maxLength": 50, - "metadata": { - "description": "Conditional. The name of the parent Relay Namespace for the Relay Hybrid Connection. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the authorization rule." - } - }, - "rights": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "Listen", - "Manage", - "Send" - ], - "metadata": { - "description": "Optional. The rights associated with the rule." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Relay/namespaces/authorizationRules", - "apiVersion": "2021-11-01", - "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", - "properties": { - "rights": "[parameters('rights')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the authorization rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the authorization rule." 
- }, - "value": "[resourceId('Microsoft.Relay/namespaces/authorizationRules', parameters('namespaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the authorization rule was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "namespace" - ] - }, - "namespace_networkRuleSet": { - "condition": "[or(not(empty(parameters('networkRuleSets'))), not(empty(parameters('privateEndpoints'))))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-NetworkRuleSet', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "namespaceName": { - "value": "[parameters('name')]" - }, - "publicNetworkAccess": "[if(contains(parameters('networkRuleSets'), 'publicNetworkAccess'), createObject('value', parameters('networkRuleSets').publicNetworkAccess), if(and(not(empty(parameters('privateEndpoints'))), empty(parameters('networkRuleSets'))), createObject('value', 'Disabled'), createObject('value', 'Enabled')))]", - "defaultAction": "[if(contains(parameters('networkRuleSets'), 'defaultAction'), createObject('value', parameters('networkRuleSets').defaultAction), createObject('value', 'Allow'))]", - "ipRules": "[if(contains(parameters('networkRuleSets'), 'ipRules'), createObject('value', parameters('networkRuleSets').ipRules), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11855121384015754907" - }, - "name": "Relay Namespace Network Rules Sets", - 
"description": "This module deploys a Relay Namespace Network Rule Set.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "namespaceName": { - "type": "string", - "minLength": 6, - "maxLength": 50, - "metadata": { - "description": "Conditional. The name of the parent Relay Namespace for the Relay Network Rule Set. Required if the template is used in a standalone deployment." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. This determines if traffic is allowed over public network. Default is \"Enabled\". If set to \"Disabled\", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied." - } - }, - "defaultAction": { - "type": "string", - "defaultValue": "Allow", - "allowedValues": [ - "Allow", - "Deny" - ], - "metadata": { - "description": "Optional. Default Action for Network Rule Set. Default is \"Allow\". It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, it will be set to \"Deny\" if ipRules or virtualNetworkRules are being used." - } - }, - "ipRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of IpRules. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Relay/namespaces/networkRuleSets", - "apiVersion": "2021-11-01", - "name": "[format('{0}/{1}', parameters('namespaceName'), 'default')]", - "properties": { - "publicNetworkAccess": "[parameters('publicNetworkAccess')]", - "defaultAction": "[if(equals(parameters('publicNetworkAccess'), 'Disabled'), null(), if(not(empty(parameters('ipRules'))), 'Deny', parameters('defaultAction')))]", - "ipRules": "[if(equals(parameters('publicNetworkAccess'), 'Disabled'), null(), parameters('ipRules'))]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the network rule set." - }, - "value": "default" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the network rule set." - }, - "value": "[resourceId('Microsoft.Relay/namespaces/networkRuleSets', parameters('namespaceName'), 'default')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the network rule set was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "namespace" - ] - }, - "namespace_hybridConnections": { - "copy": { - "name": "namespace_hybridConnections", - "count": "[length(parameters('hybridConnections'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-HybridConnection-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "namespaceName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('hybridConnections')[copyIndex()].name]" - }, - "authorizationRules": "[if(contains(parameters('hybridConnections')[copyIndex()], 'authorizationRules'), createObject('value', parameters('hybridConnections')[copyIndex()].authorizationRules), createObject('value', createArray(createObject('name', 'RootManageSharedAccessKey', 'rights', createArray('Listen', 'Manage', 'Send')), createObject('name', 'defaultListener', 'rights', createArray('Listen')), createObject('name', 'defaultSender', 'rights', createArray('Send')))))]", - "requiresClientAuthorization": "[if(contains(parameters('hybridConnections')[copyIndex()], 'requiresClientAuthorization'), createObject('value', parameters('hybridConnections')[copyIndex()].requiresClientAuthorization), createObject('value', true()))]", - "userMetadata": { - "value": "[parameters('hybridConnections')[copyIndex()].userMetadata]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10713076217261186547" - }, - "name": "Relay Namespace Hybrid Connections", - 
"description": "This module deploys a Relay Namespace Hybrid Connection.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "namespaceName": { - "type": "string", - "minLength": 6, - "maxLength": 50, - "metadata": { - "description": "Conditional. The name of the parent Relay Namespace for the Relay Hybrid Connection. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "minLength": 6, - "maxLength": 50, - "metadata": { - "description": "Required. The name of the hybrid connection." - } - }, - "userMetadata": { - "type": "string", - "metadata": { - "description": "Required. The user metadata is a placeholder to store user-defined string data for the hybrid connection endpoint. For example, it can be used to store descriptive data, such as a list of teams and their contact information. Also, user-defined configuration settings can be stored." - } - }, - "requiresClientAuthorization": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. A value indicating if this hybrid connection requires client authorization." - } - }, - "authorizationRules": { - "type": "array", - "defaultValue": [ - { - "name": "RootManageSharedAccessKey", - "rights": [ - "Listen", - "Manage", - "Send" - ] - }, - { - "name": "defaultListener", - "rights": [ - "Listen" - ] - }, - { - "name": "defaultSender", - "rights": [ - "Send" - ] - } - ], - "metadata": { - "description": "Optional. Authorization Rules for the Relay Hybrid Connection." 
- } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Azure Relay Listener": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26e0b698-aa6d-4085-9386-aadae190014d')]", - "Azure Relay Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2787bf04-f1f5-4bfe-8383-c8a24483ee38')]", - "Azure Relay Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26baccc8-eea7-41f1-98f4-1762cc7f685d')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - 
"template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "namespace": { - "existing": true, - "type": "Microsoft.Relay/namespaces", - "apiVersion": "2021-11-01", - "name": "[parameters('namespaceName')]" - }, - "hybridConnection": { - "type": "Microsoft.Relay/namespaces/hybridConnections", - "apiVersion": "2021-11-01", - "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", - "properties": { - "requiresClientAuthorization": "[parameters('requiresClientAuthorization')]", - "userMetadata": "[parameters('userMetadata')]" - }, - "dependsOn": [ - "namespace" - ] - }, - "hybridConnection_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Relay/namespaces/{0}/hybridConnections/{1}', parameters('namespaceName'), parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "hybridConnection" - ] - }, - "hybridConnection_roleAssignments": { - "copy": { - "name": "hybridConnection_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Relay/namespaces/{0}/hybridConnections/{1}', parameters('namespaceName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Relay/namespaces/hybridConnections', parameters('namespaceName'), 
parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "hybridConnection" - ] - }, - "hybridConnection_authorizationRules": { - "copy": { - "name": "hybridConnection_authorizationRules", - "count": "[length(parameters('authorizationRules'))]" - }, - "type": 
"Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AuthorizationRule-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "namespaceName": { - "value": "[parameters('namespaceName')]" - }, - "hybridConnectionName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('authorizationRules')[copyIndex()].name]" - }, - "rights": "[if(contains(parameters('authorizationRules')[copyIndex()], 'rights'), createObject('value', parameters('authorizationRules')[copyIndex()].rights), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "8614944991526016585" - }, - "name": "Hybrid Connection Authorization Rules", - "description": "This module deploys a Hybrid Connection Authorization Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the authorization rule." - } - }, - "namespaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Relay Namespace. Required if the template is used in a standalone deployment." - } - }, - "hybridConnectionName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Relay Namespace Hybrid Connection. Required if the template is used in a standalone deployment." - } - }, - "rights": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "Listen", - "Manage", - "Send" - ], - "metadata": { - "description": "Optional. The rights associated with the rule." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Relay/namespaces/hybridConnections/authorizationRules", - "apiVersion": "2021-11-01", - "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('hybridConnectionName'), parameters('name'))]", - "properties": { - "rights": "[parameters('rights')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the authorization rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The Resource ID of the authorization rule." - }, - "value": "[resourceId('Microsoft.Relay/namespaces/hybridConnections/authorizationRules', parameters('namespaceName'), parameters('hybridConnectionName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the authorization rule was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "hybridConnection" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed hybrid connection." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed hybrid connection." 
- }, - "value": "[resourceId('Microsoft.Relay/namespaces/hybridConnections', parameters('namespaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed hybrid connection." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "namespace" - ] - }, - "namespace_wcfRelays": { - "copy": { - "name": "namespace_wcfRelays", - "count": "[length(parameters('wcfRelays'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-WcfRelay-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "namespaceName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('wcfRelays')[copyIndex()].name]" - }, - "authorizationRules": "[if(contains(parameters('wcfRelays')[copyIndex()], 'authorizationRules'), createObject('value', parameters('wcfRelays')[copyIndex()].authorizationRules), createObject('value', createArray(createObject('name', 'RootManageSharedAccessKey', 'rights', createArray('Listen', 'Manage', 'Send')), createObject('name', 'defaultListener', 'rights', createArray('Listen')), createObject('name', 'defaultSender', 'rights', createArray('Send')))))]", - "relayType": { - "value": "[parameters('wcfRelays')[copyIndex()].relayType]" - }, - "requiresClientAuthorization": "[if(contains(parameters('wcfRelays')[copyIndex()], 'requiresClientAuthorization'), createObject('value', parameters('wcfRelays')[copyIndex()].requiresClientAuthorization), createObject('value', true()))]", - "requiresTransportSecurity": "[if(contains(parameters('wcfRelays')[copyIndex()], 'requiresTransportSecurity'), createObject('value', parameters('wcfRelays')[copyIndex()].requiresTransportSecurity), createObject('value', true()))]", - "userMetadata": 
"[if(contains(parameters('wcfRelays')[copyIndex()], 'userMetadata'), createObject('value', parameters('wcfRelays')[copyIndex()].userMetadata), createObject('value', null()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15802304453622016892" - }, - "name": "Relay Namespace WCF Relays", - "description": "This module deploys a Relay Namespace WCF Relay.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. 
The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "namespaceName": { - "type": "string", - "minLength": 6, - "maxLength": 50, - "metadata": { - "description": "Conditional. The name of the parent Relay Namespace for the WCF Relay. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "minLength": 6, - "maxLength": 50, - "metadata": { - "description": "Required. Name of the WCF Relay." - } - }, - "relayType": { - "type": "string", - "allowedValues": [ - "Http", - "NetTcp" - ], - "metadata": { - "description": "Required. Type of WCF Relay." - } - }, - "requiresClientAuthorization": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. A value indicating if this relay requires client authorization." - } - }, - "requiresTransportSecurity": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. A value indicating if this relay requires transport security." 
- } - }, - "userMetadata": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. User-defined string data for the WCF Relay." - } - }, - "authorizationRules": { - "type": "array", - "defaultValue": [ - { - "name": "RootManageSharedAccessKey", - "rights": [ - "Listen", - "Manage", - "Send" - ] - }, - { - "name": "defaultListener", - "rights": [ - "Listen" - ] - }, - { - "name": "defaultSender", - "rights": [ - "Send" - ] - } - ], - "metadata": { - "description": "Optional. Authorization Rules for the WCF Relay." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Azure Relay Listener": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26e0b698-aa6d-4085-9386-aadae190014d')]", - "Azure Relay Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2787bf04-f1f5-4bfe-8383-c8a24483ee38')]", - "Azure Relay Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26baccc8-eea7-41f1-98f4-1762cc7f685d')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "namespace": { - "existing": true, - "type": "Microsoft.Relay/namespaces", - "apiVersion": "2021-11-01", - "name": "[parameters('namespaceName')]" - }, - "wcfRelay": { - "type": "Microsoft.Relay/namespaces/wcfRelays", - "apiVersion": "2021-11-01", - "name": "[format('{0}/{1}', parameters('namespaceName'), 
parameters('name'))]", - "properties": { - "relayType": "[parameters('relayType')]", - "requiresClientAuthorization": "[parameters('requiresClientAuthorization')]", - "requiresTransportSecurity": "[parameters('requiresTransportSecurity')]", - "userMetadata": "[if(not(empty(parameters('userMetadata'))), parameters('userMetadata'), null())]" - }, - "dependsOn": [ - "namespace" - ] - }, - "wcfRelay_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Relay/namespaces/{0}/wcfRelays/{1}', parameters('namespaceName'), parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "wcfRelay" - ] - }, - "wcfRelay_roleAssignments": { - "copy": { - "name": "wcfRelay_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Relay/namespaces/{0}/wcfRelays/{1}', parameters('namespaceName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Relay/namespaces/wcfRelays', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), 
variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "wcfRelay" - ] - }, - "wcfRelay_authorizationRules": { - "copy": { - "name": "wcfRelay_authorizationRules", - "count": "[length(parameters('authorizationRules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AuthorizationRule-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "namespaceName": { - "value": "[parameters('namespaceName')]" - }, - "wcfRelayName": { - "value": "[parameters('name')]" - }, - "name": 
{ - "value": "[parameters('authorizationRules')[copyIndex()].name]" - }, - "rights": "[if(contains(parameters('authorizationRules')[copyIndex()], 'rights'), createObject('value', parameters('authorizationRules')[copyIndex()].rights), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5333168181360876794" - }, - "name": "WCF Relay Authorization Rules", - "description": "This module deploys a WCF Relay Authorization Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the authorization rule." - } - }, - "namespaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Relay Namespace. Required if the template is used in a standalone deployment." - } - }, - "wcfRelayName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Relay Namespace WCF Relay. Required if the template is used in a standalone deployment." - } - }, - "rights": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "Listen", - "Manage", - "Send" - ], - "metadata": { - "description": "Optional. The rights associated with the rule." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Relay/namespaces/wcfRelays/authorizationRules", - "apiVersion": "2021-11-01", - "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('wcfRelayName'), parameters('name'))]", - "properties": { - "rights": "[parameters('rights')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the authorization rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The Resource ID of the authorization rule." - }, - "value": "[resourceId('Microsoft.Relay/namespaces/wcfRelays/authorizationRules', parameters('namespaceName'), parameters('wcfRelayName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the authorization rule was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "wcfRelay" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed wcf relay." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed wcf relay." 
- }, - "value": "[resourceId('Microsoft.Relay/namespaces/wcfRelays', parameters('namespaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed wcf relay." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "namespace" - ] - }, - "namespace_privateEndpoints": { - "copy": { - "name": "namespace_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-namespace-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'namespace')]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Relay/namespaces', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'namespace'), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.Relay/namespaces', parameters('name'))]" - }, - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), 
createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": 
"This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." 
- } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." 
- } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. 
Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } 
- }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - "groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": 
"privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": 
"Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "namespace" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed relay namespace." - }, - "value": "[resourceId('Microsoft.Relay/namespaces', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed relay namespace." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed relay namespace." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('namespace', '2021-11-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/relay/namespace/network-rule-set/README.md b/modules/relay/namespace/network-rule-set/README.md deleted file mode 100644 index d055e8ae60..0000000000 --- a/modules/relay/namespace/network-rule-set/README.md +++ /dev/null 
@@ -1,99 +0,0 @@ -# Relay Namespace Network Rules Sets `[Microsoft.Relay/namespaces/networkRuleSets]` - -This module deploys a Relay Namespace Network Rule Set. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Relay/namespaces/networkRuleSets` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces/networkRuleSets) | - -## Parameters - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`namespaceName`](#parameter-namespacename) | string | The name of the parent Relay Namespace for the Relay Network Rule Set. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`defaultAction`](#parameter-defaultaction) | string | Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`ipRules`](#parameter-iprules) | array | List of IpRules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". | -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied. | - -### Parameter: `namespaceName` - -The name of the parent Relay Namespace for the Relay Network Rule Set. Required if the template is used in a standalone deployment. 
- -- Required: Yes -- Type: string - -### Parameter: `defaultAction` - -Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used. - -- Required: No -- Type: string -- Default: `'Allow'` -- Allowed: - ```Bicep - [ - 'Allow' - 'Deny' - ] - ``` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `ipRules` - -List of IpRules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `publicNetworkAccess` - -This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied. - -- Required: No -- Type: string -- Default: `'Enabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the network rule set. | -| `resourceGroupName` | string | The name of the resource group the network rule set was created in. | -| `resourceId` | string | The resource ID of the network rule set. | - -## Cross-referenced modules - -_None_ diff --git a/modules/relay/namespace/network-rule-set/main.bicep b/modules/relay/namespace/network-rule-set/main.bicep deleted file mode 100644 index b754849a66..0000000000 --- a/modules/relay/namespace/network-rule-set/main.bicep +++ /dev/null 
@@ -1,63 +0,0 @@ -metadata name = 'Relay Namespace Network Rules Sets' -metadata description = 'This module deploys a Relay Namespace Network Rule Set.' -metadata owner = 'Azure/module-maintainers' - -@description('Conditional. The name of the parent Relay Namespace for the Relay Network Rule Set. Required if the template is used in a standalone deployment.') -@minLength(6) -@maxLength(50) -param namespaceName string - -@allowed([ - 'Enabled' - 'Disabled' -]) -@description('Optional. This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied.') -param publicNetworkAccess string = 'Enabled' - -@allowed([ - 'Allow' - 'Deny' -]) -@description('Optional. Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used.') -param defaultAction string = 'Allow' - -@description('Optional. List of IpRules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny".') -param ipRules array = [] - -@description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource namespace 'Microsoft.Relay/namespaces@2021-11-01' existing = { - name: namespaceName -} - -resource networkRuleSet 'Microsoft.Relay/namespaces/networkRuleSets@2021-11-01' = { - name: 'default' - parent: namespace - properties: { - publicNetworkAccess: publicNetworkAccess - defaultAction: publicNetworkAccess == 'Disabled' ? null : (!empty(ipRules) ? 'Deny' : defaultAction) - ipRules: publicNetworkAccess == 'Disabled' ? null : ipRules - } -} - -@description('The name of the network rule set.') -output name string = networkRuleSet.name - -@description('The resource ID of the network rule set.') -output resourceId string = networkRuleSet.id - -@description('The name of the resource group the network rule set was created in.') -output resourceGroupName string = resourceGroup().name diff --git a/modules/relay/namespace/network-rule-set/main.json b/modules/relay/namespace/network-rule-set/main.json deleted file mode 100644 index c4f2128cf1..0000000000 --- a/modules/relay/namespace/network-rule-set/main.json +++ /dev/null 
@@ -1,109 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11855121384015754907" - }, - "name": "Relay Namespace Network Rules Sets", - "description": "This module deploys a Relay Namespace Network Rule Set.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "namespaceName": { - "type": "string", - "minLength": 6, - "maxLength": 50, - "metadata": { - "description": "Conditional. The name of the parent Relay Namespace for the Relay Network Rule Set. Required if the template is used in a standalone deployment." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. This determines if traffic is allowed over public network. Default is \"Enabled\". If set to \"Disabled\", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied." - } - }, - "defaultAction": { - "type": "string", - "defaultValue": "Allow", - "allowedValues": [ - "Allow", - "Deny" - ], - "metadata": { - "description": "Optional. Default Action for Network Rule Set. Default is \"Allow\". It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, it will be set to \"Deny\" if ipRules or virtualNetworkRules are being used." - } - }, - "ipRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of IpRules. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Relay/namespaces/networkRuleSets", - "apiVersion": "2021-11-01", - "name": "[format('{0}/{1}', parameters('namespaceName'), 'default')]", - "properties": { - "publicNetworkAccess": "[parameters('publicNetworkAccess')]", - "defaultAction": "[if(equals(parameters('publicNetworkAccess'), 'Disabled'), null(), if(not(empty(parameters('ipRules'))), 'Deny', parameters('defaultAction')))]", - "ipRules": "[if(equals(parameters('publicNetworkAccess'), 'Disabled'), null(), parameters('ipRules'))]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the network rule set." - }, - "value": "default" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the network rule set." - }, - "value": "[resourceId('Microsoft.Relay/namespaces/networkRuleSets', parameters('namespaceName'), 'default')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the network rule set was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/relay/namespace/network-rule-set/version.json b/modules/relay/namespace/network-rule-set/version.json deleted file mode 100644 index 9481fea58e..0000000000 --- a/modules/relay/namespace/network-rule-set/version.json +++ /dev/null 
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.2",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/relay/namespace/tests/e2e/defaults/main.test.bicep b/modules/relay/namespace/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index c35d68e568..0000000000
--- a/modules/relay/namespace/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-relay.namespaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'rnmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/relay/namespace/tests/e2e/max/dependencies.bicep b/modules/relay/namespace/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index cf1b2ab392..0000000000
--- a/modules/relay/namespace/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,60 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.servicebus.windows.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/relay/namespace/tests/e2e/max/main.test.bicep b/modules/relay/namespace/tests/e2e/max/main.test.bicep
deleted file mode 100644
index ef21d1c6bc..0000000000
--- a/modules/relay/namespace/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,192 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-relay.namespaces-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'rnmax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 
'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - skuName: 'Standard' - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - networkRuleSets: { - defaultAction: 'Deny' - trustedServiceAccessEnabled: true - virtualNetworkRules: [ - { - subnet: { - ignoreMissingVnetServiceEndpoint: true - id: nestedDependencies.outputs.subnetResourceId - } - } - ] - ipRules: [ - { - ipMask: '10.0.1.0/32' - action: 'Allow' - } - { - ipMask: '10.0.2.0/32' - action: 'Allow' - } - ] - } - authorizationRules: [ - { - name: 'RootManageSharedAccessKey' - rights: [ - 'Listen' - 'Manage' - 'Send' - ] - } - { - name: 'AnotherKey' - rights: [ - 'Listen' - 'Send' - ] - } - ] - hybridConnections: [ - { - name: '${namePrefix}${serviceShort}hc001' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - 
principalType: 'ServicePrincipal' - } - ] - userMetadata: '[{"key":"endpoint","value":"db-server.constoso.com:1433"}]' - } - ] - wcfRelays: [ - { - name: '${namePrefix}${serviceShort}wcf001' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - relayType: 'NetTcp' - } - ] - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - privateEndpoints: [ - { - service: 'namespace' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - } -}] diff --git a/modules/relay/namespace/tests/e2e/pe/dependencies.bicep b/modules/relay/namespace/tests/e2e/pe/dependencies.bicep deleted file mode 100644 index c63bafc918..0000000000 --- a/modules/relay/namespace/tests/e2e/pe/dependencies.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.servicebus.windows.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/relay/namespace/tests/e2e/pe/main.test.bicep b/modules/relay/namespace/tests/e2e/pe/main.test.bicep
deleted file mode 100644
index cc38c87c6f..0000000000
--- a/modules/relay/namespace/tests/e2e/pe/main.test.bicep
+++ /dev/null
@@ -1,73 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-relay.namespaces-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'rnpe' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - skuName: 'Standard' - privateEndpoints: [ - { - subnetResourceId: nestedDependencies.outputs.subnetResourceId - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - 
Role: 'DeploymentValidation' - } - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/relay/namespace/tests/e2e/waf-aligned/dependencies.bicep b/modules/relay/namespace/tests/e2e/waf-aligned/dependencies.bicep deleted file mode 100644 index cf1b2ab392..0000000000 --- a/modules/relay/namespace/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null 
@@ -1,60 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.servicebus.windows.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep b/modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index f4d56ac66e..0000000000
--- a/modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,175 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-relay.namespaces-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'rnwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 
'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - skuName: 'Standard' - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - networkRuleSets: { - defaultAction: 'Deny' - trustedServiceAccessEnabled: true - virtualNetworkRules: [ - { - subnet: { - ignoreMissingVnetServiceEndpoint: true - id: nestedDependencies.outputs.subnetResourceId - } - } - ] - ipRules: [ - { - ipMask: '10.0.1.0/32' - action: 'Allow' - } - { - ipMask: '10.0.2.0/32' - action: 'Allow' - } - ] - } - authorizationRules: [ - { - name: 'RootManageSharedAccessKey' - rights: [ - 'Listen' - 'Manage' - 'Send' - ] - } - { - name: 'AnotherKey' - rights: [ - 'Listen' - 'Send' - ] - } - ] - hybridConnections: [ - { - name: '${namePrefix}${serviceShort}hc001' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - userMetadata: '[{"key":"endpoint","value":"db-server.constoso.com:1433"}]' - } - ] - wcfRelays: [ - { - name: '${namePrefix}${serviceShort}wcf001' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - relayType: 'NetTcp' - } - ] - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: 
diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - privateEndpoints: [ - { - service: 'namespace' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - } -}] diff --git a/modules/relay/namespace/version.json b/modules/relay/namespace/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/relay/namespace/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/relay/namespace/wcf-relay/README.md b/modules/relay/namespace/wcf-relay/README.md deleted file mode 100644 index ed68177d9a..0000000000 --- a/modules/relay/namespace/wcf-relay/README.md +++ /dev/null 
@@ -1,276 +0,0 @@ -# Relay Namespace WCF Relays `[Microsoft.Relay/namespaces/wcfRelays]` - -This module deploys a Relay Namespace WCF Relay. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Relay/namespaces/wcfRelays` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces/wcfRelays) | -| `Microsoft.Relay/namespaces/wcfRelays/authorizationRules` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces/wcfRelays/authorizationRules) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the WCF Relay. | -| [`relayType`](#parameter-relaytype) | string | Type of WCF Relay. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`namespaceName`](#parameter-namespacename) | string | The name of the parent Relay Namespace for the WCF Relay. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`authorizationRules`](#parameter-authorizationrules) | array | Authorization Rules for the WCF Relay. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`lock`](#parameter-lock) | object | The lock settings of the service. 
| -| [`requiresClientAuthorization`](#parameter-requiresclientauthorization) | bool | A value indicating if this relay requires client authorization. | -| [`requiresTransportSecurity`](#parameter-requirestransportsecurity) | bool | A value indicating if this relay requires transport security. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`userMetadata`](#parameter-usermetadata) | string | User-defined string data for the WCF Relay. | - -### Parameter: `name` - -Name of the WCF Relay. - -- Required: Yes -- Type: string - -### Parameter: `relayType` - -Type of WCF Relay. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Http' - 'NetTcp' - ] - ``` - -### Parameter: `namespaceName` - -The name of the parent Relay Namespace for the WCF Relay. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `authorizationRules` - -Authorization Rules for the WCF Relay. - -- Required: No -- Type: array -- Default: - ```Bicep - [ - { - name: 'RootManageSharedAccessKey' - rights: [ - 'Listen' - 'Manage' - 'Send' - ] - } - { - name: 'defaultListener' - rights: [ - 'Listen' - ] - } - { - name: 'defaultSender' - rights: [ - 'Send' - ] - } - ] - ``` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. 
- -- Required: No -- Type: string - -### Parameter: `requiresClientAuthorization` - -A value indicating if this relay requires client authorization. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `requiresTransportSecurity` - -A value indicating if this relay requires transport security. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. 
| - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `userMetadata` - -User-defined string data for the WCF Relay. - -- Required: No -- Type: string -- Default: `''` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed wcf relay. | -| `resourceGroupName` | string | The resource group of the deployed wcf relay. | -| `resourceId` | string | The resource ID of the deployed wcf relay. | - -## Cross-referenced modules - -_None_ 
diff --git a/modules/relay/namespace/wcf-relay/authorization-rule/README.md b/modules/relay/namespace/wcf-relay/authorization-rule/README.md
deleted file mode 100644
index 387de82c37..0000000000
--- a/modules/relay/namespace/wcf-relay/authorization-rule/README.md
+++ /dev/null
@@ -1,96 +0,0 @@
-# WCF Relay Authorization Rules `[Microsoft.Relay/namespaces/wcfRelays/authorizationRules]`
-
-This module deploys a WCF Relay Authorization Rule.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Relay/namespaces/wcfRelays/authorizationRules` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces/wcfRelays/authorizationRules) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the authorization rule. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`namespaceName`](#parameter-namespacename) | string | The name of the parent Relay Namespace. Required if the template is used in a standalone deployment. |
-| [`wcfRelayName`](#parameter-wcfrelayname) | string | The name of the parent Relay Namespace WCF Relay. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`rights`](#parameter-rights) | array | The rights associated with the rule. |
-
-### Parameter: `name`
-
-The name of the authorization rule.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `namespaceName`
-
-The name of the parent Relay Namespace. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `wcfRelayName`
-
-The name of the parent Relay Namespace WCF Relay. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `rights`
-
-The rights associated with the rule.
-
-- Required: No
-- Type: array
-- Default: `[]`
-- Allowed:
- ```Bicep
- [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- ```
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the authorization rule. |
-| `resourceGroupName` | string | The name of the Resource Group the authorization rule was created in. |
-| `resourceId` | string | The Resource ID of the authorization rule. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/relay/namespace/wcf-relay/authorization-rule/main.bicep b/modules/relay/namespace/wcf-relay/authorization-rule/main.bicep
deleted file mode 100644
index 18313211c8..0000000000
--- a/modules/relay/namespace/wcf-relay/authorization-rule/main.bicep
+++ /dev/null
@@ -1,60 +0,0 @@
-metadata name = 'WCF Relay Authorization Rules'
-metadata description = 'This module deploys a WCF Relay Authorization Rule.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the authorization rule.')
-param name string
-
-@description('Conditional. The name of the parent Relay Namespace. Required if the template is used in a standalone deployment.')
-param namespaceName string
-
-@description('Conditional. The name of the parent Relay Namespace WCF Relay. Required if the template is used in a standalone deployment.')
-param wcfRelayName string
-
-@description('Optional. The rights associated with the rule.')
-@allowed([
- 'Listen'
- 'Manage'
- 'Send'
-])
-param rights array = []
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource namespace 'Microsoft.Relay/namespaces@2021-11-01' existing = {
- name: namespaceName
-
- resource wcfRelay 'wcfRelays@2021-11-01' existing = {
- name: wcfRelayName
- }
-}
-
-resource authorizationRule 'Microsoft.Relay/namespaces/wcfRelays/authorizationRules@2021-11-01' = {
- name: name
- parent: namespace::wcfRelay
- properties: {
- rights: rights
- }
-}
-
-@description('The name of the authorization rule.')
-output name string = authorizationRule.name
-
-@description('The Resource ID of the authorization rule.')
-output resourceId string = authorizationRule.id
-
-@description('The name of the Resource Group the authorization rule was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/relay/namespace/wcf-relay/authorization-rule/main.json b/modules/relay/namespace/wcf-relay/authorization-rule/main.json
deleted file mode 100644
index 2734867f0e..0000000000
--- a/modules/relay/namespace/wcf-relay/authorization-rule/main.json
+++ /dev/null
@@ -1,100 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5333168181360876794" - }, - "name": "WCF Relay Authorization Rules", - "description": "This module deploys a WCF Relay Authorization Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the authorization rule." - } - }, - "namespaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Relay Namespace. Required if the template is used in a standalone deployment." - } - }, - "wcfRelayName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Relay Namespace WCF Relay. Required if the template is used in a standalone deployment." - } - }, - "rights": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "Listen", - "Manage", - "Send" - ], - "metadata": { - "description": "Optional. The rights associated with the rule." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Relay/namespaces/wcfRelays/authorizationRules", - "apiVersion": "2021-11-01", - "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('wcfRelayName'), parameters('name'))]", - "properties": { - "rights": "[parameters('rights')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the authorization rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The Resource ID of the authorization rule." - }, - "value": "[resourceId('Microsoft.Relay/namespaces/wcfRelays/authorizationRules', parameters('namespaceName'), parameters('wcfRelayName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the authorization rule was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/relay/namespace/wcf-relay/authorization-rule/version.json b/modules/relay/namespace/wcf-relay/authorization-rule/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/relay/namespace/wcf-relay/authorization-rule/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/relay/namespace/wcf-relay/main.bicep b/modules/relay/namespace/wcf-relay/main.bicep
deleted file mode 100644
index f5a030cfa5..0000000000
--- a/modules/relay/namespace/wcf-relay/main.bicep
+++ /dev/null
@@ -1,180 +0,0 @@ -metadata name = 'Relay Namespace WCF Relays' -metadata description = 'This module deploys a Relay Namespace WCF Relay.' -metadata owner = 'Azure/module-maintainers' - -@description('Conditional. The name of the parent Relay Namespace for the WCF Relay. Required if the template is used in a standalone deployment.') -@minLength(6) -@maxLength(50) -param namespaceName string - -@description('Required. Name of the WCF Relay.') -@minLength(6) -@maxLength(50) -param name string - -@allowed([ - 'Http' - 'NetTcp' -]) -@description('Required. Type of WCF Relay.') -param relayType string - -@description('Optional. A value indicating if this relay requires client authorization.') -param requiresClientAuthorization bool = true - -@description('Optional. A value indicating if this relay requires transport security.') -param requiresTransportSecurity bool = true - -@description('Optional. User-defined string data for the WCF Relay.') -param userMetadata string = '' - -@description('Optional. Authorization Rules for the WCF Relay.') -param authorizationRules array = [ - { - name: 'RootManageSharedAccessKey' - rights: [ - 'Listen' - 'Manage' - 'Send' - ] - } - { - name: 'defaultListener' - rights: [ - 'Listen' - ] - } - { - name: 'defaultSender' - rights: [ - 'Send' - ] - } -] - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var enableReferencedModulesTelemetry = false - -var builtInRoleNames = { - 'Azure Relay Listener': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26e0b698-aa6d-4085-9386-aadae190014d') - 'Azure Relay Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2787bf04-f1f5-4bfe-8383-c8a24483ee38') - 'Azure Relay Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26baccc8-eea7-41f1-98f4-1762cc7f685d') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource namespace 'Microsoft.Relay/namespaces@2021-11-01' existing = { - name: namespaceName -} - -resource wcfRelay 'Microsoft.Relay/namespaces/wcfRelays@2021-11-01' = { - name: name - parent: namespace - properties: { - relayType: relayType - requiresClientAuthorization: requiresClientAuthorization - requiresTransportSecurity: requiresTransportSecurity - userMetadata: 
!empty(userMetadata) ? userMetadata : null - } -} - -module wcfRelay_authorizationRules 'authorization-rule/main.bicep' = [for (authorizationRule, index) in authorizationRules: { - name: '${deployment().name}-AuthorizationRule-${index}' - params: { - namespaceName: namespaceName - wcfRelayName: wcfRelay.name - name: authorizationRule.name - rights: contains(authorizationRule, 'rights') ? authorizationRule.rights : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -resource wcfRelay_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' - } - scope: wcfRelay -} - -resource wcfRelay_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(wcfRelay.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? 
'2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: wcfRelay -}] - -@description('The name of the deployed wcf relay.') -output name string = wcfRelay.name - -@description('The resource ID of the deployed wcf relay.') -output resourceId string = wcfRelay.id - -@description('The resource group of the deployed wcf relay.') -output resourceGroupName string = resourceGroup().name - -// =============== // -// Definitions // -// =============== // - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? 
diff --git a/modules/relay/namespace/wcf-relay/main.json b/modules/relay/namespace/wcf-relay/main.json
deleted file mode 100644
index bbe1de970b..0000000000
--- a/modules/relay/namespace/wcf-relay/main.json
+++ /dev/null
@@ -1,445 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15802304453622016892" - }, - "name": "Relay Namespace WCF Relays", - "description": "This module deploys a Relay Namespace WCF Relay.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "namespaceName": { - "type": "string", - "minLength": 6, - "maxLength": 50, - "metadata": { - "description": "Conditional. The name of the parent Relay Namespace for the WCF Relay. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "minLength": 6, - "maxLength": 50, - "metadata": { - "description": "Required. Name of the WCF Relay." - } - }, - "relayType": { - "type": "string", - "allowedValues": [ - "Http", - "NetTcp" - ], - "metadata": { - "description": "Required. Type of WCF Relay." - } - }, - "requiresClientAuthorization": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. A value indicating if this relay requires client authorization." - } - }, - "requiresTransportSecurity": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. A value indicating if this relay requires transport security." - } - }, - "userMetadata": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. User-defined string data for the WCF Relay." 
- } - }, - "authorizationRules": { - "type": "array", - "defaultValue": [ - { - "name": "RootManageSharedAccessKey", - "rights": [ - "Listen", - "Manage", - "Send" - ] - }, - { - "name": "defaultListener", - "rights": [ - "Listen" - ] - }, - { - "name": "defaultSender", - "rights": [ - "Send" - ] - } - ], - "metadata": { - "description": "Optional. Authorization Rules for the WCF Relay." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Azure Relay Listener": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26e0b698-aa6d-4085-9386-aadae190014d')]", - "Azure Relay Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2787bf04-f1f5-4bfe-8383-c8a24483ee38')]", - "Azure Relay Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26baccc8-eea7-41f1-98f4-1762cc7f685d')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "namespace": { - "existing": true, - "type": "Microsoft.Relay/namespaces", - "apiVersion": "2021-11-01", - "name": "[parameters('namespaceName')]" - }, - "wcfRelay": { - "type": "Microsoft.Relay/namespaces/wcfRelays", - "apiVersion": "2021-11-01", - "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", - "properties": { - "relayType": "[parameters('relayType')]", - "requiresClientAuthorization": "[parameters('requiresClientAuthorization')]", - "requiresTransportSecurity": "[parameters('requiresTransportSecurity')]", - "userMetadata": "[if(not(empty(parameters('userMetadata'))), parameters('userMetadata'), null())]" - }, - "dependsOn": [ - "namespace" - ] - }, - "wcfRelay_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Relay/namespaces/{0}/wcfRelays/{1}', parameters('namespaceName'), parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the 
resource or child resources.')]" - }, - "dependsOn": [ - "wcfRelay" - ] - }, - "wcfRelay_roleAssignments": { - "copy": { - "name": "wcfRelay_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Relay/namespaces/{0}/wcfRelays/{1}', parameters('namespaceName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Relay/namespaces/wcfRelays', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "wcfRelay" - ] - }, - "wcfRelay_authorizationRules": { - "copy": { - "name": "wcfRelay_authorizationRules", - "count": "[length(parameters('authorizationRules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AuthorizationRule-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "namespaceName": { - "value": "[parameters('namespaceName')]" - }, - "wcfRelayName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('authorizationRules')[copyIndex()].name]" - }, - "rights": "[if(contains(parameters('authorizationRules')[copyIndex()], 'rights'), createObject('value', parameters('authorizationRules')[copyIndex()].rights), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5333168181360876794" - }, - "name": "WCF Relay Authorization Rules", - "description": "This module deploys a WCF Relay Authorization Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the authorization rule." - } - }, - "namespaceName": { - "type": "string", - "metadata": { - "description": "Conditional. 
The name of the parent Relay Namespace. Required if the template is used in a standalone deployment." - } - }, - "wcfRelayName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Relay Namespace WCF Relay. Required if the template is used in a standalone deployment." - } - }, - "rights": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "Listen", - "Manage", - "Send" - ], - "metadata": { - "description": "Optional. The rights associated with the rule." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Relay/namespaces/wcfRelays/authorizationRules", - "apiVersion": "2021-11-01", - "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('wcfRelayName'), parameters('name'))]", - "properties": { - "rights": "[parameters('rights')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the authorization rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The Resource ID of the authorization rule." 
- }, - "value": "[resourceId('Microsoft.Relay/namespaces/wcfRelays/authorizationRules', parameters('namespaceName'), parameters('wcfRelayName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the authorization rule was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "wcfRelay" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed wcf relay." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed wcf relay." - }, - "value": "[resourceId('Microsoft.Relay/namespaces/wcfRelays', parameters('namespaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed wcf relay." - }, - "value": "[resourceGroup().name]" - } - } -}
\ No newline at end of file
diff --git a/modules/relay/namespace/wcf-relay/version.json b/modules/relay/namespace/wcf-relay/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/relay/namespace/wcf-relay/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/resource-graph/query/MOVED-TO-AVM.md b/modules/resource-graph/query/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/resource-graph/query/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/resource-graph/query/README.md b/modules/resource-graph/query/README.md
index 945f6692f6..b6e41107ba 100644
--- a/modules/resource-graph/query/README.md
+++ b/modules/resource-graph/query/README.md
@@ -1,482 +1,7 @@
-# Resource Graph Queries `[Microsoft.ResourceGraph/queries]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/resource-graph/query](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/resource-graph/query).** -This module deploys a Resource Graph Query. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/resource-graph/query). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.ResourceGraph/queries` | [2018-09-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ResourceGraph/2018-09-01-preview/queries) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/resource-graph.query:1.0.0`. 
- -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module query 'br:bicep/modules/resource-graph.query:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-rgqmin' - params: { - // Required parameters - name: 'rgqmin001' - query: 'resources | take 10' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "rgqmin001" - }, - "query": { - "value": "resources | take 10" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module query 'br:bicep/modules/resource-graph.query:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-rgqmax' - params: { - // Required parameters - name: 'rgqmax001' - query: 'resources | take 10' - // Non-required parameters - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - queryDescription: 'An example query to list first 10 resources in the subscription.' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "rgqmax001" - }, - "query": { - "value": "resources | take 10" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "queryDescription": { - "value": "An example query to list first 10 resources in the subscription." - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module query 'br:bicep/modules/resource-graph.query:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-rgqwaf' - params: { - // Required parameters - name: 'rgqwaf001' - query: 'resources | take 10' - // Non-required parameters - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - queryDescription: 'An example query to list first 10 resources in the subscription.' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "rgqwaf001" - }, - "query": { - "value": "resources | take 10" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "queryDescription": { - "value": "An example query to list first 10 resources in the subscription." - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Resource Graph Query. | -| [`query`](#parameter-query) | string | KQL query that will be graph. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`queryDescription`](#parameter-querydescription) | string | The description of a graph query. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `name` - -Name of the Resource Graph Query. - -- Required: Yes -- Type: string - -### Parameter: `query` - -KQL query that will be graph. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. 
- -- Required: No -- Type: string - -### Parameter: `queryDescription` - -The description of a graph query. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the query. | -| `resourceGroupName` | string | The resource group the query was deployed into. | -| `resourceId` | string | The resource ID of the query. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). 
diff --git a/modules/resource-graph/query/main.bicep b/modules/resource-graph/query/main.bicep
deleted file mode 100644
index 229c82e68c..0000000000
--- a/modules/resource-graph/query/main.bicep
+++ /dev/null
@@ -1,127 +0,0 @@
-metadata name = 'Resource Graph Queries'
-metadata description = 'This module deploys a Resource Graph Query.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the Resource Graph Query.')
-param name string
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Required. KQL query that will be graph.')
-param query string
-
-@description('Optional. The description of a graph query.')
-param queryDescription string = ''
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource rgQuery 'Microsoft.ResourceGraph/queries@2018-09-01-preview' = {
- name: name
- location: location
- tags: tags
- properties: {
- query: query
- description: queryDescription
- }
-}
-
-resource rgQuery_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: rgQuery
-}
-
-resource rgQuery_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(rgQuery.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: rgQuery
-}]
-
-@description('The name of the query.')
-output name string = rgQuery.name
-
-@description('The resource ID of the query.')
-output resourceId string = rgQuery.id
-
-@description('The resource group the query was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = rgQuery.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/resource-graph/query/main.json b/modules/resource-graph/query/main.json
deleted file mode 100644
index f267077d80..0000000000
--- a/modules/resource-graph/query/main.json
+++ /dev/null
@@ -1,264 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11112562742135242475" - }, - "name": "Resource Graph Queries", - "description": "This module deploys a Resource Graph Query.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Resource Graph Query." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "query": { - "type": "string", - "metadata": { - "description": "Required. KQL query that will be graph." - } - }, - "queryDescription": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of a graph query." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "rgQuery": { - "type": "Microsoft.ResourceGraph/queries", - "apiVersion": "2018-09-01-preview", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "query": "[parameters('query')]", - "description": "[parameters('queryDescription')]" - } - }, - "rgQuery_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.ResourceGraph/queries/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - 
"properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "rgQuery" - ] - }, - "rgQuery_roleAssignments": { - "copy": { - "name": "rgQuery_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.ResourceGraph/queries/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.ResourceGraph/queries', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "rgQuery" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the query." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the query." - }, - "value": "[resourceId('Microsoft.ResourceGraph/queries', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the query was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('rgQuery', '2018-09-01-preview', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/resource-graph/query/tests/e2e/defaults/main.test.bicep b/modules/resource-graph/query/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 8a0db8fccb..0000000000 --- a/modules/resource-graph/query/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,50 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-resourcegraph.queries-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'rgqmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- query: 'resources | take 10'
- }
-}]
diff --git a/modules/resource-graph/query/tests/e2e/max/dependencies.bicep b/modules/resource-graph/query/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/resource-graph/query/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/resource-graph/query/tests/e2e/max/main.test.bicep b/modules/resource-graph/query/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 93f3005086..0000000000
--- a/modules/resource-graph/query/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,85 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-resourcegraph.queries-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'rgqmax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: 
nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - query: 'resources | take 10' - queryDescription: 'An example query to list first 10 resources in the subscription.' - } -}] diff --git a/modules/resource-graph/query/tests/e2e/waf-aligned/dependencies.bicep b/modules/resource-graph/query/tests/e2e/waf-aligned/dependencies.bicep deleted file mode 100644 index a7f42aee7b..0000000000 --- a/modules/resource-graph/query/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null @@ -1,13 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep b/modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep deleted file mode 100644 index 893732aaee..0000000000 --- a/modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep +++ /dev/null 
@@ -1,68 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-resourcegraph.queries-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'rgqwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - 'hidden-title': 'This is visible in the 
resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - query: 'resources | take 10' - queryDescription: 'An example query to list first 10 resources in the subscription.' - } -}] diff --git a/modules/resource-graph/query/version.json b/modules/resource-graph/query/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/resource-graph/query/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/resources/deployment-script/MOVED-TO-AVM.md b/modules/resources/deployment-script/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/resources/deployment-script/MOVED-TO-AVM.md +++ /dev/null @@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/resources/deployment-script/README.md b/modules/resources/deployment-script/README.md index db255db9f7..e6cffd8c0d 100644 --- a/modules/resources/deployment-script/README.md +++ b/modules/resources/deployment-script/README.md @@ -1,544 +1,7 @@ -# Deployment Scripts `[Microsoft.Resources/deploymentScripts]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/resources/deployment-script](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/resources/deployment-script).** -This module deploys a Deployment Script. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/resources/deployment-script). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Resources/deploymentScripts` | [2020-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-10-01/deploymentScripts) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/resources.deployment-script:1.0.0`. - -- [Cli](#example-1-cli) -- [Ps](#example-2-ps) - -### Example 1: _Cli_ - -
- -via Bicep module - -```bicep -module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-rdscli' - params: { - // Required parameters - name: 'rdscli001' - // Non-required parameters - azCliVersion: '2.40.0' - cleanupPreference: 'Always' - enableDefaultTelemetry: '' - environmentVariables: { - secureList: [ - { - name: 'var1' - value: 'test' - } - { - name: 'var2' - secureValue: '' - } - ] - } - kind: 'AzureCLI' - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - retentionInterval: 'P1D' - runOnce: false - scriptContent: 'echo \'echo echo echo\'' - storageAccountResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - timeout: 'PT30M' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "rdscli001" - }, - // Non-required parameters - "azCliVersion": { - "value": "2.40.0" - }, - "cleanupPreference": { - "value": "Always" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "environmentVariables": { - "value": { - "secureList": [ - { - "name": "var1", - "value": "test" - }, - { - "name": "var2", - "secureValue": "" - } - ] - } - }, - "kind": { - "value": "AzureCLI" - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "retentionInterval": { - "value": "P1D" - }, - "runOnce": { - "value": false - }, - "scriptContent": { - "value": "echo \"echo echo echo\"" - }, - "storageAccountResourceId": { - "value": "" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "timeout": { - "value": "PT30M" - } - } -} -``` - -
-

- -### Example 2: _Ps_ - -

- -via Bicep module - -```bicep -module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-rdsps' - params: { - // Required parameters - name: 'rdsps001' - // Non-required parameters - azPowerShellVersion: '8.0' - cleanupPreference: 'Always' - enableDefaultTelemetry: '' - kind: 'AzurePowerShell' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - retentionInterval: 'P1D' - runOnce: false - scriptContent: 'Write-Host \'The cake is a lie!\'' - storageAccountResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - timeout: 'PT30M' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "rdsps001" - }, - // Non-required parameters - "azPowerShellVersion": { - "value": "8.0" - }, - "cleanupPreference": { - "value": "Always" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "kind": { - "value": "AzurePowerShell" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "retentionInterval": { - "value": "P1D" - }, - "runOnce": { - "value": false - }, - "scriptContent": { - "value": "Write-Host \"The cake is a lie!\"" - }, - "storageAccountResourceId": { - "value": "" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "timeout": { - "value": "PT30M" - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Display name of the script to be run. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`arguments`](#parameter-arguments) | string | Command-line arguments to pass to the script. Arguments are separated by spaces. | -| [`azCliVersion`](#parameter-azcliversion) | string | Azure CLI module version to be used. | -| [`azPowerShellVersion`](#parameter-azpowershellversion) | string | Azure PowerShell module version to be used. | -| [`cleanupPreference`](#parameter-cleanuppreference) | string | The clean up preference when the script execution gets in a terminal state. Specify the preference on when to delete the deployment script resources. The default value is Always, which means the deployment script resources are deleted despite the terminal state (Succeeded, Failed, canceled). | -| [`containerGroupName`](#parameter-containergroupname) | string | Container group name, if not specified then the name will get auto-generated. Not specifying a 'containerGroupName' indicates the system to generate a unique name which might end up flagging an Azure Policy as non-compliant. Use 'containerGroupName' when you have an Azure Policy that expects a specific naming convention or when you want to fully control the name. 'containerGroupName' property must be between 1 and 63 characters long, must contain only lowercase letters, numbers, and dashes and it cannot start or end with a dash and consecutive dashes are not allowed. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`environmentVariables`](#parameter-environmentvariables) | secureObject | The environment variables to pass over to the script. 
The list is passed as an object with a key name "secureList" and the value is the list of environment variables (array). The list must have a 'name' and a 'value' or a 'secretValue' property for each object. | -| [`kind`](#parameter-kind) | string | Type of the script. AzurePowerShell, AzureCLI. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`primaryScriptUri`](#parameter-primaryscripturi) | string | Uri for the external script. This is the entry point for the external script. To run an internal script, use the scriptContent instead. | -| [`retentionInterval`](#parameter-retentioninterval) | string | Interval for which the service retains the script resource after it reaches a terminal state. Resource will be deleted when this duration expires. Duration is based on ISO 8601 pattern (for example P7D means one week). | -| [`runOnce`](#parameter-runonce) | bool | When set to false, script will run every time the template is deployed. When set to true, the script will only run once. | -| [`scriptContent`](#parameter-scriptcontent) | string | Script body. Max length: 32000 characters. To run an external script, use primaryScriptURI instead. | -| [`storageAccountResourceId`](#parameter-storageaccountresourceid) | string | The resource ID of the storage account to use for this deployment script. If none is provided, the deployment script uses a temporary, managed storage account. | -| [`supportingScriptUris`](#parameter-supportingscripturis) | array | List of supporting files for the external script (defined in primaryScriptUri). Does not work with internal scripts (code defined in scriptContent). | -| [`tags`](#parameter-tags) | object | Tags of the resource. 
| -| [`timeout`](#parameter-timeout) | string | Maximum allowed script execution time specified in ISO 8601 format. Default value is PT1H - 1 hour; 'PT30M' - 30 minutes; 'P5D' - 5 days; 'P1Y' 1 year. | - -**Generated parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`baseTime`](#parameter-basetime) | string | Do not provide a value! This date value is used to make sure the script run every time the template is deployed. | - -### Parameter: `name` - -Display name of the script to be run. - -- Required: Yes -- Type: string - -### Parameter: `arguments` - -Command-line arguments to pass to the script. Arguments are separated by spaces. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `azCliVersion` - -Azure CLI module version to be used. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `azPowerShellVersion` - -Azure PowerShell module version to be used. - -- Required: No -- Type: string -- Default: `'3.0'` - -### Parameter: `cleanupPreference` - -The clean up preference when the script execution gets in a terminal state. Specify the preference on when to delete the deployment script resources. The default value is Always, which means the deployment script resources are deleted despite the terminal state (Succeeded, Failed, canceled). - -- Required: No -- Type: string -- Default: `'Always'` -- Allowed: - ```Bicep - [ - 'Always' - 'OnExpiration' - 'OnSuccess' - ] - ``` - -### Parameter: `containerGroupName` - -Container group name, if not specified then the name will get auto-generated. Not specifying a 'containerGroupName' indicates the system to generate a unique name which might end up flagging an Azure Policy as non-compliant. Use 'containerGroupName' when you have an Azure Policy that expects a specific naming convention or when you want to fully control the name. 
'containerGroupName' property must be between 1 and 63 characters long, must contain only lowercase letters, numbers, and dashes and it cannot start or end with a dash and consecutive dashes are not allowed. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `environmentVariables` - -The environment variables to pass over to the script. The list is passed as an object with a key name "secureList" and the value is the list of environment variables (array). The list must have a 'name' and a 'value' or a 'secretValue' property for each object. - -- Required: No -- Type: secureObject -- Default: `{}` - -### Parameter: `kind` - -Type of the script. AzurePowerShell, AzureCLI. - -- Required: No -- Type: string -- Default: `'AzurePowerShell'` -- Allowed: - ```Bicep - [ - 'AzureCLI' - 'AzurePowerShell' - ] - ``` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. 
- -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: Yes -- Type: array - -### Parameter: `primaryScriptUri` - -Uri for the external script. This is the entry point for the external script. To run an internal script, use the scriptContent instead. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `retentionInterval` - -Interval for which the service retains the script resource after it reaches a terminal state. Resource will be deleted when this duration expires. Duration is based on ISO 8601 pattern (for example P7D means one week). - -- Required: No -- Type: string -- Default: `'P1D'` - -### Parameter: `runOnce` - -When set to false, script will run every time the template is deployed. When set to true, the script will only run once. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `scriptContent` - -Script body. Max length: 32000 characters. To run an external script, use primaryScriptURI instead. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `storageAccountResourceId` - -The resource ID of the storage account to use for this deployment script. If none is provided, the deployment script uses a temporary, managed storage account. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `supportingScriptUris` - -List of supporting files for the external script (defined in primaryScriptUri). Does not work with internal scripts (code defined in scriptContent). - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `tags` - -Tags of the resource. 
- -- Required: No -- Type: object - -### Parameter: `timeout` - -Maximum allowed script execution time specified in ISO 8601 format. Default value is PT1H - 1 hour; 'PT30M' - 30 minutes; 'P5D' - 5 days; 'P1Y' 1 year. - -- Required: No -- Type: string -- Default: `'PT1H'` - -### Parameter: `baseTime` - -Do not provide a value! This date value is used to make sure the script run every time the template is deployed. - -- Required: No -- Type: string -- Default: `[utcNow('yyyy-MM-dd-HH-mm-ss')]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployment script. | -| `outputs` | object | The output of the deployment script. | -| `resourceGroupName` | string | The resource group the deployment script was deployed into. | -| `resourceId` | string | The resource ID of the deployment script. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/resources/deployment-script/main.bicep b/modules/resources/deployment-script/main.bicep deleted file mode 100644 index 6b4c04b8ab..0000000000 --- a/modules/resources/deployment-script/main.bicep +++ /dev/null 
@@ -1,168 +0,0 @@
-metadata name = 'Deployment Scripts'
-metadata description = 'This module deploys a Deployment Script.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Display name of the script to be run.')
-param name string
-
-@description('Optional. The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Type of the script. AzurePowerShell, AzureCLI.')
-@allowed([
- 'AzurePowerShell'
- 'AzureCLI'
-])
-param kind string = 'AzurePowerShell'
-
-@description('Optional. Azure PowerShell module version to be used.')
-param azPowerShellVersion string = '3.0'
-
-@description('Optional. Azure CLI module version to be used.')
-param azCliVersion string = ''
-
-@description('Optional. Script body. Max length: 32000 characters. To run an external script, use primaryScriptURI instead.')
-param scriptContent string = ''
-
-@description('Optional. Uri for the external script. This is the entry point for the external script. To run an internal script, use the scriptContent instead.')
-param primaryScriptUri string = ''
-
-@description('Optional. The environment variables to pass over to the script. The list is passed as an object with a key name "secureList" and the value is the list of environment variables (array). The list must have a \'name\' and a \'value\' or a \'secretValue\' property for each object.')
-@secure()
-param environmentVariables object = {}
-
-@description('Optional. List of supporting files for the external script (defined in primaryScriptUri). Does not work with internal scripts (code defined in scriptContent).')
-param supportingScriptUris array = []
-
-@description('Optional. Command-line arguments to pass to the script. Arguments are separated by spaces.')
-param arguments string = ''
-
-@description('Optional. Interval for which the service retains the script resource after it reaches a terminal state. Resource will be deleted when this duration expires. Duration is based on ISO 8601 pattern (for example P7D means one week).')
-param retentionInterval string = 'P1D'
-
-@description('Optional. When set to false, script will run every time the template is deployed. When set to true, the script will only run once.')
-param runOnce bool = false
-
-@description('Optional. The clean up preference when the script execution gets in a terminal state. Specify the preference on when to delete the deployment script resources. The default value is Always, which means the deployment script resources are deleted despite the terminal state (Succeeded, Failed, canceled).')
-@allowed([
- 'Always'
- 'OnSuccess'
- 'OnExpiration'
-])
-param cleanupPreference string = 'Always'
-
-@description('Optional. Container group name, if not specified then the name will get auto-generated. Not specifying a \'containerGroupName\' indicates the system to generate a unique name which might end up flagging an Azure Policy as non-compliant. Use \'containerGroupName\' when you have an Azure Policy that expects a specific naming convention or when you want to fully control the name. \'containerGroupName\' property must be between 1 and 63 characters long, must contain only lowercase letters, numbers, and dashes and it cannot start or end with a dash and consecutive dashes are not allowed.')
-param containerGroupName string = ''
-
-@description('Optional. The resource ID of the storage account to use for this deployment script. If none is provided, the deployment script uses a temporary, managed storage account.')
-param storageAccountResourceId string = ''
-
-@description('Optional. Maximum allowed script execution time specified in ISO 8601 format. Default value is PT1H - 1 hour; \'PT30M\' - 30 minutes; \'P5D\' - 5 days; \'P1Y\' 1 year.')
-param timeout string = 'PT1H'
-
-@description('Generated. Do not provide a value! This date value is used to make sure the script run every time the template is deployed.')
-param baseTime string = utcNow('yyyy-MM-dd-HH-mm-ss')
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var containerSettings = {
- containerGroupName: containerGroupName
-}
-
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-
-var identity = !empty(managedIdentities) ? {
- type: !empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null
- userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
-} : null
-
-var storageAccountSettings = !empty(storageAccountResourceId) ? {
- storageAccountKey: listKeys(storageAccountResourceId, '2019-06-01').keys[0].value
- storageAccountName: last(split(storageAccountResourceId, '/'))
-} : {}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource deploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
- name: name
- location: location
- tags: tags
- identity: identity
- kind: any(kind)
- properties: {
- azPowerShellVersion: kind == 'AzurePowerShell' ? azPowerShellVersion : null
- azCliVersion: kind == 'AzureCLI' ? azCliVersion : null
- containerSettings: !empty(containerGroupName) ? containerSettings : null
- storageAccountSettings: !empty(storageAccountResourceId) ? storageAccountSettings : null
- arguments: arguments
- environmentVariables: !empty(environmentVariables) ? environmentVariables.secureList : []
- scriptContent: !empty(scriptContent) ? scriptContent : null
- primaryScriptUri: !empty(primaryScriptUri) ? primaryScriptUri : null
- supportingScriptUris: !empty(supportingScriptUris) ? supportingScriptUris : null
- cleanupPreference: cleanupPreference
- forceUpdateTag: runOnce ? resourceGroup().name : baseTime
- retentionInterval: retentionInterval
- timeout: timeout
- }
-}
-
-resource deploymentScript_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: deploymentScript
-}
-
-@description('The resource ID of the deployment script.')
-output resourceId string = deploymentScript.id
-
-@description('The resource group the deployment script was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the deployment script.')
-output name string = deploymentScript.name
-
-@description('The location the resource was deployed into.')
-output location string = deploymentScript.location
-
-@description('The output of the deployment script.')
-output outputs object = contains(deploymentScript.properties, 'outputs') ? deploymentScript.properties.outputs : {}
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
diff --git a/modules/resources/deployment-script/main.json b/modules/resources/deployment-script/main.json
deleted file mode 100644
index f72b45ddf1..0000000000
--- a/modules/resources/deployment-script/main.json
+++ /dev/null
@@ -1,310 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2886955369347843451" - }, - "name": "Deployment Scripts", - "description": "This module deploys a Deployment Script.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Display name of the script to be run." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "kind": { - "type": "string", - "defaultValue": "AzurePowerShell", - "allowedValues": [ - "AzurePowerShell", - "AzureCLI" - ], - "metadata": { - "description": "Optional. Type of the script. AzurePowerShell, AzureCLI." - } - }, - "azPowerShellVersion": { - "type": "string", - "defaultValue": "3.0", - "metadata": { - "description": "Optional. 
Azure PowerShell module version to be used." - } - }, - "azCliVersion": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Azure CLI module version to be used." - } - }, - "scriptContent": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Script body. Max length: 32000 characters. To run an external script, use primaryScriptURI instead." - } - }, - "primaryScriptUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Uri for the external script. This is the entry point for the external script. To run an internal script, use the scriptContent instead." - } - }, - "environmentVariables": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. The environment variables to pass over to the script. The list is passed as an object with a key name \"secureList\" and the value is the list of environment variables (array). The list must have a 'name' and a 'value' or a 'secretValue' property for each object." - } - }, - "supportingScriptUris": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of supporting files for the external script (defined in primaryScriptUri). Does not work with internal scripts (code defined in scriptContent)." - } - }, - "arguments": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Command-line arguments to pass to the script. Arguments are separated by spaces." - } - }, - "retentionInterval": { - "type": "string", - "defaultValue": "P1D", - "metadata": { - "description": "Optional. Interval for which the service retains the script resource after it reaches a terminal state. Resource will be deleted when this duration expires. Duration is based on ISO 8601 pattern (for example P7D means one week)." - } - }, - "runOnce": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. 
When set to false, script will run every time the template is deployed. When set to true, the script will only run once." - } - }, - "cleanupPreference": { - "type": "string", - "defaultValue": "Always", - "allowedValues": [ - "Always", - "OnSuccess", - "OnExpiration" - ], - "metadata": { - "description": "Optional. The clean up preference when the script execution gets in a terminal state. Specify the preference on when to delete the deployment script resources. The default value is Always, which means the deployment script resources are deleted despite the terminal state (Succeeded, Failed, canceled)." - } - }, - "containerGroupName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Container group name, if not specified then the name will get auto-generated. Not specifying a 'containerGroupName' indicates the system to generate a unique name which might end up flagging an Azure Policy as non-compliant. Use 'containerGroupName' when you have an Azure Policy that expects a specific naming convention or when you want to fully control the name. 'containerGroupName' property must be between 1 and 63 characters long, must contain only lowercase letters, numbers, and dashes and it cannot start or end with a dash and consecutive dashes are not allowed." - } - }, - "storageAccountResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of the storage account to use for this deployment script. If none is provided, the deployment script uses a temporary, managed storage account." - } - }, - "timeout": { - "type": "string", - "defaultValue": "PT1H", - "metadata": { - "description": "Optional. Maximum allowed script execution time specified in ISO 8601 format. Default value is PT1H - 1 hour; 'PT30M' - 30 minutes; 'P5D' - 5 days; 'P1Y' 1 year." 
- } - }, - "baseTime": { - "type": "string", - "defaultValue": "[utcNow('yyyy-MM-dd-HH-mm-ss')]", - "metadata": { - "description": "Generated. Do not provide a value! This date value is used to make sure the script run every time the template is deployed." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "containerSettings": { - "containerGroupName": "[parameters('containerGroupName')]" - }, - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null()), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]" - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - 
"contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "deploymentScript": { - "type": "Microsoft.Resources/deploymentScripts", - "apiVersion": "2020-10-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "kind": "[parameters('kind')]", - "properties": { - "azPowerShellVersion": "[if(equals(parameters('kind'), 'AzurePowerShell'), parameters('azPowerShellVersion'), null())]", - "azCliVersion": "[if(equals(parameters('kind'), 'AzureCLI'), parameters('azCliVersion'), null())]", - "containerSettings": "[if(not(empty(parameters('containerGroupName'))), variables('containerSettings'), null())]", - "storageAccountSettings": "[if(not(empty(parameters('storageAccountResourceId'))), if(not(empty(parameters('storageAccountResourceId'))), createObject('storageAccountKey', listKeys(parameters('storageAccountResourceId'), '2019-06-01').keys[0].value, 'storageAccountName', last(split(parameters('storageAccountResourceId'), '/'))), createObject()), null())]", - "arguments": "[parameters('arguments')]", - "environmentVariables": "[if(not(empty(parameters('environmentVariables'))), parameters('environmentVariables').secureList, createArray())]", - "scriptContent": "[if(not(empty(parameters('scriptContent'))), parameters('scriptContent'), null())]", - "primaryScriptUri": "[if(not(empty(parameters('primaryScriptUri'))), parameters('primaryScriptUri'), null())]", - "supportingScriptUris": "[if(not(empty(parameters('supportingScriptUris'))), parameters('supportingScriptUris'), null())]", - "cleanupPreference": "[parameters('cleanupPreference')]", - "forceUpdateTag": "[if(parameters('runOnce'), resourceGroup().name, parameters('baseTime'))]", - "retentionInterval": "[parameters('retentionInterval')]", - "timeout": "[parameters('timeout')]" - } - }, - "deploymentScript_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), 
not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Resources/deploymentScripts/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "deploymentScript" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployment script." - }, - "value": "[resourceId('Microsoft.Resources/deploymentScripts', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the deployment script was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployment script." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('deploymentScript', '2020-10-01', 'full').location]" - }, - "outputs": { - "type": "object", - "metadata": { - "description": "The output of the deployment script." - }, - "value": "[if(contains(reference('deploymentScript'), 'outputs'), reference('deploymentScript').outputs, createObject())]" - } - } -} \ No newline at end of file diff --git a/modules/resources/deployment-script/tests/e2e/cli/dependencies.bicep b/modules/resources/deployment-script/tests/e2e/cli/dependencies.bicep deleted file mode 100644 index eb7f2fdc8e..0000000000 --- a/modules/resources/deployment-script/tests/e2e/cli/dependencies.bicep +++ /dev/null 
@@ -1,28 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the managed identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
-}
-
-@description('The resource ID of the created managed identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created storage account.')
-output storageAccountResourceId string = storageAccount.id
diff --git a/modules/resources/deployment-script/tests/e2e/cli/main.test.bicep b/modules/resources/deployment-script/tests/e2e/cli/main.test.bicep
deleted file mode 100644
index 5f9fba41ac..0000000000
--- a/modules/resources/deployment-script/tests/e2e/cli/main.test.bicep
+++ /dev/null
@@ -1,85 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-resources.deploymentscripts-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'rdscli'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- storageAccountName: 'dep${namePrefix}st${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- azCliVersion: '2.40.0'
- cleanupPreference: 'Always'
- kind: 'AzureCLI'
- retentionInterval: 'P1D'
- runOnce: false
- scriptContent: 'echo \'echo echo echo\''
- storageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
- timeout: 'PT30M'
- managedIdentities: {
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- environmentVariables: {
- secureList: [
- {
- name: 'var1'
- value: 'test'
- }
- {
- name: 'var2'
- secureValue: guid(deployment().name)
- }
- ]
- }
- }
-}]
diff --git a/modules/resources/deployment-script/tests/e2e/ps/dependencies.bicep b/modules/resources/deployment-script/tests/e2e/ps/dependencies.bicep
deleted file mode 100644
index eb7f2fdc8e..0000000000
--- a/modules/resources/deployment-script/tests/e2e/ps/dependencies.bicep
+++ /dev/null
@@ -1,28 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the managed identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
-}
-
-@description('The resource ID of the created managed identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created storage account.')
-output storageAccountResourceId string = storageAccount.id
diff --git a/modules/resources/deployment-script/tests/e2e/ps/main.test.bicep b/modules/resources/deployment-script/tests/e2e/ps/main.test.bicep
deleted file mode 100644
index 2734b239f0..0000000000
--- a/modules/resources/deployment-script/tests/e2e/ps/main.test.bicep
+++ /dev/null
@@ -1,77 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-resources.deploymentscripts-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'rdsps'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- storageAccountName: 'dep${namePrefix}st${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- azPowerShellVersion: '8.0'
- cleanupPreference: 'Always'
- kind: 'AzurePowerShell'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- retentionInterval: 'P1D'
- runOnce: false
- scriptContent: 'Write-Host \'The cake is a lie!\''
- storageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
- timeout: 'PT30M'
- managedIdentities: {
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/resources/deployment-script/version.json b/modules/resources/deployment-script/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/resources/deployment-script/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/resources/resource-group/MOVED-TO-AVM.md b/modules/resources/resource-group/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/resources/resource-group/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/resources/resource-group/README.md b/modules/resources/resource-group/README.md
index 211775619c..c0e1e7e8fc 100644
--- a/modules/resources/resource-group/README.md
+++ b/modules/resources/resource-group/README.md
@@ -1,453 +1,7 @@
-# Resource Groups `[Microsoft.Resources/resourceGroups]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/resources/resource-group](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/resources/resource-group).** -This module deploys a Resource Group. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/resources/resource-group). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Resources/resourceGroups` | [2021-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Resources/2021-04-01/resourceGroups) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/resources.resource-group:1.0.0`. 
- -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module resourceGroup 'br:bicep/modules/resources.resource-group:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-rrgmin' - params: { - // Required parameters - name: 'rrgmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "rrgmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module resourceGroup 'br:bicep/modules/resources.resource-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-rrgmax' - params: { - // Required parameters - name: 'rrgmax001' - // Non-required parameters - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "rrgmax001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module resourceGroup 'br:bicep/modules/resources.resource-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-rrgwaf' - params: { - // Required parameters - name: 'rrgwaf001' - // Non-required parameters - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "rrgwaf001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the Resource Group. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location of the Resource Group. It uses the deployment's location when not provided. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedBy`](#parameter-managedby) | string | The ID of the resource that manages this resource group. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`tags`](#parameter-tags) | object | Tags of the storage account resource. | - -### Parameter: `name` - -The name of the Resource Group. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location of the Resource Group. It uses the deployment's location when not provided. - -- Required: No -- Type: string -- Default: `[deployment().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. 
- -- Required: No -- Type: string - -### Parameter: `managedBy` - -The ID of the resource that manages this resource group. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. 
- -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Tags of the storage account resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the resource group. | -| `resourceId` | string | The resource ID of the resource group. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). 
diff --git a/modules/resources/resource-group/main.bicep b/modules/resources/resource-group/main.bicep
deleted file mode 100644
index 7bb4f4cc20..0000000000
--- a/modules/resources/resource-group/main.bicep
+++ /dev/null
@@ -1,126 +0,0 @@ -metadata name = 'Resource Groups' -metadata description = 'This module deploys a Resource Group.' -metadata owner = 'Azure/module-maintainers' - -targetScope = 'subscription' - -@description('Required. The name of the Resource Group.') -param name string - -@description('Optional. Location of the Resource Group. It uses the deployment\'s location when not provided.') -param location string = deployment().location - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. Tags of the storage account resource.') -param tags object? - -@description('Optional. The ID of the resource that manages this resource group.') -param managedBy string = '' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Quota Request Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0e5f05e5-9ab9-446b-b98d-1e2157c94125') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Tag Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f') - 'Template Spec Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'1c9b6475-caf0-4164-b5a1-2142a7116f4b') - 'Template Spec Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '392ae280-861d-42bd-9ea5-08ee6d83b80e') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - location: location - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - location: location - name: name - tags: tags - managedBy: managedBy - properties: {} -} - -module resourceGroup_lock 'modules/nested_lock.bicep' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: '${uniqueString(deployment().name, location)}-RG-Lock' - params: { - lock: lock - name: resourceGroup.name - } - scope: resourceGroup -} - -resource resourceGroup_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(resourceGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? 
roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } -}] - -@description('The name of the resource group.') -output name string = resourceGroup.name - -@description('The resource ID of the resource group.') -output resourceId string = resourceGroup.id - -@description('The location the resource was deployed into.') -output location string = resourceGroup.location - -// =============== // -// Definitions // -// =============== // - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? diff --git a/modules/resources/resource-group/main.json b/modules/resources/resource-group/main.json deleted file mode 100644 index eccb25088a..0000000000 --- a/modules/resources/resource-group/main.json +++ /dev/null 
@@ -1,329 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4157027857802113569" - }, - "name": "Resource Groups", - "description": "This module deploys a Resource Group.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Resource Group." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location of the Resource Group. It uses the deployment's location when not provided." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the storage account resource." - } - }, - "managedBy": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The ID of the resource that manages this resource group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Quota Request Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0e5f05e5-9ab9-446b-b98d-1e2157c94125')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Tag Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", - "Template Spec Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c9b6475-caf0-4164-b5a1-2142a7116f4b')]", - "Template Spec Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '392ae280-861d-42bd-9ea5-08ee6d83b80e')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - 
"resourceGroup": { - "type": "Microsoft.Resources/resourceGroups", - "apiVersion": "2021-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "managedBy": "[parameters('managedBy')]", - "properties": {} - }, - "resourceGroup_roleAssignments": { - "copy": { - "name": "resourceGroup_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": 
"[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "resourceGroup" - ] - }, - "resourceGroup_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-RG-Lock', uniqueString(deployment().name, parameters('location')))]", - "resourceGroup": "[parameters('name')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "lock": { - "value": "[parameters('lock')]" - }, - "name": { - "value": "[parameters('name')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "3720705918360023027" - } - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - } - }, - "parameters": { - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." 
- } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Resource Group." - } - } - }, - "resources": { - "resourceGroup_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - } - } - } - } - }, - "dependsOn": [ - "resourceGroup" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the resource group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the resource group." - }, - "value": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('name'))]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('resourceGroup', '2021-04-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/resources/resource-group/modules/nested_lock.bicep b/modules/resources/resource-group/modules/nested_lock.bicep deleted file mode 100644 index 40ae513015..0000000000 --- a/modules/resources/resource-group/modules/nested_lock.bicep +++ /dev/null 
@@ -1,25 +0,0 @@
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Required. The name of the Resource Group.')
-param name string
-
-resource resourceGroup_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
-}
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
diff --git a/modules/resources/resource-group/tests/e2e/defaults/main.test.bicep b/modules/resources/resource-group/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index a36b5e90cc..0000000000
--- a/modules/resources/resource-group/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,30 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'rrgmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/resources/resource-group/tests/e2e/max/dependencies.bicep b/modules/resources/resource-group/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 8d9be85388..0000000000
--- a/modules/resources/resource-group/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,17 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
- tags: {
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/resources/resource-group/tests/e2e/max/main.test.bicep b/modules/resources/resource-group/tests/e2e/max/main.test.bicep
deleted file mode 100644
index e5d862b927..0000000000
--- a/modules/resources/resource-group/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,82 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-resources.resourcegroups-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'rrgmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/resources/resource-group/tests/e2e/waf-aligned/dependencies.bicep b/modules/resources/resource-group/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 8d9be85388..0000000000
--- a/modules/resources/resource-group/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,17 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
- tags: {
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep b/modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 27d87dc197..0000000000
--- a/modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,65 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-resources.resourcegroups-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'rrgwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/resources/resource-group/version.json b/modules/resources/resource-group/version.json
deleted file mode 100644
index 04a0dd1a80..0000000000
--- a/modules/resources/resource-group/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.5",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/resources/tags/README.md b/modules/resources/tags/README.md
index e117c4ec48..369b34d4ee 100644
--- a/modules/resources/tags/README.md
+++ b/modules/resources/tags/README.md
@@ -1,253 +1,7 @@
-# Resources Tags `[Microsoft.Resources/tags]`
+

⚠️ Retired ⚠️

-This module deploys a Resource Tag at a Subscription or Resource Group scope. +This module has been retired without a replacement in Azure Verified Modules ([AVM](https://aka.ms/AVM)). -## Navigation +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/resources/tags). -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Resources/tags` | [2021-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Resources/2021-04-01/tags) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/resources.tags:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Rg](#example-2-rg) -- [Sub](#example-3-sub) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module tags 'br:bicep/modules/resources.tags:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-rtmin' - params: { - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Rg_ - -

- -via Bicep module - -```bicep -module tags 'br:bicep/modules/resources.tags:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-rtrg' - params: { - enableDefaultTelemetry: '' - onlyUpdate: false - resourceGroupName: '' - tags: { - 'hidden-title': 'This is visible in the resource name' - Test: 'Yes' - TestToo: 'No' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "enableDefaultTelemetry": { - "value": "" - }, - "onlyUpdate": { - "value": false - }, - "resourceGroupName": { - "value": "" - }, - "tags": { - "value": { - "hidden-title": "This is visible in the resource name", - "Test": "Yes", - "TestToo": "No" - } - } - } -} -``` - -
-

- -### Example 3: _Sub_ - -

- -via Bicep module - -```bicep -module tags 'br:bicep/modules/resources.tags:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-rtsub' - params: { - enableDefaultTelemetry: '' - onlyUpdate: true - tags: { - 'hidden-title': 'This is visible in the resource name' - Test: 'Yes' - TestToo: 'No' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "enableDefaultTelemetry": { - "value": "" - }, - "onlyUpdate": { - "value": true - }, - "tags": { - "value": { - "hidden-title": "This is visible in the resource name", - "Test": "Yes", - "TestToo": "No" - } - } - } -} -``` - -
-

- - -## Parameters - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location deployment metadata. | -| [`onlyUpdate`](#parameter-onlyupdate) | bool | Instead of overwriting the existing tags, combine them with the new tags. | -| [`resourceGroupName`](#parameter-resourcegroupname) | string | Name of the Resource Group to assign the tags to. If no Resource Group name is provided, and Subscription ID is provided, the module deploys at subscription level, therefore assigns the provided tags to the subscription. | -| [`subscriptionId`](#parameter-subscriptionid) | string | Subscription ID of the subscription to assign the tags to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided tags to the subscription. | -| [`tags`](#parameter-tags) | object | Tags for the resource group. If not provided, removes existing tags. | - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location deployment metadata. - -- Required: No -- Type: string -- Default: `[deployment().location]` - -### Parameter: `onlyUpdate` - -Instead of overwriting the existing tags, combine them with the new tags. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `resourceGroupName` - -Name of the Resource Group to assign the tags to. If no Resource Group name is provided, and Subscription ID is provided, the module deploys at subscription level, therefore assigns the provided tags to the subscription. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `subscriptionId` - -Subscription ID of the subscription to assign the tags to. 
If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided tags to the subscription.
-
-- Required: No
-- Type: string
-- Default: `[subscription().id]`
-
-### Parameter: `tags`
-
-Tags for the resource group. If not provided, removes existing tags.
-
-- Required: No
-- Type: object
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the tags resource. |
-| `resourceId` | string | The resource ID of the applied tags. |
-| `tags` | object | The applied tags. |
-
-## Cross-referenced modules
-
-_None_
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/resources/tags/main.bicep b/modules/resources/tags/main.bicep
deleted file mode 100644
index 3d3abf0ce7..0000000000
--- a/modules/resources/tags/main.bicep
+++ /dev/null
@@ -1,67 +0,0 @@
-metadata name = 'Resources Tags'
-metadata description = 'This module deploys a Resource Tag at a Subscription or Resource Group scope.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'subscription'
-
-@description('Optional. Tags for the resource group. If not provided, removes existing tags.')
-param tags object?
-
-@description('Optional. Instead of overwriting the existing tags, combine them with the new tags.')
-param onlyUpdate bool = false
-
-@description('Optional. Name of the Resource Group to assign the tags to. If no Resource Group name is provided, and Subscription ID is provided, the module deploys at subscription level, therefore assigns the provided tags to the subscription.')
-param resourceGroupName string = ''
-
-@description('Optional. Subscription ID of the subscription to assign the tags to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided tags to the subscription.')
-param subscriptionId string = subscription().id
-
-@sys.description('Optional. Location deployment metadata.')
-param location string = deployment().location
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- location: location
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-module tags_sub 'subscription/main.bicep' = if (!empty(subscriptionId) && empty(resourceGroupName)) {
- name: '${deployment().name}-Tags-Sub'
- params: {
- onlyUpdate: onlyUpdate
- tags: tags
- location: location
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module tags_rg 'resource-group/main.bicep' = if (!empty(resourceGroupName) && !empty(subscriptionId)) {
- name: '${deployment().name}-Tags-RG'
- scope: resourceGroup(resourceGroupName)
- params: {
- onlyUpdate: onlyUpdate
- tags: tags
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-@description('The name of the tags resource.')
-output name string = (!empty(resourceGroupName) && !empty(subscriptionId)) ? tags_rg.outputs.name : tags_sub.outputs.name
-
-@description('The applied tags.')
-output tags object = (!empty(resourceGroupName) && !empty(subscriptionId)) ? tags_rg.outputs.tags : tags_sub.outputs.tags
-
-@description('The resource ID of the applied tags.')
-output resourceId string = (!empty(resourceGroupName) && !empty(subscriptionId)) ? tags_rg.outputs.resourceId : tags_sub.outputs.resourceId
diff --git a/modules/resources/tags/main.json b/modules/resources/tags/main.json
deleted file mode 100644
index 4e5126e625..0000000000
--- a/modules/resources/tags/main.json
+++ /dev/null
@@ -1,429 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15162198398682035947" - }, - "name": "Resources Tags", - "description": "This module deploys a Resource Tag at a Subscription or Resource Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags for the resource group. If not provided, removes existing tags." - } - }, - "onlyUpdate": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Instead of overwriting the existing tags, combine them with the new tags." - } - }, - "resourceGroupName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the Resource Group to assign the tags to. If no Resource Group name is provided, and Subscription ID is provided, the module deploys at subscription level, therefore assigns the provided tags to the subscription." - } - }, - "subscriptionId": { - "type": "string", - "defaultValue": "[subscription().id]", - "metadata": { - "description": "Optional. Subscription ID of the subscription to assign the tags to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided tags to the subscription." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "tags_sub": { - "condition": "[and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Tags-Sub', deployment().name)]", - "location": "[deployment().location]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "onlyUpdate": { - "value": "[parameters('onlyUpdate')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10898258701499103964" - }, - "name": "Resources Tags Subscription Scope", - "description": "This module deploys a Resource Tag on a Subscription scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags for the resource group. If not provided, removes existing tags." 
- } - }, - "onlyUpdate": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Instead of overwriting the existing tags, combine them with the new tags." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "tag": { - "type": "Microsoft.Resources/tags", - "apiVersion": "2021-04-01", - "name": "default", - "properties": { - "tags": "[if(parameters('onlyUpdate'), union(reference('readTags').outputs.existingTags.value, coalesce(parameters('tags'), createObject())), parameters('tags'))]" - }, - "dependsOn": [ - "readTags" - ] - }, - "readTags": { - "condition": "[parameters('onlyUpdate')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-ReadTags', deployment().name)]", - "location": "[deployment().location]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": 
"0.23.1.45101", - "templateHash": "15368390157759392588" - } - }, - "parameters": { - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the tags resource." - } - } - }, - "resources": [], - "outputs": { - "existingTags": { - "type": "object", - "metadata": { - "description": "Tags currently applied to the subscription level." - }, - "value": "[coalesce(tryGet(reference(subscriptionResourceId('Microsoft.Resources/tags', parameters('name')), '2021-04-01'), 'tags'), reference(subscriptionResourceId('Microsoft.Resources/tags', parameters('name')), '2021-04-01', 'full'))]" - } - } - } - } - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the tags resource." - }, - "value": "default" - }, - "tags": { - "type": "object", - "metadata": { - "description": "The applied tags." - }, - "value": "[coalesce(if(parameters('onlyUpdate'), union(reference('readTags').outputs.existingTags.value, coalesce(parameters('tags'), createObject())), parameters('tags')), createObject())]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the applied tags." 
- }, - "value": "[subscriptionResourceId('Microsoft.Resources/tags', 'default')]" - } - } - } - } - }, - "tags_rg": { - "condition": "[and(not(empty(parameters('resourceGroupName'))), not(empty(parameters('subscriptionId'))))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Tags-RG', deployment().name)]", - "resourceGroup": "[parameters('resourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "onlyUpdate": { - "value": "[parameters('onlyUpdate')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5948722293988001886" - }, - "name": "Resources Tags Resource Group", - "description": "This module deploys a Resource Tag on a Resource Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags for the resource group. If not provided, removes existing tags." - } - }, - "onlyUpdate": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Instead of overwriting the existing tags, combine them with the new tags." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "tag": { - "type": "Microsoft.Resources/tags", - "apiVersion": "2021-04-01", - "name": "default", - "properties": { - "tags": "[if(parameters('onlyUpdate'), union(reference('readTags').outputs.existingTags.value, coalesce(parameters('tags'), createObject())), parameters('tags'))]" - }, - "dependsOn": [ - "readTags" - ] - }, - "readTags": { - "condition": "[parameters('onlyUpdate')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-ReadTags', deployment().name)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "18223311450921971493" - } - }, - "parameters": { - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the tags resource." - } - } - }, - "resources": [], - "outputs": { - "existingTags": { - "type": "object", - "metadata": { - "description": "Tags currently applied to the subscription level." 
- }, - "value": "[coalesce(tryGet(reference(resourceId('Microsoft.Resources/tags', parameters('name')), '2019-10-01'), 'tags'), createObject())]" - } - } - } - } - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the tags resource." - }, - "value": "default" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the applied tags." - }, - "value": "[resourceId('Microsoft.Resources/tags', 'default')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the tags were applied to." - }, - "value": "[resourceGroup().name]" - }, - "tags": { - "type": "object", - "metadata": { - "description": "The applied tags." - }, - "value": "[reference('tag').tags]" - } - } - } - } - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the tags resource." - }, - "value": "[if(and(not(empty(parameters('resourceGroupName'))), not(empty(parameters('subscriptionId')))), reference('tags_rg').outputs.name.value, reference('tags_sub').outputs.name.value)]" - }, - "tags": { - "type": "object", - "metadata": { - "description": "The applied tags." - }, - "value": "[if(and(not(empty(parameters('resourceGroupName'))), not(empty(parameters('subscriptionId')))), reference('tags_rg').outputs.tags.value, reference('tags_sub').outputs.tags.value)]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the applied tags." - }, - "value": "[if(and(not(empty(parameters('resourceGroupName'))), not(empty(parameters('subscriptionId')))), reference('tags_rg').outputs.resourceId.value, reference('tags_sub').outputs.resourceId.value)]" - } - } -} \ No newline at end of file diff --git a/modules/resources/tags/resource-group/.bicep/readTags.bicep b/modules/resources/tags/resource-group/.bicep/readTags.bicep deleted file mode 100644 index e397d43574..0000000000 
--- a/modules/resources/tags/resource-group/.bicep/readTags.bicep
+++ /dev/null
@@ -1,9 +0,0 @@
-@description('Optional. The name of the tags resource.')
-param name string = 'default'
-
-resource tags 'Microsoft.Resources/tags@2019-10-01' existing = {
- name: name
-}
-
-@description('Tags currently applied to the subscription level.')
-output existingTags object = tags.properties.?tags ?? {}
diff --git a/modules/resources/tags/resource-group/README.md b/modules/resources/tags/resource-group/README.md
deleted file mode 100644
index bb606d2fb6..0000000000
--- a/modules/resources/tags/resource-group/README.md
+++ /dev/null
@@ -1,63 +0,0 @@
-# Resources Tags Resource Group `[Microsoft.Resources/tags]`
-
-This module deploys a Resource Tag on a Resource Group scope.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Resources/tags` | [2021-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Resources/2021-04-01/tags) |
-
-## Parameters
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`onlyUpdate`](#parameter-onlyupdate) | bool | Instead of overwriting the existing tags, combine them with the new tags. |
-| [`tags`](#parameter-tags) | object | Tags for the resource group. If not provided, removes existing tags. |
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `onlyUpdate`
-
-Instead of overwriting the existing tags, combine them with the new tags.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `tags`
-
-Tags for the resource group. If not provided, removes existing tags.
-
-- Required: No
-- Type: object
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the tags resource. |
-| `resourceGroupName` | string | The name of the resource group the tags were applied to. |
-| `resourceId` | string | The resource ID of the applied tags. |
-| `tags` | object | The applied tags. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/resources/tags/resource-group/main.bicep b/modules/resources/tags/resource-group/main.bicep
deleted file mode 100644
index aaf9058459..0000000000
--- a/modules/resources/tags/resource-group/main.bicep
+++ /dev/null
@@ -1,49 +0,0 @@
-metadata name = 'Resources Tags Resource Group'
-metadata description = 'This module deploys a Resource Tag on a Resource Group scope.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Optional. Tags for the resource group. If not provided, removes existing tags.')
-param tags object?
-
-@description('Optional. Instead of overwriting the existing tags, combine them with the new tags.')
-param onlyUpdate bool = false
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-module readTags '.bicep/readTags.bicep' = if (onlyUpdate) {
- name: '${deployment().name}-ReadTags'
-}
-
-var newTags = onlyUpdate ? union(readTags.outputs.existingTags, (tags ?? {})) : tags
-
-resource tag 'Microsoft.Resources/tags@2021-04-01' = {
- name: 'default'
- properties: {
- tags: newTags
- }
-}
-
-@description('The name of the tags resource.')
-output name string = tag.name
-
-@description('The resource ID of the applied tags.')
-output resourceId string = tag.id
-
-@description('The name of the resource group the tags were applied to.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The applied tags.')
-output tags object = tag.properties.tags
diff --git a/modules/resources/tags/resource-group/main.json b/modules/resources/tags/resource-group/main.json
deleted file mode 100644
index 19d250c7df..0000000000
--- a/modules/resources/tags/resource-group/main.json
+++ /dev/null
@@ -1,137 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5948722293988001886" - }, - "name": "Resources Tags Resource Group", - "description": "This module deploys a Resource Tag on a Resource Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags for the resource group. If not provided, removes existing tags." - } - }, - "onlyUpdate": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Instead of overwriting the existing tags, combine them with the new tags." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "tag": { - "type": "Microsoft.Resources/tags", - "apiVersion": "2021-04-01", - "name": "default", - "properties": { - "tags": "[if(parameters('onlyUpdate'), union(reference('readTags').outputs.existingTags.value, coalesce(parameters('tags'), createObject())), parameters('tags'))]" - }, - "dependsOn": [ - "readTags" - ] - }, - "readTags": { - "condition": "[parameters('onlyUpdate')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-ReadTags', deployment().name)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "18223311450921971493" - } - }, - "parameters": { - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the tags resource." - } - } - }, - "resources": [], - "outputs": { - "existingTags": { - "type": "object", - "metadata": { - "description": "Tags currently applied to the subscription level." 
- }, - "value": "[coalesce(tryGet(reference(resourceId('Microsoft.Resources/tags', parameters('name')), '2019-10-01'), 'tags'), createObject())]" - } - } - } - } - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the tags resource." - }, - "value": "default" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the applied tags." - }, - "value": "[resourceId('Microsoft.Resources/tags', 'default')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the tags were applied to." - }, - "value": "[resourceGroup().name]" - }, - "tags": { - "type": "object", - "metadata": { - "description": "The applied tags." - }, - "value": "[reference('tag').tags]" - } - } -} \ No newline at end of file diff --git a/modules/resources/tags/resource-group/version.json b/modules/resources/tags/resource-group/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/resources/tags/resource-group/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/resources/tags/subscription/.bicep/readTags.bicep b/modules/resources/tags/subscription/.bicep/readTags.bicep deleted file mode 100644 index 06dcc91dac..0000000000 --- a/modules/resources/tags/subscription/.bicep/readTags.bicep +++ /dev/null @@ -1,11 +0,0 @@ -targetScope = 'subscription' - -@description('Optional. The name of the tags resource.') -param name string = 'default' - -resource tags 'Microsoft.Resources/tags@2021-04-01' existing = { - name: name -} - -@description('Tags currently applied to the subscription level.') -output existingTags object = tags.properties.?tags ?? tags 
diff --git a/modules/resources/tags/subscription/README.md b/modules/resources/tags/subscription/README.md
deleted file mode 100644
index 67ef585df7..0000000000
--- a/modules/resources/tags/subscription/README.md
+++ /dev/null
@@ -1,71 +0,0 @@ -# Resources Tags Subscription Scope `[Microsoft.Resources/tags]` - -This module deploys a Resource Tag on a Subscription scope. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Resources/tags` | [2021-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Resources/2021-04-01/tags) | - -## Parameters - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location deployment metadata. | -| [`onlyUpdate`](#parameter-onlyupdate) | bool | Instead of overwriting the existing tags, combine them with the new tags. | -| [`tags`](#parameter-tags) | object | Tags for the resource group. If not provided, removes existing tags. | - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location deployment metadata. - -- Required: No -- Type: string -- Default: `[deployment().location]` - -### Parameter: `onlyUpdate` - -Instead of overwriting the existing tags, combine them with the new tags. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `tags` - -Tags for the resource group. If not provided, removes existing tags. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the tags resource. | -| `resourceId` | string | The resource ID of the applied tags. | -| `tags` | object | The applied tags. | - -## Cross-referenced modules - -_None_ 
diff --git a/modules/resources/tags/subscription/main.bicep b/modules/resources/tags/subscription/main.bicep
deleted file mode 100644
index a7eb069208..0000000000
--- a/modules/resources/tags/subscription/main.bicep
+++ /dev/null
@@ -1,52 +0,0 @@
-metadata name = 'Resources Tags Subscription Scope'
-metadata description = 'This module deploys a Resource Tag on a Subscription scope.'
-metadata owner = 'Azure/module-maintainers'
-
-targetScope = 'subscription'
-
-@description('Optional. Tags for the resource group. If not provided, removes existing tags.')
-param tags object?
-
-@description('Optional. Instead of overwriting the existing tags, combine them with the new tags.')
-param onlyUpdate bool = false
-
-@sys.description('Optional. Location deployment metadata.')
-param location string = deployment().location
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- location: location
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-module readTags '.bicep/readTags.bicep' = if (onlyUpdate) {
- name: '${deployment().name}-ReadTags'
-}
-
-var newTags = (onlyUpdate) ? union(readTags.outputs.existingTags, (tags ?? {})) : tags
-
-resource tag 'Microsoft.Resources/tags@2021-04-01' = {
- name: 'default'
- properties: {
- tags: newTags
- }
-}
-
-@description('The name of the tags resource.')
-output name string = tag.name
-
-@description('The applied tags.')
-output tags object = newTags ?? {}
-
-@description('The resource ID of the applied tags.')
-output resourceId string = tag.id
diff --git a/modules/resources/tags/subscription/main.json b/modules/resources/tags/subscription/main.json
deleted file mode 100644
index cb8f474092..0000000000
--- a/modules/resources/tags/subscription/main.json
+++ /dev/null
@@ -1,139 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10898258701499103964" - }, - "name": "Resources Tags Subscription Scope", - "description": "This module deploys a Resource Tag on a Subscription scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags for the resource group. If not provided, removes existing tags." - } - }, - "onlyUpdate": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Instead of overwriting the existing tags, combine them with the new tags." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "tag": { - "type": "Microsoft.Resources/tags", - "apiVersion": "2021-04-01", - "name": "default", - "properties": { - "tags": "[if(parameters('onlyUpdate'), union(reference('readTags').outputs.existingTags.value, coalesce(parameters('tags'), createObject())), parameters('tags'))]" - }, - "dependsOn": [ - "readTags" - ] - }, - "readTags": { - "condition": "[parameters('onlyUpdate')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-ReadTags', deployment().name)]", - "location": "[deployment().location]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15368390157759392588" - } - }, - "parameters": { - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the tags resource." - } - } - }, - "resources": [], - "outputs": { - "existingTags": { - "type": "object", - "metadata": { - "description": "Tags currently applied to the subscription level." 
- }, - "value": "[coalesce(tryGet(reference(subscriptionResourceId('Microsoft.Resources/tags', parameters('name')), '2021-04-01'), 'tags'), reference(subscriptionResourceId('Microsoft.Resources/tags', parameters('name')), '2021-04-01', 'full'))]" - } - } - } - } - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the tags resource." - }, - "value": "default" - }, - "tags": { - "type": "object", - "metadata": { - "description": "The applied tags." - }, - "value": "[coalesce(if(parameters('onlyUpdate'), union(reference('readTags').outputs.existingTags.value, coalesce(parameters('tags'), createObject())), parameters('tags')), createObject())]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the applied tags." - }, - "value": "[subscriptionResourceId('Microsoft.Resources/tags', 'default')]" - } - } -} \ No newline at end of file diff --git a/modules/resources/tags/subscription/version.json b/modules/resources/tags/subscription/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/resources/tags/subscription/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/resources/tags/tests/e2e/defaults/main.test.bicep b/modules/resources/tags/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index ab0a7599eb..0000000000 --- a/modules/resources/tags/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,25 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using only defaults' -metadata description = 'This instance deploys the module with the minimum set of required parameters.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'rtmin' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../../main.bicep' = { - name: '${uniqueString(deployment().name)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - } -} diff --git a/modules/resources/tags/tests/e2e/rg/main.test.bicep b/modules/resources/tags/tests/e2e/rg/main.test.bicep deleted file mode 100644 index 0f08a5a281..0000000000 --- a/modules/resources/tags/tests/e2e/rg/main.test.bicep +++ /dev/null 
@@ -1,50 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-resources.tags-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'rtrg' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../../main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - onlyUpdate: false - resourceGroupName: resourceGroup.name - tags: { - 'hidden-title': 'This is visible in the resource name' - Test: 'Yes' - TestToo: 'No' - } - } -} diff --git a/modules/resources/tags/tests/e2e/sub/main.test.bicep b/modules/resources/tags/tests/e2e/sub/main.test.bicep deleted file mode 100644 index 92c029e810..0000000000 --- a/modules/resources/tags/tests/e2e/sub/main.test.bicep +++ /dev/null 
@@ -1,28 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'rtsub' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../../main.bicep' = { - name: '${uniqueString(deployment().name)}-test-${serviceShort}' - params: { - onlyUpdate: true - tags: { - 'hidden-title': 'This is visible in the resource name' - Test: 'Yes' - TestToo: 'No' - } - enableDefaultTelemetry: enableDefaultTelemetry - } -} diff --git a/modules/resources/tags/version.json b/modules/resources/tags/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/resources/tags/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/search/search-service/MOVED-TO-AVM.md b/modules/search/search-service/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/search/search-service/MOVED-TO-AVM.md +++ /dev/null @@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/search/search-service/README.md b/modules/search/search-service/README.md index ed4c89fdfc..98fd40a637 100644 --- a/modules/search/search-service/README.md +++ b/modules/search/search-service/README.md @@ -1,1270 +1,7 @@ -# Search Services `[Microsoft.Search/searchServices]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/search/search-service](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/search/search-service).** -This module deploys a Search Service. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/search/search-service). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -| `Microsoft.Search/searchServices` | 
[2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Search/2022-09-01/searchServices) | -| `Microsoft.Search/searchServices/sharedPrivateLinkResources` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Search/2022-09-01/searchServices/sharedPrivateLinkResources) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/search.search-service:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [Pe](#example-3-pe) -- [WAF-aligned](#example-4-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module searchService 'br:bicep/modules/search.search-service:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-sssmin' - params: { - // Required parameters - name: 'sssmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "sssmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module searchService 'br:bicep/modules/search.search-service:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-sssmax' - params: { - // Required parameters - name: 'sssmax001' - // Non-required parameters - authOptions: { - aadOrApiKey: { - aadAuthFailureMode: 'http401WithBearerChallenge' - } - } - cmkEnforcement: 'Enabled' - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - disableLocalAuth: false - enableDefaultTelemetry: '' - hostingMode: 'highDensity' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - } - networkRuleSet: { - ipRules: [ - { - value: '40.74.28.0/23' - } - { - value: '87.147.204.13' - } - ] - } - partitionCount: 2 - replicaCount: 3 - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Search Service Contributor' - } - ] - sku: 'standard3' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "sssmax001" - }, - // Non-required parameters - "authOptions": { - "value": { - "aadOrApiKey": { - "aadAuthFailureMode": "http401WithBearerChallenge" - } - } - }, - "cmkEnforcement": { - "value": "Enabled" - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "disableLocalAuth": { - "value": false - }, - "enableDefaultTelemetry": { - "value": "" - }, - "hostingMode": { - "value": "highDensity" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true - } - }, - "networkRuleSet": { - "value": { - "ipRules": [ - { - "value": "40.74.28.0/23" - }, - { - "value": "87.147.204.13" - } - ] - } - }, - "partitionCount": { - "value": 2 - }, - "replicaCount": { - "value": 3 - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Search Service Contributor" - } - ] - }, - "sku": { - "value": "standard3" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _Pe_ - -

- -via Bicep module - -```bicep -module searchService 'br:bicep/modules/search.search-service:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ssspe' - params: { - // Required parameters - name: 'ssspe001' - // Non-required parameters - enableDefaultTelemetry: '' - privateEndpoints: [ - { - applicationSecurityGroupResourceIds: [ - '' - ] - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - publicNetworkAccess: 'disabled' - sharedPrivateLinkResources: [ - { - groupId: 'blob' - privateLinkResourceId: '' - requestMessage: 'Please approve this request' - resourceRegion: '' - } - { - groupId: 'vault' - privateLinkResourceId: '' - requestMessage: 'Please approve this request' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ssspe001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "privateEndpoints": { - "value": [ - { - "applicationSecurityGroupResourceIds": [ - "" - ], - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "Role": "DeploymentValidation" - } - } - ] - }, - "publicNetworkAccess": { - "value": "disabled" - }, - "sharedPrivateLinkResources": { - "value": [ - { - "groupId": "blob", - "privateLinkResourceId": "", - "requestMessage": "Please approve this request", - "resourceRegion": "" - }, - { - "groupId": "vault", - "privateLinkResourceId": "", - "requestMessage": "Please approve this request" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 4: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module searchService 'br:bicep/modules/search.search-service:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ssswaf' - params: { - // Required parameters - name: 'ssswaf001' - // Non-required parameters - authOptions: { - aadOrApiKey: { - aadAuthFailureMode: 'http401WithBearerChallenge' - } - } - cmkEnforcement: 'Enabled' - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - disableLocalAuth: false - enableDefaultTelemetry: '' - hostingMode: 'highDensity' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - } - networkRuleSet: { - ipRules: [ - { - value: '40.74.28.0/23' - } - { - value: '87.147.204.13' - } - ] - } - partitionCount: 2 - replicaCount: 3 - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Search Service Contributor' - } - ] - sku: 'standard3' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ssswaf001" - }, - // Non-required parameters - "authOptions": { - "value": { - "aadOrApiKey": { - "aadAuthFailureMode": "http401WithBearerChallenge" - } - } - }, - "cmkEnforcement": { - "value": "Enabled" - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "disableLocalAuth": { - "value": false - }, - "enableDefaultTelemetry": { - "value": "" - }, - "hostingMode": { - "value": "highDensity" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true - } - }, - "networkRuleSet": { - "value": { - "ipRules": [ - { - "value": "40.74.28.0/23" - }, - { - "value": "87.147.204.13" - } - ] - } - }, - "partitionCount": { - "value": 2 - }, - "replicaCount": { - "value": 3 - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Search Service Contributor" - } - ] - }, - "sku": { - "value": "standard3" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the Azure Cognitive Search service to create or update. Search service names must only contain lowercase letters, digits or dashes, cannot use dash as the first two or last one characters, cannot contain consecutive dashes, and must be between 2 and 60 characters in length. Search service names must be globally unique since they are part of the service URI (https://.search.windows.net). You cannot change the service name after the service is created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`authOptions`](#parameter-authoptions) | object | Defines the options for how the data plane API of a Search service authenticates requests. Must remain an empty object {} if 'disableLocalAuth' is set to true. | -| [`cmkEnforcement`](#parameter-cmkenforcement) | string | Describes a policy that determines how resources within the search service are to be encrypted with Customer Managed Keys. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`disableLocalAuth`](#parameter-disablelocalauth) | bool | When set to true, calls to the search service will not be permitted to utilize API keys for authentication. This cannot be set to true if 'authOptions' are defined. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| [`hostingMode`](#parameter-hostingmode) | string | Applicable only for the standard3 SKU. You can set this property to enable up to 3 high density partitions that allow up to 1000 indexes, which is much higher than the maximum indexes allowed for any other SKU. For the standard3 SKU, the value is either 'default' or 'highDensity'. For all other SKUs, this value must be 'default'. 
| -| [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`networkRuleSet`](#parameter-networkruleset) | object | Network specific rules that determine how the Azure Cognitive Search service may be reached. | -| [`partitionCount`](#parameter-partitioncount) | int | The number of partitions in the search service; if specified, it can be 1, 2, 3, 4, 6, or 12. Values greater than 1 are only valid for standard SKUs. For 'standard3' services with hostingMode set to 'highDensity', the allowed values are between 1 and 3. | -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | This value can be set to 'enabled' to avoid breaking changes on existing customer resources and templates. If set to 'disabled', traffic over public interface is not allowed, and private endpoint connections would be the exclusive access method. | -| [`replicaCount`](#parameter-replicacount) | int | The number of replicas in the search service. If specified, it must be a value between 1 and 12 inclusive for standard SKUs or between 1 and 3 inclusive for basic SKU. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| -| [`sharedPrivateLinkResources`](#parameter-sharedprivatelinkresources) | array | The sharedPrivateLinkResources to create as part of the search Service. | -| [`sku`](#parameter-sku) | string | Defines the SKU of an Azure Cognitive Search Service, which determines price tier and capacity limits. | -| [`tags`](#parameter-tags) | object | Tags to help categorize the resource in the Azure portal. | - -### Parameter: `name` - -The name of the Azure Cognitive Search service to create or update. Search service names must only contain lowercase letters, digits or dashes, cannot use dash as the first two or last one characters, cannot contain consecutive dashes, and must be between 2 and 60 characters in length. Search service names must be globally unique since they are part of the service URI (https://.search.windows.net). You cannot change the service name after the service is created. - -- Required: Yes -- Type: string - -### Parameter: `authOptions` - -Defines the options for how the data plane API of a Search service authenticates requests. Must remain an empty object {} if 'disableLocalAuth' is set to true. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `cmkEnforcement` - -Describes a policy that determines how resources within the search service are to be encrypted with Customer Managed Keys. - -- Required: No -- Type: string -- Default: `'Unspecified'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - 'Unspecified' - ] - ``` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
| -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
| - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `disableLocalAuth` - -When set to true, calls to the search service will not be permitted to utilize API keys for authentication. This cannot be set to true if 'authOptions' are defined. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via the Customer Usage Attribution ID (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `hostingMode` - -Applicable only for the standard3 SKU. You can set this property to enable up to 3 high density partitions that allow up to 1000 indexes, which is much higher than the maximum indexes allowed for any other SKU. For the standard3 SKU, the value is either 'default' or 'highDensity'. For all other SKUs, this value must be 'default'. - -- Required: No -- Type: string -- Default: `'default'` -- Allowed: - ```Bicep - [ - 'default' - 'highDensity' - ] - ``` - -### Parameter: `location` - -Location for all Resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. 
- -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `networkRuleSet` - -Network specific rules that determine how the Azure Cognitive Search service may be reached. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `partitionCount` - -The number of partitions in the search service; if specified, it can be 1, 2, 3, 4, 6, or 12. Values greater than 1 are only valid for standard SKUs. For 'standard3' services with hostingMode set to 'highDensity', the allowed values are between 1 and 3. - -- Required: No -- Type: int -- Default: `1` - -### Parameter: `privateEndpoints` - -Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. 
| -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". 
| -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.subnetResourceId` - -Resource ID of the subnet where the endpoint needs to be created. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Application security groups in which the private endpoint IP configuration is included. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customDnsConfigs` - -Custom DNS configurations. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customNetworkInterfaceName` - -The custom name of the network interface attached to the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.enableTelemetry` - -Enable/Disable usage telemetry for module. - -- Required: No -- Type: bool - -### Parameter: `privateEndpoints.ipConfigurations` - -A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.location` - -The location to deploy the private endpoint to. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.lock` - -Specify the type of lock. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | -| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | - -### Parameter: `privateEndpoints.lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `privateEndpoints.lock.name` - -Specify the name of lock. 
- -- Required: No -- Type: string - -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` - -Manual PrivateLink Service Connections. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.name` - -The name of the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneGroupName` - -The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` - -The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `privateEndpoints.roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.description` - -The description of the role assignment. 
- -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `privateEndpoints.service` - -The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.tags` - -Tags to be applied on all resources/resource groups in this deployment. - -- Required: No -- Type: object - -### Parameter: `publicNetworkAccess` - -This value can be set to 'enabled' to avoid breaking changes on existing customer resources and templates. If set to 'disabled', traffic over public interface is not allowed, and private endpoint connections would be the exclusive access method. - -- Required: No -- Type: string -- Default: `'enabled'` -- Allowed: - ```Bicep - [ - 'disabled' - 'enabled' - ] - ``` - -### Parameter: `replicaCount` - -The number of replicas in the search service. If specified, it must be a value between 1 and 12 inclusive for standard SKUs or between 1 and 3 inclusive for basic SKU. - -- Required: No -- Type: int -- Default: `1` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `sharedPrivateLinkResources` - -The sharedPrivateLinkResources to create as part of the search Service. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `sku` - -Defines the SKU of an Azure Cognitive Search Service, which determines price tier and capacity limits. - -- Required: No -- Type: string -- Default: `'standard'` -- Allowed: - ```Bicep - [ - 'basic' - 'free' - 'standard' - 'standard2' - 'standard3' - 'storage_optimized_l1' - 'storage_optimized_l2' - ] - ``` - -### Parameter: `tags` - -Tags to help categorize the resource in the Azure portal. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the search service. | -| `resourceGroupName` | string | The name of the resource group the search service was created in. | -| `resourceId` | string | The resource ID of the search service. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). 
-
-| Reference | Type |
-| :-- | :-- |
-| `modules/network/private-endpoint` | Local reference |
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/search/search-service/main.bicep b/modules/search/search-service/main.bicep
deleted file mode 100644
index 8f044e1609..0000000000
--- a/modules/search/search-service/main.bicep
+++ /dev/null
@@ -1,404 +0,0 @@
-metadata name = 'Search Services'
-metadata description = 'This module deploys a Search Service.'
-metadata owner = 'Azure/module-maintainers'
-
-// ============== //
-// Parameters //
-// ============== //
-
-@description('Required. The name of the Azure Cognitive Search service to create or update. Search service names must only contain lowercase letters, digits or dashes, cannot use dash as the first two or last one characters, cannot contain consecutive dashes, and must be between 2 and 60 characters in length. Search service names must be globally unique since they are part of the service URI (https://.search.windows.net). You cannot change the service name after the service is created.')
-param name string
-
-@description('Optional. Defines the options for how the data plane API of a Search service authenticates requests. Must remain an empty object {} if \'disableLocalAuth\' is set to true.')
-param authOptions object = {}
-
-@description('Optional. When set to true, calls to the search service will not be permitted to utilize API keys for authentication. This cannot be set to true if \'authOptions\' are defined.')
-param disableLocalAuth bool = true
-
-@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. Describes a policy that determines how resources within the search service are to be encrypted with Customer Managed Keys.')
-@allowed([
- 'Disabled'
- 'Enabled'
- 'Unspecified'
-])
-param cmkEnforcement string = 'Unspecified'
-
-@description('Optional. Applicable only for the standard3 SKU. You can set this property to enable up to 3 high density partitions that allow up to 1000 indexes, which is much higher than the maximum indexes allowed for any other SKU. For the standard3 SKU, the value is either \'default\' or \'highDensity\'. For all other SKUs, this value must be \'default\'.')
-@allowed([
- 'default'
- 'highDensity'
-])
-param hostingMode string = 'default'
-
-@description('Optional. Location for all Resources.')
-param location string = resourceGroup().location
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Network specific rules that determine how the Azure Cognitive Search service may be reached.')
-param networkRuleSet object = {}
-
-@description('Optional. The number of partitions in the search service; if specified, it can be 1, 2, 3, 4, 6, or 12. Values greater than 1 are only valid for standard SKUs. For \'standard3\' services with hostingMode set to \'highDensity\', the allowed values are between 1 and 3.')
-@minValue(1)
-@maxValue(12)
-param partitionCount int = 1
-
-@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints privateEndpointType
-
-@description('Optional. The sharedPrivateLinkResources to create as part of the search Service.')
-param sharedPrivateLinkResources array = []
-
-@description('Optional. This value can be set to \'enabled\' to avoid breaking changes on existing customer resources and templates. If set to \'disabled\', traffic over public interface is not allowed, and private endpoint connections would be the exclusive access method.')
-@allowed([
- 'enabled'
- 'disabled'
-])
-param publicNetworkAccess string = 'enabled'
-
-@description('Optional. The number of replicas in the search service. If specified, it must be a value between 1 and 12 inclusive for standard SKUs or between 1 and 3 inclusive for basic SKU.')
-@minValue(1)
-@maxValue(12)
-param replicaCount int = 1
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Defines the SKU of an Azure Cognitive Search Service, which determines price tier and capacity limits.')
-@allowed([
- 'basic'
- 'free'
- 'standard'
- 'standard2'
- 'standard3'
- 'storage_optimized_l1'
- 'storage_optimized_l2'
-])
-param sku string = 'standard'
-
-@description('Optional. The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. Tags to help categorize the resource in the Azure portal.')
-param tags object?
-
-// ============= //
-// Variables //
-// ============= //
-
-var enableReferencedModulesTelemetry = false
-
-var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? 'SystemAssigned' : null
-} : null
-
-// =============== //
-// Deployments //
-// =============== //
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'Search Index Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8ebe5a00-799e-43f5-93ac-243d3dce84a7')
- 'Search Index Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1407120a-92aa-4202-b7e9-c0e197c71c8f')
- 'Search Service Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource searchService 'Microsoft.Search/searchServices@2022-09-01' = {
- location: location
- name: name
- sku: {
- name: sku
- }
- tags: tags
- identity: identity
- properties: {
- authOptions: !empty(authOptions) ? authOptions : null
- disableLocalAuth: disableLocalAuth
- encryptionWithCmk: {
- enforcement: cmkEnforcement
- }
- hostingMode: hostingMode
- networkRuleSet: networkRuleSet
- partitionCount: partitionCount
- replicaCount: replicaCount
- publicNetworkAccess: publicNetworkAccess
- }
-}
-
-resource searchService_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: searchService
-}]
-
-resource searchService_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: searchService
-}
-
-resource searchService_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(searchService.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: searchService
-}]
-
-module searchService_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
- name: '${uniqueString(deployment().name, location)}-searchService-PrivateEndpoint-${index}'
- params: {
- groupIds: [
- privateEndpoint.?service ?? 'searchService'
- ]
- name: privateEndpoint.?name ?? 'pep-${last(split(searchService.id, '/'))}-${privateEndpoint.?service ?? 'searchService'}-${index}'
- serviceResourceId: searchService.id
- subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
- location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
- privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
- roleAssignments: privateEndpoint.?roleAssignments
- tags: privateEndpoint.?tags ?? tags
- manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
- customDnsConfigs: privateEndpoint.?customDnsConfigs
- ipConfigurations: privateEndpoint.?ipConfigurations
- applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
- customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
- }
-}]
-
-// The Shared Private Link Resources must be deployed sequentially
-// othersie the deployment may fail.
-// Using batchSize(1) to deploy them one by one
-@batchSize(1)
-module searchService_sharedPrivateLinkResources 'shared-private-link-resource/main.bicep' = [for (sharedPrivateLinkResource, index) in sharedPrivateLinkResources: {
- name: '${uniqueString(deployment().name, location)}-searchService-SharedPrivateLink-${index}'
- params: {
- name: contains(sharedPrivateLinkResource, 'name') ? sharedPrivateLinkResource.name : 'spl-${last(split(searchService.id, '/'))}-${sharedPrivateLinkResource.groupId}-${index}'
- searchServiceName: searchService.name
- privateLinkResourceId: sharedPrivateLinkResource.privateLinkResourceId
- groupId: contains(sharedPrivateLinkResource, 'groupId') ? sharedPrivateLinkResource.groupId : ''
- requestMessage: contains(sharedPrivateLinkResource, 'requestMessage') ? sharedPrivateLinkResource.requestMessage : ''
- resourceRegion: contains(sharedPrivateLinkResource, 'resourceRegion') ? sharedPrivateLinkResource.resourceRegion : ''
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-// =========== //
-// Outputs //
-// =========== //
-
-@description('The name of the search service.')
-output name string = searchService.name
-
-@description('The resource ID of the search service.')
-output resourceId string = searchService.id
-
-@description('The name of the resource group the search service was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The principal ID of the system assigned identity.')
-output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(searchService.identity, 'principalId') ? searchService.identity.principalId : ''
-
-@description('The location the resource was deployed into.')
-output location string = searchService.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type privateEndpointType = {
- @description('Optional. The name of the private endpoint.')
- name: string?
-
- @description('Optional. The location to deploy the private endpoint to.')
- location: string?
-
- @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
- service: string?
-
- @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
- subnetResourceId: string
-
- @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
- privateDnsZoneGroupName: string?
-
- @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
- privateDnsZoneResourceIds: string[]?
-
- @description('Optional. Custom DNS configurations.')
- customDnsConfigs: {
- @description('Required. Fqdn that resolves to private endpoint ip address.')
- fqdn: string?
-
- @description('Required. A list of private ip addresses of the private endpoint.')
- ipAddresses: string[]
- }[]?
-
- @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
- ipConfigurations: {
- @description('Required. The name of the resource that is unique within a resource group.')
- name: string
-
- @description('Required. Properties of private endpoint IP configurations.')
- properties: {
- @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
- groupId: string
-
- @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
- memberName: string
-
- @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
- privateIPAddress: string
- }
- }[]?
-
- @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
- applicationSecurityGroupResourceIds: string[]?
-
- @description('Optional. The custom name of the network interface attached to the private endpoint.')
- customNetworkInterfaceName: string?
-
- @description('Optional. Specify the type of lock.')
- lock: lockType
-
- @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleAssignments: roleAssignmentType
-
- @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
- tags: object?
-
- @description('Optional. Manual PrivateLink Service Connections.')
- manualPrivateLinkServiceConnections: array?
-
- @description('Optional. Enable/Disable usage telemetry for module.')
- enableTelemetry: bool?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/search/search-service/main.json b/modules/search/search-service/main.json
deleted file mode 100644
index 023f3f582e..0000000000
--- a/modules/search/search-service/main.json
+++ /dev/null
@@ -1,1467 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "8225370298861272581" - }, - "name": "Search Services", - "description": "This module deploys a Search Service.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. 
A DNS zone group can support up to 5 DNS zones." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. 
Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Azure Cognitive Search service to create or update. Search service names must only contain lowercase letters, digits or dashes, cannot use dash as the first two or last one characters, cannot contain consecutive dashes, and must be between 2 and 60 characters in length. Search service names must be globally unique since they are part of the service URI (https://.search.windows.net). You cannot change the service name after the service is created." - } - }, - "authOptions": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Defines the options for how the data plane API of a Search service authenticates requests. Must remain an empty object {} if 'disableLocalAuth' is set to true." 
- } - }, - "disableLocalAuth": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. When set to true, calls to the search service will not be permitted to utilize API keys for authentication. This cannot be set to true if 'authOptions' are defined." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." - } - }, - "cmkEnforcement": { - "type": "string", - "defaultValue": "Unspecified", - "allowedValues": [ - "Disabled", - "Enabled", - "Unspecified" - ], - "metadata": { - "description": "Optional. Describes a policy that determines how resources within the search service are to be encrypted with Customer Managed Keys." - } - }, - "hostingMode": { - "type": "string", - "defaultValue": "default", - "allowedValues": [ - "default", - "highDensity" - ], - "metadata": { - "description": "Optional. Applicable only for the standard3 SKU. You can set this property to enable up to 3 high density partitions that allow up to 1000 indexes, which is much higher than the maximum indexes allowed for any other SKU. For the standard3 SKU, the value is either 'default' or 'highDensity'. For all other SKUs, this value must be 'default'." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "networkRuleSet": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Network specific rules that determine how the Azure Cognitive Search service may be reached." - } - }, - "partitionCount": { - "type": "int", - "defaultValue": 1, - "minValue": 1, - "maxValue": 12, - "metadata": { - "description": "Optional. 
The number of partitions in the search service; if specified, it can be 1, 2, 3, 4, 6, or 12. Values greater than 1 are only valid for standard SKUs. For 'standard3' services with hostingMode set to 'highDensity', the allowed values are between 1 and 3." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." - } - }, - "sharedPrivateLinkResources": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The sharedPrivateLinkResources to create as part of the search Service." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "enabled", - "allowedValues": [ - "enabled", - "disabled" - ], - "metadata": { - "description": "Optional. This value can be set to 'enabled' to avoid breaking changes on existing customer resources and templates. If set to 'disabled', traffic over public interface is not allowed, and private endpoint connections would be the exclusive access method." - } - }, - "replicaCount": { - "type": "int", - "defaultValue": 1, - "minValue": 1, - "maxValue": 12, - "metadata": { - "description": "Optional. The number of replicas in the search service. If specified, it must be a value between 1 and 12 inclusive for standard SKUs or between 1 and 3 inclusive for basic SKU." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." 
- } - }, - "sku": { - "type": "string", - "defaultValue": "standard", - "allowedValues": [ - "basic", - "free", - "standard", - "standard2", - "standard3", - "storage_optimized_l1", - "storage_optimized_l2" - ], - "metadata": { - "description": "Optional. Defines the SKU of an Azure Cognitive Search Service, which determines price tier and capacity limits." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to help categorize the resource in the Azure portal." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', null())), null())]", - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Search Index Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8ebe5a00-799e-43f5-93ac-243d3dce84a7')]", - "Search Index Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'1407120a-92aa-4202-b7e9-c0e197c71c8f')]", - "Search Service Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "searchService": { - "type": "Microsoft.Search/searchServices", - "apiVersion": "2022-09-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "sku": { - "name": "[parameters('sku')]" - }, - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "properties": { - "authOptions": "[if(not(empty(parameters('authOptions'))), parameters('authOptions'), null())]", - "disableLocalAuth": "[parameters('disableLocalAuth')]", - "encryptionWithCmk": { - "enforcement": "[parameters('cmkEnforcement')]" - }, - "hostingMode": "[parameters('hostingMode')]", - "networkRuleSet": "[parameters('networkRuleSet')]", - "partitionCount": "[parameters('partitionCount')]", - "replicaCount": "[parameters('replicaCount')]", - "publicNetworkAccess": "[parameters('publicNetworkAccess')]" - } - }, - "searchService_diagnosticSettings": { - "copy": { - "name": "searchService_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": 
"[format('Microsoft.Search/searchServices/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "searchService" - ] - }, - "searchService_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Search/searchServices/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": 
"[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "searchService" - ] - }, - "searchService_roleAssignments": { - "copy": { - "name": "searchService_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Search/searchServices/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Search/searchServices', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - 
"delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "searchService" - ] - }, - "searchService_privateEndpoints": { - "copy": { - "name": "searchService_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-searchService-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'searchService')]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Search/searchServices', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'searchService'), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.Search/searchServices', parameters('name'))]" - }, - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": 
"[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - 
"roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. 
Specify the type of lock." - } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." 
- } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private 
DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - 
"groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": 
"Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": 
"string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." 
- }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "searchService" - ] - }, - "searchService_sharedPrivateLinkResources": { - "copy": { - "name": "searchService_sharedPrivateLinkResources", - "count": "[length(parameters('sharedPrivateLinkResources'))]", - "mode": "serial", - "batchSize": 1 - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-searchService-SharedPrivateLink-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": "[if(contains(parameters('sharedPrivateLinkResources')[copyIndex()], 'name'), createObject('value', parameters('sharedPrivateLinkResources')[copyIndex()].name), createObject('value', format('spl-{0}-{1}-{2}', last(split(resourceId('Microsoft.Search/searchServices', parameters('name')), '/')), parameters('sharedPrivateLinkResources')[copyIndex()].groupId, copyIndex())))]", - "searchServiceName": { - "value": "[parameters('name')]" - }, - "privateLinkResourceId": { - "value": "[parameters('sharedPrivateLinkResources')[copyIndex()].privateLinkResourceId]" - }, - "groupId": "[if(contains(parameters('sharedPrivateLinkResources')[copyIndex()], 'groupId'), createObject('value', parameters('sharedPrivateLinkResources')[copyIndex()].groupId), createObject('value', ''))]", - "requestMessage": "[if(contains(parameters('sharedPrivateLinkResources')[copyIndex()], 'requestMessage'), createObject('value', parameters('sharedPrivateLinkResources')[copyIndex()].requestMessage), createObject('value', ''))]", - "resourceRegion": "[if(contains(parameters('sharedPrivateLinkResources')[copyIndex()], 'resourceRegion'), createObject('value', parameters('sharedPrivateLinkResources')[copyIndex()].resourceRegion), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": 
"[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15235633206826642766" - }, - "name": "Search Services Private Link Resources", - "description": "This module deploys a Search Service Private Link Resource.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "searchServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent searchServices. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the shared private link resource managed by the Azure Cognitive Search service within the specified resource group." - } - }, - "privateLinkResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource the shared private link resource is for." - } - }, - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The group ID from the provider of resource the shared private link resource is for." - } - }, - "requestMessage": { - "type": "string", - "metadata": { - "description": "Required. The request message for requesting approval of the shared private link resource." - } - }, - "resourceRegion": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Can be used to specify the Azure Resource Manager location of the resource to which a shared private link is to be created. This is only required for those resources whose DNS configuration are regional (such as Azure Kubernetes Service)." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. 
Enable telemetry via the Customer Usage Attribution ID (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Search/searchServices/sharedPrivateLinkResources", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}', parameters('searchServiceName'), parameters('name'))]", - "properties": { - "privateLinkResourceId": "[parameters('privateLinkResourceId')]", - "groupId": "[if(not(empty(parameters('groupId'))), parameters('groupId'), null())]", - "requestMessage": "[if(not(empty(parameters('requestMessage'))), parameters('requestMessage'), null())]", - "resourceRegion": "[if(not(empty(parameters('resourceRegion'))), parameters('resourceRegion'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the shared private link resource." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the shared private link resource." - }, - "value": "[resourceId('Microsoft.Search/searchServices/sharedPrivateLinkResources', parameters('searchServiceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the shared private link resource was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "searchService" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the search service." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the search service." - }, - "value": "[resourceId('Microsoft.Search/searchServices', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the search service was created in." - }, - "value": "[resourceGroup().name]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('searchService', '2022-09-01', 'full').identity, 'principalId')), reference('searchService', '2022-09-01', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('searchService', '2022-09-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/search/search-service/shared-private-link-resource/README.md b/modules/search/search-service/shared-private-link-resource/README.md deleted file mode 100644 index 3b9b383a8b..0000000000 --- a/modules/search/search-service/shared-private-link-resource/README.md +++ /dev/null 
@@ -1,104 +0,0 @@ -# Search Services Private Link Resources `[Microsoft.Search/searchServices/sharedPrivateLinkResources]` - -This module deploys a Search Service Private Link Resource. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Search/searchServices/sharedPrivateLinkResources` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Search/2022-09-01/searchServices/sharedPrivateLinkResources) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`groupId`](#parameter-groupid) | string | The group ID from the provider of resource the shared private link resource is for. | -| [`name`](#parameter-name) | string | The name of the shared private link resource managed by the Azure Cognitive Search service within the specified resource group. | -| [`privateLinkResourceId`](#parameter-privatelinkresourceid) | string | The resource ID of the resource the shared private link resource is for. | -| [`requestMessage`](#parameter-requestmessage) | string | The request message for requesting approval of the shared private link resource. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`searchServiceName`](#parameter-searchservicename) | string | The name of the parent searchServices. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| [`resourceRegion`](#parameter-resourceregion) | string | Can be used to specify the Azure Resource Manager location of the resource to which a shared private link is to be created. 
This is only required for those resources whose DNS configuration are regional (such as Azure Kubernetes Service). | - -### Parameter: `groupId` - -The group ID from the provider of resource the shared private link resource is for. - -- Required: Yes -- Type: string - -### Parameter: `name` - -The name of the shared private link resource managed by the Azure Cognitive Search service within the specified resource group. - -- Required: Yes -- Type: string - -### Parameter: `privateLinkResourceId` - -The resource ID of the resource the shared private link resource is for. - -- Required: Yes -- Type: string - -### Parameter: `requestMessage` - -The request message for requesting approval of the shared private link resource. - -- Required: Yes -- Type: string - -### Parameter: `searchServiceName` - -The name of the parent searchServices. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via the Customer Usage Attribution ID (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `resourceRegion` - -Can be used to specify the Azure Resource Manager location of the resource to which a shared private link is to be created. This is only required for those resources whose DNS configuration are regional (such as Azure Kubernetes Service). - -- Required: No -- Type: string -- Default: `''` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the shared private link resource. | -| `resourceGroupName` | string | The name of the resource group the shared private link resource was created in. | -| `resourceId` | string | The resource ID of the shared private link resource. | - -## Cross-referenced modules - -_None_ 
diff --git a/modules/search/search-service/shared-private-link-resource/main.bicep b/modules/search/search-service/shared-private-link-resource/main.bicep
deleted file mode 100644
index b04939662b..0000000000
--- a/modules/search/search-service/shared-private-link-resource/main.bicep
+++ /dev/null
@@ -1,68 +0,0 @@ -metadata name = 'Search Services Private Link Resources' -metadata description = 'This module deploys a Search Service Private Link Resource.' -metadata owner = 'Azure/module-maintainers' - -@description('Conditional. The name of the parent searchServices. Required if the template is used in a standalone deployment.') -param searchServiceName string - -@description('Required. The name of the shared private link resource managed by the Azure Cognitive Search service within the specified resource group.') -param name string - -@description('Required. The resource ID of the resource the shared private link resource is for.') -param privateLinkResourceId string - -@description('Required. The group ID from the provider of resource the shared private link resource is for.') -param groupId string - -@description('Required. The request message for requesting approval of the shared private link resource.') -param requestMessage string - -@description('Optional. Can be used to specify the Azure Resource Manager location of the resource to which a shared private link is to be created. This is only required for those resources whose DNS configuration are regional (such as Azure Kubernetes Service).') -param resourceRegion string = '' - -@description('Optional. 
Enable telemetry via the Customer Usage Attribution ID (GUID).') -param enableDefaultTelemetry bool = true - -// =============== // -// Deployments // -// =============== // - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource searchService 'Microsoft.Search/searchServices@2022-09-01' existing = { - name: searchServiceName -} - -resource sharedPrivateLinkResource 'Microsoft.Search/searchServices/sharedPrivateLinkResources@2022-09-01' = { - parent: searchService - name: name - properties: { - privateLinkResourceId: privateLinkResourceId - groupId: !empty(groupId) ? groupId : null - requestMessage: !empty(requestMessage) ? requestMessage : null - resourceRegion: !empty(resourceRegion) ? resourceRegion : null - } -} - -// =========== // -// Outputs // -// =========== // - -@description('The name of the shared private link resource.') -output name string = sharedPrivateLinkResource.name - -@description('The resource ID of the shared private link resource.') -output resourceId string = sharedPrivateLinkResource.id - -@description('The name of the resource group the shared private link resource was created in.') -output resourceGroupName string = resourceGroup().name diff --git a/modules/search/search-service/shared-private-link-resource/main.json b/modules/search/search-service/shared-private-link-resource/main.json deleted file mode 100644 index 10404f34cd..0000000000 --- a/modules/search/search-service/shared-private-link-resource/main.json +++ /dev/null 
@@ -1,110 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15235633206826642766" - }, - "name": "Search Services Private Link Resources", - "description": "This module deploys a Search Service Private Link Resource.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "searchServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent searchServices. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the shared private link resource managed by the Azure Cognitive Search service within the specified resource group." - } - }, - "privateLinkResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource the shared private link resource is for." - } - }, - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The group ID from the provider of resource the shared private link resource is for." - } - }, - "requestMessage": { - "type": "string", - "metadata": { - "description": "Required. The request message for requesting approval of the shared private link resource." - } - }, - "resourceRegion": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Can be used to specify the Azure Resource Manager location of the resource to which a shared private link is to be created. This is only required for those resources whose DNS configuration are regional (such as Azure Kubernetes Service)." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Search/searchServices/sharedPrivateLinkResources", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}', parameters('searchServiceName'), parameters('name'))]", - "properties": { - "privateLinkResourceId": "[parameters('privateLinkResourceId')]", - "groupId": "[if(not(empty(parameters('groupId'))), parameters('groupId'), null())]", - "requestMessage": "[if(not(empty(parameters('requestMessage'))), parameters('requestMessage'), null())]", - "resourceRegion": "[if(not(empty(parameters('resourceRegion'))), parameters('resourceRegion'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the shared private link resource." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the shared private link resource." - }, - "value": "[resourceId('Microsoft.Search/searchServices/sharedPrivateLinkResources', parameters('searchServiceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the shared private link resource was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/search/search-service/shared-private-link-resource/version.json b/modules/search/search-service/shared-private-link-resource/version.json deleted file mode 100644 index 7fa401bdf7..0000000000 
--- a/modules/search/search-service/shared-private-link-resource/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.1",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/search/search-service/tests/e2e/defaults/main.test.bicep b/modules/search/search-service/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index c655c3d657..0000000000
--- a/modules/search/search-service/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-search.searchservices-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'sssmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/search/search-service/tests/e2e/max/dependencies.bicep b/modules/search/search-service/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 8413dfd20e..0000000000
--- a/modules/search/search-service/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Required. The name of the managed identity to create.')
-param managedIdentityName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/search/search-service/tests/e2e/max/main.test.bicep b/modules/search/search-service/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 2edbeb312f..0000000000
--- a/modules/search/search-service/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,130 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-search.searchservices-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'sssmax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}03' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}01' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}01' - 
location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - sku: 'standard3' - cmkEnforcement: 'Enabled' - disableLocalAuth: false - authOptions: { - aadOrApiKey: { - aadAuthFailureMode: 'http401WithBearerChallenge' - } - } - hostingMode: 'highDensity' - partitionCount: 2 - replicaCount: 3 - managedIdentities: { - systemAssigned: true - } - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'Search Service Contributor' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - networkRuleSet: { - ipRules: [ - { - value: '40.74.28.0/23' - } - { - value: '87.147.204.13' - } - ] - } - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] 
diff --git a/modules/search/search-service/tests/e2e/pe/dependencies.bicep b/modules/search/search-service/tests/e2e/pe/dependencies.bicep
deleted file mode 100644
index 21b090a339..0000000000
--- a/modules/search/search-service/tests/e2e/pe/dependencies.bicep
+++ /dev/null
@@ -1,114 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Virtual Network to create.') -param virtualNetworkName string - -@description('Required. The name of the private DNS zone.') -param privateDnsZoneName string - -@description('Required. The name of the Application Security Group.') -param applicationSecurityGroupName string - -@description('Required. The name of the Storage Account to create.') -param storageAccountName string - -@description('Required. The name of the Key Vault to create.') -param keyVaultName string - -var addressPrefix = '10.0.0.0/16' - -resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { - name: virtualNetworkName - location: location - properties: { - addressSpace: { - addressPrefixes: [ - addressPrefix - ] - } - subnets: [ - { - name: 'defaultSubnet' - properties: { - addressPrefix: cidrSubnet(addressPrefix, 16, 0) - serviceEndpoints: [ - { - service: 'Microsoft.CognitiveServices' - } - ] - } - } - ] - } -} - -resource applicationSecurityGroup 'Microsoft.Network/applicationSecurityGroups@2023-04-01' = { - name: applicationSecurityGroupName - location: location - properties: {} -} - -resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { - name: privateDnsZoneName - location: 'global' - - resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { - name: '${virtualNetwork.name}-vnetlink' - location: 'global' - properties: { - virtualNetwork: { - id: virtualNetwork.id - } - registrationEnabled: false - } - } -} - -resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = { - name: storageAccountName - location: location - sku: { - name: 'Standard_LRS' - } - kind: 'StorageV2' -} - -resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { - name: keyVaultName - location: location - properties: { - sku: { - family: 'A' - name: 'standard' - } - tenantId: 
tenant().tenantId - enablePurgeProtection: null - enabledForTemplateDeployment: true - enabledForDiskEncryption: true - enabledForDeployment: true - enableRbacAuthorization: true - accessPolicies: [] - } -} - -@description('The resource ID of the created Storage Account.') -output storageAccountResourceId string = storageAccount.id - -@description('The location of the created Storage Account.') -output storageAccountLocation string = storageAccount.location - -@description('The resource ID of the created Key Vault.') -output keyVaultResourceId string = keyVault.id - -@description('The location of the created Key Vault.') -output keyVaultLocation string = keyVault.location - -@description('The resource ID of the created Virtual Network Subnet.') -output subnetResourceId string = virtualNetwork.properties.subnets[0].id - -@description('The resource ID of the created Private DNS Zone.') -output privateDNSZoneResourceId string = privateDNSZone.id - -@description('The resource ID of the created Application Security Group.') -output applicationSecurityGroupResourceId string = applicationSecurityGroup.id diff --git a/modules/search/search-service/tests/e2e/pe/main.test.bicep b/modules/search/search-service/tests/e2e/pe/main.test.bicep deleted file mode 100644 index 2cd4bd7d52..0000000000 --- a/modules/search/search-service/tests/e2e/pe/main.test.bicep +++ /dev/null 
@@ -1,92 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-search.searchservices-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'ssspe' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - applicationSecurityGroupName: 'dep-${namePrefix}-asg-${serviceShort}' - storageAccountName: 'dep${namePrefix}st${serviceShort}' - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' - privateDnsZoneName: 'privatelink.search.windows.net' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - publicNetworkAccess: 'disabled' - 
privateEndpoints: [ - { - applicationSecurityGroupResourceIds: [ - nestedDependencies.outputs.applicationSecurityGroupResourceId - ] - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - sharedPrivateLinkResources: [ - { - privateLinkResourceId: nestedDependencies.outputs.storageAccountResourceId - groupId: 'blob' - resourceRegion: nestedDependencies.outputs.storageAccountLocation - requestMessage: 'Please approve this request' - } - { - privateLinkResourceId: nestedDependencies.outputs.keyVaultResourceId - groupId: 'vault' - requestMessage: 'Please approve this request' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/search/search-service/tests/e2e/waf-aligned/dependencies.bicep b/modules/search/search-service/tests/e2e/waf-aligned/dependencies.bicep deleted file mode 100644 index 8413dfd20e..0000000000 --- a/modules/search/search-service/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null @@ -1,13 +0,0 @@ -@description('Required. The name of the managed identity to create.') -param managedIdentityName string - -@description('Optional. The location to deploy resources to.') -param location string = resourceGroup().location - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/search/search-service/tests/e2e/waf-aligned/main.test.bicep b/modules/search/search-service/tests/e2e/waf-aligned/main.test.bicep deleted file mode 100644 index e5968a4f01..0000000000 
--- a/modules/search/search-service/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,130 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-search.searchservices-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ssswaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}03'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}01'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}01'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- sku: 'standard3'
- cmkEnforcement: 'Enabled'
- disableLocalAuth: false
- authOptions: {
- aadOrApiKey: {
- aadAuthFailureMode: 'http401WithBearerChallenge'
- }
- }
- hostingMode: 'highDensity'
- partitionCount: 2
- replicaCount: 3
- managedIdentities: {
- systemAssigned: true
- }
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'Search Service Contributor'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- networkRuleSet: {
- ipRules: [
- {
- value: '40.74.28.0/23'
- }
- {
- value: '87.147.204.13'
- }
- ]
- }
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/search/search-service/version.json b/modules/search/search-service/version.json
deleted file mode 100644
index 7fa401bdf7..0000000000
--- a/modules/search/search-service/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.1",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/security/azure-security-center/.bicep/nested_iotSecuritySolutions.bicep b/modules/security/azure-security-center/.bicep/nested_iotSecuritySolutions.bicep
deleted file mode 100644
index 544e70ca31..0000000000
--- a/modules/security/azure-security-center/.bicep/nested_iotSecuritySolutions.bicep
+++ /dev/null
@@ -1,16 +0,0 @@
-@description('Optional. Security Solution data.')
-param ioTSecuritySolutionProperties object = {}
-
-resource iotSecuritySolutions 'Microsoft.Security/iotSecuritySolutions@2019-08-01' = if (!empty(ioTSecuritySolutionProperties)) {
- name: 'iotSecuritySolutions'
- properties: {
- workspace: ioTSecuritySolutionProperties.workspace
- displayName: ioTSecuritySolutionProperties.displayName
- status: ioTSecuritySolutionProperties.status
- export: ioTSecuritySolutionProperties.export
- disabledDataSources: ioTSecuritySolutionProperties.disabledDataSources
- iotHubs: ioTSecuritySolutionProperties.iotHubs
- userDefinedResources: ioTSecuritySolutionProperties.userDefinedResources
- recommendationsConfiguration: ioTSecuritySolutionProperties.recommendationsConfiguration
- }
-}
diff --git a/modules/security/azure-security-center/README.md b/modules/security/azure-security-center/README.md
index 99689ad43b..3ea869a230 100644
--- a/modules/security/azure-security-center/README.md
+++ b/modules/security/azure-security-center/README.md
@@ -1,467 +0,7 @@
-# Azure Security Center (Defender for Cloud) `[Microsoft.Security/azuresecuritycenter]`
+

⚠️ Moved to AVM ⚠️

-This module deploys an Azure Security Center (Defender for Cloud) Configuration. +**This module has been evolved into the following AVM module: [avm/ptn/security/security-center](https://github.com/Azure/bicep-registry-modules/tree/main/avm/ptn/security/security-center).** -## Navigation +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/security/security-center). -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Security/autoProvisioningSettings` | [2017-08-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Security/2017-08-01-preview/autoProvisioningSettings) | -| `Microsoft.Security/deviceSecurityGroups` | [2019-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Security/2019-08-01/deviceSecurityGroups) | -| `Microsoft.Security/iotSecuritySolutions` | [2019-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Security/2019-08-01/iotSecuritySolutions) | -| `Microsoft.Security/pricings` | [2018-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Security/2018-06-01/pricings) | -| `Microsoft.Security/securityContacts` | [2017-08-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Security/2017-08-01-preview/securityContacts) | -| `Microsoft.Security/workspaceSettings` | [2017-08-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Security/2017-08-01-preview/workspaceSettings) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. 
For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/security.azure-security-center:1.0.0`. - -- [Using large parameter set](#example-1-using-large-parameter-set) -- [WAF-aligned](#example-2-waf-aligned) - -### Example 1: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -
- -via Bicep module - -```bicep -module azureSecurityCenter 'br:bicep/modules/security.azure-security-center:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-sascmax' - params: { - // Required parameters - workspaceId: '' - // Non-required parameters - enableDefaultTelemetry: '' - securityContactProperties: { - alertNotifications: 'Off' - alertsToAdmins: 'Off' - email: 'foo@contoso.com' - phone: '+12345678' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "workspaceId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "securityContactProperties": { - "value": { - "alertNotifications": "Off", - "alertsToAdmins": "Off", - "email": "foo@contoso.com", - "phone": "+12345678" - } - } - } -} -``` - -
-

- -### Example 2: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module azureSecurityCenter 'br:bicep/modules/security.azure-security-center:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-sascwaf' - params: { - // Required parameters - workspaceId: '' - // Non-required parameters - enableDefaultTelemetry: '' - securityContactProperties: { - alertNotifications: 'Off' - alertsToAdmins: 'Off' - email: 'foo@contoso.com' - phone: '+12345678' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "workspaceId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "securityContactProperties": { - "value": { - "alertNotifications": "Off", - "alertsToAdmins": "Off", - "email": "foo@contoso.com", - "phone": "+12345678" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`scope`](#parameter-scope) | string | All the VMs in this scope will send their security data to the mentioned workspace unless overridden by a setting with more specific scope. | -| [`workspaceId`](#parameter-workspaceid) | string | The full Azure ID of the workspace to save the data in. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`appServicesPricingTier`](#parameter-appservicespricingtier) | string | The pricing tier value for AppServices. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | -| [`armPricingTier`](#parameter-armpricingtier) | string | The pricing tier value for ARM. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | -| [`autoProvision`](#parameter-autoprovision) | string | Describes what kind of security agent provisioning action to take. - On or Off. | -| [`containerRegistryPricingTier`](#parameter-containerregistrypricingtier) | string | The pricing tier value for ContainerRegistry. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | -| [`containersTier`](#parameter-containerstier) | string | The pricing tier value for containers. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. 
The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | -| [`cosmosDbsTier`](#parameter-cosmosdbstier) | string | The pricing tier value for CosmosDbs. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | -| [`deviceSecurityGroupProperties`](#parameter-devicesecuritygroupproperties) | object | Device Security group data. | -| [`dnsPricingTier`](#parameter-dnspricingtier) | string | The pricing tier value for DNS. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`ioTSecuritySolutionProperties`](#parameter-iotsecuritysolutionproperties) | object | Security Solution data. | -| [`keyVaultsPricingTier`](#parameter-keyvaultspricingtier) | string | The pricing tier value for KeyVaults. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | -| [`kubernetesServicePricingTier`](#parameter-kubernetesservicepricingtier) | string | The pricing tier value for KubernetesService. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. 
| -| [`location`](#parameter-location) | string | Location deployment metadata. | -| [`openSourceRelationalDatabasesTier`](#parameter-opensourcerelationaldatabasestier) | string | The pricing tier value for OpenSourceRelationalDatabases. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | -| [`securityContactProperties`](#parameter-securitycontactproperties) | object | Security contact data. | -| [`sqlServersPricingTier`](#parameter-sqlserverspricingtier) | string | The pricing tier value for SqlServers. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | -| [`sqlServerVirtualMachinesPricingTier`](#parameter-sqlservervirtualmachinespricingtier) | string | The pricing tier value for SqlServerVirtualMachines. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | -| [`storageAccountsPricingTier`](#parameter-storageaccountspricingtier) | string | The pricing tier value for StorageAccounts. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | -| [`virtualMachinesPricingTier`](#parameter-virtualmachinespricingtier) | string | The pricing tier value for VMs. 
Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | - -### Parameter: `scope` - -All the VMs in this scope will send their security data to the mentioned workspace unless overridden by a setting with more specific scope. - -- Required: Yes -- Type: string - -### Parameter: `workspaceId` - -The full Azure ID of the workspace to save the data in. - -- Required: Yes -- Type: string - -### Parameter: `appServicesPricingTier` - -The pricing tier value for AppServices. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. - -- Required: No -- Type: string -- Default: `'Free'` -- Allowed: - ```Bicep - [ - 'Free' - 'Standard' - ] - ``` - -### Parameter: `armPricingTier` - -The pricing tier value for ARM. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. - -- Required: No -- Type: string -- Default: `'Free'` -- Allowed: - ```Bicep - [ - 'Free' - 'Standard' - ] - ``` - -### Parameter: `autoProvision` - -Describes what kind of security agent provisioning action to take. - On or Off. - -- Required: No -- Type: string -- Default: `'On'` -- Allowed: - ```Bicep - [ - 'Off' - 'On' - ] - ``` - -### Parameter: `containerRegistryPricingTier` - -The pricing tier value for ContainerRegistry. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. 
The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. - -- Required: No -- Type: string -- Default: `'Free'` -- Allowed: - ```Bicep - [ - 'Free' - 'Standard' - ] - ``` - -### Parameter: `containersTier` - -The pricing tier value for containers. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. - -- Required: No -- Type: string -- Default: `'Free'` -- Allowed: - ```Bicep - [ - 'Free' - 'Standard' - ] - ``` - -### Parameter: `cosmosDbsTier` - -The pricing tier value for CosmosDbs. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. - -- Required: No -- Type: string -- Default: `'Free'` -- Allowed: - ```Bicep - [ - 'Free' - 'Standard' - ] - ``` - -### Parameter: `deviceSecurityGroupProperties` - -Device Security group data. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `dnsPricingTier` - -The pricing tier value for DNS. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. - -- Required: No -- Type: string -- Default: `'Free'` -- Allowed: - ```Bicep - [ - 'Free' - 'Standard' - ] - ``` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `ioTSecuritySolutionProperties` - -Security Solution data. 
- -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `keyVaultsPricingTier` - -The pricing tier value for KeyVaults. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. - -- Required: No -- Type: string -- Default: `'Free'` -- Allowed: - ```Bicep - [ - 'Free' - 'Standard' - ] - ``` - -### Parameter: `kubernetesServicePricingTier` - -The pricing tier value for KubernetesService. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. - -- Required: No -- Type: string -- Default: `'Free'` -- Allowed: - ```Bicep - [ - 'Free' - 'Standard' - ] - ``` - -### Parameter: `location` - -Location deployment metadata. - -- Required: No -- Type: string -- Default: `[deployment().location]` - -### Parameter: `openSourceRelationalDatabasesTier` - -The pricing tier value for OpenSourceRelationalDatabases. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. - -- Required: No -- Type: string -- Default: `'Free'` -- Allowed: - ```Bicep - [ - 'Free' - 'Standard' - ] - ``` - -### Parameter: `securityContactProperties` - -Security contact data. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `sqlServersPricingTier` - -The pricing tier value for SqlServers. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. 
The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. - -- Required: No -- Type: string -- Default: `'Free'` -- Allowed: - ```Bicep - [ - 'Free' - 'Standard' - ] - ``` - -### Parameter: `sqlServerVirtualMachinesPricingTier` - -The pricing tier value for SqlServerVirtualMachines. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. - -- Required: No -- Type: string -- Default: `'Free'` -- Allowed: - ```Bicep - [ - 'Free' - 'Standard' - ] - ``` - -### Parameter: `storageAccountsPricingTier` - -The pricing tier value for StorageAccounts. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. - -- Required: No -- Type: string -- Default: `'Free'` -- Allowed: - ```Bicep - [ - 'Free' - 'Standard' - ] - ``` - -### Parameter: `virtualMachinesPricingTier` - -The pricing tier value for VMs. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. - -- Required: No -- Type: string -- Default: `'Free'` -- Allowed: - ```Bicep - [ - 'Free' - 'Standard' - ] - ``` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the security center. | -| `workspaceId` | string | The resource ID of the used log analytics workspace. 
| - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/security/azure-security-center/main.bicep b/modules/security/azure-security-center/main.bicep deleted file mode 100644 index d0adb8211a..0000000000 --- a/modules/security/azure-security-center/main.bicep +++ /dev/null 
@@ -1,252 +0,0 @@ -metadata name = 'Azure Security Center (Defender for Cloud)' -metadata description = 'This module deploys an Azure Security Center (Defender for Cloud) Configuration.' -metadata owner = 'Azure/module-maintainers' - -targetScope = 'subscription' - -@description('Required. The full Azure ID of the workspace to save the data in.') -param workspaceId string - -@description('Required. All the VMs in this scope will send their security data to the mentioned workspace unless overridden by a setting with more specific scope.') -param scope string - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. Describes what kind of security agent provisioning action to take. - On or Off.') -@allowed([ - 'On' - 'Off' -]) -param autoProvision string = 'On' - -@description('Optional. Device Security group data.') -param deviceSecurityGroupProperties object = {} - -@description('Optional. Security Solution data.') -param ioTSecuritySolutionProperties object = {} - -@description('Optional. The pricing tier value for VMs. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard.') -@allowed([ - 'Free' - 'Standard' -]) -param virtualMachinesPricingTier string = 'Free' - -@description('Optional. The pricing tier value for SqlServers. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard.') -@allowed([ - 'Free' - 'Standard' -]) -param sqlServersPricingTier string = 'Free' - -@description('Optional. The pricing tier value for AppServices. 
Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard.') -@allowed([ - 'Free' - 'Standard' -]) -param appServicesPricingTier string = 'Free' - -@description('Optional. The pricing tier value for StorageAccounts. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard.') -@allowed([ - 'Free' - 'Standard' -]) -param storageAccountsPricingTier string = 'Free' - -@description('Optional. The pricing tier value for SqlServerVirtualMachines. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard.') -@allowed([ - 'Free' - 'Standard' -]) -param sqlServerVirtualMachinesPricingTier string = 'Free' - -@description('Optional. The pricing tier value for KubernetesService. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard.') -@allowed([ - 'Free' - 'Standard' -]) -param kubernetesServicePricingTier string = 'Free' - -@description('Optional. The pricing tier value for ContainerRegistry. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. 
- Free or Standard.') -@allowed([ - 'Free' - 'Standard' -]) -param containerRegistryPricingTier string = 'Free' - -@description('Optional. The pricing tier value for KeyVaults. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard.') -@allowed([ - 'Free' - 'Standard' -]) -param keyVaultsPricingTier string = 'Free' - -@description('Optional. The pricing tier value for DNS. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard.') -@allowed([ - 'Free' - 'Standard' -]) -param dnsPricingTier string = 'Free' - -@description('Optional. The pricing tier value for ARM. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard.') -@allowed([ - 'Free' - 'Standard' -]) -param armPricingTier string = 'Free' - -@description('Optional. The pricing tier value for OpenSourceRelationalDatabases. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard.') -@allowed([ - 'Free' - 'Standard' -]) -param openSourceRelationalDatabasesTier string = 'Free' - -@description('Optional. The pricing tier value for containers. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. 
The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard.') -@allowed([ - 'Free' - 'Standard' -]) -param containersTier string = 'Free' - -@description('Optional. The pricing tier value for CosmosDbs. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard.') -@allowed([ - 'Free' - 'Standard' -]) -param cosmosDbsTier string = 'Free' - -@description('Optional. Security contact data.') -param securityContactProperties object = {} - -@description('Optional. Location deployment metadata.') -param location string = deployment().location - -var pricings = [ - { - name: 'VirtualMachines' - pricingTier: virtualMachinesPricingTier - } - { - name: 'SqlServers' - pricingTier: sqlServersPricingTier - } - { - name: 'AppServices' - pricingTier: appServicesPricingTier - } - { - name: 'StorageAccounts' - pricingTier: storageAccountsPricingTier - } - { - name: 'SqlServerVirtualMachines' - pricingTier: sqlServerVirtualMachinesPricingTier - } - { - name: 'KubernetesService' - pricingTier: kubernetesServicePricingTier - } - { - name: 'ContainerRegistry' - pricingTier: containerRegistryPricingTier - } - { - name: 'KeyVaults' - pricingTier: keyVaultsPricingTier - } - { - name: 'Dns' - pricingTier: dnsPricingTier - } - { - name: 'Arm' - pricingTier: armPricingTier - } - { - name: 'OpenSourceRelationalDatabases' - pricingTier: openSourceRelationalDatabasesTier - } - { - name: 'Containers' - pricingTier: containersTier - } - { - name: 'CosmosDbs' - pricingTier: cosmosDbsTier - } -] - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - location: location - properties: { - 
mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -@batchSize(1) -resource pricingTiers 'Microsoft.Security/pricings@2018-06-01' = [for (pricing, index) in pricings: { - name: pricing.name - properties: { - pricingTier: pricing.pricingTier - } -}] - -resource autoProvisioningSettings 'Microsoft.Security/autoProvisioningSettings@2017-08-01-preview' = { - name: 'default' - properties: { - autoProvision: autoProvision - } -} - -resource deviceSecurityGroups 'Microsoft.Security/deviceSecurityGroups@2019-08-01' = if (!empty(deviceSecurityGroupProperties)) { - name: 'deviceSecurityGroups' - properties: { - thresholdRules: deviceSecurityGroupProperties.thresholdRules - timeWindowRules: deviceSecurityGroupProperties.timeWindowRules - allowlistRules: deviceSecurityGroupProperties.allowlistRules - denylistRules: deviceSecurityGroupProperties.denylistRules - } -} - -module iotSecuritySolutions '.bicep/nested_iotSecuritySolutions.bicep' = if (!empty(ioTSecuritySolutionProperties)) { - name: '${uniqueString(deployment().name)}-ASC-IotSecuritySolutions' - scope: resourceGroup(empty(ioTSecuritySolutionProperties) ? 
'dummy' : ioTSecuritySolutionProperties.resourceGroup) - params: { - ioTSecuritySolutionProperties: ioTSecuritySolutionProperties - } -} - -resource securityContacts 'Microsoft.Security/securityContacts@2017-08-01-preview' = if (!empty(securityContactProperties)) { - name: 'default' - properties: { - email: securityContactProperties.email - phone: securityContactProperties.phone - alertNotifications: securityContactProperties.alertNotifications - alertsToAdmins: securityContactProperties.alertsToAdmins - } -} - -resource workspaceSettings 'Microsoft.Security/workspaceSettings@2017-08-01-preview' = { - name: 'default' - properties: { - workspaceId: workspaceId - scope: scope - } - dependsOn: [ - autoProvisioningSettings - ] -} - -@description('The resource ID of the used log analytics workspace.') -output workspaceId string = workspaceId - -@description('The name of the security center.') -output name string = 'Security' diff --git a/modules/security/azure-security-center/main.json b/modules/security/azure-security-center/main.json deleted file mode 100644 index c59f3bd7e9..0000000000 --- a/modules/security/azure-security-center/main.json +++ /dev/null 
@@ -1,420 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9701989179534275854" - }, - "name": "Azure Security Center (Defender for Cloud)", - "description": "This module deploys an Azure Security Center (Defender for Cloud) Configuration.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "workspaceId": { - "type": "string", - "metadata": { - "description": "Required. The full Azure ID of the workspace to save the data in." - } - }, - "scope": { - "type": "string", - "metadata": { - "description": "Required. All the VMs in this scope will send their security data to the mentioned workspace unless overridden by a setting with more specific scope." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "autoProvision": { - "type": "string", - "defaultValue": "On", - "allowedValues": [ - "On", - "Off" - ], - "metadata": { - "description": "Optional. Describes what kind of security agent provisioning action to take. - On or Off." - } - }, - "deviceSecurityGroupProperties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Device Security group data." - } - }, - "ioTSecuritySolutionProperties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Security Solution data." - } - }, - "virtualMachinesPricingTier": { - "type": "string", - "defaultValue": "Free", - "allowedValues": [ - "Free", - "Standard" - ], - "metadata": { - "description": "Optional. The pricing tier value for VMs. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. 
The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard." - } - }, - "sqlServersPricingTier": { - "type": "string", - "defaultValue": "Free", - "allowedValues": [ - "Free", - "Standard" - ], - "metadata": { - "description": "Optional. The pricing tier value for SqlServers. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard." - } - }, - "appServicesPricingTier": { - "type": "string", - "defaultValue": "Free", - "allowedValues": [ - "Free", - "Standard" - ], - "metadata": { - "description": "Optional. The pricing tier value for AppServices. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard." - } - }, - "storageAccountsPricingTier": { - "type": "string", - "defaultValue": "Free", - "allowedValues": [ - "Free", - "Standard" - ], - "metadata": { - "description": "Optional. The pricing tier value for StorageAccounts. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard." - } - }, - "sqlServerVirtualMachinesPricingTier": { - "type": "string", - "defaultValue": "Free", - "allowedValues": [ - "Free", - "Standard" - ], - "metadata": { - "description": "Optional. The pricing tier value for SqlServerVirtualMachines. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. 
The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard." - } - }, - "kubernetesServicePricingTier": { - "type": "string", - "defaultValue": "Free", - "allowedValues": [ - "Free", - "Standard" - ], - "metadata": { - "description": "Optional. The pricing tier value for KubernetesService. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard." - } - }, - "containerRegistryPricingTier": { - "type": "string", - "defaultValue": "Free", - "allowedValues": [ - "Free", - "Standard" - ], - "metadata": { - "description": "Optional. The pricing tier value for ContainerRegistry. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard." - } - }, - "keyVaultsPricingTier": { - "type": "string", - "defaultValue": "Free", - "allowedValues": [ - "Free", - "Standard" - ], - "metadata": { - "description": "Optional. The pricing tier value for KeyVaults. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard." - } - }, - "dnsPricingTier": { - "type": "string", - "defaultValue": "Free", - "allowedValues": [ - "Free", - "Standard" - ], - "metadata": { - "description": "Optional. The pricing tier value for DNS. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. 
The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard." - } - }, - "armPricingTier": { - "type": "string", - "defaultValue": "Free", - "allowedValues": [ - "Free", - "Standard" - ], - "metadata": { - "description": "Optional. The pricing tier value for ARM. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard." - } - }, - "openSourceRelationalDatabasesTier": { - "type": "string", - "defaultValue": "Free", - "allowedValues": [ - "Free", - "Standard" - ], - "metadata": { - "description": "Optional. The pricing tier value for OpenSourceRelationalDatabases. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard." - } - }, - "containersTier": { - "type": "string", - "defaultValue": "Free", - "allowedValues": [ - "Free", - "Standard" - ], - "metadata": { - "description": "Optional. The pricing tier value for containers. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard." - } - }, - "cosmosDbsTier": { - "type": "string", - "defaultValue": "Free", - "allowedValues": [ - "Free", - "Standard" - ], - "metadata": { - "description": "Optional. The pricing tier value for CosmosDbs. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. 
The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard." - } - }, - "securityContactProperties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Security contact data." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - } - }, - "variables": { - "pricings": [ - { - "name": "VirtualMachines", - "pricingTier": "[parameters('virtualMachinesPricingTier')]" - }, - { - "name": "SqlServers", - "pricingTier": "[parameters('sqlServersPricingTier')]" - }, - { - "name": "AppServices", - "pricingTier": "[parameters('appServicesPricingTier')]" - }, - { - "name": "StorageAccounts", - "pricingTier": "[parameters('storageAccountsPricingTier')]" - }, - { - "name": "SqlServerVirtualMachines", - "pricingTier": "[parameters('sqlServerVirtualMachinesPricingTier')]" - }, - { - "name": "KubernetesService", - "pricingTier": "[parameters('kubernetesServicePricingTier')]" - }, - { - "name": "ContainerRegistry", - "pricingTier": "[parameters('containerRegistryPricingTier')]" - }, - { - "name": "KeyVaults", - "pricingTier": "[parameters('keyVaultsPricingTier')]" - }, - { - "name": "Dns", - "pricingTier": "[parameters('dnsPricingTier')]" - }, - { - "name": "Arm", - "pricingTier": "[parameters('armPricingTier')]" - }, - { - "name": "OpenSourceRelationalDatabases", - "pricingTier": "[parameters('openSourceRelationalDatabasesTier')]" - }, - { - "name": "Containers", - "pricingTier": "[parameters('containersTier')]" - }, - { - "name": "CosmosDbs", - "pricingTier": "[parameters('cosmosDbsTier')]" - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, 
parameters('location')))]", - "location": "[parameters('location')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "copy": { - "name": "pricingTiers", - "count": "[length(variables('pricings'))]", - "mode": "serial", - "batchSize": 1 - }, - "type": "Microsoft.Security/pricings", - "apiVersion": "2018-06-01", - "name": "[variables('pricings')[copyIndex()].name]", - "properties": { - "pricingTier": "[variables('pricings')[copyIndex()].pricingTier]" - } - }, - { - "type": "Microsoft.Security/autoProvisioningSettings", - "apiVersion": "2017-08-01-preview", - "name": "default", - "properties": { - "autoProvision": "[parameters('autoProvision')]" - } - }, - { - "condition": "[not(empty(parameters('deviceSecurityGroupProperties')))]", - "type": "Microsoft.Security/deviceSecurityGroups", - "apiVersion": "2019-08-01", - "name": "deviceSecurityGroups", - "properties": { - "thresholdRules": "[parameters('deviceSecurityGroupProperties').thresholdRules]", - "timeWindowRules": "[parameters('deviceSecurityGroupProperties').timeWindowRules]", - "allowlistRules": "[parameters('deviceSecurityGroupProperties').allowlistRules]", - "denylistRules": "[parameters('deviceSecurityGroupProperties').denylistRules]" - } - }, - { - "condition": "[not(empty(parameters('securityContactProperties')))]", - "type": "Microsoft.Security/securityContacts", - "apiVersion": "2017-08-01-preview", - "name": "default", - "properties": { - "email": "[parameters('securityContactProperties').email]", - "phone": "[parameters('securityContactProperties').phone]", - "alertNotifications": "[parameters('securityContactProperties').alertNotifications]", - "alertsToAdmins": "[parameters('securityContactProperties').alertsToAdmins]" - } - }, - { - "type": "Microsoft.Security/workspaceSettings", - "apiVersion": "2017-08-01-preview", - "name": 
"default", - "properties": { - "workspaceId": "[parameters('workspaceId')]", - "scope": "[parameters('scope')]" - }, - "dependsOn": [ - "[subscriptionResourceId('Microsoft.Security/autoProvisioningSettings', 'default')]" - ] - }, - { - "condition": "[not(empty(parameters('ioTSecuritySolutionProperties')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-ASC-IotSecuritySolutions', uniqueString(deployment().name))]", - "resourceGroup": "[if(empty(parameters('ioTSecuritySolutionProperties')), 'dummy', parameters('ioTSecuritySolutionProperties').resourceGroup)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "ioTSecuritySolutionProperties": { - "value": "[parameters('ioTSecuritySolutionProperties')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17940871522867244658" - } - }, - "parameters": { - "ioTSecuritySolutionProperties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Security Solution data." 
- } - } - }, - "resources": [ - { - "condition": "[not(empty(parameters('ioTSecuritySolutionProperties')))]", - "type": "Microsoft.Security/iotSecuritySolutions", - "apiVersion": "2019-08-01", - "name": "iotSecuritySolutions", - "properties": { - "workspace": "[parameters('ioTSecuritySolutionProperties').workspace]", - "displayName": "[parameters('ioTSecuritySolutionProperties').displayName]", - "status": "[parameters('ioTSecuritySolutionProperties').status]", - "export": "[parameters('ioTSecuritySolutionProperties').export]", - "disabledDataSources": "[parameters('ioTSecuritySolutionProperties').disabledDataSources]", - "iotHubs": "[parameters('ioTSecuritySolutionProperties').iotHubs]", - "userDefinedResources": "[parameters('ioTSecuritySolutionProperties').userDefinedResources]", - "recommendationsConfiguration": "[parameters('ioTSecuritySolutionProperties').recommendationsConfiguration]" - } - } - ] - } - } - } - ], - "outputs": { - "workspaceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the used log analytics workspace." - }, - "value": "[parameters('workspaceId')]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the security center." - }, - "value": "Security" - } - } -} \ No newline at end of file diff --git a/modules/security/azure-security-center/tests/e2e/max/dependencies.bicep b/modules/security/azure-security-center/tests/e2e/max/dependencies.bicep deleted file mode 100644 index cc24476629..0000000000 --- a/modules/security/azure-security-center/tests/e2e/max/dependencies.bicep +++ /dev/null 
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Log Analytics Workspace to create.')
-param logAnalyticsWorkspaceName string
-
-resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' = {
- name: logAnalyticsWorkspaceName
- location: location
-}
-
-@description('The resource ID of the created Log Analytics Workspace.')
-output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.id
diff --git a/modules/security/azure-security-center/tests/e2e/max/main.test.bicep b/modules/security/azure-security-center/tests/e2e/max/main.test.bicep
deleted file mode 100644
index e76028a93a..0000000000
--- a/modules/security/azure-security-center/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,63 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-security.azureSecurityCenter-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'sascmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- scope: '/subscriptions/${subscription().subscriptionId}'
- workspaceId: nestedDependencies.outputs.logAnalyticsWorkspaceResourceId
- securityContactProperties: {
- alertNotifications: 'Off'
- alertsToAdmins: 'Off'
- email: 'foo@contoso.com'
- phone: '+12345678'
- }
- }
-}]
diff --git a/modules/security/azure-security-center/tests/e2e/waf-aligned/dependencies.bicep b/modules/security/azure-security-center/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index cc24476629..0000000000
--- a/modules/security/azure-security-center/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Log Analytics Workspace to create.')
-param logAnalyticsWorkspaceName string
-
-resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' = {
- name: logAnalyticsWorkspaceName
- location: location
-}
-
-@description('The resource ID of the created Log Analytics Workspace.')
-output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.id
diff --git a/modules/security/azure-security-center/tests/e2e/waf-aligned/main.test.bicep b/modules/security/azure-security-center/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 1e6b326548..0000000000
--- a/modules/security/azure-security-center/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,63 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-security.azureSecurityCenter-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'sascwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- scope: '/subscriptions/${subscription().subscriptionId}'
- workspaceId: nestedDependencies.outputs.logAnalyticsWorkspaceResourceId
- securityContactProperties: {
- alertNotifications: 'Off'
- alertsToAdmins: 'Off'
- email: 'foo@contoso.com'
- phone: '+12345678'
- }
- }
-}]
diff --git a/modules/security/azure-security-center/version.json b/modules/security/azure-security-center/version.json
deleted file mode 100644
index 04a0dd1a80..0000000000
--- a/modules/security/azure-security-center/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.5",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/service-bus/namespace/MOVED-TO-AVM.md b/modules/service-bus/namespace/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/service-bus/namespace/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/service-bus/namespace/README.md b/modules/service-bus/namespace/README.md
index f4814f2cd9..0d5ae68b09 100644
--- a/modules/service-bus/namespace/README.md
+++ b/modules/service-bus/namespace/README.md
@@ -1,1964 +1,7 @@
-# Service Bus Namespaces `[Microsoft.ServiceBus/namespaces]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/service-bus/namespace](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/service-bus/namespace).** -This module deploys a Service Bus Namespace. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/service-bus/namespace). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -| `Microsoft.ServiceBus/namespaces` | 
[2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces) | -| `Microsoft.ServiceBus/namespaces/AuthorizationRules` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/AuthorizationRules) | -| `Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/disasterRecoveryConfigs) | -| `Microsoft.ServiceBus/namespaces/migrationConfigurations` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/migrationConfigurations) | -| `Microsoft.ServiceBus/namespaces/networkRuleSets` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/networkRuleSets) | -| `Microsoft.ServiceBus/namespaces/queues` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/queues) | -| `Microsoft.ServiceBus/namespaces/queues/authorizationRules` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/queues/authorizationRules) | -| `Microsoft.ServiceBus/namespaces/topics` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/topics) | -| `Microsoft.ServiceBus/namespaces/topics/authorizationRules` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/topics/authorizationRules) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. 
- ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/service-bus.namespace:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Encr](#example-2-encr) -- [Using large parameter set](#example-3-using-large-parameter-set) -- [Pe](#example-4-pe) -- [WAF-aligned](#example-5-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-sbnmin' - params: { - // Required parameters - name: 'sbnmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "sbnmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Encr_ - -

- -via Bicep module - -```bicep -module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-sbnencr' - params: { - // Required parameters - name: 'sbnencr001' - // Non-required parameters - authorizationRules: [ - { - name: 'RootManageSharedAccessKey' - rights: [ - 'Listen' - 'Manage' - 'Send' - ] - } - { - name: 'AnotherKey' - rights: [ - 'Listen' - 'Send' - ] - } - ] - customerManagedKey: { - keyName: '' - keyVaultResourceId: '' - userAssignedIdentityResourceId: '' - } - enableDefaultTelemetry: '' - managedIdentities: { - systemAssigned: false - userAssignedResourceIds: [ - '' - ] - } - networkRuleSets: { - defaultAction: 'Deny' - ipRules: [ - { - action: 'Allow' - ipMask: '10.0.1.0/32' - } - { - action: 'Allow' - ipMask: '10.0.2.0/32' - } - ] - trustedServiceAccessEnabled: true - virtualNetworkRules: [ - { - ignoreMissingVnetServiceEndpoint: true - subnetResourceId: '' - } - ] - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - skuName: 'Premium' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "sbnencr001" - }, - // Non-required parameters - "authorizationRules": { - "value": [ - { - "name": "RootManageSharedAccessKey", - "rights": [ - "Listen", - "Manage", - "Send" - ] - }, - { - "name": "AnotherKey", - "rights": [ - "Listen", - "Send" - ] - } - ] - }, - "customerManagedKey": { - "value": { - "keyName": "", - "keyVaultResourceId": "", - "userAssignedIdentityResourceId": "" - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "managedIdentities": { - "value": { - "systemAssigned": false, - "userAssignedResourceIds": [ - "" - ] - } - }, - "networkRuleSets": { - "value": { - "defaultAction": "Deny", - "ipRules": [ - { - "action": "Allow", - "ipMask": "10.0.1.0/32" - }, - { - "action": "Allow", - "ipMask": "10.0.2.0/32" - } - ], - "trustedServiceAccessEnabled": true, - "virtualNetworkRules": [ - { - "ignoreMissingVnetServiceEndpoint": true, - "subnetResourceId": "" - } - ] - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "skuName": { - "value": "Premium" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

-
-via Bicep module
-
-```bicep
-module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = {
- name: '${uniqueString(deployment().name, location)}-test-sbnmax'
- params: {
- // Required parameters
- name: 'sbnmax001'
- // Non-required parameters
- authorizationRules: [
- {
- name: 'RootManageSharedAccessKey'
- rights: [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- }
- {
- name: 'AnotherKey'
- rights: [
- 'Listen'
- 'Send'
- ]
- }
- ]
- diagnosticSettings: [
- {
- eventHubAuthorizationRuleResourceId: ''
- eventHubName: ''
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- name: 'customSetting'
- storageAccountResourceId: ''
- workspaceResourceId: ''
- }
- ]
- disableLocalAuth: true
- enableDefaultTelemetry: ''
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- ''
- ]
- }
- minimumTlsVersion: '1.2'
- networkRuleSets: {
- defaultAction: 'Deny'
- ipRules: [
- {
- action: 'Allow'
- ipMask: '10.0.1.0/32'
- }
- {
- action: 'Allow'
- ipMask: '10.0.2.0/32'
- }
- ]
- trustedServiceAccessEnabled: true
- virtualNetworkRules: [
- {
- ignoreMissingVnetServiceEndpoint: true
- subnetResourceId: ''
- }
- ]
- }
- premiumMessagingPartitions: 1
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- ''
- ]
- service: 'namespace'
- subnetResourceId: ''
- tags: {
- Environment: 'Non-Prod'
- 'hidden-title': 'This is visible in the resource name'
- Role: 'DeploymentValidation'
- }
- }
- ]
- publicNetworkAccess: 'Enabled'
- queues: [
- {
- authorizationRules: [
- {
- name: 'RootManageSharedAccessKey'
- rights: [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- }
- {
- name: 'AnotherKey'
- rights: [
- 'Listen'
- 'Send'
- ]
- }
- ]
- autoDeleteOnIdle: 'PT5M'
- maxMessageSizeInKilobytes: 2048
- name: 'sbnmaxq001'
- roleAssignments: [
- {
- principalId: ''
- principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
- }
- ]
- }
- ]
- roleAssignments: [
- {
- principalId: ''
- principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
- }
- ]
- skuCapacity: 2
- skuName: 'Premium'
- tags: {
- Environment: 'Non-Prod'
- 'hidden-title': 'This is visible in the resource name'
- Role: 'DeploymentValidation'
- }
- topics: [
- {
- authorizationRules: [
- {
- name: 'RootManageSharedAccessKey'
- rights: [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- }
- {
- name: 'AnotherKey'
- rights: [
- 'Listen'
- 'Send'
- ]
- }
- ]
- name: 'sbnmaxt001'
- roleAssignments: [
- {
- principalId: ''
- principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
- }
- ]
- }
- ]
- zoneRedundant: true
- }
-}
-```
-
-
-

-
-

-
-via JSON Parameter file
-
-```json
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- // Required parameters
- "name": {
- "value": "sbnmax001"
- },
- // Non-required parameters
- "authorizationRules": {
- "value": [
- {
- "name": "RootManageSharedAccessKey",
- "rights": [
- "Listen",
- "Manage",
- "Send"
- ]
- },
- {
- "name": "AnotherKey",
- "rights": [
- "Listen",
- "Send"
- ]
- }
- ]
- },
- "diagnosticSettings": {
- "value": [
- {
- "eventHubAuthorizationRuleResourceId": "",
- "eventHubName": "",
- "metricCategories": [
- {
- "category": "AllMetrics"
- }
- ],
- "name": "customSetting",
- "storageAccountResourceId": "",
- "workspaceResourceId": ""
- }
- ]
- },
- "disableLocalAuth": {
- "value": true
- },
- "enableDefaultTelemetry": {
- "value": ""
- },
- "lock": {
- "value": {
- "kind": "CanNotDelete",
- "name": "myCustomLockName"
- }
- },
- "managedIdentities": {
- "value": {
- "systemAssigned": true,
- "userAssignedResourceIds": [
- ""
- ]
- }
- },
- "minimumTlsVersion": {
- "value": "1.2"
- },
- "networkRuleSets": {
- "value": {
- "defaultAction": "Deny",
- "ipRules": [
- {
- "action": "Allow",
- "ipMask": "10.0.1.0/32"
- },
- {
- "action": "Allow",
- "ipMask": "10.0.2.0/32"
- }
- ],
- "trustedServiceAccessEnabled": true,
- "virtualNetworkRules": [
- {
- "ignoreMissingVnetServiceEndpoint": true,
- "subnetResourceId": ""
- }
- ]
- }
- },
- "premiumMessagingPartitions": {
- "value": 1
- },
- "privateEndpoints": {
- "value": [
- {
- "privateDnsZoneResourceIds": [
- ""
- ],
- "service": "namespace",
- "subnetResourceId": "",
- "tags": {
- "Environment": "Non-Prod",
- "hidden-title": "This is visible in the resource name",
- "Role": "DeploymentValidation"
- }
- }
- ]
- },
- "publicNetworkAccess": {
- "value": "Enabled"
- },
- "queues": {
- "value": [
- {
- "authorizationRules": [
- {
- "name": "RootManageSharedAccessKey",
- "rights": [
- "Listen",
- "Manage",
- "Send"
- ]
- },
- {
- "name": "AnotherKey",
- "rights": [
- "Listen",
- "Send"
- ]
- }
- ],
- "autoDeleteOnIdle": "PT5M",
- "maxMessageSizeInKilobytes": 2048,
- "name": "sbnmaxq001",
- "roleAssignments": [
- {
- "principalId": "",
- "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
- }
- ]
- }
- ]
- },
- "roleAssignments": {
- "value": [
- {
- "principalId": "",
- "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
- }
- ]
- },
- "skuCapacity": {
- "value": 2
- },
- "skuName": {
- "value": "Premium"
- },
- "tags": {
- "value": {
- "Environment": "Non-Prod",
- "hidden-title": "This is visible in the resource name",
- "Role": "DeploymentValidation"
- }
- },
- "topics": {
- "value": [
- {
- "authorizationRules": [
- {
- "name": "RootManageSharedAccessKey",
- "rights": [
- "Listen",
- "Manage",
- "Send"
- ]
- },
- {
- "name": "AnotherKey",
- "rights": [
- "Listen",
- "Send"
- ]
- }
- ],
- "name": "sbnmaxt001",
- "roleAssignments": [
- {
- "principalId": "",
- "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
- }
- ]
- }
- ]
- },
- "zoneRedundant": {
- "value": true
- }
- }
-}
-```
-
-
-

-
-### Example 4: _Pe_
-
-

-
-via Bicep module
-
-```bicep
-module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = {
- name: '${uniqueString(deployment().name, location)}-test-sbnpe'
- params: {
- // Required parameters
- name: 'sbnpe001'
- // Non-required parameters
- enableDefaultTelemetry: ''
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- ''
- ]
- subnetResourceId: ''
- tags: {
- Environment: 'Non-Prod'
- 'hidden-title': 'This is visible in the resource name'
- Role: 'DeploymentValidation'
- }
- }
- ]
- publicNetworkAccess: 'Disabled'
- skuName: 'Premium'
- tags: {
- Environment: 'Non-Prod'
- 'hidden-title': 'This is visible in the resource name'
- Role: 'DeploymentValidation'
- }
- }
-}
-```
-
-
-

-
-

-
-via JSON Parameter file
-
-```json
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- // Required parameters
- "name": {
- "value": "sbnpe001"
- },
- // Non-required parameters
- "enableDefaultTelemetry": {
- "value": ""
- },
- "privateEndpoints": {
- "value": [
- {
- "privateDnsZoneResourceIds": [
- ""
- ],
- "subnetResourceId": "",
- "tags": {
- "Environment": "Non-Prod",
- "hidden-title": "This is visible in the resource name",
- "Role": "DeploymentValidation"
- }
- }
- ]
- },
- "publicNetworkAccess": {
- "value": "Disabled"
- },
- "skuName": {
- "value": "Premium"
- },
- "tags": {
- "value": {
- "Environment": "Non-Prod",
- "hidden-title": "This is visible in the resource name",
- "Role": "DeploymentValidation"
- }
- }
- }
-}
-```
-
-
-

-
-### Example 5: _WAF-aligned_
-
-This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.
-
-
-

-
-via Bicep module
-
-```bicep
-module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = {
- name: '${uniqueString(deployment().name, location)}-test-sbnwaf'
- params: {
- // Required parameters
- name: 'sbnwaf001'
- // Non-required parameters
- authorizationRules: [
- {
- name: 'RootManageSharedAccessKey'
- rights: [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- }
- {
- name: 'AnotherKey'
- rights: [
- 'Listen'
- 'Send'
- ]
- }
- ]
- diagnosticSettings: [
- {
- eventHubAuthorizationRuleResourceId: ''
- eventHubName: ''
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- name: 'customSetting'
- storageAccountResourceId: ''
- workspaceResourceId: ''
- }
- ]
- disableLocalAuth: true
- enableDefaultTelemetry: ''
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- ''
- ]
- }
- minimumTlsVersion: '1.2'
- networkRuleSets: {
- defaultAction: 'Deny'
- ipRules: [
- {
- action: 'Allow'
- ipMask: '10.0.1.0/32'
- }
- {
- action: 'Allow'
- ipMask: '10.0.2.0/32'
- }
- ]
- trustedServiceAccessEnabled: true
- virtualNetworkRules: [
- {
- ignoreMissingVnetServiceEndpoint: true
- subnetResourceId: ''
- }
- ]
- }
- premiumMessagingPartitions: 1
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- ''
- ]
- service: 'namespace'
- subnetResourceId: ''
- tags: {
- Environment: 'Non-Prod'
- 'hidden-title': 'This is visible in the resource name'
- Role: 'DeploymentValidation'
- }
- }
- ]
- publicNetworkAccess: 'Enabled'
- queues: [
- {
- authorizationRules: [
- {
- name: 'RootManageSharedAccessKey'
- rights: [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- }
- {
- name: 'AnotherKey'
- rights: [
- 'Listen'
- 'Send'
- ]
- }
- ]
- autoDeleteOnIdle: 'PT5M'
- maxMessageSizeInKilobytes: 2048
- name: 'sbnwafq001'
- roleAssignments: [
- {
- principalId: ''
- principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
- }
- ]
- }
- ]
- roleAssignments: [
- {
- principalId: ''
- principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
- }
- ]
- skuCapacity: 2
- skuName: 'Premium'
- tags: {
- Environment: 'Non-Prod'
- 'hidden-title': 'This is visible in the resource name'
- Role: 'DeploymentValidation'
- }
- topics: [
- {
- authorizationRules: [
- {
- name: 'RootManageSharedAccessKey'
- rights: [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- }
- {
- name: 'AnotherKey'
- rights: [
- 'Listen'
- 'Send'
- ]
- }
- ]
- name: 'sbnwaft001'
- roleAssignments: [
- {
- principalId: ''
- principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
- }
- ]
- }
- ]
- zoneRedundant: true
- }
-}
-```
-
-
-

-
-

-
-via JSON Parameter file
-
-```json
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- // Required parameters
- "name": {
- "value": "sbnwaf001"
- },
- // Non-required parameters
- "authorizationRules": {
- "value": [
- {
- "name": "RootManageSharedAccessKey",
- "rights": [
- "Listen",
- "Manage",
- "Send"
- ]
- },
- {
- "name": "AnotherKey",
- "rights": [
- "Listen",
- "Send"
- ]
- }
- ]
- },
- "diagnosticSettings": {
- "value": [
- {
- "eventHubAuthorizationRuleResourceId": "",
- "eventHubName": "",
- "metricCategories": [
- {
- "category": "AllMetrics"
- }
- ],
- "name": "customSetting",
- "storageAccountResourceId": "",
- "workspaceResourceId": ""
- }
- ]
- },
- "disableLocalAuth": {
- "value": true
- },
- "enableDefaultTelemetry": {
- "value": ""
- },
- "lock": {
- "value": {
- "kind": "CanNotDelete",
- "name": "myCustomLockName"
- }
- },
- "managedIdentities": {
- "value": {
- "systemAssigned": true,
- "userAssignedResourceIds": [
- ""
- ]
- }
- },
- "minimumTlsVersion": {
- "value": "1.2"
- },
- "networkRuleSets": {
- "value": {
- "defaultAction": "Deny",
- "ipRules": [
- {
- "action": "Allow",
- "ipMask": "10.0.1.0/32"
- },
- {
- "action": "Allow",
- "ipMask": "10.0.2.0/32"
- }
- ],
- "trustedServiceAccessEnabled": true,
- "virtualNetworkRules": [
- {
- "ignoreMissingVnetServiceEndpoint": true,
- "subnetResourceId": ""
- }
- ]
- }
- },
- "premiumMessagingPartitions": {
- "value": 1
- },
- "privateEndpoints": {
- "value": [
- {
- "privateDnsZoneResourceIds": [
- ""
- ],
- "service": "namespace",
- "subnetResourceId": "",
- "tags": {
- "Environment": "Non-Prod",
- "hidden-title": "This is visible in the resource name",
- "Role": "DeploymentValidation"
- }
- }
- ]
- },
- "publicNetworkAccess": {
- "value": "Enabled"
- },
- "queues": {
- "value": [
- {
- "authorizationRules": [
- {
- "name": "RootManageSharedAccessKey",
- "rights": [
- "Listen",
- "Manage",
- "Send"
- ]
- },
- {
- "name": "AnotherKey",
- "rights": [
- "Listen",
- "Send"
- ]
- }
- ],
- "autoDeleteOnIdle": "PT5M",
- "maxMessageSizeInKilobytes": 2048,
- "name": "sbnwafq001",
- "roleAssignments": [
- {
- "principalId": "",
- "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
- }
- ]
- }
- ]
- },
- "roleAssignments": {
- "value": [
- {
- "principalId": "",
- "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
- }
- ]
- },
- "skuCapacity": {
- "value": 2
- },
- "skuName": {
- "value": "Premium"
- },
- "tags": {
- "value": {
- "Environment": "Non-Prod",
- "hidden-title": "This is visible in the resource name",
- "Role": "DeploymentValidation"
- }
- },
- "topics": {
- "value": [
- {
- "authorizationRules": [
- {
- "name": "RootManageSharedAccessKey",
- "rights": [
- "Listen",
- "Manage",
- "Send"
- ]
- },
- {
- "name": "AnotherKey",
- "rights": [
- "Listen",
- "Send"
- ]
- }
- ],
- "name": "sbnwaft001",
- "roleAssignments": [
- {
- "principalId": "",
- "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
- }
- ]
- }
- ]
- },
- "zoneRedundant": {
- "value": true
- }
- }
-}
-```
-
-
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Service Bus Namespace. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`alternateName`](#parameter-alternatename) | string | Alternate name for namespace. | -| [`authorizationRules`](#parameter-authorizationrules) | array | Authorization Rules for the Service Bus namespace. | -| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`disableLocalAuth`](#parameter-disablelocalauth) | bool | This property disables SAS authentication for the Service Bus namespace. | -| [`disasterRecoveryConfigs`](#parameter-disasterrecoveryconfigs) | object | The disaster recovery configuration. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`migrationConfigurations`](#parameter-migrationconfigurations) | object | The migration configuration. | -| [`minimumTlsVersion`](#parameter-minimumtlsversion) | string | The minimum TLS version for the cluster to support. | -| [`networkRuleSets`](#parameter-networkrulesets) | object | Configure networking options for Premium SKU Service Bus. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. 
| -| [`premiumMessagingPartitions`](#parameter-premiummessagingpartitions) | int | The number of partitions of a Service Bus namespace. This property is only applicable to Premium SKU namespaces. The default value is 1 and possible values are 1, 2 and 4. | -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | -| [`queues`](#parameter-queues) | array | The queues to create in the service bus namespace. | -| [`requireInfrastructureEncryption`](#parameter-requireinfrastructureencryption) | bool | Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`skuCapacity`](#parameter-skucapacity) | int | The specified messaging units for the tier. Only used for Premium Sku tier. | -| [`skuName`](#parameter-skuname) | string | Name of this SKU. - Basic, Standard, Premium. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`topics`](#parameter-topics) | array | The topics to create in the service bus namespace. | -| [`zoneRedundant`](#parameter-zoneredundant) | bool | Enabling this property creates a Premium Service Bus Namespace in regions supported availability zones. | - -### Parameter: `name` - -Name of the Service Bus Namespace. - -- Required: Yes -- Type: string - -### Parameter: `alternateName` - -Alternate name for namespace. 
- -- Required: No -- Type: string -- Default: `''` - -### Parameter: `authorizationRules` - -Authorization Rules for the Service Bus namespace. - -- Required: No -- Type: array -- Default: - ```Bicep - [ - { - name: 'RootManageSharedAccessKey' - rights: [ - 'Listen' - 'Manage' - 'Send' - ] - } - ] - ``` - -### Parameter: `customerManagedKey` - -The customer managed key definition. - -- Required: No -- Type: object - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. | -| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | -| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | - -### Parameter: `customerManagedKey.keyName` - -The name of the customer managed key to use for encryption. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKey.keyVaultResourceId` - -The resource ID of a key vault to reference a customer managed key for encryption from. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKey.keyVersion` - -The version of the customer managed key to reference for encryption. If not provided, using 'latest'. - -- Required: No -- Type: string - -### Parameter: `customerManagedKey.userAssignedIdentityResourceId` - -User assigned identity to use when fetching the customer managed key. 
Required if no system assigned identity is available for use. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. 
| -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
- -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `disableLocalAuth` - -This property disables SAS authentication for the Service Bus namespace. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `disasterRecoveryConfigs` - -The disaster recovery configuration. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: No -- Type: array - -### Parameter: `migrationConfigurations` - -The migration configuration. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `minimumTlsVersion` - -The minimum TLS version for the cluster to support. - -- Required: No -- Type: string -- Default: `'1.2'` -- Allowed: - ```Bicep - [ - '1.0' - '1.1' - '1.2' - ] - ``` - -### Parameter: `networkRuleSets` - -Configure networking options for Premium SKU Service Bus. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `premiumMessagingPartitions` - -The number of partitions of a Service Bus namespace. This property is only applicable to Premium SKU namespaces. The default value is 1 and possible values are 1, 2 and 4. - -- Required: No -- Type: int -- Default: `1` - -### Parameter: `privateEndpoints` - -Configuration details for private endpoints. 
For security reasons, it is recommended to use private endpoints whenever possible. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.subnetResourceId` - -Resource ID of the subnet where the endpoint needs to be created. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Application security groups in which the private endpoint IP configuration is included. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customDnsConfigs` - -Custom DNS configurations. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customNetworkInterfaceName` - -The custom name of the network interface attached to the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.enableTelemetry` - -Enable/Disable usage telemetry for module. - -- Required: No -- Type: bool - -### Parameter: `privateEndpoints.ipConfigurations` - -A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.location` - -The location to deploy the private endpoint to. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.lock` - -Specify the type of lock. 
- -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | -| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | - -### Parameter: `privateEndpoints.lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `privateEndpoints.lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` - -Manual PrivateLink Service Connections. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.name` - -The name of the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneGroupName` - -The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` - -The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `privateEndpoints.roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.conditionVersion` - -Version of the condition. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `privateEndpoints.service` - -The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.tags` - -Tags to be applied on all resources/resource groups in this deployment. - -- Required: No -- Type: object - -### Parameter: `publicNetworkAccess` - -Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Disabled' - 'Enabled' - 'SecuredByPerimeter' - ] - ``` - -### Parameter: `queues` - -The queues to create in the service bus namespace. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `requireInfrastructureEncryption` - -Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `roleAssignments` - -Array of role assignments to create. 
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
- -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `skuCapacity` - -The specified messaging units for the tier. Only used for Premium Sku tier. - -- Required: No -- Type: int -- Default: `1` -- Allowed: - ```Bicep - [ - 1 - 2 - 4 - 8 - 16 - 32 - ] - ``` - -### Parameter: `skuName` - -Name of this SKU. - Basic, Standard, Premium. - -- Required: No -- Type: string -- Default: `'Basic'` -- Allowed: - ```Bicep - [ - 'Basic' - 'Premium' - 'Standard' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `topics` - -The topics to create in the service bus namespace. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `zoneRedundant` - -Enabling this property creates a Premium Service Bus Namespace in regions supported availability zones. 
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the deployed service bus namespace. |
-| `resourceGroupName` | string | The resource group of the deployed service bus namespace. |
-| `resourceId` | string | The resource ID of the deployed service bus namespace. |
-| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. |
-
-## Cross-referenced modules
-
-This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
-
-| Reference | Type |
-| :-- | :-- |
-| `modules/network/private-endpoint` | Local reference |
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/service-bus/namespace/authorization-rule/README.md b/modules/service-bus/namespace/authorization-rule/README.md
deleted file mode 100644
index 3df8ec2c40..0000000000
--- a/modules/service-bus/namespace/authorization-rule/README.md
+++ /dev/null
@@ -1,88 +0,0 @@
-# Service Bus Namespace Authorization Rules `[Microsoft.ServiceBus/namespaces/AuthorizationRules]`
-
-This module deploys a Service Bus Namespace Authorization Rule.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.ServiceBus/namespaces/AuthorizationRules` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/AuthorizationRules) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the authorization rule. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`namespaceName`](#parameter-namespacename) | string | The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`rights`](#parameter-rights) | array | The rights associated with the rule. |
-
-### Parameter: `name`
-
-The name of the authorization rule.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `namespaceName`
-
-The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `rights`
-
-The rights associated with the rule.
-
-- Required: No
-- Type: array
-- Default: `[]`
-- Allowed:
- ```Bicep
- [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- ```
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the authorization rule. |
-| `resourceGroupName` | string | The name of the Resource Group the authorization rule was created in. |
-| `resourceId` | string | The resource ID of the authorization rule. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/service-bus/namespace/authorization-rule/main.bicep b/modules/service-bus/namespace/authorization-rule/main.bicep
deleted file mode 100644
index 0ade3c677e..0000000000
--- a/modules/service-bus/namespace/authorization-rule/main.bicep
+++ /dev/null
@@ -1,55 +0,0 @@
-metadata name = 'Service Bus Namespace Authorization Rules'
-metadata description = 'This module deploys a Service Bus Namespace Authorization Rule.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment.')
-@minLength(6)
-@maxLength(50)
-param namespaceName string
-
-@description('Required. The name of the authorization rule.')
-param name string
-
-@description('Optional. The rights associated with the rule.')
-@allowed([
- 'Listen'
- 'Manage'
- 'Send'
-])
-param rights array = []
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource namespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = {
- name: namespaceName
-}
-
-resource authorizationRule 'Microsoft.ServiceBus/namespaces/AuthorizationRules@2022-10-01-preview' = {
- name: name
- parent: namespace
- properties: {
- rights: rights
- }
-}
-
-@description('The name of the authorization rule.')
-output name string = authorizationRule.name
-
-@description('The resource ID of the authorization rule.')
-output resourceId string = authorizationRule.id
-
-@description('The name of the Resource Group the authorization rule was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/service-bus/namespace/authorization-rule/main.json b/modules/service-bus/namespace/authorization-rule/main.json
deleted file mode 100644
index 91d7c037fd..0000000000
--- a/modules/service-bus/namespace/authorization-rule/main.json
+++ /dev/null
@@ -1,96 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "1264227897820313372" - }, - "name": "Service Bus Namespace Authorization Rules", - "description": "This module deploys a Service Bus Namespace Authorization Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "namespaceName": { - "type": "string", - "minLength": 6, - "maxLength": 50, - "metadata": { - "description": "Conditional. The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the authorization rule." - } - }, - "rights": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "Listen", - "Manage", - "Send" - ], - "metadata": { - "description": "Optional. The rights associated with the rule." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ServiceBus/namespaces/AuthorizationRules", - "apiVersion": "2022-10-01-preview", - "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", - "properties": { - "rights": "[parameters('rights')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the authorization rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the authorization rule." - }, - "value": "[resourceId('Microsoft.ServiceBus/namespaces/AuthorizationRules', parameters('namespaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the authorization rule was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/service-bus/namespace/authorization-rule/version.json b/modules/service-bus/namespace/authorization-rule/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/service-bus/namespace/authorization-rule/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/service-bus/namespace/disaster-recovery-config/README.md b/modules/service-bus/namespace/disaster-recovery-config/README.md
deleted file mode 100644
index a69152b008..0000000000
--- a/modules/service-bus/namespace/disaster-recovery-config/README.md
+++ /dev/null
@@ -1,85 +0,0 @@
-# Service Bus Namespace Disaster Recovery Configs `[Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs]`
-
-This module deploys a Service Bus Namespace Disaster Recovery Config
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/disasterRecoveryConfigs) |
-
-## Parameters
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`namespaceName`](#parameter-namespacename) | string | The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`alternateName`](#parameter-alternatename) | string | Primary/Secondary eventhub namespace name, which is part of GEO DR pairing. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`name`](#parameter-name) | string | The name of the disaster recovery config. |
-| [`partnerNamespaceResourceID`](#parameter-partnernamespaceresourceid) | string | Resource ID of the Primary/Secondary event hub namespace name, which is part of GEO DR pairing. |
-
-### Parameter: `namespaceName`
-
-The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `alternateName`
-
-Primary/Secondary eventhub namespace name, which is part of GEO DR pairing.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `name`
-
-The name of the disaster recovery config.
-
-- Required: No
-- Type: string
-- Default: `'default'`
-
-### Parameter: `partnerNamespaceResourceID`
-
-Resource ID of the Primary/Secondary event hub namespace name, which is part of GEO DR pairing.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the disaster recovery config. |
-| `resourceGroupName` | string | The name of the Resource Group the disaster recovery config was created in. |
-| `resourceId` | string | The Resource ID of the disaster recovery config. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/service-bus/namespace/disaster-recovery-config/main.bicep b/modules/service-bus/namespace/disaster-recovery-config/main.bicep
deleted file mode 100644
index 2d949345a7..0000000000
--- a/modules/service-bus/namespace/disaster-recovery-config/main.bicep
+++ /dev/null
@@ -1,54 +0,0 @@
-metadata name = 'Service Bus Namespace Disaster Recovery Configs'
-metadata description = 'This module deploys a Service Bus Namespace Disaster Recovery Config'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment.')
-@minLength(6)
-@maxLength(50)
-param namespaceName string
-
-@description('Optional. The name of the disaster recovery config.')
-param name string = 'default'
-
-@description('Optional. Primary/Secondary eventhub namespace name, which is part of GEO DR pairing.')
-param alternateName string = ''
-
-@description('Optional. Resource ID of the Primary/Secondary event hub namespace name, which is part of GEO DR pairing.')
-param partnerNamespaceResourceID string = ''
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource namespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = {
- name: namespaceName
-}
-
-resource disasterRecoveryConfig 'Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs@2022-10-01-preview' = {
- name: name
- parent: namespace
- properties: {
- alternateName: alternateName
- partnerNamespace: partnerNamespaceResourceID
- }
-}
-
-@description('The name of the disaster recovery config.')
-output name string = disasterRecoveryConfig.name
-
-@description('The Resource ID of the disaster recovery config.')
-output resourceId string = disasterRecoveryConfig.id
-
-@description('The name of the Resource Group the disaster recovery config was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/service-bus/namespace/disaster-recovery-config/main.json b/modules/service-bus/namespace/disaster-recovery-config/main.json
deleted file mode 100644
index 397fb23db9..0000000000
--- a/modules/service-bus/namespace/disaster-recovery-config/main.json
+++ /dev/null
@@ -1,100 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10655153602613161335" - }, - "name": "Service Bus Namespace Disaster Recovery Configs", - "description": "This module deploys a Service Bus Namespace Disaster Recovery Config", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "namespaceName": { - "type": "string", - "minLength": 6, - "maxLength": 50, - "metadata": { - "description": "Conditional. The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the disaster recovery config." - } - }, - "alternateName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Primary/Secondary eventhub namespace name, which is part of GEO DR pairing." - } - }, - "partnerNamespaceResourceID": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the Primary/Secondary event hub namespace name, which is part of GEO DR pairing." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs", - "apiVersion": "2022-10-01-preview", - "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", - "properties": { - "alternateName": "[parameters('alternateName')]", - "partnerNamespace": "[parameters('partnerNamespaceResourceID')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the disaster recovery config." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The Resource ID of the disaster recovery config." - }, - "value": "[resourceId('Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs', parameters('namespaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the disaster recovery config was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/service-bus/namespace/disaster-recovery-config/version.json b/modules/service-bus/namespace/disaster-recovery-config/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/service-bus/namespace/disaster-recovery-config/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/service-bus/namespace/main.bicep b/modules/service-bus/namespace/main.bicep
deleted file mode 100644
index 04d5cc64a3..0000000000
--- a/modules/service-bus/namespace/main.bicep
+++ /dev/null
@@ -1,555 +0,0 @@
-metadata name = 'Service Bus Namespaces'
-metadata description = 'This module deploys a Service Bus Namespace.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the Service Bus Namespace.')
-@maxLength(50)
-param name string
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Name of this SKU. - Basic, Standard, Premium.')
-@allowed([
- 'Basic'
- 'Standard'
- 'Premium'
-])
-param skuName string = 'Basic'
-
-@description('Optional. The specified messaging units for the tier. Only used for Premium Sku tier.')
-@allowed([
- 1
- 2
- 4
- 8
- 16
- 32
-])
-param skuCapacity int = 1
-
-@description('Optional. Enabling this property creates a Premium Service Bus Namespace in regions supported availability zones.')
-param zoneRedundant bool = false
-
-@allowed([
- '1.0'
- '1.1'
- '1.2'
-])
-@description('Optional. The minimum TLS version for the cluster to support.')
-param minimumTlsVersion string = '1.2'
-
-@description('Optional. Alternate name for namespace.')
-param alternateName string = ''
-
-@description('Optional. The number of partitions of a Service Bus namespace. This property is only applicable to Premium SKU namespaces. The default value is 1 and possible values are 1, 2 and 4.')
-param premiumMessagingPartitions int = 1
-
-@description('Optional. Authorization Rules for the Service Bus namespace.')
-param authorizationRules array = [
- {
- name: 'RootManageSharedAccessKey'
- rights: [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- }
-]
-
-@description('Optional. The migration configuration.')
-param migrationConfigurations object = {}
-
-@description('Optional. The disaster recovery configuration.')
-param disasterRecoveryConfigs object = {}
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional.
The lock settings of the service.')
-param lock lockType
-
-@description('Optional. The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.')
-@allowed([
- ''
- 'Disabled'
- 'Enabled'
- 'SecuredByPerimeter'
-])
-param publicNetworkAccess string = ''
-
-@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints privateEndpointType
-
-@description('Optional. Configure networking options for Premium SKU Service Bus. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace.')
-param networkRuleSets object = {}
-
-@description('Optional. This property disables SAS authentication for the Service Bus namespace.')
-param disableLocalAuth bool = true
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. The queues to create in the service bus namespace.')
-param queues array = []
-
-@description('Optional. The topics to create in the service bus namespace.')
-param topics array = []
-
-@description('Optional. The customer managed key definition.')
-param customerManagedKey customerManagedKeyType
-
-@description('Optional. Enable infrastructure encryption (double encryption).
Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters.')
-param requireInfrastructureEncryption bool = true
-
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-
-var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
- userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
-} : null
-
-var enableReferencedModulesTelemetry = false
-
-var builtInRoleNames = {
- 'Azure Service Bus Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419')
- 'Azure Service Bus Data Receiver': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')
- 'Azure Service Bus Data Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource
defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) {
- name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/'))
- scope: resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4])
-
- resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) {
- name: customerManagedKey.?keyName ?? 'dummyKey'
- }
-}
-
-resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) {
- name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 'dummyMsi', '/'))
- scope: resourceGroup(split((customerManagedKey.?userAssignedIdentityResourceId ?? '//'), '/')[2], split((customerManagedKey.?userAssignedIdentityResourceId ?? '////'), '/')[4])
-}
-
-resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = {
- name: name
- location: location
- tags: empty(tags) ? null : tags
- sku: {
- name: skuName
- capacity: skuName == 'Premium' ? skuCapacity : null
- }
- identity: identity
- properties: {
- publicNetworkAccess: !empty(publicNetworkAccess) ? publicNetworkAccess : (!empty(privateEndpoints) && empty(networkRuleSets) ? 'Disabled' : 'Enabled')
- minimumTlsVersion: minimumTlsVersion
- alternateName: !empty(alternateName) ?
alternateName : null
- zoneRedundant: zoneRedundant
- disableLocalAuth: disableLocalAuth
- premiumMessagingPartitions: skuName == 'Premium' ? premiumMessagingPartitions : 0
- encryption: !empty(customerManagedKey) ? {
- keySource: 'Microsoft.KeyVault'
- keyVaultProperties: [
- {
- identity: !empty(customerManagedKey.?userAssignedIdentityResourceId) ? {
- userAssignedIdentity: cMKUserAssignedIdentity.id
- } : null
- keyName: customerManagedKey!.keyName
- keyVaultUri: cMKKeyVault.properties.vaultUri
- keyVersion: !empty(customerManagedKey.?keyVersion ?? '') ? customerManagedKey!.keyVersion : last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/'))
- }
- ]
- requireInfrastructureEncryption: requireInfrastructureEncryption
- } : null
- }
-}
-
-module serviceBusNamespace_authorizationRules 'authorization-rule/main.bicep' = [for (authorizationRule, index) in authorizationRules: {
- name: '${uniqueString(deployment().name, location)}-AuthorizationRules-${index}'
- params: {
- namespaceName: serviceBusNamespace.name
- name: authorizationRule.name
- rights: contains(authorizationRule, 'rights') ? authorizationRule.rights : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module serviceBusNamespace_disasterRecoveryConfig 'disaster-recovery-config/main.bicep' = if (!empty(disasterRecoveryConfigs)) {
- name: '${uniqueString(deployment().name, location)}-DisasterRecoveryConfig'
- params: {
- namespaceName: serviceBusNamespace.name
- name: contains(disasterRecoveryConfigs, 'name') ? disasterRecoveryConfigs.name : 'default'
- alternateName: contains(disasterRecoveryConfigs, 'alternateName') ? disasterRecoveryConfigs.alternateName : ''
- partnerNamespaceResourceID: contains(disasterRecoveryConfigs, 'partnerNamespace') ?
disasterRecoveryConfigs.partnerNamespace : ''
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module serviceBusNamespace_migrationConfigurations 'migration-configuration/main.bicep' = if (!empty(migrationConfigurations)) {
- name: '${uniqueString(deployment().name, location)}-MigrationConfigurations'
- params: {
- namespaceName: serviceBusNamespace.name
- postMigrationName: migrationConfigurations.postMigrationName
- targetNamespaceResourceId: migrationConfigurations.targetNamespace
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module serviceBusNamespace_networkRuleSet 'network-rule-set/main.bicep' = if (!empty(networkRuleSets) || !empty(privateEndpoints)) {
- name: '${uniqueString(deployment().name, location)}-NetworkRuleSet'
- params: {
- namespaceName: serviceBusNamespace.name
- publicNetworkAccess: contains(networkRuleSets, 'publicNetworkAccess') ? networkRuleSets.publicNetworkAccess : (!empty(privateEndpoints) && empty(networkRuleSets) ? 'Disabled' : 'Enabled')
- defaultAction: contains(networkRuleSets, 'defaultAction') ? networkRuleSets.defaultAction : 'Allow'
- trustedServiceAccessEnabled: contains(networkRuleSets, 'trustedServiceAccessEnabled') ? networkRuleSets.trustedServiceAccessEnabled : true
- ipRules: contains(networkRuleSets, 'ipRules') ? networkRuleSets.ipRules : []
- virtualNetworkRules: contains(networkRuleSets, 'virtualNetworkRules') ? networkRuleSets.virtualNetworkRules : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module serviceBusNamespace_queues 'queue/main.bicep' = [for (queue, index) in queues: {
- name: '${uniqueString(deployment().name, location)}-Queue-${index}'
- params: {
- namespaceName: serviceBusNamespace.name
- name: queue.name
- autoDeleteOnIdle: contains(queue, 'autoDeleteOnIdle') ? queue.autoDeleteOnIdle : ''
- forwardDeadLetteredMessagesTo: contains(queue, 'forwardDeadLetteredMessagesTo') ?
queue.forwardDeadLetteredMessagesTo : ''
- forwardTo: contains(queue, 'forwardTo') ? queue.forwardTo : ''
- maxMessageSizeInKilobytes: contains(queue, 'maxMessageSizeInKilobytes') ? queue.maxMessageSizeInKilobytes : 1024
- authorizationRules: contains(queue, 'authorizationRules') ? queue.authorizationRules : [
- {
- name: 'RootManageSharedAccessKey'
- rights: [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- }
- ]
- deadLetteringOnMessageExpiration: contains(queue, 'deadLetteringOnMessageExpiration') ? queue.deadLetteringOnMessageExpiration : true
- defaultMessageTimeToLive: contains(queue, 'defaultMessageTimeToLive') ? queue.defaultMessageTimeToLive : 'P14D'
- duplicateDetectionHistoryTimeWindow: contains(queue, 'duplicateDetectionHistoryTimeWindow') ? queue.duplicateDetectionHistoryTimeWindow : 'PT10M'
- enableBatchedOperations: contains(queue, 'enableBatchedOperations') ? queue.enableBatchedOperations : true
- enableExpress: contains(queue, 'enableExpress') ? queue.enableExpress : false
- enablePartitioning: contains(queue, 'enablePartitioning') ? queue.enablePartitioning : false
- lock: queue.?lock ?? lock
- lockDuration: contains(queue, 'lockDuration') ? queue.lockDuration : 'PT1M'
- maxDeliveryCount: contains(queue, 'maxDeliveryCount') ? queue.maxDeliveryCount : 10
- maxSizeInMegabytes: contains(queue, 'maxSizeInMegabytes') ? queue.maxSizeInMegabytes : 1024
- requiresDuplicateDetection: contains(queue, 'requiresDuplicateDetection') ? queue.requiresDuplicateDetection : false
- requiresSession: contains(queue, 'requiresSession') ? queue.requiresSession : false
- roleAssignments: contains(queue, 'roleAssignments') ? queue.roleAssignments : []
- status: contains(queue, 'status') ?
queue.status : 'Active'
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module serviceBusNamespace_topics 'topic/main.bicep' = [for (topic, index) in topics: {
- name: '${uniqueString(deployment().name, location)}-Topic-${index}'
- params: {
- namespaceName: serviceBusNamespace.name
- name: topic.name
- authorizationRules: contains(topic, 'authorizationRules') ? topic.authorizationRules : [
- {
- name: 'RootManageSharedAccessKey'
- rights: [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- }
- ]
- autoDeleteOnIdle: contains(topic, 'autoDeleteOnIdle') ? topic.autoDeleteOnIdle : 'PT5M'
- defaultMessageTimeToLive: contains(topic, 'defaultMessageTimeToLive') ? topic.defaultMessageTimeToLive : 'P14D'
- duplicateDetectionHistoryTimeWindow: contains(topic, 'duplicateDetectionHistoryTimeWindow') ? topic.duplicateDetectionHistoryTimeWindow : 'PT10M'
- enableBatchedOperations: contains(topic, 'enableBatchedOperations') ? topic.enableBatchedOperations : true
- enableExpress: contains(topic, 'enableExpress') ? topic.enableExpress : false
- enablePartitioning: contains(topic, 'enablePartitioning') ? topic.enablePartitioning : false
- lock: topic.?lock ?? lock
- maxMessageSizeInKilobytes: contains(topic, 'maxMessageSizeInKilobytes') ? topic.maxMessageSizeInKilobytes : 1024
- maxSizeInMegabytes: contains(topic, 'maxSizeInMegabytes') ? topic.maxSizeInMegabytes : 1024
- requiresDuplicateDetection: contains(topic, 'requiresDuplicateDetection') ? topic.requiresDuplicateDetection : false
- roleAssignments: contains(topic, 'roleAssignments') ? topic.roleAssignments : []
- status: contains(topic, 'status') ? topic.status : 'Active'
- supportOrdering: contains(topic, 'supportOrdering') ? topic.supportOrdering : false
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-resource serviceBusNamespace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ??
'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: serviceBusNamespace
-}
-
-resource serviceBusNamespace_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: serviceBusNamespace
-}]
-
-module serviceBusNamespace_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
- name: '${uniqueString(deployment().name, location)}-serviceBusNamespace-PrivateEndpoint-${index}'
- params: {
- groupIds: [
- privateEndpoint.?service ?? 'namespace'
- ]
- name: privateEndpoint.?name ?? 'pep-${last(split(serviceBusNamespace.id, '/'))}-${privateEndpoint.?service ?? 'namespace'}-${index}'
- serviceResourceId: serviceBusNamespace.id
- subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
- location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: privateEndpoint.?lock ??
lock
- privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
- privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
- roleAssignments: privateEndpoint.?roleAssignments
- tags: privateEndpoint.?tags ?? tags
- manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
- customDnsConfigs: privateEndpoint.?customDnsConfigs
- ipConfigurations: privateEndpoint.?ipConfigurations
- applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
- customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
- }
-}]
-
-resource serviceBusNamespace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(serviceBusNamespace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ??
'2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: serviceBusNamespace
-}]
-
-@description('The resource ID of the deployed service bus namespace.')
-output resourceId string = serviceBusNamespace.id
-
-@description('The resource group of the deployed service bus namespace.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the deployed service bus namespace.')
-output name string = serviceBusNamespace.name
-
-@description('The principal ID of the system assigned identity.')
-output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(serviceBusNamespace.identity, 'principalId') ? serviceBusNamespace.identity.principalId : ''
-
-@description('The location the resource was deployed into.')
-output location string = serviceBusNamespace.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]?
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional.
The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type privateEndpointType = {
- @description('Optional. The name of the private endpoint.')
- name: string?
-
- @description('Optional. The location to deploy the private endpoint to.')
- location: string?
-
- @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
- service: string?
-
- @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
- subnetResourceId: string
-
- @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
- privateDnsZoneGroupName: string?
-
- @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
- privateDnsZoneResourceIds: string[]?
-
- @description('Optional. Custom DNS configurations.')
- customDnsConfigs: {
- @description('Required. Fqdn that resolves to private endpoint ip address.')
- fqdn: string?
-
- @description('Required. A list of private ip addresses of the private endpoint.')
- ipAddresses: string[]
- }[]?
-
- @description('Optional. A list of IP configurations of the private endpoint.
This will be used to map to the First Party Service endpoints.')
- ipConfigurations: {
- @description('Required. The name of the resource that is unique within a resource group.')
- name: string
-
- @description('Required. Properties of private endpoint IP configurations.')
- properties: {
- @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
- groupId: string
-
- @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
- memberName: string
-
- @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
- privateIPAddress: string
- }
- }[]?
-
- @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
- applicationSecurityGroupResourceIds: string[]?
-
- @description('Optional. The custom name of the network interface attached to the private endpoint.')
- customNetworkInterfaceName: string?
-
- @description('Optional. Specify the type of lock.')
- lock: lockType
-
- @description('Optional. Array of role assignments to create.')
- roleAssignments: roleAssignmentType
-
- @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
- tags: object?
-
- @description('Optional. Manual PrivateLink Service Connections.')
- manualPrivateLinkServiceConnections: array?
-
- @description('Optional. Enable/Disable usage telemetry for module.')
- enableTelemetry: bool?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to.
Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional.
The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
-
-type customerManagedKeyType = {
- @description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.')
- keyVaultResourceId: string
-
- @description('Required. The name of the customer managed key to use for encryption.')
- keyName: string
-
- @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.')
- keyVersion: string?
-
- @description('Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use.')
- userAssignedIdentityResourceId: string?
-}?
diff --git a/modules/service-bus/namespace/main.json b/modules/service-bus/namespace/main.json
deleted file mode 100644
index 473e54d7b7..0000000000
--- a/modules/service-bus/namespace/main.json
+++ /dev/null
@@ -1,3116 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15999404248309451971" - }, - "name": "Service Bus Namespaces", - "description": "This module deploys a Service Bus Namespace.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." 
- } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. 
Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - }, - "customerManagedKeyType": { - "type": "object", - "properties": { - "keyVaultResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." - } - }, - "keyName": { - "type": "string", - "metadata": { - "description": "Required. The name of the customer managed key to use for encryption." - } - }, - "keyVersion": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." - } - }, - "userAssignedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use." 
- } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 50, - "metadata": { - "description": "Required. Name of the Service Bus Namespace." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "skuName": { - "type": "string", - "defaultValue": "Basic", - "allowedValues": [ - "Basic", - "Standard", - "Premium" - ], - "metadata": { - "description": "Optional. Name of this SKU. - Basic, Standard, Premium." - } - }, - "skuCapacity": { - "type": "int", - "defaultValue": 1, - "allowedValues": [ - 1, - 2, - 4, - 8, - 16, - 32 - ], - "metadata": { - "description": "Optional. The specified messaging units for the tier. Only used for Premium Sku tier." - } - }, - "zoneRedundant": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enabling this property creates a Premium Service Bus Namespace in regions supported availability zones." - } - }, - "minimumTlsVersion": { - "type": "string", - "defaultValue": "1.2", - "allowedValues": [ - "1.0", - "1.1", - "1.2" - ], - "metadata": { - "description": "Optional. The minimum TLS version for the cluster to support." - } - }, - "alternateName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Alternate name for namespace." - } - }, - "premiumMessagingPartitions": { - "type": "int", - "defaultValue": 1, - "metadata": { - "description": "Optional. The number of partitions of a Service Bus namespace. This property is only applicable to Premium SKU namespaces. The default value is 1 and possible values are 1, 2 and 4." - } - }, - "authorizationRules": { - "type": "array", - "defaultValue": [ - { - "name": "RootManageSharedAccessKey", - "rights": [ - "Listen", - "Manage", - "Send" - ] - } - ], - "metadata": { - "description": "Optional. Authorization Rules for the Service Bus namespace." 
- } - }, - "migrationConfigurations": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The migration configuration." - } - }, - "disasterRecoveryConfigs": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The disaster recovery configuration." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Disabled", - "Enabled", - "SecuredByPerimeter" - ], - "metadata": { - "description": "Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." - } - }, - "networkRuleSets": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Configure networking options for Premium SKU Service Bus. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace." 
- } - }, - "disableLocalAuth": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. This property disables SAS authentication for the Service Bus namespace." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "queues": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The queues to create in the service bus namespace." - } - }, - "topics": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The topics to create in the service bus namespace." - } - }, - "customerManagedKey": { - "$ref": "#/definitions/customerManagedKeyType", - "metadata": { - "description": "Optional. The customer managed key definition." - } - }, - "requireInfrastructureEncryption": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters." 
- } - } - }, - "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Azure Service Bus Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419')]", - "Azure Service Bus Data Receiver": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", - "Azure Service Bus Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "cMKKeyVault::cMKKey": { - "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults/keys", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", - "dependsOn": [ - "cMKKeyVault" - ] - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "cMKKeyVault": { - "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 
'////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" - }, - "cMKUserAssignedIdentity": { - "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')))]", - "existing": true, - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2023-01-31", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" - }, - "serviceBusNamespace": { - "type": "Microsoft.ServiceBus/namespaces", - "apiVersion": "2022-10-01-preview", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[if(empty(parameters('tags')), null(), parameters('tags'))]", - "sku": { - "name": "[parameters('skuName')]", - "capacity": "[if(equals(parameters('skuName'), 'Premium'), parameters('skuCapacity'), null())]" - }, - "identity": "[variables('identity')]", - "properties": { - "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), if(and(not(empty(parameters('privateEndpoints'))), empty(parameters('networkRuleSets'))), 'Disabled', 'Enabled'))]", - "minimumTlsVersion": "[parameters('minimumTlsVersion')]", - "alternateName": "[if(not(empty(parameters('alternateName'))), parameters('alternateName'), null())]", - "zoneRedundant": "[parameters('zoneRedundant')]", - "disableLocalAuth": "[parameters('disableLocalAuth')]", - "premiumMessagingPartitions": "[if(equals(parameters('skuName'), 'Premium'), parameters('premiumMessagingPartitions'), 0)]", - "encryption": "[if(not(empty(parameters('customerManagedKey'))), createObject('keySource', 
'Microsoft.KeyVault', 'keyVaultProperties', createArray(createObject('identity', if(not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'))), createObject('userAssignedIdentity', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/')))), null()), 'keyName', parameters('customerManagedKey').keyName, 'keyVaultUri', reference('cMKKeyVault').vaultUri, 'keyVersion', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), parameters('customerManagedKey').keyVersion, last(split(reference('cMKKeyVault::cMKKey').keyUriWithVersion, '/'))))), 'requireInfrastructureEncryption', parameters('requireInfrastructureEncryption')), null())]" - }, - "dependsOn": [ - "cMKKeyVault", - "cMKUserAssignedIdentity" - ] - }, - "serviceBusNamespace_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.ServiceBus/namespaces/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "serviceBusNamespace" - ] - }, - "serviceBusNamespace_diagnosticSettings": { - "copy": { - "name": 
"serviceBusNamespace_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.ServiceBus/namespaces/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "serviceBusNamespace" - ] - }, - "serviceBusNamespace_roleAssignments": { - "copy": { - "name": "serviceBusNamespace_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": 
"Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.ServiceBus/namespaces/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.ServiceBus/namespaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - 
"dependsOn": [ - "serviceBusNamespace" - ] - }, - "serviceBusNamespace_authorizationRules": { - "copy": { - "name": "serviceBusNamespace_authorizationRules", - "count": "[length(parameters('authorizationRules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AuthorizationRules-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "namespaceName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('authorizationRules')[copyIndex()].name]" - }, - "rights": "[if(contains(parameters('authorizationRules')[copyIndex()], 'rights'), createObject('value', parameters('authorizationRules')[copyIndex()].rights), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "1264227897820313372" - }, - "name": "Service Bus Namespace Authorization Rules", - "description": "This module deploys a Service Bus Namespace Authorization Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "namespaceName": { - "type": "string", - "minLength": 6, - "maxLength": 50, - "metadata": { - "description": "Conditional. The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the authorization rule." - } - }, - "rights": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "Listen", - "Manage", - "Send" - ], - "metadata": { - "description": "Optional. 
The rights associated with the rule." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ServiceBus/namespaces/AuthorizationRules", - "apiVersion": "2022-10-01-preview", - "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", - "properties": { - "rights": "[parameters('rights')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the authorization rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the authorization rule." - }, - "value": "[resourceId('Microsoft.ServiceBus/namespaces/AuthorizationRules', parameters('namespaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the authorization rule was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "serviceBusNamespace" - ] - }, - "serviceBusNamespace_disasterRecoveryConfig": { - "condition": "[not(empty(parameters('disasterRecoveryConfigs')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DisasterRecoveryConfig', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "namespaceName": { - "value": "[parameters('name')]" - }, - "name": "[if(contains(parameters('disasterRecoveryConfigs'), 'name'), createObject('value', parameters('disasterRecoveryConfigs').name), createObject('value', 'default'))]", - "alternateName": "[if(contains(parameters('disasterRecoveryConfigs'), 'alternateName'), createObject('value', parameters('disasterRecoveryConfigs').alternateName), createObject('value', ''))]", - "partnerNamespaceResourceID": "[if(contains(parameters('disasterRecoveryConfigs'), 'partnerNamespace'), createObject('value', parameters('disasterRecoveryConfigs').partnerNamespace), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10655153602613161335" - }, - "name": "Service Bus Namespace Disaster Recovery Configs", - "description": "This module deploys a Service Bus Namespace Disaster Recovery Config", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "namespaceName": { - "type": "string", - "minLength": 6, - "maxLength": 50, - "metadata": { - "description": "Conditional. The name of the parent Service Bus Namespace for the Service Bus Queue. 
Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the disaster recovery config." - } - }, - "alternateName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Primary/Secondary eventhub namespace name, which is part of GEO DR pairing." - } - }, - "partnerNamespaceResourceID": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the Primary/Secondary event hub namespace name, which is part of GEO DR pairing." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs", - "apiVersion": "2022-10-01-preview", - "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", - "properties": { - "alternateName": "[parameters('alternateName')]", - "partnerNamespace": "[parameters('partnerNamespaceResourceID')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the disaster recovery config." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The Resource ID of the disaster recovery config." 
- }, - "value": "[resourceId('Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs', parameters('namespaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the disaster recovery config was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "serviceBusNamespace" - ] - }, - "serviceBusNamespace_migrationConfigurations": { - "condition": "[not(empty(parameters('migrationConfigurations')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-MigrationConfigurations', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "namespaceName": { - "value": "[parameters('name')]" - }, - "postMigrationName": { - "value": "[parameters('migrationConfigurations').postMigrationName]" - }, - "targetNamespaceResourceId": { - "value": "[parameters('migrationConfigurations').targetNamespace]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5089878909119216074" - }, - "name": "Service Bus Namespace Migration Configuration", - "description": "This module deploys a Service Bus Namespace Migration Configuration.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "namespaceName": { - "type": "string", - "minLength": 6, - "maxLength": 50, - "metadata": { - "description": "Conditional. The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment." 
- } - }, - "postMigrationName": { - "type": "string", - "metadata": { - "description": "Required. Name to access Standard Namespace after migration." - } - }, - "targetNamespaceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Existing premium Namespace resource ID which has no entities, will be used for migration." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ServiceBus/namespaces/migrationConfigurations", - "apiVersion": "2022-10-01-preview", - "name": "[format('{0}/{1}', parameters('namespaceName'), '$default')]", - "properties": { - "targetNamespace": "[parameters('targetNamespaceResourceId')]", - "postMigrationName": "[parameters('postMigrationName')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the migration configuration." - }, - "value": "$default" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The Resource ID of the migration configuration." - }, - "value": "[resourceId('Microsoft.ServiceBus/namespaces/migrationConfigurations', parameters('namespaceName'), '$default')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the migration configuration was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "serviceBusNamespace" - ] - }, - "serviceBusNamespace_networkRuleSet": { - "condition": "[or(not(empty(parameters('networkRuleSets'))), not(empty(parameters('privateEndpoints'))))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-NetworkRuleSet', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "namespaceName": { - "value": "[parameters('name')]" - }, - "publicNetworkAccess": "[if(contains(parameters('networkRuleSets'), 'publicNetworkAccess'), createObject('value', parameters('networkRuleSets').publicNetworkAccess), if(and(not(empty(parameters('privateEndpoints'))), empty(parameters('networkRuleSets'))), createObject('value', 'Disabled'), createObject('value', 'Enabled')))]", - "defaultAction": "[if(contains(parameters('networkRuleSets'), 'defaultAction'), createObject('value', parameters('networkRuleSets').defaultAction), createObject('value', 'Allow'))]", - "trustedServiceAccessEnabled": "[if(contains(parameters('networkRuleSets'), 'trustedServiceAccessEnabled'), createObject('value', parameters('networkRuleSets').trustedServiceAccessEnabled), createObject('value', true()))]", - "ipRules": "[if(contains(parameters('networkRuleSets'), 'ipRules'), createObject('value', parameters('networkRuleSets').ipRules), createObject('value', createArray()))]", - "virtualNetworkRules": "[if(contains(parameters('networkRuleSets'), 'virtualNetworkRules'), createObject('value', parameters('networkRuleSets').virtualNetworkRules), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { 
- "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13436940198974346018" - }, - "name": "Service Bus Namespace Network Rule Sets", - "description": "This module deploys a ServiceBus Namespace Network Rule Set.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "namespaceName": { - "type": "string", - "minLength": 6, - "maxLength": 50, - "metadata": { - "description": "Conditional. The name of the parent Service Bus Namespace for the Service Bus Network Rule Set. Required if the template is used in a standalone deployment." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. This determines if traffic is allowed over public network. Default is \"Enabled\". If set to \"Disabled\", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied." - } - }, - "defaultAction": { - "type": "string", - "defaultValue": "Allow", - "allowedValues": [ - "Allow", - "Deny" - ], - "metadata": { - "description": "Optional. Default Action for Network Rule Set. Default is \"Allow\". It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, it will be set to \"Deny\" if ipRules or virtualNetworkRules are being used." - } - }, - "trustedServiceAccessEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Value that indicates whether Trusted Service Access is enabled or not. Default is \"true\". It will not be set if publicNetworkAccess is \"Disabled\"." - } - }, - "virtualNetworkRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List virtual network rules. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"." 
- } - }, - "ipRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of IpRules. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "copy": [ - { - "name": "networkRules", - "count": "[length(parameters('virtualNetworkRules'))]", - "input": { - "ignoreMissingVnetServiceEndpoint": "[if(contains(parameters('virtualNetworkRules')[copyIndex('networkRules')], 'ignoreMissingVnetServiceEndpoint'), parameters('virtualNetworkRules')[copyIndex('networkRules')].ignoreMissingVnetServiceEndpoint, null())]", - "subnet": "[if(contains(parameters('virtualNetworkRules')[copyIndex('networkRules')], 'subnetResourceId'), createObject('id', parameters('virtualNetworkRules')[copyIndex('networkRules')].subnetResourceId), null())]" - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ServiceBus/namespaces/networkRuleSets", - "apiVersion": "2022-10-01-preview", - "name": "[format('{0}/{1}', parameters('namespaceName'), 'default')]", - "properties": { - "publicNetworkAccess": "[parameters('publicNetworkAccess')]", - "defaultAction": "[if(equals(parameters('publicNetworkAccess'), 'Disabled'), null(), if(or(not(empty(parameters('ipRules'))), not(empty(parameters('virtualNetworkRules')))), 'Deny', 
parameters('defaultAction')))]", - "trustedServiceAccessEnabled": "[if(equals(parameters('publicNetworkAccess'), 'Disabled'), null(), parameters('trustedServiceAccessEnabled'))]", - "ipRules": "[if(equals(parameters('publicNetworkAccess'), 'Disabled'), null(), parameters('ipRules'))]", - "virtualNetworkRules": "[if(equals(parameters('publicNetworkAccess'), 'Disabled'), null(), variables('networkRules'))]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the network rule set." - }, - "value": "default" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the network rule set." - }, - "value": "[resourceId('Microsoft.ServiceBus/namespaces/networkRuleSets', parameters('namespaceName'), 'default')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the network rule set was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "serviceBusNamespace" - ] - }, - "serviceBusNamespace_queues": { - "copy": { - "name": "serviceBusNamespace_queues", - "count": "[length(parameters('queues'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Queue-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "namespaceName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('queues')[copyIndex()].name]" - }, - "autoDeleteOnIdle": "[if(contains(parameters('queues')[copyIndex()], 'autoDeleteOnIdle'), createObject('value', parameters('queues')[copyIndex()].autoDeleteOnIdle), createObject('value', ''))]", - "forwardDeadLetteredMessagesTo": "[if(contains(parameters('queues')[copyIndex()], 'forwardDeadLetteredMessagesTo'), createObject('value', 
parameters('queues')[copyIndex()].forwardDeadLetteredMessagesTo), createObject('value', ''))]", - "forwardTo": "[if(contains(parameters('queues')[copyIndex()], 'forwardTo'), createObject('value', parameters('queues')[copyIndex()].forwardTo), createObject('value', ''))]", - "maxMessageSizeInKilobytes": "[if(contains(parameters('queues')[copyIndex()], 'maxMessageSizeInKilobytes'), createObject('value', parameters('queues')[copyIndex()].maxMessageSizeInKilobytes), createObject('value', 1024))]", - "authorizationRules": "[if(contains(parameters('queues')[copyIndex()], 'authorizationRules'), createObject('value', parameters('queues')[copyIndex()].authorizationRules), createObject('value', createArray(createObject('name', 'RootManageSharedAccessKey', 'rights', createArray('Listen', 'Manage', 'Send')))))]", - "deadLetteringOnMessageExpiration": "[if(contains(parameters('queues')[copyIndex()], 'deadLetteringOnMessageExpiration'), createObject('value', parameters('queues')[copyIndex()].deadLetteringOnMessageExpiration), createObject('value', true()))]", - "defaultMessageTimeToLive": "[if(contains(parameters('queues')[copyIndex()], 'defaultMessageTimeToLive'), createObject('value', parameters('queues')[copyIndex()].defaultMessageTimeToLive), createObject('value', 'P14D'))]", - "duplicateDetectionHistoryTimeWindow": "[if(contains(parameters('queues')[copyIndex()], 'duplicateDetectionHistoryTimeWindow'), createObject('value', parameters('queues')[copyIndex()].duplicateDetectionHistoryTimeWindow), createObject('value', 'PT10M'))]", - "enableBatchedOperations": "[if(contains(parameters('queues')[copyIndex()], 'enableBatchedOperations'), createObject('value', parameters('queues')[copyIndex()].enableBatchedOperations), createObject('value', true()))]", - "enableExpress": "[if(contains(parameters('queues')[copyIndex()], 'enableExpress'), createObject('value', parameters('queues')[copyIndex()].enableExpress), createObject('value', false()))]", - "enablePartitioning": 
"[if(contains(parameters('queues')[copyIndex()], 'enablePartitioning'), createObject('value', parameters('queues')[copyIndex()].enablePartitioning), createObject('value', false()))]", - "lock": { - "value": "[coalesce(tryGet(parameters('queues')[copyIndex()], 'lock'), parameters('lock'))]" - }, - "lockDuration": "[if(contains(parameters('queues')[copyIndex()], 'lockDuration'), createObject('value', parameters('queues')[copyIndex()].lockDuration), createObject('value', 'PT1M'))]", - "maxDeliveryCount": "[if(contains(parameters('queues')[copyIndex()], 'maxDeliveryCount'), createObject('value', parameters('queues')[copyIndex()].maxDeliveryCount), createObject('value', 10))]", - "maxSizeInMegabytes": "[if(contains(parameters('queues')[copyIndex()], 'maxSizeInMegabytes'), createObject('value', parameters('queues')[copyIndex()].maxSizeInMegabytes), createObject('value', 1024))]", - "requiresDuplicateDetection": "[if(contains(parameters('queues')[copyIndex()], 'requiresDuplicateDetection'), createObject('value', parameters('queues')[copyIndex()].requiresDuplicateDetection), createObject('value', false()))]", - "requiresSession": "[if(contains(parameters('queues')[copyIndex()], 'requiresSession'), createObject('value', parameters('queues')[copyIndex()].requiresSession), createObject('value', false()))]", - "roleAssignments": "[if(contains(parameters('queues')[copyIndex()], 'roleAssignments'), createObject('value', parameters('queues')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "status": "[if(contains(parameters('queues')[copyIndex()], 'status'), createObject('value', parameters('queues')[copyIndex()].status), createObject('value', 'Active'))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": 
{ - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11801990742718728628" - }, - "name": "Service Bus Namespace Queue", - "description": "This module deploys a Service Bus Namespace Queue.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "namespaceName": { - "type": "string", - "minLength": 6, - "maxLength": 50, - "metadata": { - "description": "Conditional. The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "minLength": 6, - "maxLength": 50, - "metadata": { - "description": "Required. Name of the Service Bus Queue." - } - }, - "autoDeleteOnIdle": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. ISO 8061 timeSpan idle interval after which the queue is automatically deleted. The minimum duration is 5 minutes (PT5M)." - } - }, - "forwardDeadLetteredMessagesTo": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Queue/Topic name to forward the Dead Letter message." - } - }, - "forwardTo": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Queue/Topic name to forward the messages." - } - }, - "lockDuration": { - "type": "string", - "defaultValue": "PT1M", - "metadata": { - "description": "Optional. ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute." 
- } - }, - "maxSizeInMegabytes": { - "type": "int", - "defaultValue": 1024, - "metadata": { - "description": "Optional. The maximum size of the queue in megabytes, which is the size of memory allocated for the queue. Default is 1024." - } - }, - "requiresDuplicateDetection": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. A value indicating if this queue requires duplicate detection." - } - }, - "requiresSession": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. A value that indicates whether the queue supports the concept of sessions." - } - }, - "defaultMessageTimeToLive": { - "type": "string", - "defaultValue": "P14D", - "metadata": { - "description": "Optional. ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. This is the default value used when TimeToLive is not set on a message itself." - } - }, - "deadLetteringOnMessageExpiration": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. A value that indicates whether this queue has dead letter support when a message expires." - } - }, - "enableBatchedOperations": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Value that indicates whether server-side batched operations are enabled." - } - }, - "duplicateDetectionHistoryTimeWindow": { - "type": "string", - "defaultValue": "PT10M", - "metadata": { - "description": "Optional. ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. The default value is 10 minutes." - } - }, - "maxDeliveryCount": { - "type": "int", - "defaultValue": 10, - "metadata": { - "description": "Optional. The maximum delivery count. A message is automatically deadlettered after this number of deliveries. default value is 10." 
- } - }, - "maxMessageSizeInKilobytes": { - "type": "int", - "defaultValue": 1024, - "metadata": { - "description": "Optional. Maximum size (in KB) of the message payload that can be accepted by the queue. This property is only used in Premium today and default is 1024." - } - }, - "status": { - "type": "string", - "defaultValue": "Active", - "allowedValues": [ - "Active", - "Disabled", - "Restoring", - "SendDisabled", - "ReceiveDisabled", - "Creating", - "Deleting", - "Renaming", - "Unknown" - ], - "metadata": { - "description": "Optional. Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown." - } - }, - "enablePartitioning": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. A value that indicates whether the queue is to be partitioned across multiple message brokers." - } - }, - "enableExpress": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. A value that indicates whether Express Entities are enabled. An express queue holds a message in memory temporarily before writing it to persistent storage." - } - }, - "authorizationRules": { - "type": "array", - "defaultValue": [ - { - "name": "RootManageSharedAccessKey", - "properties": { - "rights": [ - "Listen", - "Manage", - "Send" - ] - } - } - ], - "metadata": { - "description": "Optional. Authorization Rules for the Service Bus Queue." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Azure Service Bus Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419')]", - "Azure Service Bus Data Receiver": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", - "Azure Service Bus Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "namespace": { - "existing": true, - "type": "Microsoft.ServiceBus/namespaces", - "apiVersion": "2022-10-01-preview", - "name": "[parameters('namespaceName')]" - }, - "queue": { - "type": "Microsoft.ServiceBus/namespaces/queues", - "apiVersion": "2022-10-01-preview", - "name": 
"[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", - "properties": { - "autoDeleteOnIdle": "[if(not(empty(parameters('autoDeleteOnIdle'))), parameters('autoDeleteOnIdle'), null())]", - "defaultMessageTimeToLive": "[parameters('defaultMessageTimeToLive')]", - "deadLetteringOnMessageExpiration": "[parameters('deadLetteringOnMessageExpiration')]", - "duplicateDetectionHistoryTimeWindow": "[parameters('duplicateDetectionHistoryTimeWindow')]", - "enableBatchedOperations": "[parameters('enableBatchedOperations')]", - "enableExpress": "[parameters('enableExpress')]", - "enablePartitioning": "[parameters('enablePartitioning')]", - "forwardDeadLetteredMessagesTo": "[if(not(empty(parameters('forwardDeadLetteredMessagesTo'))), parameters('forwardDeadLetteredMessagesTo'), null())]", - "forwardTo": "[if(not(empty(parameters('forwardTo'))), parameters('forwardTo'), null())]", - "lockDuration": "[parameters('lockDuration')]", - "maxDeliveryCount": "[parameters('maxDeliveryCount')]", - "maxMessageSizeInKilobytes": "[if(equals(reference('namespace', '2022-10-01-preview', 'full').sku.name, 'Premium'), parameters('maxMessageSizeInKilobytes'), null())]", - "maxSizeInMegabytes": "[parameters('maxSizeInMegabytes')]", - "requiresDuplicateDetection": "[parameters('requiresDuplicateDetection')]", - "requiresSession": "[parameters('requiresSession')]", - "status": "[parameters('status')]" - }, - "dependsOn": [ - "namespace" - ] - }, - "queue_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/queues/{1}', parameters('namespaceName'), parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": 
"[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "queue" - ] - }, - "queue_roleAssignments": { - "copy": { - "name": "queue_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/queues/{1}', parameters('namespaceName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.ServiceBus/namespaces/queues', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "queue" - ] - }, - "queue_authorizationRules": { - "copy": { - "name": "queue_authorizationRules", - "count": "[length(parameters('authorizationRules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AuthRule-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "namespaceName": { - "value": "[parameters('namespaceName')]" - }, - "queueName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('authorizationRules')[copyIndex()].name]" - }, - "rights": "[if(contains(parameters('authorizationRules')[copyIndex()], 'rights'), createObject('value', parameters('authorizationRules')[copyIndex()].rights), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17590031156732651952" - }, - "name": "Service Bus Namespace Queue Authorization Rules", - "description": "This module deploys a Service Bus Namespace Queue Authorization Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. 
The name of the service bus namepace queue." - } - }, - "namespaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Service Bus Namespace. Required if the template is used in a standalone deployment." - } - }, - "queueName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Service Bus Namespace Queue. Required if the template is used in a standalone deployment." - } - }, - "rights": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "Listen", - "Manage", - "Send" - ], - "metadata": { - "description": "Optional. The rights associated with the rule." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ServiceBus/namespaces/queues/authorizationRules", - "apiVersion": "2022-10-01-preview", - "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('queueName'), parameters('name'))]", - "properties": { - "rights": "[parameters('rights')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the authorization rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The Resource ID of the authorization rule." 
- }, - "value": "[resourceId('Microsoft.ServiceBus/namespaces/queues/authorizationRules', parameters('namespaceName'), parameters('queueName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the authorization rule was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "queue" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed queue." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed queue." - }, - "value": "[resourceId('Microsoft.ServiceBus/namespaces/queues', parameters('namespaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed queue." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "serviceBusNamespace" - ] - }, - "serviceBusNamespace_topics": { - "copy": { - "name": "serviceBusNamespace_topics", - "count": "[length(parameters('topics'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Topic-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "namespaceName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('topics')[copyIndex()].name]" - }, - "authorizationRules": "[if(contains(parameters('topics')[copyIndex()], 'authorizationRules'), createObject('value', parameters('topics')[copyIndex()].authorizationRules), createObject('value', createArray(createObject('name', 'RootManageSharedAccessKey', 'rights', createArray('Listen', 'Manage', 'Send')))))]", - "autoDeleteOnIdle": 
"[if(contains(parameters('topics')[copyIndex()], 'autoDeleteOnIdle'), createObject('value', parameters('topics')[copyIndex()].autoDeleteOnIdle), createObject('value', 'PT5M'))]", - "defaultMessageTimeToLive": "[if(contains(parameters('topics')[copyIndex()], 'defaultMessageTimeToLive'), createObject('value', parameters('topics')[copyIndex()].defaultMessageTimeToLive), createObject('value', 'P14D'))]", - "duplicateDetectionHistoryTimeWindow": "[if(contains(parameters('topics')[copyIndex()], 'duplicateDetectionHistoryTimeWindow'), createObject('value', parameters('topics')[copyIndex()].duplicateDetectionHistoryTimeWindow), createObject('value', 'PT10M'))]", - "enableBatchedOperations": "[if(contains(parameters('topics')[copyIndex()], 'enableBatchedOperations'), createObject('value', parameters('topics')[copyIndex()].enableBatchedOperations), createObject('value', true()))]", - "enableExpress": "[if(contains(parameters('topics')[copyIndex()], 'enableExpress'), createObject('value', parameters('topics')[copyIndex()].enableExpress), createObject('value', false()))]", - "enablePartitioning": "[if(contains(parameters('topics')[copyIndex()], 'enablePartitioning'), createObject('value', parameters('topics')[copyIndex()].enablePartitioning), createObject('value', false()))]", - "lock": { - "value": "[coalesce(tryGet(parameters('topics')[copyIndex()], 'lock'), parameters('lock'))]" - }, - "maxMessageSizeInKilobytes": "[if(contains(parameters('topics')[copyIndex()], 'maxMessageSizeInKilobytes'), createObject('value', parameters('topics')[copyIndex()].maxMessageSizeInKilobytes), createObject('value', 1024))]", - "maxSizeInMegabytes": "[if(contains(parameters('topics')[copyIndex()], 'maxSizeInMegabytes'), createObject('value', parameters('topics')[copyIndex()].maxSizeInMegabytes), createObject('value', 1024))]", - "requiresDuplicateDetection": "[if(contains(parameters('topics')[copyIndex()], 'requiresDuplicateDetection'), createObject('value', 
parameters('topics')[copyIndex()].requiresDuplicateDetection), createObject('value', false()))]", - "roleAssignments": "[if(contains(parameters('topics')[copyIndex()], 'roleAssignments'), createObject('value', parameters('topics')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "status": "[if(contains(parameters('topics')[copyIndex()], 'status'), createObject('value', parameters('topics')[copyIndex()].status), createObject('value', 'Active'))]", - "supportOrdering": "[if(contains(parameters('topics')[copyIndex()], 'supportOrdering'), createObject('value', parameters('topics')[copyIndex()].supportOrdering), createObject('value', false()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15417348357364247690" - }, - "name": "Service Bus Namespace Topic", - "description": "This module deploys a Service Bus Namespace Topic.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "namespaceName": { - "type": "string", - "minLength": 6, - "maxLength": 50, - "metadata": { - "description": "Conditional. The name of the parent Service Bus Namespace for the Service Bus Topic. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "minLength": 6, - "maxLength": 50, - "metadata": { - "description": "Required. 
Name of the Service Bus Topic." - } - }, - "maxSizeInMegabytes": { - "type": "int", - "defaultValue": 1024, - "metadata": { - "description": "Optional. The maximum size of the topic in megabytes, which is the size of memory allocated for the topic. Default is 1024." - } - }, - "requiresDuplicateDetection": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. A value indicating if this topic requires duplicate detection." - } - }, - "defaultMessageTimeToLive": { - "type": "string", - "defaultValue": "P14D", - "metadata": { - "description": "Optional. ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. This is the default value used when TimeToLive is not set on a message itself." - } - }, - "enableBatchedOperations": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Value that indicates whether server-side batched operations are enabled." - } - }, - "duplicateDetectionHistoryTimeWindow": { - "type": "string", - "defaultValue": "PT10M", - "metadata": { - "description": "Optional. ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. The default value is 10 minutes." - } - }, - "maxMessageSizeInKilobytes": { - "type": "int", - "defaultValue": 1024, - "metadata": { - "description": "Optional. Maximum size (in KB) of the message payload that can be accepted by the topic. This property is only used in Premium today and default is 1024." - } - }, - "supportOrdering": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Value that indicates whether the topic supports ordering." - } - }, - "autoDeleteOnIdle": { - "type": "string", - "defaultValue": "PT5M", - "metadata": { - "description": "Optional. ISO 8601 timespan idle interval after which the topic is automatically deleted. The minimum duration is 5 minutes." 
- } - }, - "status": { - "type": "string", - "defaultValue": "Active", - "allowedValues": [ - "Active", - "Disabled", - "Restoring", - "SendDisabled", - "ReceiveDisabled", - "Creating", - "Deleting", - "Renaming", - "Unknown" - ], - "metadata": { - "description": "Optional. Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown." - } - }, - "enablePartitioning": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. A value that indicates whether the topic is to be partitioned across multiple message brokers." - } - }, - "enableExpress": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. A value that indicates whether Express Entities are enabled. An express topic holds a message in memory temporarily before writing it to persistent storage." - } - }, - "authorizationRules": { - "type": "array", - "defaultValue": [ - { - "name": "RootManageSharedAccessKey", - "properties": { - "rights": [ - "Listen", - "Manage", - "Send" - ] - } - } - ], - "metadata": { - "description": "Optional. Authorization Rules for the Service Bus Topic." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Azure Service Bus Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419')]", - "Azure Service Bus Data Receiver": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", - "Azure Service Bus Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "namespace": { - "existing": true, - "type": "Microsoft.ServiceBus/namespaces", - "apiVersion": "2022-10-01-preview", - "name": "[parameters('namespaceName')]" - }, - "topic": { - "type": "Microsoft.ServiceBus/namespaces/topics", - "apiVersion": "2022-10-01-preview", - "name": 
"[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", - "properties": { - "autoDeleteOnIdle": "[parameters('autoDeleteOnIdle')]", - "defaultMessageTimeToLive": "[parameters('defaultMessageTimeToLive')]", - "duplicateDetectionHistoryTimeWindow": "[parameters('duplicateDetectionHistoryTimeWindow')]", - "enableBatchedOperations": "[parameters('enableBatchedOperations')]", - "enableExpress": "[parameters('enableExpress')]", - "enablePartitioning": "[parameters('enablePartitioning')]", - "maxMessageSizeInKilobytes": "[parameters('maxMessageSizeInKilobytes')]", - "maxSizeInMegabytes": "[parameters('maxSizeInMegabytes')]", - "requiresDuplicateDetection": "[parameters('requiresDuplicateDetection')]", - "status": "[parameters('status')]", - "supportOrdering": "[parameters('supportOrdering')]" - }, - "dependsOn": [ - "namespace" - ] - }, - "topic_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/topics/{1}', parameters('namespaceName'), parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "topic" - ] - }, - "topic_roleAssignments": { - "copy": { - "name": "topic_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/topics/{1}', parameters('namespaceName'), parameters('name'))]", - "name": 
"[guid(resourceId('Microsoft.ServiceBus/namespaces/topics', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "topic" - ] - }, - "topic_authorizationRules": { - "copy": { - "name": "topic_authorizationRules", - "count": 
"[length(parameters('authorizationRules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AuthRule-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "namespaceName": { - "value": "[parameters('namespaceName')]" - }, - "topicName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('authorizationRules')[copyIndex()].name]" - }, - "rights": "[if(contains(parameters('authorizationRules')[copyIndex()], 'rights'), createObject('value', parameters('authorizationRules')[copyIndex()].rights), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "1333107238814449885" - }, - "name": "Service Bus Namespace Topic Authorization Rules", - "description": "This module deploys a Service Bus Namespace Topic Authorization Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the service bus namespace topic." - } - }, - "namespaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Service Bus Namespace. Required if the template is used in a standalone deployment." - } - }, - "topicName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Service Bus Namespace Topic. Required if the template is used in a standalone deployment." 
- } - }, - "rights": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "Listen", - "Manage", - "Send" - ], - "metadata": { - "description": "Optional. The rights associated with the rule." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ServiceBus/namespaces/topics/authorizationRules", - "apiVersion": "2022-10-01-preview", - "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('topicName'), parameters('name'))]", - "properties": { - "rights": "[parameters('rights')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the authorization rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The Resource ID of the authorization rule." - }, - "value": "[resourceId('Microsoft.ServiceBus/namespaces/topics/authorizationRules', parameters('namespaceName'), parameters('topicName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the authorization rule was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "topic" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed topic." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed topic." - }, - "value": "[resourceId('Microsoft.ServiceBus/namespaces/topics', parameters('namespaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed topic." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "serviceBusNamespace" - ] - }, - "serviceBusNamespace_privateEndpoints": { - "copy": { - "name": "serviceBusNamespace_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-serviceBusNamespace-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'namespace')]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.ServiceBus/namespaces', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'namespace'), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.ServiceBus/namespaces', parameters('name'))]" - }, - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), 
variables('enableReferencedModulesTelemetry'))]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." 
- } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." 
- } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } 
- }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - "groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": 
"privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": 
"Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "serviceBusNamespace" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed service bus namespace." - }, - "value": "[resourceId('Microsoft.ServiceBus/namespaces', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed service bus namespace." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed service bus namespace." - }, - "value": "[parameters('name')]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." 
- }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('serviceBusNamespace', '2022-10-01-preview', 'full').identity, 'principalId')), reference('serviceBusNamespace', '2022-10-01-preview', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('serviceBusNamespace', '2022-10-01-preview', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/service-bus/namespace/migration-configuration/README.md b/modules/service-bus/namespace/migration-configuration/README.md deleted file mode 100644 index 32ce1391b2..0000000000 --- a/modules/service-bus/namespace/migration-configuration/README.md +++ /dev/null 
@@ -1,79 +0,0 @@ -# Service Bus Namespace Migration Configuration `[Microsoft.ServiceBus/namespaces/migrationConfigurations]` - -This module deploys a Service Bus Namespace Migration Configuration. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.ServiceBus/namespaces/migrationConfigurations` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/migrationConfigurations) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`postMigrationName`](#parameter-postmigrationname) | string | Name to access Standard Namespace after migration. | -| [`targetNamespaceResourceId`](#parameter-targetnamespaceresourceid) | string | Existing premium Namespace resource ID which has no entities, will be used for migration. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`namespaceName`](#parameter-namespacename) | string | The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | - -### Parameter: `postMigrationName` - -Name to access Standard Namespace after migration. - -- Required: Yes -- Type: string - -### Parameter: `targetNamespaceResourceId` - -Existing premium Namespace resource ID which has no entities, will be used for migration. - -- Required: Yes -- Type: string - -### Parameter: `namespaceName` - -The name of the parent Service Bus Namespace for the Service Bus Queue. 
Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the migration configuration. | -| `resourceGroupName` | string | The name of the Resource Group the migration configuration was created in. | -| `resourceId` | string | The Resource ID of the migration configuration. | - -## Cross-referenced modules - -_None_ diff --git a/modules/service-bus/namespace/migration-configuration/main.bicep b/modules/service-bus/namespace/migration-configuration/main.bicep deleted file mode 100644 index 1d7ed788cb..0000000000 --- a/modules/service-bus/namespace/migration-configuration/main.bicep +++ /dev/null 
@@ -1,51 +0,0 @@
-metadata name = 'Service Bus Namespace Migration Configuration'
-metadata description = 'This module deploys a Service Bus Namespace Migration Configuration.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment.')
-@minLength(6)
-@maxLength(50)
-param namespaceName string
-
-@description('Required. Name to access Standard Namespace after migration.')
-param postMigrationName string
-
-@description('Required. Existing premium Namespace resource ID which has no entities, will be used for migration.')
-param targetNamespaceResourceId string
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource namespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = {
- name: namespaceName
-}
-
-resource migrationConfiguration 'Microsoft.ServiceBus/namespaces/migrationConfigurations@2022-10-01-preview' = {
- name: '$default'
- parent: namespace
- properties: {
- targetNamespace: targetNamespaceResourceId
- postMigrationName: postMigrationName
- }
-}
-
-@description('The name of the migration configuration.')
-output name string = migrationConfiguration.name
-
-@description('The Resource ID of the migration configuration.')
-output resourceId string = migrationConfiguration.id
-
-@description('The name of the Resource Group the migration configuration was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/service-bus/namespace/migration-configuration/main.json b/modules/service-bus/namespace/migration-configuration/main.json
deleted file mode 100644
index 32da98e44c..0000000000
--- a/modules/service-bus/namespace/migration-configuration/main.json
+++ /dev/null
@@ -1,91 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5089878909119216074" - }, - "name": "Service Bus Namespace Migration Configuration", - "description": "This module deploys a Service Bus Namespace Migration Configuration.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "namespaceName": { - "type": "string", - "minLength": 6, - "maxLength": 50, - "metadata": { - "description": "Conditional. The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment." - } - }, - "postMigrationName": { - "type": "string", - "metadata": { - "description": "Required. Name to access Standard Namespace after migration." - } - }, - "targetNamespaceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Existing premium Namespace resource ID which has no entities, will be used for migration." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ServiceBus/namespaces/migrationConfigurations", - "apiVersion": "2022-10-01-preview", - "name": "[format('{0}/{1}', parameters('namespaceName'), '$default')]", - "properties": { - "targetNamespace": "[parameters('targetNamespaceResourceId')]", - "postMigrationName": "[parameters('postMigrationName')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the migration configuration." - }, - "value": "$default" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The Resource ID of the migration configuration." - }, - "value": "[resourceId('Microsoft.ServiceBus/namespaces/migrationConfigurations', parameters('namespaceName'), '$default')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the migration configuration was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/service-bus/namespace/migration-configuration/version.json b/modules/service-bus/namespace/migration-configuration/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/service-bus/namespace/migration-configuration/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/service-bus/namespace/network-rule-set/README.md b/modules/service-bus/namespace/network-rule-set/README.md
deleted file mode 100644
index 18214d606d..0000000000
--- a/modules/service-bus/namespace/network-rule-set/README.md
+++ /dev/null
@@ -1,117 +0,0 @@ -# Service Bus Namespace Network Rule Sets `[Microsoft.ServiceBus/namespaces/networkRuleSets]` - -This module deploys a ServiceBus Namespace Network Rule Set. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.ServiceBus/namespaces/networkRuleSets` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/networkRuleSets) | - -## Parameters - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`namespaceName`](#parameter-namespacename) | string | The name of the parent Service Bus Namespace for the Service Bus Network Rule Set. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`defaultAction`](#parameter-defaultaction) | string | Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`ipRules`](#parameter-iprules) | array | List of IpRules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". | -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied. 
| -| [`trustedServiceAccessEnabled`](#parameter-trustedserviceaccessenabled) | bool | Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled". | -| [`virtualNetworkRules`](#parameter-virtualnetworkrules) | array | List virtual network rules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". | - -### Parameter: `namespaceName` - -The name of the parent Service Bus Namespace for the Service Bus Network Rule Set. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `defaultAction` - -Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used. - -- Required: No -- Type: string -- Default: `'Allow'` -- Allowed: - ```Bicep - [ - 'Allow' - 'Deny' - ] - ``` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `ipRules` - -List of IpRules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `publicNetworkAccess` - -This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied. - -- Required: No -- Type: string -- Default: `'Enabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `trustedServiceAccessEnabled` - -Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled". 
- -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `virtualNetworkRules` - -List virtual network rules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". - -- Required: No -- Type: array -- Default: `[]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the network rule set. | -| `resourceGroupName` | string | The name of the resource group the network rule set was created in. | -| `resourceId` | string | The resource ID of the network rule set. | - -## Cross-referenced modules - -_None_ diff --git a/modules/service-bus/namespace/network-rule-set/main.bicep b/modules/service-bus/namespace/network-rule-set/main.bicep deleted file mode 100644 index f15d24ad9e..0000000000 --- a/modules/service-bus/namespace/network-rule-set/main.bicep +++ /dev/null 
@@ -1,78 +0,0 @@
-metadata name = 'Service Bus Namespace Network Rule Sets'
-metadata description = 'This module deploys a ServiceBus Namespace Network Rule Set.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Service Bus Namespace for the Service Bus Network Rule Set. Required if the template is used in a standalone deployment.')
-@minLength(6)
-@maxLength(50)
-param namespaceName string
-
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-@description('Optional. This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied.')
-param publicNetworkAccess string = 'Enabled'
-
-@allowed([
- 'Allow'
- 'Deny'
-])
-@description('Optional. Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used.')
-param defaultAction string = 'Allow'
-
-@description('Optional. Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled".')
-param trustedServiceAccessEnabled bool = true
-
-@description('Optional. List virtual network rules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny".')
-param virtualNetworkRules array = []
-
-@description('Optional. List of IpRules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny".')
-param ipRules array = []
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var networkRules = [for (virtualNetworkRule, index) in virtualNetworkRules: {
- ignoreMissingVnetServiceEndpoint: contains(virtualNetworkRule, 'ignoreMissingVnetServiceEndpoint') ? virtualNetworkRule.ignoreMissingVnetServiceEndpoint : null
- subnet: contains(virtualNetworkRule, 'subnetResourceId') ? {
- id: virtualNetworkRule.subnetResourceId
- } : null
-}]
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource namespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = {
- name: namespaceName
-}
-
-resource networkRuleSet 'Microsoft.ServiceBus/namespaces/networkRuleSets@2022-10-01-preview' = {
- name: 'default'
- parent: namespace
- properties: {
- publicNetworkAccess: publicNetworkAccess
- defaultAction: publicNetworkAccess == 'Disabled' ? null : (!empty(ipRules) || !empty(virtualNetworkRules) ? 'Deny' : defaultAction)
- trustedServiceAccessEnabled: publicNetworkAccess == 'Disabled' ? null : trustedServiceAccessEnabled
- ipRules: publicNetworkAccess == 'Disabled' ? null : ipRules
- virtualNetworkRules: publicNetworkAccess == 'Disabled' ? null : networkRules
- }
-}
-
-@description('The name of the network rule set.')
-output name string = networkRuleSet.name
-
-@description('The resource ID of the network rule set.')
-output resourceId string = networkRuleSet.id
-
-@description('The name of the resource group the network rule set was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/service-bus/namespace/network-rule-set/main.json b/modules/service-bus/namespace/network-rule-set/main.json
deleted file mode 100644
index 1cf1be124a..0000000000
--- a/modules/service-bus/namespace/network-rule-set/main.json
+++ /dev/null
@@ -1,137 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13436940198974346018" - }, - "name": "Service Bus Namespace Network Rule Sets", - "description": "This module deploys a ServiceBus Namespace Network Rule Set.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "namespaceName": { - "type": "string", - "minLength": 6, - "maxLength": 50, - "metadata": { - "description": "Conditional. The name of the parent Service Bus Namespace for the Service Bus Network Rule Set. Required if the template is used in a standalone deployment." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. This determines if traffic is allowed over public network. Default is \"Enabled\". If set to \"Disabled\", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied." - } - }, - "defaultAction": { - "type": "string", - "defaultValue": "Allow", - "allowedValues": [ - "Allow", - "Deny" - ], - "metadata": { - "description": "Optional. Default Action for Network Rule Set. Default is \"Allow\". It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, it will be set to \"Deny\" if ipRules or virtualNetworkRules are being used." - } - }, - "trustedServiceAccessEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Value that indicates whether Trusted Service Access is enabled or not. Default is \"true\". It will not be set if publicNetworkAccess is \"Disabled\"." - } - }, - "virtualNetworkRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List virtual network rules. 
It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"." - } - }, - "ipRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of IpRules. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "copy": [ - { - "name": "networkRules", - "count": "[length(parameters('virtualNetworkRules'))]", - "input": { - "ignoreMissingVnetServiceEndpoint": "[if(contains(parameters('virtualNetworkRules')[copyIndex('networkRules')], 'ignoreMissingVnetServiceEndpoint'), parameters('virtualNetworkRules')[copyIndex('networkRules')].ignoreMissingVnetServiceEndpoint, null())]", - "subnet": "[if(contains(parameters('virtualNetworkRules')[copyIndex('networkRules')], 'subnetResourceId'), createObject('id', parameters('virtualNetworkRules')[copyIndex('networkRules')].subnetResourceId), null())]" - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ServiceBus/namespaces/networkRuleSets", - "apiVersion": "2022-10-01-preview", - "name": "[format('{0}/{1}', parameters('namespaceName'), 'default')]", - "properties": { - "publicNetworkAccess": "[parameters('publicNetworkAccess')]", - "defaultAction": "[if(equals(parameters('publicNetworkAccess'), 'Disabled'), 
null(), if(or(not(empty(parameters('ipRules'))), not(empty(parameters('virtualNetworkRules')))), 'Deny', parameters('defaultAction')))]", - "trustedServiceAccessEnabled": "[if(equals(parameters('publicNetworkAccess'), 'Disabled'), null(), parameters('trustedServiceAccessEnabled'))]", - "ipRules": "[if(equals(parameters('publicNetworkAccess'), 'Disabled'), null(), parameters('ipRules'))]", - "virtualNetworkRules": "[if(equals(parameters('publicNetworkAccess'), 'Disabled'), null(), variables('networkRules'))]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the network rule set." - }, - "value": "default" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the network rule set." - }, - "value": "[resourceId('Microsoft.ServiceBus/namespaces/networkRuleSets', parameters('namespaceName'), 'default')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the network rule set was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/service-bus/namespace/network-rule-set/version.json b/modules/service-bus/namespace/network-rule-set/version.json deleted file mode 100644 index 9481fea58e..0000000000 --- a/modules/service-bus/namespace/network-rule-set/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.2", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/service-bus/namespace/queue/README.md b/modules/service-bus/namespace/queue/README.md deleted file mode 100644 index f9c6d2da7a..0000000000 --- a/modules/service-bus/namespace/queue/README.md +++ /dev/null 
@@ -1,382 +0,0 @@ -# Service Bus Namespace Queue `[Microsoft.ServiceBus/namespaces/queues]` - -This module deploys a Service Bus Namespace Queue. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.ServiceBus/namespaces/queues` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/queues) | -| `Microsoft.ServiceBus/namespaces/queues/authorizationRules` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/queues/authorizationRules) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Service Bus Queue. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`namespaceName`](#parameter-namespacename) | string | The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`authorizationRules`](#parameter-authorizationrules) | array | Authorization Rules for the Service Bus Queue. | -| [`autoDeleteOnIdle`](#parameter-autodeleteonidle) | string | ISO 8061 timeSpan idle interval after which the queue is automatically deleted. The minimum duration is 5 minutes (PT5M). 
| -| [`deadLetteringOnMessageExpiration`](#parameter-deadletteringonmessageexpiration) | bool | A value that indicates whether this queue has dead letter support when a message expires. | -| [`defaultMessageTimeToLive`](#parameter-defaultmessagetimetolive) | string | ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. This is the default value used when TimeToLive is not set on a message itself. | -| [`duplicateDetectionHistoryTimeWindow`](#parameter-duplicatedetectionhistorytimewindow) | string | ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. The default value is 10 minutes. | -| [`enableBatchedOperations`](#parameter-enablebatchedoperations) | bool | Value that indicates whether server-side batched operations are enabled. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`enableExpress`](#parameter-enableexpress) | bool | A value that indicates whether Express Entities are enabled. An express queue holds a message in memory temporarily before writing it to persistent storage. | -| [`enablePartitioning`](#parameter-enablepartitioning) | bool | A value that indicates whether the queue is to be partitioned across multiple message brokers. | -| [`forwardDeadLetteredMessagesTo`](#parameter-forwarddeadletteredmessagesto) | string | Queue/Topic name to forward the Dead Letter message. | -| [`forwardTo`](#parameter-forwardto) | string | Queue/Topic name to forward the messages. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`lockDuration`](#parameter-lockduration) | string | ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute. 
| -| [`maxDeliveryCount`](#parameter-maxdeliverycount) | int | The maximum delivery count. A message is automatically deadlettered after this number of deliveries. default value is 10. | -| [`maxMessageSizeInKilobytes`](#parameter-maxmessagesizeinkilobytes) | int | Maximum size (in KB) of the message payload that can be accepted by the queue. This property is only used in Premium today and default is 1024. | -| [`maxSizeInMegabytes`](#parameter-maxsizeinmegabytes) | int | The maximum size of the queue in megabytes, which is the size of memory allocated for the queue. Default is 1024. | -| [`requiresDuplicateDetection`](#parameter-requiresduplicatedetection) | bool | A value indicating if this queue requires duplicate detection. | -| [`requiresSession`](#parameter-requiressession) | bool | A value that indicates whether the queue supports the concept of sessions. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`status`](#parameter-status) | string | Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown. | - -### Parameter: `name` - -Name of the Service Bus Queue. - -- Required: Yes -- Type: string - -### Parameter: `namespaceName` - -The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `authorizationRules` - -Authorization Rules for the Service Bus Queue. - -- Required: No -- Type: array -- Default: - ```Bicep - [ - { - name: 'RootManageSharedAccessKey' - properties: { - rights: [ - 'Listen' - 'Manage' - 'Send' - ] - } - } - ] - ``` - -### Parameter: `autoDeleteOnIdle` - -ISO 8061 timeSpan idle interval after which the queue is automatically deleted. The minimum duration is 5 minutes (PT5M). 
- -- Required: No -- Type: string -- Default: `''` - -### Parameter: `deadLetteringOnMessageExpiration` - -A value that indicates whether this queue has dead letter support when a message expires. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `defaultMessageTimeToLive` - -ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. This is the default value used when TimeToLive is not set on a message itself. - -- Required: No -- Type: string -- Default: `'P14D'` - -### Parameter: `duplicateDetectionHistoryTimeWindow` - -ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. The default value is 10 minutes. - -- Required: No -- Type: string -- Default: `'PT10M'` - -### Parameter: `enableBatchedOperations` - -Value that indicates whether server-side batched operations are enabled. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableExpress` - -A value that indicates whether Express Entities are enabled. An express queue holds a message in memory temporarily before writing it to persistent storage. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enablePartitioning` - -A value that indicates whether the queue is to be partitioned across multiple message brokers. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `forwardDeadLetteredMessagesTo` - -Queue/Topic name to forward the Dead Letter message. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `forwardTo` - -Queue/Topic name to forward the messages. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `lock` - -The lock settings of the service. 
- -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `lockDuration` - -ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute. - -- Required: No -- Type: string -- Default: `'PT1M'` - -### Parameter: `maxDeliveryCount` - -The maximum delivery count. A message is automatically deadlettered after this number of deliveries. default value is 10. - -- Required: No -- Type: int -- Default: `10` - -### Parameter: `maxMessageSizeInKilobytes` - -Maximum size (in KB) of the message payload that can be accepted by the queue. This property is only used in Premium today and default is 1024. - -- Required: No -- Type: int -- Default: `1024` - -### Parameter: `maxSizeInMegabytes` - -The maximum size of the queue in megabytes, which is the size of memory allocated for the queue. Default is 1024. - -- Required: No -- Type: int -- Default: `1024` - -### Parameter: `requiresDuplicateDetection` - -A value indicating if this queue requires duplicate detection. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `requiresSession` - -A value that indicates whether the queue supports the concept of sessions. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `roleAssignments` - -Array of role assignments to create. 
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
- -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `status` - -Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown. - -- Required: No -- Type: string -- Default: `'Active'` -- Allowed: - ```Bicep - [ - 'Active' - 'Creating' - 'Deleting' - 'Disabled' - 'ReceiveDisabled' - 'Renaming' - 'Restoring' - 'SendDisabled' - 'Unknown' - ] - ``` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed queue. | -| `resourceGroupName` | string | The resource group of the deployed queue. | -| `resourceId` | string | The resource ID of the deployed queue. | - -## Cross-referenced modules - -_None_ diff --git a/modules/service-bus/namespace/queue/authorization-rule/README.md b/modules/service-bus/namespace/queue/authorization-rule/README.md deleted file mode 100644 index 85306aedc9..0000000000 
--- a/modules/service-bus/namespace/queue/authorization-rule/README.md
+++ /dev/null
@@ -1,96 +0,0 @@ -# Service Bus Namespace Queue Authorization Rules `[Microsoft.ServiceBus/namespaces/queues/authorizationRules]` - -This module deploys a Service Bus Namespace Queue Authorization Rule. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.ServiceBus/namespaces/queues/authorizationRules` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/queues/authorizationRules) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the service bus namepace queue. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`namespaceName`](#parameter-namespacename) | string | The name of the parent Service Bus Namespace. Required if the template is used in a standalone deployment. | -| [`queueName`](#parameter-queuename) | string | The name of the parent Service Bus Namespace Queue. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`rights`](#parameter-rights) | array | The rights associated with the rule. | - -### Parameter: `name` - -The name of the service bus namepace queue. - -- Required: Yes -- Type: string - -### Parameter: `namespaceName` - -The name of the parent Service Bus Namespace. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `queueName` - -The name of the parent Service Bus Namespace Queue. Required if the template is used in a standalone deployment. 
- -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `rights` - -The rights associated with the rule. - -- Required: No -- Type: array -- Default: `[]` -- Allowed: - ```Bicep - [ - 'Listen' - 'Manage' - 'Send' - ] - ``` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the authorization rule. | -| `resourceGroupName` | string | The name of the Resource Group the authorization rule was created in. | -| `resourceId` | string | The Resource ID of the authorization rule. | - -## Cross-referenced modules - -_None_ diff --git a/modules/service-bus/namespace/queue/authorization-rule/main.bicep b/modules/service-bus/namespace/queue/authorization-rule/main.bicep deleted file mode 100644 index 1c246c1650..0000000000 --- a/modules/service-bus/namespace/queue/authorization-rule/main.bicep +++ /dev/null 
@@ -1,60 +0,0 @@
-metadata name = 'Service Bus Namespace Queue Authorization Rules'
-metadata description = 'This module deploys a Service Bus Namespace Queue Authorization Rule.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the service bus namepace queue.')
-param name string
-
-@description('Conditional. The name of the parent Service Bus Namespace. Required if the template is used in a standalone deployment.')
-param namespaceName string
-
-@description('Conditional. The name of the parent Service Bus Namespace Queue. Required if the template is used in a standalone deployment.')
-param queueName string
-
-@description('Optional. The rights associated with the rule.')
-@allowed([
- 'Listen'
- 'Manage'
- 'Send'
-])
-param rights array = []
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource namespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = {
- name: namespaceName
-
- resource queue 'queues@2022-10-01-preview' existing = {
- name: queueName
- }
-}
-
-resource authorizationRule 'Microsoft.ServiceBus/namespaces/queues/authorizationRules@2022-10-01-preview' = {
- name: name
- parent: namespace::queue
- properties: {
- rights: rights
- }
-}
-
-@description('The name of the authorization rule.')
-output name string = authorizationRule.name
-
-@description('The Resource ID of the authorization rule.')
-output resourceId string = authorizationRule.id
-
-@description('The name of the Resource Group the authorization rule was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/service-bus/namespace/queue/authorization-rule/main.json b/modules/service-bus/namespace/queue/authorization-rule/main.json
deleted file mode 100644
index 4692fdcec7..0000000000
--- a/modules/service-bus/namespace/queue/authorization-rule/main.json
+++ /dev/null
@@ -1,100 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17590031156732651952" - }, - "name": "Service Bus Namespace Queue Authorization Rules", - "description": "This module deploys a Service Bus Namespace Queue Authorization Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the service bus namepace queue." - } - }, - "namespaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Service Bus Namespace. Required if the template is used in a standalone deployment." - } - }, - "queueName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Service Bus Namespace Queue. Required if the template is used in a standalone deployment." - } - }, - "rights": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "Listen", - "Manage", - "Send" - ], - "metadata": { - "description": "Optional. The rights associated with the rule." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ServiceBus/namespaces/queues/authorizationRules", - "apiVersion": "2022-10-01-preview", - "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('queueName'), parameters('name'))]", - "properties": { - "rights": "[parameters('rights')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the authorization rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The Resource ID of the authorization rule." - }, - "value": "[resourceId('Microsoft.ServiceBus/namespaces/queues/authorizationRules', parameters('namespaceName'), parameters('queueName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the authorization rule was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/service-bus/namespace/queue/authorization-rule/version.json b/modules/service-bus/namespace/queue/authorization-rule/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/service-bus/namespace/queue/authorization-rule/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/service-bus/namespace/queue/main.bicep b/modules/service-bus/namespace/queue/main.bicep
deleted file mode 100644
index 2f111f109e..0000000000
--- a/modules/service-bus/namespace/queue/main.bicep
+++ /dev/null
@@ -1,225 +0,0 @@ -metadata name = 'Service Bus Namespace Queue' -metadata description = 'This module deploys a Service Bus Namespace Queue.' -metadata owner = 'Azure/module-maintainers' - -@description('Conditional. The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment.') -@minLength(6) -@maxLength(50) -param namespaceName string - -@description('Required. Name of the Service Bus Queue.') -@minLength(6) -@maxLength(50) -param name string - -@description('Optional. ISO 8061 timeSpan idle interval after which the queue is automatically deleted. The minimum duration is 5 minutes (PT5M).') -param autoDeleteOnIdle string = '' - -@description('Optional. Queue/Topic name to forward the Dead Letter message.') -param forwardDeadLetteredMessagesTo string = '' - -@description('Optional. Queue/Topic name to forward the messages.') -param forwardTo string = '' - -@description('Optional. ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute.') -param lockDuration string = 'PT1M' - -@description('Optional. The maximum size of the queue in megabytes, which is the size of memory allocated for the queue. Default is 1024.') -param maxSizeInMegabytes int = 1024 - -@description('Optional. A value indicating if this queue requires duplicate detection.') -param requiresDuplicateDetection bool = false - -@description('Optional. A value that indicates whether the queue supports the concept of sessions.') -param requiresSession bool = false - -@description('Optional. ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. 
This is the default value used when TimeToLive is not set on a message itself.') -param defaultMessageTimeToLive string = 'P14D' - -@description('Optional. A value that indicates whether this queue has dead letter support when a message expires.') -param deadLetteringOnMessageExpiration bool = true - -@description('Optional. Value that indicates whether server-side batched operations are enabled.') -param enableBatchedOperations bool = true - -@description('Optional. ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. The default value is 10 minutes.') -param duplicateDetectionHistoryTimeWindow string = 'PT10M' - -@description('Optional. The maximum delivery count. A message is automatically deadlettered after this number of deliveries. default value is 10.') -param maxDeliveryCount int = 10 - -@description('Optional. Maximum size (in KB) of the message payload that can be accepted by the queue. This property is only used in Premium today and default is 1024.') -param maxMessageSizeInKilobytes int = 1024 - -@description('Optional. Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown.') -@allowed([ - 'Active' - 'Disabled' - 'Restoring' - 'SendDisabled' - 'ReceiveDisabled' - 'Creating' - 'Deleting' - 'Renaming' - 'Unknown' -]) -param status string = 'Active' - -@description('Optional. A value that indicates whether the queue is to be partitioned across multiple message brokers.') -param enablePartitioning bool = false - -@description('Optional. A value that indicates whether Express Entities are enabled. An express queue holds a message in memory temporarily before writing it to persistent storage.') -param enableExpress bool = false - -@description('Optional. 
Authorization Rules for the Service Bus Queue.') -param authorizationRules array = [ - { - name: 'RootManageSharedAccessKey' - properties: { - rights: [ - 'Listen' - 'Manage' - 'Send' - ] - } - } -] - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var enableReferencedModulesTelemetry = false - -var builtInRoleNames = { - 'Azure Service Bus Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419') - 'Azure Service Bus Data Receiver': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0') - 'Azure Service Bus Data Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 
'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource namespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = { - name: namespaceName -} - -resource queue 'Microsoft.ServiceBus/namespaces/queues@2022-10-01-preview' = { - name: name - parent: namespace - properties: { - autoDeleteOnIdle: !empty(autoDeleteOnIdle) ? autoDeleteOnIdle : null - defaultMessageTimeToLive: defaultMessageTimeToLive - deadLetteringOnMessageExpiration: deadLetteringOnMessageExpiration - duplicateDetectionHistoryTimeWindow: duplicateDetectionHistoryTimeWindow - enableBatchedOperations: enableBatchedOperations - enableExpress: enableExpress - enablePartitioning: enablePartitioning - forwardDeadLetteredMessagesTo: !empty(forwardDeadLetteredMessagesTo) ? forwardDeadLetteredMessagesTo : null - forwardTo: !empty(forwardTo) ? forwardTo : null - lockDuration: lockDuration - maxDeliveryCount: maxDeliveryCount - maxMessageSizeInKilobytes: namespace.sku.name == 'Premium' ? maxMessageSizeInKilobytes : null - maxSizeInMegabytes: maxSizeInMegabytes - requiresDuplicateDetection: requiresDuplicateDetection - requiresSession: requiresSession - status: status - } -} - -module queue_authorizationRules 'authorization-rule/main.bicep' = [for (authorizationRule, index) in authorizationRules: { - name: '${deployment().name}-AuthRule-${index}' - params: { - namespaceName: namespaceName - queueName: queue.name - name: authorizationRule.name - rights: contains(authorizationRule, 'rights') ? authorizationRule.rights : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -resource queue_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' 
: 'Cannot delete or modify the resource or child resources.' - } - scope: queue -} - -resource queue_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(queue.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: queue -}] - -@description('The name of the deployed queue.') -output name string = queue.name - -@description('The resource ID of the deployed queue.') -output resourceId string = queue.id - -@description('The resource group of the deployed queue.') -output resourceGroupName string = resourceGroup().name - -// =============== // -// Definitions // -// =============== // - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? diff --git a/modules/service-bus/namespace/queue/main.json b/modules/service-bus/namespace/queue/main.json deleted file mode 100644 index ec18685913..0000000000 --- a/modules/service-bus/namespace/queue/main.json +++ /dev/null 
@@ -1,539 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11801990742718728628" - }, - "name": "Service Bus Namespace Queue", - "description": "This module deploys a Service Bus Namespace Queue.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "namespaceName": { - "type": "string", - "minLength": 6, - "maxLength": 50, - "metadata": { - "description": "Conditional. The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "minLength": 6, - "maxLength": 50, - "metadata": { - "description": "Required. Name of the Service Bus Queue." - } - }, - "autoDeleteOnIdle": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. ISO 8061 timeSpan idle interval after which the queue is automatically deleted. The minimum duration is 5 minutes (PT5M)." - } - }, - "forwardDeadLetteredMessagesTo": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Queue/Topic name to forward the Dead Letter message." - } - }, - "forwardTo": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Queue/Topic name to forward the messages." - } - }, - "lockDuration": { - "type": "string", - "defaultValue": "PT1M", - "metadata": { - "description": "Optional. 
ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute." - } - }, - "maxSizeInMegabytes": { - "type": "int", - "defaultValue": 1024, - "metadata": { - "description": "Optional. The maximum size of the queue in megabytes, which is the size of memory allocated for the queue. Default is 1024." - } - }, - "requiresDuplicateDetection": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. A value indicating if this queue requires duplicate detection." - } - }, - "requiresSession": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. A value that indicates whether the queue supports the concept of sessions." - } - }, - "defaultMessageTimeToLive": { - "type": "string", - "defaultValue": "P14D", - "metadata": { - "description": "Optional. ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. This is the default value used when TimeToLive is not set on a message itself." - } - }, - "deadLetteringOnMessageExpiration": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. A value that indicates whether this queue has dead letter support when a message expires." - } - }, - "enableBatchedOperations": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Value that indicates whether server-side batched operations are enabled." - } - }, - "duplicateDetectionHistoryTimeWindow": { - "type": "string", - "defaultValue": "PT10M", - "metadata": { - "description": "Optional. ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. The default value is 10 minutes." 
- } - }, - "maxDeliveryCount": { - "type": "int", - "defaultValue": 10, - "metadata": { - "description": "Optional. The maximum delivery count. A message is automatically deadlettered after this number of deliveries. default value is 10." - } - }, - "maxMessageSizeInKilobytes": { - "type": "int", - "defaultValue": 1024, - "metadata": { - "description": "Optional. Maximum size (in KB) of the message payload that can be accepted by the queue. This property is only used in Premium today and default is 1024." - } - }, - "status": { - "type": "string", - "defaultValue": "Active", - "allowedValues": [ - "Active", - "Disabled", - "Restoring", - "SendDisabled", - "ReceiveDisabled", - "Creating", - "Deleting", - "Renaming", - "Unknown" - ], - "metadata": { - "description": "Optional. Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown." - } - }, - "enablePartitioning": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. A value that indicates whether the queue is to be partitioned across multiple message brokers." - } - }, - "enableExpress": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. A value that indicates whether Express Entities are enabled. An express queue holds a message in memory temporarily before writing it to persistent storage." - } - }, - "authorizationRules": { - "type": "array", - "defaultValue": [ - { - "name": "RootManageSharedAccessKey", - "properties": { - "rights": [ - "Listen", - "Manage", - "Send" - ] - } - } - ], - "metadata": { - "description": "Optional. Authorization Rules for the Service Bus Queue." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. 
Array of role assignments to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Azure Service Bus Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419')]", - "Azure Service Bus Data Receiver": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", - "Azure Service Bus Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "namespace": { - "existing": true, - "type": 
"Microsoft.ServiceBus/namespaces", - "apiVersion": "2022-10-01-preview", - "name": "[parameters('namespaceName')]" - }, - "queue": { - "type": "Microsoft.ServiceBus/namespaces/queues", - "apiVersion": "2022-10-01-preview", - "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", - "properties": { - "autoDeleteOnIdle": "[if(not(empty(parameters('autoDeleteOnIdle'))), parameters('autoDeleteOnIdle'), null())]", - "defaultMessageTimeToLive": "[parameters('defaultMessageTimeToLive')]", - "deadLetteringOnMessageExpiration": "[parameters('deadLetteringOnMessageExpiration')]", - "duplicateDetectionHistoryTimeWindow": "[parameters('duplicateDetectionHistoryTimeWindow')]", - "enableBatchedOperations": "[parameters('enableBatchedOperations')]", - "enableExpress": "[parameters('enableExpress')]", - "enablePartitioning": "[parameters('enablePartitioning')]", - "forwardDeadLetteredMessagesTo": "[if(not(empty(parameters('forwardDeadLetteredMessagesTo'))), parameters('forwardDeadLetteredMessagesTo'), null())]", - "forwardTo": "[if(not(empty(parameters('forwardTo'))), parameters('forwardTo'), null())]", - "lockDuration": "[parameters('lockDuration')]", - "maxDeliveryCount": "[parameters('maxDeliveryCount')]", - "maxMessageSizeInKilobytes": "[if(equals(reference('namespace', '2022-10-01-preview', 'full').sku.name, 'Premium'), parameters('maxMessageSizeInKilobytes'), null())]", - "maxSizeInMegabytes": "[parameters('maxSizeInMegabytes')]", - "requiresDuplicateDetection": "[parameters('requiresDuplicateDetection')]", - "requiresSession": "[parameters('requiresSession')]", - "status": "[parameters('status')]" - }, - "dependsOn": [ - "namespace" - ] - }, - "queue_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/queues/{1}', 
parameters('namespaceName'), parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "queue" - ] - }, - "queue_roleAssignments": { - "copy": { - "name": "queue_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/queues/{1}', parameters('namespaceName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.ServiceBus/namespaces/queues', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "queue" - ] - }, - "queue_authorizationRules": { - "copy": { - "name": "queue_authorizationRules", - "count": "[length(parameters('authorizationRules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AuthRule-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "namespaceName": { - "value": "[parameters('namespaceName')]" - }, - "queueName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('authorizationRules')[copyIndex()].name]" - }, - "rights": "[if(contains(parameters('authorizationRules')[copyIndex()], 'rights'), createObject('value', parameters('authorizationRules')[copyIndex()].rights), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17590031156732651952" - }, - "name": "Service Bus 
Namespace Queue Authorization Rules", - "description": "This module deploys a Service Bus Namespace Queue Authorization Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the service bus namepace queue." - } - }, - "namespaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Service Bus Namespace. Required if the template is used in a standalone deployment." - } - }, - "queueName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Service Bus Namespace Queue. Required if the template is used in a standalone deployment." - } - }, - "rights": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "Listen", - "Manage", - "Send" - ], - "metadata": { - "description": "Optional. The rights associated with the rule." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ServiceBus/namespaces/queues/authorizationRules", - "apiVersion": "2022-10-01-preview", - "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('queueName'), parameters('name'))]", - "properties": { - "rights": "[parameters('rights')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the authorization rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The Resource ID of the authorization rule." - }, - "value": "[resourceId('Microsoft.ServiceBus/namespaces/queues/authorizationRules', parameters('namespaceName'), parameters('queueName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the authorization rule was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "queue" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed queue." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed queue." - }, - "value": "[resourceId('Microsoft.ServiceBus/namespaces/queues', parameters('namespaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed queue." 
- }, - "value": "[resourceGroup().name]" - } - } -}
\ No newline at end of file
diff --git a/modules/service-bus/namespace/queue/version.json b/modules/service-bus/namespace/queue/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/service-bus/namespace/queue/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/service-bus/namespace/tests/e2e/defaults/main.test.bicep b/modules/service-bus/namespace/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index 39c9f7941e..0000000000
--- a/modules/service-bus/namespace/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-servicebus.namespaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'sbnmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/service-bus/namespace/tests/e2e/encr/dependencies.bicep b/modules/service-bus/namespace/tests/e2e/encr/dependencies.bicep
deleted file mode 100644
index 91bcb7661d..0000000000
--- a/modules/service-bus/namespace/tests/e2e/encr/dependencies.bicep
+++ /dev/null
@@ -1,90 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: true // Required by service bus namespace
- softDeleteRetentionInDays: 7
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-
- resource key 'keys@2022-07-01' = {
- name: 'keyEncryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-}
-
-resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment')
- scope: keyVault::key
- properties: {
- principalId: managedIdentity.properties.principalId
- // Key Vault Crypto User
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')
- principalType: 'ServicePrincipal'
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
-
-@description('The name of the created encryption key.')
-output keyName string = keyVault::key.name
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
diff --git a/modules/service-bus/namespace/tests/e2e/encr/main.test.bicep b/modules/service-bus/namespace/tests/e2e/encr/main.test.bicep
deleted file mode 100644
index 4bc6f9d364..0000000000
--- a/modules/service-bus/namespace/tests/e2e/encr/main.test.bicep
+++ /dev/null
@@ -1,131 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-servicebus.namespaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'sbnencr'
-
-@description('Generated. Used as a basis for unique resource names.')
-param baseTime string = utcNow('u')
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- skuName: 'Premium'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- networkRuleSets: {
- defaultAction: 'Deny'
- trustedServiceAccessEnabled: true
- virtualNetworkRules: [
- {
- ignoreMissingVnetServiceEndpoint: true
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- }
- ]
- ipRules: [
- {
- ipMask: '10.0.1.0/32'
- action: 'Allow'
- }
- {
- ipMask: '10.0.2.0/32'
- action: 'Allow'
- }
- ]
- }
- authorizationRules: [
- {
- name: 'RootManageSharedAccessKey'
- rights: [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- }
- {
- name: 'AnotherKey'
- rights: [
- 'Listen'
- 'Send'
- ]
- }
- ]
- managedIdentities: {
- systemAssigned: false
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- customerManagedKey: {
- keyName: nestedDependencies.outputs.keyName
- keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- userAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/service-bus/namespace/tests/e2e/max/dependencies.bicep b/modules/service-bus/namespace/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 07a2e7878c..0000000000
--- a/modules/service-bus/namespace/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,63 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.servicebus.windows.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/service-bus/namespace/tests/e2e/max/main.test.bicep b/modules/service-bus/namespace/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 4e64786e88..0000000000
--- a/modules/service-bus/namespace/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,227 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-servicebus.namespaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'sbnmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- skuName: 'Premium'
- skuCapacity: 2
- premiumMessagingPartitions: 1
- zoneRedundant: true
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
-
- principalType: 'ServicePrincipal'
- }
- ]
- networkRuleSets: {
- defaultAction: 'Deny'
- trustedServiceAccessEnabled: true
- virtualNetworkRules: [
- {
- ignoreMissingVnetServiceEndpoint: true
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- }
- ]
- ipRules: [
- {
- ipMask: '10.0.1.0/32'
- action: 'Allow'
- }
- {
- ipMask: '10.0.2.0/32'
- action: 'Allow'
- }
- ]
- }
- authorizationRules: [
- {
- name: 'RootManageSharedAccessKey'
- rights: [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- }
- {
- name: 'AnotherKey'
- rights: [
- 'Listen'
- 'Send'
- ]
- }
- ]
- queues: [
- {
- name: '${namePrefix}${serviceShort}q001'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- authorizationRules: [
- {
- name: 'RootManageSharedAccessKey'
- rights: [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- }
- {
- name: 'AnotherKey'
- rights: [
- 'Listen'
- 'Send'
- ]
- }
- ]
- autoDeleteOnIdle: 'PT5M'
- maxMessageSizeInKilobytes: 2048
- }
- ]
- topics: [
- {
- name: '${namePrefix}${serviceShort}t001'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- authorizationRules: [
- {
- name: 'RootManageSharedAccessKey'
- rights: [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- }
- {
- name: 'AnotherKey'
- rights: [
- 'Listen'
- 'Send'
- ]
- }
- ]
- }
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- privateEndpoints: [
- {
- service: 'namespace'
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- disableLocalAuth: true
- publicNetworkAccess: 'Enabled'
- minimumTlsVersion: '1.2'
- }
-}]
diff --git a/modules/service-bus/namespace/tests/e2e/pe/dependencies.bicep b/modules/service-bus/namespace/tests/e2e/pe/dependencies.bicep
deleted file mode 100644
index c63bafc918..0000000000
--- a/modules/service-bus/namespace/tests/e2e/pe/dependencies.bicep
+++ /dev/null
@@ -1,49 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.servicebus.windows.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/service-bus/namespace/tests/e2e/pe/main.test.bicep b/modules/service-bus/namespace/tests/e2e/pe/main.test.bicep
deleted file mode 100644
index ebc7250257..0000000000
--- a/modules/service-bus/namespace/tests/e2e/pe/main.test.bicep
+++ /dev/null
@@ -1,74 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-servicebus.namespaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'sbnpe'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- skuName: 'Premium'
- publicNetworkAccess: 'Disabled'
- privateEndpoints: [
- {
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/service-bus/namespace/tests/e2e/waf-aligned/dependencies.bicep b/modules/service-bus/namespace/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 07a2e7878c..0000000000
--- a/modules/service-bus/namespace/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,63 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.servicebus.windows.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep b/modules/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index d61b0ddb60..0000000000
--- a/modules/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,227 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-servicebus.namespaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'sbnwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- skuName: 'Premium'
- skuCapacity: 2
- premiumMessagingPartitions: 1
- zoneRedundant: true
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
-
- principalType: 'ServicePrincipal'
- }
- ]
- networkRuleSets: {
- defaultAction: 'Deny'
- trustedServiceAccessEnabled: true
- virtualNetworkRules: [
- {
- ignoreMissingVnetServiceEndpoint: true
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- }
- ]
- ipRules: [
- {
- ipMask: '10.0.1.0/32'
- action: 'Allow'
- }
- {
- ipMask: '10.0.2.0/32'
- action: 'Allow'
- }
- ]
- }
- authorizationRules: [
- {
- name: 'RootManageSharedAccessKey'
- rights: [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- }
- {
- name: 'AnotherKey'
- rights: [
- 'Listen'
- 'Send'
- ]
- }
- ]
- queues: [
- {
- name: '${namePrefix}${serviceShort}q001'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- authorizationRules: [
- {
- name: 'RootManageSharedAccessKey'
- rights: [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- }
- {
- name: 'AnotherKey'
- rights: [
- 'Listen'
- 'Send'
- ]
- }
- ]
- autoDeleteOnIdle: 'PT5M'
- maxMessageSizeInKilobytes: 2048
- }
- ]
- topics: [
- {
- name: '${namePrefix}${serviceShort}t001'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- authorizationRules: [
- {
- name: 'RootManageSharedAccessKey'
- rights: [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- }
- {
- name: 'AnotherKey'
- rights: [
- 'Listen'
- 'Send'
- ]
- }
- ]
- }
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- privateEndpoints: [
- {
- service: 'namespace'
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- disableLocalAuth: true
- publicNetworkAccess: 'Enabled'
- minimumTlsVersion: '1.2'
- }
-}]
diff --git a/modules/service-bus/namespace/topic/README.md b/modules/service-bus/namespace/topic/README.md
deleted file mode 100644
index f81f109519..0000000000
--- a/modules/service-bus/namespace/topic/README.md
+++ /dev/null
@@ -1,337 +0,0 @@ -# Service Bus Namespace Topic `[Microsoft.ServiceBus/namespaces/topics]` - -This module deploys a Service Bus Namespace Topic. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.ServiceBus/namespaces/topics` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/topics) | -| `Microsoft.ServiceBus/namespaces/topics/authorizationRules` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/topics/authorizationRules) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Service Bus Topic. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`namespaceName`](#parameter-namespacename) | string | The name of the parent Service Bus Namespace for the Service Bus Topic. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`authorizationRules`](#parameter-authorizationrules) | array | Authorization Rules for the Service Bus Topic. | -| [`autoDeleteOnIdle`](#parameter-autodeleteonidle) | string | ISO 8601 timespan idle interval after which the topic is automatically deleted. The minimum duration is 5 minutes. 
| -| [`defaultMessageTimeToLive`](#parameter-defaultmessagetimetolive) | string | ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. This is the default value used when TimeToLive is not set on a message itself. | -| [`duplicateDetectionHistoryTimeWindow`](#parameter-duplicatedetectionhistorytimewindow) | string | ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. The default value is 10 minutes. | -| [`enableBatchedOperations`](#parameter-enablebatchedoperations) | bool | Value that indicates whether server-side batched operations are enabled. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`enableExpress`](#parameter-enableexpress) | bool | A value that indicates whether Express Entities are enabled. An express topic holds a message in memory temporarily before writing it to persistent storage. | -| [`enablePartitioning`](#parameter-enablepartitioning) | bool | A value that indicates whether the topic is to be partitioned across multiple message brokers. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`maxMessageSizeInKilobytes`](#parameter-maxmessagesizeinkilobytes) | int | Maximum size (in KB) of the message payload that can be accepted by the topic. This property is only used in Premium today and default is 1024. | -| [`maxSizeInMegabytes`](#parameter-maxsizeinmegabytes) | int | The maximum size of the topic in megabytes, which is the size of memory allocated for the topic. Default is 1024. | -| [`requiresDuplicateDetection`](#parameter-requiresduplicatedetection) | bool | A value indicating if this topic requires duplicate detection. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. 
| -| [`status`](#parameter-status) | string | Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown. | -| [`supportOrdering`](#parameter-supportordering) | bool | Value that indicates whether the topic supports ordering. | - -### Parameter: `name` - -Name of the Service Bus Topic. - -- Required: Yes -- Type: string - -### Parameter: `namespaceName` - -The name of the parent Service Bus Namespace for the Service Bus Topic. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `authorizationRules` - -Authorization Rules for the Service Bus Topic. - -- Required: No -- Type: array -- Default: - ```Bicep - [ - { - name: 'RootManageSharedAccessKey' - properties: { - rights: [ - 'Listen' - 'Manage' - 'Send' - ] - } - } - ] - ``` - -### Parameter: `autoDeleteOnIdle` - -ISO 8601 timespan idle interval after which the topic is automatically deleted. The minimum duration is 5 minutes. - -- Required: No -- Type: string -- Default: `'PT5M'` - -### Parameter: `defaultMessageTimeToLive` - -ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. This is the default value used when TimeToLive is not set on a message itself. - -- Required: No -- Type: string -- Default: `'P14D'` - -### Parameter: `duplicateDetectionHistoryTimeWindow` - -ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. The default value is 10 minutes. - -- Required: No -- Type: string -- Default: `'PT10M'` - -### Parameter: `enableBatchedOperations` - -Value that indicates whether server-side batched operations are enabled. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). 
- -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableExpress` - -A value that indicates whether Express Entities are enabled. An express topic holds a message in memory temporarily before writing it to persistent storage. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enablePartitioning` - -A value that indicates whether the topic is to be partitioned across multiple message brokers. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `maxMessageSizeInKilobytes` - -Maximum size (in KB) of the message payload that can be accepted by the topic. This property is only used in Premium today and default is 1024. - -- Required: No -- Type: int -- Default: `1024` - -### Parameter: `maxSizeInMegabytes` - -The maximum size of the topic in megabytes, which is the size of memory allocated for the topic. Default is 1024. - -- Required: No -- Type: int -- Default: `1024` - -### Parameter: `requiresDuplicateDetection` - -A value indicating if this topic requires duplicate detection. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `roleAssignments` - -Array of role assignments to create. 
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
- -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `status` - -Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown. - -- Required: No -- Type: string -- Default: `'Active'` -- Allowed: - ```Bicep - [ - 'Active' - 'Creating' - 'Deleting' - 'Disabled' - 'ReceiveDisabled' - 'Renaming' - 'Restoring' - 'SendDisabled' - 'Unknown' - ] - ``` - -### Parameter: `supportOrdering` - -Value that indicates whether the topic supports ordering. - -- Required: No -- Type: bool -- Default: `False` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed topic. | -| `resourceGroupName` | string | The resource group of the deployed topic. | -| `resourceId` | string | The resource ID of the deployed topic. | - -## Cross-referenced modules - -_None_ 
diff --git a/modules/service-bus/namespace/topic/authorization-rule/README.md b/modules/service-bus/namespace/topic/authorization-rule/README.md
deleted file mode 100644
index c235204944..0000000000
--- a/modules/service-bus/namespace/topic/authorization-rule/README.md
+++ /dev/null
@@ -1,96 +0,0 @@
-# Service Bus Namespace Topic Authorization Rules `[Microsoft.ServiceBus/namespaces/topics/authorizationRules]`
-
-This module deploys a Service Bus Namespace Topic Authorization Rule.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.ServiceBus/namespaces/topics/authorizationRules` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/topics/authorizationRules) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the service bus namespace topic. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`namespaceName`](#parameter-namespacename) | string | The name of the parent Service Bus Namespace. Required if the template is used in a standalone deployment. |
-| [`topicName`](#parameter-topicname) | string | The name of the parent Service Bus Namespace Topic. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`rights`](#parameter-rights) | array | The rights associated with the rule. |
-
-### Parameter: `name`
-
-The name of the service bus namespace topic.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `namespaceName`
-
-The name of the parent Service Bus Namespace. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `topicName`
-
-The name of the parent Service Bus Namespace Topic. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `rights`
-
-The rights associated with the rule.
-
-- Required: No
-- Type: array
-- Default: `[]`
-- Allowed:
- ```Bicep
- [
- 'Listen'
- 'Manage'
- 'Send'
- ]
- ```
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the authorization rule. |
-| `resourceGroupName` | string | The name of the Resource Group the authorization rule was created in. |
-| `resourceId` | string | The Resource ID of the authorization rule. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/service-bus/namespace/topic/authorization-rule/main.bicep b/modules/service-bus/namespace/topic/authorization-rule/main.bicep
deleted file mode 100644
index fb60f6c92d..0000000000
--- a/modules/service-bus/namespace/topic/authorization-rule/main.bicep
+++ /dev/null
@@ -1,60 +0,0 @@
-metadata name = 'Service Bus Namespace Topic Authorization Rules'
-metadata description = 'This module deploys a Service Bus Namespace Topic Authorization Rule.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the service bus namespace topic.')
-param name string
-
-@description('Conditional. The name of the parent Service Bus Namespace. Required if the template is used in a standalone deployment.')
-param namespaceName string
-
-@description('Conditional. The name of the parent Service Bus Namespace Topic. Required if the template is used in a standalone deployment.')
-param topicName string
-
-@description('Optional. The rights associated with the rule.')
-@allowed([
- 'Listen'
- 'Manage'
- 'Send'
-])
-param rights array = []
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource namespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = {
- name: namespaceName
-
- resource topic 'topics@2022-10-01-preview' existing = {
- name: topicName
- }
-}
-
-resource authorizationRule 'Microsoft.ServiceBus/namespaces/topics/authorizationRules@2022-10-01-preview' = {
- name: name
- parent: namespace::topic
- properties: {
- rights: rights
- }
-}
-
-@description('The name of the authorization rule.')
-output name string = authorizationRule.name
-
-@description('The Resource ID of the authorization rule.')
-output resourceId string = authorizationRule.id
-
-@description('The name of the Resource Group the authorization rule was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/service-bus/namespace/topic/authorization-rule/main.json b/modules/service-bus/namespace/topic/authorization-rule/main.json
deleted file mode 100644
index f5819014ca..0000000000
--- a/modules/service-bus/namespace/topic/authorization-rule/main.json
+++ /dev/null
@@ -1,100 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "1333107238814449885" - }, - "name": "Service Bus Namespace Topic Authorization Rules", - "description": "This module deploys a Service Bus Namespace Topic Authorization Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the service bus namespace topic." - } - }, - "namespaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Service Bus Namespace. Required if the template is used in a standalone deployment." - } - }, - "topicName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Service Bus Namespace Topic. Required if the template is used in a standalone deployment." - } - }, - "rights": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "Listen", - "Manage", - "Send" - ], - "metadata": { - "description": "Optional. The rights associated with the rule." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ServiceBus/namespaces/topics/authorizationRules", - "apiVersion": "2022-10-01-preview", - "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('topicName'), parameters('name'))]", - "properties": { - "rights": "[parameters('rights')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the authorization rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The Resource ID of the authorization rule." - }, - "value": "[resourceId('Microsoft.ServiceBus/namespaces/topics/authorizationRules', parameters('namespaceName'), parameters('topicName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the authorization rule was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/service-bus/namespace/topic/authorization-rule/version.json b/modules/service-bus/namespace/topic/authorization-rule/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/service-bus/namespace/topic/authorization-rule/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/service-bus/namespace/topic/main.bicep b/modules/service-bus/namespace/topic/main.bicep
deleted file mode 100644
index 9ff8bdcb06..0000000000
--- a/modules/service-bus/namespace/topic/main.bicep
+++ /dev/null
@@ -1,205 +0,0 @@ -metadata name = 'Service Bus Namespace Topic' -metadata description = 'This module deploys a Service Bus Namespace Topic.' -metadata owner = 'Azure/module-maintainers' - -@description('Conditional. The name of the parent Service Bus Namespace for the Service Bus Topic. Required if the template is used in a standalone deployment.') -@minLength(6) -@maxLength(50) -param namespaceName string - -@description('Required. Name of the Service Bus Topic.') -@minLength(6) -@maxLength(50) -param name string - -@description('Optional. The maximum size of the topic in megabytes, which is the size of memory allocated for the topic. Default is 1024.') -param maxSizeInMegabytes int = 1024 - -@description('Optional. A value indicating if this topic requires duplicate detection.') -param requiresDuplicateDetection bool = false - -@description('Optional. ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. This is the default value used when TimeToLive is not set on a message itself.') -param defaultMessageTimeToLive string = 'P14D' - -@description('Optional. Value that indicates whether server-side batched operations are enabled.') -param enableBatchedOperations bool = true - -@description('Optional. ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. The default value is 10 minutes.') -param duplicateDetectionHistoryTimeWindow string = 'PT10M' - -@description('Optional. Maximum size (in KB) of the message payload that can be accepted by the topic. This property is only used in Premium today and default is 1024.') -param maxMessageSizeInKilobytes int = 1024 - -@description('Optional. Value that indicates whether the topic supports ordering.') -param supportOrdering bool = false - -@description('Optional. ISO 8601 timespan idle interval after which the topic is automatically deleted. 
The minimum duration is 5 minutes.') -param autoDeleteOnIdle string = 'PT5M' - -@description('Optional. Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown.') -@allowed([ - 'Active' - 'Disabled' - 'Restoring' - 'SendDisabled' - 'ReceiveDisabled' - 'Creating' - 'Deleting' - 'Renaming' - 'Unknown' -]) -param status string = 'Active' - -@description('Optional. A value that indicates whether the topic is to be partitioned across multiple message brokers.') -param enablePartitioning bool = false - -@description('Optional. A value that indicates whether Express Entities are enabled. An express topic holds a message in memory temporarily before writing it to persistent storage.') -param enableExpress bool = false - -@description('Optional. Authorization Rules for the Service Bus Topic.') -param authorizationRules array = [ - { - name: 'RootManageSharedAccessKey' - properties: { - rights: [ - 'Listen' - 'Manage' - 'Send' - ] - } - } -] - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var enableReferencedModulesTelemetry = false - -var builtInRoleNames = { - 'Azure Service Bus Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419') - 'Azure Service Bus Data Receiver': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0') - 'Azure Service Bus Data Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource namespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = { - name: namespaceName -} - -resource topic 'Microsoft.ServiceBus/namespaces/topics@2022-10-01-preview' = { - name: name - parent: namespace - properties: { - autoDeleteOnIdle: autoDeleteOnIdle - defaultMessageTimeToLive: defaultMessageTimeToLive - 
duplicateDetectionHistoryTimeWindow: duplicateDetectionHistoryTimeWindow - enableBatchedOperations: enableBatchedOperations - enableExpress: enableExpress - enablePartitioning: enablePartitioning - maxMessageSizeInKilobytes: maxMessageSizeInKilobytes - maxSizeInMegabytes: maxSizeInMegabytes - requiresDuplicateDetection: requiresDuplicateDetection - status: status - supportOrdering: supportOrdering - } -} - -module topic_authorizationRules 'authorization-rule/main.bicep' = [for (authorizationRule, index) in authorizationRules: { - name: '${deployment().name}-AuthRule-${index}' - params: { - namespaceName: namespaceName - topicName: topic.name - name: authorizationRule.name - rights: contains(authorizationRule, 'rights') ? authorizationRule.rights : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -resource topic_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' - } - scope: topic -} - -resource topic_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(topic.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? 
roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: topic -}] - -@description('The name of the deployed topic.') -output name string = topic.name - -@description('The resource ID of the deployed topic.') -output resourceId string = topic.id - -@description('The resource group of the deployed topic.') -output resourceGroupName string = resourceGroup().name - -// =============== // -// Definitions // -// =============== // - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? diff --git a/modules/service-bus/namespace/topic/main.json b/modules/service-bus/namespace/topic/main.json deleted file mode 100644 index 4b0e2d0904..0000000000 --- a/modules/service-bus/namespace/topic/main.json +++ /dev/null 
@@ -1,499 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15417348357364247690" - }, - "name": "Service Bus Namespace Topic", - "description": "This module deploys a Service Bus Namespace Topic.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "namespaceName": { - "type": "string", - "minLength": 6, - "maxLength": 50, - "metadata": { - "description": "Conditional. The name of the parent Service Bus Namespace for the Service Bus Topic. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "minLength": 6, - "maxLength": 50, - "metadata": { - "description": "Required. Name of the Service Bus Topic." - } - }, - "maxSizeInMegabytes": { - "type": "int", - "defaultValue": 1024, - "metadata": { - "description": "Optional. The maximum size of the topic in megabytes, which is the size of memory allocated for the topic. Default is 1024." - } - }, - "requiresDuplicateDetection": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. A value indicating if this topic requires duplicate detection." - } - }, - "defaultMessageTimeToLive": { - "type": "string", - "defaultValue": "P14D", - "metadata": { - "description": "Optional. ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. This is the default value used when TimeToLive is not set on a message itself." 
- } - }, - "enableBatchedOperations": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Value that indicates whether server-side batched operations are enabled." - } - }, - "duplicateDetectionHistoryTimeWindow": { - "type": "string", - "defaultValue": "PT10M", - "metadata": { - "description": "Optional. ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. The default value is 10 minutes." - } - }, - "maxMessageSizeInKilobytes": { - "type": "int", - "defaultValue": 1024, - "metadata": { - "description": "Optional. Maximum size (in KB) of the message payload that can be accepted by the topic. This property is only used in Premium today and default is 1024." - } - }, - "supportOrdering": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Value that indicates whether the topic supports ordering." - } - }, - "autoDeleteOnIdle": { - "type": "string", - "defaultValue": "PT5M", - "metadata": { - "description": "Optional. ISO 8601 timespan idle interval after which the topic is automatically deleted. The minimum duration is 5 minutes." - } - }, - "status": { - "type": "string", - "defaultValue": "Active", - "allowedValues": [ - "Active", - "Disabled", - "Restoring", - "SendDisabled", - "ReceiveDisabled", - "Creating", - "Deleting", - "Renaming", - "Unknown" - ], - "metadata": { - "description": "Optional. Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown." - } - }, - "enablePartitioning": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. A value that indicates whether the topic is to be partitioned across multiple message brokers." - } - }, - "enableExpress": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. A value that indicates whether Express Entities are enabled. 
An express topic holds a message in memory temporarily before writing it to persistent storage." - } - }, - "authorizationRules": { - "type": "array", - "defaultValue": [ - { - "name": "RootManageSharedAccessKey", - "properties": { - "rights": [ - "Listen", - "Manage", - "Send" - ] - } - } - ], - "metadata": { - "description": "Optional. Authorization Rules for the Service Bus Topic." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Azure Service Bus Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419')]", - "Azure Service Bus Data Receiver": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", - "Azure Service Bus Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "namespace": { - "existing": true, - "type": "Microsoft.ServiceBus/namespaces", - "apiVersion": "2022-10-01-preview", - "name": "[parameters('namespaceName')]" - }, - "topic": { - "type": "Microsoft.ServiceBus/namespaces/topics", - "apiVersion": "2022-10-01-preview", - "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", - "properties": { - "autoDeleteOnIdle": "[parameters('autoDeleteOnIdle')]", - "defaultMessageTimeToLive": "[parameters('defaultMessageTimeToLive')]", - "duplicateDetectionHistoryTimeWindow": "[parameters('duplicateDetectionHistoryTimeWindow')]", - "enableBatchedOperations": "[parameters('enableBatchedOperations')]", - "enableExpress": "[parameters('enableExpress')]", - "enablePartitioning": "[parameters('enablePartitioning')]", - "maxMessageSizeInKilobytes": "[parameters('maxMessageSizeInKilobytes')]", - "maxSizeInMegabytes": "[parameters('maxSizeInMegabytes')]", - "requiresDuplicateDetection": "[parameters('requiresDuplicateDetection')]", - "status": "[parameters('status')]", - "supportOrdering": "[parameters('supportOrdering')]" - }, - "dependsOn": [ - "namespace" - ] - }, - "topic_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": 
"[format('Microsoft.ServiceBus/namespaces/{0}/topics/{1}', parameters('namespaceName'), parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "topic" - ] - }, - "topic_roleAssignments": { - "copy": { - "name": "topic_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/topics/{1}', parameters('namespaceName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.ServiceBus/namespaces/topics', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - 
"description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "topic" - ] - }, - "topic_authorizationRules": { - "copy": { - "name": "topic_authorizationRules", - "count": "[length(parameters('authorizationRules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AuthRule-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "namespaceName": { - "value": "[parameters('namespaceName')]" - }, - "topicName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('authorizationRules')[copyIndex()].name]" - }, - "rights": "[if(contains(parameters('authorizationRules')[copyIndex()], 'rights'), createObject('value', parameters('authorizationRules')[copyIndex()].rights), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "1333107238814449885" - }, - "name": 
"Service Bus Namespace Topic Authorization Rules", - "description": "This module deploys a Service Bus Namespace Topic Authorization Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the service bus namespace topic." - } - }, - "namespaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Service Bus Namespace. Required if the template is used in a standalone deployment." - } - }, - "topicName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Service Bus Namespace Topic. Required if the template is used in a standalone deployment." - } - }, - "rights": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "Listen", - "Manage", - "Send" - ], - "metadata": { - "description": "Optional. The rights associated with the rule." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ServiceBus/namespaces/topics/authorizationRules", - "apiVersion": "2022-10-01-preview", - "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('topicName'), parameters('name'))]", - "properties": { - "rights": "[parameters('rights')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the authorization rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The Resource ID of the authorization rule." - }, - "value": "[resourceId('Microsoft.ServiceBus/namespaces/topics/authorizationRules', parameters('namespaceName'), parameters('topicName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the authorization rule was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "topic" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed topic." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed topic." - }, - "value": "[resourceId('Microsoft.ServiceBus/namespaces/topics', parameters('namespaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed topic." 
- }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file
diff --git a/modules/service-bus/namespace/topic/version.json b/modules/service-bus/namespace/topic/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/service-bus/namespace/topic/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/service-bus/namespace/version.json b/modules/service-bus/namespace/version.json
deleted file mode 100644
index 04a0dd1a80..0000000000
--- a/modules/service-bus/namespace/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.5",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/service-fabric/cluster/README.md b/modules/service-fabric/cluster/README.md
index 1cad50d156..edb9bf611b 100644
--- a/modules/service-fabric/cluster/README.md
+++ b/modules/service-fabric/cluster/README.md
@@ -1,1610 +1,7 @@
-# Service Fabric Clusters `[Microsoft.ServiceFabric/clusters]` +

⚠️ Moved to AVM ⚠️

-This module deploys a Service Fabric Cluster. +**This module has been evolved into the following AVM module: [avm/res/service-fabric/cluster](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/service-fabric/cluster).** -## Navigation +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/service-fabric/cluster). -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.ServiceFabric/clusters` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceFabric/2021-06-01/clusters) | -| `Microsoft.ServiceFabric/clusters/applicationTypes` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceFabric/2021-06-01/clusters/applicationTypes) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/service-fabric.cluster:1.0.0`. 
- -- [Cert](#example-1-cert) -- [Using only defaults](#example-2-using-only-defaults) -- [Using large parameter set](#example-3-using-large-parameter-set) -- [WAF-aligned](#example-4-waf-aligned) - -### Example 1: _Cert_ - -
- -via Bicep module - -```bicep -module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-sfccer' - params: { - // Required parameters - managementEndpoint: 'https://sfccer001.westeurope.cloudapp.azure.com:19080' - name: 'sfccer001' - nodeTypes: [ - { - applicationPorts: { - endPort: 30000 - startPort: 20000 - } - clientConnectionEndpointPort: 19000 - durabilityLevel: 'Bronze' - ephemeralPorts: { - endPort: 65534 - startPort: 49152 - } - httpGatewayEndpointPort: 19080 - isPrimary: true - name: 'Node01' - } - ] - reliabilityLevel: 'None' - // Non-required parameters - certificate: { - thumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC130' - x509StoreName: 'My' - } - enableDefaultTelemetry: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "managementEndpoint": { - "value": "https://sfccer001.westeurope.cloudapp.azure.com:19080" - }, - "name": { - "value": "sfccer001" - }, - "nodeTypes": { - "value": [ - { - "applicationPorts": { - "endPort": 30000, - "startPort": 20000 - }, - "clientConnectionEndpointPort": 19000, - "durabilityLevel": "Bronze", - "ephemeralPorts": { - "endPort": 65534, - "startPort": 49152 - }, - "httpGatewayEndpointPort": 19080, - "isPrimary": true, - "name": "Node01" - } - ] - }, - "reliabilityLevel": { - "value": "None" - }, - // Non-required parameters - "certificate": { - "value": { - "thumbprint": "0AC113D5E1D94C401DDEB0EE2B1B96CC130", - "x509StoreName": "My" - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-sfcmin' - params: { - // Required parameters - managementEndpoint: 'https://sfcmin001.westeurope.cloudapp.azure.com:19080' - name: 'sfcmin001' - nodeTypes: [ - { - applicationPorts: { - endPort: 30000 - startPort: 20000 - } - clientConnectionEndpointPort: 19000 - durabilityLevel: 'Bronze' - ephemeralPorts: { - endPort: 65534 - startPort: 49152 - } - httpGatewayEndpointPort: 19080 - isPrimary: true - name: 'Node01' - } - ] - reliabilityLevel: 'None' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "managementEndpoint": { - "value": "https://sfcmin001.westeurope.cloudapp.azure.com:19080" - }, - "name": { - "value": "sfcmin001" - }, - "nodeTypes": { - "value": [ - { - "applicationPorts": { - "endPort": 30000, - "startPort": 20000 - }, - "clientConnectionEndpointPort": 19000, - "durabilityLevel": "Bronze", - "ephemeralPorts": { - "endPort": 65534, - "startPort": 49152 - }, - "httpGatewayEndpointPort": 19080, - "isPrimary": true, - "name": "Node01" - } - ] - }, - "reliabilityLevel": { - "value": "None" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 3: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-sfcmax' - params: { - // Required parameters - managementEndpoint: 'https://sfcmax001.westeurope.cloudapp.azure.com:19080' - name: 'sfcmax001' - nodeTypes: [ - { - applicationPorts: { - endPort: 30000 - startPort: 20000 - } - clientConnectionEndpointPort: 19000 - durabilityLevel: 'Silver' - ephemeralPorts: { - endPort: 65534 - startPort: 49152 - } - httpGatewayEndpointPort: 19080 - isPrimary: true - isStateless: false - multipleAvailabilityZones: false - name: 'Node01' - placementProperties: {} - reverseProxyEndpointPort: '' - vmInstanceCount: 5 - } - { - applicationPorts: { - endPort: 30000 - startPort: 20000 - } - clientConnectionEndpointPort: 19000 - durabilityLevel: 'Bronze' - ephemeralPorts: { - endPort: 64000 - httpGatewayEndpointPort: 19007 - isPrimary: true - name: 'Node02' - startPort: 49000 - vmInstanceCount: 5 - } - } - ] - reliabilityLevel: 'Silver' - // Non-required parameters - addOnFeatures: [ - 'BackupRestoreService' - 'DnsService' - 'RepairManager' - 'ResourceMonitorService' - ] - applicationTypes: [ - { - name: 'WordCount' - } - ] - azureActiveDirectory: { - clientApplication: '' - clusterApplication: 'cf33fea8-b30f-424f-ab73-c48d99e0b222' - tenantId: '' - } - certificateCommonNames: { - commonNames: [ - { - certificateCommonName: 'certcommon' - certificateIssuerThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC130' - } - ] - x509StoreName: '' - } - clientCertificateCommonNames: [ - { - certificateCommonName: 'clientcommoncert1' - certificateIssuerThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC130' - isAdmin: false - } - { - certificateCommonName: 'clientcommoncert2' - certificateIssuerThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC131' - isAdmin: false - } - ] - clientCertificateThumbprints: [ - { - certificateThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC130' - isAdmin: false - } - { - 
certificateThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC131' - isAdmin: false - } - ] - diagnosticsStorageAccountConfig: { - blobEndpoint: '' - protectedAccountKeyName: 'StorageAccountKey1' - queueEndpoint: '' - storageAccountName: '' - tableEndpoint: '' - } - enableDefaultTelemetry: '' - fabricSettings: [ - { - name: 'Security' - parameters: [ - { - name: 'ClusterProtectionLevel' - value: 'EncryptAndSign' - } - ] - } - { - name: 'UpgradeService' - parameters: [ - { - name: 'AppPollIntervalInSeconds' - value: '60' - } - ] - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - maxUnusedVersionsToKeep: 2 - notifications: [ - { - isEnabled: true - notificationCategory: 'WaveProgress' - notificationLevel: 'Critical' - notificationTargets: [ - { - notificationChannel: 'EmailUser' - receivers: [ - 'SomeReceiver' - ] - } - ] - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - clusterName: 'sfcmax001' - 'hidden-title': 'This is visible in the resource name' - resourceType: 'Service Fabric' - } - upgradeDescription: { - deltaHealthPolicy: { - maxPercentDeltaUnhealthyApplications: 0 - maxPercentDeltaUnhealthyNodes: 0 - maxPercentUpgradeDomainDeltaUnhealthyNodes: 0 - } - forceRestart: false - healthCheckRetryTimeout: '00:45:00' - healthCheckStableDuration: '00:01:00' - healthCheckWaitDuration: '00:00:30' - healthPolicy: { - maxPercentUnhealthyApplications: 0 - maxPercentUnhealthyNodes: 0 - } - upgradeDomainTimeout: '02:00:00' - upgradeReplicaSetCheckTimeout: '1.00:00:00' - upgradeTimeout: '02:00:00' - } - vmImage: 'Linux' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "managementEndpoint": { - "value": "https://sfcmax001.westeurope.cloudapp.azure.com:19080" - }, - "name": { - "value": "sfcmax001" - }, - "nodeTypes": { - "value": [ - { - "applicationPorts": { - "endPort": 30000, - "startPort": 20000 - }, - "clientConnectionEndpointPort": 19000, - "durabilityLevel": "Silver", - "ephemeralPorts": { - "endPort": 65534, - "startPort": 49152 - }, - "httpGatewayEndpointPort": 19080, - "isPrimary": true, - "isStateless": false, - "multipleAvailabilityZones": false, - "name": "Node01", - "placementProperties": {}, - "reverseProxyEndpointPort": "", - "vmInstanceCount": 5 - }, - { - "applicationPorts": { - "endPort": 30000, - "startPort": 20000 - }, - "clientConnectionEndpointPort": 19000, - "durabilityLevel": "Bronze", - "ephemeralPorts": { - "endPort": 64000, - "httpGatewayEndpointPort": 19007, - "isPrimary": true, - "name": "Node02", - "startPort": 49000, - "vmInstanceCount": 5 - } - } - ] - }, - "reliabilityLevel": { - "value": "Silver" - }, - // Non-required parameters - "addOnFeatures": { - "value": [ - "BackupRestoreService", - "DnsService", - "RepairManager", - "ResourceMonitorService" - ] - }, - "applicationTypes": { - "value": [ - { - "name": "WordCount" - } - ] - }, - "azureActiveDirectory": { - "value": { - "clientApplication": "", - "clusterApplication": "cf33fea8-b30f-424f-ab73-c48d99e0b222", - "tenantId": "" - } - }, - "certificateCommonNames": { - "value": { - "commonNames": [ - { - "certificateCommonName": "certcommon", - "certificateIssuerThumbprint": "0AC113D5E1D94C401DDEB0EE2B1B96CC130" - } - ], - "x509StoreName": "" - } - }, - "clientCertificateCommonNames": { - "value": [ - { - "certificateCommonName": "clientcommoncert1", - "certificateIssuerThumbprint": "0AC113D5E1D94C401DDEB0EE2B1B96CC130", - "isAdmin": 
false - }, - { - "certificateCommonName": "clientcommoncert2", - "certificateIssuerThumbprint": "0AC113D5E1D94C401DDEB0EE2B1B96CC131", - "isAdmin": false - } - ] - }, - "clientCertificateThumbprints": { - "value": [ - { - "certificateThumbprint": "0AC113D5E1D94C401DDEB0EE2B1B96CC130", - "isAdmin": false - }, - { - "certificateThumbprint": "0AC113D5E1D94C401DDEB0EE2B1B96CC131", - "isAdmin": false - } - ] - }, - "diagnosticsStorageAccountConfig": { - "value": { - "blobEndpoint": "", - "protectedAccountKeyName": "StorageAccountKey1", - "queueEndpoint": "", - "storageAccountName": "", - "tableEndpoint": "" - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "fabricSettings": { - "value": [ - { - "name": "Security", - "parameters": [ - { - "name": "ClusterProtectionLevel", - "value": "EncryptAndSign" - } - ] - }, - { - "name": "UpgradeService", - "parameters": [ - { - "name": "AppPollIntervalInSeconds", - "value": "60" - } - ] - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "maxUnusedVersionsToKeep": { - "value": 2 - }, - "notifications": { - "value": [ - { - "isEnabled": true, - "notificationCategory": "WaveProgress", - "notificationLevel": "Critical", - "notificationTargets": [ - { - "notificationChannel": "EmailUser", - "receivers": [ - "SomeReceiver" - ] - } - ] - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "clusterName": "sfcmax001", - "hidden-title": "This is visible in the resource name", - "resourceType": "Service Fabric" - } - }, - "upgradeDescription": { - "value": { - "deltaHealthPolicy": { - 
"maxPercentDeltaUnhealthyApplications": 0, - "maxPercentDeltaUnhealthyNodes": 0, - "maxPercentUpgradeDomainDeltaUnhealthyNodes": 0 - }, - "forceRestart": false, - "healthCheckRetryTimeout": "00:45:00", - "healthCheckStableDuration": "00:01:00", - "healthCheckWaitDuration": "00:00:30", - "healthPolicy": { - "maxPercentUnhealthyApplications": 0, - "maxPercentUnhealthyNodes": 0 - }, - "upgradeDomainTimeout": "02:00:00", - "upgradeReplicaSetCheckTimeout": "1.00:00:00", - "upgradeTimeout": "02:00:00" - } - }, - "vmImage": { - "value": "Linux" - } - } -} -``` - -
-

- -### Example 4: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-sfcwaf' - params: { - // Required parameters - managementEndpoint: 'https://sfcwaf001.westeurope.cloudapp.azure.com:19080' - name: 'sfcwaf001' - nodeTypes: [ - { - applicationPorts: { - endPort: 30000 - startPort: 20000 - } - clientConnectionEndpointPort: 19000 - durabilityLevel: 'Silver' - ephemeralPorts: { - endPort: 65534 - startPort: 49152 - } - httpGatewayEndpointPort: 19080 - isPrimary: true - isStateless: false - multipleAvailabilityZones: false - name: 'Node01' - placementProperties: {} - reverseProxyEndpointPort: '' - vmInstanceCount: 5 - } - { - applicationPorts: { - endPort: 30000 - startPort: 20000 - } - clientConnectionEndpointPort: 19000 - durabilityLevel: 'Bronze' - ephemeralPorts: { - endPort: 64000 - httpGatewayEndpointPort: 19007 - isPrimary: true - name: 'Node02' - startPort: 49000 - vmInstanceCount: 5 - } - } - ] - reliabilityLevel: 'Silver' - // Non-required parameters - addOnFeatures: [ - 'BackupRestoreService' - 'DnsService' - 'RepairManager' - 'ResourceMonitorService' - ] - applicationTypes: [ - { - name: 'WordCount' - } - ] - azureActiveDirectory: { - clientApplication: '' - clusterApplication: 'cf33fea8-b30f-424f-ab73-c48d99e0b222' - tenantId: '' - } - certificateCommonNames: { - commonNames: [ - { - certificateCommonName: 'certcommon' - certificateIssuerThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC130' - } - ] - x509StoreName: '' - } - clientCertificateCommonNames: [ - { - certificateCommonName: 'clientcommoncert1' - certificateIssuerThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC130' - isAdmin: false - } - { - certificateCommonName: 'clientcommoncert2' - certificateIssuerThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC131' - isAdmin: false - } - ] - clientCertificateThumbprints: [ - { - certificateThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC130' - isAdmin: false - } - { - 
certificateThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC131' - isAdmin: false - } - ] - diagnosticsStorageAccountConfig: { - blobEndpoint: '' - protectedAccountKeyName: 'StorageAccountKey1' - queueEndpoint: '' - storageAccountName: '' - tableEndpoint: '' - } - enableDefaultTelemetry: '' - fabricSettings: [ - { - name: 'Security' - parameters: [ - { - name: 'ClusterProtectionLevel' - value: 'EncryptAndSign' - } - ] - } - { - name: 'UpgradeService' - parameters: [ - { - name: 'AppPollIntervalInSeconds' - value: '60' - } - ] - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - maxUnusedVersionsToKeep: 2 - notifications: [ - { - isEnabled: true - notificationCategory: 'WaveProgress' - notificationLevel: 'Critical' - notificationTargets: [ - { - notificationChannel: 'EmailUser' - receivers: [ - 'SomeReceiver' - ] - } - ] - } - ] - tags: { - clusterName: 'sfcwaf001' - 'hidden-title': 'This is visible in the resource name' - resourceType: 'Service Fabric' - } - upgradeDescription: { - deltaHealthPolicy: { - maxPercentDeltaUnhealthyApplications: 0 - maxPercentDeltaUnhealthyNodes: 0 - maxPercentUpgradeDomainDeltaUnhealthyNodes: 0 - } - forceRestart: false - healthCheckRetryTimeout: '00:45:00' - healthCheckStableDuration: '00:01:00' - healthCheckWaitDuration: '00:00:30' - healthPolicy: { - maxPercentUnhealthyApplications: 0 - maxPercentUnhealthyNodes: 0 - } - upgradeDomainTimeout: '02:00:00' - upgradeReplicaSetCheckTimeout: '1.00:00:00' - upgradeTimeout: '02:00:00' - } - vmImage: 'Linux' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "managementEndpoint": { - "value": "https://sfcwaf001.westeurope.cloudapp.azure.com:19080" - }, - "name": { - "value": "sfcwaf001" - }, - "nodeTypes": { - "value": [ - { - "applicationPorts": { - "endPort": 30000, - "startPort": 20000 - }, - "clientConnectionEndpointPort": 19000, - "durabilityLevel": "Silver", - "ephemeralPorts": { - "endPort": 65534, - "startPort": 49152 - }, - "httpGatewayEndpointPort": 19080, - "isPrimary": true, - "isStateless": false, - "multipleAvailabilityZones": false, - "name": "Node01", - "placementProperties": {}, - "reverseProxyEndpointPort": "", - "vmInstanceCount": 5 - }, - { - "applicationPorts": { - "endPort": 30000, - "startPort": 20000 - }, - "clientConnectionEndpointPort": 19000, - "durabilityLevel": "Bronze", - "ephemeralPorts": { - "endPort": 64000, - "httpGatewayEndpointPort": 19007, - "isPrimary": true, - "name": "Node02", - "startPort": 49000, - "vmInstanceCount": 5 - } - } - ] - }, - "reliabilityLevel": { - "value": "Silver" - }, - // Non-required parameters - "addOnFeatures": { - "value": [ - "BackupRestoreService", - "DnsService", - "RepairManager", - "ResourceMonitorService" - ] - }, - "applicationTypes": { - "value": [ - { - "name": "WordCount" - } - ] - }, - "azureActiveDirectory": { - "value": { - "clientApplication": "", - "clusterApplication": "cf33fea8-b30f-424f-ab73-c48d99e0b222", - "tenantId": "" - } - }, - "certificateCommonNames": { - "value": { - "commonNames": [ - { - "certificateCommonName": "certcommon", - "certificateIssuerThumbprint": "0AC113D5E1D94C401DDEB0EE2B1B96CC130" - } - ], - "x509StoreName": "" - } - }, - "clientCertificateCommonNames": { - "value": [ - { - "certificateCommonName": "clientcommoncert1", - "certificateIssuerThumbprint": "0AC113D5E1D94C401DDEB0EE2B1B96CC130", - "isAdmin": 
false - }, - { - "certificateCommonName": "clientcommoncert2", - "certificateIssuerThumbprint": "0AC113D5E1D94C401DDEB0EE2B1B96CC131", - "isAdmin": false - } - ] - }, - "clientCertificateThumbprints": { - "value": [ - { - "certificateThumbprint": "0AC113D5E1D94C401DDEB0EE2B1B96CC130", - "isAdmin": false - }, - { - "certificateThumbprint": "0AC113D5E1D94C401DDEB0EE2B1B96CC131", - "isAdmin": false - } - ] - }, - "diagnosticsStorageAccountConfig": { - "value": { - "blobEndpoint": "", - "protectedAccountKeyName": "StorageAccountKey1", - "queueEndpoint": "", - "storageAccountName": "", - "tableEndpoint": "" - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "fabricSettings": { - "value": [ - { - "name": "Security", - "parameters": [ - { - "name": "ClusterProtectionLevel", - "value": "EncryptAndSign" - } - ] - }, - { - "name": "UpgradeService", - "parameters": [ - { - "name": "AppPollIntervalInSeconds", - "value": "60" - } - ] - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "maxUnusedVersionsToKeep": { - "value": 2 - }, - "notifications": { - "value": [ - { - "isEnabled": true, - "notificationCategory": "WaveProgress", - "notificationLevel": "Critical", - "notificationTargets": [ - { - "notificationChannel": "EmailUser", - "receivers": [ - "SomeReceiver" - ] - } - ] - } - ] - }, - "tags": { - "value": { - "clusterName": "sfcwaf001", - "hidden-title": "This is visible in the resource name", - "resourceType": "Service Fabric" - } - }, - "upgradeDescription": { - "value": { - "deltaHealthPolicy": { - "maxPercentDeltaUnhealthyApplications": 0, - "maxPercentDeltaUnhealthyNodes": 0, - "maxPercentUpgradeDomainDeltaUnhealthyNodes": 0 - }, - "forceRestart": false, - "healthCheckRetryTimeout": "00:45:00", - "healthCheckStableDuration": "00:01:00", - "healthCheckWaitDuration": "00:00:30", - "healthPolicy": { - "maxPercentUnhealthyApplications": 0, - "maxPercentUnhealthyNodes": 0 - }, - "upgradeDomainTimeout": 
"02:00:00", - "upgradeReplicaSetCheckTimeout": "1.00:00:00", - "upgradeTimeout": "02:00:00" - } - }, - "vmImage": { - "value": "Linux" - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`managementEndpoint`](#parameter-managementendpoint) | string | The http management endpoint of the cluster. | -| [`name`](#parameter-name) | string | Name of the Service Fabric cluster. | -| [`nodeTypes`](#parameter-nodetypes) | array | The list of node types in the cluster. | -| [`reliabilityLevel`](#parameter-reliabilitylevel) | string | The reliability level sets the replica set size of system services. Learn about ReliabilityLevel (https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-capacity). - None - Run the System services with a target replica set count of 1. This should only be used for test clusters. - Bronze - Run the System services with a target replica set count of 3. This should only be used for test clusters. - Silver - Run the System services with a target replica set count of 5. - Gold - Run the System services with a target replica set count of 7. - Platinum - Run the System services with a target replica set count of 9. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`addOnFeatures`](#parameter-addonfeatures) | array | The list of add-on features to enable in the cluster. | -| [`applicationTypes`](#parameter-applicationtypes) | array | Array of Service Fabric cluster application types. | -| [`azureActiveDirectory`](#parameter-azureactivedirectory) | object | The settings to enable AAD authentication on the cluster. | -| [`certificate`](#parameter-certificate) | object | Describes the certificate details like thumbprint of the primary certificate, thumbprint of the secondary certificate and the local certificate store location. | -| [`certificateCommonNames`](#parameter-certificatecommonnames) | object | Describes a list of server certificates referenced by common name that are used to secure the cluster. 
| -| [`clientCertificateCommonNames`](#parameter-clientcertificatecommonnames) | array | The list of client certificates referenced by common name that are allowed to manage the cluster. | -| [`clientCertificateThumbprints`](#parameter-clientcertificatethumbprints) | array | The list of client certificates referenced by thumbprint that are allowed to manage the cluster. | -| [`clusterCodeVersion`](#parameter-clustercodeversion) | string | The Service Fabric runtime version of the cluster. This property can only by set the user when upgradeMode is set to "Manual". To get list of available Service Fabric versions for new clusters use ClusterVersion API. To get the list of available version for existing clusters use availableClusterVersions. | -| [`diagnosticsStorageAccountConfig`](#parameter-diagnosticsstorageaccountconfig) | object | The storage account information for storing Service Fabric diagnostic logs. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`eventStoreServiceEnabled`](#parameter-eventstoreserviceenabled) | bool | Indicates if the event store service is enabled. | -| [`fabricSettings`](#parameter-fabricsettings) | array | The list of custom fabric settings to configure the cluster. | -| [`infrastructureServiceManager`](#parameter-infrastructureservicemanager) | bool | Indicates if infrastructure service manager is enabled. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`maxUnusedVersionsToKeep`](#parameter-maxunusedversionstokeep) | int | Number of unused versions per application type to keep. | -| [`notifications`](#parameter-notifications) | array | Indicates a list of notification channels for cluster events. | -| [`reverseProxyCertificate`](#parameter-reverseproxycertificate) | object | Describes the certificate details. 
| -| [`reverseProxyCertificateCommonNames`](#parameter-reverseproxycertificatecommonnames) | object | Describes a list of server certificates referenced by common name that are used to secure the cluster. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`sfZonalUpgradeMode`](#parameter-sfzonalupgrademode) | string | This property controls the logical grouping of VMs in upgrade domains (UDs). This property cannot be modified if a node type with multiple Availability Zones is already present in the cluster. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`upgradeDescription`](#parameter-upgradedescription) | object | Describes the policy used when upgrading the cluster. | -| [`upgradeMode`](#parameter-upgrademode) | string | The upgrade mode of the cluster when new Service Fabric runtime version is available. | -| [`upgradePauseEndTimestampUtc`](#parameter-upgradepauseendtimestamputc) | string | Indicates the end date and time to pause automatic runtime version upgrades on the cluster for an specific period of time on the cluster (UTC). | -| [`upgradePauseStartTimestampUtc`](#parameter-upgradepausestarttimestamputc) | string | Indicates the start date and time to pause automatic runtime version upgrades on the cluster for an specific period of time on the cluster (UTC). | -| [`upgradeWave`](#parameter-upgradewave) | string | Indicates when new cluster runtime version upgrades will be applied after they are released. By default is Wave0. | -| [`vmImage`](#parameter-vmimage) | string | The VM image VMSS has been configured with. Generic names such as Windows or Linux can be used. | -| [`vmssZonalUpgradeMode`](#parameter-vmsszonalupgrademode) | string | This property defines the upgrade mode for the virtual machine scale set, it is mandatory if a node type with multiple Availability Zones is added. 
| -| [`waveUpgradePaused`](#parameter-waveupgradepaused) | bool | Boolean to pause automatic runtime version upgrades to the cluster. | - -### Parameter: `managementEndpoint` - -The http management endpoint of the cluster. - -- Required: Yes -- Type: string - -### Parameter: `name` - -Name of the Service Fabric cluster. - -- Required: Yes -- Type: string - -### Parameter: `nodeTypes` - -The list of node types in the cluster. - -- Required: Yes -- Type: array - -### Parameter: `reliabilityLevel` - -The reliability level sets the replica set size of system services. Learn about ReliabilityLevel (https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-capacity). - None - Run the System services with a target replica set count of 1. This should only be used for test clusters. - Bronze - Run the System services with a target replica set count of 3. This should only be used for test clusters. - Silver - Run the System services with a target replica set count of 5. - Gold - Run the System services with a target replica set count of 7. - Platinum - Run the System services with a target replica set count of 9. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Bronze' - 'Gold' - 'None' - 'Platinum' - 'Silver' - ] - ``` - -### Parameter: `addOnFeatures` - -The list of add-on features to enable in the cluster. - -- Required: No -- Type: array -- Default: `[]` -- Allowed: - ```Bicep - [ - 'BackupRestoreService' - 'DnsService' - 'RepairManager' - 'ResourceMonitorService' - ] - ``` - -### Parameter: `applicationTypes` - -Array of Service Fabric cluster application types. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `azureActiveDirectory` - -The settings to enable AAD authentication on the cluster. 
- -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `certificate` - -Describes the certificate details like thumbprint of the primary certificate, thumbprint of the secondary certificate and the local certificate store location. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `certificateCommonNames` - -Describes a list of server certificates referenced by common name that are used to secure the cluster. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `clientCertificateCommonNames` - -The list of client certificates referenced by common name that are allowed to manage the cluster. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `clientCertificateThumbprints` - -The list of client certificates referenced by thumbprint that are allowed to manage the cluster. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `clusterCodeVersion` - -The Service Fabric runtime version of the cluster. This property can only by set the user when upgradeMode is set to "Manual". To get list of available Service Fabric versions for new clusters use ClusterVersion API. To get the list of available version for existing clusters use availableClusterVersions. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `diagnosticsStorageAccountConfig` - -The storage account information for storing Service Fabric diagnostic logs. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `eventStoreServiceEnabled` - -Indicates if the event store service is enabled. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `fabricSettings` - -The list of custom fabric settings to configure the cluster. 
- -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `infrastructureServiceManager` - -Indicates if infrastructure service manager is enabled. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `maxUnusedVersionsToKeep` - -Number of unused versions per application type to keep. - -- Required: No -- Type: int -- Default: `3` - -### Parameter: `notifications` - -Indicates a list of notification channels for cluster events. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `reverseProxyCertificate` - -Describes the certificate details. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `reverseProxyCertificateCommonNames` - -Describes a list of server certificates referenced by common name that are used to secure the cluster. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `sfZonalUpgradeMode` - -This property controls the logical grouping of VMs in upgrade domains (UDs). This property cannot be modified if a node type with multiple Availability Zones is already present in the cluster. - -- Required: No -- Type: string -- Default: `'Hierarchical'` -- Allowed: - ```Bicep - [ - 'Hierarchical' - 'Parallel' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `upgradeDescription` - -Describes the policy used when upgrading the cluster. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `upgradeMode` - -The upgrade mode of the cluster when new Service Fabric runtime version is available. - -- Required: No -- Type: string -- Default: `'Automatic'` -- Allowed: - ```Bicep - [ - 'Automatic' - 'Manual' - ] - ``` - -### Parameter: `upgradePauseEndTimestampUtc` - -Indicates the end date and time to pause automatic runtime version upgrades on the cluster for an specific period of time on the cluster (UTC). 
- -- Required: No -- Type: string -- Default: `''` - -### Parameter: `upgradePauseStartTimestampUtc` - -Indicates the start date and time to pause automatic runtime version upgrades on the cluster for an specific period of time on the cluster (UTC). - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `upgradeWave` - -Indicates when new cluster runtime version upgrades will be applied after they are released. By default is Wave0. - -- Required: No -- Type: string -- Default: `'Wave0'` -- Allowed: - ```Bicep - [ - 'Wave0' - 'Wave1' - 'Wave2' - ] - ``` - -### Parameter: `vmImage` - -The VM image VMSS has been configured with. Generic names such as Windows or Linux can be used. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `vmssZonalUpgradeMode` - -This property defines the upgrade mode for the virtual machine scale set, it is mandatory if a node type with multiple Availability Zones is added. - -- Required: No -- Type: string -- Default: `'Hierarchical'` -- Allowed: - ```Bicep - [ - 'Hierarchical' - 'Parallel' - ] - ``` - -### Parameter: `waveUpgradePaused` - -Boolean to pause automatic runtime version upgrades to the cluster. - -- Required: No -- Type: bool -- Default: `False` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `endpoint` | string | The Service Fabric Cluster endpoint. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The Service Fabric Cluster name. | -| `resourceGroupName` | string | The Service Fabric Cluster resource group. | -| `resourceId` | string | The Service Fabric Cluster resource ID. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `notifications` - -

- -Parameter JSON format - -```json -"notifications": { - "value": [ - { - "isEnabled": true, // Required. Indicates if the notification is enabled. - "notificationCategory": "WaveProgress", // Required. The category of notification. Possible values include: "WaveProgress". - "notificationLevel": "Critical", // Required. The level of notification. Possible values include: "Critical", "All". - "notificationTargets": [ - { - "notificationChannel": "EmailUser", // Required. The notification channel indicates the type of receivers subscribed to the notification, either user or subscription. Possible values include: "EmailUser", "EmailSubscription". - "receivers": [ - "SomeReceiver" // Required. List of targets that subscribe to the notification. - ] - } - ] - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -notifications: [ - { - isEnabled: true // Required. Indicates if the notification is enabled. - notificationCategory: 'WaveProgress' // Required. The category of notification. Possible values include: 'WaveProgress'. - notificationLevel: 'Critical' // Required. The level of notification. Possible values include: 'Critical' 'All'. - notificationTargets: [ - { - notificationChannel: 'EmailUser' // Required. The notification channel indicates the type of receivers subscribed to the notification either user or subscription. Possible values include: 'EmailUser' 'EmailSubscription'. - receivers: [ - 'SomeReceiver' // Required. List of targets that subscribe to the notification. - ] - } - ] - } -] -``` - -
-

+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/service-fabric/cluster/application-type/README.md b/modules/service-fabric/cluster/application-type/README.md
deleted file mode 100644
index c2334d1daa..0000000000
--- a/modules/service-fabric/cluster/application-type/README.md
+++ /dev/null
@@ -1,75 +0,0 @@
-# Service Fabric Cluster Application Types `[Microsoft.ServiceFabric/clusters/applicationTypes]`
-
-This module deploys a Service Fabric Cluster Application Type.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.ServiceFabric/clusters/applicationTypes` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceFabric/2021-06-01/clusters/applicationTypes) |
-
-## Parameters
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`serviceFabricClusterName`](#parameter-servicefabricclustername) | string | The name of the parent Service Fabric cluster. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`name`](#parameter-name) | string | Application type name. |
-| [`tags`](#parameter-tags) | object | Tags of the resource. |
-
-### Parameter: `serviceFabricClusterName`
-
-The name of the parent Service Fabric cluster. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `name`
-
-Application type name.
-
-- Required: No
-- Type: string
-- Default: `'defaultApplicationType'`
-
-### Parameter: `tags`
-
-Tags of the resource.
-
-- Required: No
-- Type: object
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The resource name of the Application type. |
-| `resourceGroupName` | string | The resource group of the Application type. |
-| `resourceID` | string | The resource ID of the Application type. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/service-fabric/cluster/application-type/main.bicep b/modules/service-fabric/cluster/application-type/main.bicep
deleted file mode 100644
index e630244a60..0000000000
--- a/modules/service-fabric/cluster/application-type/main.bicep
+++ /dev/null
@@ -1,46 +0,0 @@
-metadata name = 'Service Fabric Cluster Application Types'
-metadata description = 'This module deploys a Service Fabric Cluster Application Type.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Service Fabric cluster. Required if the template is used in a standalone deployment.')
-param serviceFabricClusterName string
-
-@description('Optional. Application type name.')
-param name string = 'defaultApplicationType'
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource serviceFabricCluster 'Microsoft.ServiceFabric/clusters@2021-06-01' existing = {
- name: serviceFabricClusterName
-}
-
-resource applicationTypes 'Microsoft.ServiceFabric/clusters/applicationTypes@2021-06-01' = {
- name: name
- parent: serviceFabricCluster
- tags: tags
-}
-
-@description('The resource name of the Application type.')
-output name string = applicationTypes.name
-
-@description('The resource group of the Application type.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The resource ID of the Application type.')
-output resourceID string = applicationTypes.id
diff --git a/modules/service-fabric/cluster/application-type/main.json b/modules/service-fabric/cluster/application-type/main.json
deleted file mode 100644
index eacd61f908..0000000000
--- a/modules/service-fabric/cluster/application-type/main.json
+++ /dev/null
@@ -1,98 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4810595833725093386" - }, - "name": "Service Fabric Cluster Application Types", - "description": "This module deploys a Service Fabric Cluster Application Type.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "serviceFabricClusterName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Service Fabric cluster. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "defaultApplicationType", - "metadata": { - "description": "Optional. Application type name." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "serviceFabricCluster": { - "existing": true, - "type": "Microsoft.ServiceFabric/clusters", - "apiVersion": "2021-06-01", - "name": "[parameters('serviceFabricClusterName')]" - }, - "applicationTypes": { - "type": "Microsoft.ServiceFabric/clusters/applicationTypes", - "apiVersion": "2021-06-01", - "name": "[format('{0}/{1}', parameters('serviceFabricClusterName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "dependsOn": [ - "serviceFabricCluster" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The resource name of the Application type." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the Application type." - }, - "value": "[resourceGroup().name]" - }, - "resourceID": { - "type": "string", - "metadata": { - "description": "The resource ID of the Application type." - }, - "value": "[resourceId('Microsoft.ServiceFabric/clusters/applicationTypes', parameters('serviceFabricClusterName'), parameters('name'))]" - } - } -} \ No newline at end of file diff --git a/modules/service-fabric/cluster/application-type/version.json b/modules/service-fabric/cluster/application-type/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/service-fabric/cluster/application-type/version.json +++ /dev/null 
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/service-fabric/cluster/main.bicep b/modules/service-fabric/cluster/main.bicep
deleted file mode 100644
index b49631e5e7..0000000000
--- a/modules/service-fabric/cluster/main.bicep
+++ /dev/null
@@ -1,373 +0,0 @@ -metadata name = 'Service Fabric Clusters' -metadata description = 'This module deploys a Service Fabric Cluster.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. Name of the Service Fabric cluster.') -param name string - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. Tags of the resource.') -param tags object? - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@allowed([ - 'BackupRestoreService' - 'DnsService' - 'RepairManager' - 'ResourceMonitorService' -]) -@description('Optional. The list of add-on features to enable in the cluster.') -param addOnFeatures array = [] - -@description('Optional. Number of unused versions per application type to keep.') -param maxUnusedVersionsToKeep int = 3 - -@description('Optional. The settings to enable AAD authentication on the cluster.') -param azureActiveDirectory object = {} - -@description('Optional. Describes the certificate details like thumbprint of the primary certificate, thumbprint of the secondary certificate and the local certificate store location.') -param certificate object = {} - -@description('Optional. Describes a list of server certificates referenced by common name that are used to secure the cluster.') -param certificateCommonNames object = {} - -@description('Optional. The list of client certificates referenced by common name that are allowed to manage the cluster.') -param clientCertificateCommonNames array = [] - -@description('Optional. The list of client certificates referenced by thumbprint that are allowed to manage the cluster.') -param clientCertificateThumbprints array = [] - -@description('Optional. The Service Fabric runtime version of the cluster. 
This property can only by set the user when upgradeMode is set to "Manual". To get list of available Service Fabric versions for new clusters use ClusterVersion API. To get the list of available version for existing clusters use availableClusterVersions.') -param clusterCodeVersion string = '' - -@description('Optional. The storage account information for storing Service Fabric diagnostic logs.') -param diagnosticsStorageAccountConfig object = {} - -@description('Optional. Indicates if the event store service is enabled.') -param eventStoreServiceEnabled bool = false - -@description('Optional. The list of custom fabric settings to configure the cluster.') -param fabricSettings array = [] - -@description('Optional. Indicates if infrastructure service manager is enabled.') -param infrastructureServiceManager bool = false - -@description('Required. The http management endpoint of the cluster.') -param managementEndpoint string - -@description('Required. The list of node types in the cluster.') -param nodeTypes array - -@description('Optional. Indicates a list of notification channels for cluster events.') -param notifications array = [] - -@allowed([ - 'Bronze' - 'Gold' - 'None' - 'Platinum' - 'Silver' -]) -@description('Required. The reliability level sets the replica set size of system services. Learn about ReliabilityLevel (https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-capacity). - None - Run the System services with a target replica set count of 1. This should only be used for test clusters. - Bronze - Run the System services with a target replica set count of 3. This should only be used for test clusters. - Silver - Run the System services with a target replica set count of 5. - Gold - Run the System services with a target replica set count of 7. - Platinum - Run the System services with a target replica set count of 9.') -param reliabilityLevel string - -@description('Optional. 
Describes the certificate details.') -param reverseProxyCertificate object = {} - -@description('Optional. Describes a list of server certificates referenced by common name that are used to secure the cluster.') -param reverseProxyCertificateCommonNames object = {} - -@allowed([ - 'Hierarchical' - 'Parallel' -]) -@description('Optional. This property controls the logical grouping of VMs in upgrade domains (UDs). This property cannot be modified if a node type with multiple Availability Zones is already present in the cluster.') -param sfZonalUpgradeMode string = 'Hierarchical' - -@description('Optional. Describes the policy used when upgrading the cluster.') -param upgradeDescription object = {} - -@allowed([ - 'Automatic' - 'Manual' -]) -@description('Optional. The upgrade mode of the cluster when new Service Fabric runtime version is available.') -param upgradeMode string = 'Automatic' - -@description('Optional. Indicates the end date and time to pause automatic runtime version upgrades on the cluster for an specific period of time on the cluster (UTC).') -param upgradePauseEndTimestampUtc string = '' - -@description('Optional. Indicates the start date and time to pause automatic runtime version upgrades on the cluster for an specific period of time on the cluster (UTC).') -param upgradePauseStartTimestampUtc string = '' - -@allowed([ - 'Wave0' - 'Wave1' - 'Wave2' -]) -@description('Optional. Indicates when new cluster runtime version upgrades will be applied after they are released. By default is Wave0.') -param upgradeWave string = 'Wave0' - -@description('Optional. The VM image VMSS has been configured with. Generic names such as Windows or Linux can be used.') -param vmImage string = '' - -@allowed([ - 'Hierarchical' - 'Parallel' -]) -@description('Optional. 
This property defines the upgrade mode for the virtual machine scale set, it is mandatory if a node type with multiple Availability Zones is added.') -param vmssZonalUpgradeMode string = 'Hierarchical' - -@description('Optional. Boolean to pause automatic runtime version upgrades to the cluster.') -param waveUpgradePaused bool = false - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. Array of Service Fabric cluster application types.') -param applicationTypes array = [] - -var enableReferencedModulesTelemetry = false - -var clientCertificateCommonNamesVar = [for clientCertificateCommonName in clientCertificateCommonNames: { - certificateCommonName: contains(clientCertificateCommonName, 'certificateCommonName') ? clientCertificateCommonName.certificateCommonName : null - certificateIssuerThumbprint: contains(clientCertificateCommonName, 'certificateIssuerThumbprint') ? clientCertificateCommonName.certificateIssuerThumbprint : null - isAdmin: contains(clientCertificateCommonName, 'isAdmin') ? clientCertificateCommonName.isAdmin : false -}] - -var clientCertificateThumbprintsVar = [for clientCertificateThumbprint in clientCertificateThumbprints: { - certificateThumbprint: contains(clientCertificateThumbprint, 'certificateThumbprint') ? clientCertificateThumbprint.certificateThumbprint : null - isAdmin: contains(clientCertificateThumbprint, 'isAdmin') ? clientCertificateThumbprint.isAdmin : false -}] - -var fabricSettingsVar = [for fabricSetting in fabricSettings: { - name: contains(fabricSetting, 'name') ? fabricSetting.name : null - parameters: contains(fabricSetting, 'parameters') ? fabricSetting.parameters : null -}] - -var fnodeTypesVar = [for nodeType in nodeTypes: { - applicationPorts: contains(nodeType, 'applicationPorts') ? { - endPort: contains(nodeType.applicationPorts, 'endPort') ? 
nodeType.applicationPorts.endPort : null - startPort: contains(nodeType.applicationPorts, 'startPort') ? nodeType.applicationPorts.startPort : null - } : null - capacities: contains(nodeType, 'capacities') ? nodeType.capacities : null - clientConnectionEndpointPort: contains(nodeType, 'clientConnectionEndpointPort') ? nodeType.clientConnectionEndpointPort : null - durabilityLevel: contains(nodeType, 'durabilityLevel') ? nodeType.durabilityLevel : null - ephemeralPorts: contains(nodeType, 'ephemeralPorts') ? { - endPort: contains(nodeType.ephemeralPorts, 'endPort') ? nodeType.ephemeralPorts.endPort : null - startPort: contains(nodeType.ephemeralPorts, 'startPort') ? nodeType.ephemeralPorts.startPort : null - } : null - httpGatewayEndpointPort: contains(nodeType, 'httpGatewayEndpointPort') ? nodeType.httpGatewayEndpointPort : null - isPrimary: contains(nodeType, 'isPrimary') ? nodeType.isPrimary : null - isStateless: contains(nodeType, 'isStateless') ? nodeType.isStateless : null - multipleAvailabilityZones: contains(nodeType, 'multipleAvailabilityZones') ? nodeType.multipleAvailabilityZones : null - name: contains(nodeType, 'name') ? nodeType.name : 'Node00' - placementProperties: contains(nodeType, 'placementProperties') ? nodeType.placementProperties : null - reverseProxyEndpointPort: contains(nodeType, 'reverseProxyEndpointPort') ? nodeType.reverseProxyEndpointPort : null - vmInstanceCount: contains(nodeType, 'vmInstanceCount') ? nodeType.vmInstanceCount : 1 -}] - -var notificationsVar = [for notification in notifications: { - isEnabled: contains(notification, 'isEnabled') ? notification.isEnabled : false - notificationCategory: contains(notification, 'notificationCategory') ? notification.notificationCategory : 'WaveProgress' - notificationLevel: contains(notification, 'notificationLevel') ? notification.notificationLevel : 'All' - notificationTargets: contains(notification, 'notificationTargets') ? 
notification.notificationTargets : [] -}] - -var upgradeDescriptionVar = union({ - deltaHealthPolicy: { - applicationDeltaHealthPolicies: contains(upgradeDescription, 'applicationDeltaHealthPolicies') ? upgradeDescription.applicationDeltaHealthPolicies : {} - maxPercentDeltaUnhealthyApplications: contains(upgradeDescription, 'maxPercentDeltaUnhealthyApplications') ? upgradeDescription.maxPercentDeltaUnhealthyApplications : 0 - maxPercentDeltaUnhealthyNodes: contains(upgradeDescription, 'maxPercentDeltaUnhealthyNodes') ? upgradeDescription.maxPercentDeltaUnhealthyNodes : 0 - maxPercentUpgradeDomainDeltaUnhealthyNodes: contains(upgradeDescription, 'maxPercentUpgradeDomainDeltaUnhealthyNodes') ? upgradeDescription.maxPercentUpgradeDomainDeltaUnhealthyNodes : 0 - } - forceRestart: contains(upgradeDescription, 'forceRestart') ? upgradeDescription.forceRestart : false - healthCheckRetryTimeout: contains(upgradeDescription, 'healthCheckRetryTimeout') ? upgradeDescription.healthCheckRetryTimeout : '00:45:00' - healthCheckStableDuration: contains(upgradeDescription, 'healthCheckStableDuration') ? upgradeDescription.healthCheckStableDuration : '00:01:00' - healthCheckWaitDuration: contains(upgradeDescription, 'healthCheckWaitDuration') ? upgradeDescription.healthCheckWaitDuration : '00:00:30' - upgradeDomainTimeout: contains(upgradeDescription, 'upgradeDomainTimeout') ? upgradeDescription.upgradeDomainTimeout : '02:00:00' - upgradeReplicaSetCheckTimeout: contains(upgradeDescription, 'upgradeReplicaSetCheckTimeout') ? upgradeDescription.upgradeReplicaSetCheckTimeout : '1.00:00:00' - upgradeTimeout: contains(upgradeDescription, 'upgradeTimeout') ? upgradeDescription.upgradeTimeout : '02:00:00' - }, contains(upgradeDescription, 'healthPolicy') ? { - healthPolicy: { - applicationHealthPolicies: contains(upgradeDescription.healthPolicy, 'applicationHealthPolicies') ? 
upgradeDescription.healthPolicy.applicationHealthPolicies : {} - maxPercentUnhealthyApplications: contains(upgradeDescription.healthPolicy, 'maxPercentUnhealthyApplications') ? upgradeDescription.healthPolicy.maxPercentUnhealthyApplications : 0 - maxPercentUnhealthyNodes: contains(upgradeDescription.healthPolicy, 'maxPercentUnhealthyNodes') ? upgradeDescription.healthPolicy.maxPercentUnhealthyNodes : 0 - } - } : {}) - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -// Service Fabric cluster resource -resource serviceFabricCluster 'Microsoft.ServiceFabric/clusters@2021-06-01' = { - name: name - location: location - tags: tags - properties: { - addOnFeatures: addOnFeatures - applicationTypeVersionsCleanupPolicy: { - maxUnusedVersionsToKeep: maxUnusedVersionsToKeep - } - azureActiveDirectory: !empty(azureActiveDirectory) ? { - clientApplication: contains(azureActiveDirectory, 'clientApplication') ? 
azureActiveDirectory.clientApplication : null - clusterApplication: contains(azureActiveDirectory, 'clusterApplication') ? azureActiveDirectory.clusterApplication : null - tenantId: contains(azureActiveDirectory, 'tenantId') ? azureActiveDirectory.tenantId : null - } : null - certificate: !empty(certificate) ? { - thumbprint: contains(certificate, 'thumbprint') ? certificate.thumbprint : null - thumbprintSecondary: contains(certificate, 'thumbprintSecondary') ? certificate.thumbprintSecondary : null - x509StoreName: contains(certificate, 'x509StoreName') ? certificate.x509StoreName : null - } : null - certificateCommonNames: !empty(certificateCommonNames) ? { - commonNames: contains(certificateCommonNames, 'commonNames') ? certificateCommonNames.commonNames : null - x509StoreName: contains(certificateCommonNames, 'certificateCommonNamesx509StoreName') ? certificateCommonNames.certificateCommonNamesx509StoreName : null - } : null - clientCertificateCommonNames: !empty(clientCertificateCommonNames) ? clientCertificateCommonNamesVar : null - clientCertificateThumbprints: !empty(clientCertificateThumbprints) ? clientCertificateThumbprintsVar : null - clusterCodeVersion: !empty(clusterCodeVersion) ? clusterCodeVersion : null - diagnosticsStorageAccountConfig: !empty(diagnosticsStorageAccountConfig) ? { - blobEndpoint: contains(diagnosticsStorageAccountConfig, 'blobEndpoint') ? diagnosticsStorageAccountConfig.blobEndpoint : null - protectedAccountKeyName: contains(diagnosticsStorageAccountConfig, 'protectedAccountKeyName') ? diagnosticsStorageAccountConfig.protectedAccountKeyName : null - protectedAccountKeyName2: contains(diagnosticsStorageAccountConfig, 'protectedAccountKeyName2') ? diagnosticsStorageAccountConfig.protectedAccountKeyName2 : null - queueEndpoint: contains(diagnosticsStorageAccountConfig, 'queueEndpoint') ? diagnosticsStorageAccountConfig.queueEndpoint : null - storageAccountName: contains(diagnosticsStorageAccountConfig, 'storageAccountName') ? 
diagnosticsStorageAccountConfig.storageAccountName : null - tableEndpoint: contains(diagnosticsStorageAccountConfig, 'tableEndpoint') ? diagnosticsStorageAccountConfig.tableEndpoint : null - } : null - eventStoreServiceEnabled: eventStoreServiceEnabled - fabricSettings: !empty(fabricSettings) ? fabricSettingsVar : null - infrastructureServiceManager: infrastructureServiceManager - managementEndpoint: managementEndpoint - nodeTypes: !empty(nodeTypes) ? fnodeTypesVar : [] - notifications: !empty(notifications) ? notificationsVar : null - reliabilityLevel: !empty(reliabilityLevel) ? reliabilityLevel : 'None' - reverseProxyCertificate: !empty(reverseProxyCertificate) ? { - thumbprint: contains(reverseProxyCertificate, 'thumbprint') ? reverseProxyCertificate.thumbprint : null - thumbprintSecondary: contains(reverseProxyCertificate, 'thumbprintSecondary') ? reverseProxyCertificate.thumbprintSecondary : null - x509StoreName: contains(reverseProxyCertificate, 'x509StoreName') ? reverseProxyCertificate.x509StoreName : null - } : null - reverseProxyCertificateCommonNames: !empty(reverseProxyCertificateCommonNames) ? { - commonNames: contains(reverseProxyCertificateCommonNames, 'commonNames') ? reverseProxyCertificateCommonNames.commonNames : null - x509StoreName: contains(reverseProxyCertificateCommonNames, 'x509StoreName') ? reverseProxyCertificateCommonNames.x509StoreName : null - } : null - sfZonalUpgradeMode: !empty(sfZonalUpgradeMode) ? sfZonalUpgradeMode : null - upgradeDescription: !empty(upgradeDescription) ? upgradeDescriptionVar : null - upgradeMode: !empty(upgradeMode) ? upgradeMode : null - upgradePauseEndTimestampUtc: !empty(upgradePauseEndTimestampUtc) ? upgradePauseEndTimestampUtc : null - upgradePauseStartTimestampUtc: !empty(upgradePauseStartTimestampUtc) ? upgradePauseStartTimestampUtc : null - upgradeWave: !empty(upgradeWave) ? upgradeWave : null - vmImage: !empty(vmImage) ? vmImage : null - vmssZonalUpgradeMode: !empty(vmssZonalUpgradeMode) ? 
vmssZonalUpgradeMode : null - waveUpgradePaused: waveUpgradePaused - } -} - -// Service Fabric cluster resource lock -resource serviceFabricCluster_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' - } - scope: serviceFabricCluster -} - -// Service Fabric cluster RBAC assignment -resource serviceFabricCluster_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(serviceFabricCluster.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? 
'2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: serviceFabricCluster -}] - -// Service Fabric cluster application types -module serviceFabricCluster_applicationTypes 'application-type/main.bicep' = [for applicationType in applicationTypes: { - name: '${uniqueString(deployment().name, location)}-SFC-${applicationType.name}' - params: { - name: applicationType.name - serviceFabricClusterName: serviceFabricCluster.name - tags: applicationType.?tags ?? tags - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -@description('The Service Fabric Cluster name.') -output name string = serviceFabricCluster.name - -@description('The Service Fabric Cluster resource group.') -output resourceGroupName string = resourceGroup().name - -@description('The Service Fabric Cluster resource ID.') -output resourceId string = serviceFabricCluster.id - -@description('The Service Fabric Cluster endpoint.') -output endpoint string = serviceFabricCluster.properties.clusterEndpoint - -@description('The location the resource was deployed into.') -output location string = serviceFabricCluster.location - -// =============== // -// Definitions // -// =============== // - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. 
The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? diff --git a/modules/service-fabric/cluster/main.json b/modules/service-fabric/cluster/main.json deleted file mode 100644 index f23067b513..0000000000 --- a/modules/service-fabric/cluster/main.json +++ /dev/null 
@@ -1,696 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5275013787596152510" - }, - "name": "Service Fabric Clusters", - "description": "This module deploys a Service Fabric Cluster.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Service Fabric cluster." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "addOnFeatures": { - "type": "array", - "defaultValue": [], - "allowedValues": [ - "BackupRestoreService", - "DnsService", - "RepairManager", - "ResourceMonitorService" - ], - "metadata": { - "description": "Optional. The list of add-on features to enable in the cluster." - } - }, - "maxUnusedVersionsToKeep": { - "type": "int", - "defaultValue": 3, - "metadata": { - "description": "Optional. Number of unused versions per application type to keep." 
- } - }, - "azureActiveDirectory": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The settings to enable AAD authentication on the cluster." - } - }, - "certificate": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Describes the certificate details like thumbprint of the primary certificate, thumbprint of the secondary certificate and the local certificate store location." - } - }, - "certificateCommonNames": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Describes a list of server certificates referenced by common name that are used to secure the cluster." - } - }, - "clientCertificateCommonNames": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of client certificates referenced by common name that are allowed to manage the cluster." - } - }, - "clientCertificateThumbprints": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of client certificates referenced by thumbprint that are allowed to manage the cluster." - } - }, - "clusterCodeVersion": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The Service Fabric runtime version of the cluster. This property can only by set the user when upgradeMode is set to \"Manual\". To get list of available Service Fabric versions for new clusters use ClusterVersion API. To get the list of available version for existing clusters use availableClusterVersions." - } - }, - "diagnosticsStorageAccountConfig": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The storage account information for storing Service Fabric diagnostic logs." - } - }, - "eventStoreServiceEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates if the event store service is enabled." 
- } - }, - "fabricSettings": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of custom fabric settings to configure the cluster." - } - }, - "infrastructureServiceManager": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates if infrastructure service manager is enabled." - } - }, - "managementEndpoint": { - "type": "string", - "metadata": { - "description": "Required. The http management endpoint of the cluster." - } - }, - "nodeTypes": { - "type": "array", - "metadata": { - "description": "Required. The list of node types in the cluster." - } - }, - "notifications": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Indicates a list of notification channels for cluster events." - } - }, - "reliabilityLevel": { - "type": "string", - "allowedValues": [ - "Bronze", - "Gold", - "None", - "Platinum", - "Silver" - ], - "metadata": { - "description": "Required. The reliability level sets the replica set size of system services. Learn about ReliabilityLevel (https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-capacity). - None - Run the System services with a target replica set count of 1. This should only be used for test clusters. - Bronze - Run the System services with a target replica set count of 3. This should only be used for test clusters. - Silver - Run the System services with a target replica set count of 5. - Gold - Run the System services with a target replica set count of 7. - Platinum - Run the System services with a target replica set count of 9." - } - }, - "reverseProxyCertificate": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Describes the certificate details." - } - }, - "reverseProxyCertificateCommonNames": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. 
Describes a list of server certificates referenced by common name that are used to secure the cluster." - } - }, - "sfZonalUpgradeMode": { - "type": "string", - "defaultValue": "Hierarchical", - "allowedValues": [ - "Hierarchical", - "Parallel" - ], - "metadata": { - "description": "Optional. This property controls the logical grouping of VMs in upgrade domains (UDs). This property cannot be modified if a node type with multiple Availability Zones is already present in the cluster." - } - }, - "upgradeDescription": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Describes the policy used when upgrading the cluster." - } - }, - "upgradeMode": { - "type": "string", - "defaultValue": "Automatic", - "allowedValues": [ - "Automatic", - "Manual" - ], - "metadata": { - "description": "Optional. The upgrade mode of the cluster when new Service Fabric runtime version is available." - } - }, - "upgradePauseEndTimestampUtc": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Indicates the end date and time to pause automatic runtime version upgrades on the cluster for an specific period of time on the cluster (UTC)." - } - }, - "upgradePauseStartTimestampUtc": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Indicates the start date and time to pause automatic runtime version upgrades on the cluster for an specific period of time on the cluster (UTC)." - } - }, - "upgradeWave": { - "type": "string", - "defaultValue": "Wave0", - "allowedValues": [ - "Wave0", - "Wave1", - "Wave2" - ], - "metadata": { - "description": "Optional. Indicates when new cluster runtime version upgrades will be applied after they are released. By default is Wave0." - } - }, - "vmImage": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The VM image VMSS has been configured with. Generic names such as Windows or Linux can be used." 
- } - }, - "vmssZonalUpgradeMode": { - "type": "string", - "defaultValue": "Hierarchical", - "allowedValues": [ - "Hierarchical", - "Parallel" - ], - "metadata": { - "description": "Optional. This property defines the upgrade mode for the virtual machine scale set, it is mandatory if a node type with multiple Availability Zones is added." - } - }, - "waveUpgradePaused": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Boolean to pause automatic runtime version upgrades to the cluster." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "applicationTypes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of Service Fabric cluster application types." - } - } - }, - "variables": { - "copy": [ - { - "name": "clientCertificateCommonNamesVar", - "count": "[length(parameters('clientCertificateCommonNames'))]", - "input": { - "certificateCommonName": "[if(contains(parameters('clientCertificateCommonNames')[copyIndex('clientCertificateCommonNamesVar')], 'certificateCommonName'), parameters('clientCertificateCommonNames')[copyIndex('clientCertificateCommonNamesVar')].certificateCommonName, null())]", - "certificateIssuerThumbprint": "[if(contains(parameters('clientCertificateCommonNames')[copyIndex('clientCertificateCommonNamesVar')], 'certificateIssuerThumbprint'), parameters('clientCertificateCommonNames')[copyIndex('clientCertificateCommonNamesVar')].certificateIssuerThumbprint, null())]", - "isAdmin": "[if(contains(parameters('clientCertificateCommonNames')[copyIndex('clientCertificateCommonNamesVar')], 'isAdmin'), parameters('clientCertificateCommonNames')[copyIndex('clientCertificateCommonNamesVar')].isAdmin, false())]" - } - }, - { - "name": "clientCertificateThumbprintsVar", - "count": "[length(parameters('clientCertificateThumbprints'))]", - "input": { - 
"certificateThumbprint": "[if(contains(parameters('clientCertificateThumbprints')[copyIndex('clientCertificateThumbprintsVar')], 'certificateThumbprint'), parameters('clientCertificateThumbprints')[copyIndex('clientCertificateThumbprintsVar')].certificateThumbprint, null())]", - "isAdmin": "[if(contains(parameters('clientCertificateThumbprints')[copyIndex('clientCertificateThumbprintsVar')], 'isAdmin'), parameters('clientCertificateThumbprints')[copyIndex('clientCertificateThumbprintsVar')].isAdmin, false())]" - } - }, - { - "name": "fabricSettingsVar", - "count": "[length(parameters('fabricSettings'))]", - "input": { - "name": "[if(contains(parameters('fabricSettings')[copyIndex('fabricSettingsVar')], 'name'), parameters('fabricSettings')[copyIndex('fabricSettingsVar')].name, null())]", - "parameters": "[if(contains(parameters('fabricSettings')[copyIndex('fabricSettingsVar')], 'parameters'), parameters('fabricSettings')[copyIndex('fabricSettingsVar')].parameters, null())]" - } - }, - { - "name": "fnodeTypesVar", - "count": "[length(parameters('nodeTypes'))]", - "input": { - "applicationPorts": "[if(contains(parameters('nodeTypes')[copyIndex('fnodeTypesVar')], 'applicationPorts'), createObject('endPort', if(contains(parameters('nodeTypes')[copyIndex('fnodeTypesVar')].applicationPorts, 'endPort'), parameters('nodeTypes')[copyIndex('fnodeTypesVar')].applicationPorts.endPort, null()), 'startPort', if(contains(parameters('nodeTypes')[copyIndex('fnodeTypesVar')].applicationPorts, 'startPort'), parameters('nodeTypes')[copyIndex('fnodeTypesVar')].applicationPorts.startPort, null())), null())]", - "capacities": "[if(contains(parameters('nodeTypes')[copyIndex('fnodeTypesVar')], 'capacities'), parameters('nodeTypes')[copyIndex('fnodeTypesVar')].capacities, null())]", - "clientConnectionEndpointPort": "[if(contains(parameters('nodeTypes')[copyIndex('fnodeTypesVar')], 'clientConnectionEndpointPort'), 
parameters('nodeTypes')[copyIndex('fnodeTypesVar')].clientConnectionEndpointPort, null())]", - "durabilityLevel": "[if(contains(parameters('nodeTypes')[copyIndex('fnodeTypesVar')], 'durabilityLevel'), parameters('nodeTypes')[copyIndex('fnodeTypesVar')].durabilityLevel, null())]", - "ephemeralPorts": "[if(contains(parameters('nodeTypes')[copyIndex('fnodeTypesVar')], 'ephemeralPorts'), createObject('endPort', if(contains(parameters('nodeTypes')[copyIndex('fnodeTypesVar')].ephemeralPorts, 'endPort'), parameters('nodeTypes')[copyIndex('fnodeTypesVar')].ephemeralPorts.endPort, null()), 'startPort', if(contains(parameters('nodeTypes')[copyIndex('fnodeTypesVar')].ephemeralPorts, 'startPort'), parameters('nodeTypes')[copyIndex('fnodeTypesVar')].ephemeralPorts.startPort, null())), null())]", - "httpGatewayEndpointPort": "[if(contains(parameters('nodeTypes')[copyIndex('fnodeTypesVar')], 'httpGatewayEndpointPort'), parameters('nodeTypes')[copyIndex('fnodeTypesVar')].httpGatewayEndpointPort, null())]", - "isPrimary": "[if(contains(parameters('nodeTypes')[copyIndex('fnodeTypesVar')], 'isPrimary'), parameters('nodeTypes')[copyIndex('fnodeTypesVar')].isPrimary, null())]", - "isStateless": "[if(contains(parameters('nodeTypes')[copyIndex('fnodeTypesVar')], 'isStateless'), parameters('nodeTypes')[copyIndex('fnodeTypesVar')].isStateless, null())]", - "multipleAvailabilityZones": "[if(contains(parameters('nodeTypes')[copyIndex('fnodeTypesVar')], 'multipleAvailabilityZones'), parameters('nodeTypes')[copyIndex('fnodeTypesVar')].multipleAvailabilityZones, null())]", - "name": "[if(contains(parameters('nodeTypes')[copyIndex('fnodeTypesVar')], 'name'), parameters('nodeTypes')[copyIndex('fnodeTypesVar')].name, 'Node00')]", - "placementProperties": "[if(contains(parameters('nodeTypes')[copyIndex('fnodeTypesVar')], 'placementProperties'), parameters('nodeTypes')[copyIndex('fnodeTypesVar')].placementProperties, null())]", - "reverseProxyEndpointPort": 
"[if(contains(parameters('nodeTypes')[copyIndex('fnodeTypesVar')], 'reverseProxyEndpointPort'), parameters('nodeTypes')[copyIndex('fnodeTypesVar')].reverseProxyEndpointPort, null())]", - "vmInstanceCount": "[if(contains(parameters('nodeTypes')[copyIndex('fnodeTypesVar')], 'vmInstanceCount'), parameters('nodeTypes')[copyIndex('fnodeTypesVar')].vmInstanceCount, 1)]" - } - }, - { - "name": "notificationsVar", - "count": "[length(parameters('notifications'))]", - "input": { - "isEnabled": "[if(contains(parameters('notifications')[copyIndex('notificationsVar')], 'isEnabled'), parameters('notifications')[copyIndex('notificationsVar')].isEnabled, false())]", - "notificationCategory": "[if(contains(parameters('notifications')[copyIndex('notificationsVar')], 'notificationCategory'), parameters('notifications')[copyIndex('notificationsVar')].notificationCategory, 'WaveProgress')]", - "notificationLevel": "[if(contains(parameters('notifications')[copyIndex('notificationsVar')], 'notificationLevel'), parameters('notifications')[copyIndex('notificationsVar')].notificationLevel, 'All')]", - "notificationTargets": "[if(contains(parameters('notifications')[copyIndex('notificationsVar')], 'notificationTargets'), parameters('notifications')[copyIndex('notificationsVar')].notificationTargets, createArray())]" - } - } - ], - "enableReferencedModulesTelemetry": false, - "upgradeDescriptionVar": "[union(createObject('deltaHealthPolicy', createObject('applicationDeltaHealthPolicies', if(contains(parameters('upgradeDescription'), 'applicationDeltaHealthPolicies'), parameters('upgradeDescription').applicationDeltaHealthPolicies, createObject()), 'maxPercentDeltaUnhealthyApplications', if(contains(parameters('upgradeDescription'), 'maxPercentDeltaUnhealthyApplications'), parameters('upgradeDescription').maxPercentDeltaUnhealthyApplications, 0), 'maxPercentDeltaUnhealthyNodes', if(contains(parameters('upgradeDescription'), 'maxPercentDeltaUnhealthyNodes'), 
parameters('upgradeDescription').maxPercentDeltaUnhealthyNodes, 0), 'maxPercentUpgradeDomainDeltaUnhealthyNodes', if(contains(parameters('upgradeDescription'), 'maxPercentUpgradeDomainDeltaUnhealthyNodes'), parameters('upgradeDescription').maxPercentUpgradeDomainDeltaUnhealthyNodes, 0)), 'forceRestart', if(contains(parameters('upgradeDescription'), 'forceRestart'), parameters('upgradeDescription').forceRestart, false()), 'healthCheckRetryTimeout', if(contains(parameters('upgradeDescription'), 'healthCheckRetryTimeout'), parameters('upgradeDescription').healthCheckRetryTimeout, '00:45:00'), 'healthCheckStableDuration', if(contains(parameters('upgradeDescription'), 'healthCheckStableDuration'), parameters('upgradeDescription').healthCheckStableDuration, '00:01:00'), 'healthCheckWaitDuration', if(contains(parameters('upgradeDescription'), 'healthCheckWaitDuration'), parameters('upgradeDescription').healthCheckWaitDuration, '00:00:30'), 'upgradeDomainTimeout', if(contains(parameters('upgradeDescription'), 'upgradeDomainTimeout'), parameters('upgradeDescription').upgradeDomainTimeout, '02:00:00'), 'upgradeReplicaSetCheckTimeout', if(contains(parameters('upgradeDescription'), 'upgradeReplicaSetCheckTimeout'), parameters('upgradeDescription').upgradeReplicaSetCheckTimeout, '1.00:00:00'), 'upgradeTimeout', if(contains(parameters('upgradeDescription'), 'upgradeTimeout'), parameters('upgradeDescription').upgradeTimeout, '02:00:00')), if(contains(parameters('upgradeDescription'), 'healthPolicy'), createObject('healthPolicy', createObject('applicationHealthPolicies', if(contains(parameters('upgradeDescription').healthPolicy, 'applicationHealthPolicies'), parameters('upgradeDescription').healthPolicy.applicationHealthPolicies, createObject()), 'maxPercentUnhealthyApplications', if(contains(parameters('upgradeDescription').healthPolicy, 'maxPercentUnhealthyApplications'), parameters('upgradeDescription').healthPolicy.maxPercentUnhealthyApplications, 0), 
'maxPercentUnhealthyNodes', if(contains(parameters('upgradeDescription').healthPolicy, 'maxPercentUnhealthyNodes'), parameters('upgradeDescription').healthPolicy.maxPercentUnhealthyNodes, 0))), createObject()))]", - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "serviceFabricCluster": { - "type": "Microsoft.ServiceFabric/clusters", - "apiVersion": "2021-06-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "addOnFeatures": "[parameters('addOnFeatures')]", - "applicationTypeVersionsCleanupPolicy": { - "maxUnusedVersionsToKeep": "[parameters('maxUnusedVersionsToKeep')]" - }, - "azureActiveDirectory": "[if(not(empty(parameters('azureActiveDirectory'))), createObject('clientApplication', 
if(contains(parameters('azureActiveDirectory'), 'clientApplication'), parameters('azureActiveDirectory').clientApplication, null()), 'clusterApplication', if(contains(parameters('azureActiveDirectory'), 'clusterApplication'), parameters('azureActiveDirectory').clusterApplication, null()), 'tenantId', if(contains(parameters('azureActiveDirectory'), 'tenantId'), parameters('azureActiveDirectory').tenantId, null())), null())]", - "certificate": "[if(not(empty(parameters('certificate'))), createObject('thumbprint', if(contains(parameters('certificate'), 'thumbprint'), parameters('certificate').thumbprint, null()), 'thumbprintSecondary', if(contains(parameters('certificate'), 'thumbprintSecondary'), parameters('certificate').thumbprintSecondary, null()), 'x509StoreName', if(contains(parameters('certificate'), 'x509StoreName'), parameters('certificate').x509StoreName, null())), null())]", - "certificateCommonNames": "[if(not(empty(parameters('certificateCommonNames'))), createObject('commonNames', if(contains(parameters('certificateCommonNames'), 'commonNames'), parameters('certificateCommonNames').commonNames, null()), 'x509StoreName', if(contains(parameters('certificateCommonNames'), 'certificateCommonNamesx509StoreName'), parameters('certificateCommonNames').certificateCommonNamesx509StoreName, null())), null())]", - "clientCertificateCommonNames": "[if(not(empty(parameters('clientCertificateCommonNames'))), variables('clientCertificateCommonNamesVar'), null())]", - "clientCertificateThumbprints": "[if(not(empty(parameters('clientCertificateThumbprints'))), variables('clientCertificateThumbprintsVar'), null())]", - "clusterCodeVersion": "[if(not(empty(parameters('clusterCodeVersion'))), parameters('clusterCodeVersion'), null())]", - "diagnosticsStorageAccountConfig": "[if(not(empty(parameters('diagnosticsStorageAccountConfig'))), createObject('blobEndpoint', if(contains(parameters('diagnosticsStorageAccountConfig'), 'blobEndpoint'), 
parameters('diagnosticsStorageAccountConfig').blobEndpoint, null()), 'protectedAccountKeyName', if(contains(parameters('diagnosticsStorageAccountConfig'), 'protectedAccountKeyName'), parameters('diagnosticsStorageAccountConfig').protectedAccountKeyName, null()), 'protectedAccountKeyName2', if(contains(parameters('diagnosticsStorageAccountConfig'), 'protectedAccountKeyName2'), parameters('diagnosticsStorageAccountConfig').protectedAccountKeyName2, null()), 'queueEndpoint', if(contains(parameters('diagnosticsStorageAccountConfig'), 'queueEndpoint'), parameters('diagnosticsStorageAccountConfig').queueEndpoint, null()), 'storageAccountName', if(contains(parameters('diagnosticsStorageAccountConfig'), 'storageAccountName'), parameters('diagnosticsStorageAccountConfig').storageAccountName, null()), 'tableEndpoint', if(contains(parameters('diagnosticsStorageAccountConfig'), 'tableEndpoint'), parameters('diagnosticsStorageAccountConfig').tableEndpoint, null())), null())]", - "eventStoreServiceEnabled": "[parameters('eventStoreServiceEnabled')]", - "fabricSettings": "[if(not(empty(parameters('fabricSettings'))), variables('fabricSettingsVar'), null())]", - "infrastructureServiceManager": "[parameters('infrastructureServiceManager')]", - "managementEndpoint": "[parameters('managementEndpoint')]", - "nodeTypes": "[if(not(empty(parameters('nodeTypes'))), variables('fnodeTypesVar'), createArray())]", - "notifications": "[if(not(empty(parameters('notifications'))), variables('notificationsVar'), null())]", - "reliabilityLevel": "[if(not(empty(parameters('reliabilityLevel'))), parameters('reliabilityLevel'), 'None')]", - "reverseProxyCertificate": "[if(not(empty(parameters('reverseProxyCertificate'))), createObject('thumbprint', if(contains(parameters('reverseProxyCertificate'), 'thumbprint'), parameters('reverseProxyCertificate').thumbprint, null()), 'thumbprintSecondary', if(contains(parameters('reverseProxyCertificate'), 'thumbprintSecondary'), 
parameters('reverseProxyCertificate').thumbprintSecondary, null()), 'x509StoreName', if(contains(parameters('reverseProxyCertificate'), 'x509StoreName'), parameters('reverseProxyCertificate').x509StoreName, null())), null())]", - "reverseProxyCertificateCommonNames": "[if(not(empty(parameters('reverseProxyCertificateCommonNames'))), createObject('commonNames', if(contains(parameters('reverseProxyCertificateCommonNames'), 'commonNames'), parameters('reverseProxyCertificateCommonNames').commonNames, null()), 'x509StoreName', if(contains(parameters('reverseProxyCertificateCommonNames'), 'x509StoreName'), parameters('reverseProxyCertificateCommonNames').x509StoreName, null())), null())]", - "sfZonalUpgradeMode": "[if(not(empty(parameters('sfZonalUpgradeMode'))), parameters('sfZonalUpgradeMode'), null())]", - "upgradeDescription": "[if(not(empty(parameters('upgradeDescription'))), variables('upgradeDescriptionVar'), null())]", - "upgradeMode": "[if(not(empty(parameters('upgradeMode'))), parameters('upgradeMode'), null())]", - "upgradePauseEndTimestampUtc": "[if(not(empty(parameters('upgradePauseEndTimestampUtc'))), parameters('upgradePauseEndTimestampUtc'), null())]", - "upgradePauseStartTimestampUtc": "[if(not(empty(parameters('upgradePauseStartTimestampUtc'))), parameters('upgradePauseStartTimestampUtc'), null())]", - "upgradeWave": "[if(not(empty(parameters('upgradeWave'))), parameters('upgradeWave'), null())]", - "vmImage": "[if(not(empty(parameters('vmImage'))), parameters('vmImage'), null())]", - "vmssZonalUpgradeMode": "[if(not(empty(parameters('vmssZonalUpgradeMode'))), parameters('vmssZonalUpgradeMode'), null())]", - "waveUpgradePaused": "[parameters('waveUpgradePaused')]" - } - }, - "serviceFabricCluster_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": 
"[format('Microsoft.ServiceFabric/clusters/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "serviceFabricCluster" - ] - }, - "serviceFabricCluster_roleAssignments": { - "copy": { - "name": "serviceFabricCluster_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.ServiceFabric/clusters/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.ServiceFabric/clusters', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "serviceFabricCluster" - ] - }, - "serviceFabricCluster_applicationTypes": { - "copy": { - "name": "serviceFabricCluster_applicationTypes", - "count": "[length(parameters('applicationTypes'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-SFC-{1}', uniqueString(deployment().name, parameters('location')), parameters('applicationTypes')[copyIndex()].name)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('applicationTypes')[copyIndex()].name]" - }, - "serviceFabricClusterName": { - "value": "[parameters('name')]" - }, - "tags": { - "value": "[coalesce(tryGet(parameters('applicationTypes')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4810595833725093386" - }, - "name": "Service Fabric Cluster Application Types", - "description": "This 
module deploys a Service Fabric Cluster Application Type.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "serviceFabricClusterName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Service Fabric cluster. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "defaultApplicationType", - "metadata": { - "description": "Optional. Application type name." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "serviceFabricCluster": { - "existing": true, - "type": "Microsoft.ServiceFabric/clusters", - "apiVersion": "2021-06-01", - "name": "[parameters('serviceFabricClusterName')]" - }, - "applicationTypes": { - "type": "Microsoft.ServiceFabric/clusters/applicationTypes", - "apiVersion": "2021-06-01", - "name": "[format('{0}/{1}', parameters('serviceFabricClusterName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "dependsOn": [ - "serviceFabricCluster" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The resource name of the Application type." 
- }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the Application type." - }, - "value": "[resourceGroup().name]" - }, - "resourceID": { - "type": "string", - "metadata": { - "description": "The resource ID of the Application type." - }, - "value": "[resourceId('Microsoft.ServiceFabric/clusters/applicationTypes', parameters('serviceFabricClusterName'), parameters('name'))]" - } - } - } - }, - "dependsOn": [ - "serviceFabricCluster" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The Service Fabric Cluster name." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The Service Fabric Cluster resource group." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The Service Fabric Cluster resource ID." - }, - "value": "[resourceId('Microsoft.ServiceFabric/clusters', parameters('name'))]" - }, - "endpoint": { - "type": "string", - "metadata": { - "description": "The Service Fabric Cluster endpoint." - }, - "value": "[reference('serviceFabricCluster').clusterEndpoint]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('serviceFabricCluster', '2021-06-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/service-fabric/cluster/tests/e2e/cert/main.test.bicep b/modules/service-fabric/cluster/tests/e2e/cert/main.test.bicep deleted file mode 100644 index abdbb40a0c..0000000000 --- a/modules/service-fabric/cluster/tests/e2e/cert/main.test.bicep +++ /dev/null 
@@ -1,74 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-servicefabric.clusters-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'sfccer'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- managementEndpoint: 'https://${namePrefix}${serviceShort}001.westeurope.cloudapp.azure.com:19080'
- reliabilityLevel: 'None'
- certificate: {
- thumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC130'
- x509StoreName: 'My'
- }
- nodeTypes: [
- {
- applicationPorts: {
- endPort: 30000
- startPort: 20000
- }
- clientConnectionEndpointPort: 19000
- durabilityLevel: 'Bronze'
- ephemeralPorts: {
- endPort: 65534
- startPort: 49152
- }
- httpGatewayEndpointPort: 19080
- isPrimary: true
- name: 'Node01'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/service-fabric/cluster/tests/e2e/defaults/main.test.bicep b/modules/service-fabric/cluster/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index 8a543b9681..0000000000
--- a/modules/service-fabric/cluster/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,69 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-servicefabric.clusters-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'sfcmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- managementEndpoint: 'https://${namePrefix}${serviceShort}001.westeurope.cloudapp.azure.com:19080'
- reliabilityLevel: 'None'
- nodeTypes: [
- {
- applicationPorts: {
- endPort: 30000
- startPort: 20000
- }
- clientConnectionEndpointPort: 19000
- durabilityLevel: 'Bronze'
- ephemeralPorts: {
- endPort: 65534
- startPort: 49152
- }
- httpGatewayEndpointPort: 19080
- isPrimary: true
- name: 'Node01'
- }
- ]
-
- }
-}]
diff --git a/modules/service-fabric/cluster/tests/e2e/max/dependencies.bicep b/modules/service-fabric/cluster/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 3cf8c25ddd..0000000000
--- a/modules/service-fabric/cluster/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,31 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the storage account to create.')
-param storageAccountName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-08-01' = {
- name: storageAccountName
- location: location
- kind: 'StorageV2'
- sku: {
- name: 'Standard_LRS'
- }
- properties: {
- allowBlobPublicAccess: false
- }
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The name of the created Storage Account.')
-output storageAccountName string = storageAccount.name
diff --git a/modules/service-fabric/cluster/tests/e2e/max/main.test.bicep b/modules/service-fabric/cluster/tests/e2e/max/main.test.bicep
deleted file mode 100644
index cb3ffc3d41..0000000000
--- a/modules/service-fabric/cluster/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,236 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-servicefabric.clusters-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'sfcmax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - storageAccountName: 'dep${namePrefix}azsa${serviceShort}01' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - 
'hidden-title': 'This is visible in the resource name' - resourceType: 'Service Fabric' - clusterName: '${namePrefix}${serviceShort}001' - } - addOnFeatures: [ - 'RepairManager' - 'DnsService' - 'BackupRestoreService' - 'ResourceMonitorService' - ] - maxUnusedVersionsToKeep: 2 - azureActiveDirectory: { - clientApplication: nestedDependencies.outputs.managedIdentityPrincipalId - clusterApplication: 'cf33fea8-b30f-424f-ab73-c48d99e0b222' - tenantId: tenant().tenantId - } - certificateCommonNames: { - commonNames: [ - { - certificateCommonName: 'certcommon' - certificateIssuerThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC130' - } - ] - x509StoreName: '' - } - clientCertificateCommonNames: [ - { - certificateCommonName: 'clientcommoncert1' - certificateIssuerThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC130' - isAdmin: false - } - { - certificateCommonName: 'clientcommoncert2' - certificateIssuerThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC131' - isAdmin: false - } - ] - clientCertificateThumbprints: [ - { - certificateThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC130' - isAdmin: false - } - { - certificateThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC131' - isAdmin: false - } - ] - diagnosticsStorageAccountConfig: { - blobEndpoint: 'https://${nestedDependencies.outputs.storageAccountName}.blob.${environment().suffixes.storage}/' - protectedAccountKeyName: 'StorageAccountKey1' - queueEndpoint: 'https://${nestedDependencies.outputs.storageAccountName}.queue.${environment().suffixes.storage}/' - storageAccountName: nestedDependencies.outputs.storageAccountName - tableEndpoint: 'https://${nestedDependencies.outputs.storageAccountName}.table.${environment().suffixes.storage}/' - } - fabricSettings: [ - { - name: 'Security' - parameters: [ - { - name: 'ClusterProtectionLevel' - value: 'EncryptAndSign' - } - ] - } - { - name: 'UpgradeService' - parameters: [ - { - name: 'AppPollIntervalInSeconds' - value: '60' - } - ] - } - ] - managementEndpoint: 
'https://${namePrefix}${serviceShort}001.westeurope.cloudapp.azure.com:19080' - reliabilityLevel: 'Silver' - nodeTypes: [ - { - applicationPorts: { - endPort: 30000 - startPort: 20000 - } - clientConnectionEndpointPort: 19000 - durabilityLevel: 'Silver' - ephemeralPorts: { - endPort: 65534 - startPort: 49152 - } - httpGatewayEndpointPort: 19080 - isPrimary: true - name: 'Node01' - - isStateless: false - multipleAvailabilityZones: false - - placementProperties: {} - reverseProxyEndpointPort: '' - vmInstanceCount: 5 - } - { - applicationPorts: { - endPort: 30000 - startPort: 20000 - } - clientConnectionEndpointPort: 19000 - durabilityLevel: 'Bronze' - ephemeralPorts: { - endPort: 64000 - startPort: 49000 - httpGatewayEndpointPort: 19007 - isPrimary: true - name: 'Node02' - vmInstanceCount: 5 - } - } - ] - notifications: [ - { - isEnabled: true - notificationCategory: 'WaveProgress' - notificationLevel: 'Critical' - notificationTargets: [ - { - notificationChannel: 'EmailUser' - receivers: [ - 'SomeReceiver' - ] - } - ] - } - ] - upgradeDescription: { - forceRestart: false - upgradeReplicaSetCheckTimeout: '1.00:00:00' - healthCheckWaitDuration: '00:00:30' - healthCheckStableDuration: '00:01:00' - healthCheckRetryTimeout: '00:45:00' - upgradeTimeout: '02:00:00' - upgradeDomainTimeout: '02:00:00' - healthPolicy: { - maxPercentUnhealthyNodes: 0 - maxPercentUnhealthyApplications: 0 - } - deltaHealthPolicy: { - maxPercentDeltaUnhealthyNodes: 0 - maxPercentUpgradeDomainDeltaUnhealthyNodes: 0 - maxPercentDeltaUnhealthyApplications: 0 - } - - } - vmImage: 'Linux' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - applicationTypes: [ - { - name: 'WordCount' // not idempotent - } - ] - } -}] diff --git a/modules/service-fabric/cluster/tests/e2e/waf-aligned/dependencies.bicep b/modules/service-fabric/cluster/tests/e2e/waf-aligned/dependencies.bicep deleted file mode 100644 index 3cf8c25ddd..0000000000 --- a/modules/service-fabric/cluster/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null @@ -1,31 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -@description('Required. The name of the storage account to create.') -param storageAccountName string - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -resource storageAccount 'Microsoft.Storage/storageAccounts@2021-08-01' = { - name: storageAccountName - location: location - kind: 'StorageV2' - sku: { - name: 'Standard_LRS' - } - properties: { - allowBlobPublicAccess: false - } -} - -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId - -@description('The name of the created Storage Account.') -output storageAccountName string = storageAccount.name diff --git a/modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep b/modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep deleted file mode 100644 index 4cc334c475..0000000000 --- a/modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep +++ /dev/null 
@@ -1,219 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-servicefabric.clusters-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'sfcwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - storageAccountName: 'dep${namePrefix}azsa${serviceShort}01' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - lock: { - kind: 'CanNotDelete' - name: 
'myCustomLockName' - } - tags: { - 'hidden-title': 'This is visible in the resource name' - resourceType: 'Service Fabric' - clusterName: '${namePrefix}${serviceShort}001' - } - addOnFeatures: [ - 'RepairManager' - 'DnsService' - 'BackupRestoreService' - 'ResourceMonitorService' - ] - maxUnusedVersionsToKeep: 2 - azureActiveDirectory: { - clientApplication: nestedDependencies.outputs.managedIdentityPrincipalId - clusterApplication: 'cf33fea8-b30f-424f-ab73-c48d99e0b222' - tenantId: tenant().tenantId - } - certificateCommonNames: { - commonNames: [ - { - certificateCommonName: 'certcommon' - certificateIssuerThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC130' - } - ] - x509StoreName: '' - } - clientCertificateCommonNames: [ - { - certificateCommonName: 'clientcommoncert1' - certificateIssuerThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC130' - isAdmin: false - } - { - certificateCommonName: 'clientcommoncert2' - certificateIssuerThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC131' - isAdmin: false - } - ] - clientCertificateThumbprints: [ - { - certificateThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC130' - isAdmin: false - } - { - certificateThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC131' - isAdmin: false - } - ] - diagnosticsStorageAccountConfig: { - blobEndpoint: 'https://${nestedDependencies.outputs.storageAccountName}.blob.${environment().suffixes.storage}/' - protectedAccountKeyName: 'StorageAccountKey1' - queueEndpoint: 'https://${nestedDependencies.outputs.storageAccountName}.queue.${environment().suffixes.storage}/' - storageAccountName: nestedDependencies.outputs.storageAccountName - tableEndpoint: 'https://${nestedDependencies.outputs.storageAccountName}.table.${environment().suffixes.storage}/' - } - fabricSettings: [ - { - name: 'Security' - parameters: [ - { - name: 'ClusterProtectionLevel' - value: 'EncryptAndSign' - } - ] - } - { - name: 'UpgradeService' - parameters: [ - { - name: 'AppPollIntervalInSeconds' - value: '60' - } - ] - } - ] - 
managementEndpoint: 'https://${namePrefix}${serviceShort}001.westeurope.cloudapp.azure.com:19080' - reliabilityLevel: 'Silver' - nodeTypes: [ - { - applicationPorts: { - endPort: 30000 - startPort: 20000 - } - clientConnectionEndpointPort: 19000 - durabilityLevel: 'Silver' - ephemeralPorts: { - endPort: 65534 - startPort: 49152 - } - httpGatewayEndpointPort: 19080 - isPrimary: true - name: 'Node01' - - isStateless: false - multipleAvailabilityZones: false - - placementProperties: {} - reverseProxyEndpointPort: '' - vmInstanceCount: 5 - } - { - applicationPorts: { - endPort: 30000 - startPort: 20000 - } - clientConnectionEndpointPort: 19000 - durabilityLevel: 'Bronze' - ephemeralPorts: { - endPort: 64000 - startPort: 49000 - httpGatewayEndpointPort: 19007 - isPrimary: true - name: 'Node02' - vmInstanceCount: 5 - } - } - ] - notifications: [ - { - isEnabled: true - notificationCategory: 'WaveProgress' - notificationLevel: 'Critical' - notificationTargets: [ - { - notificationChannel: 'EmailUser' - receivers: [ - 'SomeReceiver' - ] - } - ] - } - ] - upgradeDescription: { - forceRestart: false - upgradeReplicaSetCheckTimeout: '1.00:00:00' - healthCheckWaitDuration: '00:00:30' - healthCheckStableDuration: '00:01:00' - healthCheckRetryTimeout: '00:45:00' - upgradeTimeout: '02:00:00' - upgradeDomainTimeout: '02:00:00' - healthPolicy: { - maxPercentUnhealthyNodes: 0 - maxPercentUnhealthyApplications: 0 - } - deltaHealthPolicy: { - maxPercentDeltaUnhealthyNodes: 0 - maxPercentUpgradeDomainDeltaUnhealthyNodes: 0 - maxPercentDeltaUnhealthyApplications: 0 - } - - } - vmImage: 'Linux' - applicationTypes: [ - { - name: 'WordCount' // not idempotent - } - ] - } -}] diff --git a/modules/service-fabric/cluster/version.json b/modules/service-fabric/cluster/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/service-fabric/cluster/version.json +++ /dev/null 
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/signal-r-service/signal-r/MOVED-TO-AVM.md b/modules/signal-r-service/signal-r/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/signal-r-service/signal-r/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/signal-r-service/signal-r/README.md b/modules/signal-r-service/signal-r/README.md
index 23acd18754..58bb0fce74 100644
--- a/modules/signal-r-service/signal-r/README.md
+++ b/modules/signal-r-service/signal-r/README.md
@@ -1,1091 +1,7 @@
-# SignalR Service SignalR `[Microsoft.SignalRService/signalR]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/signal-r-service/signal-r](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/signal-r-service/signal-r).** -This module deploys a SignalR Service SignalR. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/signal-r-service/signal-r). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -| `Microsoft.SignalRService/signalR` | [2022-02-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.SignalRService/2022-02-01/signalR) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy 
the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/signal-r-service.signal-r:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-srsdrmin' - params: { - // Required parameters - name: 'srsdrmin-001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "srsdrmin-001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-srssrmax' - params: { - // Required parameters - name: 'srssrmax-001' - // Non-required parameters - capacity: 2 - clientCertEnabled: false - disableAadAuth: false - disableLocalAuth: true - enableDefaultTelemetry: '' - kind: 'SignalR' - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - networkAcls: { - defaultAction: 'Allow' - privateEndpoints: [ - { - allow: [] - deny: [ - 'ServerConnection' - 'Trace' - ] - name: 'pe-srssrmax-001' - } - ] - publicNetwork: { - allow: [] - deny: [ - 'RESTAPI' - 'Trace' - ] - } - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - resourceLogConfigurationsToEnable: [ - 'ConnectivityLogs' - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - sku: 'Standard_S1' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "srssrmax-001" - }, - // Non-required parameters - "capacity": { - "value": 2 - }, - "clientCertEnabled": { - "value": false - }, - "disableAadAuth": { - "value": false - }, - "disableLocalAuth": { - "value": true - }, - "enableDefaultTelemetry": { - "value": "" - }, - "kind": { - "value": "SignalR" - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "networkAcls": { - "value": { - "defaultAction": "Allow", - "privateEndpoints": [ - { - "allow": [], - "deny": [ - "ServerConnection", - "Trace" - ], - "name": "pe-srssrmax-001" - } - ], - "publicNetwork": { - "allow": [], - "deny": [ - "RESTAPI", - "Trace" - ] - } - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "resourceLogConfigurationsToEnable": { - "value": [ - "ConnectivityLogs" - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "sku": { - "value": "Standard_S1" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-srssrwaf' - params: { - // Required parameters - name: 'srssrwaf-001' - // Non-required parameters - capacity: 2 - clientCertEnabled: false - disableAadAuth: false - disableLocalAuth: true - enableDefaultTelemetry: '' - kind: 'SignalR' - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - networkAcls: { - defaultAction: 'Allow' - privateEndpoints: [ - { - allow: [] - deny: [ - 'ServerConnection' - 'Trace' - ] - name: 'pe-srssrwaf-001' - } - ] - publicNetwork: { - allow: [] - deny: [ - 'RESTAPI' - 'Trace' - ] - } - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - resourceLogConfigurationsToEnable: [ - 'ConnectivityLogs' - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - sku: 'Standard_S1' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "srssrwaf-001" - }, - // Non-required parameters - "capacity": { - "value": 2 - }, - "clientCertEnabled": { - "value": false - }, - "disableAadAuth": { - "value": false - }, - "disableLocalAuth": { - "value": true - }, - "enableDefaultTelemetry": { - "value": "" - }, - "kind": { - "value": "SignalR" - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "networkAcls": { - "value": { - "defaultAction": "Allow", - "privateEndpoints": [ - { - "allow": [], - "deny": [ - "ServerConnection", - "Trace" - ], - "name": "pe-srssrwaf-001" - } - ], - "publicNetwork": { - "allow": [], - "deny": [ - "RESTAPI", - "Trace" - ] - } - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "resourceLogConfigurationsToEnable": { - "value": [ - "ConnectivityLogs" - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "sku": { - "value": "Standard_S1" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the SignalR Service resource. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`allowedOrigins`](#parameter-allowedorigins) | array | The allowed origin settings of the resource. | -| [`capacity`](#parameter-capacity) | int | The unit count of the resource. | -| [`clientCertEnabled`](#parameter-clientcertenabled) | bool | Request client certificate during TLS handshake if enabled. | -| [`disableAadAuth`](#parameter-disableaadauth) | bool | The disable Azure AD auth settings of the resource. | -| [`disableLocalAuth`](#parameter-disablelocalauth) | bool | The disable local auth settings of the resource. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`features`](#parameter-features) | array | The features settings of the resource, `ServiceMode` is the only required feature. See https://learn.microsoft.com/en-us/azure/templates/microsoft.signalrservice/signalr?pivots=deployment-language-bicep#signalrfeature for more information. | -| [`kind`](#parameter-kind) | string | The kind of the service. | -| [`liveTraceCatagoriesToEnable`](#parameter-livetracecatagoriestoenable) | array | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | -| [`location`](#parameter-location) | string | The location for the resource. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`networkAcls`](#parameter-networkacls) | object | Networks ACLs, this value contains IPs to allow and/or Subnet information. Can only be set if the 'SKU' is not 'Free_F1'. For security reasons, it is recommended to set the DefaultAction Deny. 
| -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | -| [`resourceLogConfigurationsToEnable`](#parameter-resourcelogconfigurationstoenable) | array | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`sku`](#parameter-sku) | string | The SKU of the service. | -| [`tags`](#parameter-tags) | object | The tags of the resource. | -| [`upstreamTemplatesToEnable`](#parameter-upstreamtemplatestoenable) | array | Upstream templates to enable. For more information, see https://learn.microsoft.com/en-us/azure/templates/microsoft.signalrservice/2022-02-01/signalr?pivots=deployment-language-bicep#upstreamtemplate. | - -### Parameter: `name` - -The name of the SignalR Service resource. - -- Required: Yes -- Type: string - -### Parameter: `allowedOrigins` - -The allowed origin settings of the resource. - -- Required: No -- Type: array -- Default: - ```Bicep - [ - '*' - ] - ``` - -### Parameter: `capacity` - -The unit count of the resource. - -- Required: No -- Type: int -- Default: `1` - -### Parameter: `clientCertEnabled` - -Request client certificate during TLS handshake if enabled. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `disableAadAuth` - -The disable Azure AD auth settings of the resource. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `disableLocalAuth` - -The disable local auth settings of the resource. 
- -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `features` - -The features settings of the resource, `ServiceMode` is the only required feature. See https://learn.microsoft.com/en-us/azure/templates/microsoft.signalrservice/signalr?pivots=deployment-language-bicep#signalrfeature for more information. - -- Required: No -- Type: array -- Default: - ```Bicep - [ - { - flag: 'ServiceMode' - value: 'Serverless' - } - ] - ``` - -### Parameter: `kind` - -The kind of the service. - -- Required: No -- Type: string -- Default: `'SignalR'` -- Allowed: - ```Bicep - [ - 'RawWebSockets' - 'SignalR' - ] - ``` - -### Parameter: `liveTraceCatagoriesToEnable` - -Control permission for data plane traffic coming from public networks while private endpoint is enabled. - -- Required: No -- Type: array -- Default: - ```Bicep - [ - 'ConnectivityLogs' - 'MessagingLogs' - ] - ``` -- Allowed: - ```Bicep - [ - 'ConnectivityLogs' - 'MessagingLogs' - ] - ``` - -### Parameter: `location` - -The location for the resource. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `networkAcls` - -Networks ACLs, this value contains IPs to allow and/or Subnet information. 
Can only be set if the 'SKU' is not 'Free_F1'. For security reasons, it is recommended to set the DefaultAction Deny. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `privateEndpoints` - -Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. 
| -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.subnetResourceId` - -Resource ID of the subnet where the endpoint needs to be created. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Application security groups in which the private endpoint IP configuration is included. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customDnsConfigs` - -Custom DNS configurations. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customNetworkInterfaceName` - -The custom name of the network interface attached to the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.enableTelemetry` - -Enable/Disable usage telemetry for module. - -- Required: No -- Type: bool - -### Parameter: `privateEndpoints.ipConfigurations` - -A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.location` - -The location to deploy the private endpoint to. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.lock` - -Specify the type of lock. 
- -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | -| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | - -### Parameter: `privateEndpoints.lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `privateEndpoints.lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` - -Manual PrivateLink Service Connections. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.name` - -The name of the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneGroupName` - -The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` - -The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `privateEndpoints.roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.conditionVersion` - -Version of the condition. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `privateEndpoints.service` - -The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.tags` - -Tags to be applied on all resources/resource groups in this deployment. - -- Required: No -- Type: object - -### Parameter: `publicNetworkAccess` - -Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `resourceLogConfigurationsToEnable` - -Control permission for data plane traffic coming from public networks while private endpoint is enabled. - -- Required: No -- Type: array -- Default: - ```Bicep - [ - 'ConnectivityLogs' - 'MessagingLogs' - ] - ``` -- Allowed: - ```Bicep - [ - 'ConnectivityLogs' - 'MessagingLogs' - ] - ``` - -### Parameter: `roleAssignments` - -Array of role assignments to create. 
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
- -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `sku` - -The SKU of the service. - -- Required: No -- Type: string -- Default: `'Standard_S1'` -- Allowed: - ```Bicep - [ - 'Free_F1' - 'Premium_P1' - 'Premium_P2' - 'Premium_P3' - 'Standard_S1' - 'Standard_S2' - 'Standard_S3' - ] - ``` - -### Parameter: `tags` - -The tags of the resource. - -- Required: No -- Type: object - -### Parameter: `upstreamTemplatesToEnable` - -Upstream templates to enable. For more information, see https://learn.microsoft.com/en-us/azure/templates/microsoft.signalrservice/2022-02-01/signalr?pivots=deployment-language-bicep#upstreamtemplate. - -- Required: No -- Type: array -- Default: `[]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The SignalR name. | -| `resourceGroupName` | string | The SignalR resource group. | -| `resourceId` | string | The SignalR resource ID. 
| - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `modules/network/private-endpoint` | Local reference | +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/signal-r-service/signal-r/main.bicep b/modules/signal-r-service/signal-r/main.bicep deleted file mode 100644 index 651e8d9707..0000000000 --- a/modules/signal-r-service/signal-r/main.bicep +++ /dev/null 
@@ -1,338 +0,0 @@ -metadata name = 'SignalR Service SignalR' -metadata description = 'This module deploys a SignalR Service SignalR.' -metadata owner = 'Azure/module-maintainers' - -@description('Optional. The location for the resource.') -param location string = resourceGroup().location - -@description('Required. The name of the SignalR Service resource.') -param name string - -@description('Optional. The kind of the service.') -@allowed([ - 'SignalR' - 'RawWebSockets' -]) -param kind string = 'SignalR' - -@description('Optional. The SKU of the service.') -@allowed([ - 'Free_F1' - 'Standard_S1' - 'Standard_S2' - 'Standard_S3' - 'Premium_P1' - 'Premium_P2' - 'Premium_P3' -]) -param sku string = 'Standard_S1' - -@description('Optional. The unit count of the resource.') -param capacity int = 1 - -@description('Optional. The tags of the resource.') -param tags object? - -@description('Optional. The allowed origin settings of the resource.') -param allowedOrigins array = [ - '*' -] - -@description('Optional. The disable Azure AD auth settings of the resource.') -param disableAadAuth bool = false - -@description('Optional. The disable local auth settings of the resource.') -param disableLocalAuth bool = true - -@description('Optional. The features settings of the resource, `ServiceMode` is the only required feature. See https://learn.microsoft.com/en-us/azure/templates/microsoft.signalrservice/signalr?pivots=deployment-language-bicep#signalrfeature for more information.') -param features array = [ - { - flag: 'ServiceMode' - value: 'Serverless' - } -] - -@description('Optional. Networks ACLs, this value contains IPs to allow and/or Subnet information. Can only be set if the \'SKU\' is not \'Free_F1\'. For security reasons, it is recommended to set the DefaultAction Deny.') -param networkAcls object = {} - -@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. 
If not specified, it will be disabled by default if private endpoints are set.') -@allowed([ - '' - 'Enabled' - 'Disabled' -]) -param publicNetworkAccess string = '' - -@allowed([ - 'ConnectivityLogs' - 'MessagingLogs' -]) -@description('Optional. Control permission for data plane traffic coming from public networks while private endpoint is enabled.') -param liveTraceCatagoriesToEnable array = [ - 'ConnectivityLogs' - 'MessagingLogs' -] - -@allowed([ - 'ConnectivityLogs' - 'MessagingLogs' -]) -@description('Optional. Control permission for data plane traffic coming from public networks while private endpoint is enabled.') -param resourceLogConfigurationsToEnable array = [ - 'ConnectivityLogs' - 'MessagingLogs' -] - -@description('Optional. Request client certificate during TLS handshake if enabled.') -param clientCertEnabled bool = false - -@description('Optional. Upstream templates to enable. For more information, see https://learn.microsoft.com/en-us/azure/templates/microsoft.signalrservice/2022-02-01/signalr?pivots=deployment-language-bicep#upstreamtemplate.') -param upstreamTemplatesToEnable array = [] - -@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') -param privateEndpoints privateEndpointType - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var enableReferencedModulesTelemetry = false - -var liveTraceCatagories = [for configuration in liveTraceCatagoriesToEnable: { - name: configuration - enabled: 'true' -}] - -var resourceLogConfiguration = [for configuration in resourceLogConfigurationsToEnable: { - name: configuration - enabled: 'true' -}] - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'SignalR AccessKey Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '04165923-9d83-45d5-8227-78b77b0a687e') - 'SignalR App Server': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '420fcaa2-552c-430f-98ca-3264be4806c7') - 'SignalR REST API Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fd53cd77-2268-407a-8f46-7e7863d0f521') - 'SignalR REST API Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddde6b66-c0df-4114-a159-3618637b3035') - 'SignalR Service Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7e4f1700-ea5a-4f59-8f37-079cfe29dce3') - 'SignalR/Web PubSub Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Web PubSub Service Owner (Preview)': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12cf5a90-567b-43ae-8102-96cf46c7d9b4') - 'Web PubSub Service Reader (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource signalR 'Microsoft.SignalRService/signalR@2022-02-01' = { - name: name - location: location - kind: kind - sku: { - name: sku - capacity: capacity - tier: sku == 'Free_F1' ? 'Free' : sku == 'Standard_S1' || sku == 'Standard_S2' || sku == 'Standard_S3' ? 'Standard' : 'Premium' - } - tags: tags - properties: { - cors: { - allowedOrigins: allowedOrigins - } - disableAadAuth: disableAadAuth - disableLocalAuth: disableLocalAuth - features: features - liveTraceConfiguration: !empty(liveTraceCatagoriesToEnable) ? { - categories: liveTraceCatagories - } : {} - networkACLs: !empty(networkAcls) ? any(networkAcls) : null - publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) && empty(networkAcls) ? 'Disabled' : null) - resourceLogConfiguration: { - categories: resourceLogConfiguration - } - tls: { - clientCertEnabled: clientCertEnabled - } - upstream: !empty(upstreamTemplatesToEnable) ? { - templates: upstreamTemplatesToEnable - } : {} - } -} - -module signalR_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): { - name: '${uniqueString(deployment().name, location)}-signalR-PrivateEndpoint-${index}' - params: { - groupIds: [ - privateEndpoint.?service ?? 'signalr' - ] - name: privateEndpoint.?name ?? 
'pep-${last(split(signalR.id, '/'))}-${privateEndpoint.?service ?? 'signalr'}-${index}'
- serviceResourceId: signalR.id
- subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
- location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
- privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
- roleAssignments: privateEndpoint.?roleAssignments
- tags: privateEndpoint.?tags ?? tags
- manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
- customDnsConfigs: privateEndpoint.?customDnsConfigs
- ipConfigurations: privateEndpoint.?ipConfigurations
- applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
- customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
- }
-}]
-
-resource signalR_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: signalR
-}
-
-resource signalR_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(signalR.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: signalR
-}]
-
-@description('The SignalR name.')
-output name string = signalR.name
-
-@description('The SignalR resource group.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The SignalR resource ID.')
-output resourceId string = signalR.id
-
-@description('The location the resource was deployed into.')
-output location string = signalR.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type privateEndpointType = {
- @description('Optional. The name of the private endpoint.')
- name: string?
-
- @description('Optional. The location to deploy the private endpoint to.')
- location: string?
-
- @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
- service: string?
-
- @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
- subnetResourceId: string
-
- @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
- privateDnsZoneGroupName: string?
-
- @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
- privateDnsZoneResourceIds: string[]?
-
- @description('Optional. Custom DNS configurations.')
- customDnsConfigs: {
- @description('Required. Fqdn that resolves to private endpoint ip address.')
- fqdn: string?
-
- @description('Required. A list of private ip addresses of the private endpoint.')
- ipAddresses: string[]
- }[]?
-
- @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
- ipConfigurations: {
- @description('Required. The name of the resource that is unique within a resource group.')
- name: string
-
- @description('Required. Properties of private endpoint IP configurations.')
- properties: {
- @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
- groupId: string
-
- @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
- memberName: string
-
- @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
- privateIPAddress: string
- }
- }[]?
-
- @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
- applicationSecurityGroupResourceIds: string[]?
-
- @description('Optional. The custom name of the network interface attached to the private endpoint.')
- customNetworkInterfaceName: string?
-
- @description('Optional. Specify the type of lock.')
- lock: lockType
-
- @description('Optional. Array of role assignments to create.')
- roleAssignments: roleAssignmentType
-
- @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
- tags: object?
-
- @description('Optional. Manual PrivateLink Service Connections.')
- manualPrivateLinkServiceConnections: array?
-
- @description('Optional. Enable/Disable usage telemetry for module.')
- enableTelemetry: bool?
-}[]?
diff --git a/modules/signal-r-service/signal-r/main.json b/modules/signal-r-service/signal-r/main.json
deleted file mode 100644
index 050a462238..0000000000
--- a/modules/signal-r-service/signal-r/main.json
+++ /dev/null
@@ -1,1225 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17822146109821250505" - }, - "name": "SignalR Service SignalR", - "description": "This module deploys a SignalR Service SignalR.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. 
A DNS zone group can support up to 5 DNS zones." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. 
Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. The location for the resource." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the SignalR Service resource." - } - }, - "kind": { - "type": "string", - "defaultValue": "SignalR", - "allowedValues": [ - "SignalR", - "RawWebSockets" - ], - "metadata": { - "description": "Optional. The kind of the service." - } - }, - "sku": { - "type": "string", - "defaultValue": "Standard_S1", - "allowedValues": [ - "Free_F1", - "Standard_S1", - "Standard_S2", - "Standard_S3", - "Premium_P1", - "Premium_P2", - "Premium_P3" - ], - "metadata": { - "description": "Optional. The SKU of the service." 
- } - }, - "capacity": { - "type": "int", - "defaultValue": 1, - "metadata": { - "description": "Optional. The unit count of the resource." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. The tags of the resource." - } - }, - "allowedOrigins": { - "type": "array", - "defaultValue": [ - "*" - ], - "metadata": { - "description": "Optional. The allowed origin settings of the resource." - } - }, - "disableAadAuth": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. The disable Azure AD auth settings of the resource." - } - }, - "disableLocalAuth": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. The disable local auth settings of the resource." - } - }, - "features": { - "type": "array", - "defaultValue": [ - { - "flag": "ServiceMode", - "value": "Serverless" - } - ], - "metadata": { - "description": "Optional. The features settings of the resource, `ServiceMode` is the only required feature. See https://learn.microsoft.com/en-us/azure/templates/microsoft.signalrservice/signalr?pivots=deployment-language-bicep#signalrfeature for more information." - } - }, - "networkAcls": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Networks ACLs, this value contains IPs to allow and/or Subnet information. Can only be set if the 'SKU' is not 'Free_F1'. For security reasons, it is recommended to set the DefaultAction Deny." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set." 
- } - }, - "liveTraceCatagoriesToEnable": { - "type": "array", - "defaultValue": [ - "ConnectivityLogs", - "MessagingLogs" - ], - "allowedValues": [ - "ConnectivityLogs", - "MessagingLogs" - ], - "metadata": { - "description": "Optional. Control permission for data plane traffic coming from public networks while private endpoint is enabled." - } - }, - "resourceLogConfigurationsToEnable": { - "type": "array", - "defaultValue": [ - "ConnectivityLogs", - "MessagingLogs" - ], - "allowedValues": [ - "ConnectivityLogs", - "MessagingLogs" - ], - "metadata": { - "description": "Optional. Control permission for data plane traffic coming from public networks while private endpoint is enabled." - } - }, - "clientCertEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Request client certificate during TLS handshake if enabled." - } - }, - "upstreamTemplatesToEnable": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Upstream templates to enable. For more information, see https://learn.microsoft.com/en-us/azure/templates/microsoft.signalrservice/2022-02-01/signalr?pivots=deployment-language-bicep#upstreamtemplate." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "liveTraceCatagories", - "count": "[length(parameters('liveTraceCatagoriesToEnable'))]", - "input": { - "name": "[parameters('liveTraceCatagoriesToEnable')[copyIndex('liveTraceCatagories')]]", - "enabled": "true" - } - }, - { - "name": "resourceLogConfiguration", - "count": "[length(parameters('resourceLogConfigurationsToEnable'))]", - "input": { - "name": "[parameters('resourceLogConfigurationsToEnable')[copyIndex('resourceLogConfiguration')]]", - "enabled": "true" - } - } - ], - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "SignalR AccessKey Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '04165923-9d83-45d5-8227-78b77b0a687e')]", - "SignalR App Server": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '420fcaa2-552c-430f-98ca-3264be4806c7')]", - "SignalR REST API Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fd53cd77-2268-407a-8f46-7e7863d0f521')]", - "SignalR REST API Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddde6b66-c0df-4114-a159-3618637b3035')]", - "SignalR Service Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7e4f1700-ea5a-4f59-8f37-079cfe29dce3')]", - "SignalR/Web PubSub Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", - "User 
Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Web PubSub Service Owner (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12cf5a90-567b-43ae-8102-96cf46c7d9b4')]", - "Web PubSub Service Reader (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "signalR": { - "type": "Microsoft.SignalRService/signalR", - "apiVersion": "2022-02-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "kind": "[parameters('kind')]", - "sku": { - "name": "[parameters('sku')]", - "capacity": "[parameters('capacity')]", - "tier": "[if(equals(parameters('sku'), 'Free_F1'), 'Free', if(or(or(equals(parameters('sku'), 'Standard_S1'), equals(parameters('sku'), 'Standard_S2')), equals(parameters('sku'), 'Standard_S3')), 'Standard', 'Premium'))]" - }, - "tags": "[parameters('tags')]", - "properties": { - "cors": { - "allowedOrigins": "[parameters('allowedOrigins')]" - }, - "disableAadAuth": "[parameters('disableAadAuth')]", - "disableLocalAuth": "[parameters('disableLocalAuth')]", - "features": "[parameters('features')]", - "liveTraceConfiguration": "[if(not(empty(parameters('liveTraceCatagoriesToEnable'))), createObject('categories', variables('liveTraceCatagories')), createObject())]", - "networkACLs": "[if(not(empty(parameters('networkAcls'))), parameters('networkAcls'), null())]", - 
"publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), if(and(not(empty(parameters('privateEndpoints'))), empty(parameters('networkAcls'))), 'Disabled', null()))]", - "resourceLogConfiguration": { - "categories": "[variables('resourceLogConfiguration')]" - }, - "tls": { - "clientCertEnabled": "[parameters('clientCertEnabled')]" - }, - "upstream": "[if(not(empty(parameters('upstreamTemplatesToEnable'))), createObject('templates', parameters('upstreamTemplatesToEnable')), createObject())]" - } - }, - "signalR_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.SignalRService/signalR/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "signalR" - ] - }, - "signalR_roleAssignments": { - "copy": { - "name": "signalR_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.SignalRService/signalR/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.SignalRService/signalR', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "signalR" - ] - }, - "signalR_privateEndpoints": { - "copy": { - "name": "signalR_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-signalR-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - 
"value": [ - "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'signalr')]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.SignalRService/signalR', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'signalr'), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.SignalRService/signalR', parameters('name'))]" - }, - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - 
"manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." 
- } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." 
- } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." 
- } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", 
- "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - "groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify 
the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - 
"privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "signalR" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The SignalR name." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The SignalR resource group." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The SignalR resource ID." - }, - "value": "[resourceId('Microsoft.SignalRService/signalR', parameters('name'))]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('signalR', '2022-02-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/signal-r-service/signal-r/tests/e2e/defaults/main.test.bicep b/modules/signal-r-service/signal-r/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 91c816bddf..0000000000 --- a/modules/signal-r-service/signal-r/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-signalrservice.signalr-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'srsdrmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// =========== //
-// Deployments //
-// =========== //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}-001'
- }
-}]
diff --git a/modules/signal-r-service/signal-r/tests/e2e/max/dependencies.bicep b/modules/signal-r-service/signal-r/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 3f02e7b5ad..0000000000
--- a/modules/signal-r-service/signal-r/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,62 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- privateEndpointNetworkPolicies: 'Disabled'
- privateLinkServiceNetworkPolicies: 'Enabled'
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.service.signalr.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/signal-r-service/signal-r/tests/e2e/max/main.test.bicep b/modules/signal-r-service/signal-r/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 701bca066f..0000000000
--- a/modules/signal-r-service/signal-r/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,118 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-signalrservice.signalr-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'srssrmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// =========== //
-// Deployments //
-// =========== //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-paramNested'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}-001'
- capacity: 2
- clientCertEnabled: false
- disableAadAuth: false
- disableLocalAuth: true
- location: location
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- kind: 'SignalR'
- networkAcls: {
- defaultAction: 'Allow'
- privateEndpoints: [
- {
- allow: []
- deny: [
- 'ServerConnection'
- 'Trace'
- ]
- name: 'pe-${namePrefix}-${serviceShort}-001'
-
- }
- ]
- publicNetwork: {
- allow: []
- deny: [
- 'RESTAPI'
- 'Trace'
- ]
- }
- }
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- resourceLogConfigurationsToEnable: [
- 'ConnectivityLogs'
- ]
- roleAssignments: [
- {
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- roleDefinitionIdOrName: 'Reader'
- principalType: 'ServicePrincipal'
- }
- ]
- sku: 'Standard_S1'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/signal-r-service/signal-r/tests/e2e/waf-aligned/dependencies.bicep b/modules/signal-r-service/signal-r/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 3f02e7b5ad..0000000000
--- a/modules/signal-r-service/signal-r/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,62 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- privateEndpointNetworkPolicies: 'Disabled'
- privateLinkServiceNetworkPolicies: 'Enabled'
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.service.signalr.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/signal-r-service/signal-r/tests/e2e/waf-aligned/main.test.bicep b/modules/signal-r-service/signal-r/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index c07a791bbf..0000000000
--- a/modules/signal-r-service/signal-r/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,118 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-signalrservice.signalr-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'srssrwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// =========== //
-// Deployments //
-// =========== //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-paramNested'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}-001'
- capacity: 2
- clientCertEnabled: false
- disableAadAuth: false
- disableLocalAuth: true
- location: location
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- kind: 'SignalR'
- networkAcls: {
- defaultAction: 'Allow'
- privateEndpoints: [
- {
- allow: []
- deny: [
- 'ServerConnection'
- 'Trace'
- ]
- name: 'pe-${namePrefix}-${serviceShort}-001'
-
- }
- ]
- publicNetwork: {
- allow: []
- deny: [
- 'RESTAPI'
- 'Trace'
- ]
- }
- }
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- resourceLogConfigurationsToEnable: [
- 'ConnectivityLogs'
- ]
- roleAssignments: [
- {
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- roleDefinitionIdOrName: 'Reader'
- principalType: 'ServicePrincipal'
- }
- ]
- sku: 'Standard_S1'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/signal-r-service/signal-r/version.json b/modules/signal-r-service/signal-r/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/signal-r-service/signal-r/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/signal-r-service/web-pub-sub/MOVED-TO-AVM.md b/modules/signal-r-service/web-pub-sub/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/signal-r-service/web-pub-sub/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/signal-r-service/web-pub-sub/README.md b/modules/signal-r-service/web-pub-sub/README.md index a49dabf0f9..db32b705a6 100644 --- a/modules/signal-r-service/web-pub-sub/README.md +++ b/modules/signal-r-service/web-pub-sub/README.md @@ -1,1144 +1,7 @@ -# SignalR Web PubSub Services `[Microsoft.SignalRService/webPubSub]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/signal-r-service/web-pub-sub](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/signal-r-service/web-pub-sub).** -This module deploys a SignalR Web PubSub Service. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/signal-r-service/web-pub-sub). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -| `Microsoft.SignalRService/webPubSub` | [2021-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.SignalRService/2021-10-01/webPubSub) | - -## Usage examples - -The following section provides usage examples for the module, which were used to 
validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/signal-r-service.web-pub-sub:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [Pe](#example-3-pe) -- [WAF-aligned](#example-4-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-srswpsmin' - params: { - // Required parameters - name: 'srswpsmin-001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "srswpsmin-001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-srswpsmax' - params: { - // Required parameters - name: 'srswpsmax-001' - // Non-required parameters - capacity: 2 - clientCertEnabled: false - disableAadAuth: false - disableLocalAuth: true - enableDefaultTelemetry: '' - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - } - networkAcls: { - defaultAction: 'Allow' - privateEndpoints: [ - { - allow: [] - deny: [ - 'ServerConnection' - 'Trace' - ] - name: 'pe-srswpsmax-001' - } - ] - publicNetwork: { - allow: [] - deny: [ - 'RESTAPI' - 'Trace' - ] - } - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'webpubsub' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - resourceLogConfigurationsToEnable: [ - 'ConnectivityLogs' - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - sku: 'Standard_S1' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "srswpsmax-001" - }, - // Non-required parameters - "capacity": { - "value": 2 - }, - "clientCertEnabled": { - "value": false - }, - "disableAadAuth": { - "value": false - }, - "disableLocalAuth": { - "value": true - }, - "enableDefaultTelemetry": { - "value": "" - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true - } - }, - "networkAcls": { - "value": { - "defaultAction": "Allow", - "privateEndpoints": [ - { - "allow": [], - "deny": [ - "ServerConnection", - "Trace" - ], - "name": "pe-srswpsmax-001" - } - ], - "publicNetwork": { - "allow": [], - "deny": [ - "RESTAPI", - "Trace" - ] - } - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "webpubsub", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "resourceLogConfigurationsToEnable": { - "value": [ - "ConnectivityLogs" - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "sku": { - "value": "Standard_S1" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _Pe_ - -

- -via Bicep module - -```bicep -module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-srswpspe' - params: { - // Required parameters - name: 'srswpspe-001' - // Non-required parameters - enableDefaultTelemetry: '' - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - sku: 'Standard_S1' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "srswpspe-001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "sku": { - "value": "Standard_S1" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 4: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-srswpswaf' - params: { - // Required parameters - name: 'srswpswaf-001' - // Non-required parameters - capacity: 2 - clientCertEnabled: false - disableAadAuth: false - disableLocalAuth: true - enableDefaultTelemetry: '' - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - } - networkAcls: { - defaultAction: 'Allow' - privateEndpoints: [ - { - allow: [] - deny: [ - 'ServerConnection' - 'Trace' - ] - name: 'pe-srswpswaf-001' - } - ] - publicNetwork: { - allow: [] - deny: [ - 'RESTAPI' - 'Trace' - ] - } - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'webpubsub' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - resourceLogConfigurationsToEnable: [ - 'ConnectivityLogs' - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - sku: 'Standard_S1' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "srswpswaf-001" - }, - // Non-required parameters - "capacity": { - "value": 2 - }, - "clientCertEnabled": { - "value": false - }, - "disableAadAuth": { - "value": false - }, - "disableLocalAuth": { - "value": true - }, - "enableDefaultTelemetry": { - "value": "" - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true - } - }, - "networkAcls": { - "value": { - "defaultAction": "Allow", - "privateEndpoints": [ - { - "allow": [], - "deny": [ - "ServerConnection", - "Trace" - ], - "name": "pe-srswpswaf-001" - } - ], - "publicNetwork": { - "allow": [], - "deny": [ - "RESTAPI", - "Trace" - ] - } - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "webpubsub", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "resourceLogConfigurationsToEnable": { - "value": [ - "ConnectivityLogs" - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "sku": { - "value": "Standard_S1" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the Web PubSub Service resource. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`capacity`](#parameter-capacity) | int | The unit count of the resource. 1 by default. | -| [`clientCertEnabled`](#parameter-clientcertenabled) | bool | Request client certificate during TLS handshake if enabled. | -| [`disableAadAuth`](#parameter-disableaadauth) | bool | When set as true, connection with AuthType=aad won't work. | -| [`disableLocalAuth`](#parameter-disablelocalauth) | bool | Disables all authentication methods other than AAD authentication. For security reasons, this value should be set to `true`. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | The location for the resource. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both. | -| [`networkAcls`](#parameter-networkacls) | object | Networks ACLs, this value contains IPs to allow and/or Subnet information. Can only be set if the 'SKU' is not 'Free_F1'. For security reasons, it is recommended to set the DefaultAction Deny. | -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. 
If not specified, it will be disabled by default if private endpoints are set. | -| [`resourceLogConfigurationsToEnable`](#parameter-resourcelogconfigurationstoenable) | array | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`sku`](#parameter-sku) | string | Pricing tier of the resource. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `name` - -The name of the Web PubSub Service resource. - -- Required: Yes -- Type: string - -### Parameter: `capacity` - -The unit count of the resource. 1 by default. - -- Required: No -- Type: int -- Default: `1` - -### Parameter: `clientCertEnabled` - -Request client certificate during TLS handshake if enabled. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `disableAadAuth` - -When set as true, connection with AuthType=aad won't work. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `disableLocalAuth` - -Disables all authentication methods other than AAD authentication. For security reasons, this value should be set to `true`. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -The location for the resource. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: No -- Type: array - -### Parameter: `networkAcls` - -Networks ACLs, this value contains IPs to allow and/or Subnet information. Can only be set if the 'SKU' is not 'Free_F1'. For security reasons, it is recommended to set the DefaultAction Deny. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `privateEndpoints` - -Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. 
| - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. 
For example "vault" or "blob". | -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.subnetResourceId` - -Resource ID of the subnet where the endpoint needs to be created. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Application security groups in which the private endpoint IP configuration is included. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customDnsConfigs` - -Custom DNS configurations. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customNetworkInterfaceName` - -The custom name of the network interface attached to the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.enableTelemetry` - -Enable/Disable usage telemetry for module. - -- Required: No -- Type: bool - -### Parameter: `privateEndpoints.ipConfigurations` - -A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.location` - -The location to deploy the private endpoint to. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.lock` - -Specify the type of lock. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | -| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | - -### Parameter: `privateEndpoints.lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `privateEndpoints.lock.name` - -Specify the name of lock. 
- -- Required: No -- Type: string - -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` - -Manual PrivateLink Service Connections. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.name` - -The name of the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneGroupName` - -The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` - -The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. 
| -| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `privateEndpoints.roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.principalType` - -The principal type of the assigned principal ID. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `privateEndpoints.service` - -The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.tags` - -Tags to be applied on all resources/resource groups in this deployment. - -- Required: No -- Type: object - -### Parameter: `publicNetworkAccess` - -Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `resourceLogConfigurationsToEnable` - -Control permission for data plane traffic coming from public networks while private endpoint is enabled. - -- Required: No -- Type: array -- Default: - ```Bicep - [ - 'ConnectivityLogs' - 'MessagingLogs' - ] - ``` -- Allowed: - ```Bicep - [ - 'ConnectivityLogs' - 'MessagingLogs' - ] - ``` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `sku` - -Pricing tier of the resource. - -- Required: No -- Type: string -- Default: `'Standard_S1'` -- Allowed: - ```Bicep - [ - 'Free_F1' - 'Standard_S1' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `externalIP` | string | The Web PubSub externalIP. | -| `hostName` | string | The Web PubSub hostName. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The Web PubSub name. | -| `publicPort` | int | The Web PubSub publicPort. | -| `resourceGroupName` | string | The Web PubSub resource group. | -| `resourceId` | string | The Web PubSub resource ID. | -| `serverPort` | int | The Web PubSub serverPort. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). 
-
-| Reference | Type |
-| :-- | :-- |
-| `modules/network/private-endpoint` | Local reference |
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/signal-r-service/web-pub-sub/main.bicep b/modules/signal-r-service/web-pub-sub/main.bicep
deleted file mode 100644
index 7590254f7a..0000000000
--- a/modules/signal-r-service/web-pub-sub/main.bicep
+++ /dev/null
@@ -1,318 +0,0 @@ -metadata name = 'SignalR Web PubSub Services' -metadata description = 'This module deploys a SignalR Web PubSub Service.' -metadata owner = 'Azure/module-maintainers' - -@description('Optional. The location for the resource.') -param location string = resourceGroup().location - -@description('Required. The name of the Web PubSub Service resource.') -param name string - -@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') -param privateEndpoints privateEndpointType - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. Tags of the resource.') -param tags object? - -@description('Optional. The unit count of the resource. 1 by default.') -param capacity int = 1 - -@allowed([ - 'Free_F1' - 'Standard_S1' -]) -@description('Optional. Pricing tier of the resource.') -param sku string = 'Standard_S1' - -@description('Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both.') -param managedIdentities managedIdentitiesType - -@description('Optional. When set as true, connection with AuthType=aad won\'t work.') -param disableAadAuth bool = false - -@description('Optional. Disables all authentication methods other than AAD authentication. For security reasons, this value should be set to `true`.') -param disableLocalAuth bool = true - -@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. 
If not specified, it will be disabled by default if private endpoints are set.') -@allowed([ - '' - 'Enabled' - 'Disabled' -]) -param publicNetworkAccess string = '' - -@allowed([ - 'ConnectivityLogs' - 'MessagingLogs' -]) -@description('Optional. Control permission for data plane traffic coming from public networks while private endpoint is enabled.') -param resourceLogConfigurationsToEnable array = [ - 'ConnectivityLogs' - 'MessagingLogs' -] - -@description('Optional. Request client certificate during TLS handshake if enabled.') -param clientCertEnabled bool = false - -@description('Optional. Networks ACLs, this value contains IPs to allow and/or Subnet information. Can only be set if the \'SKU\' is not \'Free_F1\'. For security reasons, it is recommended to set the DefaultAction Deny.') -param networkAcls object = {} - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var enableReferencedModulesTelemetry = false - -var resourceLogConfiguration = [for configuration in resourceLogConfigurationsToEnable: { - name: configuration - enabled: 'true' -}] - -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } - -var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? 'SystemAssigned' : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) - userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? 
formattedUserAssignedIdentities : null -} : null - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'SignalR AccessKey Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '04165923-9d83-45d5-8227-78b77b0a687e') - 'SignalR App Server': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '420fcaa2-552c-430f-98ca-3264be4806c7') - 'SignalR REST API Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fd53cd77-2268-407a-8f46-7e7863d0f521') - 'SignalR REST API Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddde6b66-c0df-4114-a159-3618637b3035') - 'SignalR Service Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7e4f1700-ea5a-4f59-8f37-079cfe29dce3') - 'SignalR/Web PubSub Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Web PubSub Service Owner (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12cf5a90-567b-43ae-8102-96cf46c7d9b4') - 'Web PubSub Service Reader (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 
'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource webPubSub 'Microsoft.SignalRService/webPubSub@2021-10-01' = {
- name: name
- location: location
- tags: tags
- sku: {
- capacity: capacity
- name: sku
- tier: sku == 'Standard_S1' ? 'Standard' : 'Free'
- }
- identity: identity
- properties: {
- disableAadAuth: disableAadAuth
- disableLocalAuth: disableLocalAuth
- networkACLs: !empty(networkAcls) ? any(networkAcls) : null
- publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) && empty(networkAcls) ? 'Disabled' : null)
- resourceLogConfiguration: {
- categories: resourceLogConfiguration
- }
- tls: {
- clientCertEnabled: clientCertEnabled
- }
- }
-}
-
-module webPubSub_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
- name: '${uniqueString(deployment().name, location)}-webPubSub-PrivateEndpoint-${index}'
- params: {
- groupIds: [
- privateEndpoint.?service ?? 'webpubsub'
- ]
- name: privateEndpoint.?name ?? 'pep-${last(split(webPubSub.id, '/'))}-${privateEndpoint.?service ?? 'webpubsub'}-${index}'
- serviceResourceId: webPubSub.id
- subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
- location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
- privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
- roleAssignments: privateEndpoint.?roleAssignments
- tags: privateEndpoint.?tags ?? tags
- manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
- customDnsConfigs: privateEndpoint.?customDnsConfigs
- ipConfigurations: privateEndpoint.?ipConfigurations
- applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
- customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
- }
-}]
-
-resource webPubSub_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: webPubSub
-}
-
-resource webPubSub_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(webPubSub.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: webPubSub
-}]
-
-@description('The Web PubSub name.')
-output name string = webPubSub.name
-
-@description('The Web PubSub resource group.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The Web PubSub resource ID.')
-output resourceId string = webPubSub.id
-
-@description('The Web PubSub externalIP.')
-output externalIP string = webPubSub.properties.externalIP
-
-@description('The Web PubSub hostName.')
-output hostName string = webPubSub.properties.hostName
-
-@description('The Web PubSub publicPort.')
-output publicPort int = webPubSub.properties.publicPort
-
-@description('The Web PubSub serverPort.')
-output serverPort int = webPubSub.properties.serverPort
-
-@description('The principal ID of the system assigned identity.')
-output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(webPubSub.identity, 'principalId') ? webPubSub.identity.principalId : ''
-
-@description('The location the resource was deployed into.')
-output location string = webPubSub.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]?
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type privateEndpointType = {
- @description('Optional. The name of the private endpoint.')
- name: string?
-
- @description('Optional. The location to deploy the private endpoint to.')
- location: string?
-
- @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
- service: string?
-
- @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
- subnetResourceId: string
-
- @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
- privateDnsZoneGroupName: string?
-
- @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
- privateDnsZoneResourceIds: string[]?
-
- @description('Optional. Custom DNS configurations.')
- customDnsConfigs: {
- @description('Required. Fqdn that resolves to private endpoint ip address.')
- fqdn: string?
-
- @description('Required. A list of private ip addresses of the private endpoint.')
- ipAddresses: string[]
- }[]?
-
- @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
- ipConfigurations: {
- @description('Required. The name of the resource that is unique within a resource group.')
- name: string
-
- @description('Required. Properties of private endpoint IP configurations.')
- properties: {
- @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
- groupId: string
-
- @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
- memberName: string
-
- @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
- privateIPAddress: string
- }
- }[]?
-
- @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
- applicationSecurityGroupResourceIds: string[]?
-
- @description('Optional. The custom name of the network interface attached to the private endpoint.')
- customNetworkInterfaceName: string?
-
- @description('Optional. Specify the type of lock.')
- lock: lockType
-
- @description('Optional. Array of role assignments to create.')
- roleAssignments: roleAssignmentType
-
- @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
- tags: object?
-
- @description('Optional. Manual PrivateLink Service Connections.')
- manualPrivateLinkServiceConnections: array?
-
- @description('Optional. Enable/Disable usage telemetry for module.')
- enableTelemetry: bool?
-}[]?
diff --git a/modules/signal-r-service/web-pub-sub/main.json b/modules/signal-r-service/web-pub-sub/main.json
deleted file mode 100644
index b3cfca3ae4..0000000000
--- a/modules/signal-r-service/web-pub-sub/main.json
+++ /dev/null
@@ -1,1219 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9704119963251935464" - }, - "name": "SignalR Web PubSub Services", - "description": "This module deploys a SignalR Web PubSub Service.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." 
- } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. 
Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. The location for the resource." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Web PubSub Service resource." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. 
Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "capacity": { - "type": "int", - "defaultValue": 1, - "metadata": { - "description": "Optional. The unit count of the resource. 1 by default." - } - }, - "sku": { - "type": "string", - "defaultValue": "Standard_S1", - "allowedValues": [ - "Free_F1", - "Standard_S1" - ], - "metadata": { - "description": "Optional. Pricing tier of the resource." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both." - } - }, - "disableAadAuth": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. When set as true, connection with AuthType=aad won't work." - } - }, - "disableLocalAuth": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Disables all authentication methods other than AAD authentication. For security reasons, this value should be set to `true`." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set." 
- } - }, - "resourceLogConfigurationsToEnable": { - "type": "array", - "defaultValue": [ - "ConnectivityLogs", - "MessagingLogs" - ], - "allowedValues": [ - "ConnectivityLogs", - "MessagingLogs" - ], - "metadata": { - "description": "Optional. Control permission for data plane traffic coming from public networks while private endpoint is enabled." - } - }, - "clientCertEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Request client certificate during TLS handshake if enabled." - } - }, - "networkAcls": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Networks ACLs, this value contains IPs to allow and/or Subnet information. Can only be set if the 'SKU' is not 'Free_F1'. For security reasons, it is recommended to set the DefaultAction Deny." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "resourceLogConfiguration", - "count": "[length(parameters('resourceLogConfigurationsToEnable'))]", - "input": { - "name": "[parameters('resourceLogConfigurationsToEnable')[copyIndex('resourceLogConfiguration')]]", - "enabled": "true" - } - } - ], - "enableReferencedModulesTelemetry": false, - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "SignalR AccessKey Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '04165923-9d83-45d5-8227-78b77b0a687e')]", - "SignalR App Server": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '420fcaa2-552c-430f-98ca-3264be4806c7')]", - "SignalR 
REST API Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fd53cd77-2268-407a-8f46-7e7863d0f521')]", - "SignalR REST API Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddde6b66-c0df-4114-a159-3618637b3035')]", - "SignalR Service Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7e4f1700-ea5a-4f59-8f37-079cfe29dce3')]", - "SignalR/Web PubSub Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Web PubSub Service Owner (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12cf5a90-567b-43ae-8102-96cf46c7d9b4')]", - "Web PubSub Service Reader (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "webPubSub": { - "type": "Microsoft.SignalRService/webPubSub", - "apiVersion": "2021-10-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "capacity": "[parameters('capacity')]", - "name": "[parameters('sku')]", - "tier": "[if(equals(parameters('sku'), 'Standard_S1'), 'Standard', 'Free')]" - }, - "identity": "[variables('identity')]", - "properties": { - "disableAadAuth": "[parameters('disableAadAuth')]", - 
"disableLocalAuth": "[parameters('disableLocalAuth')]", - "networkACLs": "[if(not(empty(parameters('networkAcls'))), parameters('networkAcls'), null())]", - "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), if(and(not(empty(parameters('privateEndpoints'))), empty(parameters('networkAcls'))), 'Disabled', null()))]", - "resourceLogConfiguration": { - "categories": "[variables('resourceLogConfiguration')]" - }, - "tls": { - "clientCertEnabled": "[parameters('clientCertEnabled')]" - } - } - }, - "webPubSub_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.SignalRService/webPubSub/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "webPubSub" - ] - }, - "webPubSub_roleAssignments": { - "copy": { - "name": "webPubSub_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.SignalRService/webPubSub/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.SignalRService/webPubSub', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "webPubSub" - ] - }, - "webPubSub_privateEndpoints": { - "copy": { - "name": "webPubSub_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-webPubSub-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": 
"Incremental", - "parameters": { - "groupIds": { - "value": [ - "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'webpubsub')]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.SignalRService/webPubSub', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'webpubsub'), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.SignalRService/webPubSub', parameters('name'))]" - }, - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), 
createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. 
The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. 
The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. 
This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." 
- } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": 
"2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - "groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": 
"[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - 
"delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. 
The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "webPubSub" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The Web PubSub name." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The Web PubSub resource group." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The Web PubSub resource ID." - }, - "value": "[resourceId('Microsoft.SignalRService/webPubSub', parameters('name'))]" - }, - "externalIP": { - "type": "string", - "metadata": { - "description": "The Web PubSub externalIP." - }, - "value": "[reference('webPubSub').externalIP]" - }, - "hostName": { - "type": "string", - "metadata": { - "description": "The Web PubSub hostName." - }, - "value": "[reference('webPubSub').hostName]" - }, - "publicPort": { - "type": "int", - "metadata": { - "description": "The Web PubSub publicPort." - }, - "value": "[reference('webPubSub').publicPort]" - }, - "serverPort": { - "type": "int", - "metadata": { - "description": "The Web PubSub serverPort." 
- }, - "value": "[reference('webPubSub').serverPort]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('webPubSub', '2021-10-01', 'full').identity, 'principalId')), reference('webPubSub', '2021-10-01', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('webPubSub', '2021-10-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/signal-r-service/web-pub-sub/tests/e2e/defaults/main.test.bicep b/modules/signal-r-service/web-pub-sub/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 4e72d5a97b..0000000000 --- a/modules/signal-r-service/web-pub-sub/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-signalrservice.webpubsub-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'srswpsmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}-001'
- }
-}]
diff --git a/modules/signal-r-service/web-pub-sub/tests/e2e/max/dependencies.bicep b/modules/signal-r-service/web-pub-sub/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 53f60ba74f..0000000000
--- a/modules/signal-r-service/web-pub-sub/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,62 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- privateEndpointNetworkPolicies: 'Disabled'
- privateLinkServiceNetworkPolicies: 'Enabled'
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.webpubsub.azure.com'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/signal-r-service/web-pub-sub/tests/e2e/max/main.test.bicep b/modules/signal-r-service/web-pub-sub/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 7c9c967f3a..0000000000
--- a/modules/signal-r-service/web-pub-sub/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,120 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-signalrservice.webpubsub-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'srswpsmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}-001'
- capacity: 2
- clientCertEnabled: false
- disableAadAuth: false
- disableLocalAuth: true
- location: location
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- networkAcls: {
- defaultAction: 'Allow'
- privateEndpoints: [
- {
- allow: []
- deny: [
- 'ServerConnection'
- 'Trace'
- ]
- name: 'pe-${namePrefix}-${serviceShort}-001'
- }
- ]
- publicNetwork: {
- allow: []
- deny: [
- 'RESTAPI'
- 'Trace'
- ]
- }
- }
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- service: 'webpubsub'
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- resourceLogConfigurationsToEnable: [
- 'ConnectivityLogs'
- ]
- roleAssignments: [
- {
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- roleDefinitionIdOrName: 'Reader'
- principalType: 'ServicePrincipal'
- }
- ]
- sku: 'Standard_S1'
- managedIdentities: {
- systemAssigned: true
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/signal-r-service/web-pub-sub/tests/e2e/pe/dependencies.bicep b/modules/signal-r-service/web-pub-sub/tests/e2e/pe/dependencies.bicep
deleted file mode 100644
index 7817f5a5af..0000000000
--- a/modules/signal-r-service/web-pub-sub/tests/e2e/pe/dependencies.bicep
+++ /dev/null
@@ -1,51 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- privateEndpointNetworkPolicies: 'Disabled'
- privateLinkServiceNetworkPolicies: 'Enabled'
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.webpubsub.azure.com'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/signal-r-service/web-pub-sub/tests/e2e/pe/main.test.bicep b/modules/signal-r-service/web-pub-sub/tests/e2e/pe/main.test.bicep
deleted file mode 100644
index 0483d13826..0000000000
--- a/modules/signal-r-service/web-pub-sub/tests/e2e/pe/main.test.bicep
+++ /dev/null
@@ -1,73 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-signalrservice.webpubsub-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'srswpspe'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}-001'
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- sku: 'Standard_S1'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/dependencies.bicep b/modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 53f60ba74f..0000000000
--- a/modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,62 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- privateEndpointNetworkPolicies: 'Disabled'
- privateLinkServiceNetworkPolicies: 'Enabled'
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.webpubsub.azure.com'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/main.test.bicep b/modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 03b8af5643..0000000000
--- a/modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,120 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-signalrservice.webpubsub-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'srswpswaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}-001'
- capacity: 2
- clientCertEnabled: false
- disableAadAuth: false
- disableLocalAuth: true
- location: location
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- networkAcls: {
- defaultAction: 'Allow'
- privateEndpoints: [
- {
- allow: []
- deny: [
- 'ServerConnection'
- 'Trace'
- ]
- name: 'pe-${namePrefix}-${serviceShort}-001'
- }
- ]
- publicNetwork: {
- allow: []
- deny: [
- 'RESTAPI'
- 'Trace'
- ]
- }
- }
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- service: 'webpubsub'
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- resourceLogConfigurationsToEnable: [
- 'ConnectivityLogs'
- ]
- roleAssignments: [
- {
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- roleDefinitionIdOrName: 'Reader'
- principalType: 'ServicePrincipal'
- }
- ]
- sku: 'Standard_S1'
- managedIdentities: {
- systemAssigned: true
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/signal-r-service/web-pub-sub/version.json b/modules/signal-r-service/web-pub-sub/version.json
deleted file mode 100644
index 9ed3662aba..0000000000
--- a/modules/signal-r-service/web-pub-sub/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.6",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/sql/managed-instance/README.md b/modules/sql/managed-instance/README.md
index d40d728918..39c973eca1 100644
--- a/modules/sql/managed-instance/README.md
+++ b/modules/sql/managed-instance/README.md
@@ -1,1437 +1,7 @@
-# SQL Managed Instances `[Microsoft.Sql/managedInstances]`
+

⚠️ Moved to AVM ⚠️

-This module deploys a SQL Managed Instance. +**This module has been evolved into the following AVM module: [avm/res/sql/managed-instance](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/sql/managed-instance).** -## Navigation +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/sql/managed-instance). -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Sql/managedInstances` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances) | -| `Microsoft.Sql/managedInstances/administrators` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/administrators) | -| `Microsoft.Sql/managedInstances/databases` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/databases) | -| `Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies` | 
[2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/databases/backupLongTermRetentionPolicies) | -| `Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/databases/backupShortTermRetentionPolicies) | -| `Microsoft.Sql/managedInstances/encryptionProtector` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/encryptionProtector) | -| `Microsoft.Sql/managedInstances/keys` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/keys) | -| `Microsoft.Sql/managedInstances/securityAlertPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/securityAlertPolicies) | -| `Microsoft.Sql/managedInstances/vulnerabilityAssessments` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/vulnerabilityAssessments) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/sql.managed-instance:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [Vulnassm](#example-3-vulnassm) -- [WAF-aligned](#example-4-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. 
- - -
- -via Bicep module - -```bicep -module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-sqlmimin' - params: { - // Required parameters - administratorLogin: 'adminUserName' - administratorLoginPassword: '' - name: 'sqlmimin' - subnetId: '' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "administratorLogin": { - "value": "adminUserName" - }, - "administratorLoginPassword": { - "value": "" - }, - "name": { - "value": "sqlmimin" - }, - "subnetId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-sqlmimax' - params: { - // Required parameters - administratorLogin: 'adminUserName' - administratorLoginPassword: '' - name: 'sqlmimax' - subnetId: '' - // Non-required parameters - collation: 'SQL_Latin1_General_CP1_CI_AS' - databases: [ - { - backupLongTermRetentionPolicies: { - name: 'default' - } - backupShortTermRetentionPolicies: { - name: 'default' - } - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - name: 'sqlmimax-db-001' - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - dnsZonePartner: '' - enableDefaultTelemetry: '' - encryptionProtectorObj: { - serverKeyName: '' - serverKeyType: 'AzureKeyVault' - } - hardwareFamily: 'Gen5' - keys: [ - { - name: '' - serverKeyType: 'AzureKeyVault' - uri: '' - } - ] - licenseType: 'LicenseIncluded' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - primaryUserAssignedIdentityId: '' - proxyOverride: 'Proxy' - publicDataEndpointEnabled: false - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - securityAlertPoliciesObj: { - emailAccountAdmins: true - name: 'default' - state: 'Enabled' - } - servicePrincipal: 'SystemAssigned' - skuName: 'GP_Gen5' - skuTier: 
'GeneralPurpose' - storageSizeInGB: 32 - timezoneId: 'UTC' - vCores: 4 - vulnerabilityAssessmentsObj: { - emailSubscriptionAdmins: true - name: 'default' - recurringScansEmails: [ - 'test1@contoso.com' - 'test2@contoso.com' - ] - recurringScansIsEnabled: true - storageAccountResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "administratorLogin": { - "value": "adminUserName" - }, - "administratorLoginPassword": { - "value": "" - }, - "name": { - "value": "sqlmimax" - }, - "subnetId": { - "value": "" - }, - "collation": { - "value": "SQL_Latin1_General_CP1_CI_AS" - }, - "databases": { - "value": [ - { - "backupLongTermRetentionPolicies": { - "name": "default" - }, - "backupShortTermRetentionPolicies": { - "name": "default" - }, - "diagnosticSettings": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ], - "name": "sqlmimax-db-001" - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "dnsZonePartner": { - "value": "" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "encryptionProtectorObj": { - "value": { - "serverKeyName": "", - "serverKeyType": "AzureKeyVault" - } - }, - "hardwareFamily": { - "value": "Gen5" - }, - "keys": { - "value": [ - { - "name": "", - "serverKeyType": "AzureKeyVault", - "uri": "" - } - ] - }, - "licenseType": { - "value": "LicenseIncluded" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "primaryUserAssignedIdentityId": { - "value": "" - }, - "proxyOverride": { - "value": "Proxy" - }, - "publicDataEndpointEnabled": { - "value": false - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": 
"Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "securityAlertPoliciesObj": { - "value": { - "emailAccountAdmins": true, - "name": "default", - "state": "Enabled" - } - }, - "servicePrincipal": { - "value": "SystemAssigned" - }, - "skuName": { - "value": "GP_Gen5" - }, - "skuTier": { - "value": "GeneralPurpose" - }, - "storageSizeInGB": { - "value": 32 - }, - "timezoneId": { - "value": "UTC" - }, - "vCores": { - "value": 4 - }, - "vulnerabilityAssessmentsObj": { - "value": { - "emailSubscriptionAdmins": true, - "name": "default", - "recurringScansEmails": [ - "test1@contoso.com", - "test2@contoso.com" - ], - "recurringScansIsEnabled": true, - "storageAccountResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } - } -} -``` - -
-

- -### Example 3: _Vulnassm_ - -

- -via Bicep module - -```bicep -module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-sqlmivln' - params: { - // Required parameters - administratorLogin: 'adminUserName' - administratorLoginPassword: '' - name: 'sqlmivln' - subnetId: '' - // Non-required parameters - enableDefaultTelemetry: '' - managedIdentities: { - systemAssigned: true - } - securityAlertPoliciesObj: { - emailAccountAdmins: true - name: 'default' - state: 'Enabled' - } - vulnerabilityAssessmentsObj: { - createStorageRoleAssignment: true - emailSubscriptionAdmins: true - name: 'default' - recurringScansEmails: [ - 'test1@contoso.com' - 'test2@contoso.com' - ] - recurringScansIsEnabled: true - storageAccountResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - useStorageAccountAccessKey: false - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "administratorLogin": { - "value": "adminUserName" - }, - "administratorLoginPassword": { - "value": "" - }, - "name": { - "value": "sqlmivln" - }, - "subnetId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "managedIdentities": { - "value": { - "systemAssigned": true - } - }, - "securityAlertPoliciesObj": { - "value": { - "emailAccountAdmins": true, - "name": "default", - "state": "Enabled" - } - }, - "vulnerabilityAssessmentsObj": { - "value": { - "createStorageRoleAssignment": true, - "emailSubscriptionAdmins": true, - "name": "default", - "recurringScansEmails": [ - "test1@contoso.com", - "test2@contoso.com" - ], - "recurringScansIsEnabled": true, - "storageAccountResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - }, - "useStorageAccountAccessKey": false - } - } - } -} -``` - -
-

- -### Example 4: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-sqlmiwaf' - params: { - // Required parameters - administratorLogin: 'adminUserName' - administratorLoginPassword: '' - name: 'sqlmiwaf' - subnetId: '' - // Non-required parameters - collation: 'SQL_Latin1_General_CP1_CI_AS' - databases: [ - { - backupLongTermRetentionPolicies: { - name: 'default' - } - backupShortTermRetentionPolicies: { - name: 'default' - } - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - name: 'sqlmiwaf-db-001' - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - dnsZonePartner: '' - enableDefaultTelemetry: '' - encryptionProtectorObj: { - serverKeyName: '' - serverKeyType: 'AzureKeyVault' - } - hardwareFamily: 'Gen5' - keys: [ - { - name: '' - serverKeyType: 'AzureKeyVault' - uri: '' - } - ] - licenseType: 'LicenseIncluded' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - primaryUserAssignedIdentityId: '' - proxyOverride: 'Proxy' - publicDataEndpointEnabled: false - securityAlertPoliciesObj: { - emailAccountAdmins: true - name: 'default' - state: 'Enabled' - } - servicePrincipal: 'SystemAssigned' - skuName: 'GP_Gen5' - skuTier: 'GeneralPurpose' - storageSizeInGB: 32 - timezoneId: 'UTC' - vCores: 4 - vulnerabilityAssessmentsObj: { - emailSubscriptionAdmins: true - name: 'default' - recurringScansEmails: [ - 'test1@contoso.com' - 'test2@contoso.com' - ] - recurringScansIsEnabled: true - storageAccountResourceId: '' - tags: { - Environment: 'Non-Prod' - 
'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "administratorLogin": { - "value": "adminUserName" - }, - "administratorLoginPassword": { - "value": "" - }, - "name": { - "value": "sqlmiwaf" - }, - "subnetId": { - "value": "" - }, - "collation": { - "value": "SQL_Latin1_General_CP1_CI_AS" - }, - "databases": { - "value": [ - { - "backupLongTermRetentionPolicies": { - "name": "default" - }, - "backupShortTermRetentionPolicies": { - "name": "default" - }, - "diagnosticSettings": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ], - "name": "sqlmiwaf-db-001" - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "dnsZonePartner": { - "value": "" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "encryptionProtectorObj": { - "value": { - "serverKeyName": "", - "serverKeyType": "AzureKeyVault" - } - }, - "hardwareFamily": { - "value": "Gen5" - }, - "keys": { - "value": [ - { - "name": "", - "serverKeyType": "AzureKeyVault", - "uri": "" - } - ] - }, - "licenseType": { - "value": "LicenseIncluded" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "primaryUserAssignedIdentityId": { - "value": "" - }, - "proxyOverride": { - "value": "Proxy" - }, - "publicDataEndpointEnabled": { - "value": false - }, - "securityAlertPoliciesObj": { - "value": { - "emailAccountAdmins": true, - "name": "default", - "state": "Enabled" - } - }, - 
"servicePrincipal": { - "value": "SystemAssigned" - }, - "skuName": { - "value": "GP_Gen5" - }, - "skuTier": { - "value": "GeneralPurpose" - }, - "storageSizeInGB": { - "value": 32 - }, - "timezoneId": { - "value": "UTC" - }, - "vCores": { - "value": 4 - }, - "vulnerabilityAssessmentsObj": { - "value": { - "emailSubscriptionAdmins": true, - "name": "default", - "recurringScansEmails": [ - "test1@contoso.com", - "test2@contoso.com" - ], - "recurringScansIsEnabled": true, - "storageAccountResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`administratorLogin`](#parameter-administratorlogin) | string | The username used to establish jumpbox VMs. | -| [`administratorLoginPassword`](#parameter-administratorloginpassword) | securestring | The password given to the admin user. | -| [`name`](#parameter-name) | string | The name of the SQL managed instance. | -| [`subnetId`](#parameter-subnetid) | string | The fully qualified resource ID of the subnet on which the SQL managed instance will be placed. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`primaryUserAssignedIdentityId`](#parameter-primaryuserassignedidentityid) | string | The resource ID of a user assigned identity to be used by default. Required if "userAssignedIdentities" is not empty. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`administratorsObj`](#parameter-administratorsobj) | object | The administrator configuration. | -| [`collation`](#parameter-collation) | string | Collation of the managed instance. | -| [`databases`](#parameter-databases) | array | Databases to create in this server. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`dnsZonePartner`](#parameter-dnszonepartner) | string | The resource ID of another managed instance whose DNS zone this managed instance will share after creation. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`encryptionProtectorObj`](#parameter-encryptionprotectorobj) | object | The encryption protection configuration. | -| [`hardwareFamily`](#parameter-hardwarefamily) | string | If the service has different generations of hardware, for the same SKU, then that can be captured here. 
| -| [`instancePoolResourceId`](#parameter-instancepoolresourceid) | string | The resource ID of the instance pool this managed server belongs to. | -| [`keys`](#parameter-keys) | array | The keys to configure. | -| [`licenseType`](#parameter-licensetype) | string | The license type. Possible values are 'LicenseIncluded' (regular price inclusive of a new SQL license) and 'BasePrice' (discounted AHB price for bringing your own SQL licenses). | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`managedInstanceCreateMode`](#parameter-managedinstancecreatemode) | string | Specifies the mode of database creation. Default: Regular instance creation. Restore: Creates an instance by restoring a set of backups to specific point in time. RestorePointInTime and SourceManagedInstanceId must be specified. | -| [`minimalTlsVersion`](#parameter-minimaltlsversion) | string | Minimal TLS version allowed. | -| [`proxyOverride`](#parameter-proxyoverride) | string | Connection type used for connecting to the instance. | -| [`publicDataEndpointEnabled`](#parameter-publicdataendpointenabled) | bool | Whether or not the public data endpoint is enabled. | -| [`requestedBackupStorageRedundancy`](#parameter-requestedbackupstorageredundancy) | string | The storage account type used to store backups for this database. | -| [`restorePointInTime`](#parameter-restorepointintime) | string | Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`securityAlertPoliciesObj`](#parameter-securityalertpoliciesobj) | object | The security alert policy configuration. 
| -| [`servicePrincipal`](#parameter-serviceprincipal) | string | Service principal type. If using AD Authentication and applying Admin, must be set to `SystemAssigned`. Then Global Admin must allow Reader access to Azure AD for the Service Principal. | -| [`skuName`](#parameter-skuname) | string | The name of the SKU, typically, a letter + Number code, e.g. P3. | -| [`skuTier`](#parameter-skutier) | string | The tier or edition of the particular SKU, e.g. Basic, Premium. | -| [`sourceManagedInstanceId`](#parameter-sourcemanagedinstanceid) | string | The resource identifier of the source managed instance associated with create operation of this instance. | -| [`storageSizeInGB`](#parameter-storagesizeingb) | int | Storage size in GB. Minimum value: 32. Maximum value: 8192. Increments of 32 GB allowed only. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`timezoneId`](#parameter-timezoneid) | string | ID of the timezone. Allowed values are timezones supported by Windows. | -| [`vCores`](#parameter-vcores) | int | The number of vCores. Allowed values: 8, 16, 24, 32, 40, 64, 80. | -| [`vulnerabilityAssessmentsObj`](#parameter-vulnerabilityassessmentsobj) | object | The vulnerability assessment configuration. | -| [`zoneRedundant`](#parameter-zoneredundant) | bool | Whether or not multi-az is enabled. | - -### Parameter: `administratorLogin` - -The username used to establish jumpbox VMs. - -- Required: Yes -- Type: string - -### Parameter: `administratorLoginPassword` - -The password given to the admin user. - -- Required: Yes -- Type: securestring - -### Parameter: `name` - -The name of the SQL managed instance. - -- Required: Yes -- Type: string - -### Parameter: `subnetId` - -The fully qualified resource ID of the subnet on which the SQL managed instance will be placed. - -- Required: Yes -- Type: string - -### Parameter: `primaryUserAssignedIdentityId` - -The resource ID of a user assigned identity to be used by default. 
Required if "userAssignedIdentities" is not empty. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `administratorsObj` - -The administrator configuration. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `collation` - -Collation of the managed instance. - -- Required: No -- Type: string -- Default: `'SQL_Latin1_General_CP1_CI_AS'` - -### Parameter: `databases` - -Databases to create in this server. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `dnsZonePartner` - -The resource ID of another managed instance whose DNS zone this managed instance will share after creation. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `encryptionProtectorObj` - -The encryption protection configuration. 
- -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `hardwareFamily` - -If the service has different generations of hardware, for the same SKU, then that can be captured here. - -- Required: No -- Type: string -- Default: `'Gen5'` - -### Parameter: `instancePoolResourceId` - -The resource ID of the instance pool this managed server belongs to. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `keys` - -The keys to configure. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `licenseType` - -The license type. Possible values are 'LicenseIncluded' (regular price inclusive of a new SQL license) and 'BasePrice' (discounted AHB price for bringing your own SQL licenses). - -- Required: No -- Type: string -- Default: `'LicenseIncluded'` -- Allowed: - ```Bicep - [ - 'BasePrice' - 'LicenseIncluded' - ] - ``` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. 
| -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: No -- Type: array - -### Parameter: `managedInstanceCreateMode` - -Specifies the mode of database creation. Default: Regular instance creation. Restore: Creates an instance by restoring a set of backups to specific point in time. RestorePointInTime and SourceManagedInstanceId must be specified. - -- Required: No -- Type: string -- Default: `'Default'` -- Allowed: - ```Bicep - [ - 'Default' - 'PointInTimeRestore' - ] - ``` - -### Parameter: `minimalTlsVersion` - -Minimal TLS version allowed. - -- Required: No -- Type: string -- Default: `'1.2'` -- Allowed: - ```Bicep - [ - '1.0' - '1.1' - '1.2' - 'None' - ] - ``` - -### Parameter: `proxyOverride` - -Connection type used for connecting to the instance. - -- Required: No -- Type: string -- Default: `'Proxy'` -- Allowed: - ```Bicep - [ - 'Default' - 'Proxy' - 'Redirect' - ] - ``` - -### Parameter: `publicDataEndpointEnabled` - -Whether or not the public data endpoint is enabled. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `requestedBackupStorageRedundancy` - -The storage account type used to store backups for this database. - -- Required: No -- Type: string -- Default: `'Geo'` -- Allowed: - ```Bicep - [ - 'Geo' - 'GeoZone' - 'Local' - 'Zone' - ] - ``` - -### Parameter: `restorePointInTime` - -Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `roleAssignments` - -Array of role assignments to create. 
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
- -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `securityAlertPoliciesObj` - -The security alert policy configuration. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `servicePrincipal` - -Service principal type. If using AD Authentication and applying Admin, must be set to `SystemAssigned`. Then Global Admin must allow Reader access to Azure AD for the Service Principal. - -- Required: No -- Type: string -- Default: `'None'` -- Allowed: - ```Bicep - [ - 'None' - 'SystemAssigned' - ] - ``` - -### Parameter: `skuName` - -The name of the SKU, typically, a letter + Number code, e.g. P3. - -- Required: No -- Type: string -- Default: `'GP_Gen5'` - -### Parameter: `skuTier` - -The tier or edition of the particular SKU, e.g. Basic, Premium. - -- Required: No -- Type: string -- Default: `'GeneralPurpose'` - -### Parameter: `sourceManagedInstanceId` - -The resource identifier of the source managed instance associated with create operation of this instance. 
- -- Required: No -- Type: string -- Default: `''` - -### Parameter: `storageSizeInGB` - -Storage size in GB. Minimum value: 32. Maximum value: 8192. Increments of 32 GB allowed only. - -- Required: No -- Type: int -- Default: `32` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `timezoneId` - -ID of the timezone. Allowed values are timezones supported by Windows. - -- Required: No -- Type: string -- Default: `'UTC'` - -### Parameter: `vCores` - -The number of vCores. Allowed values: 8, 16, 24, 32, 40, 64, 80. - -- Required: No -- Type: int -- Default: `4` - -### Parameter: `vulnerabilityAssessmentsObj` - -The vulnerability assessment configuration. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `zoneRedundant` - -Whether or not multi-az is enabled. - -- Required: No -- Type: bool -- Default: `False` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed managed instance. | -| `resourceGroupName` | string | The resource group of the deployed managed instance. | -| `resourceId` | string | The resource ID of the deployed managed instance. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Considerations - -#### Networking - -SQL Managed Instance is deployed on a virtual network to a subnet that is delagated to the SQL MI service. This network is required to satisfy the requirements explained [here](https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/connectivity-architecture-overview?view=azuresql#network-requirements). - -SQL MI requires that the subnet have a Route Table and NSG assigned to it. The SQL MI service will automatically add Routes to the Route Table and Rules to the NSG once the SQL MI has been deployed. 
As a result, the parameter file for the Route Table and NSG will have to be updated afterwards with the created Routes & Rules, otherwise redeployment of the Route Table & NSG via Bicep/ARM will fail. - -#### Azure AD Authentication - -SQL MI allows for Azure AD Authentication via an [Azure AD Admin](https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell#provision-azure-ad-admin-sql-managed-instance). This requires a Service Principal to be assigned and granted Reader rights to Azure AD by an AD Admin. To do so via this module, the `servicePrincipal` parameter must be set to `SystemAssigned` and deploy the SQL MI. Afterwards an Azure AD Admin must go to the SQL MI Azure Active Directory admin page in the Azure Portal and assigned the Reader rights. Next the `administratorsObj` must be configured in the parameter file and be redeployed. +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/sql/managed-instance/administrator/README.md b/modules/sql/managed-instance/administrator/README.md deleted file mode 100644 index b6c59f67b3..0000000000 --- a/modules/sql/managed-instance/administrator/README.md +++ /dev/null 
@@ -1,88 +0,0 @@
-# SQL Managed Instances Administrator `[Microsoft.Sql/managedInstances/administrators]`
-
-This module deploys a SQL Managed Instance Administrator.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Sql/managedInstances/administrators` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/administrators) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`login`](#parameter-login) | string | Login name of the managed instance administrator. |
-| [`sid`](#parameter-sid) | string | SID (object ID) of the managed instance administrator. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`managedInstanceName`](#parameter-managedinstancename) | string | The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`tenantId`](#parameter-tenantid) | string | Tenant ID of the managed instance administrator. |
-
-### Parameter: `login`
-
-Login name of the managed instance administrator.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `sid`
-
-SID (object ID) of the managed instance administrator.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `managedInstanceName`
-
-The name of the parent SQL managed instance. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `tenantId`
-
-Tenant ID of the managed instance administrator.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed managed instance administrator. |
-| `resourceGroupName` | string | The resource group of the deployed managed instance administrator. |
-| `resourceId` | string | The resource ID of the deployed managed instance administrator. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/sql/managed-instance/administrator/main.bicep b/modules/sql/managed-instance/administrator/main.bicep
deleted file mode 100644
index ccac8ce6ed..0000000000
--- a/modules/sql/managed-instance/administrator/main.bicep
+++ /dev/null
@@ -1,54 +0,0 @@
-metadata name = 'SQL Managed Instances Administrator'
-metadata description = 'This module deploys a SQL Managed Instance Administrator.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent SQL managed instance. Required if the template is used in a standalone deployment.')
-param managedInstanceName string
-
-@description('Required. Login name of the managed instance administrator.')
-param login string
-
-@description('Required. SID (object ID) of the managed instance administrator.')
-param sid string
-
-@description('Optional. Tenant ID of the managed instance administrator.')
-param tenantId string = ''
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' existing = {
- name: managedInstanceName
-}
-
-resource administrator 'Microsoft.Sql/managedInstances/administrators@2022-05-01-preview' = {
- name: 'ActiveDirectory'
- parent: managedInstance
- properties: {
- administratorType: 'ActiveDirectory'
- login: login
- sid: sid
- tenantId: tenantId
- }
-}
-
-@description('The name of the deployed managed instance administrator.')
-output name string = administrator.name
-
-@description('The resource ID of the deployed managed instance administrator.')
-output resourceId string = administrator.id
-
-@description('The resource group of the deployed managed instance administrator.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/sql/managed-instance/administrator/main.json b/modules/sql/managed-instance/administrator/main.json
deleted file mode 100644
index ef471a0da8..0000000000
--- a/modules/sql/managed-instance/administrator/main.json
+++ /dev/null
@@ -1,98 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13377515851590815602" - }, - "name": "SQL Managed Instances Administrator", - "description": "This module deploys a SQL Managed Instance Administrator.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "managedInstanceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL managed instance. Required if the template is used in a standalone deployment." - } - }, - "login": { - "type": "string", - "metadata": { - "description": "Required. Login name of the managed instance administrator." - } - }, - "sid": { - "type": "string", - "metadata": { - "description": "Required. SID (object ID) of the managed instance administrator." - } - }, - "tenantId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Tenant ID of the managed instance administrator." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/managedInstances/administrators", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}', parameters('managedInstanceName'), 'ActiveDirectory')]", - "properties": { - "administratorType": "ActiveDirectory", - "login": "[parameters('login')]", - "sid": "[parameters('sid')]", - "tenantId": "[parameters('tenantId')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed managed instance administrator." - }, - "value": "ActiveDirectory" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed managed instance administrator." - }, - "value": "[resourceId('Microsoft.Sql/managedInstances/administrators', parameters('managedInstanceName'), 'ActiveDirectory')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed managed instance administrator." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/sql/managed-instance/administrator/version.json b/modules/sql/managed-instance/administrator/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/sql/managed-instance/administrator/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/sql/managed-instance/database/README.md b/modules/sql/managed-instance/database/README.md
deleted file mode 100644
index a7d39cc286..0000000000
--- a/modules/sql/managed-instance/database/README.md
+++ /dev/null
@@ -1,332 +0,0 @@ -# SQL Managed Instance Databases `[Microsoft.Sql/managedInstances/databases]` - -This module deploys a SQL Managed Instance Database. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Sql/managedInstances/databases` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/databases) | -| `Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/databases/backupLongTermRetentionPolicies) | -| `Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/databases/backupShortTermRetentionPolicies) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the SQL managed instance database. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`longTermRetentionBackupResourceId`](#parameter-longtermretentionbackupresourceid) | string | The resource ID of the Long Term Retention backup to be used for restore of this managed database. Required if createMode is RestoreLongTermRetentionBackup. 
| -| [`managedInstanceName`](#parameter-managedinstancename) | string | The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. | -| [`recoverableDatabaseId`](#parameter-recoverabledatabaseid) | string | The resource identifier of the recoverable database associated with create operation of this database. Required if createMode is Recovery. | -| [`restorePointInTime`](#parameter-restorepointintime) | string | Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database. Required if createMode is PointInTimeRestore. | -| [`sourceDatabaseId`](#parameter-sourcedatabaseid) | string | The resource identifier of the source database associated with create operation of this database. Required if createMode is PointInTimeRestore. | -| [`storageContainerSasToken`](#parameter-storagecontainersastoken) | string | Specifies the storage container sas token. Required if createMode is RestoreExternalBackup. | -| [`storageContainerUri`](#parameter-storagecontaineruri) | string | Specifies the uri of the storage container where backups for this restore are stored. Required if createMode is RestoreExternalBackup. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`backupLongTermRetentionPoliciesObj`](#parameter-backuplongtermretentionpoliciesobj) | object | The configuration for the backup long term retention policy definition. | -| [`backupShortTermRetentionPoliciesObj`](#parameter-backupshorttermretentionpoliciesobj) | object | The configuration for the backup short term retention policy definition. | -| [`catalogCollation`](#parameter-catalogcollation) | string | Collation of the managed instance. | -| [`collation`](#parameter-collation) | string | Collation of the managed instance database. | -| [`createMode`](#parameter-createmode) | string | Managed database create mode. 
PointInTimeRestore: Create a database by restoring a point in time backup of an existing database. SourceDatabaseName, SourceManagedInstanceName and PointInTime must be specified. RestoreExternalBackup: Create a database by restoring from external backup files. Collation, StorageContainerUri and StorageContainerSasToken must be specified. Recovery: Creates a database by restoring a geo-replicated backup. RecoverableDatabaseId must be specified as the recoverable database resource ID to restore. RestoreLongTermRetentionBackup: Create a database by restoring from a long term retention backup (longTermRetentionBackupResourceId required). | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`restorableDroppedDatabaseId`](#parameter-restorabledroppeddatabaseid) | string | The restorable dropped database resource ID to restore when creating this database. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `name` - -The name of the SQL managed instance database. - -- Required: Yes -- Type: string - -### Parameter: `longTermRetentionBackupResourceId` - -The resource ID of the Long Term Retention backup to be used for restore of this managed database. Required if createMode is RestoreLongTermRetentionBackup. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `managedInstanceName` - -The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `recoverableDatabaseId` - -The resource identifier of the recoverable database associated with create operation of this database. 
Required if createMode is Recovery. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `restorePointInTime` - -Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database. Required if createMode is PointInTimeRestore. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `sourceDatabaseId` - -The resource identifier of the source database associated with create operation of this database. Required if createMode is PointInTimeRestore. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `storageContainerSasToken` - -Specifies the storage container sas token. Required if createMode is RestoreExternalBackup. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `storageContainerUri` - -Specifies the uri of the storage container where backups for this restore are stored. Required if createMode is RestoreExternalBackup. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `backupLongTermRetentionPoliciesObj` - -The configuration for the backup long term retention policy definition. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `backupShortTermRetentionPoliciesObj` - -The configuration for the backup short term retention policy definition. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `catalogCollation` - -Collation of the managed instance. - -- Required: No -- Type: string -- Default: `'SQL_Latin1_General_CP1_CI_AS'` - -### Parameter: `collation` - -Collation of the managed instance database. - -- Required: No -- Type: string -- Default: `'SQL_Latin1_General_CP1_CI_AS'` - -### Parameter: `createMode` - -Managed database create mode. PointInTimeRestore: Create a database by restoring a point in time backup of an existing database. SourceDatabaseName, SourceManagedInstanceName and PointInTime must be specified. RestoreExternalBackup: Create a database by restoring from external backup files. 
Collation, StorageContainerUri and StorageContainerSasToken must be specified. Recovery: Creates a database by restoring a geo-replicated backup. RecoverableDatabaseId must be specified as the recoverable database resource ID to restore. RestoreLongTermRetentionBackup: Create a database by restoring from a long term retention backup (longTermRetentionBackupResourceId required). - -- Required: No -- Type: string -- Default: `'Default'` -- Allowed: - ```Bicep - [ - 'Default' - 'PointInTimeRestore' - 'Recovery' - 'RestoreExternalBackup' - 'RestoreLongTermRetentionBackup' - ] - ``` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. 
- -- Required: No -- Type: string - -### Parameter: `restorableDroppedDatabaseId` - -The restorable dropped database resource ID to restore when creating this database. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed database. | -| `resourceGroupName` | string | The resource group the database was deployed into. | -| `resourceId` | string | The resource ID of the deployed database. | - -## Cross-referenced modules - -_None_ diff --git a/modules/sql/managed-instance/database/backup-long-term-retention-policy/README.md b/modules/sql/managed-instance/database/backup-long-term-retention-policy/README.md deleted file mode 100644 index 8baceaa025..0000000000 --- a/modules/sql/managed-instance/database/backup-long-term-retention-policy/README.md +++ /dev/null 
@@ -1,115 +0,0 @@ -# SQL Managed Instance Database Backup Long-Term Retention Policies `[Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies]` - -This module deploys a SQL Managed Instance Database Backup Long-Term Retention Policy. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/databases/backupLongTermRetentionPolicies) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the Long Term Retention backup policy. For example "default". | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`databaseName`](#parameter-databasename) | string | The name of the parent managed instance database. Required if the template is used in a standalone deployment. | -| [`managedInstanceName`](#parameter-managedinstancename) | string | The name of the parent managed instance. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`monthlyRetention`](#parameter-monthlyretention) | string | The monthly retention policy for an LTR backup in an ISO 8601 format. | -| [`weeklyRetention`](#parameter-weeklyretention) | string | The weekly retention policy for an LTR backup in an ISO 8601 format. | -| [`weekOfYear`](#parameter-weekofyear) | int | The week of year to take the yearly backup in an ISO 8601 format. 
| -| [`yearlyRetention`](#parameter-yearlyretention) | string | The yearly retention policy for an LTR backup in an ISO 8601 format. | - -### Parameter: `name` - -The name of the Long Term Retention backup policy. For example "default". - -- Required: Yes -- Type: string - -### Parameter: `databaseName` - -The name of the parent managed instance database. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `managedInstanceName` - -The name of the parent managed instance. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `monthlyRetention` - -The monthly retention policy for an LTR backup in an ISO 8601 format. - -- Required: No -- Type: string -- Default: `'P1Y'` - -### Parameter: `weeklyRetention` - -The weekly retention policy for an LTR backup in an ISO 8601 format. - -- Required: No -- Type: string -- Default: `'P1M'` - -### Parameter: `weekOfYear` - -The week of year to take the yearly backup in an ISO 8601 format. - -- Required: No -- Type: int -- Default: `5` - -### Parameter: `yearlyRetention` - -The yearly retention policy for an LTR backup in an ISO 8601 format. - -- Required: No -- Type: string -- Default: `'P5Y'` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed database backup long-term retention policy. | -| `resourceGroupName` | string | The resource group of the deployed database backup long-term retention policy. | -| `resourceId` | string | The resource ID of the deployed database backup long-term retention policy. | - -## Cross-referenced modules - -_None_ 
diff --git a/modules/sql/managed-instance/database/backup-long-term-retention-policy/main.bicep b/modules/sql/managed-instance/database/backup-long-term-retention-policy/main.bicep
deleted file mode 100644
index e72c24bfc2..0000000000
--- a/modules/sql/managed-instance/database/backup-long-term-retention-policy/main.bicep
+++ /dev/null
@@ -1,67 +0,0 @@
-metadata name = 'SQL Managed Instance Database Backup Long-Term Retention Policies'
-metadata description = 'This module deploys a SQL Managed Instance Database Backup Long-Term Retention Policy.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the Long Term Retention backup policy. For example "default".')
-param name string
-
-@description('Conditional. The name of the parent managed instance database. Required if the template is used in a standalone deployment.')
-param databaseName string
-
-@description('Conditional. The name of the parent managed instance. Required if the template is used in a standalone deployment.')
-param managedInstanceName string
-
-@description('Optional. The week of year to take the yearly backup in an ISO 8601 format.')
-param weekOfYear int = 5
-
-@description('Optional. The weekly retention policy for an LTR backup in an ISO 8601 format.')
-param weeklyRetention string = 'P1M'
-
-@description('Optional. The monthly retention policy for an LTR backup in an ISO 8601 format.')
-param monthlyRetention string = 'P1Y'
-
-@description('Optional. The yearly retention policy for an LTR backup in an ISO 8601 format.')
-param yearlyRetention string = 'P5Y'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' existing = {
- name: managedInstanceName
-
- resource managedInstaceDatabase 'databases@2022-05-01-preview' existing = {
- name: databaseName
- }
-}
-
-resource backupLongTermRetentionPolicy 'Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies@2022-05-01-preview' = {
- name: name
- parent: managedInstance::managedInstaceDatabase
- properties: {
- monthlyRetention: monthlyRetention
- weeklyRetention: weeklyRetention
- weekOfYear: weekOfYear
- yearlyRetention: yearlyRetention
- }
-}
-
-@description('The name of the deployed database backup long-term retention policy.')
-output name string = backupLongTermRetentionPolicy.name
-
-@description('The resource ID of the deployed database backup long-term retention policy.')
-output resourceId string = backupLongTermRetentionPolicy.id
-
-@description('The resource group of the deployed database backup long-term retention policy.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/sql/managed-instance/database/backup-long-term-retention-policy/main.json b/modules/sql/managed-instance/database/backup-long-term-retention-policy/main.json
deleted file mode 100644
index 1c6f131763..0000000000
--- a/modules/sql/managed-instance/database/backup-long-term-retention-policy/main.json
+++ /dev/null
@@ -1,119 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16019450329698749532" - }, - "name": "SQL Managed Instance Database Backup Long-Term Retention Policies", - "description": "This module deploys a SQL Managed Instance Database Backup Long-Term Retention Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Long Term Retention backup policy. For example \"default\"." - } - }, - "databaseName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent managed instance database. Required if the template is used in a standalone deployment." - } - }, - "managedInstanceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent managed instance. Required if the template is used in a standalone deployment." - } - }, - "weekOfYear": { - "type": "int", - "defaultValue": 5, - "metadata": { - "description": "Optional. The week of year to take the yearly backup in an ISO 8601 format." - } - }, - "weeklyRetention": { - "type": "string", - "defaultValue": "P1M", - "metadata": { - "description": "Optional. The weekly retention policy for an LTR backup in an ISO 8601 format." - } - }, - "monthlyRetention": { - "type": "string", - "defaultValue": "P1Y", - "metadata": { - "description": "Optional. The monthly retention policy for an LTR backup in an ISO 8601 format." - } - }, - "yearlyRetention": { - "type": "string", - "defaultValue": "P5Y", - "metadata": { - "description": "Optional. The yearly retention policy for an LTR backup in an ISO 8601 format." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. 
Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}/{2}', parameters('managedInstanceName'), parameters('databaseName'), parameters('name'))]", - "properties": { - "monthlyRetention": "[parameters('monthlyRetention')]", - "weeklyRetention": "[parameters('weeklyRetention')]", - "weekOfYear": "[parameters('weekOfYear')]", - "yearlyRetention": "[parameters('yearlyRetention')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed database backup long-term retention policy." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed database backup long-term retention policy." - }, - "value": "[resourceId('Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies', parameters('managedInstanceName'), parameters('databaseName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed database backup long-term retention policy." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file 
diff --git a/modules/sql/managed-instance/database/backup-long-term-retention-policy/version.json b/modules/sql/managed-instance/database/backup-long-term-retention-policy/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/sql/managed-instance/database/backup-long-term-retention-policy/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/sql/managed-instance/database/backup-short-term-retention-policy/README.md b/modules/sql/managed-instance/database/backup-short-term-retention-policy/README.md
deleted file mode 100644
index b2dd3475e3..0000000000
--- a/modules/sql/managed-instance/database/backup-short-term-retention-policy/README.md
+++ /dev/null
@@ -1,88 +0,0 @@ -# SQL Managed Instance Database Backup Short-Term Retention Policies `[Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies]` - -This module deploys a SQL Managed Instance Database Backup Short-Term Retention Policy. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/databases/backupShortTermRetentionPolicies) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the Short Term Retention backup policy. For example "default". | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`databaseName`](#parameter-databasename) | string | The name of the parent SQL managed instance database. Required if the template is used in a standalone deployment. | -| [`managedInstanceName`](#parameter-managedinstancename) | string | The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`retentionDays`](#parameter-retentiondays) | int | The backup retention period in days. This is how many days Point-in-Time Restore will be supported. | - -### Parameter: `name` - -The name of the Short Term Retention backup policy. For example "default". 
- -- Required: Yes -- Type: string - -### Parameter: `databaseName` - -The name of the parent SQL managed instance database. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `managedInstanceName` - -The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `retentionDays` - -The backup retention period in days. This is how many days Point-in-Time Restore will be supported. - -- Required: No -- Type: int -- Default: `35` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed database backup short-term retention policy. | -| `resourceGroupName` | string | The resource group of the deployed database backup short-term retention policy. | -| `resourceId` | string | The resource ID of the deployed database backup short-term retention policy. | - -## Cross-referenced modules - -_None_ diff --git a/modules/sql/managed-instance/database/backup-short-term-retention-policy/main.bicep b/modules/sql/managed-instance/database/backup-short-term-retention-policy/main.bicep deleted file mode 100644 index 3d279edffd..0000000000 --- a/modules/sql/managed-instance/database/backup-short-term-retention-policy/main.bicep +++ /dev/null 
@@ -1,55 +0,0 @@
-metadata name = 'SQL Managed Instance Database Backup Short-Term Retention Policies'
-metadata description = 'This module deploys a SQL Managed Instance Database Backup Short-Term Retention Policy.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the Short Term Retention backup policy. For example "default".')
-param name string
-
-@description('Conditional. The name of the parent SQL managed instance database. Required if the template is used in a standalone deployment.')
-param databaseName string
-
-@description('Conditional. The name of the parent SQL managed instance. Required if the template is used in a standalone deployment.')
-param managedInstanceName string
-
-@description('Optional. The backup retention period in days. This is how many days Point-in-Time Restore will be supported.')
-param retentionDays int = 35
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' existing = {
- name: managedInstanceName
-
- resource managedInstaceDatabase 'databases@2022-05-01-preview' existing = {
- name: databaseName
- }
-}
-
-resource backupShortTermRetentionPolicy 'Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies@2022-05-01-preview' = {
- name: name
- parent: managedInstance::managedInstaceDatabase
- properties: {
- retentionDays: retentionDays
- }
-}
-
-@description('The name of the deployed database backup short-term retention policy.')
-output name string = backupShortTermRetentionPolicy.name
-
-@description('The resource ID of the deployed database backup short-term retention policy.')
-output resourceId string = backupShortTermRetentionPolicy.id
-
-@description('The resource group of the deployed database backup short-term retention policy.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/sql/managed-instance/database/backup-short-term-retention-policy/main.json b/modules/sql/managed-instance/database/backup-short-term-retention-policy/main.json
deleted file mode 100644
index bef1c487f2..0000000000
--- a/modules/sql/managed-instance/database/backup-short-term-retention-policy/main.json
+++ /dev/null
@@ -1,95 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11209046177276627049" - }, - "name": "SQL Managed Instance Database Backup Short-Term Retention Policies", - "description": "This module deploys a SQL Managed Instance Database Backup Short-Term Retention Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Short Term Retention backup policy. For example \"default\"." - } - }, - "databaseName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL managed instance database. Required if the template is used in a standalone deployment." - } - }, - "managedInstanceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL managed instance. Required if the template is used in a standalone deployment." - } - }, - "retentionDays": { - "type": "int", - "defaultValue": 35, - "metadata": { - "description": "Optional. The backup retention period in days. This is how many days Point-in-Time Restore will be supported." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}/{2}', parameters('managedInstanceName'), parameters('databaseName'), parameters('name'))]", - "properties": { - "retentionDays": "[parameters('retentionDays')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed database backup short-term retention policy." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed database backup short-term retention policy." - }, - "value": "[resourceId('Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies', parameters('managedInstanceName'), parameters('databaseName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed database backup short-term retention policy." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/sql/managed-instance/database/backup-short-term-retention-policy/version.json b/modules/sql/managed-instance/database/backup-short-term-retention-policy/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/sql/managed-instance/database/backup-short-term-retention-policy/version.json +++ /dev/null 
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/sql/managed-instance/database/main.bicep b/modules/sql/managed-instance/database/main.bicep
deleted file mode 100644
index d48ab2e7e9..0000000000
--- a/modules/sql/managed-instance/database/main.bicep
+++ /dev/null
@@ -1,213 +0,0 @@ -metadata name = 'SQL Managed Instance Databases' -metadata description = 'This module deploys a SQL Managed Instance Database.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. The name of the SQL managed instance database.') -param name string - -@description('Conditional. The name of the parent SQL managed instance. Required if the template is used in a standalone deployment.') -param managedInstanceName string - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. Collation of the managed instance database.') -param collation string = 'SQL_Latin1_General_CP1_CI_AS' - -@description('Optional. Collation of the managed instance.') -param catalogCollation string = 'SQL_Latin1_General_CP1_CI_AS' - -@description('Optional. Managed database create mode. PointInTimeRestore: Create a database by restoring a point in time backup of an existing database. SourceDatabaseName, SourceManagedInstanceName and PointInTime must be specified. RestoreExternalBackup: Create a database by restoring from external backup files. Collation, StorageContainerUri and StorageContainerSasToken must be specified. Recovery: Creates a database by restoring a geo-replicated backup. RecoverableDatabaseId must be specified as the recoverable database resource ID to restore. RestoreLongTermRetentionBackup: Create a database by restoring from a long term retention backup (longTermRetentionBackupResourceId required).') -@allowed([ - 'Default' - 'RestoreExternalBackup' - 'PointInTimeRestore' - 'Recovery' - 'RestoreLongTermRetentionBackup' -]) -param createMode string = 'Default' - -@description('Conditional. The resource identifier of the source database associated with create operation of this database. Required if createMode is PointInTimeRestore.') -param sourceDatabaseId string = '' - -@description('Conditional. 
Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database. Required if createMode is PointInTimeRestore.') -param restorePointInTime string = '' - -@description('Optional. The restorable dropped database resource ID to restore when creating this database.') -param restorableDroppedDatabaseId string = '' - -@description('Conditional. Specifies the uri of the storage container where backups for this restore are stored. Required if createMode is RestoreExternalBackup.') -param storageContainerUri string = '' - -@description('Conditional. Specifies the storage container sas token. Required if createMode is RestoreExternalBackup.') -param storageContainerSasToken string = '' - -@description('Conditional. The resource identifier of the recoverable database associated with create operation of this database. Required if createMode is Recovery.') -param recoverableDatabaseId string = '' - -@description('Conditional. The resource ID of the Long Term Retention backup to be used for restore of this managed database. Required if createMode is RestoreLongTermRetentionBackup.') -param longTermRetentionBackupResourceId string = '' - -@description('Optional. The diagnostic settings of the service.') -param diagnosticSettings diagnosticSettingType - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. The configuration for the backup short term retention policy definition.') -param backupShortTermRetentionPoliciesObj object = {} - -@description('Optional. The configuration for the backup long term retention policy definition.') -param backupLongTermRetentionPoliciesObj object = {} - -@description('Optional. Tags of the resource.') -param tags object? - -@description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var enableReferencedModulesTelemetry = false - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' existing = { - name: managedInstanceName -} - -resource database 'Microsoft.Sql/managedInstances/databases@2022-05-01-preview' = { - name: name - parent: managedInstance - location: location - tags: tags - properties: { - collation: empty(collation) ? null : collation - restorePointInTime: empty(restorePointInTime) ? null : restorePointInTime - catalogCollation: empty(catalogCollation) ? null : catalogCollation - createMode: empty(createMode) ? null : createMode - storageContainerUri: empty(storageContainerUri) ? null : storageContainerUri - sourceDatabaseId: empty(sourceDatabaseId) ? null : sourceDatabaseId - restorableDroppedDatabaseId: empty(restorableDroppedDatabaseId) ? null : restorableDroppedDatabaseId - storageContainerSasToken: empty(storageContainerSasToken) ? null : storageContainerSasToken - recoverableDatabaseId: empty(recoverableDatabaseId) ? null : recoverableDatabaseId - longTermRetentionBackupResourceId: empty(longTermRetentionBackupResourceId) ? null : longTermRetentionBackupResourceId - } -} - -resource database_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' 
: 'Cannot delete or modify the resource or child resources.' - } - scope: database -} - -resource database_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { - name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' - properties: { - storageAccountId: diagnosticSetting.?storageAccountResourceId - workspaceId: diagnosticSetting.?workspaceResourceId - eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId - eventHubName: diagnosticSetting.?eventHubName - logs: diagnosticSetting.?logCategoriesAndGroups ?? [ - { - categoryGroup: 'AllLogs' - enabled: true - } - ] - marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId - logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType - } - scope: database -}] - -module database_backupShortTermRetentionPolicy 'backup-short-term-retention-policy/main.bicep' = if (!empty(backupShortTermRetentionPoliciesObj)) { - name: '${deployment().name}-BackupShortTRetPol' - params: { - managedInstanceName: managedInstanceName - databaseName: last(split(database.name, '/'))! - name: backupShortTermRetentionPoliciesObj.name - retentionDays: contains(backupShortTermRetentionPoliciesObj, 'retentionDays') ? backupShortTermRetentionPoliciesObj.retentionDays : 35 - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -} - -module database_backupLongTermRetentionPolicy 'backup-long-term-retention-policy/main.bicep' = if (!empty(backupLongTermRetentionPoliciesObj)) { - name: '${deployment().name}-BackupLongTRetPol' - params: { - managedInstanceName: managedInstanceName - databaseName: last(split(database.name, '/'))! - name: backupLongTermRetentionPoliciesObj.name - weekOfYear: contains(backupLongTermRetentionPoliciesObj, 'weekOfYear') ? backupLongTermRetentionPoliciesObj.weekOfYear : 5 - weeklyRetention: contains(backupLongTermRetentionPoliciesObj, 'weeklyRetention') ? 
backupLongTermRetentionPoliciesObj.weeklyRetention : 'P1M' - monthlyRetention: contains(backupLongTermRetentionPoliciesObj, 'monthlyRetention') ? backupLongTermRetentionPoliciesObj.monthlyRetention : 'P1Y' - yearlyRetention: contains(backupLongTermRetentionPoliciesObj, 'yearlyRetention') ? backupLongTermRetentionPoliciesObj.yearlyRetention : 'P5Y' - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -} - -@description('The name of the deployed database.') -output name string = database.name - -@description('The resource ID of the deployed database.') -output resourceId string = database.id - -@description('The resource group the database was deployed into.') -output resourceGroupName string = resourceGroup().name - -@description('The location the resource was deployed into.') -output location string = database.location - -// =============== // -// Definitions // -// =============== // - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type diagnosticSettingType = { - @description('Optional. The name of diagnostic setting.') - name: string? - - @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') - logCategoriesAndGroups: { - @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') - category: string? - - @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') - categoryGroup: string? - }[]? - - @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? - - @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - workspaceResourceId: string? - - @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - storageAccountResourceId: string? - - @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') - eventHubAuthorizationRuleResourceId: string? - - @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - eventHubName: string? - - @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') - marketplacePartnerResourceId: string? -}[]? diff --git a/modules/sql/managed-instance/database/main.json b/modules/sql/managed-instance/database/main.json deleted file mode 100644 index 29e8fad7ba..0000000000 --- a/modules/sql/managed-instance/database/main.json +++ /dev/null 
@@ -1,658 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4106645650177315472" - }, - "name": "SQL Managed Instance Databases", - "description": "This module deploys a SQL Managed Instance Database.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." 
- } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." 
- } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the SQL managed instance database." - } - }, - "managedInstanceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL managed instance. Required if the template is used in a standalone deployment." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "collation": { - "type": "string", - "defaultValue": "SQL_Latin1_General_CP1_CI_AS", - "metadata": { - "description": "Optional. Collation of the managed instance database." - } - }, - "catalogCollation": { - "type": "string", - "defaultValue": "SQL_Latin1_General_CP1_CI_AS", - "metadata": { - "description": "Optional. Collation of the managed instance." - } - }, - "createMode": { - "type": "string", - "defaultValue": "Default", - "allowedValues": [ - "Default", - "RestoreExternalBackup", - "PointInTimeRestore", - "Recovery", - "RestoreLongTermRetentionBackup" - ], - "metadata": { - "description": "Optional. Managed database create mode. PointInTimeRestore: Create a database by restoring a point in time backup of an existing database. SourceDatabaseName, SourceManagedInstanceName and PointInTime must be specified. RestoreExternalBackup: Create a database by restoring from external backup files. Collation, StorageContainerUri and StorageContainerSasToken must be specified. Recovery: Creates a database by restoring a geo-replicated backup. RecoverableDatabaseId must be specified as the recoverable database resource ID to restore. RestoreLongTermRetentionBackup: Create a database by restoring from a long term retention backup (longTermRetentionBackupResourceId required)." - } - }, - "sourceDatabaseId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. 
The resource identifier of the source database associated with create operation of this database. Required if createMode is PointInTimeRestore." - } - }, - "restorePointInTime": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database. Required if createMode is PointInTimeRestore." - } - }, - "restorableDroppedDatabaseId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The restorable dropped database resource ID to restore when creating this database." - } - }, - "storageContainerUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. Specifies the uri of the storage container where backups for this restore are stored. Required if createMode is RestoreExternalBackup." - } - }, - "storageContainerSasToken": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. Specifies the storage container sas token. Required if createMode is RestoreExternalBackup." - } - }, - "recoverableDatabaseId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The resource identifier of the recoverable database associated with create operation of this database. Required if createMode is Recovery." - } - }, - "longTermRetentionBackupResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The resource ID of the Long Term Retention backup to be used for restore of this managed database. Required if createMode is RestoreLongTermRetentionBackup." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. 
The lock settings of the service." - } - }, - "backupShortTermRetentionPoliciesObj": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The configuration for the backup short term retention policy definition." - } - }, - "backupLongTermRetentionPoliciesObj": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The configuration for the backup long term retention policy definition." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "managedInstance": { - "existing": true, - "type": "Microsoft.Sql/managedInstances", - "apiVersion": "2022-05-01-preview", - "name": "[parameters('managedInstanceName')]" - }, - "database": { - "type": "Microsoft.Sql/managedInstances/databases", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}', parameters('managedInstanceName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "collation": "[if(empty(parameters('collation')), null(), parameters('collation'))]", - "restorePointInTime": "[if(empty(parameters('restorePointInTime')), null(), 
parameters('restorePointInTime'))]", - "catalogCollation": "[if(empty(parameters('catalogCollation')), null(), parameters('catalogCollation'))]", - "createMode": "[if(empty(parameters('createMode')), null(), parameters('createMode'))]", - "storageContainerUri": "[if(empty(parameters('storageContainerUri')), null(), parameters('storageContainerUri'))]", - "sourceDatabaseId": "[if(empty(parameters('sourceDatabaseId')), null(), parameters('sourceDatabaseId'))]", - "restorableDroppedDatabaseId": "[if(empty(parameters('restorableDroppedDatabaseId')), null(), parameters('restorableDroppedDatabaseId'))]", - "storageContainerSasToken": "[if(empty(parameters('storageContainerSasToken')), null(), parameters('storageContainerSasToken'))]", - "recoverableDatabaseId": "[if(empty(parameters('recoverableDatabaseId')), null(), parameters('recoverableDatabaseId'))]", - "longTermRetentionBackupResourceId": "[if(empty(parameters('longTermRetentionBackupResourceId')), null(), parameters('longTermRetentionBackupResourceId'))]" - }, - "dependsOn": [ - "managedInstance" - ] - }, - "database_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Sql/managedInstances/{0}/databases/{1}', parameters('managedInstanceName'), parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "database" - ] - }, - "database_diagnosticSettings": { - "copy": { - "name": "database_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), 
createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Sql/managedInstances/{0}/databases/{1}', parameters('managedInstanceName'), parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "database" - ] - }, - "database_backupShortTermRetentionPolicy": { - "condition": "[not(empty(parameters('backupShortTermRetentionPoliciesObj')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-BackupShortTRetPol', deployment().name)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "managedInstanceName": { - "value": "[parameters('managedInstanceName')]" - }, - "databaseName": { - "value": 
"[last(split(parameters('name'), '/'))]" - }, - "name": { - "value": "[parameters('backupShortTermRetentionPoliciesObj').name]" - }, - "retentionDays": "[if(contains(parameters('backupShortTermRetentionPoliciesObj'), 'retentionDays'), createObject('value', parameters('backupShortTermRetentionPoliciesObj').retentionDays), createObject('value', 35))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11209046177276627049" - }, - "name": "SQL Managed Instance Database Backup Short-Term Retention Policies", - "description": "This module deploys a SQL Managed Instance Database Backup Short-Term Retention Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Short Term Retention backup policy. For example \"default\"." - } - }, - "databaseName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL managed instance database. Required if the template is used in a standalone deployment." - } - }, - "managedInstanceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL managed instance. Required if the template is used in a standalone deployment." - } - }, - "retentionDays": { - "type": "int", - "defaultValue": 35, - "metadata": { - "description": "Optional. The backup retention period in days. This is how many days Point-in-Time Restore will be supported." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}/{2}', parameters('managedInstanceName'), parameters('databaseName'), parameters('name'))]", - "properties": { - "retentionDays": "[parameters('retentionDays')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed database backup short-term retention policy." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed database backup short-term retention policy." - }, - "value": "[resourceId('Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies', parameters('managedInstanceName'), parameters('databaseName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed database backup short-term retention policy." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "database" - ] - }, - "database_backupLongTermRetentionPolicy": { - "condition": "[not(empty(parameters('backupLongTermRetentionPoliciesObj')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-BackupLongTRetPol', deployment().name)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "managedInstanceName": { - "value": "[parameters('managedInstanceName')]" - }, - "databaseName": { - "value": "[last(split(parameters('name'), '/'))]" - }, - "name": { - "value": "[parameters('backupLongTermRetentionPoliciesObj').name]" - }, - "weekOfYear": "[if(contains(parameters('backupLongTermRetentionPoliciesObj'), 'weekOfYear'), createObject('value', parameters('backupLongTermRetentionPoliciesObj').weekOfYear), createObject('value', 5))]", - "weeklyRetention": "[if(contains(parameters('backupLongTermRetentionPoliciesObj'), 'weeklyRetention'), createObject('value', parameters('backupLongTermRetentionPoliciesObj').weeklyRetention), createObject('value', 'P1M'))]", - "monthlyRetention": "[if(contains(parameters('backupLongTermRetentionPoliciesObj'), 'monthlyRetention'), createObject('value', parameters('backupLongTermRetentionPoliciesObj').monthlyRetention), createObject('value', 'P1Y'))]", - "yearlyRetention": "[if(contains(parameters('backupLongTermRetentionPoliciesObj'), 'yearlyRetention'), createObject('value', parameters('backupLongTermRetentionPoliciesObj').yearlyRetention), createObject('value', 'P5Y'))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16019450329698749532" - }, - 
"name": "SQL Managed Instance Database Backup Long-Term Retention Policies", - "description": "This module deploys a SQL Managed Instance Database Backup Long-Term Retention Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Long Term Retention backup policy. For example \"default\"." - } - }, - "databaseName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent managed instance database. Required if the template is used in a standalone deployment." - } - }, - "managedInstanceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent managed instance. Required if the template is used in a standalone deployment." - } - }, - "weekOfYear": { - "type": "int", - "defaultValue": 5, - "metadata": { - "description": "Optional. The week of year to take the yearly backup in an ISO 8601 format." - } - }, - "weeklyRetention": { - "type": "string", - "defaultValue": "P1M", - "metadata": { - "description": "Optional. The weekly retention policy for an LTR backup in an ISO 8601 format." - } - }, - "monthlyRetention": { - "type": "string", - "defaultValue": "P1Y", - "metadata": { - "description": "Optional. The monthly retention policy for an LTR backup in an ISO 8601 format." - } - }, - "yearlyRetention": { - "type": "string", - "defaultValue": "P5Y", - "metadata": { - "description": "Optional. The yearly retention policy for an LTR backup in an ISO 8601 format." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}/{2}', parameters('managedInstanceName'), parameters('databaseName'), parameters('name'))]", - "properties": { - "monthlyRetention": "[parameters('monthlyRetention')]", - "weeklyRetention": "[parameters('weeklyRetention')]", - "weekOfYear": "[parameters('weekOfYear')]", - "yearlyRetention": "[parameters('yearlyRetention')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed database backup long-term retention policy." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed database backup long-term retention policy." - }, - "value": "[resourceId('Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies', parameters('managedInstanceName'), parameters('databaseName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed database backup long-term retention policy." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "database" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed database." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed database." - }, - "value": "[resourceId('Microsoft.Sql/managedInstances/databases', parameters('managedInstanceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the database was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('database', '2022-05-01-preview', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/sql/managed-instance/database/version.json b/modules/sql/managed-instance/database/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/sql/managed-instance/database/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/sql/managed-instance/encryption-protector/README.md b/modules/sql/managed-instance/encryption-protector/README.md deleted file mode 100644 index 1d1125961d..0000000000 --- a/modules/sql/managed-instance/encryption-protector/README.md +++ /dev/null 
@@ -1,96 +0,0 @@
-# SQL Managed Instance Encryption Protector `[Microsoft.Sql/managedInstances/encryptionProtector]`
-
-This module deploys a SQL Managed Instance Encryption Protector.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Sql/managedInstances/encryptionProtector` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/encryptionProtector) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`serverKeyName`](#parameter-serverkeyname) | string | The name of the SQL managed instance key. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`managedInstanceName`](#parameter-managedinstancename) | string | The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`autoRotationEnabled`](#parameter-autorotationenabled) | bool | Key auto rotation opt-in flag. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`serverKeyType`](#parameter-serverkeytype) | string | The encryption protector type like "ServiceManaged", "AzureKeyVault". |
-
-### Parameter: `serverKeyName`
-
-The name of the SQL managed instance key.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `managedInstanceName`
-
-The name of the parent SQL managed instance. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `autoRotationEnabled`
-
-Key auto rotation opt-in flag.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `serverKeyType`
-
-The encryption protector type like "ServiceManaged", "AzureKeyVault".
-
-- Required: No
-- Type: string
-- Default: `'ServiceManaged'`
-- Allowed:
- ```Bicep
- [
- 'AzureKeyVault'
- 'ServiceManaged'
- ]
- ```
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed managed instance encryption protector. |
-| `resourceGroupName` | string | The resource group of the deployed managed instance encryption protector. |
-| `resourceId` | string | The resource ID of the deployed managed instance encryption protector. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/sql/managed-instance/encryption-protector/main.bicep b/modules/sql/managed-instance/encryption-protector/main.bicep
deleted file mode 100644
index 3ce435b710..0000000000
--- a/modules/sql/managed-instance/encryption-protector/main.bicep
+++ /dev/null
@@ -1,57 +0,0 @@
-metadata name = 'SQL Managed Instance Encryption Protector'
-metadata description = 'This module deploys a SQL Managed Instance Encryption Protector.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent SQL managed instance. Required if the template is used in a standalone deployment.')
-param managedInstanceName string
-
-@description('Required. The name of the SQL managed instance key.')
-param serverKeyName string
-
-@description('Optional. The encryption protector type like "ServiceManaged", "AzureKeyVault".')
-@allowed([
- 'AzureKeyVault'
- 'ServiceManaged'
-])
-param serverKeyType string = 'ServiceManaged'
-
-@description('Optional. Key auto rotation opt-in flag.')
-param autoRotationEnabled bool = false
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' existing = {
- name: managedInstanceName
-}
-
-resource encryptionProtector 'Microsoft.Sql/managedInstances/encryptionProtector@2022-05-01-preview' = {
- name: 'current'
- parent: managedInstance
- properties: {
- autoRotationEnabled: autoRotationEnabled
- serverKeyName: serverKeyName
- serverKeyType: serverKeyType
- }
-}
-
-@description('The name of the deployed managed instance encryption protector.')
-output name string = encryptionProtector.name
-
-@description('The resource ID of the deployed managed instance encryption protector.')
-output resourceId string = encryptionProtector.id
-
-@description('The resource group of the deployed managed instance encryption protector.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/sql/managed-instance/encryption-protector/main.json b/modules/sql/managed-instance/encryption-protector/main.json
deleted file mode 100644
index bf39b8f8bd..0000000000
--- a/modules/sql/managed-instance/encryption-protector/main.json
+++ /dev/null
@@ -1,102 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16033269094870106735" - }, - "name": "SQL Managed Instance Encryption Protector", - "description": "This module deploys a SQL Managed Instance Encryption Protector.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "managedInstanceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL managed instance. Required if the template is used in a standalone deployment." - } - }, - "serverKeyName": { - "type": "string", - "metadata": { - "description": "Required. The name of the SQL managed instance key." - } - }, - "serverKeyType": { - "type": "string", - "defaultValue": "ServiceManaged", - "allowedValues": [ - "AzureKeyVault", - "ServiceManaged" - ], - "metadata": { - "description": "Optional. The encryption protector type like \"ServiceManaged\", \"AzureKeyVault\"." - } - }, - "autoRotationEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Key auto rotation opt-in flag." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/managedInstances/encryptionProtector", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}', parameters('managedInstanceName'), 'current')]", - "properties": { - "autoRotationEnabled": "[parameters('autoRotationEnabled')]", - "serverKeyName": "[parameters('serverKeyName')]", - "serverKeyType": "[parameters('serverKeyType')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed managed instance encryption protector." - }, - "value": "current" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed managed instance encryption protector." - }, - "value": "[resourceId('Microsoft.Sql/managedInstances/encryptionProtector', parameters('managedInstanceName'), 'current')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed managed instance encryption protector." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/sql/managed-instance/encryption-protector/version.json b/modules/sql/managed-instance/encryption-protector/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/sql/managed-instance/encryption-protector/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/sql/managed-instance/key/README.md b/modules/sql/managed-instance/key/README.md
deleted file mode 100644
index 48c0a3fe3e..0000000000
--- a/modules/sql/managed-instance/key/README.md
+++ /dev/null
@@ -1,96 +0,0 @@
-# SQL Managed Instance Keys `[Microsoft.Sql/managedInstances/keys]`
-
-This module deploys a SQL Managed Instance Key.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Sql/managedInstances/keys` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/keys) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the key. Must follow the [__] pattern. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`managedInstanceName`](#parameter-managedinstancename) | string | The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`serverKeyType`](#parameter-serverkeytype) | string | The encryption protector type like "ServiceManaged", "AzureKeyVault". |
-| [`uri`](#parameter-uri) | string | The URI of the key. If the ServerKeyType is AzureKeyVault, then either the URI or the keyVaultName/keyName combination is required. |
-
-### Parameter: `name`
-
-The name of the key. Must follow the [__] pattern.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `managedInstanceName`
-
-The name of the parent SQL managed instance. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `serverKeyType`
-
-The encryption protector type like "ServiceManaged", "AzureKeyVault".
-
-- Required: No
-- Type: string
-- Default: `'ServiceManaged'`
-- Allowed:
- ```Bicep
- [
- 'AzureKeyVault'
- 'ServiceManaged'
- ]
- ```
-
-### Parameter: `uri`
-
-The URI of the key. If the ServerKeyType is AzureKeyVault, then either the URI or the keyVaultName/keyName combination is required.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed managed instance key. |
-| `resourceGroupName` | string | The resource group of the deployed managed instance key. |
-| `resourceId` | string | The resource ID of the deployed managed instance key. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/sql/managed-instance/key/main.bicep b/modules/sql/managed-instance/key/main.bicep
deleted file mode 100644
index dd9ac18a17..0000000000
--- a/modules/sql/managed-instance/key/main.bicep
+++ /dev/null
@@ -1,62 +0,0 @@
-metadata name = 'SQL Managed Instance Keys'
-metadata description = 'This module deploys a SQL Managed Instance Key.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the key. Must follow the [__] pattern.')
-param name string
-
-@description('Conditional. The name of the parent SQL managed instance. Required if the template is used in a standalone deployment.')
-param managedInstanceName string
-
-@description('Optional. The encryption protector type like "ServiceManaged", "AzureKeyVault".')
-@allowed([
- 'AzureKeyVault'
- 'ServiceManaged'
-])
-param serverKeyType string = 'ServiceManaged'
-
-@description('Optional. The URI of the key. If the ServerKeyType is AzureKeyVault, then either the URI or the keyVaultName/keyName combination is required.')
-param uri string = ''
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var splittedKeyUri = split(uri, '/')
-
-// if serverManaged, use serverManaged, if uri provided use concated uri value
-// MUST match the pattern '__'
-var serverKeyName = empty(uri) ? 'ServiceManaged' : '${split(splittedKeyUri[2], '.')[0]}_${splittedKeyUri[4]}_${splittedKeyUri[5]}'
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' existing = {
- name: managedInstanceName
-}
-
-resource key 'Microsoft.Sql/managedInstances/keys@2022-05-01-preview' = {
- name: !empty(name) ? name : serverKeyName
- parent: managedInstance
- properties: {
- serverKeyType: serverKeyType
- uri: uri
- }
-}
-
-@description('The name of the deployed managed instance key.')
-output name string = key.name
-
-@description('The resource ID of the deployed managed instance key.')
-output resourceId string = key.id
-
-@description('The resource group of the deployed managed instance key.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/sql/managed-instance/key/main.json b/modules/sql/managed-instance/key/main.json
deleted file mode 100644
index 4c3185af6a..0000000000
--- a/modules/sql/managed-instance/key/main.json
+++ /dev/null
@@ -1,105 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "7581585600933737681" - }, - "name": "SQL Managed Instance Keys", - "description": "This module deploys a SQL Managed Instance Key.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the key. Must follow the [__] pattern." - } - }, - "managedInstanceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL managed instance. Required if the template is used in a standalone deployment." - } - }, - "serverKeyType": { - "type": "string", - "defaultValue": "ServiceManaged", - "allowedValues": [ - "AzureKeyVault", - "ServiceManaged" - ], - "metadata": { - "description": "Optional. The encryption protector type like \"ServiceManaged\", \"AzureKeyVault\"." - } - }, - "uri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The URI of the key. If the ServerKeyType is AzureKeyVault, then either the URI or the keyVaultName/keyName combination is required." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "splittedKeyUri": "[split(parameters('uri'), '/')]", - "serverKeyName": "[if(empty(parameters('uri')), 'ServiceManaged', format('{0}_{1}_{2}', split(variables('splittedKeyUri')[2], '.')[0], variables('splittedKeyUri')[4], variables('splittedKeyUri')[5]))]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/managedInstances/keys", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}', parameters('managedInstanceName'), if(not(empty(parameters('name'))), parameters('name'), variables('serverKeyName')))]", - "properties": { - "serverKeyType": "[parameters('serverKeyType')]", - "uri": "[parameters('uri')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed managed instance key." - }, - "value": "[if(not(empty(parameters('name'))), parameters('name'), variables('serverKeyName'))]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed managed instance key." - }, - "value": "[resourceId('Microsoft.Sql/managedInstances/keys', parameters('managedInstanceName'), if(not(empty(parameters('name'))), parameters('name'), variables('serverKeyName')))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed managed instance key." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file 
diff --git a/modules/sql/managed-instance/key/version.json b/modules/sql/managed-instance/key/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/sql/managed-instance/key/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/sql/managed-instance/main.bicep b/modules/sql/managed-instance/main.bicep
deleted file mode 100644
index 955174b9e9..0000000000
--- a/modules/sql/managed-instance/main.bicep
+++ /dev/null
@@ -1,451 +0,0 @@ -metadata name = 'SQL Managed Instances' -metadata description = 'This module deploys a SQL Managed Instance.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. The name of the SQL managed instance.') -param name string - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Required. The username used to establish jumpbox VMs.') -param administratorLogin string - -@description('Required. The password given to the admin user.') -@secure() -param administratorLoginPassword string - -@description('Required. The fully qualified resource ID of the subnet on which the SQL managed instance will be placed.') -param subnetId string - -@description('Optional. The name of the SKU, typically, a letter + Number code, e.g. P3.') -param skuName string = 'GP_Gen5' - -@description('Optional. The tier or edition of the particular SKU, e.g. Basic, Premium.') -param skuTier string = 'GeneralPurpose' - -@description('Optional. Storage size in GB. Minimum value: 32. Maximum value: 8192. Increments of 32 GB allowed only.') -param storageSizeInGB int = 32 - -@description('Optional. The number of vCores. Allowed values: 8, 16, 24, 32, 40, 64, 80.') -param vCores int = 4 - -@description('Optional. The license type. Possible values are \'LicenseIncluded\' (regular price inclusive of a new SQL license) and \'BasePrice\' (discounted AHB price for bringing your own SQL licenses).') -@allowed([ - 'LicenseIncluded' - 'BasePrice' -]) -param licenseType string = 'LicenseIncluded' - -@description('Optional. If the service has different generations of hardware, for the same SKU, then that can be captured here.') -param hardwareFamily string = 'Gen5' - -@description('Optional. Whether or not multi-az is enabled.') -param zoneRedundant bool = false - -@description('Optional. Service principal type. If using AD Authentication and applying Admin, must be set to `SystemAssigned`. 
Then Global Admin must allow Reader access to Azure AD for the Service Principal.') -@allowed([ - 'None' - 'SystemAssigned' -]) -param servicePrincipal string = 'None' - -@description('Optional. Specifies the mode of database creation. Default: Regular instance creation. Restore: Creates an instance by restoring a set of backups to specific point in time. RestorePointInTime and SourceManagedInstanceId must be specified.') -@allowed([ - 'Default' - 'PointInTimeRestore' -]) -param managedInstanceCreateMode string = 'Default' - -@description('Optional. The resource ID of another managed instance whose DNS zone this managed instance will share after creation.') -param dnsZonePartner string = '' - -@description('Optional. Collation of the managed instance.') -param collation string = 'SQL_Latin1_General_CP1_CI_AS' - -@description('Optional. Connection type used for connecting to the instance.') -@allowed([ - 'Proxy' - 'Redirect' - 'Default' -]) -param proxyOverride string = 'Proxy' - -@description('Optional. Whether or not the public data endpoint is enabled.') -param publicDataEndpointEnabled bool = false - -@description('Optional. ID of the timezone. Allowed values are timezones supported by Windows.') -param timezoneId string = 'UTC' - -@description('Optional. The resource ID of the instance pool this managed server belongs to.') -param instancePoolResourceId string = '' - -@description('Optional. Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database.') -param restorePointInTime string = '' - -@description('Optional. The resource identifier of the source managed instance associated with create operation of this instance.') -param sourceManagedInstanceId string = '' - -@description('Optional. The diagnostic settings of the service.') -param diagnosticSettings diagnosticSettingType - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. 
Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. Tags of the resource.') -param tags object? - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. The managed identity definition for this resource.') -param managedIdentities managedIdentitiesType - -@description('Conditional. The resource ID of a user assigned identity to be used by default. Required if "userAssignedIdentities" is not empty.') -param primaryUserAssignedIdentityId string = '' - -@description('Optional. Databases to create in this server.') -param databases array = [] - -@description('Optional. The vulnerability assessment configuration.') -param vulnerabilityAssessmentsObj object = {} - -@description('Optional. The security alert policy configuration.') -param securityAlertPoliciesObj object = {} - -@description('Optional. The keys to configure.') -param keys array = [] - -@description('Optional. The encryption protection configuration.') -param encryptionProtectorObj object = {} - -@description('Optional. The administrator configuration.') -param administratorsObj object = {} - -@allowed([ - 'None' - '1.0' - '1.1' - '1.2' -]) -@description('Optional. Minimal TLS version allowed.') -param minimalTlsVersion string = '1.2' - -@description('Optional. The storage account type used to store backups for this database.') -@allowed([ - 'Geo' - 'GeoZone' - 'Local' - 'Zone' -]) -param requestedBackupStorageRedundancy string = 'Geo' - -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } - -var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 
'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) - userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null -} : null - -var enableReferencedModulesTelemetry = false - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'SQL DB Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'SQL Server Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437') - 'SqlDb Migration Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '189207d4-bb67-4208-a635-b06afe8b2c57') - 'SqlMI Migration Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d335eef-eee1-47fe-a9e0-53214eba8872') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if 
(enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' = { - name: name - location: location - identity: identity - sku: { - name: skuName - tier: skuTier - family: hardwareFamily - } - tags: tags - properties: { - managedInstanceCreateMode: managedInstanceCreateMode - administratorLogin: administratorLogin - administratorLoginPassword: administratorLoginPassword - subnetId: subnetId - licenseType: licenseType - vCores: vCores - storageSizeInGB: storageSizeInGB - collation: collation - dnsZonePartner: !empty(dnsZonePartner) ? dnsZonePartner : null - publicDataEndpointEnabled: publicDataEndpointEnabled - sourceManagedInstanceId: !empty(sourceManagedInstanceId) ? sourceManagedInstanceId : null - restorePointInTime: !empty(restorePointInTime) ? restorePointInTime : null - proxyOverride: proxyOverride - timezoneId: timezoneId - instancePoolId: !empty(instancePoolResourceId) ? instancePoolResourceId : null - primaryUserAssignedIdentityId: !empty(primaryUserAssignedIdentityId) ? primaryUserAssignedIdentityId : null - requestedBackupStorageRedundancy: requestedBackupStorageRedundancy - zoneRedundant: zoneRedundant - servicePrincipal: { - type: servicePrincipal - } - minimalTlsVersion: minimalTlsVersion - } -} - -resource managedInstance_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' 
- } - scope: managedInstance -} - -resource managedInstance_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { - name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' - properties: { - storageAccountId: diagnosticSetting.?storageAccountResourceId - workspaceId: diagnosticSetting.?workspaceResourceId - eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId - eventHubName: diagnosticSetting.?eventHubName - metrics: diagnosticSetting.?metricCategories ?? [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - } - ] - logs: diagnosticSetting.?logCategoriesAndGroups ?? [ - { - categoryGroup: 'AllLogs' - enabled: true - } - ] - marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId - logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType - } - scope: managedInstance -}] - -resource managedInstance_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(managedInstance.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? 
'2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: managedInstance -}] - -module managedInstance_databases 'database/main.bicep' = [for (database, index) in databases: { - name: '${uniqueString(deployment().name, location)}-SqlMi-DB-${index}' - params: { - name: database.name - managedInstanceName: managedInstance.name - catalogCollation: contains(database, 'catalogCollation') ? database.catalogCollation : 'SQL_Latin1_General_CP1_CI_AS' - collation: contains(database, 'collation') ? database.collation : 'SQL_Latin1_General_CP1_CI_AS' - createMode: contains(database, 'createMode') ? database.createMode : 'Default' - diagnosticSettings: database.?diagnosticSettings - location: contains(database, 'location') ? database.location : managedInstance.location - lock: database.?lock ?? lock - longTermRetentionBackupResourceId: contains(database, 'longTermRetentionBackupResourceId') ? database.longTermRetentionBackupResourceId : '' - recoverableDatabaseId: contains(database, 'recoverableDatabaseId') ? database.recoverableDatabaseId : '' - restorableDroppedDatabaseId: contains(database, 'restorableDroppedDatabaseId') ? database.restorableDroppedDatabaseId : '' - restorePointInTime: contains(database, 'restorePointInTime') ? database.restorePointInTime : '' - sourceDatabaseId: contains(database, 'sourceDatabaseId') ? database.sourceDatabaseId : '' - storageContainerSasToken: contains(database, 'storageContainerSasToken') ? database.storageContainerSasToken : '' - storageContainerUri: contains(database, 'storageContainerUri') ? database.storageContainerUri : '' - tags: database.?tags ?? tags - backupShortTermRetentionPoliciesObj: contains(database, 'backupShortTermRetentionPolicies') ? database.backupShortTermRetentionPolicies : {} - backupLongTermRetentionPoliciesObj: contains(database, 'backupLongTermRetentionPolicies') ? 
database.backupLongTermRetentionPolicies : {} - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -module managedInstance_securityAlertPolicy 'security-alert-policy/main.bicep' = if (!empty(securityAlertPoliciesObj)) { - name: '${uniqueString(deployment().name, location)}-SqlMi-SecAlertPol' - params: { - managedInstanceName: managedInstance.name - name: securityAlertPoliciesObj.name - emailAccountAdmins: contains(securityAlertPoliciesObj, 'emailAccountAdmins') ? securityAlertPoliciesObj.emailAccountAdmins : false - state: contains(securityAlertPoliciesObj, 'state') ? securityAlertPoliciesObj.state : 'Disabled' - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -} - -module managedInstance_vulnerabilityAssessment 'vulnerability-assessment/main.bicep' = if (!empty(vulnerabilityAssessmentsObj) && (managedIdentities.?systemAssigned ?? false)) { - name: '${uniqueString(deployment().name, location)}-SqlMi-VulnAssessm' - params: { - managedInstanceName: managedInstance.name - name: vulnerabilityAssessmentsObj.name - recurringScansEmails: contains(vulnerabilityAssessmentsObj, 'recurringScansEmails') ? vulnerabilityAssessmentsObj.recurringScansEmails : [] - recurringScansEmailSubscriptionAdmins: contains(vulnerabilityAssessmentsObj, 'recurringScansEmailSubscriptionAdmins') ? vulnerabilityAssessmentsObj.recurringScansEmailSubscriptionAdmins : false - recurringScansIsEnabled: contains(vulnerabilityAssessmentsObj, 'recurringScansIsEnabled') ? vulnerabilityAssessmentsObj.recurringScansIsEnabled : false - storageAccountResourceId: vulnerabilityAssessmentsObj.storageAccountResourceId - useStorageAccountAccessKey: contains(vulnerabilityAssessmentsObj, 'useStorageAccountAccessKey') ? vulnerabilityAssessmentsObj.useStorageAccountAccessKey : false - createStorageRoleAssignment: contains(vulnerabilityAssessmentsObj, 'createStorageRoleAssignment') ? 
vulnerabilityAssessmentsObj.createStorageRoleAssignment : true - enableDefaultTelemetry: enableReferencedModulesTelemetry - } - dependsOn: [ - managedInstance_securityAlertPolicy - ] -} - -module managedInstance_keys 'key/main.bicep' = [for (key, index) in keys: { - name: '${uniqueString(deployment().name, location)}-SqlMi-Key-${index}' - params: { - name: key.name - managedInstanceName: managedInstance.name - serverKeyType: contains(key, 'serverKeyType') ? key.serverKeyType : 'ServiceManaged' - uri: contains(key, 'uri') ? key.uri : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -module managedInstance_encryptionProtector 'encryption-protector/main.bicep' = if (!empty(encryptionProtectorObj)) { - name: '${uniqueString(deployment().name, location)}-SqlMi-EncryProtector' - params: { - managedInstanceName: managedInstance.name - serverKeyName: encryptionProtectorObj.serverKeyName - serverKeyType: contains(encryptionProtectorObj, 'serverKeyType') ? encryptionProtectorObj.serverKeyType : 'ServiceManaged' - autoRotationEnabled: contains(encryptionProtectorObj, 'autoRotationEnabled') ? encryptionProtectorObj.autoRotationEnabled : true - enableDefaultTelemetry: enableReferencedModulesTelemetry - } - dependsOn: [ - managedInstance_keys - ] -} - -module managedInstance_administrator 'administrator/main.bicep' = if (!empty(administratorsObj)) { - name: '${uniqueString(deployment().name, location)}-SqlMi-Admin' - params: { - managedInstanceName: managedInstance.name - login: administratorsObj.name - sid: administratorsObj.sid - tenantId: contains(administratorsObj, 'tenantId') ? 
administratorsObj.tenantId : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -} - -@description('The name of the deployed managed instance.') -output name string = managedInstance.name - -@description('The resource ID of the deployed managed instance.') -output resourceId string = managedInstance.id - -@description('The resource group of the deployed managed instance.') -output resourceGroupName string = resourceGroup().name - -@description('The principal ID of the system assigned identity.') -output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(managedInstance.identity, 'principalId') ? managedInstance.identity.principalId : '' - -@description('The location the resource was deployed into.') -output location string = managedInstance.location - -// =============== // -// Definitions // -// =============== // - -type managedIdentitiesType = { - @description('Optional. Enables system assigned managed identity on the resource.') - systemAssigned: bool? - - @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourceIds: string[]? -}? - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? 
- - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? - -type diagnosticSettingType = { - @description('Optional. The name of diagnostic setting.') - name: string? - - @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') - logCategoriesAndGroups: { - @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') - category: string? - - @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') - categoryGroup: string? - }[]? - - @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') - metricCategories: { - @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') - category: string - }[]? - - @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? - - @description('Optional. Resource ID of the diagnostic log analytics workspace. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - workspaceResourceId: string? - - @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - storageAccountResourceId: string? - - @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') - eventHubAuthorizationRuleResourceId: string? - - @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - eventHubName: string? - - @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') - marketplacePartnerResourceId: string? -}[]? diff --git a/modules/sql/managed-instance/main.json b/modules/sql/managed-instance/main.json deleted file mode 100644 index 01d4fc7e31..0000000000 --- a/modules/sql/managed-instance/main.json +++ /dev/null 
@@ -1,2137 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "3344803418636007926" - }, - "name": "SQL Managed Instances", - "description": "This module deploys a SQL Managed Instance.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." 
- } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the SQL managed instance." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "administratorLogin": { - "type": "string", - "metadata": { - "description": "Required. The username used to establish jumpbox VMs." - } - }, - "administratorLoginPassword": { - "type": "securestring", - "metadata": { - "description": "Required. The password given to the admin user." - } - }, - "subnetId": { - "type": "string", - "metadata": { - "description": "Required. The fully qualified resource ID of the subnet on which the SQL managed instance will be placed." - } - }, - "skuName": { - "type": "string", - "defaultValue": "GP_Gen5", - "metadata": { - "description": "Optional. The name of the SKU, typically, a letter + Number code, e.g. P3." - } - }, - "skuTier": { - "type": "string", - "defaultValue": "GeneralPurpose", - "metadata": { - "description": "Optional. The tier or edition of the particular SKU, e.g. Basic, Premium." 
- } - }, - "storageSizeInGB": { - "type": "int", - "defaultValue": 32, - "metadata": { - "description": "Optional. Storage size in GB. Minimum value: 32. Maximum value: 8192. Increments of 32 GB allowed only." - } - }, - "vCores": { - "type": "int", - "defaultValue": 4, - "metadata": { - "description": "Optional. The number of vCores. Allowed values: 8, 16, 24, 32, 40, 64, 80." - } - }, - "licenseType": { - "type": "string", - "defaultValue": "LicenseIncluded", - "allowedValues": [ - "LicenseIncluded", - "BasePrice" - ], - "metadata": { - "description": "Optional. The license type. Possible values are 'LicenseIncluded' (regular price inclusive of a new SQL license) and 'BasePrice' (discounted AHB price for bringing your own SQL licenses)." - } - }, - "hardwareFamily": { - "type": "string", - "defaultValue": "Gen5", - "metadata": { - "description": "Optional. If the service has different generations of hardware, for the same SKU, then that can be captured here." - } - }, - "zoneRedundant": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether or not multi-az is enabled." - } - }, - "servicePrincipal": { - "type": "string", - "defaultValue": "None", - "allowedValues": [ - "None", - "SystemAssigned" - ], - "metadata": { - "description": "Optional. Service principal type. If using AD Authentication and applying Admin, must be set to `SystemAssigned`. Then Global Admin must allow Reader access to Azure AD for the Service Principal." - } - }, - "managedInstanceCreateMode": { - "type": "string", - "defaultValue": "Default", - "allowedValues": [ - "Default", - "PointInTimeRestore" - ], - "metadata": { - "description": "Optional. Specifies the mode of database creation. Default: Regular instance creation. Restore: Creates an instance by restoring a set of backups to specific point in time. RestorePointInTime and SourceManagedInstanceId must be specified." 
- } - }, - "dnsZonePartner": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of another managed instance whose DNS zone this managed instance will share after creation." - } - }, - "collation": { - "type": "string", - "defaultValue": "SQL_Latin1_General_CP1_CI_AS", - "metadata": { - "description": "Optional. Collation of the managed instance." - } - }, - "proxyOverride": { - "type": "string", - "defaultValue": "Proxy", - "allowedValues": [ - "Proxy", - "Redirect", - "Default" - ], - "metadata": { - "description": "Optional. Connection type used for connecting to the instance." - } - }, - "publicDataEndpointEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether or not the public data endpoint is enabled." - } - }, - "timezoneId": { - "type": "string", - "defaultValue": "UTC", - "metadata": { - "description": "Optional. ID of the timezone. Allowed values are timezones supported by Windows." - } - }, - "instancePoolResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of the instance pool this managed server belongs to." - } - }, - "restorePointInTime": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database." - } - }, - "sourceManagedInstanceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource identifier of the source managed instance associated with create operation of this instance." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." 
- } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "primaryUserAssignedIdentityId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The resource ID of a user assigned identity to be used by default. Required if \"userAssignedIdentities\" is not empty." - } - }, - "databases": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Databases to create in this server." - } - }, - "vulnerabilityAssessmentsObj": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The vulnerability assessment configuration." - } - }, - "securityAlertPoliciesObj": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The security alert policy configuration." - } - }, - "keys": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The keys to configure." - } - }, - "encryptionProtectorObj": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The encryption protection configuration." - } - }, - "administratorsObj": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The administrator configuration." 
- } - }, - "minimalTlsVersion": { - "type": "string", - "defaultValue": "1.2", - "allowedValues": [ - "None", - "1.0", - "1.1", - "1.2" - ], - "metadata": { - "description": "Optional. Minimal TLS version allowed." - } - }, - "requestedBackupStorageRedundancy": { - "type": "string", - "defaultValue": "Geo", - "allowedValues": [ - "Geo", - "GeoZone", - "Local", - "Zone" - ], - "metadata": { - "description": "Optional. The storage account type used to store backups for this database." - } - } - }, - "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reservation Purchaser": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'f7b75c60-3036-4b75-91c3-6b41c27c1689')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "SQL DB Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "SQL Server Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", - "SqlDb Migration Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '189207d4-bb67-4208-a635-b06afe8b2c57')]", - "SqlMI Migration Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d335eef-eee1-47fe-a9e0-53214eba8872')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "managedInstance": { - "type": "Microsoft.Sql/managedInstances", - "apiVersion": "2022-05-01-preview", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "identity": "[variables('identity')]", - "sku": { - "name": "[parameters('skuName')]", - "tier": 
"[parameters('skuTier')]", - "family": "[parameters('hardwareFamily')]" - }, - "tags": "[parameters('tags')]", - "properties": { - "managedInstanceCreateMode": "[parameters('managedInstanceCreateMode')]", - "administratorLogin": "[parameters('administratorLogin')]", - "administratorLoginPassword": "[parameters('administratorLoginPassword')]", - "subnetId": "[parameters('subnetId')]", - "licenseType": "[parameters('licenseType')]", - "vCores": "[parameters('vCores')]", - "storageSizeInGB": "[parameters('storageSizeInGB')]", - "collation": "[parameters('collation')]", - "dnsZonePartner": "[if(not(empty(parameters('dnsZonePartner'))), parameters('dnsZonePartner'), null())]", - "publicDataEndpointEnabled": "[parameters('publicDataEndpointEnabled')]", - "sourceManagedInstanceId": "[if(not(empty(parameters('sourceManagedInstanceId'))), parameters('sourceManagedInstanceId'), null())]", - "restorePointInTime": "[if(not(empty(parameters('restorePointInTime'))), parameters('restorePointInTime'), null())]", - "proxyOverride": "[parameters('proxyOverride')]", - "timezoneId": "[parameters('timezoneId')]", - "instancePoolId": "[if(not(empty(parameters('instancePoolResourceId'))), parameters('instancePoolResourceId'), null())]", - "primaryUserAssignedIdentityId": "[if(not(empty(parameters('primaryUserAssignedIdentityId'))), parameters('primaryUserAssignedIdentityId'), null())]", - "requestedBackupStorageRedundancy": "[parameters('requestedBackupStorageRedundancy')]", - "zoneRedundant": "[parameters('zoneRedundant')]", - "servicePrincipal": { - "type": "[parameters('servicePrincipal')]" - }, - "minimalTlsVersion": "[parameters('minimalTlsVersion')]" - } - }, - "managedInstance_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Sql/managedInstances/{0}', parameters('name'))]", - 
"name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "managedInstance" - ] - }, - "managedInstance_diagnosticSettings": { - "copy": { - "name": "managedInstance_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Sql/managedInstances/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), 
createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "managedInstance" - ] - }, - "managedInstance_roleAssignments": { - "copy": { - "name": "managedInstance_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Sql/managedInstances/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Sql/managedInstances', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "managedInstance" - ] - }, - "managedInstance_databases": { - "copy": { - "name": "managedInstance_databases", - "count": "[length(parameters('databases'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-SqlMi-DB-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('databases')[copyIndex()].name]" - }, - "managedInstanceName": { - "value": "[parameters('name')]" - }, - "catalogCollation": "[if(contains(parameters('databases')[copyIndex()], 'catalogCollation'), createObject('value', parameters('databases')[copyIndex()].catalogCollation), createObject('value', 'SQL_Latin1_General_CP1_CI_AS'))]", - "collation": "[if(contains(parameters('databases')[copyIndex()], 'collation'), createObject('value', parameters('databases')[copyIndex()].collation), createObject('value', 'SQL_Latin1_General_CP1_CI_AS'))]", - "createMode": "[if(contains(parameters('databases')[copyIndex()], 'createMode'), createObject('value', parameters('databases')[copyIndex()].createMode), createObject('value', 'Default'))]", - "diagnosticSettings": { - "value": "[tryGet(parameters('databases')[copyIndex()], 'diagnosticSettings')]" - }, - "location": "[if(contains(parameters('databases')[copyIndex()], 'location'), createObject('value', parameters('databases')[copyIndex()].location), 
createObject('value', reference('managedInstance', '2022-05-01-preview', 'full').location))]", - "lock": { - "value": "[coalesce(tryGet(parameters('databases')[copyIndex()], 'lock'), parameters('lock'))]" - }, - "longTermRetentionBackupResourceId": "[if(contains(parameters('databases')[copyIndex()], 'longTermRetentionBackupResourceId'), createObject('value', parameters('databases')[copyIndex()].longTermRetentionBackupResourceId), createObject('value', ''))]", - "recoverableDatabaseId": "[if(contains(parameters('databases')[copyIndex()], 'recoverableDatabaseId'), createObject('value', parameters('databases')[copyIndex()].recoverableDatabaseId), createObject('value', ''))]", - "restorableDroppedDatabaseId": "[if(contains(parameters('databases')[copyIndex()], 'restorableDroppedDatabaseId'), createObject('value', parameters('databases')[copyIndex()].restorableDroppedDatabaseId), createObject('value', ''))]", - "restorePointInTime": "[if(contains(parameters('databases')[copyIndex()], 'restorePointInTime'), createObject('value', parameters('databases')[copyIndex()].restorePointInTime), createObject('value', ''))]", - "sourceDatabaseId": "[if(contains(parameters('databases')[copyIndex()], 'sourceDatabaseId'), createObject('value', parameters('databases')[copyIndex()].sourceDatabaseId), createObject('value', ''))]", - "storageContainerSasToken": "[if(contains(parameters('databases')[copyIndex()], 'storageContainerSasToken'), createObject('value', parameters('databases')[copyIndex()].storageContainerSasToken), createObject('value', ''))]", - "storageContainerUri": "[if(contains(parameters('databases')[copyIndex()], 'storageContainerUri'), createObject('value', parameters('databases')[copyIndex()].storageContainerUri), createObject('value', ''))]", - "tags": { - "value": "[coalesce(tryGet(parameters('databases')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "backupShortTermRetentionPoliciesObj": "[if(contains(parameters('databases')[copyIndex()], 
'backupShortTermRetentionPolicies'), createObject('value', parameters('databases')[copyIndex()].backupShortTermRetentionPolicies), createObject('value', createObject()))]", - "backupLongTermRetentionPoliciesObj": "[if(contains(parameters('databases')[copyIndex()], 'backupLongTermRetentionPolicies'), createObject('value', parameters('databases')[copyIndex()].backupLongTermRetentionPolicies), createObject('value', createObject()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4106645650177315472" - }, - "name": "SQL Managed Instance Databases", - "description": "This module deploys a SQL Managed Instance Database.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." 
- } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the SQL managed instance database." - } - }, - "managedInstanceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL managed instance. Required if the template is used in a standalone deployment." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "collation": { - "type": "string", - "defaultValue": "SQL_Latin1_General_CP1_CI_AS", - "metadata": { - "description": "Optional. Collation of the managed instance database." - } - }, - "catalogCollation": { - "type": "string", - "defaultValue": "SQL_Latin1_General_CP1_CI_AS", - "metadata": { - "description": "Optional. Collation of the managed instance." - } - }, - "createMode": { - "type": "string", - "defaultValue": "Default", - "allowedValues": [ - "Default", - "RestoreExternalBackup", - "PointInTimeRestore", - "Recovery", - "RestoreLongTermRetentionBackup" - ], - "metadata": { - "description": "Optional. Managed database create mode. PointInTimeRestore: Create a database by restoring a point in time backup of an existing database. SourceDatabaseName, SourceManagedInstanceName and PointInTime must be specified. RestoreExternalBackup: Create a database by restoring from external backup files. Collation, StorageContainerUri and StorageContainerSasToken must be specified. 
Recovery: Creates a database by restoring a geo-replicated backup. RecoverableDatabaseId must be specified as the recoverable database resource ID to restore. RestoreLongTermRetentionBackup: Create a database by restoring from a long term retention backup (longTermRetentionBackupResourceId required)." - } - }, - "sourceDatabaseId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The resource identifier of the source database associated with create operation of this database. Required if createMode is PointInTimeRestore." - } - }, - "restorePointInTime": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database. Required if createMode is PointInTimeRestore." - } - }, - "restorableDroppedDatabaseId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The restorable dropped database resource ID to restore when creating this database." - } - }, - "storageContainerUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. Specifies the uri of the storage container where backups for this restore are stored. Required if createMode is RestoreExternalBackup." - } - }, - "storageContainerSasToken": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. Specifies the storage container sas token. Required if createMode is RestoreExternalBackup." - } - }, - "recoverableDatabaseId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The resource identifier of the recoverable database associated with create operation of this database. Required if createMode is Recovery." - } - }, - "longTermRetentionBackupResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. 
The resource ID of the Long Term Retention backup to be used for restore of this managed database. Required if createMode is RestoreLongTermRetentionBackup." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "backupShortTermRetentionPoliciesObj": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The configuration for the backup short term retention policy definition." - } - }, - "backupLongTermRetentionPoliciesObj": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The configuration for the backup long term retention policy definition." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "managedInstance": { - "existing": true, - "type": "Microsoft.Sql/managedInstances", - "apiVersion": "2022-05-01-preview", - "name": "[parameters('managedInstanceName')]" - }, - "database": { - "type": "Microsoft.Sql/managedInstances/databases", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}', parameters('managedInstanceName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "collation": "[if(empty(parameters('collation')), null(), parameters('collation'))]", - "restorePointInTime": "[if(empty(parameters('restorePointInTime')), null(), parameters('restorePointInTime'))]", - "catalogCollation": "[if(empty(parameters('catalogCollation')), null(), parameters('catalogCollation'))]", - "createMode": "[if(empty(parameters('createMode')), null(), parameters('createMode'))]", - "storageContainerUri": "[if(empty(parameters('storageContainerUri')), null(), parameters('storageContainerUri'))]", - "sourceDatabaseId": "[if(empty(parameters('sourceDatabaseId')), null(), parameters('sourceDatabaseId'))]", - "restorableDroppedDatabaseId": "[if(empty(parameters('restorableDroppedDatabaseId')), null(), parameters('restorableDroppedDatabaseId'))]", - "storageContainerSasToken": "[if(empty(parameters('storageContainerSasToken')), null(), parameters('storageContainerSasToken'))]", - "recoverableDatabaseId": 
"[if(empty(parameters('recoverableDatabaseId')), null(), parameters('recoverableDatabaseId'))]", - "longTermRetentionBackupResourceId": "[if(empty(parameters('longTermRetentionBackupResourceId')), null(), parameters('longTermRetentionBackupResourceId'))]" - }, - "dependsOn": [ - "managedInstance" - ] - }, - "database_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Sql/managedInstances/{0}/databases/{1}', parameters('managedInstanceName'), parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "database" - ] - }, - "database_diagnosticSettings": { - "copy": { - "name": "database_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Sql/managedInstances/{0}/databases/{1}', parameters('managedInstanceName'), parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "database" - ] - }, - "database_backupShortTermRetentionPolicy": { - "condition": "[not(empty(parameters('backupShortTermRetentionPoliciesObj')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-BackupShortTRetPol', deployment().name)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "managedInstanceName": { - "value": "[parameters('managedInstanceName')]" - }, - "databaseName": { - "value": "[last(split(parameters('name'), '/'))]" - }, - "name": { - "value": "[parameters('backupShortTermRetentionPoliciesObj').name]" - }, - "retentionDays": "[if(contains(parameters('backupShortTermRetentionPoliciesObj'), 'retentionDays'), createObject('value', parameters('backupShortTermRetentionPoliciesObj').retentionDays), createObject('value', 35))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11209046177276627049" 
- }, - "name": "SQL Managed Instance Database Backup Short-Term Retention Policies", - "description": "This module deploys a SQL Managed Instance Database Backup Short-Term Retention Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Short Term Retention backup policy. For example \"default\"." - } - }, - "databaseName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL managed instance database. Required if the template is used in a standalone deployment." - } - }, - "managedInstanceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL managed instance. Required if the template is used in a standalone deployment." - } - }, - "retentionDays": { - "type": "int", - "defaultValue": 35, - "metadata": { - "description": "Optional. The backup retention period in days. This is how many days Point-in-Time Restore will be supported." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}/{2}', parameters('managedInstanceName'), parameters('databaseName'), parameters('name'))]", - "properties": { - "retentionDays": "[parameters('retentionDays')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed database backup short-term retention policy." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed database backup short-term retention policy." - }, - "value": "[resourceId('Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies', parameters('managedInstanceName'), parameters('databaseName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed database backup short-term retention policy." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "database" - ] - }, - "database_backupLongTermRetentionPolicy": { - "condition": "[not(empty(parameters('backupLongTermRetentionPoliciesObj')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-BackupLongTRetPol', deployment().name)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "managedInstanceName": { - "value": "[parameters('managedInstanceName')]" - }, - "databaseName": { - "value": "[last(split(parameters('name'), '/'))]" - }, - "name": { - "value": "[parameters('backupLongTermRetentionPoliciesObj').name]" - }, - "weekOfYear": "[if(contains(parameters('backupLongTermRetentionPoliciesObj'), 'weekOfYear'), createObject('value', parameters('backupLongTermRetentionPoliciesObj').weekOfYear), createObject('value', 5))]", - "weeklyRetention": "[if(contains(parameters('backupLongTermRetentionPoliciesObj'), 'weeklyRetention'), createObject('value', parameters('backupLongTermRetentionPoliciesObj').weeklyRetention), createObject('value', 'P1M'))]", - "monthlyRetention": "[if(contains(parameters('backupLongTermRetentionPoliciesObj'), 'monthlyRetention'), createObject('value', parameters('backupLongTermRetentionPoliciesObj').monthlyRetention), createObject('value', 'P1Y'))]", - "yearlyRetention": "[if(contains(parameters('backupLongTermRetentionPoliciesObj'), 'yearlyRetention'), createObject('value', parameters('backupLongTermRetentionPoliciesObj').yearlyRetention), createObject('value', 'P5Y'))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16019450329698749532" - }, - 
"name": "SQL Managed Instance Database Backup Long-Term Retention Policies", - "description": "This module deploys a SQL Managed Instance Database Backup Long-Term Retention Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Long Term Retention backup policy. For example \"default\"." - } - }, - "databaseName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent managed instance database. Required if the template is used in a standalone deployment." - } - }, - "managedInstanceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent managed instance. Required if the template is used in a standalone deployment." - } - }, - "weekOfYear": { - "type": "int", - "defaultValue": 5, - "metadata": { - "description": "Optional. The week of year to take the yearly backup in an ISO 8601 format." - } - }, - "weeklyRetention": { - "type": "string", - "defaultValue": "P1M", - "metadata": { - "description": "Optional. The weekly retention policy for an LTR backup in an ISO 8601 format." - } - }, - "monthlyRetention": { - "type": "string", - "defaultValue": "P1Y", - "metadata": { - "description": "Optional. The monthly retention policy for an LTR backup in an ISO 8601 format." - } - }, - "yearlyRetention": { - "type": "string", - "defaultValue": "P5Y", - "metadata": { - "description": "Optional. The yearly retention policy for an LTR backup in an ISO 8601 format." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}/{2}', parameters('managedInstanceName'), parameters('databaseName'), parameters('name'))]", - "properties": { - "monthlyRetention": "[parameters('monthlyRetention')]", - "weeklyRetention": "[parameters('weeklyRetention')]", - "weekOfYear": "[parameters('weekOfYear')]", - "yearlyRetention": "[parameters('yearlyRetention')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed database backup long-term retention policy." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed database backup long-term retention policy." - }, - "value": "[resourceId('Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies', parameters('managedInstanceName'), parameters('databaseName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed database backup long-term retention policy." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "database" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed database." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed database." - }, - "value": "[resourceId('Microsoft.Sql/managedInstances/databases', parameters('managedInstanceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the database was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('database', '2022-05-01-preview', 'full').location]" - } - } - } - }, - "dependsOn": [ - "managedInstance" - ] - }, - "managedInstance_securityAlertPolicy": { - "condition": "[not(empty(parameters('securityAlertPoliciesObj')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-SqlMi-SecAlertPol', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "managedInstanceName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('securityAlertPoliciesObj').name]" - }, - "emailAccountAdmins": "[if(contains(parameters('securityAlertPoliciesObj'), 'emailAccountAdmins'), createObject('value', parameters('securityAlertPoliciesObj').emailAccountAdmins), createObject('value', false()))]", - "state": "[if(contains(parameters('securityAlertPoliciesObj'), 'state'), createObject('value', parameters('securityAlertPoliciesObj').state), createObject('value', 'Disabled'))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": 
"0.23.1.45101", - "templateHash": "5872425656575904293" - }, - "name": "SQL Managed Instance Security Alert Policies", - "description": "This module deploys a SQL Managed Instance Security Alert Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the security alert policy." - } - }, - "managedInstanceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL managed instance. Required if the template is used in a standalone deployment." - } - }, - "state": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Enables advanced data security features, like recuring vulnerability assesment scans and ATP. If enabled, storage account must be provided." - } - }, - "emailAccountAdmins": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies that the schedule scan notification will be is sent to the subscription administrators." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/managedInstances/securityAlertPolicies", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}', parameters('managedInstanceName'), parameters('name'))]", - "properties": { - "state": "[parameters('state')]", - "emailAccountAdmins": "[parameters('emailAccountAdmins')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed security alert policy." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed security alert policy." - }, - "value": "[resourceId('Microsoft.Sql/managedInstances/securityAlertPolicies', parameters('managedInstanceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed security alert policy." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "managedInstance" - ] - }, - "managedInstance_vulnerabilityAssessment": { - "condition": "[and(not(empty(parameters('vulnerabilityAssessmentsObj'))), coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-SqlMi-VulnAssessm', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "managedInstanceName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('vulnerabilityAssessmentsObj').name]" - }, - "recurringScansEmails": "[if(contains(parameters('vulnerabilityAssessmentsObj'), 'recurringScansEmails'), createObject('value', parameters('vulnerabilityAssessmentsObj').recurringScansEmails), createObject('value', createArray()))]", - "recurringScansEmailSubscriptionAdmins": "[if(contains(parameters('vulnerabilityAssessmentsObj'), 'recurringScansEmailSubscriptionAdmins'), createObject('value', parameters('vulnerabilityAssessmentsObj').recurringScansEmailSubscriptionAdmins), createObject('value', false()))]", - "recurringScansIsEnabled": "[if(contains(parameters('vulnerabilityAssessmentsObj'), 'recurringScansIsEnabled'), createObject('value', parameters('vulnerabilityAssessmentsObj').recurringScansIsEnabled), createObject('value', false()))]", - "storageAccountResourceId": { - "value": "[parameters('vulnerabilityAssessmentsObj').storageAccountResourceId]" - }, - "useStorageAccountAccessKey": "[if(contains(parameters('vulnerabilityAssessmentsObj'), 'useStorageAccountAccessKey'), createObject('value', parameters('vulnerabilityAssessmentsObj').useStorageAccountAccessKey), createObject('value', false()))]", - "createStorageRoleAssignment": "[if(contains(parameters('vulnerabilityAssessmentsObj'), 'createStorageRoleAssignment'), 
createObject('value', parameters('vulnerabilityAssessmentsObj').createStorageRoleAssignment), createObject('value', true()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "8033336711737173681" - }, - "name": "SQL Managed Instance Vulnerability Assessments", - "description": "This module deploys a SQL Managed Instance Vulnerability Assessment.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the vulnerability assessment." - } - }, - "managedInstanceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL managed instance. Required if the template is used in a standalone deployment." - } - }, - "recurringScansIsEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Recurring scans state." - } - }, - "recurringScansEmailSubscriptionAdmins": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies that the schedule scan notification will be is sent to the subscription administrators." - } - }, - "recurringScansEmails": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specifies an array of email addresses to which the scan notification is sent." - } - }, - "storageAccountResourceId": { - "type": "string", - "metadata": { - "description": "Required. A blob storage to hold the scan results." - } - }, - "useStorageAccountAccessKey": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Use Access Key to access the storage account. 
The storage account cannot be behind a firewall or virtual network. If an access key is not used, the SQL MI system assigned managed identity must be assigned the Storage Blob Data Contributor role on the storage account." - } - }, - "createStorageRoleAssignment": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Create the Storage Blob Data Contributor role assignment on the storage account. Note, the role assignment must not already exist on the storage account." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/managedInstances/vulnerabilityAssessments", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}', parameters('managedInstanceName'), parameters('name'))]", - "properties": { - "storageContainerPath": "[format('https://{0}.blob.{1}/vulnerability-assessment/', last(split(parameters('storageAccountResourceId'), '/')), environment().suffixes.storage)]", - "storageAccountAccessKey": "[if(parameters('useStorageAccountAccessKey'), listKeys(parameters('storageAccountResourceId'), '2019-06-01').keys[0].value, null())]", - "recurringScans": { - "isEnabled": "[parameters('recurringScansIsEnabled')]", - "emailSubscriptionAdmins": "[parameters('recurringScansEmailSubscriptionAdmins')]", - "emails": "[parameters('recurringScansEmails')]" - } - } - }, - { - "condition": 
"[and(not(parameters('useStorageAccountAccessKey')), parameters('createStorageRoleAssignment'))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-sbdc-rbac', parameters('managedInstanceName'))]", - "resourceGroup": "[split(parameters('storageAccountResourceId'), '/')[4]]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "storageAccountName": { - "value": "[last(split(parameters('storageAccountResourceId'), '/'))]" - }, - "managedInstanceIdentityPrincipalId": { - "value": "[reference(resourceId('Microsoft.Sql/managedInstances', parameters('managedInstanceName')), '2022-05-01-preview', 'full').identity.principalId]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11127995627829971090" - } - }, - "parameters": { - "storageAccountName": { - "type": "string" - }, - "managedInstanceIdentityPrincipalId": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('storageAccountName'))]", - "name": "[guid(format('{0}-{1}-Storage-Blob-Data-Contributor', resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), parameters('managedInstanceIdentityPrincipalId')))]", - "properties": { - "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "principalId": "[parameters('managedInstanceIdentityPrincipalId')]", - "principalType": "ServicePrincipal" - } - } - ] - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed vulnerability assessment." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed vulnerability assessment." - }, - "value": "[resourceId('Microsoft.Sql/managedInstances/vulnerabilityAssessments', parameters('managedInstanceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed vulnerability assessment." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "managedInstance", - "managedInstance_securityAlertPolicy" - ] - }, - "managedInstance_keys": { - "copy": { - "name": "managedInstance_keys", - "count": "[length(parameters('keys'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-SqlMi-Key-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('keys')[copyIndex()].name]" - }, - "managedInstanceName": { - "value": "[parameters('name')]" - }, - "serverKeyType": "[if(contains(parameters('keys')[copyIndex()], 'serverKeyType'), createObject('value', parameters('keys')[copyIndex()].serverKeyType), createObject('value', 'ServiceManaged'))]", - "uri": "[if(contains(parameters('keys')[copyIndex()], 'uri'), createObject('value', parameters('keys')[copyIndex()].uri), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "7581585600933737681" - }, - "name": "SQL Managed Instance Keys", - "description": "This module deploys a SQL Managed Instance 
Key.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the key. Must follow the [__] pattern." - } - }, - "managedInstanceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL managed instance. Required if the template is used in a standalone deployment." - } - }, - "serverKeyType": { - "type": "string", - "defaultValue": "ServiceManaged", - "allowedValues": [ - "AzureKeyVault", - "ServiceManaged" - ], - "metadata": { - "description": "Optional. The encryption protector type like \"ServiceManaged\", \"AzureKeyVault\"." - } - }, - "uri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The URI of the key. If the ServerKeyType is AzureKeyVault, then either the URI or the keyVaultName/keyName combination is required." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "splittedKeyUri": "[split(parameters('uri'), '/')]", - "serverKeyName": "[if(empty(parameters('uri')), 'ServiceManaged', format('{0}_{1}_{2}', split(variables('splittedKeyUri')[2], '.')[0], variables('splittedKeyUri')[4], variables('splittedKeyUri')[5]))]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/managedInstances/keys", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}', parameters('managedInstanceName'), if(not(empty(parameters('name'))), parameters('name'), variables('serverKeyName')))]", - "properties": { - "serverKeyType": "[parameters('serverKeyType')]", - "uri": "[parameters('uri')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed managed instance key." - }, - "value": "[if(not(empty(parameters('name'))), parameters('name'), variables('serverKeyName'))]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed managed instance key." - }, - "value": "[resourceId('Microsoft.Sql/managedInstances/keys', parameters('managedInstanceName'), if(not(empty(parameters('name'))), parameters('name'), variables('serverKeyName')))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed managed instance key." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "managedInstance" - ] - }, - "managedInstance_encryptionProtector": { - "condition": "[not(empty(parameters('encryptionProtectorObj')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-SqlMi-EncryProtector', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "managedInstanceName": { - "value": "[parameters('name')]" - }, - "serverKeyName": { - "value": "[parameters('encryptionProtectorObj').serverKeyName]" - }, - "serverKeyType": "[if(contains(parameters('encryptionProtectorObj'), 'serverKeyType'), createObject('value', parameters('encryptionProtectorObj').serverKeyType), createObject('value', 'ServiceManaged'))]", - "autoRotationEnabled": "[if(contains(parameters('encryptionProtectorObj'), 'autoRotationEnabled'), createObject('value', parameters('encryptionProtectorObj').autoRotationEnabled), createObject('value', true()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16033269094870106735" - }, - "name": "SQL Managed Instance Encryption Protector", - "description": "This module deploys a SQL Managed Instance Encryption Protector.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "managedInstanceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL managed instance. Required if the template is used in a standalone deployment." - } - }, - "serverKeyName": { - "type": "string", - "metadata": { - "description": "Required. 
The name of the SQL managed instance key." - } - }, - "serverKeyType": { - "type": "string", - "defaultValue": "ServiceManaged", - "allowedValues": [ - "AzureKeyVault", - "ServiceManaged" - ], - "metadata": { - "description": "Optional. The encryption protector type like \"ServiceManaged\", \"AzureKeyVault\"." - } - }, - "autoRotationEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Key auto rotation opt-in flag." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/managedInstances/encryptionProtector", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}', parameters('managedInstanceName'), 'current')]", - "properties": { - "autoRotationEnabled": "[parameters('autoRotationEnabled')]", - "serverKeyName": "[parameters('serverKeyName')]", - "serverKeyType": "[parameters('serverKeyType')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed managed instance encryption protector." - }, - "value": "current" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed managed instance encryption protector." 
- }, - "value": "[resourceId('Microsoft.Sql/managedInstances/encryptionProtector', parameters('managedInstanceName'), 'current')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed managed instance encryption protector." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "managedInstance", - "managedInstance_keys" - ] - }, - "managedInstance_administrator": { - "condition": "[not(empty(parameters('administratorsObj')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-SqlMi-Admin', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "managedInstanceName": { - "value": "[parameters('name')]" - }, - "login": { - "value": "[parameters('administratorsObj').name]" - }, - "sid": { - "value": "[parameters('administratorsObj').sid]" - }, - "tenantId": "[if(contains(parameters('administratorsObj'), 'tenantId'), createObject('value', parameters('administratorsObj').tenantId), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13377515851590815602" - }, - "name": "SQL Managed Instances Administrator", - "description": "This module deploys a SQL Managed Instance Administrator.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "managedInstanceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL managed instance. Required if the template is used in a standalone deployment." 
- } - }, - "login": { - "type": "string", - "metadata": { - "description": "Required. Login name of the managed instance administrator." - } - }, - "sid": { - "type": "string", - "metadata": { - "description": "Required. SID (object ID) of the managed instance administrator." - } - }, - "tenantId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Tenant ID of the managed instance administrator." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/managedInstances/administrators", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}', parameters('managedInstanceName'), 'ActiveDirectory')]", - "properties": { - "administratorType": "ActiveDirectory", - "login": "[parameters('login')]", - "sid": "[parameters('sid')]", - "tenantId": "[parameters('tenantId')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed managed instance administrator." - }, - "value": "ActiveDirectory" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed managed instance administrator." 
- }, - "value": "[resourceId('Microsoft.Sql/managedInstances/administrators', parameters('managedInstanceName'), 'ActiveDirectory')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed managed instance administrator." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "managedInstance" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed managed instance." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed managed instance." - }, - "value": "[resourceId('Microsoft.Sql/managedInstances', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed managed instance." - }, - "value": "[resourceGroup().name]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('managedInstance', '2022-05-01-preview', 'full').identity, 'principalId')), reference('managedInstance', '2022-05-01-preview', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('managedInstance', '2022-05-01-preview', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/sql/managed-instance/security-alert-policy/README.md b/modules/sql/managed-instance/security-alert-policy/README.md deleted file mode 100644 index 30d21ff3a8..0000000000 --- a/modules/sql/managed-instance/security-alert-policy/README.md +++ /dev/null 
@@ -1,96 +0,0 @@
-# SQL Managed Instance Security Alert Policies `[Microsoft.Sql/managedInstances/securityAlertPolicies]`
-
-This module deploys a SQL Managed Instance Security Alert Policy.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Sql/managedInstances/securityAlertPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/securityAlertPolicies) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the security alert policy. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`managedInstanceName`](#parameter-managedinstancename) | string | The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`emailAccountAdmins`](#parameter-emailaccountadmins) | bool | Specifies that the schedule scan notification will be is sent to the subscription administrators. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`state`](#parameter-state) | string | Enables advanced data security features, like recuring vulnerability assesment scans and ATP. If enabled, storage account must be provided. |
-
-### Parameter: `name`
-
-The name of the security alert policy.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `managedInstanceName`
-
-The name of the parent SQL managed instance. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `emailAccountAdmins`
-
-Specifies that the schedule scan notification will be is sent to the subscription administrators.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `state`
-
-Enables advanced data security features, like recuring vulnerability assesment scans and ATP. If enabled, storage account must be provided.
-
-- Required: No
-- Type: string
-- Default: `'Disabled'`
-- Allowed:
- ```Bicep
- [
- 'Disabled'
- 'Enabled'
- ]
- ```
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed security alert policy. |
-| `resourceGroupName` | string | The resource group of the deployed security alert policy. |
-| `resourceId` | string | The resource ID of the deployed security alert policy. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/sql/managed-instance/security-alert-policy/main.bicep b/modules/sql/managed-instance/security-alert-policy/main.bicep
deleted file mode 100644
index a0e786183d..0000000000
--- a/modules/sql/managed-instance/security-alert-policy/main.bicep
+++ /dev/null
@@ -1,56 +0,0 @@
-metadata name = 'SQL Managed Instance Security Alert Policies'
-metadata description = 'This module deploys a SQL Managed Instance Security Alert Policy.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the security alert policy.')
-param name string
-
-@description('Conditional. The name of the parent SQL managed instance. Required if the template is used in a standalone deployment.')
-param managedInstanceName string
-
-@description('Optional. Enables advanced data security features, like recuring vulnerability assesment scans and ATP. If enabled, storage account must be provided.')
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-param state string = 'Disabled'
-
-@description('Optional. Specifies that the schedule scan notification will be is sent to the subscription administrators.')
-param emailAccountAdmins bool = false
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' existing = {
- name: managedInstanceName
-}
-
-resource securityAlertPolicy 'Microsoft.Sql/managedInstances/securityAlertPolicies@2022-05-01-preview' = {
- name: name
- parent: managedInstance
- properties: {
- state: state
- emailAccountAdmins: emailAccountAdmins
- }
-}
-
-@description('The name of the deployed security alert policy.')
-output name string = securityAlertPolicy.name
-
-@description('The resource ID of the deployed security alert policy.')
-output resourceId string = securityAlertPolicy.id
-
-@description('The resource group of the deployed security alert policy.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/sql/managed-instance/security-alert-policy/main.json b/modules/sql/managed-instance/security-alert-policy/main.json
deleted file mode 100644
index a18b716232..0000000000
--- a/modules/sql/managed-instance/security-alert-policy/main.json
+++ /dev/null
@@ -1,101 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "5872425656575904293" - }, - "name": "SQL Managed Instance Security Alert Policies", - "description": "This module deploys a SQL Managed Instance Security Alert Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the security alert policy." - } - }, - "managedInstanceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL managed instance. Required if the template is used in a standalone deployment." - } - }, - "state": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Enables advanced data security features, like recuring vulnerability assesment scans and ATP. If enabled, storage account must be provided." - } - }, - "emailAccountAdmins": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies that the schedule scan notification will be is sent to the subscription administrators." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/managedInstances/securityAlertPolicies", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}', parameters('managedInstanceName'), parameters('name'))]", - "properties": { - "state": "[parameters('state')]", - "emailAccountAdmins": "[parameters('emailAccountAdmins')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed security alert policy." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed security alert policy." - }, - "value": "[resourceId('Microsoft.Sql/managedInstances/securityAlertPolicies', parameters('managedInstanceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed security alert policy." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/sql/managed-instance/security-alert-policy/version.json b/modules/sql/managed-instance/security-alert-policy/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/sql/managed-instance/security-alert-policy/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/sql/managed-instance/tests/e2e/defaults/dependencies.bicep b/modules/sql/managed-instance/tests/e2e/defaults/dependencies.bicep
deleted file mode 100644
index b1f97e3ddf..0000000000
--- a/modules/sql/managed-instance/tests/e2e/defaults/dependencies.bicep
+++ /dev/null
@@ -1,288 +0,0 @@
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Network Security Group to create.')
-param networkSecurityGroupName string
-
-@description('Required. The name of the Route Table to create.')
-param routeTableName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-var addressPrefix = '10.0.0.0/16'
-var addressPrefixString = replace(replace(addressPrefix, '.', '-'), '/', '-')
-
-resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
- name: networkSecurityGroupName
- location: location
- properties: {
- securityRules: [
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-sqlmgmt-in-${addressPrefixString}-v10'
- properties: {
- description: 'Allow MI provisioning Control Plane Deployment and Authentication Service'
- protocol: 'Tcp'
- sourcePortRange: '*'
- sourceAddressPrefix: 'SqlManagement'
- destinationAddressPrefix: addressPrefix
- access: 'Allow'
- priority: 100
- direction: 'Inbound'
- destinationPortRanges: [
- '9000'
- '9003'
- '1438'
- '1440'
- '1452'
- ]
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-corpsaw-in-${addressPrefixString}-v10'
- properties: {
- description: 'Allow MI Supportability'
- protocol: 'Tcp'
- sourcePortRange: '*'
- sourceAddressPrefix: 'CorpNetSaw'
- destinationAddressPrefix: addressPrefix
- access: 'Allow'
- priority: 101
- direction: 'Inbound'
- destinationPortRanges: [
- '9000'
- '9003'
- '1440'
- ]
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-corppublic-in-${addressPrefixString}-v10'
- properties: {
- description: 'Allow MI Supportability through Corpnet ranges'
- protocol: 'Tcp'
- sourcePortRange: '*'
- sourceAddressPrefix: 'CorpNetPublic'
- destinationAddressPrefix: addressPrefix
- access: 'Allow'
- priority: 102
- direction: 'Inbound'
- destinationPortRanges: [
- '9000'
- '9003'
- ]
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-healthprobe-in-${addressPrefixString}-v10'
- properties: {
- description: 'Allow Azure Load Balancer inbound traffic'
- protocol: '*'
- sourcePortRange: '*'
- destinationPortRange: '*'
- sourceAddressPrefix: 'AzureLoadBalancer'
- destinationAddressPrefix: addressPrefix
- access: 'Allow'
- priority: 103
- direction: 'Inbound'
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-internal-in-${addressPrefixString}-v10'
- properties: {
- description: 'Allow MI internal inbound traffic'
- protocol: '*'
- sourcePortRange: '*'
- destinationPortRange: '*'
- sourceAddressPrefix: addressPrefix
- destinationAddressPrefix: addressPrefix
- access: 'Allow'
- priority: 104
- direction: 'Inbound'
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-services-out-${addressPrefixString}-v10'
- properties: {
- description: 'Allow MI services outbound traffic over https'
- protocol: 'Tcp'
- sourcePortRange: '*'
- sourceAddressPrefix: addressPrefix
- destinationAddressPrefix: 'AzureCloud'
- access: 'Allow'
- priority: 100
- direction: 'Outbound'
- destinationPortRanges: [
- '443'
- '12000'
- ]
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-internal-out-${addressPrefixString}-v10'
- properties: {
- description: 'Allow MI internal outbound traffic'
- protocol: '*'
- sourcePortRange: '*'
- destinationPortRange: '*'
- sourceAddressPrefix: addressPrefix
- destinationAddressPrefix: addressPrefix
- access: 'Allow'
- priority: 101
- direction: 'Outbound'
- }
- }
- ]
- }
-}
-
-resource routeTable 'Microsoft.Network/routeTables@2023-04-01' = {
- name: routeTableName
- location: location
- properties: {
- disableBgpRoutePropagation: false
- routes: [
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_subnet-${addressPrefixString}-to-vnetlocal'
- properties: {
- addressPrefix: addressPrefix
- nextHopType: 'VnetLocal'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-Storage'
- properties: {
- addressPrefix: 'Storage'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-SqlManagement'
- properties: {
- addressPrefix: 'SqlManagement'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureMonitor'
- properties: {
- addressPrefix: 'AzureMonitor'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-CorpNetSaw'
- properties: {
- addressPrefix: 'CorpNetSaw'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-CorpNetPublic'
- properties: {
- addressPrefix: 'CorpNetPublic'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureActiveDirectory'
- properties: {
- addressPrefix: 'AzureActiveDirectory'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureCloud.westeurope'
- properties: {
- addressPrefix: 'AzureCloud.westeurope'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureCloud.northeurope'
- properties: {
- addressPrefix: 'AzureCloud.northeurope'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-Storage.westeurope'
- properties: {
- addressPrefix: 'Storage.westeurope'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-Storage.northeurope'
- properties: {
- addressPrefix: 'Storage.northeurope'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-EventHub.westeurope'
- properties: {
- addressPrefix: 'EventHub.westeurope'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-EventHub.northeurope'
- properties: {
- addressPrefix: 'EventHub.northeurope'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- ]
- }
-}
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'ManagedInstance'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- routeTable: {
- id: routeTable.id
- }
- networkSecurityGroup: {
- id: networkSecurityGroup.id
- }
- delegations: [
- {
- name: 'managedInstanceDelegation'
- properties: {
- serviceName: 'Microsoft.Sql/managedInstances'
- }
- }
- ]
- }
- }
- ]
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
diff --git a/modules/sql/managed-instance/tests/e2e/defaults/main.test.bicep b/modules/sql/managed-instance/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index 80ccb391bc..0000000000
--- a/modules/sql/managed-instance/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,67 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-sql.managedinstances-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'sqlmimin'
-
-@description('Optional. The password to leverage for the login.')
-@secure()
-param password string = newGuid()
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- networkSecurityGroupName: 'dep-${namePrefix}-nsg-${serviceShort}'
- routeTableName: 'dep-${namePrefix}-rt-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}'
- administratorLogin: 'adminUserName'
- administratorLoginPassword: password
- subnetId: nestedDependencies.outputs.subnetResourceId
- }
-}]
diff --git a/modules/sql/managed-instance/tests/e2e/max/dependencies.bicep b/modules/sql/managed-instance/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index c4e9dfd575..0000000000
--- a/modules/sql/managed-instance/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,350 +0,0 @@
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Network Security Group to create.')
-param networkSecurityGroupName string
-
-@description('Required. The name of the Route Table to create.')
-param routeTableName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-var addressPrefix = '10.0.0.0/16'
-var addressPrefixString = replace(replace(addressPrefix, '.', '-'), '/', '-')
-
-resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
- name: networkSecurityGroupName
- location: location
- properties: {
- securityRules: [
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-sqlmgmt-in-${addressPrefixString}-v10'
- properties: {
- description: 'Allow MI provisioning Control Plane Deployment and Authentication Service'
- protocol: 'Tcp'
- sourcePortRange: '*'
- sourceAddressPrefix: 'SqlManagement'
- destinationAddressPrefix: addressPrefix
- access: 'Allow'
- priority: 100
- direction: 'Inbound'
- destinationPortRanges: [
- '9000'
- '9003'
- '1438'
- '1440'
- '1452'
- ]
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-corpsaw-in-${addressPrefixString}-v10'
- properties: {
- description: 'Allow MI Supportability'
- protocol: 'Tcp'
- sourcePortRange: '*'
- sourceAddressPrefix: 'CorpNetSaw'
- destinationAddressPrefix: addressPrefix
- access: 'Allow'
- priority: 101
- direction: 'Inbound'
- destinationPortRanges: [
- '9000'
- '9003'
- '1440'
- ]
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-corppublic-in-${addressPrefixString}-v10'
- properties: {
- description: 'Allow MI Supportability through Corpnet ranges'
- protocol: 'Tcp'
- sourcePortRange: '*'
- sourceAddressPrefix: 'CorpNetPublic'
- destinationAddressPrefix: addressPrefix
- access: 'Allow'
- priority: 102
- direction: 'Inbound'
- destinationPortRanges: [
- '9000'
- '9003'
- ]
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-healthprobe-in-${addressPrefixString}-v10'
- properties: {
- description: 'Allow Azure Load Balancer inbound traffic'
- protocol: '*'
- sourcePortRange: '*'
- destinationPortRange: '*'
- sourceAddressPrefix: 'AzureLoadBalancer'
- destinationAddressPrefix: addressPrefix
- access: 'Allow'
- priority: 103
- direction: 'Inbound'
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-internal-in-${addressPrefixString}-v10'
- properties: {
- description: 'Allow MI internal inbound traffic'
- protocol: '*'
- sourcePortRange: '*'
- destinationPortRange: '*'
- sourceAddressPrefix: addressPrefix
- destinationAddressPrefix: addressPrefix
- access: 'Allow'
- priority: 104
- direction: 'Inbound'
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-services-out-${addressPrefixString}-v10'
- properties: {
- description: 'Allow MI services outbound traffic over https'
- protocol: 'Tcp'
- sourcePortRange: '*'
- sourceAddressPrefix: addressPrefix
- destinationAddressPrefix: 'AzureCloud'
- access: 'Allow'
- priority: 100
- direction: 'Outbound'
- destinationPortRanges: [
- '443'
- '12000'
- ]
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-internal-out-${addressPrefixString}-v10'
- properties: {
- description: 'Allow MI internal outbound traffic'
- protocol: '*'
- sourcePortRange: '*'
- destinationPortRange: '*'
- sourceAddressPrefix: addressPrefix
- destinationAddressPrefix: addressPrefix
- access: 'Allow'
- priority: 101
- direction: 'Outbound'
- }
- }
- ]
- }
-}
-
-resource routeTable 'Microsoft.Network/routeTables@2023-04-01' = {
- name: routeTableName
- location: location
- properties: {
- disableBgpRoutePropagation: false
- routes: [
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_subnet-${addressPrefixString}-to-vnetlocal'
- properties: {
- addressPrefix: addressPrefix
- nextHopType: 'VnetLocal'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-Storage'
- properties: {
- addressPrefix: 'Storage'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-SqlManagement'
- properties: {
- addressPrefix: 'SqlManagement'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureMonitor'
- properties: {
- addressPrefix: 'AzureMonitor'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-CorpNetSaw'
- properties: {
- addressPrefix: 'CorpNetSaw'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-CorpNetPublic'
- properties: {
- addressPrefix: 'CorpNetPublic'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureActiveDirectory'
- properties: {
- addressPrefix: 'AzureActiveDirectory'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureCloud.westeurope'
- properties: {
- addressPrefix: 'AzureCloud.westeurope'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureCloud.northeurope'
- properties: {
- addressPrefix: 'AzureCloud.northeurope'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-Storage.westeurope'
- properties: {
- addressPrefix: 'Storage.westeurope'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-Storage.northeurope'
- properties: {
- addressPrefix: 'Storage.northeurope'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-EventHub.westeurope'
- properties: {
- addressPrefix: 'EventHub.westeurope'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-EventHub.northeurope'
- properties: {
- addressPrefix: 'EventHub.northeurope'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- ]
- }
-}
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'ManagedInstance'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- routeTable: {
- id: routeTable.id
- }
- networkSecurityGroup: {
- id: networkSecurityGroup.id
- }
- delegations: [
- {
- name: 'managedInstanceDelegation'
- properties: {
- serviceName: 'Microsoft.Sql/managedInstances'
- }
- }
- ]
- }
- }
- ]
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: true
- softDeleteRetentionInDays: 7
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-
- resource key 'keys@2022-07-01' = {
- name: 'keyEncryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-}
-
-resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment')
- scope: keyVault::key
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User
- principalType: 'ServicePrincipal'
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The URL of the created Key Vault Encryption Key.')
-output keyVaultEncryptionKeyUrl string = keyVault::key.properties.keyUriWithVersion
-
-@description('The name of the created Key Vault Encryption Key.')
-output keyVaultKeyName string = keyVault::key.name
-
-@description('The name of the created Key Vault.')
-output keyVaultName string = keyVault.name
diff --git a/modules/sql/managed-instance/tests/e2e/max/main.test.bicep b/modules/sql/managed-instance/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 62ecd613a7..0000000000
--- a/modules/sql/managed-instance/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,192 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-sql.managedinstances-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'sqlmimax'
-
-@description('Generated. Used as a basis for unique resource names.')
-param baseTime string = utcNow('u')
-
-@description('Optional. The password to leverage for the login.')
-@secure()
-param password string = newGuid()
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
- keyVaultName: 'dep${namePrefix}kv${serviceShort}${substring(uniqueString(baseTime), 0, 3)}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- networkSecurityGroupName: 'dep-${namePrefix}-nsg-${serviceShort}'
- routeTableName: 'dep-${namePrefix}-rt-${serviceShort}'
- location: location
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}azsa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}'
- administratorLogin: 'adminUserName'
- administratorLoginPassword: password
- subnetId: nestedDependencies.outputs.subnetResourceId
- collation: 'SQL_Latin1_General_CP1_CI_AS'
- databases: [
- {
- backupLongTermRetentionPolicies: {
- name: 'default'
- }
- backupShortTermRetentionPolicies: {
- name: 'default'
- }
- name: '${namePrefix}-${serviceShort}-db-001'
- diagnosticSettings: [
- {
- name: 'customSetting'
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- }
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- dnsZonePartner: ''
- encryptionProtectorObj: {
- serverKeyName: '${nestedDependencies.outputs.keyVaultName}_${nestedDependencies.outputs.keyVaultKeyName}_${last(split(nestedDependencies.outputs.keyVaultEncryptionKeyUrl, '/'))}'
- serverKeyType: 'AzureKeyVault'
- }
- hardwareFamily: 'Gen5'
- keys: [
- {
- name: '${nestedDependencies.outputs.keyVaultName}_${nestedDependencies.outputs.keyVaultKeyName}_${last(split(nestedDependencies.outputs.keyVaultEncryptionKeyUrl, '/'))}'
- serverKeyType: 'AzureKeyVault'
- uri: nestedDependencies.outputs.keyVaultEncryptionKeyUrl
- }
- ]
- licenseType: 'LicenseIncluded'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- primaryUserAssignedIdentityId: nestedDependencies.outputs.managedIdentityResourceId
- proxyOverride: 'Proxy'
- publicDataEndpointEnabled: false
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- securityAlertPoliciesObj: {
- emailAccountAdmins: true
- name: 'default'
- state: 'Enabled'
- }
- servicePrincipal: 'SystemAssigned'
- skuName: 'GP_Gen5'
- skuTier: 'GeneralPurpose'
- storageSizeInGB: 32
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- timezoneId: 'UTC'
- vCores: 4
- vulnerabilityAssessmentsObj: {
- emailSubscriptionAdmins: true
- name: 'default'
- recurringScansEmails: [
- 'test1@contoso.com'
- 'test2@contoso.com'
- ]
- recurringScansIsEnabled: true
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- }
-}]
diff --git a/modules/sql/managed-instance/tests/e2e/vulnAssm/dependencies.bicep b/modules/sql/managed-instance/tests/e2e/vulnAssm/dependencies.bicep
deleted file mode 100644
index d06ccfa76e..0000000000
--- a/modules/sql/managed-instance/tests/e2e/vulnAssm/dependencies.bicep
+++ /dev/null
@@ -1,386 +0,0 @@
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Network Security Group to create.')
-param networkSecurityGroupName string
-
-@description('Required. The name of the Route Table to create.')
-param routeTableName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-var addressPrefix = '10.0.0.0/16'
-var addressPrefixString = replace(replace(addressPrefix, '.', '-'), '/', '-')
-
-resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
- name: networkSecurityGroupName
- location: location
- properties: {
- securityRules: [
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-sqlmgmt-in-${addressPrefixString}-v10'
- properties: {
- description: 'Allow MI provisioning Control Plane Deployment and Authentication Service'
- protocol: 'Tcp'
- sourcePortRange: '*'
- sourceAddressPrefix: 'SqlManagement'
- destinationAddressPrefix: addressPrefix
- access: 'Allow'
- priority: 100
- direction: 'Inbound'
- destinationPortRanges: [
- '9000'
- '9003'
- '1438'
- '1440'
- '1452'
- ]
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-corpsaw-in-${addressPrefixString}-v10'
- properties: {
- description: 'Allow MI Supportability'
- protocol: 'Tcp'
- sourcePortRange: '*'
- sourceAddressPrefix: 'CorpNetSaw'
- destinationAddressPrefix: addressPrefix
- access: 'Allow'
- priority: 101
- direction: 'Inbound'
- destinationPortRanges: [
- '9000'
- '9003'
- '1440'
- ]
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-corppublic-in-${addressPrefixString}-v10'
- properties: {
- description: 'Allow MI Supportability through Corpnet ranges'
- protocol: 'Tcp'
- sourcePortRange: '*'
- sourceAddressPrefix: 'CorpNetPublic'
- destinationAddressPrefix: addressPrefix
- access: 'Allow'
- priority: 102
- direction: 'Inbound'
- destinationPortRanges: [
- '9000'
- '9003'
- ]
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-healthprobe-in-${addressPrefixString}-v10'
- properties: {
- description: 'Allow Azure Load Balancer inbound traffic'
- protocol: '*'
- sourcePortRange: '*'
- destinationPortRange: '*'
- sourceAddressPrefix: 'AzureLoadBalancer'
- destinationAddressPrefix: addressPrefix
- access: 'Allow'
- priority: 103
- direction: 'Inbound'
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-internal-in-${addressPrefixString}-v10'
- properties: {
- description: 'Allow MI internal inbound traffic'
- protocol: '*'
- sourcePortRange: '*'
- destinationPortRange: '*'
- sourceAddressPrefix: addressPrefix
- destinationAddressPrefix: addressPrefix
- access: 'Allow'
- priority: 104
- direction: 'Inbound'
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-aad-out-${addressPrefixString}-v11'
- properties: {
- description: 'Allow communication with Azure Active Directory over https'
- protocol: 'Tcp'
- sourcePortRange: '*'
- destinationPortRange: '443'
- sourceAddressPrefix: addressPrefix
- destinationAddressPrefix: 'AzureActiveDirectory'
- access: 'Allow'
- priority: 101
- direction: 'Outbound'
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-onedsc-out-${addressPrefixString}-v11'
- properties: {
- description: 'Allow communication with the One DS Collector over https'
- protocol: 'Tcp'
- sourcePortRange: '*'
- destinationPortRange: '443'
- sourceAddressPrefix: addressPrefix
- destinationAddressPrefix: 'OneDsCollector'
- access: 'Allow'
- priority: 102
- direction: 'Outbound'
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-services-out-${addressPrefixString}-v10'
- properties: {
- description: 'Allow MI services outbound traffic over https'
- protocol: 'Tcp'
- sourcePortRange: '*'
- sourceAddressPrefix: addressPrefix
- destinationAddressPrefix: 'AzureCloud'
- access: 'Allow'
- priority: 100
- direction: 'Outbound'
- destinationPortRanges: [
- '443'
- '12000'
- ]
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-internal-out-${addressPrefixString}-v10'
- properties: {
- description: 'Allow MI internal outbound traffic'
- protocol: '*'
- sourcePortRange: '*'
- destinationPortRange: '*'
- sourceAddressPrefix: addressPrefix
- destinationAddressPrefix: addressPrefix
- access: 'Allow'
- priority: 103
- direction: 'Outbound'
- }
- }
- {
- name: 'mi-strg-p-out-${addressPrefixString}-v11'
- properties: {
- description: 'Allow outbound communication with storage over HTTPS'
- protocol: '*'
- sourcePortRange: '*'
- destinationPortRange: '443'
- sourceAddressPrefix: addressPrefix
- destinationAddressPrefix: 'Storage.eastus'
- access: 'Allow'
- priority: 104
- direction: 'Outbound'
- }
- }
- {
- name: 'mi-strg-s-out-${addressPrefixString}-v11'
- properties: {
- description: 'Allow outbound communication with storage over HTTPS'
- protocol: '*'
- sourcePortRange: '*'
- destinationPortRange: '443'
- sourceAddressPrefix: addressPrefix
- destinationAddressPrefix: 'Storage.westus'
- access: 'Allow'
- priority: 105
- direction: 'Outbound'
- }
- }
- ]
- }
-}
-
-resource routeTable 'Microsoft.Network/routeTables@2023-04-01' = {
- name: routeTableName
- location: location
- properties: {
- disableBgpRoutePropagation: false
- routes: [
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_subnet-${addressPrefixString}-to-vnetlocal'
- properties: {
- addressPrefix: addressPrefix
- nextHopType: 'VnetLocal'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-Storage'
- properties: {
- addressPrefix: 'Storage'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-Storage.eastus'
- properties: {
- addressPrefix: 'Storage.eastus'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-Storage.westus'
- properties: {
- addressPrefix: 'Storage.westus'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-SqlManagement'
- properties: {
- addressPrefix: 'SqlManagement'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureMonitor'
- properties: {
- addressPrefix: 'AzureMonitor'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-CorpNetSaw'
- properties: {
- addressPrefix: 'CorpNetSaw'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-CorpNetPublic'
- properties: {
- addressPrefix: 'CorpNetPublic'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureActiveDirectory'
- properties: {
- addressPrefix: 'AzureActiveDirectory'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-OneDsCollector'
- properties: {
- addressPrefix: 'OneDsCollector'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureCloud.westeurope'
- properties: {
- addressPrefix: 'AzureCloud.westeurope'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureCloud.northeurope'
- properties: {
- addressPrefix: 'AzureCloud.northeurope'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-Storage.westeurope'
- properties: {
- addressPrefix: 'Storage.westeurope'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-Storage.northeurope'
- properties: {
- addressPrefix: 'Storage.northeurope'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-EventHub.westeurope'
- properties: {
- addressPrefix: 'EventHub.westeurope'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-EventHub.northeurope'
- properties: {
- addressPrefix: 'EventHub.northeurope'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- ]
- }
-}
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'ManagedInstance'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- routeTable: {
- id: routeTable.id
- }
- networkSecurityGroup: {
- id: networkSecurityGroup.id
- }
- delegations: [
- {
- name: 'managedInstanceDelegation'
- properties: {
- serviceName: 'Microsoft.Sql/managedInstances'
- }
- }
- ]
- }
- }
- ]
- }
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-08-01' = {
- name: storageAccountName
- location: location
- kind: 'StorageV2'
- sku: {
- name: 'Standard_LRS'
- }
- properties: {
- allowBlobPublicAccess: false
- }
-}
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
diff --git a/modules/sql/managed-instance/tests/e2e/vulnAssm/main.test.bicep b/modules/sql/managed-instance/tests/e2e/vulnAssm/main.test.bicep
deleted file mode 100644
index b93e5f73ec..0000000000
--- a/modules/sql/managed-instance/tests/e2e/vulnAssm/main.test.bicep
+++ /dev/null
@@ -1,90 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-sql.managedinstances-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'sqlmivln'
-
-@description('Optional. The password to leverage for the login.')
-@secure()
-param password string = newGuid()
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- networkSecurityGroupName: 'dep-${namePrefix}-nsg-${serviceShort}'
- routeTableName: 'dep-${namePrefix}-rt-${serviceShort}'
- location: location
- storageAccountName: 'dep${namePrefix}sa${serviceShort}01'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}'
- administratorLogin: 'adminUserName'
- administratorLoginPassword: password
- subnetId: nestedDependencies.outputs.subnetResourceId
- managedIdentities: {
- systemAssigned: true
- }
- securityAlertPoliciesObj: {
- emailAccountAdmins: true
- name: 'default'
- state: 'Enabled'
- }
- vulnerabilityAssessmentsObj: {
- emailSubscriptionAdmins: true
- name: 'default'
- recurringScansEmails: [
- 'test1@contoso.com'
- 'test2@contoso.com'
- ]
- recurringScansIsEnabled: true
- storageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
- useStorageAccountAccessKey: false
- createStorageRoleAssignment: true
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- }
-}]
diff --git a/modules/sql/managed-instance/tests/e2e/waf-aligned/dependencies.bicep b/modules/sql/managed-instance/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index c4e9dfd575..0000000000
--- a/modules/sql/managed-instance/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,350 +0,0 @@
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Network Security Group to create.')
-param networkSecurityGroupName string
-
-@description('Required. The name of the Route Table to create.')
-param routeTableName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-var addressPrefix = '10.0.0.0/16'
-var addressPrefixString = replace(replace(addressPrefix, '.', '-'), '/', '-')
-
-resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
- name: networkSecurityGroupName
- location: location
- properties: {
- securityRules: [
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-sqlmgmt-in-${addressPrefixString}-v10'
- properties: {
- description: 'Allow MI provisioning Control Plane Deployment and Authentication Service'
- protocol: 'Tcp'
- sourcePortRange: '*'
- sourceAddressPrefix: 'SqlManagement'
- destinationAddressPrefix: addressPrefix
- access: 'Allow'
- priority: 100
- direction: 'Inbound'
- destinationPortRanges: [
- '9000'
- '9003'
- '1438'
- '1440'
- '1452'
- ]
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-corpsaw-in-${addressPrefixString}-v10'
- properties: {
- description: 'Allow MI Supportability'
- protocol: 'Tcp'
- sourcePortRange: '*'
- sourceAddressPrefix: 'CorpNetSaw'
- destinationAddressPrefix: addressPrefix
- access: 'Allow'
- priority: 101
- direction: 'Inbound'
- destinationPortRanges: [
- '9000'
- '9003'
- '1440'
- ]
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-corppublic-in-${addressPrefixString}-v10'
- properties: {
- description: 'Allow MI Supportability through Corpnet ranges'
- protocol: 'Tcp'
- sourcePortRange: '*'
- sourceAddressPrefix: 'CorpNetPublic'
- destinationAddressPrefix: addressPrefix
- access: 'Allow'
- priority: 102
- direction: 'Inbound'
- destinationPortRanges: [
- '9000'
- '9003'
- ]
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-healthprobe-in-${addressPrefixString}-v10'
- properties: {
- description: 'Allow Azure Load Balancer inbound traffic'
- protocol: '*'
- sourcePortRange: '*'
- destinationPortRange: '*'
- sourceAddressPrefix: 'AzureLoadBalancer'
- destinationAddressPrefix: addressPrefix
- access: 'Allow'
- priority: 103
- direction: 'Inbound'
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-internal-in-${addressPrefixString}-v10'
- properties: {
- description: 'Allow MI internal inbound traffic'
- protocol: '*'
- sourcePortRange: '*'
- destinationPortRange: '*'
- sourceAddressPrefix: addressPrefix
- destinationAddressPrefix: addressPrefix
- access: 'Allow'
- priority: 104
- direction: 'Inbound'
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-services-out-${addressPrefixString}-v10'
- properties: {
- description: 'Allow MI services outbound traffic over https'
- protocol: 'Tcp'
- sourcePortRange: '*'
- sourceAddressPrefix: addressPrefix
- destinationAddressPrefix: 'AzureCloud'
- access: 'Allow'
- priority: 100
- direction: 'Outbound'
- destinationPortRanges: [
- '443'
- '12000'
- ]
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-internal-out-${addressPrefixString}-v10'
- properties: {
- description: 'Allow MI internal outbound traffic'
- protocol: '*'
- sourcePortRange: '*'
- destinationPortRange: '*'
- sourceAddressPrefix: addressPrefix
- destinationAddressPrefix: addressPrefix
- access: 'Allow'
- priority: 101
- direction: 'Outbound'
- }
- }
- ]
- }
-}
-
-resource routeTable 'Microsoft.Network/routeTables@2023-04-01' = {
- name: routeTableName
- location: location
- properties: {
- disableBgpRoutePropagation: false
- routes: [
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_subnet-${addressPrefixString}-to-vnetlocal'
- properties: {
- addressPrefix: addressPrefix
- nextHopType: 'VnetLocal'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-Storage'
- properties: {
- addressPrefix: 'Storage'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-SqlManagement'
- properties: {
- addressPrefix: 'SqlManagement'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureMonitor'
- properties: {
- addressPrefix: 'AzureMonitor'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-CorpNetSaw'
- properties: {
- addressPrefix: 'CorpNetSaw'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-CorpNetPublic'
- properties: {
- addressPrefix: 'CorpNetPublic'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureActiveDirectory'
- properties: {
- addressPrefix: 'AzureActiveDirectory'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureCloud.westeurope'
- properties: {
- addressPrefix: 'AzureCloud.westeurope'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureCloud.northeurope'
- properties: {
- addressPrefix: 'AzureCloud.northeurope'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-Storage.westeurope'
- properties: {
- addressPrefix: 'Storage.westeurope'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-Storage.northeurope'
- properties: {
- addressPrefix: 'Storage.northeurope'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-EventHub.westeurope'
- properties: {
- addressPrefix: 'EventHub.westeurope'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- {
- name: 'Microsoft.Sql-managedInstances_UseOnly_mi-EventHub.northeurope'
- properties: {
- addressPrefix: 'EventHub.northeurope'
- nextHopType: 'Internet'
- hasBgpOverride: false
- }
- }
- ]
- }
-}
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'ManagedInstance'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- routeTable: {
- id: routeTable.id
- }
- networkSecurityGroup: {
- id: networkSecurityGroup.id
- }
- delegations: [
- {
- name: 'managedInstanceDelegation'
- properties: {
- serviceName: 'Microsoft.Sql/managedInstances'
- }
- }
- ]
- }
- }
- ]
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: true
- softDeleteRetentionInDays: 7
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-
- resource key 'keys@2022-07-01' = {
- name: 'keyEncryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-}
-
-resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment')
- scope: keyVault::key
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User
- principalType: 'ServicePrincipal'
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The URL of the created Key Vault Encryption Key.')
-output keyVaultEncryptionKeyUrl string = keyVault::key.properties.keyUriWithVersion
-
-@description('The name of the created Key Vault Encryption Key.')
-output keyVaultKeyName string = keyVault::key.name
-
-@description('The name of the created Key Vault.')
-output keyVaultName string = keyVault.name
diff --git a/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep b/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 9f69895001..0000000000
--- a/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,175 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-sql.managedinstances-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'sqlmiwaf'
-
-@description('Generated. Used as a basis for unique resource names.')
-param baseTime string = utcNow('u')
-
-@description('Optional. The password to leverage for the login.')
-@secure()
-param password string = newGuid()
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
- keyVaultName: 'dep${namePrefix}kv${serviceShort}${substring(uniqueString(baseTime), 0, 3)}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- networkSecurityGroupName: 'dep-${namePrefix}-nsg-${serviceShort}'
- routeTableName: 'dep-${namePrefix}-rt-${serviceShort}'
- location: location
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}azsa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}'
- administratorLogin: 'adminUserName'
- administratorLoginPassword: password
- subnetId: nestedDependencies.outputs.subnetResourceId
- collation: 'SQL_Latin1_General_CP1_CI_AS'
- databases: [
- {
- backupLongTermRetentionPolicies: {
- name: 'default'
- }
- backupShortTermRetentionPolicies: {
- name: 'default'
- }
- name: '${namePrefix}-${serviceShort}-db-001'
- diagnosticSettings: [
- {
- name: 'customSetting'
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- }
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- dnsZonePartner: ''
- encryptionProtectorObj: {
- serverKeyName: '${nestedDependencies.outputs.keyVaultName}_${nestedDependencies.outputs.keyVaultKeyName}_${last(split(nestedDependencies.outputs.keyVaultEncryptionKeyUrl, '/'))}'
- serverKeyType: 'AzureKeyVault'
- }
- hardwareFamily: 'Gen5'
- keys: [
- {
- name: '${nestedDependencies.outputs.keyVaultName}_${nestedDependencies.outputs.keyVaultKeyName}_${last(split(nestedDependencies.outputs.keyVaultEncryptionKeyUrl, '/'))}'
- serverKeyType: 'AzureKeyVault'
- uri: nestedDependencies.outputs.keyVaultEncryptionKeyUrl
- }
- ]
- licenseType: 'LicenseIncluded'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- primaryUserAssignedIdentityId: nestedDependencies.outputs.managedIdentityResourceId
- proxyOverride: 'Proxy'
- publicDataEndpointEnabled: false
- securityAlertPoliciesObj: {
- emailAccountAdmins: true
- name: 'default'
- state: 'Enabled'
- }
- servicePrincipal: 'SystemAssigned'
- skuName: 'GP_Gen5'
- skuTier: 'GeneralPurpose'
- storageSizeInGB: 32
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- timezoneId: 'UTC'
- vCores: 4
- vulnerabilityAssessmentsObj: {
- emailSubscriptionAdmins: true
- name: 'default'
- recurringScansEmails: [
- 'test1@contoso.com'
- 'test2@contoso.com'
- ]
- recurringScansIsEnabled: true
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- }
-}]
diff --git a/modules/sql/managed-instance/version.json b/modules/sql/managed-instance/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/sql/managed-instance/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/sql/managed-instance/vulnerability-assessment/README.md b/modules/sql/managed-instance/vulnerability-assessment/README.md
deleted file mode 100644
index a231617216..0000000000
--- a/modules/sql/managed-instance/vulnerability-assessment/README.md
+++ /dev/null
@@ -1,125 +0,0 @@
-# SQL Managed Instance Vulnerability Assessments `[Microsoft.Sql/managedInstances/vulnerabilityAssessments]`
-
-This module deploys a SQL Managed Instance Vulnerability Assessment.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
-| `Microsoft.Sql/managedInstances/vulnerabilityAssessments` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/vulnerabilityAssessments) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the vulnerability assessment. |
-| [`storageAccountResourceId`](#parameter-storageaccountresourceid) | string | A blob storage to hold the scan results. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`managedInstanceName`](#parameter-managedinstancename) | string | The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`createStorageRoleAssignment`](#parameter-createstorageroleassignment) | bool | Create the Storage Blob Data Contributor role assignment on the storage account. Note, the role assignment must not already exist on the storage account. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`recurringScansEmails`](#parameter-recurringscansemails) | array | Specifies an array of email addresses to which the scan notification is sent. |
-| [`recurringScansEmailSubscriptionAdmins`](#parameter-recurringscansemailsubscriptionadmins) | bool | Specifies that the schedule scan notification will be is sent to the subscription administrators. |
-| [`recurringScansIsEnabled`](#parameter-recurringscansisenabled) | bool | Recurring scans state. |
-| [`useStorageAccountAccessKey`](#parameter-usestorageaccountaccesskey) | bool | Use Access Key to access the storage account. The storage account cannot be behind a firewall or virtual network. If an access key is not used, the SQL MI system assigned managed identity must be assigned the Storage Blob Data Contributor role on the storage account. |
-
-### Parameter: `name`
-
-The name of the vulnerability assessment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `storageAccountResourceId`
-
-A blob storage to hold the scan results.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `managedInstanceName`
-
-The name of the parent SQL managed instance. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `createStorageRoleAssignment`
-
-Create the Storage Blob Data Contributor role assignment on the storage account. Note, the role assignment must not already exist on the storage account.
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `recurringScansEmails`
-
-Specifies an array of email addresses to which the scan notification is sent.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `recurringScansEmailSubscriptionAdmins`
-
-Specifies that the schedule scan notification will be is sent to the subscription administrators.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `recurringScansIsEnabled`
-
-Recurring scans state.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `useStorageAccountAccessKey`
-
-Use Access Key to access the storage account. The storage account cannot be behind a firewall or virtual network. If an access key is not used, the SQL MI system assigned managed identity must be assigned the Storage Blob Data Contributor role on the storage account.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed vulnerability assessment. |
-| `resourceGroupName` | string | The resource group of the deployed vulnerability assessment. |
-| `resourceId` | string | The resource ID of the deployed vulnerability assessment. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/sql/managed-instance/vulnerability-assessment/main.bicep b/modules/sql/managed-instance/vulnerability-assessment/main.bicep
deleted file mode 100644
index 81cc946945..0000000000
--- a/modules/sql/managed-instance/vulnerability-assessment/main.bicep
+++ /dev/null
@@ -1,79 +0,0 @@
-metadata name = 'SQL Managed Instance Vulnerability Assessments'
-metadata description = 'This module deploys a SQL Managed Instance Vulnerability Assessment.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the vulnerability assessment.')
-param name string
-
-@description('Conditional. The name of the parent SQL managed instance. Required if the template is used in a standalone deployment.')
-param managedInstanceName string
-
-@description('Optional. Recurring scans state.')
-param recurringScansIsEnabled bool = false
-
-@description('Optional. Specifies that the schedule scan notification will be is sent to the subscription administrators.')
-param recurringScansEmailSubscriptionAdmins bool = false
-
-@description('Optional. Specifies an array of email addresses to which the scan notification is sent.')
-param recurringScansEmails array = []
-
-@description('Required. A blob storage to hold the scan results.')
-param storageAccountResourceId string
-
-@description('Optional. Use Access Key to access the storage account. The storage account cannot be behind a firewall or virtual network. If an access key is not used, the SQL MI system assigned managed identity must be assigned the Storage Blob Data Contributor role on the storage account.')
-param useStorageAccountAccessKey bool = false
-
-@description('Optional. Create the Storage Blob Data Contributor role assignment on the storage account. Note, the role assignment must not already exist on the storage account.')
-param createStorageRoleAssignment bool = true
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' existing = {
- name: managedInstanceName
-}
-
-// Assign SQL MI MSI access to storage account
-module storageAccount_sbdc_rbac 'modules/nested_storageRoleAssignment.bicep' = if (!useStorageAccountAccessKey && createStorageRoleAssignment) {
- name: '${managedInstance.name}-sbdc-rbac'
- scope: resourceGroup(split(storageAccountResourceId, '/')[4])
- params: {
- storageAccountName: last(split(storageAccountResourceId, '/'))
- managedInstanceIdentityPrincipalId: managedInstance.identity.principalId
- }
-}
-
-resource vulnerabilityAssessment 'Microsoft.Sql/managedInstances/vulnerabilityAssessments@2022-05-01-preview' = {
- name: name
- parent: managedInstance
- properties: {
- storageContainerPath: 'https://${last(split(storageAccountResourceId, '/'))}.blob.${environment().suffixes.storage}/vulnerability-assessment/'
- storageAccountAccessKey: useStorageAccountAccessKey ? listKeys(storageAccountResourceId, '2019-06-01').keys[0].value : any(null)
- recurringScans: {
- isEnabled: recurringScansIsEnabled
- emailSubscriptionAdmins: recurringScansEmailSubscriptionAdmins
- emails: recurringScansEmails
- }
- }
-}
-
-@description('The name of the deployed vulnerability assessment.')
-output name string = vulnerabilityAssessment.name
-
-@description('The resource ID of the deployed vulnerability assessment.')
-output resourceId string = vulnerabilityAssessment.id
-
-@description('The resource group of the deployed vulnerability assessment.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/sql/managed-instance/vulnerability-assessment/main.json b/modules/sql/managed-instance/vulnerability-assessment/main.json
deleted file mode 100644
index e731e7a912..0000000000
--- a/modules/sql/managed-instance/vulnerability-assessment/main.json
+++ /dev/null
@@ -1,182 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "8033336711737173681" - }, - "name": "SQL Managed Instance Vulnerability Assessments", - "description": "This module deploys a SQL Managed Instance Vulnerability Assessment.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the vulnerability assessment." - } - }, - "managedInstanceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL managed instance. Required if the template is used in a standalone deployment." - } - }, - "recurringScansIsEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Recurring scans state." - } - }, - "recurringScansEmailSubscriptionAdmins": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies that the schedule scan notification will be is sent to the subscription administrators." - } - }, - "recurringScansEmails": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specifies an array of email addresses to which the scan notification is sent." - } - }, - "storageAccountResourceId": { - "type": "string", - "metadata": { - "description": "Required. A blob storage to hold the scan results." - } - }, - "useStorageAccountAccessKey": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Use Access Key to access the storage account. The storage account cannot be behind a firewall or virtual network. If an access key is not used, the SQL MI system assigned managed identity must be assigned the Storage Blob Data Contributor role on the storage account." 
- } - }, - "createStorageRoleAssignment": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Create the Storage Blob Data Contributor role assignment on the storage account. Note, the role assignment must not already exist on the storage account." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/managedInstances/vulnerabilityAssessments", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}', parameters('managedInstanceName'), parameters('name'))]", - "properties": { - "storageContainerPath": "[format('https://{0}.blob.{1}/vulnerability-assessment/', last(split(parameters('storageAccountResourceId'), '/')), environment().suffixes.storage)]", - "storageAccountAccessKey": "[if(parameters('useStorageAccountAccessKey'), listKeys(parameters('storageAccountResourceId'), '2019-06-01').keys[0].value, null())]", - "recurringScans": { - "isEnabled": "[parameters('recurringScansIsEnabled')]", - "emailSubscriptionAdmins": "[parameters('recurringScansEmailSubscriptionAdmins')]", - "emails": "[parameters('recurringScansEmails')]" - } - } - }, - { - "condition": "[and(not(parameters('useStorageAccountAccessKey')), parameters('createStorageRoleAssignment'))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-sbdc-rbac', 
parameters('managedInstanceName'))]", - "resourceGroup": "[split(parameters('storageAccountResourceId'), '/')[4]]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "storageAccountName": { - "value": "[last(split(parameters('storageAccountResourceId'), '/'))]" - }, - "managedInstanceIdentityPrincipalId": { - "value": "[reference(resourceId('Microsoft.Sql/managedInstances', parameters('managedInstanceName')), '2022-05-01-preview', 'full').identity.principalId]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11127995627829971090" - } - }, - "parameters": { - "storageAccountName": { - "type": "string" - }, - "managedInstanceIdentityPrincipalId": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('storageAccountName'))]", - "name": "[guid(format('{0}-{1}-Storage-Blob-Data-Contributor', resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), parameters('managedInstanceIdentityPrincipalId')))]", - "properties": { - "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "principalId": "[parameters('managedInstanceIdentityPrincipalId')]", - "principalType": "ServicePrincipal" - } - } - ] - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed vulnerability assessment." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed vulnerability assessment." 
- }, - "value": "[resourceId('Microsoft.Sql/managedInstances/vulnerabilityAssessments', parameters('managedInstanceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed vulnerability assessment." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file
diff --git a/modules/sql/managed-instance/vulnerability-assessment/modules/nested_storageRoleAssignment.bicep b/modules/sql/managed-instance/vulnerability-assessment/modules/nested_storageRoleAssignment.bicep
deleted file mode 100644
index 7855e9f142..0000000000
--- a/modules/sql/managed-instance/vulnerability-assessment/modules/nested_storageRoleAssignment.bicep
+++ /dev/null
@@ -1,17 +0,0 @@
-param storageAccountName string
-param managedInstanceIdentityPrincipalId string
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
- name: storageAccountName
-}
-
-// Assign Storage Blob Data Contributor RBAC role
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('${storageAccount.id}-${managedInstanceIdentityPrincipalId}-Storage-Blob-Data-Contributor')
- scope: storageAccount
- properties: {
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
- principalId: managedInstanceIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
-}
diff --git a/modules/sql/managed-instance/vulnerability-assessment/version.json b/modules/sql/managed-instance/vulnerability-assessment/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/sql/managed-instance/vulnerability-assessment/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/sql/server/MOVED-TO-AVM.md b/modules/sql/server/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/sql/server/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/sql/server/README.md b/modules/sql/server/README.md
index 66ae1bdfeb..9a41847b7b 100644
--- a/modules/sql/server/README.md
+++ b/modules/sql/server/README.md
@@ -1,1737 +1,7 @@
-# Azure SQL Servers `[Microsoft.Sql/servers]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/sql/server](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/sql/server).** -This module deploys an Azure SQL Server. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/sql/server). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -| `Microsoft.Sql/servers` | 
[2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers) | -| `Microsoft.Sql/servers/databases` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/databases) | -| `Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/databases/backupLongTermRetentionPolicies) | -| `Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/databases/backupShortTermRetentionPolicies) | -| `Microsoft.Sql/servers/elasticPools` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/elasticPools) | -| `Microsoft.Sql/servers/encryptionProtector` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/encryptionProtector) | -| `Microsoft.Sql/servers/firewallRules` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/firewallRules) | -| `Microsoft.Sql/servers/keys` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/keys) | -| `Microsoft.Sql/servers/securityAlertPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/securityAlertPolicies) | -| `Microsoft.Sql/servers/virtualNetworkRules` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/virtualNetworkRules) | -| `Microsoft.Sql/servers/vulnerabilityAssessments` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/vulnerabilityAssessments) | - -## Usage 
examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/sql.server:1.0.0`. - -- [Admin](#example-1-admin) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [Pe](#example-3-pe) -- [Secondary](#example-4-secondary) -- [Vulnassm](#example-5-vulnassm) -- [WAF-aligned](#example-6-waf-aligned) - -### Example 1: _Admin_ - -
- -via Bicep module - -```bicep -module server 'br:bicep/modules/sql.server:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-sqlsadmin' - params: { - // Required parameters - name: 'sqlsadmin' - // Non-required parameters - administrators: { - azureADOnlyAuthentication: true - login: 'myspn' - principalType: 'Application' - sid: '' - tenantId: '' - } - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "sqlsadmin" - }, - // Non-required parameters - "administrators": { - "value": { - "azureADOnlyAuthentication": true, - "login": "myspn", - "principalType": "Application", - "sid": "", - "tenantId": "" - } - }, - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module server 'br:bicep/modules/sql.server:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-sqlsmax' - params: { - // Required parameters - name: 'sqlsmax' - // Non-required parameters - administratorLogin: 'adminUserName' - administratorLoginPassword: '' - databases: [ - { - backupLongTermRetentionPolicy: { - monthlyRetention: 'P6M' - } - backupShortTermRetentionPolicy: { - retentionDays: 14 - } - capacity: 0 - collation: 'SQL_Latin1_General_CP1_CI_AS' - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - elasticPoolId: '' - encryptionProtectorObj: { - serverKeyName: '' - serverKeyType: 'AzureKeyVault' - } - licenseType: 'LicenseIncluded' - maxSizeBytes: 34359738368 - name: 'sqlsmaxdb-001' - skuName: 'ElasticPool' - skuTier: 'GeneralPurpose' - } - ] - elasticPools: [ - { - maintenanceConfigurationId: '' - name: 'sqlsmax-ep-001' - skuCapacity: 10 - skuName: 'GP_Gen5' - skuTier: 'GeneralPurpose' - } - ] - enableDefaultTelemetry: '' - firewallRules: [ - { - endIpAddress: '0.0.0.0' - name: 'AllowAllWindowsAzureIps' - startIpAddress: '0.0.0.0' - } - ] - keys: [ - { - name: '' - serverKeyType: 'AzureKeyVault' - uri: '' - } - ] - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - primaryUserAssignedIdentityId: '' - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'sqlServer' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - restrictOutboundNetworkAccess: 'Disabled' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - 
roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - securityAlertPolicies: [ - { - emailAccountAdmins: true - name: 'Default' - state: 'Enabled' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - virtualNetworkRules: [ - { - ignoreMissingVnetServiceEndpoint: true - name: 'newVnetRule1' - virtualNetworkSubnetId: '' - } - ] - vulnerabilityAssessmentsObj: { - emailSubscriptionAdmins: true - name: 'default' - recurringScansEmails: [ - 'test1@contoso.com' - 'test2@contoso.com' - ] - recurringScansIsEnabled: true - storageAccountResourceId: '' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "sqlsmax" - }, - "administratorLogin": { - "value": "adminUserName" - }, - "administratorLoginPassword": { - "value": "" - }, - "databases": { - "value": [ - { - "backupLongTermRetentionPolicy": { - "monthlyRetention": "P6M" - }, - "backupShortTermRetentionPolicy": { - "retentionDays": 14 - }, - "capacity": 0, - "collation": "SQL_Latin1_General_CP1_CI_AS", - "diagnosticSettings": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ], - "elasticPoolId": "", - "encryptionProtectorObj": { - "serverKeyName": "", - "serverKeyType": "AzureKeyVault" - }, - "licenseType": "LicenseIncluded", - "maxSizeBytes": 34359738368, - "name": "sqlsmaxdb-001", - "skuName": "ElasticPool", - "skuTier": "GeneralPurpose" - } - ] - }, - "elasticPools": { - "value": [ - { - "maintenanceConfigurationId": "", - "name": "sqlsmax-ep-001", - "skuCapacity": 10, - "skuName": "GP_Gen5", - "skuTier": "GeneralPurpose" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "firewallRules": { - "value": [ - { - "endIpAddress": "0.0.0.0", - "name": "AllowAllWindowsAzureIps", - "startIpAddress": "0.0.0.0" - } - ] - }, - "keys": { - "value": [ - { - "name": "", - "serverKeyType": "AzureKeyVault", - "uri": "" - } - ] - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "primaryUserAssignedIdentityId": { - "value": "" - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "sqlServer", - "subnetResourceId": "", - "tags": { - "Environment": 
"Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "restrictOutboundNetworkAccess": { - "value": "Disabled" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "securityAlertPolicies": { - "value": [ - { - "emailAccountAdmins": true, - "name": "Default", - "state": "Enabled" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "virtualNetworkRules": { - "value": [ - { - "ignoreMissingVnetServiceEndpoint": true, - "name": "newVnetRule1", - "virtualNetworkSubnetId": "" - } - ] - }, - "vulnerabilityAssessmentsObj": { - "value": { - "emailSubscriptionAdmins": true, - "name": "default", - "recurringScansEmails": [ - "test1@contoso.com", - "test2@contoso.com" - ], - "recurringScansIsEnabled": true, - "storageAccountResourceId": "" - } - } - } -} -``` - -
-

- -### Example 3: _Pe_ - -

- -via Bicep module - -```bicep -module server 'br:bicep/modules/sql.server:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-sqlspe' - params: { - // Required parameters - name: 'sqlspe' - // Non-required parameters - administratorLogin: 'adminUserName' - administratorLoginPassword: '' - enableDefaultTelemetry: '' - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "sqlspe" - }, - // Non-required parameters - "administratorLogin": { - "value": "adminUserName" - }, - "administratorLoginPassword": { - "value": "" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 4: _Secondary_ - -

- -via Bicep module - -```bicep -module server 'br:bicep/modules/sql.server:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-sqlsec' - params: { - // Required parameters - name: 'sqlsec-sec' - // Non-required parameters - administratorLogin: 'adminUserName' - administratorLoginPassword: '' - databases: [ - { - createMode: 'Secondary' - maxSizeBytes: 2147483648 - name: '' - skuName: 'Basic' - skuTier: 'Basic' - sourceDatabaseResourceId: '' - } - ] - enableDefaultTelemetry: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "sqlsec-sec" - }, - // Non-required parameters - "administratorLogin": { - "value": "adminUserName" - }, - "administratorLoginPassword": { - "value": "" - }, - "databases": { - "value": [ - { - "createMode": "Secondary", - "maxSizeBytes": 2147483648, - "name": "", - "skuName": "Basic", - "skuTier": "Basic", - "sourceDatabaseResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 5: _Vulnassm_ - -

- -via Bicep module - -```bicep -module server 'br:bicep/modules/sql.server:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-sqlsvln' - params: { - // Required parameters - name: 'sqlsvln' - // Non-required parameters - administratorLogin: 'adminUserName' - administratorLoginPassword: '' - enableDefaultTelemetry: '' - location: '' - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - primaryUserAssignedIdentityId: '' - securityAlertPolicies: [ - { - emailAccountAdmins: true - name: 'Default' - state: 'Enabled' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - vulnerabilityAssessmentsObj: { - createStorageRoleAssignment: true - emailSubscriptionAdmins: true - name: 'default' - recurringScansEmails: [ - 'test1@contoso.com' - 'test2@contoso.com' - ] - recurringScansIsEnabled: true - storageAccountResourceId: '' - useStorageAccountAccessKey: false - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "sqlsvln" - }, - // Non-required parameters - "administratorLogin": { - "value": "adminUserName" - }, - "administratorLoginPassword": { - "value": "" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "location": { - "value": "" - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "primaryUserAssignedIdentityId": { - "value": "" - }, - "securityAlertPolicies": { - "value": [ - { - "emailAccountAdmins": true, - "name": "Default", - "state": "Enabled" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "vulnerabilityAssessmentsObj": { - "value": { - "createStorageRoleAssignment": true, - "emailSubscriptionAdmins": true, - "name": "default", - "recurringScansEmails": [ - "test1@contoso.com", - "test2@contoso.com" - ], - "recurringScansIsEnabled": true, - "storageAccountResourceId": "", - "useStorageAccountAccessKey": false - } - } - } -} -``` - -
-

- -### Example 6: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module server 'br:bicep/modules/sql.server:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-sqlswaf' - params: { - // Required parameters - name: 'sqlswaf' - // Non-required parameters - administratorLogin: 'adminUserName' - administratorLoginPassword: '' - databases: [ - { - backupLongTermRetentionPolicy: { - monthlyRetention: 'P6M' - } - backupShortTermRetentionPolicy: { - retentionDays: 14 - } - capacity: 0 - collation: 'SQL_Latin1_General_CP1_CI_AS' - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - elasticPoolId: '' - encryptionProtectorObj: { - serverKeyName: '' - serverKeyType: 'AzureKeyVault' - } - licenseType: 'LicenseIncluded' - maxSizeBytes: 34359738368 - name: 'sqlswafdb-001' - skuName: 'ElasticPool' - skuTier: 'GeneralPurpose' - } - ] - elasticPools: [ - { - maintenanceConfigurationId: '' - name: 'sqlswaf-ep-001' - skuCapacity: 10 - skuName: 'GP_Gen5' - skuTier: 'GeneralPurpose' - } - ] - enableDefaultTelemetry: '' - firewallRules: [ - { - endIpAddress: '0.0.0.0' - name: 'AllowAllWindowsAzureIps' - startIpAddress: '0.0.0.0' - } - ] - keys: [ - { - name: '' - serverKeyType: 'AzureKeyVault' - uri: '' - } - ] - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - primaryUserAssignedIdentityId: '' - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'sqlServer' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - restrictOutboundNetworkAccess: 'Disabled' - securityAlertPolicies: [ - { - emailAccountAdmins: true - name: 'Default' - state: 'Enabled' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the 
resource name' - Role: 'DeploymentValidation' - } - virtualNetworkRules: [ - { - ignoreMissingVnetServiceEndpoint: true - name: 'newVnetRule1' - virtualNetworkSubnetId: '' - } - ] - vulnerabilityAssessmentsObj: { - emailSubscriptionAdmins: true - name: 'default' - recurringScansEmails: [ - 'test1@contoso.com' - 'test2@contoso.com' - ] - recurringScansIsEnabled: true - storageAccountResourceId: '' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "sqlswaf" - }, - "administratorLogin": { - "value": "adminUserName" - }, - "administratorLoginPassword": { - "value": "" - }, - "databases": { - "value": [ - { - "backupLongTermRetentionPolicy": { - "monthlyRetention": "P6M" - }, - "backupShortTermRetentionPolicy": { - "retentionDays": 14 - }, - "capacity": 0, - "collation": "SQL_Latin1_General_CP1_CI_AS", - "diagnosticSettings": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ], - "elasticPoolId": "", - "encryptionProtectorObj": { - "serverKeyName": "", - "serverKeyType": "AzureKeyVault" - }, - "licenseType": "LicenseIncluded", - "maxSizeBytes": 34359738368, - "name": "sqlswafdb-001", - "skuName": "ElasticPool", - "skuTier": "GeneralPurpose" - } - ] - }, - "elasticPools": { - "value": [ - { - "maintenanceConfigurationId": "", - "name": "sqlswaf-ep-001", - "skuCapacity": 10, - "skuName": "GP_Gen5", - "skuTier": "GeneralPurpose" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "firewallRules": { - "value": [ - { - "endIpAddress": "0.0.0.0", - "name": "AllowAllWindowsAzureIps", - "startIpAddress": "0.0.0.0" - } - ] - }, - "keys": { - "value": [ - { - "name": "", - "serverKeyType": "AzureKeyVault", - "uri": "" - } - ] - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "primaryUserAssignedIdentityId": { - "value": "" - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "sqlServer", - "subnetResourceId": "", - "tags": { - "Environment": 
"Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "restrictOutboundNetworkAccess": { - "value": "Disabled" - }, - "securityAlertPolicies": { - "value": [ - { - "emailAccountAdmins": true, - "name": "Default", - "state": "Enabled" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "virtualNetworkRules": { - "value": [ - { - "ignoreMissingVnetServiceEndpoint": true, - "name": "newVnetRule1", - "virtualNetworkSubnetId": "" - } - ] - }, - "vulnerabilityAssessmentsObj": { - "value": { - "emailSubscriptionAdmins": true, - "name": "default", - "recurringScansEmails": [ - "test1@contoso.com", - "test2@contoso.com" - ], - "recurringScansIsEnabled": true, - "storageAccountResourceId": "" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the server. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`administratorLogin`](#parameter-administratorlogin) | string | The administrator username for the server. Required if no `administrators` object for AAD authentication is provided. | -| [`administratorLoginPassword`](#parameter-administratorloginpassword) | securestring | The administrator login password. Required if no `administrators` object for AAD authentication is provided. | -| [`administrators`](#parameter-administrators) | object | The Azure Active Directory (AAD) administrator authentication. Required if no `administratorLogin` & `administratorLoginPassword` is provided. | -| [`primaryUserAssignedIdentityId`](#parameter-primaryuserassignedidentityid) | string | The resource ID of a user assigned identity to be used by default. Required if "userAssignedIdentities" is not empty. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`databases`](#parameter-databases) | array | The databases to create in the server. | -| [`elasticPools`](#parameter-elasticpools) | array | The Elastic Pools to create in the server. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`encryptionProtectorObj`](#parameter-encryptionprotectorobj) | object | The encryption protection configuration. | -| [`firewallRules`](#parameter-firewallrules) | array | The firewall rules to create in the server. | -| [`keys`](#parameter-keys) | array | The keys to configure. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. 
| -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`minimalTlsVersion`](#parameter-minimaltlsversion) | string | Minimal TLS version allowed. | -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and neither firewall rules nor virtual network rules are set. | -| [`restrictOutboundNetworkAccess`](#parameter-restrictoutboundnetworkaccess) | string | Whether or not to restrict outbound network access for this server. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`securityAlertPolicies`](#parameter-securityalertpolicies) | array | The security alert policies to create in the server. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`virtualNetworkRules`](#parameter-virtualnetworkrules) | array | The virtual network rules to create in the server. | -| [`vulnerabilityAssessmentsObj`](#parameter-vulnerabilityassessmentsobj) | object | The vulnerability assessment configuration. | - -### Parameter: `name` - -The name of the server. - -- Required: Yes -- Type: string - -### Parameter: `administratorLogin` - -The administrator username for the server. Required if no `administrators` object for AAD authentication is provided. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `administratorLoginPassword` - -The administrator login password. Required if no `administrators` object for AAD authentication is provided. 
- -- Required: No -- Type: securestring -- Default: `''` - -### Parameter: `administrators` - -The Azure Active Directory (AAD) administrator authentication. Required if no `administratorLogin` & `administratorLoginPassword` is provided. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `primaryUserAssignedIdentityId` - -The resource ID of a user assigned identity to be used by default. Required if "userAssignedIdentities" is not empty. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `databases` - -The databases to create in the server. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `elasticPools` - -The Elastic Pools to create in the server. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `encryptionProtectorObj` - -The encryption protection configuration. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `firewallRules` - -The firewall rules to create in the server. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `keys` - -The keys to configure. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. 
- -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: No -- Type: array - -### Parameter: `minimalTlsVersion` - -Minimal TLS version allowed. - -- Required: No -- Type: string -- Default: `'1.2'` -- Allowed: - ```Bicep - [ - '1.0' - '1.1' - '1.2' - ] - ``` - -### Parameter: `privateEndpoints` - -Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. 
| -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.subnetResourceId` - -Resource ID of the subnet where the endpoint needs to be created. 
- -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Application security groups in which the private endpoint IP configuration is included. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customDnsConfigs` - -Custom DNS configurations. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customNetworkInterfaceName` - -The custom name of the network interface attached to the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.enableTelemetry` - -Enable/Disable usage telemetry for module. - -- Required: No -- Type: bool - -### Parameter: `privateEndpoints.ipConfigurations` - -A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.location` - -The location to deploy the private endpoint to. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.lock` - -Specify the type of lock. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | -| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | - -### Parameter: `privateEndpoints.lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `privateEndpoints.lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` - -Manual PrivateLink Service Connections. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.name` - -The name of the private endpoint. 
- -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneGroupName` - -The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` - -The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. 
| -| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `privateEndpoints.roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.principalType` - -The principal type of the assigned principal ID. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `privateEndpoints.service` - -The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.tags` - -Tags to be applied on all resources/resource groups in this deployment. - -- Required: No -- Type: object - -### Parameter: `publicNetworkAccess` - -Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and neither firewall rules nor virtual network rules are set. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `restrictOutboundNetworkAccess` - -Whether or not to restrict outbound network access for this server. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. 
- -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `securityAlertPolicies` - -The security alert policies to create in the server. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `virtualNetworkRules` - -The virtual network rules to create in the server. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `vulnerabilityAssessmentsObj` - -The vulnerability assessment configuration. - -- Required: No -- Type: object -- Default: `{}` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed SQL server. | -| `resourceGroupName` | string | The resource group of the deployed SQL server. | -| `resourceId` | string | The resource ID of the deployed SQL server. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `modules/network/private-endpoint` | Local reference | - -## Notes - -### Parameter Usage: `administrators` - -Configure Azure Active Directory Authentication method for server administrator. - - -

- -Parameter JSON format - -```json -"administrators": { - "value": { - "azureADOnlyAuthentication": true, - "login": "John Doe", // if application can be anything - "sid": "[[objectId]]", // if application, the object ID - "principalType" : "User", // options: "User", "Group", "Application" - "tenantId": "[[tenantId]]" - } -} -``` - -
- -
- -Bicep format - -```bicep -administrators: { - azureADOnlyAuthentication: true - login: 'John Doe' // if application can be anything - sid: '[[objectId]]' // if application the object ID - 'principalType' : 'User' // options: 'User' 'Group' 'Application' - tenantId: '[[tenantId]]' -} -``` - -
-

+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/sql/server/database/README.md b/modules/sql/server/database/README.md
deleted file mode 100644
index 3afe36f94b..0000000000
--- a/modules/sql/server/database/README.md
+++ /dev/null
@@ -1,455 +0,0 @@ -# SQL Server Database `[Microsoft.Sql/servers/databases]` - -This module deploys an Azure SQL Server Database. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Sql/servers/databases` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/databases) | -| `Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/databases/backupLongTermRetentionPolicies) | -| `Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/databases/backupShortTermRetentionPolicies) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the database. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`serverName`](#parameter-servername) | string | The name of the parent SQL Server. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`autoPauseDelay`](#parameter-autopausedelay) | int | Time in minutes after which database is automatically paused. A value of -1 means that automatic pause is disabled. | -| [`backupLongTermRetentionPolicy`](#parameter-backuplongtermretentionpolicy) | object | The long term backup retention policy to create for the database. 
| -| [`backupShortTermRetentionPolicy`](#parameter-backupshorttermretentionpolicy) | object | The short term backup retention policy to create for the database. | -| [`collation`](#parameter-collation) | string | The collation of the database. | -| [`createMode`](#parameter-createmode) | string | Specifies the mode of database creation. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`elasticPoolId`](#parameter-elasticpoolid) | string | The resource ID of the elastic pool containing this database. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`highAvailabilityReplicaCount`](#parameter-highavailabilityreplicacount) | int | The number of readonly secondary replicas associated with the database. | -| [`isLedgerOn`](#parameter-isledgeron) | bool | Whether or not this database is a ledger database, which means all tables in the database are ledger tables. Note: the value of this property cannot be changed after the database has been created. | -| [`licenseType`](#parameter-licensetype) | string | The license type to apply for this database. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`maintenanceConfigurationId`](#parameter-maintenanceconfigurationid) | string | Maintenance configuration ID assigned to the database. This configuration defines the period when the maintenance updates will occur. | -| [`maxSizeBytes`](#parameter-maxsizebytes) | int | The max size of the database expressed in bytes. | -| [`minCapacity`](#parameter-mincapacity) | string | Minimal capacity that database will always have allocated. | -| [`preferredEnclaveType`](#parameter-preferredenclavetype) | string | Type of enclave requested on the database i.e. Default or VBS enclaves. | -| [`readScale`](#parameter-readscale) | string | The state of read-only routing. 
| -| [`recoveryServicesRecoveryPointResourceId`](#parameter-recoveryservicesrecoverypointresourceid) | string | Resource ID of backup if createMode set to RestoreLongTermRetentionBackup. | -| [`requestedBackupStorageRedundancy`](#parameter-requestedbackupstorageredundancy) | string | The storage account type to be used to store backups for this database. | -| [`restorePointInTime`](#parameter-restorepointintime) | string | Point in time (ISO8601 format) of the source database to restore when createMode set to Restore or PointInTimeRestore. | -| [`sampleName`](#parameter-samplename) | string | The name of the sample schema to apply when creating this database. | -| [`skuCapacity`](#parameter-skucapacity) | int | Capacity of the particular SKU. | -| [`skuFamily`](#parameter-skufamily) | string | If the service has different generations of hardware, for the same SKU, then that can be captured here. | -| [`skuName`](#parameter-skuname) | string | The name of the SKU. | -| [`skuSize`](#parameter-skusize) | string | Size of the particular SKU. | -| [`skuTier`](#parameter-skutier) | string | The skuTier or edition of the particular SKU. | -| [`sourceDatabaseDeletionDate`](#parameter-sourcedatabasedeletiondate) | string | The time that the database was deleted when restoring a deleted database. | -| [`sourceDatabaseResourceId`](#parameter-sourcedatabaseresourceid) | string | Resource ID of database if createMode set to Copy, Secondary, PointInTimeRestore, Recovery or Restore. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`zoneRedundant`](#parameter-zoneredundant) | bool | Whether or not this database is zone redundant. | - -### Parameter: `name` - -The name of the database. - -- Required: Yes -- Type: string - -### Parameter: `serverName` - -The name of the parent SQL Server. Required if the template is used in a standalone deployment. 
- -- Required: Yes -- Type: string - -### Parameter: `autoPauseDelay` - -Time in minutes after which database is automatically paused. A value of -1 means that automatic pause is disabled. - -- Required: No -- Type: int -- Default: `0` - -### Parameter: `backupLongTermRetentionPolicy` - -The long term backup retention policy to create for the database. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `backupShortTermRetentionPolicy` - -The short term backup retention policy to create for the database. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `collation` - -The collation of the database. - -- Required: No -- Type: string -- Default: `'SQL_Latin1_General_CP1_CI_AS'` - -### Parameter: `createMode` - -Specifies the mode of database creation. - -- Required: No -- Type: string -- Default: `'Default'` -- Allowed: - ```Bicep - [ - 'Copy' - 'Default' - 'OnlineSecondary' - 'PointInTimeRestore' - 'Recovery' - 'Restore' - 'RestoreLongTermRetentionBackup' - 'Secondary' - ] - ``` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
| -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- -- Required: No -- Type: string - -### Parameter: `elasticPoolId` - -The resource ID of the elastic pool containing this database. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `highAvailabilityReplicaCount` - -The number of readonly secondary replicas associated with the database. - -- Required: No -- Type: int -- Default: `0` - -### Parameter: `isLedgerOn` - -Whether or not this database is a ledger database, which means all tables in the database are ledger tables. Note: the value of this property cannot be changed after the database has been created. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `licenseType` - -The license type to apply for this database. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `maintenanceConfigurationId` - -Maintenance configuration ID assigned to the database. This configuration defines the period when the maintenance updates will occur. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `maxSizeBytes` - -The max size of the database expressed in bytes. - -- Required: No -- Type: int -- Default: `34359738368` - -### Parameter: `minCapacity` - -Minimal capacity that database will always have allocated. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `preferredEnclaveType` - -Type of enclave requested on the database i.e. Default or VBS enclaves. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Default' - 'VBS' - ] - ``` - -### Parameter: `readScale` - -The state of read-only routing. 
- -- Required: No -- Type: string -- Default: `'Disabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `recoveryServicesRecoveryPointResourceId` - -Resource ID of backup if createMode set to RestoreLongTermRetentionBackup. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `requestedBackupStorageRedundancy` - -The storage account type to be used to store backups for this database. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Geo' - 'Local' - 'Zone' - ] - ``` - -### Parameter: `restorePointInTime` - -Point in time (ISO8601 format) of the source database to restore when createMode set to Restore or PointInTimeRestore. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `sampleName` - -The name of the sample schema to apply when creating this database. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `skuCapacity` - -Capacity of the particular SKU. - -- Required: No -- Type: int -- Default: `-1` - -### Parameter: `skuFamily` - -If the service has different generations of hardware, for the same SKU, then that can be captured here. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `skuName` - -The name of the SKU. - -- Required: No -- Type: string -- Default: `'GP_Gen5_2'` - -### Parameter: `skuSize` - -Size of the particular SKU. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `skuTier` - -The skuTier or edition of the particular SKU. - -- Required: No -- Type: string -- Default: `'GeneralPurpose'` - -### Parameter: `sourceDatabaseDeletionDate` - -The time that the database was deleted when restoring a deleted database. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `sourceDatabaseResourceId` - -Resource ID of database if createMode set to Copy, Secondary, PointInTimeRestore, Recovery or Restore. 
- -- Required: No -- Type: string -- Default: `''` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `zoneRedundant` - -Whether or not this database is zone redundant. - -- Required: No -- Type: bool -- Default: `False` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed database. | -| `resourceGroupName` | string | The resource group of the deployed database. | -| `resourceId` | string | The resource ID of the deployed database. | - -## Cross-referenced modules - -_None_ diff --git a/modules/sql/server/database/backup-long-term-retention-policy/README.md b/modules/sql/server/database/backup-long-term-retention-policy/README.md deleted file mode 100644 index 657bb34d3d..0000000000 --- a/modules/sql/server/database/backup-long-term-retention-policy/README.md +++ /dev/null 
@@ -1,102 +0,0 @@
-# SQL Server Database Long Term Backup Retention Policies `[Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies]`
-
-This module deploys an Azure SQL Server Database Long-Term Backup Retention Policy.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/databases/backupLongTermRetentionPolicies) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`databaseName`](#parameter-databasename) | string | The name of the parent database. |
-| [`serverName`](#parameter-servername) | string | The name of the parent SQL Server. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`monthlyRetention`](#parameter-monthlyretention) | string | Weekly retention in ISO 8601 duration format. |
-| [`weeklyRetention`](#parameter-weeklyretention) | string | Monthly retention in ISO 8601 duration format. |
-| [`weekOfYear`](#parameter-weekofyear) | int | Week of year backup to keep for yearly retention. |
-| [`yearlyRetention`](#parameter-yearlyretention) | string | Yearly retention in ISO 8601 duration format. |
-
-### Parameter: `databaseName`
-
-The name of the parent database.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `serverName`
-
-The name of the parent SQL Server.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `monthlyRetention`
-
-Weekly retention in ISO 8601 duration format.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `weeklyRetention`
-
-Monthly retention in ISO 8601 duration format.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `weekOfYear`
-
-Week of year backup to keep for yearly retention.
-
-- Required: No
-- Type: int
-- Default: `1`
-
-### Parameter: `yearlyRetention`
-
-Yearly retention in ISO 8601 duration format.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the long-term policy. |
-| `resourceGroupName` | string | The resource group the long-term policy was deployed into. |
-| `resourceId` | string | The resource ID of the long-term policy. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/sql/server/database/backup-long-term-retention-policy/main.bicep b/modules/sql/server/database/backup-long-term-retention-policy/main.bicep
deleted file mode 100644
index 26f40f072c..0000000000
--- a/modules/sql/server/database/backup-long-term-retention-policy/main.bicep
+++ /dev/null
@@ -1,65 +0,0 @@
-metadata name = 'SQL Server Database Long Term Backup Retention Policies'
-metadata description = 'This module deploys an Azure SQL Server Database Long-Term Backup Retention Policy.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the parent SQL Server.')
-param serverName string
-
-@description('Required. The name of the parent database.')
-param databaseName string
-
-@description('Optional. Monthly retention in ISO 8601 duration format.')
-param weeklyRetention string = ''
-
-@description('Optional. Weekly retention in ISO 8601 duration format.')
-param monthlyRetention string = ''
-
-@description('Optional. Week of year backup to keep for yearly retention.')
-param weekOfYear int = 1
-
-@description('Optional. Yearly retention in ISO 8601 duration format.')
-param yearlyRetention string = ''
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource server 'Microsoft.Sql/servers@2022-05-01-preview' existing = {
- name: serverName
-}
-
-resource database 'Microsoft.Sql/servers/databases@2022-05-01-preview' existing = {
- name: databaseName
- parent: server
-}
-
-resource backupLongTermRetentionPolicy 'Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies@2022-05-01-preview' = {
- name: 'default'
- parent: database
- properties: {
- monthlyRetention: monthlyRetention
- weeklyRetention: weeklyRetention
- weekOfYear: weekOfYear
- yearlyRetention: yearlyRetention
- }
-}
-
-@description('The resource group the long-term policy was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the long-term policy.')
-output name string = backupLongTermRetentionPolicy.name
-
-@description('The resource ID of the long-term policy.')
-output resourceId string = backupLongTermRetentionPolicy.id
diff --git a/modules/sql/server/database/backup-long-term-retention-policy/main.json b/modules/sql/server/database/backup-long-term-retention-policy/main.json
deleted file mode 100644
index 6e8367af41..0000000000
--- a/modules/sql/server/database/backup-long-term-retention-policy/main.json
+++ /dev/null
@@ -1,113 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6078887169611486577" - }, - "name": "SQL Server Database Long Term Backup Retention Policies", - "description": "This module deploys an Azure SQL Server Database Long-Term Backup Retention Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "serverName": { - "type": "string", - "metadata": { - "description": "Required. The name of the parent SQL Server." - } - }, - "databaseName": { - "type": "string", - "metadata": { - "description": "Required. The name of the parent database." - } - }, - "weeklyRetention": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Monthly retention in ISO 8601 duration format." - } - }, - "monthlyRetention": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Weekly retention in ISO 8601 duration format." - } - }, - "weekOfYear": { - "type": "int", - "defaultValue": 1, - "metadata": { - "description": "Optional. Week of year backup to keep for yearly retention." - } - }, - "yearlyRetention": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Yearly retention in ISO 8601 duration format." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}/{2}', parameters('serverName'), parameters('databaseName'), 'default')]", - "properties": { - "monthlyRetention": "[parameters('monthlyRetention')]", - "weeklyRetention": "[parameters('weeklyRetention')]", - "weekOfYear": "[parameters('weekOfYear')]", - "yearlyRetention": "[parameters('yearlyRetention')]" - } - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the long-term policy was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the long-term policy." - }, - "value": "default" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the long-term policy." - }, - "value": "[resourceId('Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies', parameters('serverName'), parameters('databaseName'), 'default')]" - } - } -} \ No newline at end of file diff --git a/modules/sql/server/database/backup-long-term-retention-policy/version.json b/modules/sql/server/database/backup-long-term-retention-policy/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/sql/server/database/backup-long-term-retention-policy/version.json +++ /dev/null 
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/sql/server/database/backup-short-term-retention-policy/README.md b/modules/sql/server/database/backup-short-term-retention-policy/README.md
deleted file mode 100644
index 5b9bab597d..0000000000
--- a/modules/sql/server/database/backup-short-term-retention-policy/README.md
+++ /dev/null
@@ -1,84 +0,0 @@
-# Azure SQL Server Database Short Term Backup Retention Policies `[Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies]`
-
-This module deploys an Azure SQL Server Database Short-Term Backup Retention Policy.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/databases/backupShortTermRetentionPolicies) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`databaseName`](#parameter-databasename) | string | The name of the parent database. |
-| [`serverName`](#parameter-servername) | string | The name of the parent SQL Server. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`diffBackupIntervalInHours`](#parameter-diffbackupintervalinhours) | int | Differential backup interval in hours. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`retentionDays`](#parameter-retentiondays) | int | Poin-in-time retention in days. |
-
-### Parameter: `databaseName`
-
-The name of the parent database.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `serverName`
-
-The name of the parent SQL Server.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `diffBackupIntervalInHours`
-
-Differential backup interval in hours.
-
-- Required: No
-- Type: int
-- Default: `24`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `retentionDays`
-
-Poin-in-time retention in days.
-
-- Required: No
-- Type: int
-- Default: `7`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the short-term policy. |
-| `resourceGroupName` | string | The resource group the short-term policy was deployed into. |
-| `resourceId` | string | The resource ID of the short-term policy. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/sql/server/database/backup-short-term-retention-policy/main.bicep b/modules/sql/server/database/backup-short-term-retention-policy/main.bicep
deleted file mode 100644
index b23fd26e8e..0000000000
--- a/modules/sql/server/database/backup-short-term-retention-policy/main.bicep
+++ /dev/null
@@ -1,57 +0,0 @@
-metadata name = 'Azure SQL Server Database Short Term Backup Retention Policies'
-metadata description = 'This module deploys an Azure SQL Server Database Short-Term Backup Retention Policy.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the parent SQL Server.')
-param serverName string
-
-@description('Required. The name of the parent database.')
-param databaseName string
-
-@description('Optional. Differential backup interval in hours.')
-param diffBackupIntervalInHours int = 24
-
-@description('Optional. Poin-in-time retention in days.')
-param retentionDays int = 7
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource server 'Microsoft.Sql/servers@2022-05-01-preview' existing = {
- name: serverName
-}
-
-resource database 'Microsoft.Sql/servers/databases@2022-05-01-preview' existing = {
- name: databaseName
- parent: server
-}
-
-resource backupShortTermRetentionPolicy 'Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies@2022-05-01-preview' = {
- name: 'default'
- parent: database
- properties: {
- diffBackupIntervalInHours: diffBackupIntervalInHours
- retentionDays: retentionDays
- }
-}
-
-@description('The resource group the short-term policy was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the short-term policy.')
-output name string = backupShortTermRetentionPolicy.name
-
-@description('The resource ID of the short-term policy.')
-output resourceId string = backupShortTermRetentionPolicy.id
diff --git a/modules/sql/server/database/backup-short-term-retention-policy/main.json b/modules/sql/server/database/backup-short-term-retention-policy/main.json
deleted file mode 100644
index 5502db4fc5..0000000000
--- a/modules/sql/server/database/backup-short-term-retention-policy/main.json
+++ /dev/null
@@ -1,97 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16957286289914102707" - }, - "name": "Azure SQL Server Database Short Term Backup Retention Policies", - "description": "This module deploys an Azure SQL Server Database Short-Term Backup Retention Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "serverName": { - "type": "string", - "metadata": { - "description": "Required. The name of the parent SQL Server." - } - }, - "databaseName": { - "type": "string", - "metadata": { - "description": "Required. The name of the parent database." - } - }, - "diffBackupIntervalInHours": { - "type": "int", - "defaultValue": 24, - "metadata": { - "description": "Optional. Differential backup interval in hours." - } - }, - "retentionDays": { - "type": "int", - "defaultValue": 7, - "metadata": { - "description": "Optional. Poin-in-time retention in days." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}/{2}', parameters('serverName'), parameters('databaseName'), 'default')]", - "properties": { - "diffBackupIntervalInHours": "[parameters('diffBackupIntervalInHours')]", - "retentionDays": "[parameters('retentionDays')]" - } - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the short-term policy was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the short-term policy." - }, - "value": "default" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the short-term policy." - }, - "value": "[resourceId('Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies', parameters('serverName'), parameters('databaseName'), 'default')]" - } - } -} \ No newline at end of file diff --git a/modules/sql/server/database/backup-short-term-retention-policy/version.json b/modules/sql/server/database/backup-short-term-retention-policy/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/sql/server/database/backup-short-term-retention-policy/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/sql/server/database/main.bicep b/modules/sql/server/database/main.bicep
deleted file mode 100644
index 606a2a7151..0000000000
--- a/modules/sql/server/database/main.bicep
+++ /dev/null
@@ -1,283 +0,0 @@
-metadata name = 'SQL Server Database'
-metadata description = 'This module deploys an Azure SQL Server Database.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the database.')
-param name string
-
-@description('Conditional. The name of the parent SQL Server. Required if the template is used in a standalone deployment.')
-param serverName string
-
-@description('Optional. The collation of the database.')
-param collation string = 'SQL_Latin1_General_CP1_CI_AS'
-
-@description('Optional. The skuTier or edition of the particular SKU.')
-param skuTier string = 'GeneralPurpose'
-
-@description('Optional. The name of the SKU.')
-param skuName string = 'GP_Gen5_2'
-
-@description('Optional. Capacity of the particular SKU.')
-param skuCapacity int = -1
-
-@description('Optional. Type of enclave requested on the database i.e. Default or VBS enclaves.')
-@allowed([
- ''
- 'Default'
- 'VBS'
-])
-param preferredEnclaveType string = ''
-
-@description('Optional. If the service has different generations of hardware, for the same SKU, then that can be captured here.')
-param skuFamily string = ''
-
-@description('Optional. Size of the particular SKU.')
-param skuSize string = ''
-
-@description('Optional. The max size of the database expressed in bytes.')
-param maxSizeBytes int = 34359738368
-
-@description('Optional. The name of the sample schema to apply when creating this database.')
-param sampleName string = ''
-
-@description('Optional. Whether or not this database is zone redundant.')
-param zoneRedundant bool = false
-
-@description('Optional. The license type to apply for this database.')
-param licenseType string = ''
-
-@description('Optional. The state of read-only routing.')
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-param readScale string = 'Disabled'
-
-@description('Optional. The number of readonly secondary replicas associated with the database.')
-param highAvailabilityReplicaCount int = 0
-
-@description('Optional. Minimal capacity that database will always have allocated.')
-param minCapacity string = ''
-
-@description('Optional. Time in minutes after which database is automatically paused. A value of -1 means that automatic pause is disabled.')
-param autoPauseDelay int = 0
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. The resource ID of the elastic pool containing this database.')
-param elasticPoolId string = ''
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. Specifies the mode of database creation.')
-@allowed([
- 'Default'
- 'Copy'
- 'OnlineSecondary'
- 'PointInTimeRestore'
- 'Recovery'
- 'Restore'
- 'RestoreLongTermRetentionBackup'
- 'Secondary'
-])
-param createMode string = 'Default'
-
-@description('Optional. Resource ID of database if createMode set to Copy, Secondary, PointInTimeRestore, Recovery or Restore.')
-param sourceDatabaseResourceId string = ''
-
-@description('Optional. The time that the database was deleted when restoring a deleted database.')
-param sourceDatabaseDeletionDate string = ''
-
-@description('Optional. Resource ID of backup if createMode set to RestoreLongTermRetentionBackup.')
-param recoveryServicesRecoveryPointResourceId string = ''
-
-@description('Optional. Point in time (ISO8601 format) of the source database to restore when createMode set to Restore or PointInTimeRestore.')
-param restorePointInTime string = ''
-
-@description('Optional. The storage account type to be used to store backups for this database.')
-@allowed([
- 'Geo'
- 'Local'
- 'Zone'
- ''
-])
-param requestedBackupStorageRedundancy string = ''
-
-@description('Optional. Whether or not this database is a ledger database, which means all tables in the database are ledger tables. Note: the value of this property cannot be changed after the database has been created.')
-param isLedgerOn bool = false
-
-@description('Optional. Maintenance configuration ID assigned to the database. This configuration defines the period when the maintenance updates will occur.')
-param maintenanceConfigurationId string = ''
-
-@description('Optional. The short term backup retention policy to create for the database.')
-param backupShortTermRetentionPolicy object = {}
-
-@description('Optional. The long term backup retention policy to create for the database.')
-param backupLongTermRetentionPolicy object = {}
-
-// The SKU object must be built in a variable
-// The alternative, 'null' as default values, leads to non-terminating deployments
-var skuVar = union({
- name: skuName
- tier: skuTier
- }, (skuCapacity != -1) ? {
- capacity: skuCapacity
- } : !empty(skuFamily) ? {
- family: skuFamily
- } : !empty(skuSize) ? {
- size: skuSize
- } : {})
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource server 'Microsoft.Sql/servers@2022-05-01-preview' existing = {
- name: serverName
-}
-
-resource database 'Microsoft.Sql/servers/databases@2022-05-01-preview' = {
- name: name
- parent: server
- location: location
- tags: tags
- properties: {
- preferredEnclaveType: !empty(preferredEnclaveType) ? preferredEnclaveType : null
- collation: collation
- maxSizeBytes: maxSizeBytes
- sampleName: sampleName
- zoneRedundant: zoneRedundant
- licenseType: licenseType
- readScale: readScale
- minCapacity: !empty(minCapacity) ? json(minCapacity) : 0 // The json() function is used to allow specifying a decimal value.
- autoPauseDelay: autoPauseDelay
- highAvailabilityReplicaCount: highAvailabilityReplicaCount
- requestedBackupStorageRedundancy: any(requestedBackupStorageRedundancy)
- isLedgerOn: isLedgerOn
- maintenanceConfigurationId: !empty(maintenanceConfigurationId) ? maintenanceConfigurationId : null
- elasticPoolId: elasticPoolId
- createMode: createMode
- sourceDatabaseId: !empty(sourceDatabaseResourceId) ? sourceDatabaseResourceId : null
- sourceDatabaseDeletionDate: !empty(sourceDatabaseDeletionDate) ? sourceDatabaseDeletionDate : null
- recoveryServicesRecoveryPointId: !empty(recoveryServicesRecoveryPointResourceId) ? recoveryServicesRecoveryPointResourceId : null
- restorePointInTime: !empty(restorePointInTime) ? restorePointInTime : null
- }
- sku: skuVar
-}
-
-resource database_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: database
-}]
-
-module database_backupShortTermRetentionPolicy 'backup-short-term-retention-policy/main.bicep' = {
- name: '${uniqueString(deployment().name, location)}-${name}-shBakRetPol'
- params: {
- serverName: serverName
- databaseName: database.name
- diffBackupIntervalInHours: contains(backupShortTermRetentionPolicy, 'diffBackupIntervalInHours') ? backupShortTermRetentionPolicy.diffBackupIntervalInHours : 24
- retentionDays: contains(backupShortTermRetentionPolicy, 'retentionDays') ? backupShortTermRetentionPolicy.retentionDays : 7
- }
-}
-
-module database_backupLongTermRetentionPolicy 'backup-long-term-retention-policy/main.bicep' = {
- name: '${uniqueString(deployment().name, location)}-${name}-lgBakRetPol'
- params: {
- serverName: serverName
- databaseName: database.name
- weeklyRetention: contains(backupLongTermRetentionPolicy, 'weeklyRetention') ? backupLongTermRetentionPolicy.weeklyRetention : ''
- monthlyRetention: contains(backupLongTermRetentionPolicy, 'monthlyRetention') ? backupLongTermRetentionPolicy.monthlyRetention : ''
- yearlyRetention: contains(backupLongTermRetentionPolicy, 'yearlyRetention') ? backupLongTermRetentionPolicy.yearlyRetention : ''
- weekOfYear: contains(backupLongTermRetentionPolicy, 'weekOfYear') ? backupLongTermRetentionPolicy.weekOfYear : 1
- }
-}
-
-@description('The name of the deployed database.')
-output name string = database.name
-
-@description('The resource ID of the deployed database.')
-output resourceId string = database.id
-
-@description('The resource group of the deployed database.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = database.location
-// =============== //
-// Definitions //
-// =============== //
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/sql/server/database/main.json b/modules/sql/server/database/main.json
deleted file mode 100644
index 34f0ec70b3..0000000000
--- a/modules/sql/server/database/main.json
+++ /dev/null
@@ -1,741 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4314496383428784436" - }, - "name": "SQL Server Database", - "description": "This module deploys an Azure SQL Server Database.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. 
Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." 
- } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the database." - } - }, - "serverName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL Server. Required if the template is used in a standalone deployment." - } - }, - "collation": { - "type": "string", - "defaultValue": "SQL_Latin1_General_CP1_CI_AS", - "metadata": { - "description": "Optional. The collation of the database." - } - }, - "skuTier": { - "type": "string", - "defaultValue": "GeneralPurpose", - "metadata": { - "description": "Optional. The skuTier or edition of the particular SKU." - } - }, - "skuName": { - "type": "string", - "defaultValue": "GP_Gen5_2", - "metadata": { - "description": "Optional. The name of the SKU." - } - }, - "skuCapacity": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Capacity of the particular SKU." - } - }, - "preferredEnclaveType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Default", - "VBS" - ], - "metadata": { - "description": "Optional. Type of enclave requested on the database i.e. Default or VBS enclaves." - } - }, - "skuFamily": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. If the service has different generations of hardware, for the same SKU, then that can be captured here." - } - }, - "skuSize": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Size of the particular SKU." - } - }, - "maxSizeBytes": { - "type": "int", - "defaultValue": 34359738368, - "metadata": { - "description": "Optional. The max size of the database expressed in bytes." - } - }, - "sampleName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the sample schema to apply when creating this database." 
- } - }, - "zoneRedundant": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether or not this database is zone redundant." - } - }, - "licenseType": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The license type to apply for this database." - } - }, - "readScale": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. The state of read-only routing." - } - }, - "highAvailabilityReplicaCount": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. The number of readonly secondary replicas associated with the database." - } - }, - "minCapacity": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Minimal capacity that database will always have allocated." - } - }, - "autoPauseDelay": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. Time in minutes after which database is automatically paused. A value of -1 means that automatic pause is disabled." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "elasticPoolId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of the elastic pool containing this database." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." 
- } - }, - "createMode": { - "type": "string", - "defaultValue": "Default", - "allowedValues": [ - "Default", - "Copy", - "OnlineSecondary", - "PointInTimeRestore", - "Recovery", - "Restore", - "RestoreLongTermRetentionBackup", - "Secondary" - ], - "metadata": { - "description": "Optional. Specifies the mode of database creation." - } - }, - "sourceDatabaseResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of database if createMode set to Copy, Secondary, PointInTimeRestore, Recovery or Restore." - } - }, - "sourceDatabaseDeletionDate": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The time that the database was deleted when restoring a deleted database." - } - }, - "recoveryServicesRecoveryPointResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of backup if createMode set to RestoreLongTermRetentionBackup." - } - }, - "restorePointInTime": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Point in time (ISO8601 format) of the source database to restore when createMode set to Restore or PointInTimeRestore." - } - }, - "requestedBackupStorageRedundancy": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "Geo", - "Local", - "Zone", - "" - ], - "metadata": { - "description": "Optional. The storage account type to be used to store backups for this database." - } - }, - "isLedgerOn": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether or not this database is a ledger database, which means all tables in the database are ledger tables. Note: the value of this property cannot be changed after the database has been created." - } - }, - "maintenanceConfigurationId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Maintenance configuration ID assigned to the database. 
This configuration defines the period when the maintenance updates will occur." - } - }, - "backupShortTermRetentionPolicy": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The short term backup retention policy to create for the database." - } - }, - "backupLongTermRetentionPolicy": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The long term backup retention policy to create for the database." - } - } - }, - "variables": { - "skuVar": "[union(createObject('name', parameters('skuName'), 'tier', parameters('skuTier')), if(not(equals(parameters('skuCapacity'), -1)), createObject('capacity', parameters('skuCapacity')), if(not(empty(parameters('skuFamily'))), createObject('family', parameters('skuFamily')), if(not(empty(parameters('skuSize'))), createObject('size', parameters('skuSize')), createObject()))))]" - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "server": { - "existing": true, - "type": "Microsoft.Sql/servers", - "apiVersion": "2022-05-01-preview", - "name": "[parameters('serverName')]" - }, - "database": { - "type": "Microsoft.Sql/servers/databases", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}', parameters('serverName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "preferredEnclaveType": "[if(not(empty(parameters('preferredEnclaveType'))), parameters('preferredEnclaveType'), null())]", - "collation": 
"[parameters('collation')]", - "maxSizeBytes": "[parameters('maxSizeBytes')]", - "sampleName": "[parameters('sampleName')]", - "zoneRedundant": "[parameters('zoneRedundant')]", - "licenseType": "[parameters('licenseType')]", - "readScale": "[parameters('readScale')]", - "minCapacity": "[if(not(empty(parameters('minCapacity'))), json(parameters('minCapacity')), 0)]", - "autoPauseDelay": "[parameters('autoPauseDelay')]", - "highAvailabilityReplicaCount": "[parameters('highAvailabilityReplicaCount')]", - "requestedBackupStorageRedundancy": "[parameters('requestedBackupStorageRedundancy')]", - "isLedgerOn": "[parameters('isLedgerOn')]", - "maintenanceConfigurationId": "[if(not(empty(parameters('maintenanceConfigurationId'))), parameters('maintenanceConfigurationId'), null())]", - "elasticPoolId": "[parameters('elasticPoolId')]", - "createMode": "[parameters('createMode')]", - "sourceDatabaseId": "[if(not(empty(parameters('sourceDatabaseResourceId'))), parameters('sourceDatabaseResourceId'), null())]", - "sourceDatabaseDeletionDate": "[if(not(empty(parameters('sourceDatabaseDeletionDate'))), parameters('sourceDatabaseDeletionDate'), null())]", - "recoveryServicesRecoveryPointId": "[if(not(empty(parameters('recoveryServicesRecoveryPointResourceId'))), parameters('recoveryServicesRecoveryPointResourceId'), null())]", - "restorePointInTime": "[if(not(empty(parameters('restorePointInTime'))), parameters('restorePointInTime'), null())]" - }, - "sku": "[variables('skuVar')]", - "dependsOn": [ - "server" - ] - }, - "database_diagnosticSettings": { - "copy": { - "name": "database_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Sql/servers/{0}/databases/{1}', parameters('serverName'), parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), 
createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "database" - ] - }, - "database_backupShortTermRetentionPolicy": { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-{1}-shBakRetPol', uniqueString(deployment().name, parameters('location')), parameters('name'))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "serverName": { - "value": "[parameters('serverName')]" - }, - "databaseName": { - "value": "[parameters('name')]" - }, - "diffBackupIntervalInHours": "[if(contains(parameters('backupShortTermRetentionPolicy'), 
'diffBackupIntervalInHours'), createObject('value', parameters('backupShortTermRetentionPolicy').diffBackupIntervalInHours), createObject('value', 24))]", - "retentionDays": "[if(contains(parameters('backupShortTermRetentionPolicy'), 'retentionDays'), createObject('value', parameters('backupShortTermRetentionPolicy').retentionDays), createObject('value', 7))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16957286289914102707" - }, - "name": "Azure SQL Server Database Short Term Backup Retention Policies", - "description": "This module deploys an Azure SQL Server Database Short-Term Backup Retention Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "serverName": { - "type": "string", - "metadata": { - "description": "Required. The name of the parent SQL Server." - } - }, - "databaseName": { - "type": "string", - "metadata": { - "description": "Required. The name of the parent database." - } - }, - "diffBackupIntervalInHours": { - "type": "int", - "defaultValue": 24, - "metadata": { - "description": "Optional. Differential backup interval in hours." - } - }, - "retentionDays": { - "type": "int", - "defaultValue": 7, - "metadata": { - "description": "Optional. Poin-in-time retention in days." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}/{2}', parameters('serverName'), parameters('databaseName'), 'default')]", - "properties": { - "diffBackupIntervalInHours": "[parameters('diffBackupIntervalInHours')]", - "retentionDays": "[parameters('retentionDays')]" - } - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the short-term policy was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the short-term policy." - }, - "value": "default" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the short-term policy." 
- }, - "value": "[resourceId('Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies', parameters('serverName'), parameters('databaseName'), 'default')]" - } - } - } - }, - "dependsOn": [ - "database" - ] - }, - "database_backupLongTermRetentionPolicy": { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-{1}-lgBakRetPol', uniqueString(deployment().name, parameters('location')), parameters('name'))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "serverName": { - "value": "[parameters('serverName')]" - }, - "databaseName": { - "value": "[parameters('name')]" - }, - "weeklyRetention": "[if(contains(parameters('backupLongTermRetentionPolicy'), 'weeklyRetention'), createObject('value', parameters('backupLongTermRetentionPolicy').weeklyRetention), createObject('value', ''))]", - "monthlyRetention": "[if(contains(parameters('backupLongTermRetentionPolicy'), 'monthlyRetention'), createObject('value', parameters('backupLongTermRetentionPolicy').monthlyRetention), createObject('value', ''))]", - "yearlyRetention": "[if(contains(parameters('backupLongTermRetentionPolicy'), 'yearlyRetention'), createObject('value', parameters('backupLongTermRetentionPolicy').yearlyRetention), createObject('value', ''))]", - "weekOfYear": "[if(contains(parameters('backupLongTermRetentionPolicy'), 'weekOfYear'), createObject('value', parameters('backupLongTermRetentionPolicy').weekOfYear), createObject('value', 1))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6078887169611486577" - }, - "name": "SQL Server Database Long Term Backup Retention Policies", - "description": "This module deploys an Azure SQL Server Database Long-Term Backup Retention Policy.", - 
"owner": "Azure/module-maintainers" - }, - "parameters": { - "serverName": { - "type": "string", - "metadata": { - "description": "Required. The name of the parent SQL Server." - } - }, - "databaseName": { - "type": "string", - "metadata": { - "description": "Required. The name of the parent database." - } - }, - "weeklyRetention": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Monthly retention in ISO 8601 duration format." - } - }, - "monthlyRetention": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Weekly retention in ISO 8601 duration format." - } - }, - "weekOfYear": { - "type": "int", - "defaultValue": 1, - "metadata": { - "description": "Optional. Week of year backup to keep for yearly retention." - } - }, - "yearlyRetention": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Yearly retention in ISO 8601 duration format." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}/{2}', parameters('serverName'), parameters('databaseName'), 'default')]", - "properties": { - "monthlyRetention": "[parameters('monthlyRetention')]", - "weeklyRetention": "[parameters('weeklyRetention')]", - "weekOfYear": "[parameters('weekOfYear')]", - "yearlyRetention": "[parameters('yearlyRetention')]" - } - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the long-term policy was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the long-term policy." - }, - "value": "default" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the long-term policy." - }, - "value": "[resourceId('Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies', parameters('serverName'), parameters('databaseName'), 'default')]" - } - } - } - }, - "dependsOn": [ - "database" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed database." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed database." 
- }, - "value": "[resourceId('Microsoft.Sql/servers/databases', parameters('serverName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed database." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('database', '2022-05-01-preview', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/sql/server/database/version.json b/modules/sql/server/database/version.json deleted file mode 100644 index 40ec00be0e..0000000000 --- a/modules/sql/server/database/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "1.0", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/sql/server/elastic-pool/README.md b/modules/sql/server/elastic-pool/README.md deleted file mode 100644 index f3f1863128..0000000000 --- a/modules/sql/server/elastic-pool/README.md +++ /dev/null 
@@ -1,195 +0,0 @@
-# SQL Server Elastic Pool `[Microsoft.Sql/servers/elasticPools]`
-
-This module deploys an Azure SQL Server Elastic Pool.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Sql/servers/elasticPools` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/elasticPools) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the Elastic Pool. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`serverName`](#parameter-servername) | string | The name of the parent SQL Server. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`databaseMaxCapacity`](#parameter-databasemaxcapacity) | int | The maximum capacity any one database can consume. |
-| [`databaseMinCapacity`](#parameter-databasemincapacity) | int | The minimum capacity all databases are guaranteed. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`highAvailabilityReplicaCount`](#parameter-highavailabilityreplicacount) | int | The number of secondary replicas associated with the elastic pool that are used to provide high availability. Applicable only to Hyperscale elastic pools. |
-| [`licenseType`](#parameter-licensetype) | string | The license type to apply for this elastic pool. |
-| [`location`](#parameter-location) | string | Location for all resources. |
-| [`maintenanceConfigurationId`](#parameter-maintenanceconfigurationid) | string | Maintenance configuration resource ID assigned to the elastic pool. This configuration defines the period when the maintenance updates will will occur. |
-| [`maxSizeBytes`](#parameter-maxsizebytes) | int | The storage limit for the database elastic pool in bytes. |
-| [`minCapacity`](#parameter-mincapacity) | int | Minimal capacity that serverless pool will not shrink below, if not paused. |
-| [`skuCapacity`](#parameter-skucapacity) | int | Capacity of the particular SKU. |
-| [`skuName`](#parameter-skuname) | string | The name of the SKU, typically, a letter + Number code, e.g. P3. |
-| [`skuTier`](#parameter-skutier) | string | The tier or edition of the particular SKU, e.g. Basic, Premium. |
-| [`tags`](#parameter-tags) | object | Tags of the resource. |
-| [`zoneRedundant`](#parameter-zoneredundant) | bool | Whether or not this elastic pool is zone redundant, which means the replicas of this elastic pool will be spread across multiple availability zones. |
-
-### Parameter: `name`
-
-The name of the Elastic Pool.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `serverName`
-
-The name of the parent SQL Server. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `databaseMaxCapacity`
-
-The maximum capacity any one database can consume.
-
-- Required: No
-- Type: int
-- Default: `2`
-
-### Parameter: `databaseMinCapacity`
-
-The minimum capacity all databases are guaranteed.
-
-- Required: No
-- Type: int
-- Default: `0`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `highAvailabilityReplicaCount`
-
-The number of secondary replicas associated with the elastic pool that are used to provide high availability. Applicable only to Hyperscale elastic pools.
-
-- Required: No
-- Type: int
-- Default: `-1`
-
-### Parameter: `licenseType`
-
-The license type to apply for this elastic pool.
-
-- Required: No
-- Type: string
-- Default: `'LicenseIncluded'`
-- Allowed:
- ```Bicep
- [
- 'BasePrice'
- 'LicenseIncluded'
- ]
- ```
-
-### Parameter: `location`
-
-Location for all resources.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-### Parameter: `maintenanceConfigurationId`
-
-Maintenance configuration resource ID assigned to the elastic pool. This configuration defines the period when the maintenance updates will will occur.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `maxSizeBytes`
-
-The storage limit for the database elastic pool in bytes.
-
-- Required: No
-- Type: int
-- Default: `34359738368`
-
-### Parameter: `minCapacity`
-
-Minimal capacity that serverless pool will not shrink below, if not paused.
-
-- Required: No
-- Type: int
-- Default: `-1`
-
-### Parameter: `skuCapacity`
-
-Capacity of the particular SKU.
-
-- Required: No
-- Type: int
-- Default: `2`
-
-### Parameter: `skuName`
-
-The name of the SKU, typically, a letter + Number code, e.g. P3.
-
-- Required: No
-- Type: string
-- Default: `'GP_Gen5'`
-
-### Parameter: `skuTier`
-
-The tier or edition of the particular SKU, e.g. Basic, Premium.
-
-- Required: No
-- Type: string
-- Default: `'GeneralPurpose'`
-
-### Parameter: `tags`
-
-Tags of the resource.
-
-- Required: No
-- Type: object
-
-### Parameter: `zoneRedundant`
-
-Whether or not this elastic pool is zone redundant, which means the replicas of this elastic pool will be spread across multiple availability zones.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the deployed Elastic Pool. |
-| `resourceGroupName` | string | The resource group of the deployed Elastic Pool. |
-| `resourceId` | string | The resource ID of the deployed Elastic Pool. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/sql/server/elastic-pool/main.bicep b/modules/sql/server/elastic-pool/main.bicep
deleted file mode 100644
index 4269c2e8d1..0000000000
--- a/modules/sql/server/elastic-pool/main.bicep
+++ /dev/null
@@ -1,107 +0,0 @@
-metadata name = 'SQL Server Elastic Pool'
-metadata description = 'This module deploys an Azure SQL Server Elastic Pool.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the Elastic Pool.')
-param name string
-
-@description('Conditional. The name of the parent SQL Server. Required if the template is used in a standalone deployment.')
-param serverName string
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Capacity of the particular SKU.')
-param skuCapacity int = 2
-
-@description('Optional. The name of the SKU, typically, a letter + Number code, e.g. P3.')
-param skuName string = 'GP_Gen5'
-
-@description('Optional. The tier or edition of the particular SKU, e.g. Basic, Premium.')
-param skuTier string = 'GeneralPurpose'
-
-@description('Optional. The number of secondary replicas associated with the elastic pool that are used to provide high availability. Applicable only to Hyperscale elastic pools.')
-param highAvailabilityReplicaCount int = -1
-
-@description('Optional. The license type to apply for this elastic pool.')
-@allowed([
- 'BasePrice'
- 'LicenseIncluded'
-])
-param licenseType string = 'LicenseIncluded'
-
-@description('Optional. Maintenance configuration resource ID assigned to the elastic pool. This configuration defines the period when the maintenance updates will will occur.')
-param maintenanceConfigurationId string = ''
-
-@description('Optional. The storage limit for the database elastic pool in bytes.')
-param maxSizeBytes int = 34359738368
-
-@description('Optional. Minimal capacity that serverless pool will not shrink below, if not paused.')
-param minCapacity int = -1
-
-@description('Optional. The maximum capacity any one database can consume.')
-param databaseMaxCapacity int = 2
-
-@description('Optional. The minimum capacity all databases are guaranteed.')
-param databaseMinCapacity int = 0
-
-@description('Optional. Whether or not this elastic pool is zone redundant, which means the replicas of this elastic pool will be spread across multiple availability zones.')
-param zoneRedundant bool = false
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource server 'Microsoft.Sql/servers@2022-05-01-preview' existing = {
- name: serverName
-}
-
-resource elasticPool 'Microsoft.Sql/servers/elasticPools@2022-05-01-preview' = {
- name: name
- location: location
- parent: server
- tags: tags
- sku: {
- capacity: skuCapacity
- name: skuName
- tier: skuTier
- }
- properties: {
- highAvailabilityReplicaCount: highAvailabilityReplicaCount > -1 ? highAvailabilityReplicaCount : null
- licenseType: licenseType
- maintenanceConfigurationId: maintenanceConfigurationId
- maxSizeBytes: maxSizeBytes
- minCapacity: minCapacity
- perDatabaseSettings: {
- minCapacity: databaseMinCapacity
- maxCapacity: databaseMaxCapacity
- }
- zoneRedundant: zoneRedundant
- }
-}
-
-@description('The name of the deployed Elastic Pool.')
-output name string = elasticPool.name
-
-@description('The resource ID of the deployed Elastic Pool.')
-output resourceId string = elasticPool.id
-
-@description('The resource group of the deployed Elastic Pool.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = elasticPool.location
diff --git a/modules/sql/server/elastic-pool/main.json b/modules/sql/server/elastic-pool/main.json
deleted file mode 100644
index 1f94baec98..0000000000
--- a/modules/sql/server/elastic-pool/main.json
+++ /dev/null
@@ -1,210 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2462504606421092214" - }, - "name": "SQL Server Elastic Pool", - "description": "This module deploys an Azure SQL Server Elastic Pool.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Elastic Pool." - } - }, - "serverName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL Server. Required if the template is used in a standalone deployment." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "skuCapacity": { - "type": "int", - "defaultValue": 2, - "metadata": { - "description": "Optional. Capacity of the particular SKU." - } - }, - "skuName": { - "type": "string", - "defaultValue": "GP_Gen5", - "metadata": { - "description": "Optional. The name of the SKU, typically, a letter + Number code, e.g. P3." - } - }, - "skuTier": { - "type": "string", - "defaultValue": "GeneralPurpose", - "metadata": { - "description": "Optional. The tier or edition of the particular SKU, e.g. Basic, Premium." - } - }, - "highAvailabilityReplicaCount": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. The number of secondary replicas associated with the elastic pool that are used to provide high availability. Applicable only to Hyperscale elastic pools." 
- } - }, - "licenseType": { - "type": "string", - "defaultValue": "LicenseIncluded", - "allowedValues": [ - "BasePrice", - "LicenseIncluded" - ], - "metadata": { - "description": "Optional. The license type to apply for this elastic pool." - } - }, - "maintenanceConfigurationId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Maintenance configuration resource ID assigned to the elastic pool. This configuration defines the period when the maintenance updates will will occur." - } - }, - "maxSizeBytes": { - "type": "int", - "defaultValue": 34359738368, - "metadata": { - "description": "Optional. The storage limit for the database elastic pool in bytes." - } - }, - "minCapacity": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Minimal capacity that serverless pool will not shrink below, if not paused." - } - }, - "databaseMaxCapacity": { - "type": "int", - "defaultValue": 2, - "metadata": { - "description": "Optional. The maximum capacity any one database can consume." - } - }, - "databaseMinCapacity": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. The minimum capacity all databases are guaranteed." - } - }, - "zoneRedundant": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether or not this elastic pool is zone redundant, which means the replicas of this elastic pool will be spread across multiple availability zones." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "server": { - "existing": true, - "type": "Microsoft.Sql/servers", - "apiVersion": "2022-05-01-preview", - "name": "[parameters('serverName')]" - }, - "elasticPool": { - "type": "Microsoft.Sql/servers/elasticPools", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}', parameters('serverName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "capacity": "[parameters('skuCapacity')]", - "name": "[parameters('skuName')]", - "tier": "[parameters('skuTier')]" - }, - "properties": { - "highAvailabilityReplicaCount": "[if(greater(parameters('highAvailabilityReplicaCount'), -1), parameters('highAvailabilityReplicaCount'), null())]", - "licenseType": "[parameters('licenseType')]", - "maintenanceConfigurationId": "[parameters('maintenanceConfigurationId')]", - "maxSizeBytes": "[parameters('maxSizeBytes')]", - "minCapacity": "[parameters('minCapacity')]", - "perDatabaseSettings": { - "minCapacity": "[parameters('databaseMinCapacity')]", - "maxCapacity": "[parameters('databaseMaxCapacity')]" - }, - "zoneRedundant": "[parameters('zoneRedundant')]" - }, - "dependsOn": [ - "server" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed Elastic Pool." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed Elastic Pool." 
- }, - "value": "[resourceId('Microsoft.Sql/servers/elasticPools', parameters('serverName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed Elastic Pool." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('elasticPool', '2022-05-01-preview', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/sql/server/elastic-pool/version.json b/modules/sql/server/elastic-pool/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/sql/server/elastic-pool/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/sql/server/encryption-protector/README.md b/modules/sql/server/encryption-protector/README.md deleted file mode 100644 index 4807f2ee25..0000000000 --- a/modules/sql/server/encryption-protector/README.md +++ /dev/null 
@@ -1,96 +0,0 @@ -# Azure SQL Server Encryption Protector `[Microsoft.Sql/servers/encryptionProtector]` - -This module deploys an Azure SQL Server Encryption Protector. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Sql/servers/encryptionProtector` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/encryptionProtector) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`serverKeyName`](#parameter-serverkeyname) | string | The name of the server key. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`sqlServerName`](#parameter-sqlservername) | string | The name of the sql server. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`autoRotationEnabled`](#parameter-autorotationenabled) | bool | Key auto rotation opt-in. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`serverKeyType`](#parameter-serverkeytype) | string | The encryption protector type. | - -### Parameter: `serverKeyName` - -The name of the server key. - -- Required: Yes -- Type: string - -### Parameter: `sqlServerName` - -The name of the sql server. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `autoRotationEnabled` - -Key auto rotation opt-in. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). 
- -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `serverKeyType` - -The encryption protector type. - -- Required: No -- Type: string -- Default: `'ServiceManaged'` -- Allowed: - ```Bicep - [ - 'AzureKeyVault' - 'ServiceManaged' - ] - ``` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed encryption protector. | -| `resourceGroupName` | string | The resource group of the deployed encryption protector. | -| `resourceId` | string | The resource ID of the encryption protector. | - -## Cross-referenced modules - -_None_ diff --git a/modules/sql/server/encryption-protector/main.bicep b/modules/sql/server/encryption-protector/main.bicep deleted file mode 100644 index 1f2b50faa3..0000000000 --- a/modules/sql/server/encryption-protector/main.bicep +++ /dev/null 
@@ -1,57 +0,0 @@
-metadata name = 'Azure SQL Server Encryption Protector'
-metadata description = 'This module deploys an Azure SQL Server Encryption Protector.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the sql server. Required if the template is used in a standalone deployment.')
-param sqlServerName string
-
-@description('Required. The name of the server key.')
-param serverKeyName string
-
-@description('Optional. Key auto rotation opt-in.')
-param autoRotationEnabled bool = false
-
-@description('Optional. The encryption protector type.')
-@allowed([
- 'AzureKeyVault'
- 'ServiceManaged'
-])
-param serverKeyType string = 'ServiceManaged'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource sqlServer 'Microsoft.Sql/servers@2022-05-01-preview' existing = {
- name: sqlServerName
-}
-
-resource encryptionProtector 'Microsoft.Sql/servers/encryptionProtector@2022-05-01-preview' = {
- name: 'current'
- parent: sqlServer
- properties: {
- serverKeyType: serverKeyType
- autoRotationEnabled: autoRotationEnabled
- serverKeyName: serverKeyName
- }
-}
-
-@description('The name of the deployed encryption protector.')
-output name string = encryptionProtector.name
-
-@description('The resource ID of the encryption protector.')
-output resourceId string = encryptionProtector.id
-
-@description('The resource group of the deployed encryption protector.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/sql/server/encryption-protector/main.json b/modules/sql/server/encryption-protector/main.json
deleted file mode 100644
index bae7f41f59..0000000000
--- a/modules/sql/server/encryption-protector/main.json
+++ /dev/null
@@ -1,102 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17270982128022391504" - }, - "name": "Azure SQL Server Encryption Protector", - "description": "This module deploys an Azure SQL Server Encryption Protector.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "sqlServerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the sql server. Required if the template is used in a standalone deployment." - } - }, - "serverKeyName": { - "type": "string", - "metadata": { - "description": "Required. The name of the server key." - } - }, - "autoRotationEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Key auto rotation opt-in." - } - }, - "serverKeyType": { - "type": "string", - "defaultValue": "ServiceManaged", - "allowedValues": [ - "AzureKeyVault", - "ServiceManaged" - ], - "metadata": { - "description": "Optional. The encryption protector type." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/servers/encryptionProtector", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}', parameters('sqlServerName'), 'current')]", - "properties": { - "serverKeyType": "[parameters('serverKeyType')]", - "autoRotationEnabled": "[parameters('autoRotationEnabled')]", - "serverKeyName": "[parameters('serverKeyName')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed encryption protector." - }, - "value": "current" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the encryption protector." - }, - "value": "[resourceId('Microsoft.Sql/servers/encryptionProtector', parameters('sqlServerName'), 'current')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed encryption protector." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/sql/server/encryption-protector/version.json b/modules/sql/server/encryption-protector/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/sql/server/encryption-protector/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/sql/server/firewall-rule/README.md b/modules/sql/server/firewall-rule/README.md
deleted file mode 100644
index adbb3b1ee1..0000000000
--- a/modules/sql/server/firewall-rule/README.md
+++ /dev/null
@@ -1,89 +0,0 @@ -# Azure SQL Server Firewall Rule `[Microsoft.Sql/servers/firewallRules]` - -This module deploys an Azure SQL Server Firewall Rule. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Sql/servers/firewallRules` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/firewallRules) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the Server Firewall Rule. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`serverName`](#parameter-servername) | string | The name of the parent SQL Server. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`endIpAddress`](#parameter-endipaddress) | string | The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value '0.0.0.0' for all Azure-internal IP addresses. | -| [`startIpAddress`](#parameter-startipaddress) | string | The start IP address of the firewall rule. Must be IPv4 format. Use value '0.0.0.0' for all Azure-internal IP addresses. | - -### Parameter: `name` - -The name of the Server Firewall Rule. - -- Required: Yes -- Type: string - -### Parameter: `serverName` - -The name of the parent SQL Server. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). 
- -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `endIpAddress` - -The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value '0.0.0.0' for all Azure-internal IP addresses. - -- Required: No -- Type: string -- Default: `'0.0.0.0'` - -### Parameter: `startIpAddress` - -The start IP address of the firewall rule. Must be IPv4 format. Use value '0.0.0.0' for all Azure-internal IP addresses. - -- Required: No -- Type: string -- Default: `'0.0.0.0'` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed firewall rule. | -| `resourceGroupName` | string | The resource group of the deployed firewall rule. | -| `resourceId` | string | The resource ID of the deployed firewall rule. | - -## Cross-referenced modules - -_None_ diff --git a/modules/sql/server/firewall-rule/main.bicep b/modules/sql/server/firewall-rule/main.bicep deleted file mode 100644 index 3cfee2a3f7..0000000000 --- a/modules/sql/server/firewall-rule/main.bicep +++ /dev/null 
@@ -1,52 +0,0 @@
-metadata name = 'Azure SQL Server Firewall Rule'
-metadata description = 'This module deploys an Azure SQL Server Firewall Rule.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the Server Firewall Rule.')
-param name string
-
-@description('Optional. The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value \'0.0.0.0\' for all Azure-internal IP addresses.')
-param endIpAddress string = '0.0.0.0'
-
-@description('Optional. The start IP address of the firewall rule. Must be IPv4 format. Use value \'0.0.0.0\' for all Azure-internal IP addresses.')
-param startIpAddress string = '0.0.0.0'
-
-@description('Conditional. The name of the parent SQL Server. Required if the template is used in a standalone deployment.')
-param serverName string
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource server 'Microsoft.Sql/servers@2022-05-01-preview' existing = {
- name: serverName
-}
-
-resource firewallRule 'Microsoft.Sql/servers/firewallRules@2022-05-01-preview' = {
- name: name
- parent: server
- properties: {
- endIpAddress: endIpAddress
- startIpAddress: startIpAddress
- }
-}
-
-@description('The name of the deployed firewall rule.')
-output name string = firewallRule.name
-
-@description('The resource ID of the deployed firewall rule.')
-output resourceId string = firewallRule.id
-
-@description('The resource group of the deployed firewall rule.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/sql/server/firewall-rule/main.json b/modules/sql/server/firewall-rule/main.json
deleted file mode 100644
index ae9f77780b..0000000000
--- a/modules/sql/server/firewall-rule/main.json
+++ /dev/null
@@ -1,97 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6791289458860590076" - }, - "name": "Azure SQL Server Firewall Rule", - "description": "This module deploys an Azure SQL Server Firewall Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Server Firewall Rule." - } - }, - "endIpAddress": { - "type": "string", - "defaultValue": "0.0.0.0", - "metadata": { - "description": "Optional. The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value '0.0.0.0' for all Azure-internal IP addresses." - } - }, - "startIpAddress": { - "type": "string", - "defaultValue": "0.0.0.0", - "metadata": { - "description": "Optional. The start IP address of the firewall rule. Must be IPv4 format. Use value '0.0.0.0' for all Azure-internal IP addresses." - } - }, - "serverName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL Server. Required if the template is used in a standalone deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/servers/firewallRules", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}', parameters('serverName'), parameters('name'))]", - "properties": { - "endIpAddress": "[parameters('endIpAddress')]", - "startIpAddress": "[parameters('startIpAddress')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed firewall rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed firewall rule." - }, - "value": "[resourceId('Microsoft.Sql/servers/firewallRules', parameters('serverName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed firewall rule." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/sql/server/firewall-rule/version.json b/modules/sql/server/firewall-rule/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/sql/server/firewall-rule/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/sql/server/key/README.md b/modules/sql/server/key/README.md deleted file mode 100644 index f2e1ac3ea2..0000000000 --- a/modules/sql/server/key/README.md +++ /dev/null 
@@ -1,96 +0,0 @@ -# Azure SQL Server Keys `[Microsoft.Sql/servers/keys]` - -This module deploys an Azure SQL Server Key. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Sql/servers/keys` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/keys) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the key. Must follow the [__] pattern. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`serverName`](#parameter-servername) | string | The name of the parent SQL server. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`serverKeyType`](#parameter-serverkeytype) | string | The encryption protector type like "ServiceManaged", "AzureKeyVault". | -| [`uri`](#parameter-uri) | string | The URI of the key. If the ServerKeyType is AzureKeyVault, then either the URI or the keyVaultName/keyName combination is required. | - -### Parameter: `name` - -The name of the key. Must follow the [__] pattern. - -- Required: Yes -- Type: string - -### Parameter: `serverName` - -The name of the parent SQL server. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). 
- -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `serverKeyType` - -The encryption protector type like "ServiceManaged", "AzureKeyVault". - -- Required: No -- Type: string -- Default: `'ServiceManaged'` -- Allowed: - ```Bicep - [ - 'AzureKeyVault' - 'ServiceManaged' - ] - ``` - -### Parameter: `uri` - -The URI of the key. If the ServerKeyType is AzureKeyVault, then either the URI or the keyVaultName/keyName combination is required. - -- Required: No -- Type: string -- Default: `''` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed server key. | -| `resourceGroupName` | string | The resource group of the deployed server key. | -| `resourceId` | string | The resource ID of the deployed server key. | - -## Cross-referenced modules - -_None_ diff --git a/modules/sql/server/key/main.bicep b/modules/sql/server/key/main.bicep deleted file mode 100644 index 922b53b679..0000000000 --- a/modules/sql/server/key/main.bicep +++ /dev/null 
@@ -1,62 +0,0 @@ -metadata name = 'Azure SQL Server Keys' -metadata description = 'This module deploys an Azure SQL Server Key.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. The name of the key. Must follow the [__] pattern.') -param name string - -@description('Conditional. The name of the parent SQL server. Required if the template is used in a standalone deployment.') -param serverName string - -@description('Optional. The encryption protector type like "ServiceManaged", "AzureKeyVault".') -@allowed([ - 'AzureKeyVault' - 'ServiceManaged' -]) -param serverKeyType string = 'ServiceManaged' - -@description('Optional. The URI of the key. If the ServerKeyType is AzureKeyVault, then either the URI or the keyVaultName/keyName combination is required.') -param uri string = '' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var splittedKeyUri = split(uri, '/') - -// if serverManaged, use serverManaged, if uri provided use concated uri value -// MUST match the pattern '__' -var serverKeyName = empty(uri) ? 'ServiceManaged' : '${split(splittedKeyUri[2], '.')[0]}_${splittedKeyUri[4]}_${splittedKeyUri[5]}' - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource server 'Microsoft.Sql/servers@2022-05-01-preview' existing = { - name: serverName -} - -resource key 'Microsoft.Sql/servers/keys@2022-05-01-preview' = { - name: !empty(name) ? 
name : serverKeyName - parent: server - properties: { - serverKeyType: serverKeyType - uri: uri - } -} - -@description('The name of the deployed server key.') -output name string = key.name - -@description('The resource ID of the deployed server key.') -output resourceId string = key.id - -@description('The resource group of the deployed server key.') -output resourceGroupName string = resourceGroup().name diff --git a/modules/sql/server/key/main.json b/modules/sql/server/key/main.json deleted file mode 100644 index 25b6ba22c5..0000000000 --- a/modules/sql/server/key/main.json +++ /dev/null 
@@ -1,105 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11306919877164146196" - }, - "name": "Azure SQL Server Keys", - "description": "This module deploys an Azure SQL Server Key.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the key. Must follow the [__] pattern." - } - }, - "serverName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL server. Required if the template is used in a standalone deployment." - } - }, - "serverKeyType": { - "type": "string", - "defaultValue": "ServiceManaged", - "allowedValues": [ - "AzureKeyVault", - "ServiceManaged" - ], - "metadata": { - "description": "Optional. The encryption protector type like \"ServiceManaged\", \"AzureKeyVault\"." - } - }, - "uri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The URI of the key. If the ServerKeyType is AzureKeyVault, then either the URI or the keyVaultName/keyName combination is required." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "splittedKeyUri": "[split(parameters('uri'), '/')]", - "serverKeyName": "[if(empty(parameters('uri')), 'ServiceManaged', format('{0}_{1}_{2}', split(variables('splittedKeyUri')[2], '.')[0], variables('splittedKeyUri')[4], variables('splittedKeyUri')[5]))]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/servers/keys", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}', parameters('serverName'), if(not(empty(parameters('name'))), parameters('name'), variables('serverKeyName')))]", - "properties": { - "serverKeyType": "[parameters('serverKeyType')]", - "uri": "[parameters('uri')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed server key." - }, - "value": "[if(not(empty(parameters('name'))), parameters('name'), variables('serverKeyName'))]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed server key." - }, - "value": "[resourceId('Microsoft.Sql/servers/keys', parameters('serverName'), if(not(empty(parameters('name'))), parameters('name'), variables('serverKeyName')))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed server key." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/sql/server/key/version.json b/modules/sql/server/key/version.json deleted file mode 100644 index 96236a61ba..0000000000 
--- a/modules/sql/server/key/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/sql/server/main.bicep b/modules/sql/server/main.bicep
deleted file mode 100644
index c3654e9520..0000000000
--- a/modules/sql/server/main.bicep
+++ /dev/null
@@ -1,464 +0,0 @@ -metadata name = 'Azure SQL Servers' -metadata description = 'This module deploys an Azure SQL Server.' -metadata owner = 'Azure/module-maintainers' - -@description('Conditional. The administrator username for the server. Required if no `administrators` object for AAD authentication is provided.') -param administratorLogin string = '' - -@description('Conditional. The administrator login password. Required if no `administrators` object for AAD authentication is provided.') -@secure() -param administratorLoginPassword string = '' - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Required. The name of the server.') -param name string - -@description('Optional. The managed identity definition for this resource.') -param managedIdentities managedIdentitiesType - -@description('Conditional. The resource ID of a user assigned identity to be used by default. Required if "userAssignedIdentities" is not empty.') -param primaryUserAssignedIdentityId string = '' - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. Tags of the resource.') -param tags object? - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. The databases to create in the server.') -param databases array = [] - -@description('Optional. The Elastic Pools to create in the server.') -param elasticPools array = [] - -@description('Optional. The firewall rules to create in the server.') -param firewallRules array = [] - -@description('Optional. The virtual network rules to create in the server.') -param virtualNetworkRules array = [] - -@description('Optional. 
The security alert policies to create in the server.') -param securityAlertPolicies array = [] - -@description('Optional. The keys to configure.') -param keys array = [] - -@description('Conditional. The Azure Active Directory (AAD) administrator authentication. Required if no `administratorLogin` & `administratorLoginPassword` is provided.') -param administrators object = {} - -@allowed([ - '1.0' - '1.1' - '1.2' -]) -@description('Optional. Minimal TLS version allowed.') -param minimalTlsVersion string = '1.2' - -@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') -param privateEndpoints privateEndpointType - -@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and neither firewall rules nor virtual network rules are set.') -@allowed([ - '' - 'Enabled' - 'Disabled' -]) -param publicNetworkAccess string = '' - -@description('Optional. Whether or not to restrict outbound network access for this server.') -@allowed([ - '' - 'Enabled' - 'Disabled' -]) -param restrictOutboundNetworkAccess string = '' - -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } - -var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) - userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? 
formattedUserAssignedIdentities : null -} : null - -var enableReferencedModulesTelemetry = false - -@description('Optional. The encryption protection configuration.') -param encryptionProtectorObj object = {} - -@description('Optional. The vulnerability assessment configuration.') -param vulnerabilityAssessmentsObj object = {} - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'SQL DB Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'SQL Server Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437') - 'SqlDb Migration Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '189207d4-bb67-4208-a635-b06afe8b2c57') - 'SqlMI Migration Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d335eef-eee1-47fe-a9e0-53214eba8872') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 
'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource server 'Microsoft.Sql/servers@2022-05-01-preview' = { - location: location - name: name - tags: tags - identity: identity - properties: { - administratorLogin: !empty(administratorLogin) ? administratorLogin : null - administratorLoginPassword: !empty(administratorLoginPassword) ? administratorLoginPassword : null - administrators: !empty(administrators) ? { - administratorType: 'ActiveDirectory' - azureADOnlyAuthentication: administrators.azureADOnlyAuthentication - login: administrators.login - principalType: administrators.principalType - sid: administrators.sid - tenantId: administrators.tenantId - } : null - version: '12.0' - minimalTlsVersion: minimalTlsVersion - primaryUserAssignedIdentityId: !empty(primaryUserAssignedIdentityId) ? primaryUserAssignedIdentityId : null - publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) && empty(firewallRules) && empty(virtualNetworkRules) ? 'Disabled' : null) - restrictOutboundNetworkAccess: !empty(restrictOutboundNetworkAccess) ? restrictOutboundNetworkAccess : null - } -} - -resource server_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' - } - scope: server -} - -resource server_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? 
[]): { - name: guid(server.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: server -}] - -module server_databases 'database/main.bicep' = [for (database, index) in databases: { - name: '${uniqueString(deployment().name, location)}-Sql-DB-${index}' - params: { - name: database.name - serverName: server.name - skuTier: contains(database, 'skuTier') ? database.skuTier : 'GeneralPurpose' - skuName: contains(database, 'skuName') ? database.skuName : 'GP_Gen5_2' - skuCapacity: contains(database, 'skuCapacity') ? database.skuCapacity : -1 - skuFamily: contains(database, 'skuFamily') ? database.skuFamily : '' - skuSize: contains(database, 'skuSize') ? database.skuSize : '' - collation: contains(database, 'collation') ? database.collation : 'SQL_Latin1_General_CP1_CI_AS' - maxSizeBytes: contains(database, 'maxSizeBytes') ? database.maxSizeBytes : 34359738368 - autoPauseDelay: contains(database, 'autoPauseDelay') ? database.autoPauseDelay : 0 - diagnosticSettings: database.?diagnosticSettings - isLedgerOn: contains(database, 'isLedgerOn') ? database.isLedgerOn : false - location: location - licenseType: contains(database, 'licenseType') ? 
database.licenseType : '' - maintenanceConfigurationId: contains(database, 'maintenanceConfigurationId') ? database.maintenanceConfigurationId : '' - minCapacity: contains(database, 'minCapacity') ? database.minCapacity : '' - highAvailabilityReplicaCount: contains(database, 'highAvailabilityReplicaCount') ? database.highAvailabilityReplicaCount : 0 - readScale: contains(database, 'readScale') ? database.readScale : 'Disabled' - requestedBackupStorageRedundancy: contains(database, 'requestedBackupStorageRedundancy') ? database.requestedBackupStorageRedundancy : '' - sampleName: contains(database, 'sampleName') ? database.sampleName : '' - tags: database.?tags ?? tags - zoneRedundant: contains(database, 'zoneRedundant') ? database.zoneRedundant : false - elasticPoolId: contains(database, 'elasticPoolId') ? database.elasticPoolId : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry - backupShortTermRetentionPolicy: contains(database, 'backupShortTermRetentionPolicy') ? database.backupShortTermRetentionPolicy : {} - backupLongTermRetentionPolicy: contains(database, 'backupLongTermRetentionPolicy') ? database.backupLongTermRetentionPolicy : {} - createMode: contains(database, 'createMode') ? database.createMode : 'Default' - sourceDatabaseResourceId: contains(database, 'sourceDatabaseResourceId') ? database.sourceDatabaseResourceId : '' - sourceDatabaseDeletionDate: contains(database, 'sourceDatabaseDeletionDate') ? database.sourceDatabaseDeletionDate : '' - recoveryServicesRecoveryPointResourceId: contains(database, 'recoveryServicesRecoveryPointResourceId') ? database.recoveryServicesRecoveryPointResourceId : '' - restorePointInTime: contains(database, 'restorePointInTime') ? 
database.restorePointInTime : '' - } - dependsOn: [ - server_elasticPools // Enables us to add databases to existing elastic pools - ] -}] - -module server_elasticPools 'elastic-pool/main.bicep' = [for (elasticPool, index) in elasticPools: { - name: '${uniqueString(deployment().name, location)}-SQLServer-ElasticPool-${index}' - params: { - name: elasticPool.name - serverName: server.name - databaseMaxCapacity: contains(elasticPool, 'databaseMaxCapacity') ? elasticPool.databaseMaxCapacity : 2 - databaseMinCapacity: contains(elasticPool, 'databaseMinCapacity') ? elasticPool.databaseMinCapacity : 0 - highAvailabilityReplicaCount: contains(elasticPool, 'highAvailabilityReplicaCount') ? elasticPool.highAvailabilityReplicaCount : -1 - licenseType: contains(elasticPool, 'licenseType') ? elasticPool.licenseType : 'LicenseIncluded' - maintenanceConfigurationId: contains(elasticPool, 'maintenanceConfigurationId') ? elasticPool.maintenanceConfigurationId : '' - maxSizeBytes: contains(elasticPool, 'maxSizeBytes') ? elasticPool.maxSizeBytes : 34359738368 - minCapacity: contains(elasticPool, 'minCapacity') ? elasticPool.minCapacity : -1 - skuCapacity: contains(elasticPool, 'skuCapacity') ? elasticPool.skuCapacity : 2 - skuName: contains(elasticPool, 'skuName') ? elasticPool.skuName : 'GP_Gen5' - skuTier: contains(elasticPool, 'skuTier') ? elasticPool.skuTier : 'GeneralPurpose' - zoneRedundant: contains(elasticPool, 'zoneRedundant') ? elasticPool.zoneRedundant : false - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: location - tags: elasticPool.?tags ?? tags - } -}] - -module server_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): { - name: '${uniqueString(deployment().name, location)}-server-PrivateEndpoint-${index}' - params: { - groupIds: [ - privateEndpoint.?service ?? 'sqlServer' - ] - name: privateEndpoint.?name ?? 'pep-${last(split(server.id, '/'))}-${privateEndpoint.?service ?? 
'sqlServer'}-${index}' - serviceResourceId: server.id - subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry - location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: privateEndpoint.?lock ?? lock - privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName - privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds - roleAssignments: privateEndpoint.?roleAssignments - tags: privateEndpoint.?tags ?? tags - manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections - customDnsConfigs: privateEndpoint.?customDnsConfigs - ipConfigurations: privateEndpoint.?ipConfigurations - applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds - customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName - } -}] - -module server_firewallRules 'firewall-rule/main.bicep' = [for (firewallRule, index) in firewallRules: { - name: '${uniqueString(deployment().name, location)}-Sql-FirewallRules-${index}' - params: { - name: firewallRule.name - serverName: server.name - endIpAddress: contains(firewallRule, 'endIpAddress') ? firewallRule.endIpAddress : '0.0.0.0' - startIpAddress: contains(firewallRule, 'startIpAddress') ? firewallRule.startIpAddress : '0.0.0.0' - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -module server_virtualNetworkRules 'virtual-network-rule/main.bicep' = [for (virtualNetworkRule, index) in virtualNetworkRules: { - name: '${uniqueString(deployment().name, location)}-Sql-VirtualNetworkRules-${index}' - params: { - name: virtualNetworkRule.name - serverName: server.name - ignoreMissingVnetServiceEndpoint: contains(virtualNetworkRule, 'ignoreMissingVnetServiceEndpoint') ? 
virtualNetworkRule.ignoreMissingVnetServiceEndpoint : false - virtualNetworkSubnetId: virtualNetworkRule.virtualNetworkSubnetId - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -module server_securityAlertPolicies 'security-alert-policy/main.bicep' = [for (securityAlertPolicy, index) in securityAlertPolicies: { - name: '${uniqueString(deployment().name, location)}-Sql-SecAlertPolicy-${index}' - params: { - name: securityAlertPolicy.name - serverName: server.name - disabledAlerts: contains(securityAlertPolicy, 'disabledAlerts') ? securityAlertPolicy.disabledAlerts : [] - emailAccountAdmins: contains(securityAlertPolicy, 'emailAccountAdmins') ? securityAlertPolicy.emailAccountAdmins : false - emailAddresses: contains(securityAlertPolicy, 'emailAddresses') ? securityAlertPolicy.emailAddresses : [] - retentionDays: contains(securityAlertPolicy, 'retentionDays') ? securityAlertPolicy.retentionDays : 0 - state: contains(securityAlertPolicy, 'state') ? securityAlertPolicy.state : 'Disabled' - storageAccountAccessKey: contains(securityAlertPolicy, 'storageAccountAccessKey') ? securityAlertPolicy.storageAccountAccessKey : '' - storageEndpoint: contains(securityAlertPolicy, 'storageEndpoint') ? securityAlertPolicy.storageEndpoint : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -module server_vulnerabilityAssessment 'vulnerability-assessment/main.bicep' = if (!empty(vulnerabilityAssessmentsObj)) { - name: '${uniqueString(deployment().name, location)}-Sql-VulnAssessm' - params: { - serverName: server.name - name: vulnerabilityAssessmentsObj.name - recurringScansEmails: contains(vulnerabilityAssessmentsObj, 'recurringScansEmails') ? vulnerabilityAssessmentsObj.recurringScansEmails : [] - recurringScansEmailSubscriptionAdmins: contains(vulnerabilityAssessmentsObj, 'recurringScansEmailSubscriptionAdmins') ? 
vulnerabilityAssessmentsObj.recurringScansEmailSubscriptionAdmins : false - recurringScansIsEnabled: contains(vulnerabilityAssessmentsObj, 'recurringScansIsEnabled') ? vulnerabilityAssessmentsObj.recurringScansIsEnabled : false - storageAccountResourceId: vulnerabilityAssessmentsObj.storageAccountResourceId - useStorageAccountAccessKey: contains(vulnerabilityAssessmentsObj, 'useStorageAccountAccessKey') ? vulnerabilityAssessmentsObj.useStorageAccountAccessKey : false - createStorageRoleAssignment: contains(vulnerabilityAssessmentsObj, 'createStorageRoleAssignment') ? vulnerabilityAssessmentsObj.createStorageRoleAssignment : true - enableDefaultTelemetry: enableReferencedModulesTelemetry - } - dependsOn: [ - server_securityAlertPolicies - ] -} - -module server_keys 'key/main.bicep' = [for (key, index) in keys: { - name: '${uniqueString(deployment().name, location)}-Sql-Key-${index}' - params: { - name: key.name - serverName: server.name - serverKeyType: contains(key, 'serverKeyType') ? key.serverKeyType : 'ServiceManaged' - uri: contains(key, 'uri') ? key.uri : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -module server_encryptionProtector 'encryption-protector/main.bicep' = if (!empty(encryptionProtectorObj)) { - name: '${uniqueString(deployment().name, location)}-Sql-EncryProtector' - params: { - sqlServerName: server.name - serverKeyName: encryptionProtectorObj.serverKeyName - serverKeyType: contains(encryptionProtectorObj, 'serverKeyType') ? encryptionProtectorObj.serverKeyType : 'ServiceManaged' - autoRotationEnabled: contains(encryptionProtectorObj, 'autoRotationEnabled') ? 
encryptionProtectorObj.autoRotationEnabled : true - enableDefaultTelemetry: enableReferencedModulesTelemetry - } - dependsOn: [ - server_keys - ] -} - -@description('The name of the deployed SQL server.') -output name string = server.name - -@description('The resource ID of the deployed SQL server.') -output resourceId string = server.id - -@description('The resource group of the deployed SQL server.') -output resourceGroupName string = resourceGroup().name - -@description('The principal ID of the system assigned identity.') -output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(server.identity, 'principalId') ? server.identity.principalId : '' - -@description('The location the resource was deployed into.') -output location string = server.location - -// =============== // -// Definitions // -// =============== // - -type managedIdentitiesType = { - @description('Optional. Enables system assigned managed identity on the resource.') - systemAssigned: bool? - - @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourceIds: string[]? -}? - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? 
- - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? - -type privateEndpointType = { - @description('Optional. The name of the private endpoint.') - name: string? - - @description('Optional. The location to deploy the private endpoint to.') - location: string? - - @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".') - service: string? - - @description('Required. Resource ID of the subnet where the endpoint needs to be created.') - subnetResourceId: string - - @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.') - privateDnsZoneGroupName: string? - - @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.') - privateDnsZoneResourceIds: string[]? - - @description('Optional. Custom DNS configurations.') - customDnsConfigs: { - @description('Required. Fqdn that resolves to private endpoint ip address.') - fqdn: string? - - @description('Required. A list of private ip addresses of the private endpoint.') - ipAddresses: string[] - }[]? - - @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') - ipConfigurations: { - @description('Required. 
The name of the resource that is unique within a resource group.') - name: string - - @description('Required. Properties of private endpoint IP configurations.') - properties: { - @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') - groupId: string - - @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') - memberName: string - - @description('Required. A private ip address obtained from the private endpoint\'s subnet.') - privateIPAddress: string - } - }[]? - - @description('Optional. Application security groups in which the private endpoint IP configuration is included.') - applicationSecurityGroupResourceIds: string[]? - - @description('Optional. The custom name of the network interface attached to the private endpoint.') - customNetworkInterfaceName: string? - - @description('Optional. Specify the type of lock.') - lock: lockType - - @description('Optional. Array of role assignments to create.') - roleAssignments: roleAssignmentType - - @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') - tags: object? - - @description('Optional. Manual PrivateLink Service Connections.') - manualPrivateLinkServiceConnections: array? - - @description('Optional. Enable/Disable usage telemetry for module.') - enableTelemetry: bool? -}[]? diff --git a/modules/sql/server/main.json b/modules/sql/server/main.json deleted file mode 100644 index 362e1a67bd..0000000000 --- a/modules/sql/server/main.json +++ /dev/null 
@@ -1,3200 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13872952382016158092" - }, - "name": "Azure SQL Servers", - "description": "This module deploys an Azure SQL Server.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." 
- } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. 
Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "administratorLogin": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The administrator username for the server. Required if no `administrators` object for AAD authentication is provided." - } - }, - "administratorLoginPassword": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Conditional. The administrator login password. 
Required if no `administrators` object for AAD authentication is provided." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the server." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "primaryUserAssignedIdentityId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The resource ID of a user assigned identity to be used by default. Required if \"userAssignedIdentities\" is not empty." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "databases": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The databases to create in the server." - } - }, - "elasticPools": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The Elastic Pools to create in the server." - } - }, - "firewallRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The firewall rules to create in the server." - } - }, - "virtualNetworkRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. 
The virtual network rules to create in the server." - } - }, - "securityAlertPolicies": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The security alert policies to create in the server." - } - }, - "keys": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The keys to configure." - } - }, - "administrators": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Conditional. The Azure Active Directory (AAD) administrator authentication. Required if no `administratorLogin` & `administratorLoginPassword` is provided." - } - }, - "minimalTlsVersion": { - "type": "string", - "defaultValue": "1.2", - "allowedValues": [ - "1.0", - "1.1", - "1.2" - ], - "metadata": { - "description": "Optional. Minimal TLS version allowed." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and neither firewall rules nor virtual network rules are set." - } - }, - "restrictOutboundNetworkAccess": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Whether or not to restrict outbound network access for this server." - } - }, - "encryptionProtectorObj": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The encryption protection configuration." 
- } - }, - "vulnerabilityAssessmentsObj": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The vulnerability assessment configuration." - } - } - }, - "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reservation Purchaser": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "SQL DB Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "SQL Server Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", - "SqlDb Migration Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '189207d4-bb67-4208-a635-b06afe8b2c57')]", - "SqlMI Migration Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d335eef-eee1-47fe-a9e0-53214eba8872')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "server": { - "type": "Microsoft.Sql/servers", - "apiVersion": "2022-05-01-preview", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "properties": { - "administratorLogin": "[if(not(empty(parameters('administratorLogin'))), parameters('administratorLogin'), null())]", - "administratorLoginPassword": "[if(not(empty(parameters('administratorLoginPassword'))), parameters('administratorLoginPassword'), null())]", - "administrators": "[if(not(empty(parameters('administrators'))), 
createObject('administratorType', 'ActiveDirectory', 'azureADOnlyAuthentication', parameters('administrators').azureADOnlyAuthentication, 'login', parameters('administrators').login, 'principalType', parameters('administrators').principalType, 'sid', parameters('administrators').sid, 'tenantId', parameters('administrators').tenantId), null())]", - "version": "12.0", - "minimalTlsVersion": "[parameters('minimalTlsVersion')]", - "primaryUserAssignedIdentityId": "[if(not(empty(parameters('primaryUserAssignedIdentityId'))), parameters('primaryUserAssignedIdentityId'), null())]", - "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), if(and(and(not(empty(parameters('privateEndpoints'))), empty(parameters('firewallRules'))), empty(parameters('virtualNetworkRules'))), 'Disabled', null()))]", - "restrictOutboundNetworkAccess": "[if(not(empty(parameters('restrictOutboundNetworkAccess'))), parameters('restrictOutboundNetworkAccess'), null())]" - } - }, - "server_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Sql/servers/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "server" - ] - }, - "server_roleAssignments": { - "copy": { - "name": "server_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": 
"[format('Microsoft.Sql/servers/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Sql/servers', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "server" - ] - }, - "server_databases": { - "copy": { - "name": "server_databases", - "count": 
"[length(parameters('databases'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Sql-DB-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('databases')[copyIndex()].name]" - }, - "serverName": { - "value": "[parameters('name')]" - }, - "skuTier": "[if(contains(parameters('databases')[copyIndex()], 'skuTier'), createObject('value', parameters('databases')[copyIndex()].skuTier), createObject('value', 'GeneralPurpose'))]", - "skuName": "[if(contains(parameters('databases')[copyIndex()], 'skuName'), createObject('value', parameters('databases')[copyIndex()].skuName), createObject('value', 'GP_Gen5_2'))]", - "skuCapacity": "[if(contains(parameters('databases')[copyIndex()], 'skuCapacity'), createObject('value', parameters('databases')[copyIndex()].skuCapacity), createObject('value', -1))]", - "skuFamily": "[if(contains(parameters('databases')[copyIndex()], 'skuFamily'), createObject('value', parameters('databases')[copyIndex()].skuFamily), createObject('value', ''))]", - "skuSize": "[if(contains(parameters('databases')[copyIndex()], 'skuSize'), createObject('value', parameters('databases')[copyIndex()].skuSize), createObject('value', ''))]", - "collation": "[if(contains(parameters('databases')[copyIndex()], 'collation'), createObject('value', parameters('databases')[copyIndex()].collation), createObject('value', 'SQL_Latin1_General_CP1_CI_AS'))]", - "maxSizeBytes": "[if(contains(parameters('databases')[copyIndex()], 'maxSizeBytes'), createObject('value', parameters('databases')[copyIndex()].maxSizeBytes), createObject('value', json('34359738368')))]", - "autoPauseDelay": "[if(contains(parameters('databases')[copyIndex()], 'autoPauseDelay'), createObject('value', parameters('databases')[copyIndex()].autoPauseDelay), 
createObject('value', 0))]", - "diagnosticSettings": { - "value": "[tryGet(parameters('databases')[copyIndex()], 'diagnosticSettings')]" - }, - "isLedgerOn": "[if(contains(parameters('databases')[copyIndex()], 'isLedgerOn'), createObject('value', parameters('databases')[copyIndex()].isLedgerOn), createObject('value', false()))]", - "location": { - "value": "[parameters('location')]" - }, - "licenseType": "[if(contains(parameters('databases')[copyIndex()], 'licenseType'), createObject('value', parameters('databases')[copyIndex()].licenseType), createObject('value', ''))]", - "maintenanceConfigurationId": "[if(contains(parameters('databases')[copyIndex()], 'maintenanceConfigurationId'), createObject('value', parameters('databases')[copyIndex()].maintenanceConfigurationId), createObject('value', ''))]", - "minCapacity": "[if(contains(parameters('databases')[copyIndex()], 'minCapacity'), createObject('value', parameters('databases')[copyIndex()].minCapacity), createObject('value', ''))]", - "highAvailabilityReplicaCount": "[if(contains(parameters('databases')[copyIndex()], 'highAvailabilityReplicaCount'), createObject('value', parameters('databases')[copyIndex()].highAvailabilityReplicaCount), createObject('value', 0))]", - "readScale": "[if(contains(parameters('databases')[copyIndex()], 'readScale'), createObject('value', parameters('databases')[copyIndex()].readScale), createObject('value', 'Disabled'))]", - "requestedBackupStorageRedundancy": "[if(contains(parameters('databases')[copyIndex()], 'requestedBackupStorageRedundancy'), createObject('value', parameters('databases')[copyIndex()].requestedBackupStorageRedundancy), createObject('value', ''))]", - "sampleName": "[if(contains(parameters('databases')[copyIndex()], 'sampleName'), createObject('value', parameters('databases')[copyIndex()].sampleName), createObject('value', ''))]", - "tags": { - "value": "[coalesce(tryGet(parameters('databases')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "zoneRedundant": 
"[if(contains(parameters('databases')[copyIndex()], 'zoneRedundant'), createObject('value', parameters('databases')[copyIndex()].zoneRedundant), createObject('value', false()))]", - "elasticPoolId": "[if(contains(parameters('databases')[copyIndex()], 'elasticPoolId'), createObject('value', parameters('databases')[copyIndex()].elasticPoolId), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "backupShortTermRetentionPolicy": "[if(contains(parameters('databases')[copyIndex()], 'backupShortTermRetentionPolicy'), createObject('value', parameters('databases')[copyIndex()].backupShortTermRetentionPolicy), createObject('value', createObject()))]", - "backupLongTermRetentionPolicy": "[if(contains(parameters('databases')[copyIndex()], 'backupLongTermRetentionPolicy'), createObject('value', parameters('databases')[copyIndex()].backupLongTermRetentionPolicy), createObject('value', createObject()))]", - "createMode": "[if(contains(parameters('databases')[copyIndex()], 'createMode'), createObject('value', parameters('databases')[copyIndex()].createMode), createObject('value', 'Default'))]", - "sourceDatabaseResourceId": "[if(contains(parameters('databases')[copyIndex()], 'sourceDatabaseResourceId'), createObject('value', parameters('databases')[copyIndex()].sourceDatabaseResourceId), createObject('value', ''))]", - "sourceDatabaseDeletionDate": "[if(contains(parameters('databases')[copyIndex()], 'sourceDatabaseDeletionDate'), createObject('value', parameters('databases')[copyIndex()].sourceDatabaseDeletionDate), createObject('value', ''))]", - "recoveryServicesRecoveryPointResourceId": "[if(contains(parameters('databases')[copyIndex()], 'recoveryServicesRecoveryPointResourceId'), createObject('value', parameters('databases')[copyIndex()].recoveryServicesRecoveryPointResourceId), createObject('value', ''))]", - "restorePointInTime": "[if(contains(parameters('databases')[copyIndex()], 
'restorePointInTime'), createObject('value', parameters('databases')[copyIndex()].restorePointInTime), createObject('value', ''))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4314496383428784436" - }, - "name": "SQL Server Database", - "description": "This module deploys an Azure SQL Server Database.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." 
- } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." 
- } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the database." - } - }, - "serverName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL Server. Required if the template is used in a standalone deployment." - } - }, - "collation": { - "type": "string", - "defaultValue": "SQL_Latin1_General_CP1_CI_AS", - "metadata": { - "description": "Optional. The collation of the database." - } - }, - "skuTier": { - "type": "string", - "defaultValue": "GeneralPurpose", - "metadata": { - "description": "Optional. The skuTier or edition of the particular SKU." - } - }, - "skuName": { - "type": "string", - "defaultValue": "GP_Gen5_2", - "metadata": { - "description": "Optional. The name of the SKU." - } - }, - "skuCapacity": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Capacity of the particular SKU." - } - }, - "preferredEnclaveType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Default", - "VBS" - ], - "metadata": { - "description": "Optional. Type of enclave requested on the database i.e. Default or VBS enclaves." - } - }, - "skuFamily": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. If the service has different generations of hardware, for the same SKU, then that can be captured here." - } - }, - "skuSize": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Size of the particular SKU." - } - }, - "maxSizeBytes": { - "type": "int", - "defaultValue": 34359738368, - "metadata": { - "description": "Optional. The max size of the database expressed in bytes." 
- } - }, - "sampleName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the sample schema to apply when creating this database." - } - }, - "zoneRedundant": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether or not this database is zone redundant." - } - }, - "licenseType": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The license type to apply for this database." - } - }, - "readScale": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. The state of read-only routing." - } - }, - "highAvailabilityReplicaCount": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. The number of readonly secondary replicas associated with the database." - } - }, - "minCapacity": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Minimal capacity that database will always have allocated." - } - }, - "autoPauseDelay": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. Time in minutes after which database is automatically paused. A value of -1 means that automatic pause is disabled." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "elasticPoolId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of the elastic pool containing this database." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "createMode": { - "type": "string", - "defaultValue": "Default", - "allowedValues": [ - "Default", - "Copy", - "OnlineSecondary", - "PointInTimeRestore", - "Recovery", - "Restore", - "RestoreLongTermRetentionBackup", - "Secondary" - ], - "metadata": { - "description": "Optional. Specifies the mode of database creation." - } - }, - "sourceDatabaseResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of database if createMode set to Copy, Secondary, PointInTimeRestore, Recovery or Restore." - } - }, - "sourceDatabaseDeletionDate": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The time that the database was deleted when restoring a deleted database." - } - }, - "recoveryServicesRecoveryPointResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of backup if createMode set to RestoreLongTermRetentionBackup." - } - }, - "restorePointInTime": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Point in time (ISO8601 format) of the source database to restore when createMode set to Restore or PointInTimeRestore." - } - }, - "requestedBackupStorageRedundancy": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "Geo", - "Local", - "Zone", - "" - ], - "metadata": { - "description": "Optional. The storage account type to be used to store backups for this database." - } - }, - "isLedgerOn": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether or not this database is a ledger database, which means all tables in the database are ledger tables. Note: the value of this property cannot be changed after the database has been created." 
- } - }, - "maintenanceConfigurationId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Maintenance configuration ID assigned to the database. This configuration defines the period when the maintenance updates will occur." - } - }, - "backupShortTermRetentionPolicy": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The short term backup retention policy to create for the database." - } - }, - "backupLongTermRetentionPolicy": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The long term backup retention policy to create for the database." - } - } - }, - "variables": { - "skuVar": "[union(createObject('name', parameters('skuName'), 'tier', parameters('skuTier')), if(not(equals(parameters('skuCapacity'), -1)), createObject('capacity', parameters('skuCapacity')), if(not(empty(parameters('skuFamily'))), createObject('family', parameters('skuFamily')), if(not(empty(parameters('skuSize'))), createObject('size', parameters('skuSize')), createObject()))))]" - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "server": { - "existing": true, - "type": "Microsoft.Sql/servers", - "apiVersion": "2022-05-01-preview", - "name": "[parameters('serverName')]" - }, - "database": { - "type": "Microsoft.Sql/servers/databases", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}', parameters('serverName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": 
"[parameters('tags')]", - "properties": { - "preferredEnclaveType": "[if(not(empty(parameters('preferredEnclaveType'))), parameters('preferredEnclaveType'), null())]", - "collation": "[parameters('collation')]", - "maxSizeBytes": "[parameters('maxSizeBytes')]", - "sampleName": "[parameters('sampleName')]", - "zoneRedundant": "[parameters('zoneRedundant')]", - "licenseType": "[parameters('licenseType')]", - "readScale": "[parameters('readScale')]", - "minCapacity": "[if(not(empty(parameters('minCapacity'))), json(parameters('minCapacity')), 0)]", - "autoPauseDelay": "[parameters('autoPauseDelay')]", - "highAvailabilityReplicaCount": "[parameters('highAvailabilityReplicaCount')]", - "requestedBackupStorageRedundancy": "[parameters('requestedBackupStorageRedundancy')]", - "isLedgerOn": "[parameters('isLedgerOn')]", - "maintenanceConfigurationId": "[if(not(empty(parameters('maintenanceConfigurationId'))), parameters('maintenanceConfigurationId'), null())]", - "elasticPoolId": "[parameters('elasticPoolId')]", - "createMode": "[parameters('createMode')]", - "sourceDatabaseId": "[if(not(empty(parameters('sourceDatabaseResourceId'))), parameters('sourceDatabaseResourceId'), null())]", - "sourceDatabaseDeletionDate": "[if(not(empty(parameters('sourceDatabaseDeletionDate'))), parameters('sourceDatabaseDeletionDate'), null())]", - "recoveryServicesRecoveryPointId": "[if(not(empty(parameters('recoveryServicesRecoveryPointResourceId'))), parameters('recoveryServicesRecoveryPointResourceId'), null())]", - "restorePointInTime": "[if(not(empty(parameters('restorePointInTime'))), parameters('restorePointInTime'), null())]" - }, - "sku": "[variables('skuVar')]", - "dependsOn": [ - "server" - ] - }, - "database_diagnosticSettings": { - "copy": { - "name": "database_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": 
"[format('Microsoft.Sql/servers/{0}/databases/{1}', parameters('serverName'), parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "database" - ] - }, - "database_backupShortTermRetentionPolicy": { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-{1}-shBakRetPol', uniqueString(deployment().name, parameters('location')), parameters('name'))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "serverName": { - "value": "[parameters('serverName')]" - 
}, - "databaseName": { - "value": "[parameters('name')]" - }, - "diffBackupIntervalInHours": "[if(contains(parameters('backupShortTermRetentionPolicy'), 'diffBackupIntervalInHours'), createObject('value', parameters('backupShortTermRetentionPolicy').diffBackupIntervalInHours), createObject('value', 24))]", - "retentionDays": "[if(contains(parameters('backupShortTermRetentionPolicy'), 'retentionDays'), createObject('value', parameters('backupShortTermRetentionPolicy').retentionDays), createObject('value', 7))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16957286289914102707" - }, - "name": "Azure SQL Server Database Short Term Backup Retention Policies", - "description": "This module deploys an Azure SQL Server Database Short-Term Backup Retention Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "serverName": { - "type": "string", - "metadata": { - "description": "Required. The name of the parent SQL Server." - } - }, - "databaseName": { - "type": "string", - "metadata": { - "description": "Required. The name of the parent database." - } - }, - "diffBackupIntervalInHours": { - "type": "int", - "defaultValue": 24, - "metadata": { - "description": "Optional. Differential backup interval in hours." - } - }, - "retentionDays": { - "type": "int", - "defaultValue": 7, - "metadata": { - "description": "Optional. Poin-in-time retention in days." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}/{2}', parameters('serverName'), parameters('databaseName'), 'default')]", - "properties": { - "diffBackupIntervalInHours": "[parameters('diffBackupIntervalInHours')]", - "retentionDays": "[parameters('retentionDays')]" - } - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the short-term policy was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the short-term policy." - }, - "value": "default" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the short-term policy." 
- }, - "value": "[resourceId('Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies', parameters('serverName'), parameters('databaseName'), 'default')]" - } - } - } - }, - "dependsOn": [ - "database" - ] - }, - "database_backupLongTermRetentionPolicy": { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-{1}-lgBakRetPol', uniqueString(deployment().name, parameters('location')), parameters('name'))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "serverName": { - "value": "[parameters('serverName')]" - }, - "databaseName": { - "value": "[parameters('name')]" - }, - "weeklyRetention": "[if(contains(parameters('backupLongTermRetentionPolicy'), 'weeklyRetention'), createObject('value', parameters('backupLongTermRetentionPolicy').weeklyRetention), createObject('value', ''))]", - "monthlyRetention": "[if(contains(parameters('backupLongTermRetentionPolicy'), 'monthlyRetention'), createObject('value', parameters('backupLongTermRetentionPolicy').monthlyRetention), createObject('value', ''))]", - "yearlyRetention": "[if(contains(parameters('backupLongTermRetentionPolicy'), 'yearlyRetention'), createObject('value', parameters('backupLongTermRetentionPolicy').yearlyRetention), createObject('value', ''))]", - "weekOfYear": "[if(contains(parameters('backupLongTermRetentionPolicy'), 'weekOfYear'), createObject('value', parameters('backupLongTermRetentionPolicy').weekOfYear), createObject('value', 1))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6078887169611486577" - }, - "name": "SQL Server Database Long Term Backup Retention Policies", - "description": "This module deploys an Azure SQL Server Database Long-Term Backup Retention Policy.", - 
"owner": "Azure/module-maintainers" - }, - "parameters": { - "serverName": { - "type": "string", - "metadata": { - "description": "Required. The name of the parent SQL Server." - } - }, - "databaseName": { - "type": "string", - "metadata": { - "description": "Required. The name of the parent database." - } - }, - "weeklyRetention": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Monthly retention in ISO 8601 duration format." - } - }, - "monthlyRetention": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Weekly retention in ISO 8601 duration format." - } - }, - "weekOfYear": { - "type": "int", - "defaultValue": 1, - "metadata": { - "description": "Optional. Week of year backup to keep for yearly retention." - } - }, - "yearlyRetention": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Yearly retention in ISO 8601 duration format." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}/{2}', parameters('serverName'), parameters('databaseName'), 'default')]", - "properties": { - "monthlyRetention": "[parameters('monthlyRetention')]", - "weeklyRetention": "[parameters('weeklyRetention')]", - "weekOfYear": "[parameters('weekOfYear')]", - "yearlyRetention": "[parameters('yearlyRetention')]" - } - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the long-term policy was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the long-term policy." - }, - "value": "default" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the long-term policy." - }, - "value": "[resourceId('Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies', parameters('serverName'), parameters('databaseName'), 'default')]" - } - } - } - }, - "dependsOn": [ - "database" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed database." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed database." 
- }, - "value": "[resourceId('Microsoft.Sql/servers/databases', parameters('serverName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed database." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('database', '2022-05-01-preview', 'full').location]" - } - } - } - }, - "dependsOn": [ - "server", - "server_elasticPools" - ] - }, - "server_elasticPools": { - "copy": { - "name": "server_elasticPools", - "count": "[length(parameters('elasticPools'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-SQLServer-ElasticPool-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('elasticPools')[copyIndex()].name]" - }, - "serverName": { - "value": "[parameters('name')]" - }, - "databaseMaxCapacity": "[if(contains(parameters('elasticPools')[copyIndex()], 'databaseMaxCapacity'), createObject('value', parameters('elasticPools')[copyIndex()].databaseMaxCapacity), createObject('value', 2))]", - "databaseMinCapacity": "[if(contains(parameters('elasticPools')[copyIndex()], 'databaseMinCapacity'), createObject('value', parameters('elasticPools')[copyIndex()].databaseMinCapacity), createObject('value', 0))]", - "highAvailabilityReplicaCount": "[if(contains(parameters('elasticPools')[copyIndex()], 'highAvailabilityReplicaCount'), createObject('value', parameters('elasticPools')[copyIndex()].highAvailabilityReplicaCount), createObject('value', -1))]", - "licenseType": "[if(contains(parameters('elasticPools')[copyIndex()], 'licenseType'), createObject('value', parameters('elasticPools')[copyIndex()].licenseType), 
createObject('value', 'LicenseIncluded'))]", - "maintenanceConfigurationId": "[if(contains(parameters('elasticPools')[copyIndex()], 'maintenanceConfigurationId'), createObject('value', parameters('elasticPools')[copyIndex()].maintenanceConfigurationId), createObject('value', ''))]", - "maxSizeBytes": "[if(contains(parameters('elasticPools')[copyIndex()], 'maxSizeBytes'), createObject('value', parameters('elasticPools')[copyIndex()].maxSizeBytes), createObject('value', json('34359738368')))]", - "minCapacity": "[if(contains(parameters('elasticPools')[copyIndex()], 'minCapacity'), createObject('value', parameters('elasticPools')[copyIndex()].minCapacity), createObject('value', -1))]", - "skuCapacity": "[if(contains(parameters('elasticPools')[copyIndex()], 'skuCapacity'), createObject('value', parameters('elasticPools')[copyIndex()].skuCapacity), createObject('value', 2))]", - "skuName": "[if(contains(parameters('elasticPools')[copyIndex()], 'skuName'), createObject('value', parameters('elasticPools')[copyIndex()].skuName), createObject('value', 'GP_Gen5'))]", - "skuTier": "[if(contains(parameters('elasticPools')[copyIndex()], 'skuTier'), createObject('value', parameters('elasticPools')[copyIndex()].skuTier), createObject('value', 'GeneralPurpose'))]", - "zoneRedundant": "[if(contains(parameters('elasticPools')[copyIndex()], 'zoneRedundant'), createObject('value', parameters('elasticPools')[copyIndex()].zoneRedundant), createObject('value', false()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "tags": { - "value": "[coalesce(tryGet(parameters('elasticPools')[copyIndex()], 'tags'), parameters('tags'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": 
"0.23.1.45101", - "templateHash": "2462504606421092214" - }, - "name": "SQL Server Elastic Pool", - "description": "This module deploys an Azure SQL Server Elastic Pool.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Elastic Pool." - } - }, - "serverName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL Server. Required if the template is used in a standalone deployment." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "skuCapacity": { - "type": "int", - "defaultValue": 2, - "metadata": { - "description": "Optional. Capacity of the particular SKU." - } - }, - "skuName": { - "type": "string", - "defaultValue": "GP_Gen5", - "metadata": { - "description": "Optional. The name of the SKU, typically, a letter + Number code, e.g. P3." - } - }, - "skuTier": { - "type": "string", - "defaultValue": "GeneralPurpose", - "metadata": { - "description": "Optional. The tier or edition of the particular SKU, e.g. Basic, Premium." - } - }, - "highAvailabilityReplicaCount": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. The number of secondary replicas associated with the elastic pool that are used to provide high availability. Applicable only to Hyperscale elastic pools." - } - }, - "licenseType": { - "type": "string", - "defaultValue": "LicenseIncluded", - "allowedValues": [ - "BasePrice", - "LicenseIncluded" - ], - "metadata": { - "description": "Optional. The license type to apply for this elastic pool." - } - }, - "maintenanceConfigurationId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
Maintenance configuration resource ID assigned to the elastic pool. This configuration defines the period when the maintenance updates will will occur." - } - }, - "maxSizeBytes": { - "type": "int", - "defaultValue": 34359738368, - "metadata": { - "description": "Optional. The storage limit for the database elastic pool in bytes." - } - }, - "minCapacity": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Minimal capacity that serverless pool will not shrink below, if not paused." - } - }, - "databaseMaxCapacity": { - "type": "int", - "defaultValue": 2, - "metadata": { - "description": "Optional. The maximum capacity any one database can consume." - } - }, - "databaseMinCapacity": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. The minimum capacity all databases are guaranteed." - } - }, - "zoneRedundant": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether or not this elastic pool is zone redundant, which means the replicas of this elastic pool will be spread across multiple availability zones." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "server": { - "existing": true, - "type": "Microsoft.Sql/servers", - "apiVersion": "2022-05-01-preview", - "name": "[parameters('serverName')]" - }, - "elasticPool": { - "type": "Microsoft.Sql/servers/elasticPools", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}', parameters('serverName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "capacity": "[parameters('skuCapacity')]", - "name": "[parameters('skuName')]", - "tier": "[parameters('skuTier')]" - }, - "properties": { - "highAvailabilityReplicaCount": "[if(greater(parameters('highAvailabilityReplicaCount'), -1), parameters('highAvailabilityReplicaCount'), null())]", - "licenseType": "[parameters('licenseType')]", - "maintenanceConfigurationId": "[parameters('maintenanceConfigurationId')]", - "maxSizeBytes": "[parameters('maxSizeBytes')]", - "minCapacity": "[parameters('minCapacity')]", - "perDatabaseSettings": { - "minCapacity": "[parameters('databaseMinCapacity')]", - "maxCapacity": "[parameters('databaseMaxCapacity')]" - }, - "zoneRedundant": "[parameters('zoneRedundant')]" - }, - "dependsOn": [ - "server" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed Elastic Pool." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed Elastic Pool." 
- }, - "value": "[resourceId('Microsoft.Sql/servers/elasticPools', parameters('serverName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed Elastic Pool." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('elasticPool', '2022-05-01-preview', 'full').location]" - } - } - } - }, - "dependsOn": [ - "server" - ] - }, - "server_privateEndpoints": { - "copy": { - "name": "server_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-server-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'sqlServer')]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Sql/servers', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'sqlServer'), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.Sql/servers', parameters('name'))]" - }, - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" - }, - "location": { 
- "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - 
"metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." 
- } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. 
Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. 
The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } 
- }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - "groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": 
"privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": 
"Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "server" - ] - }, - "server_firewallRules": { - "copy": { - "name": "server_firewallRules", - "count": "[length(parameters('firewallRules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Sql-FirewallRules-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('firewallRules')[copyIndex()].name]" - }, - "serverName": { - "value": "[parameters('name')]" - }, - "endIpAddress": "[if(contains(parameters('firewallRules')[copyIndex()], 'endIpAddress'), createObject('value', parameters('firewallRules')[copyIndex()].endIpAddress), createObject('value', '0.0.0.0'))]", - "startIpAddress": "[if(contains(parameters('firewallRules')[copyIndex()], 'startIpAddress'), createObject('value', parameters('firewallRules')[copyIndex()].startIpAddress), createObject('value', '0.0.0.0'))]", - "enableDefaultTelemetry": { - "value": 
"[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6791289458860590076" - }, - "name": "Azure SQL Server Firewall Rule", - "description": "This module deploys an Azure SQL Server Firewall Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Server Firewall Rule." - } - }, - "endIpAddress": { - "type": "string", - "defaultValue": "0.0.0.0", - "metadata": { - "description": "Optional. The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value '0.0.0.0' for all Azure-internal IP addresses." - } - }, - "startIpAddress": { - "type": "string", - "defaultValue": "0.0.0.0", - "metadata": { - "description": "Optional. The start IP address of the firewall rule. Must be IPv4 format. Use value '0.0.0.0' for all Azure-internal IP addresses." - } - }, - "serverName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL Server. Required if the template is used in a standalone deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/servers/firewallRules", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}', parameters('serverName'), parameters('name'))]", - "properties": { - "endIpAddress": "[parameters('endIpAddress')]", - "startIpAddress": "[parameters('startIpAddress')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed firewall rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed firewall rule." - }, - "value": "[resourceId('Microsoft.Sql/servers/firewallRules', parameters('serverName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed firewall rule." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "server" - ] - }, - "server_virtualNetworkRules": { - "copy": { - "name": "server_virtualNetworkRules", - "count": "[length(parameters('virtualNetworkRules'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Sql-VirtualNetworkRules-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('virtualNetworkRules')[copyIndex()].name]" - }, - "serverName": { - "value": "[parameters('name')]" - }, - "ignoreMissingVnetServiceEndpoint": "[if(contains(parameters('virtualNetworkRules')[copyIndex()], 'ignoreMissingVnetServiceEndpoint'), createObject('value', parameters('virtualNetworkRules')[copyIndex()].ignoreMissingVnetServiceEndpoint), createObject('value', false()))]", - "virtualNetworkSubnetId": { - "value": "[parameters('virtualNetworkRules')[copyIndex()].virtualNetworkSubnetId]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "8445811621384772574" - }, - "name": "Azure SQL Server Virtual Network Rules", - "description": "This module deploys an Azure SQL Server Virtual Network Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Server Virtual Network Rule." - } - }, - "ignoreMissingVnetServiceEndpoint": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. 
Allow creating a firewall rule before the virtual network has vnet service endpoint enabled." - } - }, - "virtualNetworkSubnetId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the virtual network subnet." - } - }, - "serverName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL Server. Required if the template is used in a standalone deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/servers/virtualNetworkRules", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}', parameters('serverName'), parameters('name'))]", - "properties": { - "ignoreMissingVnetServiceEndpoint": "[parameters('ignoreMissingVnetServiceEndpoint')]", - "virtualNetworkSubnetId": "[parameters('virtualNetworkSubnetId')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed virtual network rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed virtual network rule." 
- }, - "value": "[resourceId('Microsoft.Sql/servers/virtualNetworkRules', parameters('serverName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed virtual network rule." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "server" - ] - }, - "server_securityAlertPolicies": { - "copy": { - "name": "server_securityAlertPolicies", - "count": "[length(parameters('securityAlertPolicies'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Sql-SecAlertPolicy-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('securityAlertPolicies')[copyIndex()].name]" - }, - "serverName": { - "value": "[parameters('name')]" - }, - "disabledAlerts": "[if(contains(parameters('securityAlertPolicies')[copyIndex()], 'disabledAlerts'), createObject('value', parameters('securityAlertPolicies')[copyIndex()].disabledAlerts), createObject('value', createArray()))]", - "emailAccountAdmins": "[if(contains(parameters('securityAlertPolicies')[copyIndex()], 'emailAccountAdmins'), createObject('value', parameters('securityAlertPolicies')[copyIndex()].emailAccountAdmins), createObject('value', false()))]", - "emailAddresses": "[if(contains(parameters('securityAlertPolicies')[copyIndex()], 'emailAddresses'), createObject('value', parameters('securityAlertPolicies')[copyIndex()].emailAddresses), createObject('value', createArray()))]", - "retentionDays": "[if(contains(parameters('securityAlertPolicies')[copyIndex()], 'retentionDays'), createObject('value', parameters('securityAlertPolicies')[copyIndex()].retentionDays), createObject('value', 0))]", - "state": "[if(contains(parameters('securityAlertPolicies')[copyIndex()], 'state'), createObject('value', 
parameters('securityAlertPolicies')[copyIndex()].state), createObject('value', 'Disabled'))]", - "storageAccountAccessKey": "[if(contains(parameters('securityAlertPolicies')[copyIndex()], 'storageAccountAccessKey'), createObject('value', parameters('securityAlertPolicies')[copyIndex()].storageAccountAccessKey), createObject('value', ''))]", - "storageEndpoint": "[if(contains(parameters('securityAlertPolicies')[copyIndex()], 'storageEndpoint'), createObject('value', parameters('securityAlertPolicies')[copyIndex()].storageEndpoint), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15800765189083682209" - }, - "name": "Azure SQL Server Security Alert Policies", - "description": "This module deploys an Azure SQL Server Security Alert Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Security Alert Policy." - } - }, - "disabledAlerts": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specifies an array of alerts that are disabled. Allowed values are: Sql_Injection, Sql_Injection_Vulnerability, Access_Anomaly, Data_Exfiltration, Unsafe_Action, Brute_Force." - } - }, - "emailAccountAdmins": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies that the alert is sent to the account administrators." - } - }, - "emailAddresses": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specifies an array of email addresses to which the alert is sent." 
- } - }, - "retentionDays": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. Specifies the number of days to keep in the Threat Detection audit logs." - } - }, - "state": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Specifies the state of the policy, whether it is enabled or disabled or a policy has not been applied yet on the specific database." - } - }, - "storageAccountAccessKey": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies the identifier key of the Threat Detection audit storage account.." - } - }, - "storageEndpoint": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies the blob storage endpoint. This blob storage will hold all Threat Detection audit logs." - } - }, - "serverName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL Server. Required if the template is used in a standalone deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/servers/securityAlertPolicies", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}', parameters('serverName'), parameters('name'))]", - "properties": { - "disabledAlerts": "[parameters('disabledAlerts')]", - "emailAccountAdmins": "[parameters('emailAccountAdmins')]", - "emailAddresses": "[parameters('emailAddresses')]", - "retentionDays": "[parameters('retentionDays')]", - "state": "[parameters('state')]", - "storageAccountAccessKey": "[if(empty(parameters('storageAccountAccessKey')), null(), parameters('storageAccountAccessKey'))]", - "storageEndpoint": "[if(empty(parameters('storageEndpoint')), null(), parameters('storageEndpoint'))]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed security alert policy." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed security alert policy." - }, - "value": "[resourceId('Microsoft.Sql/servers/securityAlertPolicies', parameters('serverName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed security alert policy." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "server" - ] - }, - "server_vulnerabilityAssessment": { - "condition": "[not(empty(parameters('vulnerabilityAssessmentsObj')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Sql-VulnAssessm', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "serverName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('vulnerabilityAssessmentsObj').name]" - }, - "recurringScansEmails": "[if(contains(parameters('vulnerabilityAssessmentsObj'), 'recurringScansEmails'), createObject('value', parameters('vulnerabilityAssessmentsObj').recurringScansEmails), createObject('value', createArray()))]", - "recurringScansEmailSubscriptionAdmins": "[if(contains(parameters('vulnerabilityAssessmentsObj'), 'recurringScansEmailSubscriptionAdmins'), createObject('value', parameters('vulnerabilityAssessmentsObj').recurringScansEmailSubscriptionAdmins), createObject('value', false()))]", - "recurringScansIsEnabled": "[if(contains(parameters('vulnerabilityAssessmentsObj'), 'recurringScansIsEnabled'), createObject('value', parameters('vulnerabilityAssessmentsObj').recurringScansIsEnabled), createObject('value', false()))]", - "storageAccountResourceId": { - "value": "[parameters('vulnerabilityAssessmentsObj').storageAccountResourceId]" - }, - "useStorageAccountAccessKey": "[if(contains(parameters('vulnerabilityAssessmentsObj'), 'useStorageAccountAccessKey'), createObject('value', parameters('vulnerabilityAssessmentsObj').useStorageAccountAccessKey), createObject('value', false()))]", - "createStorageRoleAssignment": "[if(contains(parameters('vulnerabilityAssessmentsObj'), 'createStorageRoleAssignment'), createObject('value', parameters('vulnerabilityAssessmentsObj').createStorageRoleAssignment), 
createObject('value', true()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2867406426882642505" - }, - "name": "Azure SQL Server Vulnerability Assessments", - "description": "This module deploys an Azure SQL Server Vulnerability Assessment.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the vulnerability assessment." - } - }, - "serverName": { - "type": "string", - "metadata": { - "description": "Conditional. The Name of SQL Server. Required if the template is used in a standalone deployment." - } - }, - "recurringScansIsEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Recurring scans state." - } - }, - "recurringScansEmailSubscriptionAdmins": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies that the schedule scan notification will be is sent to the subscription administrators." - } - }, - "recurringScansEmails": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specifies an array of email addresses to which the scan notification is sent." - } - }, - "storageAccountResourceId": { - "type": "string", - "metadata": { - "description": "Required. A blob storage to hold the scan results." - } - }, - "useStorageAccountAccessKey": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Use Access Key to access the storage account. The storage account cannot be behind a firewall or virtual network. 
If an access key is not used, the SQL Server system assigned managed identity must be assigned the Storage Blob Data Contributor role on the storage account." - } - }, - "createStorageRoleAssignment": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Create the Storage Blob Data Contributor role assignment on the storage account. Note, the role assignment must not already exist on the storage account." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-9319755b-f697-4146-b966-4656e0b46cac-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/servers/vulnerabilityAssessments", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}', parameters('serverName'), parameters('name'))]", - "properties": { - "storageContainerPath": "[format('https://{0}.blob.{1}/vulnerability-assessment/', last(split(parameters('storageAccountResourceId'), '/')), environment().suffixes.storage)]", - "storageAccountAccessKey": "[if(parameters('useStorageAccountAccessKey'), listKeys(parameters('storageAccountResourceId'), '2019-06-01').keys[0].value, null())]", - "recurringScans": { - "isEnabled": "[parameters('recurringScansIsEnabled')]", - "emailSubscriptionAdmins": "[parameters('recurringScansEmailSubscriptionAdmins')]", - "emails": "[parameters('recurringScansEmails')]" - } - } - }, - { - "condition": "[and(not(parameters('useStorageAccountAccessKey')), 
parameters('createStorageRoleAssignment'))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-sbdc-rbac', parameters('serverName'))]", - "resourceGroup": "[split(parameters('storageAccountResourceId'), '/')[4]]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "storageAccountName": { - "value": "[last(split(parameters('storageAccountResourceId'), '/'))]" - }, - "managedInstanceIdentityPrincipalId": { - "value": "[reference(resourceId('Microsoft.Sql/servers', parameters('serverName')), '2022-05-01-preview', 'full').identity.principalId]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11127995627829971090" - } - }, - "parameters": { - "storageAccountName": { - "type": "string" - }, - "managedInstanceIdentityPrincipalId": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('storageAccountName'))]", - "name": "[guid(format('{0}-{1}-Storage-Blob-Data-Contributor', resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), parameters('managedInstanceIdentityPrincipalId')))]", - "properties": { - "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "principalId": "[parameters('managedInstanceIdentityPrincipalId')]", - "principalType": "ServicePrincipal" - } - } - ] - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed vulnerability assessment." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed vulnerability assessment." - }, - "value": "[resourceId('Microsoft.Sql/servers/vulnerabilityAssessments', parameters('serverName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed vulnerability assessment." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "server", - "server_securityAlertPolicies" - ] - }, - "server_keys": { - "copy": { - "name": "server_keys", - "count": "[length(parameters('keys'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Sql-Key-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('keys')[copyIndex()].name]" - }, - "serverName": { - "value": "[parameters('name')]" - }, - "serverKeyType": "[if(contains(parameters('keys')[copyIndex()], 'serverKeyType'), createObject('value', parameters('keys')[copyIndex()].serverKeyType), createObject('value', 'ServiceManaged'))]", - "uri": "[if(contains(parameters('keys')[copyIndex()], 'uri'), createObject('value', parameters('keys')[copyIndex()].uri), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11306919877164146196" - }, - "name": "Azure SQL Server Keys", - "description": "This module deploys an Azure SQL Server Key.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - 
"name": { - "type": "string", - "metadata": { - "description": "Required. The name of the key. Must follow the [__] pattern." - } - }, - "serverName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL server. Required if the template is used in a standalone deployment." - } - }, - "serverKeyType": { - "type": "string", - "defaultValue": "ServiceManaged", - "allowedValues": [ - "AzureKeyVault", - "ServiceManaged" - ], - "metadata": { - "description": "Optional. The encryption protector type like \"ServiceManaged\", \"AzureKeyVault\"." - } - }, - "uri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The URI of the key. If the ServerKeyType is AzureKeyVault, then either the URI or the keyVaultName/keyName combination is required." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "splittedKeyUri": "[split(parameters('uri'), '/')]", - "serverKeyName": "[if(empty(parameters('uri')), 'ServiceManaged', format('{0}_{1}_{2}', split(variables('splittedKeyUri')[2], '.')[0], variables('splittedKeyUri')[4], variables('splittedKeyUri')[5]))]" - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/servers/keys", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}', parameters('serverName'), if(not(empty(parameters('name'))), parameters('name'), variables('serverKeyName')))]", - "properties": { - "serverKeyType": "[parameters('serverKeyType')]", - "uri": "[parameters('uri')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed server key." - }, - "value": "[if(not(empty(parameters('name'))), parameters('name'), variables('serverKeyName'))]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed server key." - }, - "value": "[resourceId('Microsoft.Sql/servers/keys', parameters('serverName'), if(not(empty(parameters('name'))), parameters('name'), variables('serverKeyName')))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed server key." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "server" - ] - }, - "server_encryptionProtector": { - "condition": "[not(empty(parameters('encryptionProtectorObj')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Sql-EncryProtector', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "sqlServerName": { - "value": "[parameters('name')]" - }, - "serverKeyName": { - "value": "[parameters('encryptionProtectorObj').serverKeyName]" - }, - "serverKeyType": "[if(contains(parameters('encryptionProtectorObj'), 'serverKeyType'), createObject('value', parameters('encryptionProtectorObj').serverKeyType), createObject('value', 'ServiceManaged'))]", - "autoRotationEnabled": "[if(contains(parameters('encryptionProtectorObj'), 'autoRotationEnabled'), createObject('value', parameters('encryptionProtectorObj').autoRotationEnabled), createObject('value', true()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17270982128022391504" - }, - "name": "Azure SQL Server Encryption Protector", - "description": "This module deploys an Azure SQL Server Encryption Protector.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "sqlServerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the sql server. Required if the template is used in a standalone deployment." - } - }, - "serverKeyName": { - "type": "string", - "metadata": { - "description": "Required. The name of the server key." 
- } - }, - "autoRotationEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Key auto rotation opt-in." - } - }, - "serverKeyType": { - "type": "string", - "defaultValue": "ServiceManaged", - "allowedValues": [ - "AzureKeyVault", - "ServiceManaged" - ], - "metadata": { - "description": "Optional. The encryption protector type." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/servers/encryptionProtector", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}', parameters('sqlServerName'), 'current')]", - "properties": { - "serverKeyType": "[parameters('serverKeyType')]", - "autoRotationEnabled": "[parameters('autoRotationEnabled')]", - "serverKeyName": "[parameters('serverKeyName')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed encryption protector." - }, - "value": "current" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the encryption protector." - }, - "value": "[resourceId('Microsoft.Sql/servers/encryptionProtector', parameters('sqlServerName'), 'current')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed encryption protector." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "server", - "server_keys" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed SQL server." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed SQL server." - }, - "value": "[resourceId('Microsoft.Sql/servers', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed SQL server." - }, - "value": "[resourceGroup().name]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('server', '2022-05-01-preview', 'full').identity, 'principalId')), reference('server', '2022-05-01-preview', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('server', '2022-05-01-preview', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/sql/server/security-alert-policy/README.md b/modules/sql/server/security-alert-policy/README.md deleted file mode 100644 index 6a90d70d38..0000000000 --- a/modules/sql/server/security-alert-policy/README.md +++ /dev/null 
@@ -1,141 +0,0 @@ -# Azure SQL Server Security Alert Policies `[Microsoft.Sql/servers/securityAlertPolicies]` - -This module deploys an Azure SQL Server Security Alert Policy. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Sql/servers/securityAlertPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/securityAlertPolicies) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the Security Alert Policy. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`serverName`](#parameter-servername) | string | The name of the parent SQL Server. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`disabledAlerts`](#parameter-disabledalerts) | array | Specifies an array of alerts that are disabled. Allowed values are: Sql_Injection, Sql_Injection_Vulnerability, Access_Anomaly, Data_Exfiltration, Unsafe_Action, Brute_Force. | -| [`emailAccountAdmins`](#parameter-emailaccountadmins) | bool | Specifies that the alert is sent to the account administrators. | -| [`emailAddresses`](#parameter-emailaddresses) | array | Specifies an array of email addresses to which the alert is sent. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`retentionDays`](#parameter-retentiondays) | int | Specifies the number of days to keep in the Threat Detection audit logs. 
| -| [`state`](#parameter-state) | string | Specifies the state of the policy, whether it is enabled or disabled or a policy has not been applied yet on the specific database. | -| [`storageAccountAccessKey`](#parameter-storageaccountaccesskey) | securestring | Specifies the identifier key of the Threat Detection audit storage account.. | -| [`storageEndpoint`](#parameter-storageendpoint) | string | Specifies the blob storage endpoint. This blob storage will hold all Threat Detection audit logs. | - -### Parameter: `name` - -The name of the Security Alert Policy. - -- Required: Yes -- Type: string - -### Parameter: `serverName` - -The name of the parent SQL Server. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `disabledAlerts` - -Specifies an array of alerts that are disabled. Allowed values are: Sql_Injection, Sql_Injection_Vulnerability, Access_Anomaly, Data_Exfiltration, Unsafe_Action, Brute_Force. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `emailAccountAdmins` - -Specifies that the alert is sent to the account administrators. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `emailAddresses` - -Specifies an array of email addresses to which the alert is sent. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `retentionDays` - -Specifies the number of days to keep in the Threat Detection audit logs. - -- Required: No -- Type: int -- Default: `0` - -### Parameter: `state` - -Specifies the state of the policy, whether it is enabled or disabled or a policy has not been applied yet on the specific database. 
- -- Required: No -- Type: string -- Default: `'Disabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `storageAccountAccessKey` - -Specifies the identifier key of the Threat Detection audit storage account.. - -- Required: No -- Type: securestring -- Default: `''` - -### Parameter: `storageEndpoint` - -Specifies the blob storage endpoint. This blob storage will hold all Threat Detection audit logs. - -- Required: No -- Type: string -- Default: `''` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed security alert policy. | -| `resourceGroupName` | string | The resource group of the deployed security alert policy. | -| `resourceId` | string | The resource ID of the deployed security alert policy. | - -## Cross-referenced modules - -_None_ diff --git a/modules/sql/server/security-alert-policy/main.bicep b/modules/sql/server/security-alert-policy/main.bicep deleted file mode 100644 index 458579d834..0000000000 --- a/modules/sql/server/security-alert-policy/main.bicep +++ /dev/null 
@@ -1,77 +0,0 @@
-metadata name = 'Azure SQL Server Security Alert Policies'
-metadata description = 'This module deploys an Azure SQL Server Security Alert Policy.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the Security Alert Policy.')
-param name string
-
-@description('Optional. Specifies an array of alerts that are disabled. Allowed values are: Sql_Injection, Sql_Injection_Vulnerability, Access_Anomaly, Data_Exfiltration, Unsafe_Action, Brute_Force.')
-param disabledAlerts array = []
-
-@description('Optional. Specifies that the alert is sent to the account administrators.')
-param emailAccountAdmins bool = false
-
-@description('Optional. Specifies an array of email addresses to which the alert is sent.')
-param emailAddresses array = []
-
-@description('Optional. Specifies the number of days to keep in the Threat Detection audit logs.')
-param retentionDays int = 0
-
-@description('Optional. Specifies the state of the policy, whether it is enabled or disabled or a policy has not been applied yet on the specific database.')
-@allowed([
- 'Disabled'
- 'Enabled'
-])
-param state string = 'Disabled'
-
-@description('Optional. Specifies the identifier key of the Threat Detection audit storage account..')
-@secure()
-param storageAccountAccessKey string = ''
-
-@description('Optional. Specifies the blob storage endpoint. This blob storage will hold all Threat Detection audit logs.')
-param storageEndpoint string = ''
-
-@description('Conditional. The name of the parent SQL Server. Required if the template is used in a standalone deployment.')
-param serverName string
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource server 'Microsoft.Sql/servers@2022-05-01-preview' existing = {
- name: serverName
-}
-
-resource securityAlertPolicy 'Microsoft.Sql/servers/securityAlertPolicies@2022-05-01-preview' = {
- name: name
- parent: server
- properties: {
- disabledAlerts: disabledAlerts
- emailAccountAdmins: emailAccountAdmins
- emailAddresses: emailAddresses
- retentionDays: retentionDays
- state: state
- storageAccountAccessKey: empty(storageAccountAccessKey) ? null : storageAccountAccessKey
- storageEndpoint: empty(storageEndpoint) ? null : storageEndpoint
- }
-}
-
-@description('The name of the deployed security alert policy.')
-output name string = securityAlertPolicy.name
-
-@description('The resource ID of the deployed security alert policy.')
-output resourceId string = securityAlertPolicy.id
-
-@description('The resource group of the deployed security alert policy.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/sql/server/security-alert-policy/main.json b/modules/sql/server/security-alert-policy/main.json
deleted file mode 100644
index 2ab1e02c88..0000000000
--- a/modules/sql/server/security-alert-policy/main.json
+++ /dev/null
@@ -1,141 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15800765189083682209" - }, - "name": "Azure SQL Server Security Alert Policies", - "description": "This module deploys an Azure SQL Server Security Alert Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Security Alert Policy." - } - }, - "disabledAlerts": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specifies an array of alerts that are disabled. Allowed values are: Sql_Injection, Sql_Injection_Vulnerability, Access_Anomaly, Data_Exfiltration, Unsafe_Action, Brute_Force." - } - }, - "emailAccountAdmins": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies that the alert is sent to the account administrators." - } - }, - "emailAddresses": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specifies an array of email addresses to which the alert is sent." - } - }, - "retentionDays": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. Specifies the number of days to keep in the Threat Detection audit logs." - } - }, - "state": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Specifies the state of the policy, whether it is enabled or disabled or a policy has not been applied yet on the specific database." - } - }, - "storageAccountAccessKey": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies the identifier key of the Threat Detection audit storage account.." 
- } - }, - "storageEndpoint": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies the blob storage endpoint. This blob storage will hold all Threat Detection audit logs." - } - }, - "serverName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL Server. Required if the template is used in a standalone deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/servers/securityAlertPolicies", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}', parameters('serverName'), parameters('name'))]", - "properties": { - "disabledAlerts": "[parameters('disabledAlerts')]", - "emailAccountAdmins": "[parameters('emailAccountAdmins')]", - "emailAddresses": "[parameters('emailAddresses')]", - "retentionDays": "[parameters('retentionDays')]", - "state": "[parameters('state')]", - "storageAccountAccessKey": "[if(empty(parameters('storageAccountAccessKey')), null(), parameters('storageAccountAccessKey'))]", - "storageEndpoint": "[if(empty(parameters('storageEndpoint')), null(), parameters('storageEndpoint'))]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed security alert policy." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed security alert policy." - }, - "value": "[resourceId('Microsoft.Sql/servers/securityAlertPolicies', parameters('serverName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed security alert policy." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file
diff --git a/modules/sql/server/security-alert-policy/version.json b/modules/sql/server/security-alert-policy/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/sql/server/security-alert-policy/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/sql/server/tests/e2e/admin/dependencies.bicep b/modules/sql/server/tests/e2e/admin/dependencies.bicep
deleted file mode 100644
index 29b9641692..0000000000
--- a/modules/sql/server/tests/e2e/admin/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Required. The name of the managed identity to create.')
-param managedIdentityName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created managed identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/sql/server/tests/e2e/admin/main.test.bicep b/modules/sql/server/tests/e2e/admin/main.test.bicep
deleted file mode 100644
index 9a30d64ae7..0000000000
--- a/modules/sql/server/tests/e2e/admin/main.test.bicep
+++ /dev/null
@@ -1,61 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-sql.servers-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'sqlsadmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}'
- administrators: {
- azureADOnlyAuthentication: true
- login: 'myspn'
- sid: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'Application'
- tenantId: tenant().tenantId
- }
- }
-}]
diff --git a/modules/sql/server/tests/e2e/max/dependencies.bicep b/modules/sql/server/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 5f68856202..0000000000
--- a/modules/sql/server/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,111 +0,0 @@
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: map(range(0, 2), i => {
- name: 'subnet-${i}'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 24, i)
- }
- })
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink${environment().suffixes.sqlServerHostname}'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: null
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-
- resource key 'keys@2022-07-01' = {
- name: 'keyEncryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-}
-
-resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Vault-Crypto-Service-Encryption-User-RoleAssignment')
- scope: keyVault::key
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User
- principalType: 'ServicePrincipal'
- }
-}
-
-@description('The principal ID of the created managed identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created managed identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created virtual network subnet for a Private Endpoint.')
-output privateEndpointSubnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created virtual network subnet for a Service Endpoint.')
-output serviceEndpointSubnetResourceId string = virtualNetwork.properties.subnets[1].id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
-
-@description('The URL of the created Key Vault Encryption Key.')
-output keyVaultEncryptionKeyUrl string = keyVault::key.properties.keyUriWithVersion
-
-@description('The name of the created Key Vault Encryption Key.')
-output keyVaultKeyName string = keyVault::key.name
-
-@description('The name of the created Key Vault.')
-output keyVaultName string = keyVault.name
diff --git a/modules/sql/server/tests/e2e/max/main.test.bicep b/modules/sql/server/tests/e2e/max/main.test.bicep
deleted file mode 100644
index a71f7575a2..0000000000
--- a/modules/sql/server/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,208 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-sql.servers-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'sqlsmax'
-
-@description('Optional. The password to leverage for the login.')
-@secure()
-param password string = newGuid()
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- location: location
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}azsa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- primaryUserAssignedIdentityId: nestedDependencies.outputs.managedIdentityResourceId
- administratorLogin: 'adminUserName'
- administratorLoginPassword: password
- location: location
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- vulnerabilityAssessmentsObj: {
- name: 'default'
- emailSubscriptionAdmins: true
- recurringScansIsEnabled: true
- recurringScansEmails: [
- 'test1@contoso.com'
- 'test2@contoso.com'
- ]
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- }
- elasticPools: [
- {
- name: '${namePrefix}-${serviceShort}-ep-001'
- skuName: 'GP_Gen5'
- skuTier: 'GeneralPurpose'
- skuCapacity: 10
- // Pre-existing 'public' configuration
- maintenanceConfigurationId: '${subscription().id}/providers/Microsoft.Maintenance/publicMaintenanceConfigurations/SQL_${location}_DB_1'
- }
- ]
- databases: [
- {
- name: '${namePrefix}-${serviceShort}db-001'
- collation: 'SQL_Latin1_General_CP1_CI_AS'
- skuTier: 'GeneralPurpose'
- skuName: 'ElasticPool'
- capacity: 0
- maxSizeBytes: 34359738368
- licenseType: 'LicenseIncluded'
- diagnosticSettings: [
- {
- name: 'customSetting'
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- elasticPoolId: '${resourceGroup.id}/providers/Microsoft.Sql/servers/${namePrefix}-${serviceShort}/elasticPools/${namePrefix}-${serviceShort}-ep-001'
- encryptionProtectorObj: {
- serverKeyType: 'AzureKeyVault'
- serverKeyName: '${nestedDependencies.outputs.keyVaultName}_${nestedDependencies.outputs.keyVaultKeyName}_${last(split(nestedDependencies.outputs.keyVaultEncryptionKeyUrl, '/'))}'
- }
- backupShortTermRetentionPolicy: {
- retentionDays: 14
- }
- backupLongTermRetentionPolicy: {
- monthlyRetention: 'P6M'
- }
- }
- ]
- firewallRules: [
- {
- name: 'AllowAllWindowsAzureIps'
- endIpAddress: '0.0.0.0'
- startIpAddress: '0.0.0.0'
- }
- ]
- securityAlertPolicies: [
- {
- name: 'Default'
- state: 'Enabled'
- emailAccountAdmins: true
- }
- ]
- keys: [
- {
- name: '${nestedDependencies.outputs.keyVaultName}_${nestedDependencies.outputs.keyVaultKeyName}_${last(split(nestedDependencies.outputs.keyVaultEncryptionKeyUrl, '/'))}'
- serverKeyType: 'AzureKeyVault'
- uri: nestedDependencies.outputs.keyVaultEncryptionKeyUrl
- }
- ]
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- privateEndpoints: [
- {
- subnetResourceId: nestedDependencies.outputs.privateEndpointSubnetResourceId
- service: 'sqlServer'
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- virtualNetworkRules: [
- {
- ignoreMissingVnetServiceEndpoint: true
- name: 'newVnetRule1'
- virtualNetworkSubnetId: nestedDependencies.outputs.serviceEndpointSubnetResourceId
- }
- ]
- restrictOutboundNetworkAccess: 'Disabled'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/sql/server/tests/e2e/pe/dependencies.bicep b/modules/sql/server/tests/e2e/pe/dependencies.bicep
deleted file mode 100644
index ef2f9239a0..0000000000
--- a/modules/sql/server/tests/e2e/pe/dependencies.bicep
+++ /dev/null
@@ -1,50 +0,0 @@
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
-
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink${environment().suffixes.sqlServerHostname}'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-@description('The resource ID of the created virtual network subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/sql/server/tests/e2e/pe/main.test.bicep b/modules/sql/server/tests/e2e/pe/main.test.bicep
deleted file mode 100644
index 069d4f0e80..0000000000
--- a/modules/sql/server/tests/e2e/pe/main.test.bicep
+++ /dev/null
@@ -1,79 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-sql.servers-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'sqlspe'
-
-@description('Optional. The password to leverage for the login.')
-@secure()
-param password string = newGuid()
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}'
- administratorLogin: 'adminUserName'
- administratorLoginPassword: password
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/sql/server/tests/e2e/secondary/dependencies.bicep b/modules/sql/server/tests/e2e/secondary/dependencies.bicep
deleted file mode 100644
index d67dcca0fa..0000000000
--- a/modules/sql/server/tests/e2e/secondary/dependencies.bicep
+++ /dev/null
@@ -1,36 +0,0 @@
-@description('Required. The name of the server.')
-param serverName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Optional. The password to leverage for the login.')
-@secure()
-param password string = newGuid()
-
-resource server 'Microsoft.Sql/servers@2021-11-01' = {
- name: serverName
- location: location
- properties: {
- administratorLogin: 'adminUserName'
- administratorLoginPassword: password
- }
-
- resource database 'databases@2021-11-01' = {
- name: 'db1'
- location: location
- sku: {
- name: 'Basic'
- tier: 'Basic'
- }
- properties: {
- maxSizeBytes: 2147483648
- }
- }
-}
-
-@description('The resource ID of the created database.')
-output databaseResourceId string = server::database.id
-
-@description('The name of the created database.')
-output databaseName string = server::database.name
diff --git a/modules/sql/server/tests/e2e/secondary/main.test.bicep b/modules/sql/server/tests/e2e/secondary/main.test.bicep
deleted file mode 100644
index 96bef59aa8..0000000000
--- a/modules/sql/server/tests/e2e/secondary/main.test.bicep
+++ /dev/null
@@ -1,75 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-sql.servers-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'sqlsec'
-
-@description('Optional. The password to leverage for the login.')
-@secure()
-param password string = newGuid()
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- serverName: 'dep-${namePrefix}-${serviceShort}-pri'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}-sec'
- administratorLogin: 'adminUserName'
- administratorLoginPassword: password
- databases: [
- {
- name: nestedDependencies.outputs.databaseName
- skuTier: 'Basic'
- skuName: 'Basic'
- maxSizeBytes: 2147483648
- createMode: 'Secondary'
- sourceDatabaseResourceId: nestedDependencies.outputs.databaseResourceId
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/sql/server/tests/e2e/vulnAssm/dependencies.bicep b/modules/sql/server/tests/e2e/vulnAssm/dependencies.bicep
deleted file mode 100644
index 6eb808e8c6..0000000000
--- a/modules/sql/server/tests/e2e/vulnAssm/dependencies.bicep
+++ /dev/null
@@ -1,35 +0,0 @@
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
- name: managedIdentityName
- location: location
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
- properties: {
- allowBlobPublicAccess: false
- networkAcls: {
- defaultAction: 'Deny'
- bypass: 'AzureServices'
- }
- }
-}
-
-@description('The resource ID of the created managed identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
diff --git a/modules/sql/server/tests/e2e/vulnAssm/main.test.bicep b/modules/sql/server/tests/e2e/vulnAssm/main.test.bicep
deleted file mode 100644
index 9b105db908..0000000000
--- a/modules/sql/server/tests/e2e/vulnAssm/main.test.bicep
+++ /dev/null
@@ -1,94 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-sql.servers-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'sqlsvln'
-
-@description('Optional. The password to leverage for the login.')
-@secure()
-param password string = newGuid()
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- storageAccountName: 'dep${namePrefix}cdnstore${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}'
- primaryUserAssignedIdentityId: nestedDependencies.outputs.managedIdentityResourceId
- administratorLogin: 'adminUserName'
- administratorLoginPassword: password
- location: location
- vulnerabilityAssessmentsObj: {
- emailSubscriptionAdmins: true
- name: 'default'
- recurringScansEmails: [
- 'test1@contoso.com'
- 'test2@contoso.com'
- ]
- recurringScansIsEnabled: true
- storageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
- useStorageAccountAccessKey: false
- createStorageRoleAssignment: true
- }
- securityAlertPolicies: [
- {
- name: 'Default'
- state: 'Enabled'
- emailAccountAdmins: true
- }
- ]
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/sql/server/tests/e2e/waf-aligned/dependencies.bicep b/modules/sql/server/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 5f68856202..0000000000
--- a/modules/sql/server/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,111 +0,0 @@
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: map(range(0, 2), i => {
- name: 'subnet-${i}'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 24, i)
- }
- })
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink${environment().suffixes.sqlServerHostname}'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: null
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-
- resource key 'keys@2022-07-01' = {
- name: 'keyEncryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-}
-
-resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Vault-Crypto-Service-Encryption-User-RoleAssignment')
- scope: keyVault::key
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User
- principalType: 'ServicePrincipal'
- }
-}
-
-@description('The principal ID of the created managed identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created managed identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created virtual network subnet for a Private Endpoint.')
-output privateEndpointSubnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created virtual network subnet for a Service Endpoint.')
-output serviceEndpointSubnetResourceId string = virtualNetwork.properties.subnets[1].id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
-
-@description('The URL of the created Key Vault Encryption Key.')
-output keyVaultEncryptionKeyUrl string = keyVault::key.properties.keyUriWithVersion
-
-@description('The name of the created Key Vault Encryption Key.')
-output keyVaultKeyName string = keyVault::key.name
-
-@description('The name of the created Key Vault.')
-output keyVaultName string = keyVault.name
diff --git a/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep b/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index c72c12cfee..0000000000
--- a/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,191 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-sql.servers-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'sqlswaf'
-
-@description('Optional. The password to leverage for the login.')
-@secure()
-param password string = newGuid()
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- location: location
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}azsa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- primaryUserAssignedIdentityId: nestedDependencies.outputs.managedIdentityResourceId
- administratorLogin: 'adminUserName'
- administratorLoginPassword: password
- location: location
- vulnerabilityAssessmentsObj: {
- name: 'default'
- emailSubscriptionAdmins: true
- recurringScansIsEnabled: true
- recurringScansEmails: [
- 'test1@contoso.com'
- 'test2@contoso.com'
- ]
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- }
- elasticPools: [
- {
- name: '${namePrefix}-${serviceShort}-ep-001'
- skuName: 'GP_Gen5'
- skuTier: 'GeneralPurpose'
- skuCapacity: 10
- // Pre-existing 'public' configuration
- maintenanceConfigurationId: '${subscription().id}/providers/Microsoft.Maintenance/publicMaintenanceConfigurations/SQL_${location}_DB_1'
- }
- ]
- databases: [
- {
- name: '${namePrefix}-${serviceShort}db-001'
- collation: 'SQL_Latin1_General_CP1_CI_AS'
- skuTier: 'GeneralPurpose'
- skuName: 'ElasticPool'
- capacity: 0
- maxSizeBytes: 34359738368
- licenseType: 'LicenseIncluded'
- diagnosticSettings: [
- {
- name: 'customSetting'
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- elasticPoolId: '${resourceGroup.id}/providers/Microsoft.Sql/servers/${namePrefix}-${serviceShort}/elasticPools/${namePrefix}-${serviceShort}-ep-001'
- encryptionProtectorObj: {
- serverKeyType: 'AzureKeyVault'
- serverKeyName: '${nestedDependencies.outputs.keyVaultName}_${nestedDependencies.outputs.keyVaultKeyName}_${last(split(nestedDependencies.outputs.keyVaultEncryptionKeyUrl, '/'))}'
- }
- backupShortTermRetentionPolicy: {
- retentionDays: 14
- }
- backupLongTermRetentionPolicy: {
- monthlyRetention: 'P6M'
- }
- }
- ]
- firewallRules: [
- {
- name: 'AllowAllWindowsAzureIps'
- endIpAddress: '0.0.0.0'
- startIpAddress: '0.0.0.0'
- }
- ]
- securityAlertPolicies: [
- {
- name: 'Default'
- state: 'Enabled'
- emailAccountAdmins: true
- }
- ]
- keys: [
- {
- name: '${nestedDependencies.outputs.keyVaultName}_${nestedDependencies.outputs.keyVaultKeyName}_${last(split(nestedDependencies.outputs.keyVaultEncryptionKeyUrl, '/'))}'
- serverKeyType: 'AzureKeyVault'
- uri: nestedDependencies.outputs.keyVaultEncryptionKeyUrl
- }
- ]
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- privateEndpoints: [
- {
- subnetResourceId: nestedDependencies.outputs.privateEndpointSubnetResourceId
- service: 'sqlServer'
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- virtualNetworkRules: [
- {
- ignoreMissingVnetServiceEndpoint: true
- name: 'newVnetRule1'
- virtualNetworkSubnetId: nestedDependencies.outputs.serviceEndpointSubnetResourceId
- }
- ]
- restrictOutboundNetworkAccess: 'Disabled'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/sql/server/version.json b/modules/sql/server/version.json
deleted file mode 100644
index 04a0dd1a80..0000000000
--- a/modules/sql/server/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.5",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/sql/server/virtual-network-rule/README.md b/modules/sql/server/virtual-network-rule/README.md
deleted file mode 100644
index a0eaf2fb10..0000000000
--- a/modules/sql/server/virtual-network-rule/README.md
+++ /dev/null
@@ -1,88 +0,0 @@ -# Azure SQL Server Virtual Network Rules `[Microsoft.Sql/servers/virtualNetworkRules]` - -This module deploys an Azure SQL Server Virtual Network Rule. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Sql/servers/virtualNetworkRules` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/virtualNetworkRules) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the Server Virtual Network Rule. | -| [`virtualNetworkSubnetId`](#parameter-virtualnetworksubnetid) | string | The resource ID of the virtual network subnet. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`serverName`](#parameter-servername) | string | The name of the parent SQL Server. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`ignoreMissingVnetServiceEndpoint`](#parameter-ignoremissingvnetserviceendpoint) | bool | Allow creating a firewall rule before the virtual network has vnet service endpoint enabled. | - -### Parameter: `name` - -The name of the Server Virtual Network Rule. - -- Required: Yes -- Type: string - -### Parameter: `virtualNetworkSubnetId` - -The resource ID of the virtual network subnet. - -- Required: Yes -- Type: string - -### Parameter: `serverName` - -The name of the parent SQL Server. Required if the template is used in a standalone deployment. 
- -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `ignoreMissingVnetServiceEndpoint` - -Allow creating a firewall rule before the virtual network has vnet service endpoint enabled. - -- Required: No -- Type: bool -- Default: `False` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed virtual network rule. | -| `resourceGroupName` | string | The resource group of the deployed virtual network rule. | -| `resourceId` | string | The resource ID of the deployed virtual network rule. | - -## Cross-referenced modules - -_None_ diff --git a/modules/sql/server/virtual-network-rule/main.bicep b/modules/sql/server/virtual-network-rule/main.bicep deleted file mode 100644 index ce53442168..0000000000 --- a/modules/sql/server/virtual-network-rule/main.bicep +++ /dev/null 
@@ -1,52 +0,0 @@
-metadata name = 'Azure SQL Server Virtual Network Rules'
-metadata description = 'This module deploys an Azure SQL Server Virtual Network Rule.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the Server Virtual Network Rule.')
-param name string
-
-@description('Optional. Allow creating a firewall rule before the virtual network has vnet service endpoint enabled.')
-param ignoreMissingVnetServiceEndpoint bool = false
-
-@description('Required. The resource ID of the virtual network subnet.')
-param virtualNetworkSubnetId string
-
-@description('Conditional. The name of the parent SQL Server. Required if the template is used in a standalone deployment.')
-param serverName string
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource server 'Microsoft.Sql/servers@2022-05-01-preview' existing = {
- name: serverName
-}
-
-resource virtualNetworkRule 'Microsoft.Sql/servers/virtualNetworkRules@2022-05-01-preview' = {
- name: name
- parent: server
- properties: {
- ignoreMissingVnetServiceEndpoint: ignoreMissingVnetServiceEndpoint
- virtualNetworkSubnetId: virtualNetworkSubnetId
- }
-}
-
-@description('The name of the deployed virtual network rule.')
-output name string = virtualNetworkRule.name
-
-@description('The resource ID of the deployed virtual network rule.')
-output resourceId string = virtualNetworkRule.id
-
-@description('The resource group of the deployed virtual network rule.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/sql/server/virtual-network-rule/main.json b/modules/sql/server/virtual-network-rule/main.json
deleted file mode 100644
index 52b74413a7..0000000000
--- a/modules/sql/server/virtual-network-rule/main.json
+++ /dev/null
@@ -1,96 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "8445811621384772574" - }, - "name": "Azure SQL Server Virtual Network Rules", - "description": "This module deploys an Azure SQL Server Virtual Network Rule.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Server Virtual Network Rule." - } - }, - "ignoreMissingVnetServiceEndpoint": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Allow creating a firewall rule before the virtual network has vnet service endpoint enabled." - } - }, - "virtualNetworkSubnetId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the virtual network subnet." - } - }, - "serverName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent SQL Server. Required if the template is used in a standalone deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/servers/virtualNetworkRules", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}', parameters('serverName'), parameters('name'))]", - "properties": { - "ignoreMissingVnetServiceEndpoint": "[parameters('ignoreMissingVnetServiceEndpoint')]", - "virtualNetworkSubnetId": "[parameters('virtualNetworkSubnetId')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed virtual network rule." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed virtual network rule." - }, - "value": "[resourceId('Microsoft.Sql/servers/virtualNetworkRules', parameters('serverName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed virtual network rule." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/sql/server/virtual-network-rule/version.json b/modules/sql/server/virtual-network-rule/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/sql/server/virtual-network-rule/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/sql/server/vulnerability-assessment/README.md b/modules/sql/server/vulnerability-assessment/README.md
deleted file mode 100644
index 24fa7fed0b..0000000000
--- a/modules/sql/server/vulnerability-assessment/README.md
+++ /dev/null
@@ -1,125 +0,0 @@ -# Azure SQL Server Vulnerability Assessments `[Microsoft.Sql/servers/vulnerabilityAssessments]` - -This module deploys an Azure SQL Server Vulnerability Assessment. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Sql/servers/vulnerabilityAssessments` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/vulnerabilityAssessments) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the vulnerability assessment. | -| [`storageAccountResourceId`](#parameter-storageaccountresourceid) | string | A blob storage to hold the scan results. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`serverName`](#parameter-servername) | string | The Name of SQL Server. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`createStorageRoleAssignment`](#parameter-createstorageroleassignment) | bool | Create the Storage Blob Data Contributor role assignment on the storage account. Note, the role assignment must not already exist on the storage account. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`recurringScansEmails`](#parameter-recurringscansemails) | array | Specifies an array of email addresses to which the scan notification is sent. 
| -| [`recurringScansEmailSubscriptionAdmins`](#parameter-recurringscansemailsubscriptionadmins) | bool | Specifies that the schedule scan notification will be is sent to the subscription administrators. | -| [`recurringScansIsEnabled`](#parameter-recurringscansisenabled) | bool | Recurring scans state. | -| [`useStorageAccountAccessKey`](#parameter-usestorageaccountaccesskey) | bool | Use Access Key to access the storage account. The storage account cannot be behind a firewall or virtual network. If an access key is not used, the SQL Server system assigned managed identity must be assigned the Storage Blob Data Contributor role on the storage account. | - -### Parameter: `name` - -The name of the vulnerability assessment. - -- Required: Yes -- Type: string - -### Parameter: `storageAccountResourceId` - -A blob storage to hold the scan results. - -- Required: Yes -- Type: string - -### Parameter: `serverName` - -The Name of SQL Server. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `createStorageRoleAssignment` - -Create the Storage Blob Data Contributor role assignment on the storage account. Note, the role assignment must not already exist on the storage account. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `recurringScansEmails` - -Specifies an array of email addresses to which the scan notification is sent. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `recurringScansEmailSubscriptionAdmins` - -Specifies that the schedule scan notification will be is sent to the subscription administrators. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `recurringScansIsEnabled` - -Recurring scans state. 
- -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `useStorageAccountAccessKey` - -Use Access Key to access the storage account. The storage account cannot be behind a firewall or virtual network. If an access key is not used, the SQL Server system assigned managed identity must be assigned the Storage Blob Data Contributor role on the storage account. - -- Required: No -- Type: bool -- Default: `False` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed vulnerability assessment. | -| `resourceGroupName` | string | The resource group of the deployed vulnerability assessment. | -| `resourceId` | string | The resource ID of the deployed vulnerability assessment. | - -## Cross-referenced modules - -_None_ diff --git a/modules/sql/server/vulnerability-assessment/main.bicep b/modules/sql/server/vulnerability-assessment/main.bicep deleted file mode 100644 index de649ee8d3..0000000000 --- a/modules/sql/server/vulnerability-assessment/main.bicep +++ /dev/null 
@@ -1,79 +0,0 @@
-metadata name = 'Azure SQL Server Vulnerability Assessments'
-metadata description = 'This module deploys an Azure SQL Server Vulnerability Assessment.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the vulnerability assessment.')
-param name string
-
-@description('Conditional. The Name of SQL Server. Required if the template is used in a standalone deployment.')
-param serverName string
-
-@description('Optional. Recurring scans state.')
-param recurringScansIsEnabled bool = false
-
-@description('Optional. Specifies that the schedule scan notification will be is sent to the subscription administrators.')
-param recurringScansEmailSubscriptionAdmins bool = false
-
-@description('Optional. Specifies an array of email addresses to which the scan notification is sent.')
-param recurringScansEmails array = []
-
-@description('Required. A blob storage to hold the scan results.')
-param storageAccountResourceId string
-
-@description('Optional. Use Access Key to access the storage account. The storage account cannot be behind a firewall or virtual network. If an access key is not used, the SQL Server system assigned managed identity must be assigned the Storage Blob Data Contributor role on the storage account.')
-param useStorageAccountAccessKey bool = false
-
-@description('Optional. Create the Storage Blob Data Contributor role assignment on the storage account. Note, the role assignment must not already exist on the storage account.')
-param createStorageRoleAssignment bool = true
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-9319755b-f697-4146-b966-4656e0b46cac-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource server 'Microsoft.Sql/servers@2022-05-01-preview' existing = {
- name: serverName
-}
-
-// Assign SQL Server MSI access to storage account
-module storageAccount_sbdc_rbac 'modules/nested_storageRoleAssignment.bicep' = if (!useStorageAccountAccessKey && createStorageRoleAssignment) {
- name: '${server.name}-sbdc-rbac'
- scope: resourceGroup(split(storageAccountResourceId, '/')[4])
- params: {
- storageAccountName: last(split(storageAccountResourceId, '/'))
- managedInstanceIdentityPrincipalId: server.identity.principalId
- }
-}
-
-resource vulnerabilityAssessment 'Microsoft.Sql/servers/vulnerabilityAssessments@2022-05-01-preview' = {
- name: name
- parent: server
- properties: {
- storageContainerPath: 'https://${last(split(storageAccountResourceId, '/'))}.blob.${environment().suffixes.storage}/vulnerability-assessment/'
- storageAccountAccessKey: useStorageAccountAccessKey ? listKeys(storageAccountResourceId, '2019-06-01').keys[0].value : any(null)
- recurringScans: {
- isEnabled: recurringScansIsEnabled
- emailSubscriptionAdmins: recurringScansEmailSubscriptionAdmins
- emails: recurringScansEmails
- }
- }
-}
-
-@description('The name of the deployed vulnerability assessment.')
-output name string = vulnerabilityAssessment.name
-
-@description('The resource ID of the deployed vulnerability assessment.')
-output resourceId string = vulnerabilityAssessment.id
-
-@description('The resource group of the deployed vulnerability assessment.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/sql/server/vulnerability-assessment/main.json b/modules/sql/server/vulnerability-assessment/main.json
deleted file mode 100644
index bd156145db..0000000000
--- a/modules/sql/server/vulnerability-assessment/main.json
+++ /dev/null
@@ -1,182 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2867406426882642505" - }, - "name": "Azure SQL Server Vulnerability Assessments", - "description": "This module deploys an Azure SQL Server Vulnerability Assessment.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the vulnerability assessment." - } - }, - "serverName": { - "type": "string", - "metadata": { - "description": "Conditional. The Name of SQL Server. Required if the template is used in a standalone deployment." - } - }, - "recurringScansIsEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Recurring scans state." - } - }, - "recurringScansEmailSubscriptionAdmins": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies that the schedule scan notification will be is sent to the subscription administrators." - } - }, - "recurringScansEmails": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specifies an array of email addresses to which the scan notification is sent." - } - }, - "storageAccountResourceId": { - "type": "string", - "metadata": { - "description": "Required. A blob storage to hold the scan results." - } - }, - "useStorageAccountAccessKey": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Use Access Key to access the storage account. The storage account cannot be behind a firewall or virtual network. If an access key is not used, the SQL Server system assigned managed identity must be assigned the Storage Blob Data Contributor role on the storage account." 
- } - }, - "createStorageRoleAssignment": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Create the Storage Blob Data Contributor role assignment on the storage account. Note, the role assignment must not already exist on the storage account." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-9319755b-f697-4146-b966-4656e0b46cac-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Sql/servers/vulnerabilityAssessments", - "apiVersion": "2022-05-01-preview", - "name": "[format('{0}/{1}', parameters('serverName'), parameters('name'))]", - "properties": { - "storageContainerPath": "[format('https://{0}.blob.{1}/vulnerability-assessment/', last(split(parameters('storageAccountResourceId'), '/')), environment().suffixes.storage)]", - "storageAccountAccessKey": "[if(parameters('useStorageAccountAccessKey'), listKeys(parameters('storageAccountResourceId'), '2019-06-01').keys[0].value, null())]", - "recurringScans": { - "isEnabled": "[parameters('recurringScansIsEnabled')]", - "emailSubscriptionAdmins": "[parameters('recurringScansEmailSubscriptionAdmins')]", - "emails": "[parameters('recurringScansEmails')]" - } - } - }, - { - "condition": "[and(not(parameters('useStorageAccountAccessKey')), parameters('createStorageRoleAssignment'))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-sbdc-rbac', parameters('serverName'))]", - 
"resourceGroup": "[split(parameters('storageAccountResourceId'), '/')[4]]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "storageAccountName": { - "value": "[last(split(parameters('storageAccountResourceId'), '/'))]" - }, - "managedInstanceIdentityPrincipalId": { - "value": "[reference(resourceId('Microsoft.Sql/servers', parameters('serverName')), '2022-05-01-preview', 'full').identity.principalId]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11127995627829971090" - } - }, - "parameters": { - "storageAccountName": { - "type": "string" - }, - "managedInstanceIdentityPrincipalId": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('storageAccountName'))]", - "name": "[guid(format('{0}-{1}-Storage-Blob-Data-Contributor', resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), parameters('managedInstanceIdentityPrincipalId')))]", - "properties": { - "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "principalId": "[parameters('managedInstanceIdentityPrincipalId')]", - "principalType": "ServicePrincipal" - } - } - ] - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed vulnerability assessment." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed vulnerability assessment." 
- }, - "value": "[resourceId('Microsoft.Sql/servers/vulnerabilityAssessments', parameters('serverName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed vulnerability assessment." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/sql/server/vulnerability-assessment/modules/nested_storageRoleAssignment.bicep b/modules/sql/server/vulnerability-assessment/modules/nested_storageRoleAssignment.bicep deleted file mode 100644 index 7855e9f142..0000000000 --- a/modules/sql/server/vulnerability-assessment/modules/nested_storageRoleAssignment.bicep +++ /dev/null @@ -1,17 +0,0 @@ -param storageAccountName string -param managedInstanceIdentityPrincipalId string - -resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing = { - name: storageAccountName -} - -// Assign Storage Blob Data Contributor RBAC role -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - name: guid('${storageAccount.id}-${managedInstanceIdentityPrincipalId}-Storage-Blob-Data-Contributor') - scope: storageAccount - properties: { - roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe') - principalId: managedInstanceIdentityPrincipalId - principalType: 'ServicePrincipal' - } -} diff --git a/modules/sql/server/vulnerability-assessment/version.json b/modules/sql/server/vulnerability-assessment/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/sql/server/vulnerability-assessment/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/storage/storage-account/MOVED-TO-AVM.md b/modules/storage/storage-account/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 
--- a/modules/storage/storage-account/MOVED-TO-AVM.md +++ /dev/null @@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/storage/storage-account/README.md b/modules/storage/storage-account/README.md index 463821394f..bf26b6a248 100644 --- a/modules/storage/storage-account/README.md +++ b/modules/storage/storage-account/README.md @@ -1,2757 +1,7 @@ -# Storage Accounts `[Microsoft.Storage/storageAccounts]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/storage/storage-account](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/storage/storage-account).** -This module deploys a Storage Account. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/storage/storage-account). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -| `Microsoft.Storage/storageAccounts` | 
[2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2022-09-01/storageAccounts) | -| `Microsoft.Storage/storageAccounts/blobServices` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2022-09-01/storageAccounts/blobServices) | -| `Microsoft.Storage/storageAccounts/blobServices/containers` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2022-09-01/storageAccounts/blobServices/containers) | -| `Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2022-09-01/storageAccounts/blobServices/containers/immutabilityPolicies) | -| `Microsoft.Storage/storageAccounts/fileServices` | [2021-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-09-01/storageAccounts/fileServices) | -| `Microsoft.Storage/storageAccounts/fileServices/shares` | [2023-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/storageAccounts/fileServices/shares) | -| `Microsoft.Storage/storageAccounts/localUsers` | [2022-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2022-05-01/storageAccounts/localUsers) | -| `Microsoft.Storage/storageAccounts/managementPolicies` | [2023-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/storageAccounts/managementPolicies) | -| `Microsoft.Storage/storageAccounts/queueServices` | [2021-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-09-01/storageAccounts/queueServices) | -| `Microsoft.Storage/storageAccounts/queueServices/queues` | [2021-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-09-01/storageAccounts/queueServices/queues) | -| `Microsoft.Storage/storageAccounts/tableServices` | [2021-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-09-01/storageAccounts/tableServices) | -| 
`Microsoft.Storage/storageAccounts/tableServices/tables` | [2021-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-09-01/storageAccounts/tableServices/tables) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/storage.storage-account:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Encr](#example-2-encr) -- [Using large parameter set](#example-3-using-large-parameter-set) -- [Nfs](#example-4-nfs) -- [V1](#example-5-v1) -- [WAF-aligned](#example-6-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ssamin' - params: { - // Required parameters - name: 'ssamin001' - // Non-required parameters - allowBlobPublicAccess: false - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ssamin001" - }, - // Non-required parameters - "allowBlobPublicAccess": { - "value": false - }, - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Encr_ - -

- -via Bicep module - -```bicep -module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ssaencr' - params: { - // Required parameters - name: 'ssaencr001' - // Non-required parameters - allowBlobPublicAccess: false - blobServices: { - automaticSnapshotPolicyEnabled: true - changeFeedEnabled: true - changeFeedRetentionInDays: 10 - containerDeleteRetentionPolicyAllowPermanentDelete: true - containerDeleteRetentionPolicyDays: 10 - containerDeleteRetentionPolicyEnabled: true - containers: [ - { - name: 'container' - publicAccess: 'None' - } - ] - defaultServiceVersion: '2008-10-27' - deleteRetentionPolicyDays: 9 - deleteRetentionPolicyEnabled: true - isVersioningEnabled: true - lastAccessTimeTrackingPolicyEnable: true - restorePolicyDays: 8 - restorePolicyEnabled: true - } - customerManagedKey: { - keyName: '' - keyVaultResourceId: '' - userAssignedIdentityResourceId: '' - } - enableDefaultTelemetry: '' - managedIdentities: { - systemAssigned: false - userAssignedResourceIds: [ - '' - ] - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'blob' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - requireInfrastructureEncryption: true - skuName: 'Standard_LRS' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ssaencr001" - }, - // Non-required parameters - "allowBlobPublicAccess": { - "value": false - }, - "blobServices": { - "value": { - "automaticSnapshotPolicyEnabled": true, - "changeFeedEnabled": true, - "changeFeedRetentionInDays": 10, - "containerDeleteRetentionPolicyAllowPermanentDelete": true, - "containerDeleteRetentionPolicyDays": 10, - "containerDeleteRetentionPolicyEnabled": true, - "containers": [ - { - "name": "container", - "publicAccess": "None" - } - ], - "defaultServiceVersion": "2008-10-27", - "deleteRetentionPolicyDays": 9, - "deleteRetentionPolicyEnabled": true, - "isVersioningEnabled": true, - "lastAccessTimeTrackingPolicyEnable": true, - "restorePolicyDays": 8, - "restorePolicyEnabled": true - } - }, - "customerManagedKey": { - "value": { - "keyName": "", - "keyVaultResourceId": "", - "userAssignedIdentityResourceId": "" - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "managedIdentities": { - "value": { - "systemAssigned": false, - "userAssignedResourceIds": [ - "" - ] - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "blob", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "requireInfrastructureEncryption": { - "value": true - }, - "skuName": { - "value": "Standard_LRS" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ssamax' - params: { - // Required parameters - name: 'ssamax001' - // Non-required parameters - allowBlobPublicAccess: false - blobServices: { - automaticSnapshotPolicyEnabled: true - containerDeleteRetentionPolicyDays: 10 - containerDeleteRetentionPolicyEnabled: true - containers: [ - { - enableNfsV3AllSquash: true - enableNfsV3RootSquash: true - name: 'avdscripts' - publicAccess: 'None' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - } - { - allowProtectedAppendWrites: false - enableWORM: true - metadata: { - testKey: 'testValue' - } - name: 'archivecontainer' - publicAccess: 'None' - WORMRetention: 666 - } - ] - deleteRetentionPolicyDays: 9 - deleteRetentionPolicyEnabled: true - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - lastAccessTimeTrackingPolicyEnabled: true - } - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - enableHierarchicalNamespace: true - enableNfsV3: true - enableSftp: true - fileServices: { - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - 
workspaceResourceId: '' - } - ] - shares: [ - { - accessTier: 'Hot' - name: 'avdprofiles' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - shareQuota: 5120 - } - { - name: 'avdprofiles2' - shareQuota: 102400 - } - ] - } - largeFileSharesState: 'Enabled' - localUsers: [ - { - hasSharedKey: false - hasSshKey: true - hasSshPassword: false - homeDirectory: 'avdscripts' - name: 'testuser' - permissionScopes: [ - { - permissions: 'r' - resourceName: 'avdscripts' - service: 'blob' - } - ] - storageAccountName: 'ssamax001' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - managementPolicyRules: [ - { - definition: { - actions: { - baseBlob: { - delete: { - daysAfterModificationGreaterThan: 30 - } - tierToCool: { - daysAfterLastAccessTimeGreaterThan: 5 - } - } - } - filters: { - blobIndexMatch: [ - { - name: 'BlobIndex' - op: '==' - value: '1' - } - ] - blobTypes: [ - 'blockBlob' - ] - prefixMatch: [ - 'sample-container/log' - ] - } - } - enabled: true - name: 'FirstRule' - type: 'Lifecycle' - } - ] - networkAcls: { - bypass: 'AzureServices' - defaultAction: 'Deny' - ipRules: [ - { - action: 'Allow' - value: '1.1.1.1' - } - ] - virtualNetworkRules: [ - { - action: 'Allow' - id: '' - } - ] - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'blob' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - queueServices: { - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 
'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - queues: [ - { - metadata: { - key1: 'value1' - key2: 'value2' - } - name: 'queue1' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - } - { - metadata: {} - name: 'queue2' - } - ] - } - requireInfrastructureEncryption: true - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - sasExpirationPeriod: '180.00:00:00' - skuName: 'Standard_LRS' - tableServices: { - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - tables: [ - 'table1' - 'table2' - ] - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ssamax001" - }, - // Non-required parameters - "allowBlobPublicAccess": { - "value": false - }, - "blobServices": { - "value": { - "automaticSnapshotPolicyEnabled": true, - "containerDeleteRetentionPolicyDays": 10, - "containerDeleteRetentionPolicyEnabled": true, - "containers": [ - { - "enableNfsV3AllSquash": true, - "enableNfsV3RootSquash": true, - "name": "avdscripts", - "publicAccess": "None", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - { - "allowProtectedAppendWrites": false, - "enableWORM": true, - "metadata": { - "testKey": "testValue" - }, - "name": "archivecontainer", - "publicAccess": "None", - "WORMRetention": 666 - } - ], - "deleteRetentionPolicyDays": 9, - "deleteRetentionPolicyEnabled": true, - "diagnosticSettings": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ], - "lastAccessTimeTrackingPolicyEnabled": true - } - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "enableHierarchicalNamespace": { - "value": true - }, - "enableNfsV3": { - 
"value": true - }, - "enableSftp": { - "value": true - }, - "fileServices": { - "value": { - "diagnosticSettings": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ], - "shares": [ - { - "accessTier": "Hot", - "name": "avdprofiles", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ], - "shareQuota": 5120 - }, - { - "name": "avdprofiles2", - "shareQuota": 102400 - } - ] - } - }, - "largeFileSharesState": { - "value": "Enabled" - }, - "localUsers": { - "value": [ - { - "hasSharedKey": false, - "hasSshKey": true, - "hasSshPassword": false, - "homeDirectory": "avdscripts", - "name": "testuser", - "permissionScopes": [ - { - "permissions": "r", - "resourceName": "avdscripts", - "service": "blob" - } - ], - "storageAccountName": "ssamax001" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "managementPolicyRules": { - "value": [ - { - "definition": { - "actions": { - "baseBlob": { - "delete": { - "daysAfterModificationGreaterThan": 30 - }, - "tierToCool": { - "daysAfterLastAccessTimeGreaterThan": 5 - } - } - }, - "filters": { - "blobIndexMatch": [ - { - "name": "BlobIndex", - "op": "==", - "value": "1" - } - ], - "blobTypes": [ - "blockBlob" - ], - "prefixMatch": [ - "sample-container/log" - ] - } - }, - "enabled": true, - "name": "FirstRule", - "type": "Lifecycle" - } - ] - }, - "networkAcls": { - "value": { - 
"bypass": "AzureServices", - "defaultAction": "Deny", - "ipRules": [ - { - "action": "Allow", - "value": "1.1.1.1" - } - ], - "virtualNetworkRules": [ - { - "action": "Allow", - "id": "" - } - ] - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "blob", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "queueServices": { - "value": { - "diagnosticSettings": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ], - "queues": [ - { - "metadata": { - "key1": "value1", - "key2": "value2" - }, - "name": "queue1", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - { - "metadata": {}, - "name": "queue2" - } - ] - } - }, - "requireInfrastructureEncryption": { - "value": true - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "sasExpirationPeriod": { - "value": "180.00:00:00" - }, - "skuName": { - "value": "Standard_LRS" - }, - "tableServices": { - "value": { - "diagnosticSettings": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - 
"metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ], - "tables": [ - "table1", - "table2" - ] - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 4: _Nfs_ - -

- -via Bicep module - -```bicep -module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ssanfs' - params: { - // Required parameters - name: 'ssanfs001' - // Non-required parameters - allowBlobPublicAccess: false - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - fileServices: { - shares: [ - { - enabledProtocols: 'NFS' - name: 'nfsfileshare' - } - ] - } - kind: 'FileStorage' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - skuName: 'Premium_LRS' - supportsHttpsTrafficOnly: false - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ssanfs001" - }, - // Non-required parameters - "allowBlobPublicAccess": { - "value": false - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "fileServices": { - "value": { - "shares": [ - { - "enabledProtocols": "NFS", - "name": "nfsfileshare" - } - ] - } - }, - "kind": { - "value": "FileStorage" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "skuName": { - "value": "Premium_LRS" - }, - "supportsHttpsTrafficOnly": { - "value": false - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 5: _V1_ - -

- -via Bicep module - -```bicep -module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ssav1' - params: { - // Required parameters - name: 'ssav1001' - // Non-required parameters - allowBlobPublicAccess: false - enableDefaultTelemetry: '' - kind: 'Storage' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ssav1001" - }, - // Non-required parameters - "allowBlobPublicAccess": { - "value": false - }, - "enableDefaultTelemetry": { - "value": "" - }, - "kind": { - "value": "Storage" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 6: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ssawaf' - params: { - // Required parameters - name: 'ssawaf001' - // Non-required parameters - allowBlobPublicAccess: false - blobServices: { - automaticSnapshotPolicyEnabled: true - containerDeleteRetentionPolicyDays: 10 - containerDeleteRetentionPolicyEnabled: true - containers: [ - { - enableNfsV3AllSquash: true - enableNfsV3RootSquash: true - name: 'avdscripts' - publicAccess: 'None' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - } - { - allowProtectedAppendWrites: false - enableWORM: true - metadata: { - testKey: 'testValue' - } - name: 'archivecontainer' - publicAccess: 'None' - WORMRetention: 666 - } - ] - deleteRetentionPolicyDays: 9 - deleteRetentionPolicyEnabled: true - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - lastAccessTimeTrackingPolicyEnabled: true - } - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - enableHierarchicalNamespace: true - enableNfsV3: true - enableSftp: true - fileServices: { - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - shares: [ - { - accessTier: 'Hot' - name: 'avdprofiles' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - 
shareQuota: 5120 - } - { - name: 'avdprofiles2' - shareQuota: 102400 - } - ] - } - largeFileSharesState: 'Enabled' - localUsers: [ - { - hasSharedKey: false - hasSshKey: true - hasSshPassword: false - homeDirectory: 'avdscripts' - name: 'testuser' - permissionScopes: [ - { - permissions: 'r' - resourceName: 'avdscripts' - service: 'blob' - } - ] - storageAccountName: 'ssawaf001' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - managementPolicyRules: [ - { - definition: { - actions: { - baseBlob: { - delete: { - daysAfterModificationGreaterThan: 30 - } - tierToCool: { - daysAfterLastAccessTimeGreaterThan: 5 - } - } - } - filters: { - blobIndexMatch: [ - { - name: 'BlobIndex' - op: '==' - value: '1' - } - ] - blobTypes: [ - 'blockBlob' - ] - prefixMatch: [ - 'sample-container/log' - ] - } - } - enabled: true - name: 'FirstRule' - type: 'Lifecycle' - } - ] - networkAcls: { - bypass: 'AzureServices' - defaultAction: 'Deny' - ipRules: [ - { - action: 'Allow' - value: '1.1.1.1' - } - ] - virtualNetworkRules: [ - { - action: 'Allow' - id: '' - } - ] - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'blob' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - queueServices: { - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - queues: [ - { - metadata: { - key1: 'value1' - key2: 'value2' - } - name: 'queue1' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - } - { - metadata: {} - name: 'queue2' - } - ] - } - requireInfrastructureEncryption: true - sasExpirationPeriod: 
'180.00:00:00' - skuName: 'Standard_LRS' - tableServices: { - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - tables: [ - 'table1' - 'table2' - ] - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ssawaf001" - }, - // Non-required parameters - "allowBlobPublicAccess": { - "value": false - }, - "blobServices": { - "value": { - "automaticSnapshotPolicyEnabled": true, - "containerDeleteRetentionPolicyDays": 10, - "containerDeleteRetentionPolicyEnabled": true, - "containers": [ - { - "enableNfsV3AllSquash": true, - "enableNfsV3RootSquash": true, - "name": "avdscripts", - "publicAccess": "None", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - { - "allowProtectedAppendWrites": false, - "enableWORM": true, - "metadata": { - "testKey": "testValue" - }, - "name": "archivecontainer", - "publicAccess": "None", - "WORMRetention": 666 - } - ], - "deleteRetentionPolicyDays": 9, - "deleteRetentionPolicyEnabled": true, - "diagnosticSettings": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ], - "lastAccessTimeTrackingPolicyEnabled": true - } - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "enableHierarchicalNamespace": { - "value": true - }, - "enableNfsV3": { - "value": true - }, - "enableSftp": { - "value": true - }, - "fileServices": { - "value": { - "diagnosticSettings": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": 
"AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ], - "shares": [ - { - "accessTier": "Hot", - "name": "avdprofiles", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "shareQuota": 5120 - }, - { - "name": "avdprofiles2", - "shareQuota": 102400 - } - ] - } - }, - "largeFileSharesState": { - "value": "Enabled" - }, - "localUsers": { - "value": [ - { - "hasSharedKey": false, - "hasSshKey": true, - "hasSshPassword": false, - "homeDirectory": "avdscripts", - "name": "testuser", - "permissionScopes": [ - { - "permissions": "r", - "resourceName": "avdscripts", - "service": "blob" - } - ], - "storageAccountName": "ssawaf001" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "managementPolicyRules": { - "value": [ - { - "definition": { - "actions": { - "baseBlob": { - "delete": { - "daysAfterModificationGreaterThan": 30 - }, - "tierToCool": { - "daysAfterLastAccessTimeGreaterThan": 5 - } - } - }, - "filters": { - "blobIndexMatch": [ - { - "name": "BlobIndex", - "op": "==", - "value": "1" - } - ], - "blobTypes": [ - "blockBlob" - ], - "prefixMatch": [ - "sample-container/log" - ] - } - }, - "enabled": true, - "name": "FirstRule", - "type": "Lifecycle" - } - ] - }, - "networkAcls": { - "value": { - "bypass": "AzureServices", - "defaultAction": "Deny", - "ipRules": [ - { - "action": "Allow", - "value": "1.1.1.1" - } - ], - "virtualNetworkRules": [ - { - "action": "Allow", - "id": "" - } - ] - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "blob", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } 
- } - ] - }, - "queueServices": { - "value": { - "diagnosticSettings": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ], - "queues": [ - { - "metadata": { - "key1": "value1", - "key2": "value2" - }, - "name": "queue1", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - { - "metadata": {}, - "name": "queue2" - } - ] - } - }, - "requireInfrastructureEncryption": { - "value": true - }, - "sasExpirationPeriod": { - "value": "180.00:00:00" - }, - "skuName": { - "value": "Standard_LRS" - }, - "tableServices": { - "value": { - "diagnosticSettings": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ], - "tables": [ - "table1", - "table2" - ] - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the Storage Account. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`accessTier`](#parameter-accesstier) | string | Required if the Storage Account kind is set to BlobStorage. The access tier is used for billing. The "Premium" access tier is the default value for premium block blobs storage account type and it cannot be changed for the premium block blobs storage account type. | -| [`enableHierarchicalNamespace`](#parameter-enablehierarchicalnamespace) | bool | If true, enables Hierarchical Namespace for the storage account. Required if enableSftp or enableNfsV3 is set to true. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`allowBlobPublicAccess`](#parameter-allowblobpublicaccess) | bool | Indicates whether public access is enabled for all blobs or containers in the storage account. For security reasons, it is recommended to set it to false. | -| [`allowCrossTenantReplication`](#parameter-allowcrosstenantreplication) | bool | Allow or disallow cross AAD tenant object replication. | -| [`allowedCopyScope`](#parameter-allowedcopyscope) | string | Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet. | -| [`allowSharedKeyAccess`](#parameter-allowsharedkeyaccess) | bool | Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true. | -| [`azureFilesIdentityBasedAuthentication`](#parameter-azurefilesidentitybasedauthentication) | object | Provides the identity based authentication settings for Azure Files. 
| -| [`blobServices`](#parameter-blobservices) | object | Blob service and containers to deploy. | -| [`customDomainName`](#parameter-customdomainname) | string | Sets the custom domain name assigned to the storage account. Name is the CNAME source. | -| [`customDomainUseSubDomainName`](#parameter-customdomainusesubdomainname) | bool | Indicates whether indirect CName validation is enabled. This should only be set on updates. | -| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition. | -| [`defaultToOAuthAuthentication`](#parameter-defaulttooauthauthentication) | bool | A boolean flag which indicates whether the default authentication is OAuth or not. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`dnsEndpointType`](#parameter-dnsendpointtype) | string | Allows you to specify the type of endpoint. Set this to AzureDNSZone to create a large number of accounts in a single subscription, which creates accounts in an Azure DNS Zone and the endpoint URL will have an alphanumeric DNS Zone identifier. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`enableNfsV3`](#parameter-enablenfsv3) | bool | If true, enables NFS 3.0 support for the storage account. Requires enableHierarchicalNamespace to be true. | -| [`enableSftp`](#parameter-enablesftp) | bool | If true, enables Secure File Transfer Protocol for the storage account. Requires enableHierarchicalNamespace to be true. | -| [`fileServices`](#parameter-fileservices) | object | File service and shares to deploy. | -| [`isLocalUserEnabled`](#parameter-islocaluserenabled) | bool | Enables local users feature, if set to true. | -| [`kind`](#parameter-kind) | string | Type of Storage Account to create. | -| [`largeFileSharesState`](#parameter-largefilesharesstate) | string | Allow large file shares if sets to 'Enabled'. 
It cannot be disabled once it is enabled. Only supported on locally redundant and zone redundant file shares. It cannot be set on FileStorage storage accounts (storage accounts for premium file shares). | -| [`localUsers`](#parameter-localusers) | array | Local users to deploy for SFTP authentication. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`managementPolicyRules`](#parameter-managementpolicyrules) | array | The Storage Account ManagementPolicies Rules. | -| [`minimumTlsVersion`](#parameter-minimumtlsversion) | string | Set the minimum TLS version on request to storage. | -| [`networkAcls`](#parameter-networkacls) | object | Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny. | -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set. | -| [`queueServices`](#parameter-queueservices) | object | Queue service and queues to create. | -| [`requireInfrastructureEncryption`](#parameter-requireinfrastructureencryption) | bool | A Boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. 
|
-| [`sasExpirationPeriod`](#parameter-sasexpirationperiod) | string | The SAS expiration period. DD.HH:MM:SS. |
-| [`skuName`](#parameter-skuname) | string | Storage Account Sku Name. |
-| [`supportsHttpsTrafficOnly`](#parameter-supportshttpstrafficonly) | bool | Allows HTTPS traffic only to storage service if sets to true. |
-| [`tableServices`](#parameter-tableservices) | object | Table service and tables to create. |
-| [`tags`](#parameter-tags) | object | Tags of the resource. |
-
-### Parameter: `name`
-
-Name of the Storage Account.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `accessTier`
-
-Required if the Storage Account kind is set to BlobStorage. The access tier is used for billing. The "Premium" access tier is the default value for premium block blobs storage account type and it cannot be changed for the premium block blobs storage account type.
-
-- Required: No
-- Type: string
-- Default: `'Hot'`
-- Allowed:
- ```Bicep
- [
- 'Cool'
- 'Hot'
- 'Premium'
- ]
- ```
-
-### Parameter: `enableHierarchicalNamespace`
-
-If true, enables Hierarchical Namespace for the storage account. Required if enableSftp or enableNfsV3 is set to true.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `allowBlobPublicAccess`
-
-Indicates whether public access is enabled for all blobs or containers in the storage account. For security reasons, it is recommended to set it to false.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `allowCrossTenantReplication`
-
-Allow or disallow cross AAD tenant object replication.
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `allowedCopyScope`
-
-Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet. 
-
-- Required: No
-- Type: string
-- Default: `''`
-- Allowed:
- ```Bicep
- [
- ''
- 'AAD'
- 'PrivateLink'
- ]
- ```
-
-### Parameter: `allowSharedKeyAccess`
-
-Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true.
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `azureFilesIdentityBasedAuthentication`
-
-Provides the identity based authentication settings for Azure Files.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `blobServices`
-
-Blob service and containers to deploy.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `customDomainName`
-
-Sets the custom domain name assigned to the storage account. Name is the CNAME source.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `customDomainUseSubDomainName`
-
-Indicates whether indirect CName validation is enabled. This should only be set on updates.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `customerManagedKey`
-
-The customer managed key definition.
-
-- Required: No
-- Type: object
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. |
-| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. 
|
-| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. |
-
-### Parameter: `customerManagedKey.keyName`
-
-The name of the customer managed key to use for encryption.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `customerManagedKey.keyVaultResourceId`
-
-The resource ID of a key vault to reference a customer managed key for encryption from.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `customerManagedKey.keyVersion`
-
-The version of the customer managed key to reference for encryption. If not provided, using 'latest'.
-
-- Required: No
-- Type: string
-
-### Parameter: `customerManagedKey.userAssignedIdentityResourceId`
-
-User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use.
-
-- Required: No
-- Type: string
-
-### Parameter: `defaultToOAuthAuthentication`
-
-A boolean flag which indicates whether the default authentication is OAuth or not.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `diagnosticSettings`
-
-The diagnostic settings of the service.
-
-- Required: No
-- Type: array
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
-| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. |
-| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. |
-| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. |
-| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-
-### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId`
-
-Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.eventHubName`
-
-Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.logAnalyticsDestinationType`
-
-A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'AzureDiagnostics'
- 'Dedicated'
- ]
- ```
-
-### Parameter: `diagnosticSettings.marketplacePartnerResourceId`
-
-The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.metricCategories`
-
-The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
-
-- Required: No
-- Type: array
-
-### Parameter: `diagnosticSettings.name`
-
-The name of diagnostic setting.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.storageAccountResourceId`
-
-Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.workspaceResourceId`
-
-Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-
-- Required: No
-- Type: string
-
-### Parameter: `dnsEndpointType`
-
-Allows you to specify the type of endpoint. Set this to AzureDNSZone to create a large number of accounts in a single subscription, which creates accounts in an Azure DNS Zone and the endpoint URL will have an alphanumeric DNS Zone identifier. 
-
-- Required: No
-- Type: string
-- Default: `''`
-- Allowed:
- ```Bicep
- [
- ''
- 'AzureDnsZone'
- 'Standard'
- ]
- ```
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `enableNfsV3`
-
-If true, enables NFS 3.0 support for the storage account. Requires enableHierarchicalNamespace to be true.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `enableSftp`
-
-If true, enables Secure File Transfer Protocol for the storage account. Requires enableHierarchicalNamespace to be true.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `fileServices`
-
-File service and shares to deploy.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `isLocalUserEnabled`
-
-Enables local users feature, if set to true.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `kind`
-
-Type of Storage Account to create.
-
-- Required: No
-- Type: string
-- Default: `'StorageV2'`
-- Allowed:
- ```Bicep
- [
- 'BlobStorage'
- 'BlockBlobStorage'
- 'FileStorage'
- 'Storage'
- 'StorageV2'
- ]
- ```
-
-### Parameter: `largeFileSharesState`
-
-Allow large file shares if sets to 'Enabled'. It cannot be disabled once it is enabled. Only supported on locally redundant and zone redundant file shares. It cannot be set on FileStorage storage accounts (storage accounts for premium file shares).
-
-- Required: No
-- Type: string
-- Default: `'Disabled'`
-- Allowed:
- ```Bicep
- [
- 'Disabled'
- 'Enabled'
- ]
- ```
-
-### Parameter: `localUsers`
-
-Local users to deploy for SFTP authentication.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `location`
-
-Location for all resources.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-### Parameter: `lock`
-
-The lock settings of the service. 
-
-- Required: No
-- Type: object
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`kind`](#parameter-lockkind) | string | Specify the type of lock. |
-| [`name`](#parameter-lockname) | string | Specify the name of lock. |
-
-### Parameter: `lock.kind`
-
-Specify the type of lock.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'CanNotDelete'
- 'None'
- 'ReadOnly'
- ]
- ```
-
-### Parameter: `lock.name`
-
-Specify the name of lock.
-
-- Required: No
-- Type: string
-
-### Parameter: `managedIdentities`
-
-The managed identity definition for this resource.
-
-- Required: No
-- Type: object
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. |
-| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. |
-
-### Parameter: `managedIdentities.systemAssigned`
-
-Enables system assigned managed identity on the resource.
-
-- Required: No
-- Type: bool
-
-### Parameter: `managedIdentities.userAssignedResourceIds`
-
-The resource ID(s) to assign to the resource.
-
-- Required: No
-- Type: array
-
-### Parameter: `managementPolicyRules`
-
-The Storage Account ManagementPolicies Rules.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `minimumTlsVersion`
-
-Set the minimum TLS version on request to storage.
-
-- Required: No
-- Type: string
-- Default: `'TLS1_2'`
-- Allowed:
- ```Bicep
- [
- 'TLS1_0'
- 'TLS1_1'
- 'TLS1_2'
- ]
- ```
-
-### Parameter: `networkAcls`
-
-Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `privateEndpoints`
-
-Configuration details for private endpoints. 
For security reasons, it is recommended to use private endpoints whenever possible.
-
-- Required: No
-- Type: array
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". |
-| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. |
-| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. |
-| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. |
-| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. |
-| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. |
-| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. |
-| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. |
-| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. |
-| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. 
|
-| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. |
-| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. |
-| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. |
-| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. |
-
-### Parameter: `privateEndpoints.service`
-
-The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".
-
-- Required: Yes
-- Type: string
-
-### Parameter: `privateEndpoints.subnetResourceId`
-
-Resource ID of the subnet where the endpoint needs to be created.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds`
-
-Application security groups in which the private endpoint IP configuration is included.
-
-- Required: No
-- Type: array
-
-### Parameter: `privateEndpoints.customDnsConfigs`
-
-Custom DNS configurations.
-
-- Required: No
-- Type: array
-
-### Parameter: `privateEndpoints.customNetworkInterfaceName`
-
-The custom name of the network interface attached to the private endpoint.
-
-- Required: No
-- Type: string
-
-### Parameter: `privateEndpoints.enableTelemetry`
-
-Enable/Disable usage telemetry for module.
-
-- Required: No
-- Type: bool
-
-### Parameter: `privateEndpoints.ipConfigurations`
-
-A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.
-
-- Required: No
-- Type: array
-
-### Parameter: `privateEndpoints.location`
-
-The location to deploy the private endpoint to. 
-
-- Required: No
-- Type: string
-
-### Parameter: `privateEndpoints.lock`
-
-Specify the type of lock.
-
-- Required: No
-- Type: object
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. |
-| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. |
-
-### Parameter: `privateEndpoints.lock.kind`
-
-Specify the type of lock.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'CanNotDelete'
- 'None'
- 'ReadOnly'
- ]
- ```
-
-### Parameter: `privateEndpoints.lock.name`
-
-Specify the name of lock.
-
-- Required: No
-- Type: string
-
-### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections`
-
-Manual PrivateLink Service Connections.
-
-- Required: No
-- Type: array
-
-### Parameter: `privateEndpoints.name`
-
-The name of the private endpoint.
-
-- Required: No
-- Type: string
-
-### Parameter: `privateEndpoints.privateDnsZoneGroupName`
-
-The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.
-
-- Required: No
-- Type: string
-
-### Parameter: `privateEndpoints.privateDnsZoneResourceIds`
-
-The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.
-
-- Required: No
-- Type: array
-
-### Parameter: `privateEndpoints.roleAssignments`
-
-Array of role assignments to create.
-
-- Required: No
-- Type: array
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. |
-| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
-| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. |
-| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. |
-| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. |
-| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. |
-
-### Parameter: `privateEndpoints.roleAssignments.principalId`
-
-The principal ID of the principal (user/group/identity) to assign the role to.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName`
-
-The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `privateEndpoints.roleAssignments.condition`
-
-The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
-
-- Required: No
-- Type: string
-
-### Parameter: `privateEndpoints.roleAssignments.conditionVersion`
-
-Version of the condition.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- '2.0'
- ]
- ```
-
-### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId`
-
-The Resource Id of the delegated managed identity resource.
-
-- Required: No
-- Type: string
-
-### Parameter: `privateEndpoints.roleAssignments.description`
-
-The description of the role assignment.
-
-- Required: No
-- Type: string
-
-### Parameter: `privateEndpoints.roleAssignments.principalType`
-
-The principal type of the assigned principal ID.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Device'
- 'ForeignGroup'
- 'Group'
- 'ServicePrincipal'
- 'User'
- ]
- ```
-
-### Parameter: `privateEndpoints.tags`
-
-Tags to be applied on all resources/resource groups in this deployment.
-
-- Required: No
-- Type: object
-
-### Parameter: `publicNetworkAccess`
-
-Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set.
-
-- Required: No
-- Type: string
-- Default: `''`
-- Allowed:
- ```Bicep
- [
- ''
- 'Disabled'
- 'Enabled'
- ]
- ```
-
-### Parameter: `queueServices`
-
-Queue service and queues to create.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `requireInfrastructureEncryption`
-
-A Boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true.
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `roleAssignments`
-
-Array of role assignments to create. 
-
-- Required: No
-- Type: array
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
-| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. |
-| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. |
-| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. |
-| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. |
-
-### Parameter: `roleAssignments.principalId`
-
-The principal ID of the principal (user/group/identity) to assign the role to.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.roleDefinitionIdOrName`
-
-The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.condition`
-
-The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.conditionVersion`
-
-Version of the condition.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- '2.0'
- ]
- ```
-
-### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
-
-The Resource Id of the delegated managed identity resource.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.description`
-
-The description of the role assignment.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.principalType`
-
-The principal type of the assigned principal ID.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Device'
- 'ForeignGroup'
- 'Group'
- 'ServicePrincipal'
- 'User'
- ]
- ```
-
-### Parameter: `sasExpirationPeriod`
-
-The SAS expiration period. DD.HH:MM:SS.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `skuName`
-
-Storage Account Sku Name.
-
-- Required: No
-- Type: string
-- Default: `'Standard_GRS'`
-- Allowed:
- ```Bicep
- [
- 'Premium_LRS'
- 'Premium_ZRS'
- 'Standard_GRS'
- 'Standard_GZRS'
- 'Standard_LRS'
- 'Standard_RAGRS'
- 'Standard_RAGZRS'
- 'Standard_ZRS'
- ]
- ```
-
-### Parameter: `supportsHttpsTrafficOnly`
-
-Allows HTTPS traffic only to storage service if sets to true.
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `tableServices`
-
-Table service and tables to create.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `tags`
-
-Tags of the resource.
-
-- Required: No
-- Type: object
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. 
|
-| `name` | string | The name of the deployed storage account. |
-| `primaryBlobEndpoint` | string | The primary blob endpoint reference if blob services are deployed. |
-| `resourceGroupName` | string | The resource group of the deployed storage account. |
-| `resourceId` | string | The resource ID of the deployed storage account. |
-| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. |
-
-## Cross-referenced modules
-
-This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
-
-| Reference | Type |
-| :-- | :-- |
-| `modules/network/private-endpoint` | Local reference |
-
-## Notes
-
-This is a generic module for deploying a Storage Account. Any customization for different storage needs (such as a diagnostic or other storage account) need to be done through the Archetype.
-The hierarchical namespace of the storage account (see parameter `enableHierarchicalNamespace`), can be only set at creation time.
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/storage/storage-account/blob-service/README.md b/modules/storage/storage-account/blob-service/README.md
deleted file mode 100644
index 34a9181734..0000000000
--- a/modules/storage/storage-account/blob-service/README.md
+++ /dev/null
@@ -1,294 +0,0 @@ -# Storage Account blob Services `[Microsoft.Storage/storageAccounts/blobServices]` - -This module deploys a Storage Account Blob Service. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Storage/storageAccounts/blobServices` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2022-09-01/storageAccounts/blobServices) | -| `Microsoft.Storage/storageAccounts/blobServices/containers` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2022-09-01/storageAccounts/blobServices/containers) | -| `Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2022-09-01/storageAccounts/blobServices/containers/immutabilityPolicies) | - -## Parameters - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`storageAccountName`](#parameter-storageaccountname) | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`automaticSnapshotPolicyEnabled`](#parameter-automaticsnapshotpolicyenabled) | bool | Automatic Snapshot is enabled if set to true. | -| [`changeFeedEnabled`](#parameter-changefeedenabled) | bool | The blob service properties for change feed events. 
Indicates whether change feed event logging is enabled for the Blob service. | -| [`changeFeedRetentionInDays`](#parameter-changefeedretentionindays) | int | Indicates whether change feed event logging is enabled for the Blob service. Indicates the duration of changeFeed retention in days. A "0" value indicates an infinite retention of the change feed. | -| [`containerDeleteRetentionPolicyAllowPermanentDelete`](#parameter-containerdeleteretentionpolicyallowpermanentdelete) | bool | This property when set to true allows deletion of the soft deleted blob versions and snapshots. This property cannot be used with blob restore policy. This property only applies to blob service and does not apply to containers or file share. | -| [`containerDeleteRetentionPolicyDays`](#parameter-containerdeleteretentionpolicydays) | int | Indicates the number of days that the deleted item should be retained. | -| [`containerDeleteRetentionPolicyEnabled`](#parameter-containerdeleteretentionpolicyenabled) | bool | The blob service properties for container soft delete. Indicates whether DeleteRetentionPolicy is enabled. | -| [`containers`](#parameter-containers) | array | Blob containers to create. | -| [`corsRules`](#parameter-corsrules) | array | Specifies CORS rules for the Blob service. You can include up to five CorsRule elements in the request. If no CorsRule elements are included in the request body, all CORS rules will be deleted, and CORS will be disabled for the Blob service. | -| [`defaultServiceVersion`](#parameter-defaultserviceversion) | string | Indicates the default version to use for requests to the Blob service if an incoming request's version is not specified. Possible values include version 2008-10-27 and all more recent versions. | -| [`deleteRetentionPolicyAllowPermanentDelete`](#parameter-deleteretentionpolicyallowpermanentdelete) | bool | This property when set to true allows deletion of the soft deleted blob versions and snapshots. 
This property cannot be used with blob restore policy. This property only applies to blob service and does not apply to containers or file share. | -| [`deleteRetentionPolicyDays`](#parameter-deleteretentionpolicydays) | int | Indicates the number of days that the deleted blob should be retained. | -| [`deleteRetentionPolicyEnabled`](#parameter-deleteretentionpolicyenabled) | bool | The blob service properties for blob soft delete. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`isVersioningEnabled`](#parameter-isversioningenabled) | bool | Use versioning to automatically maintain previous versions of your blobs. | -| [`lastAccessTimeTrackingPolicyEnabled`](#parameter-lastaccesstimetrackingpolicyenabled) | bool | The blob service property to configure last access time based tracking policy. When set to true last access time based tracking is enabled. | -| [`restorePolicyDays`](#parameter-restorepolicydays) | int | How long this blob can be restored. It should be less than DeleteRetentionPolicy days. | -| [`restorePolicyEnabled`](#parameter-restorepolicyenabled) | bool | The blob service properties for blob restore policy. If point-in-time restore is enabled, then versioning, change feed, and blob soft delete must also be enabled. | - -### Parameter: `storageAccountName` - -The name of the parent Storage Account. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `automaticSnapshotPolicyEnabled` - -Automatic Snapshot is enabled if set to true. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `changeFeedEnabled` - -The blob service properties for change feed events. Indicates whether change feed event logging is enabled for the Blob service. 
- -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `changeFeedRetentionInDays` - -Indicates whether change feed event logging is enabled for the Blob service. Indicates the duration of changeFeed retention in days. A "0" value indicates an infinite retention of the change feed. - -- Required: No -- Type: int - -### Parameter: `containerDeleteRetentionPolicyAllowPermanentDelete` - -This property when set to true allows deletion of the soft deleted blob versions and snapshots. This property cannot be used with blob restore policy. This property only applies to blob service and does not apply to containers or file share. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `containerDeleteRetentionPolicyDays` - -Indicates the number of days that the deleted item should be retained. - -- Required: No -- Type: int - -### Parameter: `containerDeleteRetentionPolicyEnabled` - -The blob service properties for container soft delete. Indicates whether DeleteRetentionPolicy is enabled. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `containers` - -Blob containers to create. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `corsRules` - -Specifies CORS rules for the Blob service. You can include up to five CorsRule elements in the request. If no CorsRule elements are included in the request body, all CORS rules will be deleted, and CORS will be disabled for the Blob service. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `defaultServiceVersion` - -Indicates the default version to use for requests to the Blob service if an incoming request's version is not specified. Possible values include version 2008-10-27 and all more recent versions. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `deleteRetentionPolicyAllowPermanentDelete` - -This property when set to true allows deletion of the soft deleted blob versions and snapshots. 
This property cannot be used with blob restore policy. This property only applies to blob service and does not apply to containers or file share. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `deleteRetentionPolicyDays` - -Indicates the number of days that the deleted blob should be retained. - -- Required: No -- Type: int - -### Parameter: `deleteRetentionPolicyEnabled` - -The blob service properties for blob soft delete. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `isVersioningEnabled` - -Use versioning to automatically maintain previous versions of your blobs. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `lastAccessTimeTrackingPolicyEnabled` - -The blob service property to configure last access time based tracking policy. When set to true last access time based tracking is enabled. 
- -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `restorePolicyDays` - -How long this blob can be restored. It should be less than DeleteRetentionPolicy days. - -- Required: No -- Type: int - -### Parameter: `restorePolicyEnabled` - -The blob service properties for blob restore policy. If point-in-time restore is enabled, then versioning, change feed, and blob soft delete must also be enabled. - -- Required: No -- Type: bool -- Default: `True` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed blob service. | -| `resourceGroupName` | string | The name of the deployed blob service. | -| `resourceId` | string | The resource ID of the deployed blob service. | - -## Cross-referenced modules - -_None_ diff --git a/modules/storage/storage-account/blob-service/container/README.md b/modules/storage/storage-account/blob-service/container/README.md deleted file mode 100644 index 34149b563a..0000000000 --- a/modules/storage/storage-account/blob-service/container/README.md +++ /dev/null 
@@ -1,252 +0,0 @@ -# Storage Account Blob Containers `[Microsoft.Storage/storageAccounts/blobServices/containers]` - -This module deploys a Storage Account Blob Container. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Storage/storageAccounts/blobServices/containers` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2022-09-01/storageAccounts/blobServices/containers) | -| `Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2022-09-01/storageAccounts/blobServices/containers/immutabilityPolicies) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the storage container to deploy. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`storageAccountName`](#parameter-storageaccountname) | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`defaultEncryptionScope`](#parameter-defaultencryptionscope) | string | Default the container to use specified encryption scope for all writes. | -| [`denyEncryptionScopeOverride`](#parameter-denyencryptionscopeoverride) | bool | Block override of encryption scope from the container default. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). 
| -| [`enableNfsV3AllSquash`](#parameter-enablenfsv3allsquash) | bool | Enable NFSv3 all squash on blob container. | -| [`enableNfsV3RootSquash`](#parameter-enablenfsv3rootsquash) | bool | Enable NFSv3 root squash on blob container. | -| [`immutabilityPolicyName`](#parameter-immutabilitypolicyname) | string | Name of the immutable policy. | -| [`immutabilityPolicyProperties`](#parameter-immutabilitypolicyproperties) | object | Configure immutability policy. | -| [`immutableStorageWithVersioningEnabled`](#parameter-immutablestoragewithversioningenabled) | bool | This is an immutable property, when set to true it enables object level immutability at the container level. The property is immutable and can only be set to true at the container creation time. Existing containers must undergo a migration process. | -| [`metadata`](#parameter-metadata) | object | A name-value pair to associate with the container as metadata. | -| [`publicAccess`](#parameter-publicaccess) | string | Specifies whether data in the container may be accessed publicly and the level of access. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | - -### Parameter: `name` - -The name of the storage container to deploy. - -- Required: Yes -- Type: string - -### Parameter: `storageAccountName` - -The name of the parent Storage Account. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `defaultEncryptionScope` - -Default the container to use specified encryption scope for all writes. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `denyEncryptionScopeOverride` - -Block override of encryption scope from the container default. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). 
- -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableNfsV3AllSquash` - -Enable NFSv3 all squash on blob container. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `enableNfsV3RootSquash` - -Enable NFSv3 root squash on blob container. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `immutabilityPolicyName` - -Name of the immutable policy. - -- Required: No -- Type: string -- Default: `'default'` - -### Parameter: `immutabilityPolicyProperties` - -Configure immutability policy. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `immutableStorageWithVersioningEnabled` - -This is an immutable property, when set to true it enables object level immutability at the container level. The property is immutable and can only be set to true at the container creation time. Existing containers must undergo a migration process. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `metadata` - -A name-value pair to associate with the container as metadata. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `publicAccess` - -Specifies whether data in the container may be accessed publicly and the level of access. - -- Required: No -- Type: string -- Default: `'None'` -- Allowed: - ```Bicep - [ - 'Blob' - 'Container' - 'None' - ] - ``` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed container. | -| `resourceGroupName` | string | The resource group of the deployed container. | -| `resourceId` | string | The resource ID of the deployed container. | - -## Cross-referenced modules - -_None_ diff --git a/modules/storage/storage-account/blob-service/container/immutability-policy/README.md b/modules/storage/storage-account/blob-service/container/immutability-policy/README.md deleted file mode 100644 index 074aec61c7..0000000000 --- a/modules/storage/storage-account/blob-service/container/immutability-policy/README.md +++ /dev/null 
@@ -1,93 +0,0 @@
-# Storage Account Blob Container Immutability Policies `[Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies]`
-
-This module deploys a Storage Account Blob Container Immutability Policy.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2022-09-01/storageAccounts/blobServices/containers/immutabilityPolicies) |
-
-## Parameters
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`containerName`](#parameter-containername) | string | The name of the parent container to apply the policy to. Required if the template is used in a standalone deployment. |
-| [`storageAccountName`](#parameter-storageaccountname) | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`allowProtectedAppendWrites`](#parameter-allowprotectedappendwrites) | bool | This property can only be changed for unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. This property cannot be changed with ExtendImmutabilityPolicy API. |
-| [`allowProtectedAppendWritesAll`](#parameter-allowprotectedappendwritesall) | bool | This property can only be changed for unlocked time-based retention policies. When enabled, new blocks can be written to both "Append and Block Blobs" while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. This property cannot be changed with ExtendImmutabilityPolicy API. The "allowProtectedAppendWrites" and "allowProtectedAppendWritesAll" properties are mutually exclusive. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`immutabilityPeriodSinceCreationInDays`](#parameter-immutabilityperiodsincecreationindays) | int | The immutability period for the blobs in the container since the policy creation, in days. |
-
-### Parameter: `containerName`
-
-The name of the parent container to apply the policy to. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `storageAccountName`
-
-The name of the parent Storage Account. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `allowProtectedAppendWrites`
-
-This property can only be changed for unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. This property cannot be changed with ExtendImmutabilityPolicy API.
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `allowProtectedAppendWritesAll`
-
-This property can only be changed for unlocked time-based retention policies. When enabled, new blocks can be written to both "Append and Block Blobs" while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. This property cannot be changed with ExtendImmutabilityPolicy API. The "allowProtectedAppendWrites" and "allowProtectedAppendWritesAll" properties are mutually exclusive.
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `immutabilityPeriodSinceCreationInDays`
-
-The immutability period for the blobs in the container since the policy creation, in days.
-
-- Required: No
-- Type: int
-- Default: `365`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed immutability policy. |
-| `resourceGroupName` | string | The resource group of the deployed immutability policy. |
-| `resourceId` | string | The resource ID of the deployed immutability policy. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/storage/storage-account/blob-service/container/immutability-policy/main.bicep b/modules/storage/storage-account/blob-service/container/immutability-policy/main.bicep
deleted file mode 100644
index 80fcc92a51..0000000000
--- a/modules/storage/storage-account/blob-service/container/immutability-policy/main.bicep
+++ /dev/null
@@ -1,65 +0,0 @@
-metadata name = 'Storage Account Blob Container Immutability Policies'
-metadata description = 'This module deploys a Storage Account Blob Container Immutability Policy.'
-metadata owner = 'Azure/module-maintainers'
-
-@maxLength(24)
-@description('Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment.')
-param storageAccountName string
-
-@description('Conditional. The name of the parent container to apply the policy to. Required if the template is used in a standalone deployment.')
-param containerName string
-
-@description('Optional. The immutability period for the blobs in the container since the policy creation, in days.')
-param immutabilityPeriodSinceCreationInDays int = 365
-
-@description('Optional. This property can only be changed for unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. This property cannot be changed with ExtendImmutabilityPolicy API.')
-param allowProtectedAppendWrites bool = true
-
-@description('Optional. This property can only be changed for unlocked time-based retention policies. When enabled, new blocks can be written to both "Append and Block Blobs" while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. This property cannot be changed with ExtendImmutabilityPolicy API. The "allowProtectedAppendWrites" and "allowProtectedAppendWritesAll" properties are mutually exclusive.')
-param allowProtectedAppendWritesAll bool = true
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' existing = {
- name: storageAccountName
-
- resource blobServices 'blobServices@2022-09-01' existing = {
- name: 'default'
-
- resource container 'containers@2022-09-01' existing = {
- name: containerName
- }
- }
-}
-
-resource immutabilityPolicy 'Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies@2022-09-01' = {
- name: 'default'
- parent: storageAccount::blobServices::container
- properties: {
- immutabilityPeriodSinceCreationInDays: immutabilityPeriodSinceCreationInDays
- allowProtectedAppendWrites: allowProtectedAppendWrites
- allowProtectedAppendWritesAll: allowProtectedAppendWritesAll
- }
-}
-
-@description('The name of the deployed immutability policy.')
-output name string = immutabilityPolicy.name
-
-@description('The resource ID of the deployed immutability policy.')
-output resourceId string = immutabilityPolicy.id
-
-@description('The resource group of the deployed immutability policy.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/storage/storage-account/blob-service/container/immutability-policy/main.json b/modules/storage/storage-account/blob-service/container/immutability-policy/main.json
deleted file mode 100644
index acccffe952..0000000000
--- a/modules/storage/storage-account/blob-service/container/immutability-policy/main.json
+++ /dev/null
@@ -1,106 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "4658218767079659572" - }, - "name": "Storage Account Blob Container Immutability Policies", - "description": "This module deploys a Storage Account Blob Container Immutability Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "containerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent container to apply the policy to. Required if the template is used in a standalone deployment." - } - }, - "immutabilityPeriodSinceCreationInDays": { - "type": "int", - "defaultValue": 365, - "metadata": { - "description": "Optional. The immutability period for the blobs in the container since the policy creation, in days." - } - }, - "allowProtectedAppendWrites": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. This property can only be changed for unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. This property cannot be changed with ExtendImmutabilityPolicy API." - } - }, - "allowProtectedAppendWritesAll": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. This property can only be changed for unlocked time-based retention policies. When enabled, new blocks can be written to both \"Append and Block Blobs\" while maintaining immutability protection and compliance. 
Only new blocks can be added and any existing blocks cannot be modified or deleted. This property cannot be changed with ExtendImmutabilityPolicy API. The \"allowProtectedAppendWrites\" and \"allowProtectedAppendWritesAll\" properties are mutually exclusive." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}/{2}/{3}', parameters('storageAccountName'), 'default', parameters('containerName'), 'default')]", - "properties": { - "immutabilityPeriodSinceCreationInDays": "[parameters('immutabilityPeriodSinceCreationInDays')]", - "allowProtectedAppendWrites": "[parameters('allowProtectedAppendWrites')]", - "allowProtectedAppendWritesAll": "[parameters('allowProtectedAppendWritesAll')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed immutability policy." - }, - "value": "default" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed immutability policy." 
- }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies', parameters('storageAccountName'), 'default', parameters('containerName'), 'default')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed immutability policy." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/storage/storage-account/blob-service/container/immutability-policy/version.json b/modules/storage/storage-account/blob-service/container/immutability-policy/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/storage/storage-account/blob-service/container/immutability-policy/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/storage/storage-account/blob-service/container/main.bicep b/modules/storage/storage-account/blob-service/container/main.bicep deleted file mode 100644 index 2515388344..0000000000 --- a/modules/storage/storage-account/blob-service/container/main.bicep +++ /dev/null 
@@ -1,172 +0,0 @@
-metadata name = 'Storage Account Blob Containers'
-metadata description = 'This module deploys a Storage Account Blob Container.'
-metadata owner = 'Azure/module-maintainers'
-
-@maxLength(24)
-@description('Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment.')
-param storageAccountName string
-
-@description('Required. The name of the storage container to deploy.')
-param name string
-
-@description('Optional. Default the container to use specified encryption scope for all writes.')
-param defaultEncryptionScope string = ''
-
-@description('Optional. Block override of encryption scope from the container default.')
-param denyEncryptionScopeOverride bool = false
-
-@description('Optional. Enable NFSv3 all squash on blob container.')
-param enableNfsV3AllSquash bool = false
-
-@description('Optional. Enable NFSv3 root squash on blob container.')
-param enableNfsV3RootSquash bool = false
-
-@description('Optional. This is an immutable property, when set to true it enables object level immutability at the container level. The property is immutable and can only be set to true at the container creation time. Existing containers must undergo a migration process.')
-param immutableStorageWithVersioningEnabled bool = false
-
-@description('Optional. Name of the immutable policy.')
-param immutabilityPolicyName string = 'default'
-
-@description('Optional. Configure immutability policy.')
-param immutabilityPolicyProperties object = {}
-
-@description('Optional. A name-value pair to associate with the container as metadata.')
-param metadata object = {}
-
-@allowed([
- 'Container'
- 'Blob'
- 'None'
-])
-@description('Optional. Specifies whether data in the container may be accessed publicly and the level of access.')
-param publicAccess string = 'None'
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Reader and Data Access': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'Storage Account Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')
- 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')
- 'Storage Account Key Operator Service Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')
- 'Storage Blob Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
- 'Storage Blob Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')
- 'Storage Blob Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')
- 'Storage Blob Delegator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')
- 'Storage File Data SMB Share Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')
- 'Storage File Data SMB Share Elevated Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')
- 'Storage File Data SMB Share Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')
- 'Storage Queue Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')
- 'Storage Queue Data Message Processor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')
- 'Storage Queue Data Message Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')
- 'Storage Queue Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')
- 'Storage Table Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')
- 'Storage Table Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' existing = {
- name: storageAccountName
-
- resource blobServices 'blobServices@2022-09-01' existing = {
- name: 'default'
- }
-}
-
-resource container 'Microsoft.Storage/storageAccounts/blobServices/containers@2022-09-01' = {
- name: name
- parent: storageAccount::blobServices
- properties: {
- defaultEncryptionScope: !empty(defaultEncryptionScope) ? defaultEncryptionScope : null
- denyEncryptionScopeOverride: denyEncryptionScopeOverride == true ? denyEncryptionScopeOverride : null
- enableNfsV3AllSquash: enableNfsV3AllSquash == true ? enableNfsV3AllSquash : null
- enableNfsV3RootSquash: enableNfsV3RootSquash == true ? enableNfsV3RootSquash : null
- immutableStorageWithVersioning: immutableStorageWithVersioningEnabled == true ? {
- enabled: immutableStorageWithVersioningEnabled
- } : null
- metadata: metadata
- publicAccess: publicAccess
- }
-}
-
-module immutabilityPolicy 'immutability-policy/main.bicep' = if (!empty(immutabilityPolicyProperties)) {
- name: immutabilityPolicyName
- params: {
- storageAccountName: storageAccount.name
- containerName: container.name
- immutabilityPeriodSinceCreationInDays: contains(immutabilityPolicyProperties, 'immutabilityPeriodSinceCreationInDays') ? immutabilityPolicyProperties.immutabilityPeriodSinceCreationInDays : 365
- allowProtectedAppendWrites: contains(immutabilityPolicyProperties, 'allowProtectedAppendWrites') ? immutabilityPolicyProperties.allowProtectedAppendWrites : true
- allowProtectedAppendWritesAll: contains(immutabilityPolicyProperties, 'allowProtectedAppendWritesAll') ? immutabilityPolicyProperties.allowProtectedAppendWritesAll : true
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-resource container_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(container.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: container
-}]
-
-@description('The name of the deployed container.')
-output name string = container.name
-
-@description('The resource ID of the deployed container.')
-output resourceId string = container.id
-
-@description('The resource group of the deployed container.')
-output resourceGroupName string = resourceGroup().name
-// =============== //
-// Definitions //
-// =============== //
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/storage/storage-account/blob-service/container/main.json b/modules/storage/storage-account/blob-service/container/main.json
deleted file mode 100644
index 32e4f44927..0000000000
--- a/modules/storage/storage-account/blob-service/container/main.json
+++ /dev/null
@@ -1,435 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "12877248389226548296" - }, - "name": "Storage Account Blob Containers", - "description": "This module deploys a Storage Account Blob Container.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the storage container to deploy." - } - }, - "defaultEncryptionScope": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Default the container to use specified encryption scope for all writes." - } - }, - "denyEncryptionScopeOverride": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Block override of encryption scope from the container default." - } - }, - "enableNfsV3AllSquash": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enable NFSv3 all squash on blob container." - } - }, - "enableNfsV3RootSquash": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enable NFSv3 root squash on blob container." - } - }, - "immutableStorageWithVersioningEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. This is an immutable property, when set to true it enables object level immutability at the container level. The property is immutable and can only be set to true at the container creation time. 
Existing containers must undergo a migration process." - } - }, - "immutabilityPolicyName": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. Name of the immutable policy." - } - }, - "immutabilityPolicyProperties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Configure immutability policy." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. A name-value pair to associate with the container as metadata." - } - }, - "publicAccess": { - "type": "string", - "defaultValue": "None", - "allowedValues": [ - "Container", - "Blob", - "None" - ], - "metadata": { - "description": "Optional. Specifies whether data in the container may be accessed publicly and the level of access." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", - "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", - "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "storageAccount::blobServices": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts/blobServices", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), 'default')]", - "dependsOn": [ - "storageAccount" - ] - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2022-09-01", - "name": "[parameters('storageAccountName')]" - }, - "container": { - "type": "Microsoft.Storage/storageAccounts/blobServices/containers", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", - "properties": { - "defaultEncryptionScope": "[if(not(empty(parameters('defaultEncryptionScope'))), parameters('defaultEncryptionScope'), null())]", - "denyEncryptionScopeOverride": "[if(equals(parameters('denyEncryptionScopeOverride'), true()), parameters('denyEncryptionScopeOverride'), null())]", - "enableNfsV3AllSquash": "[if(equals(parameters('enableNfsV3AllSquash'), true()), parameters('enableNfsV3AllSquash'), null())]", - "enableNfsV3RootSquash": "[if(equals(parameters('enableNfsV3RootSquash'), true()), parameters('enableNfsV3RootSquash'), null())]", - "immutableStorageWithVersioning": "[if(equals(parameters('immutableStorageWithVersioningEnabled'), true()), createObject('enabled', parameters('immutableStorageWithVersioningEnabled')), null())]", - "metadata": "[parameters('metadata')]", - "publicAccess": "[parameters('publicAccess')]" - }, - "dependsOn": [ - "storageAccount::blobServices" - ] - }, - "container_roleAssignments": { - "copy": { - "name": "container_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}/blobServices/{1}/containers/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('storageAccountName'), 'default', 
parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "container" - ] - }, - "immutabilityPolicy": { - "condition": "[not(empty(parameters('immutabilityPolicyProperties')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": 
"[parameters('immutabilityPolicyName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "storageAccountName": { - "value": "[parameters('storageAccountName')]" - }, - "containerName": { - "value": "[parameters('name')]" - }, - "immutabilityPeriodSinceCreationInDays": "[if(contains(parameters('immutabilityPolicyProperties'), 'immutabilityPeriodSinceCreationInDays'), createObject('value', parameters('immutabilityPolicyProperties').immutabilityPeriodSinceCreationInDays), createObject('value', 365))]", - "allowProtectedAppendWrites": "[if(contains(parameters('immutabilityPolicyProperties'), 'allowProtectedAppendWrites'), createObject('value', parameters('immutabilityPolicyProperties').allowProtectedAppendWrites), createObject('value', true()))]", - "allowProtectedAppendWritesAll": "[if(contains(parameters('immutabilityPolicyProperties'), 'allowProtectedAppendWritesAll'), createObject('value', parameters('immutabilityPolicyProperties').allowProtectedAppendWritesAll), createObject('value', true()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "4658218767079659572" - }, - "name": "Storage Account Blob Container Immutability Policies", - "description": "This module deploys a Storage Account Blob Container Immutability Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "containerName": { - "type": "string", - "metadata": { - "description": "Conditional. 
The name of the parent container to apply the policy to. Required if the template is used in a standalone deployment." - } - }, - "immutabilityPeriodSinceCreationInDays": { - "type": "int", - "defaultValue": 365, - "metadata": { - "description": "Optional. The immutability period for the blobs in the container since the policy creation, in days." - } - }, - "allowProtectedAppendWrites": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. This property can only be changed for unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. This property cannot be changed with ExtendImmutabilityPolicy API." - } - }, - "allowProtectedAppendWritesAll": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. This property can only be changed for unlocked time-based retention policies. When enabled, new blocks can be written to both \"Append and Block Blobs\" while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. This property cannot be changed with ExtendImmutabilityPolicy API. The \"allowProtectedAppendWrites\" and \"allowProtectedAppendWritesAll\" properties are mutually exclusive." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}/{2}/{3}', parameters('storageAccountName'), 'default', parameters('containerName'), 'default')]", - "properties": { - "immutabilityPeriodSinceCreationInDays": "[parameters('immutabilityPeriodSinceCreationInDays')]", - "allowProtectedAppendWrites": "[parameters('allowProtectedAppendWrites')]", - "allowProtectedAppendWritesAll": "[parameters('allowProtectedAppendWritesAll')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed immutability policy." - }, - "value": "default" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed immutability policy." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies', parameters('storageAccountName'), 'default', parameters('containerName'), 'default')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed immutability policy." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "container", - "storageAccount" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed container." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed container." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('storageAccountName'), 'default', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed container." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/storage/storage-account/blob-service/container/version.json b/modules/storage/storage-account/blob-service/container/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/storage/storage-account/blob-service/container/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/storage/storage-account/blob-service/main.bicep b/modules/storage/storage-account/blob-service/main.bicep deleted file mode 100644 index 114c0ece36..0000000000 --- a/modules/storage/storage-account/blob-service/main.bicep +++ /dev/null 
@@ -1,219 +0,0 @@
-metadata name = 'Storage Account blob Services'
-metadata description = 'This module deploys a Storage Account Blob Service.'
-metadata owner = 'Azure/module-maintainers'
-
-@maxLength(24)
-@description('Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment.')
-param storageAccountName string
-
-@description('Optional. Automatic Snapshot is enabled if set to true.')
-param automaticSnapshotPolicyEnabled bool = false
-
-@description('Optional. The blob service properties for change feed events. Indicates whether change feed event logging is enabled for the Blob service.')
-param changeFeedEnabled bool = true
-
-@minValue(0)
-@maxValue(146000)
-@description('Optional. Indicates whether change feed event logging is enabled for the Blob service. Indicates the duration of changeFeed retention in days. A "0" value indicates an infinite retention of the change feed.')
-param changeFeedRetentionInDays int?
-
-@description('Optional. The blob service properties for container soft delete. Indicates whether DeleteRetentionPolicy is enabled.')
-param containerDeleteRetentionPolicyEnabled bool = true
-
-@minValue(1)
-@maxValue(365)
-@description('Optional. Indicates the number of days that the deleted item should be retained.')
-param containerDeleteRetentionPolicyDays int?
-
-@description('Optional. This property when set to true allows deletion of the soft deleted blob versions and snapshots. This property cannot be used with blob restore policy. This property only applies to blob service and does not apply to containers or file share.')
-param containerDeleteRetentionPolicyAllowPermanentDelete bool = false
-
-@description('Optional. Specifies CORS rules for the Blob service. You can include up to five CorsRule elements in the request. 
If no CorsRule elements are included in the request body, all CORS rules will be deleted, and CORS will be disabled for the Blob service.')
-param corsRules array = []
-
-@description('Optional. Indicates the default version to use for requests to the Blob service if an incoming request\'s version is not specified. Possible values include version 2008-10-27 and all more recent versions.')
-param defaultServiceVersion string = ''
-
-@description('Optional. The blob service properties for blob soft delete.')
-param deleteRetentionPolicyEnabled bool = true
-
-@minValue(1)
-@maxValue(365)
-@description('Optional. Indicates the number of days that the deleted blob should be retained.')
-param deleteRetentionPolicyDays int?
-
-@description('Optional. This property when set to true allows deletion of the soft deleted blob versions and snapshots. This property cannot be used with blob restore policy. This property only applies to blob service and does not apply to containers or file share.')
-param deleteRetentionPolicyAllowPermanentDelete bool = false
-
-@description('Optional. Use versioning to automatically maintain previous versions of your blobs.')
-param isVersioningEnabled bool = true
-
-@description('Optional. The blob service property to configure last access time based tracking policy. When set to true last access time based tracking is enabled.')
-param lastAccessTimeTrackingPolicyEnabled bool = false
-
-@description('Optional. The blob service properties for blob restore policy. If point-in-time restore is enabled, then versioning, change feed, and blob soft delete must also be enabled.')
-param restorePolicyEnabled bool = true
-
-@minValue(1)
-@description('Optional. How long this blob can be restored. It should be less than DeleteRetentionPolicy days.')
-param restorePolicyDays int?
-
-@description('Optional. Blob containers to create.')
-param containers array = []
-
-@description('Optional. 
The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-// The name of the blob services
-var name = 'default'
-
-var enableReferencedModulesTelemetry = false
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' existing = {
- name: storageAccountName
-}
-
-resource blobServices 'Microsoft.Storage/storageAccounts/blobServices@2022-09-01' = {
- name: name
- parent: storageAccount
- properties: {
- automaticSnapshotPolicyEnabled: automaticSnapshotPolicyEnabled
- changeFeed: changeFeedEnabled ? {
- enabled: true
- retentionInDays: changeFeedRetentionInDays
- } : null
- containerDeleteRetentionPolicy: {
- enabled: containerDeleteRetentionPolicyEnabled
- days: containerDeleteRetentionPolicyDays
- allowPermanentDelete: containerDeleteRetentionPolicyEnabled == true ? containerDeleteRetentionPolicyAllowPermanentDelete : null
- }
- cors: {
- corsRules: corsRules
- }
- defaultServiceVersion: !empty(defaultServiceVersion) ? defaultServiceVersion : null
- deleteRetentionPolicy: {
- enabled: deleteRetentionPolicyEnabled
- days: deleteRetentionPolicyDays
- allowPermanentDelete: deleteRetentionPolicyEnabled && deleteRetentionPolicyAllowPermanentDelete ? true : null
- }
- isVersioningEnabled: isVersioningEnabled
- lastAccessTimeTrackingPolicy: {
- enable: lastAccessTimeTrackingPolicyEnabled
- name: lastAccessTimeTrackingPolicyEnabled == true ? 
'AccessTimeTracking' : null
- trackingGranularityInDays: lastAccessTimeTrackingPolicyEnabled == true ? 1 : null
- }
- restorePolicy: restorePolicyEnabled ? {
- enabled: true
- days: restorePolicyDays
- } : null
- }
-}
-
-resource blobServices_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: blobServices
-}]
-
-module blobServices_container 'container/main.bicep' = [for (container, index) in containers: {
- name: '${deployment().name}-Container-${index}'
- params: {
- storageAccountName: storageAccount.name
- name: container.name
- defaultEncryptionScope: contains(container, 'defaultEncryptionScope') ? container.defaultEncryptionScope : ''
- denyEncryptionScopeOverride: contains(container, 'denyEncryptionScopeOverride') ? container.denyEncryptionScopeOverride : false
- enableNfsV3AllSquash: contains(container, 'enableNfsV3AllSquash') ? container.enableNfsV3AllSquash : false
- enableNfsV3RootSquash: contains(container, 'enableNfsV3RootSquash') ? container.enableNfsV3RootSquash : false
- immutableStorageWithVersioningEnabled: contains(container, 'immutableStorageWithVersioningEnabled') ? 
container.immutableStorageWithVersioningEnabled : false
- metadata: contains(container, 'metadata') ? container.metadata : {}
- publicAccess: contains(container, 'publicAccess') ? container.publicAccess : 'None'
- roleAssignments: contains(container, 'roleAssignments') ? container.roleAssignments : []
- immutabilityPolicyProperties: contains(container, 'immutabilityPolicyProperties') ? container.immutabilityPolicyProperties : {}
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-@description('The name of the deployed blob service.')
-output name string = blobServices.name
-
-@description('The resource ID of the deployed blob service.')
-output resourceId string = blobServices.id
-
-@description('The name of the deployed blob service.')
-output resourceGroupName string = resourceGroup().name
-// =============== //
-// Definitions //
-// =============== //
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. 
A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/storage/storage-account/blob-service/main.json b/modules/storage/storage-account/blob-service/main.json
deleted file mode 100644
index c0f00a1339..0000000000
--- a/modules/storage/storage-account/blob-service/main.json
+++ /dev/null
@@ -1,842 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "15895331301993414988" - }, - "name": "Storage Account blob Services", - "description": "This module deploys a Storage Account Blob Service.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. 
Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." 
- } - } - } - }, - "nullable": true - } - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "automaticSnapshotPolicyEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Automatic Snapshot is enabled if set to true." - } - }, - "changeFeedEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. The blob service properties for change feed events. Indicates whether change feed event logging is enabled for the Blob service." - } - }, - "changeFeedRetentionInDays": { - "type": "int", - "nullable": true, - "minValue": 0, - "maxValue": 146000, - "metadata": { - "description": "Optional. Indicates whether change feed event logging is enabled for the Blob service. Indicates the duration of changeFeed retention in days. A \"0\" value indicates an infinite retention of the change feed." - } - }, - "containerDeleteRetentionPolicyEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. The blob service properties for container soft delete. Indicates whether DeleteRetentionPolicy is enabled." - } - }, - "containerDeleteRetentionPolicyDays": { - "type": "int", - "nullable": true, - "minValue": 1, - "maxValue": 365, - "metadata": { - "description": "Optional. Indicates the number of days that the deleted item should be retained." - } - }, - "containerDeleteRetentionPolicyAllowPermanentDelete": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. This property when set to true allows deletion of the soft deleted blob versions and snapshots. This property cannot be used with blob restore policy. This property only applies to blob service and does not apply to containers or file share." 
- } - }, - "corsRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specifies CORS rules for the Blob service. You can include up to five CorsRule elements in the request. If no CorsRule elements are included in the request body, all CORS rules will be deleted, and CORS will be disabled for the Blob service." - } - }, - "defaultServiceVersion": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Indicates the default version to use for requests to the Blob service if an incoming request's version is not specified. Possible values include version 2008-10-27 and all more recent versions." - } - }, - "deleteRetentionPolicyEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. The blob service properties for blob soft delete." - } - }, - "deleteRetentionPolicyDays": { - "type": "int", - "nullable": true, - "minValue": 1, - "maxValue": 365, - "metadata": { - "description": "Optional. Indicates the number of days that the deleted blob should be retained." - } - }, - "deleteRetentionPolicyAllowPermanentDelete": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. This property when set to true allows deletion of the soft deleted blob versions and snapshots. This property cannot be used with blob restore policy. This property only applies to blob service and does not apply to containers or file share." - } - }, - "isVersioningEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Use versioning to automatically maintain previous versions of your blobs." - } - }, - "lastAccessTimeTrackingPolicyEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. The blob service property to configure last access time based tracking policy. When set to true last access time based tracking is enabled." 
- } - }, - "restorePolicyEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. The blob service properties for blob restore policy. If point-in-time restore is enabled, then versioning, change feed, and blob soft delete must also be enabled." - } - }, - "restorePolicyDays": { - "type": "int", - "nullable": true, - "minValue": 1, - "metadata": { - "description": "Optional. How long this blob can be restored. It should be less than DeleteRetentionPolicy days." - } - }, - "containers": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Blob containers to create." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "name": "default", - "enableReferencedModulesTelemetry": false - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2022-09-01", - "name": "[parameters('storageAccountName')]" - }, - "blobServices": { - "type": "Microsoft.Storage/storageAccounts/blobServices", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), variables('name'))]", - "properties": { - 
"automaticSnapshotPolicyEnabled": "[parameters('automaticSnapshotPolicyEnabled')]", - "changeFeed": "[if(parameters('changeFeedEnabled'), createObject('enabled', true(), 'retentionInDays', parameters('changeFeedRetentionInDays')), null())]", - "containerDeleteRetentionPolicy": { - "enabled": "[parameters('containerDeleteRetentionPolicyEnabled')]", - "days": "[parameters('containerDeleteRetentionPolicyDays')]", - "allowPermanentDelete": "[if(equals(parameters('containerDeleteRetentionPolicyEnabled'), true()), parameters('containerDeleteRetentionPolicyAllowPermanentDelete'), null())]" - }, - "cors": { - "corsRules": "[parameters('corsRules')]" - }, - "defaultServiceVersion": "[if(not(empty(parameters('defaultServiceVersion'))), parameters('defaultServiceVersion'), null())]", - "deleteRetentionPolicy": { - "enabled": "[parameters('deleteRetentionPolicyEnabled')]", - "days": "[parameters('deleteRetentionPolicyDays')]", - "allowPermanentDelete": "[if(and(parameters('deleteRetentionPolicyEnabled'), parameters('deleteRetentionPolicyAllowPermanentDelete')), true(), null())]" - }, - "isVersioningEnabled": "[parameters('isVersioningEnabled')]", - "lastAccessTimeTrackingPolicy": { - "enable": "[parameters('lastAccessTimeTrackingPolicyEnabled')]", - "name": "[if(equals(parameters('lastAccessTimeTrackingPolicyEnabled'), true()), 'AccessTimeTracking', null())]", - "trackingGranularityInDays": "[if(equals(parameters('lastAccessTimeTrackingPolicyEnabled'), true()), 1, null())]" - }, - "restorePolicy": "[if(parameters('restorePolicyEnabled'), createObject('enabled', true(), 'days', parameters('restorePolicyDays')), null())]" - }, - "dependsOn": [ - "storageAccount" - ] - }, - "blobServices_diagnosticSettings": { - "copy": { - "name": "blobServices_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": 
"[format('Microsoft.Storage/storageAccounts/{0}/blobServices/{1}', parameters('storageAccountName'), variables('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', variables('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "blobServices" - ] - }, - "blobServices_container": { - "copy": { - "name": "blobServices_container", - "count": "[length(parameters('containers'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Container-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { 
- "storageAccountName": { - "value": "[parameters('storageAccountName')]" - }, - "name": { - "value": "[parameters('containers')[copyIndex()].name]" - }, - "defaultEncryptionScope": "[if(contains(parameters('containers')[copyIndex()], 'defaultEncryptionScope'), createObject('value', parameters('containers')[copyIndex()].defaultEncryptionScope), createObject('value', ''))]", - "denyEncryptionScopeOverride": "[if(contains(parameters('containers')[copyIndex()], 'denyEncryptionScopeOverride'), createObject('value', parameters('containers')[copyIndex()].denyEncryptionScopeOverride), createObject('value', false()))]", - "enableNfsV3AllSquash": "[if(contains(parameters('containers')[copyIndex()], 'enableNfsV3AllSquash'), createObject('value', parameters('containers')[copyIndex()].enableNfsV3AllSquash), createObject('value', false()))]", - "enableNfsV3RootSquash": "[if(contains(parameters('containers')[copyIndex()], 'enableNfsV3RootSquash'), createObject('value', parameters('containers')[copyIndex()].enableNfsV3RootSquash), createObject('value', false()))]", - "immutableStorageWithVersioningEnabled": "[if(contains(parameters('containers')[copyIndex()], 'immutableStorageWithVersioningEnabled'), createObject('value', parameters('containers')[copyIndex()].immutableStorageWithVersioningEnabled), createObject('value', false()))]", - "metadata": "[if(contains(parameters('containers')[copyIndex()], 'metadata'), createObject('value', parameters('containers')[copyIndex()].metadata), createObject('value', createObject()))]", - "publicAccess": "[if(contains(parameters('containers')[copyIndex()], 'publicAccess'), createObject('value', parameters('containers')[copyIndex()].publicAccess), createObject('value', 'None'))]", - "roleAssignments": "[if(contains(parameters('containers')[copyIndex()], 'roleAssignments'), createObject('value', parameters('containers')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "immutabilityPolicyProperties": 
"[if(contains(parameters('containers')[copyIndex()], 'immutabilityPolicyProperties'), createObject('value', parameters('containers')[copyIndex()].immutabilityPolicyProperties), createObject('value', createObject()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "12877248389226548296" - }, - "name": "Storage Account Blob Containers", - "description": "This module deploys a Storage Account Blob Container.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the storage container to deploy." - } - }, - "defaultEncryptionScope": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Default the container to use specified encryption scope for all writes." - } - }, - "denyEncryptionScopeOverride": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Block override of encryption scope from the container default." - } - }, - "enableNfsV3AllSquash": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enable NFSv3 all squash on blob container." - } - }, - "enableNfsV3RootSquash": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enable NFSv3 root squash on blob container." - } - }, - "immutableStorageWithVersioningEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. This is an immutable property, when set to true it enables object level immutability at the container level. 
The property is immutable and can only be set to true at the container creation time. Existing containers must undergo a migration process." - } - }, - "immutabilityPolicyName": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. Name of the immutable policy." - } - }, - "immutabilityPolicyProperties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Configure immutability policy." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. A name-value pair to associate with the container as metadata." - } - }, - "publicAccess": { - "type": "string", - "defaultValue": "None", - "allowedValues": [ - "Container", - "Blob", - "None" - ], - "metadata": { - "description": "Optional. Specifies whether data in the container may be accessed publicly and the level of access." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", - "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", - "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "storageAccount::blobServices": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts/blobServices", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), 'default')]", - "dependsOn": [ - "storageAccount" - ] - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2022-09-01", - "name": "[parameters('storageAccountName')]" - }, - "container": { - "type": "Microsoft.Storage/storageAccounts/blobServices/containers", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", - "properties": { - "defaultEncryptionScope": "[if(not(empty(parameters('defaultEncryptionScope'))), parameters('defaultEncryptionScope'), null())]", - "denyEncryptionScopeOverride": "[if(equals(parameters('denyEncryptionScopeOverride'), true()), parameters('denyEncryptionScopeOverride'), null())]", - "enableNfsV3AllSquash": "[if(equals(parameters('enableNfsV3AllSquash'), true()), parameters('enableNfsV3AllSquash'), null())]", - "enableNfsV3RootSquash": "[if(equals(parameters('enableNfsV3RootSquash'), true()), parameters('enableNfsV3RootSquash'), null())]", - "immutableStorageWithVersioning": "[if(equals(parameters('immutableStorageWithVersioningEnabled'), true()), createObject('enabled', parameters('immutableStorageWithVersioningEnabled')), null())]", - "metadata": "[parameters('metadata')]", - "publicAccess": "[parameters('publicAccess')]" - }, - "dependsOn": [ - "storageAccount::blobServices" - ] - }, - "container_roleAssignments": { - "copy": { - "name": "container_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}/blobServices/{1}/containers/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('storageAccountName'), 'default', 
parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "container" - ] - }, - "immutabilityPolicy": { - "condition": "[not(empty(parameters('immutabilityPolicyProperties')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": 
"[parameters('immutabilityPolicyName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "storageAccountName": { - "value": "[parameters('storageAccountName')]" - }, - "containerName": { - "value": "[parameters('name')]" - }, - "immutabilityPeriodSinceCreationInDays": "[if(contains(parameters('immutabilityPolicyProperties'), 'immutabilityPeriodSinceCreationInDays'), createObject('value', parameters('immutabilityPolicyProperties').immutabilityPeriodSinceCreationInDays), createObject('value', 365))]", - "allowProtectedAppendWrites": "[if(contains(parameters('immutabilityPolicyProperties'), 'allowProtectedAppendWrites'), createObject('value', parameters('immutabilityPolicyProperties').allowProtectedAppendWrites), createObject('value', true()))]", - "allowProtectedAppendWritesAll": "[if(contains(parameters('immutabilityPolicyProperties'), 'allowProtectedAppendWritesAll'), createObject('value', parameters('immutabilityPolicyProperties').allowProtectedAppendWritesAll), createObject('value', true()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "4658218767079659572" - }, - "name": "Storage Account Blob Container Immutability Policies", - "description": "This module deploys a Storage Account Blob Container Immutability Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "containerName": { - "type": "string", - "metadata": { - "description": "Conditional. 
The name of the parent container to apply the policy to. Required if the template is used in a standalone deployment." - } - }, - "immutabilityPeriodSinceCreationInDays": { - "type": "int", - "defaultValue": 365, - "metadata": { - "description": "Optional. The immutability period for the blobs in the container since the policy creation, in days." - } - }, - "allowProtectedAppendWrites": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. This property can only be changed for unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. This property cannot be changed with ExtendImmutabilityPolicy API." - } - }, - "allowProtectedAppendWritesAll": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. This property can only be changed for unlocked time-based retention policies. When enabled, new blocks can be written to both \"Append and Block Blobs\" while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. This property cannot be changed with ExtendImmutabilityPolicy API. The \"allowProtectedAppendWrites\" and \"allowProtectedAppendWritesAll\" properties are mutually exclusive." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}/{2}/{3}', parameters('storageAccountName'), 'default', parameters('containerName'), 'default')]", - "properties": { - "immutabilityPeriodSinceCreationInDays": "[parameters('immutabilityPeriodSinceCreationInDays')]", - "allowProtectedAppendWrites": "[parameters('allowProtectedAppendWrites')]", - "allowProtectedAppendWritesAll": "[parameters('allowProtectedAppendWritesAll')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed immutability policy." - }, - "value": "default" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed immutability policy." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies', parameters('storageAccountName'), 'default', parameters('containerName'), 'default')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed immutability policy." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "container", - "storageAccount" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed container." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed container." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('storageAccountName'), 'default', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed container." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "storageAccount" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed blob service." - }, - "value": "[variables('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed blob service." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('storageAccountName'), variables('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the deployed blob service." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file
diff --git a/modules/storage/storage-account/blob-service/version.json b/modules/storage/storage-account/blob-service/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/storage/storage-account/blob-service/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/storage/storage-account/file-service/README.md b/modules/storage/storage-account/file-service/README.md
deleted file mode 100644
index f62b23abcc..0000000000
--- a/modules/storage/storage-account/file-service/README.md
+++ /dev/null
@@ -1,194 +0,0 @@ -# Storage Account File Share Services `[Microsoft.Storage/storageAccounts/fileServices]` - -This module deploys a Storage Account File Share Service. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Storage/storageAccounts/fileServices` | [2021-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-09-01/storageAccounts/fileServices) | -| `Microsoft.Storage/storageAccounts/fileServices/shares` | [2023-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/storageAccounts/fileServices/shares) | - -## Parameters - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`storageAccountName`](#parameter-storageaccountname) | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`name`](#parameter-name) | string | The name of the file service. | -| [`protocolSettings`](#parameter-protocolsettings) | object | Protocol settings for file service. | -| [`shareDeleteRetentionPolicy`](#parameter-sharedeleteretentionpolicy) | object | The service properties for soft delete. | -| [`shares`](#parameter-shares) | array | File shares to create. | - -### Parameter: `storageAccountName` - -The name of the parent Storage Account. 
Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. 
| -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
- -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `name` - -The name of the file service. - -- Required: No -- Type: string -- Default: `'default'` - -### Parameter: `protocolSettings` - -Protocol settings for file service. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `shareDeleteRetentionPolicy` - -The service properties for soft delete. - -- Required: No -- Type: object -- Default: - ```Bicep - { - days: 7 - enabled: true - } - ``` - -### Parameter: `shares` - -File shares to create. - -- Required: No -- Type: array -- Default: `[]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed file share service. | -| `resourceGroupName` | string | The resource group of the deployed file share service. | -| `resourceId` | string | The resource ID of the deployed file share service. 
|
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/storage/storage-account/file-service/main.bicep b/modules/storage/storage-account/file-service/main.bicep
deleted file mode 100644
index 78cd4e4df7..0000000000
--- a/modules/storage/storage-account/file-service/main.bicep
+++ /dev/null
@@ -1,148 +0,0 @@
-metadata name = 'Storage Account File Share Services'
-metadata description = 'This module deploys a Storage Account File Share Service.'
-metadata owner = 'Azure/module-maintainers'
-
-@maxLength(24)
-@description('Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment.')
-param storageAccountName string
-
-@description('Optional. The name of the file service.')
-param name string = 'default'
-
-@description('Optional. Protocol settings for file service.')
-param protocolSettings object = {}
-
-@description('Optional. The service properties for soft delete.')
-param shareDeleteRetentionPolicy object = {
- enabled: true
- days: 7
-}
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. File shares to create.')
-param shares array = []
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var enableReferencedModulesTelemetry = false
-
-var defaultShareAccessTier = storageAccount.kind == 'FileStorage' ? 'Premium' : 'TransactionOptimized' // default share accessTier depends on the Storage Account kind: 'Premium' for 'FileStorage' kind, 'TransactionOptimized' otherwise
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' existing = {
- name: storageAccountName
-}
-
-resource fileServices 'Microsoft.Storage/storageAccounts/fileServices@2021-09-01' = {
- name: name
- parent: storageAccount
- properties: {
- protocolSettings: protocolSettings
- shareDeleteRetentionPolicy: shareDeleteRetentionPolicy
- }
-}
-
-resource fileServices_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: fileServices
-}]
-
-module fileServices_shares 'share/main.bicep' = [for (share, index) in shares: {
- name: '${deployment().name}-shares-${index}'
- params: {
- storageAccountName: storageAccount.name
- fileServicesName: fileServices.name
- name: share.name
- accessTier: contains(share, 'accessTier') ? share.accessTier : defaultShareAccessTier
- enabledProtocols: contains(share, 'enabledProtocols') ? share.enabledProtocols : 'SMB'
- rootSquash: contains(share, 'rootSquash') ? share.rootSquash : 'NoRootSquash'
- shareQuota: contains(share, 'shareQuota') ? share.shareQuota : 5120
- roleAssignments: contains(share, 'roleAssignments') ? share.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-@description('The name of the deployed file share service.')
-output name string = fileServices.name
-
-@description('The resource ID of the deployed file share service.')
-output resourceId string = fileServices.id
-
-@description('The resource group of the deployed file share service.')
-output resourceGroupName string = resourceGroup().name
-// =============== //
-// Definitions //
-// =============== //
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/storage/storage-account/file-service/main.json b/modules/storage/storage-account/file-service/main.json
deleted file mode 100644
index 62cc609f66..0000000000
--- a/modules/storage/storage-account/file-service/main.json
+++ /dev/null
@@ -1,740 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "5919540891902254282" - }, - "name": "Storage Account File Share Services", - "description": "This module deploys a Storage Account File Share Service.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. 
Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." 
- } - } - } - }, - "nullable": true - } - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the file service." - } - }, - "protocolSettings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Protocol settings for file service." - } - }, - "shareDeleteRetentionPolicy": { - "type": "object", - "defaultValue": { - "enabled": true, - "days": 7 - }, - "metadata": { - "description": "Optional. The service properties for soft delete." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "shares": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. File shares to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2021-09-01", - "name": "[parameters('storageAccountName')]" - }, - "fileServices": { - "type": "Microsoft.Storage/storageAccounts/fileServices", - "apiVersion": "2021-09-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), parameters('name'))]", - "properties": { - "protocolSettings": "[parameters('protocolSettings')]", - "shareDeleteRetentionPolicy": "[parameters('shareDeleteRetentionPolicy')]" - }, - "dependsOn": [ - "storageAccount" - ] - }, - "fileServices_diagnosticSettings": { - "copy": { - "name": "fileServices_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}/fileServices/{1}', parameters('storageAccountName'), parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - 
"eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "fileServices" - ] - }, - "fileServices_shares": { - "copy": { - "name": "fileServices_shares", - "count": "[length(parameters('shares'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-shares-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "storageAccountName": { - "value": "[parameters('storageAccountName')]" - }, - "fileServicesName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('shares')[copyIndex()].name]" - }, - "accessTier": "[if(contains(parameters('shares')[copyIndex()], 'accessTier'), createObject('value', parameters('shares')[copyIndex()].accessTier), if(equals(reference('storageAccount', '2021-09-01', 'full').kind, 'FileStorage'), createObject('value', 'Premium'), createObject('value', 'TransactionOptimized')))]", - "enabledProtocols": 
"[if(contains(parameters('shares')[copyIndex()], 'enabledProtocols'), createObject('value', parameters('shares')[copyIndex()].enabledProtocols), createObject('value', 'SMB'))]", - "rootSquash": "[if(contains(parameters('shares')[copyIndex()], 'rootSquash'), createObject('value', parameters('shares')[copyIndex()].rootSquash), createObject('value', 'NoRootSquash'))]", - "shareQuota": "[if(contains(parameters('shares')[copyIndex()], 'shareQuota'), createObject('value', parameters('shares')[copyIndex()].shareQuota), createObject('value', 5120))]", - "roleAssignments": "[if(contains(parameters('shares')[copyIndex()], 'roleAssignments'), createObject('value', parameters('shares')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "3643709768620634256" - }, - "name": "Storage Account File Shares", - "description": "This module deploys a Storage Account File Share.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "fileServicesName": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Conditional. The name of the parent file service. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the file share to create." - } - }, - "accessTier": { - "type": "string", - "defaultValue": "TransactionOptimized", - "allowedValues": [ - "Premium", - "Hot", - "Cool", - "TransactionOptimized" - ], - "metadata": { - "description": "Conditional. 
Access tier for specific share. Required if the Storage Account kind is set to FileStorage (should be set to \"Premium\"). GpV2 account can choose between TransactionOptimized (default), Hot, and Cool." - } - }, - "shareQuota": { - "type": "int", - "defaultValue": 5120, - "metadata": { - "description": "Optional. The maximum size of the share, in gigabytes. Must be greater than 0, and less than or equal to 5120 (5TB). For Large File Shares, the maximum size is 102400 (100TB)." - } - }, - "enabledProtocols": { - "type": "string", - "defaultValue": "SMB", - "allowedValues": [ - "NFS", - "SMB" - ], - "metadata": { - "description": "Optional. The authentication protocol that is used for the file share. Can only be specified when creating a share." - } - }, - "rootSquash": { - "type": "string", - "defaultValue": "NoRootSquash", - "allowedValues": [ - "AllSquash", - "NoRootSquash", - "RootSquash" - ], - "metadata": { - "description": "Optional. Permissions for NFS file shares are enforced by the client OS rather than the Azure Files service. Toggling the root squash behavior reduces the rights of the root user for NFS shares." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": { - "storageAccount::fileService": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts/fileServices", - "apiVersion": "2021-09-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), parameters('fileServicesName'))]", - "dependsOn": [ - "storageAccount" - ] - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2021-09-01", - "name": "[parameters('storageAccountName')]" - }, - "fileShare": { - "type": "Microsoft.Storage/storageAccounts/fileServices/shares", - "apiVersion": "2023-01-01", - "name": "[format('{0}/{1}/{2}', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]", - "properties": { - "accessTier": "[parameters('accessTier')]", - "shareQuota": "[parameters('shareQuota')]", - "rootSquash": "[if(equals(parameters('enabledProtocols'), 'NFS'), parameters('rootSquash'), null())]", - "enabledProtocols": "[parameters('enabledProtocols')]" - }, - "dependsOn": [ - "storageAccount::fileService" - ] - }, - "fileShare_roleAssignments": { - "condition": "[not(empty(parameters('roleAssignments')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Share-Rbac', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "fileShareResourceId": { - "value": 
"[resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]" - }, - "roleAssignments": { - "value": "[parameters('roleAssignments')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "12925188407376905475" - } - }, - "parameters": { - "roleAssignments": { - "type": "array", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "fileShareResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource id of the file share to assign the roles to." - } - } - }, - "variables": { - "$fxv#0": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "scope": { - "type": "string", - "metadata": { - "description": "Required. The scope to deploy the role assignment to." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the role assignment." - } - }, - "roleDefinitionId": { - "type": "string", - "metadata": { - "description": "Required. The role definition Id to assign." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User", - "" - ], - "defaultValue": "", - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "defaultValue": "2.0", - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[[parameters('scope')]", - "name": "[[parameters('name')]", - "properties": { - "roleDefinitionId": "[[parameters('roleDefinitionId')]", - "principalId": "[[parameters('principalId')]", - "description": "[[parameters('description')]", - "principalType": "[[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - }, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage 
Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", - "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", - "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "fileShare_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('{0}-Share-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "Outer" - }, - "template": "[variables('$fxv#0')]", - "parameters": { - "scope": { - "value": "[replace(parameters('fileShareResourceId'), '/shares/', '/fileShares/')]" - }, - "name": { - "value": "[guid(parameters('fileShareResourceId'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, 'tyfa')]" - }, - "roleDefinitionId": { - "value": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]" - }, - "principalId": { - "value": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]" - }, - "principalType": { - "value": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]" - }, - "description": { - "value": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]" - }, - "condition": { - "value": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]" - }, - "conditionVersion": { - "value": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]" - }, - "delegatedManagedIdentityResourceId": { - "value": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - } - } - } - } - ] - } - }, - "dependsOn": [ - "fileShare" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed file share." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed file share." 
- }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed file share." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "fileServices", - "storageAccount" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed file share service." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed file share service." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/fileServices', parameters('storageAccountName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed file share service." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/storage/storage-account/file-service/share/README.md b/modules/storage/storage-account/file-service/share/README.md deleted file mode 100644 index e34cc1ad9d..0000000000 --- a/modules/storage/storage-account/file-service/share/README.md +++ /dev/null 
@@ -1,230 +0,0 @@
-# Storage Account File Shares `[Microsoft.Storage/storageAccounts/fileServices/shares]`
-
-This module deploys a Storage Account File Share.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Storage/storageAccounts/fileServices/shares` | [2023-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/storageAccounts/fileServices/shares) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the file share to create. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`accessTier`](#parameter-accesstier) | string | Access tier for specific share. Required if the Storage Account kind is set to FileStorage (should be set to "Premium"). GpV2 account can choose between TransactionOptimized (default), Hot, and Cool. |
-| [`fileServicesName`](#parameter-fileservicesname) | string | The name of the parent file service. Required if the template is used in a standalone deployment. |
-| [`storageAccountName`](#parameter-storageaccountname) | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`enabledProtocols`](#parameter-enabledprotocols) | string | The authentication protocol that is used for the file share. Can only be specified when creating a share. |
-| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
-| [`rootSquash`](#parameter-rootsquash) | string | Permissions for NFS file shares are enforced by the client OS rather than the Azure Files service. Toggling the root squash behavior reduces the rights of the root user for NFS shares. |
-| [`shareQuota`](#parameter-sharequota) | int | The maximum size of the share, in gigabytes. Must be greater than 0, and less than or equal to 5120 (5TB). For Large File Shares, the maximum size is 102400 (100TB). |
-
-### Parameter: `name`
-
-The name of the file share to create.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `accessTier`
-
-Access tier for specific share. Required if the Storage Account kind is set to FileStorage (should be set to "Premium"). GpV2 account can choose between TransactionOptimized (default), Hot, and Cool.
-
-- Required: No
-- Type: string
-- Default: `'TransactionOptimized'`
-- Allowed:
- ```Bicep
- [
- 'Cool'
- 'Hot'
- 'Premium'
- 'TransactionOptimized'
- ]
- ```
-
-### Parameter: `fileServicesName`
-
-The name of the parent file service. Required if the template is used in a standalone deployment.
-
-- Required: No
-- Type: string
-- Default: `'default'`
-
-### Parameter: `storageAccountName`
-
-The name of the parent Storage Account. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `enabledProtocols`
-
-The authentication protocol that is used for the file share. Can only be specified when creating a share.
-
-- Required: No
-- Type: string
-- Default: `'SMB'`
-- Allowed:
- ```Bicep
- [
- 'NFS'
- 'SMB'
- ]
- ```
-
-### Parameter: `roleAssignments`
-
-Array of role assignments to create.
-
-- Required: No
-- Type: array
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
-| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. |
-| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. |
-| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. |
-| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. |
-
-### Parameter: `roleAssignments.principalId`
-
-The principal ID of the principal (user/group/identity) to assign the role to.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.roleDefinitionIdOrName`
-
-The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.condition`
-
-The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.conditionVersion`
-
-Version of the condition.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- '2.0'
- ]
- ```
-
-### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
-
-The Resource Id of the delegated managed identity resource.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.description`
-
-The description of the role assignment.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.principalType`
-
-The principal type of the assigned principal ID.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Device'
- 'ForeignGroup'
- 'Group'
- 'ServicePrincipal'
- 'User'
- ]
- ```
-
-### Parameter: `rootSquash`
-
-Permissions for NFS file shares are enforced by the client OS rather than the Azure Files service. Toggling the root squash behavior reduces the rights of the root user for NFS shares.
-
-- Required: No
-- Type: string
-- Default: `'NoRootSquash'`
-- Allowed:
- ```Bicep
- [
- 'AllSquash'
- 'NoRootSquash'
- 'RootSquash'
- ]
- ```
-
-### Parameter: `shareQuota`
-
-The maximum size of the share, in gigabytes. Must be greater than 0, and less than or equal to 5120 (5TB). For Large File Shares, the maximum size is 102400 (100TB).
-
-- Required: No
-- Type: int
-- Default: `5120`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed file share. |
-| `resourceGroupName` | string | The resource group of the deployed file share. |
-| `resourceId` | string | The resource ID of the deployed file share. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/storage/storage-account/file-service/share/main.bicep b/modules/storage/storage-account/file-service/share/main.bicep deleted file mode 100644 index dff258f06b..0000000000 --- a/modules/storage/storage-account/file-service/share/main.bicep +++ /dev/null 
@@ -1,122 +0,0 @@
-metadata name = 'Storage Account File Shares'
-metadata description = 'This module deploys a Storage Account File Share.'
-metadata owner = 'Azure/module-maintainers'
-
-@maxLength(24)
-@description('Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment.')
-param storageAccountName string
-
-@description('Conditional. The name of the parent file service. Required if the template is used in a standalone deployment.')
-param fileServicesName string = 'default'
-
-@description('Required. The name of the file share to create.')
-param name string
-
-@allowed([
- 'Premium'
- 'Hot'
- 'Cool'
- 'TransactionOptimized'
-])
-@description('Conditional. Access tier for specific share. Required if the Storage Account kind is set to FileStorage (should be set to "Premium"). GpV2 account can choose between TransactionOptimized (default), Hot, and Cool.')
-param accessTier string = 'TransactionOptimized'
-
-@description('Optional. The maximum size of the share, in gigabytes. Must be greater than 0, and less than or equal to 5120 (5TB). For Large File Shares, the maximum size is 102400 (100TB).')
-param shareQuota int = 5120
-
-@allowed([
- 'NFS'
- 'SMB'
-])
-@description('Optional. The authentication protocol that is used for the file share. Can only be specified when creating a share.')
-param enabledProtocols string = 'SMB'
-
-@allowed([
- 'AllSquash'
- 'NoRootSquash'
- 'RootSquash'
-])
-@description('Optional. Permissions for NFS file shares are enforced by the client OS rather than the Azure Files service. Toggling the root squash behavior reduces the rights of the root user for NFS shares.')
-param rootSquash string = 'NoRootSquash'
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' existing = {
- name: storageAccountName
-
- resource fileService 'fileServices@2021-09-01' existing = {
- name: fileServicesName
- }
-}
-
-resource fileShare 'Microsoft.Storage/storageAccounts/fileServices/shares@2023-01-01' = {
- name: name
- parent: storageAccount::fileService
- properties: {
- accessTier: accessTier
- shareQuota: shareQuota
- rootSquash: enabledProtocols == 'NFS' ? rootSquash : null
- enabledProtocols: enabledProtocols
- }
-}
-
-// NOTE: This is a workaround for a bug of the resource provider. Ref: https://github.com/Azure/bicep-types-az/issues/1532
-module fileShare_roleAssignments 'modules/nested_roleAssignment.bicep' = if (!empty(roleAssignments)) {
- name: '${uniqueString(deployment().name)}-Share-Rbac'
- params: {
- fileShareResourceId: fileShare.id
- roleAssignments: roleAssignments!
- }
-}
-
-@description('The name of the deployed file share.')
-output name string = fileShare.name
-
-@description('The resource ID of the deployed file share.')
-output resourceId string = fileShare.id
-
-@description('The resource group of the deployed file share.')
-output resourceGroupName string = resourceGroup().name
-
-// =============== //
-// Definitions //
-// =============== //
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/storage/storage-account/file-service/share/main.json b/modules/storage/storage-account/file-service/share/main.json
deleted file mode 100644
index 485ca37a88..0000000000
--- a/modules/storage/storage-account/file-service/share/main.json
+++ /dev/null
@@ -1,443 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "3643709768620634256" - }, - "name": "Storage Account File Shares", - "description": "This module deploys a Storage Account File Share.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. 
Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "fileServicesName": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Conditional. The name of the parent file service. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the file share to create." - } - }, - "accessTier": { - "type": "string", - "defaultValue": "TransactionOptimized", - "allowedValues": [ - "Premium", - "Hot", - "Cool", - "TransactionOptimized" - ], - "metadata": { - "description": "Conditional. Access tier for specific share. Required if the Storage Account kind is set to FileStorage (should be set to \"Premium\"). GpV2 account can choose between TransactionOptimized (default), Hot, and Cool." - } - }, - "shareQuota": { - "type": "int", - "defaultValue": 5120, - "metadata": { - "description": "Optional. The maximum size of the share, in gigabytes. Must be greater than 0, and less than or equal to 5120 (5TB). For Large File Shares, the maximum size is 102400 (100TB)." - } - }, - "enabledProtocols": { - "type": "string", - "defaultValue": "SMB", - "allowedValues": [ - "NFS", - "SMB" - ], - "metadata": { - "description": "Optional. The authentication protocol that is used for the file share. Can only be specified when creating a share." 
- } - }, - "rootSquash": { - "type": "string", - "defaultValue": "NoRootSquash", - "allowedValues": [ - "AllSquash", - "NoRootSquash", - "RootSquash" - ], - "metadata": { - "description": "Optional. Permissions for NFS file shares are enforced by the client OS rather than the Azure Files service. Toggling the root squash behavior reduces the rights of the root user for NFS shares." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": { - "storageAccount::fileService": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts/fileServices", - "apiVersion": "2021-09-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), parameters('fileServicesName'))]", - "dependsOn": [ - "storageAccount" - ] - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2021-09-01", - "name": "[parameters('storageAccountName')]" - }, - "fileShare": { - "type": "Microsoft.Storage/storageAccounts/fileServices/shares", - "apiVersion": "2023-01-01", - "name": "[format('{0}/{1}/{2}', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]", - "properties": { - "accessTier": "[parameters('accessTier')]", - 
"shareQuota": "[parameters('shareQuota')]", - "rootSquash": "[if(equals(parameters('enabledProtocols'), 'NFS'), parameters('rootSquash'), null())]", - "enabledProtocols": "[parameters('enabledProtocols')]" - }, - "dependsOn": [ - "storageAccount::fileService" - ] - }, - "fileShare_roleAssignments": { - "condition": "[not(empty(parameters('roleAssignments')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Share-Rbac', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "fileShareResourceId": { - "value": "[resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]" - }, - "roleAssignments": { - "value": "[parameters('roleAssignments')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "12925188407376905475" - } - }, - "parameters": { - "roleAssignments": { - "type": "array", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "fileShareResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource id of the file share to assign the roles to." - } - } - }, - "variables": { - "$fxv#0": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "scope": { - "type": "string", - "metadata": { - "description": "Required. The scope to deploy the role assignment to." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the role assignment." 
- } - }, - "roleDefinitionId": { - "type": "string", - "metadata": { - "description": "Required. The role definition Id to assign." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User", - "" - ], - "defaultValue": "", - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "defaultValue": "2.0", - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." 
- } - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[[parameters('scope')]", - "name": "[[parameters('name')]", - "properties": { - "roleDefinitionId": "[[parameters('roleDefinitionId')]", - "principalId": "[[parameters('principalId')]", - "description": "[[parameters('description')]", - "principalType": "[[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - }, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", - "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", - "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'76199698-9eea-4c19-bc75-cec21354c6b6')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "fileShare_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('{0}-Share-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "Outer" - }, - "template": "[variables('$fxv#0')]", - "parameters": { - "scope": { - "value": "[replace(parameters('fileShareResourceId'), '/shares/', '/fileShares/')]" - }, - "name": { - "value": "[guid(parameters('fileShareResourceId'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, 'tyfa')]" - }, - "roleDefinitionId": { - "value": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]" - }, - "principalId": { - "value": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]" - }, - "principalType": { - "value": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]" - }, - 
"description": { - "value": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]" - }, - "condition": { - "value": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]" - }, - "conditionVersion": { - "value": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]" - }, - "delegatedManagedIdentityResourceId": { - "value": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - } - } - } - } - ] - } - }, - "dependsOn": [ - "fileShare" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed file share." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed file share." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed file share." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/storage/storage-account/file-service/share/modules/nested_inner_roleAssignment.json b/modules/storage/storage-account/file-service/share/modules/nested_inner_roleAssignment.json deleted file mode 100644 index 12470dd7d0..0000000000 --- a/modules/storage/storage-account/file-service/share/modules/nested_inner_roleAssignment.json +++ /dev/null 
@@ -1,93 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "scope": {
- "type": "string",
- "metadata": {
- "description": "Required. The scope to deploy the role assignment to."
- }
- },
- "name": {
- "type": "string",
- "metadata": {
- "description": "Required. The name of the role assignment."
- }
- },
- "roleDefinitionId": {
- "type": "string",
- "metadata": {
- "description": "Required. The role definition Id to assign."
- }
- },
- "principalId": {
- "type": "string",
- "metadata": {
- "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to."
- }
- },
- "principalType": {
- "type": "string",
- "allowedValues": [
- "Device",
- "ForeignGroup",
- "Group",
- "ServicePrincipal",
- "User",
- ""
- ],
- "defaultValue": "",
- "metadata": {
- "description": "Optional. The principal type of the assigned principal ID."
- }
- },
- "description": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. The description of the role assignment."
- }
- },
- "condition": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\""
- }
- },
- "conditionVersion": {
- "type": "string",
- "allowedValues": [
- "2.0"
- ],
- "defaultValue": "2.0",
- "metadata": {
- "description": "Optional. Version of the condition."
- }
- },
- "delegatedManagedIdentityResourceId": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. The Resource Id of the delegated managed identity resource."
- }
- }
- },
- "resources": [
- {
- "type": "Microsoft.Authorization/roleAssignments",
- "apiVersion": "2022-04-01",
- "scope": "[parameters('scope')]",
- "name": "[parameters('name')]",
- "properties": {
- "roleDefinitionId": "[parameters('roleDefinitionId')]",
- "principalId": "[parameters('principalId')]",
- "description": "[parameters('description')]",
- "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]",
- "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]",
- "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]",
- "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]"
- }
- }
- ]
-}
diff --git a/modules/storage/storage-account/file-service/share/modules/nested_roleAssignment.bicep b/modules/storage/storage-account/file-service/share/modules/nested_roleAssignment.bicep
deleted file mode 100644
index a557511193..0000000000
--- a/modules/storage/storage-account/file-service/share/modules/nested_roleAssignment.bicep
+++ /dev/null
@@ -1,70 +0,0 @@
-@description('Optional. Array of role assignments to create.')
-param roleAssignments array
-
-@description('Required. The resource id of the file share to assign the roles to.')
-param fileShareResourceId string
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Reader and Data Access': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'Storage Account Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')
- 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')
- 'Storage Account Key Operator Service Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')
- 'Storage Blob Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
- 'Storage Blob Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')
- 'Storage Blob Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')
- 'Storage Blob Delegator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')
- 'Storage File Data SMB Share Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')
- 'Storage File Data SMB Share Elevated Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')
- 'Storage File Data SMB Share Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')
- 'Storage Queue Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')
- 'Storage Queue Data Message Processor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')
- 'Storage Queue Data Message Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')
- 'Storage Queue Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')
- 'Storage Table Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')
- 'Storage Table Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource fileShare_roleAssignments 'Microsoft.Resources/deployments@2021-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: '${uniqueString(deployment().name)}-Share-Rbac-${index}'
- properties: {
- mode: 'Incremental'
- expressionEvaluationOptions: {
- scope: 'Outer'
- }
- template: loadJsonContent('nested_inner_roleAssignment.json')
- parameters: {
- scope: {
- value: replace(fileShareResourceId, '/shares/', '/fileShares/')
- }
- name: {
- value: guid(fileShareResourceId, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName, 'tyfa')
- }
- roleDefinitionId: {
- value: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- }
- principalId: {
- value: roleAssignment.principalId
- }
- principalType: {
- value: roleAssignment.?principalType
- }
- description: {
- value: roleAssignment.?description
- }
- condition: {
- value: roleAssignment.?condition
- }
- conditionVersion: {
- value: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- }
- delegatedManagedIdentityResourceId: {
- value: roleAssignment.?delegatedManagedIdentityResourceId
- }
- }
- }
-}]
diff --git a/modules/storage/storage-account/file-service/share/version.json b/modules/storage/storage-account/file-service/share/version.json
deleted file mode 100644
index 04a0dd1a80..0000000000
--- a/modules/storage/storage-account/file-service/share/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.5",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/storage/storage-account/file-service/version.json b/modules/storage/storage-account/file-service/version.json
deleted file mode 100644
index 04a0dd1a80..0000000000
--- a/modules/storage/storage-account/file-service/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.5",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/storage/storage-account/local-user/README.md b/modules/storage/storage-account/local-user/README.md
deleted file mode 100644
index f6ddd9aa7a..0000000000
--- a/modules/storage/storage-account/local-user/README.md
+++ /dev/null
@@ -1,122 +0,0 @@
-# Storage Account Local Users `[Microsoft.Storage/storageAccounts/localUsers]`
-
-This module deploys a Storage Account Local User, which is used for SFTP authentication.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Storage/storageAccounts/localUsers` | [2022-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2022-05-01/storageAccounts/localUsers) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`hasSshKey`](#parameter-hassshkey) | bool | Indicates whether SSH key exists. Set it to false to remove existing SSH key. |
-| [`hasSshPassword`](#parameter-hassshpassword) | bool | Indicates whether SSH password exists. Set it to false to remove existing SSH password. |
-| [`name`](#parameter-name) | string | The name of the local user used for SFTP Authentication. |
-| [`permissionScopes`](#parameter-permissionscopes) | array | The permission scopes of the local user. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`storageAccountName`](#parameter-storageaccountname) | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`hasSharedKey`](#parameter-hassharedkey) | bool | Indicates whether shared key exists. Set it to false to remove existing shared key. |
-| [`homeDirectory`](#parameter-homedirectory) | string | The local user home directory. |
-| [`sshAuthorizedKeys`](#parameter-sshauthorizedkeys) | array | The local user SSH authorized keys for SFTP. |
-
-### Parameter: `hasSshKey`
-
-Indicates whether SSH key exists. Set it to false to remove existing SSH key.
-
-- Required: Yes
-- Type: bool
-
-### Parameter: `hasSshPassword`
-
-Indicates whether SSH password exists. Set it to false to remove existing SSH password.
-
-- Required: Yes
-- Type: bool
-
-### Parameter: `name`
-
-The name of the local user used for SFTP Authentication.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `permissionScopes`
-
-The permission scopes of the local user.
-
-- Required: Yes
-- Type: array
-
-### Parameter: `storageAccountName`
-
-The name of the parent Storage Account. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `hasSharedKey`
-
-Indicates whether shared key exists. Set it to false to remove existing shared key.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `homeDirectory`
-
-The local user home directory.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `sshAuthorizedKeys`
-
-The local user SSH authorized keys for SFTP.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed local user. |
-| `resourceGroupName` | string | The resource group of the deployed local user. |
-| `resourceId` | string | The resource ID of the deployed local user. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/storage/storage-account/local-user/main.bicep b/modules/storage/storage-account/local-user/main.bicep
deleted file mode 100644
index 0b6304b7c4..0000000000
--- a/modules/storage/storage-account/local-user/main.bicep
+++ /dev/null
@@ -1,69 +0,0 @@
-metadata name = 'Storage Account Local Users'
-metadata description = 'This module deploys a Storage Account Local User, which is used for SFTP authentication.'
-metadata owner = 'Azure/module-maintainers'
-
-@maxLength(24)
-@description('Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment.')
-param storageAccountName string
-
-@description('Required. The name of the local user used for SFTP Authentication.')
-param name string
-
-@description('Optional. Indicates whether shared key exists. Set it to false to remove existing shared key.')
-param hasSharedKey bool = false
-
-@description('Required. Indicates whether SSH key exists. Set it to false to remove existing SSH key.')
-param hasSshKey bool
-
-@description('Required. Indicates whether SSH password exists. Set it to false to remove existing SSH password.')
-param hasSshPassword bool
-
-@description('Optional. The local user home directory.')
-param homeDirectory string = ''
-
-@description('Required. The permission scopes of the local user.')
-param permissionScopes array
-
-@description('Optional. The local user SSH authorized keys for SFTP.')
-param sshAuthorizedKeys array = []
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' existing = {
- name: storageAccountName
-}
-
-resource localUsers 'Microsoft.Storage/storageAccounts/localUsers@2022-05-01' = {
- name: name
- parent: storageAccount
- properties: {
- hasSharedKey: hasSharedKey
- hasSshKey: hasSshKey
- hasSshPassword: hasSshPassword
- homeDirectory: homeDirectory
- permissionScopes: permissionScopes
- sshAuthorizedKeys: !empty(sshAuthorizedKeys) ? sshAuthorizedKeys : null
- }
-}
-
-@description('The name of the deployed local user.')
-output name string = localUsers.name
-
-@description('The resource group of the deployed local user.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The resource ID of the deployed local user.')
-output resourceId string = localUsers.id
diff --git a/modules/storage/storage-account/local-user/main.json b/modules/storage/storage-account/local-user/main.json
deleted file mode 100644
index 741cf04608..0000000000
--- a/modules/storage/storage-account/local-user/main.json
+++ /dev/null
@@ -1,127 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "metadata": {
- "_generator": {
- "name": "bicep",
- "version": "0.24.24.22086",
- "templateHash": "9451599245128557073"
- },
- "name": "Storage Account Local Users",
- "description": "This module deploys a Storage Account Local User, which is used for SFTP authentication.",
- "owner": "Azure/module-maintainers"
- },
- "parameters": {
- "storageAccountName": {
- "type": "string",
- "maxLength": 24,
- "metadata": {
- "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment."
- }
- },
- "name": {
- "type": "string",
- "metadata": {
- "description": "Required. The name of the local user used for SFTP Authentication."
- }
- },
- "hasSharedKey": {
- "type": "bool",
- "defaultValue": false,
- "metadata": {
- "description": "Optional. Indicates whether shared key exists. Set it to false to remove existing shared key."
- }
- },
- "hasSshKey": {
- "type": "bool",
- "metadata": {
- "description": "Required. Indicates whether SSH key exists. Set it to false to remove existing SSH key."
- }
- },
- "hasSshPassword": {
- "type": "bool",
- "metadata": {
- "description": "Required. Indicates whether SSH password exists. Set it to false to remove existing SSH password."
- }
- },
- "homeDirectory": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. The local user home directory."
- }
- },
- "permissionScopes": {
- "type": "array",
- "metadata": {
- "description": "Required. The permission scopes of the local user."
- }
- },
- "sshAuthorizedKeys": {
- "type": "array",
- "defaultValue": [],
- "metadata": {
- "description": "Optional. The local user SSH authorized keys for SFTP."
- }
- },
- "enableDefaultTelemetry": {
- "type": "bool",
- "defaultValue": true,
- "metadata": {
- "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)."
- }
- }
- },
- "resources": [
- {
- "condition": "[parameters('enableDefaultTelemetry')]",
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2021-04-01",
- "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]",
- "properties": {
- "mode": "Incremental",
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "resources": []
- }
- }
- },
- {
- "type": "Microsoft.Storage/storageAccounts/localUsers",
- "apiVersion": "2022-05-01",
- "name": "[format('{0}/{1}', parameters('storageAccountName'), parameters('name'))]",
- "properties": {
- "hasSharedKey": "[parameters('hasSharedKey')]",
- "hasSshKey": "[parameters('hasSshKey')]",
- "hasSshPassword": "[parameters('hasSshPassword')]",
- "homeDirectory": "[parameters('homeDirectory')]",
- "permissionScopes": "[parameters('permissionScopes')]",
- "sshAuthorizedKeys": "[if(not(empty(parameters('sshAuthorizedKeys'))), parameters('sshAuthorizedKeys'), null())]"
- }
- }
- ],
- "outputs": {
- "name": {
- "type": "string",
- "metadata": {
- "description": "The name of the deployed local user."
- },
- "value": "[parameters('name')]"
- },
- "resourceGroupName": {
- "type": "string",
- "metadata": {
- "description": "The resource group of the deployed local user."
- },
- "value": "[resourceGroup().name]"
- },
- "resourceId": {
- "type": "string",
- "metadata": {
- "description": "The resource ID of the deployed local user."
- },
- "value": "[resourceId('Microsoft.Storage/storageAccounts/localUsers', parameters('storageAccountName'), parameters('name'))]"
- }
- }
-}
\ No newline at end of file
diff --git a/modules/storage/storage-account/local-user/version.json b/modules/storage/storage-account/local-user/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/storage/storage-account/local-user/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/storage/storage-account/main.bicep b/modules/storage/storage-account/main.bicep
deleted file mode 100644
index 81f8427eda..0000000000
--- a/modules/storage/storage-account/main.bicep
+++ /dev/null
@@ -1,631 +0,0 @@ -metadata name = 'Storage Accounts' -metadata description = 'This module deploys a Storage Account.' -metadata owner = 'Azure/module-maintainers' - -@maxLength(24) -@description('Required. Name of the Storage Account.') -param name string - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. The managed identity definition for this resource.') -param managedIdentities managedIdentitiesType - -@allowed([ - 'Storage' - 'StorageV2' - 'BlobStorage' - 'FileStorage' - 'BlockBlobStorage' -]) -@description('Optional. Type of Storage Account to create.') -param kind string = 'StorageV2' - -@allowed([ - 'Standard_LRS' - 'Standard_GRS' - 'Standard_RAGRS' - 'Standard_ZRS' - 'Premium_LRS' - 'Premium_ZRS' - 'Standard_GZRS' - 'Standard_RAGZRS' -]) -@description('Optional. Storage Account Sku Name.') -param skuName string = 'Standard_GRS' - -@allowed([ - 'Premium' - 'Hot' - 'Cool' -]) -@description('Conditional. Required if the Storage Account kind is set to BlobStorage. The access tier is used for billing. The "Premium" access tier is the default value for premium block blobs storage account type and it cannot be changed for the premium block blobs storage account type.') -param accessTier string = 'Hot' - -@allowed([ - 'Disabled' - 'Enabled' -]) -@description('Optional. Allow large file shares if sets to \'Enabled\'. It cannot be disabled once it is enabled. Only supported on locally redundant and zone redundant file shares. It cannot be set on FileStorage storage accounts (storage accounts for premium file shares).') -param largeFileSharesState string = 'Disabled' - -@description('Optional. Provides the identity based authentication settings for Azure Files.') -param azureFilesIdentityBasedAuthentication object = {} - -@description('Optional. 
A boolean flag which indicates whether the default authentication is OAuth or not.') -param defaultToOAuthAuthentication bool = false - -@description('Optional. Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true.') -param allowSharedKeyAccess bool = true - -@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') -param privateEndpoints privateEndpointType - -@description('Optional. The Storage Account ManagementPolicies Rules.') -param managementPolicyRules array = [] - -@description('Optional. Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny.') -param networkAcls object = {} - -@description('Optional. A Boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true.') -param requireInfrastructureEncryption bool = true - -@description('Optional. Allow or disallow cross AAD tenant object replication.') -param allowCrossTenantReplication bool = true - -@description('Optional. Sets the custom domain name assigned to the storage account. Name is the CNAME source.') -param customDomainName string = '' - -@description('Optional. Indicates whether indirect CName validation is enabled. This should only be set on updates.') -param customDomainUseSubDomainName bool = false - -@description('Optional. Allows you to specify the type of endpoint. 
Set this to AzureDNSZone to create a large number of accounts in a single subscription, which creates accounts in an Azure DNS Zone and the endpoint URL will have an alphanumeric DNS Zone identifier.') -@allowed([ - '' - 'AzureDnsZone' - 'Standard' -]) -param dnsEndpointType string = '' - -@description('Optional. Blob service and containers to deploy.') -param blobServices object = {} - -@description('Optional. File service and shares to deploy.') -param fileServices object = {} - -@description('Optional. Queue service and queues to create.') -param queueServices object = {} - -@description('Optional. Table service and tables to create.') -param tableServices object = {} - -@description('Optional. Indicates whether public access is enabled for all blobs or containers in the storage account. For security reasons, it is recommended to set it to false.') -param allowBlobPublicAccess bool = false - -@allowed([ - 'TLS1_0' - 'TLS1_1' - 'TLS1_2' -]) -@description('Optional. Set the minimum TLS version on request to storage.') -param minimumTlsVersion string = 'TLS1_2' - -@description('Conditional. If true, enables Hierarchical Namespace for the storage account. Required if enableSftp or enableNfsV3 is set to true.') -param enableHierarchicalNamespace bool = false - -@description('Optional. If true, enables Secure File Transfer Protocol for the storage account. Requires enableHierarchicalNamespace to be true.') -param enableSftp bool = false - -@description('Optional. Local users to deploy for SFTP authentication.') -param localUsers array = [] - -@description('Optional. Enables local users feature, if set to true.') -param isLocalUserEnabled bool = false - -@description('Optional. If true, enables NFS 3.0 support for the storage account. Requires enableHierarchicalNamespace to be true.') -param enableNfsV3 bool = false - -@description('Optional. The diagnostic settings of the service.') -param diagnosticSettings diagnosticSettingType - -@description('Optional. 
The lock settings of the service.') -param lock lockType - -@description('Optional. Tags of the resource.') -param tags object? - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet.') -@allowed([ - '' - 'AAD' - 'PrivateLink' -]) -param allowedCopyScope string = '' - -@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set.') -@allowed([ - '' - 'Enabled' - 'Disabled' -]) -param publicNetworkAccess string = '' - -@description('Optional. Allows HTTPS traffic only to storage service if sets to true.') -param supportsHttpsTrafficOnly bool = true - -@description('Optional. The customer managed key definition.') -param customerManagedKey customerManagedKeyType - -@description('Optional. The SAS expiration period. DD.HH:MM:SS.') -param sasExpirationPeriod string = '' - -var supportsBlobService = kind == 'BlockBlobStorage' || kind == 'BlobStorage' || kind == 'StorageV2' || kind == 'Storage' -var supportsFileService = kind == 'FileStorage' || kind == 'StorageV2' || kind == 'Storage' - -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } - -var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) - userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? 
formattedUserAssignedIdentities : null -} : null - -var enableReferencedModulesTelemetry = false - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Reader and Data Access': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Storage Account Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Storage Account Key Operator Service Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12') - 'Storage Blob Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe') - 'Storage Blob Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b') - 'Storage Blob Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1') - 'Storage Blob Delegator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a') - 'Storage File Data SMB Share Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb') - 'Storage File Data SMB Share Elevated Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7') - 'Storage File Data SMB Share Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314') - 'Storage Queue Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88') - 'Storage Queue Data Message Processor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed') - 'Storage Queue Data Message Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a') - 'Storage Queue Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925') - 'Storage Table Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3') - 'Storage Table Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) { - name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/')) - scope: resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? 
'////'), '/')[4]) - - resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) { - name: customerManagedKey.?keyName ?? 'dummyKey' - } -} - -resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) { - name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 'dummyMsi', '/')) - scope: resourceGroup(split((customerManagedKey.?userAssignedIdentityResourceId ?? '//'), '/')[2], split((customerManagedKey.?userAssignedIdentityResourceId ?? '////'), '/')[4]) -} - -resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = { - name: name - location: location - kind: kind - sku: { - name: skuName - } - identity: identity - tags: tags - properties: { - allowSharedKeyAccess: allowSharedKeyAccess - defaultToOAuthAuthentication: defaultToOAuthAuthentication - allowCrossTenantReplication: allowCrossTenantReplication - allowedCopyScope: !empty(allowedCopyScope) ? allowedCopyScope : null - customDomain: { - name: customDomainName - useSubDomainName: customDomainUseSubDomainName - } - dnsEndpointType: !empty(dnsEndpointType) ? dnsEndpointType : null - isLocalUserEnabled: isLocalUserEnabled - encryption: { - keySource: !empty(customerManagedKey) ? 'Microsoft.Keyvault' : 'Microsoft.Storage' - services: { - blob: supportsBlobService ? { - enabled: true - } : null - file: supportsFileService ? { - enabled: true - } : null - table: { - enabled: true - } - queue: { - enabled: true - } - } - requireInfrastructureEncryption: kind != 'Storage' ? requireInfrastructureEncryption : null - keyvaultproperties: !empty(customerManagedKey) ? { - keyname: customerManagedKey!.keyName - keyvaulturi: cMKKeyVault.properties.vaultUri - keyversion: !empty(customerManagedKey.?keyVersion ?? '') ? 
customerManagedKey!.keyVersion : last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/')) - } : null - identity: !empty(customerManagedKey.?userAssignedIdentityResourceId) ? { - userAssignedIdentity: cMKUserAssignedIdentity.id - } : null - } - accessTier: kind != 'Storage' ? accessTier : null - sasPolicy: !empty(sasExpirationPeriod) ? { - expirationAction: 'Log' - sasExpirationPeriod: sasExpirationPeriod - } : null - supportsHttpsTrafficOnly: supportsHttpsTrafficOnly - isHnsEnabled: enableHierarchicalNamespace ? enableHierarchicalNamespace : null - isSftpEnabled: enableSftp - isNfsV3Enabled: enableNfsV3 ? enableNfsV3 : any('') - largeFileSharesState: (skuName == 'Standard_LRS') || (skuName == 'Standard_ZRS') ? largeFileSharesState : null - minimumTlsVersion: minimumTlsVersion - networkAcls: !empty(networkAcls) ? { - bypass: contains(networkAcls, 'bypass') ? networkAcls.bypass : null - defaultAction: contains(networkAcls, 'defaultAction') ? networkAcls.defaultAction : null - virtualNetworkRules: contains(networkAcls, 'virtualNetworkRules') ? networkAcls.virtualNetworkRules : [] - ipRules: contains(networkAcls, 'ipRules') ? networkAcls.ipRules : [] - } : null - allowBlobPublicAccess: allowBlobPublicAccess - publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) && empty(networkAcls) ? 'Disabled' : null) - azureFilesIdentityBasedAuthentication: !empty(azureFilesIdentityBasedAuthentication) ? azureFilesIdentityBasedAuthentication : null - } -} - -resource storageAccount_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { - name: diagnosticSetting.?name ?? 
'${name}-diagnosticSettings' - properties: { - storageAccountId: diagnosticSetting.?storageAccountResourceId - workspaceId: diagnosticSetting.?workspaceResourceId - eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId - eventHubName: diagnosticSetting.?eventHubName - metrics: diagnosticSetting.?metricCategories ?? [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - } - ] - marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId - logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType - } - scope: storageAccount -}] - -resource storageAccount_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' - } - scope: storageAccount -} - -resource storageAccount_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(storageAccount.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? 
'2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: storageAccount -}] - -module storageAccount_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): { - name: '${uniqueString(deployment().name, location)}-storageAccount-PrivateEndpoint-${index}' - params: { - groupIds: [ - privateEndpoint.service - ] - name: privateEndpoint.?name ?? 'pep-${last(split(storageAccount.id, '/'))}-${privateEndpoint.?service ?? privateEndpoint.service}-${index}' - serviceResourceId: storageAccount.id - subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry - location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: privateEndpoint.?lock ?? lock - privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName - privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds - roleAssignments: privateEndpoint.?roleAssignments - tags: privateEndpoint.?tags ?? 
tags - manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections - customDnsConfigs: privateEndpoint.?customDnsConfigs - ipConfigurations: privateEndpoint.?ipConfigurations - applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds - customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName - } -}] - -// Lifecycle Policy -module storageAccount_managementPolicies 'management-policy/main.bicep' = if (!empty(managementPolicyRules)) { - name: '${uniqueString(deployment().name, location)}-Storage-ManagementPolicies' - params: { - storageAccountName: storageAccount.name - rules: managementPolicyRules - enableDefaultTelemetry: enableReferencedModulesTelemetry - } - dependsOn: [ - storageAccount_blobServices // To ensure the lastAccessTimeTrackingPolicy is set first (if used in rule) - ] -} - -// SFTP user settings -module storageAccount_localUsers 'local-user/main.bicep' = [for (localUser, index) in localUsers: { - name: '${uniqueString(deployment().name, location)}-Storage-LocalUsers-${index}' - params: { - storageAccountName: storageAccount.name - name: localUser.name - hasSshKey: localUser.hasSshKey - hasSshPassword: localUser.hasSshPassword - permissionScopes: localUser.permissionScopes - hasSharedKey: contains(localUser, 'hasSharedKey') ? localUser.hasSharedKey : false - homeDirectory: contains(localUser, 'homeDirectory') ? localUser.homeDirectory : '' - sshAuthorizedKeys: contains(localUser, 'sshAuthorizedKeys') ? localUser.sshAuthorizedKeys : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -// Containers -module storageAccount_blobServices 'blob-service/main.bicep' = if (!empty(blobServices)) { - name: '${uniqueString(deployment().name, location)}-Storage-BlobServices' - params: { - storageAccountName: storageAccount.name - containers: contains(blobServices, 'containers') ? 
blobServices.containers : [] - automaticSnapshotPolicyEnabled: contains(blobServices, 'automaticSnapshotPolicyEnabled') ? blobServices.automaticSnapshotPolicyEnabled : false - changeFeedEnabled: contains(blobServices, 'changeFeedEnabled') ? blobServices.changeFeedEnabled : false - changeFeedRetentionInDays: blobServices.?changeFeedRetentionInDays - containerDeleteRetentionPolicyEnabled: contains(blobServices, 'containerDeleteRetentionPolicyEnabled') ? blobServices.containerDeleteRetentionPolicyEnabled : false - containerDeleteRetentionPolicyDays: blobServices.?containerDeleteRetentionPolicyDays - containerDeleteRetentionPolicyAllowPermanentDelete: contains(blobServices, 'containerDeleteRetentionPolicyAllowPermanentDelete') ? blobServices.containerDeleteRetentionPolicyAllowPermanentDelete : false - corsRules: contains(blobServices, 'corsRules') ? blobServices.corsRules : [] - defaultServiceVersion: contains(blobServices, 'defaultServiceVersion') ? blobServices.defaultServiceVersion : '' - deleteRetentionPolicyAllowPermanentDelete: contains(blobServices, 'deleteRetentionPolicyAllowPermanentDelete') ? blobServices.deleteRetentionPolicyAllowPermanentDelete : false - deleteRetentionPolicyEnabled: contains(blobServices, 'deleteRetentionPolicyEnabled') ? blobServices.deleteRetentionPolicyEnabled : false - deleteRetentionPolicyDays: blobServices.?deleteRetentionPolicyDays - isVersioningEnabled: contains(blobServices, 'isVersioningEnabled') ? blobServices.isVersioningEnabled : false - lastAccessTimeTrackingPolicyEnabled: contains(blobServices, 'lastAccessTimeTrackingPolicyEnabled') ? blobServices.lastAccessTimeTrackingPolicyEnabled : false - restorePolicyEnabled: contains(blobServices, 'restorePolicyEnabled') ? 
blobServices.restorePolicyEnabled : false
- restorePolicyDays: blobServices.?restorePolicyDays
- diagnosticSettings: blobServices.?diagnosticSettings
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-// File Shares
-module storageAccount_fileServices 'file-service/main.bicep' = if (!empty(fileServices)) {
- name: '${uniqueString(deployment().name, location)}-Storage-FileServices'
- params: {
- storageAccountName: storageAccount.name
- diagnosticSettings: blobServices.?diagnosticSettings
- protocolSettings: contains(fileServices, 'protocolSettings') ? fileServices.protocolSettings : {}
- shareDeleteRetentionPolicy: contains(fileServices, 'shareDeleteRetentionPolicy') ? fileServices.shareDeleteRetentionPolicy : {
- enabled: true
- days: 7
- }
- shares: contains(fileServices, 'shares') ? fileServices.shares : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-// Queue
-module storageAccount_queueServices 'queue-service/main.bicep' = if (!empty(queueServices)) {
- name: '${uniqueString(deployment().name, location)}-Storage-QueueServices'
- params: {
- storageAccountName: storageAccount.name
- diagnosticSettings: blobServices.?diagnosticSettings
- queues: contains(queueServices, 'queues') ? queueServices.queues : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-// Table
-module storageAccount_tableServices 'table-service/main.bicep' = if (!empty(tableServices)) {
- name: '${uniqueString(deployment().name, location)}-Storage-TableServices'
- params: {
- storageAccountName: storageAccount.name
- diagnosticSettings: blobServices.?diagnosticSettings
- tables: contains(tableServices, 'tables') ?
tableServices.tables : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-@description('The resource ID of the deployed storage account.')
-output resourceId string = storageAccount.id
-
-@description('The name of the deployed storage account.')
-output name string = storageAccount.name
-
-@description('The resource group of the deployed storage account.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The primary blob endpoint reference if blob services are deployed.')
-output primaryBlobEndpoint string = !empty(blobServices) && contains(blobServices, 'containers') ? reference('Microsoft.Storage/storageAccounts/${storageAccount.name}', '2019-04-01').primaryEndpoints.blob : ''
-
-@description('The principal ID of the system assigned identity.')
-output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(storageAccount.identity, 'principalId') ? storageAccount.identity.principalId : ''
-
-@description('The location the resource was deployed into.')
-output location string = storageAccount.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]?
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign.
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type privateEndpointType = {
- @description('Optional. The name of the private endpoint.')
- name: string?
-
- @description('Optional. The location to deploy the private endpoint to.')
- location: string?
-
- @description('Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
- service: string
-
- @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
- subnetResourceId: string
-
- @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
- privateDnsZoneGroupName: string?
-
- @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
- privateDnsZoneResourceIds: string[]?
-
- @description('Optional.
Custom DNS configurations.')
- customDnsConfigs: {
- @description('Required. Fqdn that resolves to private endpoint ip address.')
- fqdn: string?
-
- @description('Required. A list of private ip addresses of the private endpoint.')
- ipAddresses: string[]
- }[]?
-
- @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
- ipConfigurations: {
- @description('Required. The name of the resource that is unique within a resource group.')
- name: string
-
- @description('Required. Properties of private endpoint IP configurations.')
- properties: {
- @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
- groupId: string
-
- @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
- memberName: string
-
- @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
- privateIPAddress: string
- }
- }[]?
-
- @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
- applicationSecurityGroupResourceIds: string[]?
-
- @description('Optional. The custom name of the network interface attached to the private endpoint.')
- customNetworkInterfaceName: string?
-
- @description('Optional. Specify the type of lock.')
- lock: lockType
-
- @description('Optional. Array of role assignments to create.')
- roleAssignments: roleAssignmentType
-
- @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
- tags: object?
-
- @description('Optional. Manual PrivateLink Service Connections.')
- manualPrivateLinkServiceConnections: array?
-
- @description('Optional. Enable/Disable usage telemetry for module.')
- enableTelemetry: bool?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional.
The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
-
-type customerManagedKeyType = {
- @description('Required.
The resource ID of a key vault to reference a customer managed key for encryption from.')
- keyVaultResourceId: string
-
- @description('Required. The name of the customer managed key to use for encryption.')
- keyName: string
-
- @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.')
- keyVersion: string?
-
- @description('Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use.')
- userAssignedIdentityResourceId: string?
-}?
diff --git a/modules/storage/storage-account/main.json b/modules/storage/storage-account/main.json
deleted file mode 100644
index d51f4396a4..0000000000
--- a/modules/storage/storage-account/main.json
+++ /dev/null
@@ -1,4416 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "18392898268305996931" - }, - "name": "Storage Accounts", - "description": "This module deploys a Storage Account.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "metadata": { - "description": "Required. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." 
- } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. 
Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. 
Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - }, - "customerManagedKeyType": { - "type": "object", - "properties": { - "keyVaultResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." - } - }, - "keyName": { - "type": "string", - "metadata": { - "description": "Required. The name of the customer managed key to use for encryption." - } - }, - "keyVersion": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." - } - }, - "userAssignedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use." - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Required. Name of the Storage Account." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." 
- } - }, - "kind": { - "type": "string", - "defaultValue": "StorageV2", - "allowedValues": [ - "Storage", - "StorageV2", - "BlobStorage", - "FileStorage", - "BlockBlobStorage" - ], - "metadata": { - "description": "Optional. Type of Storage Account to create." - } - }, - "skuName": { - "type": "string", - "defaultValue": "Standard_GRS", - "allowedValues": [ - "Standard_LRS", - "Standard_GRS", - "Standard_RAGRS", - "Standard_ZRS", - "Premium_LRS", - "Premium_ZRS", - "Standard_GZRS", - "Standard_RAGZRS" - ], - "metadata": { - "description": "Optional. Storage Account Sku Name." - } - }, - "accessTier": { - "type": "string", - "defaultValue": "Hot", - "allowedValues": [ - "Premium", - "Hot", - "Cool" - ], - "metadata": { - "description": "Conditional. Required if the Storage Account kind is set to BlobStorage. The access tier is used for billing. The \"Premium\" access tier is the default value for premium block blobs storage account type and it cannot be changed for the premium block blobs storage account type." - } - }, - "largeFileSharesState": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Allow large file shares if sets to 'Enabled'. It cannot be disabled once it is enabled. Only supported on locally redundant and zone redundant file shares. It cannot be set on FileStorage storage accounts (storage accounts for premium file shares)." - } - }, - "azureFilesIdentityBasedAuthentication": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Provides the identity based authentication settings for Azure Files." - } - }, - "defaultToOAuthAuthentication": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. A boolean flag which indicates whether the default authentication is OAuth or not." 
- } - }, - "allowSharedKeyAccess": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." - } - }, - "managementPolicyRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The Storage Account ManagementPolicies Rules." - } - }, - "networkAcls": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny." - } - }, - "requireInfrastructureEncryption": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. A Boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true." - } - }, - "allowCrossTenantReplication": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Allow or disallow cross AAD tenant object replication." - } - }, - "customDomainName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Sets the custom domain name assigned to the storage account. Name is the CNAME source." - } - }, - "customDomainUseSubDomainName": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. 
Indicates whether indirect CName validation is enabled. This should only be set on updates." - } - }, - "dnsEndpointType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "AzureDnsZone", - "Standard" - ], - "metadata": { - "description": "Optional. Allows you to specify the type of endpoint. Set this to AzureDNSZone to create a large number of accounts in a single subscription, which creates accounts in an Azure DNS Zone and the endpoint URL will have an alphanumeric DNS Zone identifier." - } - }, - "blobServices": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Blob service and containers to deploy." - } - }, - "fileServices": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. File service and shares to deploy." - } - }, - "queueServices": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Queue service and queues to create." - } - }, - "tableServices": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Table service and tables to create." - } - }, - "allowBlobPublicAccess": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates whether public access is enabled for all blobs or containers in the storage account. For security reasons, it is recommended to set it to false." - } - }, - "minimumTlsVersion": { - "type": "string", - "defaultValue": "TLS1_2", - "allowedValues": [ - "TLS1_0", - "TLS1_1", - "TLS1_2" - ], - "metadata": { - "description": "Optional. Set the minimum TLS version on request to storage." - } - }, - "enableHierarchicalNamespace": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Conditional. If true, enables Hierarchical Namespace for the storage account. Required if enableSftp or enableNfsV3 is set to true." 
- } - }, - "enableSftp": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. If true, enables Secure File Transfer Protocol for the storage account. Requires enableHierarchicalNamespace to be true." - } - }, - "localUsers": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Local users to deploy for SFTP authentication." - } - }, - "isLocalUserEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables local users feature, if set to true." - } - }, - "enableNfsV3": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. If true, enables NFS 3.0 support for the storage account. Requires enableHierarchicalNamespace to be true." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "allowedCopyScope": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "AAD", - "PrivateLink" - ], - "metadata": { - "description": "Optional. Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. 
If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set." - } - }, - "supportsHttpsTrafficOnly": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Allows HTTPS traffic only to storage service if sets to true." - } - }, - "customerManagedKey": { - "$ref": "#/definitions/customerManagedKeyType", - "metadata": { - "description": "Optional. The customer managed key definition." - } - }, - "sasExpirationPeriod": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The SAS expiration period. DD.HH:MM:SS." - } - } - }, - "variables": { - "supportsBlobService": "[or(or(or(equals(parameters('kind'), 'BlockBlobStorage'), equals(parameters('kind'), 'BlobStorage')), equals(parameters('kind'), 'StorageV2')), equals(parameters('kind'), 'Storage'))]", - "supportsFileService": "[or(or(equals(parameters('kind'), 'FileStorage'), equals(parameters('kind'), 'StorageV2')), equals(parameters('kind'), 'Storage'))]", - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - 
"enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", - "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", - "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "cMKKeyVault::cMKKey": { - "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults/keys", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', 
last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", - "dependsOn": [ - "cMKKeyVault" - ] - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "cMKKeyVault": { - "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" - }, - "cMKUserAssignedIdentity": { - "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')))]", - "existing": true, - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2023-01-31", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" - }, - "storageAccount": { - "type": 
"Microsoft.Storage/storageAccounts", - "apiVersion": "2022-09-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "kind": "[parameters('kind')]", - "sku": { - "name": "[parameters('skuName')]" - }, - "identity": "[variables('identity')]", - "tags": "[parameters('tags')]", - "properties": { - "allowSharedKeyAccess": "[parameters('allowSharedKeyAccess')]", - "defaultToOAuthAuthentication": "[parameters('defaultToOAuthAuthentication')]", - "allowCrossTenantReplication": "[parameters('allowCrossTenantReplication')]", - "allowedCopyScope": "[if(not(empty(parameters('allowedCopyScope'))), parameters('allowedCopyScope'), null())]", - "customDomain": { - "name": "[parameters('customDomainName')]", - "useSubDomainName": "[parameters('customDomainUseSubDomainName')]" - }, - "dnsEndpointType": "[if(not(empty(parameters('dnsEndpointType'))), parameters('dnsEndpointType'), null())]", - "isLocalUserEnabled": "[parameters('isLocalUserEnabled')]", - "encryption": { - "keySource": "[if(not(empty(parameters('customerManagedKey'))), 'Microsoft.Keyvault', 'Microsoft.Storage')]", - "services": { - "blob": "[if(variables('supportsBlobService'), createObject('enabled', true()), null())]", - "file": "[if(variables('supportsFileService'), createObject('enabled', true()), null())]", - "table": { - "enabled": true - }, - "queue": { - "enabled": true - } - }, - "requireInfrastructureEncryption": "[if(not(equals(parameters('kind'), 'Storage')), parameters('requireInfrastructureEncryption'), null())]", - "keyvaultproperties": "[if(not(empty(parameters('customerManagedKey'))), createObject('keyname', parameters('customerManagedKey').keyName, 'keyvaulturi', reference('cMKKeyVault').vaultUri, 'keyversion', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), parameters('customerManagedKey').keyVersion, last(split(reference('cMKKeyVault::cMKKey').keyUriWithVersion, '/')))), null())]", - "identity": 
"[if(not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'))), createObject('userAssignedIdentity', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/')))), null())]" - }, - "accessTier": "[if(not(equals(parameters('kind'), 'Storage')), parameters('accessTier'), null())]", - "sasPolicy": "[if(not(empty(parameters('sasExpirationPeriod'))), createObject('expirationAction', 'Log', 'sasExpirationPeriod', parameters('sasExpirationPeriod')), null())]", - "supportsHttpsTrafficOnly": "[parameters('supportsHttpsTrafficOnly')]", - "isHnsEnabled": "[if(parameters('enableHierarchicalNamespace'), parameters('enableHierarchicalNamespace'), null())]", - "isSftpEnabled": "[parameters('enableSftp')]", - "isNfsV3Enabled": "[if(parameters('enableNfsV3'), parameters('enableNfsV3'), '')]", - "largeFileSharesState": "[if(or(equals(parameters('skuName'), 'Standard_LRS'), equals(parameters('skuName'), 'Standard_ZRS')), parameters('largeFileSharesState'), null())]", - "minimumTlsVersion": "[parameters('minimumTlsVersion')]", - "networkAcls": "[if(not(empty(parameters('networkAcls'))), createObject('bypass', if(contains(parameters('networkAcls'), 'bypass'), parameters('networkAcls').bypass, null()), 'defaultAction', if(contains(parameters('networkAcls'), 'defaultAction'), parameters('networkAcls').defaultAction, null()), 'virtualNetworkRules', if(contains(parameters('networkAcls'), 'virtualNetworkRules'), parameters('networkAcls').virtualNetworkRules, createArray()), 'ipRules', if(contains(parameters('networkAcls'), 'ipRules'), parameters('networkAcls').ipRules, 
createArray())), null())]", - "allowBlobPublicAccess": "[parameters('allowBlobPublicAccess')]", - "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), if(and(not(empty(parameters('privateEndpoints'))), empty(parameters('networkAcls'))), 'Disabled', null()))]", - "azureFilesIdentityBasedAuthentication": "[if(not(empty(parameters('azureFilesIdentityBasedAuthentication'))), parameters('azureFilesIdentityBasedAuthentication'), null())]" - }, - "dependsOn": [ - "cMKKeyVault", - "cMKUserAssignedIdentity" - ] - }, - "storageAccount_diagnosticSettings": { - "copy": { - "name": "storageAccount_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "storageAccount" - ] - }, - "storageAccount_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "storageAccount" - ] - }, - "storageAccount_roleAssignments": { - "copy": { - "name": "storageAccount_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Storage/storageAccounts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, 
'/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "storageAccount" - ] - }, - "storageAccount_privateEndpoints": { - "copy": { - "name": "storageAccount_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-storageAccount-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', 
last(split(resourceId('Microsoft.Storage/storageAccounts', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]" - }, - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": 
"[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "11154909986774213690" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. 
A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. 
The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. 
Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - 
"contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - "groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - 
"privateEndpoint_roleAssignments": { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": 
"[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "6129461321051281170" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "storageAccount" - ] - }, - "storageAccount_managementPolicies": { - "condition": "[not(empty(parameters('managementPolicyRules')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Storage-ManagementPolicies', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "storageAccountName": { - "value": "[parameters('name')]" - }, - "rules": { - "value": "[parameters('managementPolicyRules')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "17367295274678732206" - }, - "name": "Storage Account Management Policies", - "description": "This module deploys a Storage Account Management Policy.", - "owner": 
"Azure/module-maintainers" - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "rules": { - "type": "array", - "metadata": { - "description": "Required. The Storage Account ManagementPolicies Rules." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "condition": "[not(empty(parameters('rules')))]", - "type": "Microsoft.Storage/storageAccounts/managementPolicies", - "apiVersion": "2023-01-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), 'default')]", - "properties": { - "policy": { - "rules": "[parameters('rules')]" - } - } - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed management policy." - }, - "value": "default" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed management policy." - }, - "value": "default" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed management policy." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "storageAccount", - "storageAccount_blobServices" - ] - }, - "storageAccount_localUsers": { - "copy": { - "name": "storageAccount_localUsers", - "count": "[length(parameters('localUsers'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Storage-LocalUsers-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "storageAccountName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('localUsers')[copyIndex()].name]" - }, - "hasSshKey": { - "value": "[parameters('localUsers')[copyIndex()].hasSshKey]" - }, - "hasSshPassword": { - "value": "[parameters('localUsers')[copyIndex()].hasSshPassword]" - }, - "permissionScopes": { - "value": "[parameters('localUsers')[copyIndex()].permissionScopes]" - }, - "hasSharedKey": "[if(contains(parameters('localUsers')[copyIndex()], 'hasSharedKey'), createObject('value', parameters('localUsers')[copyIndex()].hasSharedKey), createObject('value', false()))]", - "homeDirectory": "[if(contains(parameters('localUsers')[copyIndex()], 'homeDirectory'), createObject('value', parameters('localUsers')[copyIndex()].homeDirectory), createObject('value', ''))]", - "sshAuthorizedKeys": "[if(contains(parameters('localUsers')[copyIndex()], 'sshAuthorizedKeys'), createObject('value', parameters('localUsers')[copyIndex()].sshAuthorizedKeys), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "9451599245128557073" - }, - 
"name": "Storage Account Local Users", - "description": "This module deploys a Storage Account Local User, which is used for SFTP authentication.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the local user used for SFTP Authentication." - } - }, - "hasSharedKey": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates whether shared key exists. Set it to false to remove existing shared key." - } - }, - "hasSshKey": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether SSH key exists. Set it to false to remove existing SSH key." - } - }, - "hasSshPassword": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether SSH password exists. Set it to false to remove existing SSH password." - } - }, - "homeDirectory": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The local user home directory." - } - }, - "permissionScopes": { - "type": "array", - "metadata": { - "description": "Required. The permission scopes of the local user." - } - }, - "sshAuthorizedKeys": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The local user SSH authorized keys for SFTP." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Storage/storageAccounts/localUsers", - "apiVersion": "2022-05-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), parameters('name'))]", - "properties": { - "hasSharedKey": "[parameters('hasSharedKey')]", - "hasSshKey": "[parameters('hasSshKey')]", - "hasSshPassword": "[parameters('hasSshPassword')]", - "homeDirectory": "[parameters('homeDirectory')]", - "permissionScopes": "[parameters('permissionScopes')]", - "sshAuthorizedKeys": "[if(not(empty(parameters('sshAuthorizedKeys'))), parameters('sshAuthorizedKeys'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed local user." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed local user." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed local user." 
- }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/localUsers', parameters('storageAccountName'), parameters('name'))]" - } - } - } - }, - "dependsOn": [ - "storageAccount" - ] - }, - "storageAccount_blobServices": { - "condition": "[not(empty(parameters('blobServices')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Storage-BlobServices', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "storageAccountName": { - "value": "[parameters('name')]" - }, - "containers": "[if(contains(parameters('blobServices'), 'containers'), createObject('value', parameters('blobServices').containers), createObject('value', createArray()))]", - "automaticSnapshotPolicyEnabled": "[if(contains(parameters('blobServices'), 'automaticSnapshotPolicyEnabled'), createObject('value', parameters('blobServices').automaticSnapshotPolicyEnabled), createObject('value', false()))]", - "changeFeedEnabled": "[if(contains(parameters('blobServices'), 'changeFeedEnabled'), createObject('value', parameters('blobServices').changeFeedEnabled), createObject('value', false()))]", - "changeFeedRetentionInDays": { - "value": "[tryGet(parameters('blobServices'), 'changeFeedRetentionInDays')]" - }, - "containerDeleteRetentionPolicyEnabled": "[if(contains(parameters('blobServices'), 'containerDeleteRetentionPolicyEnabled'), createObject('value', parameters('blobServices').containerDeleteRetentionPolicyEnabled), createObject('value', false()))]", - "containerDeleteRetentionPolicyDays": { - "value": "[tryGet(parameters('blobServices'), 'containerDeleteRetentionPolicyDays')]" - }, - "containerDeleteRetentionPolicyAllowPermanentDelete": "[if(contains(parameters('blobServices'), 'containerDeleteRetentionPolicyAllowPermanentDelete'), createObject('value', 
parameters('blobServices').containerDeleteRetentionPolicyAllowPermanentDelete), createObject('value', false()))]", - "corsRules": "[if(contains(parameters('blobServices'), 'corsRules'), createObject('value', parameters('blobServices').corsRules), createObject('value', createArray()))]", - "defaultServiceVersion": "[if(contains(parameters('blobServices'), 'defaultServiceVersion'), createObject('value', parameters('blobServices').defaultServiceVersion), createObject('value', ''))]", - "deleteRetentionPolicyAllowPermanentDelete": "[if(contains(parameters('blobServices'), 'deleteRetentionPolicyAllowPermanentDelete'), createObject('value', parameters('blobServices').deleteRetentionPolicyAllowPermanentDelete), createObject('value', false()))]", - "deleteRetentionPolicyEnabled": "[if(contains(parameters('blobServices'), 'deleteRetentionPolicyEnabled'), createObject('value', parameters('blobServices').deleteRetentionPolicyEnabled), createObject('value', false()))]", - "deleteRetentionPolicyDays": { - "value": "[tryGet(parameters('blobServices'), 'deleteRetentionPolicyDays')]" - }, - "isVersioningEnabled": "[if(contains(parameters('blobServices'), 'isVersioningEnabled'), createObject('value', parameters('blobServices').isVersioningEnabled), createObject('value', false()))]", - "lastAccessTimeTrackingPolicyEnabled": "[if(contains(parameters('blobServices'), 'lastAccessTimeTrackingPolicyEnabled'), createObject('value', parameters('blobServices').lastAccessTimeTrackingPolicyEnabled), createObject('value', false()))]", - "restorePolicyEnabled": "[if(contains(parameters('blobServices'), 'restorePolicyEnabled'), createObject('value', parameters('blobServices').restorePolicyEnabled), createObject('value', false()))]", - "restorePolicyDays": { - "value": "[tryGet(parameters('blobServices'), 'restorePolicyDays')]" - }, - "diagnosticSettings": { - "value": "[tryGet(parameters('blobServices'), 'diagnosticSettings')]" - }, - "enableDefaultTelemetry": { - "value": 
"[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "15895331301993414988" - }, - "name": "Storage Account blob Services", - "description": "This module deploys a Storage Account Blob Service.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. 
\"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." 
- } - } - } - }, - "nullable": true - } - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "automaticSnapshotPolicyEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Automatic Snapshot is enabled if set to true." - } - }, - "changeFeedEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. The blob service properties for change feed events. Indicates whether change feed event logging is enabled for the Blob service." - } - }, - "changeFeedRetentionInDays": { - "type": "int", - "nullable": true, - "minValue": 0, - "maxValue": 146000, - "metadata": { - "description": "Optional. Indicates whether change feed event logging is enabled for the Blob service. Indicates the duration of changeFeed retention in days. A \"0\" value indicates an infinite retention of the change feed." - } - }, - "containerDeleteRetentionPolicyEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. The blob service properties for container soft delete. Indicates whether DeleteRetentionPolicy is enabled." - } - }, - "containerDeleteRetentionPolicyDays": { - "type": "int", - "nullable": true, - "minValue": 1, - "maxValue": 365, - "metadata": { - "description": "Optional. Indicates the number of days that the deleted item should be retained." - } - }, - "containerDeleteRetentionPolicyAllowPermanentDelete": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. This property when set to true allows deletion of the soft deleted blob versions and snapshots. This property cannot be used with blob restore policy. This property only applies to blob service and does not apply to containers or file share." 
- } - }, - "corsRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specifies CORS rules for the Blob service. You can include up to five CorsRule elements in the request. If no CorsRule elements are included in the request body, all CORS rules will be deleted, and CORS will be disabled for the Blob service." - } - }, - "defaultServiceVersion": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Indicates the default version to use for requests to the Blob service if an incoming request's version is not specified. Possible values include version 2008-10-27 and all more recent versions." - } - }, - "deleteRetentionPolicyEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. The blob service properties for blob soft delete." - } - }, - "deleteRetentionPolicyDays": { - "type": "int", - "nullable": true, - "minValue": 1, - "maxValue": 365, - "metadata": { - "description": "Optional. Indicates the number of days that the deleted blob should be retained." - } - }, - "deleteRetentionPolicyAllowPermanentDelete": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. This property when set to true allows deletion of the soft deleted blob versions and snapshots. This property cannot be used with blob restore policy. This property only applies to blob service and does not apply to containers or file share." - } - }, - "isVersioningEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Use versioning to automatically maintain previous versions of your blobs." - } - }, - "lastAccessTimeTrackingPolicyEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. The blob service property to configure last access time based tracking policy. When set to true last access time based tracking is enabled." 
- } - }, - "restorePolicyEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. The blob service properties for blob restore policy. If point-in-time restore is enabled, then versioning, change feed, and blob soft delete must also be enabled." - } - }, - "restorePolicyDays": { - "type": "int", - "nullable": true, - "minValue": 1, - "metadata": { - "description": "Optional. How long this blob can be restored. It should be less than DeleteRetentionPolicy days." - } - }, - "containers": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Blob containers to create." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "name": "default", - "enableReferencedModulesTelemetry": false - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2022-09-01", - "name": "[parameters('storageAccountName')]" - }, - "blobServices": { - "type": "Microsoft.Storage/storageAccounts/blobServices", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), variables('name'))]", - "properties": { - 
"automaticSnapshotPolicyEnabled": "[parameters('automaticSnapshotPolicyEnabled')]", - "changeFeed": "[if(parameters('changeFeedEnabled'), createObject('enabled', true(), 'retentionInDays', parameters('changeFeedRetentionInDays')), null())]", - "containerDeleteRetentionPolicy": { - "enabled": "[parameters('containerDeleteRetentionPolicyEnabled')]", - "days": "[parameters('containerDeleteRetentionPolicyDays')]", - "allowPermanentDelete": "[if(equals(parameters('containerDeleteRetentionPolicyEnabled'), true()), parameters('containerDeleteRetentionPolicyAllowPermanentDelete'), null())]" - }, - "cors": { - "corsRules": "[parameters('corsRules')]" - }, - "defaultServiceVersion": "[if(not(empty(parameters('defaultServiceVersion'))), parameters('defaultServiceVersion'), null())]", - "deleteRetentionPolicy": { - "enabled": "[parameters('deleteRetentionPolicyEnabled')]", - "days": "[parameters('deleteRetentionPolicyDays')]", - "allowPermanentDelete": "[if(and(parameters('deleteRetentionPolicyEnabled'), parameters('deleteRetentionPolicyAllowPermanentDelete')), true(), null())]" - }, - "isVersioningEnabled": "[parameters('isVersioningEnabled')]", - "lastAccessTimeTrackingPolicy": { - "enable": "[parameters('lastAccessTimeTrackingPolicyEnabled')]", - "name": "[if(equals(parameters('lastAccessTimeTrackingPolicyEnabled'), true()), 'AccessTimeTracking', null())]", - "trackingGranularityInDays": "[if(equals(parameters('lastAccessTimeTrackingPolicyEnabled'), true()), 1, null())]" - }, - "restorePolicy": "[if(parameters('restorePolicyEnabled'), createObject('enabled', true(), 'days', parameters('restorePolicyDays')), null())]" - }, - "dependsOn": [ - "storageAccount" - ] - }, - "blobServices_diagnosticSettings": { - "copy": { - "name": "blobServices_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": 
"[format('Microsoft.Storage/storageAccounts/{0}/blobServices/{1}', parameters('storageAccountName'), variables('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', variables('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "blobServices" - ] - }, - "blobServices_container": { - "copy": { - "name": "blobServices_container", - "count": "[length(parameters('containers'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Container-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { 
- "storageAccountName": { - "value": "[parameters('storageAccountName')]" - }, - "name": { - "value": "[parameters('containers')[copyIndex()].name]" - }, - "defaultEncryptionScope": "[if(contains(parameters('containers')[copyIndex()], 'defaultEncryptionScope'), createObject('value', parameters('containers')[copyIndex()].defaultEncryptionScope), createObject('value', ''))]", - "denyEncryptionScopeOverride": "[if(contains(parameters('containers')[copyIndex()], 'denyEncryptionScopeOverride'), createObject('value', parameters('containers')[copyIndex()].denyEncryptionScopeOverride), createObject('value', false()))]", - "enableNfsV3AllSquash": "[if(contains(parameters('containers')[copyIndex()], 'enableNfsV3AllSquash'), createObject('value', parameters('containers')[copyIndex()].enableNfsV3AllSquash), createObject('value', false()))]", - "enableNfsV3RootSquash": "[if(contains(parameters('containers')[copyIndex()], 'enableNfsV3RootSquash'), createObject('value', parameters('containers')[copyIndex()].enableNfsV3RootSquash), createObject('value', false()))]", - "immutableStorageWithVersioningEnabled": "[if(contains(parameters('containers')[copyIndex()], 'immutableStorageWithVersioningEnabled'), createObject('value', parameters('containers')[copyIndex()].immutableStorageWithVersioningEnabled), createObject('value', false()))]", - "metadata": "[if(contains(parameters('containers')[copyIndex()], 'metadata'), createObject('value', parameters('containers')[copyIndex()].metadata), createObject('value', createObject()))]", - "publicAccess": "[if(contains(parameters('containers')[copyIndex()], 'publicAccess'), createObject('value', parameters('containers')[copyIndex()].publicAccess), createObject('value', 'None'))]", - "roleAssignments": "[if(contains(parameters('containers')[copyIndex()], 'roleAssignments'), createObject('value', parameters('containers')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "immutabilityPolicyProperties": 
"[if(contains(parameters('containers')[copyIndex()], 'immutabilityPolicyProperties'), createObject('value', parameters('containers')[copyIndex()].immutabilityPolicyProperties), createObject('value', createObject()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "12877248389226548296" - }, - "name": "Storage Account Blob Containers", - "description": "This module deploys a Storage Account Blob Container.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the storage container to deploy." - } - }, - "defaultEncryptionScope": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Default the container to use specified encryption scope for all writes." - } - }, - "denyEncryptionScopeOverride": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Block override of encryption scope from the container default." - } - }, - "enableNfsV3AllSquash": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enable NFSv3 all squash on blob container." - } - }, - "enableNfsV3RootSquash": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enable NFSv3 root squash on blob container." - } - }, - "immutableStorageWithVersioningEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. This is an immutable property, when set to true it enables object level immutability at the container level. 
The property is immutable and can only be set to true at the container creation time. Existing containers must undergo a migration process." - } - }, - "immutabilityPolicyName": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. Name of the immutable policy." - } - }, - "immutabilityPolicyProperties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Configure immutability policy." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. A name-value pair to associate with the container as metadata." - } - }, - "publicAccess": { - "type": "string", - "defaultValue": "None", - "allowedValues": [ - "Container", - "Blob", - "None" - ], - "metadata": { - "description": "Optional. Specifies whether data in the container may be accessed publicly and the level of access." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", - "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", - "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "storageAccount::blobServices": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts/blobServices", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), 'default')]", - "dependsOn": [ - "storageAccount" - ] - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2022-09-01", - "name": "[parameters('storageAccountName')]" - }, - "container": { - "type": "Microsoft.Storage/storageAccounts/blobServices/containers", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", - "properties": { - "defaultEncryptionScope": "[if(not(empty(parameters('defaultEncryptionScope'))), parameters('defaultEncryptionScope'), null())]", - "denyEncryptionScopeOverride": "[if(equals(parameters('denyEncryptionScopeOverride'), true()), parameters('denyEncryptionScopeOverride'), null())]", - "enableNfsV3AllSquash": "[if(equals(parameters('enableNfsV3AllSquash'), true()), parameters('enableNfsV3AllSquash'), null())]", - "enableNfsV3RootSquash": "[if(equals(parameters('enableNfsV3RootSquash'), true()), parameters('enableNfsV3RootSquash'), null())]", - "immutableStorageWithVersioning": "[if(equals(parameters('immutableStorageWithVersioningEnabled'), true()), createObject('enabled', parameters('immutableStorageWithVersioningEnabled')), null())]", - "metadata": "[parameters('metadata')]", - "publicAccess": "[parameters('publicAccess')]" - }, - "dependsOn": [ - "storageAccount::blobServices" - ] - }, - "container_roleAssignments": { - "copy": { - "name": "container_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}/blobServices/{1}/containers/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('storageAccountName'), 'default', 
parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "container" - ] - }, - "immutabilityPolicy": { - "condition": "[not(empty(parameters('immutabilityPolicyProperties')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": 
"[parameters('immutabilityPolicyName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "storageAccountName": { - "value": "[parameters('storageAccountName')]" - }, - "containerName": { - "value": "[parameters('name')]" - }, - "immutabilityPeriodSinceCreationInDays": "[if(contains(parameters('immutabilityPolicyProperties'), 'immutabilityPeriodSinceCreationInDays'), createObject('value', parameters('immutabilityPolicyProperties').immutabilityPeriodSinceCreationInDays), createObject('value', 365))]", - "allowProtectedAppendWrites": "[if(contains(parameters('immutabilityPolicyProperties'), 'allowProtectedAppendWrites'), createObject('value', parameters('immutabilityPolicyProperties').allowProtectedAppendWrites), createObject('value', true()))]", - "allowProtectedAppendWritesAll": "[if(contains(parameters('immutabilityPolicyProperties'), 'allowProtectedAppendWritesAll'), createObject('value', parameters('immutabilityPolicyProperties').allowProtectedAppendWritesAll), createObject('value', true()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "4658218767079659572" - }, - "name": "Storage Account Blob Container Immutability Policies", - "description": "This module deploys a Storage Account Blob Container Immutability Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "containerName": { - "type": "string", - "metadata": { - "description": "Conditional. 
The name of the parent container to apply the policy to. Required if the template is used in a standalone deployment." - } - }, - "immutabilityPeriodSinceCreationInDays": { - "type": "int", - "defaultValue": 365, - "metadata": { - "description": "Optional. The immutability period for the blobs in the container since the policy creation, in days." - } - }, - "allowProtectedAppendWrites": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. This property can only be changed for unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. This property cannot be changed with ExtendImmutabilityPolicy API." - } - }, - "allowProtectedAppendWritesAll": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. This property can only be changed for unlocked time-based retention policies. When enabled, new blocks can be written to both \"Append and Block Blobs\" while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. This property cannot be changed with ExtendImmutabilityPolicy API. The \"allowProtectedAppendWrites\" and \"allowProtectedAppendWritesAll\" properties are mutually exclusive." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}/{2}/{3}', parameters('storageAccountName'), 'default', parameters('containerName'), 'default')]", - "properties": { - "immutabilityPeriodSinceCreationInDays": "[parameters('immutabilityPeriodSinceCreationInDays')]", - "allowProtectedAppendWrites": "[parameters('allowProtectedAppendWrites')]", - "allowProtectedAppendWritesAll": "[parameters('allowProtectedAppendWritesAll')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed immutability policy." - }, - "value": "default" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed immutability policy." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies', parameters('storageAccountName'), 'default', parameters('containerName'), 'default')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed immutability policy." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "container", - "storageAccount" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed container." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed container." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('storageAccountName'), 'default', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed container." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "storageAccount" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed blob service." - }, - "value": "[variables('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed blob service." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('storageAccountName'), variables('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the deployed blob service." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "storageAccount" - ] - }, - "storageAccount_fileServices": { - "condition": "[not(empty(parameters('fileServices')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Storage-FileServices', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "storageAccountName": { - "value": "[parameters('name')]" - }, - "diagnosticSettings": { - "value": "[tryGet(parameters('blobServices'), 'diagnosticSettings')]" - }, - "protocolSettings": "[if(contains(parameters('fileServices'), 'protocolSettings'), createObject('value', parameters('fileServices').protocolSettings), createObject('value', createObject()))]", - "shareDeleteRetentionPolicy": "[if(contains(parameters('fileServices'), 'shareDeleteRetentionPolicy'), createObject('value', parameters('fileServices').shareDeleteRetentionPolicy), createObject('value', createObject('enabled', true(), 'days', 7)))]", - "shares": "[if(contains(parameters('fileServices'), 'shares'), createObject('value', parameters('fileServices').shares), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "5919540891902254282" - }, - "name": "Storage Account File Share Services", - "description": "This module deploys a Storage Account File Share Service.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - 
"nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the file service." - } - }, - "protocolSettings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Protocol settings for file service." 
- } - }, - "shareDeleteRetentionPolicy": { - "type": "object", - "defaultValue": { - "enabled": true, - "days": 7 - }, - "metadata": { - "description": "Optional. The service properties for soft delete." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "shares": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. File shares to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2021-09-01", - "name": "[parameters('storageAccountName')]" - }, - "fileServices": { - "type": "Microsoft.Storage/storageAccounts/fileServices", - "apiVersion": "2021-09-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), parameters('name'))]", - "properties": { - "protocolSettings": "[parameters('protocolSettings')]", - "shareDeleteRetentionPolicy": "[parameters('shareDeleteRetentionPolicy')]" - }, - "dependsOn": [ - "storageAccount" - ] - }, - "fileServices_diagnosticSettings": { - "copy": { - "name": "fileServices_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), 
createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}/fileServices/{1}', parameters('storageAccountName'), parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "fileServices" - ] - }, - "fileServices_shares": { - "copy": { - "name": "fileServices_shares", - "count": "[length(parameters('shares'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-shares-{1}', deployment().name, copyIndex())]", - 
"properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "storageAccountName": { - "value": "[parameters('storageAccountName')]" - }, - "fileServicesName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('shares')[copyIndex()].name]" - }, - "accessTier": "[if(contains(parameters('shares')[copyIndex()], 'accessTier'), createObject('value', parameters('shares')[copyIndex()].accessTier), if(equals(reference('storageAccount', '2021-09-01', 'full').kind, 'FileStorage'), createObject('value', 'Premium'), createObject('value', 'TransactionOptimized')))]", - "enabledProtocols": "[if(contains(parameters('shares')[copyIndex()], 'enabledProtocols'), createObject('value', parameters('shares')[copyIndex()].enabledProtocols), createObject('value', 'SMB'))]", - "rootSquash": "[if(contains(parameters('shares')[copyIndex()], 'rootSquash'), createObject('value', parameters('shares')[copyIndex()].rootSquash), createObject('value', 'NoRootSquash'))]", - "shareQuota": "[if(contains(parameters('shares')[copyIndex()], 'shareQuota'), createObject('value', parameters('shares')[copyIndex()].shareQuota), createObject('value', 5120))]", - "roleAssignments": "[if(contains(parameters('shares')[copyIndex()], 'roleAssignments'), createObject('value', parameters('shares')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "3643709768620634256" - }, - "name": "Storage Account File Shares", - "description": "This module deploys a Storage Account File Share.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - 
"roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. 
Required if the template is used in a standalone deployment." - } - }, - "fileServicesName": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Conditional. The name of the parent file service. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the file share to create." - } - }, - "accessTier": { - "type": "string", - "defaultValue": "TransactionOptimized", - "allowedValues": [ - "Premium", - "Hot", - "Cool", - "TransactionOptimized" - ], - "metadata": { - "description": "Conditional. Access tier for specific share. Required if the Storage Account kind is set to FileStorage (should be set to \"Premium\"). GpV2 account can choose between TransactionOptimized (default), Hot, and Cool." - } - }, - "shareQuota": { - "type": "int", - "defaultValue": 5120, - "metadata": { - "description": "Optional. The maximum size of the share, in gigabytes. Must be greater than 0, and less than or equal to 5120 (5TB). For Large File Shares, the maximum size is 102400 (100TB)." - } - }, - "enabledProtocols": { - "type": "string", - "defaultValue": "SMB", - "allowedValues": [ - "NFS", - "SMB" - ], - "metadata": { - "description": "Optional. The authentication protocol that is used for the file share. Can only be specified when creating a share." - } - }, - "rootSquash": { - "type": "string", - "defaultValue": "NoRootSquash", - "allowedValues": [ - "AllSquash", - "NoRootSquash", - "RootSquash" - ], - "metadata": { - "description": "Optional. Permissions for NFS file shares are enforced by the client OS rather than the Azure Files service. Toggling the root squash behavior reduces the rights of the root user for NFS shares." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": { - "storageAccount::fileService": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts/fileServices", - "apiVersion": "2021-09-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), parameters('fileServicesName'))]", - "dependsOn": [ - "storageAccount" - ] - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2021-09-01", - "name": "[parameters('storageAccountName')]" - }, - "fileShare": { - "type": "Microsoft.Storage/storageAccounts/fileServices/shares", - "apiVersion": "2023-01-01", - "name": "[format('{0}/{1}/{2}', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]", - "properties": { - "accessTier": "[parameters('accessTier')]", - "shareQuota": "[parameters('shareQuota')]", - "rootSquash": "[if(equals(parameters('enabledProtocols'), 'NFS'), parameters('rootSquash'), null())]", - "enabledProtocols": "[parameters('enabledProtocols')]" - }, - "dependsOn": [ - "storageAccount::fileService" - ] - }, - "fileShare_roleAssignments": { - "condition": "[not(empty(parameters('roleAssignments')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Share-Rbac', uniqueString(deployment().name))]", - "properties": { - 
"expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "fileShareResourceId": { - "value": "[resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]" - }, - "roleAssignments": { - "value": "[parameters('roleAssignments')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "12925188407376905475" - } - }, - "parameters": { - "roleAssignments": { - "type": "array", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "fileShareResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource id of the file share to assign the roles to." - } - } - }, - "variables": { - "$fxv#0": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "scope": { - "type": "string", - "metadata": { - "description": "Required. The scope to deploy the role assignment to." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the role assignment." - } - }, - "roleDefinitionId": { - "type": "string", - "metadata": { - "description": "Required. The role definition Id to assign." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User", - "" - ], - "defaultValue": "", - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." 
- } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "defaultValue": "2.0", - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[[parameters('scope')]", - "name": "[[parameters('name')]", - "properties": { - "roleDefinitionId": "[[parameters('roleDefinitionId')]", - "principalId": "[[parameters('principalId')]", - "description": "[[parameters('description')]", - "principalType": "[[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - }, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", - "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", - "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "fileShare_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('{0}-Share-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "Outer" - }, - "template": "[variables('$fxv#0')]", - "parameters": { - "scope": { - "value": "[replace(parameters('fileShareResourceId'), '/shares/', '/fileShares/')]" - }, - "name": { - "value": "[guid(parameters('fileShareResourceId'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, 'tyfa')]" - }, - "roleDefinitionId": { - "value": "[if(contains(variables('builtInRoleNames'), 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]" - }, - "principalId": { - "value": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]" - }, - "principalType": { - "value": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]" - }, - "description": { - "value": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]" - }, - "condition": { - "value": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]" - }, - "conditionVersion": { - "value": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]" - }, - "delegatedManagedIdentityResourceId": { - "value": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - } - } - } - } - ] - } - }, - "dependsOn": [ - "fileShare" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed file share." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed file share." 
- }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed file share." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "fileServices", - "storageAccount" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed file share service." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed file share service." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/fileServices', parameters('storageAccountName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed file share service." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "storageAccount" - ] - }, - "storageAccount_queueServices": { - "condition": "[not(empty(parameters('queueServices')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Storage-QueueServices', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "storageAccountName": { - "value": "[parameters('name')]" - }, - "diagnosticSettings": { - "value": "[tryGet(parameters('blobServices'), 'diagnosticSettings')]" - }, - "queues": "[if(contains(parameters('queueServices'), 'queues'), createObject('value', parameters('queueServices').queues), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "488727166620230076" - }, - "name": "Storage Account Queue Services", - "description": "This module deploys a Storage Account Queue Service.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." 
- } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." 
- } - } - } - }, - "nullable": true - } - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "queues": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Queues to create." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "name": "default", - "enableReferencedModulesTelemetry": false - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2021-09-01", - "name": "[parameters('storageAccountName')]" - }, - "queueServices": { - "type": "Microsoft.Storage/storageAccounts/queueServices", - "apiVersion": "2021-09-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), variables('name'))]", - "properties": {}, - "dependsOn": [ - "storageAccount" - ] - }, - "queueServices_diagnosticSettings": { - "copy": { - "name": "queueServices_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": 
"Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}/queueServices/{1}', parameters('storageAccountName'), variables('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', variables('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "queueServices" - ] - }, - "queueServices_queues": { - "copy": { - "name": "queueServices_queues", - "count": "[length(parameters('queues'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Queue-{1}', deployment().name, copyIndex())]", - "properties": { - 
"expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "storageAccountName": { - "value": "[parameters('storageAccountName')]" - }, - "name": { - "value": "[parameters('queues')[copyIndex()].name]" - }, - "metadata": "[if(contains(parameters('queues')[copyIndex()], 'metadata'), createObject('value', parameters('queues')[copyIndex()].metadata), createObject('value', createObject()))]", - "roleAssignments": "[if(contains(parameters('queues')[copyIndex()], 'roleAssignments'), createObject('value', parameters('queues')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "100286929116341954" - }, - "name": "Storage Account Queues", - "description": "This module deploys a Storage Account Queue.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the storage queue to deploy." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Required. A name-value pair that represents queue metadata." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. 
Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share 
Elevated Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", - "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", - "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "storageAccount::queueServices": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts/queueServices", - "apiVersion": "2021-09-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), 'default')]", - "dependsOn": [ - "storageAccount" - ] - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2021-09-01", - "name": "[parameters('storageAccountName')]" - }, - "queue": { - "type": "Microsoft.Storage/storageAccounts/queueServices/queues", - "apiVersion": "2021-09-01", - "name": "[format('{0}/{1}/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]" - }, - "dependsOn": [ - "storageAccount::queueServices" - ] - }, - "queue_roleAssignments": { - "copy": { - "name": "queue_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}/queueServices/{1}/queues/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/queueServices/queues', parameters('storageAccountName'), 'default', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "queue" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed queue." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed queue." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/queueServices/queues', parameters('storageAccountName'), 'default', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed queue." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "storageAccount" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed file share service." - }, - "value": "[variables('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed file share service." 
- }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/queueServices', parameters('storageAccountName'), variables('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed file share service." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "storageAccount" - ] - }, - "storageAccount_tableServices": { - "condition": "[not(empty(parameters('tableServices')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Storage-TableServices', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "storageAccountName": { - "value": "[parameters('name')]" - }, - "diagnosticSettings": { - "value": "[tryGet(parameters('blobServices'), 'diagnosticSettings')]" - }, - "tables": "[if(contains(parameters('tableServices'), 'tables'), createObject('value', parameters('tableServices').tables), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "4899998340898025880" - }, - "name": "Storage Account Table Services", - "description": "This module deploys a Storage Account Table Service.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." 
- } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." 
- } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "tables": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. tables to create." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "name": "default", - "enableReferencedModulesTelemetry": false - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2021-09-01", - "name": "[parameters('storageAccountName')]" - }, - "tableServices": { - "type": "Microsoft.Storage/storageAccounts/tableServices", - "apiVersion": "2021-09-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), variables('name'))]", - "properties": {}, - "dependsOn": [ - "storageAccount" - ] - }, - "tableServices_diagnosticSettings": { - "copy": { - "name": "tableServices_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}/tableServices/{1}', parameters('storageAccountName'), variables('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', variables('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "tableServices" - ] - }, - "tableServices_tables": { - "copy": { - "name": "tableServices_tables", - "count": "[length(parameters('tables'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Table-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('tables')[copyIndex()]]" - }, - "storageAccountName": { - "value": "[parameters('storageAccountName')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "12296091632007980628" - }, - "name": "Storage Account Table", - "description": "This module deploys a Storage Account Table.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - 
"storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the table." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Storage/storageAccounts/tableServices/tables", - "apiVersion": "2021-09-01", - "name": "[format('{0}/{1}/{2}', parameters('storageAccountName'), 'default', parameters('name'))]" - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed file share service." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed file share service." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/tableServices/tables', parameters('storageAccountName'), 'default', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed file share service." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "storageAccount" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed table service." - }, - "value": "[variables('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed table service." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/tableServices', parameters('storageAccountName'), variables('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed table service." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "storageAccount" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed storage account." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed storage account." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed storage account." - }, - "value": "[resourceGroup().name]" - }, - "primaryBlobEndpoint": { - "type": "string", - "metadata": { - "description": "The primary blob endpoint reference if blob services are deployed." - }, - "value": "[if(and(not(empty(parameters('blobServices'))), contains(parameters('blobServices'), 'containers')), reference(format('Microsoft.Storage/storageAccounts/{0}', parameters('name')), '2019-04-01').primaryEndpoints.blob, '')]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." 
- }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('storageAccount', '2022-09-01', 'full').identity, 'principalId')), reference('storageAccount', '2022-09-01', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('storageAccount', '2022-09-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/storage/storage-account/management-policy/README.md b/modules/storage/storage-account/management-policy/README.md deleted file mode 100644 index 1a8c25c5d1..0000000000 --- a/modules/storage/storage-account/management-policy/README.md +++ /dev/null 
@@ -1,71 +0,0 @@ -# Storage Account Management Policies `[Microsoft.Storage/storageAccounts/managementPolicies]` - -This module deploys a Storage Account Management Policy. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Storage/storageAccounts/managementPolicies` | [2023-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/storageAccounts/managementPolicies) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`rules`](#parameter-rules) | array | The Storage Account ManagementPolicies Rules. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`storageAccountName`](#parameter-storageaccountname) | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | - -### Parameter: `rules` - -The Storage Account ManagementPolicies Rules. - -- Required: Yes -- Type: array - -### Parameter: `storageAccountName` - -The name of the parent Storage Account. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed management policy. | -| `resourceGroupName` | string | The resource group of the deployed management policy. 
| -| `resourceId` | string | The resource ID of the deployed management policy. | - -## Cross-referenced modules - -_None_ diff --git a/modules/storage/storage-account/management-policy/main.bicep b/modules/storage/storage-account/management-policy/main.bicep deleted file mode 100644 index de6c694754..0000000000 --- a/modules/storage/storage-account/management-policy/main.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-metadata name = 'Storage Account Management Policies'
-metadata description = 'This module deploys a Storage Account Management Policy.'
-metadata owner = 'Azure/module-maintainers'
-
-@maxLength(24)
-@description('Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment.')
-param storageAccountName string
-
-@description('Required. The Storage Account ManagementPolicies Rules.')
-param rules array
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
- name: storageAccountName
-}
-
-// lifecycle policy
-resource managementPolicy 'Microsoft.Storage/storageAccounts/managementPolicies@2023-01-01' = if (!empty(rules)) {
- name: 'default'
- parent: storageAccount
- properties: {
- policy: {
- rules: rules
- }
- }
-}
-
-@description('The resource ID of the deployed management policy.')
-output resourceId string = managementPolicy.name
-
-@description('The name of the deployed management policy.')
-output name string = managementPolicy.name
-
-@description('The resource group of the deployed management policy.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/storage/storage-account/management-policy/main.json b/modules/storage/storage-account/management-policy/main.json
deleted file mode 100644
index e14e0b5a9e..0000000000
--- a/modules/storage/storage-account/management-policy/main.json
+++ /dev/null
@@ -1,86 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "17367295274678732206" - }, - "name": "Storage Account Management Policies", - "description": "This module deploys a Storage Account Management Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "rules": { - "type": "array", - "metadata": { - "description": "Required. The Storage Account ManagementPolicies Rules." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "condition": "[not(empty(parameters('rules')))]", - "type": "Microsoft.Storage/storageAccounts/managementPolicies", - "apiVersion": "2023-01-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), 'default')]", - "properties": { - "policy": { - "rules": "[parameters('rules')]" - } - } - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed management policy." 
- }, - "value": "default" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed management policy." - }, - "value": "default" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed management policy." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/storage/storage-account/management-policy/version.json b/modules/storage/storage-account/management-policy/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/storage/storage-account/management-policy/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/storage/storage-account/queue-service/README.md b/modules/storage/storage-account/queue-service/README.md deleted file mode 100644 index 7971dff96e..0000000000 --- a/modules/storage/storage-account/queue-service/README.md +++ /dev/null 
@@ -1,162 +0,0 @@ -# Storage Account Queue Services `[Microsoft.Storage/storageAccounts/queueServices]` - -This module deploys a Storage Account Queue Service. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Storage/storageAccounts/queueServices` | [2021-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-09-01/storageAccounts/queueServices) | -| `Microsoft.Storage/storageAccounts/queueServices/queues` | [2021-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-09-01/storageAccounts/queueServices/queues) | - -## Parameters - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`storageAccountName`](#parameter-storageaccountname) | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`queues`](#parameter-queues) | array | Queues to create. | - -### Parameter: `storageAccountName` - -The name of the parent Storage Account. Required if the template is used in a standalone deployment. 
- -- Required: Yes -- Type: string - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. 
| -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
- -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `queues` - -Queues to create. - -- Required: No -- Type: array -- Default: `[]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed file share service. | -| `resourceGroupName` | string | The resource group of the deployed file share service. | -| `resourceId` | string | The resource ID of the deployed file share service. | - -## Cross-referenced modules - -_None_ diff --git a/modules/storage/storage-account/queue-service/main.bicep b/modules/storage/storage-account/queue-service/main.bicep deleted file mode 100644 index 6bd363d8fb..0000000000 --- a/modules/storage/storage-account/queue-service/main.bicep +++ /dev/null 
@@ -1,130 +0,0 @@ -metadata name = 'Storage Account Queue Services' -metadata description = 'This module deploys a Storage Account Queue Service.' -metadata owner = 'Azure/module-maintainers' - -@maxLength(24) -@description('Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment.') -param storageAccountName string - -@description('Optional. Queues to create.') -param queues array = [] - -@description('Optional. The diagnostic settings of the service.') -param diagnosticSettings diagnosticSettingType - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -// The name of the blob services -var name = 'default' - -var enableReferencedModulesTelemetry = false - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' existing = { - name: storageAccountName -} - -resource queueServices 'Microsoft.Storage/storageAccounts/queueServices@2021-09-01' = { - name: name - parent: storageAccount - properties: {} -} - -resource queueServices_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { - name: diagnosticSetting.?name ?? 
'${name}-diagnosticSettings' - properties: { - storageAccountId: diagnosticSetting.?storageAccountResourceId - workspaceId: diagnosticSetting.?workspaceResourceId - eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId - eventHubName: diagnosticSetting.?eventHubName - metrics: diagnosticSetting.?metricCategories ?? [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - } - ] - logs: diagnosticSetting.?logCategoriesAndGroups ?? [ - { - categoryGroup: 'AllLogs' - enabled: true - } - ] - marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId - logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType - } - scope: queueServices -}] - -module queueServices_queues 'queue/main.bicep' = [for (queue, index) in queues: { - name: '${deployment().name}-Queue-${index}' - params: { - storageAccountName: storageAccount.name - name: queue.name - metadata: contains(queue, 'metadata') ? queue.metadata : {} - roleAssignments: contains(queue, 'roleAssignments') ? queue.roleAssignments : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -@description('The name of the deployed file share service.') -output name string = queueServices.name - -@description('The resource ID of the deployed file share service.') -output resourceId string = queueServices.id - -@description('The resource group of the deployed file share service.') -output resourceGroupName string = resourceGroup().name -// =============== // -// Definitions // -// =============== // - -type diagnosticSettingType = { - @description('Optional. The name of diagnostic setting.') - name: string? - - @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') - logCategoriesAndGroups: { - @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. 
Set the specific logs to collect here.') - category: string? - - @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') - categoryGroup: string? - }[]? - - @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') - metricCategories: { - @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') - category: string - }[]? - - @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? - - @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - workspaceResourceId: string? - - @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - storageAccountResourceId: string? - - @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') - eventHubAuthorizationRuleResourceId: string? - - @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - eventHubName: string? - - @description('Optional. 
The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') - marketplacePartnerResourceId: string? -}[]? diff --git a/modules/storage/storage-account/queue-service/main.json b/modules/storage/storage-account/queue-service/main.json deleted file mode 100644 index 5c2212b540..0000000000 --- a/modules/storage/storage-account/queue-service/main.json +++ /dev/null 
@@ -1,495 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "488727166620230076" - }, - "name": "Storage Account Queue Services", - "description": "This module deploys a Storage Account Queue Service.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. 
Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." 
- } - } - } - }, - "nullable": true - } - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "queues": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Queues to create." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "name": "default", - "enableReferencedModulesTelemetry": false - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2021-09-01", - "name": "[parameters('storageAccountName')]" - }, - "queueServices": { - "type": "Microsoft.Storage/storageAccounts/queueServices", - "apiVersion": "2021-09-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), variables('name'))]", - "properties": {}, - "dependsOn": [ - "storageAccount" - ] - }, - "queueServices_diagnosticSettings": { - "copy": { - "name": "queueServices_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": 
"Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}/queueServices/{1}', parameters('storageAccountName'), variables('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', variables('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "queueServices" - ] - }, - "queueServices_queues": { - "copy": { - "name": "queueServices_queues", - "count": "[length(parameters('queues'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Queue-{1}', deployment().name, copyIndex())]", - "properties": { - 
"expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "storageAccountName": { - "value": "[parameters('storageAccountName')]" - }, - "name": { - "value": "[parameters('queues')[copyIndex()].name]" - }, - "metadata": "[if(contains(parameters('queues')[copyIndex()], 'metadata'), createObject('value', parameters('queues')[copyIndex()].metadata), createObject('value', createObject()))]", - "roleAssignments": "[if(contains(parameters('queues')[copyIndex()], 'roleAssignments'), createObject('value', parameters('queues')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "100286929116341954" - }, - "name": "Storage Account Queues", - "description": "This module deploys a Storage Account Queue.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the storage queue to deploy." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Required. A name-value pair that represents queue metadata." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. 
Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share 
Elevated Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", - "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", - "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "storageAccount::queueServices": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts/queueServices", - "apiVersion": "2021-09-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), 'default')]", - "dependsOn": [ - "storageAccount" - ] - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2021-09-01", - "name": "[parameters('storageAccountName')]" - }, - "queue": { - "type": "Microsoft.Storage/storageAccounts/queueServices/queues", - "apiVersion": "2021-09-01", - "name": "[format('{0}/{1}/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]" - }, - "dependsOn": [ - "storageAccount::queueServices" - ] - }, - "queue_roleAssignments": { - "copy": { - "name": "queue_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}/queueServices/{1}/queues/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/queueServices/queues', parameters('storageAccountName'), 'default', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "queue" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed queue." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed queue." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/queueServices/queues', parameters('storageAccountName'), 'default', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed queue." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "storageAccount" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed file share service." - }, - "value": "[variables('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed file share service." 
- }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/queueServices', parameters('storageAccountName'), variables('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed file share service." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file
diff --git a/modules/storage/storage-account/queue-service/queue/README.md b/modules/storage/storage-account/queue-service/queue/README.md
deleted file mode 100644
index 2d25dd1845..0000000000
--- a/modules/storage/storage-account/queue-service/queue/README.md
+++ /dev/null
@@ -1,171 +0,0 @@
-# Storage Account Queues `[Microsoft.Storage/storageAccounts/queueServices/queues]`
-
-This module deploys a Storage Account Queue.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
-| `Microsoft.Storage/storageAccounts/queueServices/queues` | [2021-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-09-01/storageAccounts/queueServices/queues) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`metadata`](#parameter-metadata) | object | A name-value pair that represents queue metadata. |
-| [`name`](#parameter-name) | string | The name of the storage queue to deploy. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`storageAccountName`](#parameter-storageaccountname) | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
-
-### Parameter: `metadata`
-
-A name-value pair that represents queue metadata.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `name`
-
-The name of the storage queue to deploy.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `storageAccountName`
-
-The name of the parent Storage Account. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `roleAssignments`
-
-Array of role assignments to create.
-
-- Required: No
-- Type: array
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
-| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. |
-| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. |
-| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. |
-| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. |
-
-### Parameter: `roleAssignments.principalId`
-
-The principal ID of the principal (user/group/identity) to assign the role to.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.roleDefinitionIdOrName`
-
-The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `roleAssignments.condition`
-
-The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.conditionVersion`
-
-Version of the condition.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- '2.0'
- ]
- ```
-
-### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
-
-The Resource Id of the delegated managed identity resource.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.description`
-
-The description of the role assignment.
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.principalType`
-
-The principal type of the assigned principal ID.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Device'
- 'ForeignGroup'
- 'Group'
- 'ServicePrincipal'
- 'User'
- ]
- ```
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed queue. |
-| `resourceGroupName` | string | The resource group of the deployed queue. |
-| `resourceId` | string | The resource ID of the deployed queue. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/storage/storage-account/queue-service/queue/main.bicep b/modules/storage/storage-account/queue-service/queue/main.bicep
deleted file mode 100644
index 8394d222c7..0000000000
--- a/modules/storage/storage-account/queue-service/queue/main.bicep
+++ /dev/null
@@ -1,121 +0,0 @@
-metadata name = 'Storage Account Queues'
-metadata description = 'This module deploys a Storage Account Queue.'
-metadata owner = 'Azure/module-maintainers'
-
-@maxLength(24)
-@description('Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment.')
-param storageAccountName string
-
-@description('Required. The name of the storage queue to deploy.')
-param name string
-
-@description('Required. A name-value pair that represents queue metadata.')
-param metadata object = {}
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Reader and Data Access': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'Storage Account Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')
- 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')
- 'Storage Account Key Operator Service Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')
- 'Storage Blob Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
- 'Storage Blob Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')
- 'Storage Blob Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')
- 'Storage Blob Delegator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')
- 'Storage File Data SMB Share Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')
- 'Storage File Data SMB Share Elevated Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')
- 'Storage File Data SMB Share Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')
- 'Storage Queue Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')
- 'Storage Queue Data Message Processor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')
- 'Storage Queue Data Message Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')
- 'Storage Queue Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')
- 'Storage Table Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')
- 'Storage Table Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' existing = {
- name: storageAccountName
-
- resource queueServices 'queueServices@2021-09-01' existing = {
- name: 'default'
- }
-}
-
-resource queue 'Microsoft.Storage/storageAccounts/queueServices/queues@2021-09-01' = {
- name: name
- parent: storageAccount::queueServices
- properties: {
- metadata: metadata
- }
-}
-
-resource queue_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(queue.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: queue
-}]
-
-@description('The name of the deployed queue.')
-output name string = queue.name
-
-@description('The resource ID of the deployed queue.')
-output resourceId string = queue.id
-
-@description('The resource group of the deployed queue.')
-output resourceGroupName string = resourceGroup().name
-// =============== //
-// Definitions //
-// =============== //
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/storage/storage-account/queue-service/queue/main.json b/modules/storage/storage-account/queue-service/queue/main.json
deleted file mode 100644
index 908d9584b7..0000000000
--- a/modules/storage/storage-account/queue-service/queue/main.json
+++ /dev/null
@@ -1,231 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "100286929116341954" - }, - "name": "Storage Account Queues", - "description": "This module deploys a Storage Account Queue.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. 
Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the storage queue to deploy." - } - }, - "metadata": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Required. A name-value pair that represents queue metadata." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", - "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", - "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "storageAccount::queueServices": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts/queueServices", - "apiVersion": "2021-09-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), 'default')]", - "dependsOn": [ - "storageAccount" - ] - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - 
"contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2021-09-01", - "name": "[parameters('storageAccountName')]" - }, - "queue": { - "type": "Microsoft.Storage/storageAccounts/queueServices/queues", - "apiVersion": "2021-09-01", - "name": "[format('{0}/{1}/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]" - }, - "dependsOn": [ - "storageAccount::queueServices" - ] - }, - "queue_roleAssignments": { - "copy": { - "name": "queue_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}/queueServices/{1}/queues/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/queueServices/queues', parameters('storageAccountName'), 'default', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "queue" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed queue." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed queue." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/queueServices/queues', parameters('storageAccountName'), 'default', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed queue." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/storage/storage-account/queue-service/queue/version.json b/modules/storage/storage-account/queue-service/queue/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/storage/storage-account/queue-service/queue/version.json +++ /dev/null 
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/storage/storage-account/queue-service/version.json b/modules/storage/storage-account/queue-service/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/storage/storage-account/queue-service/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/storage/storage-account/table-service/README.md b/modules/storage/storage-account/table-service/README.md
deleted file mode 100644
index 17526658f2..0000000000
--- a/modules/storage/storage-account/table-service/README.md
+++ /dev/null
@@ -1,161 +0,0 @@
-# Storage Account Table Services `[Microsoft.Storage/storageAccounts/tableServices]`
-
-This module deploys a Storage Account Table Service.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
-| `Microsoft.Storage/storageAccounts/tableServices` | [2021-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-09-01/storageAccounts/tableServices) |
-| `Microsoft.Storage/storageAccounts/tableServices/tables` | [2021-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-09-01/storageAccounts/tableServices/tables) |
-
-## Parameters
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`storageAccountName`](#parameter-storageaccountname) | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`tables`](#parameter-tables) | array | tables to create. |
-
-### Parameter: `storageAccountName`
-
-The name of the parent Storage Account. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `diagnosticSettings`
-
-The diagnostic settings of the service.
-
-- Required: No
-- Type: array
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
-| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. |
-| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. |
-| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. |
-| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-
-### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId`
-
-Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.eventHubName`
-
-Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.logAnalyticsDestinationType`
-
-A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'AzureDiagnostics'
- 'Dedicated'
- ]
- ```
-
-### Parameter: `diagnosticSettings.logCategoriesAndGroups`
-
-The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
-
-- Required: No
-- Type: array
-
-### Parameter: `diagnosticSettings.marketplacePartnerResourceId`
-
-The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.metricCategories`
-
-The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
-
-- Required: No
-- Type: array
-
-### Parameter: `diagnosticSettings.name`
-
-The name of diagnostic setting.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.storageAccountResourceId`
-
-Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.workspaceResourceId`
-
-Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-
-- Required: No
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `tables`
-
-tables to create.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed table service. |
-| `resourceGroupName` | string | The resource group of the deployed table service. |
-| `resourceId` | string | The resource ID of the deployed table service. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/storage/storage-account/table-service/main.bicep b/modules/storage/storage-account/table-service/main.bicep
deleted file mode 100644
index c200aa9314..0000000000
--- a/modules/storage/storage-account/table-service/main.bicep
+++ /dev/null
@@ -1,128 +0,0 @@
-metadata name = 'Storage Account Table Services'
-metadata description = 'This module deploys a Storage Account Table Service.'
-metadata owner = 'Azure/module-maintainers'
-
-@maxLength(24)
-@description('Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment.')
-param storageAccountName string
-
-@description('Optional. tables to create.')
-param tables array = []
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-// The name of the table service
-var name = 'default'
-
-var enableReferencedModulesTelemetry = false
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' existing = {
- name: storageAccountName
-}
-
-resource tableServices 'Microsoft.Storage/storageAccounts/tableServices@2021-09-01' = {
- name: name
- parent: storageAccount
- properties: {}
-}
-
-resource tableServices_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: tableServices
-}]
-
-module tableServices_tables 'table/main.bicep' = [for (tableName, index) in tables: {
- name: '${deployment().name}-Table-${index}'
- params: {
- name: tableName
- storageAccountName: storageAccount.name
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-@description('The name of the deployed table service.')
-output name string = tableServices.name
-
-@description('The resource ID of the deployed table service.')
-output resourceId string = tableServices.id
-
-@description('The resource group of the deployed table service.')
-output resourceGroupName string = resourceGroup().name
-// =============== //
-// Definitions //
-// =============== //
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/storage/storage-account/table-service/main.json b/modules/storage/storage-account/table-service/main.json
deleted file mode 100644
index b8cf06226e..0000000000
--- a/modules/storage/storage-account/table-service/main.json
+++ /dev/null
@@ -1,342 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "4899998340898025880" - }, - "name": "Storage Account Table Services", - "description": "This module deploys a Storage Account Table Service.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. 
Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." 
- } - } - } - }, - "nullable": true - } - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "tables": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. tables to create." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "name": "default", - "enableReferencedModulesTelemetry": false - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2021-09-01", - "name": "[parameters('storageAccountName')]" - }, - "tableServices": { - "type": "Microsoft.Storage/storageAccounts/tableServices", - "apiVersion": "2021-09-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), variables('name'))]", - "properties": {}, - "dependsOn": [ - "storageAccount" - ] - }, - "tableServices_diagnosticSettings": { - "copy": { - "name": "tableServices_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": 
"Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}/tableServices/{1}', parameters('storageAccountName'), variables('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', variables('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "tableServices" - ] - }, - "tableServices_tables": { - "copy": { - "name": "tableServices_tables", - "count": "[length(parameters('tables'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Table-{1}', deployment().name, copyIndex())]", - "properties": { - 
"expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('tables')[copyIndex()]]" - }, - "storageAccountName": { - "value": "[parameters('storageAccountName')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "12296091632007980628" - }, - "name": "Storage Account Table", - "description": "This module deploys a Storage Account Table.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the table." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Storage/storageAccounts/tableServices/tables", - "apiVersion": "2021-09-01", - "name": "[format('{0}/{1}/{2}', parameters('storageAccountName'), 'default', parameters('name'))]" - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed file share service." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed file share service." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/tableServices/tables', parameters('storageAccountName'), 'default', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed file share service." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "storageAccount" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed table service." - }, - "value": "[variables('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed table service." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/tableServices', parameters('storageAccountName'), variables('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed table service." 
- }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/storage/storage-account/table-service/table/README.md b/modules/storage/storage-account/table-service/table/README.md deleted file mode 100644 index 797f1baa2a..0000000000 --- a/modules/storage/storage-account/table-service/table/README.md +++ /dev/null 
@@ -1,71 +0,0 @@
-# Storage Account Table `[Microsoft.Storage/storageAccounts/tableServices/tables]`
-
-This module deploys a Storage Account Table.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Storage/storageAccounts/tableServices/tables` | [2021-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-09-01/storageAccounts/tableServices/tables) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | Name of the table. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`storageAccountName`](#parameter-storageaccountname) | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-
-### Parameter: `name`
-
-Name of the table.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `storageAccountName`
-
-The name of the parent Storage Account. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the deployed file share service. |
-| `resourceGroupName` | string | The resource group of the deployed file share service. |
-| `resourceId` | string | The resource ID of the deployed file share service. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/storage/storage-account/table-service/table/main.bicep b/modules/storage/storage-account/table-service/table/main.bicep
deleted file mode 100644
index adae0ab488..0000000000
--- a/modules/storage/storage-account/table-service/table/main.bicep
+++ /dev/null
@@ -1,47 +0,0 @@
-metadata name = 'Storage Account Table'
-metadata description = 'This module deploys a Storage Account Table.'
-metadata owner = 'Azure/module-maintainers'
-
-@maxLength(24)
-@description('Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment.')
-param storageAccountName string
-
-@description('Required. Name of the table.')
-param name string
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' existing = {
- name: storageAccountName
-
- resource tableServices 'tableServices@2021-09-01' existing = {
- name: 'default'
- }
-}
-
-resource table 'Microsoft.Storage/storageAccounts/tableServices/tables@2021-09-01' = {
- name: name
- parent: storageAccount::tableServices
-}
-
-@description('The name of the deployed file share service.')
-output name string = table.name
-
-@description('The resource ID of the deployed file share service.')
-output resourceId string = table.id
-
-@description('The resource group of the deployed file share service.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/storage/storage-account/table-service/table/main.json b/modules/storage/storage-account/table-service/table/main.json deleted file mode 100644 index 7c0d098231..0000000000 --- a/modules/storage/storage-account/table-service/table/main.json +++ /dev/null 
@@ -1,80 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "12296091632007980628" - }, - "name": "Storage Account Table", - "description": "This module deploys a Storage Account Table.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the table." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Storage/storageAccounts/tableServices/tables", - "apiVersion": "2021-09-01", - "name": "[format('{0}/{1}/{2}', parameters('storageAccountName'), 'default', parameters('name'))]" - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed file share service." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed file share service." 
- }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/tableServices/tables', parameters('storageAccountName'), 'default', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed file share service." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/storage/storage-account/table-service/table/version.json b/modules/storage/storage-account/table-service/table/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/storage/storage-account/table-service/table/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/storage/storage-account/table-service/version.json b/modules/storage/storage-account/table-service/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/storage/storage-account/table-service/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/storage/storage-account/tests/e2e/defaults/main.test.bicep b/modules/storage/storage-account/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 1a754ad2b7..0000000000 --- a/modules/storage/storage-account/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,50 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-storage.storageaccounts-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ssamin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- allowBlobPublicAccess: false
- }
-}]
diff --git a/modules/storage/storage-account/tests/e2e/encr/dependencies.bicep b/modules/storage/storage-account/tests/e2e/encr/dependencies.bicep
deleted file mode 100644
index f01760e1ff..0000000000
--- a/modules/storage/storage-account/tests/e2e/encr/dependencies.bicep
+++ /dev/null
@@ -1,113 +0,0 @@ -@description('Optional. The location to deploy resources to.') -param location string = resourceGroup().location - -@description('Required. The name of the Key Vault to create.') -param keyVaultName string - -@description('Required. The name of the Virtual Network to create.') -param virtualNetworkName string - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -var addressPrefix = '10.0.0.0/16' - -resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { - name: keyVaultName - location: location - properties: { - sku: { - family: 'A' - name: 'standard' - } - tenantId: tenant().tenantId - enablePurgeProtection: true - softDeleteRetentionInDays: 7 - enabledForTemplateDeployment: true - enabledForDiskEncryption: true - enabledForDeployment: true - enableRbacAuthorization: true - accessPolicies: [] - } - - resource key 'keys@2022-07-01' = { - name: 'keyEncryptionKey' - properties: { - kty: 'RSA' - } - } -} - -resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { - name: virtualNetworkName - location: location - properties: { - addressSpace: { - addressPrefixes: [ - addressPrefix - ] - } - subnets: [ - { - name: 'defaultSubnet' - properties: { - addressPrefix: cidrSubnet(addressPrefix, 16, 0) - serviceEndpoints: [ - { - service: 'Microsoft.Storage' - } - ] - } - } - ] - } -} - -resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { - name: 'privatelink.blob.${environment().suffixes.storage}' - location: 'global' - - resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { - name: '${virtualNetwork.name}-vnetlink' - location: 'global' - properties: { - virtualNetwork: { - id: virtualNetwork.id - } - registrationEnabled: false - } - } -} - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -resource keyPermissions 
'Microsoft.Authorization/roleAssignments@2022-04-01' = { - name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-KeyVault-Reader-RoleAssignment.') - scope: keyVault::key - properties: { - principalId: managedIdentity.properties.principalId - roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User - principalType: 'ServicePrincipal' - } -} - -@description('The resource ID of the created Virtual Network Subnet.') -output subnetResourceId string = virtualNetwork.properties.subnets[0].id - -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId - -@description('The resource ID of the created Managed Identity.') -output managedIdentityResourceId string = managedIdentity.id - -@description('The resource ID of the created Private DNS Zone.') -output privateDNSZoneResourceId string = privateDNSZone.id - -@description('The resource ID of the created Key Vault.') -output keyVaultResourceId string = keyVault.id - -@description('The name of the created encryption key.') -output keyName string = keyVault::key.name diff --git a/modules/storage/storage-account/tests/e2e/encr/main.test.bicep b/modules/storage/storage-account/tests/e2e/encr/main.test.bicep deleted file mode 100644 index eb5638b6a1..0000000000 --- a/modules/storage/storage-account/tests/e2e/encr/main.test.bicep +++ /dev/null 
@@ -1,114 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-storage.storageaccounts-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'ssaencr' - -@description('Generated. Used as a basis for unique resource names.') -param baseTime string = utcNow('u') - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, 
location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - skuName: 'Standard_LRS' - allowBlobPublicAccess: false - requireInfrastructureEncryption: true - privateEndpoints: [ - { - service: 'blob' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - blobServices: { - containers: [ - { - name: '${namePrefix}container' - publicAccess: 'None' - } - ] - automaticSnapshotPolicyEnabled: true - changeFeedEnabled: true - changeFeedRetentionInDays: 10 - containerDeleteRetentionPolicyEnabled: true - containerDeleteRetentionPolicyDays: 10 - containerDeleteRetentionPolicyAllowPermanentDelete: true - defaultServiceVersion: '2008-10-27' - deleteRetentionPolicyEnabled: true - deleteRetentionPolicyDays: 9 - isVersioningEnabled: true - lastAccessTimeTrackingPolicyEnable: true - restorePolicyEnabled: true - restorePolicyDays: 8 - } - managedIdentities: { - systemAssigned: false - userAssignedResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - } - customerManagedKey: { - keyName: nestedDependencies.outputs.keyName - keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - userAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/storage/storage-account/tests/e2e/max/dependencies.bicep b/modules/storage/storage-account/tests/e2e/max/dependencies.bicep deleted file mode 100644 index b7cff8b3d2..0000000000 --- a/modules/storage/storage-account/tests/e2e/max/dependencies.bicep +++ /dev/null 
@@ -1,68 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- serviceEndpoints: [
- {
- service: 'Microsoft.Storage'
- }
- ]
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.blob.${environment().suffixes.storage}'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/storage/storage-account/tests/e2e/max/main.test.bicep b/modules/storage/storage-account/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 8f1a304088..0000000000
--- a/modules/storage/storage-account/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,374 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-storage.storageaccounts-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'ssamax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - 
eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - skuName: 'Standard_LRS' - allowBlobPublicAccess: false - requireInfrastructureEncryption: true - largeFileSharesState: 'Enabled' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - enableHierarchicalNamespace: true - enableSftp: true - enableNfsV3: true - privateEndpoints: [ - { - service: 'blob' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - networkAcls: { - bypass: 'AzureServices' - defaultAction: 'Deny' - virtualNetworkRules: [ - { - action: 'Allow' - id: nestedDependencies.outputs.subnetResourceId - } - ] - ipRules: [ - { - action: 'Allow' - value: '1.1.1.1' - } - ] - } - localUsers: [ - { - storageAccountName: '${namePrefix}${serviceShort}001' - name: 'testuser' - hasSharedKey: false - hasSshKey: true - hasSshPassword: false - homeDirectory: 'avdscripts' - permissionScopes: [ - { - permissions: 'r' - service: 'blob' - resourceName: 'avdscripts' - } - ] - } - ] - blobServices: { - lastAccessTimeTrackingPolicyEnabled: true - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: 
diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - containers: [ - { - name: 'avdscripts' - enableNfsV3AllSquash: true - enableNfsV3RootSquash: true - publicAccess: 'None' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - } - { - name: 'archivecontainer' - publicAccess: 'None' - metadata: { - testKey: 'testValue' - } - enableWORM: true - WORMRetention: 666 - allowProtectedAppendWrites: false - } - ] - automaticSnapshotPolicyEnabled: true - containerDeleteRetentionPolicyEnabled: true - containerDeleteRetentionPolicyDays: 10 - deleteRetentionPolicyEnabled: true - deleteRetentionPolicyDays: 9 - } - fileServices: { - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - shares: [ - { - name: 'avdprofiles' - accessTier: 'Hot' - shareQuota: 5120 - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - 
roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - } - { - name: 'avdprofiles2' - shareQuota: 102400 - } - ] - } - tableServices: { - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - tables: [ - 'table1' - 'table2' - ] - } - queueServices: { - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - queues: [ - { - name: 'queue1' - metadata: { - key1: 'value1' - key2: 'value2' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - } - { - name: 'queue2' - metadata: {} - } - ] - } - sasExpirationPeriod: '180.00:00:00' - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - managementPolicyRules: [ - { - enabled: true - name: 'FirstRule' - type: 'Lifecycle' - definition: { - actions: { - baseBlob: { - delete: { - daysAfterModificationGreaterThan: 30 - } - tierToCool: { - daysAfterLastAccessTimeGreaterThan: 5 - } - } - } - filters: { - blobIndexMatch: [ - { - name: 'BlobIndex' - op: '==' - value: '1' - } - ] - blobTypes: [ - 'blockBlob' - ] - prefixMatch: [ - 'sample-container/log' - ] - } - } - } - ] - tags: { - 'hidden-title': 'This is visible in the 
resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/storage/storage-account/tests/e2e/nfs/dependencies.bicep b/modules/storage/storage-account/tests/e2e/nfs/dependencies.bicep deleted file mode 100644 index cc8645d745..0000000000 --- a/modules/storage/storage-account/tests/e2e/nfs/dependencies.bicep +++ /dev/null @@ -1,16 +0,0 @@ -@description('Optional. The location to deploy resources to.') -param location string = resourceGroup().location - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId - -@description('The resource ID of the created Managed Identity.') -output managedIdentityResourceId string = managedIdentity.id diff --git a/modules/storage/storage-account/tests/e2e/nfs/main.test.bicep b/modules/storage/storage-account/tests/e2e/nfs/main.test.bicep deleted file mode 100644 index 59e23e6707..0000000000 --- a/modules/storage/storage-account/tests/e2e/nfs/main.test.bicep +++ /dev/null 
@@ -1,126 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-storage.storageaccounts-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ssanfs'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- skuName: 'Premium_LRS'
- kind: 'FileStorage'
- allowBlobPublicAccess: false
- supportsHttpsTrafficOnly: false
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- fileServices: {
- shares: [
- {
- name: 'nfsfileshare'
- enabledProtocols: 'NFS'
- }
- ]
- }
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/storage/storage-account/tests/e2e/v1/main.test.bicep b/modules/storage/storage-account/tests/e2e/v1/main.test.bicep
deleted file mode 100644
index 057738ca6a..0000000000
--- a/modules/storage/storage-account/tests/e2e/v1/main.test.bicep
+++ /dev/null
@@ -1,53 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-storage.storageaccounts-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ssav1'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- kind: 'Storage'
- allowBlobPublicAccess: false
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/storage/storage-account/tests/e2e/waf-aligned/dependencies.bicep b/modules/storage/storage-account/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index b7cff8b3d2..0000000000
--- a/modules/storage/storage-account/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,68 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- serviceEndpoints: [
- {
- service: 'Microsoft.Storage'
- }
- ]
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.blob.${environment().suffixes.storage}'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep b/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep deleted file mode 100644 index 1ceb919f76..0000000000 --- a/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep +++ /dev/null 
@@ -1,327 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-storage.storageaccounts-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'ssawaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 
'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - skuName: 'Standard_LRS' - allowBlobPublicAccess: false - requireInfrastructureEncryption: true - largeFileSharesState: 'Enabled' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - enableHierarchicalNamespace: true - enableSftp: true - enableNfsV3: true - privateEndpoints: [ - { - service: 'blob' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - networkAcls: { - bypass: 'AzureServices' - defaultAction: 'Deny' - virtualNetworkRules: [ - { - action: 'Allow' - id: nestedDependencies.outputs.subnetResourceId - } - ] - ipRules: [ - { - action: 'Allow' - value: '1.1.1.1' - } - ] - } - localUsers: [ - { - storageAccountName: '${namePrefix}${serviceShort}001' - name: 'testuser' - hasSharedKey: false - hasSshKey: true - hasSshPassword: false - homeDirectory: 'avdscripts' - permissionScopes: [ - { - permissions: 'r' - service: 'blob' - resourceName: 'avdscripts' - } - ] - } - ] - blobServices: { - lastAccessTimeTrackingPolicyEnabled: true - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: 
diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - containers: [ - { - name: 'avdscripts' - enableNfsV3AllSquash: true - enableNfsV3RootSquash: true - publicAccess: 'None' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - } - { - name: 'archivecontainer' - publicAccess: 'None' - metadata: { - testKey: 'testValue' - } - enableWORM: true - WORMRetention: 666 - allowProtectedAppendWrites: false - } - ] - automaticSnapshotPolicyEnabled: true - containerDeleteRetentionPolicyEnabled: true - containerDeleteRetentionPolicyDays: 10 - deleteRetentionPolicyEnabled: true - deleteRetentionPolicyDays: 9 - } - fileServices: { - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - shares: [ - { - name: 'avdprofiles' - accessTier: 'Hot' - shareQuota: 5120 - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - } - { - name: 'avdprofiles2' - shareQuota: 102400 - } - ] - } - tableServices: { - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: 
diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - tables: [ - 'table1' - 'table2' - ] - } - queueServices: { - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - queues: [ - { - name: 'queue1' - metadata: { - key1: 'value1' - key2: 'value2' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - } - { - name: 'queue2' - metadata: {} - } - ] - } - sasExpirationPeriod: '180.00:00:00' - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - nestedDependencies.outputs.managedIdentityResourceId - ] - } - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - managementPolicyRules: [ - { - enabled: true - name: 'FirstRule' - type: 'Lifecycle' - definition: { - actions: { - baseBlob: { - delete: { - daysAfterModificationGreaterThan: 30 - } - tierToCool: { - daysAfterLastAccessTimeGreaterThan: 5 - } - } - } - filters: { - blobIndexMatch: [ - 
{ - name: 'BlobIndex' - op: '==' - value: '1' - } - ] - blobTypes: [ - 'blockBlob' - ] - prefixMatch: [ - 'sample-container/log' - ] - } - } - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/storage/storage-account/version.json b/modules/storage/storage-account/version.json deleted file mode 100644 index 04a0dd1a80..0000000000 --- a/modules/storage/storage-account/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/synapse/private-link-hub/README.md b/modules/synapse/private-link-hub/README.md index 1cc54fa4b1..a80a86661d 100644 --- a/modules/synapse/private-link-hub/README.md +++ b/modules/synapse/private-link-hub/README.md @@ -1,774 +1,7 @@ -# Azure Synapse Analytics `[Microsoft.Synapse/privateLinkHubs]` +

⚠️ Moved to AVM ⚠️

-This module deploys an Azure Synapse Analytics (Private Link Hub). +**This module has been evolved into the following AVM module: [avm/res/synapse/private-link-hub](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/synapse/private-link-hub).** -## Navigation +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/synapse/private-link-hub). -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -| `Microsoft.Synapse/privateLinkHubs` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Synapse/2021-06-01/privateLinkHubs) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
- ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/synapse.private-link-hub:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module privateLinkHub 'br:bicep/modules/synapse.private-link-hub:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-splhmin' - params: { - // Required parameters - name: 'splhmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "splhmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module privateLinkHub 'br:bicep/modules/synapse.private-link-hub:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-splhmax' - params: { - // Required parameters - name: 'splhmax001' - // Non-required parameters - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'Web' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "splhmax001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "Web", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module privateLinkHub 'br:bicep/modules/synapse.private-link-hub:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-splhwaf' - params: { - // Required parameters - name: 'splhwaf001' - // Non-required parameters - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'Web' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "splhwaf001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "Web", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the Private Link Hub. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | The geo-location where the resource lives. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | - -### Parameter: `name` - -The name of the Private Link Hub. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -The geo-location where the resource lives. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. 
- -- Required: No -- Type: string - -### Parameter: `privateEndpoints` - -Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. 
| -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.service` - -The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.subnetResourceId` - -Resource ID of the subnet where the endpoint needs to be created. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Application security groups in which the private endpoint IP configuration is included. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customDnsConfigs` - -Custom DNS configurations. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customNetworkInterfaceName` - -The custom name of the network interface attached to the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.enableTelemetry` - -Enable/Disable usage telemetry for module. - -- Required: No -- Type: bool - -### Parameter: `privateEndpoints.ipConfigurations` - -A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.location` - -The location to deploy the private endpoint to. 
- -- Required: No -- Type: string - -### Parameter: `privateEndpoints.lock` - -Specify the type of lock. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | -| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | - -### Parameter: `privateEndpoints.lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `privateEndpoints.lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` - -Manual PrivateLink Service Connections. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.name` - -The name of the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneGroupName` - -The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` - -The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `privateEndpoints.roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `privateEndpoints.tags` - -Tags to be applied on all resources/resource groups in this deployment. - -- Required: No -- Type: object - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. 
-
-- Required: No
-- Type: string
-
-### Parameter: `roleAssignments.principalType`
-
-The principal type of the assigned principal ID.
-
-- Required: No
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Device'
- 'ForeignGroup'
- 'Group'
- 'ServicePrincipal'
- 'User'
- ]
- ```
-
-### Parameter: `tags`
-
-Tags of the resource.
-
-- Required: No
-- Type: object
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the deployed Synapse Private Link Hub. |
-| `resourceGroupName` | string | The resource group of the deployed Synapse Private Link Hub. |
-| `resourceId` | string | The resource ID of the deployed Synapse Private Link Hub. |
-
-## Cross-referenced modules
-
-This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
-
-| Reference | Type |
-| :-- | :-- |
-| `modules/network/private-endpoint` | Local reference |
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/synapse/private-link-hub/main.bicep b/modules/synapse/private-link-hub/main.bicep
deleted file mode 100644
index bd100e3ab1..0000000000
--- a/modules/synapse/private-link-hub/main.bicep
+++ /dev/null
@@ -1,217 +0,0 @@
-metadata name = 'Azure Synapse Analytics'
-metadata description = 'This module deploys an Azure Synapse Analytics (Private Link Hub).'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The name of the Private Link Hub.')
-param name string
-
-@description('Optional. The geo-location where the resource lives.')
-param location string = resourceGroup().location
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints privateEndpointType
-
-var enableReferencedModulesTelemetry = false
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource privateLinkHub 'Microsoft.Synapse/privateLinkHubs@2021-06-01' = {
- name: name
- location: location
- tags: tags
-}
-
-// Resource Lock
-resource privateLinkHub_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: privateLinkHub
-}
-
-// RBAC
-resource privateLinkHub_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(privateLinkHub.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: privateLinkHub
-}]
-
-// Private Endpoints
-module privateLinkHub_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
- name: '${uniqueString(deployment().name, location)}-privateLinkHub-PrivateEndpoint-${index}'
- params: {
- groupIds: [
- privateEndpoint.service
- ]
- name: privateEndpoint.?name ?? 'pep-${last(split(privateLinkHub.id, '/'))}-${privateEndpoint.?service ?? privateEndpoint.service}-${index}'
- serviceResourceId: privateLinkHub.id
- subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
- location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
- privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
- roleAssignments: privateEndpoint.?roleAssignments
- tags: privateEndpoint.?tags ?? tags
- manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
- customDnsConfigs: privateEndpoint.?customDnsConfigs
- ipConfigurations: privateEndpoint.?ipConfigurations
- applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
- customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
- }
-}]
-
-@description('The resource ID of the deployed Synapse Private Link Hub.')
-output resourceId string = privateLinkHub.id
-
-@description('The name of the deployed Synapse Private Link Hub.')
-output name string = privateLinkHub.name
-
-@description('The resource group of the deployed Synapse Private Link Hub.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = privateLinkHub.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type privateEndpointType = {
- @description('Optional. The name of the private endpoint.')
- name: string?
-
- @description('Optional. The location to deploy the private endpoint to.')
- location: string?
-
- @description('Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
- service: string
-
- @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
- subnetResourceId: string
-
- @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
- privateDnsZoneGroupName: string?
-
- @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
- privateDnsZoneResourceIds: string[]?
-
- @description('Optional. Custom DNS configurations.')
- customDnsConfigs: {
- @description('Required. Fqdn that resolves to private endpoint ip address.')
- fqdn: string?
-
- @description('Required. A list of private ip addresses of the private endpoint.')
- ipAddresses: string[]
- }[]?
-
- @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
- ipConfigurations: {
- @description('Required. The name of the resource that is unique within a resource group.')
- name: string
-
- @description('Required. Properties of private endpoint IP configurations.')
- properties: {
- @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
- groupId: string
-
- @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
- memberName: string
-
- @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
- privateIPAddress: string
- }
- }[]?
-
- @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
- applicationSecurityGroupResourceIds: string[]?
-
- @description('Optional. The custom name of the network interface attached to the private endpoint.')
- customNetworkInterfaceName: string?
-
- @description('Optional. Specify the type of lock.')
- lock: lockType
-
- @description('Optional. Array of role assignments to create.')
- roleAssignments: roleAssignmentType
-
- @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
- tags: object?
-
- @description('Optional. Manual PrivateLink Service Connections.')
- manualPrivateLinkServiceConnections: array?
-
- @description('Optional. Enable/Disable usage telemetry for module.')
- enableTelemetry: bool?
-}[]?
diff --git a/modules/synapse/private-link-hub/main.json b/modules/synapse/private-link-hub/main.json
deleted file mode 100644
index 789ade5675..0000000000
--- a/modules/synapse/private-link-hub/main.json
+++ /dev/null
@@ -1,1044 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "8159099394121602956" - }, - "name": "Azure Synapse Analytics", - "description": "This module deploys an Azure Synapse Analytics (Private Link Hub).", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "metadata": { - "description": "Required. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." 
- } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." 
- } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Private Link Hub." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. The geo-location where the resource lives." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." 
- } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateLinkHub": { - "type": "Microsoft.Synapse/privateLinkHubs", - "apiVersion": "2021-06-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]" - }, - "privateLinkHub_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": 
"2020-05-01", - "scope": "[format('Microsoft.Synapse/privateLinkHubs/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateLinkHub" - ] - }, - "privateLinkHub_roleAssignments": { - "copy": { - "name": "privateLinkHub_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Synapse/privateLinkHubs/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Synapse/privateLinkHubs', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateLinkHub" - ] - }, - "privateLinkHub_privateEndpoints": { - "copy": { - "name": "privateLinkHub_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-privateLinkHub-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Synapse/privateLinkHubs', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.Synapse/privateLinkHubs', parameters('name'))]" - }, - "subnetResourceId": { - "value": 
"[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - 
"customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. 
Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." 
- } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. 
The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } 
- }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - "groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": 
"privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": 
"Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "privateLinkHub" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed Synapse Private Link Hub." - }, - "value": "[resourceId('Microsoft.Synapse/privateLinkHubs', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed Synapse Private Link Hub." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed Synapse Private Link Hub." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateLinkHub', '2021-06-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/synapse/private-link-hub/tests/e2e/defaults/main.test.bicep b/modules/synapse/private-link-hub/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index d25afb53a7..0000000000 
--- a/modules/synapse/private-link-hub/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-synapse.privatelinkhubs-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'splhmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/synapse/private-link-hub/tests/e2e/max/dependencies.bicep b/modules/synapse/private-link-hub/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index d7ca02fccb..0000000000
--- a/modules/synapse/private-link-hub/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,74 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Network Security Group to create.')
-param networkSecurityGroupName string
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
- name: networkSecurityGroupName
- location: location
- properties: {}
-}
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- networkSecurityGroup: {
- id: networkSecurityGroup.id
- }
- privateEndpointNetworkPolicies: 'Disabled'
- privateLinkServiceNetworkPolicies: 'Enabled'
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.azuresynapse.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/synapse/private-link-hub/tests/e2e/max/main.test.bicep b/modules/synapse/private-link-hub/tests/e2e/max/main.test.bicep
deleted file mode 100644
index a4718d62b4..0000000000
--- a/modules/synapse/private-link-hub/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,94 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-synapse.privatelinkhubs-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'splhmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- networkSecurityGroupName: 'dep-${namePrefix}-nsg-${serviceShort}'
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- service: 'Web'
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/synapse/private-link-hub/tests/e2e/waf-aligned/dependencies.bicep b/modules/synapse/private-link-hub/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index d7ca02fccb..0000000000
--- a/modules/synapse/private-link-hub/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,74 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Network Security Group to create.')
-param networkSecurityGroupName string
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
- name: networkSecurityGroupName
- location: location
- properties: {}
-}
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- networkSecurityGroup: {
- id: networkSecurityGroup.id
- }
- privateEndpointNetworkPolicies: 'Disabled'
- privateLinkServiceNetworkPolicies: 'Enabled'
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.azuresynapse.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/synapse/private-link-hub/tests/e2e/waf-aligned/main.test.bicep b/modules/synapse/private-link-hub/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index cda0f2510d..0000000000
--- a/modules/synapse/private-link-hub/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,94 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-synapse.privatelinkhubs-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'splhwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- networkSecurityGroupName: 'dep-${namePrefix}-nsg-${serviceShort}'
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- privateEndpoints: [
- {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- service: 'Web'
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/synapse/private-link-hub/version.json b/modules/synapse/private-link-hub/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/synapse/private-link-hub/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/synapse/workspace/README.md b/modules/synapse/workspace/README.md
index 2b9461cd16..66963860a0 100644
--- a/modules/synapse/workspace/README.md
+++ b/modules/synapse/workspace/README.md
@@ -1,1448 +1,7 @@
-# Synapse Workspaces `[Microsoft.Synapse/workspaces]`
+

⚠️ Moved to AVM ⚠️

-This module deploys a Synapse Workspace. +**This module has been evolved into the following AVM module: [avm/res/synapse/workspace](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/synapse/workspace).** -## Navigation +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/synapse/workspace). -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.KeyVault/vaults/accessPolicies` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2022-07-01/vaults/accessPolicies) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -| `Microsoft.Synapse/workspaces` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Synapse/2021-06-01/workspaces) | -| `Microsoft.Synapse/workspaces/integrationRuntimes` | 
[2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Synapse/2021-06-01/workspaces/integrationRuntimes) | -| `Microsoft.Synapse/workspaces/keys` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Synapse/2021-06-01/workspaces/keys) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/synapse.workspace:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Encrwsai](#example-2-encrwsai) -- [Encrwuai](#example-3-encrwuai) -- [Managedvnet](#example-4-managedvnet) -- [Using large parameter set](#example-5-using-large-parameter-set) -- [WAF-aligned](#example-6-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-swmin' - params: { - // Required parameters - defaultDataLakeStorageAccountResourceId: '' - defaultDataLakeStorageFilesystem: '' - name: 'swmin001' - sqlAdministratorLogin: 'synwsadmin' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "defaultDataLakeStorageAccountResourceId": { - "value": "" - }, - "defaultDataLakeStorageFilesystem": { - "value": "" - }, - "name": { - "value": "swmin001" - }, - "sqlAdministratorLogin": { - "value": "synwsadmin" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Encrwsai_ - -

- -via Bicep module - -```bicep -module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-swensa' - params: { - // Required parameters - defaultDataLakeStorageAccountResourceId: '' - defaultDataLakeStorageFilesystem: '' - name: 'swensa001' - sqlAdministratorLogin: 'synwsadmin' - // Non-required parameters - customerManagedKey: { - keyName: '' - keyVaultResourceId: '' - } - enableDefaultTelemetry: '' - encryptionActivateWorkspace: true - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "defaultDataLakeStorageAccountResourceId": { - "value": "" - }, - "defaultDataLakeStorageFilesystem": { - "value": "" - }, - "name": { - "value": "swensa001" - }, - "sqlAdministratorLogin": { - "value": "synwsadmin" - }, - // Non-required parameters - "customerManagedKey": { - "value": { - "keyName": "", - "keyVaultResourceId": "" - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "encryptionActivateWorkspace": { - "value": true - } - } -} -``` - -
-

- -### Example 3: _Encrwuai_ - -

- -via Bicep module - -```bicep -module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-swenua' - params: { - // Required parameters - defaultDataLakeStorageAccountResourceId: '' - defaultDataLakeStorageFilesystem: '' - name: 'swenua001' - sqlAdministratorLogin: 'synwsadmin' - // Non-required parameters - customerManagedKey: { - keyName: '' - keyVaultResourceId: '' - userAssignedIdentityResourceId: '' - } - enableDefaultTelemetry: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "defaultDataLakeStorageAccountResourceId": { - "value": "" - }, - "defaultDataLakeStorageFilesystem": { - "value": "" - }, - "name": { - "value": "swenua001" - }, - "sqlAdministratorLogin": { - "value": "synwsadmin" - }, - // Non-required parameters - "customerManagedKey": { - "value": { - "keyName": "", - "keyVaultResourceId": "", - "userAssignedIdentityResourceId": "" - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 4: _Managedvnet_ - -

- -via Bicep module - -```bicep -module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-swmanv' - params: { - // Required parameters - defaultDataLakeStorageAccountResourceId: '' - defaultDataLakeStorageFilesystem: '' - name: 'swmanv001' - sqlAdministratorLogin: 'synwsadmin' - // Non-required parameters - allowedAadTenantIdsForLinking: [ - '' - ] - enableDefaultTelemetry: '' - managedVirtualNetwork: true - preventDataExfiltration: true - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "defaultDataLakeStorageAccountResourceId": { - "value": "" - }, - "defaultDataLakeStorageFilesystem": { - "value": "" - }, - "name": { - "value": "swmanv001" - }, - "sqlAdministratorLogin": { - "value": "synwsadmin" - }, - // Non-required parameters - "allowedAadTenantIdsForLinking": { - "value": [ - "" - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "managedVirtualNetwork": { - "value": true - }, - "preventDataExfiltration": { - "value": true - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 5: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-swmax' - params: { - // Required parameters - defaultDataLakeStorageAccountResourceId: '' - defaultDataLakeStorageFilesystem: '' - name: 'swmax001' - sqlAdministratorLogin: 'synwsadmin' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - logCategoriesAndGroups: [ - { - category: 'SynapseRbacOperations' - } - { - category: 'SynapseLinkEvent' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - initialWorkspaceAdminObjectID: '' - integrationRuntimes: [ - { - name: 'shir01' - type: 'SelfHosted' - } - ] - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - managedVirtualNetwork: true - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'SQL' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "defaultDataLakeStorageAccountResourceId": { - "value": "" - }, - "defaultDataLakeStorageFilesystem": { - "value": "" - }, - "name": { - "value": "swmax001" - }, - "sqlAdministratorLogin": { - "value": "synwsadmin" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "logCategoriesAndGroups": [ - { - "category": "SynapseRbacOperations" - }, - { - "category": "SynapseLinkEvent" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "initialWorkspaceAdminObjectID": { - "value": "" - }, - "integrationRuntimes": { - "value": [ - { - "name": "shir01", - "type": "SelfHosted" - } - ] - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "managedVirtualNetwork": { - "value": true - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "SQL", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - } - } -} -``` - -
-

- -### Example 6: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-swwaf' - params: { - // Required parameters - defaultDataLakeStorageAccountResourceId: '' - defaultDataLakeStorageFilesystem: '' - name: 'swwaf001' - sqlAdministratorLogin: 'synwsadmin' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - logCategoriesAndGroups: [ - { - category: 'SynapseRbacOperations' - } - { - category: 'SynapseLinkEvent' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - initialWorkspaceAdminObjectID: '' - integrationRuntimes: [ - { - name: 'shir01' - type: 'SelfHosted' - } - ] - managedIdentities: { - userAssignedResourceIds: [ - '' - ] - } - managedVirtualNetwork: true - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'SQL' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "defaultDataLakeStorageAccountResourceId": { - "value": "" - }, - "defaultDataLakeStorageFilesystem": { - "value": "" - }, - "name": { - "value": "swwaf001" - }, - "sqlAdministratorLogin": { - "value": "synwsadmin" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "logCategoriesAndGroups": [ - { - "category": "SynapseRbacOperations" - }, - { - "category": "SynapseLinkEvent" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "initialWorkspaceAdminObjectID": { - "value": "" - }, - "integrationRuntimes": { - "value": [ - { - "name": "shir01", - "type": "SelfHosted" - } - ] - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "" - ] - } - }, - "managedVirtualNetwork": { - "value": true - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "SQL", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`defaultDataLakeStorageAccountResourceId`](#parameter-defaultdatalakestorageaccountresourceid) | string | Resource ID of the default ADLS Gen2 storage account. | -| [`defaultDataLakeStorageFilesystem`](#parameter-defaultdatalakestoragefilesystem) | string | The default ADLS Gen2 file system. | -| [`name`](#parameter-name) | string | The name of the Synapse Workspace. | -| [`sqlAdministratorLogin`](#parameter-sqladministratorlogin) | string | Login for administrator access to the workspace's SQL pools. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`allowedAadTenantIdsForLinking`](#parameter-allowedaadtenantidsforlinking) | array | Allowed AAD Tenant IDs For Linking. | -| [`azureADOnlyAuthentication`](#parameter-azureadonlyauthentication) | bool | Enable or Disable AzureADOnlyAuthentication on All Workspace sub-resource. | -| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition. | -| [`defaultDataLakeStorageCreateManagedPrivateEndpoint`](#parameter-defaultdatalakestoragecreatemanagedprivateendpoint) | bool | Create managed private endpoint to the default storage account or not. If Yes is selected, a managed private endpoint connection request is sent to the workspace's primary Data Lake Storage Gen2 account for Spark pools to access data. This must be approved by an owner of the storage account. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`encryptionActivateWorkspace`](#parameter-encryptionactivateworkspace) | bool | Activate workspace by adding the system managed identity in the KeyVault containing the customer managed key and activating the workspace. 
| -| [`initialWorkspaceAdminObjectID`](#parameter-initialworkspaceadminobjectid) | string | AAD object ID of initial workspace admin. | -| [`integrationRuntimes`](#parameter-integrationruntimes) | array | The Integration Runtimes to create. | -| [`linkedAccessCheckOnTargetResource`](#parameter-linkedaccesscheckontargetresource) | bool | Linked Access Check On Target Resource. | -| [`location`](#parameter-location) | string | The geo-location where the resource lives. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`managedResourceGroupName`](#parameter-managedresourcegroupname) | string | Workspace managed resource group. The resource group name uniquely identifies the resource group within the user subscriptionId. The resource group name must be no longer than 90 characters long, and must be alphanumeric characters (Char.IsLetterOrDigit()) and '-', '_', '(', ')' and'.'. Note that the name cannot end with '.'. | -| [`managedVirtualNetwork`](#parameter-managedvirtualnetwork) | bool | Enable this to ensure that connection from your workspace to your data sources use Azure Private Links. You can create managed private endpoints to your data sources. | -| [`preventDataExfiltration`](#parameter-preventdataexfiltration) | bool | Prevent Data Exfiltration. | -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Enable or Disable public network access to workspace. | -| [`purviewResourceID`](#parameter-purviewresourceid) | string | Purview Resource ID. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. 
| -| [`sqlAdministratorLoginPassword`](#parameter-sqladministratorloginpassword) | string | Password for administrator access to the workspace's SQL pools. If you don't provide a password, one will be automatically generated. You can change the password later. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`workspaceRepositoryConfiguration`](#parameter-workspacerepositoryconfiguration) | object | Git integration settings. | - -### Parameter: `defaultDataLakeStorageAccountResourceId` - -Resource ID of the default ADLS Gen2 storage account. - -- Required: Yes -- Type: string - -### Parameter: `defaultDataLakeStorageFilesystem` - -The default ADLS Gen2 file system. - -- Required: Yes -- Type: string - -### Parameter: `name` - -The name of the Synapse Workspace. - -- Required: Yes -- Type: string - -### Parameter: `sqlAdministratorLogin` - -Login for administrator access to the workspace's SQL pools. - -- Required: Yes -- Type: string - -### Parameter: `allowedAadTenantIdsForLinking` - -Allowed AAD Tenant IDs For Linking. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `azureADOnlyAuthentication` - -Enable or Disable AzureADOnlyAuthentication on All Workspace sub-resource. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `customerManagedKey` - -The customer managed key definition. - -- Required: No -- Type: object - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. | -| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. 
| - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | -| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | - -### Parameter: `customerManagedKey.keyName` - -The name of the customer managed key to use for encryption. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKey.keyVaultResourceId` - -The resource ID of a key vault to reference a customer managed key for encryption from. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKey.keyVersion` - -The version of the customer managed key to reference for encryption. If not provided, using 'latest'. - -- Required: No -- Type: string - -### Parameter: `customerManagedKey.userAssignedIdentityResourceId` - -User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. - -- Required: No -- Type: string - -### Parameter: `defaultDataLakeStorageCreateManagedPrivateEndpoint` - -Create managed private endpoint to the default storage account or not. If Yes is selected, a managed private endpoint connection request is sent to the workspace's primary Data Lake Storage Gen2 account for Spark pools to access data. This must be approved by an owner of the storage account. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. 
- -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `encryptionActivateWorkspace` - -Activate workspace by adding the system managed identity in the KeyVault containing the customer managed key and activating the workspace. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `initialWorkspaceAdminObjectID` - -AAD object ID of initial workspace admin. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `integrationRuntimes` - -The Integration Runtimes to create. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `linkedAccessCheckOnTargetResource` - -Linked Access Check On Target Resource. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `location` - -The geo-location where the resource lives. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. 
- -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: Yes -- Type: array - -### Parameter: `managedResourceGroupName` - -Workspace managed resource group. The resource group name uniquely identifies the resource group within the user subscriptionId. The resource group name must be no longer than 90 characters long, and must be alphanumeric characters (Char.IsLetterOrDigit()) and '-', '_', '(', ')' and'.'. Note that the name cannot end with '.'. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `managedVirtualNetwork` - -Enable this to ensure that connection from your workspace to your data sources use Azure Private Links. You can create managed private endpoints to your data sources. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `preventDataExfiltration` - -Prevent Data Exfiltration. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `privateEndpoints` - -Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. 
| - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. 
| - -### Parameter: `privateEndpoints.service` - -The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.subnetResourceId` - -Resource ID of the subnet where the endpoint needs to be created. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Application security groups in which the private endpoint IP configuration is included. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customDnsConfigs` - -Custom DNS configurations. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customNetworkInterfaceName` - -The custom name of the network interface attached to the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.enableTelemetry` - -Enable/Disable usage telemetry for module. - -- Required: No -- Type: bool - -### Parameter: `privateEndpoints.ipConfigurations` - -A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.location` - -The location to deploy the private endpoint to. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.lock` - -Specify the type of lock. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | -| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | - -### Parameter: `privateEndpoints.lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `privateEndpoints.lock.name` - -Specify the name of lock. 
- -- Required: No -- Type: string - -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` - -Manual PrivateLink Service Connections. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.name` - -The name of the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneGroupName` - -The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` - -The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. 
| -| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `privateEndpoints.roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.principalType` - -The principal type of the assigned principal ID. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `privateEndpoints.tags` - -Tags to be applied on all resources/resource groups in this deployment. - -- Required: No -- Type: object - -### Parameter: `publicNetworkAccess` - -Enable or Disable public network access to workspace. - -- Required: No -- Type: string -- Default: `'Enabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `purviewResourceID` - -Purview Resource ID. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. 
| -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `sqlAdministratorLoginPassword` - -Password for administrator access to the workspace's SQL pools. If you don't provide a password, one will be automatically generated. You can change the password later. 
- -- Required: No -- Type: string -- Default: `''` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `workspaceRepositoryConfiguration` - -Git integration settings. - -- Required: No -- Type: object -- Default: `{}` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `connectivityEndpoints` | object | The workspace connectivity endpoints. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed Synapse Workspace. | -| `resourceGroupName` | string | The resource group of the deployed Synapse Workspace. | -| `resourceID` | string | The resource ID of the deployed Synapse Workspace. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `modules/network/private-endpoint` | Local reference | +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/synapse/workspace/integration-runtime/README.md b/modules/synapse/workspace/integration-runtime/README.md deleted file mode 100644 index 20c5510bc2..0000000000 --- a/modules/synapse/workspace/integration-runtime/README.md +++ /dev/null 
@@ -1,95 +0,0 @@ -# Synapse Workspace Integration Runtimes `[Microsoft.Synapse/workspaces/integrationRuntimes]` - -This module deploys a Synapse Workspace Integration Runtime. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Synapse/workspaces/integrationRuntimes` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Synapse/2021-06-01/workspaces/integrationRuntimes) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the Integration Runtime. | -| [`type`](#parameter-type) | string | The type of Integration Runtime. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`typeProperties`](#parameter-typeproperties) | object | Integration Runtime type properties. Required if type is "Managed". | -| [`workspaceName`](#parameter-workspacename) | string | The name of the parent Synapse Workspace. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | - -### Parameter: `name` - -The name of the Integration Runtime. - -- Required: Yes -- Type: string - -### Parameter: `type` - -The type of Integration Runtime. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Managed' - 'SelfHosted' - ] - ``` - -### Parameter: `typeProperties` - -Integration Runtime type properties. Required if type is "Managed". - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `workspaceName` - -The name of the parent Synapse Workspace. 
Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the Integration Runtime. | -| `resourceGroupName` | string | The name of the Resource Group the Integration Runtime was created in. | -| `resourceId` | string | The resource ID of the Integration Runtime. | - -## Cross-referenced modules - -_None_ diff --git a/modules/synapse/workspace/integration-runtime/main.bicep b/modules/synapse/workspace/integration-runtime/main.bicep deleted file mode 100644 index 4076dc34ce..0000000000 --- a/modules/synapse/workspace/integration-runtime/main.bicep +++ /dev/null 
@@ -1,62 +0,0 @@
-metadata name = 'Synapse Workspace Integration Runtimes'
-metadata description = 'This module deploys a Synapse Workspace Integration Runtime.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Synapse Workspace. Required if the template is used in a standalone deployment.')
-param workspaceName string
-
-@description('Required. The name of the Integration Runtime.')
-param name string
-
-@allowed([
- 'Managed'
- 'SelfHosted'
-])
-@description('Required. The type of Integration Runtime.')
-param type string
-
-@description('Conditional. Integration Runtime type properties. Required if type is "Managed".')
-param typeProperties object = {}
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource workspace 'Microsoft.Synapse/workspaces@2021-06-01' existing = {
- name: workspaceName
-}
-
-resource integrationRuntime 'Microsoft.Synapse/workspaces/integrationRuntimes@2021-06-01' = {
- name: name
- parent: workspace
- properties: type == 'Managed' ? {
- type: type
- managedVirtualNetwork: {
- referenceName: 'default'
- type: 'ManagedVirtualNetworkReference'
- }
- typeProperties: typeProperties
- } : {
- type: type
- }
-}
-
-@description('The name of the Resource Group the Integration Runtime was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the Integration Runtime.')
-output name string = integrationRuntime.name
-
-@description('The resource ID of the Integration Runtime.')
-output resourceId string = integrationRuntime.id
diff --git a/modules/synapse/workspace/integration-runtime/main.json b/modules/synapse/workspace/integration-runtime/main.json
deleted file mode 100644
index f23599a93a..0000000000
--- a/modules/synapse/workspace/integration-runtime/main.json
+++ /dev/null
@@ -1,97 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15433128731134325120" - }, - "name": "Synapse Workspace Integration Runtimes", - "description": "This module deploys a Synapse Workspace Integration Runtime.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "workspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Synapse Workspace. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Integration Runtime." - } - }, - "type": { - "type": "string", - "allowedValues": [ - "Managed", - "SelfHosted" - ], - "metadata": { - "description": "Required. The type of Integration Runtime." - } - }, - "typeProperties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Conditional. Integration Runtime type properties. Required if type is \"Managed\"." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Synapse/workspaces/integrationRuntimes", - "apiVersion": "2021-06-01", - "name": "[format('{0}/{1}', parameters('workspaceName'), parameters('name'))]", - "properties": "[if(equals(parameters('type'), 'Managed'), createObject('type', parameters('type'), 'managedVirtualNetwork', createObject('referenceName', 'default', 'type', 'ManagedVirtualNetworkReference'), 'typeProperties', parameters('typeProperties')), createObject('type', parameters('type')))]" - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the Integration Runtime was created in." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the Integration Runtime." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Integration Runtime." - }, - "value": "[resourceId('Microsoft.Synapse/workspaces/integrationRuntimes', parameters('workspaceName'), parameters('name'))]" - } - } -} \ No newline at end of file diff --git a/modules/synapse/workspace/integration-runtime/version.json b/modules/synapse/workspace/integration-runtime/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/synapse/workspace/integration-runtime/version.json +++ /dev/null 
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/synapse/workspace/key/README.md b/modules/synapse/workspace/key/README.md
deleted file mode 100644
index 667aefb54b..0000000000
--- a/modules/synapse/workspace/key/README.md
+++ /dev/null
@@ -1,96 +0,0 @@ -# Synapse Workspaces Keys `[Microsoft.Synapse/workspaces/keys]` - -This module deploys a Synapse Workspaces Key. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Synapse/workspaces/keys` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Synapse/2021-06-01/workspaces/keys) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`isActiveCMK`](#parameter-isactivecmk) | bool | Used to activate the workspace after a customer managed key is provided. | -| [`keyVaultResourceId`](#parameter-keyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | -| [`name`](#parameter-name) | string | Encryption key name. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`workspaceName`](#parameter-workspacename) | string | The name of the parent Synapse Workspace. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | The geo-location where the resource lives. | - -### Parameter: `isActiveCMK` - -Used to activate the workspace after a customer managed key is provided. - -- Required: Yes -- Type: bool - -### Parameter: `keyVaultResourceId` - -The resource ID of a key vault to reference a customer managed key for encryption from. - -- Required: Yes -- Type: string - -### Parameter: `name` - -Encryption key name. 
- -- Required: Yes -- Type: string - -### Parameter: `workspaceName` - -The name of the parent Synapse Workspace. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -The geo-location where the resource lives. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed key. | -| `resourceGroupName` | string | The resource group of the deployed key. | -| `resourceId` | string | The resource ID of the deployed key. | - -## Cross-referenced modules - -_None_ diff --git a/modules/synapse/workspace/key/main.bicep b/modules/synapse/workspace/key/main.bicep deleted file mode 100644 index 7ae64222fc..0000000000 --- a/modules/synapse/workspace/key/main.bicep +++ /dev/null 
@@ -1,64 +0,0 @@
-metadata name = 'Synapse Workspaces Keys'
-metadata description = 'This module deploys a Synapse Workspaces Key.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Encryption key name.')
-param name string
-
-@description('Conditional. The name of the parent Synapse Workspace. Required if the template is used in a standalone deployment.')
-param workspaceName string
-
-@description('Optional. The geo-location where the resource lives.')
-param location string = resourceGroup().location
-
-@description('Required. Used to activate the workspace after a customer managed key is provided.')
-param isActiveCMK bool
-
-@description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.')
-param keyVaultResourceId string
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
- name: last(split(keyVaultResourceId, '/'))
- scope: resourceGroup(split(keyVaultResourceId, '/')[2], split(keyVaultResourceId, '/')[4])
-
- resource cMKKey 'keys@2023-02-01' existing = {
- name: name
- }
-}
-
-resource workspace 'Microsoft.Synapse/workspaces@2021-06-01' existing = {
- name: workspaceName
-}
-
-resource key 'Microsoft.Synapse/workspaces/keys@2021-06-01' = {
- name: name
- parent: workspace
- properties: {
- isActiveCMK: isActiveCMK
- keyVaultUrl: cMKKeyVault::cMKKey.properties.keyUri
- }
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-@description('The name of the deployed key.')
-output name string = key.name
-
-@description('The resource ID of the deployed key.')
-output resourceId string = key.id
-
-@description('The resource group of the deployed key.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/synapse/workspace/key/main.json b/modules/synapse/workspace/key/main.json
deleted file mode 100644
index 371874873e..0000000000
--- a/modules/synapse/workspace/key/main.json
+++ /dev/null
@@ -1,102 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17878422697036938783" - }, - "name": "Synapse Workspaces Keys", - "description": "This module deploys a Synapse Workspaces Key.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Encryption key name." - } - }, - "workspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Synapse Workspace. Required if the template is used in a standalone deployment." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. The geo-location where the resource lives." - } - }, - "isActiveCMK": { - "type": "bool", - "metadata": { - "description": "Required. Used to activate the workspace after a customer managed key is provided." - } - }, - "keyVaultResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "type": "Microsoft.Synapse/workspaces/keys", - "apiVersion": "2021-06-01", - "name": "[format('{0}/{1}', parameters('workspaceName'), parameters('name'))]", - "properties": { - "isActiveCMK": "[parameters('isActiveCMK')]", - "keyVaultUrl": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('keyVaultResourceId'), '/')[2], split(parameters('keyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', last(split(parameters('keyVaultResourceId'), '/')), parameters('name')), '2023-02-01').keyUri]" - } - }, - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed key." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed key." - }, - "value": "[resourceId('Microsoft.Synapse/workspaces/keys', parameters('workspaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed key." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/synapse/workspace/key/version.json b/modules/synapse/workspace/key/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/synapse/workspace/key/version.json +++ /dev/null 
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/synapse/workspace/main.bicep b/modules/synapse/workspace/main.bicep
deleted file mode 100644
index 5071d3792b..0000000000
--- a/modules/synapse/workspace/main.bicep
+++ /dev/null
@@ -1,473 +0,0 @@ -metadata name = 'Synapse Workspaces' -metadata description = 'This module deploys a Synapse Workspace.' -metadata owner = 'Azure/module-maintainers' - -// Parameters -@maxLength(50) -@description('Required. The name of the Synapse Workspace.') -param name string - -@description('Optional. The geo-location where the resource lives.') -param location string = resourceGroup().location - -@description('Optional. Tags of the resource.') -param tags object? - -@description('Optional. Enable or Disable AzureADOnlyAuthentication on All Workspace sub-resource.') -param azureADOnlyAuthentication bool = false - -@description('Optional. AAD object ID of initial workspace admin.') -param initialWorkspaceAdminObjectID string = '' - -@description('Required. Resource ID of the default ADLS Gen2 storage account.') -param defaultDataLakeStorageAccountResourceId string - -@description('Required. The default ADLS Gen2 file system.') -param defaultDataLakeStorageFilesystem string - -@description('Optional. Create managed private endpoint to the default storage account or not. If Yes is selected, a managed private endpoint connection request is sent to the workspace\'s primary Data Lake Storage Gen2 account for Spark pools to access data. This must be approved by an owner of the storage account.') -param defaultDataLakeStorageCreateManagedPrivateEndpoint bool = false - -@description('Optional. The customer managed key definition.') -param customerManagedKey customerManagedKeyType - -@description('Optional. Activate workspace by adding the system managed identity in the KeyVault containing the customer managed key and activating the workspace.') -param encryptionActivateWorkspace bool = false - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@maxLength(90) -@description('Optional. Workspace managed resource group. 
The resource group name uniquely identifies the resource group within the user subscriptionId. The resource group name must be no longer than 90 characters long, and must be alphanumeric characters (Char.IsLetterOrDigit()) and \'-\', \'_\', \'(\', \')\' and\'.\'. Note that the name cannot end with \'.\'.') -param managedResourceGroupName string = '' - -@description('Optional. Enable this to ensure that connection from your workspace to your data sources use Azure Private Links. You can create managed private endpoints to your data sources.') -param managedVirtualNetwork bool = false - -@description('Optional. The Integration Runtimes to create.') -param integrationRuntimes array = [] - -@description('Optional. Allowed AAD Tenant IDs For Linking.') -param allowedAadTenantIdsForLinking array = [] - -@description('Optional. Linked Access Check On Target Resource.') -param linkedAccessCheckOnTargetResource bool = false - -@description('Optional. Prevent Data Exfiltration.') -param preventDataExfiltration bool = false - -@allowed([ - 'Enabled' - 'Disabled' -]) -@description('Optional. Enable or Disable public network access to workspace.') -param publicNetworkAccess string = 'Enabled' - -@description('Optional. Purview Resource ID.') -param purviewResourceID string = '' - -@description('Required. Login for administrator access to the workspace\'s SQL pools.') -param sqlAdministratorLogin string - -@description('Optional. Password for administrator access to the workspace\'s SQL pools. If you don\'t provide a password, one will be automatically generated. You can change the password later.') -#disable-next-line secure-secrets-in-params // Not a secret -param sqlAdministratorLoginPassword string = '' - -@description('Optional. Git integration settings.') -param workspaceRepositoryConfiguration object = {} - -@description('Optional. The managed identity definition for this resource.') -param managedIdentities managedIdentitiesType - -@description('Optional. 
The lock settings of the service.') -param lock lockType - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') -param privateEndpoints privateEndpointType - -@description('Optional. The diagnostic settings of the service.') -param diagnosticSettings diagnosticSettingType - -// Variables - -var cmkUserAssignedIdentityAsArray = !empty(customerManagedKey.?userAssignedIdentityResourceId ?? []) ? [ customerManagedKey.?userAssignedIdentityResourceId ] : [] - -var userAssignedIdentitiesUnion = !empty(managedIdentities) ? union(managedIdentities.?userAssignedResourceIds ?? [], cmkUserAssignedIdentityAsArray) : cmkUserAssignedIdentityAsArray - -var formattedUserAssignedIdentities = reduce(map((userAssignedIdentitiesUnion ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } - -var identity = { - type: !empty(userAssignedIdentitiesUnion) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned' - userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? 
formattedUserAssignedIdentities : null -} - -var enableReferencedModulesTelemetry = false - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) { - name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/')) - scope: resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4]) - - resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) { - name: customerManagedKey.?keyName ?? 'dummyKey' - } -} - -resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) { - name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 'dummyMsi', '/')) - scope: resourceGroup(split((customerManagedKey.?userAssignedIdentityResourceId ?? '//'), '/')[2], split((customerManagedKey.?userAssignedIdentityResourceId ?? 
'////'), '/')[4]) -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource workspace 'Microsoft.Synapse/workspaces@2021-06-01' = { - name: name - location: location - identity: identity - tags: tags - properties: { - azureADOnlyAuthentication: azureADOnlyAuthentication ? azureADOnlyAuthentication : null - cspWorkspaceAdminProperties: !empty(initialWorkspaceAdminObjectID) ? { - initialWorkspaceAdminObjectId: initialWorkspaceAdminObjectID - } : null - defaultDataLakeStorage: { - resourceId: defaultDataLakeStorageAccountResourceId - accountUrl: 'https://${last(split(defaultDataLakeStorageAccountResourceId, '/'))!}.dfs.${environment().suffixes.storage}' - filesystem: defaultDataLakeStorageFilesystem - createManagedPrivateEndpoint: managedVirtualNetwork ? defaultDataLakeStorageCreateManagedPrivateEndpoint : null - } - encryption: !empty(customerManagedKey) ? { - cmk: { - kekIdentity: !empty(customerManagedKey.?userAssignedIdentityResourceId) ? { - userAssignedIdentity: cMKUserAssignedIdentity.id - } : { - useSystemAssignedIdentity: empty(customerManagedKey.?userAssignedIdentityResourceId) - } - - identity: !empty(customerManagedKey.?userAssignedIdentityResourceId) ? { - userAssignedIdentity: cMKUserAssignedIdentity.id - } : null - - key: { - keyVaultUrl: cMKKeyVault::cMKKey.properties.keyUri - name: customerManagedKey!.keyName - } - } - } : null - managedResourceGroupName: !empty(managedResourceGroupName) ? managedResourceGroupName : null - managedVirtualNetwork: managedVirtualNetwork ? 'default' : null - managedVirtualNetworkSettings: managedVirtualNetwork ? 
{ - allowedAadTenantIdsForLinking: allowedAadTenantIdsForLinking - linkedAccessCheckOnTargetResource: linkedAccessCheckOnTargetResource - preventDataExfiltration: preventDataExfiltration - } : null - publicNetworkAccess: managedVirtualNetwork ? publicNetworkAccess : null - purviewConfiguration: !empty(purviewResourceID) ? { - purviewResourceId: purviewResourceID - } : null - sqlAdministratorLogin: sqlAdministratorLogin - sqlAdministratorLoginPassword: !empty(sqlAdministratorLoginPassword) ? sqlAdministratorLoginPassword : null - workspaceRepositoryConfiguration: workspaceRepositoryConfiguration - } -} - -// Workspace integration runtimes -module synapse_integrationRuntimes 'integration-runtime/main.bicep' = [for (integrationRuntime, index) in integrationRuntimes: { - name: '${uniqueString(deployment().name, location)}-Synapse-IntegrationRuntime-${index}' - params: { - workspaceName: workspace.name - name: integrationRuntime.name - type: integrationRuntime.type - typeProperties: contains(integrationRuntime, 'typeProperties') ? integrationRuntime.typeProperties : {} - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -// Workspace encryption with customer managed keys -// - Assign Synapse Workspace MSI access to encryption key -module workspace_cmk_rbac 'modules/nested_cmkRbac.bicep' = if (encryptionActivateWorkspace) { - name: '${workspace.name}-cmk-rbac' - params: { - workspaceIndentityPrincipalId: workspace.identity.principalId - keyvaultName: !empty(customerManagedKey.?keyVaultResourceId) ? cMKKeyVault.name : '' - usesRbacAuthorization: !empty(customerManagedKey.?keyVaultResourceId) ? cMKKeyVault.properties.enableRbacAuthorization : true - } - scope: encryptionActivateWorkspace ? resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? 
'////'), '/')[4]) : resourceGroup() -} - -// - Workspace encryption - Activate Workspace -module workspace_key 'key/main.bicep' = if (encryptionActivateWorkspace) { - name: '${workspace.name}-cmk-activation' - params: { - name: customerManagedKey!.keyName - isActiveCMK: true - keyVaultResourceId: cMKKeyVault.id - workspaceName: workspace.name - } - dependsOn: [ - workspace_cmk_rbac - ] -} - -// Resource Lock -resource workspace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' - } - scope: workspace -} - -// RBAC -resource workspace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(workspace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? 
'2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: workspace -}] - -// Endpoints -module workspace_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): { - name: '${uniqueString(deployment().name, location)}-workspace-PrivateEndpoint-${index}' - params: { - groupIds: [ - privateEndpoint.service - ] - name: privateEndpoint.?name ?? 'pep-${last(split(workspace.id, '/'))}-${privateEndpoint.?service ?? privateEndpoint.service}-${index}' - serviceResourceId: workspace.id - subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry - location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: privateEndpoint.?lock ?? lock - privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName - privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds - roleAssignments: privateEndpoint.?roleAssignments - tags: privateEndpoint.?tags ?? tags - manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections - customDnsConfigs: privateEndpoint.?customDnsConfigs - ipConfigurations: privateEndpoint.?ipConfigurations - applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds - customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName - } -}] - -// Diagnostics Settings -resource workspace_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { - name: diagnosticSetting.?name ?? 
'${name}-diagnosticSettings' - properties: { - storageAccountId: diagnosticSetting.?storageAccountResourceId - workspaceId: diagnosticSetting.?workspaceResourceId - eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId - eventHubName: diagnosticSetting.?eventHubName - logs: diagnosticSetting.?logCategoriesAndGroups ?? [ - { - categoryGroup: 'AllLogs' - enabled: true - } - ] - marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId - logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType - } - scope: workspace -}] - -@description('The resource ID of the deployed Synapse Workspace.') -output resourceID string = workspace.id - -@description('The name of the deployed Synapse Workspace.') -output name string = workspace.name - -@description('The resource group of the deployed Synapse Workspace.') -output resourceGroupName string = resourceGroup().name - -@description('The workspace connectivity endpoints.') -output connectivityEndpoints object = workspace.properties.connectivityEndpoints - -@description('The principal ID of the system assigned identity.') -output systemAssignedMIPrincipalId string = contains(workspace.identity, 'principalId') ? workspace.identity.principalId : '' - -@description('The location the resource was deployed into.') -output location string = workspace.location - -// =============== // -// Definitions // -// =============== // - -type managedIdentitiesType = { - @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourceIds: string[] -}? - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? - -type privateEndpointType = { - @description('Optional. The name of the private endpoint.') - name: string? - - @description('Optional. The location to deploy the private endpoint to.') - location: string? - - @description('Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".') - service: string - - @description('Required. Resource ID of the subnet where the endpoint needs to be created.') - subnetResourceId: string - - @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.') - privateDnsZoneGroupName: string? - - @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.') - privateDnsZoneResourceIds: string[]? - - @description('Optional. 
Custom DNS configurations.') - customDnsConfigs: { - @description('Required. Fqdn that resolves to private endpoint ip address.') - fqdn: string? - - @description('Required. A list of private ip addresses of the private endpoint.') - ipAddresses: string[] - }[]? - - @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') - ipConfigurations: { - @description('Required. The name of the resource that is unique within a resource group.') - name: string - - @description('Required. Properties of private endpoint IP configurations.') - properties: { - @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') - groupId: string - - @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') - memberName: string - - @description('Required. A private ip address obtained from the private endpoint\'s subnet.') - privateIPAddress: string - } - }[]? - - @description('Optional. Application security groups in which the private endpoint IP configuration is included.') - applicationSecurityGroupResourceIds: string[]? - - @description('Optional. The custom name of the network interface attached to the private endpoint.') - customNetworkInterfaceName: string? - - @description('Optional. Specify the type of lock.') - lock: lockType - - @description('Optional. Array of role assignments to create.') - roleAssignments: roleAssignmentType - - @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') - tags: object? - - @description('Optional. Manual PrivateLink Service Connections.') - manualPrivateLinkServiceConnections: array? - - @description('Optional. Enable/Disable usage telemetry for module.') - enableTelemetry: bool? -}[]? - -type diagnosticSettingType = { - @description('Optional. 
The name of diagnostic setting.') - name: string? - - @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') - logCategoriesAndGroups: { - @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') - category: string? - - @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') - categoryGroup: string? - }[]? - - @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? - - @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - workspaceResourceId: string? - - @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - storageAccountResourceId: string? - - @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') - eventHubAuthorizationRuleResourceId: string? - - @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - eventHubName: string? - - @description('Optional. 
The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') - marketplacePartnerResourceId: string? -}[]? - -type customerManagedKeyType = { - @description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.') - keyVaultResourceId: string - - @description('Required. The name of the customer managed key to use for encryption.') - keyName: string - - @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.') - keyVersion: string? - - @description('Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use.') - userAssignedIdentityResourceId: string? -}? diff --git a/modules/synapse/workspace/main.json b/modules/synapse/workspace/main.json deleted file mode 100644 index 992c7ee7a8..0000000000 --- a/modules/synapse/workspace/main.json +++ /dev/null 
@@ -1,1761 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11432454877578684886" - }, - "name": "Synapse Workspaces", - "description": "This module deploys a Synapse Workspace.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. 
The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "metadata": { - "description": "Required. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." 
- } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." 
- } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - }, - "customerManagedKeyType": { - "type": "object", - "properties": { - "keyVaultResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." - } - }, - "keyName": { - "type": "string", - "metadata": { - "description": "Required. The name of the customer managed key to use for encryption." - } - }, - "keyVersion": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." - } - }, - "userAssignedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use." - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 50, - "metadata": { - "description": "Required. The name of the Synapse Workspace." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. The geo-location where the resource lives." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "azureADOnlyAuthentication": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enable or Disable AzureADOnlyAuthentication on All Workspace sub-resource." 
- } - }, - "initialWorkspaceAdminObjectID": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. AAD object ID of initial workspace admin." - } - }, - "defaultDataLakeStorageAccountResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the default ADLS Gen2 storage account." - } - }, - "defaultDataLakeStorageFilesystem": { - "type": "string", - "metadata": { - "description": "Required. The default ADLS Gen2 file system." - } - }, - "defaultDataLakeStorageCreateManagedPrivateEndpoint": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Create managed private endpoint to the default storage account or not. If Yes is selected, a managed private endpoint connection request is sent to the workspace's primary Data Lake Storage Gen2 account for Spark pools to access data. This must be approved by an owner of the storage account." - } - }, - "customerManagedKey": { - "$ref": "#/definitions/customerManagedKeyType", - "metadata": { - "description": "Optional. The customer managed key definition." - } - }, - "encryptionActivateWorkspace": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Activate workspace by adding the system managed identity in the KeyVault containing the customer managed key and activating the workspace." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "managedResourceGroupName": { - "type": "string", - "defaultValue": "", - "maxLength": 90, - "metadata": { - "description": "Optional. Workspace managed resource group. The resource group name uniquely identifies the resource group within the user subscriptionId. 
The resource group name must be no longer than 90 characters long, and must be alphanumeric characters (Char.IsLetterOrDigit()) and '-', '_', '(', ')' and'.'. Note that the name cannot end with '.'." - } - }, - "managedVirtualNetwork": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enable this to ensure that connection from your workspace to your data sources use Azure Private Links. You can create managed private endpoints to your data sources." - } - }, - "integrationRuntimes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The Integration Runtimes to create." - } - }, - "allowedAadTenantIdsForLinking": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Allowed AAD Tenant IDs For Linking." - } - }, - "linkedAccessCheckOnTargetResource": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Linked Access Check On Target Resource." - } - }, - "preventDataExfiltration": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Prevent Data Exfiltration." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Enable or Disable public network access to workspace." - } - }, - "purviewResourceID": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Purview Resource ID." - } - }, - "sqlAdministratorLogin": { - "type": "string", - "metadata": { - "description": "Required. Login for administrator access to the workspace's SQL pools." - } - }, - "sqlAdministratorLoginPassword": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Password for administrator access to the workspace's SQL pools. If you don't provide a password, one will be automatically generated. You can change the password later." 
- } - }, - "workspaceRepositoryConfiguration": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Git integration settings." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." 
- } - } - }, - "variables": { - "cmkUserAssignedIdentityAsArray": "[if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), createArray()))), createArray(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')), createArray())]", - "userAssignedIdentitiesUnion": "[if(not(empty(parameters('managedIdentities'))), union(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), variables('cmkUserAssignedIdentityAsArray')), variables('cmkUserAssignedIdentityAsArray'))]", - "formattedUserAssignedIdentities": "[reduce(map(coalesce(variables('userAssignedIdentitiesUnion'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": { - "type": "[if(not(empty(variables('userAssignedIdentitiesUnion'))), 'SystemAssigned,UserAssigned', 'SystemAssigned')]", - "userAssignedIdentities": "[if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())]" - }, - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "cMKKeyVault::cMKKey": { - "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults/keys", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", - "dependsOn": [ - "cMKKeyVault" - ] - }, - "cMKKeyVault": { - "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" - }, - "cMKUserAssignedIdentity": { - "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')))]", - "existing": true, - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2023-01-31", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2]]", - "resourceGroup": 
"[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "workspace": { - "type": "Microsoft.Synapse/workspaces", - "apiVersion": "2021-06-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "identity": "[variables('identity')]", - "tags": "[parameters('tags')]", - "properties": { - "azureADOnlyAuthentication": "[if(parameters('azureADOnlyAuthentication'), parameters('azureADOnlyAuthentication'), null())]", - "cspWorkspaceAdminProperties": "[if(not(empty(parameters('initialWorkspaceAdminObjectID'))), createObject('initialWorkspaceAdminObjectId', parameters('initialWorkspaceAdminObjectID')), null())]", - "defaultDataLakeStorage": { - "resourceId": "[parameters('defaultDataLakeStorageAccountResourceId')]", - "accountUrl": "[format('https://{0}.dfs.{1}', last(split(parameters('defaultDataLakeStorageAccountResourceId'), '/')), environment().suffixes.storage)]", - "filesystem": "[parameters('defaultDataLakeStorageFilesystem')]", - "createManagedPrivateEndpoint": "[if(parameters('managedVirtualNetwork'), parameters('defaultDataLakeStorageCreateManagedPrivateEndpoint'), null())]" - }, - "encryption": "[if(not(empty(parameters('customerManagedKey'))), createObject('cmk', createObject('kekIdentity', if(not(empty(tryGet(parameters('customerManagedKey'), 
'userAssignedIdentityResourceId'))), createObject('userAssignedIdentity', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/')))), createObject('useSystemAssignedIdentity', empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')))), 'identity', if(not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'))), createObject('userAssignedIdentity', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/')))), null()), 'key', createObject('keyVaultUrl', reference('cMKKeyVault::cMKKey').keyUri, 'name', parameters('customerManagedKey').keyName))), null())]", - "managedResourceGroupName": "[if(not(empty(parameters('managedResourceGroupName'))), parameters('managedResourceGroupName'), null())]", - "managedVirtualNetwork": "[if(parameters('managedVirtualNetwork'), 'default', null())]", - "managedVirtualNetworkSettings": "[if(parameters('managedVirtualNetwork'), createObject('allowedAadTenantIdsForLinking', parameters('allowedAadTenantIdsForLinking'), 'linkedAccessCheckOnTargetResource', parameters('linkedAccessCheckOnTargetResource'), 'preventDataExfiltration', parameters('preventDataExfiltration')), null())]", - "publicNetworkAccess": 
"[if(parameters('managedVirtualNetwork'), parameters('publicNetworkAccess'), null())]", - "purviewConfiguration": "[if(not(empty(parameters('purviewResourceID'))), createObject('purviewResourceId', parameters('purviewResourceID')), null())]", - "sqlAdministratorLogin": "[parameters('sqlAdministratorLogin')]", - "sqlAdministratorLoginPassword": "[if(not(empty(parameters('sqlAdministratorLoginPassword'))), parameters('sqlAdministratorLoginPassword'), null())]", - "workspaceRepositoryConfiguration": "[parameters('workspaceRepositoryConfiguration')]" - }, - "dependsOn": [ - "cMKKeyVault", - "cMKUserAssignedIdentity" - ] - }, - "workspace_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Synapse/workspaces/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "workspace" - ] - }, - "workspace_roleAssignments": { - "copy": { - "name": "workspace_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Synapse/workspaces/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Synapse/workspaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": 
"[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "workspace" - ] - }, - "workspace_diagnosticSettings": { - "copy": { - "name": "workspace_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Synapse/workspaces/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), 
createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "workspace" - ] - }, - "synapse_integrationRuntimes": { - "copy": { - "name": "synapse_integrationRuntimes", - "count": "[length(parameters('integrationRuntimes'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Synapse-IntegrationRuntime-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "workspaceName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('integrationRuntimes')[copyIndex()].name]" - }, - "type": { - "value": "[parameters('integrationRuntimes')[copyIndex()].type]" - }, - "typeProperties": "[if(contains(parameters('integrationRuntimes')[copyIndex()], 'typeProperties'), 
createObject('value', parameters('integrationRuntimes')[copyIndex()].typeProperties), createObject('value', createObject()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15433128731134325120" - }, - "name": "Synapse Workspace Integration Runtimes", - "description": "This module deploys a Synapse Workspace Integration Runtime.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "workspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Synapse Workspace. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Integration Runtime." - } - }, - "type": { - "type": "string", - "allowedValues": [ - "Managed", - "SelfHosted" - ], - "metadata": { - "description": "Required. The type of Integration Runtime." - } - }, - "typeProperties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Conditional. Integration Runtime type properties. Required if type is \"Managed\"." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Synapse/workspaces/integrationRuntimes", - "apiVersion": "2021-06-01", - "name": "[format('{0}/{1}', parameters('workspaceName'), parameters('name'))]", - "properties": "[if(equals(parameters('type'), 'Managed'), createObject('type', parameters('type'), 'managedVirtualNetwork', createObject('referenceName', 'default', 'type', 'ManagedVirtualNetworkReference'), 'typeProperties', parameters('typeProperties')), createObject('type', parameters('type')))]" - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the Resource Group the Integration Runtime was created in." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the Integration Runtime." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Integration Runtime." 
- }, - "value": "[resourceId('Microsoft.Synapse/workspaces/integrationRuntimes', parameters('workspaceName'), parameters('name'))]" - } - } - } - }, - "dependsOn": [ - "workspace" - ] - }, - "workspace_cmk_rbac": { - "condition": "[parameters('encryptionActivateWorkspace')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-cmk-rbac', parameters('name'))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "workspaceIndentityPrincipalId": { - "value": "[reference('workspace', '2021-06-01', 'full').identity.principalId]" - }, - "keyvaultName": "[if(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), createObject('value', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))), createObject('value', ''))]", - "usesRbacAuthorization": "[if(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), createObject('value', reference('cMKKeyVault').enableRbacAuthorization), createObject('value', true()))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "1182711601328740781" - } - }, - "parameters": { - "keyvaultName": { - "type": "string" - }, - "workspaceIndentityPrincipalId": { - "type": "string" - }, - "usesRbacAuthorization": { - "type": "bool", - "defaultValue": false - } - }, - "resources": [ - { - "condition": "[parameters('usesRbacAuthorization')]", - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.KeyVault/vaults/{0}', parameters('keyvaultName'))]", - "name": "[guid(format('{0}-{1}-Key-Vault-Crypto-User', resourceId('Microsoft.KeyVault/vaults', parameters('keyvaultName')), 
parameters('workspaceIndentityPrincipalId')))]", - "properties": { - "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')]", - "principalId": "[parameters('workspaceIndentityPrincipalId')]", - "principalType": "ServicePrincipal" - } - }, - { - "condition": "[not(parameters('usesRbacAuthorization'))]", - "type": "Microsoft.KeyVault/vaults/accessPolicies", - "apiVersion": "2022-07-01", - "name": "[format('{0}/{1}', parameters('keyvaultName'), 'add')]", - "properties": { - "accessPolicies": [ - { - "permissions": { - "keys": [ - "wrapKey", - "unwrapKey", - "get" - ] - }, - "objectId": "[parameters('workspaceIndentityPrincipalId')]", - "tenantId": "[tenant().tenantId]" - } - ] - } - } - ] - } - }, - "dependsOn": [ - "cMKKeyVault", - "workspace" - ] - }, - "workspace_key": { - "condition": "[parameters('encryptionActivateWorkspace')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-cmk-activation', parameters('name'))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('customerManagedKey').keyName]" - }, - "isActiveCMK": { - "value": true - }, - "keyVaultResourceId": { - "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]), 'Microsoft.KeyVault/vaults', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')))]" - }, - "workspaceName": { - "value": "[parameters('name')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - 
"version": "0.23.1.45101", - "templateHash": "17878422697036938783" - }, - "name": "Synapse Workspaces Keys", - "description": "This module deploys a Synapse Workspaces Key.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Encryption key name." - } - }, - "workspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Synapse Workspace. Required if the template is used in a standalone deployment." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. The geo-location where the resource lives." - } - }, - "isActiveCMK": { - "type": "bool", - "metadata": { - "description": "Required. Used to activate the workspace after a customer managed key is provided." - } - }, - "keyVaultResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "type": "Microsoft.Synapse/workspaces/keys", - "apiVersion": "2021-06-01", - "name": "[format('{0}/{1}', parameters('workspaceName'), parameters('name'))]", - "properties": { - "isActiveCMK": "[parameters('isActiveCMK')]", - "keyVaultUrl": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('keyVaultResourceId'), '/')[2], split(parameters('keyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', last(split(parameters('keyVaultResourceId'), '/')), parameters('name')), '2023-02-01').keyUri]" - } - }, - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed key." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed key." - }, - "value": "[resourceId('Microsoft.Synapse/workspaces/keys', parameters('workspaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed key." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "cMKKeyVault", - "workspace", - "workspace_cmk_rbac" - ] - }, - "workspace_privateEndpoints": { - "copy": { - "name": "workspace_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-workspace-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Synapse/workspaces', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.Synapse/workspaces', parameters('name'))]" - }, - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), 
createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", 
- "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." 
- } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." 
- } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private 
DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - 
"groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": 
"Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": 
"string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "workspace" - ] - } - }, - "outputs": { - "resourceID": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed Synapse Workspace." - }, - "value": "[resourceId('Microsoft.Synapse/workspaces', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed Synapse Workspace." 
- }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed Synapse Workspace." - }, - "value": "[resourceGroup().name]" - }, - "connectivityEndpoints": { - "type": "object", - "metadata": { - "description": "The workspace connectivity endpoints." - }, - "value": "[reference('workspace').connectivityEndpoints]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(contains(reference('workspace', '2021-06-01', 'full').identity, 'principalId'), reference('workspace', '2021-06-01', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('workspace', '2021-06-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/synapse/workspace/modules/nested_cmkRbac.bicep b/modules/synapse/workspace/modules/nested_cmkRbac.bicep deleted file mode 100644 index 1c14980eb9..0000000000 --- a/modules/synapse/workspace/modules/nested_cmkRbac.bicep +++ /dev/null 
@@ -1,40 +0,0 @@
-param keyvaultName string
-param workspaceIndentityPrincipalId string
-param usesRbacAuthorization bool = false
-
-// Workspace encryption - Assign Workspace System Identity Keyvault Crypto Reader at Encryption Keyvault
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
- name: keyvaultName
-}
-
-// Assign RBAC role Key Vault Crypto User
-resource workspace_cmk_rbac 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (usesRbacAuthorization) {
- name: guid('${keyVault.id}-${workspaceIndentityPrincipalId}-Key-Vault-Crypto-User')
- properties: {
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')
- principalId: workspaceIndentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- scope: keyVault
-}
-
-// Assign Acess Policy for Keys
-resource workspace_cmk_accessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2022-07-01' = if (!usesRbacAuthorization) {
- name: 'add'
- parent: keyVault
- properties: {
- accessPolicies: [
- {
- permissions: {
- keys: [
- 'wrapKey'
- 'unwrapKey'
- 'get'
- ]
- }
- objectId: workspaceIndentityPrincipalId
- tenantId: tenant().tenantId
- }
- ]
- }
-}
diff --git a/modules/synapse/workspace/tests/e2e/defaults/dependencies.bicep b/modules/synapse/workspace/tests/e2e/defaults/dependencies.bicep
deleted file mode 100644
index b057b0b981..0000000000
--- a/modules/synapse/workspace/tests/e2e/defaults/dependencies.bicep
+++ /dev/null
@@ -1,31 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
- properties: {
- isHnsEnabled: true
- }
-
- resource blobService 'blobServices@2022-09-01' = {
- name: 'default'
-
- resource container 'containers@2022-09-01' = {
- name: 'synapsews'
- }
- }
-}
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
-
-@description('The name of the created container.')
-output storageContainerName string = storageAccount::blobService::container.name
diff --git a/modules/synapse/workspace/tests/e2e/defaults/main.test.bicep b/modules/synapse/workspace/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index f6084c8e78..0000000000
--- a/modules/synapse/workspace/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,60 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-synapse.workspaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'swmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}sa${serviceShort}01'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- name: '${namePrefix}${serviceShort}001'
- defaultDataLakeStorageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
- defaultDataLakeStorageFilesystem: nestedDependencies.outputs.storageContainerName
- sqlAdministratorLogin: 'synwsadmin'
- enableDefaultTelemetry: enableDefaultTelemetry
- }
-}]
diff --git a/modules/synapse/workspace/tests/e2e/encrwsai/dependencies.bicep b/modules/synapse/workspace/tests/e2e/encrwsai/dependencies.bicep
deleted file mode 100644
index ef593e0e43..0000000000
--- a/modules/synapse/workspace/tests/e2e/encrwsai/dependencies.bicep
+++ /dev/null
@@ -1,66 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: true
- softDeleteRetentionInDays: 7
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-
- resource key 'keys@2022-07-01' = {
- name: 'keyEncryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
- properties: {
- isHnsEnabled: true
- }
-
- resource blobService 'blobServices@2022-09-01' = {
- name: 'default'
-
- resource container 'containers@2022-09-01' = {
- name: 'synapsews'
- }
- }
-}
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
-
-@description('The name of the Key Vault Encryption Key.')
-output keyVaultEncryptionKeyName string = keyVault::key.name
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
-
-@description('The name of the created container.')
-output storageContainerName string = storageAccount::blobService::container.name
diff --git a/modules/synapse/workspace/tests/e2e/encrwsai/main.test.bicep b/modules/synapse/workspace/tests/e2e/encrwsai/main.test.bicep
deleted file mode 100644
index bc21173e2f..0000000000
--- a/modules/synapse/workspace/tests/e2e/encrwsai/main.test.bicep
+++ /dev/null
@@ -1,67 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-synapse.workspaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'swensa'
-
-@description('Generated. Used as a basis for unique resource names.')
-param baseTime string = utcNow('u')
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}'
- storageAccountName: 'dep${namePrefix}sa${serviceShort}01'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- name: '${namePrefix}${serviceShort}001'
- defaultDataLakeStorageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
- defaultDataLakeStorageFilesystem: nestedDependencies.outputs.storageContainerName
- sqlAdministratorLogin: 'synwsadmin'
- customerManagedKey: {
- keyName: nestedDependencies.outputs.keyVaultEncryptionKeyName
- keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- }
- encryptionActivateWorkspace: true
- enableDefaultTelemetry: enableDefaultTelemetry
- }
-}]
diff --git a/modules/synapse/workspace/tests/e2e/encrwuai/dependencies.bicep b/modules/synapse/workspace/tests/e2e/encrwuai/dependencies.bicep
deleted file mode 100644
index 6faa37afac..0000000000
--- a/modules/synapse/workspace/tests/e2e/encrwuai/dependencies.bicep
+++ /dev/null
@@ -1,87 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: true
- softDeleteRetentionInDays: 7
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-
- resource key 'keys@2022-07-01' = {
- name: 'keyEncryptionKey'
- properties: {
- kty: 'RSA'
- }
- }
-}
-
-resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment')
- scope: keyVault::key
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User
- principalType: 'ServicePrincipal'
- }
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
- properties: {
- isHnsEnabled: true
- }
-
- resource blobService 'blobServices@2022-09-01' = {
- name: 'default'
-
- resource container 'containers@2022-09-01' = {
- name: 'synapsews'
- }
- }
-}
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Key Vault.')
-output keyVaultResourceId string = keyVault.id
-
-@description('The name of the Key Vault Encryption Key.')
-output keyVaultEncryptionKeyName string = keyVault::key.name
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
-
-@description('The name of the created container.')
-output storageContainerName string = storageAccount::blobService::container.name
diff --git a/modules/synapse/workspace/tests/e2e/encrwuai/main.test.bicep b/modules/synapse/workspace/tests/e2e/encrwuai/main.test.bicep
deleted file mode 100644
index bad49f51aa..0000000000
--- a/modules/synapse/workspace/tests/e2e/encrwuai/main.test.bicep
+++ /dev/null
@@ -1,73 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-synapse.workspaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'swenua'
-
-@description('Generated. Used as a basis for unique resource names.')
-param baseTime string = utcNow('u')
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- storageAccountName: 'dep${namePrefix}sa${serviceShort}01'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- name: '${namePrefix}${serviceShort}001'
- defaultDataLakeStorageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
- defaultDataLakeStorageFilesystem: nestedDependencies.outputs.storageContainerName
- sqlAdministratorLogin: 'synwsadmin'
- customerManagedKey: {
- keyName: nestedDependencies.outputs.keyVaultEncryptionKeyName
- keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- userAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- enableDefaultTelemetry: enableDefaultTelemetry
- }
-}]
diff --git a/modules/synapse/workspace/tests/e2e/managedvnet/dependencies.bicep b/modules/synapse/workspace/tests/e2e/managedvnet/dependencies.bicep
deleted file mode 100644
index b057b0b981..0000000000
--- a/modules/synapse/workspace/tests/e2e/managedvnet/dependencies.bicep
+++ /dev/null
@@ -1,31 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
- properties: {
- isHnsEnabled: true
- }
-
- resource blobService 'blobServices@2022-09-01' = {
- name: 'default'
-
- resource container 'containers@2022-09-01' = {
- name: 'synapsews'
- }
- }
-}
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
-
-@description('The name of the created container.')
-output storageContainerName string = storageAccount::blobService::container.name
diff --git a/modules/synapse/workspace/tests/e2e/managedvnet/main.test.bicep b/modules/synapse/workspace/tests/e2e/managedvnet/main.test.bicep
deleted file mode 100644
index 7d4f2b072c..0000000000
--- a/modules/synapse/workspace/tests/e2e/managedvnet/main.test.bicep
+++ /dev/null
@@ -1,67 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-synapse.workspaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'swmanv'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}sa${serviceShort}01'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- name: '${namePrefix}${serviceShort}001'
- defaultDataLakeStorageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
- defaultDataLakeStorageFilesystem: nestedDependencies.outputs.storageContainerName
- sqlAdministratorLogin: 'synwsadmin'
- managedVirtualNetwork: true
- preventDataExfiltration: true
- allowedAadTenantIdsForLinking: [
- tenant().tenantId
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- enableDefaultTelemetry: enableDefaultTelemetry
- }
-}]
diff --git a/modules/synapse/workspace/tests/e2e/max/dependencies.bicep b/modules/synapse/workspace/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 52da267176..0000000000
--- a/modules/synapse/workspace/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,92 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.sql.azuresynapse.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetworkName}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
- properties: {
- isHnsEnabled: true
- }
-
- resource blobService 'blobServices@2022-09-01' = {
- name: 'default'
-
- resource container 'containers@2022-09-01' = {
- name: 'synapsews'
- }
- }
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
-
-@description('The name of the created container.')
-output storageContainerName string = storageAccount::blobService::container.name
diff --git a/modules/synapse/workspace/tests/e2e/max/main.test.bicep b/modules/synapse/workspace/tests/e2e/max/main.test.bicep
deleted file mode 100644
index b94327be00..0000000000
--- a/modules/synapse/workspace/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,137 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-synapse.workspaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'swmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- storageAccountName: 'dep${namePrefix}sa${serviceShort}01'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- location: location
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- name: '${namePrefix}${serviceShort}001'
- defaultDataLakeStorageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
- defaultDataLakeStorageFilesystem: nestedDependencies.outputs.storageContainerName
- sqlAdministratorLogin: 'synwsadmin'
- initialWorkspaceAdminObjectID: nestedDependencies.outputs.managedIdentityPrincipalId
- managedIdentities: {
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- privateEndpoints: [
- {
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- service: 'SQL'
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- managedVirtualNetwork: true
- integrationRuntimes: [
- {
- type: 'SelfHosted'
- name: 'shir01'
- }
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- logCategoriesAndGroups: [
- {
- category: 'SynapseRbacOperations'
- }
- {
- category: 'SynapseLinkEvent'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- enableDefaultTelemetry: enableDefaultTelemetry
- }
-}]
diff --git a/modules/synapse/workspace/tests/e2e/waf-aligned/dependencies.bicep b/modules/synapse/workspace/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 52da267176..0000000000
--- a/modules/synapse/workspace/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,92 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.sql.azuresynapse.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetworkName}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
- properties: {
- isHnsEnabled: true
- }
-
- resource blobService 'blobServices@2022-09-01' = {
- name: 'default'
-
- resource container 'containers@2022-09-01' = {
- name: 'synapsews'
- }
- }
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
-
-@description('The name of the created container.')
-output storageContainerName string = storageAccount::blobService::container.name
diff --git a/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index ddc6aaef1c..0000000000
--- a/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,120 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-synapse.workspaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'swwaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- storageAccountName: 'dep${namePrefix}sa${serviceShort}01'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- location: location
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- name: '${namePrefix}${serviceShort}001'
- defaultDataLakeStorageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
- defaultDataLakeStorageFilesystem: nestedDependencies.outputs.storageContainerName
- sqlAdministratorLogin: 'synwsadmin'
- initialWorkspaceAdminObjectID: nestedDependencies.outputs.managedIdentityPrincipalId
- managedIdentities: {
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- privateEndpoints: [
- {
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- service: 'SQL'
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- managedVirtualNetwork: true
- integrationRuntimes: [
- {
- type: 'SelfHosted'
- name: 'shir01'
- }
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- logCategoriesAndGroups: [
- {
- category: 'SynapseRbacOperations'
- }
- {
- category: 'SynapseLinkEvent'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- enableDefaultTelemetry: enableDefaultTelemetry
- }
-}]
diff --git a/modules/synapse/workspace/version.json b/modules/synapse/workspace/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/synapse/workspace/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/virtual-machine-images/image-template/MOVED-TO-AVM.md b/modules/virtual-machine-images/image-template/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/virtual-machine-images/image-template/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/virtual-machine-images/image-template/README.md b/modules/virtual-machine-images/image-template/README.md
index 5af46f5fc6..bae840b6b1 100644
--- a/modules/virtual-machine-images/image-template/README.md
+++ b/modules/virtual-machine-images/image-template/README.md
@@ -1,932 +1,7 @@
-# Virtual Machine Image Templates `[Microsoft.VirtualMachineImages/imageTemplates]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/virtual-machine-images/image-template](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/virtual-machine-images/image-template).** -This module deploys a Virtual Machine Image Template that can be consumed by Azure Image Builder (AIB). +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/virtual-machine-images/image-template). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.VirtualMachineImages/imageTemplates` | [2022-02-14](https://learn.microsoft.com/en-us/azure/templates/Microsoft.VirtualMachineImages/2022-02-14/imageTemplates) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. 
- ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/virtual-machine-images.image-template:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-vmiitmin' - params: { - // Required parameters - customizationSteps: [ - { - restartTimeout: '30m' - type: 'WindowsRestart' - } - ] - imageSource: { - offer: 'Windows-10' - publisher: 'MicrosoftWindowsDesktop' - sku: 'win10-22h2-ent' - type: 'PlatformImage' - version: 'latest' - } - name: 'vmiitmin001' - userMsiName: '' - // Non-required parameters - enableDefaultTelemetry: '' - managedImageName: 'mi-vmiitmin-001' - userMsiResourceGroup: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "customizationSteps": { - "value": [ - { - "restartTimeout": "30m", - "type": "WindowsRestart" - } - ] - }, - "imageSource": { - "value": { - "offer": "Windows-10", - "publisher": "MicrosoftWindowsDesktop", - "sku": "win10-22h2-ent", - "type": "PlatformImage", - "version": "latest" - } - }, - "name": { - "value": "vmiitmin001" - }, - "userMsiName": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "managedImageName": { - "value": "mi-vmiitmin-001" - }, - "userMsiResourceGroup": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-vmiitmax' - params: { - // Required parameters - customizationSteps: [ - { - restartTimeout: '10m' - type: 'WindowsRestart' - } - ] - imageSource: { - offer: 'Windows-11' - publisher: 'MicrosoftWindowsDesktop' - sku: 'win11-22h2-avd' - type: 'PlatformImage' - version: 'latest' - } - name: 'vmiitmax001' - userMsiName: '' - // Non-required parameters - buildTimeoutInMinutes: 60 - enableDefaultTelemetry: '' - imageReplicationRegions: [] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedImageName: 'mi-vmiitmax-001' - osDiskSizeGB: 127 - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - sigImageDefinitionId: '' - sigImageVersion: '' - stagingResourceGroup: '' - subnetId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - unManagedImageName: 'umi-vmiitmax-001' - userAssignedIdentities: [ - '' - ] - userMsiResourceGroup: '' - vmSize: 'Standard_D2s_v3' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "customizationSteps": { - "value": [ - { - "restartTimeout": "10m", - "type": "WindowsRestart" - } - ] - }, - "imageSource": { - "value": { - "offer": "Windows-11", - "publisher": "MicrosoftWindowsDesktop", - "sku": "win11-22h2-avd", - "type": "PlatformImage", - "version": "latest" - } - }, - "name": { - "value": "vmiitmax001" - }, - "userMsiName": { - "value": "" - }, - // Non-required parameters - "buildTimeoutInMinutes": { - "value": 60 - }, - "enableDefaultTelemetry": { - "value": "" - }, - "imageReplicationRegions": { - "value": [] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedImageName": { - "value": "mi-vmiitmax-001" - }, - "osDiskSizeGB": { - "value": 127 - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "sigImageDefinitionId": { - "value": "" - }, - "sigImageVersion": { - "value": "" - }, - "stagingResourceGroup": { - "value": "" - }, - "subnetId": { - "value": "" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "unManagedImageName": { - "value": "umi-vmiitmax-001" - }, - "userAssignedIdentities": { - "value": [ - "" - ] - }, - "userMsiResourceGroup": { - "value": "" - }, - "vmSize": { - "value": "Standard_D2s_v3" - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-vmiitwaf' - params: { - // Required parameters - customizationSteps: [ - { - restartTimeout: '10m' - type: 'WindowsRestart' - } - ] - imageSource: { - offer: 'Windows-11' - publisher: 'MicrosoftWindowsDesktop' - sku: 'win11-22h2-avd' - type: 'PlatformImage' - version: 'latest' - } - name: 'vmiitwaf001' - userMsiName: '' - // Non-required parameters - buildTimeoutInMinutes: 60 - enableDefaultTelemetry: '' - imageReplicationRegions: [] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedImageName: 'mi-vmiitwaf-001' - osDiskSizeGB: 127 - sigImageDefinitionId: '' - sigImageVersion: '' - stagingResourceGroup: '' - subnetId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - unManagedImageName: 'umi-vmiitwaf-001' - userAssignedIdentities: [ - '' - ] - userMsiResourceGroup: '' - vmSize: 'Standard_D2s_v3' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "customizationSteps": { - "value": [ - { - "restartTimeout": "10m", - "type": "WindowsRestart" - } - ] - }, - "imageSource": { - "value": { - "offer": "Windows-11", - "publisher": "MicrosoftWindowsDesktop", - "sku": "win11-22h2-avd", - "type": "PlatformImage", - "version": "latest" - } - }, - "name": { - "value": "vmiitwaf001" - }, - "userMsiName": { - "value": "" - }, - // Non-required parameters - "buildTimeoutInMinutes": { - "value": 60 - }, - "enableDefaultTelemetry": { - "value": "" - }, - "imageReplicationRegions": { - "value": [] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedImageName": { - "value": "mi-vmiitwaf-001" - }, - "osDiskSizeGB": { - "value": 127 - }, - "sigImageDefinitionId": { - "value": "" - }, - "sigImageVersion": { - "value": "" - }, - "stagingResourceGroup": { - "value": "" - }, - "subnetId": { - "value": "" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "unManagedImageName": { - "value": "umi-vmiitwaf-001" - }, - "userAssignedIdentities": { - "value": [ - "" - ] - }, - "userMsiResourceGroup": { - "value": "" - }, - "vmSize": { - "value": "Standard_D2s_v3" - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`customizationSteps`](#parameter-customizationsteps) | array | Customization steps to be run when building the VM image. | -| [`imageSource`](#parameter-imagesource) | object | Image source definition in object format. | -| [`name`](#parameter-name) | string | Name prefix of the Image Template to be built by the Azure Image Builder service. | -| [`userMsiName`](#parameter-usermsiname) | string | Name of the User Assigned Identity to be used to deploy Image Templates in Azure Image Builder. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`buildTimeoutInMinutes`](#parameter-buildtimeoutinminutes) | int | Image build timeout in minutes. Allowed values: 0-960. 0 means the default 240 minutes. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`excludeFromLatest`](#parameter-excludefromlatest) | bool | Exclude the created Azure Compute Gallery image version from the latest. | -| [`imageReplicationRegions`](#parameter-imagereplicationregions) | array | List of the regions the image produced by this solution should be stored in the Shared Image Gallery. When left empty, the deployment's location will be taken as a default value. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedImageName`](#parameter-managedimagename) | string | Name of the managed image that will be created in the AIB resourcegroup. | -| [`osDiskSizeGB`](#parameter-osdisksizegb) | int | Specifies the size of OS disk. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. 
| -| [`sigImageDefinitionId`](#parameter-sigimagedefinitionid) | string | Resource ID of Shared Image Gallery to distribute image to, e.g.: /subscriptions//resourceGroups//providers/Microsoft.Compute/galleries//images/. | -| [`sigImageVersion`](#parameter-sigimageversion) | string | Version of the Shared Image Gallery Image. Supports the following Version Syntax: Major.Minor.Build (i.e., '1.1.1' or '10.1.2'). | -| [`stagingResourceGroup`](#parameter-stagingresourcegroup) | string | Resource ID of the staging resource group in the same subscription and location as the image template that will be used to build the image.

If this field is empty, a resource group with a random name will be created.

If the resource group specified in this field doesn't exist, it will be created with the same name.

If the resource group specified exists, it must be empty and in the same region as the image template.

The resource group created will be deleted during template deletion if this field is empty or the resource group specified doesn't exist,

but if the resource group specified exists the resources created in the resource group will be deleted during template deletion and the resource group itself will remain. | -| [`storageAccountType`](#parameter-storageaccounttype) | string | Storage account type to be used to store the image in the Azure Compute Gallery. | -| [`subnetId`](#parameter-subnetid) | string | Resource ID of an already existing subnet, e.g.: /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/.

If no value is provided, a new temporary VNET and subnet will be created in the staging resource group and will be deleted along with the remaining temporary resources. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`unManagedImageName`](#parameter-unmanagedimagename) | string | Name of the unmanaged image that will be created in the AIB resourcegroup. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | array | List of User-Assigned Identities associated to the Build VM for accessing Azure resources such as Key Vaults from your customizer scripts.

Be aware, the user assigned identity specified in the 'userMsiName' parameter must have the 'Managed Identity Operator' role assignment on all the user assigned identities specified in this parameter for Azure Image Builder to be able to associate them to the build VM. | -| [`userMsiResourceGroup`](#parameter-usermsiresourcegroup) | string | Resource group of the user assigned identity. | -| [`vmSize`](#parameter-vmsize) | string | Specifies the size for the VM. | - -**Generated parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`baseTime`](#parameter-basetime) | string | Do not provide a value! This date value is used to generate a unique image template name. | - -### Parameter: `customizationSteps` - -Customization steps to be run when building the VM image. - -- Required: Yes -- Type: array - -### Parameter: `imageSource` - -Image source definition in object format. - -- Required: Yes -- Type: object - -### Parameter: `name` - -Name prefix of the Image Template to be built by the Azure Image Builder service. - -- Required: Yes -- Type: string - -### Parameter: `userMsiName` - -Name of the User Assigned Identity to be used to deploy Image Templates in Azure Image Builder. - -- Required: Yes -- Type: string - -### Parameter: `buildTimeoutInMinutes` - -Image build timeout in minutes. Allowed values: 0-960. 0 means the default 240 minutes. - -- Required: No -- Type: int -- Default: `0` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `excludeFromLatest` - -Exclude the created Azure Compute Gallery image version from the latest. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `imageReplicationRegions` - -List of the regions the image produced by this solution should be stored in the Shared Image Gallery. When left empty, the deployment's location will be taken as a default value. 
- -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedImageName` - -Name of the managed image that will be created in the AIB resourcegroup. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `osDiskSizeGB` - -Specifies the size of OS disk. - -- Required: No -- Type: int -- Default: `128` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. 
- -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `sigImageDefinitionId` - -Resource ID of Shared Image Gallery to distribute image to, e.g.: /subscriptions//resourceGroups//providers/Microsoft.Compute/galleries//images/. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `sigImageVersion` - -Version of the Shared Image Gallery Image. Supports the following Version Syntax: Major.Minor.Build (i.e., '1.1.1' or '10.1.2'). - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `stagingResourceGroup` - -Resource ID of the staging resource group in the same subscription and location as the image template that will be used to build the image.

If this field is empty, a resource group with a random name will be created.

If the resource group specified in this field doesn't exist, it will be created with the same name.

If the resource group specified exists, it must be empty and in the same region as the image template.

The resource group created will be deleted during template deletion if this field is empty or the resource group specified doesn't exist,

but if the resource group specified exists the resources created in the resource group will be deleted during template deletion and the resource group itself will remain. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `storageAccountType` - -Storage account type to be used to store the image in the Azure Compute Gallery. - -- Required: No -- Type: string -- Default: `'Standard_LRS'` -- Allowed: - ```Bicep - [ - 'Standard_LRS' - 'Standard_ZRS' - ] - ``` - -### Parameter: `subnetId` - -Resource ID of an already existing subnet, e.g.: /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/.

If no value is provided, a new temporary VNET and subnet will be created in the staging resource group and will be deleted along with the remaining temporary resources. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `unManagedImageName` - -Name of the unmanaged image that will be created in the AIB resourcegroup. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `userAssignedIdentities` - -List of User-Assigned Identities associated to the Build VM for accessing Azure resources such as Key Vaults from your customizer scripts.

Be aware, the user assigned identity specified in the 'userMsiName' parameter must have the 'Managed Identity Operator' role assignment on all the user assigned identities specified in this parameter for Azure Image Builder to be able to associate them to the build VM. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `userMsiResourceGroup` - -Resource group of the user assigned identity. - -- Required: No -- Type: string -- Default: `[resourceGroup().name]` - -### Parameter: `vmSize` - -Specifies the size for the VM. - -- Required: No -- Type: string -- Default: `'Standard_D2s_v3'` - -### Parameter: `baseTime` - -Do not provide a value! This date value is used to generate a unique image template name. - -- Required: No -- Type: string -- Default: `[utcNow('yyyy-MM-dd-HH-mm-ss')]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The full name of the deployed image template. | -| `namePrefix` | string | The prefix of the image template name provided as input. | -| `resourceGroupName` | string | The resource group the image template was deployed into. | -| `resourceId` | string | The resource ID of the image template. | -| `runThisCommand` | string | The command to run in order to trigger the image build. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `imageSource` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -#### Platform Image - -
- -Parameter JSON format - -```json -"source": { - "type": "PlatformImage", - "publisher": "MicrosoftWindowsDesktop", - "offer": "Windows-10", - "sku": "19h2-evd", - "version": "latest" -} -``` - -
- -
- -Bicep format - -```bicep -source: { - type: 'PlatformImage' - publisher: 'MicrosoftWindowsDesktop' - offer: 'Windows-10' - sku: '19h2-evd' - version: 'latest' -} -``` - -
-

- -#### Managed Image - -

- -Parameter JSON format - -```json -"source": { - "type": "ManagedImage", - "imageId": "/subscriptions//resourceGroups/{destinationResourceGroupName}/providers/Microsoft.Compute/images/" -} -``` - -
- -
- -Bicep format - -```bicep -source: { - type: 'ManagedImage' - imageId: '/subscriptions//resourceGroups/{destinationResourceGroupName}/providers/Microsoft.Compute/images/' -} -``` - -
-

- -#### Shared Image - -

- -Parameter JSON format - -```json -"source": { - "type": "SharedImageVersion", - "imageVersionID": "/subscriptions//resourceGroups//providers/Microsoft.Compute/galleries//images/" -} -``` - -
- -
- -Bicep format - -```bicep -source: { - type: 'SharedImageVersion' - imageVersionID: '/subscriptions//resourceGroups//providers/Microsoft.Compute/galleries//images/' -} -``` - -
-

+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/virtual-machine-images/image-template/main.bicep b/modules/virtual-machine-images/image-template/main.bicep
deleted file mode 100644
index bf152429d2..0000000000
--- a/modules/virtual-machine-images/image-template/main.bicep
+++ /dev/null
@@ -1,262 +0,0 @@
-metadata name = 'Virtual Machine Image Templates'
-metadata description = 'This module deploys a Virtual Machine Image Template that can be consumed by Azure Image Builder (AIB).'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name prefix of the Image Template to be built by the Azure Image Builder service.')
-param name string
-
-@description('Required. Name of the User Assigned Identity to be used to deploy Image Templates in Azure Image Builder.')
-param userMsiName string
-
-@description('Optional. Resource group of the user assigned identity.')
-param userMsiResourceGroup string = resourceGroup().name
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Image build timeout in minutes. Allowed values: 0-960. 0 means the default 240 minutes.')
-@minValue(0)
-@maxValue(960)
-param buildTimeoutInMinutes int = 0
-
-@description('Optional. Specifies the size for the VM.')
-param vmSize string = 'Standard_D2s_v3'
-
-@description('Optional. Specifies the size of OS disk.')
-param osDiskSizeGB int = 128
-
-@description('Optional. Resource ID of an already existing subnet, e.g.: /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/.

If no value is provided, a new temporary VNET and subnet will be created in the staging resource group and will be deleted along with the remaining temporary resources.')
-param subnetId string = ''
-
-@description('Optional. List of User-Assigned Identities associated to the Build VM for accessing Azure resources such as Key Vaults from your customizer scripts.

Be aware, the user assigned identity specified in the \'userMsiName\' parameter must have the \'Managed Identity Operator\' role assignment on all the user assigned identities specified in this parameter for Azure Image Builder to be able to associate them to the build VM.')
-param userAssignedIdentities array = []
-
-@description('Required. Image source definition in object format.')
-param imageSource object
-
-@description('Required. Customization steps to be run when building the VM image.')
-param customizationSteps array
-
-@description('Optional. Name of the managed image that will be created in the AIB resourcegroup.')
-param managedImageName string = ''
-
-@description('Optional. Name of the unmanaged image that will be created in the AIB resourcegroup.')
-param unManagedImageName string = ''
-
-@description('Optional. Resource ID of Shared Image Gallery to distribute image to, e.g.: /subscriptions//resourceGroups//providers/Microsoft.Compute/galleries//images/.')
-param sigImageDefinitionId string = ''
-
-@description('Optional. Version of the Shared Image Gallery Image. Supports the following Version Syntax: Major.Minor.Build (i.e., \'1.1.1\' or \'10.1.2\').')
-param sigImageVersion string = ''
-
-@description('Optional. Exclude the created Azure Compute Gallery image version from the latest.')
-param excludeFromLatest bool = false
-
-@description('Optional. List of the regions the image produced by this solution should be stored in the Shared Image Gallery. When left empty, the deployment\'s location will be taken as a default value.')
-param imageReplicationRegions array = []
-
-@allowed([
- 'Standard_LRS'
- 'Standard_ZRS'
-])
-@description('Optional. Storage account type to be used to store the image in the Azure Compute Gallery.')
-param storageAccountType string = 'Standard_LRS'
-
-@description('Optional. Resource ID of the staging resource group in the same subscription and location as the image template that will be used to build the image.

If this field is empty, a resource group with a random name will be created.

If the resource group specified in this field doesn\'t exist, it will be created with the same name.

If the resource group specified exists, it must be empty and in the same region as the image template.

The resource group created will be deleted during template deletion if this field is empty or the resource group specified doesn\'t exist,

but if the resource group specified exists the resources created in the resource group will be deleted during template deletion and the resource group itself will remain.')
-param stagingResourceGroup string = ''
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Generated. Do not provide a value! This date value is used to generate a unique image template name.')
-param baseTime string = utcNow('yyyy-MM-dd-HH-mm-ss')
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-var managedImageNameVar = '${managedImageName}-${baseTime}'
-var managedImageId = '/subscriptions/${subscription().subscriptionId}/resourceGroups/${resourceGroup().name}/providers/Microsoft.Compute/images/${managedImageNameVar}'
-var imageReplicationRegionsVar = empty(imageReplicationRegions) ? array(location) : imageReplicationRegions
-
-var managedImage = {
- type: 'ManagedImage'
- imageId: managedImageId
- location: location
- runOutputName: '${managedImageNameVar}-ManagedImage'
- artifactTags: {
- sourceType: imageSource.type
- sourcePublisher: contains(imageSource, 'publisher') ? imageSource.publisher : null
- sourceOffer: contains(imageSource, 'offer') ? imageSource.offer : null
- sourceSku: contains(imageSource, 'sku') ? imageSource.sku : null
- sourceVersion: contains(imageSource, 'version') ? imageSource.version : null
- sourceImageId: contains(imageSource, 'imageId') ? imageSource.imageId : null
- sourceImageVersionID: contains(imageSource, 'imageVersionID') ? imageSource.imageVersionID : null
- creationTime: baseTime
- }
-}
-var conditionalManagedImage = empty(managedImageName) ? 
[] : array(managedImage)
-var sharedImage = {
- type: 'SharedImage'
- galleryImageId: empty(sigImageVersion) ? sigImageDefinitionId : '${sigImageDefinitionId}/versions/${sigImageVersion}'
- excludeFromLatest: excludeFromLatest
- replicationRegions: imageReplicationRegionsVar
- storageAccountType: storageAccountType
- runOutputName: !empty(sigImageDefinitionId) ? '${last(split(sigImageDefinitionId, '/'))}-SharedImage' : 'SharedImage'
- artifactTags: {
- sourceType: imageSource.type
- sourcePublisher: contains(imageSource, 'publisher') ? imageSource.publisher : null
- sourceOffer: contains(imageSource, 'offer') ? imageSource.offer : null
- sourceSku: contains(imageSource, 'sku') ? imageSource.sku : null
- sourceVersion: contains(imageSource, 'version') ? imageSource.version : null
- sourceImageId: contains(imageSource, 'imageId') ? imageSource.imageId : null
- sourceImageVersionID: contains(imageSource, 'imageVersionID') ? imageSource.imageVersionID : null
- creationTime: baseTime
- }
-}
-var conditionalSharedImage = empty(sigImageDefinitionId) ? [] : array(sharedImage)
-var unManagedImage = {
- type: 'VHD'
- runOutputName: '${unManagedImageName}-VHD'
- artifactTags: {
- sourceType: imageSource.type
- sourcePublisher: contains(imageSource, 'publisher') ? imageSource.publisher : null
- sourceOffer: contains(imageSource, 'offer') ? imageSource.offer : null
- sourceSku: contains(imageSource, 'sku') ? imageSource.sku : null
- sourceVersion: contains(imageSource, 'version') ? imageSource.version : null
- sourceImageId: contains(imageSource, 'imageId') ? imageSource.imageId : null
- sourceImageVersionID: contains(imageSource, 'imageVersionID') ? imageSource.imageVersionID : null
- creationTime: baseTime
- }
-}
-var conditionalUnManagedImage = empty(unManagedImageName) ? 
[] : array(unManagedImage)
-var distribute = concat(conditionalManagedImage, conditionalSharedImage, conditionalUnManagedImage)
-var vnetConfig = {
- subnetId: subnetId
-}
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource imageTemplate 'Microsoft.VirtualMachineImages/imageTemplates@2022-02-14' = {
- name: '${name}-${baseTime}'
- location: location
- tags: tags
- identity: {
- type: 'UserAssigned'
- userAssignedIdentities: {
- '${az.resourceId(userMsiResourceGroup, 'Microsoft.ManagedIdentity/userAssignedIdentities', userMsiName)}': {}
- }
- }
- properties: {
- buildTimeoutInMinutes: buildTimeoutInMinutes
- vmProfile: {
- vmSize: vmSize
- osDiskSizeGB: osDiskSizeGB
- userAssignedIdentities: userAssignedIdentities
- vnetConfig: !empty(subnetId) ? 
vnetConfig : null
- }
- source: imageSource
- customize: customizationSteps
- distribute: distribute
- stagingResourceGroup: stagingResourceGroup
- }
-}
-
-resource imageTemplate_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: imageTemplate
-}
-
-resource imageTemplate_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(imageTemplate.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? 
'2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: imageTemplate
-}]
-
-@description('The resource ID of the image template.')
-output resourceId string = imageTemplate.id
-
-@description('The resource group the image template was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The full name of the deployed image template.')
-output name string = imageTemplate.name
-
-@description('The prefix of the image template name provided as input.')
-output namePrefix string = name
-
-@description('The command to run in order to trigger the image build.')
-output runThisCommand string = 'Invoke-AzResourceAction -ResourceName ${imageTemplate.name} -ResourceGroupName ${resourceGroup().name} -ResourceType Microsoft.VirtualMachineImages/imageTemplates -Action Run -Force'
-
-@description('The location the resource was deployed into.')
-output location string = imageTemplate.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. 
The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/modules/virtual-machine-images/image-template/main.json b/modules/virtual-machine-images/image-template/main.json
deleted file mode 100644
index f7c62ccb8c..0000000000
--- a/modules/virtual-machine-images/image-template/main.json
+++ /dev/null
@@ -1,467 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "3206365221053341077" - }, - "name": "Virtual Machine Image Templates", - "description": "This module deploys a Virtual Machine Image Template that can be consumed by Azure Image Builder (AIB).", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name prefix of the Image Template to be built by the Azure Image Builder service." - } - }, - "userMsiName": { - "type": "string", - "metadata": { - "description": "Required. Name of the User Assigned Identity to be used to deploy Image Templates in Azure Image Builder." - } - }, - "userMsiResourceGroup": { - "type": "string", - "defaultValue": "[resourceGroup().name]", - "metadata": { - "description": "Optional. Resource group of the user assigned identity." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "buildTimeoutInMinutes": { - "type": "int", - "defaultValue": 0, - "minValue": 0, - "maxValue": 960, - "metadata": { - "description": "Optional. Image build timeout in minutes. Allowed values: 0-960. 0 means the default 240 minutes." - } - }, - "vmSize": { - "type": "string", - "defaultValue": "Standard_D2s_v3", - "metadata": { - "description": "Optional. Specifies the size for the VM." - } - }, - "osDiskSizeGB": { - "type": "int", - "defaultValue": 128, - "metadata": { - "description": "Optional. 
Specifies the size of OS disk." - } - }, - "subnetId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of an already existing subnet, e.g.: /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/.

If no value is provided, a new temporary VNET and subnet will be created in the staging resource group and will be deleted along with the remaining temporary resources." - } - }, - "userAssignedIdentities": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of User-Assigned Identities associated to the Build VM for accessing Azure resources such as Key Vaults from your customizer scripts.

Be aware, the user assigned identity specified in the 'userMsiName' parameter must have the 'Managed Identity Operator' role assignment on all the user assigned identities specified in this parameter for Azure Image Builder to be able to associate them to the build VM." - } - }, - "imageSource": { - "type": "object", - "metadata": { - "description": "Required. Image source definition in object format." - } - }, - "customizationSteps": { - "type": "array", - "metadata": { - "description": "Required. Customization steps to be run when building the VM image." - } - }, - "managedImageName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the managed image that will be created in the AIB resourcegroup." - } - }, - "unManagedImageName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the unmanaged image that will be created in the AIB resourcegroup." - } - }, - "sigImageDefinitionId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of Shared Image Gallery to distribute image to, e.g.: /subscriptions//resourceGroups//providers/Microsoft.Compute/galleries//images/." - } - }, - "sigImageVersion": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Version of the Shared Image Gallery Image. Supports the following Version Syntax: Major.Minor.Build (i.e., '1.1.1' or '10.1.2')." - } - }, - "excludeFromLatest": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Exclude the created Azure Compute Gallery image version from the latest." - } - }, - "imageReplicationRegions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. List of the regions the image produced by this solution should be stored in the Shared Image Gallery. When left empty, the deployment's location will be taken as a default value." 
- } - }, - "storageAccountType": { - "type": "string", - "defaultValue": "Standard_LRS", - "allowedValues": [ - "Standard_LRS", - "Standard_ZRS" - ], - "metadata": { - "description": "Optional. Storage account type to be used to store the image in the Azure Compute Gallery." - } - }, - "stagingResourceGroup": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the staging resource group in the same subscription and location as the image template that will be used to build the image.

If this field is empty, a resource group with a random name will be created.

If the resource group specified in this field doesn't exist, it will be created with the same name.

If the resource group specified exists, it must be empty and in the same region as the image template.

The resource group created will be deleted during template deletion if this field is empty or the resource group specified doesn't exist,

but if the resource group specified exists the resources created in the resource group will be deleted during template deletion and the resource group itself will remain." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "baseTime": { - "type": "string", - "defaultValue": "[utcNow('yyyy-MM-dd-HH-mm-ss')]", - "metadata": { - "description": "Generated. Do not provide a value! This date value is used to generate a unique image template name." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." 
- } - } - }, - "variables": { - "managedImageNameVar": "[format('{0}-{1}', parameters('managedImageName'), parameters('baseTime'))]", - "managedImageId": "[format('/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.Compute/images/{2}', subscription().subscriptionId, resourceGroup().name, variables('managedImageNameVar'))]", - "imageReplicationRegionsVar": "[if(empty(parameters('imageReplicationRegions')), array(parameters('location')), parameters('imageReplicationRegions'))]", - "managedImage": { - "type": "ManagedImage", - "imageId": "[variables('managedImageId')]", - "location": "[parameters('location')]", - "runOutputName": "[format('{0}-ManagedImage', variables('managedImageNameVar'))]", - "artifactTags": { - "sourceType": "[parameters('imageSource').type]", - "sourcePublisher": "[if(contains(parameters('imageSource'), 'publisher'), parameters('imageSource').publisher, null())]", - "sourceOffer": "[if(contains(parameters('imageSource'), 'offer'), parameters('imageSource').offer, null())]", - "sourceSku": "[if(contains(parameters('imageSource'), 'sku'), parameters('imageSource').sku, null())]", - "sourceVersion": "[if(contains(parameters('imageSource'), 'version'), parameters('imageSource').version, null())]", - "sourceImageId": "[if(contains(parameters('imageSource'), 'imageId'), parameters('imageSource').imageId, null())]", - "sourceImageVersionID": "[if(contains(parameters('imageSource'), 'imageVersionID'), parameters('imageSource').imageVersionID, null())]", - "creationTime": "[parameters('baseTime')]" - } - }, - "conditionalManagedImage": "[if(empty(parameters('managedImageName')), createArray(), array(variables('managedImage')))]", - "sharedImage": { - "type": "SharedImage", - "galleryImageId": "[if(empty(parameters('sigImageVersion')), parameters('sigImageDefinitionId'), format('{0}/versions/{1}', parameters('sigImageDefinitionId'), parameters('sigImageVersion')))]", - "excludeFromLatest": "[parameters('excludeFromLatest')]", - 
"replicationRegions": "[variables('imageReplicationRegionsVar')]", - "storageAccountType": "[parameters('storageAccountType')]", - "runOutputName": "[if(not(empty(parameters('sigImageDefinitionId'))), format('{0}-SharedImage', last(split(parameters('sigImageDefinitionId'), '/'))), 'SharedImage')]", - "artifactTags": { - "sourceType": "[parameters('imageSource').type]", - "sourcePublisher": "[if(contains(parameters('imageSource'), 'publisher'), parameters('imageSource').publisher, null())]", - "sourceOffer": "[if(contains(parameters('imageSource'), 'offer'), parameters('imageSource').offer, null())]", - "sourceSku": "[if(contains(parameters('imageSource'), 'sku'), parameters('imageSource').sku, null())]", - "sourceVersion": "[if(contains(parameters('imageSource'), 'version'), parameters('imageSource').version, null())]", - "sourceImageId": "[if(contains(parameters('imageSource'), 'imageId'), parameters('imageSource').imageId, null())]", - "sourceImageVersionID": "[if(contains(parameters('imageSource'), 'imageVersionID'), parameters('imageSource').imageVersionID, null())]", - "creationTime": "[parameters('baseTime')]" - } - }, - "conditionalSharedImage": "[if(empty(parameters('sigImageDefinitionId')), createArray(), array(variables('sharedImage')))]", - "unManagedImage": { - "type": "VHD", - "runOutputName": "[format('{0}-VHD', parameters('unManagedImageName'))]", - "artifactTags": { - "sourceType": "[parameters('imageSource').type]", - "sourcePublisher": "[if(contains(parameters('imageSource'), 'publisher'), parameters('imageSource').publisher, null())]", - "sourceOffer": "[if(contains(parameters('imageSource'), 'offer'), parameters('imageSource').offer, null())]", - "sourceSku": "[if(contains(parameters('imageSource'), 'sku'), parameters('imageSource').sku, null())]", - "sourceVersion": "[if(contains(parameters('imageSource'), 'version'), parameters('imageSource').version, null())]", - "sourceImageId": "[if(contains(parameters('imageSource'), 'imageId'), 
parameters('imageSource').imageId, null())]", - "sourceImageVersionID": "[if(contains(parameters('imageSource'), 'imageVersionID'), parameters('imageSource').imageVersionID, null())]", - "creationTime": "[parameters('baseTime')]" - } - }, - "conditionalUnManagedImage": "[if(empty(parameters('unManagedImageName')), createArray(), array(variables('unManagedImage')))]", - "distribute": "[concat(variables('conditionalManagedImage'), variables('conditionalSharedImage'), variables('conditionalUnManagedImage'))]", - "vnetConfig": { - "subnetId": "[parameters('subnetId')]" - }, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "imageTemplate": { - "type": "Microsoft.VirtualMachineImages/imageTemplates", - "apiVersion": "2022-02-14", - "name": "[format('{0}-{1}', parameters('name'), parameters('baseTime'))]", - 
"location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "identity": { - "type": "UserAssigned", - "userAssignedIdentities": { - "[format('{0}', resourceId(parameters('userMsiResourceGroup'), 'Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userMsiName')))]": {} - } - }, - "properties": { - "buildTimeoutInMinutes": "[parameters('buildTimeoutInMinutes')]", - "vmProfile": { - "vmSize": "[parameters('vmSize')]", - "osDiskSizeGB": "[parameters('osDiskSizeGB')]", - "userAssignedIdentities": "[parameters('userAssignedIdentities')]", - "vnetConfig": "[if(not(empty(parameters('subnetId'))), variables('vnetConfig'), null())]" - }, - "source": "[parameters('imageSource')]", - "customize": "[parameters('customizationSteps')]", - "distribute": "[variables('distribute')]", - "stagingResourceGroup": "[parameters('stagingResourceGroup')]" - } - }, - "imageTemplate_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.VirtualMachineImages/imageTemplates/{0}', format('{0}-{1}', parameters('name'), parameters('baseTime')))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "imageTemplate" - ] - }, - "imageTemplate_roleAssignments": { - "copy": { - "name": "imageTemplate_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": 
"[format('Microsoft.VirtualMachineImages/imageTemplates/{0}', format('{0}-{1}', parameters('name'), parameters('baseTime')))]", - "name": "[guid(resourceId('Microsoft.VirtualMachineImages/imageTemplates', format('{0}-{1}', parameters('name'), parameters('baseTime'))), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 
'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "imageTemplate" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the image template." - }, - "value": "[resourceId('Microsoft.VirtualMachineImages/imageTemplates', format('{0}-{1}', parameters('name'), parameters('baseTime')))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the image template was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The full name of the deployed image template." - }, - "value": "[format('{0}-{1}', parameters('name'), parameters('baseTime'))]" - }, - "namePrefix": { - "type": "string", - "metadata": { - "description": "The prefix of the image template name provided as input." - }, - "value": "[parameters('name')]" - }, - "runThisCommand": { - "type": "string", - "metadata": { - "description": "The command to run in order to trigger the image build." - }, - "value": "[format('Invoke-AzResourceAction -ResourceName {0} -ResourceGroupName {1} -ResourceType Microsoft.VirtualMachineImages/imageTemplates -Action Run -Force', format('{0}-{1}', parameters('name'), parameters('baseTime')), resourceGroup().name)]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('imageTemplate', '2022-02-14', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/virtual-machine-images/image-template/tests/e2e/defaults/dependencies.bicep b/modules/virtual-machine-images/image-template/tests/e2e/defaults/dependencies.bicep deleted file mode 100644 index 3c1a42f4bb..0000000000 --- a/modules/virtual-machine-images/image-template/tests/e2e/defaults/dependencies.bicep +++ /dev/null 
@@ -1,25 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource msi_roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(resourceGroup().id, 'Contributor', '[[namePrefix]]')
- properties: {
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor
- principalId: managedIdentity.properties.principalId
- principalType: 'ServicePrincipal'
- }
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The name of the created Managed Identity.')
-output managedIdentityName string = managedIdentity.name
diff --git a/modules/virtual-machine-images/image-template/tests/e2e/defaults/main.test.bicep b/modules/virtual-machine-images/image-template/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index ea6acdfabf..0000000000
--- a/modules/virtual-machine-images/image-template/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,72 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-virtualmachineimages.imagetemplates-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'vmiitmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- customizationSteps: [
- {
- restartTimeout: '30m'
- type: 'WindowsRestart'
- }
- ]
- imageSource: {
- offer: 'Windows-10'
- publisher: 'MicrosoftWindowsDesktop'
- sku: 'win10-22h2-ent'
- type: 'PlatformImage'
- version: 'latest'
- }
- managedImageName: '${namePrefix}-mi-${serviceShort}-001'
- userMsiName: nestedDependencies.outputs.managedIdentityName
- userMsiResourceGroup: resourceGroupName
- }
-}
diff --git a/modules/virtual-machine-images/image-template/tests/e2e/max/dependencies.bicep b/modules/virtual-machine-images/image-template/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 3fd5595fde..0000000000
--- a/modules/virtual-machine-images/image-template/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,109 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Shared Image Gallery to create.')
-param galleryName string
-
-@description('Required. The name of the Image Definition to create in the Shared Image Gallery.')
-param sigImageDefinitionName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Optional. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-// required for the Azure Image Builder service to assign the list of User Assigned Identities to the Build VM.
-resource msi_managedIdentityOperatorRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(subscription().id, 'ManagedIdentityContributor', managedIdentity.id)
- properties: {
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830') // Managed Identity Operator
- principalId: managedIdentity.properties.principalId
- principalType: 'ServicePrincipal'
- }
-}
-
-var addressPrefix = '10.0.0.0/16'
-
-resource gallery 'Microsoft.Compute/galleries@2022-03-03' = {
- name: galleryName
- location: location
- properties: {}
-}
-
-resource galleryImageDefinition 'Microsoft.Compute/galleries/images@2022-03-03' = {
- name: sigImageDefinitionName
- location: location
- parent: gallery
- properties: {
- architecture: 'x64'
- hyperVGeneration: 'V2'
- identifier: {
- offer: 'Windows-11'
- publisher: 'MicrosoftWindowsDesktop'
- sku: 'Win11-AVD-g2'
- }
- osState: 'Generalized'
- osType: 'Windows'
- recommended: {
- memory: {
- max: 16
- min: 4
- }
- vCPUs: {
- max: 8
- min: 2
- }
- }
- }
-}
-
-resource msi_contibutorRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(resourceGroup().id, 'Contributor', '[[namePrefix]]')
- properties: {
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor
- principalId: managedIdentity.properties.principalId
- principalType: 'ServicePrincipal'
- }
-}
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- privateLinkServiceNetworkPolicies: 'Disabled'
- }
- }
- ]
- }
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The name of the created Managed Identity.')
-output managedIdentityName string = managedIdentity.name
-
-@description('The resource ID of the created Image Definition.')
-output sigImageDefinitionId string = galleryImageDefinition.id
-
-@description('The subnet resource id of the defaultSubnet of the created Virtual Network.')
-output subnetId string = '${virtualNetwork.id}/subnets/defaultSubnet'
diff --git a/modules/virtual-machine-images/image-template/tests/e2e/max/main.test.bicep b/modules/virtual-machine-images/image-template/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 363cf67ccf..0000000000
--- a/modules/virtual-machine-images/image-template/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,119 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-virtualmachineimages.imagetemplates-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'vmiitmax'
-
-@description('Optional. The version of the Azure Compute Gallery Image Definition to be added.')
-param sigImageVersion string = utcNow('yyyy.MM.dd')
-
-@description('Optional. The staging resource group name in the same location and subscription as the image template. Must not exist.')
-param stagingResourceGroupName string = 'ms.virtualmachineimages.imagetemplates-${serviceShort}-staging-rg'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- sigImageDefinitionName: 'dep-${namePrefix}-imgd-${serviceShort}'
- galleryName: 'dep${namePrefix}sig${serviceShort}'
- virtualNetworkName: 'dep${namePrefix}-vnet-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- customizationSteps: [
- {
- restartTimeout: '10m'
- type: 'WindowsRestart'
- }
- ]
- imageSource: {
- offer: 'Windows-11'
- publisher: 'MicrosoftWindowsDesktop'
- sku: 'win11-22h2-avd'
- type: 'PlatformImage'
- version: 'latest'
- }
- buildTimeoutInMinutes: 60
- imageReplicationRegions: []
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- managedImageName: '${namePrefix}-mi-${serviceShort}-001'
- osDiskSizeGB: 127
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- sigImageDefinitionId: nestedDependencies.outputs.sigImageDefinitionId
- sigImageVersion: sigImageVersion
- subnetId: nestedDependencies.outputs.subnetId
- stagingResourceGroup: '${subscription().id}/resourcegroups/${stagingResourceGroupName}'
- unManagedImageName: '${namePrefix}-umi-${serviceShort}-001'
- userAssignedIdentities: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- userMsiName: nestedDependencies.outputs.managedIdentityName
- userMsiResourceGroup: resourceGroupName
- vmSize: 'Standard_D2s_v3'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
diff --git a/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/dependencies.bicep b/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index d2e04163bf..0000000000
--- a/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,106 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Shared Image Gallery to create.')
-param galleryName string
-
-@description('Required. The name of the Image Definition to create in the Shared Image Gallery.')
-param sigImageDefinitionName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Optional. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-// required for the Azure Image Builder service to assign the list of User Assigned Identities to the Build VM.
-resource msi_managedIdentityOperatorRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(subscription().id, 'ManagedIdentityContributor', managedIdentity.id)
- properties: {
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830') // Managed Identity Operator
- principalId: managedIdentity.properties.principalId
- principalType: 'ServicePrincipal'
- }
-}
-
-var addressPrefix = '10.0.0.0/16'
-
-resource gallery 'Microsoft.Compute/galleries@2022-03-03' = {
- name: galleryName
- location: location
- properties: {}
-}
-
-resource galleryImageDefinition 'Microsoft.Compute/galleries/images@2022-03-03' = {
- name: sigImageDefinitionName
- location: location
- parent: gallery
- properties: {
- architecture: 'x64'
- hyperVGeneration: 'V2'
- identifier: {
- offer: 'Windows-11'
- publisher: 'MicrosoftWindowsDesktop'
- sku: 'Win11-AVD-g2'
- }
- osState: 'Generalized'
- osType: 'Windows'
- recommended: {
- memory: {
- max: 16
- min: 4
- }
- vCPUs: {
- max: 8
- min: 2
- }
- }
- }
-}
-
-resource msi_contibutorRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(resourceGroup().id, 'Contributor', '[[namePrefix]]')
- properties: {
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor
- principalId: managedIdentity.properties.principalId
- principalType: 'ServicePrincipal'
- }
-}
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- privateLinkServiceNetworkPolicies: 'Disabled'
- }
- }
- ]
- }
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The name of the created Managed Identity.')
-output managedIdentityName string = managedIdentity.name
-
-@description('The resource ID of the created Image Definition.')
-output sigImageDefinitionId string = galleryImageDefinition.id
-
-@description('The subnet resource id of the defaultSubnet of the created Virtual Network.')
-output subnetId string = '${virtualNetwork.id}/subnets/defaultSubnet'
diff --git a/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep b/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 1367e24573..0000000000
--- a/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,102 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-virtualmachineimages.imagetemplates-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'vmiitwaf'
-
-@description('Optional. The version of the Azure Compute Gallery Image Definition to be added.')
-param sigImageVersion string = utcNow('yyyy.MM.dd')
-
-@description('Optional. The staging resource group name in the same location and subscription as the image template. Must not exist.')
-param stagingResourceGroupName string = 'ms.virtualmachineimages.imagetemplates-${serviceShort}-staging-rg'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- sigImageDefinitionName: 'dep-${namePrefix}-imgd-${serviceShort}'
- galleryName: 'dep${namePrefix}sig${serviceShort}'
- virtualNetworkName: 'dep${namePrefix}-vnet-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- customizationSteps: [
- {
- restartTimeout: '10m'
- type: 'WindowsRestart'
- }
- ]
- imageSource: {
- offer: 'Windows-11'
- publisher: 'MicrosoftWindowsDesktop'
- sku: 'win11-22h2-avd'
- type: 'PlatformImage'
- version: 'latest'
- }
- buildTimeoutInMinutes: 60
- imageReplicationRegions: []
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- managedImageName: '${namePrefix}-mi-${serviceShort}-001'
- osDiskSizeGB: 127
- sigImageDefinitionId: nestedDependencies.outputs.sigImageDefinitionId
- sigImageVersion: sigImageVersion
- subnetId: nestedDependencies.outputs.subnetId
- stagingResourceGroup: '${subscription().id}/resourcegroups/${stagingResourceGroupName}'
- unManagedImageName: '${namePrefix}-umi-${serviceShort}-001'
- userAssignedIdentities: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- userMsiName: nestedDependencies.outputs.managedIdentityName
- userMsiResourceGroup: resourceGroupName
- vmSize: 'Standard_D2s_v3'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
diff --git a/modules/virtual-machine-images/image-template/version.json b/modules/virtual-machine-images/image-template/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/virtual-machine-images/image-template/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/web/connection/MOVED-TO-AVM.md b/modules/web/connection/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/web/connection/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/web/connection/README.md b/modules/web/connection/README.md
index cf5c33e583..144f87950c 100644
--- a/modules/web/connection/README.md
+++ b/modules/web/connection/README.md
@@ -1,482 +1,7 @@
-# API Connections `[Microsoft.Web/connections]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/web/connection](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/web/connection).** -This module deploys an Azure API Connection. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/web/connection). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Web/connections` | [2016-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2016-06-01/connections) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/web.connection:1.0.0`. 
- -- [Using large parameter set](#example-1-using-large-parameter-set) -- [WAF-aligned](#example-2-waf-aligned) - -### Example 1: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -
- -via Bicep module - -```bicep -module connection 'br:bicep/modules/web.connection:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-wcmax' - params: { - // Required parameters - displayName: 'azuremonitorlogs' - name: 'azuremonitor' - // Non-required parameters - api: { - id: '' - } - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "displayName": { - "value": "azuremonitorlogs" - }, - "name": { - "value": "azuremonitor" - }, - // Non-required parameters - "api": { - "value": { - "id": "" - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 2: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module connection 'br:bicep/modules/web.connection:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-wcwaf' - params: { - // Required parameters - displayName: 'azuremonitorlogs' - name: 'azuremonitor' - // Non-required parameters - api: { - id: '' - } - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "displayName": { - "value": "azuremonitorlogs" - }, - "name": { - "value": "azuremonitor" - }, - // Non-required parameters - "api": { - "value": { - "id": "" - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`displayName`](#parameter-displayname) | string | Display name connection. Example: 'blobconnection' when using blobs. It can change depending on the resource. | -| [`name`](#parameter-name) | string | Connection name for connection. Example: 'azureblob' when using blobs. It can change depending on the resource. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`api`](#parameter-api) | object | Specific values for some API connections. | -| [`customParameterValues`](#parameter-customparametervalues) | object | Customized parameter values for specific connections. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location of the deployment. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`nonSecretParameterValues`](#parameter-nonsecretparametervalues) | object | Dictionary of nonsecret parameter values. | -| [`parameterValues`](#parameter-parametervalues) | secureObject | Connection strings or access keys for connection. Example: 'accountName' and 'accessKey' when using blobs. It can change depending on the resource. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`statuses`](#parameter-statuses) | array | Status of the connection. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`testLinks`](#parameter-testlinks) | array | Links to test the API connection. | - -### Parameter: `displayName` - -Display name connection. Example: 'blobconnection' when using blobs. It can change depending on the resource. - -- Required: Yes -- Type: string - -### Parameter: `name` - -Connection name for connection. Example: 'azureblob' when using blobs. It can change depending on the resource. 
- -- Required: Yes -- Type: string - -### Parameter: `api` - -Specific values for some API connections. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `customParameterValues` - -Customized parameter values for specific connections. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location of the deployment. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `nonSecretParameterValues` - -Dictionary of nonsecret parameter values. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `parameterValues` - -Connection strings or access keys for connection. Example: 'accountName' and 'accessKey' when using blobs. It can change depending on the resource. - -- Required: No -- Type: secureObject -- Default: `{}` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `statuses` - -Status of the connection. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `testLinks` - -Links to test the API connection. - -- Required: No -- Type: array -- Default: `[]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the connection. | -| `resourceGroupName` | string | The resource group the connection was deployed into. | -| `resourceId` | string | The resource ID of the connection. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/web/connection/main.bicep b/modules/web/connection/main.bicep deleted file mode 100644 index 833405ad8a..0000000000 --- a/modules/web/connection/main.bicep +++ /dev/null 
@@ -1,149 +0,0 @@ -metadata name = 'API Connections' -metadata description = 'This module deploys an Azure API Connection.' -metadata owner = 'Azure/module-maintainers' - -@description('Optional. Specific values for some API connections.') -param api object = {} - -@description('Required. Connection name for connection. Example: \'azureblob\' when using blobs. It can change depending on the resource.') -param name string - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. Customized parameter values for specific connections.') -param customParameterValues object = {} - -@description('Required. Display name connection. Example: \'blobconnection\' when using blobs. It can change depending on the resource.') -param displayName string - -@description('Optional. Location of the deployment.') -param location string = resourceGroup().location - -@description('Optional. Dictionary of nonsecret parameter values.') -#disable-next-line secure-secrets-in-params // Not a secret -param nonSecretParameterValues object = {} - -@description('Optional. Connection strings or access keys for connection. Example: \'accountName\' and \'accessKey\' when using blobs. It can change depending on the resource.') -@secure() -param parameterValues object = {} - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. Status of the connection.') -param statuses array = [] - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. Tags of the resource.') -param tags object? - -@description('Optional. 
Links to test the API connection.') -param testLinks array = [] - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource connection 'Microsoft.Web/connections@2016-06-01' = { - name: name - location: location - tags: tags - properties: { - displayName: displayName - customParameterValues: customParameterValues - api: api - parameterValues: !empty(parameterValues) ? parameterValues : null - nonSecretParameterValues: !empty(nonSecretParameterValues) ? nonSecretParameterValues : null - testLinks: !empty(testLinks) ? testLinks : null - statuses: !empty(statuses) ? statuses : null - } -} - -resource connection_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' 
- } - scope: connection -} - -resource connection_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(connection.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: connection -}] - -@description('The resource ID of the connection.') -output resourceId string = connection.id - -@description('The resource group the connection was deployed into.') -output resourceGroupName string = resourceGroup().name - -@description('The name of the connection.') -output name string = connection.name - -@description('The location the resource was deployed into.') -output location string = connection.location - -// =============== // -// Definitions // -// =============== // - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? diff --git a/modules/web/connection/main.json b/modules/web/connection/main.json deleted file mode 100644 index 99018cbb1c..0000000000 --- a/modules/web/connection/main.json +++ /dev/null 
@@ -1,304 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "12952997110880403069" - }, - "name": "API Connections", - "description": "This module deploys an Azure API Connection.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "api": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Specific values for some API connections." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Connection name for connection. Example: 'azureblob' when using blobs. It can change depending on the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "customParameterValues": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Customized parameter values for specific connections." - } - }, - "displayName": { - "type": "string", - "metadata": { - "description": "Required. Display name connection. Example: 'blobconnection' when using blobs. It can change depending on the resource." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location of the deployment." - } - }, - "nonSecretParameterValues": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. 
Dictionary of nonsecret parameter values." - } - }, - "parameterValues": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Connection strings or access keys for connection. Example: 'accountName' and 'accessKey' when using blobs. It can change depending on the resource." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "statuses": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Status of the connection." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "testLinks": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Links to test the API connection." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "connection": { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "displayName": "[parameters('displayName')]", - "customParameterValues": "[parameters('customParameterValues')]", - "api": "[parameters('api')]", - "parameterValues": "[if(not(empty(parameters('parameterValues'))), parameters('parameterValues'), null())]", - "nonSecretParameterValues": "[if(not(empty(parameters('nonSecretParameterValues'))), parameters('nonSecretParameterValues'), null())]", - "testLinks": "[if(not(empty(parameters('testLinks'))), parameters('testLinks'), null())]", - "statuses": 
"[if(not(empty(parameters('statuses'))), parameters('statuses'), null())]" - } - }, - "connection_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Web/connections/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "connection" - ] - }, - "connection_roleAssignments": { - "copy": { - "name": "connection_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Web/connections/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Web/connections', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "connection" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the connection." - }, - "value": "[resourceId('Microsoft.Web/connections', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the connection was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the connection." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('connection', '2016-06-01', 'full').location]" - } - } -} \ No newline at end of file 
diff --git a/modules/web/connection/tests/e2e/max/dependencies.bicep b/modules/web/connection/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/web/connection/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/web/connection/tests/e2e/max/main.test.bicep b/modules/web/connection/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 6a482325ae..0000000000
--- a/modules/web/connection/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,88 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-web.connections-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'wcmax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - displayName: 'azuremonitorlogs' - name: 'azuremonitor' - api: { - id: '${subscription().id}/providers/Microsoft.Web/locations/westeurope/managedApis/azuremonitorlogs' - - } - lock: { - kind: 
'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/web/connection/tests/e2e/waf-aligned/dependencies.bicep b/modules/web/connection/tests/e2e/waf-aligned/dependencies.bicep deleted file mode 100644 index a7f42aee7b..0000000000 --- a/modules/web/connection/tests/e2e/waf-aligned/dependencies.bicep +++ /dev/null @@ -1,13 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/web/connection/tests/e2e/waf-aligned/main.test.bicep b/modules/web/connection/tests/e2e/waf-aligned/main.test.bicep deleted file mode 100644 index 9718e758f7..0000000000 --- a/modules/web/connection/tests/e2e/waf-aligned/main.test.bicep +++ /dev/null 
@@ -1,71 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-web.connections-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'wcwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - displayName: 'azuremonitorlogs' - name: 'azuremonitor' - api: { - id: '${subscription().id}/providers/Microsoft.Web/locations/westeurope/managedApis/azuremonitorlogs' 
- - } - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/web/connection/version.json b/modules/web/connection/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/web/connection/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/web/hosting-environment/README.md b/modules/web/hosting-environment/README.md index 0d9f2ec478..ceb9b6a8ca 100644 --- a/modules/web/hosting-environment/README.md +++ b/modules/web/hosting-environment/README.md @@ -1,923 +1,7 @@ -# App Service Environments `[Microsoft.Web/hostingEnvironments]` +

⚠️ Moved to AVM ⚠️

-This module deploys an App Service Environment. +**This module has been evolved into the following AVM module: [avm/res/web/hosting-environment](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/web/hosting-environment).** -## Navigation +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/web/hosting-environment). -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Web/hostingEnvironments` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-03-01/hostingEnvironments) | -| `Microsoft.Web/hostingEnvironments/configurations` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/hostingEnvironments/configurations) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
- ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/web.hosting-environment:1.0.0`. - -- [Asev2](#example-1-asev2) -- [Asev3](#example-2-asev3) - -### Example 1: _Asev2_ - -
- -via Bicep module - -```bicep -module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-whasev2' - params: { - // Required parameters - name: 'whasev2001' - subnetResourceId: '' - // Non-required parameters - clusterSettings: [ - { - name: 'DisableTls1.0' - value: '1' - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - ipsslAddressCount: 2 - kind: 'ASEv2' - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - multiSize: 'Standard_D1_V2' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - hostingEnvironmentName: 'whasev2001' - resourceType: 'App Service Environment' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "whasev2001" - }, - "subnetResourceId": { - "value": "" - }, - // Non-required parameters - "clusterSettings": { - "value": [ - { - "name": "DisableTls1.0", - "value": "1" - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "ipsslAddressCount": { - "value": 2 - }, - "kind": { - "value": "ASEv2" - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "multiSize": { - "value": "Standard_D1_V2" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "hidden-title": "This is visible in the resource name", - "hostingEnvironmentName": "whasev2001", - "resourceType": "App Service Environment" - } - } - } -} -``` - -
-

- -### Example 2: _Asev3_ - -

- -via Bicep module - -```bicep -module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-whasev3' - params: { - // Required parameters - name: 'whasev3001' - subnetResourceId: '' - // Non-required parameters - allowNewPrivateEndpointConnections: true - clusterSettings: [ - { - name: 'DisableTls1.0' - value: '1' - } - ] - customDnsSuffix: 'internal.contoso.com' - customDnsSuffixCertificateUrl: '' - customDnsSuffixKeyVaultReferenceIdentity: '' - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - ftpEnabled: true - inboundIpAddressOverride: '10.0.0.10' - internalLoadBalancingMode: 'Web, Publishing' - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - remoteDebugEnabled: true - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - hostingEnvironmentName: 'whasev3001' - resourceType: 'App Service Environment' - } - upgradePreference: 'Late' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "whasev3001" - }, - "subnetResourceId": { - "value": "" - }, - // Non-required parameters - "allowNewPrivateEndpointConnections": { - "value": true - }, - "clusterSettings": { - "value": [ - { - "name": "DisableTls1.0", - "value": "1" - } - ] - }, - "customDnsSuffix": { - "value": "internal.contoso.com" - }, - "customDnsSuffixCertificateUrl": { - "value": "" - }, - "customDnsSuffixKeyVaultReferenceIdentity": { - "value": "" - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "ftpEnabled": { - "value": true - }, - "inboundIpAddressOverride": { - "value": "10.0.0.10" - }, - "internalLoadBalancingMode": { - "value": "Web, Publishing" - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "remoteDebugEnabled": { - "value": true - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "hidden-title": "This is visible in the resource name", - "hostingEnvironmentName": "whasev3001", - "resourceType": "App Service Environment" - } - }, - "upgradePreference": { - "value": "Late" - } - } -} 
-``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the App Service Environment. | -| [`subnetResourceId`](#parameter-subnetresourceid) | string | ResourceId for the subnet. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`customDnsSuffixCertificateUrl`](#parameter-customdnssuffixcertificateurl) | string | The URL referencing the Azure Key Vault certificate secret that should be used as the default SSL/TLS certificate for sites with the custom domain suffix. Required if customDnsSuffix is not empty. Cannot be used when kind is set to ASEv2. | -| [`customDnsSuffixKeyVaultReferenceIdentity`](#parameter-customdnssuffixkeyvaultreferenceidentity) | string | The user-assigned identity to use for resolving the key vault certificate reference. If not specified, the system-assigned ASE identity will be used if available. Required if customDnsSuffix is not empty. Cannot be used when kind is set to ASEv2. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`allowNewPrivateEndpointConnections`](#parameter-allownewprivateendpointconnections) | bool | Property to enable and disable new private endpoint connection creation on ASE. Ignored when kind is set to ASEv2. | -| [`clusterSettings`](#parameter-clustersettings) | array | Custom settings for changing the behavior of the App Service Environment. | -| [`customDnsSuffix`](#parameter-customdnssuffix) | string | Enable the default custom domain suffix to use for all sites deployed on the ASE. If provided, then customDnsSuffixCertificateUrl and customDnsSuffixKeyVaultReferenceIdentity are required. Cannot be used when kind is set to ASEv2. | -| [`dedicatedHostCount`](#parameter-dedicatedhostcount) | int | The Dedicated Host Count. If `zoneRedundant` is false, and you want physical hardware isolation enabled, set to 2. Otherwise 0. 
Cannot be used when kind is set to ASEv2. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`dnsSuffix`](#parameter-dnssuffix) | string | DNS suffix of the App Service Environment. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`frontEndScaleFactor`](#parameter-frontendscalefactor) | int | Scale factor for frontends. | -| [`ftpEnabled`](#parameter-ftpenabled) | bool | Property to enable and disable FTP on ASEV3. Ignored when kind is set to ASEv2. | -| [`inboundIpAddressOverride`](#parameter-inboundipaddressoverride) | string | Customer provided Inbound IP Address. Only able to be set on Ase create. Ignored when kind is set to ASEv2. | -| [`internalLoadBalancingMode`](#parameter-internalloadbalancingmode) | string | Specifies which endpoints to serve internally in the Virtual Network for the App Service Environment. - None, Web, Publishing, Web,Publishing. "None" Exposes the ASE-hosted apps on an internet-accessible IP address. | -| [`ipsslAddressCount`](#parameter-ipssladdresscount) | int | Number of IP SSL addresses reserved for the App Service Environment. Cannot be used when kind is set to ASEv3. | -| [`kind`](#parameter-kind) | string | Kind of resource. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`multiSize`](#parameter-multisize) | string | Frontend VM size. Cannot be used when kind is set to ASEv3. | -| [`remoteDebugEnabled`](#parameter-remotedebugenabled) | bool | Property to enable and disable Remote Debug on ASEv3. Ignored when kind is set to ASEv2. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. 
| -| [`tags`](#parameter-tags) | object | Resource tags. | -| [`upgradePreference`](#parameter-upgradepreference) | string | Specify preference for when and how the planned maintenance is applied. | -| [`userWhitelistedIpRanges`](#parameter-userwhitelistedipranges) | array | User added IP ranges to whitelist on ASE DB. Cannot be used with 'kind' `ASEv3`. | -| [`zoneRedundant`](#parameter-zoneredundant) | bool | Switch to make the App Service Environment zone redundant. If enabled, the minimum App Service plan instance count will be three, otherwise 1. If enabled, the `dedicatedHostCount` must be set to `-1`. | - -### Parameter: `name` - -Name of the App Service Environment. - -- Required: Yes -- Type: string - -### Parameter: `subnetResourceId` - -ResourceId for the subnet. - -- Required: Yes -- Type: string - -### Parameter: `customDnsSuffixCertificateUrl` - -The URL referencing the Azure Key Vault certificate secret that should be used as the default SSL/TLS certificate for sites with the custom domain suffix. Required if customDnsSuffix is not empty. Cannot be used when kind is set to ASEv2. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `customDnsSuffixKeyVaultReferenceIdentity` - -The user-assigned identity to use for resolving the key vault certificate reference. If not specified, the system-assigned ASE identity will be used if available. Required if customDnsSuffix is not empty. Cannot be used when kind is set to ASEv2. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `allowNewPrivateEndpointConnections` - -Property to enable and disable new private endpoint connection creation on ASE. Ignored when kind is set to ASEv2. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `clusterSettings` - -Custom settings for changing the behavior of the App Service Environment. 
- -- Required: No -- Type: array -- Default: - ```Bicep - [ - { - name: 'DisableTls1.0' - value: '1' - } - ] - ``` - -### Parameter: `customDnsSuffix` - -Enable the default custom domain suffix to use for all sites deployed on the ASE. If provided, then customDnsSuffixCertificateUrl and customDnsSuffixKeyVaultReferenceIdentity are required. Cannot be used when kind is set to ASEv2. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `dedicatedHostCount` - -The Dedicated Host Count. If `zoneRedundant` is false, and you want physical hardware isolation enabled, set to 2. Otherwise 0. Cannot be used when kind is set to ASEv2. - -- Required: No -- Type: int -- Default: `0` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. 
Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `dnsSuffix` - -DNS suffix of the App Service Environment. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `frontEndScaleFactor` - -Scale factor for frontends. - -- Required: No -- Type: int -- Default: `15` - -### Parameter: `ftpEnabled` - -Property to enable and disable FTP on ASEV3. Ignored when kind is set to ASEv2. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `inboundIpAddressOverride` - -Customer provided Inbound IP Address. Only able to be set on Ase create. Ignored when kind is set to ASEv2. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `internalLoadBalancingMode` - -Specifies which endpoints to serve internally in the Virtual Network for the App Service Environment. - None, Web, Publishing, Web,Publishing. 
"None" Exposes the ASE-hosted apps on an internet-accessible IP address. - -- Required: No -- Type: string -- Default: `'None'` -- Allowed: - ```Bicep - [ - 'None' - 'Publishing' - 'Web' - 'Web, Publishing' - ] - ``` - -### Parameter: `ipsslAddressCount` - -Number of IP SSL addresses reserved for the App Service Environment. Cannot be used when kind is set to ASEv3. - -- Required: No -- Type: int -- Default: `0` - -### Parameter: `kind` - -Kind of resource. - -- Required: No -- Type: string -- Default: `'ASEv3'` -- Allowed: - ```Bicep - [ - 'ASEv2' - 'ASEv3' - ] - ``` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. 
- -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: No -- Type: array - -### Parameter: `multiSize` - -Frontend VM size. Cannot be used when kind is set to ASEv3. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'ExtraLarge' - 'Large' - 'Medium' - 'Standard_D1_V2' - 'Standard_D2' - 'Standard_D2_V2' - 'Standard_D3' - 'Standard_D3_V2' - 'Standard_D4' - 'Standard_D4_V2' - ] - ``` - -### Parameter: `remoteDebugEnabled` - -Property to enable and disable Remote Debug on ASEv3. Ignored when kind is set to ASEv2. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. 
| -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Resource tags. 
-
-- Required: No
-- Type: object
-
-### Parameter: `upgradePreference`
-
-Specify preference for when and how the planned maintenance is applied.
-
-- Required: No
-- Type: string
-- Default: `'None'`
-- Allowed:
- ```Bicep
- [
- 'Early'
- 'Late'
- 'Manual'
- 'None'
- ]
- ```
-
-### Parameter: `userWhitelistedIpRanges`
-
-User added IP ranges to whitelist on ASE DB. Cannot be used with 'kind' `ASEv3`.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
-### Parameter: `zoneRedundant`
-
-Switch to make the App Service Environment zone redundant. If enabled, the minimum App Service plan instance count will be three, otherwise 1. If enabled, the `dedicatedHostCount` must be set to `-1`.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the App Service Environment. |
-| `resourceGroupName` | string | The resource group the App Service Environment was deployed into. |
-| `resourceId` | string | The resource ID of the App Service Environment. |
-
-## Cross-referenced modules
-
-_None_
+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/web/hosting-environment/configuration--customdnssuffix/README.md b/modules/web/hosting-environment/configuration--customdnssuffix/README.md
deleted file mode 100644
index 38b2d7b578..0000000000
--- a/modules/web/hosting-environment/configuration--customdnssuffix/README.md
+++ /dev/null
@@ -1,87 +0,0 @@
-# Hosting Environment Custom DNS Suffix Configuration `[Microsoft.Web/hostingEnvironments/configurations]`
-
-This module deploys a Hosting Environment Custom DNS Suffix Configuration.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Web/hostingEnvironments/configurations` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/hostingEnvironments/configurations) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`certificateUrl`](#parameter-certificateurl) | string | The URL referencing the Azure Key Vault certificate secret that should be used as the default SSL/TLS certificate for sites with the custom domain suffix. |
-| [`dnsSuffix`](#parameter-dnssuffix) | string | Enable the default custom domain suffix to use for all sites deployed on the ASE. |
-| [`keyVaultReferenceIdentity`](#parameter-keyvaultreferenceidentity) | string | The user-assigned identity to use for resolving the key vault certificate reference. If not specified, the system-assigned ASE identity will be used if available. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`hostingEnvironmentName`](#parameter-hostingenvironmentname) | string | The name of the parent Hosting Environment. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-
-### Parameter: `certificateUrl`
-
-The URL referencing the Azure Key Vault certificate secret that should be used as the default SSL/TLS certificate for sites with the custom domain suffix.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `dnsSuffix`
-
-Enable the default custom domain suffix to use for all sites deployed on the ASE.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `keyVaultReferenceIdentity`
-
-The user-assigned identity to use for resolving the key vault certificate reference. If not specified, the system-assigned ASE identity will be used if available.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `hostingEnvironmentName`
-
-The name of the parent Hosting Environment. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the configuration. |
-| `resourceGroupName` | string | The resource group of the deployed configuration. |
-| `resourceId` | string | The resource ID of the deployed configuration. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/web/hosting-environment/configuration--customdnssuffix/main.bicep b/modules/web/hosting-environment/configuration--customdnssuffix/main.bicep
deleted file mode 100644
index a7918a30ad..0000000000
--- a/modules/web/hosting-environment/configuration--customdnssuffix/main.bicep
+++ /dev/null
@@ -1,53 +0,0 @@ -metadata name = 'Hosting Environment Custom DNS Suffix Configuration' -metadata description = 'This module deploys a Hosting Environment Custom DNS Suffix Configuration.' -metadata owner = 'Azure/module-maintainers' - -@description('Conditional. The name of the parent Hosting Environment. Required if the template is used in a standalone deployment.') -param hostingEnvironmentName string - -@description('Required. Enable the default custom domain suffix to use for all sites deployed on the ASE.') -param dnsSuffix string - -@description('Required. The URL referencing the Azure Key Vault certificate secret that should be used as the default SSL/TLS certificate for sites with the custom domain suffix.') -param certificateUrl string - -@description('Required. The user-assigned identity to use for resolving the key vault certificate reference. If not specified, the system-assigned ASE identity will be used if available.') -param keyVaultReferenceIdentity string - -@description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource appServiceEnvironment 'Microsoft.Web/hostingEnvironments@2022-03-01' existing = { - name: hostingEnvironmentName -} - -resource configuration 'Microsoft.Web/hostingEnvironments/configurations@2022-03-01' = { - name: 'customdnssuffix' - parent: appServiceEnvironment - properties: { - certificateUrl: certificateUrl - keyVaultReferenceIdentity: keyVaultReferenceIdentity - dnsSuffix: dnsSuffix - } -} - -@description('The name of the configuration.') -output name string = configuration.name - -@description('The resource ID of the deployed configuration.') -output resourceId string = configuration.id - -@description('The resource group of the deployed configuration.') -output resourceGroupName string = resourceGroup().name diff --git a/modules/web/hosting-environment/configuration--customdnssuffix/main.json b/modules/web/hosting-environment/configuration--customdnssuffix/main.json deleted file mode 100644 index 7bdfbc2f8a..0000000000 --- a/modules/web/hosting-environment/configuration--customdnssuffix/main.json +++ /dev/null 
@@ -1,96 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2088750160033594355" - }, - "name": "Hosting Environment Custom DNS Suffix Configuration", - "description": "This module deploys a Hosting Environment Custom DNS Suffix Configuration.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "hostingEnvironmentName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Hosting Environment. Required if the template is used in a standalone deployment." - } - }, - "dnsSuffix": { - "type": "string", - "metadata": { - "description": "Required. Enable the default custom domain suffix to use for all sites deployed on the ASE." - } - }, - "certificateUrl": { - "type": "string", - "metadata": { - "description": "Required. The URL referencing the Azure Key Vault certificate secret that should be used as the default SSL/TLS certificate for sites with the custom domain suffix." - } - }, - "keyVaultReferenceIdentity": { - "type": "string", - "metadata": { - "description": "Required. The user-assigned identity to use for resolving the key vault certificate reference. If not specified, the system-assigned ASE identity will be used if available." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Web/hostingEnvironments/configurations", - "apiVersion": "2022-03-01", - "name": "[format('{0}/{1}', parameters('hostingEnvironmentName'), 'customdnssuffix')]", - "properties": { - "certificateUrl": "[parameters('certificateUrl')]", - "keyVaultReferenceIdentity": "[parameters('keyVaultReferenceIdentity')]", - "dnsSuffix": "[parameters('dnsSuffix')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the configuration." - }, - "value": "customdnssuffix" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed configuration." - }, - "value": "[resourceId('Microsoft.Web/hostingEnvironments/configurations', parameters('hostingEnvironmentName'), 'customdnssuffix')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed configuration." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/web/hosting-environment/configuration--customdnssuffix/version.json b/modules/web/hosting-environment/configuration--customdnssuffix/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/web/hosting-environment/configuration--customdnssuffix/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/web/hosting-environment/configuration--networking/README.md b/modules/web/hosting-environment/configuration--networking/README.md deleted file mode 100644 index 8b361c64f8..0000000000 --- a/modules/web/hosting-environment/configuration--networking/README.md +++ /dev/null 
@@ -1,94 +0,0 @@
-# Hosting Environment Network Configuration `[Microsoft.Web/hostingEnvironments/configurations]`
-
-This module deploys a Hosting Environment Network Configuration.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Web/hostingEnvironments/configurations` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/hostingEnvironments/configurations) |
-
-## Parameters
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`hostingEnvironmentName`](#parameter-hostingenvironmentname) | string | The name of the parent Hosting Environment. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`allowNewPrivateEndpointConnections`](#parameter-allownewprivateendpointconnections) | bool | Property to enable and disable new private endpoint connection creation on ASE. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`ftpEnabled`](#parameter-ftpenabled) | bool | Property to enable and disable FTP on ASEV3. |
-| [`inboundIpAddressOverride`](#parameter-inboundipaddressoverride) | string | Customer provided Inbound IP Address. Only able to be set on Ase create. |
-| [`remoteDebugEnabled`](#parameter-remotedebugenabled) | bool | Property to enable and disable Remote Debug on ASEv3. |
-
-### Parameter: `hostingEnvironmentName`
-
-The name of the parent Hosting Environment. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `allowNewPrivateEndpointConnections`
-
-Property to enable and disable new private endpoint connection creation on ASE.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `ftpEnabled`
-
-Property to enable and disable FTP on ASEV3.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-### Parameter: `inboundIpAddressOverride`
-
-Customer provided Inbound IP Address. Only able to be set on Ase create.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `remoteDebugEnabled`
-
-Property to enable and disable Remote Debug on ASEv3.
-
-- Required: No
-- Type: bool
-- Default: `False`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the configuration. |
-| `resourceGroupName` | string | The resource group of the deployed configuration. |
-| `resourceId` | string | The resource ID of the deployed configuration. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/web/hosting-environment/configuration--networking/main.bicep b/modules/web/hosting-environment/configuration--networking/main.bicep
deleted file mode 100644
index f1fa448d38..0000000000
--- a/modules/web/hosting-environment/configuration--networking/main.bicep
+++ /dev/null
@@ -1,57 +0,0 @@
-metadata name = 'Hosting Environment Network Configuration'
-metadata description = 'This module deploys a Hosting Environment Network Configuration.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent Hosting Environment. Required if the template is used in a standalone deployment.')
-param hostingEnvironmentName string
-
-@description('Optional. Property to enable and disable new private endpoint connection creation on ASE.')
-param allowNewPrivateEndpointConnections bool = false
-
-@description('Optional. Property to enable and disable FTP on ASEV3.')
-param ftpEnabled bool = false
-
-@description('Optional. Customer provided Inbound IP Address. Only able to be set on Ase create.')
-param inboundIpAddressOverride string = ''
-
-@description('Optional. Property to enable and disable Remote Debug on ASEv3.')
-param remoteDebugEnabled bool = false
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource appServiceEnvironment 'Microsoft.Web/hostingEnvironments@2022-03-01' existing = {
- name: hostingEnvironmentName
-}
-
-resource configuration 'Microsoft.Web/hostingEnvironments/configurations@2022-03-01' = {
- name: 'networking'
- parent: appServiceEnvironment
- properties: {
- allowNewPrivateEndpointConnections: allowNewPrivateEndpointConnections
- ftpEnabled: ftpEnabled
- inboundIpAddressOverride: inboundIpAddressOverride
- remoteDebugEnabled: remoteDebugEnabled
- }
-}
-
-@description('The name of the configuration.')
-output name string = configuration.name
-
-@description('The resource ID of the deployed configuration.')
-output resourceId string = configuration.id
-
-@description('The resource group of the deployed configuration.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/web/hosting-environment/configuration--networking/main.json b/modules/web/hosting-environment/configuration--networking/main.json
deleted file mode 100644
index c609fae4c5..0000000000
--- a/modules/web/hosting-environment/configuration--networking/main.json
+++ /dev/null
@@ -1,107 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "545140399885435174" - }, - "name": "Hosting Environment Network Configuration", - "description": "This module deploys a Hosting Environment Network Configuration.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "hostingEnvironmentName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Hosting Environment. Required if the template is used in a standalone deployment." - } - }, - "allowNewPrivateEndpointConnections": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Property to enable and disable new private endpoint connection creation on ASE." - } - }, - "ftpEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Property to enable and disable FTP on ASEV3." - } - }, - "inboundIpAddressOverride": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Customer provided Inbound IP Address. Only able to be set on Ase create." - } - }, - "remoteDebugEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Property to enable and disable Remote Debug on ASEv3." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Web/hostingEnvironments/configurations", - "apiVersion": "2022-03-01", - "name": "[format('{0}/{1}', parameters('hostingEnvironmentName'), 'networking')]", - "properties": { - "allowNewPrivateEndpointConnections": "[parameters('allowNewPrivateEndpointConnections')]", - "ftpEnabled": "[parameters('ftpEnabled')]", - "inboundIpAddressOverride": "[parameters('inboundIpAddressOverride')]", - "remoteDebugEnabled": "[parameters('remoteDebugEnabled')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the configuration." - }, - "value": "networking" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed configuration." - }, - "value": "[resourceId('Microsoft.Web/hostingEnvironments/configurations', parameters('hostingEnvironmentName'), 'networking')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed configuration." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/web/hosting-environment/configuration--networking/version.json b/modules/web/hosting-environment/configuration--networking/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/web/hosting-environment/configuration--networking/version.json +++ /dev/null 
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/web/hosting-environment/main.bicep b/modules/web/hosting-environment/main.bicep
deleted file mode 100644
index 6119f42ebe..0000000000
--- a/modules/web/hosting-environment/main.bicep
+++ /dev/null
@@ -1,324 +0,0 @@ -metadata name = 'App Service Environments' -metadata description = 'This module deploys an App Service Environment.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. Name of the App Service Environment.') -@minLength(1) -param name string - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. Resource tags.') -param tags object? - -@allowed([ - 'ASEv2' - 'ASEv3' -]) -@description('Optional. Kind of resource.') -param kind string = 'ASEv3' - -@description('Optional. Custom settings for changing the behavior of the App Service Environment.') -param clusterSettings array = [ - { - name: 'DisableTls1.0' - value: '1' - } -] - -@description('Optional. Enable the default custom domain suffix to use for all sites deployed on the ASE. If provided, then customDnsSuffixCertificateUrl and customDnsSuffixKeyVaultReferenceIdentity are required. Cannot be used when kind is set to ASEv2.') -param customDnsSuffix string = '' - -@description('Conditional. The URL referencing the Azure Key Vault certificate secret that should be used as the default SSL/TLS certificate for sites with the custom domain suffix. Required if customDnsSuffix is not empty. Cannot be used when kind is set to ASEv2.') -param customDnsSuffixCertificateUrl string = '' - -@description('Conditional. The user-assigned identity to use for resolving the key vault certificate reference. If not specified, the system-assigned ASE identity will be used if available. Required if customDnsSuffix is not empty. Cannot be used when kind is set to ASEv2.') -param customDnsSuffixKeyVaultReferenceIdentity string = '' - -@description('Optional. The Dedicated Host Count. 
If `zoneRedundant` is false, and you want physical hardware isolation enabled, set to 2. Otherwise 0. Cannot be used when kind is set to ASEv2.') -param dedicatedHostCount int = 0 - -@description('Optional. DNS suffix of the App Service Environment.') -param dnsSuffix string = '' - -@description('Optional. Scale factor for frontends.') -param frontEndScaleFactor int = 15 - -@description('Optional. Specifies which endpoints to serve internally in the Virtual Network for the App Service Environment. - None, Web, Publishing, Web,Publishing. "None" Exposes the ASE-hosted apps on an internet-accessible IP address.') -@allowed([ - 'None' - 'Web' - 'Publishing' - 'Web, Publishing' -]) -param internalLoadBalancingMode string = 'None' - -@description('Optional. Number of IP SSL addresses reserved for the App Service Environment. Cannot be used when kind is set to ASEv3.') -param ipsslAddressCount int = 0 - -@description('Optional. Frontend VM size. Cannot be used when kind is set to ASEv3.') -@allowed([ - '' - 'Medium' - 'Large' - 'ExtraLarge' - 'Standard_D2' - 'Standard_D3' - 'Standard_D4' - 'Standard_D1_V2' - 'Standard_D2_V2' - 'Standard_D3_V2' - 'Standard_D4_V2' -]) -param multiSize string = '' - -@description('Optional. Property to enable and disable new private endpoint connection creation on ASE. Ignored when kind is set to ASEv2.') -param allowNewPrivateEndpointConnections bool = false - -@description('Optional. Property to enable and disable FTP on ASEV3. Ignored when kind is set to ASEv2.') -param ftpEnabled bool = false - -@description('Optional. Customer provided Inbound IP Address. Only able to be set on Ase create. Ignored when kind is set to ASEv2.') -param inboundIpAddressOverride string = '' - -@description('Optional. Property to enable and disable Remote Debug on ASEv3. Ignored when kind is set to ASEv2.') -param remoteDebugEnabled bool = false - -@description('Optional. 
Specify preference for when and how the planned maintenance is applied.') -@allowed([ - 'Early' - 'Late' - 'Manual' - 'None' -]) -param upgradePreference string = 'None' - -@description('Required. ResourceId for the subnet.') -param subnetResourceId string - -@description('Optional. User added IP ranges to whitelist on ASE DB. Cannot be used with \'kind\' `ASEv3`.') -param userWhitelistedIpRanges array = [] - -@description('Optional. Switch to make the App Service Environment zone redundant. If enabled, the minimum App Service plan instance count will be three, otherwise 1. If enabled, the `dedicatedHostCount` must be set to `-1`.') -param zoneRedundant bool = false - -@description('Optional. The managed identity definition for this resource.') -param managedIdentities managedIdentitiesType - -@description('Optional. The diagnostic settings of the service.') -param diagnosticSettings diagnosticSettingType - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } - -var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) - userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? 
formattedUserAssignedIdentities : null -} : any(null) - -var enableReferencedModulesTelemetry = false - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource appServiceEnvironment 'Microsoft.Web/hostingEnvironments@2022-03-01' = { - name: name - kind: kind - location: location - tags: tags - identity: identity - properties: { - clusterSettings: clusterSettings - dedicatedHostCount: dedicatedHostCount != 0 ? dedicatedHostCount : null - dnsSuffix: !empty(dnsSuffix) ? dnsSuffix : null - frontEndScaleFactor: frontEndScaleFactor - internalLoadBalancingMode: internalLoadBalancingMode - ipsslAddressCount: ipsslAddressCount != 0 ? ipsslAddressCount : null - multiSize: !empty(multiSize) ? any(multiSize) : null - upgradePreference: upgradePreference - userWhitelistedIpRanges: !empty(userWhitelistedIpRanges) ? 
userWhitelistedIpRanges : null - virtualNetwork: { - id: subnetResourceId - subnet: last(split(subnetResourceId, '/')) - } - zoneRedundant: zoneRedundant - } -} - -module appServiceEnvironment_configurations_networking 'configuration--networking/main.bicep' = if (kind == 'ASEv3') { - name: '${uniqueString(deployment().name, location)}-AppServiceEnv-Configurations-Networking' - params: { - hostingEnvironmentName: appServiceEnvironment.name - allowNewPrivateEndpointConnections: allowNewPrivateEndpointConnections - ftpEnabled: ftpEnabled - inboundIpAddressOverride: inboundIpAddressOverride - remoteDebugEnabled: remoteDebugEnabled - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -} - -module appServiceEnvironment_configurations_customDnsSuffix 'configuration--customdnssuffix/main.bicep' = if (kind == 'ASEv3' && !empty(customDnsSuffix)) { - name: '${uniqueString(deployment().name, location)}-AppServiceEnv-Configurations-CustomDnsSuffix' - params: { - hostingEnvironmentName: appServiceEnvironment.name - certificateUrl: customDnsSuffixCertificateUrl - keyVaultReferenceIdentity: customDnsSuffixKeyVaultReferenceIdentity - dnsSuffix: customDnsSuffix - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -} - -resource appServiceEnvironment_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' - } - scope: appServiceEnvironment -} - -resource appServiceEnvironment_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { - name: diagnosticSetting.?name ?? 
'${name}-diagnosticSettings' - properties: { - storageAccountId: diagnosticSetting.?storageAccountResourceId - workspaceId: diagnosticSetting.?workspaceResourceId - eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId - eventHubName: diagnosticSetting.?eventHubName - logs: diagnosticSetting.?logCategoriesAndGroups ?? [ - { - categoryGroup: 'AllLogs' - enabled: true - } - ] - marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId - logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType - } - scope: appServiceEnvironment -}] - -resource appServiceEnvironment_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(appServiceEnvironment.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? 
'2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: appServiceEnvironment -}] - -@description('The resource ID of the App Service Environment.') -output resourceId string = appServiceEnvironment.id - -@description('The resource group the App Service Environment was deployed into.') -output resourceGroupName string = resourceGroup().name - -@description('The name of the App Service Environment.') -output name string = appServiceEnvironment.name - -@description('The location the resource was deployed into.') -output location string = appServiceEnvironment.location - -// =============== // -// Definitions // -// =============== // - -type managedIdentitiesType = { - @description('Optional. Enables system assigned managed identity on the resource.') - systemAssigned: bool? - - @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourceIds: string[]? -}? - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. 
The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? - -type diagnosticSettingType = { - @description('Optional. The name of diagnostic setting.') - name: string? - - @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') - logCategoriesAndGroups: { - @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') - category: string? - - @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') - categoryGroup: string? - }[]? - - @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? - - @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - workspaceResourceId: string? - - @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - storageAccountResourceId: string? - - @description('Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') - eventHubAuthorizationRuleResourceId: string? - - @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - eventHubName: string? - - @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') - marketplacePartnerResourceId: string? -}[]? diff --git a/modules/web/hosting-environment/main.json b/modules/web/hosting-environment/main.json deleted file mode 100644 index c74528106b..0000000000 --- a/modules/web/hosting-environment/main.json +++ /dev/null 
@@ -1,850 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13887067591224249437" - }, - "name": "App Service Environments", - "description": "This module deploys an App Service Environment.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." 
- } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." 
- } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "minLength": 1, - "metadata": { - "description": "Required. Name of the App Service Environment." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Resource tags." - } - }, - "kind": { - "type": "string", - "defaultValue": "ASEv3", - "allowedValues": [ - "ASEv2", - "ASEv3" - ], - "metadata": { - "description": "Optional. Kind of resource." - } - }, - "clusterSettings": { - "type": "array", - "defaultValue": [ - { - "name": "DisableTls1.0", - "value": "1" - } - ], - "metadata": { - "description": "Optional. Custom settings for changing the behavior of the App Service Environment." - } - }, - "customDnsSuffix": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Enable the default custom domain suffix to use for all sites deployed on the ASE. If provided, then customDnsSuffixCertificateUrl and customDnsSuffixKeyVaultReferenceIdentity are required. Cannot be used when kind is set to ASEv2." - } - }, - "customDnsSuffixCertificateUrl": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. 
The URL referencing the Azure Key Vault certificate secret that should be used as the default SSL/TLS certificate for sites with the custom domain suffix. Required if customDnsSuffix is not empty. Cannot be used when kind is set to ASEv2." - } - }, - "customDnsSuffixKeyVaultReferenceIdentity": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The user-assigned identity to use for resolving the key vault certificate reference. If not specified, the system-assigned ASE identity will be used if available. Required if customDnsSuffix is not empty. Cannot be used when kind is set to ASEv2." - } - }, - "dedicatedHostCount": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. The Dedicated Host Count. If `zoneRedundant` is false, and you want physical hardware isolation enabled, set to 2. Otherwise 0. Cannot be used when kind is set to ASEv2." - } - }, - "dnsSuffix": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. DNS suffix of the App Service Environment." - } - }, - "frontEndScaleFactor": { - "type": "int", - "defaultValue": 15, - "metadata": { - "description": "Optional. Scale factor for frontends." - } - }, - "internalLoadBalancingMode": { - "type": "string", - "defaultValue": "None", - "allowedValues": [ - "None", - "Web", - "Publishing", - "Web, Publishing" - ], - "metadata": { - "description": "Optional. Specifies which endpoints to serve internally in the Virtual Network for the App Service Environment. - None, Web, Publishing, Web,Publishing. \"None\" Exposes the ASE-hosted apps on an internet-accessible IP address." - } - }, - "ipsslAddressCount": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. Number of IP SSL addresses reserved for the App Service Environment. Cannot be used when kind is set to ASEv3." 
- } - }, - "multiSize": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Medium", - "Large", - "ExtraLarge", - "Standard_D2", - "Standard_D3", - "Standard_D4", - "Standard_D1_V2", - "Standard_D2_V2", - "Standard_D3_V2", - "Standard_D4_V2" - ], - "metadata": { - "description": "Optional. Frontend VM size. Cannot be used when kind is set to ASEv3." - } - }, - "allowNewPrivateEndpointConnections": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Property to enable and disable new private endpoint connection creation on ASE. Ignored when kind is set to ASEv2." - } - }, - "ftpEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Property to enable and disable FTP on ASEV3. Ignored when kind is set to ASEv2." - } - }, - "inboundIpAddressOverride": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Customer provided Inbound IP Address. Only able to be set on Ase create. Ignored when kind is set to ASEv2." - } - }, - "remoteDebugEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Property to enable and disable Remote Debug on ASEv3. Ignored when kind is set to ASEv2." - } - }, - "upgradePreference": { - "type": "string", - "defaultValue": "None", - "allowedValues": [ - "Early", - "Late", - "Manual", - "None" - ], - "metadata": { - "description": "Optional. Specify preference for when and how the planned maintenance is applied." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. ResourceId for the subnet." - } - }, - "userWhitelistedIpRanges": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. User added IP ranges to whitelist on ASE DB. Cannot be used with 'kind' `ASEv3`." - } - }, - "zoneRedundant": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. 
Switch to make the App Service Environment zone redundant. If enabled, the minimum App Service plan instance count will be three, otherwise 1. If enabled, the `dedicatedHostCount` must be set to `-1`." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "appServiceEnvironment": { - "type": "Microsoft.Web/hostingEnvironments", - "apiVersion": "2022-03-01", - "name": "[parameters('name')]", - "kind": "[parameters('kind')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "properties": { - "clusterSettings": "[parameters('clusterSettings')]", - "dedicatedHostCount": "[if(not(equals(parameters('dedicatedHostCount'), 0)), parameters('dedicatedHostCount'), null())]", - "dnsSuffix": "[if(not(empty(parameters('dnsSuffix'))), parameters('dnsSuffix'), null())]", - "frontEndScaleFactor": "[parameters('frontEndScaleFactor')]", - "internalLoadBalancingMode": "[parameters('internalLoadBalancingMode')]", - "ipsslAddressCount": "[if(not(equals(parameters('ipsslAddressCount'), 0)), parameters('ipsslAddressCount'), null())]", - "multiSize": "[if(not(empty(parameters('multiSize'))), parameters('multiSize'), null())]", - "upgradePreference": "[parameters('upgradePreference')]", - 
"userWhitelistedIpRanges": "[if(not(empty(parameters('userWhitelistedIpRanges'))), parameters('userWhitelistedIpRanges'), null())]", - "virtualNetwork": { - "id": "[parameters('subnetResourceId')]", - "subnet": "[last(split(parameters('subnetResourceId'), '/'))]" - }, - "zoneRedundant": "[parameters('zoneRedundant')]" - } - }, - "appServiceEnvironment_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Web/hostingEnvironments/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "appServiceEnvironment" - ] - }, - "appServiceEnvironment_diagnosticSettings": { - "copy": { - "name": "appServiceEnvironment_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Web/hostingEnvironments/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), 
createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "appServiceEnvironment" - ] - }, - "appServiceEnvironment_roleAssignments": { - "copy": { - "name": "appServiceEnvironment_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Web/hostingEnvironments/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Web/hostingEnvironments', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "appServiceEnvironment" - ] - }, - "appServiceEnvironment_configurations_networking": { - "condition": "[equals(parameters('kind'), 'ASEv3')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AppServiceEnv-Configurations-Networking', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "hostingEnvironmentName": { - "value": "[parameters('name')]" - }, - "allowNewPrivateEndpointConnections": { - "value": "[parameters('allowNewPrivateEndpointConnections')]" - }, - "ftpEnabled": { - "value": "[parameters('ftpEnabled')]" - }, - "inboundIpAddressOverride": { - "value": "[parameters('inboundIpAddressOverride')]" - }, - "remoteDebugEnabled": { - "value": "[parameters('remoteDebugEnabled')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "545140399885435174" - }, - "name": "Hosting Environment Network Configuration", - "description": "This module deploys a Hosting Environment Network Configuration.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "hostingEnvironmentName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Hosting Environment. Required if the template is used in a standalone deployment." - } - }, - "allowNewPrivateEndpointConnections": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Property to enable and disable new private endpoint connection creation on ASE." - } - }, - "ftpEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Property to enable and disable FTP on ASEV3." - } - }, - "inboundIpAddressOverride": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Customer provided Inbound IP Address. Only able to be set on Ase create." - } - }, - "remoteDebugEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Property to enable and disable Remote Debug on ASEv3." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Web/hostingEnvironments/configurations", - "apiVersion": "2022-03-01", - "name": "[format('{0}/{1}', parameters('hostingEnvironmentName'), 'networking')]", - "properties": { - "allowNewPrivateEndpointConnections": "[parameters('allowNewPrivateEndpointConnections')]", - "ftpEnabled": "[parameters('ftpEnabled')]", - "inboundIpAddressOverride": "[parameters('inboundIpAddressOverride')]", - "remoteDebugEnabled": "[parameters('remoteDebugEnabled')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the configuration." - }, - "value": "networking" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed configuration." - }, - "value": "[resourceId('Microsoft.Web/hostingEnvironments/configurations', parameters('hostingEnvironmentName'), 'networking')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed configuration." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "appServiceEnvironment" - ] - }, - "appServiceEnvironment_configurations_customDnsSuffix": { - "condition": "[and(equals(parameters('kind'), 'ASEv3'), not(empty(parameters('customDnsSuffix'))))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AppServiceEnv-Configurations-CustomDnsSuffix', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "hostingEnvironmentName": { - "value": "[parameters('name')]" - }, - "certificateUrl": { - "value": "[parameters('customDnsSuffixCertificateUrl')]" - }, - "keyVaultReferenceIdentity": { - "value": "[parameters('customDnsSuffixKeyVaultReferenceIdentity')]" - }, - "dnsSuffix": { - "value": "[parameters('customDnsSuffix')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2088750160033594355" - }, - "name": "Hosting Environment Custom DNS Suffix Configuration", - "description": "This module deploys a Hosting Environment Custom DNS Suffix Configuration.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "hostingEnvironmentName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Hosting Environment. Required if the template is used in a standalone deployment." - } - }, - "dnsSuffix": { - "type": "string", - "metadata": { - "description": "Required. Enable the default custom domain suffix to use for all sites deployed on the ASE." - } - }, - "certificateUrl": { - "type": "string", - "metadata": { - "description": "Required. 
The URL referencing the Azure Key Vault certificate secret that should be used as the default SSL/TLS certificate for sites with the custom domain suffix." - } - }, - "keyVaultReferenceIdentity": { - "type": "string", - "metadata": { - "description": "Required. The user-assigned identity to use for resolving the key vault certificate reference. If not specified, the system-assigned ASE identity will be used if available." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Web/hostingEnvironments/configurations", - "apiVersion": "2022-03-01", - "name": "[format('{0}/{1}', parameters('hostingEnvironmentName'), 'customdnssuffix')]", - "properties": { - "certificateUrl": "[parameters('certificateUrl')]", - "keyVaultReferenceIdentity": "[parameters('keyVaultReferenceIdentity')]", - "dnsSuffix": "[parameters('dnsSuffix')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the configuration." - }, - "value": "customdnssuffix" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed configuration." 
- }, - "value": "[resourceId('Microsoft.Web/hostingEnvironments/configurations', parameters('hostingEnvironmentName'), 'customdnssuffix')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed configuration." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "appServiceEnvironment" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the App Service Environment." - }, - "value": "[resourceId('Microsoft.Web/hostingEnvironments', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the App Service Environment was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the App Service Environment." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('appServiceEnvironment', '2022-03-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/web/hosting-environment/tests/e2e/asev2/dependencies.bicep b/modules/web/hosting-environment/tests/e2e/asev2/dependencies.bicep deleted file mode 100644 index d549b5f9f8..0000000000 --- a/modules/web/hosting-environment/tests/e2e/asev2/dependencies.bicep +++ /dev/null 
@@ -1,80 +0,0 @@ -@description('Optional. The location to deploy to.') -param location string = resourceGroup().location - -@description('Required. The name of the Network Security Group to create.') -param networkSecurityGroupName string - -@description('Required. The name of the Virtual Network to create.') -param virtualNetworkName string - -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -var addressPrefix = '10.0.0.0/16' - -resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = { - name: networkSecurityGroupName - location: location - properties: { - securityRules: [ - { - name: 'AllowPortsForASE2' - properties: { - access: 'Allow' - destinationAddressPrefix: addressPrefix - destinationPortRange: '454-455' - direction: 'Inbound' - priority: 1020 - protocol: '*' - sourceAddressPrefix: 'AppServiceManagement' - sourcePortRange: '*' - } - } - ] - } -} - -resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { - name: virtualNetworkName - location: location - properties: { - addressSpace: { - addressPrefixes: [ - addressPrefix - ] - } - subnets: [ - { - name: 'defaultSubnet' - properties: { - addressPrefix: cidrSubnet(addressPrefix, 16, 0) - networkSecurityGroup: { - id: networkSecurityGroup.id - } - delegations: [ - { - name: 'ase' - properties: { - serviceName: 'Microsoft.Web/hostingEnvironments' - } - } - ] - } - } - ] - } -} - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -@description('The resource ID of the created Virtual Network Subnet.') -output subnetResourceId string = virtualNetwork.properties.subnets[0].id - -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId - -@description('The resource ID of the created Managed Identity.') -output 
managedIdentityResourceId string = managedIdentity.id diff --git a/modules/web/hosting-environment/tests/e2e/asev2/main.test.bicep b/modules/web/hosting-environment/tests/e2e/asev2/main.test.bicep deleted file mode 100644 index 36c5157724..0000000000 --- a/modules/web/hosting-environment/tests/e2e/asev2/main.test.bicep +++ /dev/null 
@@ -1,122 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-web.hostingenvironments-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'whasev2'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- networkSecurityGroupName: 'dep-${namePrefix}-nsg-${serviceShort}'
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- location: resourceGroup.location
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- resourceType: 'App Service Environment'
- hostingEnvironmentName: '${namePrefix}${serviceShort}001'
- }
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- clusterSettings: [
- {
- name: 'DisableTls1.0'
- value: '1'
- }
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- ipsslAddressCount: 2
- kind: 'ASEv2'
- multiSize: 'Standard_D1_V2'
- }
-}]
diff --git a/modules/web/hosting-environment/tests/e2e/asev3/dependencies.bicep b/modules/web/hosting-environment/tests/e2e/asev3/dependencies.bicep
deleted file mode 100644
index eedd2e4e78..0000000000
--- a/modules/web/hosting-environment/tests/e2e/asev3/dependencies.bicep
+++ /dev/null
@@ -1,135 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Network Security Group to create.')
-param networkSecurityGroupName string
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Key Vault to create.')
-param keyVaultName string
-
-@description('Required. The name of the Deployment Script to create for the Certificate generation.')
-param certDeploymentScriptName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
- name: networkSecurityGroupName
- location: location
- properties: {
- securityRules: [
- {
- name: 'AllowPortsForASE'
- properties: {
- access: 'Allow'
- destinationAddressPrefix: '10.0.7.0/24'
- destinationPortRange: '454-455'
- direction: 'Inbound'
- priority: 1010
- protocol: '*'
- sourceAddressPrefix: 'AppServiceManagement'
- sourcePortRange: '*'
- }
- }
- ]
- }
-}
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- networkSecurityGroup: {
- id: networkSecurityGroup.id
- }
- delegations: [
- {
- name: 'ase'
- properties: {
- serviceName: 'Microsoft.Web/hostingEnvironments'
- }
- }
- ]
- }
- }
- ]
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
- name: keyVaultName
- location: location
- properties: {
- sku: {
- family: 'A'
- name: 'standard'
- }
- tenantId: tenant().tenantId
- enablePurgeProtection: null
- enabledForTemplateDeployment: true
- enabledForDiskEncryption: true
- enabledForDeployment: true
- enableRbacAuthorization: true
- accessPolicies: []
- }
-}
-
-resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${managedIdentity.name}-KeyVault-Admin-RoleAssignment')
- scope: keyVault
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') // Key Vault Administrator
- principalType: 'ServicePrincipal'
- }
-}
-
-resource certDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
- name: certDeploymentScriptName
- location: location
- kind: 'AzurePowerShell'
- identity: {
- type: 'UserAssigned'
- userAssignedIdentities: {
- '${managedIdentity.id}': {}
- }
- }
- properties: {
- azPowerShellVersion: '8.0'
- retentionInterval: 'P1D'
- arguments: '-KeyVaultName "${keyVault.name}" -CertName "asev3certificate" -CertSubjectName "CN=*.internal.contoso.com"'
- scriptContent: loadTextContent('../../../../../.shared/.scripts/Set-CertificateInKeyVault.ps1')
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The URL of the created certificate.')
-output certificateSecretUrl string = certDeploymentScript.properties.outputs.secretUrl
diff --git a/modules/web/hosting-environment/tests/e2e/asev3/main.test.bicep b/modules/web/hosting-environment/tests/e2e/asev3/main.test.bicep
deleted file mode 100644
index 93269c7e3b..0000000000
--- a/modules/web/hosting-environment/tests/e2e/asev3/main.test.bicep
+++ /dev/null
@@ -1,130 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-web.hostingenvironments-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'whasev3'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- networkSecurityGroupName: 'dep-${namePrefix}-nsg-${serviceShort}'
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}'
- certDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- location: resourceGroup.location
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- resourceType: 'App Service Environment'
- hostingEnvironmentName: '${namePrefix}${serviceShort}001'
- }
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- internalLoadBalancingMode: 'Web, Publishing'
- clusterSettings: [
- {
- name: 'DisableTls1.0'
- value: '1'
- }
- ]
- allowNewPrivateEndpointConnections: true
- ftpEnabled: true
- inboundIpAddressOverride: '10.0.0.10'
- remoteDebugEnabled: true
- upgradePreference: 'Late'
- diagnosticSettings: [
- {
- name: 'customSetting'
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- customDnsSuffix: 'internal.contoso.com'
- customDnsSuffixCertificateUrl: nestedDependencies.outputs.certificateSecretUrl
- customDnsSuffixKeyVaultReferenceIdentity: nestedDependencies.outputs.managedIdentityResourceId
- }
-}]
diff --git a/modules/web/hosting-environment/version.json b/modules/web/hosting-environment/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/web/hosting-environment/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/web/serverfarm/MOVED-TO-AVM.md b/modules/web/serverfarm/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/web/serverfarm/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/web/serverfarm/README.md b/modules/web/serverfarm/README.md
index 8e6283c085..463951172d 100644
--- a/modules/web/serverfarm/README.md
+++ b/modules/web/serverfarm/README.md
@@ -1,666 +1,7 @@
-# App Service Plans `[Microsoft.Web/serverfarms]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/web/serverfarm](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/web/serverfarm).** -This module deploys an App Service Plan. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/web/serverfarm). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Web/serverfarms` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-09-01/serverfarms) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
- ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/web.serverfarm:1.0.0`. - -- [Using large parameter set](#example-1-using-large-parameter-set) -- [WAF-aligned](#example-2-waf-aligned) - -### Example 1: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -
- -via Bicep module - -```bicep -module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-wsfmax' - params: { - // Required parameters - name: 'wsfmax001' - sku: { - capacity: '1' - family: 'S' - name: 'S1' - size: 'S1' - tier: 'Standard' - } - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "wsfmax001" - }, - "sku": { - "value": { - "capacity": "1", - "family": "S", - "name": "S1", - "size": "S1", - "tier": "Standard" - } - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 2: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-wsfwaf' - params: { - // Required parameters - name: 'wsfwaf001' - sku: { - capacity: '1' - family: 'S' - name: 'S1' - size: 'S1' - tier: 'Standard' - } - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "wsfwaf001" - }, - "sku": { - "value": { - "capacity": "1", - "family": "S", - "name": "S1", - "size": "S1", - "tier": "Standard" - } - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The name of the app service plan to deploy. | -| [`sku`](#parameter-sku) | object | Defines the name, tier, size, family and capacity of the App Service Plan. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`reserved`](#parameter-reserved) | bool | Defaults to false when creating Windows/app App Service Plan. Required if creating a Linux App Service Plan and must be set to true. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`appServiceEnvironmentId`](#parameter-appserviceenvironmentid) | string | The Resource ID of the App Service Environment to use for the App Service Plan. | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`maximumElasticWorkerCount`](#parameter-maximumelasticworkercount) | int | Maximum number of total workers allowed for this ElasticScaleEnabled App Service Plan. | -| [`perSiteScaling`](#parameter-persitescaling) | bool | If true, apps assigned to this App Service plan can be scaled independently. If false, apps assigned to this App Service plan will scale to all instances of the plan. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`targetWorkerCount`](#parameter-targetworkercount) | int | Scaling worker count. | -| [`targetWorkerSize`](#parameter-targetworkersize) | int | The instance size of the hosting plan (small, medium, or large). 
| -| [`workerTierName`](#parameter-workertiername) | string | Target worker tier assigned to the App Service plan. | -| [`zoneRedundant`](#parameter-zoneredundant) | bool | When true, this App Service Plan will perform availability zone balancing. | - -### Parameter: `name` - -The name of the app service plan to deploy. - -- Required: Yes -- Type: string - -### Parameter: `sku` - -Defines the name, tier, size, family and capacity of the App Service Plan. - -- Required: Yes -- Type: object - -### Parameter: `reserved` - -Defaults to false when creating Windows/app App Service Plan. Required if creating a Linux App Service Plan and must be set to true. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `appServiceEnvironmentId` - -The Resource ID of the App Service Environment to use for the App Service Plan. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. 
| -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `maximumElasticWorkerCount` - -Maximum number of total workers allowed for this ElasticScaleEnabled App Service Plan. - -- Required: No -- Type: int -- Default: `1` - -### Parameter: `perSiteScaling` - -If true, apps assigned to this App Service plan can be scaled independently. If false, apps assigned to this App Service plan will scale to all instances of the plan. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. 
| -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `targetWorkerCount` - -Scaling worker count. 
- -- Required: No -- Type: int -- Default: `0` - -### Parameter: `targetWorkerSize` - -The instance size of the hosting plan (small, medium, or large). - -- Required: No -- Type: int -- Default: `0` -- Allowed: - ```Bicep - [ - 0 - 1 - 2 - ] - ``` - -### Parameter: `workerTierName` - -Target worker tier assigned to the App Service plan. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `zoneRedundant` - -When true, this App Service Plan will perform availability zone balancing. - -- Required: No -- Type: bool -- Default: `False` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the app service plan. | -| `resourceGroupName` | string | The resource group the app service plan was deployed into. | -| `resourceId` | string | The resource ID of the app service plan. | - -## Cross-referenced modules - -_None_ +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/web/serverfarm/main.bicep b/modules/web/serverfarm/main.bicep deleted file mode 100644 index 81f5bb336a..0000000000 --- a/modules/web/serverfarm/main.bicep +++ /dev/null 
@@ -1,227 +0,0 @@
-metadata name = 'App Service Plans'
-metadata description = 'This module deploys an App Service Plan.'
-metadata owner = 'Azure/module-maintainers'
-
-// ================ //
-// Parameters //
-// ================ //
-@description('Required. The name of the app service plan to deploy.')
-@minLength(1)
-@maxLength(40)
-param name string
-
-@description('Required. Defines the name, tier, size, family and capacity of the App Service Plan.')
-param sku object
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Conditional. Defaults to false when creating Windows/app App Service Plan. Required if creating a Linux App Service Plan and must be set to true.')
-param reserved bool = false
-
-@description('Optional. The Resource ID of the App Service Environment to use for the App Service Plan.')
-param appServiceEnvironmentId string = ''
-
-@description('Optional. Target worker tier assigned to the App Service plan.')
-param workerTierName string = ''
-
-@description('Optional. If true, apps assigned to this App Service plan can be scaled independently. If false, apps assigned to this App Service plan will scale to all instances of the plan.')
-param perSiteScaling bool = false
-
-@description('Optional. Maximum number of total workers allowed for this ElasticScaleEnabled App Service Plan.')
-param maximumElasticWorkerCount int = 1
-
-@description('Optional. Scaling worker count.')
-param targetWorkerCount int = 0
-
-@description('Optional. The instance size of the hosting plan (small, medium, or large).')
-@allowed([
- 0
- 1
- 2
-])
-param targetWorkerSize int = 0
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. When true, this App Service Plan will perform availability zone balancing.')
-param zoneRedundant bool = false
-
-// ============ //
-// Dependencies //
-// ============ //
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
- 'Web Plan Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')
- 'Website Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource appServicePlan 'Microsoft.Web/serverfarms@2022-09-01' = {
- name: name
- location: location
- tags: tags
- sku: sku
- properties: {
- workerTierName: workerTierName
- hostingEnvironmentProfile: !empty(appServiceEnvironmentId) ? {
- id: appServiceEnvironmentId
- } : null
- perSiteScaling: perSiteScaling
- maximumElasticWorkerCount: maximumElasticWorkerCount
- reserved: reserved
- targetWorkerCount: targetWorkerCount
- targetWorkerSizeId: targetWorkerSize
- zoneRedundant: zoneRedundant
- }
-}
-
-resource appServicePlan_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: appServicePlan
-}]
-
-resource appServicePlan_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: appServicePlan
-}
-
-resource appServicePlan_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(appServicePlan.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: appServicePlan
-}]
-
-// =========== //
-// Outputs //
-// =========== //
-@description('The resource group the app service plan was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the app service plan.')
-output name string = appServicePlan.name
-
-@description('The resource ID of the app service plan.')
-output resourceId string = appServicePlan.id
-
-@description('The location the resource was deployed into.')
-output location string = appServicePlan.location
-
-// =============== //
-// Definitions //
-// =============== //
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/web/serverfarm/main.json b/modules/web/serverfarm/main.json
deleted file mode 100644
index 9402f8697b..0000000000
--- a/modules/web/serverfarm/main.json
+++ /dev/null
@@ -1,437 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "8141689023365328842" - }, - "name": "App Service Plans", - "description": "This module deploys an App Service Plan.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "minLength": 1, - "maxLength": 40, - "metadata": { - "description": "Required. The name of the app service plan to deploy." - } - }, - "sku": { - "type": "object", - "metadata": { - "description": "Required. Defines the name, tier, size, family and capacity of the App Service Plan." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." 
- } - }, - "reserved": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Conditional. Defaults to false when creating Windows/app App Service Plan. Required if creating a Linux App Service Plan and must be set to true." - } - }, - "appServiceEnvironmentId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The Resource ID of the App Service Environment to use for the App Service Plan." - } - }, - "workerTierName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Target worker tier assigned to the App Service plan." - } - }, - "perSiteScaling": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. If true, apps assigned to this App Service plan can be scaled independently. If false, apps assigned to this App Service plan will scale to all instances of the plan." - } - }, - "maximumElasticWorkerCount": { - "type": "int", - "defaultValue": 1, - "metadata": { - "description": "Optional. Maximum number of total workers allowed for this ElasticScaleEnabled App Service Plan." - } - }, - "targetWorkerCount": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. Scaling worker count." - } - }, - "targetWorkerSize": { - "type": "int", - "defaultValue": 0, - "allowedValues": [ - 0, - 1, - 2 - ], - "metadata": { - "description": "Optional. The instance size of the hosting plan (small, medium, or large)." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "zoneRedundant": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. When true, this App Service Plan will perform availability zone balancing." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Web Plan Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", - "Website Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "appServicePlan": { - "type": "Microsoft.Web/serverfarms", - "apiVersion": "2022-09-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": "[parameters('sku')]", - "properties": { - "workerTierName": "[parameters('workerTierName')]", - "hostingEnvironmentProfile": "[if(not(empty(parameters('appServiceEnvironmentId'))), createObject('id', parameters('appServiceEnvironmentId')), null())]", - "perSiteScaling": "[parameters('perSiteScaling')]", - "maximumElasticWorkerCount": "[parameters('maximumElasticWorkerCount')]", - "reserved": "[parameters('reserved')]", - "targetWorkerCount": "[parameters('targetWorkerCount')]", - "targetWorkerSizeId": "[parameters('targetWorkerSize')]", - "zoneRedundant": "[parameters('zoneRedundant')]" - } - }, - "appServicePlan_diagnosticSettings": { - "copy": { - "name": "appServicePlan_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Web/serverfarms/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), 
createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "appServicePlan" - ] - }, - "appServicePlan_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Web/serverfarms/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "appServicePlan" - ] - }, - "appServicePlan_roleAssignments": { - "copy": { - "name": "appServicePlan_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Web/serverfarms/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Web/serverfarms', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": 
"[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "appServicePlan" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the app service plan was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the app service plan." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the app service plan." - }, - "value": "[resourceId('Microsoft.Web/serverfarms', parameters('name'))]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('appServicePlan', '2022-09-01', 'full').location]" - } - } -} \ No newline at end of file
diff --git a/modules/web/serverfarm/tests/e2e/max/dependencies.bicep b/modules/web/serverfarm/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/web/serverfarm/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/web/serverfarm/tests/e2e/max/main.test.bicep b/modules/web/serverfarm/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 7eadba7f28..0000000000
--- a/modules/web/serverfarm/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,118 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-web.serverfarms-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'wsfmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- sku: {
- capacity: '1'
- family: 'S'
- name: 'S1'
- size: 'S1'
- tier: 'Standard'
- }
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/web/serverfarm/tests/e2e/waf-aligned/dependencies.bicep b/modules/web/serverfarm/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index a7f42aee7b..0000000000
--- a/modules/web/serverfarm/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep b/modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index f784e6761a..0000000000
--- a/modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,101 +0,0 @@ -targetScope = 'subscription' - -metadata name = 'WAF-aligned' -metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-web.serverfarms-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'wsfwaf' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 
'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - sku: { - capacity: '1' - family: 'S' - name: 'S1' - size: 'S1' - tier: 'Standard' - } - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -}] diff --git a/modules/web/serverfarm/version.json b/modules/web/serverfarm/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/web/serverfarm/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/web/site/MOVED-TO-AVM.md b/modules/web/site/MOVED-TO-AVM.md deleted file mode 100644 index cec0941d12..0000000000 --- a/modules/web/site/MOVED-TO-AVM.md +++ /dev/null 
@@ -1 +0,0 @@ -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/web/site/README.md b/modules/web/site/README.md index 8af07c0c65..8e0fe219d2 100644 --- a/modules/web/site/README.md +++ b/modules/web/site/README.md @@ -1,1863 +1,7 @@ -# Web/Function Apps `[Microsoft.Web/sites]` +

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/web/site](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/web/site).** -This module deploys a Web or Function App. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/web/site). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -| `Microsoft.Web/sites` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-09-01/sites) | -| 
`Microsoft.Web/sites/basicPublishingCredentialsPolicies` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites) | -| `Microsoft.Web/sites/config` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites) | -| `Microsoft.Web/sites/hybridConnectionNamespaces/relays` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-09-01/sites/hybridConnectionNamespaces/relays) | -| `Microsoft.Web/sites/slots` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-09-01/sites/slots) | -| `Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites) | -| `Microsoft.Web/sites/slots/config` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites) | -| `Microsoft.Web/sites/slots/hybridConnectionNamespaces/relays` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-09-01/sites/slots/hybridConnectionNamespaces/relays) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/web.site:1.0.0`. - -- [Functionappcommon](#example-1-functionappcommon) -- [Functionappmin](#example-2-functionappmin) -- [Webappcommon](#example-3-webappcommon) -- [Webappmin](#example-4-webappmin) - -### Example 1: _Functionappcommon_ - -
- -via Bicep module - -```bicep -module site 'br:bicep/modules/web.site:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-wsfacom' - params: { - // Required parameters - kind: 'functionapp' - name: 'wsfacom001' - serverFarmResourceId: '' - // Non-required parameters - appInsightResourceId: '' - appSettingsKeyValuePairs: { - AzureFunctionsJobHost__logging__logLevel__default: 'Trace' - EASYAUTH_SECRET: '' - FUNCTIONS_EXTENSION_VERSION: '~4' - FUNCTIONS_WORKER_RUNTIME: 'dotnet' - } - authSettingV2Configuration: { - globalValidation: { - requireAuthentication: true - unauthenticatedClientAction: 'Return401' - } - httpSettings: { - forwardProxy: { - convention: 'NoProxy' - } - requireHttps: true - routes: { - apiPrefix: '/.auth' - } - } - identityProviders: { - azureActiveDirectory: { - enabled: true - login: { - disableWWWAuthenticate: false - } - registration: { - clientId: 'd874dd2f-2032-4db1-a053-f0ec243685aa' - clientSecretSettingName: 'EASYAUTH_SECRET' - openIdIssuer: '' - } - validation: { - allowedAudiences: [ - 'api://d874dd2f-2032-4db1-a053-f0ec243685aa' - ] - defaultAuthorizationPolicy: { - allowedPrincipals: {} - } - jwtClaimChecks: {} - } - } - } - login: { - allowedExternalRedirectUrls: [ - 'string' - ] - cookieExpiration: { - convention: 'FixedTime' - timeToExpiration: '08:00:00' - } - nonce: { - nonceExpirationInterval: '00:05:00' - validateNonce: true - } - preserveUrlFragmentsForLogins: false - routes: {} - tokenStore: { - azureBlobStorage: {} - enabled: true - fileSystem: {} - tokenRefreshExtensionHours: 72 - } - } - platform: { - enabled: true - runtimeVersion: '~1' - } - } - basicPublishingCredentialsPolicies: [ - { - allow: false - name: 'ftp' - } - { - allow: false - name: 'scm' - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - 
enableDefaultTelemetry: '' - hybridConnectionRelays: [ - { - resourceId: '' - sendKeyName: 'defaultSender' - } - ] - keyVaultAccessIdentityResourceId: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - setAzureWebJobsDashboard: true - siteConfig: { - alwaysOn: true - use32BitWorkerProcess: false - } - storageAccountResourceId: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "kind": { - "value": "functionapp" - }, - "name": { - "value": "wsfacom001" - }, - "serverFarmResourceId": { - "value": "" - }, - // Non-required parameters - "appInsightResourceId": { - "value": "" - }, - "appSettingsKeyValuePairs": { - "value": { - "AzureFunctionsJobHost__logging__logLevel__default": "Trace", - "EASYAUTH_SECRET": "", - "FUNCTIONS_EXTENSION_VERSION": "~4", - "FUNCTIONS_WORKER_RUNTIME": "dotnet" - } - }, - "authSettingV2Configuration": { - "value": { - "globalValidation": { - "requireAuthentication": true, - "unauthenticatedClientAction": "Return401" - }, - "httpSettings": { - "forwardProxy": { - "convention": "NoProxy" - }, - "requireHttps": true, - "routes": { - "apiPrefix": "/.auth" - } - }, - "identityProviders": { - "azureActiveDirectory": { - "enabled": true, - "login": { - "disableWWWAuthenticate": false - }, - "registration": { - "clientId": "d874dd2f-2032-4db1-a053-f0ec243685aa", - "clientSecretSettingName": "EASYAUTH_SECRET", - "openIdIssuer": "" - }, - "validation": { - "allowedAudiences": [ - "api://d874dd2f-2032-4db1-a053-f0ec243685aa" - ], - "defaultAuthorizationPolicy": { - "allowedPrincipals": {} - }, - "jwtClaimChecks": {} - } - } - }, - "login": { - "allowedExternalRedirectUrls": [ - "string" - ], - "cookieExpiration": { - "convention": "FixedTime", - "timeToExpiration": "08:00:00" - }, - "nonce": { - "nonceExpirationInterval": "00:05:00", - "validateNonce": true - }, - "preserveUrlFragmentsForLogins": false, - "routes": {}, - "tokenStore": { - "azureBlobStorage": {}, - "enabled": true, - "fileSystem": {}, - "tokenRefreshExtensionHours": 72 - } - }, - "platform": { - "enabled": true, - "runtimeVersion": "~1" - } - } - }, - "basicPublishingCredentialsPolicies": { - "value": [ - { - "allow": false, - "name": "ftp" - }, - 
{ - "allow": false, - "name": "scm" - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "hybridConnectionRelays": { - "value": [ - { - "resourceId": "", - "sendKeyName": "defaultSender" - } - ] - }, - "keyVaultAccessIdentityResourceId": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "setAzureWebJobsDashboard": { - "value": true - }, - "siteConfig": { - "value": { - "alwaysOn": true, - "use32BitWorkerProcess": false - } - }, - "storageAccountResourceId": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Functionappmin_ - -

- -via Bicep module - -```bicep -module site 'br:bicep/modules/web.site:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-wsfamin' - params: { - // Required parameters - kind: 'functionapp' - name: 'wsfamin001' - serverFarmResourceId: '' - // Non-required parameters - enableDefaultTelemetry: '' - siteConfig: { - alwaysOn: true - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "kind": { - "value": "functionapp" - }, - "name": { - "value": "wsfamin001" - }, - "serverFarmResourceId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "siteConfig": { - "value": { - "alwaysOn": true - } - } - } -} -``` - -
-

- -### Example 3: _Webappcommon_ - -

- -via Bicep module - -```bicep -module site 'br:bicep/modules/web.site:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-wswa' - params: { - // Required parameters - kind: 'app' - name: 'wswa001' - serverFarmResourceId: '' - // Non-required parameters - basicPublishingCredentialsPolicies: [ - { - allow: false - name: 'ftp' - } - { - allow: false - name: 'scm' - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - httpsOnly: true - hybridConnectionRelays: [ - { - resourceId: '' - sendKeyName: 'defaultSender' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - publicNetworkAccess: 'Disabled' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - scmSiteAlsoStopped: true - siteConfig: { - alwaysOn: true - metadata: [ - { - name: 'CURRENT_STACK' - value: 'dotnetcore' - } - ] - } - slots: [ - { - basicPublishingCredentialsPolicies: [ - { - allow: false - name: 'ftp' - } - { - allow: false - name: 'scm' - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - hybridConnectionRelays: [ - { - 
resourceId: '' - sendKeyName: 'defaultSender' - } - ] - name: 'slot1' - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - siteConfig: { - alwaysOn: true - metadata: [ - { - name: 'CURRENT_STACK' - value: 'dotnetcore' - } - ] - } - } - { - basicPublishingCredentialsPolicies: [ - { - name: 'ftp' - } - { - name: 'scm' - } - ] - name: 'slot2' - } - ] - vnetContentShareEnabled: true - vnetImagePullEnabled: true - vnetRouteAllEnabled: true - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "kind": { - "value": "app" - }, - "name": { - "value": "wswa001" - }, - "serverFarmResourceId": { - "value": "" - }, - // Non-required parameters - "basicPublishingCredentialsPolicies": { - "value": [ - { - "allow": false, - "name": "ftp" - }, - { - "allow": false, - "name": "scm" - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "httpsOnly": { - "value": true - }, - "hybridConnectionRelays": { - "value": [ - { - "resourceId": "", - "sendKeyName": "defaultSender" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "publicNetworkAccess": { - "value": "Disabled" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "scmSiteAlsoStopped": { - "value": true - }, - "siteConfig": { - "value": { - "alwaysOn": true, - "metadata": [ 
- { - "name": "CURRENT_STACK", - "value": "dotnetcore" - } - ] - } - }, - "slots": { - "value": [ - { - "basicPublishingCredentialsPolicies": [ - { - "allow": false, - "name": "ftp" - }, - { - "allow": false, - "name": "scm" - } - ], - "diagnosticSettings": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ], - "hybridConnectionRelays": [ - { - "resourceId": "", - "sendKeyName": "defaultSender" - } - ], - "name": "slot1", - "privateEndpoints": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ], - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], - "siteConfig": { - "alwaysOn": true, - "metadata": [ - { - "name": "CURRENT_STACK", - "value": "dotnetcore" - } - ] - } - }, - { - "basicPublishingCredentialsPolicies": [ - { - "name": "ftp" - }, - { - "name": "scm" - } - ], - "name": "slot2" - } - ] - }, - "vnetContentShareEnabled": { - "value": true - }, - "vnetImagePullEnabled": { - "value": true - }, - "vnetRouteAllEnabled": { - "value": true - } - } -} -``` - -
-

- -### Example 4: _Webappmin_ - -

- -via Bicep module - -```bicep -module site 'br:bicep/modules/web.site:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-wswamin' - params: { - // Required parameters - kind: 'app' - name: 'wswamin001' - serverFarmResourceId: '' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "kind": { - "value": "app" - }, - "name": { - "value": "wswamin001" - }, - "serverFarmResourceId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-kind) | string | Type of site to deploy. | -| [`name`](#parameter-name) | string | Name of the site. | -| [`serverFarmResourceId`](#parameter-serverfarmresourceid) | string | The resource ID of the app service plan to use for the site. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`appInsightResourceId`](#parameter-appinsightresourceid) | string | Resource ID of the app insight to leverage for this resource. | -| [`appServiceEnvironmentResourceId`](#parameter-appserviceenvironmentresourceid) | string | The resource ID of the app service environment to use for this resource. | -| [`appSettingsKeyValuePairs`](#parameter-appsettingskeyvaluepairs) | object | The app settings-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING. | -| [`authSettingV2Configuration`](#parameter-authsettingv2configuration) | object | The auth settings V2 configuration. | -| [`basicPublishingCredentialsPolicies`](#parameter-basicpublishingcredentialspolicies) | array | The site publishing credential policy names which are associated with the sites. | -| [`clientAffinityEnabled`](#parameter-clientaffinityenabled) | bool | If client affinity is enabled. | -| [`clientCertEnabled`](#parameter-clientcertenabled) | bool | To enable client certificate authentication (TLS mutual authentication). | -| [`clientCertExclusionPaths`](#parameter-clientcertexclusionpaths) | string | Client certificate authentication comma-separated exclusion paths. | -| [`clientCertMode`](#parameter-clientcertmode) | string | This composes with ClientCertEnabled setting.

- ClientCertEnabled: false means ClientCert is ignored.

- ClientCertEnabled: true and ClientCertMode: Required means ClientCert is required.

- ClientCertEnabled: true and ClientCertMode: Optional means ClientCert is optional or accepted. | -| [`cloningInfo`](#parameter-cloninginfo) | object | If specified during app creation, the app is cloned from a source app. | -| [`containerSize`](#parameter-containersize) | int | Size of the function container. | -| [`customDomainVerificationId`](#parameter-customdomainverificationid) | string | Unique identifier that verifies the custom domains assigned to the app. Customer will add this ID to a txt record for verification. | -| [`dailyMemoryTimeQuota`](#parameter-dailymemorytimequota) | int | Maximum allowed daily memory-time quota (applicable on dynamic apps only). | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enabled`](#parameter-enabled) | bool | Setting this value to false disables the app (takes the app offline). | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`hostNameSslStates`](#parameter-hostnamesslstates) | array | Hostname SSL states are used to manage the SSL bindings for app's hostnames. | -| [`httpsOnly`](#parameter-httpsonly) | bool | Configures a site to accept only HTTPS requests. Issues redirect for HTTP requests. | -| [`hybridConnectionRelays`](#parameter-hybridconnectionrelays) | array | Names of hybrid connection relays to connect app with. | -| [`hyperV`](#parameter-hyperv) | bool | Hyper-V sandbox. | -| [`keyVaultAccessIdentityResourceId`](#parameter-keyvaultaccessidentityresourceid) | string | The resource ID of the assigned identity to be used to access a key vault with. | -| [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. 
| -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | -| [`redundancyMode`](#parameter-redundancymode) | string | Site redundancy mode. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`scmSiteAlsoStopped`](#parameter-scmsitealsostopped) | bool | Stop SCM (KUDU) site when the app is stopped. | -| [`setAzureWebJobsDashboard`](#parameter-setazurewebjobsdashboard) | bool | For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons. | -| [`siteConfig`](#parameter-siteconfig) | object | The site config object. | -| [`slots`](#parameter-slots) | array | Configuration for deployment slots for an app. | -| [`storageAccountRequired`](#parameter-storageaccountrequired) | bool | Checks if Customer provided storage account is required. | -| [`storageAccountResourceId`](#parameter-storageaccountresourceid) | string | Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`virtualNetworkSubnetId`](#parameter-virtualnetworksubnetid) | string | Azure Resource Manager ID of the Virtual network and subnet to be joined by Regional VNET Integration. This must be of the form /subscriptions/{subscriptionName}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}. 
| -| [`vnetContentShareEnabled`](#parameter-vnetcontentshareenabled) | bool | To enable accessing content over virtual network. | -| [`vnetImagePullEnabled`](#parameter-vnetimagepullenabled) | bool | To enable pulling image over Virtual Network. | -| [`vnetRouteAllEnabled`](#parameter-vnetrouteallenabled) | bool | Virtual Network Route All enabled. This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied. | - -### Parameter: `kind` - -Type of site to deploy. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'app' - 'functionapp' - 'functionapp,linux' - 'functionapp,workflowapp' - 'functionapp,workflowapp,linux' - ] - ``` - -### Parameter: `name` - -Name of the site. - -- Required: Yes -- Type: string - -### Parameter: `serverFarmResourceId` - -The resource ID of the app service plan to use for the site. - -- Required: Yes -- Type: string - -### Parameter: `appInsightResourceId` - -Resource ID of the app insight to leverage for this resource. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `appServiceEnvironmentResourceId` - -The resource ID of the app service environment to use for this resource. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `appSettingsKeyValuePairs` - -The app settings-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `authSettingV2Configuration` - -The auth settings V2 configuration. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `basicPublishingCredentialsPolicies` - -The site publishing credential policy names which are associated with the sites. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `clientAffinityEnabled` - -If client affinity is enabled. 
- -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `clientCertEnabled` - -To enable client certificate authentication (TLS mutual authentication). - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `clientCertExclusionPaths` - -Client certificate authentication comma-separated exclusion paths. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `clientCertMode` - -This composes with ClientCertEnabled setting.

- ClientCertEnabled: false means ClientCert is ignored.

- ClientCertEnabled: true and ClientCertMode: Required means ClientCert is required.

- ClientCertEnabled: true and ClientCertMode: Optional means ClientCert is optional or accepted. - -- Required: No -- Type: string -- Default: `'Optional'` -- Allowed: - ```Bicep - [ - 'Optional' - 'OptionalInteractiveUser' - 'Required' - ] - ``` - -### Parameter: `cloningInfo` - -If specified during app creation, the app is cloned from a source app. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `containerSize` - -Size of the function container. - -- Required: No -- Type: int -- Default: `-1` - -### Parameter: `customDomainVerificationId` - -Unique identifier that verifies the custom domains assigned to the app. Customer will add this ID to a txt record for verification. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `dailyMemoryTimeQuota` - -Maximum allowed daily memory-time quota (applicable on dynamic apps only). - -- Required: No -- Type: int -- Default: `-1` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enabled` - -Setting this value to false disables the app (takes the app offline). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). 
- -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `hostNameSslStates` - -Hostname SSL states are used to manage the SSL bindings for app's hostnames. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `httpsOnly` - -Configures a site to accept only HTTPS requests. Issues redirect for HTTP requests. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `hybridConnectionRelays` - -Names of hybrid connection relays to connect app with. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `hyperV` - -Hyper-V sandbox. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `keyVaultAccessIdentityResourceId` - -The resource ID of the assigned identity to be used to access a key vault with. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `location` - -Location for all Resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. 
| -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints` - -Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. 
| -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.subnetResourceId` - -Resource ID of the subnet where the endpoint needs to be created. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Application security groups in which the private endpoint IP configuration is included. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customDnsConfigs` - -Custom DNS configurations. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customNetworkInterfaceName` - -The custom name of the network interface attached to the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.enableTelemetry` - -Enable/Disable usage telemetry for module. - -- Required: No -- Type: bool - -### Parameter: `privateEndpoints.ipConfigurations` - -A list of IP configurations of the private endpoint. 
This will be used to map to the First Party Service endpoints. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.location` - -The location to deploy the private endpoint to. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.lock` - -Specify the type of lock. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | -| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | - -### Parameter: `privateEndpoints.lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `privateEndpoints.lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` - -Manual PrivateLink Service Connections. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.name` - -The name of the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneGroupName` - -The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` - -The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| -| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `privateEndpoints.roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.condition` - -The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `privateEndpoints.service` - -The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.tags` - -Tags to be applied on all resources/resource groups in this deployment. - -- Required: No -- Type: object - -### Parameter: `publicNetworkAccess` - -Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `redundancyMode` - -Site redundancy mode. - -- Required: No -- Type: string -- Default: `'None'` -- Allowed: - ```Bicep - [ - 'ActiveActive' - 'Failover' - 'GeoRedundant' - 'Manual' - 'None' - ] - ``` - -### Parameter: `roleAssignments` - -Array of role assignments to create. 
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
- -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `scmSiteAlsoStopped` - -Stop SCM (KUDU) site when the app is stopped. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `setAzureWebJobsDashboard` - -For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons. - -- Required: No -- Type: bool -- Default: `[if(contains(parameters('kind'), 'functionapp'), true(), false())]` - -### Parameter: `siteConfig` - -The site config object. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `slots` - -Configuration for deployment slots for an app. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `storageAccountRequired` - -Checks if Customer provided storage account is required. 
- -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `storageAccountResourceId` - -Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `virtualNetworkSubnetId` - -Azure Resource Manager ID of the Virtual network and subnet to be joined by Regional VNET Integration. This must be of the form /subscriptions/{subscriptionName}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `vnetContentShareEnabled` - -To enable accessing content over virtual network. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `vnetImagePullEnabled` - -To enable pulling image over Virtual Network. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `vnetRouteAllEnabled` - -Virtual Network Route All enabled. This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied. - -- Required: No -- Type: bool -- Default: `False` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `defaultHostname` | string | Default hostname of the app. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the site. | -| `resourceGroupName` | string | The resource group the site was deployed into. | -| `resourceId` | string | The resource ID of the site. | -| `slotResourceIds` | array | The list of the slot resource ids. | -| `slots` | array | The list of the slots. | -| `slotSystemAssignedMIPrincipalIds` | array | The principal ID of the system assigned identity of slots. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. 
| - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `modules/network/private-endpoint` | Local reference | - -## Notes - -### Parameter Usage: `appSettingsKeyValuePairs` - -AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING are set separately (check parameters storageAccountId, setAzureWebJobsDashboard, appInsightId). -For all other app settings key-value pairs use this object. - -
- -Parameter JSON format - -```json -"appSettingsKeyValuePairs": { - "value": { - "AzureFunctionsJobHost__logging__logLevel__default": "Trace", - "EASYAUTH_SECRET": "https://adp-[[namePrefix]]-az-kv-x-001.vault.azure.net/secrets/Modules-Test-SP-Password", - "FUNCTIONS_EXTENSION_VERSION": "~4", - "FUNCTIONS_WORKER_RUNTIME": "dotnet" - } -} -``` - -
- -
- -Bicep format - -```bicep -appSettingsKeyValuePairs: { - AzureFunctionsJobHost__logging__logLevel__default: 'Trace' - EASYAUTH_SECRET: 'https://adp-[[namePrefix]]-az-kv-x-001.vault.azure.net/secrets/Modules-Test-SP-Password' - FUNCTIONS_EXTENSION_VERSION: '~4' - FUNCTIONS_WORKER_RUNTIME: 'dotnet' -} -``` - -
-

+For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F).
diff --git a/modules/web/site/basic-publishing-credentials-policy/README.md b/modules/web/site/basic-publishing-credentials-policy/README.md
deleted file mode 100644
index 518f921374..0000000000
--- a/modules/web/site/basic-publishing-credentials-policy/README.md
+++ /dev/null
@@ -1,97 +0,0 @@
-# Web Site Basic Publishing Credentials Policies `[Microsoft.Web/sites/basicPublishingCredentialsPolicies]`
-
-This module deploys a Web Site Basic Publishing Credentials Policy.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Web/sites/basicPublishingCredentialsPolicies` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the resource. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`webAppName`](#parameter-webappname) | string | The name of the parent web site. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`allow`](#parameter-allow) | bool | Set to true to enable or false to disable a publishing method. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`location`](#parameter-location) | string | Location for all Resources. |
-
-### Parameter: `name`
-
-The name of the resource.
-
-- Required: Yes
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'ftp'
- 'scm'
- ]
- ```
-
-### Parameter: `webAppName`
-
-The name of the parent web site. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `allow`
-
-Set to true to enable or false to disable a publishing method.
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `location`
-
-Location for all Resources.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the basic publishing credential policy. |
-| `resourceGroupName` | string | The name of the resource group the basic publishing credential policy was deployed into. |
-| `resourceId` | string | The resource ID of the basic publishing credential policy. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/web/site/basic-publishing-credentials-policy/main.bicep b/modules/web/site/basic-publishing-credentials-policy/main.bicep
deleted file mode 100644
index dd55286295..0000000000
--- a/modules/web/site/basic-publishing-credentials-policy/main.bicep
+++ /dev/null
@@ -1,59 +0,0 @@
-metadata name = 'Web Site Basic Publishing Credentials Policies'
-metadata description = 'This module deploys a Web Site Basic Publishing Credentials Policy.'
-metadata owner = 'Azure/module-maintainers'
-
-@sys.description('Required. The name of the resource.')
-@allowed([
- 'scm'
- 'ftp'
-])
-param name string
-
-@sys.description('Optional. Set to true to enable or false to disable a publishing method.')
-param allow bool = true
-
-@sys.description('Conditional. The name of the parent web site. Required if the template is used in a standalone deployment.')
-param webAppName string
-
-@description('Optional. Location for all Resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource webApp 'Microsoft.Web/sites@2022-09-01' existing = {
- name: webAppName
-}
-
-resource basicPublishingCredentialsPolicy 'Microsoft.Web/sites/basicPublishingCredentialsPolicies@2022-09-01' = {
- name: name
- location: location
- parent: webApp
- properties: {
- allow: allow
- }
-}
-
-@sys.description('The name of the basic publishing credential policy.')
-output name string = basicPublishingCredentialsPolicy.name
-
-@sys.description('The resource ID of the basic publishing credential policy.')
-output resourceId string = basicPublishingCredentialsPolicy.id
-
-@sys.description('The name of the resource group the basic publishing credential policy was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@sys.description('The location the resource was deployed into.')
-output location string = basicPublishingCredentialsPolicy.location
diff --git a/modules/web/site/basic-publishing-credentials-policy/main.json b/modules/web/site/basic-publishing-credentials-policy/main.json
deleted file mode 100644
index 2c3ec469f0..0000000000
--- a/modules/web/site/basic-publishing-credentials-policy/main.json
+++ /dev/null
@@ -1,108 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "12054216906297236281" - }, - "name": "Web Site Basic Publishing Credentials Policies", - "description": "This module deploys a Web Site Basic Publishing Credentials Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "allowedValues": [ - "scm", - "ftp" - ], - "metadata": { - "description": "Required. The name of the resource." - } - }, - "allow": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Set to true to enable or false to disable a publishing method." - } - }, - "webAppName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent web site. Required if the template is used in a standalone deployment." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}', parameters('webAppName'), parameters('name'))]", - "location": "[parameters('location')]", - "properties": { - "allow": "[parameters('allow')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the basic publishing credential policy." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the basic publishing credential policy." - }, - "value": "[resourceId('Microsoft.Web/sites/basicPublishingCredentialsPolicies', parameters('webAppName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the basic publishing credential policy was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference(resourceId('Microsoft.Web/sites/basicPublishingCredentialsPolicies', parameters('webAppName'), parameters('name')), '2022-09-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/web/site/basic-publishing-credentials-policy/version.json b/modules/web/site/basic-publishing-credentials-policy/version.json deleted file mode 100644 index 96236a61ba..0000000000 
--- a/modules/web/site/basic-publishing-credentials-policy/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/web/site/config--appsettings/README.md b/modules/web/site/config--appsettings/README.md
deleted file mode 100644
index 8beef8b592..0000000000
--- a/modules/web/site/config--appsettings/README.md
+++ /dev/null
@@ -1,166 +0,0 @@ -# Site App Settings `[Microsoft.Web/sites/config]` - -This module deploys a Site App Setting. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Web/sites/config` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-kind) | string | Type of site to deploy. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`appName`](#parameter-appname) | string | The name of the parent site resource. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`appInsightResourceId`](#parameter-appinsightresourceid) | string | Resource ID of the app insight to leverage for this resource. | -| [`appSettingsKeyValuePairs`](#parameter-appsettingskeyvaluepairs) | object | The app settings key-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`setAzureWebJobsDashboard`](#parameter-setazurewebjobsdashboard) | bool | For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons. | -| [`storageAccountResourceId`](#parameter-storageaccountresourceid) | string | Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions. 
| - -### Parameter: `kind` - -Type of site to deploy. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'app' - 'functionapp' - 'functionapp,linux' - 'functionapp,workflowapp' - 'functionapp,workflowapp,linux' - ] - ``` - -### Parameter: `appName` - -The name of the parent site resource. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `appInsightResourceId` - -Resource ID of the app insight to leverage for this resource. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `appSettingsKeyValuePairs` - -The app settings key-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `setAzureWebJobsDashboard` - -For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons. - -- Required: No -- Type: bool -- Default: `[if(contains(parameters('kind'), 'functionapp'), true(), false())]` - -### Parameter: `storageAccountResourceId` - -Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions. - -- Required: No -- Type: string -- Default: `''` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the site config. | -| `resourceGroupName` | string | The resource group the site config was deployed into. | -| `resourceId` | string | The resource ID of the site config. 
| - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `appSettingsKeyValuePairs` - -AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING are set separately (check parameters storageAccountId, setAzureWebJobsDashboard, appInsightId). -For all other app settings key-value pairs use this object. - -

- -Parameter JSON format - -```json -"appSettingsKeyValuePairs": { - "value": [ - { - "name": "key1", - "value": "val1" - }, - { - "name": "key2", - "value": "val2" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -appSettingsKeyValuePairs: [ - { - name: 'key1' - value: 'val1' - } - { - name: 'key2' - value: 'val2' - } -] -``` - -
-

diff --git a/modules/web/site/config--appsettings/main.bicep b/modules/web/site/config--appsettings/main.bicep
deleted file mode 100644
index 75f9a5d5eb..0000000000
--- a/modules/web/site/config--appsettings/main.bicep
+++ /dev/null
@@ -1,86 +0,0 @@ -metadata name = 'Site App Settings' -metadata description = 'This module deploys a Site App Setting.' -metadata owner = 'Azure/module-maintainers' - -@description('Conditional. The name of the parent site resource. Required if the template is used in a standalone deployment.') -param appName string - -@description('Required. Type of site to deploy.') -@allowed([ - 'functionapp' // function app windows os - 'functionapp,linux' // function app linux os - 'functionapp,workflowapp' // logic app workflow - 'functionapp,workflowapp,linux' // logic app docker container - 'app' // normal web app -]) -param kind string - -@description('Optional. Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions.') -param storageAccountResourceId string = '' - -@description('Optional. Resource ID of the app insight to leverage for this resource.') -param appInsightResourceId string = '' - -@description('Optional. For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons.') -param setAzureWebJobsDashboard bool = contains(kind, 'functionapp') ? true : false - -@description('Optional. The app settings key-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING.') -param appSettingsKeyValuePairs object = {} - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -var azureWebJobsValues = !empty(storageAccountResourceId) ? union({ - AzureWebJobsStorage: 'DefaultEndpointsProtocol=https;AccountName=${storageAccount.name};AccountKey=${storageAccount.listKeys().keys[0].value};' - }, ((setAzureWebJobsDashboard == true) ? 
{ - AzureWebJobsDashboard: 'DefaultEndpointsProtocol=https;AccountName=${storageAccount.name};AccountKey=${storageAccount.listKeys().keys[0].value};' - } : {})) : {} - -var appInsightsValues = !empty(appInsightResourceId) ? { - APPINSIGHTS_INSTRUMENTATIONKEY: appInsight.properties.InstrumentationKey - APPLICATIONINSIGHTS_CONNECTION_STRING: appInsight.properties.ConnectionString -} : {} - -var expandedAppSettings = union(appSettingsKeyValuePairs, azureWebJobsValues, appInsightsValues) - -resource app 'Microsoft.Web/sites@2022-09-01' existing = { - name: appName -} - -resource appInsight 'Microsoft.Insights/components@2020-02-02' existing = if (!empty(appInsightResourceId)) { - name: last(split(appInsightResourceId, '/'))! - scope: resourceGroup(split(appInsightResourceId, '/')[2], split(appInsightResourceId, '/')[4]) -} - -resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing = if (!empty(storageAccountResourceId)) { - name: last(split(storageAccountResourceId, '/'))! - scope: resourceGroup(split(storageAccountResourceId, '/')[2], split(storageAccountResourceId, '/')[4]) -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource appSettings 'Microsoft.Web/sites/config@2022-09-01' = { - name: 'appsettings' - kind: kind - parent: app - properties: expandedAppSettings -} - -@description('The name of the site config.') -output name string = appSettings.name - -@description('The resource ID of the site config.') -output resourceId string = appSettings.id - -@description('The resource group the site config was deployed into.') -output resourceGroupName string = resourceGroup().name 
diff --git a/modules/web/site/config--appsettings/main.json b/modules/web/site/config--appsettings/main.json
deleted file mode 100644
index ace57555b6..0000000000
--- a/modules/web/site/config--appsettings/main.json
+++ /dev/null
@@ -1,116 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "12410494471478708764" - }, - "name": "Site App Settings", - "description": "This module deploys a Site App Setting.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "appName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent site resource. Required if the template is used in a standalone deployment." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "functionapp", - "functionapp,linux", - "functionapp,workflowapp", - "functionapp,workflowapp,linux", - "app" - ], - "metadata": { - "description": "Required. Type of site to deploy." - } - }, - "storageAccountResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions." - } - }, - "appInsightResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the app insight to leverage for this resource." - } - }, - "setAzureWebJobsDashboard": { - "type": "bool", - "defaultValue": "[if(contains(parameters('kind'), 'functionapp'), true(), false())]", - "metadata": { - "description": "Optional. For function apps. If true the app settings \"AzureWebJobsDashboard\" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons." - } - }, - "appSettingsKeyValuePairs": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The app settings key-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Web/sites/config", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}', parameters('appName'), 'appsettings')]", - "kind": "[parameters('kind')]", - "properties": "[union(parameters('appSettingsKeyValuePairs'), if(not(empty(parameters('storageAccountResourceId'))), union(createObject('AzureWebJobsStorage', format('DefaultEndpointsProtocol=https;AccountName={0};AccountKey={1};', last(split(parameters('storageAccountResourceId'), '/')), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('storageAccountResourceId'), '/')[2], split(parameters('storageAccountResourceId'), '/')[4]), 'Microsoft.Storage/storageAccounts', last(split(parameters('storageAccountResourceId'), '/'))), '2023-01-01').keys[0].value)), if(equals(parameters('setAzureWebJobsDashboard'), true()), createObject('AzureWebJobsDashboard', format('DefaultEndpointsProtocol=https;AccountName={0};AccountKey={1};', last(split(parameters('storageAccountResourceId'), '/')), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('storageAccountResourceId'), '/')[2], split(parameters('storageAccountResourceId'), '/')[4]), 'Microsoft.Storage/storageAccounts', last(split(parameters('storageAccountResourceId'), '/'))), '2023-01-01').keys[0].value)), 
createObject())), createObject()), if(not(empty(parameters('appInsightResourceId'))), createObject('APPINSIGHTS_INSTRUMENTATIONKEY', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('appInsightResourceId'), '/')[2], split(parameters('appInsightResourceId'), '/')[4]), 'Microsoft.Insights/components', last(split(parameters('appInsightResourceId'), '/'))), '2020-02-02').InstrumentationKey, 'APPLICATIONINSIGHTS_CONNECTION_STRING', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('appInsightResourceId'), '/')[2], split(parameters('appInsightResourceId'), '/')[4]), 'Microsoft.Insights/components', last(split(parameters('appInsightResourceId'), '/'))), '2020-02-02').ConnectionString), createObject()))]" - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the site config." - }, - "value": "appsettings" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the site config." - }, - "value": "[resourceId('Microsoft.Web/sites/config', parameters('appName'), 'appsettings')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the site config was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/web/site/config--appsettings/version.json b/modules/web/site/config--appsettings/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/web/site/config--appsettings/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/web/site/config--authsettingsv2/README.md b/modules/web/site/config--authsettingsv2/README.md deleted file mode 100644 index 3c76ae259b..0000000000 
--- a/modules/web/site/config--authsettingsv2/README.md
+++ /dev/null
@@ -1,89 +0,0 @@ -# Site Auth Settings V2 Config `[Microsoft.Web/sites/config]` - -This module deploys a Site Auth Settings V2 Configuration. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Web/sites/config` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`authSettingV2Configuration`](#parameter-authsettingv2configuration) | object | The auth settings V2 configuration. | -| [`kind`](#parameter-kind) | string | Type of site to deploy. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`appName`](#parameter-appname) | string | The name of the parent site resource. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | - -### Parameter: `authSettingV2Configuration` - -The auth settings V2 configuration. - -- Required: Yes -- Type: object - -### Parameter: `kind` - -Type of site to deploy. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'app' - 'functionapp' - 'functionapp,linux' - 'functionapp,workflowapp' - 'functionapp,workflowapp,linux' - ] - ``` - -### Parameter: `appName` - -The name of the parent site resource. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). 
- -- Required: No -- Type: bool -- Default: `True` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the site config. | -| `resourceGroupName` | string | The resource group the site config was deployed into. | -| `resourceId` | string | The resource ID of the site config. | - -## Cross-referenced modules - -_None_ diff --git a/modules/web/site/config--authsettingsv2/main.bicep b/modules/web/site/config--authsettingsv2/main.bicep deleted file mode 100644 index 14f9589f8f..0000000000 --- a/modules/web/site/config--authsettingsv2/main.bicep +++ /dev/null 
@@ -1,54 +0,0 @@
-metadata name = 'Site Auth Settings V2 Config'
-metadata description = 'This module deploys a Site Auth Settings V2 Configuration.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent site resource. Required if the template is used in a standalone deployment.')
-param appName string
-
-@description('Required. Type of site to deploy.')
-@allowed([
- 'functionapp' // function app windows os
- 'functionapp,linux' // function app linux os
- 'functionapp,workflowapp' // logic app workflow
- 'functionapp,workflowapp,linux' // logic app docker container
- 'app' // normal web app
-])
-param kind string
-
-@description('Required. The auth settings V2 configuration.')
-param authSettingV2Configuration object
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource app 'Microsoft.Web/sites@2022-09-01' existing = {
- name: appName
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource appSettings 'Microsoft.Web/sites/config@2022-09-01' = {
- name: 'authsettingsV2'
- kind: kind
- parent: app
- properties: authSettingV2Configuration
-}
-
-@description('The name of the site config.')
-output name string = appSettings.name
-
-@description('The resource ID of the site config.')
-output resourceId string = appSettings.id
-
-@description('The resource group the site config was deployed into.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/web/site/config--authsettingsv2/main.json b/modules/web/site/config--authsettingsv2/main.json
deleted file mode 100644
index 6f40405eb1..0000000000
--- a/modules/web/site/config--authsettingsv2/main.json
+++ /dev/null
@@ -1,94 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15667145082226037238" - }, - "name": "Site Auth Settings V2 Config", - "description": "This module deploys a Site Auth Settings V2 Configuration.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "appName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent site resource. Required if the template is used in a standalone deployment." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "functionapp", - "functionapp,linux", - "functionapp,workflowapp", - "functionapp,workflowapp,linux", - "app" - ], - "metadata": { - "description": "Required. Type of site to deploy." - } - }, - "authSettingV2Configuration": { - "type": "object", - "metadata": { - "description": "Required. The auth settings V2 configuration." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Web/sites/config", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}', parameters('appName'), 'authsettingsV2')]", - "kind": "[parameters('kind')]", - "properties": "[parameters('authSettingV2Configuration')]" - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the site config." - }, - "value": "authsettingsV2" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the site config." - }, - "value": "[resourceId('Microsoft.Web/sites/config', parameters('appName'), 'authsettingsV2')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the site config was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/web/site/config--authsettingsv2/version.json b/modules/web/site/config--authsettingsv2/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/web/site/config--authsettingsv2/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/web/site/hybrid-connection-namespace/relay/README.md b/modules/web/site/hybrid-connection-namespace/relay/README.md deleted file mode 100644 index 920762c984..0000000000 --- a/modules/web/site/hybrid-connection-namespace/relay/README.md +++ /dev/null 
@@ -1,89 +0,0 @@ -# Web/Function Apps Hybrid Connection Relay `[Microsoft.Web/sites/hybridConnectionNamespaces/relays]` - -This module deploys a Site Hybrid Connection Namespace Relay. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Web/sites/hybridConnectionNamespaces/relays` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-09-01/sites/hybridConnectionNamespaces/relays) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`hybridConnectionResourceId`](#parameter-hybridconnectionresourceid) | string | The resource ID of the relay namespace hybrid connection. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`appName`](#parameter-appname) | string | The name of the parent web site. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location for all Resources. | -| [`sendKeyName`](#parameter-sendkeyname) | string | Name of the authorization rule send key to use. | - -### Parameter: `hybridConnectionResourceId` - -The resource ID of the relay namespace hybrid connection. - -- Required: Yes -- Type: string - -### Parameter: `appName` - -The name of the parent web site. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). 
- -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location for all Resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `sendKeyName` - -Name of the authorization rule send key to use. - -- Required: No -- Type: string -- Default: `'defaultSender'` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the hybrid connection relay.. | -| `resourceGroupName` | string | The name of the resource group the resource was deployed into. | -| `resourceId` | string | The resource ID of the hybrid connection relay. | - -## Cross-referenced modules - -_None_ diff --git a/modules/web/site/hybrid-connection-namespace/relay/main.bicep b/modules/web/site/hybrid-connection-namespace/relay/main.bicep deleted file mode 100644 index f1972afaaa..0000000000 --- a/modules/web/site/hybrid-connection-namespace/relay/main.bicep +++ /dev/null 
@@ -1,66 +0,0 @@ -metadata name = 'Web/Function Apps Hybrid Connection Relay' -metadata description = 'This module deploys a Site Hybrid Connection Namespace Relay.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. The resource ID of the relay namespace hybrid connection.') -param hybridConnectionResourceId string - -@description('Conditional. The name of the parent web site. Required if the template is used in a standalone deployment.') -param appName string - -@description('Optional. Name of the authorization rule send key to use.') -param sendKeyName string = 'defaultSender' - -@description('Optional. Location for all Resources.') -param location string = resourceGroup().location - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource namespace 'Microsoft.Relay/namespaces@2021-11-01' existing = { - name: split(hybridConnectionResourceId, '/')[8] - scope: resourceGroup(split(hybridConnectionResourceId, '/')[2], split(hybridConnectionResourceId, '/')[4]) - - resource hybridConnection 'hybridConnections@2021-11-01' existing = { - name: split(hybridConnectionResourceId, '/')[10] - - resource authorizationRule 'authorizationRules@2021-11-01' existing = { - name: sendKeyName - } - } -} - -resource hybridConnectionRelay 'Microsoft.Web/sites/hybridConnectionNamespaces/relays@2022-09-01' = { - name: '${appName}/${namespace.name}/${namespace::hybridConnection.name}' - properties: { - serviceBusNamespace: namespace.name - serviceBusSuffix: 
split(substring(namespace.properties.serviceBusEndpoint, indexOf(namespace.properties.serviceBusEndpoint, '.servicebus')), ':')[0] - relayName: namespace::hybridConnection.name - relayArmUri: namespace::hybridConnection.id - hostname: split(json(namespace::hybridConnection.properties.userMetadata)[0].value, ':')[0] - port: int(split(json(namespace::hybridConnection.properties.userMetadata)[0].value, ':')[1]) - sendKeyName: namespace::hybridConnection::authorizationRule.name - sendKeyValue: namespace::hybridConnection::authorizationRule.listKeys().primaryKey - } -} - -@description('The name of the hybrid connection relay..') -output name string = hybridConnectionRelay.name - -@description('The resource ID of the hybrid connection relay.') -output resourceId string = hybridConnectionRelay.id - -@description('The name of the resource group the resource was deployed into.') -output resourceGroupName string = resourceGroup().name diff --git a/modules/web/site/hybrid-connection-namespace/relay/main.json b/modules/web/site/hybrid-connection-namespace/relay/main.json deleted file mode 100644 index e230e699f6..0000000000 --- a/modules/web/site/hybrid-connection-namespace/relay/main.json +++ /dev/null 
@@ -1,103 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "14574905385050050440" - }, - "name": "Web/Function Apps Hybrid Connection Relay", - "description": "This module deploys a Site Hybrid Connection Namespace Relay.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "hybridConnectionResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the relay namespace hybrid connection." - } - }, - "appName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent web site. Required if the template is used in a standalone deployment." - } - }, - "sendKeyName": { - "type": "string", - "defaultValue": "defaultSender", - "metadata": { - "description": "Optional. Name of the authorization rule send key to use." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Web/sites/hybridConnectionNamespaces/relays", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}/{2}', parameters('appName'), split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10])]", - "properties": { - "serviceBusNamespace": "[split(parameters('hybridConnectionResourceId'), '/')[8]]", - "serviceBusSuffix": "[split(substring(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hybridConnectionResourceId'), '/')[2], split(parameters('hybridConnectionResourceId'), '/')[4]), 'Microsoft.Relay/namespaces', split(parameters('hybridConnectionResourceId'), '/')[8]), '2021-11-01').serviceBusEndpoint, indexOf(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hybridConnectionResourceId'), '/')[2], split(parameters('hybridConnectionResourceId'), '/')[4]), 'Microsoft.Relay/namespaces', split(parameters('hybridConnectionResourceId'), '/')[8]), '2021-11-01').serviceBusEndpoint, '.servicebus')), ':')[0]]", - "relayName": "[split(parameters('hybridConnectionResourceId'), '/')[10]]", - "relayArmUri": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hybridConnectionResourceId'), '/')[2], split(parameters('hybridConnectionResourceId'), '/')[4]), 'Microsoft.Relay/namespaces/hybridConnections', split(parameters('hybridConnectionResourceId'), '/')[8], 
split(parameters('hybridConnectionResourceId'), '/')[10])]", - "hostname": "[split(json(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hybridConnectionResourceId'), '/')[2], split(parameters('hybridConnectionResourceId'), '/')[4]), 'Microsoft.Relay/namespaces/hybridConnections', split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10]), '2021-11-01').userMetadata)[0].value, ':')[0]]", - "port": "[int(split(json(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hybridConnectionResourceId'), '/')[2], split(parameters('hybridConnectionResourceId'), '/')[4]), 'Microsoft.Relay/namespaces/hybridConnections', split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10]), '2021-11-01').userMetadata)[0].value, ':')[1])]", - "sendKeyName": "[parameters('sendKeyName')]", - "sendKeyValue": "[listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hybridConnectionResourceId'), '/')[2], split(parameters('hybridConnectionResourceId'), '/')[4]), 'Microsoft.Relay/namespaces/hybridConnections/authorizationRules', split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10], parameters('sendKeyName')), '2021-11-01').primaryKey]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the hybrid connection relay.." - }, - "value": "[format('{0}/{1}/{2}', parameters('appName'), split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10])]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the hybrid connection relay." 
- }, - "value": "[resourceId('Microsoft.Web/sites/hybridConnectionNamespaces/relays', split(format('{0}/{1}/{2}', parameters('appName'), split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10]), '/')[0], split(format('{0}/{1}/{2}', parameters('appName'), split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10]), '/')[1], split(format('{0}/{1}/{2}', parameters('appName'), split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10]), '/')[2])]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the resource was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/web/site/hybrid-connection-namespace/relay/version.json b/modules/web/site/hybrid-connection-namespace/relay/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/web/site/hybrid-connection-namespace/relay/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/web/site/main.bicep b/modules/web/site/main.bicep deleted file mode 100644 index 78c7f41c6c..0000000000 --- a/modules/web/site/main.bicep +++ /dev/null 
@@ -1,561 +0,0 @@
-metadata name = 'Web/Function Apps'
-metadata description = 'This module deploys a Web or Function App.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the site.')
-param name string
-
-@description('Optional. Location for all Resources.')
-param location string = resourceGroup().location
-
-@description('Required. Type of site to deploy.')
-@allowed([
- 'functionapp' // function app windows os
- 'functionapp,linux' // function app linux os
- 'functionapp,workflowapp' // logic app workflow
- 'functionapp,workflowapp,linux' // logic app docker container
- 'app' // normal web app
-])
-param kind string
-
-@description('Required. The resource ID of the app service plan to use for the site.')
-param serverFarmResourceId string
-
-@description('Optional. Configures a site to accept only HTTPS requests. Issues redirect for HTTP requests.')
-param httpsOnly bool = true
-
-@description('Optional. If client affinity is enabled.')
-param clientAffinityEnabled bool = true
-
-@description('Optional. The resource ID of the app service environment to use for this resource.')
-param appServiceEnvironmentResourceId string = ''
-
-@description('Optional. The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
-
-@description('Optional. The resource ID of the assigned identity to be used to access a key vault with.')
-param keyVaultAccessIdentityResourceId string = ''
-
-@description('Optional. Checks if Customer provided storage account is required.')
-param storageAccountRequired bool = false
-
-@description('Optional. Azure Resource Manager ID of the Virtual network and subnet to be joined by Regional VNET Integration. This must be of the form /subscriptions/{subscriptionName}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}.')
-param virtualNetworkSubnetId string = ''
-
-@description('Optional.
To enable accessing content over virtual network.')
-param vnetContentShareEnabled bool = false
-
-@description('Optional. To enable pulling image over Virtual Network.')
-param vnetImagePullEnabled bool = false
-
-@description('Optional. Virtual Network Route All enabled. This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied.')
-param vnetRouteAllEnabled bool = false
-
-@description('Optional. Stop SCM (KUDU) site when the app is stopped.')
-param scmSiteAlsoStopped bool = false
-
-@description('Optional. The site config object.')
-param siteConfig object = {}
-
-@description('Optional. Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions.')
-param storageAccountResourceId string = ''
-
-@description('Optional. Resource ID of the app insight to leverage for this resource.')
-param appInsightResourceId string = ''
-
-@description('Optional. For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons.')
-param setAzureWebJobsDashboard bool = contains(kind, 'functionapp') ? true : false
-
-@description('Optional. The app settings-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING.')
-param appSettingsKeyValuePairs object = {}
-
-@description('Optional. The auth settings V2 configuration.')
-param authSettingV2Configuration object = {}
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints privateEndpointType
-
-@description('Optional.
Configuration for deployment slots for an app.')
-param slots array = []
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
-
-@description('Optional. To enable client certificate authentication (TLS mutual authentication).')
-param clientCertEnabled bool = false
-
-@description('Optional. Client certificate authentication comma-separated exclusion paths.')
-param clientCertExclusionPaths string = ''
-
-@description('Optional. This composes with ClientCertEnabled setting.

- ClientCertEnabled: false means ClientCert is ignored.

- ClientCertEnabled: true and ClientCertMode: Required means ClientCert is required.

- ClientCertEnabled: true and ClientCertMode: Optional means ClientCert is optional or accepted.')
-@allowed([
- 'Optional'
- 'OptionalInteractiveUser'
- 'Required'
-])
-param clientCertMode string = 'Optional'
-
-@description('Optional. If specified during app creation, the app is cloned from a source app.')
-param cloningInfo object = {}
-
-@description('Optional. Size of the function container.')
-param containerSize int = -1
-
-@description('Optional. Unique identifier that verifies the custom domains assigned to the app. Customer will add this ID to a txt record for verification.')
-param customDomainVerificationId string = ''
-
-@description('Optional. Maximum allowed daily memory-time quota (applicable on dynamic apps only).')
-param dailyMemoryTimeQuota int = -1
-
-@description('Optional. Setting this value to false disables the app (takes the app offline).')
-param enabled bool = true
-
-@description('Optional. Hostname SSL states are used to manage the SSL bindings for app\'s hostnames.')
-param hostNameSslStates array = []
-
-@description('Optional. Hyper-V sandbox.')
-param hyperV bool = false
-
-@description('Optional. Site redundancy mode.')
-@allowed([
- 'ActiveActive'
- 'Failover'
- 'GeoRedundant'
- 'Manual'
- 'None'
-])
-param redundancyMode string = 'None'
-
-@description('Optional. The site publishing credential policy names which are associated with the sites.')
-param basicPublishingCredentialsPolicies array = []
-
-@description('Optional. Names of hybrid connection relays to connect app with.')
-param hybridConnectionRelays array = []
-
-@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.')
-@allowed([
- ''
- 'Enabled'
- 'Disabled'
-])
-param publicNetworkAccess string = ''
-
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ??
[]), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-
-var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
- userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
-} : null
-
-var enableReferencedModulesTelemetry = false
-
-var builtInRoleNames = {
- 'App Compliance Automation Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
- 'Web Plan Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')
- 'Website Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema':
'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource app 'Microsoft.Web/sites@2022-09-01' = {
- name: name
- location: location
- kind: kind
- tags: tags
- identity: identity
- properties: {
- serverFarmId: serverFarmResourceId
- clientAffinityEnabled: clientAffinityEnabled
- httpsOnly: httpsOnly
- hostingEnvironmentProfile: !empty(appServiceEnvironmentResourceId) ? {
- id: appServiceEnvironmentResourceId
- } : null
- storageAccountRequired: storageAccountRequired
- keyVaultReferenceIdentity: !empty(keyVaultAccessIdentityResourceId) ? keyVaultAccessIdentityResourceId : null
- virtualNetworkSubnetId: !empty(virtualNetworkSubnetId) ? virtualNetworkSubnetId : any(null)
- siteConfig: siteConfig
- clientCertEnabled: clientCertEnabled
- clientCertExclusionPaths: !empty(clientCertExclusionPaths) ? clientCertExclusionPaths : null
- clientCertMode: clientCertMode
- cloningInfo: !empty(cloningInfo) ? cloningInfo : null
- containerSize: containerSize != -1 ? containerSize : null
- customDomainVerificationId: !empty(customDomainVerificationId) ? customDomainVerificationId : null
- dailyMemoryTimeQuota: dailyMemoryTimeQuota != -1 ? dailyMemoryTimeQuota : null
- enabled: enabled
- hostNameSslStates: hostNameSslStates
- hyperV: hyperV
- redundancyMode: redundancyMode
- publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ?
'Disabled' : 'Enabled')
- vnetContentShareEnabled: vnetContentShareEnabled
- vnetImagePullEnabled: vnetImagePullEnabled
- vnetRouteAllEnabled: vnetRouteAllEnabled
- scmSiteAlsoStopped: scmSiteAlsoStopped
- }
-}
-
-module app_appsettings 'config--appsettings/main.bicep' = if (!empty(appSettingsKeyValuePairs)) {
- name: '${uniqueString(deployment().name, location)}-Site-Config-AppSettings'
- params: {
- appName: app.name
- kind: kind
- storageAccountResourceId: storageAccountResourceId
- appInsightResourceId: appInsightResourceId
- setAzureWebJobsDashboard: setAzureWebJobsDashboard
- appSettingsKeyValuePairs: appSettingsKeyValuePairs
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module app_authsettingsv2 'config--authsettingsv2/main.bicep' = if (!empty(authSettingV2Configuration)) {
- name: '${uniqueString(deployment().name, location)}-Site-Config-AuthSettingsV2'
- params: {
- appName: app.name
- kind: kind
- authSettingV2Configuration: authSettingV2Configuration
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-@batchSize(1)
-module app_slots 'slot/main.bicep' = [for (slot, index) in slots: {
- name: '${uniqueString(deployment().name, location)}-Slot-${slot.name}'
- params: {
- name: slot.name
- appName: app.name
- location: location
- kind: kind
- serverFarmResourceId: serverFarmResourceId
- httpsOnly: contains(slot, 'httpsOnly') ? slot.httpsOnly : httpsOnly
- appServiceEnvironmentResourceId: !empty(appServiceEnvironmentResourceId) ? appServiceEnvironmentResourceId : ''
- clientAffinityEnabled: contains(slot, 'clientAffinityEnabled') ? slot.clientAffinityEnabled : clientAffinityEnabled
- managedIdentities: contains(slot, 'managedIdentities') ? slot.managedIdentities : managedIdentities
- keyVaultAccessIdentityResourceId: contains(slot, 'keyVaultAccessIdentityResourceId') ? slot.keyVaultAccessIdentityResourceId : keyVaultAccessIdentityResourceId
- storageAccountRequired: contains(slot, 'storageAccountRequired') ?
slot.storageAccountRequired : storageAccountRequired
- virtualNetworkSubnetId: contains(slot, 'virtualNetworkSubnetId') ? slot.virtualNetworkSubnetId : virtualNetworkSubnetId
- siteConfig: contains(slot, 'siteConfig') ? slot.siteConfig : siteConfig
- storageAccountResourceId: contains(slot, 'storageAccountResourceId') ? slot.storageAccountResourceId : storageAccountResourceId
- appInsightResourceId: contains(slot, 'appInsightResourceId') ? slot.appInsightResourceId : appInsightResourceId
- setAzureWebJobsDashboard: contains(slot, 'setAzureWebJobsDashboard') ? slot.setAzureWebJobsDashboard : setAzureWebJobsDashboard
- authSettingV2Configuration: contains(slot, 'authSettingV2Configuration') ? slot.authSettingV2Configuration : authSettingV2Configuration
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- diagnosticSettings: slot.?diagnosticSettings
- roleAssignments: contains(slot, 'roleAssignments') ? slot.roleAssignments : roleAssignments
- appSettingsKeyValuePairs: contains(slot, 'appSettingsKeyValuePairs') ? slot.appSettingsKeyValuePairs : appSettingsKeyValuePairs
- basicPublishingCredentialsPolicies: contains(slot, 'basicPublishingCredentialsPolicies') ? slot.basicPublishingCredentialsPolicies : basicPublishingCredentialsPolicies
- lock: slot.?lock ?? lock
- privateEndpoints: contains(slot, 'privateEndpoints') ? slot.privateEndpoints : privateEndpoints
- tags: slot.?tags ?? tags
- clientCertEnabled: contains(slot, 'clientCertEnabled') ? slot.clientCertEnabled : false
- clientCertExclusionPaths: contains(slot, 'clientCertExclusionPaths') ? slot.clientCertExclusionPaths : ''
- clientCertMode: contains(slot, 'clientCertMode') ? slot.clientCertMode : 'Optional'
- cloningInfo: contains(slot, 'cloningInfo') ? slot.cloningInfo : {}
- containerSize: contains(slot, 'containerSize') ? slot.containerSize : -1
- customDomainVerificationId: contains(slot, 'customDomainVerificationId') ?
slot.customDomainVerificationId : ''
- dailyMemoryTimeQuota: contains(slot, 'dailyMemoryTimeQuota') ? slot.dailyMemoryTimeQuota : -1
- enabled: contains(slot, 'enabled') ? slot.enabled : true
- hostNameSslStates: contains(slot, 'hostNameSslStates') ? slot.hostNameSslStates : []
- hyperV: contains(slot, 'hyperV') ? slot.hyperV : false
- publicNetworkAccess: contains(slot, 'publicNetworkAccess') ? slot.publicNetworkAccess : ''
- redundancyMode: contains(slot, 'redundancyMode') ? slot.redundancyMode : 'None'
- vnetContentShareEnabled: contains(slot, 'vnetContentShareEnabled') ? slot.vnetContentShareEnabled : false
- vnetImagePullEnabled: contains(slot, 'vnetImagePullEnabled') ? slot.vnetImagePullEnabled : false
- vnetRouteAllEnabled: contains(slot, 'vnetRouteAllEnabled') ? slot.vnetRouteAllEnabled : false
- hybridConnectionRelays: contains(slot, 'hybridConnectionRelays') ? slot.hybridConnectionRelays : []
- }
-}]
-
-module app_basicPublishingCredentialsPolicies 'basic-publishing-credentials-policy/main.bicep' = [for (basicPublishingCredentialsPolicy, index) in basicPublishingCredentialsPolicies: {
- name: '${uniqueString(deployment().name, location)}-Site-Publish-Cred-${index}'
- params: {
- webAppName: app.name
- name: basicPublishingCredentialsPolicy.name
- allow: contains(basicPublishingCredentialsPolicy, 'allow') ? basicPublishingCredentialsPolicy.allow : null
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-module app_hybridConnectionRelays 'hybrid-connection-namespace/relay/main.bicep' = [for (hybridConnectionRelay, index) in hybridConnectionRelays: {
- name: '${uniqueString(deployment().name, location)}-HybridConnectionRelay-${index}'
- params: {
- hybridConnectionResourceId: hybridConnectionRelay.resourceId
- appName: app.name
- sendKeyName: contains(hybridConnectionRelay, 'sendKeyName') ?
hybridConnectionRelay.sendKeyName : null
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-resource app_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: app
-}
-
-resource app_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
- name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
- properties: {
- storageAccountId: diagnosticSetting.?storageAccountResourceId
- workspaceId: diagnosticSetting.?workspaceResourceId
- eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
- eventHubName: diagnosticSetting.?eventHubName
- metrics: diagnosticSetting.?metricCategories ?? [
- {
- category: 'AllMetrics'
- timeGrain: null
- enabled: true
- }
- ]
- logs: diagnosticSetting.?logCategoriesAndGroups ?? [
- {
- categoryGroup: 'AllLogs'
- enabled: true
- }
- ]
- marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
- logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
- }
- scope: app
-}]
-
-resource app_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(app.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ?
roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: app
-}]
-
-module app_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
- name: '${uniqueString(deployment().name, location)}-app-PrivateEndpoint-${index}'
- params: {
- groupIds: [
- privateEndpoint.?service ?? 'sites'
- ]
- name: privateEndpoint.?name ?? 'pep-${last(split(app.id, '/'))}-${privateEndpoint.?service ?? 'sites'}-${index}'
- serviceResourceId: app.id
- subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
- location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
- privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
- roleAssignments: privateEndpoint.?roleAssignments
- tags: privateEndpoint.?tags ??
tags
- manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
- customDnsConfigs: privateEndpoint.?customDnsConfigs
- ipConfigurations: privateEndpoint.?ipConfigurations
- applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
- customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
- }
-}]
-
-@description('The name of the site.')
-output name string = app.name
-
-@description('The resource ID of the site.')
-output resourceId string = app.id
-
-@description('The list of the slots.')
-output slots array = [for (slot, index) in slots: app_slots[index].name]
-
-@description('The list of the slot resource ids.')
-output slotResourceIds array = [for (slot, index) in slots: app_slots[index].outputs.resourceId]
-
-@description('The resource group the site was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The principal ID of the system assigned identity.')
-output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(app.identity, 'principalId') ? app.identity.principalId : ''
-
-@description('The principal ID of the system assigned identity of slots.')
-output slotSystemAssignedMIPrincipalIds array = [for (slot, index) in slots: app_slots[index].outputs.systemAssignedMIPrincipalId]
-
-@description('The location the resource was deployed into.')
-output location string = app.location
-
-@description('Default hostname of the app.')
-output defaultHostname string = app.properties.defaultHostName
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]?
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type privateEndpointType = {
- @description('Optional. The name of the private endpoint.')
- name: string?
-
- @description('Optional. The location to deploy the private endpoint to.')
- location: string?
-
- @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
- service: string?
-
- @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
- subnetResourceId: string
-
- @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
- privateDnsZoneGroupName: string?
-
- @description('Optional.
The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
- privateDnsZoneResourceIds: string[]?
-
- @description('Optional. Custom DNS configurations.')
- customDnsConfigs: {
- @description('Required. Fqdn that resolves to private endpoint ip address.')
- fqdn: string?
-
- @description('Required. A list of private ip addresses of the private endpoint.')
- ipAddresses: string[]
- }[]?
-
- @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
- ipConfigurations: {
- @description('Required. The name of the resource that is unique within a resource group.')
- name: string
-
- @description('Required. Properties of private endpoint IP configurations.')
- properties: {
- @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
- groupId: string
-
- @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
- memberName: string
-
- @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
- privateIPAddress: string
- }
- }[]?
-
- @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
- applicationSecurityGroupResourceIds: string[]?
-
- @description('Optional. The custom name of the network interface attached to the private endpoint.')
- customNetworkInterfaceName: string?
-
- @description('Optional. Specify the type of lock.')
- lock: lockType
-
- @description('Optional. Array of role assignments to create.')
- roleAssignments: roleAssignmentType
-
- @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
- tags: object?
-
- @description('Optional. Manual PrivateLink Service Connections.')
- manualPrivateLinkServiceConnections: array?
-
- @description('Optional. Enable/Disable usage telemetry for module.')
- enableTelemetry: bool?
-}[]?
-
-type diagnosticSettingType = {
- @description('Optional. The name of diagnostic setting.')
- name: string?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- logCategoriesAndGroups: {
- @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
- category: string?
-
- @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
- categoryGroup: string?
- }[]?
-
- @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
- metricCategories: {
- @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
- category: string
- }[]?
-
- @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
- @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- workspaceResourceId: string?
-
- @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- storageAccountResourceId: string?
-
- @description('Optional.
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
- eventHubAuthorizationRuleResourceId: string?
-
- @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
- eventHubName: string?
-
- @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
- marketplacePartnerResourceId: string?
-}[]?
diff --git a/modules/web/site/main.json b/modules/web/site/main.json
deleted file mode 100644
index 211a57eeee..0000000000
--- a/modules/web/site/main.json
+++ /dev/null
@@ -1,4259 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6627371400613258723" - }, - "name": "Web/Function Apps", - "description": "This module deploys a Web or Function App.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." 
- } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. 
Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the site." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "functionapp", - "functionapp,linux", - "functionapp,workflowapp", - "functionapp,workflowapp,linux", - "app" - ], - "metadata": { - "description": "Required. Type of site to deploy." - } - }, - "serverFarmResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the app service plan to use for the site." - } - }, - "httpsOnly": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Configures a site to accept only HTTPS requests. Issues redirect for HTTP requests." 
- } - }, - "clientAffinityEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. If client affinity is enabled." - } - }, - "appServiceEnvironmentResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of the app service environment to use for this resource." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "keyVaultAccessIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of the assigned identity to be used to access a key vault with." - } - }, - "storageAccountRequired": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Checks if Customer provided storage account is required." - } - }, - "virtualNetworkSubnetId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Azure Resource Manager ID of the Virtual network and subnet to be joined by Regional VNET Integration. This must be of the form /subscriptions/{subscriptionName}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}." - } - }, - "vnetContentShareEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. To enable accessing content over virtual network." - } - }, - "vnetImagePullEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. To enable pulling image over Virtual Network." - } - }, - "vnetRouteAllEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Virtual Network Route All enabled. This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied." 
- } - }, - "scmSiteAlsoStopped": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Stop SCM (KUDU) site when the app is stopped." - } - }, - "siteConfig": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The site config object." - } - }, - "storageAccountResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions." - } - }, - "appInsightResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the app insight to leverage for this resource." - } - }, - "setAzureWebJobsDashboard": { - "type": "bool", - "defaultValue": "[if(contains(parameters('kind'), 'functionapp'), true(), false())]", - "metadata": { - "description": "Optional. For function apps. If true the app settings \"AzureWebJobsDashboard\" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons." - } - }, - "appSettingsKeyValuePairs": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The app settings-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING." - } - }, - "authSettingV2Configuration": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The auth settings V2 configuration." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." 
- } - }, - "slots": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Configuration for deployment slots for an app." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "clientCertEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. To enable client certificate authentication (TLS mutual authentication)." - } - }, - "clientCertExclusionPaths": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Client certificate authentication comma-separated exclusion paths." - } - }, - "clientCertMode": { - "type": "string", - "defaultValue": "Optional", - "allowedValues": [ - "Optional", - "OptionalInteractiveUser", - "Required" - ], - "metadata": { - "description": "Optional. This composes with ClientCertEnabled setting.

- ClientCertEnabled: false means ClientCert is ignored.

- ClientCertEnabled: true and ClientCertMode: Required means ClientCert is required.

- ClientCertEnabled: true and ClientCertMode: Optional means ClientCert is optional or accepted." - } - }, - "cloningInfo": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. If specified during app creation, the app is cloned from a source app." - } - }, - "containerSize": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Size of the function container." - } - }, - "customDomainVerificationId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Unique identifier that verifies the custom domains assigned to the app. Customer will add this ID to a txt record for verification." - } - }, - "dailyMemoryTimeQuota": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Maximum allowed daily memory-time quota (applicable on dynamic apps only)." - } - }, - "enabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Setting this value to false disables the app (takes the app offline)." - } - }, - "hostNameSslStates": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Hostname SSL states are used to manage the SSL bindings for app's hostnames." - } - }, - "hyperV": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Hyper-V sandbox." - } - }, - "redundancyMode": { - "type": "string", - "defaultValue": "None", - "allowedValues": [ - "ActiveActive", - "Failover", - "GeoRedundant", - "Manual", - "None" - ], - "metadata": { - "description": "Optional. Site redundancy mode." - } - }, - "basicPublishingCredentialsPolicies": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The site publishing credential policy names which are associated with the sites." - } - }, - "hybridConnectionRelays": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. 
Names of hybrid connection relays to connect app with." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set." - } - } - }, - "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "App Compliance Automation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - 
"Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Web Plan Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", - "Website Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "app": { - "type": "Microsoft.Web/sites", - "apiVersion": "2022-09-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "kind": "[parameters('kind')]", - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "properties": { - "serverFarmId": "[parameters('serverFarmResourceId')]", - "clientAffinityEnabled": "[parameters('clientAffinityEnabled')]", - "httpsOnly": "[parameters('httpsOnly')]", - "hostingEnvironmentProfile": "[if(not(empty(parameters('appServiceEnvironmentResourceId'))), createObject('id', parameters('appServiceEnvironmentResourceId')), null())]", - "storageAccountRequired": "[parameters('storageAccountRequired')]", - "keyVaultReferenceIdentity": "[if(not(empty(parameters('keyVaultAccessIdentityResourceId'))), parameters('keyVaultAccessIdentityResourceId'), null())]", - "virtualNetworkSubnetId": 
"[if(not(empty(parameters('virtualNetworkSubnetId'))), parameters('virtualNetworkSubnetId'), null())]", - "siteConfig": "[parameters('siteConfig')]", - "clientCertEnabled": "[parameters('clientCertEnabled')]", - "clientCertExclusionPaths": "[if(not(empty(parameters('clientCertExclusionPaths'))), parameters('clientCertExclusionPaths'), null())]", - "clientCertMode": "[parameters('clientCertMode')]", - "cloningInfo": "[if(not(empty(parameters('cloningInfo'))), parameters('cloningInfo'), null())]", - "containerSize": "[if(not(equals(parameters('containerSize'), -1)), parameters('containerSize'), null())]", - "customDomainVerificationId": "[if(not(empty(parameters('customDomainVerificationId'))), parameters('customDomainVerificationId'), null())]", - "dailyMemoryTimeQuota": "[if(not(equals(parameters('dailyMemoryTimeQuota'), -1)), parameters('dailyMemoryTimeQuota'), null())]", - "enabled": "[parameters('enabled')]", - "hostNameSslStates": "[parameters('hostNameSslStates')]", - "hyperV": "[parameters('hyperV')]", - "redundancyMode": "[parameters('redundancyMode')]", - "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), if(not(empty(parameters('privateEndpoints'))), 'Disabled', 'Enabled'))]", - "vnetContentShareEnabled": "[parameters('vnetContentShareEnabled')]", - "vnetImagePullEnabled": "[parameters('vnetImagePullEnabled')]", - "vnetRouteAllEnabled": "[parameters('vnetRouteAllEnabled')]", - "scmSiteAlsoStopped": "[parameters('scmSiteAlsoStopped')]" - } - }, - "app_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Web/sites/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": 
"[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "app" - ] - }, - "app_diagnosticSettings": { - "copy": { - "name": "app_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Web/sites/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "app" - ] - }, - "app_roleAssignments": { - "copy": { - "name": "app_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Web/sites/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Web/sites', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 
'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "app" - ] - }, - "app_appsettings": { - "condition": "[not(empty(parameters('appSettingsKeyValuePairs')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Site-Config-AppSettings', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "appName": { - "value": "[parameters('name')]" - }, - "kind": { - "value": "[parameters('kind')]" - }, - "storageAccountResourceId": { - "value": "[parameters('storageAccountResourceId')]" - }, - "appInsightResourceId": { - "value": "[parameters('appInsightResourceId')]" - }, - "setAzureWebJobsDashboard": { - "value": "[parameters('setAzureWebJobsDashboard')]" - }, - "appSettingsKeyValuePairs": { - "value": "[parameters('appSettingsKeyValuePairs')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "12410494471478708764" - }, - "name": "Site App Settings", - "description": "This module deploys a Site App Setting.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "appName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent site resource. Required if the template is used in a standalone deployment." 
- } - }, - "kind": { - "type": "string", - "allowedValues": [ - "functionapp", - "functionapp,linux", - "functionapp,workflowapp", - "functionapp,workflowapp,linux", - "app" - ], - "metadata": { - "description": "Required. Type of site to deploy." - } - }, - "storageAccountResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions." - } - }, - "appInsightResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the app insight to leverage for this resource." - } - }, - "setAzureWebJobsDashboard": { - "type": "bool", - "defaultValue": "[if(contains(parameters('kind'), 'functionapp'), true(), false())]", - "metadata": { - "description": "Optional. For function apps. If true the app settings \"AzureWebJobsDashboard\" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons." - } - }, - "appSettingsKeyValuePairs": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The app settings key-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Web/sites/config", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}', parameters('appName'), 'appsettings')]", - "kind": "[parameters('kind')]", - "properties": "[union(parameters('appSettingsKeyValuePairs'), if(not(empty(parameters('storageAccountResourceId'))), union(createObject('AzureWebJobsStorage', format('DefaultEndpointsProtocol=https;AccountName={0};AccountKey={1};', last(split(parameters('storageAccountResourceId'), '/')), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('storageAccountResourceId'), '/')[2], split(parameters('storageAccountResourceId'), '/')[4]), 'Microsoft.Storage/storageAccounts', last(split(parameters('storageAccountResourceId'), '/'))), '2023-01-01').keys[0].value)), if(equals(parameters('setAzureWebJobsDashboard'), true()), createObject('AzureWebJobsDashboard', format('DefaultEndpointsProtocol=https;AccountName={0};AccountKey={1};', last(split(parameters('storageAccountResourceId'), '/')), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('storageAccountResourceId'), '/')[2], split(parameters('storageAccountResourceId'), '/')[4]), 'Microsoft.Storage/storageAccounts', last(split(parameters('storageAccountResourceId'), '/'))), '2023-01-01').keys[0].value)), createObject())), createObject()), if(not(empty(parameters('appInsightResourceId'))), createObject('APPINSIGHTS_INSTRUMENTATIONKEY', 
reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('appInsightResourceId'), '/')[2], split(parameters('appInsightResourceId'), '/')[4]), 'Microsoft.Insights/components', last(split(parameters('appInsightResourceId'), '/'))), '2020-02-02').InstrumentationKey, 'APPLICATIONINSIGHTS_CONNECTION_STRING', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('appInsightResourceId'), '/')[2], split(parameters('appInsightResourceId'), '/')[4]), 'Microsoft.Insights/components', last(split(parameters('appInsightResourceId'), '/'))), '2020-02-02').ConnectionString), createObject()))]" - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the site config." - }, - "value": "appsettings" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the site config." - }, - "value": "[resourceId('Microsoft.Web/sites/config', parameters('appName'), 'appsettings')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the site config was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "app" - ] - }, - "app_authsettingsv2": { - "condition": "[not(empty(parameters('authSettingV2Configuration')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Site-Config-AuthSettingsV2', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "appName": { - "value": "[parameters('name')]" - }, - "kind": { - "value": "[parameters('kind')]" - }, - "authSettingV2Configuration": { - "value": "[parameters('authSettingV2Configuration')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15667145082226037238" - }, - "name": "Site Auth Settings V2 Config", - "description": "This module deploys a Site Auth Settings V2 Configuration.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "appName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent site resource. Required if the template is used in a standalone deployment." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "functionapp", - "functionapp,linux", - "functionapp,workflowapp", - "functionapp,workflowapp,linux", - "app" - ], - "metadata": { - "description": "Required. Type of site to deploy." - } - }, - "authSettingV2Configuration": { - "type": "object", - "metadata": { - "description": "Required. The auth settings V2 configuration." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. 
Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Web/sites/config", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}', parameters('appName'), 'authsettingsV2')]", - "kind": "[parameters('kind')]", - "properties": "[parameters('authSettingV2Configuration')]" - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the site config." - }, - "value": "authsettingsV2" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the site config." - }, - "value": "[resourceId('Microsoft.Web/sites/config', parameters('appName'), 'authsettingsV2')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the site config was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "app" - ] - }, - "app_slots": { - "copy": { - "name": "app_slots", - "count": "[length(parameters('slots'))]", - "mode": "serial", - "batchSize": 1 - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Slot-{1}', uniqueString(deployment().name, parameters('location')), parameters('slots')[copyIndex()].name)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('slots')[copyIndex()].name]" - }, - "appName": { - "value": "[parameters('name')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "kind": { - "value": "[parameters('kind')]" - }, - "serverFarmResourceId": { - "value": "[parameters('serverFarmResourceId')]" - }, - "httpsOnly": "[if(contains(parameters('slots')[copyIndex()], 'httpsOnly'), createObject('value', parameters('slots')[copyIndex()].httpsOnly), createObject('value', parameters('httpsOnly')))]", - "appServiceEnvironmentResourceId": "[if(not(empty(parameters('appServiceEnvironmentResourceId'))), createObject('value', parameters('appServiceEnvironmentResourceId')), createObject('value', ''))]", - "clientAffinityEnabled": "[if(contains(parameters('slots')[copyIndex()], 'clientAffinityEnabled'), createObject('value', parameters('slots')[copyIndex()].clientAffinityEnabled), createObject('value', parameters('clientAffinityEnabled')))]", - "managedIdentities": "[if(contains(parameters('slots')[copyIndex()], 'managedIdentities'), createObject('value', parameters('slots')[copyIndex()].managedIdentities), createObject('value', parameters('managedIdentities')))]", - "keyVaultAccessIdentityResourceId": "[if(contains(parameters('slots')[copyIndex()], 'keyVaultAccessIdentityResourceId'), createObject('value', parameters('slots')[copyIndex()].keyVaultAccessIdentityResourceId), createObject('value', 
parameters('keyVaultAccessIdentityResourceId')))]", - "storageAccountRequired": "[if(contains(parameters('slots')[copyIndex()], 'storageAccountRequired'), createObject('value', parameters('slots')[copyIndex()].storageAccountRequired), createObject('value', parameters('storageAccountRequired')))]", - "virtualNetworkSubnetId": "[if(contains(parameters('slots')[copyIndex()], 'virtualNetworkSubnetId'), createObject('value', parameters('slots')[copyIndex()].virtualNetworkSubnetId), createObject('value', parameters('virtualNetworkSubnetId')))]", - "siteConfig": "[if(contains(parameters('slots')[copyIndex()], 'siteConfig'), createObject('value', parameters('slots')[copyIndex()].siteConfig), createObject('value', parameters('siteConfig')))]", - "storageAccountResourceId": "[if(contains(parameters('slots')[copyIndex()], 'storageAccountResourceId'), createObject('value', parameters('slots')[copyIndex()].storageAccountResourceId), createObject('value', parameters('storageAccountResourceId')))]", - "appInsightResourceId": "[if(contains(parameters('slots')[copyIndex()], 'appInsightResourceId'), createObject('value', parameters('slots')[copyIndex()].appInsightResourceId), createObject('value', parameters('appInsightResourceId')))]", - "setAzureWebJobsDashboard": "[if(contains(parameters('slots')[copyIndex()], 'setAzureWebJobsDashboard'), createObject('value', parameters('slots')[copyIndex()].setAzureWebJobsDashboard), createObject('value', parameters('setAzureWebJobsDashboard')))]", - "authSettingV2Configuration": "[if(contains(parameters('slots')[copyIndex()], 'authSettingV2Configuration'), createObject('value', parameters('slots')[copyIndex()].authSettingV2Configuration), createObject('value', parameters('authSettingV2Configuration')))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "diagnosticSettings": { - "value": "[tryGet(parameters('slots')[copyIndex()], 'diagnosticSettings')]" - }, - "roleAssignments": 
"[if(contains(parameters('slots')[copyIndex()], 'roleAssignments'), createObject('value', parameters('slots')[copyIndex()].roleAssignments), createObject('value', parameters('roleAssignments')))]", - "appSettingsKeyValuePairs": "[if(contains(parameters('slots')[copyIndex()], 'appSettingsKeyValuePairs'), createObject('value', parameters('slots')[copyIndex()].appSettingsKeyValuePairs), createObject('value', parameters('appSettingsKeyValuePairs')))]", - "basicPublishingCredentialsPolicies": "[if(contains(parameters('slots')[copyIndex()], 'basicPublishingCredentialsPolicies'), createObject('value', parameters('slots')[copyIndex()].basicPublishingCredentialsPolicies), createObject('value', parameters('basicPublishingCredentialsPolicies')))]", - "lock": { - "value": "[coalesce(tryGet(parameters('slots')[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateEndpoints": "[if(contains(parameters('slots')[copyIndex()], 'privateEndpoints'), createObject('value', parameters('slots')[copyIndex()].privateEndpoints), createObject('value', parameters('privateEndpoints')))]", - "tags": { - "value": "[coalesce(tryGet(parameters('slots')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "clientCertEnabled": "[if(contains(parameters('slots')[copyIndex()], 'clientCertEnabled'), createObject('value', parameters('slots')[copyIndex()].clientCertEnabled), createObject('value', false()))]", - "clientCertExclusionPaths": "[if(contains(parameters('slots')[copyIndex()], 'clientCertExclusionPaths'), createObject('value', parameters('slots')[copyIndex()].clientCertExclusionPaths), createObject('value', ''))]", - "clientCertMode": "[if(contains(parameters('slots')[copyIndex()], 'clientCertMode'), createObject('value', parameters('slots')[copyIndex()].clientCertMode), createObject('value', 'Optional'))]", - "cloningInfo": "[if(contains(parameters('slots')[copyIndex()], 'cloningInfo'), createObject('value', parameters('slots')[copyIndex()].cloningInfo), createObject('value', 
createObject()))]", - "containerSize": "[if(contains(parameters('slots')[copyIndex()], 'containerSize'), createObject('value', parameters('slots')[copyIndex()].containerSize), createObject('value', -1))]", - "customDomainVerificationId": "[if(contains(parameters('slots')[copyIndex()], 'customDomainVerificationId'), createObject('value', parameters('slots')[copyIndex()].customDomainVerificationId), createObject('value', ''))]", - "dailyMemoryTimeQuota": "[if(contains(parameters('slots')[copyIndex()], 'dailyMemoryTimeQuota'), createObject('value', parameters('slots')[copyIndex()].dailyMemoryTimeQuota), createObject('value', -1))]", - "enabled": "[if(contains(parameters('slots')[copyIndex()], 'enabled'), createObject('value', parameters('slots')[copyIndex()].enabled), createObject('value', true()))]", - "hostNameSslStates": "[if(contains(parameters('slots')[copyIndex()], 'hostNameSslStates'), createObject('value', parameters('slots')[copyIndex()].hostNameSslStates), createObject('value', createArray()))]", - "hyperV": "[if(contains(parameters('slots')[copyIndex()], 'hyperV'), createObject('value', parameters('slots')[copyIndex()].hyperV), createObject('value', false()))]", - "publicNetworkAccess": "[if(contains(parameters('slots')[copyIndex()], 'publicNetworkAccess'), createObject('value', parameters('slots')[copyIndex()].publicNetworkAccess), createObject('value', ''))]", - "redundancyMode": "[if(contains(parameters('slots')[copyIndex()], 'redundancyMode'), createObject('value', parameters('slots')[copyIndex()].redundancyMode), createObject('value', 'None'))]", - "vnetContentShareEnabled": "[if(contains(parameters('slots')[copyIndex()], 'vnetContentShareEnabled'), createObject('value', parameters('slots')[copyIndex()].vnetContentShareEnabled), createObject('value', false()))]", - "vnetImagePullEnabled": "[if(contains(parameters('slots')[copyIndex()], 'vnetImagePullEnabled'), createObject('value', parameters('slots')[copyIndex()].vnetImagePullEnabled), 
createObject('value', false()))]", - "vnetRouteAllEnabled": "[if(contains(parameters('slots')[copyIndex()], 'vnetRouteAllEnabled'), createObject('value', parameters('slots')[copyIndex()].vnetRouteAllEnabled), createObject('value', false()))]", - "hybridConnectionRelays": "[if(contains(parameters('slots')[copyIndex()], 'hybridConnectionRelays'), createObject('value', parameters('slots')[copyIndex()].hybridConnectionRelays), createObject('value', createArray()))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16876460167630133410" - }, - "name": "Web/Function App Deployment Slots", - "description": "This module deploys a Web or Function App Deployment Slot.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." 
- } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." 
- } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." 
- } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." 
- } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. 
The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the slot." - } - }, - "appName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent site resource. Required if the template is used in a standalone deployment." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "functionapp", - "functionapp,linux", - "functionapp,workflowapp", - "functionapp,workflowapp,linux", - "app" - ], - "metadata": { - "description": "Required. Type of slot to deploy." - } - }, - "serverFarmResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of the app service plan to use for the slot." - } - }, - "httpsOnly": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Configures a slot to accept only HTTPS requests. Issues redirect for HTTP requests." - } - }, - "clientAffinityEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. If client affinity is enabled." - } - }, - "appServiceEnvironmentResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of the app service environment to use for this resource." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "keyVaultAccessIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
The resource ID of the assigned identity to be used to access a key vault with." - } - }, - "storageAccountRequired": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Checks if Customer provided storage account is required." - } - }, - "virtualNetworkSubnetId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Azure Resource Manager ID of the Virtual network and subnet to be joined by Regional VNET Integration. This must be of the form /subscriptions/{subscriptionName}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}." - } - }, - "siteConfig": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The site config object." - } - }, - "storageAccountResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions." - } - }, - "appInsightResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the app insight to leverage for this resource." - } - }, - "setAzureWebJobsDashboard": { - "type": "bool", - "defaultValue": "[if(contains(parameters('kind'), 'functionapp'), true(), false())]", - "metadata": { - "description": "Optional. For function apps. If true the app settings \"AzureWebJobsDashboard\" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons." - } - }, - "appSettingsKeyValuePairs": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The app settings-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING." 
- } - }, - "authSettingV2Configuration": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The auth settings V2 configuration." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. Configuration details for private endpoints." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "clientCertEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. To enable client certificate authentication (TLS mutual authentication)." - } - }, - "clientCertExclusionPaths": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Client certificate authentication comma-separated exclusion paths." - } - }, - "clientCertMode": { - "type": "string", - "defaultValue": "Optional", - "allowedValues": [ - "Optional", - "OptionalInteractiveUser", - "Required" - ], - "metadata": { - "description": "Optional. This composes with ClientCertEnabled setting.

- ClientCertEnabled: false means ClientCert is ignored.

- ClientCertEnabled: true and ClientCertMode: Required means ClientCert is required.

- ClientCertEnabled: true and ClientCertMode: Optional means ClientCert is optional or accepted." - } - }, - "cloningInfo": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. If specified during app creation, the app is cloned from a source app." - } - }, - "containerSize": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Size of the function container." - } - }, - "customDomainVerificationId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Unique identifier that verifies the custom domains assigned to the app. Customer will add this ID to a txt record for verification." - } - }, - "dailyMemoryTimeQuota": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Maximum allowed daily memory-time quota (applicable on dynamic apps only)." - } - }, - "enabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Setting this value to false disables the app (takes the app offline)." - } - }, - "hostNameSslStates": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Hostname SSL states are used to manage the SSL bindings for app's hostnames." - } - }, - "hyperV": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Hyper-V sandbox." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "Enabled", - "Disabled", - "" - ], - "metadata": { - "description": "Optional. Allow or block all public traffic." - } - }, - "redundancyMode": { - "type": "string", - "defaultValue": "None", - "allowedValues": [ - "ActiveActive", - "Failover", - "GeoRedundant", - "Manual", - "None" - ], - "metadata": { - "description": "Optional. Site redundancy mode." - } - }, - "basicPublishingCredentialsPolicies": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. 
The site publishing credential policy names which are associated with the site slot." - } - }, - "vnetContentShareEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. To enable accessing content over virtual network." - } - }, - "vnetImagePullEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. To enable pulling image over Virtual Network." - } - }, - "vnetRouteAllEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Virtual Network Route All enabled. This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied." - } - }, - "hybridConnectionRelays": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Names of hybrid connection relays to connect app with." - } - } - }, - "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "App Compliance Automation Administrator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Web Plan Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", - "Website Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')]" - } - }, - "resources": { - "app": { - "existing": true, - "type": "Microsoft.Web/sites", - "apiVersion": "2021-03-01", - "name": "[parameters('appName')]" - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "slot": { - "type": "Microsoft.Web/sites/slots", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}', parameters('appName'), parameters('name'))]", - "location": "[parameters('location')]", - "kind": "[parameters('kind')]", - "tags": "[parameters('tags')]", - 
"identity": "[variables('identity')]", - "properties": { - "serverFarmId": "[parameters('serverFarmResourceId')]", - "clientAffinityEnabled": "[parameters('clientAffinityEnabled')]", - "httpsOnly": "[parameters('httpsOnly')]", - "hostingEnvironmentProfile": "[if(not(empty(parameters('appServiceEnvironmentResourceId'))), createObject('id', parameters('appServiceEnvironmentResourceId')), null())]", - "storageAccountRequired": "[parameters('storageAccountRequired')]", - "keyVaultReferenceIdentity": "[if(not(empty(parameters('keyVaultAccessIdentityResourceId'))), parameters('keyVaultAccessIdentityResourceId'), null())]", - "virtualNetworkSubnetId": "[if(not(empty(parameters('virtualNetworkSubnetId'))), parameters('virtualNetworkSubnetId'), null())]", - "siteConfig": "[parameters('siteConfig')]", - "clientCertEnabled": "[parameters('clientCertEnabled')]", - "clientCertExclusionPaths": "[if(not(empty(parameters('clientCertExclusionPaths'))), parameters('clientCertExclusionPaths'), null())]", - "clientCertMode": "[parameters('clientCertMode')]", - "cloningInfo": "[if(not(empty(parameters('cloningInfo'))), parameters('cloningInfo'), null())]", - "containerSize": "[if(not(equals(parameters('containerSize'), -1)), parameters('containerSize'), null())]", - "customDomainVerificationId": "[if(not(empty(parameters('customDomainVerificationId'))), parameters('customDomainVerificationId'), null())]", - "dailyMemoryTimeQuota": "[if(not(equals(parameters('dailyMemoryTimeQuota'), -1)), parameters('dailyMemoryTimeQuota'), null())]", - "enabled": "[parameters('enabled')]", - "hostNameSslStates": "[parameters('hostNameSslStates')]", - "hyperV": "[parameters('hyperV')]", - "publicNetworkAccess": "[parameters('publicNetworkAccess')]", - "redundancyMode": "[parameters('redundancyMode')]", - "vnetContentShareEnabled": "[parameters('vnetContentShareEnabled')]", - "vnetImagePullEnabled": "[parameters('vnetImagePullEnabled')]", - "vnetRouteAllEnabled": "[parameters('vnetRouteAllEnabled')]" - 
}, - "dependsOn": [ - "app" - ] - }, - "slot_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Web/sites/{0}/slots/{1}', parameters('appName'), parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "slot" - ] - }, - "slot_diagnosticSettings": { - "copy": { - "name": "slot_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Web/sites/{0}/slots/{1}', parameters('appName'), parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), 
createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "slot" - ] - }, - "slot_roleAssignments": { - "copy": { - "name": "slot_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Web/sites/{0}/slots/{1}', parameters('appName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": 
"[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "slot" - ] - }, - "slot_appsettings": { - "condition": "[not(empty(parameters('appSettingsKeyValuePairs')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Slot-{1}-Config-AppSettings', uniqueString(deployment().name, parameters('location')), parameters('name'))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "slotName": { - "value": "[parameters('name')]" - }, - "appName": { - "value": "[parameters('appName')]" - }, - "kind": { - "value": "[parameters('kind')]" - }, - "storageAccountResourceId": { - "value": "[parameters('storageAccountResourceId')]" - }, - "appInsightResourceId": { - "value": "[parameters('appInsightResourceId')]" - }, - "setAzureWebJobsDashboard": { - "value": "[parameters('setAzureWebJobsDashboard')]" - }, - "appSettingsKeyValuePairs": { - "value": "[parameters('appSettingsKeyValuePairs')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10562313393461278954" - }, - "name": "Site Slot App Settings", - "description": "This module deploys a Site Slot App Setting.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "slotName": { - "type": "string", - "metadata": { - "description": "Required. Slot name to be configured." - } - }, - "appName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent site resource. Required if the template is used in a standalone deployment." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "functionapp", - "functionapp,linux", - "functionapp,workflowapp", - "functionapp,workflowapp,linux", - "app" - ], - "metadata": { - "description": "Required. Type of slot to deploy." - } - }, - "storageAccountResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions." - } - }, - "appInsightResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the app insight to leverage for this resource." - } - }, - "setAzureWebJobsDashboard": { - "type": "bool", - "defaultValue": "[if(contains(parameters('kind'), 'functionapp'), true(), false())]", - "metadata": { - "description": "Optional. For function apps. If true the app settings \"AzureWebJobsDashboard\" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons." - } - }, - "appSettingsKeyValuePairs": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. 
The app settings key-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Web/sites/slots/config", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}/{2}', parameters('appName'), parameters('slotName'), 'appsettings')]", - "kind": "[parameters('kind')]", - "properties": "[union(parameters('appSettingsKeyValuePairs'), if(not(empty(parameters('storageAccountResourceId'))), union(createObject('AzureWebJobsStorage', format('DefaultEndpointsProtocol=https;AccountName={0};AccountKey={1};', last(split(parameters('storageAccountResourceId'), '/')), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('storageAccountResourceId'), '/')[2], split(parameters('storageAccountResourceId'), '/')[4]), 'Microsoft.Storage/storageAccounts', last(split(parameters('storageAccountResourceId'), '/'))), '2023-01-01').keys[0].value)), if(equals(parameters('setAzureWebJobsDashboard'), true()), createObject('AzureWebJobsDashboard', format('DefaultEndpointsProtocol=https;AccountName={0};AccountKey={1};', last(split(parameters('storageAccountResourceId'), '/')), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', 
split(parameters('storageAccountResourceId'), '/')[2], split(parameters('storageAccountResourceId'), '/')[4]), 'Microsoft.Storage/storageAccounts', last(split(parameters('storageAccountResourceId'), '/'))), '2023-01-01').keys[0].value)), createObject())), createObject()), if(not(empty(parameters('appInsightResourceId'))), createObject('APPINSIGHTS_INSTRUMENTATIONKEY', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('appInsightResourceId'), '/')[2], split(parameters('appInsightResourceId'), '/')[4]), 'Microsoft.Insights/components', last(split(parameters('appInsightResourceId'), '/'))), '2020-02-02').InstrumentationKey, 'APPLICATIONINSIGHTS_CONNECTION_STRING', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('appInsightResourceId'), '/')[2], split(parameters('appInsightResourceId'), '/')[4]), 'Microsoft.Insights/components', last(split(parameters('appInsightResourceId'), '/'))), '2020-02-02').ConnectionString), createObject()))]" - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the slot config." - }, - "value": "appsettings" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the slot config." - }, - "value": "[resourceId('Microsoft.Web/sites/slots/config', parameters('appName'), parameters('slotName'), 'appsettings')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the slot config was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "app", - "slot" - ] - }, - "slot_authsettingsv2": { - "condition": "[not(empty(parameters('authSettingV2Configuration')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Slot-{1}-Config-AuthSettingsV2', uniqueString(deployment().name, parameters('location')), parameters('name'))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "slotName": { - "value": "[parameters('name')]" - }, - "appName": { - "value": "[parameters('appName')]" - }, - "kind": { - "value": "[parameters('kind')]" - }, - "authSettingV2Configuration": { - "value": "[parameters('authSettingV2Configuration')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13215271953171449159" - }, - "name": "Site Slot Auth Settings V2 Config", - "description": "This module deploys a Site Auth Settings V2 Configuration.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "appName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent site resource. Required if the template is used in a standalone deployment." - } - }, - "slotName": { - "type": "string", - "metadata": { - "description": "Required. Slot name to be configured." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "functionapp", - "functionapp,linux", - "functionapp,workflowapp", - "functionapp,workflowapp,linux", - "app" - ], - "metadata": { - "description": "Required. Type of slot to deploy." 
- } - }, - "authSettingV2Configuration": { - "type": "object", - "metadata": { - "description": "Required. The auth settings V2 configuration." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Web/sites/slots/config", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}/{2}', parameters('appName'), parameters('slotName'), 'authsettingsV2')]", - "kind": "[parameters('kind')]", - "properties": "[parameters('authSettingV2Configuration')]" - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the slot config." - }, - "value": "authsettingsV2" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the slot config." - }, - "value": "[resourceId('Microsoft.Web/sites/slots/config', parameters('appName'), parameters('slotName'), 'authsettingsV2')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the slot config was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "app", - "slot" - ] - }, - "slot_basicPublishingCredentialsPolicies": { - "copy": { - "name": "slot_basicPublishingCredentialsPolicies", - "count": "[length(parameters('basicPublishingCredentialsPolicies'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Slot-Publish-Cred-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "appName": { - "value": "[parameters('appName')]" - }, - "slotName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('basicPublishingCredentialsPolicies')[copyIndex()].name]" - }, - "allow": "[if(contains(parameters('basicPublishingCredentialsPolicies')[copyIndex()], 'allow'), createObject('value', parameters('basicPublishingCredentialsPolicies')[copyIndex()].allow), createObject('value', null()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9260112433322771379" - }, - "name": "Web Site Slot Basic Publishing Credentials Policies", - "description": "This module deploys a Web Site Slot Basic Publishing Credentials Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "allowedValues": [ - "scm", - "ftp" - ], - "metadata": { - "description": "Required. The name of the resource." - } - }, - "allow": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Set to true to enable or false to disable a publishing method." 
- } - }, - "appName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent web site. Required if the template is used in a standalone deployment." - } - }, - "slotName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent web site slot. Required if the template is used in a standalone deployment." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}/{2}', parameters('appName'), parameters('slotName'), parameters('name'))]", - "location": "[parameters('location')]", - "properties": { - "allow": "[parameters('allow')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the basic publishing credential policy." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the basic publishing credential policy." 
- }, - "value": "[resourceId('Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies', parameters('appName'), parameters('slotName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the basic publishing credential policy was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference(resourceId('Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies', parameters('appName'), parameters('slotName'), parameters('name')), '2022-09-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "app", - "slot" - ] - }, - "slot_hybridConnectionRelays": { - "copy": { - "name": "slot_hybridConnectionRelays", - "count": "[length(parameters('hybridConnectionRelays'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Slot-HybridConnectionRelay-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "hybridConnectionResourceId": { - "value": "[parameters('hybridConnectionRelays')[copyIndex()].resourceId]" - }, - "appName": { - "value": "[parameters('appName')]" - }, - "slotName": { - "value": "[parameters('name')]" - }, - "sendKeyName": "[if(contains(parameters('hybridConnectionRelays')[copyIndex()], 'sendKeyName'), createObject('value', parameters('hybridConnectionRelays')[copyIndex()].sendKeyName), createObject('value', null()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": 
"0.23.1.45101", - "templateHash": "299894459930368764" - }, - "name": "Web/Function Apps Slot Hybrid Connection Relay", - "description": "This module deploys a Site Slot Hybrid Connection Namespace Relay.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "hybridConnectionResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the relay namespace hybrid connection." - } - }, - "slotName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the site slot. Required if the template is used in a standalone deployment." - } - }, - "appName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent web site. Required if the template is used in a standalone deployment." - } - }, - "sendKeyName": { - "type": "string", - "defaultValue": "defaultSender", - "metadata": { - "description": "Optional. Name of the authorization rule send key to use." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Web/sites/slots/hybridConnectionNamespaces/relays", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}/{2}/{3}', parameters('appName'), parameters('slotName'), split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10])]", - "properties": { - "serviceBusNamespace": "[split(parameters('hybridConnectionResourceId'), '/')[8]]", - "serviceBusSuffix": "[split(substring(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hybridConnectionResourceId'), '/')[2], split(parameters('hybridConnectionResourceId'), '/')[4]), 'Microsoft.Relay/namespaces', split(parameters('hybridConnectionResourceId'), '/')[8]), '2021-11-01').serviceBusEndpoint, indexOf(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hybridConnectionResourceId'), '/')[2], split(parameters('hybridConnectionResourceId'), '/')[4]), 'Microsoft.Relay/namespaces', split(parameters('hybridConnectionResourceId'), '/')[8]), '2021-11-01').serviceBusEndpoint, '.servicebus')), ':')[0]]", - "relayName": "[split(parameters('hybridConnectionResourceId'), '/')[10]]", - "relayArmUri": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hybridConnectionResourceId'), '/')[2], split(parameters('hybridConnectionResourceId'), '/')[4]), 'Microsoft.Relay/namespaces/hybridConnections', 
split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10])]", - "hostname": "[split(json(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hybridConnectionResourceId'), '/')[2], split(parameters('hybridConnectionResourceId'), '/')[4]), 'Microsoft.Relay/namespaces/hybridConnections', split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10]), '2021-11-01').userMetadata)[0].value, ':')[0]]", - "port": "[int(split(json(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hybridConnectionResourceId'), '/')[2], split(parameters('hybridConnectionResourceId'), '/')[4]), 'Microsoft.Relay/namespaces/hybridConnections', split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10]), '2021-11-01').userMetadata)[0].value, ':')[1])]", - "sendKeyName": "[parameters('sendKeyName')]", - "sendKeyValue": "[listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hybridConnectionResourceId'), '/')[2], split(parameters('hybridConnectionResourceId'), '/')[4]), 'Microsoft.Relay/namespaces/hybridConnections/authorizationRules', split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10], parameters('sendKeyName')), '2021-11-01').primaryKey]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the hybrid connection relay.." - }, - "value": "[format('{0}/{1}/{2}/{3}', parameters('appName'), parameters('slotName'), split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10])]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the hybrid connection relay." 
- }, - "value": "[resourceId('Microsoft.Web/sites/slots/hybridConnectionNamespaces/relays', split(format('{0}/{1}/{2}/{3}', parameters('appName'), parameters('slotName'), split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10]), '/')[0], split(format('{0}/{1}/{2}/{3}', parameters('appName'), parameters('slotName'), split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10]), '/')[1], split(format('{0}/{1}/{2}/{3}', parameters('appName'), parameters('slotName'), split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10]), '/')[2], split(format('{0}/{1}/{2}/{3}', parameters('appName'), parameters('slotName'), split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10]), '/')[3])]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the resource was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "app", - "slot" - ] - }, - "slot_privateEndpoints": { - "copy": { - "name": "slot_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-app-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'sites')]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Web/sites', parameters('appName')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'sites'), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.Web/sites', parameters('appName'))]" - }, - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": { - "value": 
"[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": 
"Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." 
- } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." 
- } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private 
DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - 
"groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": 
"Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": 
"string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "app" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the slot." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the slot." - }, - "value": "[resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the slot was deployed into." 
- }, - "value": "[resourceGroup().name]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('slot', '2022-09-01', 'full').identity, 'principalId')), reference('slot', '2022-09-01', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('slot', '2022-09-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "app" - ] - }, - "app_basicPublishingCredentialsPolicies": { - "copy": { - "name": "app_basicPublishingCredentialsPolicies", - "count": "[length(parameters('basicPublishingCredentialsPolicies'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Site-Publish-Cred-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "webAppName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('basicPublishingCredentialsPolicies')[copyIndex()].name]" - }, - "allow": "[if(contains(parameters('basicPublishingCredentialsPolicies')[copyIndex()], 'allow'), createObject('value', parameters('basicPublishingCredentialsPolicies')[copyIndex()].allow), createObject('value', null()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "12054216906297236281" - }, - "name": "Web Site Basic Publishing Credentials Policies", - 
"description": "This module deploys a Web Site Basic Publishing Credentials Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "allowedValues": [ - "scm", - "ftp" - ], - "metadata": { - "description": "Required. The name of the resource." - } - }, - "allow": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Set to true to enable or false to disable a publishing method." - } - }, - "webAppName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent web site. Required if the template is used in a standalone deployment." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}', parameters('webAppName'), parameters('name'))]", - "location": "[parameters('location')]", - "properties": { - "allow": "[parameters('allow')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the basic publishing credential policy." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the basic publishing credential policy." - }, - "value": "[resourceId('Microsoft.Web/sites/basicPublishingCredentialsPolicies', parameters('webAppName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the basic publishing credential policy was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference(resourceId('Microsoft.Web/sites/basicPublishingCredentialsPolicies', parameters('webAppName'), parameters('name')), '2022-09-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "app" - ] - }, - "app_hybridConnectionRelays": { - "copy": { - "name": "app_hybridConnectionRelays", - "count": "[length(parameters('hybridConnectionRelays'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-HybridConnectionRelay-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "hybridConnectionResourceId": { - "value": "[parameters('hybridConnectionRelays')[copyIndex()].resourceId]" - }, - "appName": { - "value": "[parameters('name')]" - }, - "sendKeyName": "[if(contains(parameters('hybridConnectionRelays')[copyIndex()], 'sendKeyName'), createObject('value', parameters('hybridConnectionRelays')[copyIndex()].sendKeyName), createObject('value', null()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - 
"_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "14574905385050050440" - }, - "name": "Web/Function Apps Hybrid Connection Relay", - "description": "This module deploys a Site Hybrid Connection Namespace Relay.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "hybridConnectionResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the relay namespace hybrid connection." - } - }, - "appName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent web site. Required if the template is used in a standalone deployment." - } - }, - "sendKeyName": { - "type": "string", - "defaultValue": "defaultSender", - "metadata": { - "description": "Optional. Name of the authorization rule send key to use." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Web/sites/hybridConnectionNamespaces/relays", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}/{2}', parameters('appName'), split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10])]", - "properties": { - "serviceBusNamespace": "[split(parameters('hybridConnectionResourceId'), '/')[8]]", - "serviceBusSuffix": "[split(substring(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hybridConnectionResourceId'), '/')[2], split(parameters('hybridConnectionResourceId'), '/')[4]), 'Microsoft.Relay/namespaces', split(parameters('hybridConnectionResourceId'), '/')[8]), '2021-11-01').serviceBusEndpoint, indexOf(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hybridConnectionResourceId'), '/')[2], split(parameters('hybridConnectionResourceId'), '/')[4]), 'Microsoft.Relay/namespaces', split(parameters('hybridConnectionResourceId'), '/')[8]), '2021-11-01').serviceBusEndpoint, '.servicebus')), ':')[0]]", - "relayName": "[split(parameters('hybridConnectionResourceId'), '/')[10]]", - "relayArmUri": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hybridConnectionResourceId'), '/')[2], split(parameters('hybridConnectionResourceId'), '/')[4]), 'Microsoft.Relay/namespaces/hybridConnections', split(parameters('hybridConnectionResourceId'), '/')[8], 
split(parameters('hybridConnectionResourceId'), '/')[10])]", - "hostname": "[split(json(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hybridConnectionResourceId'), '/')[2], split(parameters('hybridConnectionResourceId'), '/')[4]), 'Microsoft.Relay/namespaces/hybridConnections', split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10]), '2021-11-01').userMetadata)[0].value, ':')[0]]", - "port": "[int(split(json(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hybridConnectionResourceId'), '/')[2], split(parameters('hybridConnectionResourceId'), '/')[4]), 'Microsoft.Relay/namespaces/hybridConnections', split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10]), '2021-11-01').userMetadata)[0].value, ':')[1])]", - "sendKeyName": "[parameters('sendKeyName')]", - "sendKeyValue": "[listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hybridConnectionResourceId'), '/')[2], split(parameters('hybridConnectionResourceId'), '/')[4]), 'Microsoft.Relay/namespaces/hybridConnections/authorizationRules', split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10], parameters('sendKeyName')), '2021-11-01').primaryKey]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the hybrid connection relay.." - }, - "value": "[format('{0}/{1}/{2}', parameters('appName'), split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10])]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the hybrid connection relay." 
- }, - "value": "[resourceId('Microsoft.Web/sites/hybridConnectionNamespaces/relays', split(format('{0}/{1}/{2}', parameters('appName'), split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10]), '/')[0], split(format('{0}/{1}/{2}', parameters('appName'), split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10]), '/')[1], split(format('{0}/{1}/{2}', parameters('appName'), split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10]), '/')[2])]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the resource was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "app" - ] - }, - "app_privateEndpoints": { - "copy": { - "name": "app_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-app-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'sites')]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Web/sites', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'sites'), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.Web/sites', parameters('name'))]" - }, - "subnetResourceId": { - "value": 
"[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - 
"customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. 
Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." 
- } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. 
The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } 
- }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - "groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": 
"privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": 
"Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "app" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the site." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the site." - }, - "value": "[resourceId('Microsoft.Web/sites', parameters('name'))]" - }, - "slots": { - "type": "array", - "metadata": { - "description": "The list of the slots." - }, - "copy": { - "count": "[length(parameters('slots'))]", - "input": "[format('{0}-Slot-{1}', uniqueString(deployment().name, parameters('location')), parameters('slots')[copyIndex()].name)]" - } - }, - "slotResourceIds": { - "type": "array", - "metadata": { - "description": "The list of the slot resource ids." - }, - "copy": { - "count": "[length(parameters('slots'))]", - "input": "[reference(format('app_slots[{0}]', copyIndex())).outputs.resourceId.value]" - } - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the site was deployed into." 
- }, - "value": "[resourceGroup().name]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('app', '2022-09-01', 'full').identity, 'principalId')), reference('app', '2022-09-01', 'full').identity.principalId, '')]" - }, - "slotSystemAssignedMIPrincipalIds": { - "type": "array", - "metadata": { - "description": "The principal ID of the system assigned identity of slots." - }, - "copy": { - "count": "[length(parameters('slots'))]", - "input": "[reference(format('app_slots[{0}]', copyIndex())).outputs.systemAssignedMIPrincipalId.value]" - } - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('app', '2022-09-01', 'full').location]" - }, - "defaultHostname": { - "type": "string", - "metadata": { - "description": "Default hostname of the app." - }, - "value": "[reference('app').defaultHostName]" - } - } -} \ No newline at end of file diff --git a/modules/web/site/slot/README.md b/modules/web/site/slot/README.md deleted file mode 100644 index 81cb13f3a5..0000000000 --- a/modules/web/site/slot/README.md +++ /dev/null 
@@ -1,954 +0,0 @@ -# Web/Function App Deployment Slots `[Microsoft.Web/sites/slots]` - -This module deploys a Web or Function App Deployment Slot. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -| `Microsoft.Web/sites/slots` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-09-01/sites/slots) | -| `Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites) | -| `Microsoft.Web/sites/slots/config` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites) | -| `Microsoft.Web/sites/slots/hybridConnectionNamespaces/relays` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-09-01/sites/slots/hybridConnectionNamespaces/relays) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-kind) | string | 
Type of slot to deploy. | -| [`name`](#parameter-name) | string | Name of the slot. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`appName`](#parameter-appname) | string | The name of the parent site resource. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`appInsightResourceId`](#parameter-appinsightresourceid) | string | Resource ID of the app insight to leverage for this resource. | -| [`appServiceEnvironmentResourceId`](#parameter-appserviceenvironmentresourceid) | string | The resource ID of the app service environment to use for this resource. | -| [`appSettingsKeyValuePairs`](#parameter-appsettingskeyvaluepairs) | object | The app settings-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING. | -| [`authSettingV2Configuration`](#parameter-authsettingv2configuration) | object | The auth settings V2 configuration. | -| [`basicPublishingCredentialsPolicies`](#parameter-basicpublishingcredentialspolicies) | array | The site publishing credential policy names which are associated with the site slot. | -| [`clientAffinityEnabled`](#parameter-clientaffinityenabled) | bool | If client affinity is enabled. | -| [`clientCertEnabled`](#parameter-clientcertenabled) | bool | To enable client certificate authentication (TLS mutual authentication). | -| [`clientCertExclusionPaths`](#parameter-clientcertexclusionpaths) | string | Client certificate authentication comma-separated exclusion paths. | -| [`clientCertMode`](#parameter-clientcertmode) | string | This composes with ClientCertEnabled setting.

- ClientCertEnabled: false means ClientCert is ignored.

- ClientCertEnabled: true and ClientCertMode: Required means ClientCert is required.

- ClientCertEnabled: true and ClientCertMode: Optional means ClientCert is optional or accepted. | -| [`cloningInfo`](#parameter-cloninginfo) | object | If specified during app creation, the app is cloned from a source app. | -| [`containerSize`](#parameter-containersize) | int | Size of the function container. | -| [`customDomainVerificationId`](#parameter-customdomainverificationid) | string | Unique identifier that verifies the custom domains assigned to the app. Customer will add this ID to a txt record for verification. | -| [`dailyMemoryTimeQuota`](#parameter-dailymemorytimequota) | int | Maximum allowed daily memory-time quota (applicable on dynamic apps only). | -| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`enabled`](#parameter-enabled) | bool | Setting this value to false disables the app (takes the app offline). | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| [`hostNameSslStates`](#parameter-hostnamesslstates) | array | Hostname SSL states are used to manage the SSL bindings for app's hostnames. | -| [`httpsOnly`](#parameter-httpsonly) | bool | Configures a slot to accept only HTTPS requests. Issues redirect for HTTP requests. | -| [`hybridConnectionRelays`](#parameter-hybridconnectionrelays) | array | Names of hybrid connection relays to connect app with. | -| [`hyperV`](#parameter-hyperv) | bool | Hyper-V sandbox. | -| [`keyVaultAccessIdentityResourceId`](#parameter-keyvaultaccessidentityresourceid) | string | The resource ID of the assigned identity to be used to access a key vault with. | -| [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. 
| -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. | -| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Allow or block all public traffic. | -| [`redundancyMode`](#parameter-redundancymode) | string | Site redundancy mode. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`serverFarmResourceId`](#parameter-serverfarmresourceid) | string | The resource ID of the app service plan to use for the slot. | -| [`setAzureWebJobsDashboard`](#parameter-setazurewebjobsdashboard) | bool | For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons. | -| [`siteConfig`](#parameter-siteconfig) | object | The site config object. | -| [`storageAccountRequired`](#parameter-storageaccountrequired) | bool | Checks if Customer provided storage account is required. | -| [`storageAccountResourceId`](#parameter-storageaccountresourceid) | string | Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`virtualNetworkSubnetId`](#parameter-virtualnetworksubnetid) | string | Azure Resource Manager ID of the Virtual network and subnet to be joined by Regional VNET Integration. This must be of the form /subscriptions/{subscriptionName}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}. | -| [`vnetContentShareEnabled`](#parameter-vnetcontentshareenabled) | bool | To enable accessing content over virtual network. | -| [`vnetImagePullEnabled`](#parameter-vnetimagepullenabled) | bool | To enable pulling image over Virtual Network. | -| [`vnetRouteAllEnabled`](#parameter-vnetrouteallenabled) | bool | Virtual Network Route All enabled. 
This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied. | - -### Parameter: `kind` - -Type of slot to deploy. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'app' - 'functionapp' - 'functionapp,linux' - 'functionapp,workflowapp' - 'functionapp,workflowapp,linux' - ] - ``` - -### Parameter: `name` - -Name of the slot. - -- Required: Yes -- Type: string - -### Parameter: `appName` - -The name of the parent site resource. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `appInsightResourceId` - -Resource ID of the app insight to leverage for this resource. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `appServiceEnvironmentResourceId` - -The resource ID of the app service environment to use for this resource. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `appSettingsKeyValuePairs` - -The app settings-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `authSettingV2Configuration` - -The auth settings V2 configuration. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `basicPublishingCredentialsPolicies` - -The site publishing credential policy names which are associated with the site slot. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `clientAffinityEnabled` - -If client affinity is enabled. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `clientCertEnabled` - -To enable client certificate authentication (TLS mutual authentication). - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `clientCertExclusionPaths` - -Client certificate authentication comma-separated exclusion paths. 
- -- Required: No -- Type: string -- Default: `''` - -### Parameter: `clientCertMode` - -This composes with ClientCertEnabled setting.

- ClientCertEnabled: false means ClientCert is ignored.

- ClientCertEnabled: true and ClientCertMode: Required means ClientCert is required.

- ClientCertEnabled: true and ClientCertMode: Optional means ClientCert is optional or accepted. - -- Required: No -- Type: string -- Default: `'Optional'` -- Allowed: - ```Bicep - [ - 'Optional' - 'OptionalInteractiveUser' - 'Required' - ] - ``` - -### Parameter: `cloningInfo` - -If specified during app creation, the app is cloned from a source app. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `containerSize` - -Size of the function container. - -- Required: No -- Type: int -- Default: `-1` - -### Parameter: `customDomainVerificationId` - -Unique identifier that verifies the custom domains assigned to the app. Customer will add this ID to a txt record for verification. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `dailyMemoryTimeQuota` - -Maximum allowed daily memory-time quota (applicable on dynamic apps only). - -- Required: No -- Type: int -- Default: `-1` - -### Parameter: `diagnosticSettings` - -The diagnostic settings of the service. - -- Required: No -- Type: array - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.eventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` - -A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'AzureDiagnostics' - 'Dedicated' - ] - ``` - -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.metricCategories` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -### Parameter: `diagnosticSettings.name` - -The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.storageAccountResourceId` - -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.workspaceResourceId` - -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `enabled` - -Setting this value to false disables the app (takes the app offline). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via the Customer Usage Attribution ID (GUID). 
- -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `hostNameSslStates` - -Hostname SSL states are used to manage the SSL bindings for app's hostnames. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `httpsOnly` - -Configures a slot to accept only HTTPS requests. Issues redirect for HTTP requests. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `hybridConnectionRelays` - -Names of hybrid connection relays to connect app with. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `hyperV` - -Hyper-V sandbox. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `keyVaultAccessIdentityResourceId` - -The resource ID of the assigned identity to be used to access a key vault with. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `location` - -Location for all Resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. 
| -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints` - -Configuration details for private endpoints. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. 
| -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.subnetResourceId` - -Resource ID of the subnet where the endpoint needs to be created. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Application security groups in which the private endpoint IP configuration is included. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customDnsConfigs` - -Custom DNS configurations. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customNetworkInterfaceName` - -The custom name of the network interface attached to the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.enableTelemetry` - -Enable/Disable usage telemetry for module. - -- Required: No -- Type: bool - -### Parameter: `privateEndpoints.ipConfigurations` - -A list of IP configurations of the private endpoint. 
This will be used to map to the First Party Service endpoints. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.location` - -The location to deploy the private endpoint to. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.lock` - -Specify the type of lock. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | -| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | - -### Parameter: `privateEndpoints.lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `privateEndpoints.lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` - -Manual PrivateLink Service Connections. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.name` - -The name of the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneGroupName` - -The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` - -The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| -| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `privateEndpoints.roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.condition` - -The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `privateEndpoints.service` - -The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.tags` - -Tags to be applied on all resources/resource groups in this deployment. - -- Required: No -- Type: object - -### Parameter: `publicNetworkAccess` - -Allow or block all public traffic. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `redundancyMode` - -Site redundancy mode. - -- Required: No -- Type: string -- Default: `'None'` -- Allowed: - ```Bicep - [ - 'ActiveActive' - 'Failover' - 'GeoRedundant' - 'Manual' - 'None' - ] - ``` - -### Parameter: `roleAssignments` - -Array of role assignments to create. 
- -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
- -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `serverFarmResourceId` - -The resource ID of the app service plan to use for the slot. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `setAzureWebJobsDashboard` - -For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons. - -- Required: No -- Type: bool -- Default: `[if(contains(parameters('kind'), 'functionapp'), true(), false())]` - -### Parameter: `siteConfig` - -The site config object. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `storageAccountRequired` - -Checks if Customer provided storage account is required. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `storageAccountResourceId` - -Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions. 
- -- Required: No -- Type: string -- Default: `''` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `virtualNetworkSubnetId` - -Azure Resource Manager ID of the Virtual network and subnet to be joined by Regional VNET Integration. This must be of the form /subscriptions/{subscriptionName}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `vnetContentShareEnabled` - -To enable accessing content over virtual network. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `vnetImagePullEnabled` - -To enable pulling image over Virtual Network. - -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `vnetRouteAllEnabled` - -Virtual Network Route All enabled. This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied. - -- Required: No -- Type: bool -- Default: `False` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the slot. | -| `resourceGroupName` | string | The resource group the slot was deployed into. | -| `resourceId` | string | The resource ID of the slot. | -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). 
- -| Reference | Type | -| :-- | :-- | -| `modules/network/private-endpoint` | Local reference | - -## Notes - -### Parameter Usage: `appSettingsKeyValuePairs` - -AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING are set separately (check parameters storageAccountId, setAzureWebJobsDashboard, appInsightId). -For all other app settings key-value pairs use this object. - -
- -Parameter JSON format - -```json -"appSettingsKeyValuePairs": { - "value": { - "AzureFunctionsJobHost__logging__logLevel__default": "Trace", - "EASYAUTH_SECRET": "https://adp-[[namePrefix]]-az-kv-x-001.vault.azure.net/secrets/Modules-Test-SP-Password", - "FUNCTIONS_EXTENSION_VERSION": "~4", - "FUNCTIONS_WORKER_RUNTIME": "dotnet" - } -} -``` - -
- -
- -Bicep format - -```bicep -appSettingsKeyValuePairs: { - AzureFunctionsJobHost__logging__logLevel__default: 'Trace' - EASYAUTH_SECRET: 'https://adp-[[namePrefix]]-az-kv-x-001.vault.azure.net/secrets/Modules-Test-SP-Password' - FUNCTIONS_EXTENSION_VERSION: '~4' - FUNCTIONS_WORKER_RUNTIME: 'dotnet' -} -``` - -
-

diff --git a/modules/web/site/slot/basic-publishing-credentials-policy/README.md b/modules/web/site/slot/basic-publishing-credentials-policy/README.md
deleted file mode 100644
index 832ba049c9..0000000000
--- a/modules/web/site/slot/basic-publishing-credentials-policy/README.md
+++ /dev/null
@@ -1,105 +0,0 @@
-# Web Site Slot Basic Publishing Credentials Policies `[Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies]`
-
-This module deploys a Web Site Slot Basic Publishing Credentials Policy.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the resource. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`appName`](#parameter-appname) | string | The name of the parent web site. Required if the template is used in a standalone deployment. |
-| [`slotName`](#parameter-slotname) | string | The name of the parent web site slot. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`allow`](#parameter-allow) | bool | Set to true to enable or false to disable a publishing method. |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`location`](#parameter-location) | string | Location for all Resources. |
-
-### Parameter: `name`
-
-The name of the resource.
-
-- Required: Yes
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'ftp'
- 'scm'
- ]
- ```
-
-### Parameter: `appName`
-
-The name of the parent web site. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `slotName`
-
-The name of the parent web site slot. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `allow`
-
-Set to true to enable or false to disable a publishing method.
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `location`
-
-Location for all Resources.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the basic publishing credential policy. |
-| `resourceGroupName` | string | The name of the resource group the basic publishing credential policy was deployed into. |
-| `resourceId` | string | The resource ID of the basic publishing credential policy. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/web/site/slot/basic-publishing-credentials-policy/main.bicep b/modules/web/site/slot/basic-publishing-credentials-policy/main.bicep
deleted file mode 100644
index 303b1d9e70..0000000000
--- a/modules/web/site/slot/basic-publishing-credentials-policy/main.bicep
+++ /dev/null
@@ -1,66 +0,0 @@
-metadata name = 'Web Site Slot Basic Publishing Credentials Policies'
-metadata description = 'This module deploys a Web Site Slot Basic Publishing Credentials Policy.'
-metadata owner = 'Azure/module-maintainers'
-
-@sys.description('Required. The name of the resource.')
-@allowed([
- 'scm'
- 'ftp'
-])
-param name string
-
-@sys.description('Optional. Set to true to enable or false to disable a publishing method.')
-param allow bool = true
-
-@sys.description('Conditional. The name of the parent web site. Required if the template is used in a standalone deployment.')
-param appName string
-
-@sys.description('Conditional. The name of the parent web site slot. Required if the template is used in a standalone deployment.')
-param slotName string
-
-@description('Optional. Location for all Resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource app 'Microsoft.Web/sites@2022-09-01' existing = {
- name: appName
-
- resource slot 'slots' existing = {
- name: slotName
- }
-}
-
-resource basicPublishingCredentialsPolicy 'Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies@2022-09-01' = {
- name: name
- location: location
- parent: app::slot
- properties: {
- allow: allow
- }
-}
-
-@sys.description('The name of the basic publishing credential policy.')
-output name string = basicPublishingCredentialsPolicy.name
-
-@sys.description('The resource ID of the basic publishing credential policy.')
-output resourceId string = basicPublishingCredentialsPolicy.id
-
-@sys.description('The name of the resource group the basic publishing credential policy was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@sys.description('The location the resource was deployed into.')
-output location string = basicPublishingCredentialsPolicy.location
diff --git a/modules/web/site/slot/basic-publishing-credentials-policy/main.json b/modules/web/site/slot/basic-publishing-credentials-policy/main.json
deleted file mode 100644
index f658a67a56..0000000000
--- a/modules/web/site/slot/basic-publishing-credentials-policy/main.json
+++ /dev/null
@@ -1,114 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9260112433322771379" - }, - "name": "Web Site Slot Basic Publishing Credentials Policies", - "description": "This module deploys a Web Site Slot Basic Publishing Credentials Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "allowedValues": [ - "scm", - "ftp" - ], - "metadata": { - "description": "Required. The name of the resource." - } - }, - "allow": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Set to true to enable or false to disable a publishing method." - } - }, - "appName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent web site. Required if the template is used in a standalone deployment." - } - }, - "slotName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent web site slot. Required if the template is used in a standalone deployment." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}/{2}', parameters('appName'), parameters('slotName'), parameters('name'))]", - "location": "[parameters('location')]", - "properties": { - "allow": "[parameters('allow')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the basic publishing credential policy." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the basic publishing credential policy." - }, - "value": "[resourceId('Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies', parameters('appName'), parameters('slotName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the basic publishing credential policy was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference(resourceId('Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies', parameters('appName'), parameters('slotName'), parameters('name')), '2022-09-01', 'full').location]" - } - } -} \ No newline at end of file 
diff --git a/modules/web/site/slot/basic-publishing-credentials-policy/version.json b/modules/web/site/slot/basic-publishing-credentials-policy/version.json
deleted file mode 100644
index 7fa401bdf7..0000000000
--- a/modules/web/site/slot/basic-publishing-credentials-policy/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.1",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/web/site/slot/config--appsettings/README.md b/modules/web/site/slot/config--appsettings/README.md
deleted file mode 100644
index 7ef555845d..0000000000
--- a/modules/web/site/slot/config--appsettings/README.md
+++ /dev/null
@@ -1,169 +0,0 @@ -# Site Slot App Settings `[Microsoft.Web/sites/slots/config]` - -This module deploys a Site Slot App Setting. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Web/sites/slots/config` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-kind) | string | Type of slot to deploy. | -| [`slotName`](#parameter-slotname) | string | Slot name to be configured. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`appName`](#parameter-appname) | string | The name of the parent site resource. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`appInsightResourceId`](#parameter-appinsightresourceid) | string | Resource ID of the app insight to leverage for this resource. | -| [`appSettingsKeyValuePairs`](#parameter-appsettingskeyvaluepairs) | object | The app settings key-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| [`setAzureWebJobsDashboard`](#parameter-setazurewebjobsdashboard) | bool | For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons. | -| [`storageAccountResourceId`](#parameter-storageaccountresourceid) | string | Required if app of kind functionapp. 
Resource ID of the storage account to manage triggers and logging function executions. | - -### Parameter: `kind` - -Type of slot to deploy. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'app' - 'functionapp' - 'functionapp,linux' - 'functionapp,workflowapp' - 'functionapp,workflowapp,linux' - ] - ``` - -### Parameter: `slotName` - -Slot name to be configured. - -- Required: Yes -- Type: string - -### Parameter: `appName` - -The name of the parent site resource. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `appInsightResourceId` - -Resource ID of the app insight to leverage for this resource. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `appSettingsKeyValuePairs` - -The app settings key-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via the Customer Usage Attribution ID (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `setAzureWebJobsDashboard` - -For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons. - -- Required: No -- Type: bool -- Default: `[if(contains(parameters('kind'), 'functionapp'), true(), false())]` - -### Parameter: `storageAccountResourceId` - -Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions. - -- Required: No -- Type: string -- Default: `''` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the slot config. | -| `resourceGroupName` | string | The resource group the slot config was deployed into. 
| -| `resourceId` | string | The resource ID of the slot config. | - -## Cross-referenced modules - -_None_ - -## Notes - -### Parameter Usage: `appSettingsKeyValuePairs` - -AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING are set separately (check parameters storageAccountId, setAzureWebJobsDashboard, appInsightId). -For all other app settings key-value pairs use this object. - -

- -Parameter JSON format - -```json -"appSettingsKeyValuePairs": { - "value": { - "AzureFunctionsJobHost__logging__logLevel__default": "Trace", - "EASYAUTH_SECRET": "https://adp-[[namePrefix]]-az-kv-x-001.vault.azure.net/secrets/Modules-Test-SP-Password", - "FUNCTIONS_EXTENSION_VERSION": "~4", - "FUNCTIONS_WORKER_RUNTIME": "dotnet" - } -} -``` - -
- -
- -Bicep format - -```bicep -appSettingsKeyValuePairs: { - AzureFunctionsJobHost__logging__logLevel__default: 'Trace' - EASYAUTH_SECRET: 'https://adp-[[namePrefix]]-az-kv-x-001.vault.azure.net/secrets/Modules-Test-SP-Password' - FUNCTIONS_EXTENSION_VERSION: '~4' - FUNCTIONS_WORKER_RUNTIME: 'dotnet' -} -``` - -
-

- -

-

diff --git a/modules/web/site/slot/config--appsettings/main.bicep b/modules/web/site/slot/config--appsettings/main.bicep
deleted file mode 100644
index 5f3ea19248..0000000000
--- a/modules/web/site/slot/config--appsettings/main.bicep
+++ /dev/null
@@ -1,93 +0,0 @@
-metadata name = 'Site Slot App Settings'
-metadata description = 'This module deploys a Site Slot App Setting.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Slot name to be configured.')
-param slotName string
-
-@description('Conditional. The name of the parent site resource. Required if the template is used in a standalone deployment.')
-param appName string
-
-@description('Required. Type of slot to deploy.')
-@allowed([
- 'functionapp' // function app windows os
- 'functionapp,linux' // function app linux os
- 'functionapp,workflowapp' // logic app workflow
- 'functionapp,workflowapp,linux' // logic app docker container
- 'app' // normal web app
-])
-param kind string
-
-@description('Optional. Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions.')
-param storageAccountResourceId string = ''
-
-@description('Optional. Resource ID of the app insight to leverage for this resource.')
-param appInsightResourceId string = ''
-
-@description('Optional. For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons.')
-param setAzureWebJobsDashboard bool = contains(kind, 'functionapp') ? true : false
-
-@description('Optional. The app settings key-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING.')
-param appSettingsKeyValuePairs object = {}
-
-@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
-param enableDefaultTelemetry bool = true
-
-var azureWebJobsValues = !empty(storageAccountResourceId) ? union({
- AzureWebJobsStorage: 'DefaultEndpointsProtocol=https;AccountName=${storageAccount.name};AccountKey=${storageAccount.listKeys().keys[0].value};'
- }, ((setAzureWebJobsDashboard == true) ? {
- AzureWebJobsDashboard: 'DefaultEndpointsProtocol=https;AccountName=${storageAccount.name};AccountKey=${storageAccount.listKeys().keys[0].value};'
- } : {})) : {}
-
-var appInsightsValues = !empty(appInsightResourceId) ? {
- APPINSIGHTS_INSTRUMENTATIONKEY: appInsight.properties.InstrumentationKey
- APPLICATIONINSIGHTS_CONNECTION_STRING: appInsight.properties.ConnectionString
-} : {}
-
-var expandedAppSettings = union(appSettingsKeyValuePairs, azureWebJobsValues, appInsightsValues)
-
-resource app 'Microsoft.Web/sites@2022-09-01' existing = {
- name: appName
-
- resource slot 'slots' existing = {
- name: slotName
- }
-}
-
-resource appInsight 'Microsoft.Insights/components@2020-02-02' existing = if (!empty(appInsightResourceId)) {
- name: last(split(appInsightResourceId, '/'))!
- scope: resourceGroup(split(appInsightResourceId, '/')[2], split(appInsightResourceId, '/')[4])
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing = if (!empty(storageAccountResourceId)) {
- name: last(split(storageAccountResourceId, '/'))!
- scope: resourceGroup(split(storageAccountResourceId, '/')[2], split(storageAccountResourceId, '/')[4])
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource slotSettings 'Microsoft.Web/sites/slots/config@2022-09-01' = {
- name: 'appsettings'
- kind: kind
- parent: app::slot
- properties: expandedAppSettings
-}
-
-@description('The name of the slot config.')
-output name string = slotSettings.name
-
-@description('The resource ID of the slot config.')
-output resourceId string = slotSettings.id
-
-@description('The resource group the slot config was deployed into.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/web/site/slot/config--appsettings/main.json b/modules/web/site/slot/config--appsettings/main.json
deleted file mode 100644
index 9f20225ec7..0000000000
--- a/modules/web/site/slot/config--appsettings/main.json
+++ /dev/null
@@ -1,122 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10562313393461278954" - }, - "name": "Site Slot App Settings", - "description": "This module deploys a Site Slot App Setting.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "slotName": { - "type": "string", - "metadata": { - "description": "Required. Slot name to be configured." - } - }, - "appName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent site resource. Required if the template is used in a standalone deployment." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "functionapp", - "functionapp,linux", - "functionapp,workflowapp", - "functionapp,workflowapp,linux", - "app" - ], - "metadata": { - "description": "Required. Type of slot to deploy." - } - }, - "storageAccountResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions." - } - }, - "appInsightResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the app insight to leverage for this resource." - } - }, - "setAzureWebJobsDashboard": { - "type": "bool", - "defaultValue": "[if(contains(parameters('kind'), 'functionapp'), true(), false())]", - "metadata": { - "description": "Optional. For function apps. If true the app settings \"AzureWebJobsDashboard\" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons." - } - }, - "appSettingsKeyValuePairs": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. 
The app settings key-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Web/sites/slots/config", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}/{2}', parameters('appName'), parameters('slotName'), 'appsettings')]", - "kind": "[parameters('kind')]", - "properties": "[union(parameters('appSettingsKeyValuePairs'), if(not(empty(parameters('storageAccountResourceId'))), union(createObject('AzureWebJobsStorage', format('DefaultEndpointsProtocol=https;AccountName={0};AccountKey={1};', last(split(parameters('storageAccountResourceId'), '/')), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('storageAccountResourceId'), '/')[2], split(parameters('storageAccountResourceId'), '/')[4]), 'Microsoft.Storage/storageAccounts', last(split(parameters('storageAccountResourceId'), '/'))), '2023-01-01').keys[0].value)), if(equals(parameters('setAzureWebJobsDashboard'), true()), createObject('AzureWebJobsDashboard', format('DefaultEndpointsProtocol=https;AccountName={0};AccountKey={1};', last(split(parameters('storageAccountResourceId'), '/')), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', 
split(parameters('storageAccountResourceId'), '/')[2], split(parameters('storageAccountResourceId'), '/')[4]), 'Microsoft.Storage/storageAccounts', last(split(parameters('storageAccountResourceId'), '/'))), '2023-01-01').keys[0].value)), createObject())), createObject()), if(not(empty(parameters('appInsightResourceId'))), createObject('APPINSIGHTS_INSTRUMENTATIONKEY', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('appInsightResourceId'), '/')[2], split(parameters('appInsightResourceId'), '/')[4]), 'Microsoft.Insights/components', last(split(parameters('appInsightResourceId'), '/'))), '2020-02-02').InstrumentationKey, 'APPLICATIONINSIGHTS_CONNECTION_STRING', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('appInsightResourceId'), '/')[2], split(parameters('appInsightResourceId'), '/')[4]), 'Microsoft.Insights/components', last(split(parameters('appInsightResourceId'), '/'))), '2020-02-02').ConnectionString), createObject()))]" - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the slot config." - }, - "value": "appsettings" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the slot config." - }, - "value": "[resourceId('Microsoft.Web/sites/slots/config', parameters('appName'), parameters('slotName'), 'appsettings')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the slot config was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/web/site/slot/config--appsettings/version.json b/modules/web/site/slot/config--appsettings/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/web/site/slot/config--appsettings/version.json +++ /dev/null 
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/web/site/slot/config--authsettingsv2/README.md b/modules/web/site/slot/config--authsettingsv2/README.md
deleted file mode 100644
index f6a3b6b73c..0000000000
--- a/modules/web/site/slot/config--authsettingsv2/README.md
+++ /dev/null
@@ -1,97 +0,0 @@
-# Site Slot Auth Settings V2 Config `[Microsoft.Web/sites/slots/config]`
-
-This module deploys a Site Auth Settings V2 Configuration.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Web/sites/slots/config` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`authSettingV2Configuration`](#parameter-authsettingv2configuration) | object | The auth settings V2 configuration. |
-| [`kind`](#parameter-kind) | string | Type of slot to deploy. |
-| [`slotName`](#parameter-slotname) | string | Slot name to be configured. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`appName`](#parameter-appname) | string | The name of the parent site resource. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). |
-
-### Parameter: `authSettingV2Configuration`
-
-The auth settings V2 configuration.
-
-- Required: Yes
-- Type: object
-
-### Parameter: `kind`
-
-Type of slot to deploy.
-
-- Required: Yes
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'app'
- 'functionapp'
- 'functionapp,linux'
- 'functionapp,workflowapp'
- 'functionapp,workflowapp,linux'
- ]
- ```
-
-### Parameter: `slotName`
-
-Slot name to be configured.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `appName`
-
-The name of the parent site resource. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via the Customer Usage Attribution ID (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the slot config. |
-| `resourceGroupName` | string | The resource group the slot config was deployed into. |
-| `resourceId` | string | The resource ID of the slot config. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/web/site/slot/config--authsettingsv2/main.bicep b/modules/web/site/slot/config--authsettingsv2/main.bicep
deleted file mode 100644
index 739d7745ad..0000000000
--- a/modules/web/site/slot/config--authsettingsv2/main.bicep
+++ /dev/null
@@ -1,61 +0,0 @@
-metadata name = 'Site Slot Auth Settings V2 Config'
-metadata description = 'This module deploys a Site Auth Settings V2 Configuration.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent site resource. Required if the template is used in a standalone deployment.')
-param appName string
-
-@description('Required. Slot name to be configured.')
-param slotName string
-
-@description('Required. Type of slot to deploy.')
-@allowed([
- 'functionapp' // function app windows os
- 'functionapp,linux' // function app linux os
- 'functionapp,workflowapp' // logic app workflow
- 'functionapp,workflowapp,linux' // logic app docker container
- 'app' // normal web app
-])
-param kind string
-
-@description('Required. The auth settings V2 configuration.')
-param authSettingV2Configuration object
-
-@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource app 'Microsoft.Web/sites@2022-09-01' existing = {
- name: appName
-
- resource slot 'slots' existing = {
- name: slotName
- }
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource slotSettings 'Microsoft.Web/sites/slots/config@2022-09-01' = {
- name: 'authsettingsV2'
- kind: kind
- parent: app::slot
- properties: authSettingV2Configuration
-}
-
-@description('The name of the slot config.')
-output name string = slotSettings.name
-
-@description('The resource ID of the slot config.')
-output resourceId string = slotSettings.id
-
-@description('The resource group the slot config was deployed into.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/web/site/slot/config--authsettingsv2/main.json b/modules/web/site/slot/config--authsettingsv2/main.json
deleted file mode 100644
index a9c77ad4c3..0000000000
--- a/modules/web/site/slot/config--authsettingsv2/main.json
+++ /dev/null
@@ -1,100 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13215271953171449159" - }, - "name": "Site Slot Auth Settings V2 Config", - "description": "This module deploys a Site Auth Settings V2 Configuration.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "appName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent site resource. Required if the template is used in a standalone deployment." - } - }, - "slotName": { - "type": "string", - "metadata": { - "description": "Required. Slot name to be configured." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "functionapp", - "functionapp,linux", - "functionapp,workflowapp", - "functionapp,workflowapp,linux", - "app" - ], - "metadata": { - "description": "Required. Type of slot to deploy." - } - }, - "authSettingV2Configuration": { - "type": "object", - "metadata": { - "description": "Required. The auth settings V2 configuration." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Web/sites/slots/config", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}/{2}', parameters('appName'), parameters('slotName'), 'authsettingsV2')]", - "kind": "[parameters('kind')]", - "properties": "[parameters('authSettingV2Configuration')]" - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the slot config." - }, - "value": "authsettingsV2" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the slot config." - }, - "value": "[resourceId('Microsoft.Web/sites/slots/config', parameters('appName'), parameters('slotName'), 'authsettingsV2')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the slot config was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/web/site/slot/config--authsettingsv2/version.json b/modules/web/site/slot/config--authsettingsv2/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/web/site/slot/config--authsettingsv2/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/web/site/slot/hybrid-connection-namespace/relay/README.md b/modules/web/site/slot/hybrid-connection-namespace/relay/README.md deleted file mode 100644 index 7c1752c839..0000000000 
--- a/modules/web/site/slot/hybrid-connection-namespace/relay/README.md
+++ /dev/null
@@ -1,97 +0,0 @@
-# Web/Function Apps Slot Hybrid Connection Relay `[Microsoft.Web/sites/slots/hybridConnectionNamespaces/relays]`
-
-This module deploys a Site Slot Hybrid Connection Namespace Relay.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Web/sites/slots/hybridConnectionNamespaces/relays` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-09-01/sites/slots/hybridConnectionNamespaces/relays) |
-
-## Parameters
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`hybridConnectionResourceId`](#parameter-hybridconnectionresourceid) | string | The resource ID of the relay namespace hybrid connection. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`appName`](#parameter-appname) | string | The name of the parent web site. Required if the template is used in a standalone deployment. |
-| [`slotName`](#parameter-slotname) | string | The name of the site slot. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`location`](#parameter-location) | string | Location for all Resources. |
-| [`sendKeyName`](#parameter-sendkeyname) | string | Name of the authorization rule send key to use. |
-
-### Parameter: `hybridConnectionResourceId`
-
-The resource ID of the relay namespace hybrid connection.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `appName`
-
-The name of the parent web site. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `slotName`
-
-The name of the site slot. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `location`
-
-Location for all Resources.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-### Parameter: `sendKeyName`
-
-Name of the authorization rule send key to use.
-
-- Required: No
-- Type: string
-- Default: `'defaultSender'`
-
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the hybrid connection relay.. |
-| `resourceGroupName` | string | The name of the resource group the resource was deployed into. |
-| `resourceId` | string | The resource ID of the hybrid connection relay. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/web/site/slot/hybrid-connection-namespace/relay/main.bicep b/modules/web/site/slot/hybrid-connection-namespace/relay/main.bicep
deleted file mode 100644
index fe51fdf589..0000000000
--- a/modules/web/site/slot/hybrid-connection-namespace/relay/main.bicep
+++ /dev/null
@@ -1,69 +0,0 @@
-metadata name = 'Web/Function Apps Slot Hybrid Connection Relay'
-metadata description = 'This module deploys a Site Slot Hybrid Connection Namespace Relay.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The resource ID of the relay namespace hybrid connection.')
-param hybridConnectionResourceId string
-
-@description('Conditional. The name of the site slot. Required if the template is used in a standalone deployment.')
-param slotName string
-
-@description('Conditional. The name of the parent web site. Required if the template is used in a standalone deployment.')
-param appName string
-
-@description('Optional. Name of the authorization rule send key to use.')
-param sendKeyName string = 'defaultSender'
-
-@description('Optional. Location for all Resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource namespace 'Microsoft.Relay/namespaces@2021-11-01' existing = {
- name: split(hybridConnectionResourceId, '/')[8]
- scope: resourceGroup(split(hybridConnectionResourceId, '/')[2], split(hybridConnectionResourceId, '/')[4])
-
- resource hybridConnection 'hybridConnections@2021-11-01' existing = {
- name: split(hybridConnectionResourceId, '/')[10]
-
- resource authorizationRule 'authorizationRules@2021-11-01' existing = {
- name: sendKeyName
- }
- }
-}
-
-resource hybridConnectionRelay 'Microsoft.Web/sites/slots/hybridConnectionNamespaces/relays@2022-09-01' = {
- name: '${appName}/${slotName}/${namespace.name}/${namespace::hybridConnection.name}'
- properties: {
- serviceBusNamespace: namespace.name
- serviceBusSuffix: split(substring(namespace.properties.serviceBusEndpoint, indexOf(namespace.properties.serviceBusEndpoint, '.servicebus')), ':')[0]
- relayName: namespace::hybridConnection.name
- relayArmUri: namespace::hybridConnection.id
- hostname: split(json(namespace::hybridConnection.properties.userMetadata)[0].value, ':')[0]
- port: int(split(json(namespace::hybridConnection.properties.userMetadata)[0].value, ':')[1])
- sendKeyName: namespace::hybridConnection::authorizationRule.name
- sendKeyValue: namespace::hybridConnection::authorizationRule.listKeys().primaryKey
- }
-}
-
-@description('The name of the hybrid connection relay..')
-output name string = hybridConnectionRelay.name
-
-@description('The resource ID of the hybrid connection relay.')
-output resourceId string = hybridConnectionRelay.id
-
-@description('The name of the resource group the resource was deployed into.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/web/site/slot/hybrid-connection-namespace/relay/main.json b/modules/web/site/slot/hybrid-connection-namespace/relay/main.json
deleted file mode 100644
index 3895e0f3d3..0000000000
--- a/modules/web/site/slot/hybrid-connection-namespace/relay/main.json
+++ /dev/null
@@ -1,109 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "299894459930368764" - }, - "name": "Web/Function Apps Slot Hybrid Connection Relay", - "description": "This module deploys a Site Slot Hybrid Connection Namespace Relay.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "hybridConnectionResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the relay namespace hybrid connection." - } - }, - "slotName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the site slot. Required if the template is used in a standalone deployment." - } - }, - "appName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent web site. Required if the template is used in a standalone deployment." - } - }, - "sendKeyName": { - "type": "string", - "defaultValue": "defaultSender", - "metadata": { - "description": "Optional. Name of the authorization rule send key to use." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Web/sites/slots/hybridConnectionNamespaces/relays", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}/{2}/{3}', parameters('appName'), parameters('slotName'), split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10])]", - "properties": { - "serviceBusNamespace": "[split(parameters('hybridConnectionResourceId'), '/')[8]]", - "serviceBusSuffix": "[split(substring(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hybridConnectionResourceId'), '/')[2], split(parameters('hybridConnectionResourceId'), '/')[4]), 'Microsoft.Relay/namespaces', split(parameters('hybridConnectionResourceId'), '/')[8]), '2021-11-01').serviceBusEndpoint, indexOf(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hybridConnectionResourceId'), '/')[2], split(parameters('hybridConnectionResourceId'), '/')[4]), 'Microsoft.Relay/namespaces', split(parameters('hybridConnectionResourceId'), '/')[8]), '2021-11-01').serviceBusEndpoint, '.servicebus')), ':')[0]]", - "relayName": "[split(parameters('hybridConnectionResourceId'), '/')[10]]", - "relayArmUri": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hybridConnectionResourceId'), '/')[2], split(parameters('hybridConnectionResourceId'), '/')[4]), 'Microsoft.Relay/namespaces/hybridConnections', 
split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10])]", - "hostname": "[split(json(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hybridConnectionResourceId'), '/')[2], split(parameters('hybridConnectionResourceId'), '/')[4]), 'Microsoft.Relay/namespaces/hybridConnections', split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10]), '2021-11-01').userMetadata)[0].value, ':')[0]]", - "port": "[int(split(json(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hybridConnectionResourceId'), '/')[2], split(parameters('hybridConnectionResourceId'), '/')[4]), 'Microsoft.Relay/namespaces/hybridConnections', split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10]), '2021-11-01').userMetadata)[0].value, ':')[1])]", - "sendKeyName": "[parameters('sendKeyName')]", - "sendKeyValue": "[listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hybridConnectionResourceId'), '/')[2], split(parameters('hybridConnectionResourceId'), '/')[4]), 'Microsoft.Relay/namespaces/hybridConnections/authorizationRules', split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10], parameters('sendKeyName')), '2021-11-01').primaryKey]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the hybrid connection relay.." - }, - "value": "[format('{0}/{1}/{2}/{3}', parameters('appName'), parameters('slotName'), split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10])]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the hybrid connection relay." 
- }, - "value": "[resourceId('Microsoft.Web/sites/slots/hybridConnectionNamespaces/relays', split(format('{0}/{1}/{2}/{3}', parameters('appName'), parameters('slotName'), split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10]), '/')[0], split(format('{0}/{1}/{2}/{3}', parameters('appName'), parameters('slotName'), split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10]), '/')[1], split(format('{0}/{1}/{2}/{3}', parameters('appName'), parameters('slotName'), split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10]), '/')[2], split(format('{0}/{1}/{2}/{3}', parameters('appName'), parameters('slotName'), split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10]), '/')[3])]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the resource was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/web/site/slot/hybrid-connection-namespace/relay/version.json b/modules/web/site/slot/hybrid-connection-namespace/relay/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/web/site/slot/hybrid-connection-namespace/relay/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/web/site/slot/main.bicep b/modules/web/site/slot/main.bicep deleted file mode 100644 index dd2199d0bd..0000000000 --- a/modules/web/site/slot/main.bicep +++ /dev/null 
@@ -1,505 +0,0 @@ -metadata name = 'Web/Function App Deployment Slots' -metadata description = 'This module deploys a Web or Function App Deployment Slot.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. Name of the slot.') -param name string - -@description('Conditional. The name of the parent site resource. Required if the template is used in a standalone deployment.') -param appName string - -@description('Optional. Location for all Resources.') -param location string = resourceGroup().location - -@description('Required. Type of slot to deploy.') -@allowed([ - 'functionapp' // function app windows os - 'functionapp,linux' // function app linux os - 'functionapp,workflowapp' // logic app workflow - 'functionapp,workflowapp,linux' // logic app docker container - 'app' // normal web app -]) -param kind string - -@description('Optional. The resource ID of the app service plan to use for the slot.') -param serverFarmResourceId string = '' - -@description('Optional. Configures a slot to accept only HTTPS requests. Issues redirect for HTTP requests.') -param httpsOnly bool = true - -@description('Optional. If client affinity is enabled.') -param clientAffinityEnabled bool = true - -@description('Optional. The resource ID of the app service environment to use for this resource.') -param appServiceEnvironmentResourceId string = '' - -@description('Optional. The managed identity definition for this resource.') -param managedIdentities managedIdentitiesType - -@description('Optional. The resource ID of the assigned identity to be used to access a key vault with.') -param keyVaultAccessIdentityResourceId string = '' - -@description('Optional. Checks if Customer provided storage account is required.') -param storageAccountRequired bool = false - -@description('Optional. Azure Resource Manager ID of the Virtual network and subnet to be joined by Regional VNET Integration. 
This must be of the form /subscriptions/{subscriptionName}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}.') -param virtualNetworkSubnetId string = '' - -@description('Optional. The site config object.') -param siteConfig object = {} - -@description('Optional. Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions.') -param storageAccountResourceId string = '' - -@description('Optional. Resource ID of the app insight to leverage for this resource.') -param appInsightResourceId string = '' - -@description('Optional. For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons.') -param setAzureWebJobsDashboard bool = contains(kind, 'functionapp') ? true : false - -@description('Optional. The app settings-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING.') -param appSettingsKeyValuePairs object = {} - -@description('Optional. The auth settings V2 configuration.') -param authSettingV2Configuration object = {} - -@description('Optional. The lock settings of the service.') -param lock lockType - -@description('Optional. Configuration details for private endpoints.') -param privateEndpoints privateEndpointType - -@description('Optional. Tags of the resource.') -param tags object? - -@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType - -@description('Optional. The diagnostic settings of the service.') -param diagnosticSettings diagnosticSettingType - -@description('Optional. 
To enable client certificate authentication (TLS mutual authentication).') -param clientCertEnabled bool = false - -@description('Optional. Client certificate authentication comma-separated exclusion paths.') -param clientCertExclusionPaths string = '' - -@description('Optional. This composes with ClientCertEnabled setting.

- ClientCertEnabled: false means ClientCert is ignored.

- ClientCertEnabled: true and ClientCertMode: Required means ClientCert is required.

- ClientCertEnabled: true and ClientCertMode: Optional means ClientCert is optional or accepted.') -@allowed([ - 'Optional' - 'OptionalInteractiveUser' - 'Required' -]) -param clientCertMode string = 'Optional' - -@description('Optional. If specified during app creation, the app is cloned from a source app.') -param cloningInfo object = {} - -@description('Optional. Size of the function container.') -param containerSize int = -1 - -@description('Optional. Unique identifier that verifies the custom domains assigned to the app. Customer will add this ID to a txt record for verification.') -param customDomainVerificationId string = '' - -@description('Optional. Maximum allowed daily memory-time quota (applicable on dynamic apps only).') -param dailyMemoryTimeQuota int = -1 - -@description('Optional. Setting this value to false disables the app (takes the app offline).') -param enabled bool = true - -@description('Optional. Hostname SSL states are used to manage the SSL bindings for app\'s hostnames.') -param hostNameSslStates array = [] - -@description('Optional. Hyper-V sandbox.') -param hyperV bool = false - -@description('Optional. Allow or block all public traffic.') -@allowed([ - 'Enabled' - 'Disabled' - '' -]) -param publicNetworkAccess string = '' - -@description('Optional. Site redundancy mode.') -@allowed([ - 'ActiveActive' - 'Failover' - 'GeoRedundant' - 'Manual' - 'None' -]) -param redundancyMode string = 'None' - -@description('Optional. The site publishing credential policy names which are associated with the site slot.') -param basicPublishingCredentialsPolicies array = [] - -@description('Optional. To enable accessing content over virtual network.') -param vnetContentShareEnabled bool = false - -@description('Optional. To enable pulling image over Virtual Network.') -param vnetImagePullEnabled bool = false - -@description('Optional. Virtual Network Route All enabled. 
This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied.') -param vnetRouteAllEnabled bool = false - -@description('Optional. Names of hybrid connection relays to connect app with.') -param hybridConnectionRelays array = [] - -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } - -var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) - userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null -} : null - -var enableReferencedModulesTelemetry = false - -var builtInRoleNames = { - 'App Compliance Automation Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Web Plan Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b') - 'Website Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772') -} - -resource app 'Microsoft.Web/sites@2021-03-01' existing = { - name: appName -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource slot 'Microsoft.Web/sites/slots@2022-09-01' = { - name: name - parent: app - location: location - kind: kind - tags: tags - identity: identity - properties: { - serverFarmId: serverFarmResourceId - clientAffinityEnabled: clientAffinityEnabled - httpsOnly: httpsOnly - hostingEnvironmentProfile: !empty(appServiceEnvironmentResourceId) ? { - id: appServiceEnvironmentResourceId - } : null - storageAccountRequired: storageAccountRequired - keyVaultReferenceIdentity: !empty(keyVaultAccessIdentityResourceId) ? keyVaultAccessIdentityResourceId : any(null) - virtualNetworkSubnetId: !empty(virtualNetworkSubnetId) ? virtualNetworkSubnetId : any(null) - siteConfig: siteConfig - clientCertEnabled: clientCertEnabled - clientCertExclusionPaths: !empty(clientCertExclusionPaths) ? clientCertExclusionPaths : null - clientCertMode: clientCertMode - cloningInfo: !empty(cloningInfo) ? cloningInfo : null - containerSize: containerSize != -1 ? containerSize : null - customDomainVerificationId: !empty(customDomainVerificationId) ? customDomainVerificationId : null - dailyMemoryTimeQuota: dailyMemoryTimeQuota != -1 ? 
dailyMemoryTimeQuota : null - enabled: enabled - hostNameSslStates: hostNameSslStates - hyperV: hyperV - publicNetworkAccess: publicNetworkAccess - redundancyMode: redundancyMode - vnetContentShareEnabled: vnetContentShareEnabled - vnetImagePullEnabled: vnetImagePullEnabled - vnetRouteAllEnabled: vnetRouteAllEnabled - } -} - -module slot_appsettings 'config--appsettings/main.bicep' = if (!empty(appSettingsKeyValuePairs)) { - name: '${uniqueString(deployment().name, location)}-Slot-${name}-Config-AppSettings' - params: { - slotName: slot.name - appName: app.name - kind: kind - storageAccountResourceId: storageAccountResourceId - appInsightResourceId: appInsightResourceId - setAzureWebJobsDashboard: setAzureWebJobsDashboard - appSettingsKeyValuePairs: appSettingsKeyValuePairs - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -} - -module slot_authsettingsv2 'config--authsettingsv2/main.bicep' = if (!empty(authSettingV2Configuration)) { - name: '${uniqueString(deployment().name, location)}-Slot-${name}-Config-AuthSettingsV2' - params: { - slotName: slot.name - appName: app.name - kind: kind - authSettingV2Configuration: authSettingV2Configuration - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -} - -module slot_basicPublishingCredentialsPolicies 'basic-publishing-credentials-policy/main.bicep' = [for (basicPublishingCredentialsPolicy, index) in basicPublishingCredentialsPolicies: { - name: '${uniqueString(deployment().name, location)}-Slot-Publish-Cred-${index}' - params: { - appName: app.name - slotName: slot.name - name: basicPublishingCredentialsPolicy.name - allow: contains(basicPublishingCredentialsPolicy, 'allow') ? 
basicPublishingCredentialsPolicy.allow : null - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] -module slot_hybridConnectionRelays 'hybrid-connection-namespace/relay/main.bicep' = [for (hybridConnectionRelay, index) in hybridConnectionRelays: { - name: '${uniqueString(deployment().name, location)}-Slot-HybridConnectionRelay-${index}' - params: { - hybridConnectionResourceId: hybridConnectionRelay.resourceId - appName: app.name - slotName: slot.name - sendKeyName: contains(hybridConnectionRelay, 'sendKeyName') ? hybridConnectionRelay.sendKeyName : null - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -resource slot_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' - } - scope: slot -} - -resource slot_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { - name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' - properties: { - storageAccountId: diagnosticSetting.?storageAccountResourceId - workspaceId: diagnosticSetting.?workspaceResourceId - eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId - eventHubName: diagnosticSetting.?eventHubName - metrics: diagnosticSetting.?metricCategories ?? [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - } - ] - logs: diagnosticSetting.?logCategoriesAndGroups ?? 
[ - { - categoryGroup: 'AllLogs' - enabled: true - } - ] - marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId - logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType - } - scope: slot -}] - -resource slot_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(slot.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId - } - scope: slot -}] - -module slot_privateEndpoints '../../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): { - name: '${uniqueString(deployment().name, location)}-app-PrivateEndpoint-${index}' - params: { - groupIds: [ - privateEndpoint.?service ?? 'sites' - ] - name: privateEndpoint.?name ?? 'pep-${last(split(app.id, '/'))}-${privateEndpoint.?service ?? 'sites'}-${index}' - serviceResourceId: app.id - subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry - location: privateEndpoint.?location ?? 
reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: privateEndpoint.?lock ?? lock - privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName - privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds - roleAssignments: privateEndpoint.?roleAssignments - tags: privateEndpoint.?tags ?? tags - manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections - customDnsConfigs: privateEndpoint.?customDnsConfigs - ipConfigurations: privateEndpoint.?ipConfigurations - applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds - customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName - } -}] - -@description('The name of the slot.') -output name string = slot.name - -@description('The resource ID of the slot.') -output resourceId string = slot.id - -@description('The resource group the slot was deployed into.') -output resourceGroupName string = resourceGroup().name - -@description('The principal ID of the system assigned identity.') -output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(slot.identity, 'principalId') ? slot.identity.principalId : '' - -@description('The location the resource was deployed into.') -output location string = slot.location - -// =============== // -// Definitions // -// =============== // - -type managedIdentitiesType = { - @description('Optional. Enables system assigned managed identity on the resource.') - systemAssigned: bool? - - @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourceIds: string[]? -}? - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? - -type privateEndpointType = { - @description('Optional. The name of the private endpoint.') - name: string? - - @description('Optional. The location to deploy the private endpoint to.') - location: string? - - @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".') - service: string? - - @description('Required. Resource ID of the subnet where the endpoint needs to be created.') - subnetResourceId: string - - @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.') - privateDnsZoneGroupName: string? - - @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.') - privateDnsZoneResourceIds: string[]? - - @description('Optional. 
Custom DNS configurations.') - customDnsConfigs: { - @description('Required. Fqdn that resolves to private endpoint ip address.') - fqdn: string? - - @description('Required. A list of private ip addresses of the private endpoint.') - ipAddresses: string[] - }[]? - - @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') - ipConfigurations: { - @description('Required. The name of the resource that is unique within a resource group.') - name: string - - @description('Required. Properties of private endpoint IP configurations.') - properties: { - @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') - groupId: string - - @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') - memberName: string - - @description('Required. A private ip address obtained from the private endpoint\'s subnet.') - privateIPAddress: string - } - }[]? - - @description('Optional. Application security groups in which the private endpoint IP configuration is included.') - applicationSecurityGroupResourceIds: string[]? - - @description('Optional. The custom name of the network interface attached to the private endpoint.') - customNetworkInterfaceName: string? - - @description('Optional. Specify the type of lock.') - lock: lockType - - @description('Optional. Array of role assignments to create.') - roleAssignments: roleAssignmentType - - @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') - tags: object? - - @description('Optional. Manual PrivateLink Service Connections.') - manualPrivateLinkServiceConnections: array? - - @description('Optional. Enable/Disable usage telemetry for module.') - enableTelemetry: bool? -}[]? - -type diagnosticSettingType = { - @description('Optional. 
The name of diagnostic setting.') - name: string? - - @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') - logCategoriesAndGroups: { - @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') - category: string? - - @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') - categoryGroup: string? - }[]? - - @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') - metricCategories: { - @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') - category: string - }[]? - - @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? - - @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - workspaceResourceId: string? - - @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - storageAccountResourceId: string? - - @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') - eventHubAuthorizationRuleResourceId: string? - - @description('Optional. 
Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - eventHubName: string? - - @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') - marketplacePartnerResourceId: string? -}[]? diff --git a/modules/web/site/slot/main.json b/modules/web/site/slot/main.json deleted file mode 100644 index d108d20bcd..0000000000 --- a/modules/web/site/slot/main.json +++ /dev/null 
@@ -1,2091 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16876460167630133410" - }, - "name": "Web/Function App Deployment Slots", - "description": "This module deploys a Web or Function App Deployment Slot.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." 
- } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. 
Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the slot." - } - }, - "appName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent site resource. Required if the template is used in a standalone deployment." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "functionapp", - "functionapp,linux", - "functionapp,workflowapp", - "functionapp,workflowapp,linux", - "app" - ], - "metadata": { - "description": "Required. Type of slot to deploy." - } - }, - "serverFarmResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
The resource ID of the app service plan to use for the slot." - } - }, - "httpsOnly": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Configures a slot to accept only HTTPS requests. Issues redirect for HTTP requests." - } - }, - "clientAffinityEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. If client affinity is enabled." - } - }, - "appServiceEnvironmentResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of the app service environment to use for this resource." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "keyVaultAccessIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of the assigned identity to be used to access a key vault with." - } - }, - "storageAccountRequired": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Checks if Customer provided storage account is required." - } - }, - "virtualNetworkSubnetId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Azure Resource Manager ID of the Virtual network and subnet to be joined by Regional VNET Integration. This must be of the form /subscriptions/{subscriptionName}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}." - } - }, - "siteConfig": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The site config object." - } - }, - "storageAccountResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions." 
- } - }, - "appInsightResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the app insight to leverage for this resource." - } - }, - "setAzureWebJobsDashboard": { - "type": "bool", - "defaultValue": "[if(contains(parameters('kind'), 'functionapp'), true(), false())]", - "metadata": { - "description": "Optional. For function apps. If true the app settings \"AzureWebJobsDashboard\" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons." - } - }, - "appSettingsKeyValuePairs": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The app settings-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING." - } - }, - "authSettingV2Configuration": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The auth settings V2 configuration." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. Configuration details for private endpoints." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." 
- } - }, - "clientCertEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. To enable client certificate authentication (TLS mutual authentication)." - } - }, - "clientCertExclusionPaths": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Client certificate authentication comma-separated exclusion paths." - } - }, - "clientCertMode": { - "type": "string", - "defaultValue": "Optional", - "allowedValues": [ - "Optional", - "OptionalInteractiveUser", - "Required" - ], - "metadata": { - "description": "Optional. This composes with ClientCertEnabled setting.

- ClientCertEnabled: false means ClientCert is ignored.

- ClientCertEnabled: true and ClientCertMode: Required means ClientCert is required.

- ClientCertEnabled: true and ClientCertMode: Optional means ClientCert is optional or accepted." - } - }, - "cloningInfo": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. If specified during app creation, the app is cloned from a source app." - } - }, - "containerSize": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Size of the function container." - } - }, - "customDomainVerificationId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Unique identifier that verifies the custom domains assigned to the app. Customer will add this ID to a txt record for verification." - } - }, - "dailyMemoryTimeQuota": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Maximum allowed daily memory-time quota (applicable on dynamic apps only)." - } - }, - "enabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Setting this value to false disables the app (takes the app offline)." - } - }, - "hostNameSslStates": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Hostname SSL states are used to manage the SSL bindings for app's hostnames." - } - }, - "hyperV": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Hyper-V sandbox." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "Enabled", - "Disabled", - "" - ], - "metadata": { - "description": "Optional. Allow or block all public traffic." - } - }, - "redundancyMode": { - "type": "string", - "defaultValue": "None", - "allowedValues": [ - "ActiveActive", - "Failover", - "GeoRedundant", - "Manual", - "None" - ], - "metadata": { - "description": "Optional. Site redundancy mode." - } - }, - "basicPublishingCredentialsPolicies": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. 
The site publishing credential policy names which are associated with the site slot." - } - }, - "vnetContentShareEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. To enable accessing content over virtual network." - } - }, - "vnetImagePullEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. To enable pulling image over Virtual Network." - } - }, - "vnetRouteAllEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Virtual Network Route All enabled. This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied." - } - }, - "hybridConnectionRelays": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Names of hybrid connection relays to connect app with." - } - } - }, - "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "App Compliance Automation Administrator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Web Plan Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", - "Website Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')]" - } - }, - "resources": { - "app": { - "existing": true, - "type": "Microsoft.Web/sites", - "apiVersion": "2021-03-01", - "name": "[parameters('appName')]" - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "slot": { - "type": "Microsoft.Web/sites/slots", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}', parameters('appName'), parameters('name'))]", - "location": "[parameters('location')]", - "kind": "[parameters('kind')]", - "tags": "[parameters('tags')]", - 
"identity": "[variables('identity')]", - "properties": { - "serverFarmId": "[parameters('serverFarmResourceId')]", - "clientAffinityEnabled": "[parameters('clientAffinityEnabled')]", - "httpsOnly": "[parameters('httpsOnly')]", - "hostingEnvironmentProfile": "[if(not(empty(parameters('appServiceEnvironmentResourceId'))), createObject('id', parameters('appServiceEnvironmentResourceId')), null())]", - "storageAccountRequired": "[parameters('storageAccountRequired')]", - "keyVaultReferenceIdentity": "[if(not(empty(parameters('keyVaultAccessIdentityResourceId'))), parameters('keyVaultAccessIdentityResourceId'), null())]", - "virtualNetworkSubnetId": "[if(not(empty(parameters('virtualNetworkSubnetId'))), parameters('virtualNetworkSubnetId'), null())]", - "siteConfig": "[parameters('siteConfig')]", - "clientCertEnabled": "[parameters('clientCertEnabled')]", - "clientCertExclusionPaths": "[if(not(empty(parameters('clientCertExclusionPaths'))), parameters('clientCertExclusionPaths'), null())]", - "clientCertMode": "[parameters('clientCertMode')]", - "cloningInfo": "[if(not(empty(parameters('cloningInfo'))), parameters('cloningInfo'), null())]", - "containerSize": "[if(not(equals(parameters('containerSize'), -1)), parameters('containerSize'), null())]", - "customDomainVerificationId": "[if(not(empty(parameters('customDomainVerificationId'))), parameters('customDomainVerificationId'), null())]", - "dailyMemoryTimeQuota": "[if(not(equals(parameters('dailyMemoryTimeQuota'), -1)), parameters('dailyMemoryTimeQuota'), null())]", - "enabled": "[parameters('enabled')]", - "hostNameSslStates": "[parameters('hostNameSslStates')]", - "hyperV": "[parameters('hyperV')]", - "publicNetworkAccess": "[parameters('publicNetworkAccess')]", - "redundancyMode": "[parameters('redundancyMode')]", - "vnetContentShareEnabled": "[parameters('vnetContentShareEnabled')]", - "vnetImagePullEnabled": "[parameters('vnetImagePullEnabled')]", - "vnetRouteAllEnabled": "[parameters('vnetRouteAllEnabled')]" - 
}, - "dependsOn": [ - "app" - ] - }, - "slot_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Web/sites/{0}/slots/{1}', parameters('appName'), parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "slot" - ] - }, - "slot_diagnosticSettings": { - "copy": { - "name": "slot_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Web/sites/{0}/slots/{1}', parameters('appName'), parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), 
createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "slot" - ] - }, - "slot_roleAssignments": { - "copy": { - "name": "slot_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Web/sites/{0}/slots/{1}', parameters('appName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": 
"[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "slot" - ] - }, - "slot_appsettings": { - "condition": "[not(empty(parameters('appSettingsKeyValuePairs')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Slot-{1}-Config-AppSettings', uniqueString(deployment().name, parameters('location')), parameters('name'))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "slotName": { - "value": "[parameters('name')]" - }, - "appName": { - "value": "[parameters('appName')]" - }, - "kind": { - "value": "[parameters('kind')]" - }, - "storageAccountResourceId": { - "value": "[parameters('storageAccountResourceId')]" - }, - "appInsightResourceId": { - "value": "[parameters('appInsightResourceId')]" - }, - "setAzureWebJobsDashboard": { - "value": "[parameters('setAzureWebJobsDashboard')]" - }, - "appSettingsKeyValuePairs": { - "value": "[parameters('appSettingsKeyValuePairs')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10562313393461278954" - }, - "name": "Site Slot App Settings", - "description": "This module deploys a Site Slot App Setting.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "slotName": { - "type": "string", - "metadata": { - "description": "Required. Slot name to be configured." - } - }, - "appName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent site resource. Required if the template is used in a standalone deployment." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "functionapp", - "functionapp,linux", - "functionapp,workflowapp", - "functionapp,workflowapp,linux", - "app" - ], - "metadata": { - "description": "Required. Type of slot to deploy." - } - }, - "storageAccountResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions." - } - }, - "appInsightResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the app insight to leverage for this resource." - } - }, - "setAzureWebJobsDashboard": { - "type": "bool", - "defaultValue": "[if(contains(parameters('kind'), 'functionapp'), true(), false())]", - "metadata": { - "description": "Optional. For function apps. If true the app settings \"AzureWebJobsDashboard\" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons." - } - }, - "appSettingsKeyValuePairs": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. 
The app settings key-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Web/sites/slots/config", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}/{2}', parameters('appName'), parameters('slotName'), 'appsettings')]", - "kind": "[parameters('kind')]", - "properties": "[union(parameters('appSettingsKeyValuePairs'), if(not(empty(parameters('storageAccountResourceId'))), union(createObject('AzureWebJobsStorage', format('DefaultEndpointsProtocol=https;AccountName={0};AccountKey={1};', last(split(parameters('storageAccountResourceId'), '/')), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('storageAccountResourceId'), '/')[2], split(parameters('storageAccountResourceId'), '/')[4]), 'Microsoft.Storage/storageAccounts', last(split(parameters('storageAccountResourceId'), '/'))), '2023-01-01').keys[0].value)), if(equals(parameters('setAzureWebJobsDashboard'), true()), createObject('AzureWebJobsDashboard', format('DefaultEndpointsProtocol=https;AccountName={0};AccountKey={1};', last(split(parameters('storageAccountResourceId'), '/')), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', 
split(parameters('storageAccountResourceId'), '/')[2], split(parameters('storageAccountResourceId'), '/')[4]), 'Microsoft.Storage/storageAccounts', last(split(parameters('storageAccountResourceId'), '/'))), '2023-01-01').keys[0].value)), createObject())), createObject()), if(not(empty(parameters('appInsightResourceId'))), createObject('APPINSIGHTS_INSTRUMENTATIONKEY', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('appInsightResourceId'), '/')[2], split(parameters('appInsightResourceId'), '/')[4]), 'Microsoft.Insights/components', last(split(parameters('appInsightResourceId'), '/'))), '2020-02-02').InstrumentationKey, 'APPLICATIONINSIGHTS_CONNECTION_STRING', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('appInsightResourceId'), '/')[2], split(parameters('appInsightResourceId'), '/')[4]), 'Microsoft.Insights/components', last(split(parameters('appInsightResourceId'), '/'))), '2020-02-02').ConnectionString), createObject()))]" - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the slot config." - }, - "value": "appsettings" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the slot config." - }, - "value": "[resourceId('Microsoft.Web/sites/slots/config', parameters('appName'), parameters('slotName'), 'appsettings')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the slot config was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "app", - "slot" - ] - }, - "slot_authsettingsv2": { - "condition": "[not(empty(parameters('authSettingV2Configuration')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Slot-{1}-Config-AuthSettingsV2', uniqueString(deployment().name, parameters('location')), parameters('name'))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "slotName": { - "value": "[parameters('name')]" - }, - "appName": { - "value": "[parameters('appName')]" - }, - "kind": { - "value": "[parameters('kind')]" - }, - "authSettingV2Configuration": { - "value": "[parameters('authSettingV2Configuration')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13215271953171449159" - }, - "name": "Site Slot Auth Settings V2 Config", - "description": "This module deploys a Site Auth Settings V2 Configuration.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "appName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent site resource. Required if the template is used in a standalone deployment." - } - }, - "slotName": { - "type": "string", - "metadata": { - "description": "Required. Slot name to be configured." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "functionapp", - "functionapp,linux", - "functionapp,workflowapp", - "functionapp,workflowapp,linux", - "app" - ], - "metadata": { - "description": "Required. Type of slot to deploy." 
- } - }, - "authSettingV2Configuration": { - "type": "object", - "metadata": { - "description": "Required. The auth settings V2 configuration." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Web/sites/slots/config", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}/{2}', parameters('appName'), parameters('slotName'), 'authsettingsV2')]", - "kind": "[parameters('kind')]", - "properties": "[parameters('authSettingV2Configuration')]" - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the slot config." - }, - "value": "authsettingsV2" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the slot config." - }, - "value": "[resourceId('Microsoft.Web/sites/slots/config', parameters('appName'), parameters('slotName'), 'authsettingsV2')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the slot config was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "app", - "slot" - ] - }, - "slot_basicPublishingCredentialsPolicies": { - "copy": { - "name": "slot_basicPublishingCredentialsPolicies", - "count": "[length(parameters('basicPublishingCredentialsPolicies'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Slot-Publish-Cred-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "appName": { - "value": "[parameters('appName')]" - }, - "slotName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('basicPublishingCredentialsPolicies')[copyIndex()].name]" - }, - "allow": "[if(contains(parameters('basicPublishingCredentialsPolicies')[copyIndex()], 'allow'), createObject('value', parameters('basicPublishingCredentialsPolicies')[copyIndex()].allow), createObject('value', null()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9260112433322771379" - }, - "name": "Web Site Slot Basic Publishing Credentials Policies", - "description": "This module deploys a Web Site Slot Basic Publishing Credentials Policy.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "allowedValues": [ - "scm", - "ftp" - ], - "metadata": { - "description": "Required. The name of the resource." - } - }, - "allow": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Set to true to enable or false to disable a publishing method." 
- } - }, - "appName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent web site. Required if the template is used in a standalone deployment." - } - }, - "slotName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent web site slot. Required if the template is used in a standalone deployment." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}/{2}', parameters('appName'), parameters('slotName'), parameters('name'))]", - "location": "[parameters('location')]", - "properties": { - "allow": "[parameters('allow')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the basic publishing credential policy." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the basic publishing credential policy." 
- }, - "value": "[resourceId('Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies', parameters('appName'), parameters('slotName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the basic publishing credential policy was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference(resourceId('Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies', parameters('appName'), parameters('slotName'), parameters('name')), '2022-09-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "app", - "slot" - ] - }, - "slot_hybridConnectionRelays": { - "copy": { - "name": "slot_hybridConnectionRelays", - "count": "[length(parameters('hybridConnectionRelays'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Slot-HybridConnectionRelay-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "hybridConnectionResourceId": { - "value": "[parameters('hybridConnectionRelays')[copyIndex()].resourceId]" - }, - "appName": { - "value": "[parameters('appName')]" - }, - "slotName": { - "value": "[parameters('name')]" - }, - "sendKeyName": "[if(contains(parameters('hybridConnectionRelays')[copyIndex()], 'sendKeyName'), createObject('value', parameters('hybridConnectionRelays')[copyIndex()].sendKeyName), createObject('value', null()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": 
"0.23.1.45101", - "templateHash": "299894459930368764" - }, - "name": "Web/Function Apps Slot Hybrid Connection Relay", - "description": "This module deploys a Site Slot Hybrid Connection Namespace Relay.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "hybridConnectionResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the relay namespace hybrid connection." - } - }, - "slotName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the site slot. Required if the template is used in a standalone deployment." - } - }, - "appName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent web site. Required if the template is used in a standalone deployment." - } - }, - "sendKeyName": { - "type": "string", - "defaultValue": "defaultSender", - "metadata": { - "description": "Optional. Name of the authorization rule send key to use." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Web/sites/slots/hybridConnectionNamespaces/relays", - "apiVersion": "2022-09-01", - "name": "[format('{0}/{1}/{2}/{3}', parameters('appName'), parameters('slotName'), split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10])]", - "properties": { - "serviceBusNamespace": "[split(parameters('hybridConnectionResourceId'), '/')[8]]", - "serviceBusSuffix": "[split(substring(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hybridConnectionResourceId'), '/')[2], split(parameters('hybridConnectionResourceId'), '/')[4]), 'Microsoft.Relay/namespaces', split(parameters('hybridConnectionResourceId'), '/')[8]), '2021-11-01').serviceBusEndpoint, indexOf(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hybridConnectionResourceId'), '/')[2], split(parameters('hybridConnectionResourceId'), '/')[4]), 'Microsoft.Relay/namespaces', split(parameters('hybridConnectionResourceId'), '/')[8]), '2021-11-01').serviceBusEndpoint, '.servicebus')), ':')[0]]", - "relayName": "[split(parameters('hybridConnectionResourceId'), '/')[10]]", - "relayArmUri": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hybridConnectionResourceId'), '/')[2], split(parameters('hybridConnectionResourceId'), '/')[4]), 'Microsoft.Relay/namespaces/hybridConnections', 
split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10])]", - "hostname": "[split(json(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hybridConnectionResourceId'), '/')[2], split(parameters('hybridConnectionResourceId'), '/')[4]), 'Microsoft.Relay/namespaces/hybridConnections', split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10]), '2021-11-01').userMetadata)[0].value, ':')[0]]", - "port": "[int(split(json(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hybridConnectionResourceId'), '/')[2], split(parameters('hybridConnectionResourceId'), '/')[4]), 'Microsoft.Relay/namespaces/hybridConnections', split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10]), '2021-11-01').userMetadata)[0].value, ':')[1])]", - "sendKeyName": "[parameters('sendKeyName')]", - "sendKeyValue": "[listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hybridConnectionResourceId'), '/')[2], split(parameters('hybridConnectionResourceId'), '/')[4]), 'Microsoft.Relay/namespaces/hybridConnections/authorizationRules', split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10], parameters('sendKeyName')), '2021-11-01').primaryKey]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the hybrid connection relay.." - }, - "value": "[format('{0}/{1}/{2}/{3}', parameters('appName'), parameters('slotName'), split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10])]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the hybrid connection relay." 
- }, - "value": "[resourceId('Microsoft.Web/sites/slots/hybridConnectionNamespaces/relays', split(format('{0}/{1}/{2}/{3}', parameters('appName'), parameters('slotName'), split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10]), '/')[0], split(format('{0}/{1}/{2}/{3}', parameters('appName'), parameters('slotName'), split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10]), '/')[1], split(format('{0}/{1}/{2}/{3}', parameters('appName'), parameters('slotName'), split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10]), '/')[2], split(format('{0}/{1}/{2}/{3}', parameters('appName'), parameters('slotName'), split(parameters('hybridConnectionResourceId'), '/')[8], split(parameters('hybridConnectionResourceId'), '/')[10]), '/')[3])]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the resource was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "app", - "slot" - ] - }, - "slot_privateEndpoints": { - "copy": { - "name": "slot_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-app-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'sites')]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Web/sites', parameters('appName')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'sites'), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.Web/sites', parameters('appName'))]" - }, - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": { - "value": 
"[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": 
"Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." 
- } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." 
- } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private 
DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - 
"groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": 
"Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": 
"string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "app" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the slot." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the slot." - }, - "value": "[resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the slot was deployed into." 
- }, - "value": "[resourceGroup().name]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('slot', '2022-09-01', 'full').identity, 'principalId')), reference('slot', '2022-09-01', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('slot', '2022-09-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/web/site/slot/version.json b/modules/web/site/slot/version.json deleted file mode 100644 index 96236a61ba..0000000000 --- a/modules/web/site/slot/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/web/site/tests/e2e/functionAppCommon/dependencies.bicep b/modules/web/site/tests/e2e/functionAppCommon/dependencies.bicep deleted file mode 100644 index 72e118bc12..0000000000 --- a/modules/web/site/tests/e2e/functionAppCommon/dependencies.bicep +++ /dev/null 
@@ -1,148 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Server Farm to create.')
-param serverFarmName string
-
-@description('Required. The name of the Storage Account to create.')
-param storageAccountName string
-
-@description('Required. The name of the Application Insights instance to create.')
-param applicationInsightsName string
-
-@description('Required. The name of the Relay Namespace to create.')
-param relayNamespaceName string
-
-@description('Required. The name of the Hybrid Connection to create.')
-param hybridConnectionName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.azurewebsites.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
- properties: {}
-}
-
-resource serverFarm 'Microsoft.Web/serverfarms@2022-03-01' = {
- name: serverFarmName
- location: location
- sku: {
- name: 'S1'
- tier: 'Standard'
- size: 'S1'
- family: 'S'
- capacity: 1
- }
- properties: {}
-}
-
-resource applicationInsights 'Microsoft.Insights/components@2020-02-02' = {
- name: applicationInsightsName
- location: location
- kind: ''
- properties: {}
-}
-
-resource namespace 'Microsoft.Relay/namespaces@2021-11-01' = {
- name: relayNamespaceName
- location: location
- sku: {
- name: 'Standard'
- }
- properties: {}
-}
-
-resource hybridConnection 'Microsoft.Relay/namespaces/hybridConnections@2021-11-01' = {
- name: hybridConnectionName
- parent: namespace
- properties: {
- requiresClientAuthorization: true
- userMetadata: '[{"key":"endpoint","value":"db-server.constoso.com:1433"}]'
- }
-}
-
-resource authorizationRule 'Microsoft.Relay/namespaces/hybridConnections/authorizationRules@2021-11-01' = {
- name: 'defaultSender'
- parent: hybridConnection
- properties: {
- rights: [
- 'Send'
- ]
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Server Farm.')
-output serverFarmResourceId string = serverFarm.id
-
-@description('The resource ID of the created Storage Account.')
-output storageAccountResourceId string = storageAccount.id
-
-@description('The resource ID of the created Application Insights instance.')
-output applicationInsightsResourceId string = applicationInsights.id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
-
-@description('The resource ID of the created Hybrid Connection.')
-output hybridConnectionResourceId string = hybridConnection.id
diff --git a/modules/web/site/tests/e2e/functionAppCommon/main.test.bicep b/modules/web/site/tests/e2e/functionAppCommon/main.test.bicep
deleted file mode 100644
index 5abbca04b8..0000000000
--- a/modules/web/site/tests/e2e/functionAppCommon/main.test.bicep
+++ /dev/null
@@ -1,222 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-web.sites-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'wsfacom'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-[[namePrefix]]-vnet-${serviceShort}'
- managedIdentityName: 'dep-[[namePrefix]]-msi-${serviceShort}'
- serverFarmName: 'dep-[[namePrefix]]-sf-${serviceShort}'
- storageAccountName: 'dep[[namePrefix]]st${serviceShort}'
- applicationInsightsName: 'dep-[[namePrefix]]-appi-${serviceShort}'
- relayNamespaceName: 'dep-[[namePrefix]]-ns-${serviceShort}'
- hybridConnectionName: 'dep-[[namePrefix]]-hc-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-// For the below test case, please consider the guidelines described here: https://github.com/Azure/ResourceModules/wiki/Getting%20started%20-%20Scenario%202%20Onboard%20module%20library%20and%20CI%20environment#microsoftwebsites
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- kind: 'functionapp'
- serverFarmResourceId: nestedDependencies.outputs.serverFarmResourceId
- appInsightResourceId: nestedDependencies.outputs.applicationInsightsResourceId
- appSettingsKeyValuePairs: {
- AzureFunctionsJobHost__logging__logLevel__default: 'Trace'
- EASYAUTH_SECRET: 'https://${namePrefix}-KeyVault${environment().suffixes.keyvaultDns}/secrets/Modules-Test-SP-Password'
- FUNCTIONS_EXTENSION_VERSION: '~4'
- FUNCTIONS_WORKER_RUNTIME: 'dotnet'
- }
- authSettingV2Configuration: {
- globalValidation: {
- requireAuthentication: true
- unauthenticatedClientAction: 'Return401'
- }
- httpSettings: {
- forwardProxy: {
- convention: 'NoProxy'
- }
- requireHttps: true
- routes: {
- apiPrefix: '/.auth'
- }
- }
- identityProviders: {
- azureActiveDirectory: {
- enabled: true
- login: {
- disableWWWAuthenticate: false
- }
- registration: {
- clientId: 'd874dd2f-2032-4db1-a053-f0ec243685aa'
- clientSecretSettingName: 'EASYAUTH_SECRET'
- openIdIssuer: 'https://sts.windows.net/${tenant().tenantId}/v2.0/'
- }
- validation: {
- allowedAudiences: [
- 'api://d874dd2f-2032-4db1-a053-f0ec243685aa'
- ]
- defaultAuthorizationPolicy: {
- allowedPrincipals: {}
- }
- jwtClaimChecks: {}
- }
- }
- }
- login: {
- allowedExternalRedirectUrls: [
- 'string'
- ]
- cookieExpiration: {
- convention: 'FixedTime'
- timeToExpiration: '08:00:00'
- }
- nonce: {
- nonceExpirationInterval: '00:05:00'
- validateNonce: true
- }
- preserveUrlFragmentsForLogins: false
- routes: {}
- tokenStore: {
- azureBlobStorage: {}
- enabled: true
- fileSystem: {}
- tokenRefreshExtensionHours: 72
- }
- }
- platform: {
- enabled: true
- runtimeVersion: '~1'
- }
- }
- basicPublishingCredentialsPolicies: [
- {
- name: 'ftp'
- allow: false
- }
- {
- name: 'scm'
- allow: false
- }
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- privateEndpoints: [
- {
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- setAzureWebJobsDashboard: true
- keyVaultAccessIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId
- siteConfig: {
- alwaysOn: true
- use32BitWorkerProcess: false
- }
- storageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- hybridConnectionRelays: [
- {
- resourceId: nestedDependencies.outputs.hybridConnectionResourceId
- sendKeyName: 'defaultSender'
- }
- ]
- }
-}]
diff --git a/modules/web/site/tests/e2e/functionAppMin/dependencies.bicep b/modules/web/site/tests/e2e/functionAppMin/dependencies.bicep
deleted file mode 100644
index cd93e7ed3f..0000000000
--- a/modules/web/site/tests/e2e/functionAppMin/dependencies.bicep
+++ /dev/null
@@ -1,21 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Server Farm to create.')
-param serverFarmName string
-
-resource serverFarm 'Microsoft.Web/serverfarms@2022-03-01' = {
- name: serverFarmName
- location: location
- sku: {
- name: 'S1'
- tier: 'Standard'
- size: 'S1'
- family: 'S'
- capacity: 1
- }
- properties: {}
-}
-
-@description('The resource ID of the created Server Farm.')
-output serverFarmResourceId string = serverFarm.id
diff --git a/modules/web/site/tests/e2e/functionAppMin/main.test.bicep b/modules/web/site/tests/e2e/functionAppMin/main.test.bicep
deleted file mode 100644
index 4b341b5be5..0000000000
--- a/modules/web/site/tests/e2e/functionAppMin/main.test.bicep
+++ /dev/null
@@ -1,59 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-web.sites-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'wsfamin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- serverFarmName: 'dep-${namePrefix}-sf-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- kind: 'functionapp'
- serverFarmResourceId: nestedDependencies.outputs.serverFarmResourceId
- siteConfig: {
- alwaysOn: true
- }
- }
-}]
diff --git a/modules/web/site/tests/e2e/webAppCommon/dependencies.bicep b/modules/web/site/tests/e2e/webAppCommon/dependencies.bicep
deleted file mode 100644
index 79da8b010c..0000000000
--- a/modules/web/site/tests/e2e/webAppCommon/dependencies.bicep
+++ /dev/null
@@ -1,119 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Server Farm to create.')
-param serverFarmName string
-
-@description('Required. The name of the Relay Namespace to create.')
-param relayNamespaceName string
-
-@description('Required. The name of the Hybrid Connection to create.')
-param hybridConnectionName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.azurewebsites.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource serverFarm 'Microsoft.Web/serverfarms@2022-03-01' = {
- name: serverFarmName
- location: location
- sku: {
- name: 'S1'
- tier: 'Standard'
- size: 'S1'
- family: 'S'
- capacity: 1
- }
- properties: {}
-}
-
-resource relayNamespace 'Microsoft.Relay/namespaces@2021-11-01' = {
- name: relayNamespaceName
- location: location
- sku: {
- name: 'Standard'
- }
- properties: {}
-}
-
-resource hybridConnection 'Microsoft.Relay/namespaces/hybridConnections@2021-11-01' = {
- name: hybridConnectionName
- parent: relayNamespace
- properties: {
- requiresClientAuthorization: true
- userMetadata: '[{"key":"endpoint","value":"db-server.constoso.com:1433"}]'
- }
-}
-
-resource authorizationRule 'Microsoft.Relay/namespaces/hybridConnections/authorizationRules@2021-11-01' = {
- name: 'defaultSender'
- parent: hybridConnection
- properties: {
- rights: [
- 'Send'
- ]
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Server Farm.')
-output serverFarmResourceId string = serverFarm.id
-
-@description('The resource ID of the created Private DNS Zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
-
-@description('The resource ID of the created Hybrid Connection.')
-output hybridConnectionResourceId string = hybridConnection.id
diff --git a/modules/web/site/tests/e2e/webAppCommon/main.test.bicep b/modules/web/site/tests/e2e/webAppCommon/main.test.bicep
deleted file mode 100644
index 4fea3485cd..0000000000
--- a/modules/web/site/tests/e2e/webAppCommon/main.test.bicep
+++ /dev/null
@@ -1,231 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-web.sites-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'wswa'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-[[namePrefix]]-vnet-${serviceShort}'
- managedIdentityName: 'dep-[[namePrefix]]-msi-${serviceShort}'
- serverFarmName: 'dep-[[namePrefix]]-sf-${serviceShort}'
- relayNamespaceName: 'dep-[[namePrefix]]-ns-${serviceShort}'
- hybridConnectionName: 'dep-[[namePrefix]]-hc-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- kind: 'app'
- serverFarmResourceId: nestedDependencies.outputs.serverFarmResourceId
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- httpsOnly: true
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- slots: [
- {
- name: 'slot1'
- diagnosticSettings: [
- {
- name: 'customSetting'
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- privateEndpoints: [
- {
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- privateDnsZoneResourceIds: [
-
- nestedDependencies.outputs.privateDNSZoneResourceId
-
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- basicPublishingCredentialsPolicies: [
- {
- name: 'ftp'
- allow: false
- }
- {
- name: 'scm'
- allow: false
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- siteConfig: {
- alwaysOn: true
- metadata: [
- {
- name: 'CURRENT_STACK'
- value: 'dotnetcore'
- }
- ]
- }
- hybridConnectionRelays: [
- {
- resourceId: nestedDependencies.outputs.hybridConnectionResourceId
- sendKeyName: 'defaultSender'
- }
- ]
- }
- {
- name: 'slot2'
- basicPublishingCredentialsPolicies: [
- {
- name: 'ftp'
- }
- {
- name: 'scm'
- }
- ]
- }
- ]
- privateEndpoints: [
- {
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- siteConfig: {
- alwaysOn: true
- metadata: [
- {
- name: 'CURRENT_STACK'
- value: 'dotnetcore'
- }
- ]
- }
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- basicPublishingCredentialsPolicies: [
- {
- name: 'ftp'
- allow: false
- }
- {
- name: 'scm'
- allow: false
- }
-
- ]
- hybridConnectionRelays: [
- {
- resourceId: nestedDependencies.outputs.hybridConnectionResourceId
- sendKeyName: 'defaultSender'
- }
- ]
- scmSiteAlsoStopped: true
- vnetContentShareEnabled: true
- vnetImagePullEnabled: true
- vnetRouteAllEnabled: true
- publicNetworkAccess: 'Disabled'
- }
-}]
diff --git a/modules/web/site/tests/e2e/webAppMin/dependencies.bicep b/modules/web/site/tests/e2e/webAppMin/dependencies.bicep
deleted file mode 100644
index cd93e7ed3f..0000000000
--- a/modules/web/site/tests/e2e/webAppMin/dependencies.bicep
+++ /dev/null
@@ -1,21 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Server Farm to create.')
-param serverFarmName string
-
-resource serverFarm 'Microsoft.Web/serverfarms@2022-03-01' = {
- name: serverFarmName
- location: location
- sku: {
- name: 'S1'
- tier: 'Standard'
- size: 'S1'
- family: 'S'
- capacity: 1
- }
- properties: {}
-}
-
-@description('The resource ID of the created Server Farm.')
-output serverFarmResourceId string = serverFarm.id
diff --git a/modules/web/site/tests/e2e/webAppMin/main.test.bicep b/modules/web/site/tests/e2e/webAppMin/main.test.bicep
deleted file mode 100644
index c173fb23e1..0000000000
--- a/modules/web/site/tests/e2e/webAppMin/main.test.bicep
+++ /dev/null
@@ -1,56 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-web.sites-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'wswamin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- serverFarmName: 'dep-${namePrefix}-sf-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- kind: 'app'
- serverFarmResourceId: nestedDependencies.outputs.serverFarmResourceId
- }
-}]
diff --git a/modules/web/site/version.json b/modules/web/site/version.json
deleted file mode 100644
index 96236a61ba..0000000000
--- a/modules/web/site/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/modules/web/static-site/MOVED-TO-AVM.md b/modules/web/static-site/MOVED-TO-AVM.md
deleted file mode 100644
index cec0941d12..0000000000
--- a/modules/web/static-site/MOVED-TO-AVM.md
+++ /dev/null
@@ -1 +0,0 @@
-This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/web/static-site/README.md b/modules/web/static-site/README.md
index d2bd379801..2522d38224 100644
--- a/modules/web/static-site/README.md
+++ b/modules/web/static-site/README.md
@@ -1,1055 +1,7 @@
-# Static Web Apps `[Microsoft.Web/staticSites]`
+

⚠️ Moved to AVM ⚠️

-> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +**This module has been evolved into the following AVM module: [avm/res/web/static-site](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res/web/static-site).** -This module deploys a Static Web App. +The source code of this module has been removed from the main branch of this repository. If for any reason, you still need to access the CARML version of the module, you can find it [here](https://github.com/Azure/ResourceModules/tree/module-archive/modules/web/static-site). -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -| `Microsoft.Web/staticSites` | [2021-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2021-03-01/staticSites) | -| `Microsoft.Web/staticSites/config` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/staticSites/config) | -| 
`Microsoft.Web/staticSites/customDomains` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-03-01/staticSites/customDomains) | -| `Microsoft.Web/staticSites/linkedBackends` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-03-01/staticSites/linkedBackends) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/web.static-site:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -
- -via Bicep module - -```bicep -module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-wssmin' - params: { - // Required parameters - name: 'wssmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "wssmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-wssmax' - params: { - // Required parameters - name: 'wssmax001' - // Non-required parameters - allowConfigFileUpdates: true - appSettings: { - foo: 'bar' - setting: 1 - } - enableDefaultTelemetry: '' - enterpriseGradeCdnStatus: 'Disabled' - functionAppSettings: { - foo: 'bar' - setting: 1 - } - linkedBackend: { - resourceId: '' - } - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - sku: 'Standard' - stagingEnvironmentPolicy: 'Enabled' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "wssmax001" - }, - // Non-required parameters - "allowConfigFileUpdates": { - "value": true - }, - "appSettings": { - "value": { - "foo": "bar", - "setting": 1 - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "enterpriseGradeCdnStatus": { - "value": "Disabled" - }, - "functionAppSettings": { - "value": { - "foo": "bar", - "setting": 1 - } - }, - "linkedBackend": { - "value": { - "resourceId": "" - } - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "sku": { - "value": "Standard" - }, - "stagingEnvironmentPolicy": { - "value": "Enabled" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-wsswaf' - params: { - // Required parameters - name: 'wsswaf001' - // Non-required parameters - allowConfigFileUpdates: true - appSettings: { - foo: 'bar' - setting: 1 - } - enableDefaultTelemetry: '' - enterpriseGradeCdnStatus: 'Disabled' - functionAppSettings: { - foo: 'bar' - setting: 1 - } - linkedBackend: { - resourceId: '' - } - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - sku: 'Standard' - stagingEnvironmentPolicy: 'Enabled' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "wsswaf001" - }, - // Non-required parameters - "allowConfigFileUpdates": { - "value": true - }, - "appSettings": { - "value": { - "foo": "bar", - "setting": 1 - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "enterpriseGradeCdnStatus": { - "value": "Disabled" - }, - "functionAppSettings": { - "value": { - "foo": "bar", - "setting": 1 - } - }, - "linkedBackend": { - "value": { - "resourceId": "" - } - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "sku": { - "value": "Standard" - }, - "stagingEnvironmentPolicy": { - "value": "Enabled" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | Name of the static site. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`allowConfigFileUpdates`](#parameter-allowconfigfileupdates) | bool | False if config file is locked for this static web app; otherwise, true. | -| [`appSettings`](#parameter-appsettings) | object | Static site app settings. | -| [`branch`](#parameter-branch) | string | The branch name of the GitHub repository. | -| [`buildProperties`](#parameter-buildproperties) | object | Build properties for the static site. | -| [`customDomains`](#parameter-customdomains) | array | The custom domains associated with this static site. The deployment will fail as long as the validation records are not present. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`enterpriseGradeCdnStatus`](#parameter-enterprisegradecdnstatus) | string | State indicating the status of the enterprise grade CDN serving traffic to the static web app. | -| [`functionAppSettings`](#parameter-functionappsettings) | object | Function app settings. | -| [`linkedBackend`](#parameter-linkedbackend) | object | Object with "resourceId" and "location" of the a user defined function app. | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Note, requires the 'sku' to be 'Standard'. 
| -| [`provider`](#parameter-provider) | string | The provider that submitted the last deployment to the primary environment of the static site. | -| [`repositoryToken`](#parameter-repositorytoken) | securestring | The Personal Access Token for accessing the GitHub repository. | -| [`repositoryUrl`](#parameter-repositoryurl) | string | The name of the GitHub repository. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`sku`](#parameter-sku) | string | Type of static site to deploy. | -| [`stagingEnvironmentPolicy`](#parameter-stagingenvironmentpolicy) | string | State indicating whether staging environments are allowed or not allowed for a static web app. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`templateProperties`](#parameter-templateproperties) | object | Template Options for the static site. | - -### Parameter: `name` - -Name of the static site. - -- Required: Yes -- Type: string - -### Parameter: `allowConfigFileUpdates` - -False if config file is locked for this static web app; otherwise, true. - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `appSettings` - -Static site app settings. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `branch` - -The branch name of the GitHub repository. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `buildProperties` - -Build properties for the static site. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `customDomains` - -The custom domains associated with this static site. The deployment will fail as long as the validation records are not present. - -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). 
- -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enterpriseGradeCdnStatus` - -State indicating the status of the enterprise grade CDN serving traffic to the static web app. - -- Required: No -- Type: string -- Default: `'Disabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Disabling' - 'Enabled' - 'Enabling' - ] - ``` - -### Parameter: `functionAppSettings` - -Function app settings. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `linkedBackend` - -Object with "resourceId" and "location" of the a user defined function app. - -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | -| [`name`](#parameter-lockname) | string | Specify the name of lock. | - -### Parameter: `lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. - -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.systemAssigned` - -Enables system assigned managed identity on the resource. 
- -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -The resource ID(s) to assign to the resource. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints` - -Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Note, requires the 'sku' to be 'Standard'. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. 
| -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.subnetResourceId` - -Resource ID of the subnet where the endpoint needs to be created. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Application security groups in which the private endpoint IP configuration is included. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customDnsConfigs` - -Custom DNS configurations. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.customNetworkInterfaceName` - -The custom name of the network interface attached to the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.enableTelemetry` - -Enable/Disable usage telemetry for module. - -- Required: No -- Type: bool - -### Parameter: `privateEndpoints.ipConfigurations` - -A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.location` - -The location to deploy the private endpoint to. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.lock` - -Specify the type of lock. 
- -- Required: No -- Type: object - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | -| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | - -### Parameter: `privateEndpoints.lock.kind` - -Specify the type of lock. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'CanNotDelete' - 'None' - 'ReadOnly' - ] - ``` - -### Parameter: `privateEndpoints.lock.name` - -Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` - -Manual PrivateLink Service Connections. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.name` - -The name of the private endpoint. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneGroupName` - -The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` - -The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - -- Required: No -- Type: array - -### Parameter: `privateEndpoints.roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `privateEndpoints.roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.conditionVersion` - -Version of the condition. 
- -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `privateEndpoints.service` - -The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". - -- Required: No -- Type: string - -### Parameter: `privateEndpoints.tags` - -Tags to be applied on all resources/resource groups in this deployment. - -- Required: No -- Type: object - -### Parameter: `provider` - -The provider that submitted the last deployment to the primary environment of the static site. - -- Required: No -- Type: string -- Default: `'None'` - -### Parameter: `repositoryToken` - -The Personal Access Token for accessing the GitHub repository. - -- Required: No -- Type: securestring -- Default: `''` - -### Parameter: `repositoryUrl` - -The name of the GitHub repository. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `roleAssignments` - -Array of role assignments to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `roleAssignments.principalId` - -The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Version of the condition. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: - ```Bicep - [ - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `sku` - -Type of static site to deploy. - -- Required: No -- Type: string -- Default: `'Free'` -- Allowed: - ```Bicep - [ - 'Free' - 'Standard' - ] - ``` - -### Parameter: `stagingEnvironmentPolicy` - -State indicating whether staging environments are allowed or not allowed for a static web app. - -- Required: No -- Type: string -- Default: `'Enabled'` -- Allowed: - ```Bicep - [ - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `tags` - -Tags of the resource. - -- Required: No -- Type: object - -### Parameter: `templateProperties` - -Template Options for the static site. - -- Required: No -- Type: object -- Default: `{}` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `defaultHostname` | string | The default autogenerated hostname for the static site. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the static site. | -| `resourceGroupName` | string | The resource group the static site was deployed into. | -| `resourceId` | string | The resource ID of the static site. 
| -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `modules/network/private-endpoint` | Local reference | +For more information about this transition, see the notice, [here](https://github.com/Azure/ResourceModules?tab=readme-ov-file#%EF%B8%8F-CARML---AVM-transition-%EF%B8%8F). diff --git a/modules/web/static-site/config/README.md b/modules/web/static-site/config/README.md deleted file mode 100644 index c9ff608e25..0000000000 --- a/modules/web/static-site/config/README.md +++ /dev/null 
@@ -1,95 +0,0 @@ -# Static Web App Site Config `[Microsoft.Web/staticSites/config]` - -This module deploys a Static Web App Site Config. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Web/staticSites/config` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/staticSites/config) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`kind`](#parameter-kind) | string | Type of settings to apply. | -| [`properties`](#parameter-properties) | object | App settings. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`staticSiteName`](#parameter-staticsitename) | string | The name of the parent Static Web App. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location for all resources. | - -### Parameter: `kind` - -Type of settings to apply. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'appsettings' - 'functionappsettings' - ] - ``` - -### Parameter: `properties` - -App settings. - -- Required: Yes -- Type: object - -### Parameter: `staticSiteName` - -The name of the parent Static Web App. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location for all resources. 
- -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the config. | -| `resourceGroupName` | string | The name of the resource group the config was created in. | -| `resourceId` | string | The resource ID of the config. | - -## Cross-referenced modules - -_None_ diff --git a/modules/web/static-site/config/main.bicep b/modules/web/static-site/config/main.bicep deleted file mode 100644 index 1db5657bc3..0000000000 --- a/modules/web/static-site/config/main.bicep +++ /dev/null 
@@ -1,54 +0,0 @@
-metadata name = 'Static Web App Site Config'
-metadata description = 'This module deploys a Static Web App Site Config.'
-metadata owner = 'Azure/module-maintainers'
-
-@allowed([
- 'appsettings'
- 'functionappsettings'
-])
-@description('Required. Type of settings to apply.')
-param kind string
-
-@description('Required. App settings.')
-param properties object
-
-@description('Conditional. The name of the parent Static Web App. Required if the template is used in a standalone deployment.')
-param staticSiteName string
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-resource staticSite 'Microsoft.Web/staticSites@2022-03-01' existing = {
- name: staticSiteName
-}
-
-resource config 'Microsoft.Web/staticSites/config@2022-03-01' = {
- #disable-next-line BCP225 // Disables incorrect error that `name` cannot be determined at compile time.
- name: kind
- parent: staticSite
- properties: properties
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-@description('The name of the config.')
-output name string = config.name
-
-@description('The resource ID of the config.')
-output resourceId string = config.id
-
-@description('The name of the resource group the config was created in.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/web/static-site/config/main.json b/modules/web/static-site/config/main.json
deleted file mode 100644
index 4740c67aec..0000000000
--- a/modules/web/static-site/config/main.json
+++ /dev/null
@@ -1,97 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2145280265348211589" - }, - "name": "Static Web App Site Config", - "description": "This module deploys a Static Web App Site Config.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "kind": { - "type": "string", - "allowedValues": [ - "appsettings", - "functionappsettings" - ], - "metadata": { - "description": "Required. Type of settings to apply." - } - }, - "properties": { - "type": "object", - "metadata": { - "description": "Required. App settings." - } - }, - "staticSiteName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Static Web App. Required if the template is used in a standalone deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." 
- } - } - }, - "resources": [ - { - "type": "Microsoft.Web/staticSites/config", - "apiVersion": "2022-03-01", - "name": "[format('{0}/{1}', parameters('staticSiteName'), parameters('kind'))]", - "properties": "[parameters('properties')]" - }, - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the config." - }, - "value": "[parameters('kind')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the config." - }, - "value": "[resourceId('Microsoft.Web/staticSites/config', parameters('staticSiteName'), parameters('kind'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the config was created in." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/web/static-site/config/version.json b/modules/web/static-site/config/version.json deleted file mode 100644 index 9ed3662aba..0000000000 --- a/modules/web/static-site/config/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.6", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/web/static-site/custom-domain/README.md b/modules/web/static-site/custom-domain/README.md deleted file mode 100644 index 0ca1252cb2..0000000000 --- a/modules/web/static-site/custom-domain/README.md +++ /dev/null 
@@ -1,89 +0,0 @@ -# Static Web App Site Custom Domains `[Microsoft.Web/staticSites/customDomains]` - -This module deploys a Static Web App Site Custom Domain. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Web/staticSites/customDomains` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-03-01/staticSites/customDomains) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`name`](#parameter-name) | string | The custom domain name. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`staticSiteName`](#parameter-staticsitename) | string | The name of the parent Static Web App. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`validationMethod`](#parameter-validationmethod) | string | Validation method for adding a custom domain. | - -### Parameter: `name` - -The custom domain name. - -- Required: Yes -- Type: string - -### Parameter: `staticSiteName` - -The name of the parent Static Web App. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). - -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location for all resources. 
- -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `validationMethod` - -Validation method for adding a custom domain. - -- Required: No -- Type: string -- Default: `'cname-delegation'` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the static site custom domain. | -| `resourceGroupName` | string | The resource group the static site custom domain was deployed into. | -| `resourceId` | string | The resource ID of the static site custom domain. | - -## Cross-referenced modules - -_None_ diff --git a/modules/web/static-site/custom-domain/main.bicep b/modules/web/static-site/custom-domain/main.bicep deleted file mode 100644 index b392892704..0000000000 --- a/modules/web/static-site/custom-domain/main.bicep +++ /dev/null 
@@ -1,51 +0,0 @@
-metadata name = 'Static Web App Site Custom Domains'
-metadata description = 'This module deploys a Static Web App Site Custom Domain.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. The custom domain name.')
-param name string
-
-@description('Conditional. The name of the parent Static Web App. Required if the template is used in a standalone deployment.')
-param staticSiteName string
-
-@description('Optional. Validation method for adding a custom domain.')
-param validationMethod string = 'cname-delegation'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-resource staticSite 'Microsoft.Web/staticSites@2022-03-01' existing = {
- name: staticSiteName
-}
-
-resource customDomain 'Microsoft.Web/staticSites/customDomains@2022-03-01' = {
- name: name
- parent: staticSite
- properties: {
- validationMethod: validationMethod
- }
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-@description('The name of the static site custom domain.')
-output name string = customDomain.name
-
-@description('The resource ID of the static site custom domain.')
-output resourceId string = customDomain.id
-
-@description('The resource group the static site custom domain was deployed into.')
-output resourceGroupName string = resourceGroup().name
diff --git a/modules/web/static-site/custom-domain/main.json b/modules/web/static-site/custom-domain/main.json
deleted file mode 100644
index 138ed53dc4..0000000000
--- a/modules/web/static-site/custom-domain/main.json
+++ /dev/null
@@ -1,96 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10034836397316444891" - }, - "name": "Static Web App Site Custom Domains", - "description": "This module deploys a Static Web App Site Custom Domain.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The custom domain name." - } - }, - "staticSiteName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Static Web App. Required if the template is used in a standalone deployment." - } - }, - "validationMethod": { - "type": "string", - "defaultValue": "cname-delegation", - "metadata": { - "description": "Optional. Validation method for adding a custom domain." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." 
- } - } - }, - "resources": [ - { - "type": "Microsoft.Web/staticSites/customDomains", - "apiVersion": "2022-03-01", - "name": "[format('{0}/{1}', parameters('staticSiteName'), parameters('name'))]", - "properties": { - "validationMethod": "[parameters('validationMethod')]" - } - }, - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the static site custom domain." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the static site custom domain." - }, - "value": "[resourceId('Microsoft.Web/staticSites/customDomains', parameters('staticSiteName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the static site custom domain was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/web/static-site/custom-domain/version.json b/modules/web/static-site/custom-domain/version.json deleted file mode 100644 index 9ed3662aba..0000000000 --- a/modules/web/static-site/custom-domain/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.6", - "pathFilters": [ - "./main.json" - ] -} diff --git a/modules/web/static-site/linked-backend/README.md b/modules/web/static-site/linked-backend/README.md deleted file mode 100644 index c12b65dbd1..0000000000 
--- a/modules/web/static-site/linked-backend/README.md
+++ /dev/null
@@ -1,98 +0,0 @@ -# Static Web App Site Linked Backends `[Microsoft.Web/staticSites/linkedBackends]` - -This module deploys a Custom Function App into a Static Web App Site using the Linked Backends property. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Web/staticSites/linkedBackends` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-03-01/staticSites/linkedBackends) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`backendResourceId`](#parameter-backendresourceid) | string | The resource ID of the backend linked to the static site. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`staticSiteName`](#parameter-staticsitename) | string | The name of the parent Static Web App. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`location`](#parameter-location) | string | Location for all resources. | -| [`name`](#parameter-name) | string | Name of the backend to link to the static site. | -| [`region`](#parameter-region) | string | The region of the backend linked to the static site. | - -### Parameter: `backendResourceId` - -The resource ID of the backend linked to the static site. - -- Required: Yes -- Type: string - -### Parameter: `staticSiteName` - -The name of the parent Static Web App. Required if the template is used in a standalone deployment. - -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). 
- -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location for all resources. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `name` - -Name of the backend to link to the static site. - -- Required: No -- Type: string -- Default: `[uniqueString(parameters('backendResourceId'))]` - -### Parameter: `region` - -The region of the backend linked to the static site. - -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the static site linked backend. | -| `resourceGroupName` | string | The resource group the static site linked backend was deployed into. | -| `resourceId` | string | The resource ID of the static site linked backend. | - -## Cross-referenced modules - -_None_ diff --git a/modules/web/static-site/linked-backend/main.bicep b/modules/web/static-site/linked-backend/main.bicep deleted file mode 100644 index ac5132d50f..0000000000 --- a/modules/web/static-site/linked-backend/main.bicep +++ /dev/null 
@@ -1,55 +0,0 @@ -metadata name = 'Static Web App Site Linked Backends' -metadata description = 'This module deploys a Custom Function App into a Static Web App Site using the Linked Backends property.' -metadata owner = 'Azure/module-maintainers' - -@description('Required. The resource ID of the backend linked to the static site.') -param backendResourceId string - -@description('Optional. The region of the backend linked to the static site.') -param region string = resourceGroup().location - -@description('Conditional. The name of the parent Static Web App. Required if the template is used in a standalone deployment.') -param staticSiteName string - -@description('Optional. Name of the backend to link to the static site.') -param name string = uniqueString(backendResourceId) - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -resource staticSite 'Microsoft.Web/staticSites@2022-03-01' existing = { - name: staticSiteName -} - -resource linkedBackend 'Microsoft.Web/staticSites/linkedBackends@2022-03-01' = { - name: name - parent: staticSite - properties: { - backendResourceId: backendResourceId - region: region - } -} - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -@description('The name of the static site linked backend.') -output name string = linkedBackend.name - -@description('The resource ID of the static site linked backend.') -output resourceId string = linkedBackend.id - -@description('The resource group the static site 
linked backend was deployed into.') -output resourceGroupName string = resourceGroup().name diff --git a/modules/web/static-site/linked-backend/main.json b/modules/web/static-site/linked-backend/main.json deleted file mode 100644 index 849ca3e262..0000000000 --- a/modules/web/static-site/linked-backend/main.json +++ /dev/null 
@@ -1,104 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2577415583443518856" - }, - "name": "Static Web App Site Linked Backends", - "description": "This module deploys a Custom Function App into a Static Web App Site using the Linked Backends property.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "backendResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the backend linked to the static site." - } - }, - "region": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. The region of the backend linked to the static site." - } - }, - "staticSiteName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Static Web App. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "[uniqueString(parameters('backendResourceId'))]", - "metadata": { - "description": "Optional. Name of the backend to link to the static site." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." 
- } - } - }, - "resources": [ - { - "type": "Microsoft.Web/staticSites/linkedBackends", - "apiVersion": "2022-03-01", - "name": "[format('{0}/{1}', parameters('staticSiteName'), parameters('name'))]", - "properties": { - "backendResourceId": "[parameters('backendResourceId')]", - "region": "[parameters('region')]" - } - }, - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the static site linked backend." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the static site linked backend." - }, - "value": "[resourceId('Microsoft.Web/staticSites/linkedBackends', parameters('staticSiteName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the static site linked backend was deployed into." - }, - "value": "[resourceGroup().name]" - } - } -} \ No newline at end of file diff --git a/modules/web/static-site/linked-backend/version.json b/modules/web/static-site/linked-backend/version.json deleted file mode 100644 index 9ed3662aba..0000000000 --- a/modules/web/static-site/linked-backend/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.6", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/modules/web/static-site/main.bicep b/modules/web/static-site/main.bicep
deleted file mode 100644
index 704cebbe70..0000000000
--- a/modules/web/static-site/main.bicep
+++ /dev/null
@@ -1,355 +0,0 @@
-metadata name = 'Static Web Apps'
-metadata description = 'This module deploys a Static Web App.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Required. Name of the static site.')
-@minLength(1)
-@maxLength(40)
-param name string
-
-@allowed([
- 'Free'
- 'Standard'
-])
-@description('Optional. Type of static site to deploy.')
-param sku string = 'Free'
-
-@description('Optional. False if config file is locked for this static web app; otherwise, true.')
-param allowConfigFileUpdates bool = true
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@allowed([
- 'Enabled'
- 'Disabled'
-])
-@description('Optional. State indicating whether staging environments are allowed or not allowed for a static web app.')
-param stagingEnvironmentPolicy string = 'Enabled'
-
-@allowed([
- 'Disabled'
- 'Disabling'
- 'Enabled'
- 'Enabling'
-])
-@description('Optional. State indicating the status of the enterprise grade CDN serving traffic to the static web app.')
-param enterpriseGradeCdnStatus string = 'Disabled'
-
-@description('Optional. Build properties for the static site.')
-param buildProperties object = {}
-
-@description('Optional. Template Options for the static site.')
-param templateProperties object = {}
-
-@description('Optional. The provider that submitted the last deployment to the primary environment of the static site.')
-param provider string = 'None'
-
-@secure()
-@description('Optional. The Personal Access Token for accessing the GitHub repository.')
-param repositoryToken string = ''
-
-@description('Optional. The name of the GitHub repository.')
-param repositoryUrl string = ''
-
-@description('Optional. The branch name of the GitHub repository.')
-param branch string = ''
-
-@description('Optional. The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
-
-@description('Optional. The lock settings of the service.')
-param lock lockType
-
-@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Note, requires the \'sku\' to be \'Standard\'.')
-param privateEndpoints privateEndpointType
-
-@description('Optional. Tags of the resource.')
-param tags object?
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
-
-@description('Optional. Object with "resourceId" and "location" of the a user defined function app.')
-param linkedBackend object = {}
-
-@description('Optional. Static site app settings.')
-param appSettings object = {}
-
-@description('Optional. Function app settings.')
-param functionAppSettings object = {}
-
-@description('Optional. The custom domains associated with this static site. The deployment will fail as long as the validation records are not present.')
-param customDomains array = []
-
-var enableReferencedModulesTelemetry = false
-
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-
-var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
- userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
-} : null
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
- 'Web Plan Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')
- 'Website Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')
-}
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource staticSite 'Microsoft.Web/staticSites@2021-03-01' = {
- name: name
- location: location
- tags: tags
- identity: identity
- sku: {
- name: sku
- tier: sku
- }
- properties: {
- allowConfigFileUpdates: allowConfigFileUpdates
- stagingEnvironmentPolicy: stagingEnvironmentPolicy
- enterpriseGradeCdnStatus: enterpriseGradeCdnStatus
- provider: !empty(provider) ? provider : 'None'
- branch: !empty(branch) ? branch : null
- buildProperties: !empty(buildProperties) ? buildProperties : null
- repositoryToken: !empty(repositoryToken) ? repositoryToken : null
- repositoryUrl: !empty(repositoryUrl) ? repositoryUrl : null
- templateProperties: !empty(templateProperties) ? templateProperties : null
- }
-}
-
-module staticSite_linkedBackend 'linked-backend/main.bicep' = if (!empty(linkedBackend)) {
- name: '${uniqueString(deployment().name, location)}-StaticSite-UserDefinedFunction'
- params: {
- staticSiteName: staticSite.name
- backendResourceId: linkedBackend.resourceId
- region: contains(linkedBackend, 'location') ? linkedBackend.location : location
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module staticSite_appSettings 'config/main.bicep' = if (!empty(appSettings)) {
- name: '${uniqueString(deployment().name, location)}-StaticSite-appSettings'
- params: {
- kind: 'appsettings'
- staticSiteName: staticSite.name
- properties: appSettings
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module staticSite_functionAppSettings 'config/main.bicep' = if (!empty(functionAppSettings)) {
- name: '${uniqueString(deployment().name, location)}-StaticSite-functionAppSettings'
- params: {
- kind: 'functionappsettings'
- staticSiteName: staticSite.name
- properties: functionAppSettings
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}
-
-module staticSite_customDomains 'custom-domain/main.bicep' = [for (customDomain, index) in customDomains: {
- name: '${uniqueString(deployment().name, location)}-StaticSite-customDomains-${index}'
- params: {
- name: customDomain
- staticSiteName: staticSite.name
- validationMethod: indexOf(customDomain, '.') == lastIndexOf(customDomain, '.') ? 'dns-txt-token' : 'cname-delegation'
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
-resource staticSite_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
- name: lock.?name ?? 'lock-${name}'
- properties: {
- level: lock.?kind ?? ''
- notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
- }
- scope: staticSite
-}
-
-resource staticSite_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(staticSite.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
- principalId: roleAssignment.principalId
- description: roleAssignment.?description
- principalType: roleAssignment.?principalType
- condition: roleAssignment.?condition
- conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
- delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
- }
- scope: staticSite
-}]
-
-module staticSite_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
- name: '${uniqueString(deployment().name, location)}-staticSite-PrivateEndpoint-${index}'
- params: {
- groupIds: [
- privateEndpoint.?service ?? 'staticSites'
- ]
- name: privateEndpoint.?name ?? 'pep-${last(split(staticSite.id, '/'))}-${privateEndpoint.?service ?? 'staticSites'}-${index}'
- serviceResourceId: staticSite.id
- subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
- location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
- privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
- roleAssignments: privateEndpoint.?roleAssignments
- tags: privateEndpoint.?tags ?? tags
- manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
- customDnsConfigs: privateEndpoint.?customDnsConfigs
- ipConfigurations: privateEndpoint.?ipConfigurations
- applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
- customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
- }
-}]
-
-@description('The name of the static site.')
-output name string = staticSite.name
-
-@description('The resource ID of the static site.')
-output resourceId string = staticSite.id
-
-@description('The resource group the static site was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The principal ID of the system assigned identity.')
-output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(staticSite.identity, 'principalId') ? staticSite.identity.principalId : ''
-
-@description('The location the resource was deployed into.')
-output location string = staticSite.location
-
-@description('The default autogenerated hostname for the static site.')
-output defaultHostname string = staticSite.properties.defaultHostname
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceIds: string[]?
-}?
-
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?
-
-type privateEndpointType = {
- @description('Optional. The name of the private endpoint.')
- name: string?
-
- @description('Optional. The location to deploy the private endpoint to.')
- location: string?
-
- @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
- service: string?
-
- @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
- subnetResourceId: string
-
- @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
- privateDnsZoneGroupName: string?
-
- @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
- privateDnsZoneResourceIds: string[]?
-
- @description('Optional. Custom DNS configurations.')
- customDnsConfigs: {
- @description('Required. Fqdn that resolves to private endpoint ip address.')
- fqdn: string?
-
- @description('Required. A list of private ip addresses of the private endpoint.')
- ipAddresses: string[]
- }[]?
-
- @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
- ipConfigurations: {
- @description('Required. The name of the resource that is unique within a resource group.')
- name: string
-
- @description('Required. Properties of private endpoint IP configurations.')
- properties: {
- @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
- groupId: string
-
- @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
- memberName: string
-
- @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
- privateIPAddress: string
- }
- }[]?
-
- @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
- applicationSecurityGroupResourceIds: string[]?
-
- @description('Optional. The custom name of the network interface attached to the private endpoint.')
- customNetworkInterfaceName: string?
-
- @description('Optional. Specify the type of lock.')
- lock: lockType
-
- @description('Optional. Array of role assignments to create.')
- roleAssignments: roleAssignmentType
-
- @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
- tags: object?
-
- @description('Optional. Manual PrivateLink Service Connections.')
- manualPrivateLinkServiceConnections: array?
-
- @description('Optional. Enable/Disable usage telemetry for module.')
- enableTelemetry: bool?
-}[]?
diff --git a/modules/web/static-site/main.json b/modules/web/static-site/main.json
deleted file mode 100644
index 850eea7879..0000000000
--- a/modules/web/static-site/main.json
+++ /dev/null
@@ -1,1731 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "1972191621448105734" - }, - "name": "Static Web Apps", - "description": "This module deploys a Static Web App.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." 
- } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "service": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." 
- } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. 
Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "minLength": 1, - "maxLength": 40, - "metadata": { - "description": "Required. Name of the static site." - } - }, - "sku": { - "type": "string", - "defaultValue": "Free", - "allowedValues": [ - "Free", - "Standard" - ], - "metadata": { - "description": "Optional. Type of static site to deploy." 
- } - }, - "allowConfigFileUpdates": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. False if config file is locked for this static web app; otherwise, true." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "stagingEnvironmentPolicy": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. State indicating whether staging environments are allowed or not allowed for a static web app." - } - }, - "enterpriseGradeCdnStatus": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "Disabling", - "Enabled", - "Enabling" - ], - "metadata": { - "description": "Optional. State indicating the status of the enterprise grade CDN serving traffic to the static web app." - } - }, - "buildProperties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Build properties for the static site." - } - }, - "templateProperties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Template Options for the static site." - } - }, - "provider": { - "type": "string", - "defaultValue": "None", - "metadata": { - "description": "Optional. The provider that submitted the last deployment to the primary environment of the static site." - } - }, - "repositoryToken": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. The Personal Access Token for accessing the GitHub repository." - } - }, - "repositoryUrl": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the GitHub repository." - } - }, - "branch": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The branch name of the GitHub repository." 
- } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", - "metadata": { - "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Note, requires the 'sku' to be 'Standard'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "linkedBackend": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Object with \"resourceId\" and \"location\" of the a user defined function app." - } - }, - "appSettings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Static site app settings." - } - }, - "functionAppSettings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Function app settings." - } - }, - "customDomains": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The custom domains associated with this static site. The deployment will fail as long as the validation records are not present." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Web Plan Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", - "Website Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')]" - } - }, 
- "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "staticSite": { - "type": "Microsoft.Web/staticSites", - "apiVersion": "2021-03-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "sku": { - "name": "[parameters('sku')]", - "tier": "[parameters('sku')]" - }, - "properties": { - "allowConfigFileUpdates": "[parameters('allowConfigFileUpdates')]", - "stagingEnvironmentPolicy": "[parameters('stagingEnvironmentPolicy')]", - "enterpriseGradeCdnStatus": "[parameters('enterpriseGradeCdnStatus')]", - "provider": "[if(not(empty(parameters('provider'))), parameters('provider'), 'None')]", - "branch": "[if(not(empty(parameters('branch'))), parameters('branch'), null())]", - "buildProperties": "[if(not(empty(parameters('buildProperties'))), parameters('buildProperties'), null())]", - "repositoryToken": "[if(not(empty(parameters('repositoryToken'))), parameters('repositoryToken'), null())]", - "repositoryUrl": "[if(not(empty(parameters('repositoryUrl'))), parameters('repositoryUrl'), null())]", - "templateProperties": "[if(not(empty(parameters('templateProperties'))), parameters('templateProperties'), null())]" - } - }, - "staticSite_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Web/staticSites/{0}', 
parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "staticSite" - ] - }, - "staticSite_roleAssignments": { - "copy": { - "name": "staticSite_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Web/staticSites/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Web/staticSites', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "staticSite" - ] - }, - "staticSite_linkedBackend": { - "condition": "[not(empty(parameters('linkedBackend')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-StaticSite-UserDefinedFunction', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "staticSiteName": { - "value": "[parameters('name')]" - }, - "backendResourceId": { - "value": "[parameters('linkedBackend').resourceId]" - }, - "region": "[if(contains(parameters('linkedBackend'), 'location'), createObject('value', parameters('linkedBackend').location), createObject('value', parameters('location')))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2577415583443518856" - }, - "name": "Static Web App Site Linked Backends", - "description": "This module deploys a Custom Function App into a Static Web App Site using the Linked Backends property.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - 
"backendResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the backend linked to the static site." - } - }, - "region": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. The region of the backend linked to the static site." - } - }, - "staticSiteName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Static Web App. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "[uniqueString(parameters('backendResourceId'))]", - "metadata": { - "description": "Optional. Name of the backend to link to the static site." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." 
- } - } - }, - "resources": [ - { - "type": "Microsoft.Web/staticSites/linkedBackends", - "apiVersion": "2022-03-01", - "name": "[format('{0}/{1}', parameters('staticSiteName'), parameters('name'))]", - "properties": { - "backendResourceId": "[parameters('backendResourceId')]", - "region": "[parameters('region')]" - } - }, - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the static site linked backend." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the static site linked backend." - }, - "value": "[resourceId('Microsoft.Web/staticSites/linkedBackends', parameters('staticSiteName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the static site linked backend was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "staticSite" - ] - }, - "staticSite_appSettings": { - "condition": "[not(empty(parameters('appSettings')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-StaticSite-appSettings', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "kind": { - "value": "appsettings" - }, - "staticSiteName": { - "value": "[parameters('name')]" - }, - "properties": { - "value": "[parameters('appSettings')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2145280265348211589" - }, - "name": "Static Web App Site Config", - "description": "This module deploys a Static Web App Site Config.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "kind": { - "type": "string", - "allowedValues": [ - "appsettings", - "functionappsettings" - ], - "metadata": { - "description": "Required. Type of settings to apply." - } - }, - "properties": { - "type": "object", - "metadata": { - "description": "Required. App settings." - } - }, - "staticSiteName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Static Web App. Required if the template is used in a standalone deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. 
Location for all resources." - } - } - }, - "resources": [ - { - "type": "Microsoft.Web/staticSites/config", - "apiVersion": "2022-03-01", - "name": "[format('{0}/{1}', parameters('staticSiteName'), parameters('kind'))]", - "properties": "[parameters('properties')]" - }, - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the config." - }, - "value": "[parameters('kind')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the config." - }, - "value": "[resourceId('Microsoft.Web/staticSites/config', parameters('staticSiteName'), parameters('kind'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the config was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "staticSite" - ] - }, - "staticSite_functionAppSettings": { - "condition": "[not(empty(parameters('functionAppSettings')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-StaticSite-functionAppSettings', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "kind": { - "value": "functionappsettings" - }, - "staticSiteName": { - "value": "[parameters('name')]" - }, - "properties": { - "value": "[parameters('functionAppSettings')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2145280265348211589" - }, - "name": "Static Web App Site Config", - "description": "This module deploys a Static Web App Site Config.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "kind": { - "type": "string", - "allowedValues": [ - "appsettings", - "functionappsettings" - ], - "metadata": { - "description": "Required. Type of settings to apply." - } - }, - "properties": { - "type": "object", - "metadata": { - "description": "Required. App settings." - } - }, - "staticSiteName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Static Web App. Required if the template is used in a standalone deployment." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - } - }, - "resources": [ - { - "type": "Microsoft.Web/staticSites/config", - "apiVersion": "2022-03-01", - "name": "[format('{0}/{1}', parameters('staticSiteName'), parameters('kind'))]", - "properties": "[parameters('properties')]" - }, - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the config." - }, - "value": "[parameters('kind')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the config." - }, - "value": "[resourceId('Microsoft.Web/staticSites/config', parameters('staticSiteName'), parameters('kind'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the config was created in." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "staticSite" - ] - }, - "staticSite_customDomains": { - "copy": { - "name": "staticSite_customDomains", - "count": "[length(parameters('customDomains'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-StaticSite-customDomains-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('customDomains')[copyIndex()]]" - }, - "staticSiteName": { - "value": "[parameters('name')]" - }, - "validationMethod": "[if(equals(indexOf(parameters('customDomains')[copyIndex()], '.'), lastIndexOf(parameters('customDomains')[copyIndex()], '.')), createObject('value', 'dns-txt-token'), createObject('value', 'cname-delegation'))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10034836397316444891" - }, - "name": "Static Web App Site Custom Domains", - "description": "This module deploys a Static Web App Site Custom Domain.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The custom domain name." - } - }, - "staticSiteName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Static Web App. Required if the template is used in a standalone deployment." - } - }, - "validationMethod": { - "type": "string", - "defaultValue": "cname-delegation", - "metadata": { - "description": "Optional. Validation method for adding a custom domain." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - } - }, - "resources": [ - { - "type": "Microsoft.Web/staticSites/customDomains", - "apiVersion": "2022-03-01", - "name": "[format('{0}/{1}', parameters('staticSiteName'), parameters('name'))]", - "properties": { - "validationMethod": "[parameters('validationMethod')]" - } - }, - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the static site custom domain." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the static site custom domain." - }, - "value": "[resourceId('Microsoft.Web/staticSites/customDomains', parameters('staticSiteName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the static site custom domain was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "staticSite" - ] - }, - "staticSite_privateEndpoints": { - "copy": { - "name": "staticSite_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-staticSite-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "groupIds": { - "value": [ - "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'staticSites')]" - ] - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Web/staticSites', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'staticSites'), copyIndex()))]" - }, - "serviceResourceId": { - "value": "[resourceId('Microsoft.Web/staticSites', parameters('name'))]" - }, - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableDefaultTelemetry": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - 
"privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", 
- "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." 
- } - } - }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true - }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." - } - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." 
- } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private 
DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - 
"groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": 
"Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": 
"string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "staticSite" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the static site." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the static site." - }, - "value": "[resourceId('Microsoft.Web/staticSites', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the static site was deployed into." 
- }, - "value": "[resourceGroup().name]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('staticSite', '2021-03-01', 'full').identity, 'principalId')), reference('staticSite', '2021-03-01', 'full').identity.principalId, '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('staticSite', '2021-03-01', 'full').location]" - }, - "defaultHostname": { - "type": "string", - "metadata": { - "description": "The default autogenerated hostname for the static site." - }, - "value": "[reference('staticSite').defaultHostname]" - } - } -} \ No newline at end of file diff --git a/modules/web/static-site/tests/e2e/defaults/main.test.bicep b/modules/web/static-site/tests/e2e/defaults/main.test.bicep deleted file mode 100644 index 4165b5c13e..0000000000 --- a/modules/web/static-site/tests/e2e/defaults/main.test.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using only defaults'
-metadata description = 'This instance deploys the module with the minimum set of required parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-web.staticsites-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'wssmin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- }
-}]
diff --git a/modules/web/static-site/tests/e2e/max/dependencies.bicep b/modules/web/static-site/tests/e2e/max/dependencies.bicep
deleted file mode 100644
index 7939cfd2d2..0000000000
--- a/modules/web/static-site/tests/e2e/max/dependencies.bicep
+++ /dev/null
@@ -1,94 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Function App to create.')
-param siteName string
-
-@description('Required. The name of the Server Farm to create.')
-param serverFarmName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.azurestaticapps.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource serverFarm 'Microsoft.Web/serverfarms@2022-03-01' = {
- name: serverFarmName
- location: location
- sku: {
- name: 'S1'
- tier: 'Standard'
- size: 'S1'
- family: 'S'
- capacity: 1
- }
- properties: {}
-}
-
-resource functionApp 'Microsoft.Web/sites@2022-03-01' = {
- name: siteName
- location: location
- kind: 'functionapp'
- properties: {
- serverFarmId: serverFarm.id
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Private DNS zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
-
-@description('The resource ID of the created Function App.')
-output siteResourceId string = functionApp.id
diff --git a/modules/web/static-site/tests/e2e/max/main.test.bicep b/modules/web/static-site/tests/e2e/max/main.test.bicep
deleted file mode 100644
index 8181fac011..0000000000
--- a/modules/web/static-site/tests/e2e/max/main.test.bicep
+++ /dev/null
@@ -1,120 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-web.staticsites-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'wssmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- siteName: 'dep-${namePrefix}-fa-${serviceShort}'
- serverFarmName: 'dep-${namePrefix}-sf-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- allowConfigFileUpdates: true
- enterpriseGradeCdnStatus: 'Disabled'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- privateEndpoints: [
- {
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Owner'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- {
- roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- sku: 'Standard'
- stagingEnvironmentPolicy: 'Enabled'
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- appSettings: {
- foo: 'bar'
- setting: 1
- }
- functionAppSettings: {
- foo: 'bar'
- setting: 1
- }
- linkedBackend: {
- resourceId: nestedDependencies.outputs.siteResourceId
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/web/static-site/tests/e2e/waf-aligned/dependencies.bicep b/modules/web/static-site/tests/e2e/waf-aligned/dependencies.bicep
deleted file mode 100644
index 7939cfd2d2..0000000000
--- a/modules/web/static-site/tests/e2e/waf-aligned/dependencies.bicep
+++ /dev/null
@@ -1,94 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Virtual Network to create.')
-param virtualNetworkName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Function App to create.')
-param siteName string
-
-@description('Required. The name of the Server Farm to create.')
-param serverFarmName string
-
-var addressPrefix = '10.0.0.0/16'
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
- name: virtualNetworkName
- location: location
- properties: {
- addressSpace: {
- addressPrefixes: [
- addressPrefix
- ]
- }
- subnets: [
- {
- name: 'defaultSubnet'
- properties: {
- addressPrefix: cidrSubnet(addressPrefix, 16, 0)
- }
- }
- ]
- }
-}
-
-resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: 'privatelink.azurestaticapps.net'
- location: 'global'
-
- resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
- name: '${virtualNetwork.name}-vnetlink'
- location: 'global'
- properties: {
- virtualNetwork: {
- id: virtualNetwork.id
- }
- registrationEnabled: false
- }
- }
-}
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-resource serverFarm 'Microsoft.Web/serverfarms@2022-03-01' = {
- name: serverFarmName
- location: location
- sku: {
- name: 'S1'
- tier: 'Standard'
- size: 'S1'
- family: 'S'
- capacity: 1
- }
- properties: {}
-}
-
-resource functionApp 'Microsoft.Web/sites@2022-03-01' = {
- name: siteName
- location: location
- kind: 'functionapp'
- properties: {
- serverFarmId: serverFarm.id
- }
-}
-
-@description('The resource ID of the created Virtual Network Subnet.')
-output subnetResourceId string = virtualNetwork.properties.subnets[0].id
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
-@description('The resource ID of the created Managed Identity.')
-output managedIdentityResourceId string = managedIdentity.id
-
-@description('The resource ID of the created Private DNS zone.')
-output privateDNSZoneResourceId string = privateDNSZone.id
-
-@description('The resource ID of the created Function App.')
-output siteResourceId string = functionApp.id
diff --git a/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep b/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 183fa819ef..0000000000
--- a/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,103 +0,0 @@
-targetScope = 'subscription'
-
-metadata name = 'WAF-aligned'
-metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-web.staticsites-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'wsswaf'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- siteName: 'dep-${namePrefix}-fa-${serviceShort}'
- serverFarmName: 'dep-${namePrefix}-sf-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- allowConfigFileUpdates: true
- enterpriseGradeCdnStatus: 'Disabled'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- privateEndpoints: [
- {
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
- ]
- sku: 'Standard'
- stagingEnvironmentPolicy: 'Enabled'
- managedIdentities: {
- systemAssigned: true
- userAssignedResourceIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- appSettings: {
- foo: 'bar'
- setting: 1
- }
- functionAppSettings: {
- foo: 'bar'
- setting: 1
- }
- linkedBackend: {
- resourceId: nestedDependencies.outputs.siteResourceId
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}]
diff --git a/modules/web/static-site/version.json b/modules/web/static-site/version.json
deleted file mode 100644
index 9ed3662aba..0000000000
--- a/modules/web/static-site/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.6",
- "pathFilters": [
- "./main.json"
- ]
-}